using your face as the password to prove your identity.”
Such technology solutions can produce good outcomes, but they can also lead to some of the downsides consumers now resent about traditional credit agencies, says professor R.A. Farrokhnia, a member of Columbia University’s business and engineering faculty, and executive director of Advanced Projects and Applied Research in Fintech at Columbia.
Just as the credit agencies sweep up our financial information without our permission, new technologies can monitor personal behaviors such as our Internet search histories, which have also been proposed as possible indicators of creditworthiness—or a lack of it, Farrokhnia says.
Government response
Ackerman sees regulatory actions by governments as one of the important ingredients in re-engineering the credit reporting industry for the 21st century. That also goes for other sectors responsible for safeguarding the valuable data of individuals, in his book. He admires the EU General Data Protection Regulation (GDPR) data privacy scheme that will be enforced starting in May 2018. It will impose substantial penalties on companies that fail to safeguard the data of EU residents, no matter where the company is located.
Multiple functions of credit bureaus
Ackerman and others see problems worth solving due to the array of different roles filled by credit bureaus. The primary function of the agencies is to help banks and other lenders to determine whether a borrower is creditworthy; these entities report back to the credit bureau on each consumer’s track record of repayment.
The credit agencies also offer services to consumers, by helping them correct inaccuracies in their credit reports. But Ackerman sees these efforts as half-hearted.
“Their interest in our privacy and security and accuracy of information is lip service,” Ackerman says. “They care only if [an inaccuracy] reduces the value of information they’re selling. They collect your information without your permission, and they only work with you in response to regulatory pressure.”
As an investor, Ackerman says he’s been talking to colleagues for some years now about possible business models for an independent company that would protect consumer privacy and identity.
“I think there’s an opportunity,” he says. “More than an opportunity; there’s a need.”
University of Houston professors Conklin and Bronk think regulators should peel away another of the multiple functions of the credit bureaus: they sell the sensitive financial information of consumers to marketers.
“Lawmakers should consider investigating and possibly banning data brokering by the credit bureaus,” the professors suggest. “It is one thing for credit bureaus to inform lending establishments of consumer creditworthiness, but another for them to serve as behind the scenes marketing intelligence firms. So long as these companies cannot protect their data resources, they will harm U.S. consumers, financial institutions, and government through the countless cases of identity theft that incidents like the Equifax breach enable.”
Currently, U.S. government regulations applying to credit agencies are scanty, as detailed by the New York Times.
Farrokhnia, the fintech expert at Columbia, says the chance of a U.S. regulatory overhaul of the credit reporting industry may be slim, given the many distractions on the political scene and the current administration’s inclination to reduce regulation rather than expand it. Even so, the Federal Trade Commission has announced that it is investigating the Equifax hack, Reuters reported. Pressure is coming from other government sources, including investigations and lawsuits by state attorneys general. Class action law firms are lining up to sue Equifax on behalf of consumers.
Equifax’s management of the crisis is adding to public outrage. It delayed announcing the cyberattack after discovering it, and during that delay, company executives sold some of their share holdings. Equifax offered consumers free credit monitoring for a year, but at first made it a condition that they give up their right to sue the company for damages due to the data breach. Equifax later removed that condition under pressure.
The fallout from the huge breach could end up imposing substantial costs not only on Equifax, but also on most businesses, according to a report by the financial institution UBS.
“Major high profile attacks involving consumer data, like this Equifax incident, tend to lead to reevaluation of industry wide security practices and the architecture of digital security,” according to the UBS report. The result could be higher spending not only on cybersecurity measures, but also on insurance to cover the potentially devastating financial impact of a cyberattack, UBS stated. Citing a Gartner report, UBS says global cybersecurity spending could grow to $170 billion by 2020.
“I can tell you, the cybersecurity budgets for Experian and TransUnion are now unlimited,” Ackerman says.
Xconomy’s Texas editor Angela Shah contributed to this story.
