Disreputable corporate executives nationwide are bowing in thanks for Equifax, the credit reporting bureau responsible for the most damaging data breach in American history. Hackers stole Social Security numbers, birthdates, addresses, credit card and driver’s license numbers of 143 million people—more than half the adult population in the U.S., and about three-quarters of all Americans with a credit history. And then Equifax, reeling from its third major data breach in a year, made matters even worse.
While the company discovered the problem July 29, they hid it from victims for six weeks. Before that disclosure, three Equifax executives sold $1.8 million in company stock, and there were also abnormally large sales of stock options, suggesting insider tip-offs. Equifax didn’t initially tell its own customer service staff about the breach, but key shareholders appeared to get the message. And if you, the victim, wanted to learn if you were affected, you had to give more personal information to Equifax through an insecure WordPress site that looked like something an identity thief would create to trick you into handing over your personal information.
The site, Equifaxsecurity2017.com, pushed victims to sign up for a credit monitoring service that initially forced users to give up their right to a class-action lawsuit, precisely the corporate immunity maneuver that the Consumer Financial Protection Bureau is trying to ban. (Equifax has since stripped this out.) Initially, Equifax offered the monitoring service for free only for a year, and would charge $19.95 a month thereafter and require users to opt out, meaning the company was trying to take advantage of its own mistake to try to make money. Here, too, the company reversed course under pressure.
This parade of missteps and the fact that Equifax failed at its only job, the storage of consumer financial data, has many rightly wondering why we should not pull out the corporate death penalty and end this company’s existence. But I have a bigger question: Why do we have an oligopoly of three major credit-reporting companies who hoard your sensitive personal information? In fact, why do we have credit reporting companies at all?
Equifax began its corporate existence in the 1890s as the Retail Credit Company, a private investigator. Business clients would ask for personal information on individuals, not just financial history but political activity, marital problems, even sex lives. Your race or religion could dock your “score,” which was as tied up with character as it was creditworthiness.
These origins of surveillance explain the industry’s posture toward the people whose data they collect. “Consumers aren’t customers, we’re the commodity,” said Chi Chi Wu, an attorney with the National Consumer Law Center. “If you’re mad at Equifax after this, if you want a mortgage you still have to deal with Equifax.” Individuals had no legal access to their credit file until the Fair Credit Reporting Act (FCRA) of 1971.
After decades of consolidation, the three major U.S. credit reporting bureaus—Experian, Equifax, and TransUnion—are used by 90 percent of all lenders. We’re told that they’re vital to the economy, that they enable creditworthiness and allow commerce to function. But it’s not at all clear how they benefit our financial system, and consumers specifically.
These companies effectively act as a time-saver for lenders, who are supposed to have their own underwriting units to determine a potential borrower’s ability to repay. Anyone with access to the data and the Fair Isaac Corporation’s (or FICO) credit scoring formula can make the calculations. Maybe it’s useful to have three “expert” companies compile, store, and analyze that information, but only if they’re actually good at it.
In fact, we know that credit bureaus routinely commit millions of errors on these reports, badly and arbitrarily damaging innocent people. Fixing your credit report can be a Kafkaesque nightmare, such that a cottage industry of dubious “credit repair” companies has popped up simply to navigate people through the process. The reporting firms overhauled dispute procedures two years ago, but only then did the industry consent to using reviewers that were actually trained to review complaints.
With their primary responsibility to shareholders and not consumers, these firms constantly devise new services to sell. TransUnion recently sold an add-on to businesses wanting to avoid transactions with terrorists or drug dealers, by improperly matching people by name with the Office of Foreign Assets Control database. Sergio Ramirez, the lead plaintiff in a class-action lawsuit against TransUnion, was falsely tagged as a drug kingpin. TransUnion was fined $60 million over this in June.
Credit bureaus also sell to non-lenders. Almost half of all employers use credit checks in the hiring process, using them as a proxy for responsibility and trust. This biases businesses against anyone with debt regardless of the circumstance, and creates a spiral where people with bad credit can’t get a job, leading to greater financial hardship and worse credit. The correlation between debt and race makes this practically discriminatory.
For a long time, no federal agency monitored private companies’ compliance with the Fair Credit Reporting Act; the FTC could only bring law enforcement cases, not day-to-day supervision. Now, the Consumer Financial Protection Bureau, Senator Elizabeth Warren’s brainchild, has that authority and has improved the landscape. “It’s why the fight for CFPB is so critical,” said Chi Chi Wu, referring to Republican efforts to gut the consumer protection agency. “If it’s weakened, we’ve gotten rid of the most important measure to keep them in check.”
However, credit reporting bureaus aren’t legally liable for errors on your credit report. The “furnishers” of the information are the liable party; credit bureaus are only obligated to fix mistakes. And with the tight oligopoly of three bureaus, there isn’t much advantage in getting reports right or protecting the data used to create them.
In fact, the industry wants to shield itself from its own incompetence. The same day as the Equifax announcement, House Republicans held a hearing on a bill to massively curtail damages from private litigation under the FCRA. It would eliminate punitive damages and cap statutory damages at $500,000. If the bill becomes law, the 143 million victims of the Equifax breach eligible for the class action lawsuit filed Friday would be able to get a maximum of one-third of a penny in restitution. The credit industry’s chief trade group has lobbied for the bill, and it’s also fighting—against the CFPB—to maintain mandatory arbitration clauses that block class-action lawsuits altogether.
There’s a better way to handle consumer credit. Lenders don’t need inaccurate reports from self-interested companies; they can do their own due diligence. Employers and other non-lenders simply shouldn’t have access to such sensitive personal data. The FICO formula could be made open-source and available for license if it’s so important. And banks could learn far more from relationships with borrowers than the imperfect science of credit scoring. We don’t really need this middleman.
You might suggest that competition and innovation can solve this problem. So far, it’s been a disaster. Consumers don’t just have a FICO score, but an “e-score” that follows your online history and uses zip codes to infer socioeconomic status. These bad models create feedback loops that consign those living among poor people to the same high interest rates as those who are poor. Facebook considered offering a credit score to lenders based on social media profiles; in this Black Mirror–like dystopia, your friends could damage your ability to get a mortgage.
Unregulated credit algorithms don’t work. And we’re finding that the Equifax model, with consumers as products, doesn’t work either. Plenty of countries, like Germany, have “public registries” to hold and report information to lenders. “Government has its own screw-ups, but at least government is accountable to the voters,” said Chi Chi Wu. “I think it’s worth considering.”
Even with tighter regulation, a trio of powerful companies should not be entrusted with controlling Americans’ most vital financial data. The structures set up to maintain Big Data are woefully inadequate, and even more, they’re unnecessary. The Equifax breach offers a critical lesson in exactly what information large corporations keep on us, how they exploit and mishandle it, and why the time has come to break up this oligopoly.
This article has been updated to reflect Equifax’s change to the terms of its monitoring service for hack victims.