Senators Rip Credit-Reporting Model in Wake of Equifax -- Update

Senators questioning Equifax Inc.'s former chief on Wednesday attacked the business model of the credit-reporting industry, asking why consumers shouldn't have power over the data that the companies collect on them.

The hearing, one of a series this week, was as much about the control consumers have over their personal data as it was about the Equifax hack. Senators questioning former Equifax Chief Executive Richard Smith asked whether a large overhaul is needed for both private sector and government activities.

"Massive data collection is being undertaken across this country," said Banking Committee Chairman Sen. Michael Crapo (R., Idaho) during Wednesday's hearing before his panel. He added that Congress needs to take action with personal identification being collected by government, the private sector and others.

Speaking about the big credit-reporting companies -- which along with Equifax include Experian PLC and TransUnion -- senators repeatedly raised the following point: Consumers don't choose to share their data with these firms, but much of their financial lives, including whether they can get approved for loans or rent an apartment, depends on the data the companies have and then sell to lenders and other companies.

Although Equifax has been the main focus of attention since disclosing its massive breach in early September, the credit-reporting industry has feared the breach will lead to more regulatory oversight and changes to the underpinnings of the consumer-finance economy.

Several senators called for just that. Sen. Sherrod Brown (D., Ohio) said consumers have more control over their personal medical data and questioned why similar standards shouldn't be applied to financial information.

Such comments raised questions about how the industry could be changed, and whether doing so would make it more difficult for consumers to obtain credit. Consumers who don't have credit reports often can't get approved for loans.

At the same time, consumers don't give their permission to have their personal financial information collected, nor do they receive any compensation for it. Rather, the credit-reporting companies gather it and then sell it to lenders.

The broader industry focus didn't spare Mr. Smith and Equifax from another day of harsh criticism for missteps that allowed hackers to access consumers' data and the handling of the breach once it was disclosed. On Tuesday, Mr. Smith was similarly grilled during an appearance before a House subcommittee.

The executive goes before another Senate panel Wednesday afternoon and another House committee on Thursday.

Equifax's quest to acquire more data on consumers under Mr. Smith's leadership came under attack. And questions were raised about when Equifax became aware of the severity of the breach and why Mr. Smith and other executives made public presentations without acknowledging that something was amiss.

Mr. Smith, who repeatedly apologized for the hack, responded that at those times, the company had yet to fully understand the size or scope of the breach.

Senators also blasted Equifax over a contract it has reached with the Internal Revenue Service to help the agency verify taxpayers' identities. Mr. Smith said the contract was a renewal of an existing pact and that the breach shouldn't negate the rest of the company's 118-year history. The IRS also defended its decision to award the $7.25 million contract, which was first reported by Politico.

And senators noted Equifax might actually benefit financially from the hack: The company sells data-security products, and some consumers who froze their credit files immediately after the breach had to pay Equifax for it. The company later said it would refund those fees.

"The breach of your systems has actually created more business opportunities for you," Sen. Elizabeth Warren (D., Mass.) told Mr. Smith.

Mr. Smith avoided addressing what Equifax will do for people who find they have fake accounts opened in their name or otherwise have their identities stolen as a result of the hack. He said Equifax is offering free services designed to prevent that from happening. '"That is the extent of our offering,' doesn't touch at all" on the question, said Sen. Joe Donnelly (D., Ind.), of the response.

Sen. Chris Van Hollen (D., Md.) criticized Equifax's requirement for consumers to use arbitration in disputes with the company instead of filing lawsuits. Equifax said it did so inadvertently with respect to consumers who signed up for credit monitoring after the breach. But the company also uses forced-arbitration clauses in other offerings.

"If you're looking out for the rights of consumers, why don't you give them a choice as to how they seek their remedy?" Sen. Van Hollen asked.

Mr. Smith said that "today arbitration is a part of the law and we're following the law."

Senators were also critical of stock sales by three Equifax executives a few days after the company discovered the breach. Equifax has said the executives didn't know about the hack at the time.

Sen. Tim Scott (R., S.C.) said the executives must have been "the luckiest investors...to sell the stock at the best price," before it dropped significantly after Equifax disclosed the breach.

Mr. Smith said, as he did in his previous testimony Tuesday, that the executives are "honorable men" who followed the proper procedures in selling the stock.

Mr. Smith has said repeatedly that Equifax knew at first in late July only that there had been "suspicious activity" in its systems. He added that it was only later that it found consumers' personal information had been stolen, lengthening the period before Equifax disclosed the breach to consumers.

Mr. Smith did say in response to a question that the company notified the Federal Bureau of Investigation about the incident on Aug. 2. Mr. Smith said it was "not unusual" for Equifax to inform the FBI when it finds such activity without responding to a question about how many times it had previously done so.

Sen. Heidi Heitkamp (D., N.D.) said the move "looks pretty suspicious," especially as John J. Kelley, Equifax's chief legal officer who was in charge of approving the three executives' stock sales, knew about the incident around the same time.

Mr. Smith defended his compensation to the committee. The Wall Street Journal has calculated that his pay in his 12 years as CEO totaled around $127 million; he said he had volunteered to give up a bonus this year and severance pay, and that the millions of dollars he walked away with consisted of pension benefits and unvested equity earned over his career.

"I've worked hard, I don't set those compensation levels," he said. "The board does and the board is elected every year."

--Andrew Ackerman contributed to this article.

Write to AnnaMaria Andriotis at annamaria.andriotis@wsj.com, Michael Rapoport at Michael.Rapoport@wsj.com and Christina Rexrode at christina.rexrode@wsj.com

(END) Dow Jones Newswires

October 04, 2017 14:19 ET (18:19 GMT)