"Call Me First" Before Opening A New Account
A "Call Me First" service could be offered as an opt-in service by the credit bureaus as part of the process of providing credit scores to credit grantors when a new account is being opened. In effect, it would serve as an identity and authorization check to make sure that the credit bureau is providing credit information to a credit grantor as part of a legitimate request for a new credit account, and not as part of an identity theft attempt.
How "Call Me First" Could Work
A "Call Me First" service could work like this:
- Interested individuals would need to “register” their identities (ie, their SSNs) on a kind of "Call Me First” list, patterned along the lines of the ever-popular Do Not Call list. A person who can prove that they “own” a particular SSN would provide contact information (phone number, email address, etc.) to the credit bureaus to enable any credit bureau to contact him/her whenever someone attempts to use his/her SSN to establish a new credit account. This would constitute the process of registering an identity on the Call Me First list.
- During the new account opening procedure, a credit grantor contacts a credit bureau and provides the identity information (including SSN) being used by someone seeking to open a new account. Upon receipt of the information, the credit bureau determines whether the claimed identity is registered on the Call Me First list.
- If the claimed identity is registered, the credit bureaus contacts the consumer whose identity is being used, to determine whether he/she is truly the one seeking to establish the new account. This process would be very similar to what credit grantors currently do when they respond to a fraud alert. However, it could incorporate better authentication procedures to verify that the person receiving the call is the person whose identity needs to be verified. For instance, the person contacted may be requested to provide a PIN, or to say something that can be verified as being uttered by the correct person, via speech analysis and speaker verification methods.
- If the person contacted acknowledges that he/she is truly the same person seeking to establish the new account, the credit bureau provides the requested credit file or credit score to the credit grantor.
- If the person contacted does NOT acknowledge that he/she is the same person
requesting the new account, the credit bureau would NOT return any
credit information to the credit grantor making the request. To
reinforce that the request for credit is likely fraudulent, the credit
bureau could also return a statement to the credit grantor that the person whose identity is
being used to open the account specifically does not recognize the new
account request, and requests that the credit grantor NOT establish the
account.
- If the claimed identity is not registered on the Call Me First list, the credit bureau would treat the request for credit information by the credit grantor as it normally would.
A system such as this would seem to provide the benefits of a security freeze, while eliminating many of the disadvantages. While the security freeze is somewhat of a blunt instrument against identity theft, in that it prevents any credit information from being provided unless the freeze is lifted, the Call Me First concept can give individuals more control over the dissemination of their credit information. No longer would it first be necessary to “unfreeze” your credit file at each of the three credit bureaus, and then “refreeze” it later on.
Although the Call Me First concept is also similar to a fraud alert, in that an individual is contacted to gain approval before an account is opened, there may be some advantages if a small number of credit bureaus can be relied upon to contact individuals for the purposes of authenticating requests for new credit accounts, rather than depending on a much larger number of potential credit grantors to do it.
- One possible
advantage is that it may be easier for the major credit bureaus to enforce some
standards or best-practices for authenticating individuals, rather than assuming
that every credit grantor will follow any kind of standard procedures or best-practices for performing this authentication.
- Another advantage to having a credit bureau perform this function is that it may help prevent damage to a consumer's credit history. When credit grantors return negative information to credit bureaus because someone was late in paying a bill, or did not pay at all, the credit bureau has no way of knowing whether this is a result of a credit account that was opened by an identity thief, or whether the non-payment information is legitimate.
If the non-payment information results from an account established by an identity thief, the credit bureau will be recording negative information in the credit history of an identity theft victim, thereby damaging the victim's credit history. Today the credit bureau has no way of knowing the difference, and trusts that the credit grantor has taken steps to ensure that a credit account is legitimate. This may not have been done, or it may have been done inadequately, especially if the consumer had no fraud alert in place.
Authenticating the Consumer to the Credit Bureau
With "Call Me First", the credit bureau must contact a consumer whose identity is registered with the Call Me First list whenever that registered identity is used to establish a new credit account. There are three types of identity verifications that are needed.
- Any identity registered on the Call Me First list must be verified; in other words, it must be verified that the name, birthdate, SSN, and other information provided actually describe the identity of a real person.
- If the identity information is valid, it must be determined whether the identity of the person registering with the Call Me First list is truly defined by this information. In order to do this, it may be necessary to enlist the help of trusted third parties such as a bank where a consumer has an account, or employ other methods such as knowledge-based authentication.
- The credit bureau must ensure that the person it contacts to obtain authorization for releasing the credit file is truly the person listed in the Call Me First list, and not a family member using the same phone number, or someone else.