By Krista Shonk and Nessa Feddis
On September 7, the credit reporting bureau Equifax announced that it had been hacked in a massive data breach that exposed the personal information of 145.5 million people—nearly half of the U.S. population. Millions of Social Security numbers, driver’s licenses and other information were stolen, increasing the risk of identity theft, synthetic identity theft and the takeover of bank and credit card accounts. As Americans come to grips with such a large-scale data breach, banks are proactively working to protect themselves and their customers against potential fraud. Integral to this effort are questions regarding third-party risk management—including how to manage risk associated with credit reporting agencies.
Staff from the American Bankers Association recently met with representatives from the federal banking agencies to better understand how regulators expect banks to handle the Equifax breach from a third-party risk management perspective. Below are the key takeaways from the meeting. We understand that this information does not resolve all of the questions and concerns that banks have about the breach, and ABA will continue to communicate with the agencies as additional information emerges.
Don’t forget the basics
In recent years, banks have devoted significant resources to understanding and complying with agency guidance on third-party risk management. However, several factors complicate how banks should manage their dealings with Equifax, including:
- The sensitivity of the data that was breached
- The inability of all 6,000 U.S. banks to conduct onsite visits or a thorough analysis of a credit bureau’s information security policies and processes
- The wide variety of entities that provide consumer information to the credit bureaus
- Public policy that encourages banks to report loan performance to credit bureaus in order to help consumers build their credit files
- The lack of regulatory examination authority over the data security practices of credit bureaus.
Against this backdrop, bank regulators remind banks that they should treat the credit reporting agencies, including Equifax, the same as any other third party. In other words, a bank should include the credit bureaus in its third-party inventory and ensure that it understands the overall risk and complexity of its relationship with each bureau. Each bank’s risk rating of a credit bureau will be determined by several factors, including the scope of services provided across all business lines and the criticality of those services to the bank.
ABA members report that some examiners are asking questions about banks’ rationale for assigning Equifax a particular risk rating. As a result, banks are concerned that regulators will retroactively criticize their third-party management of the credit bureaus in light of the Equifax breach. However, the banking agencies indicated to ABA that they do not intend to second-guess a bank’s pre-breach risk rating and due diligence on Equifax. Rather, the agencies will focus on banks’ efforts going forward.
With this in mind, banks should scale their due diligence on a credit reporting agency according to the overall risk and complexity of the relationship. For example, a bank that relies on Equifax for market analytics only may opt to conduct less intensive due diligence than a bank that utilizes the firm for credit scoring and data verification.
Oversight of Equifax remediation
While regulators expect banks to manage third-party risk presented by Equifax, the banking agencies recognize that it is impractical for banks of all sizes to have a comprehensive view of Equifax’s remediation of systems vulnerabilities, such as insufficient patching and coding practices or inadequate vulnerability and penetration testing. However, at some point after the initial breach response, banks should ensure that they are doing business with a safe and secure company.
Regulators acknowledge that banks—community banks in particular—can experience difficulty obtaining comprehensive information on a third party’s internal controls and information security procedures. In the Equifax situation, information about the breach has been slow to emerge, and many banks have struggled to obtain information that is more detailed than what has been reported in the media. The situation is further complicated by the fact that the banking agencies do not have supervisory or enforcement authority over Equifax’s data security practices and cannot compel the company to provide detailed information regarding its remediation efforts.
What is a bank to do?
Banks should make a good faith effort to obtain information about the breach and enhance their fraud detection efforts. In particular, banks should:
- Assess the situation. Banks should gather as much information about the breach as possible and document their efforts to obtain this information.
- Analyze the impact of the breach. Banks should use the information that they gather to assess and detect potential risks to the bank and its customers. Bank management should be able to explain to the board of directors, customers, and regulators the actions that the institution is taking to analyze this information and protect the bank and its customers. However, it is ABA’s understanding that regulators do not expect a bank to research whether personal information of individual customers was compromised. Given the scope of the cyberattack, all banks will have a substantial percentage of customers whose information was breached. As a result, regulators are immediately focused on bank efforts to improve fraud detection and prevention.
- Enhance account monitoring activities. Banks should use information about the breach to enhance their anti-fraud activities, with a particular emphasis on preventing new account identity theft, synthetic identity theft, and takeover of bank and credit accounts.
- Anticipate credit report freezes. Consumers may freeze their credit reports in an effort to protect against identity theft. These freezes may slow the review of credit applications and create compliance timing complications, particularly for mortgage loans. As a result, banks should review their credit application processes and be prepared to address questions and expectations of customers who have frozen their credit reports.
- Update the identity theft red flag program. Under the Fair Credit Reporting Act, banks must establish policies and procedures to detect and prevent identity theft. The regulation implementing that provision requires that banks periodically review and update those policies and procedures to reflect changes in risks to customers and to the safety and soundness of the financial institution. Such policies must be “appropriate to the size and complexity” of the depository institution and the “nature and scope of its activities.” (For more information on bank responsibilities under the FCRA, see ABAWorks on Fraud: Identity Theft Red Flags.)
Should banks end their relationship with Equifax?
The federal banking agencies do not intend to influence a bank’s decision to continue or end its relationship with Equifax. Banks are encouraged to consider several factors when evaluating whether to continue conducting business with or reporting to Equifax. Banks should document the rationale for their decision. Some key considerations are:
- Scope of the relationship. A bank may want to consider the scope of its relationship with the company. Does it report data to Equifax? Does it use Equifax’s consumer reports for loan underwriting? Does the bank rely on other products and services provided by the firm?
- Legal and contractual requirements. No law or regulation, including the FCRA, mandates that banks report loan performance to the credit bureaus. However, in the past, regulators and policy makers encouraged banks to report all of their loans to the credit bureaus in order to help consumers build a credit file and obtain lower interest rates. While credit reporting is not required by law, Fannie Mae and Freddie Mac seller/servicer agreements currently require that originators and servicers pull credit reports from and report loan performance to the credit reporting agencies.
- Consumer impacts. Discontinuing furnishing information to Equifax may lower consumers’ credit scores or make them unscorable. For example, customers cannot be scored unless they have a certain number of current credit accounts in their file. Credit scores may also decrease because the utilization rate—that is, the amount of credit used compared to the amount of credit available—will rise if a line of credit with unused available credit is no longer reported.
- Equifax remediation efforts. While information has been slow to emerge about what Equifax has done to address its systems vulnerabilities, banks may want to analyze the October 6 congressional testimony of former Equifax CEO Richard Smith. Smith’s testimony describes steps the company has taken to shore up its security protocols, including enhancing vulnerability scanning and patch management, strengthening restrictions for housing and accessing data, increasing network segmentation, and deploying additional web application firewalls.
- Consider the big picture. Some industry experts have observed that the compromised information may be used to open a fraudulent account that is ultimately reported to the other credit reporting agencies. In other words, fraud risk will still exist regardless of whether a bank terminates its business with Equifax. Banks may also want to consider the reputation risk of continuing their relationship with Equifax.
Be aware of expectations by state regulators
In addition to monitoring feedback from the federal banking regulators, banks should be mindful of advisories and related communications issued by various state banking regulators. For example, guidance from the New York Department of Financial Services urges New York chartered banks to “confirm the validity of information contained in Equifax credit reports . . . before relying on them for provision of products and services” to new applicants and existing clients. In addition, NYDFS instructs banks that provide consumer or commercial related account and debt information to Equifax to ensure that the terms of the arrangement “receive a very high level of review and attention to determine any potential risk associated with the continued provision of data” in light of the breach.
The Equifax breach will have significant impacts on third-party management, cybersecurity, anti-fraud efforts and the United States credit reporting system. ABA will continue to share information about regulatory expectations and leading practices as they become available.
Krista Shonk is VP for regulatory compliance policy at ABA. Nessa Feddis is SVP and deputy chief counsel for consumer protection.
Third-Party Tactics, a regular feature on the ABA Banking Journal site, explores leading practices and practical tips for third-party risk management.
For more information about fraud prevention measures, access the free, members-only Fraud Mitigation Post Data Breach Webinar hosted by ABA and the Financial Services Information Sharing and Analysis Center.