> White Paper
The Data Matching Game:
Enabling Customer Data Integration and
Protecting Consumer Privacy
October 2008
Table of Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1
What’s Your Phone Number? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1
Mary Johnson and the “Privacy vs. Accuracy” Challenge . . . . . . .2
How to Win the Data Matching Game . . . . . . . . . . . . . . . . . . . . . . .3
Consumer Credit Data and the GLB Act . . . . . . . . . . . . . . . . . . . . . .4
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
Introduction
To comply with privacy rules that seek to protect consumer
interests, businesses must consistently and accurately recognize
records associated with the consumer. That task is fraught with
complexities, especially for businesses that manage consumer
information across multiple databases and products.
Organizational and technological “silos” create barriers to
matching information in disparate places. A few examples of
questions a business may need to resolve:
• Is J. Patterson the same person as John Patterson?
• Are records for Julie Banks (maiden name) and Julie Watson
(married name) accurately linked?
• Are records for Mark Adams at his old address and new address
accurately matched?
To accurately identify consumers, businesses are increasingly
relying on reference-based matching systems that use unique
identifiers to recognize and integrate dissimilar records. The
challenge for providers of reference-based matching systems is to
comply with privacy legislation while supplying businesses with
the most accurate and reliable information afforded by law.
The foundation of most reference-based matching systems is
“credit header” data that links information in a credit report to a
particular individual. Credit headers enable Customer Data
Integration (CDI), ensuring both the privacy and security of
consumers.
This paper explores two requirements that sometimes are in
conflict: the business’s need for accurate identity information and
the privacy rights of consumers. The paper explains how businesses
can use reference-based matching systems to favorably resolve the
privacy-versus-accuracy challenge.
What’s Your Phone Number?
Consumers are routinely asked to provide data about themselves
to conduct business transactions.
Consider your own daily experiences. The department store clerk
wants to know your phone number. The cashier at a toy store asks
for your zip code. When you call your bank, the customer service
representative wants you to verify your address — and the last four
digits of your Social Security number.
Businesses invest heavily on systems that capture, store, and
1
analyze the data they collect about their customers and prospects.
Uses of the data are broad:
• Loyalty programs track purchases and encourage future
transactions.
• Surveys gather demographic information and insight into
shopping trends.
• Return activity is monitored to prevent losses and control abuses.
• Analysis of what is being purchased regionally helps businesses
to manage inventory and improve logistics.
• Telephone numbers, addresses and Social Security numbers
are used to recognize customers and provide customer service
support.
• Analysis of consumers’ in-store behavior helps store managers to
improve sales through better placement of complimentary
merchandise.
How can a business use consumer data to improve profitability and
customer satisfaction, while at the same time protecting consumer
privacy? Many consumers fear that simply accepting a preapproved credit offer or requesting a catalog will result in waves of
unwanted offers and solicitations. And with increasing concerns
over identity theft, consumers worry about proliferating access to
their personal information.
Mary Johnson and the “Privacy vs. Accuracy”
Challenge
Concern for the protection of consumer privacy sparked moves to
regulate how companies can share data and contact consumers.
Enacted in 1999, the Gramm-Leach-Bliley Act (“GLB Act”)
provides privacy protections for consumers by regulating how
financial institutions can share nonpublic personal information,
such as name, Social Security number and address information.
The GLB Act requires issuance of privacy notices, which, with
some exceptions, give consumers the right to “opt-out” and
disallow the sharing of their nonpublic personal information with
nonaffiliated third parties.
To comply with privacy regulation, companies face the substantial
challenge of accurately identifying consumers. Many businesses
manage their customer information across multiple databases,
product lines and portfolios. Consequently, personal information
resides in various data silos that can’t communicate with each
other, vastly complicating the task of identifying consumers
accurately and consistently.
2
The unstable nature of data compounds the problem. Data entry is
an error-prone process; names and addresses change frequently
due to marriage, divorce and relocations. Is Mary V. Johnson in
Dallas the same Mary V. Johnson as the one in Irving, a Dallas
suburb? Can Mary Johnson’s bank recognize that she has two credit
cards it issued, one to M. V. Johnson and one to Mary V. Johnson,
each at different addresses? If she opts-out of further solicitations
and the sharing of her nonpublic personal information with
nonaffiliated third parties, will the bank implement her choices
and protect her privacy?
How to Win the Data Matching Game
Names and addresses
frequently change due to
marriage, divorce and
relocations.
Is “M. Johnson” the
same individual as
“Mary Johnson?”
Businesses now have access to Customer Data Integration (CDI)
tools specifically designed to help them deal with how consumer
records are recognized and integrated. CDI is at the heart of efforts
to consolidate and integrate customer information into a single,
holistic view of the customer.
With CDI tools, businesses gain the ability to accurately match
records in disparate data. Algorithms and one-to-one or string
matching, the traditional methods for data matching, often fail to
link together dissimilar records.
Reference-based technology provides a more advanced form of
data matching used to identify consumers. Reference-based
matching systems employ large databases housing the name and
address information of millions of consumers.
Users of this technology provide names and addresses for matching
with the names and addresses in the reference database. When a
user-submitted name and address produces a match, the service
provider returns to the user a unique identifier or “key” that
identifies this consumer within the reference database. With these
keys, users can identify individuals across business products,
channels and databases, regardless of name or address change. The
bank mentioned earlier would therefore recognize that Mary V.
Johnson and M. V. Johnson are the same individual because both
have the same key. The bank benefits by gaining a single view of its
customer, and Ms. Johnson is spared from unwanted solicitations
and phone calls.
Several reference-based matching systems and services are
available in the marketplace. A major differentiator is the
robustness and accuracy of the data that resides in the reference
database.
The credibility and depth of the data is essential to providing an
accurate match. A larger database with more history can be
expected to have greater accuracy, resulting in fewer unwanted
mailings and solicitations, unwanted information sharing, and
3
consumer recognition errors. For example, reference databases with
several years of address history enable users to identify consumers
who have multiple addresses or who have moved frequently.
Often these reference databases include data from surveys,
marketing lists and other public data sources. Since these sources
can often contain inaccuracies, providers of CDI services seek to
augment the database with more reliable data sources. One such
source is “credit header data”— the consumer identification
information located within the header portion of the consumer
credit file.
In addition, credit header data includes actual account information
provided to consumer credit reporting companies for various
purposes.
Credit headers provide an excellent, reliable source of name and
address information. By incorporating historical credit header data,
the identification information of individuals can be linked even
though their names and addresses have changed over the years.
Consumer Credit Data and the GLB Act
Credit header data is a coveted, yet highly regulated, source of
information. Any company that uses credit header data as part of its
reference-based matching product must comply with laws
regarding how the data can be used.
The GLB Act specifies how the data can be used by financial
institutions and third parties receiving the data for various purposes.
Regardless of the type of data found within the reference database,
any financial institution that transmits nonpublic personal
information to a company for assigning a unique key or identifier
must comply with the GLB Act. The Act’s definition of “nonpublic
personal information” includes basic identifying information about
individuals, such as name, Social Security number, address,
telephone number, mother’s maiden name, and prior addresses.
The GLB Act limits financial institutions from sharing consumer
information with a third party. Financial institutions are broadly
defined to include banks, lenders, insurers, loan brokers, and credit
reporting agencies. Before a financial institution can share protected
information, it must provide a notice that gives the consumer an
opportunity to opt out. The Act has various exceptions that allow
nonpublic personal information to be provided to, and used by,
third parties without having to provide a notice and an opt-out. In
general, the exceptions allow the use of nonpublic personal
information for consumer reporting (pursuant to the Fair Credit
Reporting Act), fraud protection, law enforcement and regulatory
or self-regulatory purposes.
4
The GLB Act also requires financial institutions to implement
appropriate physical, technical and procedural safeguards to
protect the security and integrity of information they receive from
customers, directly or indirectly. The Federal Trade Commission
has broad discretion to interpret the GLB Act’s statutory definitions.
As FTC Commisioner Jon Leibowitz noted in his May 11, 2006
statement before the House Subcommittee on Commerce, Trade
and Consumer Protection, the FTC has a Safeguards Rule requiring
financial institutions to have a written information security plan
that describes their procedures to protect customer information.
Equifax believes that the use, consistent with contractual
requirements, of keys derived from a reference database
incorporating credit header information is within GLB
requirements. Other than the key itself, no other information
within the reference database is disclosed or distributed to users.
The use of keys can impact a variety of activities that enable
the business to communicate, manage and process customer
transactions — such as when a consumer applies for credit,
authorizes a purchase, or requests a credit increase.
By using the key in its front and back office operations, a company
can streamline its operations and facilitate consumer transactions.
When the business markets its own products and services to
current customers or prospects, the keys protect the integrity of the
institution and help prevent actual or potential fraud.
Businesses are finding many fine advantages to using these keys.
Applications and benefits include:
• Compliance with the consumer’s “opt-out” requests, as required
by various federal and state laws, such as the GLB Act. These
requests can involve email solicitations, do-not-call lists, and
invitations to apply for a product or service. To comply with such
opt-out instructions of the consumer, a company must have
effective ways to fully identify a consumer across all marketing
channels, products and operations.
• Fraud protection. Better identification measures will help prevent
actual or potential fraud and prevent unauthorized transactions.
By having a unique identifier for each customer or prospect, a
business can greatly increase its ability to identify the misuse of
personal information, such as having a single Social Security
number associated with multiple names.
• Responsiveness to requests from law enforcement or regulatory
authorities. Accurate information about a consumer’s financial
relationships with an organization is essential to help law
enforcement respond to suspicious and illegal activity.
5
• Meeting legal responsibilities. Data-matching processes are
essential in fulfilling “know your customer” obligations,
including identity verification and anti-money laundering
requirements of the USA PATRIOT Act. In the subprime lending
environment, lenders may be required to exercise additional
diligence in understanding the consumer’s relationships with the
organization.
Only by recognizing
their customers can
businesses provide highly
valued customer service
and protect against
losses. Such losses are
not necessarily related
to fraud.
With a reliable source of data covering several years of name-andaddress history, a business gains the means to protect its own
interests while preserving the privacy and security of consumers.
Reference-based data matching provides the ability to accurately
recognize a consumer by using a unique identifier at the point of
sale or service. The business or lender can thereby validate a
consumer’s identity claims and discover what other relationships
the consumer has with the organization.
Using credit header data in a private and confidential manner
allows for added security by providing the ability to identify the
potential misuse of Social Security numbers. In a case of fraud,
criminals will appropriate Social Security numbers to establish new
lines of credit. With Social Security numbers residing in a historical
reference database, businesses can identify and track all names
and/or addresses associated with a single Social Security number.
Only by recognizing their customers can businesses provide highly
valued customer service and protect against losses. Such losses are
not necessarily related to fraud. For example, companies in the
telecommunications industry often have difficulty recognizing
former customers among new applicants. Using a unique key from
a reference-based technology, the telecommunications company can
match the new applicant information to internal customer records.
The company can then determine if it should establish service with
the new applicant immediately or collect a previous debt first.
Summary
Complying with privacy rules that seek to protect consumer
interests requires businesses to consistently and accurately
recognize the consumer. To do so, businesses are increasingly
relying on reference-based matching systems that utilize the most
accurate and reliable information afforded by law. Credit header
data is a significant part of a foundation that enables Customer Data
Integration, which ensures the privacy and security of consumers.
6
Contact Information
Equifax Inc. is a global leader in information technology that
enables and secures global commerce with consumers and
businesses. We are one of the largest sources of consumer and
commercial data. Utilizing our databases, advanced analytics and
proprietary enabling technology, we provide real-time answers for
our customers. This innovative ability to transform information
into intelligence is valued by customers across a wide range of
industries and markets.
Headquartered in Atlanta, Georgia, Equifax employs approximately
4,700 people in 13 countries throughout North America, Latin
America and Europe. Equifax was founded 109 years ago, and
today is a member of Standard & Poor's (S&P) 500® Index. Our
common stock is traded on the New York Stock Exchange under the
symbol EFX.
Equifax offers a wide array of risk, collections, and marketing
tools for managing portfolios of all sizes and types. Visit
http://www.equifax.com/consumer/marketing for additional details.
Equifax Inc.
1550 Peachtree Street, NW
Atlanta, Georgia 30309
www.equifax.com
1-800-879-1025
This publication contains many of the valuable trademarks, service marks, names, titles,
logos, images, designs, copyrights and other proprietary materials owned, registered and
used by Equifax Inc. and its affiliated companies, including but not limited to the registered
mark “Equifax”; any unauthorized use of same is strictly prohibited and all rights are
reserved by Equifax Inc. and its affiliated companies. All other trademarks and service
marks not owned by Equifax Inc. or its affiliated companies that appear in this publication
are the property of their respective owners. Copyright © 2008, Equifax Inc., Atlanta, Georgia.
All rights reserved.
7
Equifax is a registered trademark of Equifax Inc. Inform, Enrich,
Empower is a trademark of Equifax Inc. Copyright © 2008, Equifax
Inc., Atlanta, Georgia. All rights reserved. Printed in the U.S.A.
EFS-838-ADV—10/08