> White Paper The Data Matching Game: Enabling Customer Data Integration and Protecting Consumer Privacy October 2008
Table of Contents Introduction..............................................1 What s Your Phone Number?................................1 Mary Johnson and the Privacy vs. Accuracy Challenge.......2 How to Win the Data Matching Game.......................3 Consumer Credit Data and the GLB Act......................4 Summary.................................................6
Introduction To comply with privacy rules that seek to protect consumer interests, businesses must consistently and accurately recognize records associated with the consumer. That task is fraught with complexities, especially for businesses that manage consumer information across multiple databases and products. Organizational and technological silos create barriers to matching information in disparate places. A few examples of questions a business may need to resolve: Is J. Patterson the same person as John Patterson? Are records for Julie Banks (maiden name) and Julie Watson (married name) accurately linked? Are records for Mark Adams at his old address and new address accurately matched? To accurately identify consumers, businesses are increasingly relying on reference-based matching systems that use unique identifiers to recognize and integrate dissimilar records. The challenge for providers of reference-based matching systems is to comply with privacy legislation while supplying businesses with the most accurate and reliable information afforded by law. The foundation of most reference-based matching systems is credit header data that links information in a credit report to a particular individual. Credit headers enable Customer Data Integration (CDI), ensuring both the privacy and security of consumers. This paper explores two requirements that sometimes are in conflict: the business s need for accurate identity information and the privacy rights of consumers. The paper explains how businesses can use reference-based matching systems to favorably resolve the privacy-versus-accuracy challenge. What s Your Phone Number? Consumers are routinely asked to provide data about themselves to conduct business transactions. Consider your own daily experiences. The department store clerk wants to know your phone number. The cashier at a toy store asks for your zip code. When you call your bank, the customer service representative wants you to verify your address and the last four digits of your Social Security number. Businesses invest heavily on systems that capture, store, and 1
analyze the data they collect about their customers and prospects. Uses of the data are broad: Loyalty programs track purchases and encourage future transactions. Surveys gather demographic information and insight into shopping trends. Return activity is monitored to prevent losses and control abuses. Analysis of what is being purchased regionally helps businesses to manage inventory and improve logistics. Telephone numbers, addresses and Social Security numbers are used to recognize customers and provide customer service support. Analysis of consumers in-store behavior helps store managers to improve sales through better placement of complimentary merchandise. How can a business use consumer data to improve profitability and customer satisfaction, while at the same time protecting consumer privacy? Many consumers fear that simply accepting a preapproved credit offer or requesting a catalog will result in waves of unwanted offers and solicitations. And with increasing concerns over identity theft, consumers worry about proliferating access to their personal information. Mary Johnson and the Privacy vs. Accuracy Challenge Concern for the protection of consumer privacy sparked moves to regulate how companies can share data and contact consumers. Enacted in 1999, the Gramm-Leach-Bliley Act ( GLB Act ) provides privacy protections for consumers by regulating how financial institutions can share nonpublic personal information, such as name, Social Security number and address information. The GLB Act requires issuance of privacy notices, which, with some exceptions, give consumers the right to opt-out and disallow the sharing of their nonpublic personal information with nonaffiliated third parties. To comply with privacy regulation, companies face the substantial challenge of accurately identifying consumers. Many businesses manage their customer information across multiple databases, product lines and portfolios. Consequently, personal information resides in various data silos that can t communicate with each other, vastly complicating the task of identifying consumers accurately and consistently. 2
The unstable nature of data compounds the problem. Data entry is an error-prone process; names and addresses change frequently due to marriage, divorce and relocations. Is Mary V. Johnson in Dallas the same Mary V. Johnson as the one in Irving, a Dallas suburb? Can Mary Johnson s bank recognize that she has two credit cards it issued, one to M. V. Johnson and one to Mary V. Johnson, each at different addresses? If she opts-out of further solicitations and the sharing of her nonpublic personal information with nonaffiliated third parties, will the bank implement her choices and protect her privacy? Names and addresses frequently change due to marriage, divorce and relocations. Is M. Johnson the same individual as Mary Johnson? How to Win the Data Matching Game Businesses now have access to Customer Data Integration (CDI) tools specifically designed to help them deal with how consumer records are recognized and integrated. CDI is at the heart of efforts to consolidate and integrate customer information into a single, holistic view of the customer. With CDI tools, businesses gain the ability to accurately match records in disparate data. Algorithms and one-to-one or string matching, the traditional methods for data matching, often fail to link together dissimilar records. Reference-based technology provides a more advanced form of data matching used to identify consumers. Reference-based matching systems employ large databases housing the name and address information of millions of consumers. Users of this technology provide names and addresses for matching with the names and addresses in the reference database. When a user-submitted name and address produces a match, the service provider returns to the user a unique identifier or key that identifies this consumer within the reference database. With these keys, users can identify individuals across business products, channels and databases, regardless of name or address change. The bank mentioned earlier would therefore recognize that Mary V. Johnson and M. V. Johnson are the same individual because both have the same key. The bank benefits by gaining a single view of its customer, and Ms. Johnson is spared from unwanted solicitations and phone calls. Several reference-based matching systems and services are available in the marketplace. A major differentiator is the robustness and accuracy of the data that resides in the reference database. The credibility and depth of the data is essential to providing an accurate match. A larger database with more history can be expected to have greater accuracy, resulting in fewer unwanted mailings and solicitations, unwanted information sharing, and 3
consumer recognition errors. For example, reference databases with several years of address history enable users to identify consumers who have multiple addresses or who have moved frequently. Often these reference databases include data from surveys, marketing lists and other public data sources. Since these sources can often contain inaccuracies, providers of CDI services seek to augment the database with more reliable data sources. One such source is credit header data the consumer identification information located within the header portion of the consumer credit file. In addition, credit header data includes actual account information provided to consumer credit reporting companies for various purposes. Credit headers provide an excellent, reliable source of name and address information. By incorporating historical credit header data, the identification information of individuals can be linked even though their names and addresses have changed over the years. Consumer Credit Data and the GLB Act Credit header data is a coveted, yet highly regulated, source of information. Any company that uses credit header data as part of its reference-based matching product must comply with laws regarding how the data can be used. The GLB Act specifies how the data can be used by financial institutions and third parties receiving the data for various purposes. Regardless of the type of data found within the reference database, any financial institution that transmits nonpublic personal information to a company for assigning a unique key or identifier must comply with the GLB Act. The Act s definition of nonpublic personal information includes basic identifying information about individuals, such as name, Social Security number, address, telephone number, mother s maiden name, and prior addresses. The GLB Act limits financial institutions from sharing consumer information with a third party. Financial institutions are broadly defined to include banks, lenders, insurers, loan brokers, and credit reporting agencies. Before a financial institution can share protected information, it must provide a notice that gives the consumer an opportunity to opt out. The Act has various exceptions that allow nonpublic personal information to be provided to, and used by, third parties without having to provide a notice and an opt-out. In general, the exceptions allow the use of nonpublic personal information for consumer reporting (pursuant to the Fair Credit Reporting Act), fraud protection, law enforcement and regulatory or self-regulatory purposes. 4
The GLB Act also requires financial institutions to implement appropriate physical, technical and procedural safeguards to protect the security and integrity of information they receive from customers, directly or indirectly. The Federal Trade Commission has broad discretion to interpret the GLB Act s statutory definitions. As FTC Commisioner Jon Leibowitz noted in his May 11, 2006 statement before the House Subcommittee on Commerce, Trade and Consumer Protection, the FTC has a Safeguards Rule requiring financial institutions to have a written information security plan that describes their procedures to protect customer information. Equifax believes that the use, consistent with contractual requirements, of keys derived from a reference database incorporating credit header information is within GLB requirements. Other than the key itself, no other information within the reference database is disclosed or distributed to users. The use of keys can impact a variety of activities that enable the business to communicate, manage and process customer transactions such as when a consumer applies for credit, authorizes a purchase, or requests a credit increase. By using the key in its front and back office operations, a company can streamline its operations and facilitate consumer transactions. When the business markets its own products and services to current customers or prospects, the keys protect the integrity of the institution and help prevent actual or potential fraud. Businesses are finding many fine advantages to using these keys. Applications and benefits include: Compliance with the consumer s opt-out requests, as required by various federal and state laws, such as the GLB Act. These requests can involve email solicitations, do-not-call lists, and invitations to apply for a product or service. To comply with such opt-out instructions of the consumer, a company must have effective ways to fully identify a consumer across all marketing channels, products and operations. Fraud protection. Better identification measures will help prevent actual or potential fraud and prevent unauthorized transactions. By having a unique identifier for each customer or prospect, a business can greatly increase its ability to identify the misuse of personal information, such as having a single Social Security number associated with multiple names. Responsiveness to requests from law enforcement or regulatory authorities. Accurate information about a consumer s financial relationships with an organization is essential to help law enforcement respond to suspicious and illegal activity. 5
Meeting legal responsibilities. Data-matching processes are essential in fulfilling know your customer obligations, including identity verification and anti-money laundering requirements of the USA PATRIOT Act. In the subprime lending environment, lenders may be required to exercise additional diligence in understanding the consumer s relationships with the organization. Only by recognizing their customers can businesses provide highly valued customer service and protect against losses. Such losses are not necessarily related to fraud. With a reliable source of data covering several years of name-andaddress history, a business gains the means to protect its own interests while preserving the privacy and security of consumers. Reference-based data matching provides the ability to accurately recognize a consumer by using a unique identifier at the point of sale or service. The business or lender can thereby validate a consumer s identity claims and discover what other relationships the consumer has with the organization. Using credit header data in a private and confidential manner allows for added security by providing the ability to identify the potential misuse of Social Security numbers. In a case of fraud, criminals will appropriate Social Security numbers to establish new lines of credit. With Social Security numbers residing in a historical reference database, businesses can identify and track all names and/or addresses associated with a single Social Security number. Only by recognizing their customers can businesses provide highly valued customer service and protect against losses. Such losses are not necessarily related to fraud. For example, companies in the telecommunications industry often have difficulty recognizing former customers among new applicants. Using a unique key from a reference-based technology, the telecommunications company can match the new applicant information to internal customer records. The company can then determine if it should establish service with the new applicant immediately or collect a previous debt first. Summary Complying with privacy rules that seek to protect consumer interests requires businesses to consistently and accurately recognize the consumer. To do so, businesses are increasingly relying on reference-based matching systems that utilize the most accurate and reliable information afforded by law. Credit header data is a significant part of a foundation that enables Customer Data Integration, which ensures the privacy and security of consumers. 6
Contact Information Equifax Inc. is a global leader in information technology that enables and secures global commerce with consumers and businesses. We are one of the largest sources of consumer and commercial data. Utilizing our databases, advanced analytics and proprietary enabling technology, we provide real-time answers for our customers. This innovative ability to transform information into intelligence is valued by customers across a wide range of industries and markets. Headquartered in Atlanta, Georgia, Equifax employs approximately 4,700 people in 13 countries throughout North America, Latin America and Europe. Equifax was founded 109 years ago, and today is a member of Standard & Poor's (S&P) 500 Index. Our common stock is traded on the New York Stock Exchange under the symbol EFX. Equifax offers a wide array of risk, collections, and marketing tools for managing portfolios of all sizes and types. Visit http://www.equifax.com/consumer/marketing for additional details. Equifax Inc. 1550 Peachtree Street, NW Atlanta, Georgia 30309 www.equifax.com 1-800-879-1025 This publication contains many of the valuable trademarks, service marks, names, titles, logos, images, designs, copyrights and other proprietary materials owned, registered and used by Equifax Inc. and its affiliated companies, including but not limited to the registered mark Equifax ; any unauthorized use of same is strictly prohibited and all rights are reserved by Equifax Inc. and its affiliated companies. All other trademarks and service marks not owned by Equifax Inc. or its affiliated companies that appear in this publication are the property of their respective owners. Copyright 2008, Equifax Inc., Atlanta, Georgia. All rights reserved. 7
Equifax is a registered trademark of Equifax Inc. Inform, Enrich, Empower is a trademark of Equifax Inc. Copyright 2008, Equifax Inc., Atlanta, Georgia. All rights reserved. Printed in the U.S.A. EFS-838-ADV 10/08