The recent Equifax hacking has exposed weaknesses in the operations of credit reporting agencies. Asian Property Review examines the issue.
In light of the massive data breach at Equifax Inc. caused by hacking, attention has turned to credit reporting agencies (CRAs) in other jurisdictions. For years, most of them have been operating with little regulatory oversight, with some not even governed by any existing laws – whether data protection or credit reporting agency legislation.
In America, Equifax is among a handful of companies that control data such as credit histories which banks rely on to determine whether consumers should get loans. On Sept 7, the company revealed that 143 million Americans’ personal information such as Social Security numbers, driver’s licence records and birth dates had been compromised. According to reports, it faces multiple state and federal investigations (including into its response to consumers’ requests to opt out or for a credit freeze), and at least one multibillion-dollar class action lawsuit.
Unlike banks, Equifax and its competitors TransUnion and Experian Plc don’t have multiple regulators constantly looking over their shoulders. The few times it got into some hot soup was when the consumer bureau accused Equifax and TransUnion of misleading consumers about credit products they had sold them. Equifax settled the case.
It goes without saying that when criminals or unauthorized persons gain access to consumer data and use it to commit identity theft, it is the banks and other lending institutions that will suffer losses. To date, even American laws have not made such CRAs responsible for losing consumer data, thus sparking calls for stricter requirements on companies’ tracking of consumer data.
In Malaysia, financial institutions rely on the Central Bank’s Central Credit Reference Information System (CCRIS) which details consumers’ borrowings, their repayment patterns, et cetera, which are supplied by financial institutions. They also access information from CTOS, the leading CRA in Malaysia.
Following the Equifax breach, Asian Property Review asked Dennis Martin, Group CEO of CTOS, whether CTOS allows credit freezes or an opt-out option for consumers worried about identity theft should a similar breach occur in Malaysia.
Says Martin: “In order to maintain the integrity of the database and ensure sound lending decisions are made, CTOS does not allow for credit freezes or an opt-out option. This ensures that people do not deliberately or unwittingly over-extend their borrowings and their ability to repay which could lead to bankruptcy. CTOS like other CRA registries is governed under the Credit Reporting Agencies (CRA) Act with a number of clearly defined requirements to ensure the integrity of the data.”
Martin further said CTOS will soon be releasing details of its new consumer fraud prevention product designed for individuals to help protect against situations such as identity theft.
FREE CREDIT FREEZE – FINALLY
At the end of September, it emerged that Equifax will offer a free credit lock/freeze service by early next year.
Equifax’s interim CEO Paulino do Rego Barros Jr. was quoted as saying: “By Jan 31, Equifax will offer a new service allowing all consumers the option of controlling access to their personal credit data. The service we are developing will let consumers easily lock and unlock access to their Equifax credit files. You will be able to do this at will. It will be reliable, safe and simple. Most significantly, the service will be offered free, for life.”
Clearly, freezing your credit data with CRAs should be the basic right of every consumer. This has been conceded by former Equifax CEO Richard Smith, who pointed out during the Senate hearing that control of their own credit information should in fact belong to the consumers themselves.
Consumers should be allowed to freeze it at any time during their lifetime, for free. If they want to apply for loans, they could unfreeze the data. Once the credit check by the credit officer is done, they could freeze it again. So, there is no danger of credit officers not having full information on the consumer’s credit history.
So, why are CRAs against it, citing the danger of consumers going bankrupt or of credit officers not having the full credit history? As explained above, there is absolutely no such danger. It could only be speculated that allowing a freeze would hit at the very foundation of the CRA’s income source.
Making all consumers’ credit information available is the major source of their income – from subscribers who sign up to avail of that information; consumers who purchase their own credit report or other services; and from third party advertisers who pay the CRA to be inserted in the dashboard of each individual consumer.
Once you let consumers freeze their credit, then it becomes harder for just about any subscriber to find out your credit history, hence, there is less value to the subscription. Then again, since consent is needed for every access, this shouldn’t be a reason for not subscribing to the service.
At present, consumers in many CRAs can’t opt out of third party advertisements in the dashboard of the CRA website. This should be allowed and there is no good reason not to allow it unless it’s for the CRA to make money out of peddling consumers’ information. Obviously, if the consumers can opt out of the advertisements, the CRAs would lose their income from the advertisers.
We cannot wait for another hacking incident to put consumers at risk of identity theft or other unauthorised disclosure. Therefore, government authorities around the world should start looking long and hard at CRAs’ operations.
And by the way, whoever controls a CRA is in control of vast amounts of information which he could sell or make use of in any way. Despite laws governing CRAs, if there is no strict monitoring or enforcement of the law, then the law is like a toothless tiger.
If anything, consumers’ credit information should only be owned and managed by the government and not by any private entity. Letting a third party company collect and sell consumer credit data for a profit is like contracting out the entire collection unit of the income tax department.
It took a massive hacking incident for a major CRA like Equifax to finally admit it’s the consumers’ right after all to control access to their own credit and they should not be charged for it. Let’s hope other CRAs follow suit to address this long-neglected issue.
In view of the gravity of compromised data, Asian Property Review recommends the following actions by the authorities:
1. To allow credit freezes by the consumer at any time, for free, for life.
2. To allow consumers to opt out from any kind of advertisements, either in the mailing list or in the dashboard within the CRA’s website.
3. Stricter enforcement of rules on the operations of CRAs, especially their data collection, security, maintenance and access.
4. As CRAs are private profit-oriented companies, to monitor for conflicts of interest e.g. owners of CRAs having sensitive information of their competitors.
5. To ensure subscriber access is strictly monitored so that only the right entities have access to consumers’ data.
6. Consumers’ specific consent must be obtained prior to each access to their data.
CONSUMER RIGHTS UNDER CRA ACT
Not many in Malaysia are aware of their rights as consumers. Here is a summary of your rights as provided under the Credit Reporting Agencies Act 2010 [Act 710].
The Credit Reporting Agencies Act 2010 aims to promote fairness, accuracy and privacy in the practice of credit reporting. CRAs collect and disclose information about you, such as failure to pay your bills or whether you have been declared a bankrupt. The Act, however, gives you certain rights as summarized below (provisions of the Act itself prevail in the event of conflict with the summary):
1. You must be informed by the CRA by way of a notice which states:
    1. that credit information is being processed by or on behalf of the credit reporting agency, together with its description;
    2. the purpose for which the information is being processed;
    3. the source of such information;
    4. how you can contact the CRA in case you have any enquiries or complaints;
    5. that you have the right to access such information and also the right to request the CRA to correct your credit information; and
    6. to whom the credit information will be disclosed.
2. Your credit information cannot be collected and used for any purpose other than what is provided under the Act.
This means that a CRA may only collect and use your credit information to prepare a credit report to assess your credit-worthiness, which includes but is not limited to any history of failure or diligence regarding payment of your bills. Your credit information cannot be used or disclosed by any CRA for purposes other than what is permitted under the Act. An example of such unauthorized activity is disclosing your credit information for direct marketing purposes. If you have information regarding the occurrence of such a practice, a complaint may be forwarded to the Registrar.
3. Your consent must be obtained before a CRA can disclose/reveal your credit information.
This means that a CRA must get your consent before they can submit your credit report to their subscribers.
4. Your credit report can only contain information according to the Act.
This means that a CRA cannot include credit information in its report, regardless of whether you have given consent or not:
    1. if the source of such credit information is not included in the report;
    2. if such credit information is regarding any pending proceedings in court, more than two years after the proceedings began, that have yet to be settled;
    3. if such credit information is regarding any default in repayment two years after the date of final settlement of the amount in default.
5. Your right to request from a credit provider information regarding reasons for unfavourable credit action
This means that if a credit provider has taken an unfavourable credit action against you, for example, rejecting your application for a loan, and that rejection was based on a credit report provided by a CRA, you then have the right to be informed of the identity of the CRA. You have the right to access the said credit report as provided by the CRA to the credit provider (which might be different from the one provided to you directly by the CRA).
6. Your right to access credit information or credit report
This means that you have the right to access your credit information or credit report from a CRA which holds or has processed your credit report. However, the CRA must verify your identity and confirm that such information is indeed in its database before complying.
7. Your right to dispute incorrect credit information
This means that if your credit report, which was disclosed to the credit provider in response to your loan application, contains incorrect information, you then have the right to challenge that credit report according to the procedures provided under the Act. You have the right to report any mistakes or misuse of credit information to the Registrar of Credit Reporting Agencies.