This post has been updated.
One of Washington’s top consumer watchdogs warned on Wednesday that credit rating agencies should prepare for tougher supervision in the wake of a massive hack at Equifax that exposed sensitive data on 143 million people.
“We’re going to have monitoring in place that’s preventive,” Richard Cordray, the head of the Consumer Financial Protection Bureau, said in an interview with CNBC. “It’s going to be a different regime than we’re used to. In the past they dealt with these problems on their own. … That’s not good enough.”
The big three credit bureaus — Equifax, TransUnion and Experian — collect information on 200 million consumers but have traditionally only been federally regulated by the Federal Trade Commission. In 2010's financial reform legislation, the Dodd-Frank Act, the CFPB gained the power to supervise the companies on a day-to-day basis.
In the interview, Cordray indicated that the agency would be accelerating that effort following the Equifax hack, which has also sparked investigations by the FBI and other regulators. Congress could grant the agency additional powers to supervise the industry’s efforts on data security, he said.
“If they’re going to restore public confidence in this marketplace and if they’re going to create the kind of reforms necessary, they’re going to have to recognize the old days of just doing what they want, being subject to lawsuits now and then, are over.”
It is unclear how specifically Cordray wants to increase supervision of the industry. In January, the agency fined Equifax and TransUnion for deceiving consumers about the usefulness and cost of credit scores they compile. And in a March report, the CFPB said it receives thousands of complaints a year about the industry, including about the accuracy of the reports it produces on consumers and the difficulty of having false information corrected.
“I am glad to see the CFPB is going to push their authority and do this,” said Chi Chi Wu, a staff attorney with the National Consumer Law Center. “That is perhaps the best way to make sure this doesn’t happen again.”
Spokespeople from Equifax and Experian didn’t immediately respond to requests for comment.
TransUnion said in a statement that it is already regulated on a state and federal level.
“At our company, information security and data protection are always a top priority and our compliance, information security and investigation teams work together to protect customers as well as the consumers who put their trust in us,” the statement said.
This comes as Equifax scrambles to address growing concerns among lawmakers about the hack, which potentially revealed the Social Security numbers and other personal information of about 40 percent of the U.S. population. On Tuesday, the company’s chief executive and chairman, Richard Smith, stepped down. Equifax’s board of directors has launched an independent investigation into the leak.
The company, which has already seen its stock price decline nearly 30 percent, has repeatedly apologized and said it moved as quickly as it could once it understood the severity of the problem.
Reuters reported that New York’s Department of Financial Services proposed on Sept. 18 that credit reporting agencies be subject to a state cybersecurity rule requiring banks and other financial institutions to establish a program to protect consumer data and alert the regulator to significant breaches.
Had Equifax already been subject to the regulation, Reuters said, it would have had to report the breach within 72 hours of its discovery, rather than the 41 days the company took after finding out that consumer information had been compromised.
Congress, too, has grown increasingly agitated about the leak and the company’s bungled response.
“I question whether Equifax has the right to even continue providing these services with the level of sloppiness and lack of attention to cybersecurity,” Sen. Mark R. Warner (D-Va.) said on Tuesday.
Rep. Maxine Waters (D-Calif.), ranking member of the House Committee on Financial Services, has called for an overhaul of the nation’s credit reporting system. Sen. Elizabeth Warren (D-Mass.) has introduced what she has called the Freedom from Equifax Exploitation Act, or FREE Act. The FREE Act allows every consumer to freeze and unfreeze their credit file for free. If a person’s credit report is frozen, no one can access the data to open a new credit card or take out a loan. Better Markets, an advocacy group, is calling for the Securities and Exchange Commission to require companies to “promptly” disclose a hack unless it’s insignificant. (Equifax notified the public six weeks after it discovered the breach.)
The industry’s fate likely depends on whether efforts to reform the industry can gain Republican support. Republicans in both chambers have expressed outrage about the breach, and Rep. Jeb Hensarling (R-Tex.), the head of the Financial Services Committee, has called for a hearing, but it is unclear whether he would support legislative changes.