The bipartisan congressional response to the Equifax breach took another step forward Thursday when two key Republicans sharpened their focus on regulatory gaps in the oversight of credit bureaus.
Senate Banking Committee Chairman Mike Crapo sent a letter to the heads of the federal bank regulators asking whether they should be further authorized to supervise the credit reporting agencies. Meanwhile, Rep. Patrick McHenry, R-N.C., vice chairman of the Financial Services Committee, introduced legislation that would create uniform federal cybersecurity standards for credit bureaus.
Republican interest in new rules increases the odds of federal reforms for the credit bureaus, especially after Democrats have similarly shown interest in reining in the credit reporting giants. Analysts have pointed out that some congressional proposals are relatively benign, which could potentially broaden their support.
But critics charge that focusing on cybersecurity requirements for credit bureaus may be too narrow.
Howard Tischler, a co-founder and CEO of EverSafe, a Columbia, Md., fraud prevention company, said he thinks regulators need to look at the entire food chain of data, not just data that banks send to the credit agencies.
"How do we make sure that the entire food chain and infrastructure of a credit reporting agency is secure and who has that responsibility?" asked Tischler. "The focus right now is on the credit reporting agencies but there have been 1,000 other known breaches this year, so shouldn't [regulators] be looking at the broader issue of how do you regulate or prevent breaches?"
In his letter to the bank regulators, Crapo raised his concern about a potential "regulatory gap with respect to supervision of credit reporting agencies for data security standards." He asked the regulators about their current authority over credit bureaus, their "technical capacity" to supervise the bureaus, and how they supervise banks' third-party vendor relationships, including with credit bureaus.
McHenry went a step further, proposing in his bill — titled the Protect Act — that the Federal Financial Institutions Examination Council update its cybersecurity handbook to establish uniform standards to include the three big credit reporting agencies. It also leaves to the FFIEC to designate one of its member agencies as the examiner of the credit bureaus.
"It prevents future harm to all Americans by requiring the largest credit reporting agencies to be subjected to the same standards and supervision as the rest of the financial industry," McHenry said in a press release.
The two Republicans are wading into a potential quagmire for policymakers because oversight of credit reporting agencies is currently spread among different federal and state regulators. But analysts have pointed out that the limited scope of legislative proposals arising from the Equifax breach gives them a greater chance of passage.
"We see this legislation as less onerous for the credit reporting bureaus than we had expected just a few months ago. It also is the type of bill that we believe this Congress could enact into law," said Jaret Seiberg, an analyst with Cowen, in a note.
Roughly a dozen bills have been introduced to rein in the three major credit bureaus but most have focused on consumers' rights to freeze their credit or to use the IRS for consumer data verification.
Yet McHenry's latest bill has some overlap with legislation introduced by Sens. Elizabeth Warren, D-Mass., and Brian Schatz, D-Hawaii, in that both bills would create a federal requirement for credit bureaus to offer free credit freezes to consumers affected by a data breach.
McHenry's bill, however, appears to be less stringent, requiring credit freezes only for senior citizens, minors and victims of identity theft. And Warren's bill would go further by preventing credit reporting agencies from selling consumer information while a freeze is in place.
Also, noticeably absent from Crapo's letter was any mention of the Federal Trade Commission or the Consumer Financial Protection Bureau, the two primary regulators currently investigating the Equifax breach.
The FTC is the primary regulator in charge of enforcing cybersecurity standards for nonbanks, though it lacks direct supervisory authority. Meanwhile, the CFPB currently has supervisory examination authority over Equifax, Experian and TransUnion after designating the credit bureaus "larger participants" in 2012.
Tischler said policymakers need a more complete solution for safeguarding customer data than just going after the credit bureaus.
Using the Target credit card breach in 2013 as an example, Tischler said regulators need oversight beyond financial institutions, citing reports that the retail giant's breach was caused by an HVAC vendor.
"How broad is the FFIEC going to go because there is other data that the credit bureaus have such as a lot of employer data," he said. "If they're only looking at the banking data, does that create an issue where it's not the whole picture and they're only looking at half the data?"
Crapo said in the letter that he was concerned that criminals had gained access to internal Equifax files, exposing the addresses, driver's licenses and Social Security numbers of 145 million Americans.
The three banking regulators — Federal Reserve Board, Federal Deposit Insurance Corp. and Office of the Comptroller of the Currency — have until Oct. 20 to respond to six specific questions from Crapo about oversight of the credit bureaus.
He asked how bank regulators are securing their own data and whether the credit bureaus are integral to the safety and soundness of banks.
"Please describe in detail how your agency secures the data it maintains (including confidential supervisory information and individuals' personally identifiable information)," he said. "Please describe in detail how credit reporting agencies help ensure the safety and soundness of the banking organizations that you regulate."