Data Breaches Are Making the Credit Bureaus Obsolete
We’re all familiar with the credit check, that ubiquitous step when we’re applying for bank accounts, loans, or credit cards. But while credit checks may be a well-intentioned means of identity verification, the truth is that they’re outdated and unreliable—and increasingly a playground for fraudsters. Something needs to change, and fast.
The problem is that when a credit bureau conducts a credit check, it uses static information: data that’s unlikely to change, such as a person’s name, date of birth, or Social Security number. This information is also required to fulfill regulatory requirements like know your customer (KYC) and anti-money laundering (AML) programs. But as much as one wants to believe that this information is truly private, the truth is that it’s actually very widely available. Thanks to data breach after data breach, tons of personal information is easily accessible to fraudsters and is being bought and sold on the black market. And what’s worse is that credit bureaus themselves are among the largest victims of these breaches; last year’s Equifax breach alone compromised 143 million Americans’ private records. Since 2005, more than 10 billion people’s records have been affected, according to the Privacy Rights Clearinghouse.
When this information falls into fraudsters’ hands, they can use it to apply for mortgages, credit cards, and loans, make online purchases, or commit many other types of both online and offline fraud. The prevalence and “ease” of using online applications for everything only makes it easier for them. The burden of cleaning up the mess then falls on the defrauded consumer—not on the credit bureau that made their information so easy to steal in the first place. LexisNexis estimates that between 31 and 43 percent of monthly transactions in the retail, ecommerce, financial services, and lending sectors involve fraud attempts. That’s far too many.
So what’s the solution? Tightening passwords or increasing online security measures might serve as a temporary stopgap. And regulations like GDPR or the Data Breach Prevention and Compensation Act might help protect consumers’ data to some extent. But the real change needs to be an overhaul of the way institutions verify identity.
Rather than relying on the same static data that they’ve used for decades—and that has basically become a free-for-all—a shift to dynamic identity data is a must. Such data might include consented online, social, mobile, or offline data, such as social networks, IP addresses, or the age of one’s email address. Taking all dynamic data together creates an accurate, holistic picture of a person’s identity that can be used reliably to verify a person and better predict risk. What’s more, moving away from traditional credit bureau data would benefit entire swaths of the population that may not have good (or any) credit and thus have a difficult time getting applications approved. Such customers include thin-file millennials and Generation Z-ers, immigrants, and the underbanked.
Even though credit bureaus and security companies are actively striving to address the current fraud issues, there’s almost no chance that the industry can bounce back from the breaches that have already placed billions of people’s personal information in the hands of fraudsters. If the industry continues using this information, institutions may very well start having to conduct identity checks in person, adding an entirely new layer of friction to the process. Instead, consumers should start demanding accountability and pressuring banks and other institutions to stop using outdated methods.