The reputation hits to credit bureaus keep coming.
The breach of personal data on more than 143 million customers Equifax revealed in September was followed in mid-March by the news that an executive insider-traded stock before the public was notified about the breach. This week, Equifax acknowledged it had sent erroneous breach notification letters to an undisclosed number of people.
In a related bombshell, Facebook announced it was dropping Experian and TransUnion as data partners, along with seven other data brokers including Acxiom and Cisco, as part of its effort to improve customer data privacy. Its action was taken in the wake of Facebook’s own breach, revealed in late March, in which personal information of 50 million users was shared with Cambridge Analytica and its political clients during the 2016 election campaign.
That has left many wondering whether the blows to the credit bureaus, and growing concern about consumer privacy in general, could lead to major changes, including new legislation. Some speculate that the banks that do business with credit reporting agencies may be looking for alternatives.
“I would be astonished if the big banks are not giving it serious consideration,” said Richard Parry, principal of Richard Parry Advisors and a former risk management executive at Chase, Citi and Visa. “As a consumer, I’d be disappointed if they’re not.”
Hard to change
But shaking off the credit bureaus would not be easy — they have a firm hold in financial services.
Alternative data bureaus and startups that have tried to get banks’ business have generally been rebuffed, said Steve Ely, CEO of eCredable.
“What really matters is the data that shows up in a core credit file — 90-95% of credit decisions are based on the data out of a core credit file,” he said.
To take advantage of alternative data that could help it understand how to score more consumers, a lender would have to have multiple scoring solutions.
“The lender says gosh, that sounds more expensive — more people and more money — how much lift am I going to get?” Ely said. “They might get 3-4% lift. The lender says, no thank you. All that data is wonderful, but it is expensive to get implemented by mainstream lenders.”
John Ulzheimer, a consultant who formerly worked at FICO, Equifax and Credit.com, noted that credit bureau data is hardwired into decisions made not only by lenders but by insurance companies, landlords, employers and utility companies.
“I don’t imagine that there’s going to be any large-scale movement away from that information,” he said. “If someday someone builds a better mousetrap and renders credit scores and credit reports useless, then sure, you’ll see some sort of movement. But the reality is that hasn’t happened yet.”
Some banks do pull in loan application data and alternative data such as rental and cellphone payments into underwriting programs that also look at the traditional credit score.
“They have been for many years tiptoeing outside of traditional credit report by considering things like the presence of banking or checking account balances, wealth metrics, time on the job, time at the address, things like that that you won’t get out of the credit report,” Ulzheimer said.
But until banks find that traditional credit reports and credit scores no longer provide decent performance and low-enough default, they’re unlikely to chuck them.
“At the end of the day, it’s a champion/challenger world,” Ulzheimer said. “If the systems we’re using now are performing at a high level, and there’s no reason to believe they’re not, and if some other system which might be the cooler, faster, shinier model comes in and either underperforms or performs on par, there’s not a lot of incentive to switch."
Mandi Woodruff, executive editor of MagnifyMoney said that as soon as a consumer opens a credit card or an account with a utility or cellphone provider, the credit bureaus immediately start tracking that behavior.
“It would probably take an act of Congress to stop them from doing that; it’s such a widely used mechanism in lending,” she said. “I can’t think of a true alternative right now. Lenders come up with their own underwriting criteria, but the information is still coming from what the bureaus are tracking.
“For better or for worse, it’s the system we have.”
Equifax vs. Facebook
That doesn't mean, however, that there aren't long-term concerns. Though the breaches at Equifax and Facebook were different platforms and occurred different ways, consumers are worried about both.
A survey of 1,000 American consumers found 54% were more worried about the data bureau exposure, while slightly less, 46%, were more concerned about Facebook. The survey was conducted soon after the Facebook scandal broke and released Monday by MagnifyMoney, a consumer finance site.
“The Equifax breach seems [more real] because you’re talking about people’s Social Security numbers and driver's licenses,” Woodruff said. “In addition to that, the Equifax data breach was so massive. In early March, they released new information that added another 2 million people to the original list of 143 million people that were impacted, so that’s a significant segment of the population.”
And credit bureaus are expected to have more security, she said, because the information they collect is more sensitive.
“With Equifax, you think a massive organization that is being entrusted with the personal information of millions upon millions of people is going to protect your information,” she said. “They breached that trust not only by letting the information be so vulnerable that it could be obtained by hackers, but also waiting so long to tell us about it. It was months after the original breach when Equifax finally raised a hand.”
Equifax’s CEO resigned and then testified before Congress. Several states are investigating the company, and there could be more consequences to come.
“We are seeing a lot of effort from consumer advocacy groups and federal institutions meant to protect consumers stepping up and doing their job, which is to not letting Equifax off the hook for this,” Woodruff said.
“Those investigations take time, so we haven’t seen any real ruling or regulatory action against Equifax. I would be incredibly surprised if they got away scot-free," Woodruff said. "We just have to be patient and wait.”
Experian and TransUnion, which have also suffered data breaches in recent years, may have to share any Equifax punishments.
Parry agreed it makes sense that consumers would be more concerned about Equifax than Facebook — because they don’t realize that the Facebook gaffe is just as bad.
“It's instructive of how people don’t understand this data aggregation model, and I think it's unfortunate that people misunderstand the ramifications of each of those breaches,” he said.
For instance, Experian’s to-be-discontinued data-sharing arrangement with Facebook, described in this product sheet that Parry found, offers detailed data on 300 million consumers and 126 million households, including birth dates and phone numbers, that could be used to supplement Facebook profile data of customers and prospects.
In all likelihood, consumers had no idea their data was being shared by Experian (and presumably Facebook’s other credit bureau data partner, TransUnion) this way, and probably many banks didn’t know, either.
“Why do we become outraged after breaches when documents like this show the worst kind of exploitation dressed as focused marketing?” Parry said. “Did the top five bank CEOs sign up for this, or know that they did when they were signing up with the bureaus? If I were Jamie Dimon, Brian Moynihan or any other big-bank CEO, I’d be deeply concerned about how my customers’ data shared with partners for a permissible purpose may have been plundered, hacked or sold beyond the perimeter of my enterprise. This should be weighing heavily on them.”
JPMorgan Chase CEO Jamie Dimon alluded to this problem in a 2016 shareholder letter: “Many third parties sell or trade information in a way customers may not understand, and the third parties, quite often, are doing it for their own economic benefit — not for the customer’s benefit,” he wrote.
Banks may never be held accountable for the data they hand over to credit bureaus that then gets sold for marketing and advertising purposes. But their role may be examined.
“I’d be surprised if questions are not being asked in the legislature and among more organized consumer groups: Why is this credit assessment model so closely tied to the data aggregation business beyond that express, permissible purpose for which it was created?” Parry said. “If I were a big bank, I would say I’m not sure I want to give consumer data to anybody.”
Editor at Large Penny Crosman welcomes feedback at email@example.com.