Tuesday, September 26, 2017

Identity Theft, Credit Reports, and You

This is outside my usual brief, but one of my hobbies is that I used to ghostwrite letters to credit reporting agencies and banks. It is suddenly relevant after the Equifax breach, so I’m writing down what I know to help folks who might need this in the future. (...)

I’m not a lawyer. I am not your lawyer. I no longer have enough free time to write letters for people. But feel free to read the below to help guide your research in dealing with your credit-related problems.

What problems can this advice help with? What can’t it?


Was your data leaked, or possibly leaked, without an account being opened yet? You might have heard your data was included in the Equifax breach or be unsure about that. Someone could, potentially, use that data to open accounts at financial institutions. Someone could also potentially have robbed your home while you were out. You wouldn’t call the police immediately after returning home on the possibly you might have been robbed – you’d do it only if there was actually evidence of a specific crime. You don’t need to do anything just because your data was leaked or might have been leaked.

I realize some folks find that advice unsatisfying. If you cannot sleep at night without doing anything, direct each of the three credit reporting agencies to put a “freeze” or “hold” on your records. Do not sign up for credit monitoring; it is a great revenue source for credit reporting agencies but almost never a good purchase for consumers. If you want to see what is on your credit report, you’re legally guaranteed three free reports a year (see here); once every 4 months is plenty for most people. You can also get free ones through banks these days; American Express and Capital One, among others, will give them for free as a customer acquisition / retention tool.

Do not use the following advice to correct a problem with an account which is factually yours. If someone has stolen your credit card number and used it to buy things, you should not send letters. Just call your bank; they’ll take care of it. For reasons beyond the scope of this post, that is a really well-understood scenario that banks are very customer-friendly about. The only thing we’re talking about here is accounts/debts which were never yours.

Was an account opened in your name without your consent? Great, you’re in the right place. The rest of this article assumes that you’ve either checked a credit report or been told by a bank that an account exists in your name which you didn’t open. (There exist steps related to the below to help improve one’s situation in the circumstance where your problem is that you’ve not paid debts you legitimately owed, but that problem is out of scope here.)

Understanding the players

There are three big credit reporting agencies (CRAs) in the US: Equifax, TransUnion, and Experian. Their business model is keeping records, organized on a per-person basis, about debts. They sell this information to banks for the banks to use in underwriting processes. They also sell credit scoring, a product which gives the bank a single number (or small set of numbers) to evaluate your creditworthiness. The most common score is FICO, named after Fair, Isaac, And Company (which developed it), but there are several varieties of this product. It’s sort of like Kleenex: Fair Isaac was so successful at owning this space that people call credit scores FICO scores.

The CRAs get data from many, many places, but the ones most immediately relevant to you are financial institutions (I’ll call them “banks”, but there are many that aren’t strictly banks) and non-bank creditors (I’ll call them “debt collectors”, since that is the majority case, even though e.g. AT&T can be a creditor which reports to a CRA). (...)

Never pay a penny of a debt which isn’t yours. Paying waives your legal rights, because the system assumes that nobody would pay something they didn’t actually owe. Paying also doesn’t help you, because in most cases paying debts which were once delinquent does not improve your credit scores. Why? Math math, clustering algorithms, blah blah; just trust me.

Understanding a CRA’s incentives

We say “You aren’t the customer, you’re the product” a lot in the tech industry, but this is very, very true of CRAs. Your data is their only product. If they could never talk to you ever, they’d love to do that, because talking to you costs them money but doesn’t make their product (you) much more valuable in most cases. Luckily for you, the CRAs are regulated in the United States, so just plugging their fingers in their ears isn’t an option… but they’ll certainly push that to the limit.

The main regulation CRAs care about is the Fair Credit Reporting Act. The legal code of this is here; the layman’s explanation from the FTC is here. The rest of this post is a very opinionated user’s guide to the FCRA and related legislation such as the Fair Debt Collections Practices Act (FDCPA) and long, boring books of regulations without fun acronyms.

Assume the CRAs will do the bare minimum to comply with the law, always. They are among the most odious and user-unfriendly institutions in the United States. You want to minimize your interactions with them; you want to minimize discretion that you give to them about your situation.

You should never call a CRA, ever. They have phone centers staffed with people whose only job is getting you off the phone. They have very limited availability to help, for the same reason that the phone center for Walmart does not have anyone who can help a shoe. You will deal with CRAs only in writing.

These days they have streamlined online applications for writing to them, but I suggest that you only send them paper letters. This is a really weird thing for a technologist to suggest, but when you send paper letters, you can establish and own a “paper trail.” When you type words into their godawful web applications and hit submit, you will likely fail to retain a copy of those words and fail to retain records about what they told you (exactly) and when. This will complicate your resolution with them. Communicate with them only over postal mail. Keep a log of every mail you send (including what you said) and when it was sent; keep a copy of every letter they send to you and when it was sent. You don’t need physical copies; digital is fine. I like organizing all of mine on a per-incident basis in Dropbox.

Retain copies of all correspondence with a bank or a CRA forever. Erroneously reported debts which you thought were taken care of can be resurrected years later by someone failing to check a box during a CSV export, resulting in the debt getting sold to a new debt collector, who will not know that you spent weeks resolving it. You want your paper trail so that your first and only letter to that debt collector credibly promises armageddon.

Presenting like a professional

Banks deal with lots of angry people, and are optimized to treat this like a customer service problem. Some do better and some do worse at this, but you never want identity theft treated like a customer service problem. Their CS department is scored on number of tickets resolved per hour, and each rep’s incentives are simply to classify you as something requiring no followup and get you off the phone.

Instead, you want to communicate with the bank in a manner which suggests that you’re an organized professional who is capable of escalating the matter if the bank does not handle it themselves. You do not yell – not that you’re ever verbally speaking with anyone, but you wouldn’t yell in a letter, either. You do not bluster. (“I will tell on you to my attorney” is, generally, bluster, and that’s bluster that is common to people who do not actually have attorneys.) You instead present as if you’re collecting a paper trail.

Mean words cannot hurt a bank. Threats cannot hurt a bank. Paper trails, though, are terrifying to regulated institutions. Your bank’s customer support representatives are taught to evaluate whether someone looks like they’re competent and collecting a paper trail. If they are, the CS rep is supposed to stop touching the case immediately and instead escalate them to a supervisor or to the legal department.

The legal department (or an analogous group – it is different at every bank) is not scored on cases resolved per week. They are scored on regulatory incidents per quarter, and their target for success is likely zero. Shockingly senior people will be involved to avert regulatory incidents.

What causes a regulatory incident? Bad behavior on the part of the bank? No. Banks screw up all the time; the screwups are literally forecast and budgeted for. Do regulators cause regulatory incidents? Generally no; they’re understaffed and underfunded, and they don’t go on fishing expeditions. The thing which causes regulatory incidents is well-organized people taking paper trails to regulators which allow a regulator to trivially follow up with an investigatory letter. Accordingly, anyone who sounds like a well-organized professional with a paper trail is a problem to be swiftly addressed.

That, dear reader, can be you.

Form letters and the inadvisability thereof

Regulation of CRAs is in some ways consumer-friendly and in some ways is designed to be to the advantage of the CRAs. For example, the CRAs told the regulators that there were businesses and websites offering form letters which correctly cited the FCRA and FDCPA, and that this let people send in a vexatious number of “frivolous” form letters. (Translation: Walmart is annoyed how many shoes found out how to speak.) So the regulators offered the CRAs an olive branch: they’re allowed to close without actioning any case which involves a form letter.

Is that fair? No. CRAs are allowed to respond to you with a form letter, and in fact will, and in fact in many cases it will literally include checkboxes so that they can most efficiently tell you the rationale for not helping you. (...)

So if you can’t just download a letter from the Internet, how should you write a bespoke, artisanal letter such that people reading it read you as a Dangerous Professional?

Professional mien: You’re a professional, and not someone straining to pretend to be one.

If you’ve never been in a customer-facing role, you might not have ever seen this genre of communication, but a lot of folks suddenly adopt electutory tendencies which they believe approximate legal professionals whom the have copious exemplars of from TV. This is not the way actual professionals write, which is generally clear and to-the-point. Write clearly and concisely. You want to outline relevant facts and omit long, windy narrations of e.g. how you were feeling when you discovered that your identity was stolen.
On August 5th, 20XX I accessed my credit report from Experian, numbered 1234567. It shows an account with your institution in my name, with account number XXX123. I am unaware of the full account number. I have no knowledge of this account. I did not open it or authorize anyone to open it.
Restrained emotions: You’re a professional. Someone in the economy has made a mistake; you require it to be fixed with alacrity, but you’re not angry at either the bank or anyone working at it. Why be angry? This is just business to you. It’s business that you will, with night-turns-into-day certainty, cause consequences if your legitimate requirements are not met, but you won’t bear anyone ill will over it.

Showing anger decreases the perception of risk of you filing a regulatory action or a lawsuit. This is counterintuitive to many people. The vast majority of people who show anger are showing anger because they want to show anger. They want someone to validate their emotions. They don’t want to be “disrespected” by the person in front of them. You don’t particularly care about the individual you’re writing to or whether they’re emotionally supportive of you. You want a resolution, no more no less. Professionals know that if they want emotional support they could just buy a dog.

People who can file a regulatory action while being emotionless about it are terrifying, because they suggest that their day job is e.g. administrator for a hospital, that they’re very comfortable with pushing papers around government agencies, and that they will remember deadlines, keep copious records, and consult with other professionals where appropriate. People like this have an annoyingly predictable tendency to convince bureaucracies to give them what they want.

If you’ve ever seen the House M.D. episode (season 1, episode 6, “The Socratic Method”) with the high school student who immediately confirms his understanding of anything a person in a position of authority says, writes it down in a notebook, and references specific facts from the notebook in follow-up conversations, that is exactly who you want to be.

Micro-tip: I never phrase an initial letter with “I demand you…” because I’m a professional. Angry people demand; professionals “require.” If you’ve asked me to pay money that I don’t owe you, I “require” you to stop doing that.

Be very clear about what you want. What you do not want is to give someone the excuse to read your letter and conclude that no further action is required or that a form letter trivially answers it. You want a specific set of actions, you want those actions to be confirmed to you in writing, and you want them done by a specific date.

by Patrick McKenzie, Kalzumeus | Read more:
Image: via
[ed. Not just for credit/security breaches (although CRAs sound like real assholes, don't they?). The dispassionate letter, clearly written with intent of establishing a paper trail, is always the most effective method for getting a response and possible resolution to any bureaucratic matter.]