Equifax hack to test resolve of GOP to ease finance rules
The Equifax data breach has triggered demands on Capitol Hill for stiffer rules and new requirements for what financial companies must do to fend off cyberattacks.
Yet tougher oversight would all but certainly require support from the Trump administration and buy-in from congressional Republicans — both of whom want to reduce financial regulation not stiffen it. Democrats so far have led the calls for more rules in the wake of Equifax’s disclosure that 143 million Americans’ personal information was exposed to hackers.
Tighter constraints would pose a particularly difficult choice for Republican lawmakers because it would most likely mean further empowering the Consumer Financial Protection Bureau, an agency created after the 2008 financial crisis that many Republicans have been trying to delete. No other federal regulator supervises Equifax or has officials inside the firm conducting on-site exams.
“Republicans by nature are loath to regulate,” Sen. Dick Durbin, an Illinois Democrat, said in an interview. “But there comes a moment when a company has so much information and is not handling it in a professional way where I think we are duty-bound to step in on behalf of innocent citizens.”
While President Donald Trump has pledged to cut back government red tape, White House press secretary Sarah Huckabee Sanders said Monday that the severity of the Equifax breach could mean more rules are needed.
She said the administration will look at the situation “extensively,” and that Trump’s homeland security adviser Tom Bossert will lead efforts to respond to the hack.
Equifax is among a handful of companies that control data such as credit histories that lenders rely on to assess whether consumers should get loans. The Atlanta-based company said Thursday that the compromised information includes Social Security numbers, driver’s license records and birth dates. It faces multiple state and federal investigations, and at least one multibillion-dollar classaction lawsuit.
Unlike banks, Equifax and competitors TransUnion and Experian don’t have multiple regulators. The Federal Reserve and Office of the Comptroller of the Currency, for example, have teams of supervisors assigned to specific lenders. The officials have daily responsibilities for monitoring any transactions and weaknesses in computer systems that could threaten financial stability.
Before the Consumer Financial Protection Bureau begin policing the industry in 2012, it faced almost no federal oversight. The Federal Trade Commission has authority to penalize the companies for failing to protect consumers, but it doesn’t engage in proactive monitoring. Durbin said the size of penalties that the Federal Trade Commission is allowed to impose aren’t big enough to adequately punish a breach on the scale of Equifax’s.
Much of the Consumer Financial Protection Bureau’s scrutiny of Equifax and its rivals has been on trying to ensure that credit reports are based on accurate data and that the firms are properly responding to consumer complaints. At least publicly, less of the agency’s focus has been on cybersecurity. The Consumer Financial Protection Bureau is led by Richard Cordray, who was appointed by former President Barack Obama.
In January, the consumer bureau accused Equifax and TransUnion of misleading consumers about credit products they had sold them. Without admitting or denying the allegations, Equifax agreed to provide almost $3.8 million in restitution to affected consumers, while paying a $2.5 million fine. The consumer bureau has said it is investigating Equifax’s data breach as well as the company’s response.
The bureau has authority to ensure financial companies maintain standards to keep customer information safe. The agency brought its first cybersecurity case last year, fining online payment company Dwolla Inc. $100,000 for allegedly deceiving companies about how secure its systems were. The settlement could provide a road map for how the agency deals with Equifax’s breach.
Lawmakers have repeatedly tried to tighten restrictions for how companies report consumer breaches and to expand cybersecurity protections — with limited success. Banks have long lobbied Congress to limit their industry’s financial losses after hacks on other companies.
When criminals get access to consumer data and use it to commit identify theft, it’s banks and credit unions that often bear the brunt of financial losses. Lenders also face costs associated with managing the fallout of a breach, such as reissuing new credit cards and managing consumer complaints. The Equifax breach has reinvigorated calls for Congress to create national standards to ensure all companies are adequately protecting data.
“It’s time for companies who lose consumer data or do not protect it to be held responsible,” said Dan Berger, president of the National Association of Federally-Insured Credit Unions. “I think you’re going to see Congress really take a closer look at this.”
Information for this article was contributed by Jesse Hamilton of Bloomberg News.