Credit Referencing Agencies - are they a necessary evil?

1. This isn’t accessing anything beyond an indicator. Doesn’t tell me anything about where accounts are, how is owed etc. It is reasonably ambiguous. If l found out you were a ‘C’ okay l can guess you owe money (l am sure you are not a Civica) don’t know where to, actually here l don’t care you owe money are where to. If l wanted access to more useful data about you there are better ways that using my example. Going through your bins will probably be more insightful that pursuing this example to death.

2. Yes there probably is more controls that are more robust but there’s a cost of implementing them, of managing them. How would a tenant authorise this, what additional infrastructure do l have to put in. If l was getting your health records, if l was finding out your entire financial life at line by line detail. But l am not.

There’s a great word that applies here ‘appropriate’ existed in DPA made it into GDPR and all the technology and organisational measure will be tested by that. I won’t invest a million pounds to protect something that has little usefulness or value.

This isn’t accessing anything beyond an indicator. Doesn’t tell me anything about where accounts are, how is owed etc. It is reasonably ambiguous

Are you sure? The UI is giving you that, but I would bet good money the CRA’s API itself is returning the raw report (given that every lender has to be able to run their own custom scoring algorithm), so someone with administrative access to the system will be able to see full reports.

How would a tenant authorise this

Same way you authorise someone to access your Facebook/Instagram/Twitter account? Get a link by email from the CRA saying “Mr Landlord would like to do the following: read/write access to your credit report - allow/deny?”. Only when they click allow access your company’s system is notified and can now request a report (or directly get the originally requested report in the notification webhook).

Am absolutely sure. Am just checking the API document from the CRA l worked with on this project. I get a value back 1-5 or an error code.

Similarly on other APIs they provide for identity it’s a Pass/Fail/Refer response.

Where do l send my request

Am absolutely sure. Am just checking the API document from the CRA l worked with on this project. I get a value back 1-5 or an error code.

Presumably you’re on a less pricey API or maybe they don’t offer this kind of access to small businesses.

But there’s no denying that some companies (banks, and potentially shitty companies like telcos) have access to the full data so they can run their own custom scoring algorithms on it, and so this data can leak.

This does not invalidate my point about authentication either. Even with your API described above you still don’t have to provide any actual proof that the customer agreed to the credit check.

Where do l send my request

Send me your name, address and DOB first so I can run KYC and a credit check.

Whenever anyone does a credit check on you, they’ll leave a “soft footprint” so you’ll know that has happened.

And these companies will need your explicit permission in order to credit check you - they can’t just put in any name/ addesss to search anyone they like without the persons permission.

When you engage services providers like lenders, housing letting agency, telco etc and sign their T&C, you would have been consented to the credit check.

If you don’t want to be searched, then you won’t be able to use those services.

Now question is - whether if that’s really a choice because there’s no way of getting these services without being subject to a credit search, that’s an entirely different debate.

TL;DR
When you sign T&C, you’ve given the consent to be credit checked and reported to CRAs.

No one can randomly go and credit search anyone they like without obtaining permission.

The loop hole in this, is many T&C’s now take consent for them to allow trusted third parties to run soft checks ahead of offering you products/promotions.

I know they can’t search without your permission but I dislike the whole system. It’s dirty.

Defacto you can’t get by very well in 2018 without your credit file being searched. It’s searched for the most random reasons - I had to agree to a search to purchase a prescription on Boots (!) - so there really isn’t a choice in many scenarios.

Now, while I understand why some companies need to check your credit worthiness, I do not agree with the current system.

For one thing, with several credit agencies, I don’t always know which one is being used by which company. I do not understand why there is even more than one reference company. The data should, theoretically, remain the same on all three (which is the data a company gets, the score is just internal for your own use), so why not have one?

Additionally, without paying, you can’t always see absolutely everything that they hold and how up to date it all is. Yes, there are free options but as we have seen, they can equally show different information from the main website (I think above there was an Experian example). Which is correct?

Finally, I have found that, for example, my Experian data was incorrect in a few places. Most critically my addresses were not accurate and I could not update them - so any searches where you put your history in the form were not matching with my file. I have been in a constant back and forth with Experian for over 2 months for them to fix it, but they haven’t. They have given me compensation (£50 plus free membership for 2 months) but the point remains that had I not paid £14.99 I may never have known and my score would have been affected outside of my control.

I basically feel there should be ONE reference point, possibly even government owned/contracted - with complete and utter free access for all. It’s MY data. I didn’t create an account with any of them, and I have no choice in them being used and frankly need them for so much in life. Get rid of these stupid scores and have raw data available, with explicit consent for access needed and a valid justification for why a company needs access.

Bloody heck I can’t keep a database of email addresses at work without a clear and absolute reason for this under GDPR but Boots are free to check my entire life for what I can only assume is no reason? (I mean they already check with my doctor to release the prescription).

They offer a range of APIs for all the different services they offer. I guess that having many APIs and only providing those APIs for the activity contracted, means that they can control illegitimate use and keep purpose clear. If l only have the Identity verification service, the only thing l can ever get back is a response to the service… Pass/Fail/Refer.

I’m not a small business

I am very sure that some businesses do use APIs to get full credit history. I never used it. Wouldn’t understand how that would work as isn’t something in my line we would very little use for.

I agree with you that the CRA market is a bit broken.

There’s not enough firms out there to increase competitiveness, but the industry also cannot support too many firms because it’ll actually leads to the de-aggregation of data which is counter to what CRA is supposed too be doing.

And I totally agree with you that ideally there should be ONE reference point because if it’s going to be a monopoly, it should probably be a government agency or this private company will have too much power.

But it’s going to be difficult in the UK - even government agencies don’t share data with each other. HMRC don’t even talk to DWP or NHS, 1 person can sometimes have 2 NiNos, there’s no central database of addresses of everyone.

I think it’ll take forever for the government so set something up. With such circumstances, private companies will probably delivery more value for now.

Defacto you can’t get by very well in 2018 without your credit file being searched. It’s searched for the most random reasons - I had to agree to a search to purchase a prescription on Boots (!) - so there really isn’t a choice in many scenarios.

I’m not sure exactly if boots credit checked you. Are you sure it’s a credit check, or are they just verifying your identity with CRA?

CRA provides a hell loads of services e.g.

• identity verification
• fraud detection
• customer segmentation services
• credit checking

When we say ‘credit checking’, it refers to pulling out a summary of all your financial accounts to see if you’ve missed any payments/ defaulted/ current levels of debt etc. I don’t think Boots need that sort of data, and I don’t think CRA will permit boots to have access to that sort of data if there’s no legitimate use.

Only lenders will have access to that sort of granular data. I don’t think other agencies can have access to these data - CRA have very strict guidelines on data usage.

I have a feeling that ‘boots credit check’ is just identity verification…

But I agree that in today’s time, most to access essential services e.g. utilities, telco, loans, credit cards, bank accounts etc, you’ll have no choice but to be credit checked. But if you have nothing to hide (i.e. not a fraudster) there’s nothing to lose? If you pay your bills on time, it helps you build a good credit history which gives you access to cheap credit card, or mortgages at a good rate etc?

Finally, I have found that, for example, my Experian data was incorrect in a few places. Most critically my addresses were not accurate and I could not update them - so any searches where you put your history in the form were not matching with my file.

This I think is an industry wide problem. UK government doesn’t have a central database of address/ people of everyone in the UK. As such it’s super difficult to do KYC checks. And it’s only until recently that Royal Mail has a central database of all addresses in the UK standardised in a nice format (PAF). It’s going to take a while before addresses get’s mapped nicely to improve matching.

At the moment, CRAs just use things like addresses, DOB, name etc to try to trace someone’s movement and identity but because it’s dealing with text data, any spelling mistakes could be super messy.

I think this might be a problem that can be solved with an ‘identity card’ type system. We already have NiNo, but NiNo isn’t shared by different government agencies, and some people can also have 2 different NiNos for very weird reason.

Unlike in Sweden or Germany or the US where everyone has a social security number which they can use to register with commercial companies etc. It’s unlikely we’ll see NiNo being used in the same way in the UK to solve this ‘matching’ problem I think…

But you should always have the option to opt out of marketing and thus not be credit checked. If you disagree with the T&C, simply don’t use it?

Could you give an example of such companies where you have ‘no choice but to be credit checked’?

Sorry I should have mentioned I know it was an ID search but the point really is that it was unnecessary. It’s a prescription that is initially authorised by my doctor, processed through Boots who electronically await approval from my doctor. Once given I go into store and pick it up - - at that point, sure, ID me (they do to an extent with an address check) but there is no valid reason to check my ID when I order, given it’s a prescription already authorised by the health service.

And further to the point, even an ID check has to match what you say on your application. In my current situation actually the information on my file is incorrect and had the right parts been incorrect this check might have failed.

Furthermore, Monzo have for a while not been able to find my credit file due to things not matching. Again, I had to research this and make contact with relevant agencies to rectify.

I still feel that one system and absolutely only access when completely required should be the law. It’s too much information (even ID’ing) to be casual with.

Seems like you’re all avoiding the issue of authentication.

I don’t care how many T&Cs and contracts the lenders need to sign with the CRAs in order to be able to do those checks - paper only keeps honest people honest.

My problem its that there’s nothing technically stopping anyone with privileged access to the systems interfacing with the CRAs from entering my name/address/DOB and getting back my full report.

I mean, stealing and fraud is bad, right? Nobody is supposed to be doing it. Yet we still have PINs on our cards. Why not the same for CRAs?

I wouldn’t say an unnecessary evil well most of the time they aren’t, what does annoy people is when the wrong info is on people’s files and the person involved has to go about correcting it.

Interesting read.