Valentine credit data crackdown delivers kiss of death for online fraud

User-initiated bans bite from today.


It might be Valentine’s Day, but there will be no bouquets for debt collectors and online payment card fraudsters hoarding personal details, all thanks to a small but lethal tweak quietly delivered by the Office of the Australian Information Commissioner.

From today, credit information providers across Australia will be legally required to share information, between themselves, on when a consumer has asked for a ban on new credit applications – the ground floor door for online fraudsters establishing bogus credit cards and loans.

It’s a small, common-sense and incremental change that flies in the face of all the fear and loathing peddled by cyber security vendors and will require no big spend on new detection systems, software and widely loathed PCI-DSS upgrades that can cost more than they save.

But it’s set to have a big effect, because it closes a yawning hole scammers have been exploiting for decades thanks to the opaque nature of consumer credit hygiene reporting used by banks, credit cards, utilities and telcos.

The crackdown comes in the form of amendments to the Credit Reporting Code 2014 overseen by the OAIC and requires agencies that check your credit score to now ping each other to check if you’ve requested an active stop on fresh credit being issued in your name.

What that means is that if you’ve been a victim of identity fraud, or had your card or accounts compromised, crooks will find it a lot harder to just keep signing you up for new products that are then looted, leaving consumers to clean up the mess.

The OAIC’s small step is also important because once it bites, it’s likely to lessen the utility and dark market resale value of stolen Australian credentials used by fraudsters to impersonate legitimate customers.

Credit cards are the big prize for ID fraudsters, because once bogus accounts are set up across multiple issuing banks it can be between 50 days and three months before a sting is discovered, often when bills aren’t paid and are sent through to ‘collection’ – or the debt collectors.

And it’s those defaults that then wind up on a customer’s credit file, with the victim often only finding out when debt collectors come calling with threats of legal action, triggering a long and painful disputation process.

It’s a regulatory loophole the credit fraudsters have driven a truck through for years.

Amazingly, until now, there has been no formal requirement for credit bureaus to share consumer requests for new credit stops between themselves, resulting in identity theft victims being forced to go agency by agency to prevent their stolen credentials from being repeatedly misused.

We’ll get to the important and ignominious relationship between debt collectors and credit agencies in a moment, because there’s a track record of poor, often illegal behaviour and fraud victim exploitation.

The challenge for ID fraud victims, especially in the age of digital onboarding and screen scraping, is that it’s not just loans or credit cards that get maxed-out by fraudsters. In the main, banks are vigilant to fraud and can and do act quickly upon detection.

The real consumer sting is for phone services, gas, electricity, cable television packages and now increasingly buy-now pay-later and merchant credit facilities (think tech, tools and tradies) that are used to milk out value.

The typologies are not that sophisticated, but they are effective. Sign up for a two-year mobile phone plan on a stolen card and credentials, shift the phone.

Take the poor value (but easy to get) monthly instalment plan for a high-end gaming laptop. The list goes on.

Enter the debt collectors and the credit bureaus, who for the most part are joined at the hip.

Once the payments made using stolen credentials or instruments stop and the bills mount up (remember the 50-day interest free period), the fraud victim usually only finds out when they get a menacing phone call to pay.

As previously reported by iTnews, not all debt collectors are empathetic to the plight of fraud victims. 

They can, and do, sometimes harass and threaten fraud victims to get the money allegedly owed, irrespective of the evidence, abusing their substantial powers and aggravating the harm to victims.

Queensland-based debt collector Panthera is currently being prosecuted by the Australian Competition and Consumer Commission (ACCC) for multiple instances of unconscionable conduct that all revolve around the alleged hounding of fraud victims to pay debts they did not incur.

The key allegation in the ACCC case is that Panthera broke the law because it used “undue harassment” stemming from “repeatedly pursuing payment from each of the consumers, and continuing to require onerous documentation from each consumer after they had informed Panthera of the basis on which they were not in fact liable for the debt being pursued”. 

In one of the incidents alleged by the ACCC in the Panthera case, the debt collector extracted $100 from a victim who had a Telstra Mobile Broadband account fraudulently taken out in their name under the pretext of a credit default being removed (it wasn’t, despite the money being paid).

Put that behaviour in the context of credit bureaus not telling each other when a stop on new credit has been requested and it’s not hard to see how criminals milk the same victim multiple times over.

“These changes make it easier for people to prevent identity and credit fraud. Consumers can ask credit reporting bodies to notify each other about the consumer’s request to place a ban period on credit applications,” OAIC Commissioner Angelena Falk said back in December when the changes were flagged.

The amendments will also set strict timeframes “for processing corrections to consumer credit reports” as well as limiting what information can be kept on credit files.

The seamy end of the credit and debt collection industry will never smell of roses, but from today it will stink that little bit less.