
Equifax: A Call for Public Utility Regulation of Consumer Reporting Agencies

posted by Adam Levitin

This post diagnoses what went wrong with Equifax and proposes a solution:  a public utility regulation regime for consumer reporting agencies in which the CRAs would be restricted in their ability to pay dividends and executive compensation unless they meet certain performance metrics in terms of reporting accuracy, dispute resolution, and data security.  Here goes: 

If we’re going to have any chance of fixing things with Equifax and other consumer reporting agencies (CRAs), we have to first diagnose what went wrong. Let’s start by keeping in mind that CRAs are essential utilities for consumer credit markets. Consumer credit markets depend on the integrity of the data collected by the CRAs, and part of that data integrity is its security, since data stolen from a CRA can be used to open false accounts.

On the simplest level the problem here is a theft (let’s call this hacking what it is), and Equifax is itself a victim. The problem here isn’t poor Equifax, however, but that there are huge externalities from the theft. If it were just Equifax’s internal operating plans or the secret sauce for the Vantage score that were stolen, the hacking wouldn’t be a matter of public policy concern. But it was consumer records that were stolen, and that means there’s a huge externality from the theft. First, there’s just a loss of consumer privacy, but second, and more alarming, is that those records can be used to create fraudulent accounts, which will potentially harm consumers’ credit in the future.

Now notice that this hacking is different from that of say Target. When Target suffered a data security breach it lost customer records. Equifax didn’t lose customer records. It lost consumer records. That’s an important distinction, and it goes to the heart of the problem with the CRAs. Consumers can, in theory, avoid harm from a data security breach at a merchant by not doing business with the merchant. Moreover, if a consumer believes that a merchant hasn’t been responsible in handling data, the consumer can withhold future business from the merchant.

To be sure, it’s very hard for consumers to evaluate data security at businesses, and few consumers are likely to make purchasing decisions based on merchant data security. But it’s at least theoretically possible with regular merchants. It’s not possible for a consumer to withhold business from a CRA because the consumer does not have a business relationship with the CRA. And this is the key problem: we have a consumer financial services market in which consumers cannot vote with their pocketbooks. Credit reporting isn’t the only market like this—consumers can’t choose their loan servicers or debt collectors—and those markets too have lots of problems because competition isn’t forcing better treatment of consumers. That means, among other things, that there is no punishment in the market for failing to take care of consumer records. So lack of consumer-market competition is problem 1 with CRAs.

Problem #2 is that CRAs are huge hacking targets. When Willie Sutton was asked why he robbed banks, he replied incredulously, “Because that’s where the money is.” That’s the problem today. Consumer data, particularly payments data, but also credit histories, is readily monetizable. That makes anyone sitting on such data a target for hacking. CRAs are sitting on massive lodes of consumer data because they’re able to do so. Consumers can’t stop ‘em because consumers don’t own the data they produce. But this means we have a bunch of very tempting targets with limited incentives to take care in protecting that data (or ensuring that it is 100% accurate).

So what can we do with these problems? Let’s start with this. We’re not going to get rid of hacking. We can enact a Bloody Code or the like, but it’s not going to stop hacking, especially as it can increasingly be done internationally. Instead, we need a system that incentivizes CRAs to take the appropriate level of care. That means that the CRAs need to “internalize” the costs of the externalities that are produced when they are hacked as they are the “least cost avoider” of the hacking. How can we do that?

Let me start with what I think won’t work: an ex post liability regime. There have been calls to increase CRAs’ liability for breaches and/or inaccurate consumer files. I’m all for that, but I don’t think an ex post liability regime will ever be enough to sufficiently change CRA behavior, especially as a host of procedural problems will continue to bedevil consumer litigation. There will never be complete cost internalization by CRAs even with a much stronger ex post liability regime.

Instead, I think we need to consider moving to a public utility regulation regime for CRAs. What I have in mind is a system in which the CRAs’ ability to pay dividends to shareholders and to dole out executive compensation would be restricted and tied to their meeting various performance standards relating to consumer file accuracy, dispute resolution, and data security.

Public utility regulation is far from perfect, but we’re looking at a situation here in which there is no market discipline because CRAs do not have consumer relationships. Private discipline through ex post liability under-deters. And a command-and-control regime of public liability also under-deters (look how well it’s worked for stopping problems like Wells Fargo). There’s no disclosure regulation tweak or even set of substantive rules that is likely to fix things. Instead, if we want to ensure a minimum level of consumer welfare, we will have to mandate those levels and tie the CRAs’ ability to pay shareholders and executives to performance on metrics that affect consumers. CRAs profit off of consumer data because and solely because the law tolerates it. There’s no natural right to this data. Instead, the law permits CRAs to gather and sell the data. It’s quite reasonable to qualify that right with a regulatory system that ensures cost internalization.

I recognize that this would take major legislative change. So for those of you who want to play small ball, there are some more targeted fixes that are long overdue. For example, just as consumers have a statutory right to a free annual credit report, they should also have a right to place credit freezes on their accounts for free. State law in a number of states regulates credit freeze fees, but allows fees to be charged. That’s ridiculous. Freezes should be free in all circumstances. Second, federal law really ought to require that all consumer data be stored and transmitted solely in encrypted formats. That should be a no-brainer.

So that’s my proposal: create a public utility type regime for regulating CRAs. I’d do this as a board under the CFPB, sort of like PCAOB or the MSRB under the SEC, but that sort of detail seems secondary to recognizing that we need a public utility regime for CRAs.


I think that your proposal is very interesting but I'm concerned that it would entrench the existing CRAs.

I agree with you that CRAs are hacked because they're the ones aggregating credit data and our credit scores are hugely important in terms of accessing financial products. And I agree that regulating CRAs as a public utility and, more importantly, tying executive and shareholder compensation to certain benchmarks, may result in greater accuracy and data security. As anyone who's argued with their cable company can attest, however, it's not clear that dispute resolution will become any better...

But the problem with CRAs isn't that they sell the data to third parties, but that they aggregate consumer credit data at all and therefore are "where the money is." And we've been seeing and will continue to see explosive growth in what I've been calling "algorithmic lenders." Those so-called "marketplace lenders" using Big Data/alternative credit data points to make lending decisions. These seem poised to be the future aggregators of consumer credit data and thus are ripe future targets for hacking. But they often do not sell this data to third parties and therefore do not qualify as CRAs.

So, IMO, any regulatory regime would need to account for them. Your proposal would add a huge regulatory burden, making it hard for these new algorithmic lenders to succeed and thereby entrenching the existing CRAs as the arbiters of credit. IMO, this would be a shame as our existing credit scoring system leaves millions of people without access to credit (even though they may be "creditworthy").

This is a great diagnosis of the situation, Adam. I share some of Matthew's concerns about whether a public-utility model is a good one. The regulatory problem with the CRAs may be sui generis and not be well informed by existing models.

The Equifax breach has affected more than half of the U.S. adult population, meaning it is more probable than not that any given adult has been affected. The externalities everyone seems to be focused on are the externalities from harm to the consumer -- identity theft, fraud, and so forth. Those are real harms, and I don't want to be heard to trivialize them in any way.

An even bigger externality, however, is when lenders cannot rely on the information they are being given. Right now, any lender looking at a U.S. adult who is applying for a loan should be thinking, "There is a greater than 50% chance this information comes from a person whose financial data have been compromised." That is not to say the lender cannot necessarily rely on the information. But, how the lenders change their behavior in light of this increased possibility, that is a big externality.

I told my class the other day that the episode reminded me of the old adage that if you owe your bank $10,000 it is your problem. If you owe your bank $100 million, it is the bank's problem. In the same way, the data breach is not Equifax's problem; it is our problem.

What would happen if companies that provide information to Equifax said, we're not going to do that anymore, and we're also not going to buy reports from Equifax either? How many would make up a critical mass that would seriously affect Equifax?

I think that initially credit reports from TransUnion and Experian would be as likely to contain "bad" information as Equifax's. Would the bad information eventually be washed out, or would stronger measures be required?

How high are the barriers to entry into the credit reporting agency business? Every few years there are stories in the mass media about a fourth major credit bureau, or how lenders et al are going to be using Facebook or some other social media to make decisions instead of or in addition to traditional credit reports. As far as I can tell, no true competitor to the Big 3 credit bureaus has emerged.

Could a new entrant provide better service to the lenders and ultimately to their indirect "customers", the consumers, in the form of more accurate records and reports? Or is the litigation position of the Big 3, that they are already providing maximum possible accuracy, actually correct?

I'm not privy to the contracts between the furnishers and the credit bureaus - could this breach be grounds for the furnishers to terminate their contracts with Equifax?

I expected this post. For any problem in the financial industry the solution is a new set of regulations.

So the same Federal government which has lost its own data to hackers on multiple occasions is going to tell consumer reporting agencies how to manage their data?

A regulator might enforce uniformity on CRAs, and will likely ensure reduced competition. If it also specifies data security protocols, it then gives the CRAs a defense against any new breach -- they followed the regulator dictated security so are not liable for a breach. Given the history of regulatory agencies, the agency rules will both specify how CRAs do data security and will prevent CRAs from implementing better data security.

So the net result will likely be guaranteed safe profits for CRAs, a regulatory shield against liability, and no guaranty of improved security.

Matthew Bruckner is right to point out the danger of further ensconcing the big 3 CRAs. Of course Bob Lawless is also right that the value of their reports seems much lower now, which might encourage consumer report users to seek alternative underwriting data. The suppliers of that data, however, are likely also CRAs for FCRA purposes, so I would think that any regulatory system should cover them as well.

David Yen's comment raises a really interesting question of why no one has broken into the market in a big way. The only barrier to entry I see is network effects--the Big 3's reports are more valuable than new entrants' because they are getting data from so many more sources. I don't know how hard it is to get a business to report to an additional firm, but that would seem to be an issue. The other problem might be on the user side--loan officers are conservative folks. Just as no one ever got fired for choosing IBM, so too, no one ever got fired for choosing credit reports from the Big 3. If you want a sense of how slow change is to come in the credit industry regarding credit reports, consider that the mortgage industry standard is still FICO 4, when the latest version of FICO is FICO 9.

As for ThomasW, regulators don't always get it right, but the current system sure ain't working (when was the last time someone won a judgment for poor data security?), and I don't hear any alternative suggestions from you. I don't think a regulator has to specify particular data security protocols, but if you've followed the reporting, there is some low-hanging fruit (like using admin/admin as the username and password combo). I think it's enough for regulators to provide general guidelines (e.g., end-to-end encryption for transmissions and data stored in encrypted forms, not using SSNs as an identifier, etc.). Instead, what I have in mind is tying the only market discipline that seems to exist for CRAs--the stock market--to consumer outcomes, such that if certain levels of consumer care (including data security) are not met, then the company can't pay dividends or stock options can't vest.

David, Lenddo, which appears to operate primarily outside the United States, claims to increase approval rates by 15% while decreasing defaults by 12%. See https://www.youtube.com/watch?v=rwlYYZIk1Q4.

I'm not sure if this is true. Other so-called marketplace lenders have had a mixed track record. For example, some of SoFi's loans have been defaulting at higher-than-projected rates. See, e.g., https://www.bloomberg.com/news/articles/2017-03-13/sofi-s-loan-losses-pile-up-as-even-wealthy-borrowers-default. Still others have well-performing loans. So it seems hard to be definitive at this point.

In any case, these new companies are not clear competitors to the big 3 CRAs in that they want to package and sell consumer reports to lenders. Instead, they often seem like they are 1) engaged in direct lending or 2) are partnering with other lenders to help those lenders leverage their in-house customer data to make better credit decisions.

I wonder why Adam picks the public utility approach over the bank supervisory approach. Or does he view them as indistinguishable?

Btw Adam, people win judgments for poor data security all the time in payment cases, especially those involving Article 4A of the UCC. Not that payment cases are a good template for credit agencies. I don't have any problems with a public utility/supervisory approach.

Hi Scrooge. I just saw an inland bill of exchange payable to you or your order:

"All he could make out was, that it was still very foggy and extremely cold, and that there was no noise of people running to and fro, and making a great stir, as there unquestionably would have been if night had beaten off bright day, and taken possession of the world. This was a great relief, because "three days after sight of this First of Exchange pay to Mr. Ebenezer Scrooge or his order," and so forth, would have become a mere United States’ security if there were no days to count by."

For 4A cases, I assume those are not about data storage, but wrongful transmission because of inadequate security procedures for authentication. If so, that's a different flavor of security breach. What I have in mind is liability for theft of data, not liability for bad security procedures that allow an unauthorized transfer of funds. Does that make sense or am I missing something?

As for the supervisory approach, I gave that some thought (as well as using the AML framework), and concluded that it doesn't get to the real problem of a lack of market discipline. The only market discipline on the CRAs is the stock market. What I'm calling a public utility approach (although I'm not committed to the label) is designed to harness that market discipline by tying returns to investors to meeting specific consumer service metrics.

I don't think a supervisory approach has a lot to offer (although I would think a licensing regime would be a sensible part of any regulation) because I don't think examiners are well equipped to probe data security procedures. As it happens the larger participants in the CRA market are under CFPB supervision, but the focus there, I assume, is on FCRA compliance, and that's a limited mandate.

Prof Levitin: I was going to answer your response to my earlier comment but in the meantime found an announcement from 2012 that the CFPB had begun regulating credit reporting. See https://www.consumerfinance.gov/about-us/newsroom/consumer-financial-protection-bureau-to-superivse-credit-reporting/. You also mention this at the end of your last comment.

You assume the regulation is on FCRA compliance and "a limited mandate". Is that the case? The CFPB announcement in 2012 says there will be a "review of compliance systems and procedures"; I'd think computer security comes under this heading.

So before calling for a new regulatory regime perhaps somebody should determine that the CFPB doesn't already have the authority to perform this regulation. If it does, then we have to ask why it hasn't. They've had 5 years during which time numerous security breaches have happened, including massive breaches at the Federal government (thus my question of why they are a good choice of regulator).

ThomasW: Let me clarify. Nothing in FCRA requires any particular type of data security. FCRA places limitations on "furnishing" (rather than "disclosing") consumer reports in 15 USC 1681e(a). A "consumer report" is a "communication" of information about the consumer's creditworthiness, etc. Is allowing a hacker to make off with data "furnishing" a "communication" about the consumer's creditworthiness? That's the argument that some of the purported class action suits about the data breach are making. I don't know of any relevant caselaw, but without having looked at the legislative history, Equifax certainly has a colorable textual argument that this particular statutory provision just doesn't apply to a theft of data. So to the extent the CFPB is enforcing FCRA, it's not obvious that there's a FCRA compliance problem.

As it happens the Gramm-Leach-Bliley Act does have some data security requirements. The CFPB has GLBA enforcement authority, but with the data security provision specifically carved out (see 12 USC 5481(12)(J) (excluding GLBA section 501(b), 12 USC 6801(b))). Even if the CFPB had total GLBA authority, however, I don't think the statute applies to Equifax. GLBA applies to "financial institutions". The definition of "financial institution" does not clearly cover consumer reporting agencies, unless one says that they provide "financial advisory services". The regulation implementing the GLBA data security provision for non-banks is the FTC's Safeguards Rule, 16 CFR Part 314. The Safeguards Rule doesn't impose detailed requirements for data security (and I wouldn't suggest such a thing), but broad standards of care. The Safeguards Rule, however, doesn't define "financial institution," but the FTC's Financial Privacy Rule (also under GLBA) does, and while it gives a bunch of examples of who is a financial institution, it doesn't include consumer reporting agencies. In any event, the FTC lacks supervisory authority. It can undertake an investigation, but it doesn't have the sort of immediate access to an institution as a regulator with visitorial powers.

So yes, it would probably make sense as an easy first step to give the CFPB authority over section 501(b) of Gramm-Leach-Bliley, and to clarify by regulation that "financial institution" includes consumer reporting agencies. But what would this accomplish? It would mean that there would be the possibility of a public enforcement action for the data breach. The CFPB and FTC can already bring such an action by alleging that failure to have reasonable data security measures is an "unfair" practice, even if there is no regulatory requirement of reasonable data security.

The reason I'm calling for a broader regulatory regime change is that data security is not the only problem with the CRAs. It's one of several problems that stem from the fact that the CRAs don't get their business from consumers, even though their actions have major impacts on consumers. However good the CFPB and FTC are in terms of exercising their supervisory and enforcement authority, it's necessary to recognize that there are funding and staffing limitations on the agencies. You'd never know it from the financial services lobby's bellyaching about overenforcement, but the CFPB only has around 150 enforcement attorneys. That's not even AmLaw 250 size. To really ensure good treatment of consumers, it's necessary to link that treatment with market results. That's what I'm proposing--a system for tying metrics of consumer treatment to stock market discipline through regulation of dividends to shareholders.
