There has been no shortage of comments on the U.S. credit reporting system following the recent announcement that criminals attacked Equifax, one of the three credit bureaus. While unfortunate, this is not a failing of the credit reporting system--it was a criminal hack of one company and the files of 145 million people.
As policymakers, the media and the credit industry gather the facts and decide what action to take to ensure accountability for this cybercrime, we should be careful to not dismantle a credit reporting system that works. Instead, our focus should first be on helping those who have been impacted and bringing the criminals responsible to justice.
As Americans, we have a truly national credit system. If you have good credit, you can move from Queens, N.Y., to Irvine, Calif., and without knowing a soul, drive a car off a dealership lot or take delivery of a refrigerator minutes after walking into a Big Box store. That’s no accident. Consumer access to fair and affordable instant credit is the result of thousands of companies reporting data to a credit bureau to learn how you--you personally--handle credit.
Many consumers, or at least their parents, can remember when instant credit wasn’t so widely available, and decisions were often made behind closed doors based on factors that gave some an unfair advantage. The benefits of the current system and compiling robust credit profiles not only help you as the consumer, but they help the economy. These practices and policies give equal access to more people and make the system much more fair.
The result? Our credit reporting system has led to the most accessible credit system in the world, and consumers benefit from it every single day. And credit bureaus make that happen.
Today, credit reporting agencies (CRAs) are regulated by federal and state laws that require rigorous information security safeguards. It’s important to understand this regulation, because there is a great deal of misinformation flowing right now. The federal Fair Credit Reporting Act (FCRA) and Gramm-Leach-Bliley Act (GLBA) are federal financial services laws that were passed by bipartisan majorities in Congress. These laws require credit bureaus as both “credit reporting agencies” and “financial institutions” to ensure the security and confidentiality of the information they maintain.
For companies that aren't banks or credit unions--like CRAs--the GLBA is enforced by the FTC through its Safeguards Rule. The Safeguards Rule mirrors the requirements of banks and credit unions and the FTC enforces those rules on credit bureaus. CRAs are also regulated at the federal, state and municipal levels by laws that are enforced by the CFPB, state attorneys general and others. It is just not correct to say credit reporting agencies have no regulation.
Financial institutions and other companies defend against cyber threats every day. We recognize the great amount of sensitive information we hold, and that the public trusts we are using that data for good. That is why security is, and will remain, a top priority for our industry.
It’s time for policy makers and the media to focus their attention on cybersecurity and not on trying to dismantle an effective credit reporting system. This was a crime. A crime that is occurring with alarming frequency across all sectors – no one is immune. It is time for Congress and the Executive Branch to take the scourge of cybercrime and criminal hacking seriously, and to dedicate real resources to eradicate it.
Francis Creighton is president and CEO of the Consumer Data Industry Association.