Like 142.9+ million other U.S. consumers, my data was stolen from Equifax’s computers recently. Having been the (thankfully brief) victim of identify theft years ago, I can only hope that we all don’t suffer too much from Equifax’s carelessness with our data. As so many other commentators have noted, they have only one job to do, and they failed miserably and spectacularly at it in July. Yet the more I thought about the breach, the more I began to wonder why we even need the Credit Reporting Agencies (CRAs) in 2017?
Credit agencies were invented back in the 1800’s to solve the Industrial Age version of an ancient problem: knowing who was, or was not, a good borrower. Equifax itself was founded in 1899 under the name of the Retail Credit Company. RCC expanded and by the 1960’s it had data on millions of Americans. RCC (which became Equifax in 1975), was joined by TransUnion in 1969 and then Experian in 1980.
Back in the 1800’s when credit worthiness lists were first invented, the need was clear and a centralized database of credit scores made sense. Ditto for the 20th century. But today the central risk assessment is not just antiquated and pointless, it’s also dangerous and costly to the economy and society, as we have just been reminded. The CRA system should be replaced by an opt-in model, wherein individuals set up their own credit self-scoring system to which companies submit monthly credit data. In this model, the consumer chooses to whom that data is made available. Through the creation of such a platform – which I call the Individual Consumer Accreditation Network or ICAN – consumers would be rewarded for keeping complete and accurate credit data. Anyone who maintained shoddy or incomplete information, or no information at all, would be considered a higher credit risk and pay higher borrowing costs accordingly.
The ICAN idea, moreover, is not just a reaction to what happened at Equifax. There is a thread of research underway that looks at the rise of so-called “digital regulators.” A digital regulator is, more or less, a technical platform that either complements or replaces a function that could be played by a formal regulatory body. A good example of a digital regulator is Airbnb, which aggregates the condition of apartments and homes on its platform. In past times, a traveler depended on hotel safety inspectors to assure that a property was safe to inhabit. With Airbnb, that inspection/regulation function is embedded in the platform, and travelers depend on a combination of self-reporting and user feedback to provide an accurate sense of the safety and cleanliness of potential rental space.
The rise of digital regulators was the topic of a recent Duke Law Journal article by Rory Van Loo (Associate Professor, Boston University School of Law). In his piece, the author notes another case similar to the Airbnb model:
Renters, for example, used to have almost no information about landlords in New York City, which left them “with little confidence that the leaky faucet [would] be fixed or the roaches [would] be vanquished.” Following city agencies’ release of complaints and violations online, however, a start-up called Rentlogic built an online searchable database consolidating landlord records and building ratings. Rather than issuing top-down rules prohibiting landlord conduct, an agency may accomplish similar goals by releasing machine- readable data. Citizens can choose to carry on as before, but the increased visibility may give the market a better chance to discipline problematic behavior.
Van Loo goes on to predict that with the increasing movement of personal data to and from companies and intermediate platforms, the regulatory mechanisms that govern modern commerce, which are overwhelmingly modeled on the Industrial Age paradigm, seem increasingly out of touch with current technologies:
…the problems created by data-driven consumer products range far, including the threat of fake news to the democratic process and life-or-death decisions made by driverless cars. Expanding the regulatory mandate of an existing agency, most practically the FTC, would improve the institutional landscape. For a broader solution, ideas such as a Federal Search Commission and Federal Robotics Agency could be combined into a technology meta-agency that provides oversight, rulemaking, and technical updates for an inevitably digital administrative state.
Van Loo is correct on this point, and new AI-age regulatory models are starting to be debated in the academic community. I think we need to include self-regulatory platforms within this field of analysis. We should also recognize that, whenever possible, self-regulatory models are preferable to centralized, oligopolistic models such as the one that has evolved in consumer credit. There is no need to have any private company manage our credit histories, and I hope that the new generation of credit advisory sites such as credit karma and Intuit’s mint will be the logical next step and create platforms that allow individuals to self-monitor and self-report credit.
I read somewhere that this latest data breach is a “game changer” for the CRAs. I hope it’s not just different but fatal. Their callousness and carelessness have caused them to forfeit their social license to operate. Technology was probably going to replace them anyway, and new ways of measuring risk are in any case coming to the fore, as a recent Bloomberg piece noted:
The bureaus are well-established, multi-billion-dollar enterprises, but there are startups trying to make them obsolete. For example, Petal is a New York-based fintech firm that uses data science — and not a credit score — to analyze consumer information and issue credit cards. Credit bureaus “are a system that worked for a long time prior to the technology that is in the market now,” said Amy Walraven, chief analytics officer of Turnkey Risk Solutions, which helps banks combat fraud. The Equifax breach is “a call to action to look at how people do business and what is a better model going forward.”
The bureaus are obsolete, and we need not a “better” model but a different one. It’s time to hurry the CRA-replacement process along. Indeed, back in 2015 I wrote a post about how we now need to manage not just our physical self but also our digital version. We have been complacent in outsourcing that process to not just Equifax but also to Google, Facebook and others. This needs to change. The control of our credit information – and indeed most if not all of our personal and hyper-personal information – belongs not on the anonymous servers of governments and corporations but in the hands of you and me.