The Equifax data breach has left millions of consumers bewildered and concerned about whether they will become victims of identity theft. Why was Equifax so cavalier about protecting consumer data? And why in the wake of the data breach has it been so inept in helping consumers who are trying to protect themselves from identity theft?
The answer is simple: Equifax has no reason to care about consumers. Equifax’s customers are businesses, not consumers. Equifax competes primarily with Experian and Transunion to get business from the lenders, insurers, and employers who use credit reports. Moreover, the information Equifax gets about consumers is provided by lenders, not consumers.
Because consumers are not Equifax’s customers, Equifax has no incentive to make consumers happy. This is reflected in terms of substandard data security, rampant data inaccuracy, and poor customer service. Because you and I aren’t Equifax customers, Equifax isn’t going to lose our business if it allows data about us to be stolen. Nor is Equifax going to lose our business if the data it has about us in inaccurate or if it provides poor service in response to consumer inquires. Not surprisingly, Equifax is the second-most complained about company in the Consumer Financial Protection Bureau’s consumer complaint database, followed closely by Experian (4th) and Transunion (5th). Together almost a fifth of the complaints in the CFPB database are about these three companies.
The only way Equifax is going to treat consumers better is if it pays to do so. One way to incentivize credit bureaus to treat consumers right is to impose liability on them when they fail to do so. An after-the-fact liability system, however, is unlikely to ensure that Equifax and the other credit reporting agencies treat consumers with proper care and respect. Private litigation faces numerous legal obstacles. At best, it results in settlements, but it is doubtful that settlements will adequately incentivize Equifax to take better care with consumer data in the future or generally address data accuracy and customer service problems. The same it true regarding public enforcement actions by the CFPB, Federal Trade Commission, and state attorneys general.
The experience in the mortgage servicing market is instructive in this regard. Just as consumers don’t get to choose their credit reporting agency, so too they don’t get to choose their mortgage servicer—the firm that manages their mortgage loan, such as collecting payments and handling foreclosures. The rights to service a mortgage can and are frequently sold separately from the right to payment on the mortgage loan. Because the servicer doesn’t get its business from the consumer, it has no incentive to treat the consumer right. Rampant abuses in the mortgage servicing industry led to a landmark $25 billion settlement in 2012, but that settlement hardly fixed the underlying problems in the servicing industry, which continues to be a major source of consumer complaints to the CFPB. Neither private liability nor public enforcement will be sufficient to ensure that consumers are treated right by credit bureaus.
Instead, if we want Equifax to treat consumers and their data right, we need to harness consumer outcomes to market forces. Unfortunately, Equifax’s actual customers, the businesses that purchase credit reports are not going to penalize Equifax for failing to treat consumers fairly. It’s not that businesses that use credit reports are unaffected by the data breach: if the breach results in false accounts being opened in consumers’ names, the reliability of credit reports will decline. But the false account problem will plague Equifax and its competitors alike, so Equifax won’t be at a competitive disadvantage. Nor can creditors simply stop using credit reports. They rely on these reports directly and on the credit scoring models based the information in these reports. Our entire consumer credit economy is built on the foundation of credit reports, so creditors, insurers, and employers aren’t about to stop using credit reports any time soon, even if the reliability of the reports diminishes.
Instead, if we want to harness market forces to help consumers, we need to turn to the market Equifax really cares about: the stock market. Equifax’s executives receive stock-based compensation, and Equifax’s shareholders will demand new management if stock prices falter. A key component of those share prices is Equifax’s ability to pay out cash dividends, something it has done multiple times a year every year for the past 100 years, including as recently as August 4th, 2017.
Thus, it’s possible to tie Equifax’s stock price to consumer welfare metrics through legislation. Here’s how: Congress could restrict Equifax’s ability to pay shareholder dividends and for executive stock options to vest unless Equifax meets certain consumer performance metrics. These metrics could be things like a record of data security, a minimum accuracy threshold for credit reports, response time at call centers, etc. The details could be worked out and implemented by a regulatory agency; the key idea is to require Equifax to treat consumers right if it wants to pay out funds to shareholders or to allow its executives to cash in on stock options. Consumers would have priority over shareholders, and because Equifax cares about pleasing its shareholders, it will have to take care of consumers first. If Equifax doesn’t treat consumers right, it won’t be able to pay out dividends, so its share price will fall, which will make it more likely that investors will push for a change in management. This calculus will incentivize managers to ensure that Equifax meets its consumer performance metrics.
If this sort of regulatory regime sounds familiar, it’s because some states already do something like this for public utilities. Some public utility commissions have the power to restrict utilities from paying dividends to shareholders unless they have satisfied various consumer service metrics. The execution of public utility regulation often leaves something to be desired, but the basic logic is sound: public utilities have a monopoly over service provision, so they are not subject to normal market discipline when dealing with consumers because consumers can’t take their business elsewhere. Dividend restrictions substitute for missing market discipline by ensuring that utilities’ stock prices are tied to consumer welfare.
Credit reporting agencies present an analogous situation. Equifax and the other credit reporting agencies get their business in no small part because federal regulations, much as public utilities are granted their concession by regulation. Fair lending laws encourage the use of credit reports and credit scores by lenders because they offer a more objective measure of evaluating borrowers that is less susceptible to discriminatory action. Federal law generally requires creditors to get consumer consent before sharing their information with unaffiliated parties, but specifically excepts credit reporting, thereby ensuring that Equifax can obtain consumer data in the first place. Because of the role of federal regulation in facilitating Equifax’s business, it is hardly unreasonable for Congress to condition Equifax’s receipt of these benefits upon putting consumers first.
Credit bureaus are an essential part of America’s economic infrastructure, just like the power company or the water company. It’s time we regulate credit bureaus in the public interest like the public utilities they are.