By Andy Barratt, Managing Principal Financial Services & Payment Solution Assessment at Coalfire
The fall-out from the Equifax hack has, understandably, focused on the millions of people who have had data stolen, but far less attention is being paid to the wider implications for the financial services industry.
Financial services providers, in particular, rely heavily on credit ratings to vet potential customers, with Equifax being one of the major providers of this information in the UK.
Businesses across the sector need to ask themselves whether they can consider the data they receive from Equifax reliable. Pleading ignorance is not an option now that the hack is public knowledge, and the onus is back on financial services providers themselves to ensure they are lending responsibly and securely.
It’s well known that the credit rating services provided by the likes of Equifax, Experian and Callcredit are integral to modern lending processes. The depth of information and immediacy they offer is, for many, simply not achievable otherwise. With this reliance in mind, the broader impact of the breach for the sector could be significant and long-lasting.
Should the extent of the breach be more far-reaching, it might be too late by the time the industry knows that records at Equifax have been manipulated.
The impact of the breach
The first, and more widely discussed, impact of the Equifax breach is the potential for the individuals whose data has been stolen to become victims of identity fraud.
The number of people affected by this particular incident has been reported widely and is now reasonably understood to be in the millions. This puts an abundance of vital personal information at the fingertips of unscrupulous individuals across the globe.
The second key factor to consider is the systemic impact on the financial services industry, especially in an environment where increasing amounts of business are carried out without any face-to-face interaction with the customer and automated, rapid decision making is used.
For the growing number of online-only businesses, it can be very hard to know if an applicant is who they say they are – especially if the credit rating provided by a third party is potentially compromised. While the affected data will have been flagged as stolen, we don’t know if the cyber-thieves changed any of the original records at source.
If the source data at Equifax has been manipulated, false identities could go undiscovered, giving fraudsters a greater chance of success. Stolen data can be used to create fake identities, falsify credit histories and enter into relationships with lenders that would otherwise not be possible.
Criminals could also have made individuals appear more credit-worthy than they are in reality. This might result in over-lending to sub-prime or near sub-prime individuals in a manner that may well be judged irresponsible by regulators.
Of course, many lenders use multiple sources alongside their own records to verify loan applications.
But for those relying heavily (or solely) on Equifax data to support their decision making, it is vitally important to evaluate the level of dependence and whether a new approval process needs to be put in place.
Ensuring data reliability
At this stage, completely abandoning Equifax might be overcautious, but a review of how their data is utilised is a must.
Businesses need to start a dialogue with the credit ratings agency immediately. Equifax should be forced to disclose what measures have been put in place to alert both consumers and financial institutions to fraudulent data, how they are identifying the people affected and what new practices are being implemented to ensure data security and integrity in the future.
It will, of course, be down to individual companies to decide whether the evidence provided by Equifax is satisfactory.
If it is not, firms that rely heavily on this agency should consider other partnerships so that data can be corroborated. Anomalies can be identified by comparing information provided by two or more ratings agencies, potentially uncovering a fraudulent application.
In this vein, firms may also be able to further leverage existing customer data to sense-check a new application. For example, if an existing customer’s circumstances or credit-worthiness change drastically from one application to the next, this should raise flags.
Common-sense checks such as this are an interim measure, but will help judge the reliability of data while assurances from Equifax are sought and more long-term strategies are put in place.
Long term, it will be up to the regulators to decide if Equifax can really be relied upon by the global financial services community. Any rulings or advice on Equifax’s reliability could have significant implications for the financial services industry’s dependency on a small number of credit rating agencies.
If Equifax’s trustworthiness is called into question, it could be a tipping point that opens the door to a new type of ratings agency.
Financial services is in a transformative phase with new ‘challengers’ emerging all the time. Online-only banks like Monzo are capitalising on an industry that is already amenable to change. The sector should watch on with interest for comment from the FCA that could impact Equifax’s role and keep an eye out for potential partnerships should new rating providers enter the market.
The truth is that Equifax and the service it provides are deeply entwined with the financial services sector. So much so that wider implications from the data breach are inevitable. It’s fundamental now that the sector ascertains whether its lending processes are still reliable and makes the necessary changes if they are not.
About the Author
Andy Barratt is Managing Principal for Financial Services and Payment Solution Assessment at Coalfire, a cyber security consultancy which works with many businesses across the financial services sector.