[nugget]

CRAs maintain consumer credit scores which support consumer borrowing and lending - a large part of the US financial system. Experian could have (and perhaps should have) been disbanded after their data breach, but if you disband the category, who or what replaces it to track consumer creditworthiness?

Beyond credit scores, there's been a proliferation of "Know Your Customer" (KYC) requirements to reduce fraud and money laundering. The most common form of KYC is called "Knowledge Based Authentication" (KBA). This is when they ask you a series of multiple choice questions about previous addresses, schools, and employers. You usually have to get 4 out of 5 right to "pass". I paid cash for a new car from a Jeep dealership - before they'd complete the transaction, I had to pass KBA from Experian. I believe it was a state law that imposed the requirement.

I don't think it's practical to argue for the extinction of CRAs as a category. I do think it's practical to give consumers more control over their data - what is stored and where it goes. I've been tinkering on solutions for this, as have quite a few others in the data privacy community as well.

[wmf]

I think the existence of KBA is kind of an anti-pattern compared to Estonia-style identity. If we respected our privacy and never let data brokers collect all that information in the first place then KBA would never have been invented.

[nugget]

I did find it odd that the dealership couldn't accept my state-issued ID for ID validation. Maybe there's some regulatory capture at work there. Even if state-issued ID docs were accepted, that would solve for KYC but not for credit scoring.