SMITH BRAIN TRUST – The massive Equifax data breach has pulled the lid off the credit repository industry and now is drawing fresh scrutiny on the scarcely regulated firms that hold sway over the financial lives of millions of people. "It has opened up a Pandora's Box, for sure," says Clifford Rossi, professor of the practice in the finance department at the University of Maryland's Robert H. Smith School of Business.
What's in that Pandora's Box? Likely, additional regulatory oversight, hearings on Capitol Hill and perhaps steep fines for failing to do more to prevent a data breach that revealed the personal details of some 143 million Americans, more than half of the country's adult population.
The country's credit repository firms – namely, Equifax, Experian and TransUnion – are subject to some regulatory oversight from the Consumer Financial Protection Bureau and some state agencies. But the regulatory environment isn't nearly as intense as what major U.S. banks face, Rossi says, despite that industry's broad reach.
"By and large, the credit repository industry has remained under the regulatory radar screen," Rossi says. "And I think those days may come to an end here."
That's probably not what Equifax was hoping for. The company had been lobbying Washington for a looser regulatory environment, seeking lower limits on its legal liabilities, among other things. In fact, the matter was contained in a bill that was debated by the House Financial Services Committee the day the Equifax breach was disclosed.
Rossi says he expects Congress to be under pressure to increase the regulatory power of the CFPB, though many lawmakers had previously been seeking to curb it. He says the agency, like many of Washington's financial regulatory agencies, "is woefully lacking in the resources and expertise" it needs to protect consumers, particularly in light of today's cyber risks.
Equifax says hackers were able to steal highly sensitive information in the data breach, including social security numbers, full names, addresses, dates of birth, credit card numbers, driver's license numbers and other personal information.
"The nature of that data is so proprietary and so personal, and in many ways, so intrusive, I would say that at the very least it needs to have a heightened level of regulation on it, at least as much as what the banks have," says Rossi, a former chief risk officer for Citigroup's consumer lending unit.
Consumers are swept up into the credit repository industry with little choice in the matter, underscoring the need for public oversight of its workings. The industry, Rossi explains, serves as gatekeeper for virtually every credit transaction. "When you pull that card out of your wallet and you use it to pay for something, they are tracking it," he says.
"They are tracking every transaction you make, every manner in which you pay off that transaction – be it a mortgage, a car loan, a credit-card purchase, a personal loan, or whatever. Every financial transaction you have with an institution or a party is being tracked, and it all goes into determining how good your credit score is."
Rossi says he's often asked where the next global crisis will come from. "And I always tell them the next crisis isn't going to be a mortgage crisis," he says. The next crisis, he says, will stem from cyber risks. And each new hack is a reminder.
"This is a wake-up call for all companies out there that manage consumer credit on our behalf," says Rossi. He says it's time for data security audits at the credit repository industry's big three companies, as well as at Fair Isaac Corporation, widely known for generating its FICO scores.
He also recommends that Equifax add a chief risk officer to its senior leadership team and a risk committee to its board of directors. "Maybe it's not been the biggest focus for the company," he says. "But, you know, everybody gets religion when they are in the foxhole."
If Equifax's breach seems more ominous than the large-scale hacks that have come before it – Target's, Sony's or Yahoo's, for example – that's because it is. For the millions of people whose personal details were stolen in the unprecedented hack, the financial consequences could play out for years to come.
"People should not be lulled into thinking that they can monitor their credit for one year, and then all will be well," Rossi warns. "The hackers could hold on in the dark markets where this information is traded for a long time."