Fed Confirms Government Regulation Is Not the Answer to Equifax Data Breach

As reported by Bloomberg earlier this week, the Federal Reserve’s associate director of supervision and regulation, Arthur Lindo, announced that more regulation will not help protect the financial system against cyber attacks, such as the Equifax hack that breached more than 145 million people’s confidential data earlier this year.

The comments come after Senate leadership asked regulators whether they need more authority to help ensure credit bureaus adequately protect consumers’ information. Yet as the Fed confirmed, there are already plenty of cybersecurity regulations that financial institutions must follow. According to the article, “Several lenders and trade groups collected all U.S. and global guidance documents, regulatory requirements and recent proposals on cybersecurity… It ended up being a 2,000-line spreadsheet showing a lot of overlap between rules and demands from different regulators.”

As I wrote in an earlier blog post, government regulation has failed to ensure the cyber safety of credit reporting firms in the past. This is despite nearly 50 years of intense credit reporting regulation, predominately under the Fair Credit Reporting Act. Such legislation, however, merely limited competition and eroded the accountability of credit reporting firms, leading to the concentrated and unaccountable industry we have today. This has not made the system any more efficient, equitable, or safe. Quite simply, the government has neither the requisite knowledge nor the proper incentives to manage credit reporting cybersecurity and establish best practices in the industry.

A better approach would be to break down the barriers to competition in the credit reporting industry. Firms such as Equifax have clearly not responded to regulators, but they will have to respond to competition from innovative challengers, or consumers will take their business elsewhere.

As the Fed recognizes, giving more authority to regulators to pile on new rules will do little to solve today’s cybersecurity problems. There is already plenty of regulation, and it’s unlikely we need any more.