Incentives and Identity Theft

By Chris Hoofnagle

Posted on April 13, 2010


Identity theft has remained at 2003 levels, despite intensified criminal sanctions and public education efforts at reducing the crime. Scholars have framed identity theft as a problem both of having too much privacy in society (i.e. creditors cannot properly identify applicants for accounts), and a problem of privacy architecture (i.e. a lack of a system of rights and responsibilities in data stewardship causes data to leak, leading to an ease of impersonation).

In my latest article, new provisions in the Fair Credit Reporting Act were employed to obtain the application and other business records generated by identity theft impostors. This information was shared with the victims, who indicated whether there were errors on the applications.

The results suggest that the problem is grounded in incentives, not in a problem of too much or too little privacy. Materials from 16 incidents of identity theft were obtained pertaining to 6 individuals who were victims of financial, medical, and criminal identity theft. Every financial credit application contained some type of incorrect personal information, yet credit grantors chose to extend products and services to the impostor. Disconfirming information was apparently ignored, in ways difficult to believe in some cases. For instance, study subject 5 was the victim of multiple incidents of mortgage loan fraud; all three consumer reporting agencies flagged the transactions as suspicious. The impostor was a different race than the victim, used the incorrect date of birth on one application, and a phony address on the others. The impostor even used a fake driver’s license number—one never even issued by the state.

Credit granting companies have many compelling incentives to quickly open new accounts, and in light of this, some fully automate the process (yes, this means that credit is granted without any human review). These incentives create great rewards for the granting company, and significant opportunity costs if the delay in investigating the applicant causes the customer to go elsewhere.

An effective anti-identity-theft approach would consider the incentives embedded in the credit granting markets. These incentives drive credit grantors to make decisions quickly and forgo some basic identity theft prevention strategies. In the paper, I propose that credit grantors internalize the costs of identity theft, by bearing the responsibility to compensate victims for lost time associated with the crime. (Many victims cannot point to financial damages, not even subject 5, who was subjected to the indignity of being pursued by a web of collections agencies--ones that would sell the obligation to others once they learned of the underlying fraud.) So long as more money can be made by issuing credit as quickly as possible, grantors will continue to overlook fraud and pass off some of the costs of this fraud to others.