Statement for the Record
Conference of State Bank Supervisors
to the Senate Banking, Housing and Urban Affairs Hearing
"Overview of the Credit Bureaus and the Fair Credit Reporting Act"
July 12, 2018

The Conference of State Bank Supervisors (CSBS) is the nationwide organization of banking and financial regulators from all 50 states, American Samoa, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands. The mission of CSBS is to support the leadership role of state banking supervisors in advancing the state banking system; ensuring safety and soundness; promoting economic growth and consumer protection; and fostering innovative state regulation of the financial services industry.

State regulators charter and supervise 79 percent of all banks in the United States. In addition, state regulators license and supervise a variety of non-bank financial services providers, including fintech, mortgage lending, money transmission, and consumer finance. CSBS, on behalf of state regulators, also operates the Nationwide Multistate Licensing System (NMLS) to license and register those engaged in mortgage, money transmission, and other non-bank financial services industries.

CSBS appreciates the opportunity to submit this statement for the record on recent efforts by state regulators related to credit bureaus. The recent special multi-state examination demonstrates the responsiveness of the state financial regulatory system working together to protect confidential personal information.

Consent Order with Equifax

On June 25, 2018, state financial regulatory agencies entered into a Consent Order with Equifax Inc., requiring the company to take specific action to protect confidential consumer information in the wake of an extensive security breach last year. Equifax, one of the country’s three major credit reporting agencies, disclosed in September 2017, that a vulnerability in one of its websites was exploited by criminal hackers in May 2017 to gain access to the personal information of an estimated 146 million U.S. consumers. Data accessed through this cybercrime event included individual customer names, Social Security numbers, birth dates, addresses, and related personally identifiable information.

In response to this breach, an examination team composed of state financial regulators from Alabama, California, Georgia, Maine, Massachusetts, New York, North Carolina, and Texas initiated a multi-state examination of the company in November 2017 to evaluate the company’s information security and cybersecurity controls. The states’ examination evaluated the company’s cybersecurity, internal audit, risk management and controls.

In the Consent Order, Equifax agreed to improve how it protects personally identifiable information. The company will undertake a restructuring of its risk management processes, strengthening of internal controls and processes, and enhanced oversight by the Board of Directors on the information security program. The corrective actions will apply to Equifax’s operations nationwide. Compliance with the consent order will be subject to regulator approval and follow-up reports are required from the company. Additionally, the consent order preserves the right of individual states to bring additional actions.

The order requires the Equifax Board and/or Management to:

• Review and approve a written information security risk assessment.
• Improve the oversight of their audit function by establishing a formal and documented internal audit program that effectively evaluates IT controls.
• Approve a consolidated written Information Security Program and review and an annual report on the adequacy of that program.
• The Board must enhance its oversight of the company’s information security program.
• Improve oversight of critical vendors consistent with the guidance from the Federal Financial Institutions Examination Council’s (FFIEC) “Outsourcing Technology Services IT Examination Handbook” and in the “Payment Card Industry Data Security Standards.”
• Improve standards and controls for supporting the patch management function and implement an effective patch management program to reduce the number of unpatched systems and instances of extended patching time frames.
• Enhance oversight of disaster recovery and business continuity.
• Submit a list of all remediation projects planned or in process in response to the 2017 breach to the Multi-state Regulatory Agencies.
• Require an independent third party to validate all such remediation projects and provide notice to the Multi-state Regulatory Agencies.
• Provide progress reports on a quarterly basis to the Multi-state Regulatory Agencies.

As part of required ongoing supervision, the company is required to file written reports with state bank regulators detailing progress with the various provisions of the order on a quarterly basis, and quarterly written progress report submissions will continue until the regulators release the provision.

Amendment to Bank Service Company Act

Moving forward, CSBS encourages enactment of H.R 3626, the Bank Service Company Examination Coordination Act. This legislation will enhance state and federal regulators’ ability to coordinate examinations of and share information on banks’ technology vendors in an effective and efficient manner. Banks partner with third-party technology service providers (TSPs) to outsource a wide variety of critical banking services. The Bank Service Company Act (BSCA) authorizes federal regulators to examine TSPs to assess the potential risks they pose to individual client banks and the broader banking system. Currently, 38 states have similar authority under state law. The BSCA is silent regarding authorities and/or roles of state banking regulators, limiting the ability of federal and state regulators to share information on TSPs.

Amending the BSCA to appropriately reflect states’ authority to examine TSPs will improve state-federal coordination and information sharing and promote more efficient supervision of TSPs that provide critical services to a broad range of banks.

We look forward to working to with the Committee on these issues, another other issues vital to the financial services industry.