Newsroom

October 26, 2017

Hunt: NAFCU monitoring Equifax fallout, actively engaged to protect CUs

NAFCU is actively engaged with lawmakers and regulators to ensure any new rules stemming from the Equifax data breach don't negatively impact credit unions, association Executive Vice President and General Counsel Carrie Hunt told listeners during yesterday's member-only call outlining credit union industry options in the breach's aftermath.

From a regulatory standpoint, Hunt said most agencies are monitoring the issue but are not actively pursuing a specific response and doesn't expect much action from them. Congress, on the other hand, has been active with multiple hearings and one piece of legislation already proposed to address the issue.

Hunt said lawmakers are "concerned with the breadth of information that was lost in the Equifax breach" and will be looking at what consumer information should be eliminated to help keep things protected and private.

Rep. Patrick McHenry, R-N.C., recently introduced the PROTECT Act, which Hunt said could have huge implications on credit unions as it includes provisions to phase out the use of Social Security numbers as financial identifiers by the credit bureaus. The bill would also subject the bureaus to examinations via the Federal Financial Institutions Examination Council (FFIEC), something for which NAFCU has advocated in the wake of the Equifax breach. It also establishes a national process for consumers to request a credit freeze.

Hunt alluded to another piece of legislation Rep. Blaine Luetkemeyer, R-Mo., is expected to introduce before the end of the year that will address the issue of when entities should notify the public of a breach.

Responding to a member's question, NAFCU Senior Regulatory Compliance Counsel Elizabeth LaBerge noted that Equifax is unlikely to notify all who were impacted by the breach – something the company's ex-CEO said during one of the congressional hearings. It's also not required by the FTC.

Hunt followed up that "no one's been impressed" with Equifax's public notification of the breach and that's something Congress has been most critical of. NAFCU will monitor legislative proposals to ensure they don't create a broad notification requirement that puts the burden on credit unions to notify their members.

While decision-makers consider next steps to hopefully reduce future breaches, LaBerge encouraged credit unions to reexamine their identification authentication procedures and potentially redo risk assessments. She said some credit unions are looking for ways to reduce their reliance on Social Security numbers for identification as the information may now be less reliable than before the breach.

There are already several class-action lawsuits filed against Equifax – including two credit union specific ones – but Hunt said the key to litigation will be proving direct damages to the financial institution as a result of the Equifax breach. She noted the chance of financial institutions receiving monetary compensation is very slim.

NAFCU is continuing to weigh its involvement in legal proceedings; members are encouraged to take the association's survey to report how their credit unions are responding to the breach.