How to Reduce Risk from Credit Reporting Companies

The recent Congressional hearings on U.S. credit reporting companies (CRCs) put the spotlight again on a corner of the consumer credit market sorely in need of market and regulatory reform. A year-and-a-half after a data breach at Equifax exposed personal information of nearly 150 million consumers, the practices of credit reporting companies, their oversight and potential reform is finally back on the table.

Credit reporting is essentially a commodity business. That commodity is data and the CRCs found a lucrative niche for decades as information brokers that transform raw credit data into value-added credit information products for banks and other credit-granting entities. However, this model is broken - underscored by a general lack of strong risk management practices and oversight in one of the most sensitive areas for lenders and consumers alike.

CRCs have an enviable business model. They receive credit information from banks and other credit granting organizations on individuals for free, and in return sell that data and other wholesale and retail data products back to lenders and individuals.

On the surface, this business model seems hard to believe, but its roots go back before the information age and cloud computing. Decades ago, a relatively balkanized market existed for credit information exchange. Retailers and other credit grantors banded together in markets to provide each other access to their consumer credit history data, which, over time, vaulted the three large CRCs (Equifax, Experian and TransUnion) onto the national and world stage for credit reporting.

By requiring accurate reporting of consumer credit information that smaller players would have difficulty managing, the Fair Credit Reporting Act (FCRA) provided a regulatory nudge to further solidify the position of CRCs. Historically, due to a host of regulatory, technology and business-related issues, banks and other lenders did not see the direct investment in credit data and systems as having much strategic value. So, they effectively farmed those processes out to the CRCs.

Regulatory and Risk Management Inadequacies

Over time CRCs, grew in scale and scope. But, unfortunately, their risk management practices and regulatory oversight did not keep up with this growth. The FCRA designated the Federal Trade Commission with primary oversight (if you can call it that) over the CRCs. Lamentably, compared with the level of regulatory oversight in banking, the FTC's oversight of CRCs was - and is - wholly inadequate.

Although the CRCs manage some of the most important and sensitive data for millions of individuals worldwide, they operate with little rigor with respect to risk governance and industry standard risk management practices. Indeed, according to their websites and annual reports, the CRCs do not feature a chief risk officer among their top executives. Moreover, their boards lack risk committees.

The concept of risk governance, such as the “three lines of defense” doctrine, also appears to be generally lacking among the CRCs. For instance, at Equifax, among the CFO's duties are audit functions - clearly a responsibility that would call attention to any large bank with a similar CFO role. It seems only natural that in light of the Equifax data breach, any reform of the CRCs must require robust risk management practices be put in place to protect consumers.

Don't Forget about FICO

Even though it's critically important to the credit-granting process, FICO - the software vendor that provides credit scores to each of the three CRCs - is another key market participant that goes relatively unnoticed in discussions of consumer credit information reform. The developers of FICO (also known as Fair Isaac) have essentially exerted an unregulated monopoly over credit grantors for decades, and their credit scores have become ubiquitous in the market as a result. Moreover, each CRC has its own version of FICO, which adds another dimension of confusion and over-engineering into the credit process for lenders and consumers.

FICO scores are based on statistical models leveraging millions of consumers' detailed credit history information. In the years following the financial crisis, model risk management regulatory oversight and practices strengthened - but those improvements did not apply directly to FICO.

To be sure, banks perform their own testing of FICO and its variants as an input to bank consumer models; however, FICO is not required to undergo the same level of model risk management and validation as would be found, for instance, in the OCC's 2011-12 model validation guidance.

As important as they are to bank lending activities and beyond, it only seems natural that FICO and the CRCs undergo the same level of testing and oversight required by the primary industry users of their scores.

The renewed focus on CRCs by Congress offers a chance to reform how consumer credit information is managed, used and brokered. One question that needs to be asked is whether it make sense for there to be three CRCs today providing essentially the same products and data to industry and consumers. Moreover, what level of regulatory oversight is required and by what agency?

Parting Thoughts

Given the importance of consumer credit information and credit scores in lending decisions, a logical argument can be made for the CFPB becoming the primary regulator of the CRCs and FICO. Banks, meanwhile, should reevaluate the strategic value of credit data for several reasons. Breaking the CRCs' stranglehold on credit data would reduce the cost of this critical information to banks and provide more accessibility to nontraditional and existing sources of credit data, enabling banks to make better-informed credit portfolio decisions.

Today, the cost for a bank to pull updated credit attribute data for loans in their portfolio can be extremely expensive (based on what the CRCs charge for credit archive extracts), which prevents many firms from marking their credit portfolios to market on an ongoing basis.

As the primary contributors of credit, lenders and other credit grantors should establish their own CRC market utility. This would essentially “starve” the CRCs out of existence over time.

The result would be a much better outcome for lenders and consumers alike. A single credit repository coupled with a single credit score would bring greater transparency to the market, reduce costs and, most importantly, improve the risk management of the credit reporting and data management process.

Clifford Rossi (PhD) is Professor-of-the-Practice and Executive-in-Residence at the Robert H. Smith School of Business, University of Maryland, and a Principal of Chesapeake Risk Advisors, LLC. He has nearly 25 years of experience in financial risk management, having held a number of C-level positions at major banking institutions. Prior to his current posts he was the chief risk officer for Citigroup's North America Consumer Lending Division.