May an Identity Theft Victim Sue the Lender that Allowed the Thief to Open the Account?
Suppose an identity thief takes out a loan in your name with a lender, defaults, and so blemishes your credit record. Do you have a claim against the lender for opening the account ? (The question of what the lender's obligations in its role as a furnisher of information is dealt with by the FCRA in § 1681s-2 and I won't address that in this post.) Up to now, the answer has usually been no. If you could show that the lender had obtained your credit report and that it lacked a reason to believe that the imposter was in fact you, then under FCRA § 1681b the lender would have obtained your credit report without a proper purpose, and it would be liable. See Andrews v. TRW, Inc., 225 F.3d 1063 (9th Cir. 2000), rev'd on other grounds sub nom. TRW Inc. v. Andrews, 534 U.S. 19 (2001). But often the lender will indeed have a reason to think that you are the person applying for credit. Many common law claims are preempted by FCRA § 1681h(e) and courts have generally rebuffed consumers arguing for creation of a new claim, such as negligent enablement of imposter fraud. See, e.g., Polzer v. TRW, 256 A.D.2d 248, 682 N.Y.S.2d 194 (1st Dept. 1998). But a new case offers more hope to identity theft victims. In Wolfe v. MBNA America Bank, 485 F.Supp.2d 874 (W.D.Tn. 2007), plaintiff alleged that the defendant had issued a credit card to an identity thief using the plaintiff’s name without verifying the accuracy of the information in the identity thief’s application. The court refused to dismiss plaintiff’s negligence claim, saying:
With the alarming increase in identity theft in recent years, commercial banks and credit card issuers have become the first, and often last, line of defense in preventing the devastating damage that identity theft inflicts. Because the injury resulting from the negligent issuance of a credit card is foreseeable and preventable, the Court finds that under Tennessee negligence law, Defendant has a duty to verify the authenticity and accuracy of a credit account application before issuing a credit card. The Court, however, emphasizes that this duty to verify does not impose upon Defendant a duty to prevent all identity theft. The Court recognizes that despite banks utilizing the most reasonable and vigilant verification methods, some criminals will still be able to obtain enough personal information to secure a credit card with a stolen identity. Rather, this duty to verify merely requires Defendant to implement reasonable and cost-effective verification methods that can prevent criminals, in some instances, from obtaining a credit card with a stolen identity. Whether Defendant complied with this duty before issuing a credit card in Plaintiff's name is an issue for the trier of fact. Accordingly, Defendant's motion to dismiss Plaintiff's negligence and gross negligence claims in the first factual context is DENIED.
The court also found that plaintiff’s allegations stated a claim under the Tennessee UDAP statute and were not preempted by the FCRA.
Posted by Jeff Sovern on Thursday, August 02, 2007 at 11:52 AM in Identity Theft | Permalink
This is good news for consumers. Creditors should take extra precautions to prevent opening fraudulent accounts. The calculation by credit issuers of whether to open the new account without verifying the identity of the applicant thereby risking an identity theft versus the cost of losing the consumer's business along with the additional cost of performing due diligence on the application may have changed.
Until now, the value of the loss due to fraud has been deemed a measured risk cost of business compared to the need to sign up new accounts quickly. The more accounts, the greater profit from the business of collecting fees and interest.
For a credit based identity theft to be successful, the address of the victim must somehow be changed or appear to be changed by the perpetrator. This is always the case with true name fraud. With synthetic identity theft, the creditor may be eager to approve the application since the synthesized identity has little or no credit history (more risk, more interest). To verify the application by attempting to contact the consumer based upon skip trace results and not the application would be responsible but bad business, until now.
"Rather, this duty to verify merely requires Defendant to implement reasonable and cost-effective verification methods that can prevent criminals, in some instances, from obtaining a credit card with a stolen identity."
The cost of not performing an ID check on the identity (not the application) may have just increased to the advantage of the American consumer who pays for fraud losses at the check out lane. This is a situation to watch.