The only newsletter that scans and analyzes the full breadth of regulatory developments every day. Written and curated by Rob Garver for SourceMedia.

9.8.17 - Thank God It’s Friday. Unless you happen to work in the Equifax public relations department.

When it comes to PR, about the best a credit reporting agency can hope for is that people don’t outright hate it. For members of the general public, interacting with them is like dealing with the cable company or going to the dentist. Everybody does it at some point, but never because they want to.

So it’s virtually never good news for a credit bureau when it’s name is in headlines, and that rule held true for Equifax on Friday morning, when the U.S. awoke to the news that the Atlanta-based company had admitted that a July data breach exposed vast amounts of personal information belonging to some 143 million consumers, including 209,000 credit card numbers.

The agency said that outside attackers were able to capture names, Social Security numbers, birth dates, addresses and driver’s-license numbers — a treasure trove of personal data for criminals seeking to commit identity theft or other kinds of financial fraud.

The Wall Street Journal put the scale of the breach in historical context this way: “The size of the hack is second only to the pair of attacks on Yahoo disclosed last year that affected the information of as many as 1.5 billion customers. It also involves nearly twice the number affected by one of the highest-profile breaches at a financial firm, the cyberattack at J.P. Morgan Chase & Co. about three years ago.”

That, all by itself, is a disaster for the company. But it isn’t even close to the end of the story.

The most glaring fact outstanding in reports about the breach is that the company has known about it since July 29. In a statement issued Thursday night it said, “Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017,” adding, “The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.”

On its Twitter account, the company wrote: “We recently discovered a cybersecurity incident involving consumer information. Once discovered, we acted immediately to stop the intrusion. We apologize to our consumers and business customers for the concern and frustration this causes.”

It offered no explanation for the 10-week delay in letting the victims of the breach know that their personal information was in the hands of hackers.

At a minimum, one would assume that given that much lead time, Equifax would have prepared an airtight response -- setting up a system to inform and assist consumers affected by the breach. But the company did not.

In brutal detail, Bloomberg’s Polly Mosendz on Friday morning detailed a system in which call center operators were unable to provide even basic information and a website setup to assist victims was laden with its own problems. In addition to requesting that consumers enter the same sort of personal data that was stolen in the first place, it used a CAPTCHA system that malfunctioned, making access impossible for some consumers.

At this point, readers might be saying to themselves, “Wow! Could this possibly get any worse?”

Yes. Yes, it could.

The company also had to disclose that three senior executives unloaded $1.8 million in company stock shortly after the discovery of the breach. The company said in a statement that CFO John Gamble, president of U.S. information solutions Joseph Loughran, and workforce solutions president Rodolfo Ploder “had no knowledge that an intrusion had occurred at the time.”

Still, it’s not a good look for a company already doing serious damage control.

Like what you've just read? Get it in your inbox first-thing every morning.

Today’s Key Reads

Internal control weaknesses correlate with financial fraud
Accounting Today - The audits of companies’ internal controls mandated by the Sarbanes-Oxley Act are good predictors of financial fraud, according to a new study. The study found the incidence of fraud disclosures at companies previously found by auditors to have material weaknesses in their internal controls is approximately 80 to 90 percent greater than companies on average.

Congressmen concerned about misuse of .cpa domain
Accounting Today - A group of four lawmakers has sent a letter to an internet governing body expressing concern about how the proposed .cpa domain extension might be exploited by fraudsters pretending to be CPAs.

New bill would make small bitcoin purchases tax-exempt
American Banker - Since the Internal Revenue Service declared virtual currency to be a form of property in 2014, all bitcoin transactions have become a tax reporting nightmare. Now, two Congressmen are proposing to make cryptocurrency more viable by easing up on those requirements.

A year later, Wells still struggling to repair tattered reputation
American Banker - One year after the San Francisco megabank paid $190 million in fines and restitution to settle charges that thousands of employees opened millions of unauthorized checking and credit card accounts for customers, Wells remains mired in scandal and struggling to repair its once-pristine reputation.

Senate panel approves leadership picks for Fed, OCC
American Banker - The Senate Banking Committee on Thursday approved the nominations of Randal Quarles for vice chairman of supervision at the Federal Reserve Board and Joseph Otting to run the Office of the Comptroller of the Currency. They will now be sent to the full Senate for confirmation.

Senate panel may again probe Wells scandals
Credit Union Journal - Wells Fargo’s continued missteps following revelations last year that the bank created millions of unwanted accounts for customers may lead to additional hearings on Capitol Hill.

States modernize licensing system as more fintechs eye bank charter
National Mortgage News - State regulators are modernizing their common licensing platform for nonbank financial institutions, hoping the update will help convince wary fintechs that they don’t need to pursue a national charter being developed by federal regulators.

Extra Credit

Euro, Bond Yields Rise on Report ECB Officials Agreed on Need for Stimulus Cut
Reuters - Reports that European regulators have agreed in principle on the need for a cut in the European Central bank’s stimulus program drove stocks down and sent investors on the hunt for government and euro bonds.

Plan to Fund Health Insurer Payments Coalesces
Wall Street Journal - Lawmakers appear to be coalescing around a deal to continue controversial subsidy payments to health insurers, after a threat to eliminate the Affordable Care Act-mandated payments caused concerns about a collapse of the market for individual insurance policies.

New York regulator kicks Pakistan’s Habib Bank out of US
Financial Times - The New York State Department of Financial Services fined Pakistan’s largest bank $225 million and will force it to stop operating in the US. Habib Bank, the regulator claimed, had numerous compliance failures that “opened the door” to terror finance.

Investors in catastrophe bonds flee Irma fury
The Financial Times - Catastrophe bonds, unsurprisingly, are taking a beating in the markets as investors consider the damage from Hurricane Harvey and the prospect of even more destruction from Hurricane Irma.

How Harvey Will Affect Houston’s Housing Market
Bloomberg - As counter-intuitive as it may seem, this may be a very good time to be selling a home in Houston -- as long as you built it on a hill. In the wake of Hurricane Harvey, undamaged housing is fetching top prices.

Rob Garver

Rob Garver has been covering the intersection of public policy and the private sector for more than 20 years.