Credit Referencing Agencies - are they a necessary evil?


(Dawn Trespass) #23

My take on this whole thing is they are a necessary evil but if you practice good credit management then you shouldn’t hit problems. The main issue is the chain reaction and stopping it once you’ve had a bad default.
Join something like Martin Lewis’ credit club… It shows a list of credit cards and how likely you are to get them plus your Experian credit score. The councils are getting in on the action and selling social rent payment history to them. Of course the council say you have a choice but make it clear that if you don’t allow them to sell your data it could affect your credit status. It can turn good for you if you pay your rent on time though.


(Kevyn) #24

I’m sure if they use a fake passport number they will get caught out, or be asked for further information at least, when the bank cross checks the passport number with HM Passport Office through the Passport Validation Service.


#25

Councils (or Housing Associations) do not sell rent payment history to CRA.

Experian has Rental Exchange which offers LA/HA access to information back for sharing rental information. Experian don’t pay for it, the LA/HA doesn’t receive income from it.


(Andre Borie) #26

Does this service only work with UK passports or with all passports?

What if we’re talking about a foreign ID instead of passport - would it be any different? I know many online banks (including Monzo) allow you to use ID instead of passport to verify your identity.


#27

The PVS is only for validating UK passports. A friend was recently told that their Canadian passport could not be validated by a Post Office.


(Andre Borie) #28

In this case the passport validation can be foiled easily - in my above scenario you just need to make sure the fake passport pretends to be from a foreign country and job done.


#29

Apparently some banks do further checks when using (foreign) ID documents to open a bank account: When I opened my NatWest account it took them almost a week to verify my ID. When I queried why, I was told that since I had used my ID, rather than my passport, they had to get in touch with the embassy, to confirm authenticity.

Suffice it to say that I was extremely surprised (to the extent where I struggle to believe it). Both with NatWest and my embassy…


#30

Sorry to bump this thread, but it seemed like the best place to post this (@alexs / @Rat_au_van do move if it’s misplaced!)

Does anyone know how credit reference agencies (CRAs) work commercially? Do banks pay them for access to their data, or are they paid to provide data to the CRAs? Or both? Or neither? :thinking:

I was musing about this the other day - personal data is collected and processed by the CRAs under the “legitimate interest” clause of GDPR. Presumably the CRAs will be making a profit somewhere (through the effective monetisation of personal data?) so I was interested in how the cash flows, in what direction and how… Interestingly, I couldn’t work out who would pay whom, so I thought someone on here might know / have a view…?


#31

I don’t think CRAs pay Banks to get the raw data, but I think Banks etc. will pay for searches etc. But credit searches aren’t where the money is these days; it is more in identity verification and providing things like propensity to pay data.

I work in systems design where we use data from the likes of Experian or Transunion (previously Callcredit) depending on volumes financial data such as propensity to pay (which uses credit data and payment history) will be pennies, identification verification (similar to what Monzo use) will be a couple of pounds.

There are other interesting products that, as part of validation/fraud prevention, will look at how old email addresses are, phone numbers, device histories etc.


#32

What is propensity to pay? Is that the hard credit check?


(Starling Guru) #33

Credit referencing agencies are shit and the scores don’t mean anything IMO, proof can be shown below:

This is Experian direct

32

And this via the MSE portal that is also Experian

Why the difference, who knows… oh wait I know, it’s to do with sales.

Anyway only thing they are good for is seeing what you have and if anyone had attempted any dodgy stuff.


#34

Propensity to pay typically looks at what you owe and what you are likely to pay.

One of the ways I have used propensity to pay is in how to approach rent arrears.

Example: my tenant owes me £2k, I check the propensity to pay and that suggests the tenant is in real financial distress, owes money everywhere and is not making payments.

I have another tenant that owes me £2k. On checking their propensity to pay that indicates they have lots of available credit, miss no payments…

The conversation I have with the latter is very different to the former. The former I will look to sort out the arrears through longer term payment plan/benefit maximisation. The latter I will be saying “what the hell, don’t take the whatever pay me not your Credit as I am your priority debt not them”.

Typically propensity to pay is returned as a category, rather than full details of a financial position. I don’t think this constitutes a hard search, but is more an aggregated position.


#35

Yeah the scores exist only for consumers. Credit score isn’t used by Banks or other institutions; they get the data then score card it themselves, those numbers are an irrelevance. Good marketing (well maybe not)


(Andre Borie) #36

It’s quite crazy that it is legal to be able to look up anyone’s finances. What happened to privacy? And how would you feel if someone just did that on you and posted the results online?

This feels so wrong to me tbh. I run a business and make sure to not take any risks (everything is paid in advance) but even if someone owed me debt I wouldn’t just be snooping around their finances.


#37

Well I can’t look up anyone’s finances. I can get information about people who have consented or I have a legitimate interest (contract) to understand someone’s circumstance. You couldn’t find out my propensity to pay (or other data points) unless you had authorised access to that information, as an employee/as an authorised user/whose organisation has contracted to get that information. If you did find out I would suggest you did it via a mischievous method :wink:.

If someone did post this information about me online I have recourse to that event happening and in any case if the above is followed that shouldn’t happen. I don’t say that dismissively; my credit past has been far from perfect/a disaster area.

I suggest we are talking about different businesses, you may do distinct packets of work which are payable for and that you can have milestones to prevent you being out of pocket. If I am a Housing organisation I am providing a tenant free use and access of my asset to use as their home. If they stop paying their rent it will cost me thousands to evict them and I will invite rent loss and if a social housing tenancy it is very unlikely that I have a deposit to make up that loss. I can’t limit my losses easily, the only time I stop those losses is via eviction.

I do not suggest this is a perfect one size fits all process. For some organisations this would be too much, and for some having to use this data would constitute a failure of good practice to limit debt. However what I will say is that in a good proportion of uses this data has been fundamental in the decision to work with a tenant to keep them in property.


(Andre Borie) #38

> I can get information about people who have consented or I have a legitimate interest (contract) to understand someone’s circumstance

But what authenticates that, realistically speaking? Is it just a matter of saying “I swear not to do nefarious things”, or is it actual authentication like your client giving you a password/key that allows you to do searches on their file?

If it’s the former I’m afraid it doesn’t count. Fraudsters and identity thieves already know what they’re doing is illegal and it isn’t stopping them, so instructions about only requesting credit reports from people that consented to it are just as pointless. If the data is available, they will get it.

> If someone did post this information about me online I have recourse to that event happening

How? If even huge companies like Adobe or LinkedIn that got breached can’t get their password databases removed from the internet, how are you gonna manage to do it?

> if the above is followed that shouldn’t happen

Good thing that you yourself recognise the above “security” is meaningless.

I would have less issues if at least the credit bureaus allowed the data subject to securely control who has a right to read/write that data. It could be as simple as a “credit” ID card, where when applying for credit you have to bring this smart card with you and insert it into the lender’s reader, which then signs the lender’s request to access your data and write to your report. Fraud & identity theft will be reduced to pretty much zero because there is no longer a way to request a report based on just a name & address.


#39

An Organisation needs to have a contract with a CRA to get this data. The agreement typically has to go through due process at the CRA so they can demonstrate that the use of that data has a legitimate use. For example if I tried getting access to this data and I am selling you a one off widget for 99p I am unlikely to have legitimate interest as my risk of loss is tiny and doesn’t warrant use of data in this way.

Then typically, via API, a Housing Management system may make a call for this information; when certain triggers are hit, a call for that data will be made. That data will then be visible to a user with the appropriate permissions for that system.

I am not here to consider every possible point of failure in this potential process. If you want to do that I am happy to do so; I can provide my day rate :wink:.

Realistically business is done on trust. You trust Apple or Google or whoever to do the right thing by you by organisational and technological means. You trust Monzo to look after your money appropriately for you, that may mean understanding every component of their infrastructure and build. I trust Monzo from their approach and style, and that comfort that they are capable people to run a Bank because they have a Banking license.

By recourse I meant provisions in law such as GDPR, slander etc. Appreciate you will say “that’s after the fact” but that comes back to trust.


(Andre Borie) #40

> I tried getting access to this data and I am selling you a one off widget for 99p I am unlikely to have legitimate interest as my risk of loss is tiny and doesn’t warrant use of data in this way.

My question is not what the contract says. My question is whether there’s any technical measure preventing you from inputting anyone’s name/address/DOB and getting a credit report. Contracts only keep honest people honest, and I’m not talking about those in this case. :wink:

> Realistically business is done on trust. You trust Apple or Google or whoever to do the right thing by you by organisational and technological means. You trust Monzo to look after your money appropriately for you, that may mean understanding every component of their infrastructure and build. I trust Monzo from their approach and style, and that comfort that they are capable people to run a Bank because they have a Banking license.

Well, I trust Apple, Google and Monzo because they at least have some concern for user data and earned that trust. I can’t say the same about most clients of credit bureaus. Actually I can’t even say the same about the credit bureaus themselves, see Equifax for an example. :joy:


#41

Typically you can only call the data for those who have an active account.

So on a Housing system (some will differ) there’d be a need to:

  1. Create a person
  2. Create a property
  3. Create an agreement
  4. Create an account
  5. Create a charge

These would typically be a separation of responsibility but anyone with system administration permissions could do that.

Personally I’d apply some conditions as well to say the account has to be in arrears for x period for y time. This would help as a control mechanism as this would require several debit transactions which if someone had set up a rogue property and linked account would identify.

Possibly in terms of the escalation process for the account I would have a control that only once the account had been reviewed by someone else could the data be called. Thus applying some separation of duty, but that would probably be so excessive.

I have known some geographical constraints, that is, I can only ask for data from certain post codes; that would be complicated by a Housing organisation being national.

I have not known the example we are discussing here be a simple name and address search via a website. It may exist. Personally I wouldn’t touch that with anything as it could introduce a risk of fraud/snooping and that wouldn’t be acceptable.

Contracts are for honest people. Controls are there to stop bad stuff but controls need to be reasonable to the information being gained and what use that could be.

In this example I am using, I at no point see any raw financial data; all I get back is an indicator 1-5, A-E, Excellent to Poor etc etc.


(Andre Borie) #42

> So on a Housing system (some will differ) there’d be a need to…

They’d just need to have administrative access to the server hosting the system, which could happen for a ton of reasons, both legitimate and not legitimate.

> I have not known the example we are discussing here be a simple name and address search via a website. It may exist.

Well it doesn’t exist because nobody will set up an account with a CRA, pay for it and open it to everyone for free. What does exist however is if someone already has privileged access to a system that interacts with a CRA and silently uses it to do their own illegitimate queries. The malicious queries will be lost in the noise of legitimate ones and fly under the radar (if there is a “radar” to begin with).

This is why I’m saying that the control as to who gets access to a person’s record should be with them - simple access to a CRA should not allow you to get data on anyone. You should need both CRA access and a (cryptographically signed) authorisation from the data subject.
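
Added example (not part of the thread, and not any CRA's real API): a sketch of the two-factor gate discussed in posts #38 to #42, where a lookup is released only when the caller presents both its CRA credential and an authorisation from the data subject that is bound to that caller, a purpose, an expiry and a single-use nonce. Assumptions: all names, IDs and keys are hypothetical, and HMAC-SHA256 with a per-subject key shared between card and CRA stands in for the signature, since Python's standard library has no asymmetric signing; an asymmetric signature would additionally stop the CRA itself from minting authorisations.

```python
import hashlib
import hmac
import json

# Constructed sample data: every ID and key here is made up for illustration.
CLIENT_KEYS = {"housing-org-1": "api-key-123", "lender-2": "api-key-456"}
SUBJECT_KEYS = {"subject-42": b"card-secret-42"}  # same key sits on the subject's card
_used_nonces = set()

def _tag(key, fields):
    # MAC over a canonical encoding so both sides hash identical bytes.
    msg = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def card_authorise(card_key, subject_id, client_id, purpose, nonce, expires):
    """Card side: approve one lookup by one named client for one purpose."""
    fields = {"subject_id": subject_id, "client_id": client_id,
              "purpose": purpose, "nonce": nonce, "expires": expires}
    return {**fields, "tag": _tag(card_key, fields)}

def cra_lookup(client_id, api_key, auth, now):
    """CRA side: release data only if BOTH credentials check out."""
    known = CLIENT_KEYS.get(client_id)
    if known is None or not hmac.compare_digest(known, api_key):
        return False, "unknown client"
    if not auth:
        return False, "no subject authorisation"
    key = SUBJECT_KEYS.get(auth.get("subject_id"))
    if key is None:
        return False, "unknown subject"
    fields = {k: v for k, v in auth.items() if k != "tag"}
    if not hmac.compare_digest(_tag(key, fields), str(auth.get("tag"))):
        return False, "bad authorisation tag"
    if fields.get("client_id") != client_id:
        return False, "authorisation issued to another client"
    if fields.get("expires", 0) < now:
        return False, "authorisation expired"
    if fields.get("nonce") in _used_nonces:
        return False, "authorisation replayed"
    _used_nonces.add(fields.get("nonce"))
    return True, "ok"  # a real service would now return the indicator

if __name__ == "__main__":
    card = SUBJECT_KEYS["subject-42"]
    ok = card_authorise(card, "subject-42", "housing-org-1", "rent-arrears", "n-1", 2000)
    print(cra_lookup("housing-org-1", "api-key-123", ok, now=1000))    # allowed
    print(cra_lookup("housing-org-1", "api-key-123", ok, now=1000))    # replay refused
    print(cra_lookup("housing-org-1", "api-key-123", None, now=1000))  # CRA access alone refused
```

Logging each refusal reason alongside the client ID also gives the CRA the "radar" post #42 asks about: a client that repeatedly queries without a valid subject authorisation stands out instead of blending into legitimate traffic.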