Clearly, if you are a banker, you can rest assured that the data breach at Equifax affecting 143 million consumers was not your fault. So why do you have a dog in this fight? The problem for banks is not what they did, or what they did not do, but rather what steps they might neglect in dealing with the aftermath of the Equifax breach.

The reason is straightforward: Those 143 million consumers whose personal information was stolen are not Equifax’s customers, they are yours. Equifax is your vendor and you provided it with highly sensitive information that, if compromised, could cause significant harm to the very customers who trusted you with it. It was your responsibility, through rigorous due diligence and vendor management, to ensure that this information was protected and, like it or not, it is now your responsibility to help your customers deal with this potentially damaging situation.

Banks may or may not have a legal responsibility to address this situation. However, if I were a board member of a bank that shared customer information with Equifax, I would certainly be asking tough questions right now and demanding thorough and documented answers. What agreements do we have in place with both the credit bureaus and our customers in terms of which party has liability in a breach of a credit reporting agency? What documentation did we rely on to evaluate and approve Equifax’s security procedures? Was our systems assessment thorough or cursory? It is imperative that management and the board quickly get the answers to these questions and others to determine the extent of any legal liability.

Fingers pointing
The tendency in a data breach is to blame and punt issues to the company where the breach occurred. But in the case of the Equifax breach, whether banks like it or not, how they respond will affect their reputation with their customers. Adobe Stock

However, while determining any potential legal liability is important, it is not the most important issue that banks should address immediately. Rather, the core question is how can the bank protect its customers? Should it be reactive or proactive? Should it initiate customer communications or respond generically to customer inquiries? How the bank addresses these issues can have a significant impact on its reputation.

This not a time to point blame. Rather, it is a time to step up and demonstrate your commitment to your customers. If you punt the problem to Equifax, you show that you don’t really care. This seems like an easy choice, but it will be interesting to see how many banks make the right one.

So far, at least, Equifax’s response has been woefully inadequate. For whatever reason, the credit bureau was slow to identify the breach and inexplicably slow to disclose it. Further, it is likely that its clients heard about the breach at the same time as the public. While the company did set up an online portal ostensibly to allow customers to determine if they had been impacted, the site appears to be unreliable. For example, a number of publications have reported that when false names and random Social Security numbers (last six digits only) are entered the system often produces a positive response.

And the fun doesn’t stop there. Once customers are notified that their personal information may have been compromised, they are invited to enroll in Equifax’s proprietary ID protection program. Equifax is not charging for this service for a period of time. But the company was immediately criticized for forcing mandatory arbitration agreements on those enrolling in the service, which seemed to eliminate consumers’ ability to file class actions. (Equifax said Friday that customers were not giving up their right to sue.)

Is this how you want your customers treated?

Unfortunately, banks have dealt with numerous data breaches, both intrusions of their own systems and breaches of retailers that led to customers’ credit or debit cards being compromised. Most banks have developed proven processes to identify impacted customers, monitor accounts and issue new cards as necessary. While customers find these breaches annoying and inconvenient, they generally trust the bank to do the right thing and protect them from fraudulent usage.

Banks need to do whatever they can to provide that peace of mind once again with the Equifax breach. Has Equifax been forthcoming in providing the information you need to communicate with your customers? If not, why not? Is it too hard for Equifax to identify the banks with which a consumer has a loan and whether or not that customer’s information has been compromised? That seems like a simple task for a company that is, at its core, an information management company. In fact, the credit agencies really only have one job — to manage (collect, maintain, protect and report) the highly sensitive information banks give them.

Banks are faced with many risks that can damage the company’s reputation — most of which are self-inflicted and, therefore, controllable. But the Equifax breach, even though banks were not directly targeted, is no different. In order not only to protect, but importantly, to enhance the bank’s reputation and brand, it is incumbent on management to immediately take control of this situation. They should not just defer responsibility to Equifax, which does not care about banks’ reputation, and certainly has not shown that it cares about your customers.

Banks should demand that Equifax quickly provide the customer information that financial institutions need to assess potential customer impact, develop a proactive and timely customer communication program, and offer quality services to help protect their customers as fully as possible. Banks that take a leadership role in the response now will position themselves as true customer advocates.

Rolland Johannsen

Rolland Johannsen

Rolland Johannsen is senior consulting associate at the Capital Performance Group.

BankThink submission guidelines

Want to contribute to BankThink, American Banker's platform for informed opinion about the ideas, trends and events reshaping financial services? View our detailed submission criteria and instructions.