Why the 3 Credit Reporting Companies Are Still Standing

It has been almost two years since the massive Equifax data breach came to light. In the aftermath, the CEOs of the three major credit reporting companies (CRCs) - Equifax, Experian and TransUnion - were called to testify before the House Financial Services Committee in a public hearing.

The pressure on CRCs has been running high in the wake of the Equifax scandal and some cynics have even begun to question whether these companies still serve a purpose. A recent proposal, in fact, called for banks to develop their own credit bureau, effectively eliminating current CRCs.

Taking into account all the criticism, it would seem only a matter of time before the current CRC model is reconstructed. However, no major shift of the CRC business model or the market structure has taken place in the past two years. Nor will it happen in the foreseeable future.

This is because the current CRC business model is working just fine to meet the industry's needs, although there are obvious areas - including data security - that need to be improved.

Let's now take a look at some common questions about CRCs that surfaced in the post-Equifax breach era.

The Role of CRCs

Given their flaws, do we even still need CRCs? Well, there are actually some good reasons that Equifax, Experian and TransUnion remain giants in the personal credit data sector.

For consumers, CRCs act as the references when you apply for credit. Although consumers can provide the information required on credit applications, it is helpful to have an independent third party verify the identity and the claim of good credit history for every individual applicant.

When applying for a credit card or a personal loan, consumers today don't have to hassle with paperwork and often enjoy instantaneous decisions. That's because the full credit file for each consumer can be easily distributed to lenders, via the infrastructure developed by CRCs.

For the more complicated financing applications such as mortgages, consumers can avoid tracking down all of their credit card statements (lenders already have access to consumers' existing liability information) and instead focus on providing paperwork not available - such as their most recent pay stubs and tax returns.

For lenders, the full credit file of a borrower provides the foundation for making an informed evaluation of his or her credit risk. Before extending new credit to a borrower, a lender cannot afford to miss out on information that a borrower has multiple large debts elsewhere. Fortunately, through CRC-provided full credit files, a lender can fully assess the credit risk of a borrower and provide the appropriate credit with a reasonable pricing.

If no CRCs existed and no full credit files were available, lenders would be prone to making incorrect decisions, such as extending too much credit to high-risk borrowers and/or denying credit for consumers they should qualify. Without CRCs, the overall cost of credit would be higher and good-credit consumers would be subject to higher pricing, paying higher interest rates to compensate lenders' losses from bad-credit consumers.

Government agencies, meanwhile, use comprehensive credit data from CRCs to get a handle of the consumer lending industry's health and to make relevant policy decisions. For example, using data from one of the three major CRCs, the CFPB publishes consumer credit trends dashboards for major lending products. The New York Fed, moreover, actually used Equifax credit report data to create a Consumer Credit Panel - a database that provides insights into the debt and credit of American households.

Necessary Structure

Why, you may ask, do CRCs have to host the full credit files for consumers, rather than, say, a single lender? One reason is that lenders actually need barriers from disclosing their customers' data to competitors.

For a lender to play the role to host all the credit data, it would have to persuade all of its competitors to submit their latest credit accounts on a regular basis. Just think, for example, if Citibank or Wells Fargo had to submit their credit and customer account data to Chase on a daily basis.

There is also no guarantee that if a lender were to receive all of this data, it would not use to enhance its own decision making well before aggregating and distributing the credit files back to the industry. That would obviously put all its competitors at a huge disadvantage.

What's more, even if all banks somehow agreed to exchange information among themselves, it would take quite a bit of resources to aggregate and distribute the data without a standalone CRC.

A Single CRC … or Room for More?

Some critics have argued that there should only be one CRC, but such a market structure could create a monopoly. As the sole owner of credit data, a lone CRC would conceivably be able to charge an exorbitant price to its clients (lenders) and consumers.

Indeed, having a few players actually helps keep credit data costs down for banks. Today, lenders spend only a small percentage of their revenues generated from credit-related products on credit data from CRCs. Clients, of course, always want to get an even cheaper price, and having a few providers to choose from helps that negotiation.

Competition also drives production innovations. In the pursuit of market share against competitors, CRCs are more responsive to industry changes and have incentives to develop new products and services that address the needs of clients and consumers.

One other issue that has been debated is whether we should have more than three CRCs. Since they are performing essentially the same data aggregation and distribution functions - and producing very similar end products - it is not necessary to have a large number of CRCs.

As an example, consider credit card technology. Although in theory every credit card issuer could develop its own system (to host account information, facilitate transactions and support risk & fraud strategies), that would result in multiple technology teams across the industry doing the same thing and producing very similar end products.

Third-party companies like FDR and TSYS provide standard credit card systems, so card issuers do not need to develop and maintain the systems themselves. Developing systems in house would certainly be more expensive for issuers, and it therefore makes sense for them to bear the technology cost collectively.

Getting back to credit reporting, it is the same idea. It makes more economic sense for lenders to collectively share the cost of credit data aggregation and distribution for just a few CRCs, rather than a dozen or more. Otherwise, the cost of accessing credit data will be higher for lenders in the industry as a whole.

Parting Thoughts

In essence, the current CRCs are the result of the market forces and regulations that have evolved over multiple decades. Although imperfect, the current CRC business model largely serves the essential need of an efficient lending industry, benefitting both lenders and consumers.

Given the large amount of data they hold, CRCs are always going to be prime targets of data thieves. Therefore, they definitely need to improve their data security.

But we can't be scared into restructuring the entire CRC industry based on one highly-publicized failure. If a house is structurally sound and recently experienced a theft, it is not necessary to tear it down and build a new one. Rather, just beef up the controls and the security system.

Frank Tian (FRM) is a vice president of risk management for unsecured lending at MUFG Union Bank. His work over the past 17 years has spanned the full spectrum of retail risk management, from credit strategy and risk modeling to credit systems and fraud management. Prior to his current post, he held various risk positions at multiple financial institutions - including Wells Fargo, GE Money, BMO and CIBC - in the US and Canada.

Disclaimer: Tian does not have investment interest in Equifax, Experian or TransUnion.