Millions of consumers who followed the correct procedure for protecting themselves from identity theft may still be at risk because the system for sharing fraud alerts among the nation's three credit bureaus is flawed, according to a study released Wednesday.

The study is small, but the findings are consistent with other research documenting inaccuracies or discrepancies in credit bureaus' files.

Consumers who fear someone has stolen their personal information are instructed by the credit industry to call one of the nation's three credit bureaus and request a fraud alert be placed on their accounts. The alerts are meant to warn potential creditors that identity theft might be under way so that lenders will take extra steps before granting credit to anyone applying with data included in the credit report.

In the past 18 months, some 90 million consumers have been informed that their personal information has been lost by a company or government agency, and nearly all have been told to place a fraud alert on their credit files as a first step toward protecting themselves from identity theft.

When consumers call to place the alerts at one of the nation's three credit bureaus, an automated system informs them that it's not necessary to call the other two bureaus – that the alert information is automatically shared among all three companies. Since passage of the Fair and Accurate Transaction Act in 2003, sharing of the alert information is required by federal law.

Instead, about 40 percent of the time, the sharing system doesn't work, according to the study by Debix Inc., a new company that is selling a service to consumers designed to make fraud alerts more effective. That leaves millions of credit reports unprotected, the study suggests.

'How can that be?'
"I just assumed when a law was created (to implement fraud alerts) that someone would actually measure the process to ensure that it worked," said Julie Ferguson, a vice president at Debix Inc. "Turns out we are the first to measure the fraud alert system. ... I just keep asking myself, how can that be?"

Ferguson is also a board member on the Merchant Risk Council, an association of electronic merchants which shares information and research concerning credit card fraud and other risks. Members include such e-commerce giants as Apple, American Express, Expedia, and the credit bureau Experian.

Norm Magnuson, spokesman for the Consumer Data Industry Association, an industry lobby group, questioned the methodology of the Debix study, and the study's results.

"Do I think there is a 40 percent propagation failure? No," he said. He said fraud alerts were successfully helping protect consumers from identity theft, and pointed to a reduction in the rate of increase of identity theft in recent years.

Asked if the industry had conducted its own study of fraud alert failures, Magnuson said he had not "seen any figures on rejection rates."

Don Girard, a spokesman for Experian, criticized the study's small sample size and said internal data contradicts its results.

"We see a success rate of 98-plus percent … in other words, a failure rate of less than 2 percent (receiving fraud alerts from the other two bureaus and applying them to the correct credit report)." he said. "I am baffled and mystified by this so-called study."

He said he did not know how successful Trans Union and Equifax are at applying fraud alerts that consumers file with Experian.

Betsy Broder, who heads the Federal Trade Commission's special ID theft unit, said she was aware of the Debix study.

"We have oversight of the system and we think it's important that the system works well for consumers," she said.

Most lenders – retailers such as cell phone companies or loan-granters such as auto dealerships – only examine one credit report before granting credit. If a consumer's fraud alert information is not shared among the bureaus, then two of the three credit bureau reports would not reflect the warnings, making identity thieves' work much easier.

The problem: Finding the right consumer
The Debix study tracked 54 consumers as they attempted to place fraud alerts on their files from May to August. Debix is about to launch a new product that automatically resets fraud alerts for consumers, which by default expire after 90 days.

Ferguson said that minor discrepancies in credit reports was the most common reason that the information was not shared among the bureaus. Examples included slight differences in a name (some include middle initial; others list full names) or erroneous data. When attempts are made to transmit an alert from one bureau to another, many alerts are rejected because the system cannot apply the fraud alert to a consumer's accounts because of these discrepancies, the study found.

In other words, the fraud alert is discarded because the system cannot verify that it is being applied to the right consumer.

In virtually every situation, the credit bureau involved failed to inform the consumer that the fraud alert did not set properly, Ferguson said. The only way to make sure an alert has been placed on a file is to obtain a credit report and see the alert printed on it, she added.

"(I'm) pretty disheartened because consumers and creditors put a lot of energy into making the system work and it is actually working pretty well if you can figure out how to set your fraud alert at all three bureaus," Ferguson said.

The biggest culprit in the failure, Ferguson said, was mismatched information in the consumers' address field – for example, one listing might indicate "99 Second Street", and another "99 2nd St." Mismatched dates of birth, or problems identifying generations (Michael Smith Jr. or Michael Smith III) also were common, she said.

Placing a fraud alert on a credit report involves responding to a confusing set of prompts from an electronic answering system that requires consumers to manually enter their personal information to verify their identity.

Frequently, subjects in the Debix study were able to fix their alert problems by obtaining a credit report and scanning it for errors, then calling the fraud alert system and entering the information as listed – even if it was wrong -- on the credit report, Ferguson said. In one example, an alert was successfully added to a report only by entering the same erroneous birthday into the system that was listed on the credit report, she said.

Credit reports: Many errors
The existence of factual discrepancies on credit reports has been chronicled many times. In 2004, the Public Research Interest Group found 54 percent of credit reports had some errors. In 2003, the Federal Reserve released a study which indicated that 70 percent of reports had some error. Thousands of lenders – known as "furnishers" in the industry – voluntarily place data in consumers' credit files. The quality of the entries varies, so it's common that consumers' reports end up with multiple versions of their names and addresses listed in their reports.

Because credit report information is private, it is notoriously difficult to perform comprehensive studies on credit report data. Researchers must obtain permission from individual consumers in any study, making the sample sizes small. The nation's three credit bureaus reject error rates found in such studies, and say mistakes are rare.

The fraud alert system has long been criticized by consumer advocates as ineffective. During congressional hearings in 2003, many consumers indicated they'd been hit by identity theft even after they'd placed fraud alerts on their accounts. For example, new credit cards were issued to imposters using consumers' personal information despite indications on credit reports that credit should not be granted without further identity verification.

The credit bureaus have often blamed retailers for ignoring the fraud alerts. Observation of them is not mandatory; lenders can choose to accept the risk of giving credit to a person with fraud alert on their account.

The Debix study, however, found that fraud alerts were generally observed by lenders, suggesting the blame might lie with a faulty fraud alert system.

Ferguson recommends consumers ignore the advice given by credit bureaus and call all three companies individually when requesting fraud alerts. Consumers should then obtain copies of their credit reports to make sure the alert appears, she said.