The CFPB Consumer Complaints Database Does What It Was Designed To Do

In March 2012, the Consumer Financial Protection Bureau (CFPB) began accepting complaints from consumers about bank accounts, including checking, savings, CDs, and related financial products and services. Consumers were able to submit complaints about poor customer service experiences with banks and financial institutions.

Later during 2012, the CFPB began accepting complaints about student loans, credit cards, and credit reporting. In April 2013, the CFPB began accepting complaints about money transfers. In March 2013, the CFPB expanded the database to include mortgage complaints received since December 1, 2011. This expansion also included the addition of complaints about bank accounts private student loans, and other consumer loans received since March 1, 2012.

In March 2013, the CFPB went live with its Consumer Complaints Database. Some facts about it:

• Contains complaints submitted by more than 90,000 consumers
• Includes 450 companies
• Total complaints received - 131,500
• Complaints cover bank accounts, mortgages, student loans, credit cards, and related consumer loans
• Complaints about credit reporting (e.g., credit reports, credit reporting agencies) will be added later
• 48% of complaints were submited through the CFPB website
• 9% of complaints were submitted bia telephone
• 32% of complaints were received from other rgulators and agencies
• At February 28, 2013, the CFPB sent 109,200 complaints (83%) to companies for review and response. Companies have already responded to 104,100 (95%) of those complaints sent

A typical complaint includes:

"... he type of complaint, the date of submission, the consumer’s ZIP code, and the company that the complaint concerns. The database also includes information about the actions taken on a complaint by those companies – whether the company’s response was timely, how the company responded, and whether the consumer disputed the company’s response. A consumer’s identity and other personal information is not included in the data."

So, similar to reports provided the BBB, the CFPB also tracks the status of complaint resolutionl. The CFPB goes further and includes resolution amounts.

In its summary report, the CFPB listed complaints by financial product type:

The CFPB has received 30,600 credit card complaints. The analysis of credit card complaints received by type:

Credit Card Complaint Type	%
Billing Disputes	15%
Annual Percentage Rate (APR) or interest rate	10%
Identity Theft, Fraud, Embezzlement	8%
Credit Reporting	7%
Closing, Cancel Account	6%
Other	6%
Collection Practices	5%
Late Fee	4%
Credit Card Protection, Debt Protection	4%
Collection Debt Dispute	4%
Total: top 10 credit card complaint types	69%

Of the 30,600 credit card complaints received, the CFPB has forwarded 27,700 (84%) to financial institutions for review and response, and forwarded 10% to other regulatory agencies. 5% of credit card complaints are considered incomplete, and 1% are pending. Companies have already responded to 24,800 (96%) of the complaints forwarded. The CFPB also reported:

"Since December 2011, companies have also had the option of reporting the amount of monetary relief, if any. The median amount of relief reported was approximately $125 with $25 being the most common amount of relief for the approximately 5,300 credit card complaints where companies reported relief. Consumers have disputed approximately 4,200 company responses (18%) to credit card complaints."

The types of mortgage complaints received by the CFPB:

The types of bank account and service complaints received by the CFPB:

The types of student loan complaints received by the CFPB:

The types of consumer loan complaints received by the CFPB:

The types of credit reporting complaints received by the CFPB:

Also, BusinessWeek summed it up quite nicely the impacts of the CFPB Consumer Complaints Database upon responses by financial companies:

"Response times have sped up by 3& percent since the database came online... Steven Ramirez, CEO of data-mining consultancy Beyond the Arc, says his financial industry clients are asking him to find patterns in the CFPB data that show where they’re lagging."

Transparency and information are critical to a healthy, functioning marketplace. It helps everyone: both consumers and financial companies. It helpfs financial institutions improve their customer service, which can lower their costs by reducing account turnover and by retaining customers they'd otherwise lose.

With more information, consumers can make better informed decisions about the products and services they purchase. I like that there is now another option for consumers, besides filing a lawsuit or doing nothing. Consumers can now log complaints which the CFPB forwards to banks and financial institutions for review and resolution.

No business is ever too big to avoid responding to customer complaints. To use a sports analogy: while the playing field is still far from being level, the CFPB Consumer Complaints Database removes a lot of the tilt in the field.

Thanks to the CFPB and its staff for all of their excellent, hard work. Learn more about the CFPB Consumer Complaints Database.

Survey: Consumer Usage And Perceptions About Mobile Banking

Late last month, the Federal Reserve Board (FRB) released the results of its latest survey of mobile usage by consumers for online banking. Key findings:

• 87% of the U.S. adult population has mobile phones
• 52% of mobile phones are smartphones (Internet-enabled)
• 87% of smartphone users accessed their devices to access the Internet during the past week
• 28% of all mobile phone owners used their devices for mobile banking during the past 12 months, up from 21% in December 2011
• 48% of smartphone owners used their devices for mobile banking during the past 12 months, up from 42% in December 2011
• 10% of mobile phone users who don't perform mobile banking expect to do so within the next 12 months

The specific mobile banking tasks consumers said they perform:

• 87% check account balances
• 53% transferr money between accounts
• 21% deposit checks
• 24% of smartphone users made mobile payments during the past 12 months,
• 42% made an online bill payment, down from 47% in 2011
• 6% of smartphone users made a retail point-of-sale payment during the past 12 months, up from 1% in December 2011. 22% want to use their mobile devices for retail purchases

Perceptions about the technology:

• 54% of mobile phone users said the primary reason they do not use their device for mobile banking is that their banking needs were already being met without the use of mobile banking. This is down from 58% in 2011
• 38% said concerns about the security were the primary reason for not us mobile banking. This is down from 42% in 2011
• 49% said security was the second most common reason given for not using mobile banking. This is up from 48% in 2011
• More than a third of mobile phone users who do not use mobile payments don’t see any benefit
  from doing so, and find it easier to pay with another methods (e.g., cash, credit, debit, prepaid)

Other tasks respondents said they use their smartphones for:

• 42% comparison shop while in retail stores
• 32% scan a product’s barcode to find the best price for the item
• 64% percent of those who comparison shop have changed where they purchased the product based on the information found
• 44% browse product reviews or get product information while shopping at a retail store
• 70% of those who browse product reviews have changed the item purchased based on the information found
• 64% of mobile banking users checked their account balance before making a large purchase
  in the past 12 months. About half of them did not purchase an item as a result of their account balance or credit limit

Who uses mobile phones:

• 10% are unbanked (neither they nor their spouse have a checking, savings, or money market account)
• 10% are underbanked (have a bank account, but also use a payroll card, payday lender, check cashier, or auto title loan)
• 59% of the unbanked have access to a mobile phone, half of which are smartphones
• 90% of the underbanked have access to a mobile phone, 56% of which are smartphones
• 49% of the underbanked said they used mobile banking during the past 12 months

The terms "unbanked" and "underbanked" are labels used within the banking industry. The FRB defines mobile banking as using a mobile phone to access a bank account, credit card account, or other financial bank account. So, mobile banking includes using the mobile phone's web browse, text messaging, or application features.

The reasons unbanked consumers gave for why they don't have a checking, savings, or money market account:

How consumers said they use the money from payday loans:

The reasons consumers said for why they don't use mobile banking services:

The reasons consumers said for why they don't use mobile payments:

Consumers' perceptions of the security of mobile phones and mobile banking:

Regarding mobile payments, the report found:

"Despite the increasing availability of phones equipped with near field communication (NFC) chips for use with NFC-based payment services, retailers and consumers appear to be trending toward adoption of non-NFC-based payment services. Indeed, consumers making mobile payments were nearly twice as likely to have used a mobile app or barcode to make their payment as to have made a payment by waving or tapping their phone."

How consumers with checking, savings, or money market accounts do their banking:

• 85% of banked consumers said they had visited a branch and spoke with a teller in the past 12 months
• 74% said they used an ATM machine
• 74% said they used online banking
• 34% said they used telephone banking
• 29% said they used mobile banking

The report's authors concluded:

"The two factors limiting consumer adoption of mobile banking and payments are concerns about the security of the technology and a sense that they don’t offer any real benefits to the user over existing methods for banking or making payments. With regards to security, consumers have actually become more likely in the past year to report that they simply don’t know how safe it is to use mobile banking, suggesting that consumers need to be provided with reliable and accurate information on the level of security associated with the various means of accessing mobile banking. In terms of the value proposition to consumers, the significant number of mobile users who reported an interest in using their phones to receive discounts, coupons, and promotions or to track rewards and loyalty points suggests that tying these services to a mobile payment service would increase the attractiveness of mobile phones as a means of payment."

The FRB's Consumer Research Section sponsored the survey and developed the report. GfK (formerly Knowledge Networks), an online consumer research firm. administered the survey from November 16 to 27, 2012. Nearly 2,600 respondents ages 18 or older completed the survey. The FRB conducted its first mobile survey in December, 2011.

Download the FBR "March 2013 - Survey of Consumers' Use of Mobile Financial Services" report (Adobe PDF, 941 kbytes).

FTC Studies The Accuracy Of Consumer Credit Reports. Plenty Of Errors To Be Fixed By Credit Reporting Agencies

The blog post on Monday discussed the 60 Minutes report about the failures in the dispute process at credit reporting agencies to fix mistakes in consumers' credit reports. Today's post discusses the recent U.S. Federal Trade Commission (FTC) survey, which prompted that news report.

The FTC survey analyzed the accuracy and completeness of consumer credit reports. This was the agency's fifth such report. Section 319 of the 2003 FACT Act requires the FTC to conduct a study of the accuracy and completeness of consumer credit reports.

Major findings from this FTC study:

1. 26% of consumers (262 of 1,001 participants) identified errors on their credit reports that might affect their credit scores. 19% of credit reports (572 of 2,968 reports) had an alleged error reported by participants
2. 20% of consumers had an error that was corrected by a credit reporting agency (CRA) after it was disputed, on at least one of their three credit reports
3. Of the 572 credit reports where an error was submitted, 399 reports (70%) were modified by a credit reporting agency, and 211 (36%) had a credit score changed. Those same 211 credit reports are 7.1% of all credit reports in the study
4. Of the 262 consumers who identified alleged inaccuracies in their credit reports and filed disputes, 206 consumers (80%) had a modification made by a credit reporting agency to their credit report in response to the dispute. Of these, 129 consumers (12.9% of all 1,001 participants) experienced a change in credit score following the dispute process
5. Slightly more than 10% of consumers saw a change in their credit score after the credit reporting agencies fixed errors on their credit reports
6. Approximately 5% of consumers had a maximum credit score change of more than 25 points, while 0.4% of consumers had a maximum score change of more than 100 points

If you skimmed or quickly read the high-level findings or the FTC press release, then you might assume that there is no problem -- and you would be wrong for a several reasons. First, that 20% of consumers found an error in at least one of their credit reports means that about could be as many as 40 million people (20% of the 200 million Americans with credit reports) have at least one error in one of their three credit reports with Experiran, Equifax, or TransUnion. That seems to be a huge error rate.

Second, this error rate is based on a percentage of consumers. Some credit reports had multiple errors in them. So, a more accurate error rate would be based on the number of credit reports with errors compared to the total number of credit reports. Or, an even better error rate would be the average number of errors in a credit report. Third, the report doesn't seems to measure the percentage of error items that credit reporting agencies don't fix which they should have fixed (that's another type of error).

Fourth, that 20% error rate is the number of consumers who reported errors and the credit reporting agencies fixed them. (Explanation below.) A much higher rate of consumers reported errors: 26%. It seems that the real error rate is far higher.

I waded through the 370-page FTC report because credit reports are critical documents. Consumers need them to be accurate do business with lenders, and lenders use these documents constantly. Plus, credit reports contain a lot of important, sensitive, personal information about you, your lifestyle, and the purchases you've made:

"... (1) Identifying information including name, address, birth date, SSN, and previous/alternate names and addresses; (2) Credit account information including information about current and past credit accounts such as mortgages, car loans, credit cards, and installment payments; (3) Public records such as bankruptcies, foreclosures, civil judgments, and tax liens; (4) Collection accounts, which include unpaid debts (such as medical bills) that have been turned over to collection agencies; and (5) Inquiries (subscriber requests to access a consumer credit report)."

When you apply for credit or when a potential lender requests to view your credit report to make a lending decision, a "hard inquiry" results. Too many "hard" inquiries and your credit score can go down. The study identified different types of errors (bold emphasis added):

"... we define a ‘potential error’ as an alleged inaccuracy identified by the participants with the help of the study associate... Lenders often use the credit score associated with a credit report to assess the credit risk of a particular consumer. Therefore, we define a ‘potentially material error’ as an alleged inaccuracy in information that is commonly used to generate credit scores. Information used to generate credit scores include the number of collections accounts, the number of inquiries (hard pulls on a credit file), the number of negative items such as late or missed payments, and other factors. An alleged error is considered potentially material prior to the dispute process simply by its nature as an item used to generate credit scores... We define a ‘confirmed material error’ in several ways, though all rely on a confirmed error being determined as a result of the FCRA dispute process..."

If you are reading this closely, then you realize that credit reports contain errors both in the information used to calculate consumers' credit scores, and in the information not used to calculate credit scores:

"Errors in header information (current/previous address, age, or employment) are not considered in determining a FICO credit score and thus are not defined as material in the context of this study."

In my opinion, this distinction does a disservice to consumers. It tolerates a certain level of sloppiness; that it is okay for credit reporting agencies to get their credit reports mostly correct. Header information elements are no less important than other credit report elements. These header elements could be used to match credit reports for a person with input submitted by lenders and/or within dispute investigations. Second, a credit report is such an important document that it needs to be correct. Period. Credit reports are important because:

• They are used by so many potential lenders
• Consumers pay large sums for credit monitoring services
• Credit reporting agencies share information with data brokers

Errors are errors. Period. They all are important. Fix them all. Decades ago and early in my business career, I learned an important lesson about producing a quality product or service:

"Why spend all this time finding and fixing and fighting when you could prevent the incident in the first place?... It is much less expensive to prevent errors than to rework, scrap, or service them... It is always cheaper to do the job right the first time."

Either the credit reporting agencies haven't learned these lessons about quality, or they intentionally choose not to pursue a goal of zero defects.

To the good, the FTC study looked at error rates among header information from credit reports:

"In cases where a participant identified only an error in header information, the participant was instructed to dispute the error directly with FICO and the participant’s credit report was not redrawn. For the individuals with material errors and header information errors, the outcome for the header information disputes is known. The third most common alleged inaccuracies occur in the data on header information (154 alleged errors on 127 reports, comprising 4.3% of the sample). Note this represents a lower bound of the frequency of header information errors, as reports with errors only in header information are not included. The modification rate for header information is higher than that of other alleged material error types (99 modifications, comprising 64.3% of the disputed header information items)."

In other words, in this study 127 credit reports had 154 alleged errors in the header information, or 1.2 errors on average per credit report. The credit reporting agencies fixed 99 of these 154 alleged errors -- what I would calculate as a 64.3% correction rate for header items. Still, this is still a best-case correction rate, because the above excluded instances where the only error reported by the consumer was in the header information.

The study found that the main types of confirmed material errors (that could affect a consumer's credit score) that were fixed by credit reporting agencies were:

"... errors in the tradeline (consumer accounts) or collections information. The most common alleged inaccuracies occur in the data on tradelines (708 alleged errors on 409 reports, comprising 13.8% of the sample) or collections accounts (502 alleged errors on 223 reports, comprising 7.5% of the sample). The most commonly modified errors are tradeline information errors (395 modifications) and collections information errors (267 modifications)."

The supporting details:

Error Type	# of Alleged Errors	Items Modified #(%)	# Reports with Alleged Errors	Avg. # Alleged Errors / Report	Reports with Errors Modified #(%)
Collections	502	267 (53.2%)	223	2.3	146 (4.9%)
Duplicate Entries	65	30 (46.2%)	39	1.7	27 (0.9%)
Header Information	154	99 (64.3%)	127	1.2	90 (3.0%)
Inquiries	88	48 (54.5%)	48	1.8	34 (1.1%)
Derogatory Public Records	44	25 (56.8%)	35	1.3	20 (0.7%)
Tradeline Information	708	395 (55.8%)	409	1.7	267 (9.0%)
Total	1,561	864 (55.3%)	--	--	--

Note: the report did not provide totals. I calculated that row. Overall, slightly more than half (55.3%) of error items reported by consumers are fixed -- and this chart includes only the material errors that could affect a consumer's credit score. What I found interesting: regardless of the error type, there is consistently more than one error per credit report.

The following chart highlights how often credit reporting agencies co-mingle your information with other persons' information:

Error Type	# of Alleged Errors	# Items "Not Mine" Alleged	Items "Not Mine" Corrected #(%)	# Reports With This Alleged Error	# Reports With "Not Mine" Alleged	Reports With "Not Mine" Corrected #(%)
Collections	502	413	209 (50.6%)	224	190	116 (61.1%)
Inquiries	88	88	48 (53.9%)	48	48	33 (68.8%)
Tradeline Information	708	246	133 (54.1%)	409	144	81 (56.3%)
Total	1,561	747	390 (52.2%)	--	--	--

Again, the report did not calculate the total row. I did. As you can see, credit reporting agencies fixed slightly more than half of errors consumers reported as not theirs. How the researchers calculated the effects on consumers' credit scores from credit report errors:

"After the disputes were filed and completed, the study associate drew new credit reports for the consumer and analyzed whether there were changes to the report in response to the dispute. If there were no changes to the report, the original FICO score is relevant for our calculations and if all the alleged inaccurate items were modified by the CRA, the provisional FICO rescore is the relevant credit score. If only some of the disputed items were changed, the modified report was sent to a FICO analyst for a second rescoring to assess the impact of the modifications. The relevant FICO score at the conclusion of the dispute and rescoring process is then compared to the original FICO score to determine how the credit report inaccuracies affected the consumer credit score."

The reports shared a brief explanation of why credit reporting agencies don't fix errors as consumers who reported errors expect:

"... There are a number of reasons, however, why a CRA may make changes to a credit report that differ from the consumer’s instructions. For example, a consumer may dispute an account balance and instruct the CRA to change the balance to a specific amount (i.e., the consumer alleges what is incorrect and what action by the CRA would set it right). If the CRA cannot confirm the existence of the account with the data furnisher, the account is removed from the consumer’s credit report; in this case the outcome is not what the consumer requested. In addition, a consumer may dispute multiple items on a credit report as inaccurate and the CRA may only modify a subset of the disputed items, thus suggesting that the consumer was correct regarding some of the inaccuracies on the report but not all."

The report shared a brief explanation of why credit reporting agencies may not fix at all any errors reported by consumers:

"... there are some consumers who file disputes and yet the CRA makes no modification to their report. For the purpose of the analysis within this report, these consumers are not defined as having a confirmed material error. It is important to note that these consumers with alleged potentially material errors that are not confirmed through the FCRA dispute process may still have inaccurate items on their credit reports; however, we are unable to verify the inaccuracy within the design of this study..."

So, the 20% error rate (percentage of consumers who reported errors and credit reporting agencies fixed them) in the study is probably the best-case scenario; and the real-world error rate is higher. How? If an error discovered and reported by a consumer cannot be verified via the FCRA dispute process, then the credit reporting agencies does nothing and that error remains in the consumers' credit reports. The 60 Minutes show documented real-world examples where consumers fully documented errors in their credit reports; which the credit reporting agencies proceeded to ignore (sometimes setting a lawsuit later out of court).

This best-case error rate problem is also backed by the research methodology. The research team included members from the University of Missouri, St. Louis (UMSL), the University of Arizona, and the Fair Isaac Corporation (FICO). The research methodology included consumers selected at random:

"... from the population of interest (consumers with credit histories at the three national CRAs). Ultimately, 1,001 study participants reviewed 2,968 credit reports (roughly three per participant) with a study associate who helped them identify potential errors. Study participants were encouraged to use the Fair Credit Reporting Act (“FCRA”) dispute process to challenge potential errors that might have a material effect on the participant’s credit standing (i.e., potentially change the credit score associated with that credit report). When a consumer identified and disputed an error on a credit report, the study associate informed FICO of the disputed items, and FICO generated a provisional FICO score for the report under the assumption that all consumer allegations were correct. After the completion of the FCRA dispute process, study participants were provided with new credit reports and credit scores. Using the provisional FICO score, the new credit reports and credit scores, and the original credit reports and credit scores, we are able to determine the impact on the consumer’s credit score..."

Descriptive information of the study participants:

FICO Credit Score	Age	Education	Race
589 and below: 18.2% 590 - 679: 20.2% 680 - 749: 21.0% 750 - 789: 19.5% 790 and above: 21.2%	18 - 30: 21% 31 - 40: 20% 41 - 50: 15% 51 - 60: 21% 61 and older: 22%	HS diploma or less: 12% Some college: 31% College degree: 30% Graduate study: 26%	White: 78% Black: 12% Other: 9%

The study never looked at credit report accuracy in the regional and smaller credit reporting agencies. So, there are more than three credit reports per person on average, when you include those smaller and regional agencies. More credit reports and probably more errors.

What do I think of this study by the FTC? It highlights several important concepts:

• How you define an "error" matters. In the study, a conservative definition yielded a 9.7% error rate (defined as the as the percentage of consumers) while a more expansive definition yielded a 21% error rate.
• How you define an "error" matters. The study calculated the much-publicized error rate based on the percentage of consumers who reported errors. To me, a better method is to calculate the error rate based on the percentage of credit reports with errors. This lets you proceed to the next level to calculate which which credit reporting agency has the higher (or lower) error rate.
• How you label an "error" matters. While caclulating the percentage of credit reports with errors fixed and/or the percentage of error items fixed by credit reporting agencies, what you label these is important. The study used what I consider to be clumsey labels:  "Percent of All Reports Examined With This Error Modified" and "Percent of Items With Any Allegation of this Type Modified," respectively. Let's call them what they really are: "Report Correction Rate" "Report Item Correction Rate," respectively. Then, we can examine which credit reporting agency does a better job of fixing credit reports. Sadly, the study did not provide this level of detail.
• How you define "investigation" matters: this includes both the FCRA dispute process and what credit reporting agencies actually do (or don't do) to investigate error disputes reported by consumers. The 60 Minutes report mentioned low-wage staff in other countries simply assign code numbers to error reports without performing a substantial, comprehensive investigation -- which most consumers probably expect.
• Which brand of credit score matters: this study used FICO credit scores, while many credit reporting agencies and other retailers sell different brands of credit scores to consumers
• Where you place the "responsibility" matters. The study is consistent with general practice -- for better or worse -- that places the responsibility for finding and reporting errors with consumers. Why aren't the credit reporting agencies held responsible for finding, reporting and fixing errors on their own? Would they find the same errors that consumers found? Or more? Or fewer?

This FTC study is half a loaf at best. Why?

First, it didn't analyze the real problem of actual errors already reported by consumers that were never fixed -- what I call the correction rate. A better study would investigate both error rates and correction rates, by perhaps using an independent third-party to analyze the dispute process and the supporting documents submitted by consumers to credit reporting agencies. This would get at the true heart of the matter: how accurate credit reporting agencies are (or are not) with using the documentation consumers provide. In other words, lets better understand the errors that weren't fixed which should have been fixed by credit reporting agencies.

Second, it is better to define error rates not as a percentage of consumers, but instead based on either the number of credit reports with errors, or the average number of error items in a credit report. Each consumer has at least three credit reports -- one with each of the three major credit reporting agencies: Experian, Equifax, and TransUnion. Some consumers have more credit reports with the smaller, regional credit reporting agencies.

Third, the study perpetuates a current bias that distinguishes between errors used to make credit score decision and errors not used in this calculation. Errors are errors. Period. Credit reports are so important, that they need to be correct. Fourth, the study ignored the smaller and regional credit reporting agencies.

Fourth, the study methodology had 100% of participants review their credit reports. In the real-world, far fewer consumers check their credit reports for accuracy. In its report, the FTC said:

"... In 1992, the Associated Credit Bureaus (later Consumer Data Industry Association, or “CDIA”) commissioned Arthur Andersen & Company to perform a study about credit report accuracy. Using credit applicants who had been denied credit, the Andersen Study found that only 8% requested a copy of their report and 2% of those denied credit disputed information contained in their report. Following the dispute, 3% of the people who received copies of their report had the original decision to deny credit reversed...."

While the report cites other studies, the important point is this: if only 8% or consumers request copies of their credit reports, then it makes sense to pursue ways to engage more consumers with checking their credit reports for accuracy. Business as usual means a lot of errors go unreported and undiscovered. In a truly open market with credit reports, each credit reporting agency would tout its accuracy levels; unlike the current mess. The FTC needs to make it real for consumers by explaining the real-world costs of inaccurate credit reports with real examples of denied credit and loans with higher interest rates.

Fifth, I found the language in the report and study methodology needlessly confusing. It could have been simplified with clearer labels, such as:

• Consumer Dispute Rate: the percentage of consumers that submitted error reports
• Credit Report Dispute Rate: the percentage of credit reports with at least one error reported by consumers
• Credit Report Average Item Dispute Rate: the average number of error items per credit report submitted by consumers
• Gross Credit Report Correction Rate: the percentage of credit reports with (all or some) error items fixed by credit reporting agencies
• Net Credit Report Correction Rate: the percentage of error items in credit reports where all items are fixed by credit reporting agencies
• Gross Item Correction Rate: the average number of error items fixed (all or partial) per credit report
• Net Item Correction Rate: the average number of error items where all items are fixed per credit report

What is your opinion of credit reporting agencies? Of their dispute process? Of the FTC study? Share you thoughts below.

Download the 2013 FTC FACTA report (Adobe PDF, 20.8 Mbytes).

17 Privacy Groups Tell US To Stop Lobbying The European Union As It Considers Stronger Privacy Protections For Consumers

Yesterday, about 18 privacy advocacy groups sent a letter to U.S. Government officials which asked for a meeting and requested assurances that the U.S. not hinder new consumer privacy protections being considered by the Europe Union. The group believes that both the U.S. and Europe need to update and modernize their privacy protections for consumers.

The letter, addressed to the U.S. Attorney General, the Secretary of State, the Acting Secretary of Commerce, and two ambassadors who oversee trade with Europe, was signed by the ACLU, the Center For Digital Democracy, the Electronic Privacy Information Center (EPIC), the Patient Privacy Rights Foundation (PPR), the Privacy Rights Clearinghouse, and a dozen other advocacy organizations. The letter (Adobe PDF, 67k bytes) stated:

"Users around the world are experiencing increases in identity theft, security breaches, government surveillance, and secretive, discriminatory profiling. Users find that personal information given for one purpose is often used for another purpose, often without their knowledge or consent. Our personal data -­‐ our privacy -­‐ is being abused by both the commercial sector and governments... Europeans are working together to update and modernize their framework for privacy protection... There are many important, innovative proposals, as well as the recognition that the process of data protection can be simplified to the benefit of all. Europe is considering both an overarching Data Protection Regulation and a Directive on Law Enforcement..."

After a meeting in Brussels with several of the privacy groups, European Parliament members expressed concerns:

"... that both the US Government and US industry are mounting an unprecedented lobbying campaign to limit the protections that European law would provide... They were concerned about the absence of safeguards for personal data stored in the Cloud..."

The Telegraph reported in February 2012 about the intensive lobbyingby U.S. companies. Reportedly, U.S. lobbyists represent several tech companies including Google, Facebook, and Apple. Earlier this month, a leading privacy expert warned citizens in Europe not to use U.S.-based cloud services due to privacy and spying concerns with the FISA Amendments Act of 2008.

As I see it, the privacy letter accurately described the threats to consumers' information and privacy. This blog has reported about numerous instances of corporate data breaches, mobile apps that collected consumers' sensitive data without notice nor consent, developers that fail to provide privacy policies with their mobile apps, app developers that failed to provide privacy notices for parents about apps for their children, secret tracking of online users, software foisted on users without notice during maintenance updates, and a variety of technologies (e.g., Zombie HTTP cookies, Flash cookies, Zombie E-tags, behavioral exchanges, deep packet inspection, e-readers) used by a variety of companies to snoop and track users' online habits often without notice and consent.

More recently, a company has allegedly collected, stored, shared, and manipulated the metadata associated with photos and videos shared at social networking websites. Data privacy laws clearly have not kept pace with Internet and digital technologies.

The group's letter stated several principles in the proposed EU laws that should guide privacy efforts in both the U.S. and Europe:

"... (1) individual control over the collection and use of personal data; (2) transparency; (3) respect for the context in which data is collected; (4) security; (5) access and correction rights for consumers; (6) data limitation; and (7) accountability... These principles reflect many of the same goals contained in the European privacy initiative. But the key is that these principles must be given legal force..."

A copy of the letter is also available here (Adobe PDF, 67k bytes). Visit the CPDP website to learn more about the meeting held in Brussels last month.

Path Inc. Settles With FTC For COPPA And Privacy Violations With Its Mobile Apps

This morning, the U.S. Federal Trade Commission (FTC) announced that it had reached a settlement with mobile app developer Path for COPPA and privacy violations where users' entire address books were uploaded and stored without notice nor consent. The terms of the settlement require Path Inc. to:

"... establish a comprehensive privacy program and to obtain independent privacy assessments every other year for the next 20 years. The company also will pay $800,000 to settle charges that it illegally collected personal information from children without their parents’ consent."

The Path mobile app enables consumers to create and share journals with up to 150 friends. The app also enables users to upload, store, and share photos, notes, songs they are listening to, and their geolocation. At registration, users share their gender, phone number, and date of birth. The lawsuit filed by the FTC (Adobe PDF, 918 kbytes) alleged that Path:

"Congress enacted COPPA in 1998 to protect the safety and privacy of children online by prohibiting the unauthorized or unnecessary collection of children's personal information online by operators of lnternet websites or online services... In version 2.0 of the Path App for iOS, regardless of whether the user elected to "Add Friends," Defendant automatically collected personal information from users' mobile device contacts (also known as the user's "address book") and stored the personal information on Defendant's servers. For each contact in the user's mobile device address book, Defendant automatically collected and stored the following personal information, if available: first name; last name; address; phone numbers; email addresses; Facebook username; Twitter username; and date of birth. The automatic collection and storage of personal information from the user's mobile device contacts occurred the first time the user launched version 2.0 of the Path App and, if the user signed out of the service, each time the user signed in again. This practice continued until February 8, 2012."

The complaint also alleged:

"From November 14, 2010, through May 4, 2012, Defendant accepted registrations from users who entered a date of birth indicating that the user was under the age of 13. As a result, Defendant knowingly collected email address, first name, last name, date of birth, and if provided, gender and phone number, from approximately 3,000 children under age 13... From November 29, 2011, through February 8, 2012, Defendant also knowingly collected from these children the following personal information for each contact in the child's mobile device address book, if available: first name, last name, address, phone numbers, email addresses, and date of birth... Defendant did not provide parents with a direct notice of its information practices prior to collecting, using, or disclosing children's personal information. Defendant did not obtain verifiable consent from parents prior to collecting, using, or disclosing children's personal information."

The FTC also alleged that Path’s privacy policy deceived consumers by claiming that it automatically collected only certain user information such as IP address, operating system, browser type, address of referring site, and site activity information. Kudos to the FTC for this settlement, although I wish the fine was far more.

However, Path Inc. faces other legal challenges including a class-action lawsuit about similar privacy violations. The class-action suit included more allegations that Path collected and shared more data with other companies, and tracked users with geo-tags.

To learn more, read about the COPPA Rule in the 2013 U.S. Federal Register (Adobe PDF, 590 kbytes).

Video: 5 Easy Steps You Can Do To Avoid Identity Theft

Below is a brief message from the U.S. Federal Trade Commission (FTC) with 5 easy steps you can do to avoid identity theft. Of course there is more you can do, but these 5 steps are a good start:

FTC Amends Rules Regarding Data Collection Of Personal Information Of Minors

Last month, the U.S. Federal Trade Commission (FTC) clarified and strengthened its rules regarding the collection of personal data of minors under the age of 13. In its announcement, the FTC stated:

"1. Modify the list of “personal information” that cannot be collected without parental notice and consent, clarifying that this category includes geolocation information, photographs, and videos;
2. Offer companies a streamlined, voluntary and transparent approval process for new ways of getting parental consent;
3. close a loophole that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent;
4. Extend coverage in some of those cases so that the third parties doing the additional collection also have to comply with COPPA;
5. Extend the COPPA Rule to cover persistent identifiers that can recognize users over time and across different websites or online services, such as IP addresses and mobile device IDs;
6. Strengthen data security protections by requiring that covered website operators and online service providers take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential
7. Require that covered website operators adopt reasonable procedures for data retention and deletion; and
8. Strengthen the FTC’s oversight of self-regulatory safe harbor programs.

The new rules become effective July 1, 2013. The rules are part of the Children's Online Privacy Protection Act (COPPA) enacted in 1998. The COPPA rules include personal information elements such as the child's full name, home address, email address, telephone number, or any other information that would allow someone to identify or contact the child. As they should, the new rules add more data elements. The FTC stated in its blog:

"The definition of personal information now includes geolocation information, as well as photos, videos, and audio files that contain a child’s image or voice. Also covered: persistent identifiers that can be used to recognize a user over time and across different websites or online services. But there’s a notable exception: COPPA’s parental notice and consent requirements don’t kick in if the identifier is used solely to support the internal operations of the site or service."

It strikes me that the above exception, or loophole, could be used to avoid and abuse consumer information. Those "persistent identifiers" are key since they are used by the online advertising networks, and enable both online tracking and behavioral advertising. Plus, there is a long history of repeated abuse of consumers' sensitive personal information by companies using zombie cookies, Flash cookies, zombie e-tags, search hijacking, and leaky apps on mobile devices. In September 2012, the FTC issued guidelines for mobile app developers.

Companies are advised to watch the FTC Children's Privacy page for additional updates.

In an ideal world, COPPA rules would not stop at age 13, but extend to age 18, the usual age of majority. It would have been better if the amended COPPA rules explicitly mentioned facial recognition.

FTC Report On Mobile Apps For Children: Insufficient Privacy Disclosures

In February 2012, the U.S. Federal Trade Commission (FTC) published its first report on mobile apps for children, after surveying apps in both the Google Android and Apple app stores. That report found that apps provided little or no information for parents about privacy disclosures of the apps. It also called upon all companies in the children's app ecosystem -- app developers, app stores, and third parties -- to provide better disclosures regarding data collection and privacy practices.

In December 2012, the FTC published its second report, which went further than the first report by testing some apps against their state privacy policies. The FTC found:

"... many apps included interactive features or shared kids’ information with third parties without disclosing these practices to parents... Since the first kids’ app report was issued, the market for mobile apps has continued to grow at an explosive rate, providing many benefits and conveniences to consumers. As of September 2012, there were over 700,000 apps available in Apple’s App Store, a 40% increase since December 2011, and over 700,000 apps available in Google Play, an 80% increase since the beginning of 2012."

The survey found that apps still aren't providing sufficient privacy disclosures:

"... parents still are not given basic information about the privacy practices and interactive features of mobile apps aimed at kids. Indeed, most apps failed to provide any information about the data collected through the app, let alone the type of data collected, the purpose of the collection, and who would obtain access to the data. Even more troubling, the results showed that many of the apps shared certain information – such as device ID, geolocation, or phone number – with third parties without disclosing that fact to parents. Further, a number of apps contained interactive features – such as advertising, the ability to make in-app purchases, and links to social media – without disclosing these features to parents prior to download."

The survey methodology included a search in each app store for children's apps, a review of the first 480 pages of search results, and the random selection of 200 apps from each app store for a close evaluation. That evaluation included a review for privacy disclosures on each app's promotion page, within the app itself, and the app developer's website. The evaluation included a test of each selected app to determine:

"... whether they contained certain interactive features and whether they collected or transmitted any information from the mobile devices they were tested on... nearly 60% (235) of the apps reviewed transmitted device ID to the developer or, more commonly, an advertising network, analytics company, or other third party... only 20% (81) of the apps reviewed disclosed any information about the app’s privacy practices... 58% (230) of the apps reviewed contained advertising within the app, while only 15% (59) indicated the presence of advertising prior to download. Further, 22% (88) of the apps reviewed contained links to social networking services, while only 9% (36) disclosed such linkage prior to download. In addition, 17% (66) of the apps reviewed contained the ability to make purchases for virtual goods within the app, with prices for each purchase ranging from $0.99 in apps from both app stores, to $9.99 for Google Play apps and $29.99 for Apple store apps..."

An encouraging sign is that consumers and parents are getting the message and flexing their muscle in the marketplace:

"... a recent Pew study found that 54% of app users decided not to install an app once they discovered how much personal information the app would collect. The study also showed that 30% of app users have uninstalled an app that was already on their cell phone because they learned that the app was collecting personal information the users did not wish to share. Consistent with these findings, a recent study by the Berkeley Center for Law and Technology showed that most consumers consider the information on their mobile devices to be private..."

Actions that the FTC to address the lacka of privacy disclosures:

1. Urge app developers to include privacy disclosures by design in mobild apps and provide guidelines,
2. Provide consumers and parents with educational information to help them navigate the mobile app market,
3. Starting investigations to determine if specific apps have violated the Childrens Online Privacy Protection Act (COPPA), and
4. Conduct a third survey of the childrens mobile app market

Download the FTC report: Apps For Kids; Still Not Making The Grade (Adobe PDF, 1.1 Mbytes).

FDIC Publishes Money Guide For Young Adults And Teens

The fall issue of the quarterly Consumer News newsletter published by the Federal Deposit Insurance Corporation (FDIC) includes a money guide for young adults and teenage children. Topics include:

• Choosing and using an account for everyday banking;
• Mobile banking by smart phone;
• Avoiding mistakes with credit cards;
• Building a good credit record;
• Obtaining and repaying student loans;
• Getting a good deal on an auto loan;
• Recovering from debt or bill-payment problems;
• Saving money to meet specific goals, made easier with the help of automated services; and
• Guarding against fraud, including identity theft.

Congress created the FDIC in 1933. The agency insures deposits at the nation's 7,181 banks and savings associations. It ensures the soundness of these institutions by identifying, monitoring and addressing risks. The FDIC is funded by fees it charges to the banks its oversees.

The section of the guide about how to avoid costly mistakes with credit cards includes sound advice:

"1. Read the fine print. Before you apply for a credit card, read all the terms and conditions... 2. You can avoid fees by being aware of your card’s credit limit. If you want your credit card issuer to permit transactions over your credit limit to go through, you must notify your lender that you want that service in advance and will pay the resulting fees... 3. Try to pay the entire balance in full and on time every month. That way, you will avoid interest charges and save money... 4. Think twice before applying for more credit cards. Special promotions, such as low introductory rates or discounts on purchases, make it tempting to apply for additional credit cards. But every time you apply for a card, it appears on your credit report. Multiple applications (called “inquiries” on a credit report) or new cards opened within a short time period can lower your credit score... 5. Take advantage of automated alerts from your card issuer. Many lenders and other companies can send customers messages by cell phone or e-mail, such as payment reminders, balance notifications to let you know if you’re close to your credit limit..."

The section about online banking with your smart phone includes several valuable tips:

"1. Ask your bank about the mobile banking services it offers and how much they may cost... 2. Understand your potential liability for unauthorized transactions... 3. Also be aware that the funds you place on a prepaid card may or may not be protected by FDIC insurance if the bank that holds the money (for you and other customers) were to fail... 4. As with any activity conducted online, keep security in mind. Protect your mobile device with a password that is hard for others to guess. Don’t lend your smartphone to others... Quickly report any unauthorized transactions or other suspicious activity."

You can read the money guide online or download a printable copy (Adobe PDF; 892K Bytes).

NASA Data Breach Affects About 10,000 Employees And Contractors

Last week, the National Aeronautics and Space Administration (NASA) announced a data breach on October 31 where an employee's laptop computer was stolen from a locked car. The laptop contained the sensitive personal information for about 10,000 employees and contractors.

NASA first notified all of its employees in an e-mail message. The agency has contracted with ID Experts to provide free credit monitoring and fraud resolution services for breach victims. In the e-mail message, the agency warned that it make take up to sixty (60) days to notify all affected persons.

The stolen laptop was password protected, but did not have full disk encryption. As a result of the data breach, the agency has mandated that any laptops removed the its offices contain full disk encryption:

"The Administrator and the Chief Information Officer (CIO) have directed that, effective immediately, no NASA-issued laptops containing sensitive information can be removed from a NASA facility unless whole disk encryption software is enabled or the sensitive files are individually encrypted. This applies to laptops containing PII, International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) data, procurement and human resources information, and other sensitive but unclassified (SBU) data."

The agency expects to encrypt all laptops by by December 21, 2012 after which any laptops removed from its offices will have all data encrypted, whether or not that laptop contains sensitive information.

What You Need To Know About Facial Recognition Software And Best Practices Recommended By The FTC

If you use a social networking website like Facebook, then this applies to you. In October, the U.S. Federal Trade Commission (FTC) released a report that included best practices for companies that use facial recognition software with consumer information. Besides the best practices, the report, "Face Facts: Best Practices For Common Uses Of Facial Recognition Technologies" also includes reviews of the facial recognition technologies and sample application.

If you are a Facebook.com member, then you may be aware of how that social networking service uses facial recognition software. Facebook uses the software to help its users identify their friends in photographs, and to encourage its members to "tag" or verify their friends in those photographs.

While traveling recently, I experienced another way Facebook uses facial recognition software. While signing in from a different location in another state, the Facebook.com software challenged my sign-in. I could sign in using a code (since I had both Log-in Approvals and Log-in Notifications enabled), or identify my friends in several photographs. I chose the latter to see how the software works.

The FTC developed its report from a December 8, 2011 workshop and from comments submitted by the public and stakeholders about both the technologies and privacy concerns. The report described several ways the facial recognition software can be used:

"... Facial recognition technologies currently operate across a spectrum ranging from facial detection, which simply means detecting a face in an image, to individual identification, in which an image of an individual is matched with another image of the same individual... In between these two divergent uses are a range of possibilities that include determining the demographic characteristics of a face, such as age range and gender, and recognizing emotions from facial expressions... One company – called SceneTap – has also leveraged the ability to capture age range and gender to determine the demographics of the clientele of bars and nightclubs"

Given this, companies can (and do) use the software to compile from photographs personal data about individuals such gender, age, emotions, location, economic status and connections with other persons. Consider that group photo at a friend's wedding at a private golf course which you posted online, or a group photo at a college reunion. Consider video games like Xbox 360 Kinect that can "see" you. The gaming software can easily be modified to also capture and anlyze your face. Or, consider digital signs or kiosks that are located everywhere from malls to stores to schools to sports arenas:

"... technologies that can determine the gender and age range of the person standing in front of a camera can be placed into digital signs or kiosks, allowing advertisers to deliver an advertisement in real-time based on the demographic of the viewer... Unless these signs are labeled, they often look no different to consumers than digital signs that are not equipped with cameras. Panelists representing companies that currently use facial recognition technologies similarly acknowledged that there are privacy concerns surrounding the use of these technologies..."

It was good to read that a couple industry groups have developed guidelines for the use of digital signs (links added):

"... Point of Purchase Advertising International’s Digital Signage Group (“POPAI”) has developed a code of conduct containing recommendations for marketers to follow in order to maintain ethical data collection practices in retail settings. Similarly, the Digital Signage Federation worked with the Center for Democracy and Technology to craft a voluntary set of privacy guidelines for their members, which include advertisers and digital sign operators..."

I have not reviewed (yet) the documents from these two groups. I hope that it covers both usage and data security to prevent hacked digital signs used by identity criminals. The best practices recommended by the FTC:

"1. Privacy by Design: Companies should build in privacy at every stage of product development.

2. Simplified Consumer Choice: For practices that are not consistent with the context of a transaction or a consumer’s relationship with a business, companies should provide consumers with choices at a relevant time and context.

3. Transparency: Companies should make information collection and use practices transparent."

This list is a good start. However, there are many questions related about the appropriate use of facial recognition technology. Connecticut Senator Richard Blumenthal asked some good questions (bold emphasis added):

"Will a social networking site that uses facial recognition technology to tag friends in photos allow third-party apps to access this face data or create its own data sets from your pictures? Will a store that uses facial recognition technology to identify shoppers check that information against other consumer data to predict customers’ income levels and direct them toward or away from certain products?"

And, should facial recognition be used on children and minors? Should digital signs scan and archive children's facial data? If so, beginning at what age: 13, 14, 18, or all starting at birth? What about facial injuries and medical conditions?

The above recommended best practices lists the items consumers should look for in the privacy policy and/or terms of conditions policy for a website or mobile app. I wish that it had said more about mobile apps, and had attempted to resolve situations where there are several, competing privacy policies (e.g., smart phone users have privacy policies by the mobile device manufacturer, the developer of the operating system for that device, the telecommunications provider, the app developer, and the app store operator). I found the following section of the FTC report particularly important, since it helps consumers evaluate companies that adequately protect your sensitive personal data and privacy:

"... there are at least two scenarios in which companies should obtain consumers’ affirmative express consent before collecting or using biometric data from facial images. First, they should obtain a consumer’s affirmative express consent before using a consumer’s image or any biometric data derived from that image in a materially different manner than they represented when they collected the data. Second, companies should not use facial recognition to identify anonymous images of a consumer to someone who could not otherwise identify him or her, without obtaining the consumer’s affirmative express consent... increased consumer education about the use of facial recognition technologies is of paramount importance and that all stakeholders – including industry, trade associations, consumer and privacy groups, and government entities – should engage in consumer education efforts..."

For privacy reasons, some of my Facebook friends have told me it's okay to post photos about them, but do not tag them in photos. I have my Facebook privacy controls set to review all tags of me in photographs by my friends, which I can either approve or reject.

Download the FTC "Face Facts" report (Adobe PDF). Learn more about the POPAI Digital Signage Group.

Compete Settles With FTC About Alleged Secret Tracking And Data Security

In a press release, the U.S. Federal Trade Commission (FTC) announced that it had reached a settlement with Compete Inc., a Boston-based Internet analytics firm, about alleged data collection without fully notifying consumers and failures to adequately protect the collected information. According to the FTC:

"... Compete got consumers to download its tracking software in several ways, including by urging them to join a “Consumer Input Panel” that was promoted using ads that pointed consumers to Compete’s website, www.consumerinput.com. Compete told consumers that by joining the “Panel” they could win rewards while sharing their opinions about products and services... The proposed settlement will require that Compete obtain consumers’ express consent before collecting any data from Compete software downloaded onto consumers’ computers, that the company delete or anonymize the use of the consumer data it already has collected, and that it provide directions to consumers for uninstalling its software... the settlement bars misrepresentations about the company’s privacy and data security practices and requires that it implement a comprehensive information security program with independent third-party audits every two years for 20 years."

The proposed settlement is open for comment by the public until November 19, 2012. After that time, the FTC will decide whether or not to make the proposed settlement final.

Federal Judge Rules Class Action Against Path Can Proceed On Several Counts

On October 17, a federal judge ruled that a class-action lawsuit against Path Inc. can proceed on several counts. Earlier this year, the class-action suit was filed in federal court in northern California for alleged unfair, deceptive, and unlawful business practices that abused consumers' privacy with a mobile device app that collected address book information without notice nor consent, and allegedly had also installed tracking software on mobile devices without notice nor consent.

In the lawsuit, the plaintiffs had identified three areas of harm by the Path app:

"... (1) diminished mobile device resources, such as storage, battery life, and bandwidth; (2) increased, unexpected, and unreasonable risk to the security of sensitive personal information; and (3) future costs to remove embedded code from media files uploaded through the Path App."

While the court rejected two of these three, it agreed with the plaintiffs who had documented the substantial cost to removed the tracking software from their mobile devices. The court upheld that the plaintiffs had sufficient "standing" to proceed with the class-action. This is good because courts have ruled that some prior class-action suits have failed to show the harm.

Below are the court's rulings on each of the ten (10) claims listed in the original complaint:

Plaintiffs' Claims	Court Ruling On Defendant's Motions To Dismiss
1. Violations of the Electronic Communications Privacy Act 18 U.S.C. 2510	Granted, but claim can be included in suit if amended
2. Violations of the Stored Communications Act	Granted, but claim can be included in suit if amended
3. Violations of the California Computer Crime Law, California Penal Code § 502	Denied
4. Violations of California’s Invasion of Privacy Act, California Penal Code 630	Granted, but claim can be included in suit if amended
5. Violations of the California Unfair Competition Law, California Business and Professions Code 17200	Denied
6. Invasion of Privacy and Seclusion and Public Disclosure of Private Facts	Granted, but claim can be included in suit if amended
7. Negligence	Denied
8. Conversion	Granted, but claim can be included in suit if amended
9. Trespass to Personal Property	Granted, but claim can be included in suit if amended
10. Unjust Enrichment	Denied

Download the court order (322 K bytes; Adobe PDF) in Hernandez v Path.

Equifax And Its Customers To Pay $1.6 Million In FTC Settlement About Alleged Improper List Sales

This morning, the U.S. Federal Trade Commission (FTC) announced that Equifax Information Services LLC., the credit reporting agency, and some of its customers, had agreed to pay $1.6 million to settle allegations about the improper sales of customer lists between January 2008 and early 2010. In a lawsuit (Adobe PDF) filed in U.S. Distrcit Court in Southern California, the FTC alleged that the sales of customer lists violated the Fair Credit Reporting Act (FCRA):

"Defendants buy and sell “prescreened lists,” which are lists of consumers that meet certain pre-selected credit criteria. For example, in this case, Defendants bought and sold “prescreened lists” of consumers who were, among other things, 30, 60, or 90 days late on their mortgage payments... Information such as whether a consumer is 30, 60, or 90 days late on their mortgage bears on, among other things, a consumer’s credit worthiness and credit standing and is used or expected to be used as a factor in determining a consumer’s eligibility for credit. Section 604(f) of the FCRA, 15 U.S.C. §1681b(f), prohibits persons from using or obtaining consumer reports in the absence of a “permissible purpose.” In addition, Section 607(e) of the FCRA, 15 U.S.C. § 1681e(e), requires persons who procure consumer reports for resale to establish and comply with reasonable procedures designed to ensure that the consumer reports are only resold for a permissible purpose. The only permissible purpose for using a prescreened list is to make a firm offer of credit or insurance..."

The following companies and individuals were named as defendants in the complaint:

• Equifax Information Services
• Direct Lending Source, Inc., based in Key Largo, Florida
• Bailey & Associates Advertising, Inc., based in Florida and with in El Paso, Texas and San Diego, California
  Virtual Lending Source, LLC, based in San Diego, California
• Robert M. Bailey, Jr., the Executive Vice President of Direct Lending, Bailey & Associates, and Virtual Lending
• Linda Giordano, President of Direct Lending, Bailey & Associates, and Virtual Lending and an owner of Bailey & Associates and Virtual Lending

Terms of the settlements require Equifax to pay $393,000 for alleged inadequate procedures that led to the sale of lists of consumer information to companies that it should not have sold the information to. According to the FTC, Equifax sold more than 17,000 prescreened lists of consumers to companies including Direct Lending Source, Inc., which subsequently resold some lists to third parties, who used their data to pitch loan modification and debt relief services to people in financial distress. Direct Lending Source will pay a $1.2 million civil penalty,and will be barred from using or selling prescreened lists.

States' Attorney Generals Urge Congress To Reject Payday Lender Bill

On Friday, several states' Attorney Generals announced that they had sent a letter to Congressional leaders urging them to oppose HR 6139, known as the Consumer Credit, Access, Innovation, and Modernization Act. The letter read in part:

"Most states have enacted laws and rules to regulate short term lending, including payday loans. Many of these states have chosen to strike a regulatory balance that preserves access to alternative forms of credit while protecting consumers from repeated debt cycles and other pitfalls associated with such products. H.R. 6139 would turn back existing consumer protections... H.R. 6139 would give nonbank financial services providers – including payday lenders, installment lenders, car-title lenders, prepaid-card issuers, check cashers, and others – access to a federal charter issued by the Office of the Comptroller of the Currency. The bill would totally preempt state licensing laws for nonbank financial services providers... In place of state safeguards, the bill would establish only minimal consumer protections... the bill establishes no standards for determining a consumer’s ability to repay. Moreover, the bill would exempt loans with terms of one year or less from the disclosure requirements of the Truth in Lending Act – the universal standard for measuring the true cost of credit – and substitute a cost metric that is confusing and misleading..."

The letter was sent on Friday October 5, 2012 to House Speaker John Boehner, House Minority Leader Nancy Pelosi, Senate Majority Leader Harry Reid, and Senate Minority Leader Mitch McConnell. 41 states' Attorney Generals signed the letter, including Guam and Puerto Rico.

In Congressional testimony during July 2012, the Office of the Comptroller of the Currency (OCC) stated its concerns:

"The effective result of H.R. 6139 would be to create a class of federally chartered companies (National Consumer Credit Corporations, hereinafter referred to as “NCCCs” or “companies”) focused on consumer credit products of the very nature and character that the OCC has found unacceptable based on consumer protection and safety and soundness concerns. In particular, it is our experience that the profitability of many of the types of small dollar, short-term loans that NCCCs would likely seek to offer is dependent on effectively trapping consumers into a cycle of repeat credit transactions, high fees, and unsustainable debt... The bill will result in a decrease in protections for categories of consumers that may be the most vulnerable. We have ample evidence from the recent financial crisis that the goal of enhanced access to financial products and services must be coupled with assurances that those consumers are subject to meaningful consumer protections and that the firms offering those products and services must do so on a prudent, safe, and sound basis. In this regard, the Consumer Financial Protection Bureau (CFPB) has been provided the authority to issue rigorous, uniform, and nationally-applicable consumer protection standards for financial products and services. It is important that the types of products envisioned for NCCCs not be carved out of coverage of CFPB-administered lending standards..."

There are plenty of examples of this cycle of repeat credit transactions, high fees, and unsustainable debt. In February 2009, CBS News reported about the payday lending industry:

"They've now grown into a $59 billion industry. But six states - Arkansas, Georgia, New Hampshire, North Carolina, Ohio and Oregon as well as the District of Columbia - have now effectively banned these loans... there are 24,000 payday lending stores in America - more than Starbucks and McDonald's combined. They provide 19 million American households a quick way to make ends meet... A typical customer takes out about eight payday loans a year..."

CBS News reported in April 2009:

"The payday loan industry, threatened by Congress with extinction, has deployed well-connected lobbyists and hefty sums of campaign cash to key lawmakers to save itself. The strategy has paid off."

This 2011 news report explained how many layday lenders charge unbelievably high interest rates. Last month, the City of San Francisco negotiated a settlement with payday lender Money Mart (a/k/a Loan Mart), which agreed to pay to $7.5 million to reimburse consumers for alleged illegal lending activities and interest rates as high as 400 percent. Consumers eligible to receive reimbursements may receive payments ranging from $20 to $1,800.

The letter caught my interest for three reasons. First, it seems to avoid unnecessarily the CFPB. Second, it mentioned prepaid-card issuers, which this blog has covered extensively. Banks and non-bank prepaid-card issuers have targeted the same market as payday lenders: consumers who have a checking or savings account and not both (e.g., underbanked), or who have neither (e.g., unbanked). About 8 percent of U.S. households are unbanked, and 20 percent are underbanked. Unbanked and underbanked households are typically non-Asian minorities, low-income, young, and unemployed.

Third, anytime a proposed Congressional bill mentions both "modernization" and financial services, a closer inspection is usually wise. (The Graham-Leach Bliley Act, which repealed Glass-Steagall comes to my mind.) Things often get modernized for some, not for others who really needed it, and there are always unintended consequences. One of the OCC's concerns is money-laundering, which is connected to a host of other global ills. Legislation that creates a new class of financial institutions needs to be well constructed, closely reviewed, an adequately discussed publicly.

The Attorney Generals' letter to Congress is available at the Illinois Attorney General website (Adobe PDF). Download H.R. 6139 (Adobe PDF) and see page 24, lines 3 through 8. That's a deal breaker. And, I suggest that you read the full testimony about H.R. 6139 by the OCC Deputy Comptroller of Compliance Policy (Adobe PDF).

PlaceRaider: Part Of The New Class Of 'Visual Malware'

You may remember news stories during past years where thieves used the Google Earth service to find buildings with valuables on the outside -- roofs made with precious metals, so they could return at night to steal the metal and resell the stolen goods for a profit. Now, imagine a scenario where thieves take over the camera in your smart phone (or tablet) to find valuable items inside homes, to return later when you are away or at work to steal the items they remotely recorded on video.

This sounds like science fiction, eh? Or maybe a fictional episode of NCIS?

Well, it's not science fiction. It's science fact, and the software is available today.

A reader alerted me to an article in Technology Review about PlaceRaider, an Android app already created to secretly record via the victims' mobile devices their personal spaces. With the secretly recorded video, the user can create a three-dimension virtual model of the recorded space:

"... Robert Templeman at the Naval Surface Warfare Center in Crane, Indiana, and a few pals at Indiana University reveal an entirely new class of 'visual malware' capable of recording and reconstructing a user's environment in 3D. This then allows the theft of virtual objects such as financial information, data on computer screens and identity-related information... the malware would be embedded in a camera app that the [victim] would download and run..."

The military applications of this are obvious. It's a stealth method to gather intelligence by recording the battlefield (or urban landscape) before the battle by using malware installed in the enemy's mobile devices. An accurate 3-D virtual model, complete with tools and papers lying about, would enable military officials to plan a more effective and efficient attack -- and know ahead of time what documents to look for and to capture.

An app like this in the hands of identity criminals would be equally devastating. It could secretly record a victim's home office, small business office, doctor's medical records storage area, or similar sensitive interior space. Did you leave credit- or debit cards lying about on your desk or bedroom dresser? PlaceRaider could record the account numbers lying exposed. Did you leave your online banking screen open on your desktop computer monitor? PlaceRaider could record that, too.

Meanwhile, what's a consumer to do? All of the usualy steps:

• Be carefult about the apps you download. Look for trustworthy apps with privacy policies that they comply with
• Install and maintain anti-virus apps on your mobile device(s)
• Password protect your mobile device(s)
• Be careful about which WiFi hotspots you use your mobile device at, just as you would with any other computing device
• Use a mobile VPN connection when appropriate
• Use strong passwords, and change them every 90 or 120 days
• Don't use the same password for all of your online accounts and devices
• Place masking tape over your mobile device's camera lense when not using it for long periods.

Maybe some time soon, mobile device manufacturers will get smart and build lens covers into their mobile devices.

American Express Centurion Bank To Pay $112 Million To Settle Deceptive Credit Card Marketing And Debt Collection Practices

American Express Centurion Bank has agreed to pay $112 million to settle allegations of deceptive credit card marketing and debt collection practices. The Consumer Financial Protection Bureau (CFPB) and the Federal Deposit Insurance Corporation (FDIC) announced the settlement this week.

The FDIC, the Utah Department of Financial Institutions (UDFI), the CFPB, and the Office of the Comptroller of the Currency (OCC), and the Board of Governors of the Federal Reserve System had all took separate actions against the bank. The settlement agreement requires the bank to pay $85 million to reimburse more than 250,000 affected consumers, and to pay $27 million in civil penalties.

The investigations found violations between 2003 and the spring of 2012. The affected consumers included people who had signed up for the American Express "Blue Sky"credit card program. The bank promised them $300 in bonus points that were never provided. According to the CFPB:

"... American Express Centurion Bank and American Express Bank, FSB billed late fees on certain cards based on a percentage of the debt in violation of the Credit CARD Act... American Express Centurion Bank used a credit scoring system that treated charge card applicants differently on the basis of age. For a period of time, the bank did not fully implement the system for applicants over the age of 35. This violated the Equal Credit Opportunity Act because it requires credit scoring systems that take age into account to be properly designed and implemented... American Express Centurion Bank and American Express Bank, FSB failed to report the existence of certain customer disputes to credit bureaus, which is a violation of the Fair Credit Reporting Act... All three of the American Express subsidiaries deceived consumers into believing there were certain benefits to paying off old debt. Consumers were wrongly told that if they paid off the old debt, the payment would be reported to credit bureaus and could improve their credit scores. In fact, American Express was not reporting the payments and the debts were so old that even if they had tried to report them, many of the payments would not have appeared on these consumers’ credit reports or affected their credit scores..."

American Express Centurion Bank, a subsidiary of American Express Travel Related Services Inc., is based in Salt Lake City, Utah. In a press release, the CFPB emphasized that affected consumers do not need to do anything to receive payments:

"...If the consumer no longer holds the American Express card, American Express will mail a check or credit any outstanding balance.Customers who were promised $300 for signing up for a Blue Sky Credit Card will get the $300. Consumers who paid an illegal late fee will be reimbursed, with interest. Consumers who paid old debt in response to deceptive promises to report payment to credit bureaus will be reimbursed the money they paid plus interest. Consumers who were promised their debt would be forgiven but were denied new American Express cards because the debt was not really forgiven, will receive $100 and a pre-approved offer for a new card with terms we and the FDIC find acceptable. If the consumer already paid the waived or forgiven amount in order to get a new card, they will be refunded that amount plus interest."

[Correction: an earlier version mentioned $102 million. The correct amount of reimbursements and penalties equals $112 million.]

Survey: FDIC Releases Results From Latest Survey Of UnBanked And UnderBanked Consumers

Yesterday, the Federal Deposit Insurance Corporation (FDIC) released the results of its "2011 National Survey of Unbanked and Underbanked Households." The FDIC conducts this survey every two years, in a partnership with the U.S. Bureau of the Census. Key findings from the survey:

• "8.2 percent of U.S. households are unbanked. This represents one in 12 households in the nation, or nearly 10 million in total. The proportion of unbanked households increased slightly since the 2009 survey. The estimated 0.6 percentage point increase represents an additional 821,000 unbanked households."
• "20.1 percent of U.S. households are underbanked. This represents one in five households, or 24 million households with 51 million adults. The 2011 underbanked rate in 2011 is higher than the 2009 rate of 18.2 percent..."
• "29.3 percent of households do not have a savings account, while about 10 percent do not have a checking account. About two-thirds of households have both checking and savings accounts."
• "One-quarter of households have used at least one AFS product in the last year, and almost one in ten households have used two or more AFS. In all, 12 percent of households used an AFS product in the last 30 days, including four in ten unbanked and underbanked households."

The survey included responses from about 45,000 households. The term "unbanked" refers to consumers who do not have a checking account nor a savings account. the term "underbanked" refers to consumers who have either a checking account or savings account, but not both. This is important because banks have targeted both unbanked and underbanked consumers with financial products and services-- typically prepaid cards and variations such as flexible spending health-care cards and payroll cards.

These prepaid cards, which often have numerous fees, and offer fewer rights for consumers than both credit cards and debit cards. Industry research has documented the perception by consumers, many of whom have bank accounts, that prepaid cards are a desirable method to avoid the expensive overdraft fees with debit cards. Some additional findings from the survey:

"The highest unbanked and underbanked rates are found among non-Asian minorities, lower-income households, younger households, and unemployed households. Close to half of all households in these groups are unbanked or underbanked compared to slightly more than one-quarter of all households... Among unbanked households, slightly more than half have never had a bank account. Relatively high proportions of Hispanic (14.7 percent) and foreign-born noncitizen households (18.9 percent) have never had an account. The most common reasons why households report they do not have bank accounts are that they feel they do not have enough money for an account, or they do not need or want one."

The specific banking rates by demographic groups:

Demographic Group	UnBanked %	Underbanked %	Fully Banked %
All Households	8.1	20.1	68.8
Black households	21.4	33.9	41.6
Foreign-born, non-citizens	22.2	28.9	45.8
Households experiencing unemployment	22.5	28.0	47.5
Lower income households (less than $15,000)	28.2	21.6	47.6
Unmarried female head of households	19.1	29.5	48.4
Hispanic households	20.1	28.6	48.7
Households with people under age 24	17.4	31.0	49.7

By targeting unbanked and underbanked households, banks are trying to replace pay-day lenders and check cashing services, often referred to as "Alternative Financial Services" (AFS). The survey reported:

"AFS transaction products (i.e., non-bank money orders, non-bank check cashing, and non-bank remittances) are considerably more widely used than AFS credit products (i.e., payday loans, pawn shops, rent-to-own stores, and refund anticipation loans). In the last year, 23.3 percent of households used transaction AFS and 6.0 percent used AFS credit products. The relationship between household banking status and AFS use is complex. A non-trivial share of unbanked households (29.5 percent) do not use any of the AFS providers asked about in the survey, suggesting they rely primarily on cash. However, overall, unbanked households are more active AFS users than underbanked households."

Also, I found these survey results interesting:

"Having a bank account does not guarantee long-term participation in the banking system. Households can and do cycle in and out the banking system over time. For example, nearly half of unbanked households had an account in the past, and nearly half (48.2 percent) of these report that they are likely to join the banking system again in the future... Households with banking experience appear to have more positive perceptions of having an account and rely less on AFS. Unbanked households that previously had a relationship with a financial institution are more likely to see value in having a bank account than unbanked households without this relationship. Previously banked households are more likely to want to open an account in the future..."

Download the FDIC survey (Adobe PDF, 7.9 MBytes).

FTC Publishes 9 Guidelines For Mobile App Developers

Earlier this week, the U.S. Federal Trade Commission (FTC) introduced guidelines for businesses and mobile application (app) developers. The information is in a new guide titled, "Marketing Your Mobile App: Get It Right from the Start." The guide includes nine recommendations:

"1. Tell the truth about what your app can do. Once you start distributing your app, you become an advertiser... Whether it’s what you say on a website, in an app store, or within the app itself, you have to tell the truth. False or misleading claims, as well as the omission of certain important information, can tick off users and land you in legal hot water... If you make objective claims about your app, you need solid proof to back them up before you start selling. The law calls that “competent and reliable evidence.” If you say your app provides benefits related to health, safety, or performance, you may need competent and reliable scientific evidence."

Businesses that are unsure how to back up their claims with scientific evidence can visit the Business Center Blog for more information.

"2. Disclose key information clearly and conspicuously... your disclosures have to be “clear and conspicuous.” What does that mean? That they’re big enough and clear enough that users actually notice them and understand what they say."

"3. Build privacy considerations in from the start... privacy by design... Incorporating privacy protections into your practices, limiting the information you collect, securely storing what you hold on to, and safely disposing of what you no longer need... For any collection or sharing of information that’s not apparent, get users’ express agreement."

"4. Be transparent about your data practices... be clear to users about your practices. Explain what information your app collects from users or their devices and what you do with their data."

You'd think that following these guidelines was obvious, but researchers at M.I.T. recently documented abuses by mobile apps that tracked users' GPS locations and collected users' browser histories without notice nor consent; sometimes, even when the app was supposedly turned off.

"5. Offer choices that are easy to find and easy to use. Give your users tools that offer choices in how to use your app – like privacy settings, opt-outs, or other ways for users to control how their personal information is collected and shared... Make it easy for people to find the tools you offer, design them so they’re simple to use, and follow through by honoring the choices users have made."

"6. Honor your privacy promises... Chances are you make assurances to users about the security standards you apply or what you do with their personal information. At minimum, app developers — like all other marketers — have to live up to those promises. The FTC has taken action against dozens of companies that claimed to safeguard the privacy or security of users’ information, but didn’t live up to their promises... The FTC also has taken action against businesses that made broad statements about their privacy practices, but then failed to disclose the extent to which they collected or shared information with others – like advertisers or other app developers."

"7. Protect kids’ privacy. If your app is designed for children or if you know that you are collecting personal information from kids, you may have additional requirements under the Children’s Online Privacy Protection Act (COPPA) and the FTC’s COPPA Rule. Specifically, under COPPA, any operator whose app is directed to kids under age 13 or who has actual knowledge that a user is under 13 must clearly explain its information practices and get parental consent before collecting personal information from children. App operators also must keep personal information collected from children confidential and secure."

"8. Collect sensitive information only with consent... get users’ affirmative OK before you collect any sensitive data from them, like medical, financial, or precise geolocation information. It’s a mistake to assume they won’t mind."

"9. Keep user data secure. At minimum, you have to live up to the privacy promises you make. But what if you don’t say anything specific about what you do with users’ information? Under the law, you still have to take reasonable steps to keep sensitive data secure."

This is a good list, but in my view the above guidelines are the minimum app developers should do. Ways for businesses and app developers to do better than the FTC minimums:

• Choices for consumers should be opt-in not opt-out
• Consolidate and simplify whenever possible. There are too many privacy policies: mobile device manufacturers, device operating system developers, app stores, telecommunications providers, and the app developer
• Plain language privacy policies, not lawyer speak
• Consistent, easy access. Prior studies have documented sporadic and inconsistent access to privacy policies before app install, after app install, and while the app is running
• Give users an estimate of the daily or monthly consumption by the app, so users can make informed decisions and avoid data plan surprises and overage fees. Auto manufacturers publish mileage estimates. App developers can easily do the same (and should) about data plan consumption by their apps

It is a sad state of affairs when the first guideline has to be, "tell the truth." What do you think mobile apps should do to protect consumers' privacy?

Hacker Group Announces Theft Of 12 Million Apple Mobile Device Identification Numbers

A hacker group has announced the theft of 1 million Apple iPhone UDIDs, or Unique Device Identifcation numbers. The hacker group claimed that the data breach was to highlight the unannounced tracking of US citizens by the Federal Bureau of Investigation (FBI) agency. The Next Web reported:

"During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of ”NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zip codes, cellphone numbers, addresses, etc. the personal details fields referring to people..."

The AntiSec hacker group stole 12 million UDIDs, and has publicly released 1 million of them.

What is a UDID? If you read this blog, then you already know what UDIDs are. Every smart phone, tablet, and mobile device has one: a 40-digit number that uniquely identifies each device. If you switched devices recently, chances are your telecommunications provider (e.g., Sprint, AT&T, Verizon, etc.) probably required that you provide them with the UDID for your new device.

The UDID is a bonanza for companies, marketers, government agencies, and any entity interested in tracking consumers. When matched with your 10-digit phone number and iTunes account, the UDID is a powerful identification (and tracking) tool that allows the compilation of all data, usage, and information on a mobile device to a person: phone calls, email messages, photos, video, text messages, GPS position, phone book, web browser history, apps downloaded, music, movies, and more. That compilation is more extensive since many consumers now use multiple email addresses (e.g., work and personal) on a single mobile device. Parents, who gave their children mobile devices, also need to be aware of the tracking threat. Links between your device's UDID and your Apple iCloud account would enable even more extensive tracking at the document level.

The Huffington Post advises consumers who want to check if their UDID was stolen:

"First, use the website whatsmyudid.com to figure out how to access your UDID, which can easily be found by plugging Apple devices into iTunes. Next, copy and paste the ID into The Next Web's data checker, or use tech consultant Sean MacGuire's website to quickly scan through the hacked IDs."

This blog has reported privacy abuses where app developers and marketers allegedly collected consumers' UDID without notice and without consent, including this class-action suit against Apple and this class-action suit against Ringleader Digital and several other companies. The sad reality is that consumers' UDIDs could already be in a lot more entities' databases, since too many mobile device apps fail to provide privacy policies, and collect data without notice and without consent.

[Update 3:30 pm: one blogger analyzed the data released by the hackers, and concluded it isn't so bad since not much other personal data was stolen. I don't place much weight on this view, as there is no guarantee the hackers released everything stolen.]

[Update 10:00 am: the FBI denies that it has the data the hacker group claimed it has.]