How US Regulators Created the Equifax Mess

One of the few stories that has managed to compete successfully with the specter of hurricanes pounding US cities is the massive Equifax data breach. It was bad enough that 143 million individuals’ records were compromised, which, given how borrowing is distributed, almost certainly translates into more than half of the working population. To add insult to injury, Equifax knew about the hacks as of late July. Three top executives sold large chunks of their stockholdings shortly thereafter, yet are trying to maintain that they didn’t know what was going on. And when Equifax finally ‘fessed up, it compounded the damage by making consumers ask whether they were affected rather than notifying them, giving inconsistent answers, trying to get consumers to provide even more information, waive their right to a trial, and sign up for a free credit monitoring service that would incur fees if they forgot to cancel it down the road.

Equifax was also disturbingly hazy about what sort of files were compromised. Bloomberg reported today that it appeared to be, ironically, files related to the same aforementioned credit monitoring service. That means the damage is not as extensive as it could have been, since those records do not include information like previous addresses. But from an individual’s perspective, having your Social Security number, current address, and other information in the hands of hackers is more than enough for them to engage in identity fraud.

Even from watching this story on a limited basis due to being on vacation last week, it was frustrating to see gaps and misconstructions in the reporting by the mainstream media. One of the biggest is the tacit assumption that credit bureaus are a necessary feature of life with banks and the problem was letting them slip through the regulatory cracks.

While the Federal Trade Commission can impose fines on Equifax for security breaches, they have been in the wet noodle lashing category. As the New York Times pointed out last week:

Non-bank companies, like the credit bureaus, generally are scrutinized only after something has gone wrong.

Federal laws require all companies to take reasonable steps to safeguard consumer data. While the Consumer Financial Protection Bureau has some supervisory and enforcement authority over the credit bureaus, the agency generally leaves data privacy enforcement to the main regulator in charge of it, the Federal Trade Commission. And the trade commission lacks the authority to impose big fines.

Last month, the commission punished TaxSlayer, a tax preparation website, for a weak security system that allowed hackers to gain access to nearly 9,000 customer accounts. TaxSlayer agreed to strengthen its systems and undergo compliance audits. But it paid no financial penalty, because the commission has no power to levy fines for first-time violations of certain rules.

“Both in terms of resources and authority, what the F.T.C. can do clearly doesn’t measure up to the scale of the problem,” said William McGeveran, a professor at the University of Minnesota Law School who specializes in privacy law.

But the same Times story also sold the story that credit bureaus were indispensable:

“You cannot fire the three credit bureaus,” said Rohit Chopra, a former assistant director at the Consumer Financial Protection Bureau and now a senior fellow at the Consumer Federation of America. “Credit reporting agencies are the plumbing of our financial system but are much less regulated than many banks.”

This is not correct. Credit bureaus are not “too critical to fail” institutions. And it’s disingenuous to promote this impression, since if this security breach results in large-scale identity theft, Equifax could become an Arthur Andersen, done in by legal liability. It has a net worth of roughly $3 billion. It is exposed to private and government suits. Class action lawyers are already discussing multi-billion dollar litigation, although a complicating factor is that the best causes of action are likely to be under state law. On the government side, one example is that Equifax violated some states’ data breach notification laws. Vermont, a small state, is contemplating suing on behalf of more than 240,000 citizens, with penalties of up to $10,000 per violation. Reuters gives an update:

More than 30 lawsuits have been filed in the United States against Equifax Inc after the credit reporting company said thieves may have stolen personal information for 143 million Americans in one of the largest hackings ever.

At least 25 lawsuits had been filed in federal courts by Sunday, including at least one accusing the company of securities fraud, court records show.

Several more lawsuits were filed against Equifax on Monday. Many of those raising similar claims will likely be combined into a single, nationwide case….

And insurance won’t do much to help Equifax. Bloomberg reported over the weekend that Equifax’s policies would cover a mere $100 to $150 million in losses.

While it is true that it would be extremely disruptive to try to get rid of the credit bureaus quickly, it would be entirely possible to reduce their importance over time. Banks would need to take up activities that they’ve outsourced to the credit bureaus.

For instance, banks are already starting to backpedal from loans that were heavily dependent on credit bureau input. From the Wall Street Journal:

The goal of digital lending in recent years has been to make credit decisions quickly and cheaply. The Equifax Inc. data breach could force some lenders to hit the brakes.

Lenders and data providers said that in the wake of the breach announced by Equifax last week, they are evaluating procedures for confirming a potential borrower’s identity. Equifax, like other credit-reporting companies, played a big role in helping these firms verify borrowers’ identities, selling them access to a database that could quickly match up a person’s identifying information.

And notice what the alternative is:

Unlike traditional banks, which may lend to people who walk into a branch, or to customers they know well through checking accounts or other products, newer online lenders take applications from unknown people, entirely online…

Now, however, those checks could become less effective in weeding out someone putting in a loan application with a false identity.

In other words, banks used to know something about their customers! What a concept! But making things as easy as possible for borrowers has become a priority:

Dave Girouard, CEO of online lender Upstart Network Inc., said that as a rule of thumb, each additional document a company asks a borrower to produce reduces completed applications by 15%.

That’s assumed to be a Bad Thing. In fact, consumer debt is not economically productive and serves as a drag on growth. More generally, economists have taken notice of the fact that advanced economies have overly large financial sectors which also weigh down on the economy. The IMF in 2015 wrote that the optimal size of a financial sector relative to the economy was that of Poland, which is much smaller relative to its GDP than ours. The IMF noted that it might be possible to have a somewhat larger banking sector without hurting growth… if it were well regulated.

How US Regulators Promoted Credit Bureaus Without Making Them Accountable

The FDIC promoted the use of FICO scores as the basis for making consumer loans. The justification was to prevent discrimination, since if banks used local intelligence, in particular where a borrower lived, as part of their loan scoring, history suggested that they would steer away from minority borrowers.

However, as economists and other experts have pointed out, effectively requiring banks to use the same metric as their main input for lending decisions produces a monoculture that increases systemic risk. It also means that at the margin, banks have less freedom to look at additional factors to determine whether to approve or turn down a loan. The inability to make more refined judgments likely increases the cost of credit, since lenders will anticipate that cruder methods will produce higher loan losses.

I will quote liberally from a 2016 paper, Formulaic Transparency: The Hidden Cost of Mass Securitization, by Professor Amar Bhide. He describes how banks and merchants shared information about borrowers as far back as the 1700s, due to the fact that Americans even then too often would move and stiff creditors. Credit bureaus began operating in the 1800s. The industry was fragmented in part due to the fact that banking was state-chartered; by 1960, there were over 1500 credit bureaus. The industry started consolidating shortly thereafter. In parallel, Fair, Isaac and Company started developing credit scoring models. FICO launched its first standardized score in 1989 and the three dominant credit bureaus, Equifax, TransUnion, and Experian, had adopted it by 1991.

Bhide explains how regulators promoted the use of FICO scores, and with it, the role of credit bureaus:

Regulators enforcing the 1968 Fair Housing Act and the 1974 Equal Credit Opportunity Act, distinguish between “empirically derived, demonstrably and statistically sound” (EDDSS) credit scoring and “judgmental” systems; and credit scoring that meets the EDDSS standards reduces the risks of violating fair-lending laws (Skanderson and Ritter 2014 p8). However, as a Federal Deposit Insurance Corporation (FDIC) guide to staff who conduct fair lending examinations points out, statistical scoring is by itself not a “panacea.”

Discretionary overrides, the FDIC cautions, pose problems: “The more discretion bank staff is permitted in overriding a credit scoring system and the greater the number of staff with override authority, the greater the risk that the discretion will be exercised discriminatorily.” Lenders who allow front line staff to extend credit to individuals with low scores (“low side” overrides) or deny credit to individuals with high scores (“high side” overrides) therefore face more regulatory scrutiny.

Regulators also favor “generic credit history scoring models” over “customized” scoring. Generic (or what I also call “standardized”) scores, best known to US consumers as their “FICO” score, are based on samples of all records in credit bureaus and the predictive variables are limited to those contained in bureau records. Notably, an individual’s income and assets are not contained in bureau records and therefore do not affect standardized bureau scores. In contrast, regulators call scores customized if, 1) they are derived from samples of the lenders’ current or prospective customers (rather than from unbiased samples of all individuals in bureau databases); or 2) the scoring models include variables (such as income) not contained in credit bureau records (Federal Reserve 2007 Report to Congress p 8).

If a lender uses standardized bureau scores, the FDIC guide advises, “the examiner does not need to obtain more information about the scoring system.” In contrast, custom scoring models can pose fairness problems, according to the FDIC guide, because they can include “prohibited” variables or variables correlated with prohibited variables. For instance, “non-bureau” variables such as wealth and education that may improve predictions of defaults may also be correlated with race, ethnicity, sex, or age (Skanderson and Ritter 2014 p.7), so their use can require lenders to demonstrate a business justification.

Yves here. Understand what happened here. Methods of screening borrowers that would seem to be common-sensical, such as looking at their incomes, were deemed to be suspect and any bank that used them would have some ‘splaining to do to the FDIC. By contrast, banks that relied heavily on FICO scores would get a green light.

This is pure regulatory laziness. Bank regulators have the power to do proctological exams. They can also respond to consumer complaints. Giving a grossly simplified, low-information metric like FICO scores such elevated importance was neither necessary nor desirable. It was merely convenient.

Fannie and Freddie jumped on the FICO bandwagon. Bhide again:

Government Sponsored Entities (GSEs), notably Fannie Mae and Freddie Mac, that guarantee over 60% of new residential mortgages in the US (Elul 2015 p. 12) have been instrumental in making standardized bureau scores the main determinant of the creditworthiness of mortgage applicants. Until the mid-1990s, GSEs used “thick books of underwriting guidelines, stringently designed to screen for acceptable loan quality” of mortgages originated by brokers and banks. Yet, “procedural loopholes” allowed mortgage brokers to sell low-quality mortgages (Poon 2009 p 661- 663), and the costs and time required to verify applications limited the loans GSEs could securitize.

The GSEs then made a “shift from rule-based rating towards a system of score-based rating” that “marked a fundamental change in mortgage underwriting” (Poon 2009 p. 661). This shift resulted from an effort, apparently prompted by ambitious GSE expansion goals, to automate underwriting. In 1994, Fannie Mae launched the Trillion Dollar Commitment (pledging $1 trillion in targeted housing finance), supported by a “Technology to Lower Costs” initiative. The initiative aimed to cut the costs of making a mortgage by $1,000 and origination time from more than eight weeks down to five days. It also sought to improve the quality of loans by “enforcing uniform standards” and to prevent racial discrimination by “removing subjective reasoning” (McDonald et. al, 1997 p. 861).

Let us not forget that the GSEs were a public-private partnership, and meeting its growth objectives would justify higher executive pay levels. Back to the article:

Previous technology projects had “simply converted existing underwriting standards to an electronic format.” But efforts to control opportunistic mortgage brokers had made the existing rules exceedingly cumbersome, limiting the benefit of replicating them on computer systems. And, after again starting with a “purely rule-based approach” (McDonald et. al, 1997 p. 861), Fannie Mae and Freddie Mac (which had launched its own technology initiative) decided in 1995 to use a credit-scoring algorithm that would simplify, not just automate, underwriting.

The GSEs further sped up automation by relying on FICO scores, which had been designed for consumer lending, rather than develop scores to predict mortgage defaults. And, because the scores were well known, “the FICO feature of automated system design was politically useful when the software was showcased to legislators (Poon 2009 p. 663).” For instance, Freddie Mac reported to a Senate subcommittee in 1996 that its statistical tests demonstrated the “predictive power” of the score for mortgages, that the scores did not discriminate against minorities, that laws passed by Congress in previous decades provided assurance that credit files from which the scores were derived would be well maintained, and that using bureau scores would enable lenders to “expedite their reviews of borrowers’ credit profiles.” By 1997, Fannie Mae officials reported that users of its system had seen “notable streamlining of their workflow and a significant reduction in time and effort spent processing each loan” (McDonald et al 1997 p. 882). And, as cost and processing time declined, net issuance of GSE-guaranteed (“agency”) MBSs jumped from $127 billion in the first half of the 1990s to $314 billion in the second half of the decade.

In principle, the GSEs could have encouraged consideration of risks excluded from its underwriting models by offering originators with low default rates better prices ex-ante or giving them ex-post rebates. But pricing incentives would have jeopardized the growth of mortgage lending: better ex-ante pricing could have discouraged new originators (like Countrywide Financial, which grew from a two-man operation in 1969 to approximately 500 branches in 2007) while ex-post rebates would have increased administrative complexity and costs. And, as it happens, GSE prices discourage loan originators from doing more than securing GSE approval: high-volume originators get better terms, but originators whose loans have defaulted at low rates do not.

Notice the lack of any mention of the GSEs’ regulator, then the OFHEO, in this discussion.

Bhide describes how pervasive FICO has become:

Non-discretionary FICO-based evaluation of creditworthiness has become routine in the US not just in GSE guaranteed mortgages (where it is explicitly mandated) but also in student loans, car loans and credit card issuance. Card issuers in the US routinely offer credit through solicitations mailed to lists of individuals provided by credit bureaus and by law everyone on a list is made a “firm offer” (as we will see below). Some card issuers do customize models to screen applicants and set credit limits but fair lending rules encourage them to omit or dampen the influence of variables that can have “disparate impact.” Even nominally customized models therefore effectively treat standardized bureau scores as a “sufficient” statistic for assessing default risk, making the score the main determinant of borrowers’ credit limits.

Europeans, who didn’t have regulators pushing FICO, have banks doing far more information-gathering and assessment in house. As Bhide writes:

European banks that served households faced relatively few constraints on the range of their product offerings and on their geographic scope…Banks that have long operated nationally have little incentive to share information with credit bureaus, while many local and regional banks that have “sticky” multi-faceted relationships with their customers actively oppose information sharing (according to a banker I interviewed who had tried to orchestrate an expansion of bureau information…). Regulators in turn have faced less pressure from the public to promote the accuracy and comprehensiveness of bureau records since they are not widely used to extend credit.

Rather, European rules emphasize privacy, further reducing the completeness and use of credit bureau information. Where US individuals have to make an effort to “opt-out” of credit bureau lists, European rules follow “opt-in” principles. Similarly, US individuals cannot prevent their lenders from sharing personal information (including account balances, payment histories, account transactions, and credit card or other debt) with credit bureaus or prevent the bureaus from providing this data in the course of an authorized credit inquiry. European consumers have more control of information that is provided to and by credit bureaus.

Therefore, standardized credit scoring has not become popular in Europe — in spite of the efforts of the European subsidiaries of US credit bureaus to replicate the US model…

Similarly, anti-discrimination rules do not discourage customization of models or discretionary overrides. In fact, new rules to prevent banks from extending more debt to borrowers than the borrowers can be reasonably expected to repay encourage more case-by-case reviews of model scores.

And why has Bhide chosen to question the role of FICO? He concludes that standardized scoring was a boon for the growth of securitization in the US: “In securitizing small non-commercial loans, underwriters themselves restrict the information they collect about borrowers so they can tell much of the little they know.” Bhide stresses that the pattern in financial markets, of technology being used to turn products into anonymously traded commodities, is the opposite of what has occurred elsewhere, where technology has served to provide prospective buyers with more information and facilitated more exact matches between sellers’ merchandise and consumers’ appetites. Bhide again:

Exogenous technological advances did not preordain widespread reliance on standardized scores and the commoditization of consumer and mortgage credit. Like Google, Amazon, and many large European banks, US lenders could have developed algorithms that incorporate a wide range of proprietary data and match lending terms to borrower characteristics. Like college admissions staff, banks could have used Skype to interview remote loan applicants. Or, like Handelsbanken, they could have applied IT to reduce the costs and increase the effectiveness of detailed credit evaluations and the delegation of responsibilities to local lending staff. The GSEs too could have continued their initial efforts to develop rule-centered Artificial Intelligence systems to automate case-by-case underwriting.

In other words, the way the FDIC chose to implement laws against discrimination in lending resulted in the near universal use of a simple-minded credit score that is administered by credit bureaus. The FDIC had other ways to achieve this end but for reasons unknown, ignored them.

The FDIC also failed to take steps to assure the integrity of the information used in this credit scoring process, nor did it obligate banks to hold the credit bureaus to certain standards, which would have had an effect similar to that of regulating them directly. Pray tell, how good are models if the data fed into them is lousy, as regular consumer complaints and the credit bureaus’ refusal to correct errors confirm is a long-standing issue? Even Consumer Financial Protection Bureau supervision has only made some improvement in credit bureau responsiveness.

Banks could wean themselves off their heavy dependence on credit bureaus. More important, regulators should recognize that using single scores results in information loss and poorer lending decisions. But politically, readily available credit has become the antidote to stagnant real wages. You can’t promise the modern version of a chicken in every pot unless consumers can spend more. The preferred economic model since the Reagan era has been to let them borrow more rather than increase wages. The 2008 crisis showed that the US and many other advanced economies had hit the limits of that paradigm. The cost of trying to keep it on life support has been low growth, ever rising levels of income inequality, and political instability. Equifax is a tiny example of the many problems with our financial system that were papered over rather than fixed. So were it to fail under the weight of litigation, that might force some overdue changes.
