July-August 2017

Don’t give credit to identity thieves

Robert Buss

Assistant Criminal District Attorney in Galveston County

How to properly charge criminals who steal credit cards and other people’s identifying information with intent to commit fraud

When peace officers investigate cases involving multiple credit cards, they frequently focus on the Credit Card Abuse statute (Penal Code §32.31) because, after all, it has “credit card” in its name. Prosecutors will often make this same mistake when accepting charges involving credit cards. The problem is that the Credit Card Abuse statute does not adequately punish or meet the elements of crimes involving true identity thieves. Correctly charging and proving large-scale identity theft is time-consuming and labor-intensive, but the effort is worth it.
    I recently indicted a prolific identity thief for Engaging in Organized Criminal Activity based on the underlying charge of first-degree felony Fraudulent Use or Possession of Identifying Information. (I will refer to him as John Doe because his case is not yet resolved.) While researching John Doe, I learned that he was previously charged with and convicted of Credit Card Abuse. The offense report that supported the earlier Credit Card Abuse charge showed he had been caught with hundreds, if not thousands, of credit card numbers. When interviewed, he freely admitted to using the credit card numbers and sharing them with more than three other people. He had victimized legions of people and businesses but received only a 10-month state jail sentence for his crimes. I listened to Doe’s jail calls, and he was not fazed by this level of punishment. In fact, he continued to encourage others to engage in the same activities while he was serving time in jail. When released from custody, he once again continued the same scheme.
       This case is not an outlier. I have run across numerous instances where intake prosecutors approved Credit Card Abuse charges on defendants caught with sophisticated card skimmers or notebooks full of credit card numbers. There is a common lack of awareness of how to effectively charge these cases among prosecutors who do not specialize in fraud. This article is meant to guide prosecutors to the right charge, depending on a case’s facts.

The problem with charging Credit Card Abuse
Credit Card Abuse (Penal Code §32.31) is a state jail felony offense unless the victim is elderly (then it is a third-degree felony). There are multiple ways to run afoul of this statute, but generally it is for presenting or using another person’s credit or debit card without the cardholder’s effective consent.
    If prosecutors funnel serious identity theft cases involving credit cards through this statute, then a person who uses or presents the credit card 50 times without the cardholder’s consent could at best be indicted for 50 separate state jail felonies. That is not an efficient approach to case management, and it does not adequately charge the defendant with the severity of the crime.
    Worse yet is when a defendant is arrested with more than 50 different credit card numbers in his possession but there is not very strong evidence linking him to specific, unauthorized uses of all of the cards. The defendant appears to be a major identity thief, but charging him with Credit Card Abuse does not fit the facts because the evidence does not satisfy the element that the card was presented or used by the defendant himself.

The better charge
The Texas Penal Code offense that best covers identity theft is in §32.51 (Fraudulent Use or Possession of Identifying Information). This stat-ute criminalizes using or possessing another person’s identifying information without that person’s consent with the intent to defraud. (It also criminalizes obtaining and transferring identifying information, but those variations of the statute will not be covered here.) The severity of the offense for §32.51 depends on the number of items of identifying information that the defendant used or possessed. Using or possessing more than 50 items is a first-degree felony.
    One of the key points to remember for this offense is the statute’s definition of “identifying information.” Identifying information in-cludes information that alone, or in conjunction with other information, identifies a person. Identifying information includes: name and date of birth; unique biometric data such as retina scans and fingerprints; electronic identification numbers, such as a bank account number or financial institution account number; account authorization transfer numbers; Social Security numbers, driver’s license numbers, and other government-issued identification numbers. Caselaw tells us that identifying information also includes credit card numbers.
    When a defendant possesses 10 items of identifying information, it does not matter whether there are 10 victims or just one. The defendant possessed 10 items of identifying information either way. The number of victims does not affect the severity of the charge, but when a person possesses the identifying information of three or more victims, there is a presumption of intent to defraud.
    The number of items of identifying information charged against a defendant also does not depend on the number of documents where the information is found. I prosecuted a man named Michael Grimm who used multifarious methods to exploit identities. One involved a number of rental contracts containing customer information that Grimm had taken from an RV rental business. Each contract had at least one Social Security number and a victim’s name and date of birth, and many had other identifying information such as credit card numbers. There were around 40 contracts holding a total of well over 80 items of identifying information. The Fourteenth Court of Appeals held that the number of documents containing the identification information was not important. If a single contract had four separate items of identifying information, then that counted as possession of four items instead of just one. A jury sentenced Michael Grimm to 30 years in prison.
    The statute of limitations for Fraudulent Use or Possession is seven years. That is helpful because these investigations can take some time. If a suspect has not been arrested or has been arrested on a different crime, prosecutors may want to hold off on presenting the ID theft case to the grand jury until they have the evidence for a potential trial. Financial institutions can take a month or more to respond to a subpoena deuces tecum, and that information has to be analyzed.

Charging Fraudulent Use
I charge large Fraudulent Use of Identifying Information cases as a criminal episode occurring pursuant to a common scheme or continuing course of conduct (beginning on or about the start date and continuing to on or about the last date of use). This charge works well when the defendant is not caught holding a lot of different credit cards but there is evidence of him using the same credit card (or cards) repeatedly.
    The venue for Fraudulent Use of Identifying Information can be any county in which the offense was committed or the county of residence for the person whose identifying information was fraudulently used.
    I routinely discover cases where a person has used a credit card account without consent on 10 or more occasions but was charged with credit card abuse (a state jail felony). The same facts could have supported a second-degree felony charge under Fraudulent Use. That’s because it does not matter that the same card number was repeatedly used so long as there are separate uses. That being said, the State will need to prove each use it relies on to get to the level of offense indicted.
    A common ID theft scenario involving credit cards includes a defendant using an innocent victim’s identifying information without that victim knowing about the fraudulent account. In such a scenario, a defendant uses a victim’s identity information to take out a credit card online. The defendant will then add his own name as an authorized user to get a new (physical) card issued to himself. The defendant, who is not in the business of making regular payments on the balance, will use the card until it just won’t work anymore. When prosecuting this scenario, remember that even if a credit card was procured without the victim’s knowledge, the account was set up with the victim’s unique identifying information, and it still identifies the victim, so any use of the account can be charged against the defendant.
    When prosecutors get such cases, subpoena all of the application information from the credit card company, as well as detailed billing statements for the life of the credit card account. The application information will show the identifying information that was used to set up the account, and it might include the address the card was mailed to (also known as the defendant’s house). The identifying information used to set up the account and the defendant’s transactions on it are all fraudulent uses. This whole scenario is pursuant to a common scheme or continuing course of conduct, so add up every use and include them in the charge against the defendant.
    I had an unfortunate experience when I took a Credit Card Abuse case to trial. The case had been indicted as Credit Card Abuse for a single listed instance of “abuse,” but there were really well over 20 uses of the credit card number. The card had been obtained online by the victim’s former friend who happened to know the victim’s name, date of birth, and Social Security number. After she got a card in the victim’s name, she added herself to the account and had a separate card (with her own name on it) sent to herself. I thought the case would be a fairly easy guilty verdict, but I was wrong. Members of the jury were confused by the definition of “cardholder” in the Credit Card Abuse statute. “Cardholder” means the person named on the face of a credit card or debit card, the person to whom or for whose benefit the card is issued. The jury believed they could not convict if there was not a physical card in the victim’s name introduced into evidence (impossible because the defendant had it mailed to herself and likely destroyed it). The jury also felt the credit card itself never really belonged to the victim because the defendant took it out for her own personal benefit instead of the victim’s benefit. The trial resulted in a hung jury.
    I re-indicted the case as a second-degree Fraudulent Use of Identifying Information, and after gathering more evidence that contradicted the defendant’s trial testimony, the case pled. I believe that if this case had been originally indicted as Fraudulent Use, it would have never have gone to trial or would have at least made it easier to secure a guilty verdict.

Charging Fraudulent Possession
The Fraudulent Possession of Identifying Information variation of Penal Code §32.51 is preferable when a defendant is caught possessing a large amount of identifying information pursuant to a lawful search or the information is found at a location or vehicle under the defendant’s control. Fraudulent Possession of Identifying Information is usually not committed pursuant to a common scheme or continuing course of conduct because the items typically are all possessed at the same time.
    The offense level depends on the number of different items of identification information the defendant possessed. While the same credit card number can be counted against a defendant multiple times in a Fraudulent Use of Identifying Information case, in a possession case, the card number can be logically possessed only once, even if the defendant possesses multiple copies of the same card number at the same time.
    As mentioned earlier, there is a presumption of intent to defraud if a person possesses the identifying information of three or more people. This presumption helps us prosecute this type of crime, but prosecutors still need more than a mere presumption to convince a jury to lock the defendant up and survive appeal. There are multiple venue options for this variation of the offense, but for practical purposes the venue should be the county where the identifying information was possessed. Prosecutors could pick the victim’s county of residence if all of the victims have the same county or residence, but there is no caselaw on using the county of residence to establish venue when there are multiple victims from separate counties.

Proving the identifying information
Proving Fraudulent Possession in trial is less burdensome in many ways than Fraudulent Use because prosecutors do not need to call witnesses to prove every use of the identifying information. We still have to prove intent to defraud, so I believe it is helpful to introduce some evidence that shows improper use of at least some of the identifying information the defendant possessed.
    For both Fraudulent Use and Fraudulent Possession of Identifying Information, the State must prove that the identifying information identifies a real person. A defendant who uses fictitious identifying information to defraud others has not committed an offense under §32.51.
    When I prosecuted Michael Grimm, he had created numerous temporary driver’s licenses with a computer. The licenses included some information that accurately identified real people, but he would mix it in with fabricated information. Some of the fictitious numbers ended up getting listed in the manner-and-means portion of Grimm’s indictment, which could have spelled trouble. The only reason this error was not fatal was because there was sufficient evidence of other manners and means in the indictment to support the conviction. I no longer take anything associated with an identity thief at face value, and I check that all of the identifying information, including credit card numbers, dates of birth, and Social Security numbers, match real people before they are listed in an indictment.
    An identity thief does not always need to know the name of the person to whom a credit card number belongs to in order to use that credit card number. It is not unusual for the thief to possess credit card numbers without accompanying information. Identity thieves will substitute their own name or a fake name on a card with a real credit card number. They will also often put real people’s credit card numbers on gift cards. Either way, the credit card number itself uniquely identifies a real victim. The issue is figuring out who the credit card number belongs to for the indictment.
    Finding the person identified by a credit card number is a lengthy, labor-intensive process, but it can be done if you’re armed with this information.
Most (not all) credit and debit cards have 16 digits. The first six digits of any credit or debit card (in bold here: 1234-5678-0987-6543) identify the account’s financial institution. These first six digits are commonly known as a BIN (Bank Identification Number) or IIN (Issuer Identification Number).
BINs are public knowledge. You can search for a card number’s six-digit BIN on the internet to figure out the financial institution that holds that number. That financial institution knows the identity of the person to whom that credit card belongs.
Send a subpoena deuces tecum to the financial institution (Chase, Wells Fargo, Synchrony, etc.) for the full account number. Make sure to ask for the application for the credit card, account holder information, and billing statements from the time you believe the defendant used or possessed the account.
Request a notarized business records affidavit so you can introduce these records without a live witness. You do not want to fly in a witness from out of state who knows nothing about your case for the sole purpose of laying the predicate to introduce business records.

Proving “without effective consent”
One of the more daunting hurdles to going to trial on an ID theft case is proving the identifying information was held or used without the owner’s effective consent. If there are just a few victims, call them as witnesses whenever possible. If the defendant possessed a large amount of identifying information, there is the potential for an overwhelming number of witnesses, possibly one for every credit card number the defendant possessed.
    Try to plan ahead before the indictment to reduce the number of witnesses to call. In many of my identity theft cases, the defendants incorrectly assumed they were smarter than everyone else and agreed to talk with police. They invariably try to minimize their involvement but will often admit that they do not know the people the credit card numbers belong to, or, even better, that they did not get permission to possess the credit card numbers. This saves me from calling an army of witnesses in trial.
    In the Michael Grimm case, the RV rental business owner testified that Grimm did not have permission to keep the rental contracts. The rental contracts alone contained more than 50 items of identifying information. There had been a good deal of testimony regarding how the contracts were found and where they originated, and I did have some victims testify as witnesses, but I did not have to call most of them. The appellate court held that circumstantial evidence proved lack of effective consent for all the RV contract victims, and each victim did not need to testify to that effect.

In closing
Fraudulent Use or Possession of Identifying Information is an effective charge against identity thieves. Our communities want law enforcement to take a stand against such thieves, and sentencing a defendant to county jail time for Credit Card Abuse does not adequately deter or punish large-scale identity theft. If we correctly charge identity thieves with Fraudulent Use or Possession, we can put them in prison and send a message to the community that identity theft will be aggressively prosecuted.

1  Cortez v. State, 469 S.W.3d 593 (Tex. Crim. App. 2015); Brown v. State, 354 S.W.3d 518 (Tex.App.—Fort Worth 2011, pet. ref’d); Richardson v. State, 328 S.W.3d 61 (Tex. App.—Fort Worth 2010, pet. ref’d).

2  A person’s name alone does not count as an item of identifying information. The Penal Code requires the name and another piece of information that identifies the victim. Ex parte Harrington, 499 S.W.3d 142, 147 (Tex. App.—Houston [14th Dist.] 2016, pet. ref’d).

3  Grimm v. State, 496 S.W.3d 817 (Tex. App.—Houston [14th Dist.] 2016, no pet.).

4  Ramirez-Memije v. State, 466 S.W.3d 894 (Tex. App.—Houston [14th Dist.] 2015, no pet.).

5  Ford v. State, 282 S.W.3d 256 (Tex. App.—Austin 2009, no pet.).