Tell HN: I just received my Equifax breach settlement check
261 points by binarymax on Jan 4, 2023 | 222 comments
For a total of $5.21



I got my $5.21 check too. For those who don't remember, the original settlement for the 2017 data breach was supposed to be $125. But they had "unexpected response" so the final settlement ended up being about 4% of that. It's kind of an insulting payment after Equifax leaked names, Social Security numbers, birth dates, addresses, and some drivers license and credit card numbers.

Info on the original settlement: https://arstechnica.com/tech-policy/2019/07/you-can-go-claim...


Yea, when I read that the claim group had ballooned I changed my ‘compensation’ to be 5 years of their crap service for identity theft monitoring.

I figured that was worth more than $5… though it is debatable.


The notion that identity theft monitoring is sufficient mitigation to a customer after a breach like this is laughable.

I'm concerned that as the trend becomes normalized, when someone does finally bring a challenge in court where that's one of the matters to be dealt with, the company will simply say "industry standard".


Of course, that's really 5 years of Experian trying to upsell you to their paid (out of pocket) services. Why can't I set it to email me only if there's a change? Why does it need to send me email every month?


Equifax, not Experian


No, they offered me Experian monitoring:

> You filed a claim in the Equifax Data Breach Settlement and chose to receive free, three-bureau (Equifax, Experian, and TransUnion) credit monitoring from Experian for four years.


The fact that people would pay for credit monitoring is strange to me.

Credit Karma is free, and has been very good. When I applied to finance a car online, within 15 seconds of me pressing "Submit" on the web page, I had an e-mail from Credit Karma that someone did a hard pull of my credit report.

Does the identity theft service you got do anything more than that that you would actually use?


I didn't even bother because I figured the cash would be meaningless, and I've already got monitoring because my info was part of the OPM breach a while back where all of the same information plus my secret clearance background check info, fingerprints, and toeprints were leaked.


You can probably buy those datasets for much less per row.


Strange, I got $22.82. I was honestly expecting around $5 but I'm not complaining. I'm not sure what I did differently.


I am. Equifax should cease to exist for the breach.


The person you're replying to is not sure what they did differently.


The person you're replying to is responding to:

> I'm not complaining


I'm not complaining about the extra cash. Of course I have complaints about Equifax and their operations.


Ooh, fair.


Completely agreed. That they still exist is a damnation of our society.


That's about what I got. I remember there were a few different avenues to get different types of compensation. One was reimbursement for any costs incurred because of the breach. I had bought some identity theft insurance at some point after the breach so I claimed that. As well as some other stuff, maybe a credit karma thing. They sent all kinds of requests for information after that trying to disqualify any and all claims, which I don't think I actually did. But I did end up with a whopping $21.


I got $12.26


If $5 is all that information is worth, I wonder if enterprising criminals will just cut out the middleman and start making offers to potential victims directly. "Screw Equifax and their paltry breach, we'll give you $50 for it over here at h@cknonymous!".


Hey! You got a year of free credit monitoring. Show some gratitude. Sheesh. </sarcasm>


The joke is: Equifax supplied the "free credit monitoring". LOL Billed themselves I'm sure


Actually, I think the credit monitoring I got was from Experian. Or maybe that was from some other data breach, and I've mixed them up...


Confirmed it was Experian:

> You filed a claim in the Equifax Data Breach Settlement and chose to receive free, three-bureau (Equifax, Experian, and TransUnion) credit monitoring from Experian for four years.


Has anyone been able to show damages? I get the fury at Equifax. I personally refuse to unfreeze their reports. But it’s looking increasingly like a leak that was shocking but moderately harmful at worst.


Has any leak ever resulted in someone saying they could clearly id damages from a specific leak and then get compensation from the company who leaked it?

We aren't even told when a government entity looks at and uses our private information. How in the world would we know when a criminal does, and how would we be able to say they looked at that specific leak instead of one of the other 10 possible sources of my leaked private information?

Maybe it is time to pool the damages of all identity thefts together, (about 56 billion in 2021) and split the bill (+ maintenance and administrative costs for managing the money) across all businesses that have leaked private data. That money could be used as a resource to all identity thefts victims to be made whole.


> time to pool the damages of all identity thefts together

You can’t pool something you haven’t measured. This is a genuine question. I had thought we’d have demonstrated liability by now.


As far as I'm concerned, every single act of identity theft that occurred after the breach where at least one piece of data leaked in the breach was used, are damages. Sure, it might have happened anyway, but it doesn't really matter which illicit source they got it from; it was available anyway.

Just like in an assault/homicide case, if a victim has a heart attack and dies soon after you assaulted them, you can't prove that the attack led to the heart attack. Could just be bad timing. But most courts and juries would likely find the assaulter guilty to some extent.


> it might have happened anyway

This isn’t how civil damages work in any jurisdiction.

> like in an assault/homicide case

Apples and oranges. If the only way we can finger Equifax is by equating their actions to violent crimes, there is no case. That is increasingly my conclusion. These leaks have little to no actual cost.


In the case of the Equifax leak, I don't think they have shown up in large tranches on the dark web like other leaks. Which I think suggests that it may have been a state actor. So Equifax's negligence has created a national security issue. Imagine how a state actor could cripple the financial system by using bots to open millions of accounts en masse and start taking out loans or whatever. Banks would have to shut down until they could figure out which accounts are fraudulent.


There are groups out there measuring the cost related to identity theft. The $56 billion number wasn't pulled out of thin air: https://javelinstrategy.com/content/2021-identity-fraud-repo...

How do you propose liability could be demonstrated with something like this? Do you expect hackers and fraudsters to cite their sources when they are defrauding someone?


I had someone walk up to the ATT counter at a Walmart in Arkansas and purchase two brand new iPhones, transferring my SIM ID and deactivating my phone on a Sunday afternoon. Fortunately I noticed immediately and cancelled the SIM to prevent MFA issues with banks and whatnot. In order to do what they did, they needed to show a fake Driver's License with all of my exact information, and I have an extremely common surname. I cannot prove it was due to the breach but given the timing and my surname it seems likely. As it happens, ATT paid for the phones, I suffered some minor inconvenience but it could have been much worse. I'm a bit surprised ATT hasn't gone after them legally, because they were likely the financial victim in many similar schemes, but perhaps they have insurance for this sort of thing.


This is why I absolutely refuse to upload an image of my drivers license to anyone for any reason. I understand it can still get there via data upload from the DMV, but there's no way in hell I would ever give FB (as an example) an opportunity to have that data just to verify my identity. At no point is that service worth the risk, unlike the DMV where driving is absolutely necessary.


The only account to use my middle name was the bank account I opened as a teenager using pen and paper. Once banking went digital a year later, the account was "corrected" to my first name.

Following the Equifax breach, I experienced yearly identity theft using the combination of that name and my childhood address. Unless the teller who opened my original account has taken up a life of fraud and state hopping, Equifax is the likeliest culprit.


When millions of IDs are lost the chances of your individual ID being used nefariously are pretty low; that doesn't mean that hundreds (or thousands?) of IDs still aren't being used nefariously every day. Lots of people were seriously impacted by this, it's just a really big breach.


I got a fraudulent tax filing that year, as did my sister and several of my friends. Can we prove it's due to the leak? Not really. It's hard to prove something like that. But I'm still very convinced.


Yes, I had to freeze my identity and add a fraud alert and have had to spend time to remove those and had creditors deny me for having them.


My sister got her SS# stolen and every time she tries to open a bank account, it's drained immediately. She's been unbanked for years as a result. I think that counts; if I weren't around to manage her money (and trustworthy), she'd be fucked.


Wonder what the real economic impact on respondents was from the breach?


Good thing you can opt out of your data being collected by Equifax, right.. right?

Seriously though, how did credit scores come about and was there any resistance at all at the time to people's financial information being collected en masse by private companies?


How else would you do risk management for loans? Without a credit bureau, where would the loan originator determine the risk of the loan? Would each individual have to store all payments and receipt of payment and submit that? Or do we just blend the risk with everyone so if you always paid your loans on time, you pay the same rate as someone who has a loan write off and is 3 months behind in loan payments?


Here's how they do it in Belgium: https://finance.yahoo.com/news/belgium-deals-credit-without-....

They have a public credit bureau hosted by the national bank that records all the loans and credit. The data is not for sale to just about any company that is willing to pay for it, the individual has to give permission to share it when they apply for a loan. There isn't such bullshit as in the US where you practically have to push your student to get a credit card "to start building up a credit score."

The system works well enough that there's hardly any debate about it.


Given the OPM breach, I'm not too keen on the competence of governments holding records either: https://en.wikipedia.org/wiki/Office_of_Personnel_Management...

> Approximately 22.1 million records were affected, including records related to government employees, other people who had undergone background checks, and their friends and family.

> One of the largest breaches of government data in U.S. history, information that was obtained and exfiltrated in the breach included personally identifiable information such as Social Security numbers, as well as names, dates and places of birth, and addresses.


That system would be called "big government" in USA.


It's interesting how we justify everything shitty in the US as being part of capitalism without ever examining why we think that's a reasonable justification. I feel like it's a result of tons of red-scare propaganda that still exists in droves to this day.


When you think about it (and reduce it to a single sentence) “Capitalism” is just economic monarchy where we pay homage to those who have more than us already.


>They have a public credit bureau hosted by the national bank that records all the loans and credit.

So basically the same as credit bureaus in the US, but it's a government monopoly? Given how well other government agencies work at least in the US (eg. DMV), I'm skeptical that waving a "government" wand would magically fix stuff.

>The data is not for sale to just about any company that is willing to pay for it, the individual has to give permission to share it when they apply for a loan

AFAIK that's also the case in the US. When you open a bank account/apply for a credit card, somewhere buried in the terms and conditions is a consent for a credit check.

>There isn't such bullshit as in the US where you practically have to push your student to get a credit card "to start building up a credit score."

In the US at least, the reason why it's commonly advised for students (and other young adults) to "build credit" is to build up a history of credit usage and repayments. I don't see why the same dynamic wouldn't exist in Belgium. Your own linked article says "Later, it added positive marks as well, allowing “no credit” and “good credit” to be distinguished", which suggests the same dynamic would exist in Belgium.


Firsthand experience: DMV experience comes down to funding.

Ohio BMV is basically a pleasure and a joy to visit every time I interacted. Staff was competent, offices were laid out logically, and time to completion was measured in minutes.

Texas, on the other hand, funds offices relative to the proportion of tax base in the area (this also disproportionately affects minorities, I've seen). Some areas are like the general Ohio BMV. Others one could reasonably point to and say getting an ID there is so difficult that it must be the goal (like voter suppression). At one of these, I waited over 5 hours in line only to find they skipped my number and wouldn't let me come back. We showed up 1.5 hours before opening and were in the line that wrapped around the block. Wait time after their screwup would have put getting services after closing (i.e. wasn't happening that day). I got lucky the second day I took off of work to get my license changed. But areas with higher tax base (Hebron area in Carrollton, TX, part of Austin, TX, etc.) you get in and out quickly.

For government services you get what you pay for when you put appropriate monitoring in place.


> Firsthand experience: DMV experience comes down to funding.

>you get what you pay for when you put appropriate monitoring in place

That's the problem, isn't it? Recall my original comment:

>I'm skeptical that waving a "government" wand would magically fix stuff.

Sure, we might get the Ohio DMV experience, or the Texas DMV experience. It's not as simple as "nationalize it", and it turns out swimmingly. Given that such a database would have to be federal, you can expect all the federal level politics (eg. fundings/defundings, gridlock, government shutdowns) that go along with it.


Texas is a pretty messed up governance model in general. Whenever you see this kind of incompetence, it's always a political issue, as the DMV is a revenue generator. If there's friction involved in paying taxes, it's due to some stupid political problem.

RealID is a huge driver of increased demand for those services. Not only the bullshit around voter suppression and casual racism, but fundamentally areas with more immigrants and more complex documentation needs will take longer to service. Richer areas have a lower demand for services, but county clerks, etc, usually get a piece of the action.


I can only speak of Germany, where we have the equifax-like SCHUFA.

> somewhere buried in the terms and conditions is a consent for a credit check.

That’s luckily not allowed (as many other burial tactics) and has to be very visible and explicit. Though in the end that doesn’t change much because it’s not as if you have a choice (outside of saying no thanks to the whole thing)

> which suggests the same dynamic would exist in Belgium.

It doesn’t in Germany. If they don’t know you at all (= no contact with the banking system whatsoever), you are rated higher risk, but just having a bank account for some time is enough to have a good score.

Until data protection laws came along, they even charged you to see your own data, nowadays at least you get it free once per year.

IMO the biggest differences are the lack of having to "build credit", the incidental lack of an SSN that can be leaked, and the lack of companies allowing someone to wrongly take out a loan in your name and somehow making it your issue instead of theirs.


In Belgium, you have a National Number which is basically

YYMMDD-XXX-CC

where YYMMDD is the birth date

XXX is the sequence number of a newborn that date or one of the yet unused numbers for foreign-born

CC is the mod 97 of

2YYMMDDXXX for those born over 1980 or YYMMDDXXX for the others

which means that it is easy to remember and not really a secret, unlike SSN.

As a side note, local bank accounts, wire transfer reference numbers, and company numbers also follow the same pattern of 9..10 digits + mod 97.

Compared to the Luhn algorithm for checksums used in the rest of the world, these are a real joy to see and use.

With so much fuss about Estonian digital state, I wonder why Belgium does not get the much deserved praise for implementing the basics just right.
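An added example, not part of the thread: a validator for the number format discussed in the comment above, plus a comparison of what mod 97 and Luhn catch when two adjacent digits are swapped. It uses the register's published rule (check = 97 − (N mod 97), with a leading 2 for births from 2000 onward) rather than the comment's shorthand; the function names and sample numbers are constructed for illustration. A number that passes only proves it is well formed, which is why it works as an identifier and not as a secret.

```python
import re
from datetime import date


def mod97_check(body: str) -> int:
    """Check number for a digit string: 97 - (N mod 97), always in 1..97."""
    return 97 - int(body) % 97


def mod97_valid(digits: str, prefix: str = "") -> bool:
    """True if the last two of 11 digits match the check for the first nine."""
    if not re.fullmatch(r"\d{11}", digits):
        return False
    return mod97_check(prefix + digits[:9]) == int(digits[9:])


def validate_national_number(text: str):
    """Return the encoded birth date, or None if the number is malformed.

    Accepts YYMMDD-XXX-CC with '.', '-' or ' ' as separators. Special-case
    numbers whose date field is not a calendar date are rejected here.
    """
    digits = re.sub(r"[.\- ]", "", text)
    # The two-digit year is ambiguous, so both centuries are tried; births
    # from 2000 onward are checked with '2' in front of the nine digits.
    for century, prefix in ((1900, ""), (2000, "2")):
        if mod97_valid(digits, prefix):
            try:
                return date(century + int(digits[:2]),
                            int(digits[2:4]), int(digits[4:6]))
            except ValueError:
                return None
    return None


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_append(body: str) -> str:
    """Append the single check digit that makes `body` Luhn-valid."""
    for d in "0123456789":
        if luhn_valid(body + d):
            return body + d
    raise ValueError("unreachable: one digit always fits")


def undetected_adjacent_swaps(number: str, is_valid) -> list:
    """Positions i where swapping digits i and i+1 still passes is_valid."""
    missed = []
    for i in range(len(number) - 1):
        a, b = number[i], number[i + 1]
        if a == b:
            continue  # swapping equal digits changes nothing
        if is_valid(number[:i] + b + a + number[i + 2:]):
            missed.append(i)
    return missed


if __name__ == "__main__":
    sample = "85.07.30-033.28"             # constructed sample value
    print(validate_national_number(sample))            # birth date or None
    card = luhn_append("40000912345")      # constructed, contains "09"
    print(undetected_adjacent_swaps(card, luhn_valid))        # Luhn misses 09<->90
    print(undetected_adjacent_swaps("85073003328", mod97_valid))
```

Because 97 is prime and larger than any single-digit difference times 9, every adjacent transposition and every single-digit error in the nine-digit body changes the remainder; Luhn's one blind spot for adjacent swaps is the pair 0 and 9.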


The DMV example is a poor one, every interaction I've had with their offices were quick, professional and cheap.

Compare that to the bureaucracy and scammy nature of car insurance providers, and it's a night and day difference.


That paperwork is for legal risk, there are services out there that allow you to search for anyone's credit report at any time. 3rd party collections companies use them to try and hunt down people, for example.

IIRC, a few celebrities have ended up suing such services due to stalkers using them to hunt the celebrities down, so there ARE controls on them, but not typically for your normal person.


Well for starters you could voluntarily submit your repayment history to one of a pool of competitive good-for-the-money record keepers, rather than it being involuntarily hoovered up by a state sponsored oligopoly.


That’s basically what you have now - every single reporting agency somewhere in the giant ball of terms and condos states that they’ll report on you to credit burros.

You can avoid it by avoiding any of those accounts. Whether that is possible practically is another question.


> Whether that is possible practically is another question.

Well it's sort of the key question though right?

The incentives of the credit reporting agencies are fundamentally unbalanced because the average consumer has no meaningful input into their behavior.

If I could practically avoid having my information sent to bad actors they would be incentivized to treat my data with care.

This is an example of where good government regulation can be introduced (giving consumers the option to opt out) rather than what I would consider bad government regulation (trying to specify how the companies should behave directly).

I believe in the free market but I also understand that there are cases where incentives are incorrectly balanced and we need a neutral party to make sure all incentives are properly accounted for.


>If I could practically avoid having my information sent to bad actors they would be incentivized to treat my data with care.

Who are the "bad actors" in this case? Equifax? Whoever Equifax sold the information to? Whoever Equifax got the information from?

>This is an example of where good government regulation can be introduced (giving consumers the option to opt out) rather than what I would consider bad government regulation (trying to specify how the companies should behave directly).

As the parent poster has mentioned, you can already "opt out" by not getting a loan. I agree that it'd be nice if some government regulation allowed you to have your cake (ie. get loans) and eat it too (not have it reported), but there are two obvious problems:

1. One man's "private information" is another man's free speech. Why should a company be prevented from making true statements about its business dealings with you? You can leave nasty yelp reviews for businesses that have behaved inappropriately. Why shouldn't businesses be able to leave nasty credit reviews for individuals that failed to make payments?

2. On a more practical level, opting out might put you in a high risk pool. Part of the enforcement mechanism for repaying loans is that if you don't, your credit gets wrecked and your life becomes harder. If you opted out of credit reporting, that's one enforcement mechanism that a lender wouldn't have, and therefore will adjust accordingly. Going back to the yelp analogy, imagine if yelp allowed businesses to opt out of reviews. Would you want to go to such a business, all else being equal?


> you can already "opt out" by not getting a loan

Just wanted to comment on this to say: This is impossible. The reason why it's impossible is subtle because it comes from a source you'd not expect: Utility payments (power, gas, water, sewer, cable, internet, satellite, etc.). Utilities are always charged and paid for after they're delivered, and are thus loans and reported to the credit bureaus.

Also, credit bureaus don't just report on loans/debts. They also report on public proceedings that may or may not have financial consequences. And your employment record is also reported by many companies' HR departments to these same bureaus.

So, short of going Ted Kaczynski (and even he had enough of a public presence to probably also have a credit report), you will exist in all of Credit Bureaus' databases.


https://joindeleteme.com/blog/how-to-remove-yourself-from-ex...

Outside of loans that will opt you out of Experian selling your data. You should also opt out from your bank that sells your financial transactions to Bloomberg so hedge funds can front run earnings and businesses who can determine if you're a big spender or not.


You can avoid the utility thing but it's hard. One way is a landlord who does NOT report - there are more of these than you'd think; many single-family home landlords are so small they don't really bother.

You can also do some trickery with companies (LLC or other) but the lawyer costs and annoyance may be high. But utilities are set up to bill companies with basically no credit (worst case you deposit or pre-pay).

Experian claims utilities don't report unless you don't pay: https://www.experian.com/blogs/ask-experian/can-unpaid-utili... but I don't know if I'd trust it, and they obviously "reserve the right" to do so.


> Experian claims utilities don't report unless you don't pay: https://www.experian.com/blogs/ask-experian/can-unpaid-utili... but I don't know if I'd trust it

My experience is that this is true. I literally have no credit, as in, reports from all 3 credit agencies return with nada. Mid-40s and I made this decision in college, and don't regret it.

I certainly have utility bills. There may be exceptions out there, but not in any of the municipalities I've lived in over the years.


> The incentives of the credit reporting agencies are fundamentally unbalanced because the average consumer has no meaningful input into their behavior.

How so? The lenders are obligated to submit truthful data, and under FCRA you can dispute fraud and incorrect data. And the FICO/Vantage scoring system can be computed from the data, they don't just spit out a hidden number generated by some ML model.


>And the FICO/Vantage scoring system can be computed from the data, they don't just spit out a hidden number generated by some ML model.

AFAIK those models aren't public. If you search around you'd find some vague factors and approximate weights, but nowhere near enough data to reproduce the scores yourself. For the typical consumer and company, they're a black box just like a ML model.


Checked the Experian website (their "freecreditreport" product, aka the thing that tricks people into foregoing annualcreditreport) and they provide weights for how much each contributes:

Payment History: 35% of score. in no particular order:

  - Late payments 30+ Days ("About 98% of FICO High Achievers have no missed payments at all") / Late Payments 60+ Days / Accounts Always Paid as Agreed / No Delinquent Accounts

  - Collections ("FICO® Score 8 only considers collections with an amount of $100 or greater. Virtually no FICO High Achievers have a collection listed on their credit report") / Late Payments 60+ Days / Derogatory Public Records

Amount of Debt: 30% of score. in no particular order:

  - % revolving credit: ("For FICO High Achievers, the average ratio is less than 7%.")

  - Number of Accounts with Balances ("FICO High Achievers have an average of 3 accounts carrying a balance.")

  - Total balance on revolving and open-ended accounts ("Most FICO High Achievers owe less than $2,500 on revolving and/or open-ended accounts such as credit cards, charge cards and department store cards.")

Length of credit history: 15% of score

  - Average age of accounts ("Most FICO High Achievers have an average age of accounts of 9 years or more.")

  - Age of Oldest Account ("FICO High Achievers opened their oldest account 25 years ago, on average.")

Amount of new credit: 10% of score ("FICO High Achievers opened their most recent account 2 years, 7 months ago, on average.")

Credit Mix: 10% of score ("FICO High Achievers have an average of 11 revolving accounts, 5 installment accounts, 6 credit cards")

Also, a trend I see is that almost every option says "Authorized user accounts aren't considered in the calculation of this attribute", which might be a big contributor as to why Credit Karma / Vantage Score numbers are almost always higher than FICO, which leads to people thinking they have a higher number when they walk into a car dealership / apply for a loan.

But you're right in that I don't see any actual weights or FICO simulators.



"Credit rating agencies" =/= "Credit bureau".

If you read your own link, you'd discover that the former refers to companies like "Moody's Investors Service, Standard & Poor's, and Fitch Ratings". Needless to say, those are separate entities from credit bureaus, which are companies like equifax, transunion, and experian.


Your reply is a good example of missing the forest for the trees.


The average HN reader isn't a telepath. If you posted a link about a different subject without any accompanying explanation about why it's related, and other readers get confused, that's on you. Your follow up reply makes the same mistake, but it's worse because it's obvious that at least one person isn't seeing the connection, yet you don't make an effort to provide such an explanation.


This is what's called a 'contract of adhesion.' If no part of it is negotiable, I don't think one party should be able to just endlessly add terms for their own convenience.


One novel method that auto insurers have been experimenting with is voluntarily reporting data that can only help, not hurt. So, for instance, if you install their monitoring device in your vehicle and it shows that you don't drive in risky ways, you qualify for a discount. If you choose not to volunteer this data, or the data shows that you're a risky driver, you pay the base rate.

Now, is that really "volunteering" the data, or do you end in up roughly the same position as with the credit bureaus, where you need to turn over lots of personal information to get reasonable rates? I think reasonable people can disagree about that.


Careful. What seems to really happen is they jack the base rate up a bit, and their threshold for safe driving is “never speed, at all, or use more than 10% throttle or 25% brake”


> One novel method that auto insurers have been experimenting with is voluntarily reporting data that can only help, not hurt. So, for instance, if you install their monitoring device in your vehicle and it shows that you don't drive in risky ways, you qualify for a discount. If you choose not to volunteer this data, or the data shows that you're a risky driver, you pay the base rate.

How is this help, not hurt? Insurers are tightly regulated in most states, and the sum of the premiums for a group can't be more than the losses for that group plus an allowed profit margin. If you give someone else in my group a discount, that's coming out of my pocket in some form or other. (Of course, if the discount encourages them to drive in a way that reduces losses, that could be money going into my pocket too; either way, I'm not letting them snoop on me, thanks)


This works for things like car insurance because most people aren’t driving secretly insured cars they don’t tell other insurers about, and because many of the factors determining your car insurance rate are cited by the state. It could work for loans too, but it’d require creating a state agency which… well, I decided not to post that surely unpopular opinion.


Someone else's on-time mortgage payments were reported on my credit score for years after I turned 18. I ended up with amazing credit for it.

These companies can't even keep track of what they're purportedly supposed to keep track of, why should they continue to exist as they do today?


I've had the opposite experience sort of. A company sold my home loan off, as is common, and failed to close the account. They reported me as delinquent to the credit bureau. So I did the thing you are supposed to do, repeatedly contacting mortgage loan fools to inform them my account is in good standing (took three times) and of course filing a dispute with the credit bureaus.

After having a credit score north of 700 for over a decade that was at 780 at its peak, my score dropped to around 600. I was horrified. It's been a year and it still hasn't recovered and is currently around 700 through no fault of my own. The only debt I've had since 2018 is home loans.

Fuck them all.


That should be criminal, or at least have some civil liability because I'm pretty sure you'd be able to prove damages.

Insane that there's little to no recourse for this at all, and that none of the parties responsible for such an error will be held responsible for them.


I’ve had a few lucky mistakes in my credit favor, but nothing like that! It shouldn’t be surprising that you take such a principled position in light of that, but it is. Good show.


I figure it could have just as easily been a mistake that wasn't in my favor that I'd have to spend years sorting out to my detriment.


I like the current model of risk management, but the problem is that if a bank is defrauded by someone pretending to be you, you’re on the hook. That is, the credit bureau doesn’t do a good enough job verifying identity.


And it's completely ridiculous that that isn't entirely the bank's problem and you should be able to sue the credit agency for libel.


The credit agency is reporting what has been reported to them. If credit agency Foo correctly reports that “Bank A has reported to us that mhb is delinquent on their loan”, that’s not libel if the bank did report that and the agency has no reason to believe the underlying fact is untrue. (Once you start the dispute process, they stop saying that for a while until it’s resolved. My mental model is a lot of the dispute process is based on avoiding libel.)


In that case, yes. Not in the case of "identity theft" in which the person is incorrectly authenticated by the credit agency.


What does "authenticated" mean in this case? When I apply for credit, the credit is granted by a bank or financial institution. They are the ones responsible for authenticating that I am who I say I am, not the credit agency.


There is some interaction between the bank and the credit agency taking place regarding sokoloff. I don't know the details of how they identify which sokoloff they are discussing, but it doesn't seem particularly clever (DOB, last 4 of SSN?). Something in that interaction has led them to misidentify the person who wants money with the real sokoloff.

Maybe it's the bank's fault. Maybe it's the credit agency's fault. It's not sokoloff's fault. If there is harm to sokoloff, in the future, by the credit agency representing that sokoloff's credit is not what it should be because the credit agency did a bad job authenticating an identity when the bank asked about it, it should be liable (and libel).


If fake-sokoloff shows up to the bank, pretends to be sokoloff, the bank checks with the credit agency who says "yup, sokoloff is a good credit risk", and the bank gives fake-sokoloff money in part based on the premise that sokoloff is a good risk, I don't think the credit agency has done anything wrong there.

The bank failed by authenticating fake-sokoloff as sokoloff. (I'm no fan of credit agencies, but I am a fan of correctly diagnosing system problems and assigning root cause to the right place in the system.)

There is a second-order effect where it should be straightforward for sokoloff to repudiate a loan taken out by fake-sokoloff and incorrectly tagged to sokoloff. An agency failing to follow that process may then be liable for libel.


This is one of those things where fairness is less important.

If real-sokoloff is hurt, someone fucked up and needs to be held accountable and make real-sokoloff whole.

We can debate the how and the why, but the spirit of that sentence needs to be respected more highly than fairness to the bank or credit agency. Part of the reason they can be so laissez-faire about it is because it's not their risk and they're not the ones that need to be made whole.

Regardless of how it happens, it needs to happen. Making it their risk would convince them to figure it out.


There is a chain of authentication between fake-sokoloff and the credit agency. Maybe fake-sokoloff has tricked the bank due to the bank's weak security. Now the bank asks the credit agency for information about sokoloff by providing whatever weak metrics it has obtained. Both the bank and the credit agency have failed due to accepting weak metrics.


Also, in future interactions, the credit agency makes representations to others about sokoloff's credit. Why should the standard of what they are able to say be set by the least secure report they have received from a bank? They hold themselves out to be a credit reporting company - not just an aggregator of hearsay.


It’s because they call it identity theft. It’s not the bank getting defrauded but you having your identity stolen.

Someone steals $1000 from a bank, they come to you and say hi he said his name was kmonsen so we would like to get the money back from you.


>That is, the credit bureau doesn’t do a good enough job verifying identity.

Credit bureaus routinely report false information and defame people based on false/unverified information that they don't even attempt to properly vet. If some random person called me on the phone and reported that you were a sex offender, and I dutifully repeated that to every job you applied for, every apartment you tried to rent and anyone else who asked me, I would be guilty of defaming you and responsible for damages. It should be no different for so-called credit reporting agencies.


We have loans in France, and no credit score.

My understanding is that your income and work contracts are inspected, and that banks can see your other loans / lines of credit.

The rule of thumb is that your loan payments must not be above 1/3 of your income.

To check your income the bank will ask you for a tax document and pay stubs.

People buy houses and cars, and the country did not start the subprime crisis in 2008.

Seems to work well enough.


Glad to see it still works like that.

There's also a government-managed register of bad payers (called "interdit bancaire" - literally "forbidden from banking") for which there's a lengthy process to get onto that may involve court action - the lenders literally have to take you to court.

This means there is a due process to get onto the register, and a simple misunderstanding or fraudulent company can't ruin your credit (unless they want to lie to a government official and potentially to a court).


In America, they'll verify your income by requesting pay stubs, but banks can't see your other loans/LoC without doing a credit check from one of the credit reporting bureaus (Equifax, Experian, TransUnion).


That explains things. That’s … silly.


America is a silly place.

There's a strong distrust of government across the entire political spectrum. The difference is that one half thinks the solution is to let private corporations handle everything because they have this strange delusion that a corporation actually has their interests in mind beyond the bare minimum to earn a profit. The other half has a delusion that government can be fixed.


Why could governments not be fixed?

I struggle with this one. If they don’t know how to do X, find people that do and hire them as civil servants, with a slightly less than average salary.

I know it’s not that trivial, but I don’t see why conceptually it cannot be fixed?

(Asking as a new US citizen btw; I voted for the first time a few months back. Yes, this place is fucked. I will probably not retire here. Or even stay that long.

But there are a few things going for us. For instance direct democracy is more alive than most. Electing judges, specifically in that debatable precedent system… is really powerful and readily accessible.)


There's a considerable perception that politicians serve their corporate donors more than their voters, as well as there being an extreme level of excess spending without getting outcomes.

Sometimes these combine. Like, if the state wants to build a new road, they'll give the contract to whoever is going to donate the most to the governor's campaign during the next election, even if that means it costs a lot more.

It doesn't help that our voting system creates a scenario that will always devolve into just two political parties. Any third party candidate ends up being a spoiler for a similar party and guarantees a victory for the other major party. This is why Democrats are hoping Trump runs for President as a third party, as it would split the Republican vote and hand the Democrats an effortless win.

We only have direct democracy for local and state offices. Presidential elections are not a direct democracy.


Strike. Those two particular issues are really core: election financing and party creation.

The first one should be harshly reined in IMO. Having strict and enforced limitations on donations works. The proof: crooked politicians try to get around it and are sometimes getting caught (Sarkozy, Chirac).

Second one is more mechanical: having > 2 parties allows politics to happen.


Switzerland had banking secrecy laws for the longest time (still do to some extent) that prevent this sort of mass collection of payment data. And yet they had a comparable credit / GDP ratio to the US and above the world average [0]. So your claim that one can't do lending without involuntary mass data collection is empirically false.

[0] https://data.worldbank.org/indicator/FS.AST.PRVT.GD.ZS?end=2...


> How else would you do risk management for loans?

Government-run credit-bureau, like Thailand's National Credit Bureau (NCB), that isn't trying to make a buck. Bank of Thailand (who are behind NCB) is also responsible for Prompt Pay, which is a most-excellent and ubiquitous QR-code and cell-number based instant payment system.

American retail banking appears to have been screwed hard by "leaving it to the markets", where government intervention and threats have given us Faster Payments (UK), SEPA Instant (EU), Prompt Pay (TH) etc


>American retail banking appears to have been screwed hard by "leaving it to the markets", where government intervention and threats have given us Faster Payments (UK), SEPA Instant (EU), Prompt Pay (TH) etc

Looking at this comparison table[1], it seems like the options in the US (Zelle and RTP) arrived in similar timeframes to RT1 in the EU?

[1] https://en.wikipedia.org/wiki/Instant_payment


Why am I still receiving ACH and e-check payments from my clients then?

Genuinely, I don't know the answer to this -- maybe the US account Wise provides me with is limited? Additionally, every time a Bitcoin maximalist shows up, if they're American they'll tout "fast, cheap payments!" and "right, but what if you wanted to make a transfer to a different bank AND on a weekend?!" as benefits, which are the benefits much of the developed world already has and doesn't think twice about any more.


> where government intervention and threats have given us

... and also tiny interchange fees in the UK and EU: https://www.clearlypayments.com/blog/interchange-fees-by-cou...

Of note: "The USA has the least regulatory oversight resulting in the highest interchange fees in the world. The same data below compares the interchange fee by country in chart form."


To add, the quick payment interface of India, UPI. Unified Payment Interface. Central Bank defined the rules. Every bank follows it. Money still gets settled as regular behind the scenes, but on the front end, the customer sees money moving instantly, no fees. Money moves between super verified accounts or customers only.


> Or do we just blend the risk with everyone so if you always paid your loans on time, you pay the same rate as someone who has a loan write off and is 3 months behind in loan payments?

This is how it works in Denmark for property mortgages. There is security in the house and up to 80% of the house price can be lent. It's up to the credit institution and bank to decide whether to approve you for the loan based on an expense budget provided by you, pay slips for the past 3 months and the property valuation. Bank provides the contact between you and the credit institution as well as budget vetting, the credit institution sells bonds to investors to raise the money for the mortgage. Risk is spread over the bond series and is carried by the credit institution.

We have some of the lowest mortgage rates anywhere. Current 30 year rate is 5%. This is after a huge hike in the last year after having been at 0% or even negative for at least 5 years.

So yeah, for large investments like property mortgages with considerable security drop the credit rating and spread the risk across enough people. On average it will be cheaper.


That has a side effect of requiring 20% down (after all transaction fees), which means buyers have to save significantly longer than when 3% or 5% down payment loans can be made.

This has disadvantages for some people over a credit rating system, even if it’s overall cheaper for the people who can get loans under it.


This also means that the likelihood of ending up with insurmountable personal debt in case of a default on the mortgage is a lot smaller.

In some cases the down payment can be a bank loan at significantly higher rates. I did this for my house and the rate for the down payment loan was something like 8% while mortgage was 2%. I forget what percentage of the total was a bank loan but it was around 10-15%.

There are not the same conditions on the bank loan, though. E.g. a bank loan can in theory be called in with a month's notice, while this is not the case for the bond based mortgage.


you _could_ do it Plaid-style, where you consent to share your history (either raw transactions and liabilities to run through a model, or a pre-calculated score) with a potential creditor. That would solve the formal consent problem. But the essence of it is the same: unfortunately, you have to furnish your verified history to every creditor rando if you want their money.


Also, they can't really verify what you give them. Income verification is already "hopefully they aren't lying" for low-risk credit cards and "we have to call their employer to verify this income" for high-risk loans like housing loans. Verifying this amongst dozens of auto loan departments and credit card operations, likely with different hours of operation, would be extremely labor intensive which is why everyone gets to pull applicant credit history from a central database to determine creditworthiness if they also contribute to that database.


You’d have loans that tie back to physical objects that can be repossessed - and the down payments would be large.

And if someone fraudulently defaulted you’d pursue criminal charges.

It’s totally workable but it would cut consumer spending considerably.

You could even still do credit cards - just require them to be backed by the amount in cash.


This is basically how things used to work. The drawback is that young people with no credit can't build credit easily. You'd be disproportionately favoring those familial lineages with assets and losing out on a huge potential customer pool.

With better centralized data it's possible to have something of a win-win where banks get more customers and people can bootstrap their own lending reputation without having the last name "Jones".

Of course there's the tradeoff that you have to trust an institution to be a good steward of that data...


What would be the negative effects of that drawback? Higher wealth inequality? Increasing age for first time home buyers?

The ability to build credit isn’t actually an advantage in and of itself. In most other lines of business, if the business tried to point to “we’ve given you more opportunities to prove yourself a worthy customer” as a perk we’d laugh at them.


The argument is that advantaged groups (privileged communities) get to build their life on credit and quickly become doctors and lawyers and such, and that denying loans to people who haven't proven the ability to repay (or who do not have people to co-sign) prevents them from getting a leg up on the pile. There's something to it.

But what we have seen is that the banks and companies prey on the disadvantaged people pretty effectively; note the absolute magnitude of student loans given to poor students for degrees that don't show a practical repayment opportunity.

And there's also the argument that easy access to very-low interest rate credit precisely is what is causing house prices to be so astronomically high - if credit isn't as available.

The overall practical result would be an increase in the cost of credit and a slowing of the economy. Disadvantaged groups could be assisted in other ways, however; the way we try to do it is not necessarily the only possible way.


The problem is in the US they're not 'credit bureaus'. They're largely unregulated and unaccountable for-profit private corporations. Couldn't buy a home or had to pay higher interest rates because one of these private credit reporting companies had inaccurate information on your credit report? Well sucks to be you and the credit reporting company is in no way liable for your loss. The fact that Experian, one of the 'big three' credit reporting corporations in the US, is offering to boost your credit score if you install their app is a damning indictment of how misguided and contrived the US credit rating system is.


You can always just keep information about ppl that don't pay their loans, instead of keeping information about ppl who did nothing wrong. This system is hellish.


If credit bureaus were only a public record of your debt and payments they would not be such an issue.


By having a local banker who makes risk assessments based on your reputation in the community and history with his bank.

Neither are perfect, I prefer privacy but I don’t know what is the socially optimal way to protect privacy and promote investment


Like Dubai for one, you don't pay your bill. You get your ass locked up pimp


Most countries don't have credit scores, so you can literally just check and see how it is done.


> How else would you do risk management for loans?

Gee, I wish there was a method for two counterparties to record a transaction publicly and pseudo anonymously so that one might be able to display a mathematical proof of satisfactory fulfillment (or not) of an agreement.

<ctrl-f blockch: no results>

Well, that’s just crazy talk


Blockchain doesn't solve this problem, it just moves the problem.


Here's a paper on how they do it in Afghanistan, absent any reliable banking infrastructure. Islamic finance in general is interesting because it rests on different ethical mores from British-style capitalism, perhaps with a view to limiting pure accumulation.

https://www.cambridge.org/core/journals/asian-journal-of-law...


> How else would you do risk management for loans? Without credit bureau where would the loan originator determine the risk of the loan? Would each individual be responsible have to store all payments and receipt of payment and submit that?

You act like this is ridiculous but the fact of the matter is that I would prefer that, because ultimately the difference agency in this situation I provide the lender my information that I control, in any other scenario my agency has been taken away by an outside group, whom I may or may not trust.

Hell imagine how different everything would be if instead of the Credit Unions working for the lenders I instead paid for a service myself that performed this service for me. The difference being one is done to me the other is done by me.


> You act like this is ridiculous but the fact of the matter is that I would prefer that, because ultimately the difference agency in this situation I provide the lender my information that I control, in any other scenario my agency has been taken away by an outside group, whom I may or may not trust.

This wouldn’t work, because borrowers would only present receipts for credit they repaid on time while withholding information about lines of credit they failed to repay.

The point of credit history is that it exposes your past payments or failure to repay. It’s not an equivalent system if borrowers can just conveniently forget to mention the other loans they didn’t repay


> It’s not an equivalent system if borrowers can just conveniently forget to mention the other loans they didn’t repay

Which is, of course, what we currently have, except it's the businesses who are able to "conveniently forget to mention" instead of the borrowers.

I pay myriad bills on time and in full every month, but only three of them--all loans--report my positive payment history to credit bureaus. Yet all of them, from mobile phone providers to landlords to utilities to insurance companies, insisted on being able to look at that payment history. They get the benefit of being able to evaluate me on an incomplete set of data; why shouldn't I get the return?

(The answer as always is that we don't have any leverage. Simply saying "well, then don't use those companies" is a non-answer when every company does it the same way and all of them lobby government to keep it that way.)


>Which is, of course, what we currently have, except it's the businesses who are able to "conveniently forget to mention" instead of the borrowers.

>I pay myriad bills on time and in full every month, but only three of them--all loans--report my positive payment history to credit bureaus

Okay, but the reason for that seems to be due to practicality reasons rather than some sort of concerted effort to oppress consumers. The types of accounts that do get reported to credit agencies (off the top of my head: credit cards, student/car/personal loans, mortgages) have one thing in common: they all have high dollar amounts in at least one of: monthly payment, total owed, and available credit. Being able to stay on top of payments and/or not get into debt spiral provides a much stronger signal about your credit worthiness than you being able to afford the $100/month electric bill. Therefore, bills typically don't get reported, and presumably that's factored in the credit models. After all, the bills that you mention are mostly mandatory (eg. utilities), so it's reasonable to assume that if you don't have any such bills sent to collection, that you got those bills and paid them on time for all of your adult life.


Many places will report a debt to collections but not also send in data that you've been making regular payments.


There is nothing stopping a company from offering credit using this strategy. They don't have to source their credit rating from an existing credit agency.

Why would someone want to give credit this way, though? If the rating is provided by a company that is paid by the person requesting credit, why would the company giving credit trust it?


And there's also a middle ground where you could subscribe to a credit agency and own the data which you could have them supply to a potential lender.


Maybe a premium paid credit agency could be a thing?


There was a very cool exhibit at the Baker Library at Harvard way back from the archives of Dun and Bradstreet that showed their 19th century version of a credit check product. It was basically just freeform notes about businesspeople like, "Joe is said to be a man of high moral virtue, though it is said that he is often delayed by family matters," or whatever. Super interesting!

https://library.harvard.edu/collections/rg-dun-company-credi...


The entirety of modern American society is built on those scores. You want life without it? Go to a developing country and suffer a life of poverty with few avenues to build your credibility - and likewise, few avenues to escape poverty.


> Seriously though, how did credit scores come about

Consumer demand.

If given the choice between a lower rate loan that utilized people’s centrally collected credit history or a higher rate loan that didn’t rely on any centralized organization, the vast majority of people would take the lower rate loan with a credit score. It wouldn’t even be close.

The bottom line is that centralized credit reporting is necessary to achieve the lowest rates. The threat of a reduced credit score is necessary to get a lot of people to pay back loans.


Meanwhile a share of Equifax stock is $198.31. It strikes me that data breaches might decrease in frequency if injured parties could choose whether to be compensated in cash or stock. If their negligence caused you to get pwned, you should get to pwn them in turn.

Former Equifax CEO Richard Smith resigned rather than being fired, and got to leave with a $90 million severance package including $18 million of pension, although the breach is estimated to have cost the firm $700 million. He still sits on the board of Docusign.


This makes no sense. Paying in stock works by either issuing new shares and diluting existing shareholders or buying the shares to give out. Either way, it's a wash between getting stock and getting cash.

If you want to see the impact, look at what share prices do the day a breach is announced and the day it settles. The impact was priced-in long before, and shareholders already felt it.


It's not a wash, because stock allows voting* and cash does not. You could also require that firms reserve a certain amount of stock as collateral against data breaches, with rules specified about its issuance, voting behavior, and distribution designed to maximize the negative impact upon existing shareholders and management. The owners and operators of a firm that extracts information as well as revenue from consumers but fails to secure such information should suffer the consequences of their negligence.

* well, not all stock allows voting, some companies have different classes of stock to prevent plebs having leverage over corporate decision-making. Since I'm making up possible rules, I'd ban that too.


Meanwhile, the stock price kept growing since. Which, once again, confirms what I commented multiple times here on HN: when you see a large company getting its personal databases breached then sued for hundreds of millions, buy its stock.

It is very sadly the only way to get some form of reparation from the damage they have done in a justice system that still sees its "job creators" as gods on earth.


Those solicitations I get in the mail to join class action suits always seem phishy to me, and I usually just throw them away. "There's a class action suit against a company you bought capacitors from 9 years ago! Give us your personal information and you may be entitled to a payout!" Uhh... no thanks, that's exactly what a scammer would say. How do people determine which ones are real, and what makes you decide to sign up?


I search for the settlement and verify that there’s a real chain of news stories around it.

Best to date was the Apple small developer settlement that paid out $8k. Previous was the Google/Apple non-compete settlement.

I’ve never bothered with the consumer-focused ones. There are always so many class members you’re lucky to get a couple bucks - as in the OP’s case.


But wouldn't a scammer try to use plausible, real class action lawsuits to scam people?

Or would a scammer use obviously fake class action lawsuits in order to filter for the stupidest people possible?

Depends on how many people fall for the scam I guess.


I don’t click on the link in the email, I find the settlement site through Google.

If the scammers can outrank the legit site, I am hosed though.


Facebook had to pay me $300. Waiting on similar from Google. Illinois' Biometric Information Privacy Act has real teeth, and if you see a tech company claiming they want federal privacy legislation, it's very likely with the goal of weaker federal laws which preempt BIPA.


Are you scared of them coming after you for a non-disclosure / non-disparagement clause? Someone who isn't me had a few of these because of breaches from other companies but can't really talk about them.



Agreed, they seem like phishes but the best I've received was ~$5K and least was $0.25.


it’s also weird because this seems like the universal style of class action lawsuits? why are they so poorly formatted in such a consistently bad way? some legal tradition?


>> How do people determine which ones are real

You can in principle look up the case numbers that should be present in the court documents explaining the settlement. Alternatively you can look it up in a public database such as [1], (also a good way to find suits you qualify for, if you so desire).

[1] https://www.consumer-action.org/lawsuits


I like the idea of a Chief Liability (or Lamb…) Officer, a person who serves with the understanding that they’ll be the person who serves prison time for the felonious crimes of the corporation

“I’d sign that purchase order, Bill, but our CLO is literally holding a gun to my head and sobbing saying it’s better this way”


Why should all the other C-levels avoid jailtime for crimes committed by the corporation they're responsible for by just having a literal official patsy? That seems like such a blatant way to put C-levels above the law for real instead of the de facto way they seem to be right now.


(Hey, friend. I meant this as a lighthearted take. I have no power to write this into law)

I don’t think at all anyone should do this cheaply haha. And imagine if the CLO told the board the other C-suite were squirreling secrets away. And individuals can always be indicted for fraud


> Why should all the other C-levels avoid jailtime

I don't care if the C-levels (other than the CEO and President of the board) go to prison. I want to see the CEO and ALL board members in prison for life with no possibility of parole.


Oh of course if the CLO runs out of statistical life another would be appointed by the board only from the existing C-suite, even if the board is part court-appointed…


Because nobody would sign the offer letter except psychopaths and idiots.


That or the desperate. Seems like there are a lot of people who'd be willing to risk spending a year or two at a company with a very high salary even if there was a chance that in that year they might end up in some minimum security prison


Yeah we’d just have to legally mandate its existence…


They already actually have that; it is called the CISO or Chief Intentional Sacrificial Officer, sometimes misinterpreted as Chief Information Security Officer.


Who is the CISO at Equifax who is currently in prison for leaking our data?


We got just the man, Barney Stinson. His job title will be PLEASE. Provide Legal Exculpation and Sign Everything.


Oh, PLEASE


That already exists and is called CEO


Who is the CEO at Equifax who is currently in prison for leaking our data?


It looks about right. I've yet to see a class action suit where the individuals get any substantial money. I've heard of one where the settlement involved coupons for the product rather than cash.


Keep in mind that class actions necessarily exist as a middle-ground mechanism. If the harm to each person were large enough, they would pursue individual claims. But in many cases, it is not worth people's time to pursue individual claims because the damage is relatively minor. A little bit of harm spread over a large enough population, however, becomes a large amount of harm in the aggregate, so class actions are a mechanism for holding companies accountable in those situations. So you would not expect individual members of the class to be getting huge payouts. But you expect that the company is held accountable for the aggregate harm in a way that, if not for class actions, they would likely never be held accountable for.


I would argue they have the opposite effect: They allow businesses a way to write off a crime with a minimal payout to some subset of the harmed individuals, in exchange for the ability to be completely absolved of future lawsuits by people who were unaware at the time.


I got $397.00 from a Facebook biometrics class action settlement in Illinois, out of a $650M settlement. But yes, definitely the exception rather than the rule.

https://www.nbcchicago.com/news/local/heres-a-look-at-all-th...


about $30 from the Plaid class-action here.


I have a high school buddy that is a big class action lawyer. When he posts about winning a big case I’m always holding back from commenting asking how much he got paid vs the folks that were actually harmed.


On one hand, yes, it's a shame that the victims rarely get anything. On the other hand, anyone is allowed to opt out and sue on their own if they want to. The problem is that very few will because it's not worth your time or money to sue someone for, say, $1000. As someone who wasn't going to take Equifax to court, I prefer an outcome where some lawyer gets rich, I get $5, and Equifax gets a $500 million dollar fine plus a commitment to spend $1 billion on overhauling their security. The alternative was Equifax getting away with a few small-scale lawsuits that would have had total payouts in the low millions.

In a more just world, Equifax would go out of business and the assets would be divided among the affected parties. The fact that that won't happen isn't your buddy's fault. At the end of the day, sure, he gets high fees, but if the lawyers in the Equifax case were to distribute their fees to victims, maybe I would have gotten $6 instead of $5? My point is, I'm mad at Equifax a lot more so than your buddy.


Maybe you can bring it up in a way that appears guileless rather than accusatory? “Nice job dude! I bet you really helped out the victims — how much did you get them?”


He would reply with big numbers: $100, $500 million, and so on. They don’t really communicate publicly in terms of the payout per capita although they do negotiate hard to increase the per capita payout (otherwise the total would be small.)


It's typically 30% of the settlement, and that's why CA litigators are the rockstars of the legal world.


All of the class actions where I've gotten back $5 or whatever have a document listing how the money is spent. Usually at least a third of it goes to the lawyers.


Right, so in such a case, if the lawyers decided to work for free and give ALL the money to the class members, you'd get back a whopping $7.50 instead of $5.00.

Really, these cases are mostly a way for lawyers to make money, because on a person-by-person basis there's just not enough money to be made in pursuing legal action, but with millions of class members, the aggregate amount is pretty high, and 20 or 33% of that for the lawyers ends up being a nice paycheck.


The court awarded attorney fees of 20% of the overall (minimum) award in this case, which came to about $77 million. This is based off a $380.5 million minimum settlement fund (under certain conditions the fund can go up to $100-something million higher).

source: https://www.equifaxbreachsettlement.com/admin/services/conne...


I was recently in a settlement for something like $4 and looked into it.

My take is basically that in many class action suits there's limited proof of wrongdoing. So it might not make it to court, and if it did make it to court it might be thrown out. Companies pay out since they aren't sure either, but not for the full amount. The lawyers are investing in a suit with unstable ground.

Because it's so wishy-washy there just isn't much money in it, and in consequence the payouts are limited.

So I'm not sure there's a better way to do it. I do wish the lawyers were more upfront about the above in their messaging to class members (like, "we don't have enough definite evidence to get a conviction, but enough that it's risky for the company, so we can settle for a lower amount") as well as how much it will actually mean per individual, what consequences are likely for the company if the suit succeeds, etc.

Not a lawyer (obviously) so if anyone has better info I'd be interested.


My guess is that very sentence would be used as evidence in court - “see, even they don’t think they have enough to win!”

Leverage in court, so it’d be used to lessen payouts.


I was happy with the amount received from this one: https://www.digitalmusicnews.com/2021/08/27/apple-class-acti...


I got like $180 from Arco gas stations because they were charging 50 cents to pay at the pump with a debit card but weren't disclosing it.

I literally bought Arco gas ONCE, and it was only a couple gallons to top off a U-Haul after a short move.

I thought it was insane that the payout was so high.


It’s usually only 1 year of identity theft monitoring from some cheap under-equipped company to actually do anything about it!


Equifax comes to mind.


Apple Keyboard Settlement is targeting $300+ for people who had multiple repairs (free repairs) on their keyboards.


IIRC, there’s three different tiers on this settlement, most fall within Tiers 1 ($50) and 2 ($150) and fewer will get the $250-300.


I had a 2016 MacBook Pro that was repaired 4 times over 4 years (all free repairs) so I should get the full settlement.

In all cases, repairs were covered for the first 4 years so most of them should've been done for free, the settlement is purely for compensating time and effort.


Red bull


PayPal finally has a purpose… receiving all these settlements. Plaid’s recent settlement was a decent $35 which is about what it costs to get a new drivers license ¯\_(ツ)_/¯


I also received my payout via PayPal but did not receive a notification so it sat in my account for several weeks. Was this intentional? I typically always receive notification when money hits my PP account...


I received an alert, so it may not be intentional that you didn't see anything (or an accident that I did). Paid for 1.25 months of GitHub since I don't tend to use PayPal for much else.


Interesting - yeah I just happened to log in to my account and see it there, I basically only use PP for receiving settlement checks at this point :)


I didn’t get any notification for the Plaid payout, probably an exclusive service for the courthouse clients to keep the payout out of the news cycle?


They are most likely going to leak the list of people that requested the breach settlement checks :)


Risk management lawyers earned their millions, it seems. Hard to stay optimistic when nobody is holding big players accountable for hurting people.


I didn't get around to it, but with one of the class action suits over a breach, I wanted to object to the settlement because it mostly made the lawyers money, and, judging by how many breaches keep happening, doesn't provide enough incentive for companies to take security seriously. If more people objected to settlements, judges might pay more attention.


I got an email that says I could collect my 5 bucks, but it and the website it links to look incredibly shady and despite seemingly confirming their legitimacy with a bit of googling there’s no way I’m giving them any information for 5 bucks.


Mine was a grand $3.52. A far sight less than the $125 that was reported a few years ago. I still wonder where that number went.

As far as class action based on actual damage and aggregations thereof. I believe that may be a strategy, unfortunately most of those end up going to government entities. So the very people who will not legislate statute to protect you will be in the same organization as the Attorneys General that will sue the firms and receive the damages...


$5.21 should be enough to buy a new identity on the darkweb and rotate to it. For maximal security you should make sure to rotate your identity every 18 months.


When I got my credit report, I found that Equifax had recorded the previous selling price for my house. That... really makes me uncomfortable, and you have to ask the obvious: will lenders use the value of my house to decide if I'm credit-worthy?


TransUnion, Equifax, etc. all have their own proprietary scoring algorithm which could already be using this data to compute your score. I used to work at one of these places - any bit of data they can use to enhance their score, they will try.


Mine was $22.50. Why the difference?


You were allowed to bill for time you spent trying to repair Equifax’s damage. I spent 4-6 hours trying to verify all my various private banking details were still safe, so Equifax was happy to pay me for what they thought my time was worth (so I received like $19 instead of $5 lmao).


I got about 3x what the OP got, but less than this. The payout schedule is probably published somewhere or at least as part of the settlement agreement.


Interesting, mine was also exactly $5.21.


Did you do the default payment or try to itemize?


Default, I think.


If our government wasn’t a corrupt shit show they would have been shut down over what they did, or at least their ability to manage the general public’s data. $5 what an insult.


Mine got sent to an ancient address, and as far as I can tell there's no way to update the address or have them resend it.

Oh well...


Just curious: are these actual physical checks, on paper and everything?


An email was sent in October asking if you would like a Paypal transfer or e-gift card instead of a check.


Are you allowed to actually cash them or is it like a Knuth check that it’s rude?


They denied my claim for no reason.


Dang, I recently got a $500 check for a HIPAA violation from a data breach.


Wouldn’t it make more sense for these payouts to be consolidated and donated to a non-profit (humanitarian) org? Considering the overhead of processing all these “micro” payments. Assuming most people got a few dollars payout. Or at least give people the option to opt out of the payout.


How did they calculate the value? I got one for $25 and some change


You’re rich! Time to buy an island and retire in style


Interesting, I got my $22.82 last month... why'd you have to wait longer to get less than me?


I requested mine but never received it...


How much did the lawyers get?


Usually the lawyers make most of the money.

My favorite is that in church sexual abuse scandals the victims see close to no money, but the lawyers always get paid.


Got mine today as well, $17


$40.44!


Is this taxable income?


I got $7.05!


And no executives went to prison for the breach. We do not have justice in this country, but also realize this is not going to change.



