Equifax: A Call for Public Utility Regulation of Consumer Reporting Agencies
This post diagnoses what went wrong with Equifax and proposes a solution: a public utility regulation regime for consumer reporting agencies in which the CRAs would be restricted in their ability to pay dividends and executive compensation unless they meet certain performance metrics in terms of reporting accuracy, dispute resolution, and data security. Here goes:
If we’re going to have any chance of fixing things with Equifax and other consumer reporting agencies (CRAs), we have to first diagnose what went wrong. Let’s start by keeping in mind that CRAs are essential utilities for consumer credit markets. Consumer credit markets depend on the integrity of the data collected by the CRAs, and part of that data integrity is its security, as with data stolen by a CRA it’s possible to open false accounts.
On the simplest level the problem here is a theft (let’s call this hacking what it is), and Equifax is itself a victim. The problem here isn’t poor Equifax, however, but that there are huge externalities from the theft. If it were just Equifax’s internal operating plans or the secret sauce for the Vantage score that were stolen, the hacking wouldn’t be a matter of public policy concern. But it was consumer records that were stolen, and that means there’s a huge externality from the theft. First, there’s just a loss of consumer privacy, but second, and more alarming, is that those records can be used to create fraudulent accounts, which will potentially harm consumers’ credit in the future.
Now notice that this hacking is different from that of say Target. When Target suffered a data security breach it lost customer records. Equifax didn’t lose customer records. It lost consumer records. That’s an important distinction, and it goes to the heart of the problem with the CRAs. Consumers can, in theory, avoid harm from a data security breach at a merchant by not doing business with the merchant. Moreover, if a consumer believes that a merchant hasn’t been responsible in handling data, the consumer can withhold future business from the merchant.
To be sure, it’s very hard for consumers to evaluate data security at businesses, and few consumers are likely to make purchasing decisions based on merchant data security. But it’s at least theoretically possible with regular merchants. It’s not possible for a consumer to withhold business from a CRA because the consumer does not have a business relationship with the CRA. And this is the key problem: we have a consumer financial services market in which consumers cannot vote with their pocketbooks. Credit reporting isn’t the only market like this—consumers can’t choose their loan servicers or debt collectors—and those markets too have lots of problems because competition isn’t forcing better treatment of consumers. That means, among other things, that there is no punishment in the market for failing to take care of consumer records. So lack of consumer-market competition is problem 1 with CRAs.
Problem #2 is that CRAs are huge hacking targets. When Willie Sutton was asked why he robbed banks, he replied incredulously, “Because that’s where the money is.” That’s the problem today. Consumer data, particularly payments data, but also credit histories, is readily monetizable. That makes anyone sitting on such data target for hacking. CRAs are sitting on massive lodes of consumer data because they’re able to do so. Consumers can’t stop ‘em because consumers don’t own the data they produce. But this means we have a bunch of very tempting targets with limited incentives to take care about protecting that data (or ensuring that it is 100% accurate).
So what can we do with these problems? Let’s start with this. We’re not going to get rid of hacking. We can enact a Bloody Code or the like, but it’s not going to stop hacking, especially as it can increasingly be done internationally. Instead, we need a system that incentivizes CRAs to take the appropriate level of care. That means that the CRAs need to “internalize” the costs of the externalities that are produced when they are hacked as they are the “least cost avoider” of the hacking. How can we do that?
Let me start with what I think won’t work: an ex post liability regime. There have been calls to increase CRAs’ liability for breaches and/or inaccurate consumer files. I’m all for that, but I don’t think an ex post liability regime will ever be enough to sufficiently change CRA behavior, especially as a host of procedural problems will continue to bedevil consumer litigation. There will never be complete cost internalization by CRAs even with a much stronger ex post liability regime.
Instead, I think we need to consider moving to a public utility regulation regime for CRAs. What I have in mind is a system in which the CRAs’ ability to pay dividends to shareholders and to dole out executive compensation would be restricted and tied to their meeting various performance standards relating to consumer file accuracy, dispute resolution, and data security.
Public utility regulation is far from perfect, but we’re looking at a situation here in which there is no market discipline because CRAs do not have consumer relationships. Private discipline through ex post liability under-deters. And a command-and-control regime of public liability also under-deters (look how well it’s worked for stopping problems like Wells Fargo). There’s no disclosure regulation tweak or even set of substantive rules that are likely to fix things. Instead, if we want to ensure a minimal level of consumer welfare effects we will have to mandate those levels and tie the CRAs’ ability to pay shareholders and executives to performance on metrics that affect consumers. CRAs profit off of consumer data because and solely because the law tolerates it. There’s no natural right to this data. Instead, the law permits CRAs to gather and sell the data. It’s quite reasonable to qualify that right with a regulatory system that ensures cost internalization.
I recognize that this would take major legislative change. So for those of you who want to play small ball, there are some more targeted fixes that are long overdue. For example, just as consumers have a statutory right to a free annual credit report, they should also have a right to place credit freezes on their accounts for free. State law in a number of states regulates credit freeze fees, but allows fees to be charged. That’s ridiculous. Freezes should be free in all circumstances. Second, federal law really ought to require that all consumer data be stored and transmitted solely encrypted formats. That should be a non-brainer.
So that’s my proposal: create a public utility type regime for regulating CRAs. I’d do this as a board under the CFPB, sort of like PCAOB or the MSRB under the SEC, but that sort of detail seems secondary to recognizing that we need a public utility regime for CRAs.