The Equifax breach that came to light last month compromised sensitive data for a massive portion of the U.S. population, putting 145.5 million people at the risk of identity theft.
The breach at the major credit-reporting bureau calls into question security protocols that should have been addressed and how companies disclose hacks. It also raises questions about the utility of Social Security numbers as a security feature in an age when the dark web is littered with people’s Social Security numbers and it’s only getting worse.
But bigger and more sweeping questions are emerging, as lawmakers and consumers ponder an industry that has flown under the radar until being thrust into the public view under the worst circumstances possible.
On Capitol Hill this week, a bipartisan group of lawmakers cut into Equifax’s former CEO Richard Smith. Senator Elizabeth Warren (D-MA), brought up a recent speech from Smith in which he said, “Fraud is a huge opportunity for us. It is massive growing business for us.” She then remarked, “the breach of your system has actually created more business opportunities for you.”
In this moment, Warren indirectly touched on something that people have begun to notice — the lack of incentivizing for the credit reporting industry to regulate itself.
The incentives are not in line for effectiveness
“The incentives in this industry are completely out of whack,” Warren said. She noted that consumers will have to look over their shoulders for the rest of their lives worrying about identity theft, and banks and other businesses will lose money to thieves and the cost of issuing new cards. “But Equifax will be just fine — heck, it could actually come out ahead.”
This isn’t the only failure of incentivization in the current model. According to an exhaustive report by the Federal Trade Commission in 2012, one in five people has a “potentially material error” in their credit history. Even finding these errors requires extremely proactive behavior on the part of consumers, and they are not easy to erase.
As Brookings fellow Aaron Klein noted in a recent column, the method of dealing with these errors is extremely biased against the consumer. The way it works: A consumer sees an error and advises the bureau, which reaches out to the creditor. If the creditor stands by the claim, the case is closed and the black mark stays.
For all consumers with erroneous credit reports, real money is on the line. A mistake can drive up a loan’s interest rate, and potentially add thousands of dollars to a mortgage. It also makes lending less competitive. Many larger institutions have their own systems for credit analysis and do not prompt Equifax and its competitors to improve, Klein notes.
The insouciance of creditors is truly something to behold. Klein points to an alarming study from NerdWallet that found 50% or more of all medical bills have errors in them. Often, these errors are in the hospital’s or insurance company’s favor, not yours.
Credit-buying debt collectors may likewise have no idea of the specifics of your debt, should they get it. They do not care, and often collect anyway. A 2017 report by the CFPB on issues with debt collecting found that 28% of issues arose because no debt was actually owed. Thirty-three percent of issues had an incorrect amount, and 16% of the time, it wasn’t their debt, but a family member’s.
There is no clear path forward that suggests an alternative, like say Belgium’s national credit bureau, which has no incentives at all besides providing a repository of credit information. But this unfortunate Equifax moment is an opportunity to improve the industry. Lawmakers from both sides are interested in protecting data and dealing with breaches. As Rep. Anna G. Eshoo noted when Smith came to the House for his turn to see the former CEO run the gauntlet, “You have brought Republicans and Democrats together in outrage and distress and frustration.”