Equifax’s Big Little Fine

SMITH BRAIN TRUST – “It’s a lot of money,” says Maryland Smith’s Clifford Rossi, of the nearly $700 million that credit reporting giant Equifax has agreed to pay over a massive data breach it disclosed two years ago.

But far more needs to be done, adds Rossi, Executive-in-Residence and Professor of the Practice at the University of Maryland’s Robert H. Smith School of Business.

“That’s a big number for a company the size of Equifax. That’s almost a bank-like settlement, so they got slapped on the wrist pretty hard,” he says.

Still, he adds, little appears to have changed at Equifax in the nearly two years since the company disclosed the catastrophic breach that exposed the names, addresses, social security numbers and other data of some 146 million consumers.

“Take a look at Equifax’s website, and look at their board and senior leadership. You still won’t see anyone with a title of risk anything,” says Rossi, who before coming to Smith served as chief risk officer for Citigroup’s Consumer Lending Group. There’s no chief risk officer, or CRO. Neither is there a chief information security officer, or CISO, “a standard position at all the big banks these days for exactly these reasons.”

The credit reporting giants – Equifax, Experian and TransUnion – are “universally important” to the financial services industry, he says, but still face little regulatory oversight. “And as a result, we are all at their mercy. We are taking for granted that they know what they’re doing. And there’s no guarantee, as we saw with that breach, that they have good practices in place to prevent what happened.”

Rossi has also been calling for a holistic review of government oversight of the financial sector and the non-bank entities, or shadow banks, growing up around it.

There are worries, he says. Facebook’s proposed Libra cybercurrency is among the newest. There’s also the ongoing proliferation of nonbank financial institutions now dominating the origination and servicing of the mortgage industry, the boom in financial technology, or fintech, companies. “There is a transformation that is going on in financial services that our regulatory frameworks are not well-suited to handle going forward. Banks are also not in as good a position to really compete effectively at this point. So I do see a lot of change happening fast and our regulatory environment and our laws are kind of behind the times.”

Rossi is not “a big regulation person.”

“But my perspective is that if you are a significant provider of services to the financial sector, or a digital currency, or a fintech company, or a nonbank that provides mortgage origination or servicing, you are going to have to agree to be regulated in a significant way,” Rossi says.

There was one encouraging sign, he says, included in the settlement released this week. It’s a requirement that Equifax research methods of identity verification that do not include Social Security numbers, perhaps relying instead on digital voice prints. It’s a recommendation that Rossi says is long overdue.