FTC Delays Identity Theft Rule Yet Again

coondoggie sends news that the FTC, at the request of several members of Congress, has delayed enforcement of anti-ID-theft rules — for the fourth time since the original implementation date, November 2008. "The [Red Flags] rule requires financial institutions and other creditors to develop and carry out identity-theft prevention programs. ... The problem with the rule revolves around which entities must comply and develop identity-theft prevention programs. ... 'It's the act of delaying payment for services that can sweep in entities you wouldn't normally think of as creditors,' Kuehn said. Already, the American Bar Association, the American Medical Association, and the American Institute of Certified Public Accountants have sued, saying that the Red Flags Rule shouldn't apply to their members."

ok...

[butterflysrage]

why not? do they not have important data that could be used in an identity theft?

Re:ok...

[Qzukk]

do they not have important data that could be used in an identity theft?

The "Red Flags Rule" isn't about stealing data, it's about requiring people to watch for signs that stolen data is being used (hence "Red Flags"). Things like fake IDs, addresses that don't match your records or are not valid, or a SSN that isn't in the date range for the person's DOB.

Re:ok...

[oldspewey]

And at the end of the day, it's all about what costs more/less money where these financial institutions are concerned. If new "red flag" procedures and checks for ID theft cost a bank $25 million per year, and their actuaries tell them they only suffer $10 million per year in ID-theft-related losses, then it's not in their interests to put those "red flag" measures in place.

The human cost to their customers (lost time, mental anguish, etc.) of an incident carries absolutely no weight in their thinking. It's all about the bottom line.

Re:ok...

[OldHawk777]

I agree, but I don't trust politicians to get it done right.

Credit (Equifax...) rating companies, credit card companies, Bank/Loan Sharks... are the one that validate false/stolen IDs. I have always thought the should be the first sued by ID theft victims.

AMA objections.

[TheMeuge]

The reason for the objection by the AMA is that this rule would designate doctors as creditors, by virtue of them billing for their services. This would require a torrent of new paperwork to be handled by the doctors' offices. Ultimately, the time and staff cost of compliance would be extremely high, while there aren't likely to be any benefits in terms of reduction of personal data theft from medical practices, since HIPAA regulations are already very strict regarding personal information.

Since many hospitals and practices already operate on rather thin margins (3% is considered excellent for a hospital), the last thing medical institutions need is more staff to handle paperwork. They already outnumber doctors...

Re:AMA objections.

[Ken+D]

If you read the article, it claims that the issue is the Red Flags rule, which is aimed at preventing *misuse* of identification information while accessing services rather than theft of identification from their systems.

This definitely should apply to the medical industry. Or have you not yet heard of people not only getting billed for medical procedures that they have not had, but simultaneously having their medical history corrupted and having their insurance history mangled as well. http://en.wikipedia.org/wiki/Identity_theft#Medical_identity_theft

Re:AMA objections.

[Sandbags]

Huh? the red flag rules are almost all covered already by HIPAA and Sox. There's immense overlap between them, red flag just applies to a lot more than medical and legal records... Doctors already are required to obey these rules, and most small doctors, due to the cost, already use intermediary companies to handle billing and colelction eliminating them from direct responsibility (and the creditor lablel).

FDIC is looking

[Pagey123]

I know in our last safety and soundness exam the FDIC looked over our Red Flags program. I'm not saying that is where they spent the majority of their time by any means, though. Right now all the banks are getting hammered on asset quality. The regulatory bodies have written so many MOUs they're having a hard time keeping up.

Re:Just Make it Their Problem

[anegg]

BINGO! Just Make It Their Problem! I like the sound of it. Nice and simple. It is exactly what should happen. If a bank extends credit to someone claiming to be me, then bills me for it, it should be the bank's problem to PROVE it was me, not mine to prove it wasn't. There should also be a penalty for those people who falsely claim it wasn't them when it was. I suspect the whole "stolen identity" thing will largely die off when the banks have to eat the results of their bad decisions. There will probably also be an impact on the availability of credit, but I'm not convinced that will be a bad thing.

Re:Bad idea in the first place

[cvd6262]

Especially when there are already laws against the behavior in question and these laws already put the onus on the companies. (This isn't original to me, but I'm too lazy to look up the original reference.)

It works like this: If Person A pretends to be me and gets something without paying for it, that's fraud, not "ID theft." But with fraud, I'm not the victim, whoever accepted the fraudulent credentials is.

Over the last 15 years we've seen a new crime called, "ID theft" wherein the victim is no longer the entity with the power to impede the crime, the victim is a third party. That way credit-granting agencies can ignore the warning signs, and then bill the wrong person for the transaction.

If we stopped talking about "ID theft" and just went back to fraud, the companies would already have the motivation to tighten their ID checks.

Re:Bad idea in the first place

[russotto]

As I understand it, the difference between classic fraud and ID theft is whether or not new credit is established. And the problem isn't so much the money, but the destruction of reputation. Someone steals my credit card number, I just cancel it and don't pay the fraudulent charges. Someone obtains and uses enough information to apply for new credit in my name, I still don't have to pay the bills, but credit reporting agencies list me as a deadbeat; I can challenge the information but the criminals can just keep doing it; I can do little to stop it that doesn't hurt me as well.

Stupid and confusing

[cdrguru]

There are two entirely different things that are both lumped together as "Identity Theft".

The first one is where someone manages to get a bank or loan company to give them credit based on false credentials. You wake up one morning and discover that you owe lots of people you never even heard of, perhaps as much as a year after the loan was given. This is big trouble, because your success depends on convincing the originator of the loan that they made a mistake. It can take years to clean this up and plenty of money. Fortunately, it is extremely rare.

The second sort of "Identity Theft" is where someone "borrows" your credit card number. It is nothing more than credit card fraud and takes about 10 minutes to clear up. It personally happens to me at least once a year. I believe that many businesses end up selling credit card numbers one way or another, usually through employees looking for some extra income. A valid credit card number is worth maybe $2 on the open market, so if you collect of 50 of them you have yourself $100. Plenty of people could use an extra $100 a week.

Credit card fraud is so incredibly common that nearly all large stores have insurance to cover their losses. So they pretty much don't care when it happens - they file for insurance coverage and are reimbursed. The credit card companies do not care at all and pretty much refuse to even attempt to prosecute the people doing it because it looks bad. So the only loser in this is a small business that gets taken on a credit card sale and doesn't have the insurance that bigger stores have.

With a "no prosecution" stand, credit card fraud is about as rampant as it could possibly be. There are no consequences to doing it. If you walk in to a store and try to use a fraudulent credit card it might not validate - around 1960 they called the cops. Today they take the card and suggest you get lost. I suppose if you insisted they call the police they might, but you wouldn't be charged with anything like credit card fraud because nobody cares. Probably end up getting charged with making an ass of yourself in public.

Yes, I have had a physical credit card stolen and reported to the police. I knew who took it and who used it in a store (successfully, I might add), but the police wouldn't do a thing unless the credit card company wanted to press charges. They never do, so they guy got the stuff from the store and got away with it clean.

Re:Stupid and confusing

[gurps_npc]

You left out the THIRD sort of "Identity Theft". Illegal aliens are the largest growing criminals that commit "Identity Theft". They borrow your name/social security number to obtain ID, but do not in any way attempt to steal money from you.