This is the accessible text file for GAO report number GAO-02-363 
entitled 'Identity Theft: Prevalence and Cost Appear to be Growing' 
which was released on March 1, 2002. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

United States Government Accountability Office: 
GAO: 

Report to Congressional Requesters: 

March 2002: 

Identity Theft: 

Prevalence and Cost Appear to be Growing: 

GA0-02-363: 

Contents: 

Letter: 

Results: 
Concluding Observations: 
Agency Comments: 

Appendix I: Objectives, Scope, and Methodology: 
Objectives: 
Scope and Methodology: 

Appendix II: Prevalence of Identity Theft: 
National Consumer Reporting Agencies: 
FTC Maintains a National Database of Identity Theft Complaints: 
SSA/OIG Fraud Hotline Statistics: 
Department of Justice Law Enforcement Components: 
Department of the Treasury Law Enforcement Components: 
Postal Inspection Service: 

Appendix III: Cost of Identity Theft to the Financial Services 
Industry: 
Direct Fraud Losses: 
Staffing and Cost of Fraud Departments: 
Consumer Confidence in Online or E-Commerce: 

Appendix IV: Cost of Identity Theft to Victims: 
FTC Data on the Cost of Identity Theft to Victims: 
Summary of Our Contacts with Victims: 
Consumer Advocacy Report on the Cost of Identity Theft to 
Victims: 
Additional Observations: 

Appendix V: Cost of Identity Theft to the Federal Criminal 
Justice System: 
Cost of Investigations: 
Cost of Prosecutions: 
Cost of Incarceration: 
Cost of Community Supervision: 

Appendix VI: Contact Points for Reporting Identity Theft and Seeking 
Assistance: 

Appendix VII: GAO Contacts and Staff Acknowledgments: 
GAO Contacts: 
Staff Acknowledgments: 

Tables: 

Table l: Number of Files with Fraud Alerts Posted (Agency A), 1995 
through 2000: 

Table 2: Number of Files with Fraud Alerts Posted (Agency B), July 
1999 through June 2001: 

Table 3: Number of Identity Theft Complaints FTC Received (Nov. 
1999 through Sept. 2001) from Leading States: 

Table 4: Identity Theft Complaints FTC Received (Nov. 1999 through 
Sept. 2001) and Categories of Methods Suspects Used to Obtain Personal 
Information: 

Table 5: Relationship of Suspect to Victim in Identity Theft 
Complaints FTC Received (Nov. 1999 through Sept. 2001): 

Table 6: SSA/OIG Fraud Hotline Statistics on Allegations of SSN Misuse 
and Program Fraud with SSN Misuse Potential: 

Table 7: SSA/OIG Fraud Hotline Statistics on Allegations of SSN Misuse 
That Directly Involve Identity Theft (by Category), March through 
September 2001: 

Table 8: U.S. Attorney Cases Filed Under Statutes Related to Identity 
Fraud: 

Table 9: FBI Accomplishments Under Identity Theft-Related Statutes, 
Fiscal Years 1996 through 2001: 

able 10: Questionable Refund Schemes Detected by IRS: 

Table 11: Secret Service Data on Identity Theft-Related Arrests, Cases 
Closed, and Dollar Losses in Fiscal Years 1998 through 2000: 

Table 12: Postal Inspection Service Identity Theft-Related Arrests, 
Fiscal Years 1996 through 2001: 

Table 13: Percentages of Banks' Total Check Fraud-Related Losses 
Attributable to Identity Theft, 1999: 

Table 14: Percentage of Banks that Regard Identity Theft (True Name 
Fraud) as One of the Top Three Threats Against Deposit Accounts: 

Table 15: MasterCard and Visa Fraud Losses, Calendar Years 1996 
through 2000: 

Table 16: Amount of Expenses Per Bank Devoted to Prevention, 
Detection, Investigation, and Prosecution of Check Fraud, 1999: 

Table 17: Nonmonetary Harm Reported by Identity Theft Complainants to 
FTC (Nov. 1999 through Sept. 2001): 

Table 18: Monetary Losses Reported by Identity Theft Complainants to 
FTC (Nov. 1999 through Sept. 2001): 

Table 19: Summary of GAO's Interviews of Identity Theft Victims: 

Abbreviations: 

ABA: American Bankers Association: 

BOP: Bureau of Prisons: 

CALPIRG: California Public Interest Research Group: 

CRA: consumer reporting agencies: 

EOUSA: Executive Office for U.S. Attorneys: 

FBI: Federal Bureau of Investigation: 

FinCEN: Financial Crimes Enforcement Network: 

FTC: Federal Trade Commission: 

GAO: General Accounting Office: 

IACP: International Association of Chiefs of Police: 

OIG: Office of the Inspector General: 

SSA: Social Security Administration: 

SSA/OIG: Social Security Administration's Office of the Inspector 
General: 

SSN Social Security number: 

[End of section] 

United States General Accounting Office: 
Washington, DC 20548: 

March 1, 2002: 

The Honorable Dianne Feinstein:
Chairwoman: 
The Honorable Jon Kyl: 
Ranking Minority Member:
Subcommittee on Technology, Terrorism and Government Information: 
Committee on the Judiciary:
United States Senate: 

The Honorable Charles E. Grassley: 
United States Senate: 

This report responds to your request that we review and compile the 
latest statistics on the incidence and societal cost of identity 
theft. Generally, as noted in our May 1998 report[Footnote 1] identify 
theft or identity fraud involves "stealing" another person's personal 
identifying information-—such as Social Security number (SSN), date of 
birth, and mother's maiden name-—and then using the information to 
fraudulently establish credit, run up debt, or take over existing 
financial accounts. Later that year, Congress passed legislation-—the 
Identity Theft and Assumption Deterrence Act of 1998 (the Identity 
Theft Act)[Footnote 2]-—which separately made identity theft a 
specific federal crime and recognized that victims include 
individuals, as well as financial institutions and other business 
entities. Also, since 1998, most states have enacted laws that 
criminalize identity theft. 

Specifically, in response to your request, this report provides 
information on: 

* the extent or prevalence of identity theft; 

* the cost of identity theft to the financial services industry, 
[Footnote 3] including direct fraud losses, staffing of fraud 
departments, and effect on consumer confidence in online commerce; 

* the cost of identity theft to victims, including victim productivity 
losses, out-of-pocket expenses, and cost of being denied credit; and; 

* the cost of identity theft to the federal criminal justice system. 

To address these topics, we interviewed responsible officials and 
reviewed documentation obtained from relevant federal agencies—the 
Department of Justice and its components, including the Executive 
Office for U.S. Attorneys (EOUSA) and the Federal Bureau of 
Investigation (FBI); Department of the Treasury and its components, 
including the Secret Service and the Internal Revenue Service (IRS); 
the Social Security Administration's (SSA) Office of the Inspector 
General (OIG); the Postal Inspection Service; and the Federal Trade 
Commission (FTC). Also, we contacted representatives of the three 
national consumer reporting agencies and two payment card associations 
(MasterCard and Visa). Furthermore, at our request and with the 
consent of the victims, FTC provided us with the names and telephone 
numbers of a small cross section of victims (10 total) to interview. 
According to FTC staff, the sample of 10 victims was selected to 
illustrate a range in the extent and variety of the identity theft 
activities reported by victims. The experiences of these 10 victims 
are not statistically representative of all victims. We conducted our 
work from March 2001 to January 2002 in accordance with generally 
accepted government auditing standards. Appendix I presents more 
details about the scope and methodology of our work. 

Results: 

No single hotline or database captures the universe of identity theft 
victims. Some individuals do not even know that they have been 
victimized until months after the fact, and some known victims may 
choose not to report to the police, credit bureaus, or established 
hotlines. Thus, it is difficult to fully or accurately quantify the 
prevalence of identity theft. Some of the often-quoted estimates of 
prevalence range from one-quarter to three-quarters of a million 
victims annually. Usually, these estimates are based on limited 
hotline reporting or other available data, in combination with various 
assumptions regarding, for example, the number of victims who do not 
contact credit bureaus, the FTC, the SSA/OIG, or other authorities. 
Generally speaking, the higher the estimate of identity theft 
prevalence, the greater the (1) number of victims who are assumed not 
to report the crime and (2) number of hotline callers who are assumed 
to be victims rather than "preventative" callers. We found no 
information to gauge the extent to which these assumptions are valid. 
Additionally, there are no readily available statistics on the number 
of victims who may have contacted their banks or credit card issuers 
only and not the credit bureaus or other hotlines. 

Nevertheless, although not specifically or comprehensively 
quantifiable, the prevalence and cost of identity theft seem to be 
increasing, according to the available data we reviewed and many 
officials of the public and private sector entities we contacted. The 
following presents summary information for each of the topics that we 
addressed. More detailed information is presented in appendixes II 
through V, respectively. 

Prevalence of Identity: 

As we reported in 1998, there are no comprehensive statistics on the 
Theft prevalence of identity theft. Similarly, during our current 
review, various officials noted that precise, statistical measurement 
of identity theft trends is difficult due to a number of factors. 
Generally, federal law enforcement agencies do not have information 
systems that facilitate specific tracking of identity theft cases. For 
example, while the amendments made by the Identity Theft Act are 
included as subsection (a)(7) of section 1028, Title 18 of the U.S. 
Code, EOUSA does not have comprehensive statistics on offenses charged 
specifically under that subsection. EOUSA officials explained that, 
except for certain firearms statutes, docketing staff are asked to 
record cases under only the U.S. Code section, not the subsection or 
the sub-subsection. Also, the FBI and the Secret Service noted that 
identity theft is not typically a stand-alone crime; rather, identity 
theft is almost always a component of one or more white-collar or 
financial crimes, such as bank fraud, credit card or access device 
fraud, or the use of counterfeit financial instruments. 

Nonetheless, while recognizing measurement difficulties, a number of 
data sources can be used as proxies or indicators for gauging the 
prevalence of such crime. These sources can include consumer 
complaints and hotline allegations, as well as law enforcement 
investigations and prosecutions of identity theft-related crimes such 
as bank fraud and credit card fraud. Each of these various sources or 
measures seems to indicate that the prevalence of identity theft is 
growing: 

Consumer reporting agency data. Generally, in the view of consumer 
reporting agency officials, the most reliable indicator of the 
incidence of identity theft is the number of 7-year fraud alerts 
placed on consumer credit files. Generally, fraud alerts constitute a 
warning that someone may be using the consumer's personal information 
to fraudulently obtain credit. Thus, a purpose of the alert is to 
advise credit grantors to conduct additional identity verification or 
contact the consumer directly before granting credit. One of the three 
consumer reporting agencies estimated that its 7-year fraud alerts 
involving identity theft increased 36 percent over 2 recent years—from 
about 65,600 in 1999 to 89,000 in 2000.[Footnote 4] A second agency 
reported that its 7-year fraud alerts increased about 53 percent in 
recent comparative 12-month periods; that is, the number increased 
from 19,347 during one 12-month period (July 1999 through June 2000) 
to 29,593 during the more recent period (July 2000 through June 2001). 
The third agency reported about 92,000 fraud alerts[Footnote 5] for 
2000 but was unable to provide information for any earlier year. 
[Footnote 6] Also, due largely to increased public awareness about 
identity theft, the number of inquiries received by the fraud units of 
consumer reporting agencies is at an all-time high. However, an 
industry official opined that the number of inquiries is not a 
reasonable measure of the incidence of identity theft because 
virtually all individuals whose wallet or purse is lost or stolen will 
now call the consumer reporting agencies as a precautionary measure. 

FTC data. From its establishment in November 1999 through September 
2001, FTC's Identity Theft Data Clearinghouse received a total of 
94,100 complaints from victims, including 16,784 complaints 
transferred to the FTC from the SSA/OIG. In the first month of 
operation, the Clearinghouse answered an average of 445 calls per 
week. By March 2001, the average number of calls answered had 
increased to over 2,000 per week. In December 2001, the weekly average 
was about 3,000 answered calls. 

However, FTC officials noted that identity theft-related statistics 
may, in part, reflect enhanced consumer awareness and reporting. 

SSA/OIG data. SSA/OIG has reported a substantial increase in call-ins 
of identity theft-related allegations to its Fraud Hotline in recent 
years. Allegations involving SSN misuse, for example, increased more 
than fivefold, from about 11,000 in fiscal year 1998 to about 65,000 
in fiscal year 2001. To some extent, the increased number of 
allegations may be due to additional Fraud Hotline staffing, which 
increased from 11 to over 50 personnel during this period. However, 
SSA/OIG officials attributed the trend in allegations partly to a 
greater incidence of identity theft. Also, irrespective of staffing 
levels, SSA/OIG data indicate that about 81 percent of all allegations 
of SSN misuse relate directly to identity theft. 

Federal law enforcement data. Generally, although federal law 
enforcement agencies do not have information systems that facilitate 
specific tracking of identity theft cases, the agencies provided us 
case statistics for identity theft-related crimes. Regarding bank 
fraud, for instance, the FBI reported that its arrests increased from 
579 in 1998 to 645 in 2000—-and was even higher (691) in 1999. The 
Secret Service reported that, for recent years, it has redirected its 
identity theft-related efforts to focus on high-dollar, community-
impact cases. Thus, even though the total number of identity theft-
related cases closed by the Secret Service decreased from 8,498 in 
fiscal year 1998 to 7,071 in 2000, the amount of fraud losses 
prevented in these cases increased from a reported average of $73,382 
in 1998 to an average of $217,696 in 2000.[Footnote 7] The Postal
Inspection Service, in its fiscal year 2000 annual report, noted that 
identity theft is a growing trend and that the agency's investigations 
of such crime had "increased by 67 percent since last year." (See 
appendix II.) 

Cost of Identity Theft to the Financial Services Industry: 

We found no comprehensive estimates of the cost of identity theft to 
the financial services industry. Some data on identity theft-related 
losses—such as direct fraud losses reported by the American Bankers 
Association (ABA) and payment card associations—indicated increasing 
costs. Other data, such as staffing of the fraud departments of banks 
and consumer reporting agencies, presented a mixed and/or incomplete 
picture. For example, one consumer reporting agency reported that 
staffing of its fraud department had doubled in recent years, whereas 
another agency reported relatively constant staffing levels. 
Furthermore, despite concerns about security and privacy, the use of e-
commerce has grown steadily in recent years. Such growth may indicate 
greater consumer confidence but may also have resulted from an 
increase in the number of people who have access to Internet 
technology. 

Regarding direct fraud losses, in its year 2000 bank industry survey 
on check fraud, the ABA reported that total check fraud-related losses 
against commercial bank accounts-—considering both actual losses ($679 
million) and loss avoidance ($1.5 billion)-—reached an estimated $2.2 
billion in 1999, which was twice the amount in 1997.[Footnote 8] 
Regarding actual losses, the report noted that the 1999 figure ($679 
million) was up almost 33 percent from the 1997 estimate ($512 
million). However, not all check fraud-related losses were attributed 
to identity theft, which the ABA defined as account takeovers (or true 
name fraud). Rather, the ABA reported that, of the total check fraud-
related losses in 1999, the percentages attributable to identity theft 
ranged from 56 percent for community banks (assets under $500 million) 
to 5 percent for superregional/money center banks (assets of $50 
billion or more), and the average for all banks was 29 percent. 

The two major payment card associations, MasterCard and Visa, use very 
similar (although not identical) definitions regarding which 
categories of fraud constitute identity theft. Generally, the 
associations consider identity theft to consist of two fraud 
categories-—account takeovers and fraudulent applications.[Footnote 9] 
Based on these two categories, the associations' aggregated identity 
theft-related losses from domestic (U.S. operations) rose from $79.9 
million in 1996 to $114.3 million in 2000, an increase of about 43 
percent. The associations' definitions of identity theft-related fraud 
are relatively narrow, in the view of law enforcement, which considers 
identity theft as encompassing virtually all categories of payment 
card fraud. Under this broader definition, the associations' total 
fraud losses from domestic operations rose from about $700 million in 
1996 to about $1.0 billion in 2000, an increase of about 45 percent. 
However, according to the associations, the annual total fraud losses 
represented about 1/10th of 1 percent or less of U.S. member banks' 
annual sales volume during 1996 through 2000. Generally, the fraud 
losses are borne by the respective financial institution that issued 
the payment card. 

To reiterate, regarding direct fraud losses involving payment cards, 
we contacted MasterCard and Visa only. We did not obtain information 
about losses involving other general-purpose cards (American Express, 
Diners Club, and Discover), which account for about 25 percent of the 
market. Also, we did not obtain information about losses involving 
merchant-specific cards issued by retail stores. Furthermore, we did 
not obtain information from various other entities, such as insurance 
companies and securities firms, which may incur identity theft-related 
costs. 

Regarding staffing and cost of fraud departments, in its year 2000 
bank industry survey on check fraud, the ABA reported that the amount 
of resources that banks devoted to check fraud prevention, detection, 
investigation, and prosecution varied according to bank size. For 
check fraud-related operating expenses (not including actual losses) 
in 1999, the ABA reported that over two-thirds of the 446 community 
banks that responded to the survey each spent less than $10,000, and 
about one-fourth of the 11 responding superregional/money center banks 
each spent $10 million or more for such expenses. 

One national consumer reporting agency told us that staffing of its 
Fraud Victim Assistance Department doubled in recent years, increasing 
from 50 individuals in 1997 to 103 in 2001. The total cost of the 
department was reported to be $4.3 million for 2000. Although not as 
specific, a second agency reported that the cost of its fraud 
assistance staffing was "several million dollars." And, the third 
consumer reporting agency said that the number of fraud operators in 
its Consumer Services Center had increased in the 1990's but has 
remained relatively constant at about 30 to 50 individuals since 1997. 

Regarding consumer confidence in online commerce, despite concerns 
about security and privacy, the use of e-commerce by consumers has 
steadily grown. For example, in the year 2000 holiday season, 
consumers spent an estimated $10.8 billion online, which represented 
more than a 50-percent increase over the $7 billion spent during the 
1999 holiday season. Furthermore, in 1995, only one bank had a Web 
site capable of processing financial transactions but, by 2000, a 
total of 1,850 banks and thrifts had Web sites capable of processing 
financial transactions.[Footnote 10] 

The growth in e-commerce could indicate greater consumer confidence 
but could also result from the increasing number of people who have 
access to and are becoming familiar with Internet technology. 
According to an October 2000 Department of Commerce report, Internet 
users comprised about 44 percent (approximately 116 million people) of 
the U.S. population in August 2000. This was an increase of about 38 
percent from 20 months prior.[Footnote 11] According to Commerce's 
report, the fastest growing online activity among Internet users was 
online shopping and bill payment, which grew at a rate of 52 percent 
in 20 months. (See appendix III.) 

Cost of Identity Theft to Victims: 

Identity theft can cause substantial harm to the lives of individual 
citizens-—potentially severe emotional or other nonmonetary harm, as 
well as economic harm. Even though financial institutions may not hold 
victims liable for fraudulent debts, victims nonetheless often feel 
"personally violated" and have reported spending significant amounts 
of time trying to resolve the problems caused by identity theft—-
problems such as bounced checks, loan denials, credit card application 
rejections, and debt collection harassment. 

For the 23-month period from its establishment in November 1999 through
September 2001, the FTC Identity Theft Data Clearinghouse received
94,100 complaints from victims, including complaint data contributed by
SSA/OIG. The leading types of nonmonetary harm cited by consumers were 
"denied credit or other financial services" (mentioned in over 7,000 
complaints) and "time lost to resolve problems" (mentioned in about 
3,500 complaints). Also, in nearly 1,300 complaints, identity theft 
victims alleged that they had been subjected to "criminal 
investigation, arrest, or conviction." Regarding monetary harm, FTC 
Clearinghouse data for the 23-month period indicated that 2,633 
victims reported dollar amounts as having been lost or paid as out-of-
pocket expenses as a result of identity theft. Of these 2,633 
complaints, 207 each alleged losses above $5,000; another 203 each 
alleged losses above $10,000. 

From its database of identity theft victims, after obtaining the 
individuals' consent, FTC provided us the names and telephone numbers 
of 10 victims, whom we contacted to obtain an understanding of their 
experiences. In addition to the types of harm mentioned above, several 
of the victims expressed feelings of "invaded privacy" and "continuing 
trauma." In particular, such "lack of closure" was cited when elements 
of the crime involved more than one jurisdiction and/or if the victim 
had no awareness of any arrest being made. For instance, some victims 
reported being able to file a police report in their state of 
residence but were unable to do so in other states where the 
perpetrators committed fraudulent activities using the stolen 
identities. Only 2 of the 10 victims told us they were aware that the 
perpetrator had been arrested. 

In a May 2000 report, two nonprofit advocacy entities-—the California 
Public Interest Research Group (CALPIRG) and the Privacy Rights 
Clearinghouse—-presented findings based on a survey (conducted in the 
spring of 2000) of 66 identity theft victims who had contacted these 
organizations.[Footnote 12] According to the report, the victims spent 
175 hours, on average, actively trying to resolve their identity theft-
related problems. 

Also, not counting legal fees, most victims estimated spending $100 
for out-of-pocket costs. The May 2000 report stated that these 
findings may not be representative of the plight of all victims. 
Rather, the report noted that the findings should be viewed as 
"preliminary and representative only of those victims who have 
contacted our organizations for further assistance (other victims may 
have had simpler cases resolved with only a few calls and felt no need 
to make further inquiries)." (See appendix IV.) 

Federal Criminal Justice System Costs: 

Regarding identity theft and any other type of crime, the federal 
criminal justice system incurs costs associated with investigations, 
prosecutions, incarceration, and community supervision!' Generally, we 
found that federal agencies do not separately maintain statistics on 
the person hours, portions of salary, or other distinct costs that are 
specifically attributable to cases involving identity theft. As an 
alternative, some of the agencies provided us with average cost 
estimates based, for example, on workyear counts for white-collar 
crime cases—-a category that covers financial crimes, including 
identity theft. 

In response to our request, the FBI estimated that the average cost of 
an investigative matter handled by the agency's white-collar crime 
program was approximately $20,000 during fiscal years 1998 to 2000, 
based on budget and workload data for the 3 years. However, an FBI 
official cautioned that the average cost figure has no practical 
significance because it does not capture the wide variance in the 
scope and costs of white-collar crime investigations. Also, the 
official cautioned that-—while identity theft is frequently an element 
of bank fraud, wire fraud, and other types of white-collar or 
financial crimes—-some cases (including some high-cost cases) do not 
involve elements of identity theft. 

Similarly, Secret Service officials—in responding to our request for 
an estimate of the average cost of investigating financial crimes that 
included identity theft as a component—said that cases vary so much in 
their makeup that to put a figure on average cost is not meaningful. 
Nonetheless, the agency's Management and Organization Division made 
its "best estimate of the average cost" of a financial crimes 
investigation conducted by the Secret Service in fiscal year 2001. The 
resulting estimate was approximately $15,000. Secret Service officials 
noted that this estimate was for a financial crimes investigation and 
not specifically for an identity theft investigation. Also, the 
officials emphasized that, in the absence of specific guidelines 
establishing a standard methodology, average-cost figures provide no 
basis for making interagency comparisons. 

SSA/OIG officials responded that the agency's information systems do 
not record time spent by function to permit making an accurate 
estimate of what it costs the OIG to investigate cases of SSN misuse. 
Also, in commenting on a draft of this report, the Commissioner, SSA, 
said that SSA/OIG's priorities are appropriately targeted to SSA's 
program integrity areas and business processes rather than 
specifically on identity theft, which is investigated by many 
different federal and state agencies. 

Regarding prosecutions, in fiscal year 2000, federal prosecutors dealt 
with approximately 13,700 white-collar crime cases, at an estimated 
average cost of about $11,400 per case, according to EOUSA. The total 
cases included those that were closed in the year, those that were 
opened in the year, and those that were still pending at yearend. 
EOUSA noted that the $11,400 figure was an estimate and that the 
actual cost could be higher or lower. 

According to Bureau of Prisons (BOP) officials, federal offenders 
convicted of white-collar crimes generally are incarcerated in minimum-
security facilities. For fiscal year 2000, the officials said that the 
cost of operating such facilities averaged about $17,400 per inmate. 

After being released from BOP custody, offenders are typically 
supervised in the community by federal probation officers for a period 
of 3 to 5 years. For fiscal year 2000, according to the Administrative 
Office of the United States Courts, the cost of community supervision 
averaged about $2,900 per offender—-which is an average for "regular 
supervision" without special conditions, such as community service, 
electronic monitoring, or substance abuse treatment. (See appendix V.) 

Concluding Observations: 

Since our May 1998 report, various actions—particularly passage of 
federal and state statutes—have been taken to address identity theft. 
The federal statute,[Footnote 14] enacted in October 1998, made 
identity theft a separate crime against the person whose identity was 
stolen, broadened the scope of the offense to include the misuse of 
information as well as documents, and provided punishment—generally, a 
fine or imprisonment for up to 15 years or both. Under U.S. Sentencing 
Commission guidelines—even if (1) there is no monetary loss and (2) 
the perpetrator has no prior criminal convictions—a sentence as high 
as 10 to 16 months incarceration can be imposed. Regarding state 
statutes, at the time of our 1998 report, very few states had specific 
laws to address identity theft. Now, less than 4 years later, a large 
majority of states have enacted identity theft statutes. 

In short, federal and state legislation indicate that identity theft 
has been widely recognized as a serious crime across the nation. As 
such, a current focus for policymakers and criminal justice 
administrators is to ensure that relevant legislation is effectively 
enforced. Given the frequently cross-jurisdictional nature of identity 
theft crime, enforcement of the relevant federal and state laws 
presents various challenges, particularly regarding coordination of 
efforts. Although we have not evaluated them, initiatives designed to 
address these challenges include the following: 

* After enactment of the 1998 Identity Theft Act, the Attorney 
General's Council on White Collar Crime established a Subcommittee on 
Identity Theft. Purposes of the Subcommittee are to foster 
coordination of investigative and prosecutorial strategies and promote 
consumer education programs. Subcommittee leadership is vested in the 
Fraud Section of the Department of Justice's Criminal Division, and 
membership includes representatives from various Justice, Treasury, 
and State Department components; SSA/OIG; the FTC; federal regulatory 
agencies, such as the Office of the Comptroller of the Currency and 
the Federal Deposit Insurance Corporation; and professional 
organizations, such as the International Association of Chiefs of 
Police (IACP), the National Association of Attorneys General, and the 
National District Attorneys Association. 

* Various identity theft task forces, with multiagency participation 
(including state and local law enforcement), have been established to 
investigate and prosecute cases. Such task forces enable law 
enforcement to more effectively pursue cases that have 
multijurisdictional elements, such as fraudulent schemes that involve 
illegal activities in multiple counties or states. At the time of our 
review, the Secret Service was the lead agency in 37 task forces 
across the country that were primarily targeting financial and 
electronic crimes, many of which may include identity theft-related 
elements. 

* Also, under the 1998 Identity Theft Act, the FTC established a toll-
free number for victims to call and is compiling complaint information 
in a national Identity Theft Data Clearinghouse. FTC's Consumer 
Sentinel Network makes this information available to federal, state, 
and local law enforcement. According to FTC staff, use of the Consumer 
Sentinel Network enables law enforcement to coordinate efforts and to 
pinpoint high-impact or other significant episodes of identity theft. 

Furthermore, there is general agreement that, in addition to 
investigating and prosecuting perpetrators, a multipronged approach to 
combating identity theft must include prevention efforts, such as 
limiting access to personal information. In this regard, federal law 
enacted in 1999, the Gramm-Leach-Bliley Act,[Footnote 15] directed 
financial institutions—banks, savings associations, credit unions, 
broker-dealers, investment companies, investment advisers, and 
insurance companies-—to have policies, procedures, and controls in 
place to prevent the unauthorized disclosure of customer financial 
information and to deter fraudulent access to such information. 
Prevention efforts by financial institutions are particularly 
important, given FTC data showing that a large majority of consumer 
complaints regarding identity theft involve financial services—-new 
credit card accounts opened, existing credit card accounts used, new 
deposit accounts opened, and newly obtained loans. 

Finally, given indications that the prevalence and cost of identity 
theft have increased in recent years, most observers agree that such 
crime certainly warrants continued attention from law enforcement, 
industry, and consumers.[Footnote 16] Also, due partly to the growth 
of the Internet and other communications technologies, there is 
general consensus that the opportunities for identity theft are not 
likely to decline. 

Agency Comments: 

On February 5, 2002, we provided a draft of this report for comment to 
the Departments of Justice and the Treasury, FTC, SSA, and the Postal 
Inspection Service. The various agencies either expressed agreement 
with the information presented in the report or provided technical 
comments and clarifications, which have been incorporated in this 
report where appropriate. 

Also, the Commissioner, SSA, offered additional perspectives to 
clarify that the role of the SSA/OIG is to protect SSA's programs and 
operations from fraud, waste, and abuse. That is, the Commissioner 
noted that the SSA/OIG's priorities are appropriately targeted to 
SSA's program integrity areas and business processes. On the other 
hand, the Commissioner said that most identity theft allegations 
referred to SSA/OIG are not related to these areas and processes. The 
Commissioner commented that identity theft is a serious crime and that 
many federal and state agencies have a role in investigating such 
crime. 

As arranged with your offices, unless you publicly announce its 
contents earlier, we plan no further distribution of the report until 
30 days after its issue date. At that time, we will send copies to 
interested congressional committees and subcommittees; the Attorney 
General; the Secretary of the Treasury; the Chief Postal Inspector, 
U.S. Postal Inspection Service; the Commissioner, SSA; and the 
Chairman, FTC. We will also make copies available to others on request. 

If you or your staff have any questions about this report or wish to 
discuss the matter further, please contact me at (202) 512-8777 or 
Danny R. Burton at (214) 777-5600. Other key contributors are 
acknowledged in appendix VII. 

Signed by: 

Richard M. Stana: 
Director, Justice Issues: 

[End of section] 

Appendix I: Objectives, Scope, and Methodology: 

Objectives: 

In response to a request from Senator Dianne Feinstein, Chairwoman, 
and Senator Jon Kyl, Ranking Minority Member, Subcommittee on 
Technology, Terrorism and Government Information, Senate Committee on 
the Judiciary, and Senator Charles E. Grassley, we developed 
information on: 

* the extent or prevalence of identity theft; 

* the cost of identity theft to the financial services industry, 
including direct fraud losses, staffing of fraud departments, and 
effect on consumer confidence in online commerce; 

* the cost of identity theft to victims, including victim productivity 
losses, out-of-pocket expenses, and cost of being denied credit; and; 

* the cost of identity theft to the federal criminal justice system. 

Scope and Methodology: 

The following sections discuss the scope and methodology of our work. 

Extent or Prevalence of Identity Theft: 

To obtain information on the extent or prevalence of identity theft, 
we contacted private and public sector entities that could provide 
broad or national perspectives. For example, we contacted entities 
that operate call-in centers for receiving consumer complaints and 
hotline allegations, as well as federal law enforcement agencies 
responsible for investigating and prosecuting identity theft-related 
crimes. We did not canvass state and local law enforcement agencies. 

In contacting each of the following entities, we obtained relevant 
statistics and discussed with responsible officials any qualifications 
or caveats associated with the data: 

* The three national consumer reporting agencies—-Equifax, Inc.; 
Experian Information Solutions, Inc.; and Trans Union, LLC. Each 
agency has a call-in center that receives complaints or allegations 
from consumers. In obtaining statistics from the three agencies, we 
agreed to report the information in a manner not specifically 
identifiable to the respective agency. 

* The Federal Trade Commission (FTC), which operates a toll-free 
telephone hotline for consumers to report identity theft. 

* The Social Security Administration's Office of the Inspector 
General, which operates a hotline to receive allegations of Social 
Security number misuse and program fraud. 

* Two Department of Justice law enforcement components—the Executive 
Office for U.S. Attorneys (EOUSA) and the Federal Bureau of 
Investigation (FBI). 

* Three Department of the Treasury law enforcement components—the 
Internal Revenue Service (IRS), the Secret Service, and the Financial 
Crimes Enforcement Network (FinCEN). 

* The Postal Inspection Service, a leading federal law enforcement 
agency that investigates the theft of mail or use of the mail to 
defraud individuals or financial institutions. 

Cost of Identity Theft to the Financial Services Industry: 

In obtaining information on the cost of identity theft to the 
financial services industry, we focused on three categories—(1) direct 
fraud losses, (2) staffing and operating cost of fraud departments, 
and (3) consumer confidence in online commerce. Generally, the scope 
of our work focused primarily on obtaining information from banks, two 
payment card associations (MasterCard and Visa), and the national 
consumer reporting agencies. We did not obtain information about fraud 
losses involving other general-purpose cards (American Express, Diners 
Club, and Discover), nor losses involving merchant-specific cards 
issued by retail stores. Furthermore, we did not obtain information 
from various other entities, such as insurance companies and 
securities firms, which may incur identity theft-related costs. 

Regarding direct fraud losses, we reviewed recent surveys of banks 
conducted by the American Bankers Association (ABA). For instance, one 
survey—Deposit Account Fraud Survey Report 2000—provided information 
about the percentages of total check fraud-related losses attributable 
to identity theft in 1999. However, we believe that the results from 
the ABA's Report 2000 should be interpreted with caution. Although the 
ABA surveyed a national probability sample of all commercial and 
savings banks, the overall response rate—that is, the number of 
completed questionnaires divided by the number of sent questionnaires—
was only 11 percent. The response rates stratified by bank size were 
as follows: 

* 10 percent for community banks (assets under $500 million), the 
large majority of all banks. 

* 16 percent for mid-size banks (assets of $500 million to under $5 
billion). 

* 27 percent for regional banks (assets of $5 billion to under $50 
billion). 

* 65 percent for superregional/money center banks (assets of $50 
billion or more). 

Surveys with a low level of responses-—particularly surveys with 
response rates lower than 50 percent-—could be affected by nonresponse 
bias. In other words, if a survey has a low response rate, and if 
respondents are different in important ways from those who did not 
respond, the survey results could be biased. For instance, if banks 
with little or no fraud losses tend not to respond, then survey 
estimates about the percentage of banks nationwide that regard 
identify theft as a problem could be overstated. ABA staff did not 
conduct any follow-up analyses to find out whether the banks that 
responded were different from the banks that did not respond. ABA 
staff said that they were not concerned about the survey's response 
rate because they believed that the survey had adequate coverage of 
banking industry assets and losses by virtue of having a good 
representation of large banks (i.e., regional banks and 
superregional/money center banks). The ABA staff noted, for instance, 
that most assets and dollar losses in the banking industry are with 
larger banks. 

Furthermore, regarding direct fraud losses, two major payment card 
associations (MasterCard and Visa) provided us with information on 
their identity theft-related fraud losses. As mentioned previously, we 
did not obtain information about direct fraud losses involving other 
general-purpose cards (American Express, Diners Club, and Discover), 
nor losses involving merchant-specific cards issued by retail stores. 
However, to obtain additional perspectives on direct fraud losses, we 
contacted the top 14 credit-card issuing banks.[Footnote 17] Six of 
the banks provided us with information. Generally, the other eight 
banks (1) chose not to respond, partly because of concerns about the 
release and use of proprietary information,[Footnote 18] or (2) asked 
that we seek to obtain the information from the Consumer Bankers 
Association.[Footnote 19] However, citing definitional differences 
among financial institutions, the Consumer Bankers Association was 
unable to provide us with information on identity theft-related fraud 
losses. 

Regarding staffing and cost of fraud departments, we obtained 
information from the ABA's 2000 survey report and from the six banks, 
mentioned previously. Also, we contacted each of the three national 
consumer reporting agencies to discuss the staffing levels and the 
costs associated with the respective entity's fraud or victim 
assistance department. 

Furthermore, regarding consumer confidence in online commerce, we 
conducted a literature search and reviewed relevant congressional 
hearings and testimony statements made by officials from FTC, the
Department of Justice, and a major credit card issuer. Also, officials 
at five of the six banks we contacted offered comments about the 
impact of identity theft on consumer confidence in using e-commerce. 

Cost of Identity Theft to Victims: 

In response to our inquiry, FTC staff provided us with statistical 
information on the types of nonmonetary harm (e.g., denied credit or 
other financial services) and monetary harm (e.g., out-of-pocket 
expenses) reported by identity theft victims. This information was 
based on complaints reported to the FTC's Identity Theft Data 
Clearinghouse during the period November 1999 through June 2001. 

Furthermore, at our request and after obtaining the individuals' 
consent, FTC staff provided us with the names and telephone numbers of 
a small cross section of identity theft victims (10 total) to 
interview. According to FTC staff, the 10 victims were selected to 
illustrate the range in the types of identity theft activities 
reported by victims. The experiences of these 10 victims are not 
statistically representative of all identity theft victims. 

Also, we reviewed and summarized information from a May 2000 report 
prepared by two nonprofit advocacy entities-—the California Public 
Interest Research Group (CALPIRG) and the Privacy Rights 
Clearinghouse.[Footnote 20] The report presented findings based on a 
survey (conducted in the spring of 2000) of 66 identity theft victims 
who had contacted these organizations. 

Cost of Identity Theft to the Federal Criminal Justice System: 

As agreed with the requesters' offices, to obtain estimates of the 
cost of identity theft to the criminal justice system, we focused on 
federal agencies only and did not attempt to quantify the cost of 
state and local law enforcement activities. Thus, our efforts focused 
on obtaining information about the cost associated with federal 
investigations, prosecutions, incarceration, and community 
supervision. Generally, we found that federal agencies do not maintain 
cost data specifically attributable to cases involving identity theft. 
Thus, as an alternative, we asked the agencies to provide us with 
average cost estimates based, for example, on white-collar crime cases—
a category that covers financial crimes, including identity theft. 
Specifically, we contacted the following federal agencies: 

* The FBI and the Secret Service were asked to provide data on the 
respective agency's average cost of investigating white-collar crimes. 
The SSA/OIG was asked to provide an estimate for investigating cases 
involving SSN misuse. 

* EOUSA was asked to provide data on the average cost of prosecuting 
white-collar crimes. 

* The federal Bureau of Prisons was asked to provide data on the 
average cost of incarcerating felons convicted of white-collar crimes. 

* The Administrative Office of the United States Courts was asked to 
provide data on the average cost of supervising white-collar crime 
offenders in the community. 

[End of section] 

Appendix II: Prevalence of Identity Theft: 

This appendix presents information about the prevalence of identity 
theft, that is, the extent or incidence of such theft. Some 
individuals do not even know that they have been victimized until 
months after the fact, and some known victims may choose not to report 
to the police, credit bureaus, or established hotlines. Thus, it is 
difficult to fully or accurately quantify the prevalence of identity 
theft. Some of the often-quoted estimates of prevalence range from one-
quarter to three-quarters of a million victims annually. Usually, 
these estimates are based on limited hotline reporting or other 
available data, in combination with various assumptions regarding, for 
example, the number of victims who do not contact credit bureaus, the 
FTC, the SSA/OIG, or other authorities. Generally speaking, the higher 
the estimate of identity theft prevalence, the greater the (1) number 
of victims who are assumed not to report the crime and (2) number of 
hotline callers who are assumed to be victims rather than 
"preventative" callers. We found no information to gauge the extent to 
which these assumptions are valid. Additionally, there are no readily 
available statistics on the number of victims who may have contacted 
their banks or credit card issuers only and not the credit bureaus or 
other hotlines. 

As we reported in 1998, there are no comprehensive statistics on the 
prevalence of identity theft.[Footnote 21] Similarly, during our 
current review, various officials noted that precise, statistical 
measurement of identity theft trends is difficult due to a number of 
factors. The Secret Service noted, for instance, that identity theft 
is not typically a stand-alone crime; rather, identity theft is almost 
always a component of one or more crimes, such as bank fraud, credit 
card or access device fraud, or the use of counterfeit financial 
instruments. Nonetheless, while recognizing measurement difficulties, 
a number of data sources can be used as proxies or indicators for 
gauging the prevalence of such crime. These sources can include 
consumer complaints and hotline allegations as well as law enforcement 
investigations and prosecutions. Each of these various sources or 
measures seems to indicate that the prevalence of identity theft is 
growing. This appendix summarizes statistical and related information 
we obtained from: 

* the three national consumer reporting agencies (CRAs) that have call-
in centers for reporting identity fraud or theft; 

* the Federal Trade Commission (FTC), which maintains a database of
complaints concerning identity theft; 

* the Social Security Administration's Office of the Inspector General 
(SSA/OIG), which operates a hotline to receive allegations of SSN 
misuse and program fraud; and; 

* federal law enforcement agencies-—Department of Justice components, 
Department of the Treasury components, and the Postal Inspection 
Service—-responsible for investigating and prosecuting identity theft-
related cases. 

National Consumer Reporting Agencies: 

Statistics provided to us by the three national CRAs included the 
number and types of fraud alerts placed on consumers' credit files, as 
well as the number of inquiries (call volume) received by the fraud 
units of the CRAs. Generally, fraud alerts constitute a warning that 
someone may be using the consumer's personal information to 
fraudulently obtain credit. Thus, a purpose of the alert is to advise 
credit grantors to conduct additional identity verification or contact 
the consumer directly before granting credit. 

Due largely to increased public awareness about identity fraud, the 
number of inquiries received by the fraud units of CRAs is at an all-
time high. For instance, a senior official of one CRA told us that his 
agency's fraud unit experienced an 84-percent increase in inquires 
from 1998 to 2000. Now, the CRA official opined, virtually all 
individuals whose wallet or purse is lost or stolen will call a CRA as 
a precautionary measure. 

According to industry officials, individuals who suspect that they 
have been the victims of fraud will generally contact all three 
national CRAs rather than just one or two.[Footnote 22] Thus, industry 
officials told us that there probably is a high degree of overlap in 
each CRA's respective fraud statistics. Also, the officials said that 
any large variations in reported statistics among the national CRAs 
are generally the result of different methods for classifying fraud-
related inquiries. 

In obtaining statistics from the three national CRAs, we agreed to 
report the information in a manner not specifically identifiable to 
the respective agency. Thus, in the following sections, we refer to 
the three sources as "Agency A," "Agency B," and "Agency C." 

Agency A: Number of Files with Fraud Alerts: 

Agency A officials provided us with trend statistics on the number of 
individual credit files that had a 7-year fraud alert posted by the 
agency's fraud victim assistance division. Regarding the total number 
of consumers helped by this division, the officials said that the 
number of fraud alert postings is a better indicator than the number 
of consumer contacts with the division. The officials explained that: 

* The number of consumer contacts may include some double counting. 
For instance, the same consumer may call or write the fraud victim 
assistance division more than once. 

* In contrast, for any given time period, the agency will post a fraud 
alert only once to an individual consumer's file. Thus, there is no 
double counting in these statistics. 

Furthermore, the officials noted that, based on the agency's best 
judgment and years of experience with 7-year fraud alert postings, the 
reasons for such postings can be grouped into three categories. 

* About 50 percent of the postings are based on preventative calls 
from consumers rather than actual or verified instances of fraud. 
Generally, these consumers request a fraud alert from the standpoint 
of being "safe rather than sorry"—a preventative approach. 

* Another 25 percent of the postings are based on credit card account 
takeovers. The agency does not define or consider these postings as 
involving "identity fraud." 

* The remaining 25 percent of the postings are based on identity 
fraud. Most of these instances involve fraudulent credit card 
applications. 

Using these groupings and estimated percentages, Agency A officials 
developed the 7-year fraud alert data presented in table 1. As 
indicated, the estimated number of consumers who had their credit 
files impacted by identity fraud increased about threefold in recent 
years—from an estimated 27,800 for calendar year 1995 to an estimated 
89,000 for calendar year 2000. The most recent year's estimated number 
(89,000 consumer files in 2000) represents an increase of about 36 
percent over the 1999 number (65,600). 

Table 1: Number of Files with Fraud Alerts Posted (Agency A), 1995 
through 2000: 

Year fraud alert posted[A]: 1995; 
Expiration year of fraud alert: 2002; 
Number of files with fraud alert[B]: 111,287; 
Reason for fraud alert: preventative (50 percent): 55,600; 
Reason for fraud alert: account takeover (25 percent): 27,800; 
Reason for fraud alert: identity fraud (25 percent): 27,800 

Year fraud alert posted[A]: 1996; 
Expiration year of fraud alert: 2003; 
Number of files with fraud alert[B]: 172,319; 
Reason for fraud alert: preventative (50 percent): 86,200; 
Reason for fraud alert: account takeover (25 percent): 43,100; 
Reason for fraud alert: identity fraud (25 percent): 43,100 

Year fraud alert posted[A]: 1997; 
Expiration year of fraud alert: 2004; 
Number of files with fraud alert[B]: 168,992; 
Reason for fraud alert: preventative (50 percent): 84,500; 
Reason for fraud alert: account takeover (25 percent): 42,200; 
Reason for fraud alert: identity fraud (25 percent): 42,200 

Year fraud alert posted[A]: 1998; 
Expiration year of fraud alert: 2005; 
Number of files with fraud alert[B]: 191,321; 
Reason for fraud alert: preventative (50 percent): 95,700; 
Reason for fraud alert: account takeover (25 percent): 47,800; 
Reason for fraud alert: identity fraud (25 percent): 47,800 

Year fraud alert posted[A]: 1999; 
Expiration year of fraud alert: 2006; 
Number of files with fraud alert[B]: 262,410; 
Reason for fraud alert: preventative (50 percent): 131,200; 
Reason for fraud alert: account takeover (25 percent): 65,600; 
Reason for fraud alert: identity fraud (25 percent): 65,600 

Year fraud alert posted[A]: 2000; 
Expiration year of fraud alert: 2007; 
Number of files with fraud alert[B]: 356,001; 
Reason for fraud alert: preventative (50 percent): 178,000; 
Reason for fraud alert: account takeover (25 percent): 89,000; 
Reason for fraud alert: identity fraud (25 percent): 89,000 

Note: Agency A ran a special scan on the agency's national database to 
produce counts of the number of individual credit files that had a 7-
year fraud alert posted. To array the count data, the agency sorted 
the counts by year of the alert's expiration. According to agency 
officials, most fraud alerts are posted for 7 years, unless the 
consumer requests a shorter period. 

[A] We calculated these dates by subtracting 7 years from the 
expiration year shown in the next column. 

[B] As noted in the table, Agency A officials determined these counts 
based on a special scan of the agency's national database. The agency 
used these counts (and the percentages indicated in the next three 
columns) to calculate the "reason" numbers shown in the respective 
column. We rounded the "reason" numbers to the nearest hundred. 

Source: Consumer reporting agency (Agency A) data. 

[End of table] 

Agency B: Number of Files with Security Alerts or Victim Statements: 

Agency B provides its customers two types of fraud alerts—-a temporary 
or 90-day security alert and a 7-year victim statement. A security 
alert requests that a creditor ask for proof of identification before 
granting credit in that person's name. A victim statement provides 
telephone numbers supplied by the consumer and requests that creditors 
call the consumer before issuing credit in that person's name. 

The officials explained that, if a consumer suspects a fraud-related 
problem, the individual is to initially call the agency's automated 
voice response system, which generates a 90-day security alert on the 
respective credit file. Agency B officials emphasized to us that most 
of these initial calls are not indicators that the individuals have 
been actual victims of fraud. Rather, the officials noted that 
consumers may take action to generate a 90-day security alert for a 
variety of reasons, such as: 

* reaction to a media story on identity fraud; 

* a desire for added protection from identity fraud; 

* suspicion of a relative, coworker, neighbor, or other person; 

* an effort to get out of a legitimate debt or financial obligation; 
or; 

* a host of other reasons not related to fraud. 

Also, after the 90-day security alert is generated, Agency B's policy 
is to provide the consumer a free copy of his or her credit file. This 
policy, according to Agency B officials, is to help ensure that the 
consumer has a better-informed basis for considering his or her 
situation and the need for any further action or assistance. 

Upon receiving and reviewing the credit file copy, the consumer may 
then follow-up with the agency's call center and speak to a fraud 
specialist to discuss any suspicious entries on the file. In so doing, 
the consumer can choose to make a "victim statement," which will have 
the effect of extending the fraud alert from 90 days to 7 years. 

Agency B officials told us that the most reliable indicator of the 
true incidence of identity fraud that the agency could provide is the 
number of 7-year victim statements placed on consumer credit files. 
Relevant statistics (see table 2) provided to us by Agency B indicate 
that the number of 7-year victim statements increased about 53 percent 
in recent comparative 12-month periods; that is, the number increased 
from 19,347 during one 12-month period (July 1999 through June 2000) 
to 29,593 during the more recent period (July 2000 through June 2001). 
Agency B officials pointed out that these numbers are relatively small 
compared with the numbers of initial calls that generated the 90-day 
security alerts. For the more recent 12-month period, for example, the 
number of 7-year victim statements (29,593) equates to about 2.5 
percent of the initial calls that generated 90-day security alerts. 

Table 2: Number of Files with Fraud Alerts Posted (Agency B), July 
1999 through June 2001: 

Initial and follow-up calls from consumers: Initial calls that 
generated 90-day security alerts; 
July 1999 through June 2000: 1,033,180; 
July 2000 through June 2001: 1,198,272; 
Percentage change: +16.0%. 

Initial and follow-up calls from consumers: Some follow-up calls 
generated 7-year victim statements: Follow-up calls; 
July 1999 through June 2000: 81,041; 
July 2000 through June 2001: 73,096; 
Percentage change: -9.8%. 

Initial and follow-up calls from consumers: Some follow-up calls 
generated 7-year victim statements: 7-year victim statements; 
July 1999 through June 2000: 19,347; 
July 2000 through June 2001: 29,593; 
Percentage change: +53.0%. 

Source: Consumer reporting agency (Agency B) data. 

[End of table] 

Agency C: Number of Files Agency C allows consumers to place temporary 
or 6-month fraud alerts on with Fraud Alerts their credit files either 
by (1) using an automated voice response system and choosing the fraud 
option or (2) directly calling the fraud hotline and speaking with an 
operator at the agency's Consumer Services Center. Then, after the 
consumers have had the opportunity to receive and review a copy of 
their files, they have the option of requesting that a longer-term 
fraud alert be placed on their files. The duration of such an alert 
can range from 2 to 7 years, at the discretion of the individual 
consumer. 

An Agency C official told us that the most reliable metric of fraud, 
including identity theft, is the number of files with the longer-term 
(2- to 7-year) fraud alerts. The official said that, in 2000, 
approximately 92,000 consumers called Agency C to place longer-term 
fraud alerts on their files. However, the official said that Agency C 
had no comparative statistics available for earlier years and, thus, 
could not make any observations about trends in the number of such 
fraud alerts. 

The official noted that many consumers who took action to have the 
longer-term fraud alerts placed on their files generally had some 
information—such as documentation from a credit grantor, a police 
report, or an affidavit—indicating that they were the victims of 
fraud. On the other hand, the official also noted that some consumers 
had no direct evidence that they were victims but were uncomfortable 
enough with the information on their credit files to request an 
extended (2- to 7-year) fraud alert. The official explained that 
Agency C does not require consumers to submit any particular type of 
evidence or information in order to have these longer-term fraud 
alerts placed on their files. 

FTC Maintains a National Database of Identity Theft Complaints: 

The Identity Theft and Assumption Deterrence Act of 1998 requires the 
FTC to "log and acknowledge the receipt of complaints by individuals 
who certify that they have a reasonable belief" that one or more of 
their means of identification have been assumed, stolen, or otherwise 
unlawfully acquired. In response to this requirement, in November 
1999, FTC established the Identity Theft Data Clearinghouse (the FTC 
Clearinghouse) to gather information from any consumer who wishes to 
file a complaint or pose an inquiry concerning identity theft. 
[Footnote 23] In November 1999, the first month of operation, the FTC 
Clearinghouse answered an average of 445 calls per week. By March 
2001, the average number of calls answered had increased to over 2,000 
per week. In December 2001, the weekly average was about 3,000 
answered calls. 

At a congressional hearing in September 2000, an FTC official 
testified that Clearinghouse data demonstrate that identity theft is a 
"serious and growing problem.[Footnote 24] Recently, during our 
review, FTC staff cautioned that the trend of increased calls to FTC 
perhaps could be attributed to a number of factors, including 
increased consumer awareness, and may not be due solely or primarily 
to an increase in the incidence of identity theft. From its 
establishment in November 1999 through September 2001, the 
Clearinghouse received a total of 94,100 complaints from identity 
theft victims. As table 3 shows, five states accounted for about 44 
percent of the total complaints. 

Table 3: Number of Identity Theft Complaints FTC Received (Nov. 1999 
through Sept. 2001) from Leading States: 

State: California; 
Number of complaints: 16,147; 
Percentage: 17.2%. 

State: New York; 
Number of complaints: 8,219; 
Percentage: 8.7%. 

State: Texas; 
Number of complaints: 6,775; 
Percentage: 7.2%. 

State: Florida; 
Number of complaints: 6,309; 
Percentage: 6.7%. 

State: Illinois; 
Number of complaints: 4,145; 
Percentage: 4.4%. 

State: Subtotal; 
Number of complaints: 41,595; 
Percentage: 44.2%. 

State: Remaining states and the District of Columbia; 
Number of complaints: 45,175; 
Percentage: 48.0%. 

State: Other[A]; 
Number of complaints: 7,330; 
Percentage: 7.8%. 

State: Total[B]; 
Number of complaints: 94,100; 
Percentage: 100.0%. 

[A] Other refers to identity theft complaints made from U.S. 
territories and other countries, as well as complaints made by 
consumers who do not list their location. 

[B] The total includes identity theft complaints forwarded from 
SSA/OIG to the FTC. The total does not include approximately 36,274 
calls from consumers who were not identity theft victims but were 
seeking information about identity theft. 

Source: FTC's Identity Theft Data Clearinghouse. 

[End of table] 

Furthermore, the FTC data for November 1999 through September 2001 
showed that FTC received 500 or more identity theft complaints from 
each of 13 cities. Of these, New York City had the highest number of 
complaints (3,916), followed by Chicago (1,620), Los Angeles (1,487), 
Houston (1,282), Miami (941), Philadelphia (695), San Francisco (621), 
Las Vegas (572), Phoenix (570), District of Columbia (542), San Diego 
(539), Dallas (537), and Atlanta (517). 

As table 4 shows, of the total identity theft complaints (94,100) 
reported to the FTC during November 1999 through September 2001, the 
majority of the victims (about 62 percent of the complaints) were 
unaware of the methods that the suspects had used to obtain the 
victims' personal information, and in another 18 percent of the cases, 
this type of information was not collected. Of the remaining 19,241 
complaints, or about 20 percent of the 94,100 total complaints 
reported to the FTC for the 23-month period, the victims provided the 
FTC information about the various methods used by suspects. FTC data 
indicated that in cases where the identity theft victim knew how the 
identity theft had occurred, "access through relationship with victim" 
(e.g., family member, neighbor, or coworker) was the most prevalent 
method used by suspects to obtain personal information. Specifically, 
this method accounted for 10,101 complaints for which the victim 
reported one or more methods used to obtain his or her personal 
information. 

Table 4: Identity Theft Complaints FTC Received (Nov. 1999 through 
Sept. 2001) and Categories of Methods Suspects Used to Obtain Personal 
Information: 

Method suspects used to obtain information: Method not known; 
Number of complaints: 58,078; 
Percent: 61.7%. 

Method suspects used to obtain information: Information not collected 
(non-FTC data[A]); 
Number of complaints: 16,781; 
Percent: 17.8%. 

Method suspects used to obtain information: Method known; 
Number of complaints: 19,241; 
Percent: 20.5%. 

Method suspects used to obtain information: Total; 
Number of complaints: 94,100; 
Percent: 100.0%. 

Method-known cases (methods of obtaining personal information were 
reported): Access through relationship with victim; 
Number of complaints: 10,101; 
Percent based on subtotal[C]: 52.5%. 

Method-known cases (methods of obtaining personal information were 
reported): Wallet or purse containing identification was lost or 
stolen; 
Number of complaints: 6,615; 
Percent based on subtotal[C]: 34.4%. 

Method-known cases (methods of obtaining personal information were 
reported): Mail theft or fraudulent address change filed; 
Number of complaints: 2,577; 
Percent based on subtotal[C]: 13.4%. 

Method-known cases (methods of obtaining personal information were 
reported): Application, financial, or employment records compromised; 
Number of complaints: 1,322; 
Percent based on subtotal[C]: 6.9%. 

Method-known cases (methods of obtaining personal information were 
reported): Burglary or break-in; 
Number of complaints: 686; 
Percent based on subtotal[C]: 3.6%. 

Method-known cases (methods of obtaining personal information were 
reported): Internet solicitation or purchase; 
Number of complaints: 462; 
Percent based on subtotal[C]: 2.4%. 

Method-known cases (methods of obtaining personal information were 
reported): Telephone or mail solicitation or purchase; 
Number of complaints: 132; 
Percent based on subtotal[C]: 0.7%. 

Method-known cases (methods of obtaining personal information were 
reported): Other; 
Number of complaints: 1,706; 
Percent based on subtotal[C]: 8.9%. 

Method-known cases (methods of obtaining personal information were 
reported): Information about method not provided[B]; 
Number of complaints: 572; 
Percent based on subtotal[C]: 3.0%. 

Method-known cases (methods of obtaining personal information were 
reported): Subtotal; 
Number of complaints: 19,241[D]. 

[A] Non-FTC data refer to identity theft complaints forwarded from 
SSA/OIG to the FTC. In these complaints, information about the methods 
suspects used was not collected. 

[B] In 572 cases, consumers said that they knew but did not specify 
how the suspects obtained the personal information. 

[C] Percentages add to more than 100 percent because some victims 
reported that the suspect used multiple methods of obtaining the data. 

[D] Details exceed 19,241 because some victims reported that the 
suspect used multiple methods of obtaining data. 

Source: FTC data. 

[End of table] 

Additional information about the 10,101 cases involving "access 
through relationship with victim" is presented in table 5. As shown, 
in 4,629 of the 10,101 cases where the victim knew the suspect, the 
victim and the suspect were family members. However, table 5 further 
indicates that the 10,101 cases represent less than 11 percent of the 
total 94,100 complaints received by the FTC during November 1999 
through September 2001. 

Table 5: Relationship of Suspect to Victim in Identity Theft 
Complaints FTC Received (Nov. 1999 through Sept. 2001): 

Relationship of suspect to victim: Family member; 
Number of complaints: 4,629; 
Percent based on total 94,100 complaints: 4.9%. 

Relationship of suspect to victim: Roommate/cohabitant; 
Number of complaints: 1,137; 
Percent based on total 94,100 complaints: 1.2%. 

Relationship of suspect to victim: Neighbor; 
Number of complaints: 1,003; 
Percent based on total 94,100 complaints: 1.1%. 

Relationship of suspect to victim: Workplace 
coworker/employer/employee; 
Number of complaints: 836; 
Percent based on total 94,100 complaints: 0.9%. 

Relationship of suspect to victim: Otherwise known; 
Number of complaints: 2,496; 
Percent based on total 94,100 complaints: 2.7%. 

Total: 
Number of complaints: 10,101; 
Percent based on total 94,100 complaints: 10.7%. 

Source: FTC data. 

[End of table] 

SSA/OIG Fraud Hotline Statistics: 

SSA/OIG operates a Hotline to receive allegations of fraud, waste, and 
abuse. According to SSA/OIG officials, until about mid-February 2001, 
Hotline staff had no procedures for specifically categorizing any 
incoming calls as involving identity theft allegations. Rather, in 
recent years, the allegations most likely to involve identity theft 
were recorded by Hotline staff as either (1) SSN misuse or (2) program 
fraud, which may contain elements of SSN misuse potential. SSA/OIG 
officials explained these two categories of allegations as follows: 

* Allegations of "SSN misuse" included, for example, incidents wherein 
a criminal used the SSN of another individual for the purpose of 
fraudulently obtaining credit, establishing utility services, or 
acquiring goods. Generally, this category of allegations does not 
directly involve SSA program benefits. 

* On the other hand, allegations of fraud in SSA programs for the aged 
or disabled often entailed some element of SSN misuse. For example, a 
criminal may have used the victim's SSN or other identifying 
information for the purpose of obtaining Social Security benefits. 
When Hotline staff received this type of allegation, it was to be 
classified in the appropriate program fraud category, which may also 
have SSN misuse potential. 

As shown in table 6, the number of Fraud Hotline allegations in both 
of these categories increased substantially in recent years. That is, 
the number of SSN misuse allegations increased more than fivefold, 
from 11,058 in fiscal year 1998 to 65,220 in fiscal year 2001, and the 
number of allegations of program fraud with SSN misuse potential more 
than doubled, from 14,542 in 1998 to 38,883 in 2001. To some extent, 
the increased number of allegations may be due to additional Fraud 
Hotline staffing, which increased from 11 to over 50 personnel during 
this period. However, SSA/OIG officials attributed the trend in 
allegations partly to a greater incidence of identity fraud. 

Table 6: SSA/OIG Fraud Hotline Statistics on Allegations of SSN Misuse 
and Program Fraud with SSN Misuse Potential: 

Fiscal year: 1998; 
Allegations of SSN misuse: 11,058; 
Allegations of program fraud with SSN misuse potential: 14,542. 

Fiscal year: 1999; 
Allegations of SSN misuse: 30,116; 
Allegations of program fraud with SSN misuse potential: 32,260. 

Fiscal year: 2000; 
Allegations of SSN misuse: 46,840; 
Allegations of program fraud with SSN misuse potential: 36,881. 

Fiscal year: 2001; 
Allegations of SSN misuse: 65,220; 
Allegations of program fraud with SSN misuse potential: 38,883. 

Source: SSA/OIG data. 

[End of table] 

As mentioned previously, for most of the years shown in table 7, 
SSA/OIG had no procedures for specifically categorizing incoming calls 
as involving identity theft allegations. However, in 1999, SSA's 
Office of the Inspector General analyzed a sample of SSN misuse 
allegations and determined that 81.5 percent of such allegations 
related directly to identity theft.[Footnote 25] The analysis covered 
a statistical sample of 400 allegations from a universe of 16,375 SSN 
misuse allegations received by the SSA/OIG Fraud Hotline from October 
1997 through March 1999. The analysis did not cover the other category 
presented in table 6, that is, allegations of program fraud with SSN 
misuse potential. Recently, in about mid-February 2001, SSA/OIG 
implemented procedures to routinely and specifically determine which 
Fraud Hotline allegations of SSN misuse involve identity theft. 
[Footnote 26] For example, as table 7 shows, for 7 months (Mar. 
through Sept.) in 2001, the Fraud Hotline received 25,991 identity 
theft allegations, which are arrayed among 16 categories. As shown, 
the most prevalent identity theft category involved credit cards, 
which accounted for 9,488 allegations or almost 37 percent of the 
total identity theft allegations. The next highest identity theft 
category—about 4,600 employment-related allegations—usually involved 
illegal aliens, according to SSA/OIG officials. 

Table 7: SSA/OIG Fraud Hotline Statistics on Allegations of SSN Misuse 
That Directly Involve Identity Theft (by Category), March through 
September 2001: 

Identity theft category: Credit card; 
Number of allegations: 9,488; 
Percentage: 36.5%. 

Identity theft category: Employment; 
Number of allegations: 4,637; 
Percentage: 17.8%. 

Identity theft category: Lost/stolen SSN information (wallet/purse)[A]; 
Number of allegations: 3,421; 
Percentage: 13.2%. 

Identity theft category: Bank fraud; 
Number of allegations: 2,765; 
Percentage: 10.6%. 

Identity theft category: Utility; 
Number of allegations: 2,761; 
Percentage: 10.6%. 

Identity theft category: Tax return; 
Number of allegations: 1,032; 
Percentage: 4.0%. 

Identity theft category: Medical care; 
Number of allegations: 548; 
Percentage: 2.1%. 

Identity theft category: Driver's license; 
Number of allegations: 496; 
Percentage: 1.9%. 

Identity theft category: Housing; 
Number of allegations: 224; 
Percentage: 0.9%. 

Identity theft category: Child support; 
Number of allegations: 171; 
Percentage: 0.7%. 

Identity theft category: Internet; 
Number of allegations: 157; 
Percentage: 0.6%. 

Identity theft category: Government loan; 
Number of allegations: 93; 
Percentage: 0.4%. 

Identity theft category: Bankruptcy; 
Number of allegations: 83; 
Percentage: 0.3%. 

Identity theft category: INS document; 
Number of allegations: 79; 
Percentage: 0.3%. 

Identity theft category: Birth certificate; 
Number of allegations: 24; 
Percentage: 0.1%. 

Identity theft category: Passport; 
Number of allegations: 12; 
Percentage: 0.0%. 

Identity theft category: Total; 
Number of allegations: 25,991; 
Percentage: 100.0%. 

Note: According to the SSA/OIG, the identity theft categories reflect 
the most applicable primary allegation code assigned by the individual 
SSA program specialist who originally received the allegation. Also, 
the SSA/OIG noted that the accuracy of the categorizations cannot be 
confirmed until an allegation is investigated; only about 10 percent 
of all allegations are opened as investigative cases. Furthermore, the 
SSA/OIG noted that its identity theft codes do not include certain 
categories, such as counterfeit SSN cards, trafficking counterfeit SSN 
cards, trafficking legitimate SSN cards, and false statement to obtain 
SSN. 

[A] The SSA/OIG began using this primary allegation code in June 2001. 
The SSA/OIG indicated that the code is used for reports of a lost or 
stolen SSN card where the caller is concerned that his or her SSN may 
be used fraudulently, but no information is provided to indicate that 
the SSN has in fact been misused and no loss has been suffered. 

Source: SSA/OIG data. 

[End of table] 

During this 7-month period, the number of identity theft allegations 
per month increased about 40 percent, from 3,028 in March 2001 to 
4,258 in September 2001. 

Department of Justice Law Enforcement Components: 

Regarding Department of Justice law enforcement actions (e.g., number 
of investigations, arrests, and prosecutions), we obtained identity 
theft-related statistics from the Executive Office for U.S. Attorneys 
(EOUSA) and the Federal Bureau of Investigation (FBI). 

EOUSA Data: 

For fiscal years 1996 through 2000, EOUSA provided us with statistics 
on the number of cases filed under federal statutes related to 
identity fraud. As indicated in table 8: 

* The number of cases filed under 18 U.S.C. § 1028 reflect year-to-
year increases and more than doubled from 314 cases in 1996 to 775 
cases in 2000. 

* The number of cases filed under 18 U.S.C. § 1029 reflect a general 
decrease, and the most recent figure--703 cases in 2000—-is 
considerably lower than the 924 cases filed in 1996. 

* The number of cases filed under 42 U.S.C. § 408 reflect a general 
increase. The number of cases filed increased substantially in 1998, 
when compared with the previous 2 years. And, the number of cases 
filed in 2000 was more than double the number filed in 1996. 

Table 8: U.S. Attorney Cases Filed Under Statutes Related to Identity 
Fraud: 

Fiscal year: 1996; 
18 U.S.C. § 1028 (Identification documents): 314; 
18 U.S.C. § 1029 (Access devices): 924; 
42 U.S.C. § 408 (SSN misuse): 310. 

Fiscal year: 1997; 
18 U.S.C. § 1028 (Identification documents): 404; 
18 U.S.C. § 1029 (Access devices): 864; 
42 U.S.C. § 408 (SSN misuse): 308. 

Fiscal year: 1998; 
18 U.S.C. § 1028 (Identification documents): 550; 
18 U.S.C. § 1029 (Access devices): 752; 
42 U.S.C. § 408 (SSN misuse): 576. 

Fiscal year: 1999; 
18 U.S.C. § 1028 (Identification documents): 568; 
18 U.S.C. § 1029 (Access devices): 675; 
42 U.S.C. § 408 (SSN misuse): 558. 

Fiscal year: 2000; 
18 U.S.C. § 1028 (Identification documents): 775; 
18 U.S.C. § 1029 (Access devices): 703; 
42 U.S.C. § 408 (SSN misuse): 694. 

Source: EOUSA data. 

[End of table] 

Also, in reference to table 8, EOUSA staff made the following 
clarifying comments: 

* A given case may be counted under more than one of the three U.S. 
Code sections because a defendant could have been charged with 
multiple offenses. However, in table 8's statistics for case filings, 
there is no double counting of multiple charges of the same Code 
section, nor of filings under the subsections of that section. For 
instance, if a defendant was charged with two counts of violations 
under 18 U.S.C. § 1028(a)(7) in one case, the relevant statistics 
would still appear as only one case under the 18 U.S.C. § 1028 column 
in table 8. 

* EOUSA has only limited statistical information available at the 
subsection level or the sub-subsection level for offenses charged 
under title 18 of the U.S. Code. Except for certain firearms statutes, 
the case management system requests that cases be recorded under the 
U.S. Code section only, not under the subsection or the sub-
subsection, although this additional information sometimes is 
provided. Thus, these "subsection-level or sub-subsection-level 
statistics" have great potential for underreporting. Also, cases 
involving identity theft or identity fraud are charged under a variety 
of different statutes, and many criminals who commit identity theft 
are charged under statutes relating to these defendants' other crimes. 
With these significant limitations or caveats in mind, EOUSA data 
indicated that, of the 568 cases filed under 18 U.S.C. § 1028 in 
fiscal year 1999, the number of cases with at least one charge of a 
violation of subsection (a)(7) recorded in the EOUSA data base was 24 
cases. And, for fiscal year 2000, of the 775 cases filed under 18 
U.S.C. § 1028, the number of cases with at least one charge of a 
violation of subsection (a)(7) recorded in the EOUSA data base was 68 
cases. 

FBI Data: 

At the time of our review, FBI officials told us that the agency did 
not have the capability to determine the number of statistical 
accomplishments (e.g., arrests and convictions) that have resulted 
from 18 U.S.C. § 1028(a)(7). The officials noted, however, that the 
agency was in the process of developing a system to track the number 
of cases that included identity theft as a component. 

Moreover, regarding case statistics that were presently available, the 
FBI officials offered the following contextual considerations: 

* Even if accomplishments from investigative cases could be isolated 
or tracked to the 1998 act, these cases would not necessarily be an 
accurate reflection on this law. For instance, an open issue would be 
to determine if these cases would have been prosecuted using other 
equally beneficial statutes or not at all. 

* Cases involving identity theft or identity fraud typically are 
classified by the crimes committed using the stolen fraudulent 
identity—classified, for example, as bank fraud, wire fraud, or mail 
fraud. In other words, an individual may not always be charged with 
identity theft but instead be charged with the substantive violations 
carried out using the stolen identity. 

* As other possibilities, a prosecutor may allow an individual who was 
charged with identity theft to plead guilty to other criminal conduct 
charges. 

With these considerations in mind, the FBI provided us with statistics 
showing the agency's accomplishments under identity theft-related 
statutes. Table 9 summarizes the statistics for fiscal years 1996-
2001. As indicated, much of the FBI's enforcement activities involved 
bank fraud cases, which is an area of longstanding responsibility for 
the FBI. 

Table 9: FBI Accomplishments Under Identity Theft-Related Statutes, 
Fiscal Years 1996 through 2001: 

Statute: 18 U.S.C. § 1028 (Identification documents): 

Indictments and informations[B]: 
1996: 33; 
1997: 33; 
1998: 22; 
1999: 55; 
2000: 99; 
2001[A]: 49. 

Arrests: 
1996: 24; 
1997: 17; 
1998: 20; 
1999: 28; 
2000: 40; 
2001[A]: 43. 

Convictions: 
1996: 33; 
1997: 27; 
1998: 17; 
1999: 21; 
2000: 50; 
2001[A]: 29. 

Statute: 18 U.S.C. § 1029 (Access devices); 

Indictments and informations[B]: 
1996: 90; 
1997: 95; 
1998: 114; 
1999: 96; 
2000: 125; 
2001[A]: 39. 

Arrests: 
1996: 38; 
1997: 60; 
1998: 78; 
1999: 69; 
2000: 90; 
2001[A]: 35. 

Convictions: 
1996: 60; 
1997: 80; 
1998: 77; 
1999: 105; 
2000: 74; 
2001[A]: 35. 

Statute: 18 U.S.C. § 1014 (Loan and credit applications); 

Indictments and informations[B]: 
1996: 311; 
1997: 290; 
1998: 235; 
1999: 189; 
2000: 206; 
2001[A]: 94. 

Arrests: 
1996: 58; 
1997: 62; 
1998: 72; 
1999: 38; 
2000: 85; 
2001[A]: 38. 

Convictions: 
1996: 304; 
1997: 242; 
1998: 170; 
1999: 146; 
2000: 121; 
2001[A]: 50. 

Statute: 18 U.S.C. § 1344 (bank fraud); 

Indictments and informations[B]: 
1996: 1,225; 
1997: 1,159; 
1998: 1,305; 
1999: 1,492; 
2000: 1,481; 
2001[A]: 626. 

Arrests: 
1996: 311; 
1997: 468; 
1998: 579; 
1999: 691; 
2000: 645; 
2001[A]: 311. 

Convictions: 
1996: 1,121; 
1997: 896; 
1998: 983; 
1999: 1,047; 
2000: 1,112; 
2001[A]: 449. 

Statute: 42 U.S.C. § 408 (SSN misuse); 

Indictments and informations[B]: 
1996: 85; 
1997: 75; 
1998: 97; 
1999: 119; 
2000: 98; 
2001[A]: 40. 

Arrests: 
1996: 25; 
1997: 15; 
1998: 40; 
1999: 48; 
2000: 62; 
2001[A]: 22. 

Convictions: 
1996: 61; 
1997: 50; 
1998: 62; 
1999: 64; 
2000: 68; 
2001[A]: 23. 

Statute: 15 U.S.C. § 1644 (fraudulent use of credit cards); 

Indictments and informations[B]: 
1996: 11; 
1997: 1; 
1998: 1; 
1999: 1; 
2000: 1; 
2001[A]: 1. 

Arrests: 
1996: 2; 
1997: 0; 
1998: 1; 
1999: 0; 
2000: 0; 
2001[A]: 2. 

Convictions: 
1996: 5; 
1997: 2; 
1998: 2; 
1999: 0; 
2000: 0; 
2001[A]: 1. 

[A] Fiscal year 2001 numbers are as of April 10, 2001. 

[B] Generally, an indictment is an accusation presented in writing by 
a grand jury, charging a person for some criminal offense, whereas an 
information is presented by a competent public officer on his or her 
oath of office. 

Source: FBI data. 

[End of table] 

Department of the Treasury Law Enforcement Components: 

Regarding Department of the Treasury law enforcement actions, we 
obtained identity theft-related statistics from the Internal Revenue 
Service (IRS), the Secret Service, and the Financial Crimes 
Enforcement Network (FinCEN). 

IRS: Many Questionable According to the IRS, many questionable refund 
schemes involve an Refund Schemes Involve element of identity theft or 
identity fraud. However, IRS emphasized that Identity Theft not all 
questionable refund schemes involve this element. For instance, IRS 
noted that many false returns are filed by the true taxpayer using 
false income documents (e.g., W-2s, W-2Gs, and Forms 4852 and 1099) 
with inflated income and/or withholding. 

IRS-Criminal Investigation does not routinely keep statistics as to 
how many questionable refund schemes and questionable returns involve 
some element of identity theft or identity fraud. Thus, IRS told us 
that it is difficult to determine the specific number of schemes, 
refunds, claims, and dollar losses that are solely attributable to 
identity theft or fraud. 

With these caveats in mind and in response to our request, IRS-
Criminal Investigation's Office of Refund Crimes developed statistics 
to reflect its "best effort to show the prevalence of identity fraud." 
That is, for calendar years 1996 through 2000, IRS provided us with 
statistics covering all questionable refund schemes that IRS 
classified as involving a "high frequency" of identity theft or 
identity fraud—schemes very likely to have elements of this type of 
crime (see table 10). In 2000, for example, IRS detected a total of 
3,085 such schemes, consisting of 35,185 questionable tax returns that 
claimed a total of $783 million in refunds. According to IRS 
officials, the agency's detection efforts in that year prevented 
payment of $757 million. 

Table 10: Questionable Refund Schemes Detected by IRS: 

Calendar year: 1996; 
Questionable refund schemes: 2,458;
Questionable returns detected: 24,919; 
Refunds claimed: $82 million; 
Refunds stopped: $69 million. 

Calendar year: 1997; 
Questionable refund schemes: 2,857; 
Questionable returns detected: 30,936; 
Refunds claimed: $108 million; 
Refunds stopped: $95 million. 

Calendar year: 1998; 
Questionable refund schemes: 2,810; 
Questionable returns detected: 31,155; 
Refunds claimed: $98 million; 
Refunds stopped: $77 million. 

Calendar year: 1999; 
Questionable refund schemes: 2,406; 
Questionable returns detected: 31,532; 
Refunds claimed: $689 million; 
Refunds stopped: $667 million. 

Calendar year: 2000; 
Questionable refund schemes: 3,085; 
Questionable returns detected: 35,185; 
Refunds claimed: $783 million; 
Refunds stopped: $757 million. 

Calendar year: Total; 
Questionable refund schemes: 13,616; 
Questionable returns detected: 153,727; 
Refunds claimed: $1.760 billion; 
Refunds stopped: $1.665 billion. 

Source: IRS, Criminal Investigation. 

[End of table] 

Secret Service Data: 

According to the Secret Service, the vast majority of financial crimes 
involve the use of some sort of false identification, the use of 
another individual's personal or financial identifiers, or the 
assumption of a false or fictitious identity. In explanation, Secret 
Service officials noted the following: 

* Broadly speaking, from the perspective of law enforcement, identity 
theft can involve either "account takeover" or "identity takeover." 
That is, such theft involves the use of personal information to (1) 
make unauthorized use of existing credit or other financial accounts 
or (2) establish new accounts, apply for loans, etc. Generally, the 
personal information often sought by criminals is information required 
to obtain goods and services on credit. Primary types of this 
information include names, dates of birth, and SSNs. With the 
proliferation of computers and increased use of the Internet, many 
identity thieves have used information obtained from company databases 
and Web sites. 

* Identity theft is not typically a "stand alone" crime. Rather, 
identity theft is almost always a component of one or more crimes, 
such as bank fraud, credit card or access device fraud, or the use of 
counterfeit financial instruments. In many instances, an identity 
theft case encompasses several different types of fraud. 

In further response to our inquiry, Secret Service officials said that 
they believe that identity theft continues to occur at a seemingly 
increasing pace. The officials cautioned, however, that the incidence 
of identity theft is difficult to measure on the basis of available 
statistics (such as number of investigations or arrests) for a variety 
of reasons. Among others, the reasons cited were lack of reporting by 
victims, classification of identity theft in other crime categories 
(e.g., theft or forgery) or perhaps as a civil matter, and different 
levels of law enforcement (federal, state, and local) having 
concurrent jurisdiction with respect to many aspects of identity 
theft. Given these limitations, the officials suggested that any 
assessment of overall trends regarding identity theft perhaps should 
be based on statistics from FTC-—the agency designated to be the 
primary point of contact for victims. 

Nonetheless, we obtained available statistics from the Secret Service 
regarding its identity-theft related cases for fiscal years 1998-2000 
(see table 11). In interpreting these data, Secret Service officials 
noted that, in recent years, the agency has moved away from 
investigating "street crime" level offenders in the identity theft 
spectrum to targeting individuals and groups engaged in the 
systematic, large-scale pursuit of profits through the commission of 
various types of identity theft. That is, the agency is now focusing 
on high-dollar, community-impact cases that merit federal interest. 
Case statistics for fiscal years 1998-2000 reflect this shift in 
focus, according to Secret Service officials, who noted the following: 

* The number of arrests decreased 28 percent from 1998 to 2000, and 
the number of cases closed dropped 37 percent. 

* On the other hand, the average actual losses to victims in closed 
cases rose 71 percent from 1998 to 2000. The average fraud losses 
prevented rose 48 percent from 1998 to 1999 and rose an additional 101 
percent from 1999 to 2000. 

Table 11: Secret Service Data on Identity Theft-Related Arrests, Cases 
Closed, and Dollar Losses in Fiscal Years 1998 through 2000: 

Data category: Arrests; 
1998: 4,421; 
1999: 3,814; 
2000: 3,163. 

Data category: Cases closed[A];
1998: 8,489; 
1999: 7,071; 
2000: 5,379. 

Data category: Average actual losses to victims in cases closed[B]; 
1998: $26,922; 
1999: $38,078; 
2000: $46,119. 

Data category: Average fraud losses prevented in cases closed[C]; 
1998: $73,382; 
1999: $108,476; 
2000: $217,696. 

Note: In compiling these data, the Secret Service defined identity 
theft as any case related to the investigation of false, fraudulent, 
or counterfeit identification; stolen, counterfeit, or altered checks 
or Treasury securities; stolen, altered, or counterfeit credit cards; 
or financial institution fraud. 

[A] Cases can be closed for a variety of reasons, such as completion 
of judicial action, declination to prosecute by the Office of the 
United States Attorney, or a determination that insufficient evidence 
exists to identify or charge a suspect. 

[B] As defined by the Secret Service, "actual losses" are the amounts 
of money, goods, or services that were obtained by the criminal or 
group of criminals through the commission of the crime. 

[C] As defined by the Secret Service, "fraud losses prevented" is the 
difference between potential losses and actual losses. The Service 
defined "potential losses" as the amounts of money, goods, or services 
that the criminal or group of criminals was trying to obtain through 
the commission of the crime. 

Source: Secret Service data. 

[End of table] 

FinCEN Data: 

In April 1996, financial institutions were required to begin filing 
suspicious activity reports (SAR) to assist law enforcement in 
detecting and prosecuting violations of money laundering and other 
financial crimes.[Footnote 27] Recently, to "provide insights into the 
patterns of criminal financial activity associated with identity 
theft," FinCEN analyzed SARs filed during the period April 1996 
through November 2000-—a total of 490,595 filings. Of this total, 
FinCEN's analysis indicated that 1,030 SARs reported identity theft. 
Analysis of these 1,030 SARs, according to FinCEN's June 2001 report, 
confirms "industry perceptions of increases in both the incidence of 
identity theft-based fraud and SAR reporting about the phenomenon." 
[Footnote 28] Specifically, FinCEN noted the following: 

* During January through December 1997, the first full year of 
required SAR reporting, 44 instances of identity theft-—fewer than 4 
per month—-were reported. 

* Recently, during January through November 2000, there were 617 SARs 
filed that reported identity theft, an average of 56 SARs per month. 

Also, in its report, FinCEN noted—but did not elaborate or provide 
related statistics—that advanced technology (particularly the 
Internet) is proving to be a "powerful facilitator" of identity theft. 

Postal Inspection Service: 

The Postal Inspection Service is a leading federal law enforcement 
agency in the investigation of identity takeovers, a crime that 
frequently begins with the theft of mail or use of the mail to defraud 
individuals or financial institutions. In its fiscal year 2000 annual 
report, the Postal Inspection Service noted that identity theft is a 
growing trend: 

"Inspection Service identity theft investigations increased by 67 
percent since last year. Identity theft occurs when mail is stolen for 
the personal information it contains, which criminals use to 
fraudulently order credit cards, checks or other financial 
instruments. Mail theft may go unreported—the thief looks for mail 
containing items such as a credit card payment, copies personal 
identifiers and credit card and bank account information, and reseals 
the envelope and returns it to the mailstream, often undetected. 
Checks and credit cards may then be ordered in the victim's name. 
Private mailboxes at commercial receiving agencies ... are often 
rented so the crook can receive the fraudulently obtained cards and 
checks anonymously."[Footnote 29] 

Also, in its 2000 annual report, the Postal Inspection Service 
mentioned various initiatives to address identity theft: 

"Credit card theft and identity theft are becoming increasingly 
intertwined as crimes involving the U.S. Mail. The U.S. Postal 
Inspection Service's Credit Card Mail Security Initiative has brought 
various federal law enforcement agencies and credit card industry 
representatives together since 1992 to discuss loss and theft issues 
and develop solutions. Many of the identity theft issues related to 
credit card losses are currently being addressed by members of the 
initiative. ... 

"On November 6, 1999, President Clinton announced the Know Fraud 
initiative, a partnership of several leading private and government 
agencies, including the U.S. Postal Inspection Service, to educate 
consumers about how to protect themselves from telemarketing and mail 
fraud. ... Although work continues on the first Know Fraud initiative, 
plans are underway for a second one to launch in early 2001. Focusing 
on identity theft, the goal of the new effort is to deliver to every 
home in America prevention information that will raise awareness of 
this growing trend and provide consumers with protective tactics." 
[Footnote 30] 

According to the Postal Inspection Service, the "Know Fraud" 
initiative is "the largest consumer protection effort ever undertaken, 
with postcards sent to 123 million addresses across America, arming 
consumers with common sense tips and guidelines ..." 

Postal Inspection Service arrest statistics indicate that the agency 
has increased its focus on identity theft-related crime in recent 
years (see table 12). For instance, whereas the annual number of 
arrests was relatively constant during fiscal years 1996 through 1999, 
the year 2000 total (1,722 arrests) represents an increase of about 36 
percent over the previous year. Furthermore, the total for partial-
year 2001 (9 months) is higher than the year 2000 total. 

Table 12: Postal Inspection Service Identity Theft-Related Arrests, 
Fiscal Years 1996 through 2001: 

Fiscal year: 1996; 
Number of arrests: 1,287. 

Fiscal year: 1997; 
Number of arrests: 1,226. 

Fiscal year: 1998; 
Number of arrests: 1,122. 

Fiscal year: 1999; 
Number of arrests: 1,267. 

Fiscal year: 2000; 
Number of arrests: 1,722. 

Fiscal year: 2001 (through June 30, 2001); 
Number of arrests: 1,752. 

Source: Postal Inspection Service data. 

[End of table] 

[End of section] 

Appendix III: Cost of Identity Theft to the Financial Services 
Industry: 

According to industry data, the dollar value of goods and services 
purchased by consumers in the United States was $6.8 trillion in the 
year 2000. General purpose credit cards-—American Express, Diners 
Club, Discover, MasterCard, and Visa-—were used to pay for 20.4 
percent of these consumption expenditures.[Footnote 31] MasterCard and 
Visa comprised about 76 percent of the U.S. card market share, based 
on first quarter 2001 data. Also, as members of the MasterCard and 
Visa associations, much of the banking industry engaged in issuing 
credit cards, as well as offering checking accounts. 

This appendix discusses identity theft and the financial services 
industry in reference to three categories or aspects of cost—direct 
fraud losses, staffing and operating cost of fraud departments, and 
consumer confidence in online commerce (i.e., e-commerce through the 
Internet). 

Direct Fraud Losses: 

Regarding identity theft-related direct fraud losses incurred by the 
financial services industry, we obtained information from (1) the 
American Bankers Association (ABA); (2) the two leading payment card 
associations, MasterCard and Visa; and (3) six credit card-issuing 
banks.[Footnote 32] 

ABA Check Fraud Survey: 

In its 2000 bank industry survey on check fraud, the ABA reported that 
total check fraud-related losses in 1999—-considering both actual 
losses ($679 million) and loss avoidance ($1.5 billion)-—against 
commercial bank accounts reached $2.2 billion, which was twice the 
amount in 1997.[Footnote 3] Regarding actual losses, the report noted 
that the 1999 figure ($679 million) was up almost 33 percent from the 
1997 estimate ($512 million). 

In 1999, according to ABA data shown in table 13, the percentages of 
total check fraud-related losses attributable to identity theft ranged 
from 56 percent at community banks to 5 percent at superregional/money 
center banks. To restate, at the high end of this range, community 
banks reported that 56 percent of their check fraud-related losses 
could be attributed to identity theft; and at the low end of the 
range, superregional/money center banks reported that 5 percent of 
their check fraud-related losses could be attributed to identity 
theft. As previously mentioned, the ABA reported that check fraud-
related losses totaled $2.2 billion in 1999. However, the ABA's report 
did not specifically disaggregate this total among the bank-size 
categories shown in table 13. 

Table 13: Percentages of Banks' Total Check Fraud-Related Losses 
Attributable to Identity Theft, 1999: 

Banks (by size based on assets): Community banks (assets under $500 
million); 
Identity theft losses as a percentage of total check fraud-related 
losses: 56%. 

Banks (by size based on assets): Mid-size banks (assets of $500 
million to under $5 billion); 
Identity theft losses as a percentage of total check fraud-related 
losses: 18%. 

Banks (by size based on assets): Regional banks (assets of $5 billion 
to under $50 billion); 
Identity theft losses as a percentage of total check fraud-related 
losses: 6%. 

Banks (by size based on assets): Superregional/money center banks 
(assets of $50 billion or more); 
Identity theft losses as a percentage of total check fraud-related 
losses: 5%. 

Banks (by size based on assets): All sizes combined; 
Identity theft losses as a percentage of total check fraud-related 
losses: 29%. 

Note: ABA defined identity theft as losses due to account takeovers 
(or true name fraud). As indicated in appendix I, the overall response 
rate for ABA's survey was 11 percent. The response rates by bank size 
were as follows: community banks (10 percent), mid-size banks (16 
percent), regional banks (27 percent), and superregional/money center 
banks (65 percent). Surveys with a low level of responses—particularly 
surveys with response rates lower than 50 percent—could be affected by 
nonresponse bias. Thus, the results from ABA's survey should be 
interpreted with caution. 

Source: ABA, Deposit Account Fraud Survey Report 2000, p. 19. 

[End of table] 

In the same report, banks surveyed by the ABA between February and 
June 2000 identified the leading threats against deposit accounts 
anticipated in the next 12 months. The leading threat category cited 
by the surveyed banks involved counterfeit checks, and this category 
was closely followed by concerns regarding debit cards, identity theft 
(true name fraud), and the Internet. The percentages of surveyed banks 
that ranked identity theft among the top three threats against deposit 
accounts, as shown in table 14, ranged from a low of 48.4 percent of 
community banks to a high of 75.8 percent of regional banks. 

Table 14: Percentage of Banks that Regard Identity Theft (True Name 
Fraud) as One of the Top Three Threats Against Deposit Accounts: 

Banks (by size based on assets): Community banks (assets under $500 
million); 
Percentage of surveyed banks: 48.4%. 

Banks (by size based on assets): Mid-size banks (assets of $500 
million to under $5 billion); 
Percentage of surveyed banks: 60.2%. 

Banks (by size based on assets): Regional banks (assets of $5 billion 
to under $50 billion); 
Percentage of surveyed banks: 75.8%. 

Banks (by size based on assets): Superregional/money center banks 
(assets of $50 billion or more); 
Percentage of surveyed banks: 63.6%. 

Note: ABA defined identity theft as losses due to account takeovers 
(or true name fraud). As indicated in appendix I, the overall response 
rate for ABA's survey was 11 percent. The response rates by bank size 
were as follows: community banks (10 percent), mid-size banks (16 
percent), regional banks (27 percent), and superregional/money center 
banks (65 percent). Surveys with a low level of responses—particularly 
surveys with response rates lower than 50 percent—could be affected by 
nonresponse bias. Thus, the results from ABA's survey should be 
interpreted with caution. 

Source: ABA Data. 

[End of table] 

Two Major Payment Card Associations: Fraud Losses Involving Identity 
Theft: 

MasterCard and Visa are separate associations owned by numerous 
financial institutions that issue payment cards (credit cards and 
debit cards) bearing the MasterCard name and the Visa name, 
respectively. As such, MasterCard and Visa rarely receive complaints 
of fraud directly from consumers. Rather, the fraud-related statistics 
that MasterCard and Visa report represent an aggregation of data 
reported by each association's members. Association members report 
fraud-related statistics in various categories, such as account 
takeovers, fraudulent applications, lost cards, stolen cards, never-
received cards, counterfeit cards, and mail order/telephone order 
fraud. 

Regarding these various categories, MasterCard and Visa use very 
similar (although not identical) definitions regarding which of these 
categories constitute identity theft, as opposed to other types of 
fraud. According to a MasterCard official, the identity theft-related 
categories are account takeovers and some portion of fraudulent 
applications. A Visa official said that two categories—account 
takeovers and fraudulent applications—are considered by Visa to be 
identity theft because the other forms of fraud do not necessarily 
require the "stealing" of another person's identifying information. 
[Footnote 34] 

In response to our inquiry, MasterCard and Visa officials provided us 
with information on their respective association's fraud-related 
dollar losses for calendar years 1996 through 2000. However, the 
officials considered this information to be proprietary and requested 
that we aggregate the data in our reporting rather than present 
association-specific data. We agreed. The associations' aggregated 
data are presented in table 15. As indicated, for domestic (U.S.) 
operations, the associations' identity theft-related fraud losses-
defined as involving account takeovers and fraudulent applications-
rose from $79.9 million in 1996 to $114.3 million in 2000, an increase 
of about 43 percent. Much of this increase is reflected in the account-
takeover losses, which increased more than twofold, from $33.0 million 
in 1996 to $68.2 million in 2000. An official of one association said 
that this increase probably could be attributed to "inconsistencies in 
reporting among member banks." The official added that consumers are 
not really at risk because a zero liability policy protects them from 
financial loss. 

Table 15: MasterCard and Visa Fraud Losses, Calendar Years 1996 
through 2000: 

Fraud losses by category: Identity theft-related losses: Account 
takeovers[A]; 
1996: $33.1 million; 
1997: $32.4 million; 
1998: $34.4 million; 
1999: $39.8 million; 
2000: $68.2 million;. 

Fraud losses by category: Identity theft-related losses: Fraudulent 
applications[B]; 
1996: $46.8 million; 
1997: $36.9 million; 
1998: $37.2 million; 
1999: $43.4 million; 
2000: $46.1 million. 

Fraud losses by category: Subtotal; 
1996: $79.9 million; 
1997: $69.3 million; 
1998: $71.6 million; 
1999: $83.3 million; 
2000: $114.3 million. 

Fraud losses by category: Additional fraud losses[C]; 
1996: $620.3 million; 
1997: $590.4 million; 
1998: $663.9 million; 
1999: $700.8 million; 
2000: $898.9 million. 

Total fraud losses: 
1996: $700.2 million; 
1997: $659.7 million; 
1998: $735.5 million; 
1999: $784.1 million; 
2000: $1.013 billion. 

Identity theft-related losses as a percentage of total fraud losses: 
1996: 11.4%; 
1997: 10.5%; 
1998: 9.7%; 
1999: 10.6%; 
2000: 11.3%. 

Total fraud losses as a percentage of associations' U.S. members' 
sales volume: 
1996: 0.104%; 
1997: 0.084%; 
1998: 0.081%; 
1999: 0.074%; 
2000: 0.082%. 

[A]A Visa official said that the account takeover category may include 
some miscellaneous fraud losses reported by Visa member banks; thus, 
the dollar losses attributed to account takeovers may be somewhat 
overstated. 

[B] According to a MasterCard official, the fraudulent applications 
category can have components that do not involve identity theft. 

[C] Additional fraud losses include categories such as lost and stolen 
cards, never-received cards, counterfeit cards, and mail 
order/telephone order fraud. 

Source: MasterCard and Visa data for domestic (U.S.) operations. 

[End of table] 

Furthermore, table 15 shows that the associations' identity theft-
related losses as a percentage of total fraud losses were relatively 
constant at about 9 to 10 percent during 1996 through 2000. In further 
perspective, for most of these years, table 15 shows that the 
associations' total fraud losses represented less than 1/10th of 1 
percent of U.S. member banks' sales volume. Generally, the fraud 
losses are borne by the financial institution that issued the payment 
card. In some instances, although reportedly rare, retail merchants 
may bear such losses if the merchants do not follow proper procedures 
for verifying use of the card. 

To reiterate, regarding direct fraud losses involving payment cards, 
we contacted MasterCard and Visa only. We did not obtain information 
about losses involving other general-purpose cards (American Express, 
Diners Club, and Discover), which account for about 25 percent of the 
market. Also, we did not obtain information about losses involving 
merchant-specific cards issued by retail stores. Furthermore, we did 
not obtain information from various entities, such as insurance 
companies and securities firms, which may incur identity theft-related 
costs. 

An official of one of the associations told us that identity theft is 
not perceived to be one of the biggest fraud-related problems faced by 
member banks. The official said that many banks have experience in 
dealing with identity fraud, including using new technology to detect 
where such fraud may be taking place. Additionally, to help reduce the 
incidence of fraud, the official noted that the association provides 
guidance or recommendations for member banks and merchants to follow, 
as well as a number of specific computer models and authorization and 
verification systems that help reduce fraud and identity theft. 

Selected Credit Card-Issuing Banks: 

Officials of six credit card-issuing banks that we contacted said 
their financial institutions track fraud in several categories. But, 
we found some inconsistency among these institutions on the definition 
of credit card fraud associated with identity theft. For example, some 
financial institutions did not consider "friendly fraud" or "family 
fraud"[Footnote 35] in their fraud losses to be related to identity 
theft. However, two categories of identity theft-related fraud used by 
all six banks were (1) fraudulent applications and (2) account 
takeovers. Five of the six banks had data on identity theft losses 
involving fraudulent applications and account takeovers. These losses 
ranged from 18 percent to 42 percent of the respective bank's overall 
fraud losses.[Footnote 36] However, bank officials acknowledged that 
identity theft could also be associated with lost or stolen payment 
cards or other categories of losses-—and, thus, the reporting of 
losses for only two categories (fraudulent applications and account 
takeovers) may understate total identity theft-related losses. 

Officials from one of the six banks said that the amount of losses is 
not large, and the bank considered these losses to be within an 
acceptable level of risk. Also, the officials noted that the bank 
experienced more fraud from unauthorized use-—that is, use of lost or 
stolen cards and forged checks—-than from account takeovers and 
fraudulent applications. 

Officials from a second bank said that their bank's largest source of 
credit card fraud was from lost or stolen credit cards. The officials 
added that the next most common form of fraud involved counterfeit 
credit cards-—a type of fraudulent activity that occurred worldwide 
and often was perpetrated by organized crime rings. The third most 
common form of fraud—-and more difficult to detect-—was account 
takeover. The root cause of identity theft associated with account 
takeover, according to these bank officials, involved the misuse of 
SSNs acquired from another source. Also, this bank reported having 
experienced an increase in the number of cases of friendly fraud—-that 
is, incidents whereby a victim's family member or acquaintances 
obtained or tried to obtain credit in the victim's name. For example, 
in a divorce situation, a spouse may have opened an account in his or 
her partner's name without consent. 

Officials from a third bank said that the growth of fraud losses was 
correlated to business growth. However, the officials noted that the 
bank's losses associated with identity theft had remained relatively 
constant during the last few years. 

Officials at a fourth bank said that the bank does not normally track 
identity theft. Rather, the bank tracked the number of fraudulent 
applications denied due to the suspicion of fraud. Regarding this 
category, the bank officials did not consider the number of incidents 
to be significant in relationship to the bank's overall customer base; 
however, the officials noted that cases often occurred in "waves." 
Moreover, the officials said that they were concerned with larger 
losses, which resulted from fraudulent activities perpetrated by 
organized crime rings. 

At a fifth bank, officials said that roughly 90 percent of the bank's 
identity theft cases involved fraudulent applications, and the 
remainder represented account takeovers. The officials explained that, 
when the bank focuses on combating one form of fraudulent activity, 
other or replacement manifestations often begin to appear. For 
instance, the officials noted that fraud had increased from credit 
cards not received in the mail. In addition, the officials said they 
believed that fraudulent activity associated with organized crime 
rings was on the rise. 

At the sixth bank, officials provided no additional information about 
the institution's fraud losses. 

Staffing and Cost of Fraud Departments: 

The following sections discuss the staffing and cost of the fraud 
departments of banks and CRAs. The sections present information based 
on (1) ABA's 2000 bank industry survey on check fraud, (2) responses 
from officials of various banks we contacted, and (3) our interviews 
with officials of the three national CRAs. 

ABA Data: Fraud-Related Operating Expenses of Banks:; 

In its 2000 bank industry survey on check fraud, the ABA reported that 
the amount of resources that banks devoted to check fraud prevention, 
detection, investigation, and prosecution varied as a direct function 
of bank size. For instance, as table 16 shows for check fraud-related 
operating expenses (not including actual losses) in 1999, 

* over two-thirds (69.5 percent) of the 446 community banks that 
responded to ABA's survey each incurred less than $10,000 for such 
expenses; 

* about one-third (32.0 percent) of the 103 responding mid-size banks 
each incurred such expenses ranging from $50,000 to $249,999; 

* about one-fourth (24.2 percent) of the 33 responding regional banks 
each incurred such expenses ranging from $500,000 to $999,999. Another 
one-fourth of the regional banks each incurred such expenses ranging 
from $1 million to $4.9 million; and; 

* about one-fourth (27.3 percent) of the 11 responding 
superregional/money center banks each incurred more than $10 million 
for such expenses. 

Table 16: Amount of Expenses Per Bank Devoted to Prevention, 
Detection, Investigation, and Prosecution of Check Fraud, 1999: 

Expenses per bank: Less than $10,000; 
Community banks (assets under $500 million): 69.5%. 
Mid-size banks (assets of $500 million to under $5 billion): 24.3%. 
Regional banks (assets of $5 billion to under $50 billion): [Empty]; 
Superregional/money center banks (assets of $50 billion or more): 
[Empty] 

Expenses per bank: $10,000 to $49,999; 
Community banks (assets under $500 million): 9.6%; 
Mid-size banks (assets of $500 million to under $5 billion): 21.4%; 
Regional banks (assets of $5 billion to under $50 billion): [Empty];
Superregional/money center banks (assets of $50 billion or more): 
[Empty]. 

Expenses per bank: $50,000 to $249,999; 
Community banks (assets under $500 million): 1.3%; 
Mid-size banks (assets of $500 million to under $5 billion): 32.0%; 
Regional banks (assets of $5 billion to under $50 billion): 21.2%; 
Superregional/money center banks (assets of $50 billion or more): 
[Empty]. 

Expenses per bank: $250,000 to $499,999; 
Community banks (assets under $500 million): [Empty]; 
Mid-size banks (assets of $500 million to under $5 billion): 4.9%; 
Regional banks (assets of $5 billion to under $50 billion): 18.2%; 
Superregional/money center banks (assets of $50 billion or more): 
[Empty]. 

Expenses per bank: $500,000 to $999,999; 
Community banks (assets under $500 million): [Empty]; 
Mid-size banks (assets of $500 million to under $5 billion): [Empty]; 
Regional banks (assets of $5 billion to under $50 billion): 24.2%. 
Superregional/money center banks (assets of $50 billion or more): 18.2% 

Expenses per bank: $1 million to $4.9 million; 
Community banks (assets under $500 million): [Empty]; 
Mid-size banks (assets of $500 million to under $5 billion): 1.0%. 
Regional banks (assets of $5 billion to under $50 billion): 24.2%. 
Superregional/money center banks (assets of $50 billion or more): 
27.3%. 

Expenses per bank: $5 million to $9.9 million; 
Community banks (assets under $500 million): [Empty]; 
Mid-size banks (assets of $500 million to under $5 billion): [Empty]; 
Regional banks (assets of $5 billion to under $50 billion): [Empty];
Superregional/money center banks (assets of $50 billion or more): 9.1%. 

Expenses per bank: $10 million or more; 
Community banks (assets under $500 million): [Empty]; 
Mid-size banks (assets of $500 million to under $5 billion): [Empty]; 
Regional banks (assets of $5 billion to under $50 billion): [Empty]; 
Superregional/money center banks (assets of $50 billion or more): 
27.3%. 

Expenses per bank: Do not know; 
Community banks (assets under $500 million): 19.5%. 
Mid-size banks (assets of $500 million to under $5 billion): 16.5%. 
Regional banks (assets of $5 billion to under $50 billion): 12.1%. 
Superregional/money center banks (assets of $50 billion or more): 
18.2%. 

Expenses per bank: Totals[A]; 
Community banks (assets under $500 million): 99.9%; 
Mid-size banks (assets of $500 million to under $5 billion): 100.1%; 
Regional banks (assets of $5 billion to under $50 billion): 99.9%; 
Superregional/money center banks (assets of $50 billion or more): 
100.1%. 

Number of banks responding; 
Community banks (assets under $500 million): 446; 
Mid-size banks (assets of $500 million to under $5 billion): 103; 
Regional banks (assets of $5 billion to under $50 billion): 33; 
Superregional/money center banks (assets of $50 billion or more): 11. 

[A] Percentages do not add to 100.0 percent due to rounding. 

Source: ABA, Deposit Account Fraud Survey Report 2000, p. 60. 

[End of table] 

Fraud Departments of Selected Banks: 

The six banks discussed earlier also responded to our questions about 
fraud department staffing. Bank officials expressed concern about the 
growing sophistication of identity thieves, and the officials 
indicated that their respective banks had taken a number of 
proprietary steps for preventing, detecting, and responding to fraud. 
The officials told us that fraud department staffing had increased 
over the last few years, both in relationship to the growth in 
business portfolios and to address increasing fraud losses. However, 
the officials said that they could not specifically quantify the fraud 
department costs associated with identity theft. Rather, the 
information provided to us can be summarized as follows: 

* At four of the six banks, officials reported that fraud department 
staffing had expanded, with designated or specialized staff devoted to 
dealing with fraud prevention. The officials noted that their 
respective bank's fraud prevention procedures were dynamic and 
proprietary. 

* At a fifth bank, officials told us that about 30 percent of the 
fraud unit's employees were associated with addressing identity theft. 
The officials added that the unit's staffing had increased over the 
last 5 years, in line with the bank's portfolio growth. However, the 
officials also said they had witnessed an increase in fraudulent 
applications—concurrent with an increase in Web site usage—-and had 
taken additional preventative steps to address such applications. 

* At the sixth bank, officials told us that fraud department staffing 
had remained relatively stable over the last 5 years. 

Moreover, in addition to fraud department staffing, various bank 
officials indicated that there were other indirect costs associated 
with addressing identity theft. Examples of such costs included the 
following: 

* To assist in correcting credit bureau files, banks devote resources 
to communicating with customers and CRAs. 

* Banks use resources in cooperating with law enforcement agents who 
investigate identity theft crimes. And, expenses are incurred in 
attempts to locate perpetrators, bill them, and collect owed amounts. 

* Banks may incur lost opportunity costs in not being able to extend 
credit to legitimate customers. 

Fraud-Assistance Staffing at the Three National CRAs: 

Officials from each of the three national CRAs told us that the number 
of fraud-assistance staff—that is, staff to answer telephone calls and 
correspondence from individuals who believed that they may have been 
the victims of fraud—had increased in recent years. In obtaining 
staffing information from the three national CRAs, we agreed to report 
the information in a manner not specifically identifiable to the 
respective agency. Thus, in the following sections, we refer to these 
sources as "Agency A," "Agency B," and "Agency C." Of the three, 
Agency A and Agency C had a call center devoted specifically to fraud 
assistance. Agency B's call center handled both fraud-related and 
nonfraud-related matters, such as various types of consumer inquiries 
and disputes. 

Agency A: Fraud-Assistance Staffing Has Doubled: 

An Agency A official said that the number of staff in the agency's 
fraud assistance department doubled in recent years, increasing from 
50 in 1997 to 103 in 2001. In discussing the reasons for this 
increase, the official explained that greater public awareness of 
identity theft has resulted in a much larger volume of calls from 
consumers to the CRA. Now, the official opined, virtually any person 
who has a wallet or purse stolen will call a CRA as a protective 
measure against becoming a fraud victim. 

Moreover, the official said that Agency A's operating policy is to 
have a sufficient number of fraud-assistance staff available so that 
consumers will be able to speak with someone when they first 
telephone. In contrast, the official noted that the other two CRAs 
have an automated response system for handling the initial telephone 
inquiries from consumers. Thus, the official said that Agency A has a 
greater number of fraud-assistance staff than the other two CRAs. 

According to this official, Agency A's staffing costs for the fraud 
assistance department were about $3.3 million in 2000. Adding 
administrative costs to the staffing costs, the official said that the 
department's total operating costs for the year exceeded $4 million. 

Agency B: Fraud-Assistance Staffing Has Increased: 

Agency B officials provided us with information that was more general 
or less specific than that provided by Agency A. That is, the 
officials said that: 

* Agency B's fraud-assistance staffing has increased in recent years 
and remained relatively steady at 30 to 40 fraud specialists in 2000 
and 2001. 

* The annual cost of maintaining a staff of fraud-assistance 
specialists is in the range of "several million dollars." 

Also, in discussing Agency B's automated response system for handling 
initial inquiries, the officials said that the system has the 
advantage of being available to consumers 24 hours a day, 7 days a 
week. The officials explained Agency B's system as follows:
* When a consumer telephones the CRA, the automated system gives a 
menu of various options, one of which is a fraud-assistance option. If 
a consumer selects this option, Agency B automatically places a 90-day 
security alert on the consumer's file. 

* In addition to being provided a credit file report, the consumer is 
given a toll-free telephone number that the consumer can call to 
discuss-—with Agency B fraud-assistance staff—-the report and any 
related fraud concerns. In calling and discussing his or her 
situation, the consumer may choose to make a "victim statement," which 
will have the effect of extending the fraud alert to a period of 7 
years. Upon adding the victim statement, an updated credit report will 
be sent to the consumer, and two more reports will be provided at 45-
day intervals. 

According to these officials, another advantage of Agency B's 
automated response system for handling a consumer's initial inquiry is 
that the credit file reports give the consumer a basis for 
subsequently having a more informed discussion with the agency's fraud-
assistance staff. Finally, the officials noted that the free reports—
which total over 1 million annually—represent a significant but easily 
overlooked cost of identity fraud to CRAs. 

Agency C: Fraud-Assistance Staffing Has Increased: 

An Agency C official provided us with information on the approximate 
costs and hotline staffing levels for the fraud component of the 
agency's Consumer Services Center. The official told us that the 
number of fraud operators at the Consumer Services Center had 
increased in the 1990's but has remained relatively constant at about 
30 to 50 individuals since 1997. The official said that the cost of 
salaries for these operators has been approximately $900,000 per year, 
with annual adjustments to reflect inflation and merit increases. 
Also, the official noted that other administrative expenses-—such as 
computer costs, rent payments, etc.—-would raise the cost higher. 
However, the official did not quantify these expenses. 

In describing Agency C's inquiry process, the official explained that 
consumers could place temporary or 6-month fraud alerts on their 
credit files by (1) using the agency's main automated toll free number 
and choosing the fraud option or (2) directly calling the fraud 
hotline and speaking with a fraud operator. According to this official: 

* After temporary fraud alerts have been initiated, the consumers are 
automatically opted out of preapproved offers of credit. 

* Additionally, the consumers receive free copies of their credit 
files. Upon reviewing their credit files, the consumers can contact a 
fraud operator and place a longer-term (2- to 7-year) fraud alert on 
their files. 

Consumer Confidence in Online or E-Commerce: 

The following sections present (1) overview information about Internet 
fraud, (2) credit industry views regarding identity theft and consumer 
confidence in using e-commerce, and (3) statistical data showing 
continued growth in e-commerce. 

Overview: Internet Fraud: 

In addition to facilitating e-commerce, Internet technology can also 
increase the potential of exposing individuals to identity theft and 
other fraudulent activities or schemes. Generally, the term "Internet 
fraud" refers to any scheme that uses one or more components of the 
Internet—such as Web sites, message boards, e-mail, or chat rooms—to 
conduct fraudulent transactions, present fraudulent solicitations to 
prospective victims, or transmit the proceeds of fraud to financial 
institutions or others connected with the scheme. According to 
Internet Fraud Watch, which was created in 1996 to enable the National 
Fraud Information Center[Footnote 37] to offer consumers advice about 
promotions in cyberspace and to route reports of suspected Internet 
and online fraud to the appropriate government agencies: 

"While scams online are both new and old, free standing and 
combinations, the Internet itself creates a whole new set of problems 
and opportunities for law enforcement and for criminals. There are 
millions of people online, with thousands of new users every day.... 
There are now more e-mails sent every day than regular mail, including 
junk mail. Once a consumer goes online, he or she is bombarded with 
unsolicited commercial e-mail (spam) advertising everything from 
legitimate services to fraudulent investment schemes. Web sites abound 
offering both legitimate and fraudulent products and services." 
[Footnote 38] 

At a congressional hearing in September 2000, an FTC official 
testified, in part, as follows: 

"The Internet has dramatically altered the potential occurrence and 
impact of identity theft. First, the Internet provides access to 
identifying information through both illicit and legal means. The 
global publication of identifying details that previously were 
available only to a select few increases the potential for misuse of 
that information. Second, the ability of the identity thief to 
purchase goods and services from innumerable e-merchants expands the 
potential harm to the victim through numerous purchases. The explosion 
of financial services offered on-line, such as mortgages, credit 
cards, bank accounts and loans, provides a sense of anonymity to those 
potential identity thieves who would not risk committing identity 
theft in a face-to-face transaction."[Footnote 39] 

Recently, at a congressional hearing in May 2001, a Department of 
Justice official testified partly as follows: 

"Internet fraud, in all of its forms, is one of the fastest-growing 
and most pervasive forms of white-collar crime.... Regrettably, 
criminal exploitation of the Internet now encompasses a wide variety 
of securities and other investment schemes, online auction schemes, 
credit-card fraud, financial institution fraud, and identity theft.... 

"A January 2001 study by Meridien Research ... reports that with the 
continuing growth of e-commerce, payment-card fraud on the Internet 
will increase worldwide from $1.6 billion in 2000 to $15.5 billion by 
2005. The Securities and Exchange Commission staff reports that it 
receives 200 to 300 online complaints a day about Internet-related 
securities fraud. Foreign law enforcement authorities also regard 
Internet fraud as a growing problem. Earlier this year, the European 
Commission reported that in 2000, payment-card fraud in the European 
Union rose by 50 percent to $553 million in fraudulent transactions, 
and noted that fraud was increasing most in relation to remote payment 
transactions, especially on the Internet. Similarly, the International 
Chamber of Commerce's Commercial Crime Service reported that nearly 
two-thirds of all cases it handled in 2000 involved online fraud." 
[Footnote 40] 

Industry Views: Payment Card Association and Selected Banks: 

At the May 2001 congressional hearing, a Senior Vice President from 
Visa—a major credit card association testified, in part, as follows: 
[Footnote 41] 

"Electronic commerce is vital to the U.S. economy and to the prospects 
for our continued economic growth. ... There is no doubt that 
electronic commerce is a large, growing and permanent new channel for 
the sale of goods and services to consumers. The Department of 
Commerce estimates, for example, that online retail sales grew from 
less than $5.2 billion in the fourth quarter of 1999 to almost $8.7 
billion in the same quarter one year later. Sales projections for the 
electronic commerce market range from $35 billion to $76 billion by 
the year 2002. By any measure, this counts as explosive growth ... 

"Visa has taken steps to promote consumer confidence in this new 
channel of commerce. These steps include ... [a] zero liability policy 
for unauthorized use of our payment cards.... This zero liability 
policy applies to online transactions a well as offline transactions. 
Customers are protected online in exactly the same way as when they 
are using their cards at a store, ordering from a catalog by mail, or 
placing an order over the phone. In case of a problem, Visa provides 
100 percent protection against unauthorized card use, theft, or loss. 
If someone steals a payment card number from one of our cardholders 
while the cardholder is shopping, online or offline, our customers are 
fully protected—they pay nothing for the thief's fraudulent activity." 

During our review, of the six credit card-issuing banks we contacted, 
five responded to our questions about the impact of identity theft on 
consumer confidence in using e-commerce. These responses can be 
summarized as follows: 

* One of the five banks had recently conducted a focus group to assess 
the issue of consumer confidence in using e-commerce. Bank officials 
told us that most of the focus group participants expressed no concern 
about identity theft or fraud in conducting online banking or e-
commerce transactions. In the credit card issuer's experience, 
individuals over age 55 were more leery of online banking and e-
commerce and were not as familiar with the technology. 

* A second bank's officials told us that many of the bank's customers 
had an irrational fear of using e-commerce, or using credit cards for 
Internet transactions. The officials explained that, when fraud 
occurs, many customers were absolutely convinced the Internet was the 
root cause of the compromised information and the subsequent fraud, 
regardless of whether or not the Internet was actually used in the 
fraudulent transaction. 

* A third bank had conducted focus groups on fraud and found that the 
largest concern voiced was identity theft. However, according to bank 
officials, this concern was not a major barrier to using e-commerce. 

* At the fourth and fifth banks, officials did not have any 
information about consumers' fears of identity theft from using online 
banking services or engaging in e-commerce transactions. However, 
officials from one of these banks noted that there was little basis in 
fact for such concerns. The officials explained that information 
transmitted to and from financial institutions for banking and other 
online transactions is encrypted; and, while there have been instances 
in which such information has been compromised, its misuse for 
identity theft purposes has been rare. 

Steady Growth of E-Commerce: 

Despite concerns about security and privacy, the use of e-commerce by 
consumers has steadily grown. For example, in the 2000 holiday season, 
consumers spent an estimated $10.8 billion online, which represented 
more than a 50-percent increase over the $7 billion spent during the 
1999 holiday season. Furthermore, in 1995, only 130 banks and thrifts 
had a Web site; but, the number had grown to 4,600 by 2000. Similarly, 
in 1995, only one bank had a Web site capable of processing financial 
transactions; but, by 2000, a total of 1,850 banks and thrifts had Web 
sites capable of processing financial transactions.[Footnote 42] 

The growth in e-commerce could indicate greater consumer confidence 
but could also result from the increasing number of people who have 
access to and are becoming familiar with Internet technology. 
According to an October 2000 Department of Commerce report, Internet 
users comprised about 44 percent (approximately 116 million people) of 
the U.S. population in August 2000. This was an increase of about 38 
percent from 20 months prior.[Footnote 43] According to Commerce's 
report, the fastest growing online activity among Internet users was 
online shopping and bill payment, which grew at a rate of 52 percent 
in 20 months. In short, as more consumers become familiar with online 
products and services, e-commerce is likely to gain greater acceptance 
as a channel of commerce, and usage can be expected to increase 
further. 

[End of section] 

Appendix IV: Cost of Identity Theft to Victims: 

Victims of identity theft may experience a range of costs that 
encompass nonmonetary harm as well as monetary losses. This appendix 
presents information about both of these cost categories. FTC Data on 
the Cost of Identity Theft to Victims As mentioned previously, from 
its establishment in November 1999 through September 2001, the FTC 
Clearinghouse received a total of 94,100 complaints from identity 
theft victims. In response to our request, FTC staff provided us with 
information about the nonmonetary harm and the monetary losses (out-of-
pocket expenses) reported by the complainants. 

The extent of the harm reported to the FTC depends upon the victims' 
knowledge at the time that they call the FTC. Victims call the FTC at 
all stages of their experience with identity theft. Some victims call 
shortly after they discover the theft of their identities, while 
others may not hear about the FTC's hotline and not call until months 
after they discover the crime. In addition, some victims discover the 
misuse of their identity soon after the misuse begins, while others do 
not discover it until years later. Moreover, the thieves may continue 
to misuse identities long after victims contact the FTC. For these 
reasons, the amount of harm that the victims are aware of and report 
at the time that they call the FTC may not be the full extent of the 
harm they have experienced or will experience. 

FTC Data on Nonmonetary Harm Reported by Identity Theft Complainants: 

As table 17 shows, of the 94,100 identity theft complaints reported to 
the FTC during November 1999 through September 2001, about 14 percent 
involved reports of nonmonetary harm. By far the most prevalent type 
of nonmonetary harm cited by consumers—mentioned in over 7,000 
complaints—was "denied credit or other financial services." The second 
leading type of nonmonetary harm—cited in about 3,500 complaints—was 
"time lost to resolve problems." In nearly 1,300 complaints, identity 
theft victims alleged that they had been subjected to "criminal 
investigation, arrest, or conviction." 

Table 17: Nonmonetary Harm Reported by Identity Theft Complainants to 
FTC (Nov. 1999 through Sept. 2001): 

Nonmonetary harm: Did the consumer report any nonmonetary harm? 

No: 
Number of complaints: 63,959; 
Percent: 68.0%. 

Information not collected (non-FTC data[A]): 
Number of complaints: 16,784; 
Percent: 17.8%. 

Yes: 
Number of complaints: 13,357; 
Percent: 14.2%. 

Nonmonetary harm: Totals: 
Number of complaints: 94,100; 
Percent: 100.0%. 

If yes, what was the harm? 

Denied credit or other financial services[B]: 
Number of complaints: 7,376; 
Percent based on subtotal[C]: 55.2%. 

Time lost to resolve problems: 
Number of complaints: 3,489; 
Percent based on subtotal[C]: 26.1%. 

Harassed by debt collector or creditor: 
Number of complaints: 2,968; 
Percent based on subtotal[C]: 22.2%. 

Criminal investigation, arrest, or conviction: 
Number of complaints: 1,281; 
Percent based on subtotal[C]: 9.6%. 

Civil suit filed or judgment entered: 
Number of complaints: 819; 
Percent based on subtotal[C]: 6.1%. 

Denied employment or loss of job: 
Number of complaints: 580; 
Percent based on subtotal[C]: 4.3%. 

Other: 
Number of complaints: 3,780; 
Percent based on subtotal[C]: 28.3%. 

Total 13,357[D]. 

Note: According to FTC staff, most identity theft victims can be 
assumed to have received a negative or inaccurate credit report and, 
by itself, such a report is not a harm and is not included in this 
analysis. Rather, a negative or inaccurate credit report may result in 
various types of harm, such as the victim being denied credit, having 
to spend time to resolve problems, etc. 

[A] Non-FTC data refer to identity theft complaints forwarded from the 
SSA/OIG to the FTC. In these complaints, information about nonmonetary 
harm to victims was not collected. 

[B]Denied credit or other financial services includes being denied a 
loan, being denied a credit card, being denied a checking or savings 
account, having a credit card rejected, having a telephone or 
utilities cut off or new service denied, or having checks refused for 
payment (bounced). 

[C] Percentages add to more than 100 percent because an identity theft 
complainant may allege more than one type of nonmonetary harm. 

[D] Details add to more than 13,357 because an identity theft 
complainant may allege more than one type of nonmonetary harm. 

Source: FTC data. 

[End of table] 

FTC Data on Monetary Losses Reported by Identity Theft Complainants: 

As table 18 shows, FTC data indicated that 2,633 complaints received 
from November 1999 through September 2001 involved dollar amounts that 
victims reported as having been lost or paid as out-of-pocket expenses 
as a result of identity theft. While most financial institutions do 
not hold victims liable for fraudulent debts, victims may incur 
significant expenses in trying to restore their good names and 
financial health. According to FTC staff, for example, victims 
routinely incur costs for document copies, notary fees, certified 
mail, and long-distance calls. Some consumers have tax refunds or 
other benefits withheld pending resolution of the identity theft 
crime. In addition, some consumers have hired attorneys. Other 
consumers reported that they chose to pay the fraudulent debt because 
of difficulties encountered in trying to have the debt absolved. 

The FTC Clearinghouse had no data regarding direct out-of-pocket 
monetary losses (if any) for 77,063 (about 82 percent) of the 94,100 
complaints received during November 1999 through September 2001. Also, 
for another 14,404 complaints, FTC data indicated that the individual 
victims reported zero dollar losses, that is, no out-of-pocket 
expenses. On the other hand, the data indicated that hundreds of 
complaints-2,633 in total during the 23-month period—reported at least 
some out-of-pocket expenses, with 207 of the complaints each alleging 
losses above $5,000 and another 203 complaints each alleging losses 
above $10,000. Out-of-pocket expenses may increase after victims 
report to the FTC and take further steps to resolve identity theft-
related problems. 

Table 18: Monetary Losses Reported by Identity Theft Complainants to 
FTC (Nov. 1999 through Sept. 2001): 

Dollar amount of losses: No data[A]; 
Number of complaints: 77,063; 
Percent: 81.9%. 

Dollar amount of losses: Zero dollar losses reported; 
Number of complaints: 14,404; 
Percent: 15.3%. 

Dollar losses reported: $1 - $100; 
Number of complaints: 502; 
Percent: 0.5%. 

Dollar losses reported: $101 - $500; 
Number of complaints: 653; 
Percent: 0.7%. 

Dollar losses reported: $501 - $1,000; 
Number of complaints: 399; 
Percent: 0.4%. 

Dollar losses reported: $1,001 - $5,000; 
Number of complaints: 669; 
Percent: 0.7%. 

Dollar losses reported: $5,001 - $10,000; 
Number of complaints: 207; 
Percent: 0.2%. 

Dollar losses reported: Over $10,000; 
Number of complaints: 203; 
Percent: 0.2%. 

Dollar amount of losses: Subtotal; 
Number of complaints: 2,633; 
Percent: 2.8%. 

Dollar amount of losses: Total; 
Number of complaints: 94,100; 
Percent: 100.0%. 

At the time they contacted the FTC, most complainants provided no 
information about the amount of out-of-pocket expenses, if any, they 
had incurred. 

Source: FTC data. 

[End of table] 

Summary of Our Contacts with Victims: 

From its database of identity theft victims, after obtaining 
permission from the individuals, FTC staff provided us with the names 
and telephone numbers of 10 victims, whom we contacted to obtain a 
direct or first-hand understanding of their experiences. As presented 
in table 19: 

*In all 10 cases, the perpetrator used the victim's personal 
information to engage in identity takeover activities. Varying by 
case, such fraudulent activities ranged from the opening of new charge 
accounts and cellphone accounts to obtaining employment and filing tax 
returns in the victim's name. Also, in 2 of the 10 cases, the 
perpetrator engaged in account takeover activities; that is, the 
perpetrator made charges on existing accounts. 

* Nine of the 10 victims reported experiencing both nonmonetary and 
monetary harms. Regarding nonmonetary harm, various victims reported 
being harassed by collection agencies, expending time to clear their 
names, having difficulty obtaining credit, and losing productivity at 
work. Furthermore, one victim reportedly was the subject of an arrest 
warrant, based on speeding tickets issued to the perpetrator, and 
another victim was taken into police custody for a drug-related search 
stemming from the perpetrator's activities. Regarding monetary harm, 
the victims generally reported that out-of-pocket expenses were 
relatively low. However, two victims reported losing a job and wages 
(with losses of about $6,000 and $2,500 per victim, respectively), and 
two victims reported an inability to obtain tax refunds ($1,000 and 
$814, respectively). 

Table 19: Summary of GAO's Interviews of Identity Theft Victims: 

Victim
For what fraudulent activities did the perpetrator use the victim's 
personal information? 
What were the types of harm experienced by the victim? 

Victim 1: 
For what fraudulent activities did the perpetrator use the victim's 
personal information? 
Identity takeover activities: 
Opened 12 to 18 charge accounts; 
Obtained housing; 
Obtained utility services; 
Obtained fraudulent identification; 
Opened cellphone account. 

What were the types of harm experienced by the victim? 
Nonmonetary harm:
Harassed by collection agency;
Reappearance of charges after they had been removed;
Expended time (about 200 hours over 10 months) to clear
name. 
Monetary harm:
Incurred out-of-pocket expenses ($100 to $200);
Lost job and wages (about $6,000). 

Victim 2: 
For what fraudulent activities did the perpetrator use the victim's 
personal information? 
Identity takeover activities: 
Attempted to open charge account. 
Account takeover activities: 
Made charges on existing account. 

What were the types of harm experienced by the victim? 
Nonmonetary harm: 
Expended time (about 40 hours over 4 to 6 weeks) to clear name. 
Monetary harm:
Incurred out-of-pocket expenses (less than $20). 

Victim 3: 
For what fraudulent activities did the perpetrator use the victim's 
personal information? 
Identity takeover activities: 
Opened charge accounts; 
Obtained housing; 
Purchased car; 
Wrote bad checks; 
Obtained employment and owed back taxes. 

What were the types of harm experienced by the victim? 
Nonmonetary harm:
Expended time (about 3 months in worktime equivalent over 6 years) to 
clear name; 
Experienced difficulty obtaining credit.
Monetary harm: 
Harassed by collection agencies;
Incurred out-of-pocket expenses (about $20);
Could not claim tax refund ($1,000). 

Victim 4: 
For what fraudulent activities did the perpetrator use the victim's 
personal information? 
Identity takeover activities: 
Opened charge accounts; 
Attempted to obtain car loan; 
Wrote bad checks; 
Obtained fraudulent identification; 
Opened cellphone account. 

What were the types of harm experienced by the victim? 
Nonmonetary harm: 
Expended time (between 150 and 200 hours over 6 weeks) to clear name;
Monetary harm:
Incurred out-of-pocket expenses (between $20 and $30 for notaries, 
faxes, etc.). 

Victim 5: 
For what fraudulent activities did the perpetrator use the victim's 
personal information? 
Identity takeover activities: 
Violated traffic laws (3 speeding tickets); 
Opened charge accounts; 
Wrote bad checks; 
Obtained employment and filed tax return; 
Obtained utility services; 
Obtained fraudulent identification; 
Attended college classes. 

What were the types of harm experienced by the victim? 
Nonmonetary harm:
Arrest warrant issued for victim based on perpetrator’s speeding 
tickets;
Went to court to contest speeding ticket;
Expended hundreds of hours over last 6 years;
Experienced difficulty obtaining credit;
Monetary harm:
Could not obtain IRS tax refund ($814). 

Victim 6: 
For what fraudulent activities did the perpetrator use the victim's 
personal information? 
Identity takeover activities: 
Opened 10 charge accounts; 
Wrote bad checks; 
Made fraudulent identification. 
Account takeover activities: 
Used existing credit accounts. 

What were the types of harm experienced by the victim? 
Nonmonetary harm: 
Harassed by retailers over bad checks; 
Expended time (missed 3 days of work in 2 months);
Had lower productivity at work. 
Monetary harm: 
Purse was stolen; 
Incurred out-of-pocket expenses for notaries and incidentals ($20). 

Victim 7: 
For what fraudulent activities did the perpetrator use the victim's 
personal information? 
Identity takeover activities: 
Opened about 20 charge accounts. 

What were the types of harm experienced by the victim? 
Nonmonetary harm: 
Experienced difficulty obtaining credit (rejected for credit 10 times); 
Expended time (about 48 hours over 2-½ years) to clear name; 
Experienced difficulty purchasing a car. 
Monetary harm: 
Incurred several hundred dollars in out-of-pocket expenses on 
notaries, faxes, etc. 

Victim 8: 
For what fraudulent activities did the perpetrator use the victim's 
personal information? 
Identity takeover activities: 
Filed for income tax refunds; 
Was arrested three times in victim’s name. 

What were the types of harm experienced by the victim? 
Nonmonetary harm: 
Expended time (about 30 hours over 1-½ years) to clear name; 
Taken to police station for car to be searched for drugs. 

Victim 9: 
For what fraudulent activities did the perpetrator use the victim's 
personal information? 
Identity takeover activities: 
Obtained fraudulent identification; 
Opened bank account; 
Opened multiple charge accounts; 
Purchased car; 
Obtained prescription medication; 
Obtained employment and was fired from employment; 
Received unemployment benefits; 
Was evicted three times from housing; 
Used victim’s name during auto accident; 
Was arrested twice in victim’s name. 

What were the types of harm experienced by the victim? 
Nonmonetary harm: 
Experienced difficulty obtaining credit; 
Experienced difficulty obtaining employment; 
Experienced difficulty purchasing a car; 
Experienced difficulty obtaining housing due to perpetrator’s eviction 
history;
Expended hundreds of hours over 6 years attempting to clear name.
Monetary harm: 
Lost job and wages ($2,500);
Incurred out-of-pocket expenses (about $50). 

Victim 10: 
For what fraudulent activities did the perpetrator use the victim's 
personal information? 
Identity takeover activities: 
Obtained fraudulent identification; 
Opened multiple charge accounts; 
Received traffic violation in victim’s name. 

What were the types of harm experienced by the victim? 
Nonmonetary harm:
Experienced difficulty obtaining credit;
Expended 15 to 20 hours over last 3 years attempting to clear
name. 
Monetary harm:
Incurred out-of-pocket expenses (about $59). 

Note: According to FTC staff, the 10 victims were selected to 
illustrate a range in the number of types of identity theft activities 
reported by victims. The experiences of these 10 victims are not 
statistically representative of all identity theft victims. 

Source: GAO's summary of telephone interviews with 10 identity theft 
victims FTC selected. 

[End of table] 

In addition to the types of harm presented in table 19, several of the 
victims expressed to us feelings of "invaded privacy" and "continuing 
trauma" that likely would affect their lives for quite some time. In 
particular, such "lack of closure" was cited if elements of the crime 
involved more than one jurisdiction and/or if the victim had no 
awareness of any arrest being made. For instance, two victims reported 
being able to file a police report in their state of residence but 
were unable to do so in other states where the perpetrators committed 
fraudulent activities using the stolen identities. Also, 2 of the 10 
victims told us they were aware that the perpetrator had been arrested. 

Consumer Advocacy Report on the Cost of Identity Theft to Victims: 

In a May 2000 report, two nonprofit advocacy entities—-the California 
Public Interest Research Group (CALPIRG) and the Privacy Rights Report 
on the Cost of Clearinghouse—-presented findings based on a survey 
(conducted in the Identity Theft to spring of 2000) of 66 identity 
theft victims who had contacted these organizations.[Footnote 44] The 
May 2000 report noted that victims of identity theft Victims "face 
extreme difficulties attempting to clear the damaged credit, or even 
criminal record, caused by the thief." According to the report, the 
following findings illustrate the obstacles that victims encounter 
when trying to resolve their identity theft cases: 

* The victims spent 175 hours, on average, actively trying to resolve 
their identity theft-related problems. Less than half (45 percent) of 
the respondents believed that their cases had been fully resolved; 
these respondents reported an average of 23 months to reach 
resolution. The other survey respondents (55 percent) reported that 
their unresolved cases had already been open, on average, for 44 
months. 

* Not counting legal fees, victims reported spending between $30 and 
$2,000 on costs related to their identity theft. The average reported 
loss was $808, but most victims estimated spending $100 for out-of-
pocket costs. 

* The majority (76 percent) of the surveyed cases involved "true name 
fraud"-—which occurred, for instance, when the imposter opened new 
credit accounts in the name of the victim. The number of fraudulent 
new accounts opened per victim ranged from 1 to 30, and the average 
was 6 new accounts. 

The May 2000 report stated that these findings may not be 
representative of the plight of all victims. Rather, the report noted 
that the findings should be viewed as "preliminary and representative 
only of those victims who have contacted our organizations for further 
assistance (other victims may have had simpler cases resolved with 
only a few calls and felt no need to make further inquiries)." 

Later, at a national conference, the Director of Privacy Rights 
Clearinghouse expanded on the results of the May 2000 report. For 
instance, regarding the 66 victims surveyed, the Director noted that 
one in six (about 15 percent) said that they had been the subject of a 
criminal record because of the actions of an imposter.[Footnote 45] 
Furthermore, the Director provided additional comments substantially 
as follows: 

* Unlike checking for credit report inaccuracies, there is no easy way 
for consumers to determine if they have become the subject of a 
criminal record. 

* Indeed, victims of identity theft may not discover that they have 
been burdened with a criminal record until, for example, they are 
stopped for a traffic violation and are then arrested because the 
officer's checking of the driver's license number indicated that an 
arrest warrant was outstanding. 

Additional Observations: 

In an April 2001 advisory letter to national banks, the Office of the 
Comptroller of the Currency (OCC) made the following observations 
about the cost of identity theft: 

"This growing crime has a devastating effect on financial institution 
customers and a detrimental impact on the banks. Four of the top five 
consumer complaints regarding identity theft involve financial 
services—new credit card accounts opened, existing credit card 
accounts used, new deposit accounts opened, and newly obtained loans. 
Banks absorb much of the economic losses from bank fraud associated 
with the theft of their customers' identities. Individuals who become 
victims of identity theft also pay, at a minimum, out-of-pocket 
expenses to clear their names and may spend numerous hours trying to 
rectify their credit records."[Footnote 46] 

Also, in congressional testimony in May 2001, an experienced New York 
City police detective characterized the cost of identity theft to 
victims as follows: 

"Over the past five years, there has been a significant increase in 
crimes where criminals compromise personal identification data of 
victims, in order to commit identity theft. The information that falls 
into criminal hands includes name, date of birth, Social Security 
Number, banking account number, and other personal and financial 
information. 

"Victims of identity theft, like other crime victims, are made to feel 
personally violated. This is especially true in light of the vicious 
cycle of event that typically follows the perpetration of this crime. 
Imagine for a moment, a recently married couple just starting out in 
their life together. They work hard and save enough money to make a 
down payment on their first new home only to be denied a mortgage 
because of a negative payment history reflected in a credit report—-
information that they knew nothing about. The trauma of this type of 
fraud causes its innocent victims is unimaginable. Moreover, once the 
crime is discovered and reported, victims are left to fend for 
themselves in attempting to clear their credit history and good name. 

"Our unit has successfully conducted numerous investigations where 
perpetrators have used the personal information to not only obtain 
credit cards and personal loans, but also to purchase cars and homes. 
Although we in law enforcement garner some sense of satisfaction when 
we make arrests for these crimes, it is not enough when compared to 
the amount of time and energy a victim spends trying to undo the work 
of these criminals."[Footnote 47] 

[End of section] 

Appendix V: Cost of Identity Theft to the Federal Criminal Justice 
System: 

This appendix presents information about the cost of identity theft to 
the federal criminal justice system—that is, the cost associated with 
investigations, prosecutions, incarceration, and community 
supervision. Generally, we found that federal agencies do not 
separately maintain statistics on the person hours, portions of 
salary, or other distinct costs that are specifically attributable to 
cases involving 18 U.S.C. §1028(a)(7) and other criminal statutes that 
may be applicable to identity theft and fraud. Thus, as an 
alternative, some of the agencies provided us with average cost 
estimates based, for example, on white-collar crime cases-—a category 
that covers financial crimes, including identity theft. 

Cost of Investigations: 

Various Justice Department law enforcement agencies (e.g., the FBI), 
Treasury Department agencies (e.g., the Secret Service), and the 
Postal Inspection Service are responsible for investigating possible 
federal criminal violations in which identity theft or fraud is a 
factor. Also, the SSA's Office of the Inspector General (OIG) may 
investigate possible identity theft and fraud cases where misuse or 
abuse of Social Security numbers (SSNs) is involved. Three of these 
agencies-—the FBI, the Secret Service, and SSA/OIG-—responded to our 
request for cost-related information, as discussed in the following 
sections. 

FBI: Cost of Investigations: 

In response to our inquiry regarding the cost of investigating 
identity theft crimes, the FBI provided us with an estimate based on 
budget and workload data for the agency's white-collar crime program 
for fiscal years 1998 to 2000. For this 3-year period, the FBI 
estimated that approximately $20,000 was the average cost of an 
investigative matter handled by the agency's white-collar crime 
program. However, an FBI official noted that the agency does not have 
cost data related specifically to identity theft cases, and the 
official told us that the average-cost figure ($20,000) was not very 
meaningful given the following caveats: 

* Using available data, the average cost of an investigative matter 
can be calculated in a number of different ways, none of which is 
perfect. Due to such imperfections, the validity of the $20,000 figure 
is highly questionable. For instance, the average cost figure does not 
capture the wide variance in the scope and costs of white-collar crime 
investigations. Some cases can be of short duration and involve only 
one FBI agent, whereas other cases can be very complicated, be ongoing 
for several years, and involve many agents. 

* Also, it is questionable methodology for the FBI to apply the 
average cost of its white-collar crime investigations in general to 
identity theft cases specifically. Identity theft is rarely a stand-
alone crime; that is, identity theft is frequently an element of bank 
fraud, wire fraud, and other types of white-collar or financial 
crimes. On the other hand, some white-collar or financial crimes, 
including some high-cost cases, may not involve elements of identity 
theft. However, the FBI's information systems are not sufficiently 
code to isolate identity theft-related budget and workload data within 
the white-collar crime program. 

Secret Service: Cost of Investigations: 

We asked the Secret Service for an estimate of the average cost of 
investigating financial crimes that included identity theft as a 
component. The Secret Service responded that the agency does not track 
costs on a per-case basis and noted that the nature and variety of 
factors regularly present in common investigative scenarios do not 
lend themselves to accurate "average cost" tracking. The agency 
explained that variants affecting cost include, but are not limited 
to, the number of personnel assigned, the use of technical and 
surveillance assets, transcription and translation services, case-
related travel (domestic and foreign), task force expenses, 
expenditures for investigative information and evidence, expenditures 
associated with undercover activities, and trial preparation. In 
summary, the Secret Service responded that its cases vary so much in 
their makeup that to put a figure on average cost is not meaningful. 

Nonetheless, recognizing these caveats, the Secret Service's 
Management and Organization Division made its "best estimate of the 
average cost" of a financial crimes investigation conducted by the 
Secret Service in fiscal year 2001. The resulting estimate was 
approximately $15,000. Secret Service officials noted that this 
estimate was for a financial crimes investigation and not specifically 
for an identity theft investigation. Also, the officials emphasized 
that, in the absence of specific guidelines establishing a standard 
methodology, average-cost figures provide no basis for making 
interagency comparisons. 

SSA/OIG: No Estimate of Cost: 

We asked SSA/OIG for an estimate of the average cost of investigating 
cases involving SSN misuse. SSA/OIG officials responded that the 
agency's information systems do not record time spent by function to 
permit making an accurate estimate of what it costs to work these 
types of cases. Furthermore, the officials commented substantially as 
follows: 

* Identity theft poses greater costs to the public and to financial 
institutions than to law enforcement. 

* The cost of identity theft to law enforcement is a moving target. 
The cost can be small or large, depending on what priority SSN misuse 
is given in any law enforcement organization. 

* In fact, SSA/OIG probably could dedicate its entire workforce to SSN 
misuse cases and still not scrape the surface of this issue. 

Finally, the SSA/OIG officials noted that the SSA/OIG's appropriations 
for fiscal year 2001 totaled about $69 million; however, the officials 
reiterated the impracticality of estimating how much of this amount 
was used for investigating cases of SSN misuse. 

Cost of Prosecutions: 

Executive Office for U.S. Attorneys (EOUSA) officials said that the 
agency's timekeeping system could not specifically isolate the cost of 
prosecuting identity theft cases. The officials noted, however, that 
such cases generally are categorized as white-collar crimes, as are 
other types of financial crimes. According to EOUSA: 

* U.S. Attorney Offices handled a total of 13,720 white-collar crime 
cases in fiscal year 2000. This total includes all white-collar crime 
cases that U.S. Attorney Offices dealt with in any manner during the 
year. That is, the total includes cases that were closed in the year, 
cases that were opened in the year, and cases that were still pending 
at yearend. 

* The total cost associated with the 13,720 white-collar crime cases 
handled was $157 million in fiscal year 2000. Thus, the estimated 
average annual cost of prosecuting a white-collar crime case was 
$11,443. 

EOUSA emphasized that this figure was derived using a broad, inexact 
methodology. Furthermore, EOUSA emphasized that the figure was only an 
estimate and that the actual cost could be higher or lower. 

Cost of Incarceration: 

According to Bureau of Prisons (BOP) officials, federal offenders 
convicted of white-collar crimes generally are incarcerated in minimum-
security correctional facilities. For fiscal year 2000, BOP officials 
told us that the cost of operating such facilities averaged $47.68 
daily per inmate. Thus, on a monthly (30 days per month) and an annual 
basis (365 days per year), the respective cost figures would be $1,430 
per inmate and $17,403 per inmate. 

Cost of Community Supervision: 

Federal probation officers are responsible for the community 
supervision of federal offenders released from prison, as well as 
those placed on probation in lieu of a prison sentence. Each offender 
under supervision is assigned to a designated probation officer, whose 
responsibilities include (1) enforcing the conditions of supervision; 
(2) reducing the risk the offender poses to the community; and (3) 
providing the offender with access to treatment, such as substance 
abuse aftercare and mental health services.[Footnote 48] Offenders are 
typically supervised in the community for a period of 3 to 5 years. 

In response to our inquiry, AOUSC provided us average daily cost data 
covering all federal offenders under supervision. The average daily 
cost reported for fiscal year 2000 ranged from $8.02 for regular 
supervision to $31.46 for supervision that involved electronic 
monitoring and substance abuse treatment. An AOUSC official told us 
that white-collar offenders—including those who committed identity 
theft and do not need contract services—probably would fall into the 
regular supervision category. For this category, the average daily 
cost of $8.02 equates to about $2,900 annually per offender. According 
to AOUSC, regular supervision cost is based on the national average 
salary and benefits of a U.S. probation officer, plus additional costs 
associated with management, administrative support, training, and 
overhead (e.g., automation, space, telephone service, and travel). 

[End of section] 

Appendix VI: Contact Points for Reporting Identity Theft and Seeking 
Assistance: 

Credit bureaus: 

Name: Equifax;
Address: P.O. Box 740241, Atlanta, GA 30374-0241; 
Telephone, Web page, or e-mail: 1-800-525-6285: 
www.equifax.com. 

Name: Experian; 
Address: P.O. Box 9532: 
Allen, TX 75013: 
Telephone, Web page, or e-mail: 1-888-397-742
www.experian.com. 

Name: TransUnion; 
Address: Fraud Victim Assistance Division; 
P.O. Box 6790, Fullerton, CA 92834;
Telephone, Web page, or e-mail: 1-800-680-7289
www.transunion.com. 

Advocacy sources: 

Name: Privacy Rights Clearinghouse; 
Address: 3100 5th Ave., #B, San Diego, CA 92103; 
Telephone, Web page, or e-mail: 1-619-298-3396;
www.privacyrights.org. 

Name: Identity Theft Resource Center; 
Address: P.O. Box 26833, San Diego, CA 92196; 
Telephone, Web page, or e-mail: 1-858-693-7935
www.idtheftcenter.org. 

Name: U.S. Public Interest Research Group; 
Address: 218 D St., SE, Washington, D.C. 20003; 
Telephone, Web page, or e-mail: 1-202-546-9707;
uspirg@pirg.org. 

Federal agencies: 

Name: Federal Trade Commission; 
Address: Identity theft Data Clearinghouse, 600 Pennsylvania Ave., NW, 
Washington, D.C. 20580;
Telephone, Web page, or e-mail: 1-877-438-4338 (toll free)
www.consumer.gov/idtheft. 

Name: Department of Justice; 
Telephone, Web page, or e-mail: 
www.usdoj.gov/criminal/fraud/idtheft.html. 

Name: Federal Bureau of Investigation; 
Call local field office; 
Telephone, Web page, or e-mail: www.ifccfbi.gov (for Internet fraud). 

Name: Internal Revenue Service Department of the Treasury; 
Address: Taxpayer Advocates Office; 
Telephone, Web page, or e-mail: 1-877-777-4778; 
www.treas.gov/irs/ci. 

Name: Postal Inspection Service;
Address: Call local post office; 
Telephone, Web page, or e-mail: www.usps.gov/websites/depart/inspect. 

Name: U.S. Secret Service Department of the Treasury; 
Address: Call local field office; 
Telephone, Web page, or e-mail: 
www.treas.gov/usss/financial_crimes.htm. 

Name: Office of the Inspector General Social Security Administration; 
Address: Fraud Hotline, P.O. Box 17768, Baltimore, MD 21235; 
Telephone, Web page, or e-mail: 1-800-269-0271. 

Other sources: 

Name: State law on identity theft; 
State attorney general's office for your state; 
Telephone, Web page, or e-mail: www.naag.org. 

Name: Victim report; 
Address: Your local police. 

Name: Compromised credit cards: 
Address: Your credit card issuer or local bank (also follow the four 
steps listed below); 
Telephone, Web page, or e-mail: Contact information is often found on 
your most recent monthly credit card statement. 

Name: Compromised checking accounts; 
Address: The bank that holds your account; 
Telephone, Web page, or e-mail: Contact information is often found on 
your most recent monthly checking account statement. 

To report identity theft, follow the steps below as listed in the 
Identity Theft FTC Web site: (www.ftc.gov/opa/2002/02/idtheft.htm). 

1. Contact the fraud departments of each of the three credit bureaus 
and report the thefts. 

2. For fraudulently accessed accounts, contact the security department 
of the appropriate creditor or financial institution. 

3. File a report with your local police or the police in the community 
where the identity theft took place. Get the report number or copy of 
the report in case the bank, credit card company, or others need proof 
of the crime. 

4. Call the ID Theft Clearinghouse toll free at 1-877-438-4338 to 
report the theft. The Identity Theft Hotline and the ID Theft Web site 
(www.consumer.gov/idtheft) give you one place to report the theft to 
the federal government and receive helpful information. 

[End of table] 

[End of section] 

Appendix VII: GAO Contacts and Staff Acknowledgments: 

GAO Contacts: 

Richard M. Stana, (202) 512-8777: 
Danny R. Burton (214) 777-5600: 

Staff Acknowledgments: 

In addition to the above, David P. Alexander, Kay E. Brown, Heather T. 
Dignan, Nancy M. Eibeck, William Falsey, Debra R. Johnson, Shirley A. 
Jones, Harry Medina, Robert J. Rivas, Ronald J. Salo, and Donovan 
Wilson made key contributions to this report. (440040) 

[End of section] 

Footnotes: 

[1] U.S. General Accounting Office, Identity Fraud: Information on 
Prevalence, Cost, and Internet Impact is Limited, [hyperlink, 
http://www.gao.gov/products/GAO/GGD-98-100BR] (Washington, D.C.: May 
1, 1998). 

[2] Public Law 105-318 (1998). The relevant section of this 
legislation is codified at 18 U.S.C. § 1028(a)(7) ("fraud and related 
activity in connection with identification documents and information"). 

[3] Generally, regarding the financial services industry, the scope of 
our work focused primarily on obtaining information from banks, two 
payment card associations (MasterCard and Visa), and national consumer 
reporting agencies (commonly referred to as "credit bureaus"). We did 
not obtain information about losses involving other general-purpose 
cards (American Express, Diners Club, and Discover) nor losses 
involving merchant-specific cards issued by retail stores. 

[4] These estimates are approximations based on the judgment and 
experience of agency officials. 

[5] The duration of this agency's fraud alerts can vary from 2 to 7 
years, at the discretion of the individual consumer. 

[6] An aggregate figure—totaling the number of fraud alerts reported 
by the three consumer reporting agencies—may be misleading, given the 
likelihood that many consumers may have contacted more than one 
agency. During our review, we noted that various Web sites—-including 
those of two of the three national consumer reporting agencies, as 
well as the FTC's Web site-—advise individuals who believe they are 
the victims of identity theft or fraud to contact all three national 
consumer reporting agencies. 

[5] In compiling case statistics, the Secret Service defined "identity 
theft" as any case related to the investigation of false, fraudulent, 
or counterfeit identification; stolen, counterfeit, or altered checks 
or Treasury securities; stolen, altered, or counterfeit credit cards; 
or financial institution fraud. 

[8] ABA, Deposit Account Fraud Survey Report 2000. The ABA defined 
"loss avoidance" as the amount of losses avoided as a result of the 
banks' prevention systems and procedures. Because the overall response 
rate by banks to the survey was 11 percent, the ABA's data should be 
interpreted with caution. 

[9] Other fraud categories that the associations do not consider to be 
identity theft-related include, for example, lost and stolen cards, 
never-received cards, counterfeit cards, and mail order/telephone 
order fraud. 

[10] Federal Deposit Insurance Corporation, Evolving Financial 
Products, Services, and Delivery Systems (Feb. 14, 2001). 

[11] Department of Commerce, Falling Through The Net: Toward Digital 
Inclusion (Oct. 2000). This report was the fourth in a series of 
studies issued by Commerce on the technological growth of U.S. 
households and individuals. 

[12] CALPIRG (Sacramento, Cal.) and Privacy Rights Clearinghouse (San 
Diego, Cal.), "Nowhere to Turn: Victims Speak Out on Identity Theft" 
(May 2000). 

[13] As agreed with the requesters, this section of our report focuses 
on costs of identity theft to the federal government only and not to 
state or local governmental entities; although, since 1998, most 
states have enacted laws that criminalize identity theft. 

[14] Public Law 105-318 (1998). 

[15] Public Law 106-102 (1999). 

[16] Appendix VI lists contact points for reporting identity theft and 
seeking assistance. 

[17] Our selection of these 14 banks was based on dollar amounts of 
managed receivables (as of Dec. 31, 2000) presented in The Nilson 
Report (Oxnard, Cal.), a leading source of news and proprietary 
research on consumer payment systems. Managed receivables consist of 
credit card balances outstanding that are carried on the balance 
sheet, as well as such balances outstanding that are securitized (off 
the balance sheet), by the credit card issuer. 

[18] Credit card issuers' participation in our study was voluntary 
because we do not have a legal right of access to any of their account 
or business information not publicly available. 

[19] The Consumer Bankers Association (Arlington, Va.) provides 
leadership and representation on retail banking issues. Member 
institutions are active in consumer finance (auto, home equity, credit 
cards, and education), electronic retail delivery systems, bank sales 
of investment products, small business services, and community 
development. 

[20] CALPIRG (Sacramento, Ca.) and Privacy Rights Clearinghouse (San 
Diego, Cal.), "Nowhere to Turn: Victims Speak Out on Identity Theft" 
(May 2000). The report is accessible at [hyperlink, 
http://www.privacyrights.org/ar/idtheft2000.htm]. 

[21] U.S. General Accounting Office, Identity Fraud: Information on 
Prevalence, Cost, and Internet Impact is Limited, [hyperlink, 
http://www.gao.gov/products/GAO/GGD-98-100BR] (Washington, D.C.: May 
1, 1998). 

[22] During our review, we noted that various Web sites—-including 
those of two of the three national CRAs, as well as the FTC's Web 
site—-advise individuals who believe they are the victims of identity 
theft or fraud to contact all three national CRAs. 

[23] On November 1, 1999, FTC established a toll-free telephone 
hotline (1-877-ID-THEFT)for consumers to report identity theft. 
Information from complainants is accumulated in a central database 
(the Identity Theft Data Clearinghouse) for use as an aid in law 
enforcement and prevention of identity theft. 

[24] FTC, prepared statement on Identity Theft, hearing before the 
House Committee on Banking and Financial Services (Sept. 13, 2000). 

[25] SSA, Office of the Inspector General, Management Advisory 
Report — Analysis of Social Security Number Misuse Allegations Made to 
the Social Security Administration's Fraud Hotline (A-15-99-92019, 
Aug. 1999). 

[26] The procedures do not cover allegations of program fraud with SSN 
misuse potential. 

[27] The SAR system replaced a "criminal referral reporting" system 
that had been used since 1984. 

[28] FMCEN, The SAR Activity Review-—Trends, Tips & Issues, Issue 2 
(June 2001), p. 14. 

[29] 2000 Annual Report of Investigations of the United States Postal 
Inspection Service (Nov. 2000), p. 9. 

[30] 2000 Annual Report of Investigations of the United States Postal 
Inspection Service (Nov. 2000), pp. 9, 40-41. 

[31] Checks were used to pay for 51.3 percent of total consumption 
expenditures, cash was used for 16.7 percent, other proprietary cards 
for 4.1 percent, and "other" (such as money orders) for 7.6 percent. 
(Details add to 100.1 percent due to rounding.) 

[32] As discussed in appendix I, these banks are among the top 14 
credit-card issuing banks in terms of managed receivables. Of the top-
issuing group of 14 banks, we were able to arrange in-person or 
telephone interviews with officials of 6 banks. 

[33] ABA, Deposit Account Fraud Survey Report 2000, p. 9. ABA 
conducted its survey between February and June 2000 and received 
responses (completed survey forms) from 542 commercial banks. 
According to the ABA, the reported loss figures represent 
extrapolations to the industry level. ABA defined "loss avoidance" as 
the amount of losses avoided as a result of the banks' prevention 
systems and procedures. 

[34] In contrast to these relatively narrow definitions, the Secret 
Service, as a lead federal enforcement agency for identity theft, 
defines this crime more broadly to encompass virtually all categories 
of payment card fraud. 

[35] Friendly or family fraud could occur when there is an 
unauthorized use of a credit card or personal information by an 
acquaintance, friend, or family member. Friends or family members 
sometimes apply for credit in the victim's name or take over existing 
accounts in cases of death or disability without notifying the 
financial institution. In these cases, financial institutions are 
usually able to recover their losses or shift the responsibility for 
existing accounts. 

[36] The sixth bank did not provide us with data reflecting identity 
theft losses as a percentage of overall fraud losses. 

]37] The National Fraud Information Center was established in 1992 by 
the National Consumers League, a nonprofit consumer organization, to 
address telemarketing fraud by improving prevention and enforcement. 

[38] Phillip C. McKee, III, Internet Fraud Watch Coordinator, "Remarks 
to the Annual Conference of the American Society of Travel Agents" 
(Oct. 8, 1999). 

[39] FTC, prepared statement on Identity Theft for a hearing before 
the House Committee on Banking and Financial Services, (Sept. 13, 
2000). 

[40] Statement of Mr. Bruce Swartz, Deputy Assistant Attorney General, 
Criminal Division, Department of Justice, at a hearing ("On-line Fraud 
and Crime: Are Consumers Safe?") before the Subcommittee on Commerce, 
Trade, and Consumer Protection, House Committee on Energy and Commerce 
(May 23, 2001). 

[41] Statement of Mr. Mark MacCarthy, Senior Vice President, Public 
Policy, Visa U.S.A. Incorporated, at a hearing ("On-line Fraud and 
Crime: Are Consumers Safe?") before the Subcommittee on Commerce, 
Trade, and Consumer Protection, House Committee on Energy and Commerce 
(May 23, 2001). 

[42] Federal Deposit Insurance Corporation, Evolving Financial 
Products, Services, and Delivery Systems (Feb. 14, 2001). 

[43] Department of Commerce, Falling Through The Net: Toward Digital 
Inclusion (Oct. 2000). This report was the fourth in a series of 
studies issued by Commerce on the technological growth of U.S. 
households and individuals. 

[44] CALPIRG (Sacramento, Cal. and Privacy Rights Clearinghouse (San 
Diego, Cal., "Nowhere to Turn: Victims Speak Out on Identity Theft" 
(May 2000). 

[45] Beth Givens, Director, Privacy Rights Clearinghouse, "Identity 
theft: The Growing Problem of Wrongful Criminal Records," presented at 
the SEARCH National Conference on Privacy, Technology and Criminal 
Justice Information, in Washington, D.C. (June 1, 2000). 

[46] Comptroller of the Currency, Administrator of National Banks, OCC 
Advisory Letter (AL 2001-4), Subject: Identity Theft and Pretext 
Calling (Apr. 30, 2001), pp. 2-3. 

[47] Testimony of Detective Michael Fabozzi, New York City Police 
Department, hearing on "Protecting Privacy and Preventing Misuse of 
Social Security Numbers" before the Subcommittee on Social Security, 
House Committee on Ways and Means (May 22, 2001). 

[48] Title 18, section 3583 of the U.S. Code provides for inclusion of 
a term of supervised release after imprisonment. Section 3603 
specifies the duties of probation officers. 

[End of section] 

GAO’s Mission: 

The General Accounting Office, the investigative arm of Congress, 
exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO’s commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO’s Web site [hyperlink, 
http://www.gao.gov] contains abstracts and fulltext files of current 
reports and testimony and an expanding archive of older products. The 
Web site features a search engine to help you locate documents using 
key words and phrases. You can print these documents in their entirety, 
including charts and other graphics. 

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as “Today’s Reports,” on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
[hyperlink, http://www.gao.gov] and select “Subscribe to daily E-mail 
alert for newly released products” under the GAO Reports heading. 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. General Accounting Office: 
441 G Street NW, Room LM: 
Washington, D.C. 20548: 

To order by Phone: 
Voice: (202) 512-6000: 
TDD: (202) 512-2537: 
Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Public Affairs: 

Jeff Nelligan, managing director, NelliganJ@gao.gov: 
(202) 512-4800: 
U.S. General Accounting Office: 
441 G Street NW, Room 7149:
Washington, D.C. 20548: