Equifax Eyes Are Watching You–Big Data Means Big Brother

As one of three credit bureaus in the United States, Equifax keeps financial data on every adult in America, plus people in 16 other countries. But the company knows much more than just what goes into an old-fashioned credit score.

It maintains information about people who share the same phone number or address, “non-obvious” relationships between individuals, loans for dental work, magazine subscriptions, rental history, real estate assets, investment wealth, retail purchasing, the type of federal tax return someone files, marital status, employment, utility payments, cable TV accounts, criminal records, debt-to-income ratios, changes of address, motor vehicle files, post office boxes, inferences about someone’s capacity to pay bills, predictions about someone’s propensity to pay, links to past and potential fraud crimes–and more.

This pile of more than 800 billion records is sliced, diced, analyzed and indexed into 26 petabytes of data. That’s more data than the FBI’s Investigative Data Warehouse, said to be the single biggest repository at the agency, with its relatively measly 1 billion unique documents. In all, Equifax has data on 500 million consumers and 81 million businesses worldwide.

Says Equifax CIO Dave Webb: “We know more about you than you would care for us to know.”

In his wry British way, Webb alludes to the power of information and his push to derive ever more lucrative products and services from Equifax’s vast stores of it. Webb says Equifax can make money off IT innovation–that is, his staff’s ability to manipulate massive amounts of data better and faster than competitors can.

The company has launched scores of new IT-based products in the past few years, chasing two ideas: cutting risk and improving marketing for its 46,000 business customers. Equifax can, among other things, check an immigrant’s employment status, verify a doctor’s credentials, assess an Internet user’s social influence and monitor a child’s budding credit portfolio. Big data. Big Brother. Big bucks.

But like other companies in various industries hoping to spin in-house data into revenue, Equifax has to maneuver through tricky economic, political and cultural changes. The recession forces businesses to seek out reliable data on which to base decisions (opportunity), but they have less money to spend (problem). Congress enacted tough regulations to try to control mortgage companies (opportunity), while President Obama’s new Consumer Financial Protection Bureau says it’s going to monitor credit bureaus (problem). People are freer with personal data than ever before (opportunity), but they don’t like it when companies get too personal (problem).

Rivals Experian and TransUnion also are remaking themselves into analytics companies. “Decision analytics is the growth engine for these companies,” says Elizabeth Mason, an analyst at Outsell, a company that studies the information industry. “Yet it’s a shifting landscape. We don’t know yet what the public’s tolerance is for companies mining all of this data really well.”

Privacy? What Privacy?

Business isn’t just about building a better mousetrap. It’s about finding out why people don’t like mice and what they’re willing to do about it. In the past, companies might have gathered consumers in a room to quiz them. Now they pay millions of dollars to collect, buy and analyze data about those consumers, to market the best mousetraps to the right customers.

And why not? People give up personal information in return for convenience. They hand over data about their Web activity for the chance to win a cruise. They let online game companies vacuum up personal tidbits from their Facebook accounts.

Equifax itself coaxes consumers to give up personal information online. A contest to win World Series tickets and $3,000 asked Facebook users to submit a photo and short essay on what they would do with the money.

Consumers share knowingly and unknowingly, through surveys, location-based services, searches, online resumes, photos, check boxes, check-ins, tweets and clicks. People have no time to read gobbledygook privacy policies; they simply click “I Agree.”

“The majority of consumers have no clue about the breadth of the information about them, where their information is residing and who has access to it,” says John Ulzheimer, president of consumer education at SmartCredit.com, which offers consumers credit scores, identity protection and credit-monitoring services.

How the norms have shifted. Until the mid-1990s, the conventional wisdom about privacy protection was, in essence, that information collected for one purpose shouldn’t be used for another. The idea is rooted in a 1973 federal guideline, “Code of Fair Information Practices,” which advocated consumer control and consent as core principles.

After the Web opened up, we moved away from the notion of separating and guarding individual pieces of data to protect privacy. Now the prevailing goal seems to be to collect and combine nearly as much personal information as possible in the quest for profit.

There’s a growing movement against that trend, though, that CIOs should monitor. What people don’t like is when companies combine personal data to reveal more than any single piece of information can, says Lee Rainie, director of the Pew Research Center’s Internet and American Life Project. “They are nervous, concerned that material might hurt them,” he says.

Still, he notes, people fail to lock down their data out of ignorance or neglect, or sometimes because it’s simply not possible.

To protect consumers from themselves and from overreaching companies, lawmakers are getting involved. In March, the Federal Trade Commission recommended that businesses make privacy protection their “default setting.” Companies are asked to issue clearer explanations about what happens to consumer data and simplify the choices people are given for how their information is used. “Implementing these best practices will enhance trust and stimulate commerce,” the FTC says. Congress, meanwhile, is writing “Do Not Track” and other privacy bills.

For now, as data-based products grow more profitable, the boundaries consist of regulations, laws and the judgment of companies policing themselves.

Monetizing Innovation

Pulling in $2 billion in revenue, Equifax is the second-largest of the three credit bureaus, tucked between $1 billion TransUnion and $4 billion Experian. With no one dominant player, the three are in a constant, tense battle to come up with new products that reveal that much more about consumers. Each touts the breadth and uniqueness of its data. Where they overlap–and despite their rhetoric, they do overlap–speed and innovation are the advantages. “It’s a fast-followers game,” Webb says.

His mission: to use his operations and IT background, combined with financial industry expertise, to uncover new revenue for Equifax. Webb joined the company in 2010 from SVB Financial Group, a financial services company with $20 billion in assets, where he was CIO and later COO. While his bachelor’s degree in Russian may not help, his MBA certainly does.

“I am amazed at how few opportunities business identifies to mine data,” Webb says. “We have a responsibility to identify opportunities.”

Asked how far Equifax should go, Webb pauses. “The morality question is another whole discussion. But we have the technology to do this, and if it’s legal, we should.”

They are. Equifax cranked out 69 new products last year in risk management, identity verification, fraud detection, analytics and marketing. Equifax executives carefully measure innovation in revenue terms. An index called New Product Innovation (NPI) measures the revenue generated from products launched in the previous three years to see if they, combined, can bring in at least 10 percent of the company’s revenue in a given year. NPI revenue last year was $181 million, up from $176 million in 2010 and $134 million in 2009.

In another innovation program, the company removes 12-15 high-performers from various business units and support functions and sends them off together to brainstorm new products. They meet for three or four weeks, excused from their day jobs, to talk about how to target a need in a specific industry. Most of their ideas make it through the NPI process.

Two new products in development would help companies use analytics to avoid bad customers, says David Brooks, senior vice president of integrated data solutions at Equifax. In one, developers are building a model for banks that combines a person’s credit scores with his track record for paying utility bills. The results would indicate whether it’s worth the bank’s time to pursue the customer for delinquent credit card payments.

The other new product, nicknamed Suspicious ID internally, is a system for watching inquiries on credit reports in real time, to catch crime in the making. The rate of inquiries, along with other factors, would be scored according to fraud risk. “When fraudsters find something that works,” says Keith Manthey, the company’s vice president of integrated data solutions, “they share it and use it quick.”

Breaking IT Traditions

Webb has been stepping up Equifax’s analytics and collaboration capabilities, buying a business intelligence tools company and a workflow software vendor last year. The company has spent $1.7 billion in the past five years acquiring data-collection and technology companies. It’s a long way from the paper ledgers the company kept through the first 50 of its 113 years in existence. If the useful life of data is two to 15 years, as Equifax says in its latest annual report, Webb wants to make the most of that time. He has set loose his 1,000-member IT group to attack big data, and they’ve come back with technology innovations that create competitive advantage, he says.

The way Equifax’s data is stored and retrieved, for example, bucks tradition. Historically, companies with enormous amounts of data build giant warehouses, often running on massively parallel processing systems. The hardware is expensive, and the architecture of a relational database inhibits queries of unstructured data, Brooks says.

Instead, Equifax views the work as content delivery, rather than query processing. Data is spread across a grid of low-cost servers. IT developed proprietary distributed indexing technology to find information.

“Since our data sizes, transaction inquiry volumes and response-time requirements are all very challenging, we have to be careful about blindly following an industry-standard approach,” Brooks says. “That can drive large and complex infrastructure demands that may not be necessary if you step back and think differently about the problem.”

The IT group also tosses aside another worn idea. Where master data management projects seek the fabled single version of the truth, Brooks says there’s no such thing. Equifax data gurus certainly spend time de-duplicating and cleansing data they integrate from public and private sources, but they’ve stopped fretting about finding and storing one definitive view of a consumer. Context is more important. “The reality is, they’re all right. Now we think of observations more than truth,” he says.

Webb encourages creativity in IT, saying the best results come from people who feel challenged. “You know who in your organization wants to learn. Let them have the reins,” he says. “Set out the problem and get out of the way.”

Mining You

One common way to uncover insights is to mix and match data sets, looking for correlations. Do the credit limits on the department store charge cards of single women indicate anything about their propensity to lease cars? Such blue-sky dabbling might produce useful results for marketers. For example, Equifax’s rival Experian recently discovered that adults who use social media are more likely than other Internet users to visit Starbucks. Starbucks–or its coffee competitors–may want to step up its ad buys on Facebook.

At Equifax, insights also come from an executive brain spark. Last spring, Webb’s imagination was caught by a CNN story about a $500,000 credit card fraud. According to federal investigators, two brothers conspired with an employee at a Beverly Hills dentist office to create hundreds of fake people who looked real on paper. They made up names, Social Security numbers and other personal data to generate “synthetic” individuals to whom the insider could pretend to give loans for dental work. The insider then reported the loans and false payments to Experian, to establish credit histories under names such as Garnik Dumanov and Grisha Stpanov.

For more than a year, the trio got credit cards under these and other false identities from Bank of America, Wells Fargo and 19 other banks, which approved them after seeing good credit scores. DirecTV and several cell phone providers approved accounts. Car dealerships approved loans for an Audi Q7 and a Lexus IS 250.

Webb emailed Brooks: Could we catch scams like this?

Brooks, Manthey and other colleagues looked up more details about the crime and pulled internal data beyond just credit reports from across Equifax’s wide assortment of records. Then they began testing new ways to analyze the information in an effort to produce the outcome they already knew to be true–that Stpanov, for example, couldn’t be real.

Typically, someone with valid identity information will show up in other files, even if he doesn’t have credit, by paying a phone bill, for example, or subscribing to a magazine. Manthey says the Equifax data showed that the synthetic individuals “obtained lines of credit, then vaporized.”

“A normal person would have a footprint in many areas,” Brooks adds. “Our 360-degree view lets us not be fooled.”

This kind of reverse analytics, spurred by Webb, ultimately resulted in new fraud-detection tools for Equifax’s security team to use with clients.

The fraudster brothers, meanwhile, are in federal prison and the dentist’s office insider is on probation.

Beyond Financial Reporting

The way Webb sees it, new regulations for the mortgage industry hand Equifax another opportunity. The Dodd-Frank Wall Street Reform and Consumer Protection Act, enacted in 2010, holds financial institutions more accountable for bad loans. Equifax quickly launched Undisclosed Debt Monitoring, an always-on service that monitors a borrower’s major spending during the time between getting approved for a mortgage and the closing date. Taking out a car loan after you’ve been approved for a mortgage, for example, can change your risk profile, possibly putting you outside the bank’s threshold for the mortgage deal.

Assessing the mortgage crisis, financial experts realized simple credit scores don’t provide enough information for banks deciding whether to approve a big loan, Webb says. “We identified gaps in their knowledge.”

Equifax can mold its technology into revenue-generating products to suit very different circumstances. Real-time identity verification, for example, can help a telecommunications company avoid fraud. Equifax can confirm for us that Elaine Quinn is who she says she is and pays her cell phone bills on time. We’ll sell to her.

That same telco can also buy marketing services from Equifax, to build on the basic identity product. Equifax can tell us that Elaine Quinn has a high wealth score, a history of big spending in the summertime and is active on social media. Let’s upsell her to our most expensive mobile phone and offer a discount on her data plan if she later gets two social-media friends to sign on with us.

Upselling is most effective in the moment when a customer is interacting with a company. Sending a pamphlet in the mail weeks later or even an email a few days later is far less effective, Webb says. Real-time identity verification and “decisioning” services let retailers, telecom companies and other organizations strike while the customer is standing there. And not with generic offers, but with ones tailored to that kind of customer.

“To the extent we can know who you are when you’re doing a transaction, that’s highly valuable,” he says.

Equifax has extended far beyond the financial realm, and way beyond being a credit bureau. Patients and medical staff who need to prove their identities online to hospitals can use the company’s authentication technology, which presents questions whose answers should be known only by the individual. “Which of the following streets did you live on: Greenlawn Ave., Baldwin Rd., Elmcrest Dr. or Mead St.?” Last year, Equifax started helping the Department of Homeland Security and U.S. Citizenship and Immigration Services check the employment eligibility of immigrants.

What’s Next?

The question now is where, or perhaps even whether, this will end. Some privacy advocates worry that U.S. companies can find out too much about private citizens in the name of corporate profits. But even if Congress passes stricter laws, the privacy debate will never disappear, says Pew’s Rainie. That’s in part because an individual’s decision to reveal personal data “is highly contextual and conditional,” he says, depending on what they receive in return for disclosure. But that, too, can change over time. “People in different stages of life sometimes have different calculations about this.”

Technology is another unpredictable force. Future IT capabilities will enable unforeseen uses of data. Companies, to remain competitive, must stay ahead of these trends, says Outsell’s Mason, but follow a steady internal compass.

“Executives must bring to the table a sense of ethics around information, as well as knowledge of the laws and regulations,” Mason says.

“The challenge that any credit bureau faces is balancing the potential for revenue with offering services and data that, while completely legal, seem to cross the line between what’s right for the bottom line and what’s clearly wrong for consumers,” adds Ulzheimer, the credit consultant. He says credit bureaus have made consumer-friendly choices, so far, such as not permanently reporting negative credit events like bankruptcies.

At Equifax, CIO Webb emphasizes how solemnly the company regards its duty to follow the laws and regulations that rule how it can use information. “We have very strong governance and controls around how data gets consumed,” he says. “We are trusted stewards of data and have a responsibility to protect it.”