Can we fire Equifax?
On Sept 7th 2017, Equifax, one of the largest Credit Reporting Agencies (CRA’s) in the world, reported that it had suffered a hack and lost sensitive information for 143 million Americans. The company has suggested that consumers sign up for identity protection and credit monitoring services.
TL;DR: We might not need the CRA’s. It might be time to disrupt them with a blockchain-based credit reputation system and put ourselves on a robust path where identity hacking becomes an issue of the past.
Who are the Credit Reporting Agencies and what do they do?
You may have never heard of Equifax or Credit Reporting Agencies (CRA’s), but rest assured they have not only heard of you, but have likely been collecting a treasure trove of information about your activities. CRA’s collect information about you from financial institutions, the government, or semi-government agencies, without your direct involvement. This allows them to build up several “reputation” reports or scores about you, the most popular being the “credit report” and its associated credit score. Various entities you interact with will often purchase this information to determine if they want to do business with you (e.g., lenders and employers) or whether they should even market products or solutions to you.
What is Wrong?
Equifax can trace its history all the way back to 1899. There is a very real need for reputation data on a counterparty (a potential or current customer) that the CRA’s satisfy. This helps a business determine if it wants to engage and do business with a customer and, if so, at what price point. The problem is that the CRA’s continue to employ a method very similar to the one they used when they started back in 1899. That is, they “collect and centralize all the data about the consumer” for easy consumption by businesses. Before the Fair Credit Reporting Act (FCRA) was passed in 1970, this data could be used by whoever was willing to pay for it. However, through the FCRA, Congress defined appropriate use for the data and attempted to resolve this problem universally.
However a few key issues remain:
1. Centralization Risk
By collecting all the information about all users in one central location, the CRA’s have painted a giant target on their back. If a breach did occur, the chance of losing information (over one billion people’s¹) is exorbitant.
2. Commingling Reputation with Identity
All tracked information is directly associated with common identifying markers, such as driver’s license and Social Security numbers. This makes it straightforward to associate reputation data with an identity. It also makes it easy for hackers to steal identity in the process of gaining access to reputation information.
3. Lack of Control for Consumers
Access to a consumer’s reputation data is NOT controlled by the consumer; instead it is controlled and used through the CRA’s with a marginal amount of consumer involvement. Due to this, each of the CRA’s has been the subject of lawsuits related to usage of their information, eventually leading to the passage of the aforementioned FCRA. Congress has had to amend the act to cover new abuses several times in the 1990s and most recently in 2003. The focus of the FCRA is to promote the accuracy, fairness, and privacy of consumer information contained in the files of CRA’s. It does this by limiting the usage of consumer credit data to what it defines as approved purposes only and ensuring consumers have access to and can dispute information in their records.
Can they be fired?
According to Rohit Chopra, a former assistant director at the Consumer Financial Protection Bureau and now a senior fellow at the Consumer Federation of America, the CRA’s are central to the financial system. The only solution is for the government to further regulate them and ensure they have the right protections in place. Is Equifax really too big to fail?²
The solution might be a movement away from a centralized “trusted” agency model and to a model where trust is embedded in a distributed reputation model, where consumers maintain their own reputations by leveraging blockchain technology.
Utilizing the Blockchain
Public distributed ledger technology such as the blockchain disrupts the need for a centralized trust agency. In the past, the only way to collect data was the way Equifax did, storing it all together in a centralized database and allowing businesses access to the dataset for a fee.
With the blockchain this could be done in a much safer and more efficient way. Reputation-relevant records would be recorded directly into the blockchain by the institution that the individual has historically conducted business with. This would be done in a private, secure and immutable manner, and each record would be signed by the publisher. If an individual felt that a reputation record was not valid, they could easily record their dispute instantly on the blockchain. Each of these reputation records would be encrypted with a key that only the consumer would have. Therefore, even if a hacker were to obtain a key, they would only be able to break into that consumer’s account, thereby avoiding any major exploits that CRA’s like Equifax face.
In addition, businesses would need permission from the consumer to access the data. If the consumer elects not to provide access to their reputation history, the business in question could choose not to do business with them. The consumer could not modify the records on the blockchain or keep certain credit records from a potential business provider due to the immutable nature of the ledger technology. This would effectively move the control over sensitive data back into the consumer’s hands, without a business having to trust the consumer.
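An added sketch (not from the original article or any existing system) of the flow in the two paragraphs above: a lender encrypts each record to the consumer's public key and signs it, the consumer releases per-record keys, and a business rejects a history that was altered or partly withheld. It assumes Node.js's built-in crypto module, an in-memory array standing in for the blockchain, and hypothetical names publish, disclose and audit; the sample records are constructed.

```javascript
// Added illustration. publish/disclose/audit and the sample records are hypothetical.
const crypto = require("crypto");
const digest = (...parts) => parts.reduce((h, p) => h.update(p), crypto.createHash("sha256")).digest();
// Per-record AES-256 key: X25519 shared secret run through HKDF.
const recordKey = (priv, pub) => Buffer.from(crypto.hkdfSync(
  "sha256", crypto.diffieHellman({ privateKey: priv, publicKey: pub }), "", "record", 32));

// Lender: encrypt to the consumer's public key, sign, chain to the previous entry.
function publish(ledger, lenderPriv, consumerPub, record) {
  const eph = crypto.generateKeyPairSync("x25519"); // fresh key pair per record
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", recordKey(eph.privateKey, consumerPub), iv);
  const ct = Buffer.concat([c.update(JSON.stringify(record)), c.final()]);
  const e = { ephPub: eph.publicKey.export({ type: "spki", format: "der" }), iv, ct, tag: c.getAuthTag() };
  e.sig = crypto.sign(null, Buffer.concat([e.ephPub, iv, ct, e.tag]), lenderPriv);
  e.prev = ledger.length ? ledger[ledger.length - 1].hash : Buffer.alloc(32);
  e.hash = digest(e.prev, e.ephPub, iv, ct, e.tag, e.sig);
  ledger.push(e);
}

// Consumer: release one key per record; the long-term private key is never shared.
const disclose = (ledger, consumerPriv) => ledger.map((e) => recordKey(consumerPriv,
  crypto.createPublicKey({ key: e.ephPub, format: "der", type: "spki" })));

// Business: check chain and signature, and refuse a history with any record withheld.
function audit(ledger, lenderPub, keys) {
  let prev = Buffer.alloc(32);
  return ledger.map((e, i) => {
    const body = Buffer.concat([e.ephPub, e.iv, e.ct, e.tag]);
    if (!e.prev.equals(prev) || !digest(prev, body, e.sig).equals(e.hash)) throw new Error(`entry ${i}: chain broken`);
    if (!crypto.verify(null, body, lenderPub, e.sig)) throw new Error(`entry ${i}: bad signature`);
    if (!keys[i]) throw new Error(`entry ${i}: withheld`);
    const d = crypto.createDecipheriv("aes-256-gcm", keys[i], e.iv);
    d.setAuthTag(e.tag);
    prev = e.hash;
    return JSON.parse(Buffer.concat([d.update(e.ct), d.final()]).toString());
  });
}

// Constructed sample run: two records published, fully disclosed, then audited.
function demo() {
  const lender = crypto.generateKeyPairSync("ed25519");
  const consumer = crypto.generateKeyPairSync("x25519");
  const ledger = [];
  publish(ledger, lender.privateKey, consumer.publicKey, { account: "loan-1", event: "opened" });
  publish(ledger, lender.privateKey, consumer.publicKey, { account: "loan-1", event: "late payment" });
  return audit(ledger, lender.publicKey, disclose(ledger, consumer.privateKey));
}
console.log(demo());
```

Because every record gets its own ephemeral key, a leaked per-record key exposes one entry, and a stolen consumer private key exposes one consumer's history rather than a whole database.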
Furthermore, businesses would not need direct access to a consumer’s identifying markers (such as Social Security numbers); instead they could leverage an attestation-based identity system (the likes of which are already being built on the blockchain today). Since these identifiers would stay with the consumer and never be on any distributed system, the threat that hackers pose, stealing people’s identity, would become nonexistent.
Building an open credit reputation system would allow for continued innovation where other reputation-relevant events could be pushed into the system, leading to even better, more relevant credit products. An open system such as this may also make it easier to add the consumers that are currently not fully represented in the CRA system. It is widely believed that as many as 45 million consumers are unable to leverage the current credit markets or are accessing these markets at a high cost because they are not properly represented in the CRA databases.³
Trust is everything. It allows businesses and consumers to cheaply transact with one another, eliminating the costs and burdens of fraud. According to one estimate, this trust itself might be worth as much as $12.4 trillion in the U.S. economy.⁴ Making trust information easier to access, richer and cheaper will lead to greater growth for everyone.
We do not buy into the idea that the CRA’s cannot be fired. In fact, we believe it is about time we look for new and innovative solutions. Regulation has been applied to CRA’s several times over the years, and even though that was somewhat effective, it has not been able to fully address consumer control and privacy issues. The idea of compiling sensitive information in a single store has led to a system many feel is too big to fail and is always going to be a security hazard for everyone.