
OWI Labs op-ed: Equifax is just the beginning

September 22, 2017

The OWI Labs op-ed series breaks down the latest news with an inside look at the identity industry dynamics our team of experts is following. This week, OWI Principal Analyst Kaelyn Lowmaster looks at what’s next for credit scoring and your digital reputation post-Equifax.

The two weeks since the massive Equifax hack was announced have given us a terrifyingly perfect case study in how not to handle personal data.

First, the breach itself was unprecedented both in terms of size and scope, affecting more than 143 million Americans (plus as many as 100,000 Canadians and 400,000 UK citizens) and disclosing social security numbers, credit card information, addresses, birthdates, and driver’s license numbers, among other personal information.

Then there was the aftermath. The site Equifax had set up to address customer concerns first didn’t work for many, then channeled people toward enrolling in the company’s own credit monitoring service (with no promises to “fix” any damage done), and initially made concerned customers waive their right to join a class action lawsuit. Proactive customers looking to shield themselves from identity theft by instituting a credit freeze were given laughably insecure PINs. Equifax’s own post-breach announcements directed customers to a phishing site. Last week it was reported that a patch for the vulnerability that led to the breach was available for several months beforehand; Equifax just didn’t use it. The DOJ, CFPB, and Congress are investigating. Multiple lawsuits are in the works.

But that doesn’t mean we should throw up our hands in despair and start pouring assets into gold bullion and canned goods. This is a good opportunity to take stock of how our personal data is used to build credit ratings and the amount of work it will take to get regulation in this space right.

The Equifax hack is especially troubling because traditional credit bureaus are, at least in the U.S. market, some of the most trusted custodians of personally identifiable information. The data they receive is our most sensitive and empirically valuable – including SSNs, financial history, and credit account information. The reports credit bureaus produce are also leveraged in the most critical transactions in our lives, from taking out a mortgage to applying for jobs.

That level of impact has led to a robust, if imperfect, regulatory framework surrounding what data credit bureaus can receive and the use cases to which that data can be applied. This means that even though we won’t likely know the extent of damage from the Equifax hack for some time, impacted customers whose personal information is inaccurate, misused, or stolen have at least some degree of legal recourse.

But traditional credit reporting agencies like Equifax aren’t the only ones collecting data on you for the purposes of credit scoring, or more broadly evaluating your digital reputation. A new generation of “alternative” trust scoring players has emerged over the past several years, leveraging advanced predictive modeling that can rate your digital reputation based on a wide variety of information. For example, PRBC records non-credit payment data, Tala relies on cell phone usage metrics, and EFL Global analyzes psychometrics. Even the most unstructured data can be correlated into highly accurate risk profiles.

To a large extent, this new market for alternative data in credit scoring is a welcome development. It moves beyond traditional credit bureaus’ focus on formal credit history, and so can cover larger populations, giving formerly “unscorable” customers a new avenue for inclusion in the formal financial system. The CFPB estimates that 45 million Americans are excluded by traditional credit scoring methods, so there’s a clear need to fill that gap.

However, as more data points and a greater variety of personal data types are included in digital reputation assessments, consumers are less likely to understand what information is being collected and how it’s being used.

This new frontier of digital reputation scoring is also a huge blind spot for regulators, who (at least in the U.S.) have not developed significant consumer data protection laws covering alternative credit score data. The line between “data broker” and “credit reporting agency” has become increasingly blurred, leading to sporadic and inconsistent enforcement. The regulatory structures designed to protect the legacy credit score process – particularly the Fair Credit Reporting Act – were not constructed to accommodate this new era of massive data collection, leaving consumers even more vulnerable.

Moving forward, the Equifax attack could be a turning point in terms of customer awareness of the value of our data. At least one bill has already been proposed since the breach to reform the ways in which our credit reports can be used, and given the widespread impact of this breach, we’ll probably see more.

Patching the leaks in traditional credit scoring won’t be enough, though. The credit rating ecosystem has expanded such that Equifax and its peers, Experian and TransUnion, are just the tip of the iceberg when it comes to building credit scores with consumer identity data. An effective regulatory regime will have to address the new wave of non-traditional data brokers and scoring providers in order to actually protect consumers, and we’re likely to see more missteps than successes in the near term.

For more information and analysis on personal identity data in credit scoring, see the OWI Labs intelligence report Bad Credit? No Credit? Big Identity Problem, which includes a proprietary framework for understanding the credit and trust scoring ecosystem based around identity data. The report enables investors and entrepreneurs to gauge market opportunities and potential challenges emerging in the broad and dynamic credit scoring and trust assessment landscape.