C R E D I T B U R E A U S R E S P O N D
The FCRA has been on the books for more than decade—and it’s been updated and modified on a regular basis to reflect changes in the credit and financial services industries. But no amount of regulation— however well intended—has the same effect as a
change in market conditions
.
For years, the industry refused to sell scores to consumers, saying officially that they would be mis-construed. (But, in fact, they didn’t want to shift
their focus away from their paying customers—banks
and lenders.)
The consolidation among banks and other financial institutions that followed the GLB Act in the early 2000s has brought attention to the critical role that credit bureaus (CRAs, in the jargon of the law) play in financial services. As a result, the CRAs have started to adjust their businesses to
serve end-users
more directly.
Starting in late 2002, the companies that sell credit information to lenders began various
campaigns to
convince consumers
to buy their services.
In early 2003, Experian (which began its corporate life as part of the conglomerate TRW—and the reason that some people refer to their credit rating as their “TRW”) began providing consumers with their scores on a monthly basis, so they could monitor changes. Experian also launched an “optimizer” ser-1 5 7
B A N K S A N D C R E D I T B U R E A U S
vice that would tell consumers the specific ways they could boost their individual credit ratings.
In the fall of 2002, Equifax, Inc.—the oldest and, generally considered, the largest credit bureau—and ChoicePoint Inc., an affiliated writer of scoring formulas, began selling consumers’ insurance scores.
Equifax also sold credit reports and credit scores to individuals.
TransUnion—by most accounts, the smallest of the big three credit bureaus—followed the other two bureaus and announced that it would sell individual credit reports combined with credit scores produced by Fair, Isaac & Co. for $12.95—or in a $38.85 package that let consumers review their data four times in a year.
Frankly, the CRAs hope to
tap into anxieties of
people
who worry about ID theft. Of course, they explain their efforts differently. In the press releases and for public consumption, the CRAs talk a lot about how “consumer education” is the best tool for combating ID theft.
But some consumer advocates are skeptical. John and Mary Elizabeth Stevens are two such vocal consumer advocates. They’ve written: Identity theft is only possible with the full cooperation of three major participants: the impostor, the creditor and the credit bureau.
All are co-conspirators and equally guilty of identity theft. …The perpetuation of identity theft has created a new product line for the
1 5 8
C H A P T E R 7
credit bureaus, which now sell services alert-ing cardholders to significant changes on their credit reports.
Not surprisingly, the credit bureaus take great offense to the notion that they are complicit in the boom in ID theft during the late 1990s and early 2000s. But their complicity may not have been direct…or inten-tional.
The fact is that the credit bureaus have the computer files of personal financial information that every ID
thief seeks. And all of the major ID theft cases that have come to light in the U.S. during the 1990s and 2000s have involved—to some degree and, in some cases, indirectly—
information taken from credit
bureau files
.
Again, assuming the perspective of a disinterested economist, the inefficiencies created by the CRAs’
primary customer/end user split and their general restriction of access to information contributed to a marketplace that didn’t respond quickly to manipulation and abuse. When a market—especially a market in information—is managed to be inefficient, it’s
ripe
for thieving
.
F A I R , I S A A C & C O .
While the big three credit bureaus take most of the scrutiny from consumer advocates and laws like the FCRA, one company has had a
huge influence over
the credit industry
but a lower regulatory and public profile—until the early 2000s.
1 5 9
B A N K S A N D C R E D I T B U R E A U S
California-based Fair, Isaac & Co.—which goes by the abbreviation FICO—writes algorithms and other mathematical formulas that convert the data in credit reports into widely-used credit scores. The company’s formulas are used nearly everywhere in the U.S.; so, FICO has had an influence over the American financial services industry that’s much larger than its relatively small corporate size. (“FICO score” has largely replaced the previously-mentioned “TRW” as short-hand for personal credit rating.)
FICO has traditionally been careful to point out that
it is not a credit bureau. It doesn’t keep files on
individual consumers. Therefore, it is unlikely to be
complicit in any specific ID theft.
But FICO has participated in the trend toward marketing its credit services to consumers. In November 2002, it launched a $69.95
credit-monitoring service
called Score Power. And it began selling its scores in a $39.95 package that included credit reports from the big three credit bureaus as part of the “consumer credit empowerment services” available at its Web site.
Subscribers would receive four Score Power reports for monitoring changes to their FICO score and their Equifax credit report. Score Power also provides Fair, Isaac’s score analysis that “provides insight into the same information lenders use, in order to help consumers improve their true credit potential over time.”
1 6 0
C H A P T E R 7
Why would a consumer pay for a credit-monitoring service from a company that doesn’t keep consumer information itself? Because FICO markets itself as the
brains behind the credit decisions
that lenders and finance companies make. And, in a highly publi-cized deal that took place in 2002, it acquired HNC
Software—which specialized in thwarting credit card fraud.
Ultimately, FICO—like the CRAs—may not care whether
consumers use their services. The consumer services
may be little more than a public relations effort to
thwart further regulatory and political hassles.
Like the credit bureaus, FICO’s real customers are
lenders and corporations
that pay for computer programs that help them sort through the customer data stored at the big three credit bureaus. About three-quarters of the company’s revenues come from
roy-alties on computer programs
. For example: It offers credit card companies better ways to highlight riskier accounts before they become delinquent. Repeated cash advances and large-balance transfers are red flags suggesting overextended credit.
The thread that holds most of FICO’s programs together is the SSN. In most cases, it’s the mechanism for searching across several databases. And this use of SSNs creates exactly the sort of information bottle-neck that makes ID theft so devastating.
1 6 1
B A N K S A N D C R E D I T B U R E A U S
C R A S C I R C L E T H E I R W A G O N S
Beginning in late 2001, a group of bills were proposed in Washington D.C. and various state capitols that would limit the ability of credit bureaus and government agencies to sell their information to private-sector marketing firms. The main mechanism for enforcing these limits would be a restriction on sharing SSNs. These bills were generally promoted as protections of privacy and against ID theft.
The credit bureaus didn’t agree. And they sent lobbyists to fight the privacy bills wherever they could.
Associated Credit Bureaus
(ACB) is an international trade association representing 500 consumer information companies that provide “fraud prevention and risk management products, credit and mortgage reports, tenant and employment screening services, check fraud and verification services and collection services.”
In November 2001 congressional testimony, the ACB’s Stuart K. Pratt said: The key to ensuring that both the government and the private sector can fully authen-ticate identifying information on applications of all types is through a
robust system of
authentication and verification technologies
. At the core of these technologies is the availability of validated consumer identification information for cross-matching purposes.
Our members’ systems are a good example of how the private sector is already integrating a range of information sources today.
1 6 2
C H A P T E R 7
Key in this integration is the freedom to develop fraud prevention products for a range of industries.
Unfortunately, for example, the current FTC
rules…seriously impinge on the use of essential consumer identifying information for non-Fair Credit Reporting Act purposes.
In fact, the rule may foreclose on any opportunity to use credit header for other types of security screening efforts, such as scanning airline passenger manifests.
The “essential consumer identifying information” included SSNs. Sharing these had a lot more to do with marketing consumer data to direct mail companies than preventing terrorist from boarding airplanes.
And sharing SSNs with direct mail companies creates a real exposure to ID theft.
The
Individual Reference Services Group
(IRSG) is a group of the leading information industry companies—including major credit bureaus—that provide services to help identify, verify identity of or locate individuals. It’s the main lobbying front for the credit industry. In May 2001 congressional testimony, the IRSG’s Ronald Plesser made the industry’s case: The members of the IRSG are committed to the responsible acquisition and use of personally identifiable information in business-to-business transactions. We do not oppose a prohibition of the public display of Social Security numbers to the public. We share the Committee’s concern about the potential misuse of SSNs for identity theft and other harmful purposes.
1 6 3
B A N K S A N D C R E D I T B U R E A U S
We do oppose legislation that would prohibit the purchase and sale of SSNs for legitimate business purposes.
In the fight against identity theft, where verifying an individual’s identity is crucial, individual reference service products are absolutely essential. Banks, credit card companies and other types of credit institutions…are all becoming increasingly plagued by fraudsters who use an existing person’s identity to illegally obtain products, services and money.
The best, and perhaps only, means of preventing this type of fraud is to crosscheck through the use of personal identifying data, often provided by individual reference services.
D O E S S E L F - R E G U L A T I O N W O R K ?
In July 2001 congressional testimony, John A. Ford— the Chief Privacy Officer at Equifax, Inc.—defended his company’s commercial use of SSNs: [T]he personally identifiable information in our consumer-reporting database is entirely separate and distinct from information contained in our marketing databases. In fact, the databases are managed by totally separate Equifax companies.
Naturally, marketers must have name and address information in order to communi-cate their offers directly to consumers. It is important to note, however, that the information included within the Equifax market-1 6 4
C H A P T E R 7
ing databases is not organized so as to be readily and easily retrievable by personal identifiers (i.e., name and address).
It is very important to emphasize that personal information obtained for marketing purposes is not used for risk assessment purposes. Marketing data is not used to make decisions about whether an individual obtains or retains a job, insurance or a government license or benefit. Instead, the information is used merely for the purpose of efficiently shaping the kinds of offers an individual receives.
[O]ur customers are prohibited from using our marketing databases for individual look-up purposes. We have always contractually prohibited our customers from using our database for this purpose. Furthermore, we have designed our system so that we have no delivery mechanism for a customer to query the database based on a name; therefore, no individual look up is offered or feasible.
Further, Equifax provides consumers with meaningful and practicable privacy protections through our compliance with a variety of self-regulatory programs providing consumer rights and redress.
Legitimate business access to relevant consumer information is critical to achieving a number of societal benefits: thwarting identity theft, locating estate heirs, witnesses, child support delinquents, debtors, missing children, organ donors,
etc.
1 6 5
B A N K S A N D C R E D I T B U R E A U S
Consumer advocates scoff at the
tactic of defending the sale of personal financial information
behind missing children and organ donors.
In the era of financial services consolidation, the ties between credit bureaus and direct marketing companies are getting closer. In fact, some credit bureaus
are
becoming
direct marketers. For example: Equifax provides consumer information to banks and lenders making credit decisions. These activities are regulated under the Fair Credit Reporting Act and dozens of state statutes. But Equifax Direct Marketing Solutions—a corporate sibling acquired in the 1990s— maintains “the largest marketing database of lifestyle and compiled data in the world.” And Equifax makes this information available to
anyone who will pay
for it
.
Does this mean Equifax is selling personal financial information like SSNs? Yes, in some cases.
Not everyone agrees that private-sector companies should be free to sell personal information that includes SSNs—even if the buyers have “legitimate business purposes.” In May 2001 congressional testimony, Marc Rotenberg—Executive Director of the Electronic Privacy Information Center—made the case against the credit bureaus’ sale of personal information: Several years ago, significant public concern was raised about information brokers that routinely buy and sell detailed personal information, including Social Security numbers. The Individual Reference Services Group was established to improve practices
1 6 6