This is outside my usual brief, but one of my hobbies is that I used to ghostwrite letters to credit reporting agencies and banks. It is suddenly relevant after the Equifax breach, so I’m writing down what I know to help folks who might need this in the future.

That’s a pretty weird hobby? (Sidenote hidden here.)

I’m not a lawyer. I am not your lawyer. I no longer have enough free time to write letters for people. But feel free to read the below to help guide your research in dealing with your credit-related problems.

What problems can this advice help with? What can’t it?

Was your data leaked, or possibly leaked, without an account being opened yet? You might have heard your data was included in the Equifax breach or be unsure about that. Someone could, potentially, use that data to open accounts at financial institutions. Someone could also potentially have robbed your home while you were out. You wouldn’t call the police immediately after returning home on the possibly you might have been robbed – you’d do it only if there was actually evidence of a specific crime. You don’t need to do anything just because your data was leaked or might have been leaked.

I realize some folks find that advice unsatisfying. If you cannot sleep at night without doing anything, direct each of the three credit reporting agencies to put a “freeze” or “hold” on your records. Do not sign up for credit monitoring; it is a great revenue source for credit reporting agencies but almost never a good purchase for consumers. If you want to see what is on your credit report, you’re legally guaranteed three free reports a year (see here); once every 4 months is plenty for most people. You can also get free ones through banks these days; American Express and Capital One, among others, will give them for free as a customer acquisition / retention tool.

Do not use the following advice to correct a problem with an account which is factually yours. If someone has stolen your credit card number and used it to buy things, you should not send letters. Just call your bank; they’ll take care of it. For reasons beyond the scope of this post, that is a really well-understood scenario that banks are very customer-friendly about. The only thing we’re talking about here is accounts / debts which were never yours.

Was an account opened in your name without your consent? Great, you’re in the right place. The rest of this article assumes that you’ve either checked a credit report or been told by a bank that an account exists in your name which you didn’t open. (There exist steps related to the below to help improve one’s situation in the circumstance where your problem is that you’ve not paid debts you legitimately owed, but that problem is out of scope here.)

Understanding the players

There are three big credit reporting agencies (CRAs) in the US: Equifax, TransUnion, and Experian. Their business model is keeping records, organized on a per-person basis, about debts. They sell this information to banks for the banks to use in underwriting processes. They also sell credit scoring, a product which gives the bank a single number (or small set of numbers) to evaluate your creditworthiness. The most common score is FICO, named after Fair, Isaac, And Company (which developed it), but there are several varieties of this product. It’s sort of like Kleenex: Fair Isaac was so successful at owning this space that people call credit scores FICO scores.

A brief note about credit scoring.

The CRAs get data from many, many places, but the ones most immediately relevant to you are financial institutions (I’ll call them “banks”, but there are many that aren’t strictly banks) and non-bank creditors (I’ll call them “debt collectors”, since that is the majority case, even though e.g. AT&T can be a creditor which reports to a CRA).

You never have to deal directly with FICO; they provide math which either a CRA or a bank does. You only care about the data sources backing that math, which are at the CRAs, and the actual accounts underlying the data, which are maintained by banks.

The most interesting items on your credit reports are called tradelines in the industry. The exact data included depends on the type of underlying account / fact, the reporter, and how fragmentary the data is (it is often very incomplete), but in rough overview it is when the account was opened, a monthly balance history, and a monthly report of what state the account was in (paying as agreed, late by 30 days, late by 60 days, defaulted, etc).

A CRA can’t “close an account.” A bank maintains an account. A CRA only has a tradeline. The action you want is them to correct and/or delete that tradeline.

CRAs do not collect debts. Debt collectors (or original creditors, or lawyers hired by either of the two) collect debts. The interplay between debt collectors and CRAs is subtle: because many banks (and insurance companies, and landlords, and other institutions) make decisions partially based on credit scores, debt collectors can de-facto threaten to harm your future interests by reporting debts against you to the CRA in the present.

Never pay a penny of a debt which isn’t yours. Paying waives your legal rights, because the system assumes that nobody would pay something they didn’t actually owe. Paying also doesn’t help you, because in most cases paying debts which were once delinquent does not improve your credit scores. Why? Math math, clustering algorithms, blah blah; just trust me.

Understanding a CRA’s incentives

We say “You aren’t the customer, you’re the product” a lot in the tech industry, but this is very, very true of CRAs. Your data is their only product. If they could never talk to you ever, they’d love to do that, because talking to you costs them money but doesn’t make their product (you) much more valuable in most cases. Luckily for you, the CRAs are regulated in the United States, so just plugging their fingers in their ears isn’t an option… but they’ll certainly push that to the limit.

The main regulation CRAs care about is the Fair Credit Reporting Act. The legal code of this is here; the layman’s explanation from the FTC is here. The rest of this post is a very opinionated user’s guide to the FCRA and related legislation such as the Fair Debt Collections Practices Act (FDCPA) and long, boring books of regulations without fun acronyms.

Assume the CRAs will do the bare minimum to comply with the law, always. They are among the most odious and user-unfriendly institutions in the United States. You want to minimize your interactions with them; you want to minimize discretion that you give to them about your situation.

You should never call a CRA, ever. They have phone centers staffed with people whose only job is getting you off the phone. They have very limited availability to help, for the same reason that the phone center for Walmart does not have anyone who can help a shoe. You will deal with CRAs only in writing.

These days they have streamlined online applications for writing to them, but I suggest that you only send them paper letters. This is a really weird thing for a technologist to suggest, but when you send paper letters, you can establish and own a “paper trail.” When you type words into their godawful web applications and hit submit, you will likely fail to retain a copy of those words and fail to retain records about what they told you (exactly) and when. This will complicate your resolution with them. Communicate with them only over postal mail. Keep a log of every mail you send (including what you said) and when it was sent; keep a copy of every letter they send to you and when it was sent. You don’t need physical copies; digital is fine. I like organizing all of mine on a per-incident basis in Dropbox.

Retain copies of all correspondence with a bank or a CRA forever. Erroneously reported debts which you thought were taken care of can be resurrected years later by someone failing to check a box during a CSV export, resulting in the debt getting sold to a new debt collector, who will not know that you spent weeks resolving it. You want your paper trail so that your first and only letter to that debt collector credibly promises armageddon.

Presenting like a professional

Banks deal with lots of angry people, and are optimized to treat this like a customer service problem. Some do better and some do worse at this, but you never want identity theft treated like a customer service problem. Their CS department is scored on number of tickets resolved per hour, and each rep’s incentives are simply to classify you as something requiring no followup and get you off the phone.

Instead, you want to communicate with the bank in a manner which suggests that you’re an organized professional who is capable of escalating the matter if the bank does not handle it themselves. You do not yell – not that you’re ever verbally speaking with anyone, but you wouldn’t yell in a letter, either. You do not bluster. (“I will tell on you to my attorney” is, generally, bluster, and that’s bluster that is common to people who do not actually have attorneys.) You instead present as if you’re collecting a paper trail.

Mean words cannot hurt a bank. Threats cannot hurt a bank. Paper trails, though, are terrifying to regulated institutions. Your bank’s customer support representatives are taught to evaluate whether someone looks like they’re competent and collecting a paper trail. If they are, the CS rep is supposed to stop touching the case immediately and instead escalate them to a supervisor or to the legal department.

The legal department (or an analogous group – it is different at every bank) is not scored on cases resolved per week. They are scored on regulatory incidents per quarter, and their target for success is likely zero. Shockingly senior people will be involved to avert regulatory incidents.

What causes a regulatory incident? Bad behavior on the part of the bank? No. Banks screw up all the time; the screwups are literally forecast and budgeted for. Do regulators cause regulatory incidents? Generally no; they’re understaffed and underfunded, and they don’t go on fishing expeditions. The thing which causes regulatory incidents is well-organized people taking paper trails to regulators which allow a regulator to trivially follow up with an investigatory letter. Accordingly, anyone who sounds like a well-organized professional with a paper trail is a problem to be swiftly addressed.

That, dear reader, can be you.

Form letters and the inadvisability thereof

Regulation of CRAs is in some ways consumer-friendly and in some ways is designed to be to the advantage of the CRAs. For example, the CRAs told the regulators that there were businesses and websites offering form letters which correctly cited the FCRA and FDCPA, and that this let people send in a vexatious number of “frivolous” form letters. (Translation: Walmart is annoyed how many shoes found out how to speak.) So the regulators offered the CRAs an olive branch: they’re allowed to close without actioning any case which involves a form letter.

Is that fair? No. CRAs are allowed to respond to you with a form letter, and in fact will, and in fact in many cases it will literally include checkboxes so that they can most efficiently tell you the rationale for not helping you.

Fun story: When I reported to a CRA “I do not owe this debt. It was opened in 1978 and I was born in 1982. Clearly something must be wrong.”, I got a letter with the checkbox “[ X ] You have told us that your minor child’s information is on your credit card report, but we checked and it is not there.”

So if you can’t just download a letter from the Internet, how should you write a bespoke, artisanal letter such that people reading it read you as a Dangerous Professional?

Professional mien: You’re a professional, and not someone straining to pretend to be one.

If you’ve never been in a customer-facing role, you might not have ever seen this genre of communication, but a lot of folks suddenly adopt electutory tendencies which they believe approximate legal professionals whom the have copious exemplars of from TV. This is not the way actual professionals write, which is generally clear and to-the-point. Write clearly and concisely. You want to outline relevant facts and omit long, windy narrations of e.g. how you were feeling when you discovered that your identity was stolen.

On August 5th, 20XX I accessed my credit report from Experian, numbered 1234567. It shows an account with your institution in my name, with account number XXX123. I am unaware of the full account number. I have no knowledge of this account. I did not open it or authorize anyone to open it.

Restrained emotions: You’re a professional. Someone in the economy has made a mistake; you require it to be fixed with alacrity, but you’re not angry at either the bank or anyone working at it. Why be angry? This is just business to you. It’s business that you will, with night-turns-into-day certainty, cause consequences if your legitimate requirements are not met, but you won’t bear anyone ill will over it.

Showing anger decreases the perception of risk of you filing a regulatory action or a lawsuit. This is counterintuitive to many people. The vast majority of people who show anger are showing anger because they want to show anger. They want someone to validate their emotions. They don’t want to be “disrespected” by the person in front of them. You don’t particularly care about the individual you’re writing to or whether they’re emotionally supportive of you. You want a resolution, no more no less. Professionals know that if they want emotional support they could just buy a dog.

People who can file a regulatory action while being emotionless about it are terrifying, because they suggest that their day job is e.g. administrator for a hospital, that they’re very comfortable with pushing papers around government agencies, and that they will remember deadlines, keep copious records, and consult with other professionals where appropriate. People like this have an annoyingly predictable tendency to convince bureaucracies to give them what they want.

If you’ve ever seen the House M.D. episode (season 1, episode 6, “The Socratic Method”) with the high school student who immediately confirms his understanding of anything a person in a position of authority says, writes it down in a notebook, and references specific facts from the notebook in follow-up conversations, that is exactly who you want to be.

Micro-tip: I never phrase an initial letter with “I demand you…” because I’m a professional. Angry people demand; professionals “require.” If you’ve asked me to pay money that I don’t owe you, I “require” you to stop doing that.

Be very clear about what you want. What you do not want is to give someone the excuse to read your letter and conclude that no further action is required or that a form letter trivially answers it. You want a specific set of actions, you want those actions to be confirmed to you in writing, and you want them done by a specific date.

The FCRA and FDCPA have a variety of timelines embedded in them. For example, incorrect information on your credit report has to be investigated and corrected within 30 days. There are varying penalties for the bank / CRA if they exceed a statutorily defined timeline. You can either learn all of the timelines and specific consequences, or you can just suggest that you’re aware that timelines exist. The clock(s) start typically counting when the bank or CRA has a specific, written complaint, so you want to both make sure your initial letter constitutes that and signal that you are aware they are now on the clock. People who are aware of legal deadlines and sound like they are going to count to 30 days and then immediately cause consequences on day 31 are much scarier than people who scream “I NEED AN ANSWER FROM YOU TODAY!”

Please correct this tradeline and confirm this to me in writing within the timeframe specified by law. If you cannot correct this tradeline, provide me with your written justification for why your investigation concluded that this tradeline was accurate.

There are some subtleties here, but you’re playing this game and look to be playing it well. Non-response is documentable non-response. Any response is either non-responsive to your request (which activates a regulatory machine) or commits in writing to the fact that an investigation has occurred. This is an important Rubicon to force the CRA to cross, because (if you are factually innocent of the debt) then any investigation which concludes that you owe it likely includes blindingly obvious errors which will be discovered on review.

Did I mention they said, on paper, that I had a validated debt dating to before I was born? That is not an exaggeration, at all.

Blindingly obvious errors lead to punitive damages and very incensed regulators, so even if the CRA has a low-ceremony way for “validating” a trade line (“We checked in our web application and shocker the database says what we said it said; click here to generate form letter”) they will not trust their usual process to do it. Instead, you’ll get escalated internally, then a lawyer will say “My time is valuable; you’re creating legal risk; just give the shoe what they want.”

Don’t say untrue things. Don’t say “I will file a suit” unless your true intent is to file a suit. Don’t say that you’ve involved a lawyer if you haven’t involved a lawyer. People bluster all the time and your counterparty is immune to bluster. People who have factually involved an attorney don’t need to announce that; their attorney will for them.

You can, however, be a professional who says things that have some strategic ambiguity. “I will avail myself of remedies available under the law” could imply that you’ll involve an attorney, that you’ll write to your local attorney general or another bureaucrat, or that you’ll write letters. Can you write letters? Great; avail away.

Who do I write first?

If an account was opened without your knowledge and consent, you’re going to write the bank, but you’re going to make a quick stop at your local police department first.

Why? Well, the most common genre of identity theft is what is variously called “family fraud” or “friendly fraud” and what is informally called “a household cannot agree about financial decisions and asks a bank to be the adult for them.” If your spouse opens an account in your name, the bank will say “Did you file a police report? No? Alright, best of luck resolving that at the dinner table.” If an unrelated person opens an account, the bank will (explicitly or implicitly) assume that they might well be a romantic partner, business associate, friend, cousin, etc who opened the account with your active or tacit consent. Resolve the ambiguity by immediately filing a police report.

Police departments will give a written copy of a police report or receipt for a report for virtually anyone who comes in and asks for one. They will likely not investigate or “catch the bad guy”, but you don’t require that. You are just using the police to validate that you’re willing to make expensive statements. (This is an “expensive” statement because lying to the police is a crime and lying to banks is, while still a crime, a crime which people commit by the millions every day. “I thought I had the money before I wrote the check! Honest!” They’ve heard it before. “I, a responsible professional, swore the following out on penalty of law in front of a police officer” signals seriousness.)

You will have your first letter be to the bank and include a copy of your police report. It will be short and to the point: when you learned the account was opened, a clear statement that you did not open the account, and your requirement that they investigate and take appropriate action immediately.

Don’t write like a supplicant. Yep, they’re a big bank… but you’re a crime victim and they are, as of this minute, an instrumentality of the crime committed against you. You’re not angry, but you expect immediate resolution of this, and if they don’t immediately resolve it well then they aren’t an unwitting participant in the crime against you any more, are they.

You may get a letter back requesting additional information. In general, read the letters and reply accordingly, but my general theme in follow-up letters was:

In my previous letter to you, dated XX/YY, I provided sufficient information to you to identify this account. You have, in a letter to me dated NN/MM, requested additional information but not yet instructed the credit reporting agencies to delete the tradeline or, to my knowledge, closed the account. This is clear error, as the account is not mine. I reiterate my requirement from the XX/YY letter that you take appropriate action against this account and instruct the CRAs to remove it from my credit reports. As a professional courtesy, I am attaching the information you requested in your letter. Please complete your investigation immediately and confirm this fact and your followup actions to me in writing. If you cannot, you are required to send me your written justification for why the bank believes that I own this account and why the bank believes that their reporting of this account to the credit reporting agencies is in compliance with the law.

Why write like this? Because the bank will argue “We get (e.g.) 30 days to investigate from the day we agree with you that there exists a problem”, and they will default to asking for additional information, sometimes multiple times, just to wear you down and make you stop responding, then they will close the case for non-response. You will say “No, what the law actually says is that you get 30 days to investigate from the day where I sent you a specific written complaint. Your legal obligations date from that letter, not when you decide they date from. Your letter to me saying you need additional information does not excuse your inability to comply with your legal obligations.”

You can choose to write the CRAs in parallel with the banks or after writing the banks. It will require the least number of letters from you if you do it after you have written confirmation from the bank that the account is not yours. Your letter to the CRA then sounds like:

My credit report reflects a tradeline from Bank of Boondoggles with account number XXX123. This account is not mine, and the bank has confirmed this – I am attaching a letter from their SVP to this effect. Please immediately investigate this erroneous tradeline and delete it, or confirm to me your rationale for verifying it in writing. As the bank has acknowledged the error already, if you report to me that it is verified, that will be a per-se violation of the FCRA and I will avail myself of remedies defined in the FCRA or elsewhere.

Non-response to your specific written demand within the timeframe is concession; you should then send them a letter taking notice of the non-response and requiring immediate and permanent deletion of the tradeline. (You will frequently not receive a letter within the timeframe.) Response which includes deletion means no new letters from you, but verify that the deletion happened and keep the correspondence forever.

What happens if you get a verification back? Well, you can either continue sending pointed letters about how they’re in violation already, or you can just proceed directly to involving your local attorney general and/or suing them. In my experience of sending out a few hundred letters, this was not actually required in more than a handful of cases that I’m aware of. The system is broken in totality but can work for you specifically if you are patient and determined about it.

Where exactly should I address letters?

Google is your friend. Remember, you’re dealing with very large corporations which have many divisions. They can pass messages between each other. You do not want to send to the Department Of Fobbing People Off when you can send to the Legal department. Even if the actual pushing-of-buttons you require can only be done by the Department of Fobbing People Off, you want the request to push buttons to come from someone who cannot be fobbed off, like an annoyed attorney whose time is being wasted but who, because they are an attorney, does not ever want to have not responded to an issue which could credibly create a legal or regulatory risk.

If you cannot route letters to the legal department, go as high up as required. Pro-tip: virtually every major US company has a department called Investor Relations which is trivially discoverable, very well-funded, publicly routable, and very bored during 80% of the year. You can excuse any letter to Investor Relations with:

I am a shareholder in BigBank. I was therefore profoundly displeased when I learned…

What’s a well-paid bored professional in Investor Relations going to do with your account information? Nothing? Nothing is a great way to get fired. No, they’re going to open up their internal phone tree or ticketing system and say “I have a letter from an investor which alleges an identity theft issue. Which group handles that? Your department? Great; handle it and call me when you’re done. Do you want it by fax, email, or FedEx?”

“But I’m not a shareholder!” A surprising amount of Americans are shareholders in large financial institutions. Do you have an IRA? Does it invest in e.g. mutual funds? If you own a mutual fund or index fund, you are highly likely to beneficially own fractional shares of US financial institutions. Someone who owns 0.01 shares is a shareholder; welcome to the magic of capitalism.

(Note that there is no register of shareholders kept by Investor Relations – they don’t know who owns their company, except for the few largest holders. You could own $20 million of their company and they’d be totally ignorant of that fact – the records are kept elsewhere. Which suggests a strategy you could employ, but why lie when you can simply tell the truth.)

No help from investor relations? Try the highest part of the company you can find an address for; this can be named e.g. the Office of the President / CEO or similar. A secretary will read your letter, come to the conclusion that it is not worth the boss’ time, and does something that she does a few dozen times a day: “$BOSS got this letter from a customer. Thanks in advance.” The Department Of Fobbing People Off fobs off people but it doesn’t fob off the CEO.

I got a call from a debt collector.

“What is your address?” Get it then hang up. Never speak to debt collectors.

Write the debt collector.

Say that you will accept further communication about this matter ONLY in writing and all other forms of contact are inconvenient.

If you were told enough to know the debt isn’t yours, write so. Otherwise, write that you have no knowledge of the debt. Ask them to verify it with the original creditor. Remind them that they can take no action until they do so.

You will likely get follow-up calls, because this industry is rife with illegal behavior. “I’ve given you written notice that calls are inconvenient. This is a per-se FDCPA violation. I am writing down the day and time of this call. Goodbye.”

After you’ve had the bank verify that the account is closed, the letter to every debt collector is fairly similar. The term of art in the industry is FOAD, and it does not stand for Fly Off And Die.

Bank of Bigness has confirmed that that account was never mine. I have attached a copy of the correspondence for your records. Any collection activity is illegal. Selling the debt, which you now know to be illegitimate, is illegal. Reporting it to the CRAs is illegal. Instruct the CRAs to remove it from my credit reports immediately, cease all collection activity, and ensure you do not sell it. You are allowed one additional communication, delivered via the US Mail, to confirm that you have complied with your legal obligations.

You gain nothing by writing “If you do absolutely anything other than that, I will sue you, and be quickly vindicated”, but I find saying that out loud to an empty room let me blow off steam.

Do I need a lawyer?

You can involve a lawyer, but the sums of money involved are generally not cost-effective for most people. My per-incident resolution time was generally 2~3 letters (total cost: < $20 – I was sending “certified mail, return receipt requested”, which is Dangerous Professional for “Do you like paper trails? I like paper trails. I particularly like paper trails where the United States Federal Government attests to the exact minute your firm learned the contents of this letter.”); my max in my personal situation was six. Total resolution time is generally on the order of 3 to 10 weeks.

Taking low-complexity matters to a lawyer generally results in a bill of a few hundred dollars. (I wouldn’t say “Literally any lawyer could do this” but, well… let’s say that it isn’t rocket surgery.) They will likely not sue on your behalf; they might (depending on temperament and your paper trail) either send a letter that you could have sent (but which is signed Dangerous Professional, Attorney At Law) or perhaps file suit to get the attention of the legal department at the CRA or bank. Defending a lawsuit is symmetrically costly (finally!) and, because you have a paper trail, all parties know what the likely outcome will be in advance, so ask your lawyer on what their estimate is regarding probability of settlement.

You might or might not pay out of pocket in that circumstance; you might or might not get some amount of money.

You might have questions for me, particularly if this gets distributed beyond my normal circle of geeks. I unfortunately have no time to help with this, but I wish you the best of luck.

If you need help and can’t afford or locate an attorney, good choices are:

  • Your state’s attorney general office (Google it)
  • Your state’s consumer protection division (Google it)
  • The FTC’s complaint division

If you are dealing with a bank specifically, you can complain to their regulator – bring your paper trail. Banks are regulated by a variety of organizations in the United States and it may not be obvious which to direct your complaint to. You can trivially find this out by either walking in to any branch and asking or calling any of their 1-800 numbers; you may be escalated to a complaints department, but politely insisting “I need to write a letter to your regulator. Who is that, please.” will get you their name within 5 minutes. (It is also, depending on the bank, Googleable – searching for [Bank of America regulator] got me the right answer, the Federal Reserve System, on the first result, and searching for [Federal Reserve System complaint] would trivially find the right place to submit your paper trail. Again, there are a lot of banking regulators and the FRS might not regulate the bank you’re trying to get help with – do the Googling.)

You can also look for consumer advocacy groups, but the vast majority that you’ll find are extremely unsavory. (There exist a variety of “credit repair” businesses, some operated as non-profits, which are scams which charge people money to putatively get debts discharged.)

I have not found in my experience that the good ones are a faster or more reliable option than writing to the companies directly or escalating to government agencies.

You will get through this; you will not have to pay debts which are factually not yours. I share your frustration with The System. It is broken, and it catches innocent people up in its gears far, far too often. You can still win.

I wish you the best of luck and skill.