---

@Anonymous wrote:

When deveop a credit score model, a client sends a group of consumer ids to credit bureau (for example, Experian). The bureu will append credit history related information to the file and then explictly asks the client to destroy the sequence number in the file (used to identify individual consumer) when it returns the file. See below from Experian website.

 

"If you have a database of customer identiEcation that contains

performance data and demographic data, you may assign a sequence number to each Ele. You must

certify that you have destroyed the link between consumer identiEcation information and the

sequence number before Experian will return the appended credit data."

 

What is the relationale behind this process? 

 

---

I can't say for certainty based on just the above, but there are a lot of regulations out there regarding the handling of confidential information, particularly in the areas of payment cards/finance or health.

Linking personally-identifiable information with payment/credit information exposes someone to a lot of additional legal and IT security requirements. It's not uncommon, particularly in PCI (payment card information), to do similar things to detach and disassociate personally-identifying information from payment information to avoid the risks of failing to meet PCI compliance.

Experian deals with PCI companies frequently so they're probably doing this to avoid having to meet PCI or another such regulation.

FCRA 604 specifies that a CRA may provide credit reports only under the identified cirsumstances, and no other.

The development of a party of credit scoring models is not an identified permissible purpose under FCRA 604.

Identifiction of account specific information linked to a consumer is a consumer credit report, and thus providing such information without removing any link to an identified consumer is an express violation of FCRA 604.

§ 607.  Compliance procedures [15 U.S.C. § 1681e]

(a)        Identity and purposes of credit users. Every consumer reporting agency shall maintain reasonable procedures designed to avoid violations of sec-tion 605 [§ 1681c] and to limit the furnishing of consumer reports to the purposes listed under section 604 [§ 1681b] of this title. These procedures shall require that prospective users of the information identify themselves, certify the purposes for which the information is sought, and certify that the information will be used for no other purpose. Every consumer reporting agency shall make a reasonable effort to verify the identity of a new prospective user and the uses certified by such prospective user prior to furnishing such user a consumer report. No consumer reporting agency may furnish a consumer report to any person if it has reasonable grounds for believing that the consumer report will not be used for a purpose listed in section 604 [§ 1681b] of this title.

§ 619. Obtaining information under false pretenses [15 U.S.C. § 1681q]

Any person who knowingly and willfully obtains information on a consumer from a consumer reporting agency under false pretenses shall be fined under title 18, United States Code, imprisoned for not more than 2 years, or both.

§ 620. Unauthorized disclosures by officers or employees [15 U.S.C. § 1681r]

Any officer or employee of a consumer reporting agency who knowingly and willfully provides information concerning an individual from the agency’s files to a person not authorized to receive that information shall be fined under title 18, United States Code, imprisoned for not more than 2 years, or both.