Scary fraud ensues when ID theft and usury collide (krebsonsecurity.com)
191 points by picture on Jan 25, 2022 | 90 comments



It’s way past time for banks to start taking responsibility for issuing fraudulent loans. If someone else takes out a loan using my information, it shouldn’t even remotely be my problem to help clean up, and it shouldn’t involve me at all. This is between the bank and the fraudster.

Even the term “identity theft” is slimy: deftly deflecting blame from the negligent bank, trying to draw an unrelated 3rd party into the mix by nominating him as the “theft victim.”


This sentiment is summed up perfectly in a Mitchell & Webb Sound titled Identity Theft[1].

1 - https://www.youtube.com/watch?v=CS9ptA3Ya9E


It's almost as if.. The power to mediate loans from fed interest rates to an arbitrary rate should come with.. The responsibility to ensure that the loan went to the right person.


They decided who the loan went to, so why is it someone else's responsibility if they got conned?


>It’s way past time for banks to start taking responsibility for issuing fraudulent loans.

That sounds nice and all, but what would that actually look like in terms of legislation? Legally speaking you're already not responsible for fraudulent loans, and the onus is on the creditor to prove that the debt was actually yours.


Legally, yes. In practice, debt collectors (which originators of debt of all sorts will quickly dump unpaid debt onto, even medical providers who don't want to wait for patients to cough up the funds due) will take advantage of unsophisticated/financially illiterate citizens to coerce payment, even if there is no obligation to pay.

The fix is straightforward: require evidence of the debt upfront, and if you're attempting to collect on debt you can't verify was agreed to by the person you're pursuing, damages are substantial (say, $1M per occurrence). Make reporting of violations via the CFPB frictionless.

You will see debt originators rapidly standing up robust identity proofing systems (having customers come into a branch with their IDs), and asking Congress to legislate their implementation (Login.gov and similar for private enterprise, with the end game being a usable national ID system such as Estonia has [1]).

Tangentially, current risk management in this space between identity and finance sucks. I worked with someone to get liens off their Lexis Nexis Risk Solutions report (which mortgage originators use for compliance purposes with conventional mortgage underwriting guidelines as it relates to foreclosures and real estate fraud) that were on their report for almost 8 years in error. It took a CFPB complaint for Lexis Nexis to remove them with citations from an attorney to state statute, and this data isn't classified as consumer reporting, so it's almost impossible to obtain financial recourse/damages for these occurrences.

[1] https://privacyinternational.org/case-study/4737/id-systems-...

[1] https://news.ycombinator.com/item?id=29980189 (HN thread of the above link)


> Make reporting of violations via the CFPB frictionless.

Totally agree.. but sending a debt validation letter is already pretty simple. In most cases you can send the scumbag collector a barely-modified form letter and that’s that. I’ve done this twice and it’s pretty painless, but in a perfect world, I wouldn’t be involved at all!

Banks need to be forced to stop considering

    struct {
        name,
        address,
        birthday,
        ss_number,
        other_public_info
    }
…to be equivalent to a person, for the purpose of issuing loans. It’s total madness, and honestly I’m shocked that this kind of fraud isn’t even more common.

That and

    struct { acct_no, routing_no }
…is enough to withdraw money from my bank account thru ACH! Also lunacy. How are banks allowed to be so crappy?

Legislation, plz.


Walk out onto a public street. Ask the first 3 people you come across if they know how to send a debt validation letter. Report back. One should not need to have knowledge with consumer credit laws and regulation to navigate exceptions; it's citizen hostile and a developed economy anti pattern imho. Fail citizen safe.

Agree about ACH. The Fed's FedNow instant payment system due out next year should deprecate all that is trash about the ACH rails (switching to a push from a pull model being one of said deficiencies).


> Walk out onto a public street. Ask the first 3 people you come across if they know how to send a debt validation letter. Report back. One should not need to have knowledge with consumer credit laws and regulation to navigate exceptions; it's citizen hostile and a developed economy anti pattern imho. Fail citizen safe.

By that logic, other things that are antipatterns:

* most laws (do you think "the first 3 people you come across" would know the difference between murder and manslaughter?)

* programming APIs (i.e. the trope of programmers having to search up usages for basic library functions)

* most basic life tasks (this can be literally anything. even how to cook. if your parents didn't teach you, and you couldn't search on the internet, most people would be toast).


> Most laws (do you think "the first 3 people you come across" would know the difference between murder and manslaughter?)

Personally, I think the chances are much higher of getting a working definition, and toomuchtodo could probably have said 30 people without looking implausible.

At this point, you might be thinking that few don't know the precise definitions of manslaughter vs. murder, but consider this: most people (I suspect) at least have an understanding of the difference between manslaughter and murder, while not having the slightest idea of what sort of responses are available to them in the fraudulent loan scenario. Furthermore, while both probabilities are low, I doubt that the likelihood that your average person needs to know the difference between manslaughter and murder is close to the likelihood for being in the sort of situation being discussed here.

> Most basic life tasks (this can be literally anything. even how to cook. if your parents didn't teach you, and you couldn't search on the internet, most people would be toast).

It never occurred to me, until now, that the human race is perpetually at risk of extinction in one generation for this reason... but has there been one documented fatality, anywhere, at any time, from this cause?


>I doubt that the likelihood that your average person needs to know the difference between manslaughter and murder is close to the likelihood for being in the sort of situation being discussed here.

Okay, what about if you want to renovate your house? Is the bureaucracy utterly out of control because you can't legally make modifications to your house without getting a permit from the city? Most people know they have to get a permit, and maybe that they need to go to city hall to get it, but good luck getting a permit without asking someone working there or looking it up on the internet.


That’s moving the goalposts, not knowing it’s possible to do something is quite different than needing to look up how to do something.

I suspect the vast majority of people aren’t going to add a major addition to their house without having someone to do the work who knows about permits, or actually knowing about it themselves. It’s like complaining about how few people know seamanship rules when most people don’t own or operate a boat.


> That’s moving the goalposts, not knowing it’s possible to do something is quite different than needing to look up how to do something.

In this day and age, is there a meaningful difference between those two? If someone got a call from a debt collector for a debt they weren't responsible for, don't you think they'd know to "look up how to do something"?


Yes absolutely, the concept you are missing is "culture" - the majority of knowledge a "citizen" or "consumer" is taught is either picked up through cultural context (parents, TV, books, online articles), or through a common cultural ritual (often school, maybe some game).

You won't even know what to search for if you don't know it's something you can do - heck, given certain cultural contexts, you won't even know you can search for "what to do when" X happens.

And that goes back to the earlier point - unless your problem is something low-hanging on WikiHow, commercial/legal construct is such that you probably won't find the answer to your problem, and end up having to "hire an expert", assuming you have the money to do so. So, anti-patterns, yes, absolutely.


By now, your claims have become so weakened that they no longer have any relevance to the original issue, which is whether there is a better way than the current method for handling the problem of loans fraudulently acquired through identity theft.


Yes, many people don’t even read the manual when they can’t get something to work. Expecting everyone to look up how to solve problems they can seemingly ignore is simply not how many people are wired.


> Most people know they have to get a permit...

Indeed.


You're literally making their point. The anti-pattern is assuming people should know something domain specific to avoid harm.

Should the average person need to know the difference between murder and manslaughter to avoid getting scammed into a murder charge?

Should the average programmer have to memorize every API they use to avoid creating the next Heartbleed?

And basic life skills is the literal opposite of your other examples...


>Should the average person need to know the difference between murder and manslaughter to avoid getting scammed into a murder charge?

While I think "legal system that everyone understands" is a laudable goal, there are too many edge cases and "bad" behaviors for that to be possible.

>Should the average programmer have to memorize every API they use to avoid creating the next Heartbleed?

I'm not sure why you modified my original argument. Is having impossible-to-use-from-muscle memory APIs totally fine unless they lead to security vulnerabilities?

>And basic life skills is the literal opposite of your other examples...

in what way? because you assume most people know how to cook? that's because it's knowledge that parents pass down because you need it daily, not because society engineered it to fail safe or whatever.


> While I think "legal system that everyone understands" is a laudable goal, there are too many edge cases and "bad" behaviors for that to be possible.

This is not the issue here. The issue here is whether there is a better way to handle the problem of fraudulent loans facilitated by identity theft.


>Agree about ACH. The Fed's FedNow instant payment system due out next year should deprecate all that is trash about the ACH rails (switching to a push from a pull model being one of said deficiencies).

Are they actually going to get rid of ACH though? It's all pointless if they still have ACH for legacy reasons. Take our EMV implementation. Not only do we have "chip and signature" if the chip fails to read three times most readers just fall back to mag stripe.


The complaint system isn’t too terrible to use - at least when I last tried it out for a credit reporting dispute. You’ll likely get a reply from the institution in a week or so, and if they don’t reply in a timely manner it’s a red flag:

https://www.consumerfinance.gov/complaint/getting-started/


> if you're attempting to collect on debt you can't verify was agreed to by the person you're pursuing, damages are substantial (say, $1M per occurrence)

Congratulations, you just outlawed uncollateralised lending to everyone but the super rich.

The core idea is sound. But link the payout to actual costs and damages.


Uhm, I don't think that outcome is a bad thing at all. There should be very few and ideally no reasons you have to go into debt, except for high-value long-term purchases. And these are typically things that can serve as collateral (think houses, cars). Heck even computers and phones nowadays have significant resell value.

Come to think of it, except for medical bills, I really don't know what an uncollateralized loan would be for and which I'd consider a net-positive. And before you come back to me with medical bills: Fix your health insurance system and that problem goes away...


Propose a penalty that is sufficient to deter unscrupulous behavior but not so excessive as to cause lenders to flee the market entirely. If the penalty can be considered the cost of doing business, it is ineffective for its purpose. This is no different than applying KYC and a customer identification program to lending operations.


> Propose a penalty that is sufficient to deter unscrupulous behavior but not so excessive as to cause lenders to flee the market entirely

Treat it as you suggest: a KYC/AML failure. Public reporting requirements. Liability to the injured (for actual damages). And, if a pattern emerges, license restriction and eventually revocation.

A $1mm mandatory penalty will force lenders to settle. (Nobody will spend $100k proving they properly made a $25k loan with a $1mm penalty if they’re wrong or unconvincing.) When customers know that, you get adverse selection. That would shut down the market.


I concede that this is an excellent start to resolving the overarching issue, and prefer the revocation of licensing for repeat offenders versus potentially unreasonable (depending on size of the org) monetary penalties. Appreciate you pointing out my suboptimal initial proposal to solve the problem. I had the usual suspects on my mind when writing that comment (too big to fail finance who buys their way out of every single attempt at accountability). Thank you.


There are a lot of people in the USA without proper identity documentation, or who live under the identity of someone else.

I know brothers who share a passport and driving license, and do just one lot of taxes between them.

Tightening up identity verification laws will further exclude these people, and may be a net loss for the nation.


Sorry, are you saying that criminal impersonation should be legal, because making it illegal excludes people and may be a net loss to the nation? If they want to be included, surely they can just be honest about who they are.


What is the realistic solution then? It's time for Americans to do the European and developed world thing and use IDs with proper identification methods.

And why would you live under someone else's identity? Isn't it identity theft?


> European and developed world thing and use IDs with proper identification methods

You obviously have no idea what you are talking about. Perhaps "Europe" to you only refers to some rich Scandinavian countries?

In Eastern Europe ID cards are frequently issued solely on the basis of witness statements, fraud is very common.

There are probably hundreds of thousands of "fraudulently" issued European passports in circulation. If you go walk near embassies in Chisinau, you'll be approached by plenty of people offering to help you procure one.

Even the UK has struggled with this https://www.bbc.com/news/uk-58876645

>And why would you live under someone else's identity? Isn't it identity theft?

Because you don't have your own, there are plenty of Europeans who have never even had a birth certificate (or lost theirs).

Because yours comes with the wrong nationality, a semipermanent black mark that prevents you from seeking normal employment.


I don't think Moldova is representative of Eastern Europe. Hundreds of thousands of illegals among a population of 400 million doesn't sound like such a huge problem.


The Moldovans are getting EU passports, usually Romanian or Hungarian. They certainly aren't looking for Moldovan passports.

I don't think this is a problem at all, the whole concept of borders and citizenships is poisonous.


I live in the poor Eastern Europe and it's most certainly not true. Where do you live in the east that you're so confident making this outrageous claim?


It's not an outrageous claim. The huge scale of passport fraud in Romania and Hungary is widely known, literally to the point where half the rich Russians living in central London hold fraudulently acquired Romanian passports.

Of course it's not only Eastern Europe, of course Greece and Italy have struggled with this too.


Rich Russians get their passports by investing in countries, you might dislike the way it's possible to acquire a passport but it's a drop in the ocean. Your claim like it's a massive problem on the grand scale of things in Europe is propaganda.


> Rich Russians get their passports by investing in countries

You have no idea what you are talking about. I am not talking about Cyprus here.

Here's an article describing a small slice of it https://www.vice.com/en/article/akwe34/romania-has-allegedly...

> you might dislike the way it's possible to acquire a passport

I don't, I firmly believe that this is a good thing.

>Your claim like it's a massive problem on the grand scale of things in Europe is propaganda.

I don't claim that it is a problem at all. I'm just saying that you were being ridiculous when you said

> It's time for Americans to do the European and developed world thing and use IDs with proper identification methods

Europe is far from having this figured out.


Strengthening identification is a non-starter until the US has something similar to the GDPR, and the surveillance industry has been massively reined in. Right now it's a feature that the average person balks when asked for personal identifiers like social security number, otherwise things like grocery store discount cards would insist on positive identification. If we had a universal smartcard for ID, imagine having to swipe it for every single fucking transaction.


Apropos of nothing, but I really wish grocery store discount cards were illegal, even though taking a usually anti-government / authority stance I find it really hard to justify as a law. It's completely ridiculous how every major grocery chain cranks their prices up 20-30% unless you opt into their surveillance.


I totally agree on the annoyance and also where you're coming from. Although I'd probably focus more on requiring sale and other product prices to be published online in a semantic format. Ultimately this sale game is an attempt to frustrate the market and create inefficiency.

The wider surveillance issue should be addressed with a GDPR equivalent. What bona fide use do they have for knowing my identity and analyzing my individual purchases? None!

FWIW you can usually get the sale prices by asking the cashier to swipe the "store card" or periodically getting a new nym.


Maybe because you were never given an identity at birth? Or you are in the country illegally? Or you are trying to escape debt or the law or someone wanting you dead? Maybe you lost all your id documents in a fire and don't have anything left for the government to reissue you an ID. Maybe you've just forgotten who you are due to illness.

Plenty of reasons, some more legit than others, but there are a large number of people in this position.


Somehow the rest of the world can deal with these issues. You can skip any contract the society creates with the same reasons from paying taxes to getting a vaccine.


I always get a kick out of how the same people asking why the US can’t do things every other country does, like single payer healthcare or the metric system will have no end of excuses why the US can’t do that other thing ~every other country does: national ID cards that are used for, among other things, verifying one’s identity when voting.


You might want to see what people are actually saying. The problem with ID checks is that there are barriers to entry which are conspicuously not evenly distributed. If you live in a big city, sure, it's easy but there are a lot of people around the country who have real challenges getting to the closest DMV (which can be hours away after closures and poorly connected to transit), coming up with the various paperwork establishing their identity (e.g. think about a newly-widowed 80 year old whose husband's name was on the mortgage, all of the bills, etc.), and non-trivial amounts of money.

I really wish that someone would seriously propose a voting reform act which would basically be the national equivalent of “motor voter registration” except for anyone, at no cost, and either with widespread offices or free transportation (to cover the poor, old, blind, etc.). Get rid of every possible excuse for not having ID and then we can clean up so many screwy processes which rely on a patchwork of paperwork to handle different situations, no two agencies with identical requirements.


> If you live in a big city, sure, it's easy but there are a lot of people around the country who have real challenges getting to the closest DMV (which can be hours away after closures and poorly connected to transit)

That’s fairly deep in “the administration doesn’t want to.” territory. Granted, Germany isn’t as sparsely populated as the US in some regions, but for example we have pop-up admin posts. Effectively a bus that comes visit every few weeks, clerks pop up an admin office where you can do all the tasks, including getting an ID card. That’s not unfeasible, even in comparatively sparsely populated regions.


> That’s fairly deep in “the administration doesn’t want to.” territory

No, it's describing real things which have happened in the U.S. — for example, in 2015 the state of Alabama closed a number of DMV offices in predominantly black counties. They reversed that in 2017 after outcry and some investigations, but it's not like that's a one-time concern which will never go away. Here's a story from last year with similar concerns (note that this doesn't need to be intended maliciously to have an uneven impact):

https://www.pewtrusts.org/en/research-and-analysis/blogs/sta...

That's why I'd like to avoid the issue entirely by having strong legal protections and guaranteed funding. The kind of pop-up you mentioned would be a great solution in rural cases, as would other possibilities like some kind of shared infrastructure with the post office or other government agencies where you could have a trusted third-party take an official picture and seal all of the provided material, etc. The idea would be to pair a voter ID requirement with a guarantee that ID would be free and easily available to categorically remove this class of concern.


I think you’re misreading my post. I’m not saying that this isn’t happening, often with nefarious reasons. I’m saying that this is a man made decision and it can be changed by another man made decision. It’s not a natural law, but people often treat it as such.


A national ID could be issued not through the DMV (Department of Motor Vehicles) or other similar bureaucracies in whichever state you live in, but through the Post office. Every citizen has access to a nearby Post Office, and many times more frequently than a DMV.


How is excluding tax frauds a "net loss for the nation"?

If you want to say that ID documents should be something that's much less painful for individuals to acquire (and should be free!), completely agreed.

But the idea that a modern society can function without a safe identification system is somewhat far fetched to me.


> How is excluding tax frauds a "net loss for the nation"?

Calling this tax fraud is... I guess true, but kind of odd and silly.

Two people making $X/2 will in almost all cases pay more taxes while receiving fewer benefits than one person making $X. If you wanted to pay fewer taxes, you wouldn't use this scheme except in a few strange edge cases. I don't think the brothers are sharing a passport, a driver's license, and tax filings in order to reduce their tax bill...

(Reading between the lines, since you didn't seem to pick up on it: one of the brothers is an undocumented immigrant. The goal is not tax minimization... the two brothers are paying more taxes while receiving fewer benefits in order to avoid deportation of the undocumented brother.)


Actually I think one of the brothers never got a birth certificate because their mother didn't want to do the paperwork.


Truly strange case. Why hasn't he resolved this issue?


Legislation to broaden access for the unbanked and legal docs for non-citizens is the way to solve that use case, not enabling illegal credential sharing to obtain money as a use case (in my opinion)


> living under the identity of someone else

Quite sure most people, the vast majority of people would rather this be tightened up just for the fact that they don't want to have others living under their identity.

As for brothers sharing a passport, I doubt that these laws would affect them the same way, especially if they're twins and pass for each other. But then, just because they can do so, doesn't mean that they should.


Very simple: any contract between a financial institution and a third party is rescinded and null in whole if the third party was represented by someone else, without power of attorney. Full stop. Burden of proof on the bank to ensure this. They already have a huge apparatus in place to verify creditworthiness and identity. Any attempt to collect once such a complaint is filed should be illegal before it is resolved.


One easy, but indirect, fix would be to remove the legal special casing that exempts credit reporting companies from libel laws.

That would force a number of other changes, and I think they would mostly be positive. Those whose businesses depend on high-volume easy credit may disagree.


> One easy, but indirect, fix would be to remove the legal special casing that exempts credit reporting companies from libel laws.

I wonder if this can be bypassed by a warrant canary (or repayment canary)? Basically instead of having creditors report that you defaulted on your debts, creditors will just report whether you opened/closed a line of credit, and whether you're current on it. If you aren't current, then the algorithm assumes you're delinquent. Since you can't compel speech (first amendment), you'll have a very hard time forcing companies to do something.


Has the legality of a warrant canary ever been tested? Commenters on this site often mention that the law is not executed by machine, and so it seems a court would see through this charade.


As far as I understand, the major effect of identity theft on the person is the problems with their credit score and thus all kinds of other credit-related activities while the issue is being resolved. I think that at least in parts of Europe the legal solution is a requirement that lenders must get these fraudulent loans off the credit reports within a fairly strict time limit when they're contested in a simple, standardized way, so even if some investigation takes a long time, that does not affect your creditworthiness during that time.


Legally speaking I had someone take out a fraudulent PACE loan which the administrative agency then used to put a lien on my property taxes and I’m still fighting to get that money back.

Not necessarily a common problem, but this kind of stuff can pop up in surprising ways where the victim is left cleaning up the mess of the financial institutions involved.


BofA account receiving money was NOT HIS!

It would be very easy to verify and confirm for a bank.

This should be the end of the story. If the bank would've been on the hook, they'd look way more carefully at it.


Is it possible to sue for damages as an innocent bystander in these cases? I'm guessing damages are small and not worth pursuing, but is it legally feasible?


Completely agree, and I've worked at fintech companies that issue credit products.


Yup.

And also on-point, when are management and coders going to realize that much data should be treated as toxic waste and destroyed, rather than kept forever, just in case we might want it?

This guy had an ID theft, prevented it from going forward, but the payday lender had his info in their DB, and so the second time around somehow actually authorized the bogus loan. If they hadn't stored the info from this person who would NEVER deliberately be a customer, the bogus loan would not have happened.

And all that trouble caused so some thief could net a measly $1000.


yup


In a just world, companies such as this lender would not only lose the money they loaned, but would be liable for the vast amounts of time and grief they caused a completely unrelated individual.

Only then might we get a financial system which is robust against ID theft. While the costs are externalized to countless individuals, nothing will change.


I wonder at the likelihood of success if this person were to sue the company in his local small claims court for a claim at N hours multiplied by $80 per hour to fix the problem. At the minimum it would require them to hire local counsel to show up and answer a statement of claim.


Sounds like a startup opportunity. There’s enough victims out there that should be compensated for their grief.


I would like to sue for the mortgage interest rate increase a fraudulent bank account cost us when buying our house.


There really should be an investigatory process when credit is fraudulently taken out in someone else's name.

How did the company get duped into making the loan? If the answer is something like "we treated an SSN as identification", that company should lose the right to be a credit issuer.


Serious question for any lawyers out there: why isn't there more serious recourse for consumers when credit agencies commit libel?

If Equifax issues a report saying that I owe X, and I contact them with proof that this was a fraudulent loan, and they continue issuing that report... how is this not criminal libel?


Being brutally honest: because Equifax and similar agencies always engage in politics. They lobby politicians, they have people on staff on alert should any legislation related to this topic come up, etc. Angering these companies carries political costs.

The typical individual is not engaged in the political process, and if they pay attention to this subject, they do so for an ephemeral amount of time. Individual voter's anger has no consequence.

Our system is optimized to privatize gains and socialize losses.


Regulatory capture through the "Fair" Credit Reporting Act. Go read it - they've legislatively exempted themselves from the standard time-honored tort! Similarly to how medical providers can nonsensically create post-facto arbitrary bills instead of needing to create contracts like every other industry.

Curiously, political pushes for reform never advocate for getting rid of the corrupt laws, but rather creating a whole new regulatory regime whose corporate giveaways will only become apparent down the line.


15 U.S. Code § 1681e(b) reads "Whenever a consumer reporting agency prepares a consumer report it shall follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates."

I know that courts move slowly and judges are often depressingly technologically illiterate, but I have absolute confidence that I could put together an incredibly convincing panel of experts who would define "reasonable procedures" in a way that would run wholly afoul of the SOP of the major credit reporting agencies.


So don't let me stop you? In general courts are going to have their own standards for such things that differ from your plain language reading, and a stack of paperwork from the surveillance companies' auditors will suffice to meet it. But by all means, go for it!

By my quick non-attorney reading I think you'll be arguing under 1681o, and still stuck showing actual financial damages for having been denied a loan or whatever. Point being they've legislated themselves out of the straightforward tort of libel by 1681h (e).


Similarly to how medical providers can nonsensically create post-facto arbitrary bills instead of sticking to contracts like every other industry.

While medical providers do seem to take this to ludicrous, my understanding is that there's an underlying common law principle concerning actions taken on behalf of someone in an emergency, and it's not just medical providers to whom this applies.


Two true stories...

When my partner was pregnant, the OBGYN's office would send us small little bills despite us having paid our copays. The bills ranged from $40-$200 and did not indicate what the bill was for, listing it as something generic, "misc services" for instance. I called down there once and asked what the bill was for and the person I spoke to could not tell me. So, I didn't pay any of them and switched OBGYNs.

Second story, the partner had incredible stomach pain... we ended up in the ER, paid the co-pay, etc. A couple months later I get a bill for 1k for seeing an out of network doctor. I call the insurance company and ask if that's correct and this is what they told me: That the hospital had a habit of sending out fraudulent bills, and that they had a legal settlement with them that they weren't even allowed to contact the patients directly.

It was literally just a cash grab.


Yes, "unjust enrichment". But it doesn't entitle one to imagine arbitrarily exaggerated prices and demand reimbursement based on them.


One reason is because the Supreme Court held in late 2020 that unless you can prove you were actually--not theoretically--harmed by an exact instance of an entity covered under the Fair Credit Reporting Act, you do not have standing to sue.

> Held: Only a plaintiff concretely harmed by a defendant’s violation of the Fair Credit Reporting Act has Article III standing to seek damages against that private defendant in federal court.

Per the Court, this means something like you were provably denied credit on the basis of the incorrect reporting, and you either didn't have an opportunity to explain yourself or your explanation was not accepted in favor of the credit reporting agency's information. This is a very, very high bar to clear and is made even more difficult by the fact that almost any agreement of substance includes a mandatory binding arbitration clause. Thus, you don't even get the chance to go to court.

(Many businesses lauded here on Hacker News have such clauses, so even the "good" entrepreneurs can't resist taking away rights to the courthouse from their users.)

More coverage and links to the decision at SCOTUSblog: https://www.scotusblog.com/case-files/cases/transunion-llc-v...


I'm not sure that ruling really has the impact you say it does here. That ruling held that of the 8,000 plaintiffs in the class action suit, only 1,853 had standing because their incorrect credit reports were actually sent to businesses. The remaining 6,332 did not have standing because although their files were incorrect, this incorrect information was never transmitted to anyone (I am getting this from scotusblog coverage). I wouldn't call this a very, very high bar to clear.


Serious answer (I am not a lawyer): partly because the threshold for libel is really high in the US.

Partly because there is also some procedure for challenging credit reports. I'm going to try and find the blog post about it...



I don’t think Equifax is saying that “you owe X to lender Y”. They’re saying that “lender Y has reported that you owe X”.


Because the court system has become a pay-to-play scheme where if you have more money than your opponent, the courts will provide an advantage to the one who is profiting from corruption rather than the ones being taken advantage of. Even representing yourself pro se does not come without a significant burden where judges will clearly tell you that you are disadvantaging yourself by doing so, and the laws are so complex that often they could care less what is fair rather than what a previous judge decided a long time ago back when racial discrimination was prominent.


Why isn't the Bank of America account in his name? I was under the impression that know your customer laws would require them to match up the individual taking the loan and the individual holding the bank account.

Is it really just as simple as an ACH transfer?


KYC laws just require that the source and destination accounts are tied to individuals whose identities are known, not that they are tied to the same individual.


Why not just outlaw loans with interest rates above some reasonable limit rendering the obligations void and the very attempt of offering such a loan a crime?


These loans are illegal in most states; however, the loan sharks have paid individuals associated with a Native American tribe to "own" the company in an effort to claim tribal sovereignty, much like casinos like to do in states where gambling laws aren't favorable. The state may set an upper limit on these usurious loans, but if an individual tribe has not, then they can run the business under the jurisdiction of the tribal council even though most of the people getting these loans legitimately are not members of the local tribe.


What're the best practices for dealing with this if one is a victim?


What a nightmare!



