The recent data breach at Equifax, which is believed to have impacted over 143 million U.S. consumers, set off a firestorm of discussion about how to keep credit reporting data secure. There is no simple or one-size-fits-all solution because regulatory standards and data management vary greatly throughout the world. Parts of Europe are highly regulated with credit data repositories run by the central banks, whereas the U.K. and Singapore operate much like the U.S. with private reporting agencies competing for business.
When a robust set of credit reporting agencies (CRAs) is in full operation, it helps to create a robust market for lending. While existing CRAs are beginning to explore new ideas, there is growing interest in blockchain technology that gives power back to the consumer and garners trust in the process. Several banks in Canada are currently participating in trials of blockchain technology and we expect banks in the U.S. to also jump on this bandwagon in the near future. Disruption in credit data reporting is beginning to take shape as evidenced by an uptick in transaction activity in the sector.
What can we learn from how progressive countries operate?
Leaders in credit reporting standards include Southeast Asia countries Malaysia, Singapore and Hong Kong, all of which have comprehensive databases along with strong cybersecurity standards.
Germany has been at the forefront of process improvement in the western world, by further building on the EU’s General Data Protection Regulation (GDPR) and passing their Data Protection Amendments and Implementation Act in July 2017.
The economic crises in South America in the 1980s caused many countries there to bolster their credit reporting systems to include both banks and private lenders. Today, Brazil has private and public credit reporting agencies who issue comprehensive credit histories that include positive and negative consumer information.
It’s clear that regulatory standards and treatment of consumer and business data differ widely, which makes for a complex and challenging ecosystem. Creation of a market that is properly regulated and trustworthy will generate the most consumer solutions and, in turn, drive more lending.
Partnerships shaping the industry
According to the Global Cybersecurity Index (GCI), the U.S. ranks second only to Singapore on five pillars of cybersecurity commitment—legal, technical, organizational, capacity building and cooperation. A recent uptick in M&A and partnerships in the space indicate the credit reporting agencies understand an even greater need to improve their security, but are these partnerships enough to prevent another breach like Equifax experienced?
Experian entered into several partnerships in 2017 to bolster security. In January, they signed a multi-year agreement with cybersecurity and analytics company UST Global to develop software that is in line with global standards. To combat fraud and improve cybersecurity, Experian also partnered with Daon, a biometric authentication company in March.
Prior to announcing the credit data breach, Equifax acquired ID Watchdog for $63 million. This transaction closed on August 10, 2017, and was valued at 5.6 times revenue. ID Watchdog’s technology provides identity theft protection and breach resolution to the employee benefits marketplace. These partnerships are just a few among many and indicate the growing importance that companies are placing on security in order to mitigate fraud and data breaches.
Aside from cybersecurity, other deals have focused on the need for improved analytics as CRAs and analytics companies partner to improve their predictions about consumer behavior. Collection of data is less profitable to CRAs than the analytics around that data.
New entrants to this space are nipping at the heels of incumbents, such as Dun & Bradstreet, with innovative approaches and technology. “Customer frustration with legacy data providers is building. The general technology trends of cheaper storage, faster processing and improved data management and access have allowed us to create a flexible and scalable platform,” said Jim Swift, CEO of Cortera.
Expanding the analytics and mining rich data will help with the accuracy of credit scores and ultimately the assessment of risk. The additional analytics allow for the opening of credit to ‘Credit Invisibles’ – those who are underbanked or have little to no credit history. Over the past year, financial services firms have purchased technologies and earlier stage companies at an increased pace. These deals are expected to continue, especially as newcomers develop innovative ways of analyzing consumers and businesses and underwriting becomes more efficient.
Where do we go from here?
Even the heaviest regulation of data collection can’t compete with the level of threat hackers present today. Not only did Equifax wait too long to reveal their breach, but they also weren’t well prepared for the consequences and backlash from consumers and the government.
If data breaches are inevitable, government mandates could be put in place to require credit reporting agencies to immediately disclose when a breach has occurred. Beginning in May 2018, the EU will enforce a new General Data Protection Regulation that requires companies to notify the government within 72 hours of discovering a breach. By contrast, there is currently no such legislation in the U.S.
Recent investment activity into blockchain decentralized efforts makes it harder for breaches to occur because there is no single failure point. Civic Technologies, founded in 2015, has raised $2.75 million to date to build a platform that uses a decentralized authentication model. SecureKey, which is tackling identify verification using blockchain technologies, raised $27 million CDN from a consortium of Canadian banks in 2016.
The advent of blockchain technology may prove to be disruptive to traditional CRAs by decentralizing data aggregation and allowing consumers to take ownership of their data through a personalized wallet they could share with prospective lenders. This concept would allow individuals and businesses to store their data on their own devices and efficiently share that data with anyone who needs to review or validate it.
Two large CRAs, TransUnion and Equifax, have joined in a trial with many of Canada’s largest banks to use blockchain technology for identity verification. The trial network maintains transaction records and confidential data is shared with parties only when the consumer authorizes a release of information.
A more efficient ecosystem for credit data a is on the horizon, led by new innovative technologies and startups. The most likely result will be a combination of a centralized and decentralized system, which will force existing centralized systems to operate in a more transparent manner. As long as security is strong, we anticipate a robust ecosystem could thrive as trust builds. However, we are many years away from an ideal credit reporting system.