A friend, Laurie, wrote to me recently about the difficulty she is having with her credit monitoring service:
"In my effort to reduce the likelihood of identity theft, I've ordered a credit check from TransUnion this year as I have for the past 3. This year I had a hard time logging on so I called the help line. It was answered instantly by somebody who asked for my Social Security number. Of course it seems like a natural question from a credit bureau but I had the feeling the operator was an outsourced worker from India. I gave her my data but I still couldn't log in. After further attempts to reach TransUnion in the USA I've discovered it is nearly impossible. I feel like I got sucked into a trap door set for the financially paranoid! Have you heard of this being a problem? Do institutions outsourcing labor in other countries have to comply with the same laws? Do you have any way around credit reporting when it's done overseas?"
Laurie's situation caught my attention first because a friend was having difficulty getting the help she needed. Her situation also caught my attention because of the increasing popularity of credit monitoring services. All consumers demand effective and high-quality customer service... perhaps more so when it involves sensitive personal data, like credit reports.
So, I promised Laurie that I'd try to find answers to her questions. Maybe Laurie had encountered a new or poorly trained call center representative, or a representative with a thick accent. This could happen with any business. Regardless, consumers have an expectation of efficient, quality customer service. And according to Laurie's message, TransUnion's customer service isn't helping and is difficult to contact.
Some background: TransUnion is one of three national credit bureaus (also called credit reporting agencies) in the USA. The national credit bureaus play three roles in the credit services industry:
1. Collect and archive credit reports with consumers' sensitive personal and financial data
2. Sell credit reports to potential lenders
3. Sell credit monitoring services to consumers
The data collected in role #1 includes: Social Security Number, birth date, full legal name, current and past residential addresses, credit cards, loan accounts and information, credit score, employer information, e-mail address, and payment histories. But this data isn't always accurate. Even though credit bureaus make money by selling consumers' credit reports, it is the consumers' responsibility to check their credit files for accuracy at each of the three national credit bureaus.
Regarding role #3, TransUnion operates the TrueCredit credit monitoring service.
One could debate whether roles #2 and #3 present a conflict of interest, perhaps similar to the role a computer software company has when it sells operating system software and application software. But that debate must wait until after I answer Laurie's questions.
Laurie's message raised the subject of outsourcing, and more specifically offshore outsourcing. Like many Americans, Laurie probably has an impression that the three national credit bureaus support their credit monitoring service subscribers with systems entirely within the subscriber's home country. In other words, consumers intuitively sense that there's less risk to their sensitive data if companies keep it within their country's borders. Some experts have identified the data security risks of offshore outsourcing.
If processing and archiving do not stay within the same country, then consumers intuitively assume that their personal data is at greater risk. How much more risk? Consumers don't know and the companies rarely say. Laurie has gone the extra step and asked: if her credit service outsources offshore, does she have the same data protections? Does the outsourcing firm have the same rigorous data security processes and policies? Which country's laws apply, if any, regarding data security standards? If there's a data breach by the outsourcing vendor in another country, will she be notified? Will that notification be accurate and timely?
Consumers' impressions that the three national credit bureaus don't outsource work are inaccurate. A news literature search found this San Francisco Chronicle article from November 2003:
"Two of the three major credit-reporting agencies, each holding detailed files on about 220 million U.S. consumers, are in the process of outsourcing sensitive operations abroad, and a third may follow suit shortly, industry officials acknowledge for the first time. Privacy advocates say the outsourcing of files that include Social Security numbers and complete credit histories could lead to a surge in identity theft because U.S. laws cannot be enforced overseas... The top credit agencies -- Equifax, Experian and Trans Union -- have refused in the past to comment on their outsourcing plans. No longer."
The article also reported this about TransUnion:
"A hundred percent of our mail regarding customer disputes is going to go to India at some point," said David Emery, executive vice president and chief financial officer of TransUnion in Chicago. "We are now testing the system and negotiating a contract with an outside vendor. We expect to sign that contract by the end of the year." Emery said in an interview that the decision to have an Indian firm handle thousands of written requests for changes to credit files each year was necessitated in part by the amended Fair Credit Reporting Act, which was approved by the U.S. Senate on Wednesday.
So, it would appear that (for a variety of reasons) at the end of 2003, TransUnion was planning to outsource work to firms in other countries. Since I am not a lawyer, I cannot provide a legal opinion on the laws which govern outsourcing and the credit industry. Nor can I provide an interpretation of the Fair Credit Reporting Act referenced by Emery above. For legal assistance regarding credit information, the Privacy Rights Clearinghouse recommends that consumers contact the National Association of Consumer Advocates, or the list of attorneys at My Fair Credit.
A Wired story from 2004 titled "Outsourcing: Danger to Privacy" reported:
"Democratic Sen. Dianne Feinstein warned the chief executives of banks and credit companies this week that she would crack down on them if they didn't take steps to protect their customers' private data, such as medical and financial information, which is increasingly being handled by clerks working abroad. In a letter to the CEOs of Citigroup, Bank of America, Equifax and TransUnion, Feinstein (D-California) said she might introduce federal legislation to protect the personal data of Americans if the companies don't establish safeguards... All of the recipients of Feinstein's letter already have outsourced clerical services, or have stated their intent to do so."
To my knowledge, that crackdown never happened. It would seem that the US Congress has basically said to credit bureaus: go ahead and outsource, but you'd better not have any consumers' credit or financial data lost or stolen. And we consumers have elected those members of Congress.
The article didn't explain exactly how Congress would oversee the companies' outsourcing activities in other countries. The article didn't say how Congress would monitor or audit the companies' compliance with the safeguards, or collect timely and accurate data breach notices about any lost, stolen, or mishandled consumer data by firms operating outside the USA.
A lot has happened since that 2003 article. Maybe the companies' outsourcing plans, activities, or scope have changed. The fact is that identity theft and fraud have blossomed as a problem since 2003. Plus, the 2003 San Francisco Chronicle article made it clear that the credit bureaus were no longer going to hide their offshore outsourcing plans and activities.
More about all of this tomorrow.