Credit unions should immediately evaluate their credit reporting practices, find ways to get better breach data and prepare for a spike in fraud in the wake of Equifax’s enormous data breach, two experts have warned.
The Equifax breach, announced Sept. 7, affects 143 million U.S. consumers. Compromised information primarily includes names, Social Security numbers, birth dates, addresses and in some cases driver’s license numbers. The breach also jeopardized credit card numbers for about 209,000 people, as well as dispute documents for about 182,000 consumers.
Liability Concerns
Though consumers are understandably worried about the ramifications of the breach, so are credit unions, according to David Reed, who is an attorney and partner at the Arlington, Va.-based Reed & Jolly, which specializes in credit unions and is counseling them about the breach, including whether and how to maintain a relationship with Equifax.
Reed said concerns about potential legal liability around transmitting data to and from Equifax are less of a worry right now because Equifax has allegedly stopped the breach.
“Now, with that having been said, credit unions need to make sure that they’re doing their due diligence,” he warned. “They need to show that they’ve talked about this, literally at their highest levels, that they have received assurances that that data is being protected.” Credit unions also need to help members deal with the fallout, he said.
Continued Equifax Use
Reed said he’s not advising his clients to stop reporting to Equifax at this point.
“But I am advising that they take a look at it,” he said. “Everybody knows that the biggest repository of personal private information on a borrower, outside of the financial institution, is with the credit reporting agencies. That’s all they are – they are a big wide vault of this information with the ability to manipulate that information and feed it back out to us. But if [credit unions are] not comfortable with that, then they need to make that decision. They need to show at least they’ve looked at it.”
Ceasing to report to Equifax could complicate things, Reed noted. First of all, many credit unions have contracts with Equifax. Also, it’s a two-way street.
“There’s a possibility that Equifax will say, ‘Well, if you’re no longer reporting to us, then we may no longer support you to draw our credit report.’ Now, I don’t know that would ever happen. Equifax would not do a double negative, but it’s important to know that this is not just as simple as flipping a switch,” Reed warned.
The Issue of Mass Reissue
The Equifax breach is indeed insidious, but mass card reissues might be premature – and not even much of a solution, Reed said.
“Once you’ve stopped that card, then that breach for that individual account is over. If it’s a really big breach, if it breached all your cards, great, then you shut down that entire portfolio and it’s done. This [the Equifax breach] is never done,” he explained.
Credit unions should work on getting fraud warnings sooner, warned Canh Tran, CEO of the Chicago-based fraud technology company Rippleshot.
“Ask more from your data processor,” he said. Instead of the typical weekly or monthly reports, credit unions should ask for daily information on credit card and fraud transactions.
“They have that in their database, it’s just that the credit unions haven’t been asking for it,” he said.
Get Ready for Synthetic Fraud
The Equifax breach’s theft of personally identifying information is a game-changer for fraud and authentication, according to Tran.
Card-not-present fraud and ATM/gas pump skimming are still raging, he said, but another type of fraud – synthetic fraud – will get an especially huge boost thanks to the Equifax breach. To fight back, credit unions and other lenders may tighten lending criteria and do manual reviews, which could slow lending and raise operational costs, Tran noted.
Synthetic fraud occurs when criminals create credit profiles for fictional people. Often, the fake profiles include real information about real people, but with a few minor changes. A criminal that gets a person’s Social Security number, date of birth and credit card information, for example, might apply for a loan with that information but add a different street address, Tran explained. In the first attempt, the potential lender submits the information to a credit bureau and then likely declines the application because there’s no exact match in the system.
But that creates a credit file on the fake applicant, Tran said. At that point, the criminal then applies for something else, usually small – a card with a $500 credit limit, for example.
“Their application may not be as stringent,” he explained. “That lender will check the credit, find that new credit file and issue the card. That builds credit history for a fictitious person, and the criminal can continue borrowing under the fictional profile.”
The lender eventually eats the losses, because there’s quite literally nobody to collect from.
“Synthetic fraud is going to be the big one,” he said.
