Letter to FTC re: Equifax sales of consumer info to predatory lenders
In 2012, the US Federal Trade Commission brought a remarkable case against Equifax for selling consumer financial information — which included credit scores and late mortgage payment information– to companies offering services to consumers in financial distress. (See In the Matter of Equifax Information Services LLC
FTC File No. 102 3252, <http://www.ftc.gov/os/caselist/1023252/130315equifaxcmpt.pdf>.)
or Read the WPF letter below
November 8, 2012
Federal Trade Commission
Office of the Secretary
Room H-113 (Annex D)
600 Pennsylvania Avenue, NW
Washington DC 20580
Re: Proposed Consent Agreement In the Matter of In the Matter of Equifax Information Services LLC, FTC File No. 102 3252;
Thank you for the opportunity to comment on the proposed consent decree, In the Matter of Equifax Information Services LLC. The consent decree appeared in the Federal Register at 77 Federal Register 63833 (October 17, 2012), http://www.ftc.gov/os/fedreg/2012/10/121017equifaxagreefrn.pdf.
The WPF is a non-profit public interest research group that focuses on privacy issues, including technology, finance, health, and other privacy topics. Our materials can be found at www.www.worldprivacyforum.org.
The consent decree and complaint against Equifax is one of two that the Commission filed relating to this matter. The other consent decree was against Direct Lending Source, Inc. and others. Taken together, the consent decrees describe significant and egregious violations of the Fair Credit Reporting Act by Equifax and Direct Lending LLC that in the Commission’s own words, substantially harmed consumers.
The documents in these cases show that for a period of two years, Equifax sold the names of consumers who were late on their mortgages to businesses that used that information to market financially damaging and in some cases outright fraudulent products and services to these consumers.  These lists of consumers that Equifax sold then made their way through an underbelly of shady data brokers as the lists were sold and resold, often to companies under investigation by law enforcement.  According to the Commission, more than 17,000 lists containing information about millions of consumers were sold. The complaints state that some consumers lost their homes due to the sales of the Equifax lists, and that more than 1,500 consumers were charged up-front fees of $1,000 to $5,000 in debt-relief scam operations, also resulting from the list sales. 
According to Commission documents, Equifax had reason to know that the sales of the lists were not going to be used in compliance with the law.
The FTC documents do not describe a one-time, stray, accidental violation by just one or two employees. The complaints describe a violation that went on for two years. The complaint against Equifax notes this when it states, “Given Direct Lending’s failures, Equifax had reason to believe that the entities to whom its prescreened lists were being sold did not have a permissible purpose for obtaining the lists. Nonetheless, Equifax continued to sell prescreened lists to Direct Lending.”
The scope of the consent decree does not match the nature of the harm to consumers in this case. This case affords the Commission a notch on its gun, but it does not do much to help aggrieved consumers who lost their homes and paid thousands of dollars to scam operations.
The FTC complaint explains that the thousands of lists that were improperly sold are now largely untraceable because they had presumably been spread too far and wide. The Commission’s complaint against Direct Lending states, “In some cases, Defendants sold the prescreened lists at issue to list brokers and others, which in turn resold the lists to unidentified downstream entities. In these instances, Defendants cannot identify the entity or individual that ultimately obtained the list. Defendants did not identify to Equifax the end-user of these consumer reports.” The picture painted here is one of significant mishandling of consumer data.
WPF is especially concerned about continuing practices and consumer harms in this case. The deleterious consumer impacts of the improper “mortgage lates” list sales by Equifax the FTC described may not have run its course, as it is probable that the old lists are still being circulated downstream. Other new sales may still be continuing. To check on the status of the Equifax lists, we searched for Equifax lists of 30, 60, and 90-day mortgage “lates.” We note for the record that Equifax lists of 30, 60, and 90+ day mortgage “lates” are still for sale online today.  With relative ease, we found a Nextmark Equifax “lates” list for sale. The data card for the list states options to modify their mortgage or stop foreclosures, and that, in some instances, homeowners realized they had been scammed too late to avoid the loss of their home.” (p.6) that it turns around the data in 24 to 48 hours, which is a very rapid turnaround, as noted on the card. The data card for the list we found is attached at the end of this letter. We request that the data card attached to this letter be entered into the public record along with this letter.
WPF remains concerned that the late–mortgage-payers lists in current circulation from Equifax may either be the outcropping of the old lists, or a new list that is just as problematic as the lists the proposed consent decree describes. Are the same practices continuing with new lists, even as the old lists may still be in circulation and in use? WPF is happy to see Commission action here, but the job seems incomplete based on what we can see from the outside.
Nothing in the consent decree requires an independent review of the sale of these lists, an audit of the use of the lists, or an investigation of the purchasers of the lists to determine if they have previously engaged in questionable activities or that they will engage in lawful activities. The guts of the consent decree merely require Equifax to comply with a law that the company is already subject to and that the company has according to the Commission’s own complaint ignored. Equifax already knows that the cost of violating a consent decree entered into with the Commission is trivial. In United States of America (for the Federal Trade Commission v. Equifax Credit Information Services, Inc., Civil Action No. 1:00-CV-0087-MHS (Northern District of Georgia, Atlanta Division), the cost to Equifax of violating a consent decree was an insignificant $250,000. See http://www.ftc.gov/opa/2003/07/equifax.shtm. We observe that Equifax’s operating income for the most recent quarter was more than $132 million dollars.
Because we are still finding “mortgage lates” lists from Equifax for sale that match those same lists discussed in the consent decree, because of the scale of the harm, (consumers losing their homes) and because public trust in regulated entities is crucial, we believe it is important for the Commission to document in much more detail the facts of the case for the public. This includes documenting with more specificity the number of consumers affected and the appropriateness of the amount of the $392,803 penalty that Equifax has been asked to pay. The Commission has stated that the fine is related to the amount of revenue made from the list sales.  But the consent decree and the complaint both lack many specific factual details, making proper analysis impossible.
We would like to know, for example, exactly how many consumers were affected by the improper sale of lists? (How many millions?) The Equifax data card that we found notes many millions of consumers names are being sold. We are also interested in finding out how many consumers are known to have been adversely affected by the improper sale of lists, and what losses did consumers incur as a result of the improper sale of lists? Is there a dollar figure for the consumer losses? If the effects on consumers of these lists sales are not known, then maybe this investigation should not be closed with a token fine.
We are also very interested in seeing copies of the original Equifax data cards and scripts for the sale of this information so a comparison can be made between the old and the new data cards. Why wasn’t this information made available with the complaint or the consent decree?
We respectfully request the answers to the following specific questions in relationship to this consent decree:
- Does the Commission have a copy of the original Equifax data card? Can it be put in the public record?
- Have the consumers whose names were on the lists been offered one year of free Equifax credit monitoring to mitigate the negative impacts of the list sales?
- Has Equifax taken affirmative steps to remove all of the old data cards and lists from rotation?
- What is being done to contact the consumers on the list and repair the harm? We know from press reports that Equifax has contacted customers regarding this matter,  but what has the company done to specifically repair the damage to consumers, especially those who lost their homes?
- How many consumers were known to be adversely affected by the improper sale of lists? “Millions” is an insufficient and non-specific fact.
- How much did consumers lose as a result of the improper sale of lists?
- Does the $392,803 fine represent the amount of revenue that Equifax collected from thesale of or just the profit from the sale of lists?
- How precisely was the $392,803 figure determined? It would be most helpful if the Commission would show the calculation that achieved that result.
- Did the Commission include or exclude any elements of company overhead in its calculation? How many lists did Equifax sell improperly? Is the figure of more than 17,000 – which is noted in the press release and in the Direct Lending complaint — accurate? If so, can it be placed in the official Equifax documents filed with the court on the public record and not just included in a press release?
We recognize that some information in a case may legitimately be confidential business information. Nothing prevents the Commission, however, from explaining the number of lists that a company sold illegally, the number of consumers impacted, or the revenues earned illegally. Those figures are not proprietary.
We request that the Commission revise this consent decree to include more facts and to explain with more specificity how the amount of the payment was determined, how many consumers were impacted, and what Equifax is specifically doing to affirmatively mitigate the harm it caused by its actions, including consumer redress and retraction of the lists in question. We reiterate that we have substantial concerns that consumer lists detailing late mortgage payments are still being sold, and we reiterate our question that these lists will be genuinely used for firm offers of credit. There are many of unanswered questions here and many unaddressed concerns. What hangs in the balance is the potential for additional serious consumer harm from predatory lending offers and sketchy debt relief marketing efforts.
World Privacy Forum
 See US v. Direct Lending Source, Bailey and Associates Advertising, et al: “For example, Defendants sold over 2,400 lists to entities that target consumers in financial distress for loan modification, debt relief, and foreclosure relief services. Some of the lists were sold to entities with names such as: “Save Me From Foreclosure,” “SOS Modification,” “Stop Your Lender,” “Virginia Foreclosure Prevention,” “Making Homes Affordable,” “Fight Your Credit Co.,” and “Debt Regret.” (p.5) The complaint also stated: “According to the California Attorney General, Mason Capital charged more than 1,500 homeowners up-front fees ranging from $1,000 to $5,000 and promised to obtain a loan modification from the consumer’s lender. As alleged in the criminal complaint, in almost every case, no loan modification was completed as promised. The Attorney General further charged that homeowners were lured by misrepresentations contained in the solicitations and dissuaded from timely pursuing other legitimate <http://www.ftc.gov/os/caselist/1023000/121010directlendingcmpt.pdf >.
 The FTC complaint against Equifax states: “Equifax’s failure to employ reasonable and appropriate measures to control access to the sensitive consumer financial information it maintains and sells for prescreening services resulted in prescreened lists being sold to a number of entities that were ultimately the subject of actions or warnings by law enforcement. Equifax’s lack of reasonable procedures caused or is likely to cause substantial consumer injury that is not reasonably avoidable by consumers and is not outweighed by benefits to consumers or competition.” <http://www.ftc.gov/os/caselist/1023252/index.shtm>.
 See http://lists nextmark.com/market?page=order/online/datacard&id=244684, a screen copy of the page as seen Oct. 31, 2012 is available at the end of this letter.
 The Commission’s press release of October 10, 2010, FTC Settlements Require Equifax to Forfeit Money Made by Allegedly Improperly Selling Information about Millions of Consumers Who Were Late on Their Mortgages http://www ftc.gov/opa/2012/10/equifaxdirect.shtm. From this we learn that the number of impacted consumers numbers in the millions, although we do not have a specific number. The press release also implies that the amount that Equifax will pay is the money made from the improper sale of lists.
 A spokesperson from Equifax was quoted as saying “We discontinued all business activities with Direct Lending and any of its affiliates the summer of 2011. We also formally notified all of our customers at the time that we had ceased doing business with them and any of their affiliates, and that was formal notification by direct mail as well as email.” Human Resources Journal, http://www.humanresourcesjournal.com/2012/10/equifax-accused-of-fail…-to- safeguard-sensitive-consumer-data-settle-complaints-for-393000/.