Government Regulation is Not the Answer to the Equifax Hack

The recent Equifax hack has placed an enormous amount of pressure on legislators to further regulate the credit-reporting industry. While such a response may be expected of those typically in favor of government intervention, the fever has even reached less-inclined Republican members of Congress, who recently endorsed a bill to boost federal oversight of firms.

While there is understandably a lust to “do something” in the wake of a scandal, Congress shouldn’t be so quick to throw the federal rule book at credit-reporting firms. Such an urge should be tempered by the characteristically conservative understanding of the limits of what government intervention can achieve. Relying on centralized bureaucracy to regulate credit reporting gave us the cartelized and unresponsive system we have today—with limited competition and accountability. It would be foolish to double down on such an approach.   

While credit-reporting firms benefit from economies of scale, it is not a coincidence that the industry is dominated by three big firms: Equifax, Experian, and TransUnion. Each firm is also a product of regulatory economies of scale.

As CEI Vice President Jim Harper found in his study of the legislation, the Fair Credit Reporting Act (FCRA) cartelized the industry by erecting barriers to entry. The industry’s standards are established not by competing firms’ pursuit to satisfy consumers, but by meeting the requirements of a nearly 50-year-old law.

This never had to be the case. Multiple Silicon Valley challengers have emerged over time to break up the industry, but the FCRA’s onerous legal risks and compliance costs have barred them from doing so. So it shouldn’t come as a surprise when the industry fails to spur innovation or maintain adequate security standards. The R Street Institute’s Steven Titch elaborates on how such lack of competition breeds complacency:

Over the decades, this has made the agencies complacent. While the hack may have been due to a vulnerability in software, a patch for that fault had been available for months. Equifax failed to keep up. Unfortunately, there might be very little Congress can do in way of penalty other than to shame the executives, whose response will be a litany of variations on “we complied with all regulations.”

Quite simply, Equifax can afford to be lazy because there aren’t enough vigorous challengers to keep it in check. As long as the credit-reporting industry is required to satisfy federal regulation and not the consumers it serves, such inadequate business models will persist.

Breaking down these barriers to competition should be the first place to start. Relentless competition from innovative challengers is a better punishment than a slap on the wrist from regulators.

Nearly 50 years of intense credit-reporting regulation has not made the system any more efficient, equitable, or safe. Instead, it has led to the concentrated and unaccountable system we have today. Giving more authority to regulators to increase supervision and set uniform standards will do little to rectify this.

In financial regulation, as in much of economic policy, conservatives understand the limits of government intervention. The most damning aspect of the Dodd-Frank Act, for example, is that it relies on government regulators to manage the financial system—the same “experts” who failed to prevent the last financial crisis. Congressional Republicans correctly question the efficacy of such regulators. This should also apply to credit-reporting systems.

The government has neither the requisite knowledge nor the proper incentives to manage credit-reporting cybersecurity and establish best practices in the industry. Sen. Elizabeth Warren (D-Mass.), a major critic of Equifax, recently introduced provisions to force all new Department of Defense technology to be built with the same software that Equifax used. Further, the Consumer Financial Protection Bureau, which would likely oversee the new regulations, has been repeatedly criticized by the Government Accountability Office for not implementing appropriate privacy controls to secure people’s personal data. Trusting the government to manage the cybersecurity of credit-reporting firms top-down provides customers and firms with a false sense of security that their data is being adequately protected.

A better approach would be to realign the incentives that credit-reporting firms face so they have more at stake, such as losing customers to competitors with better services. Competition requires credit-reporting firms to improve their operations, or consumers will take their business elsewhere.

It is highly unlikely that today’s cybersecurity problems can be solved by governmental mandate. The federal government lacks the knowledge to dictate best practices, but it has the power to limit competition and erode the accountability of credit-reporting firms. When it comes to legislative responses to the Equifax hack, it would be unwise for Congress to double down on a failed strategy.