The Explanations Edition: Equifax, Apple and Square

Data Dive: Intuit, Zillow And Amazon

All eyes were on the sky last week, as most of the Southeastern United States braced for Hurricane Irma. And, as post-Harvey rebuilding assessments are ongoing in Houston, our thoughts and prayers are with everyone, especially the rescue workers and first responders who are now tending to the situation in Florida.

But not even apocalyptic weather can stop payments and commerce news. Last week was another one for the record books — literally, as Equifax managed to vault itself into the elite union of major organizations that have found themselves, and their customers, on the wrong side of a data breach. The world got its first peek at Apple Pay Cash in advance of the main event on Sept. 12, when everyone will get to meet the latest and greatest addition to the iPhone family. Finally, Square became the latest FinTech provider to make its move into banking.

 

The Big Equifax Hack

In the words of the American poetess Britney Spears: Oops, they did it again.

Cybercriminals have managed to snag the personal information — including such useful tidbits as names, birthdays and Social Security numbers — of 143 million Americans, and the credit card numbers of another 209,000 for good measure.

Equifax is the firm that managed to cough up all that data. In a press release detailing the cybercrime, the company said hackers potentially exploited a U.S. website application vulnerability to gain access to certain files.

Based on an internal investigation, the data breach occurred from mid-May through July 2017, with no evidence of unauthorized activity in Equifax’s consumer or commercial credit reporting databases, the company said in the news release.

In some cases, hackers seemed to have put their grubby cyberclaws on drivers’ license numbers — data that is particularly useful in breaching mobile bank accounts.

The company also reported that 209,000 U.S. consumer accounts were accessed by the hackers, as well as certain documents with personal identifying information for approximately 182,000 U.S. consumers. As part of its investigation, Equifax also identified unauthorized access to limited personal information for some U.K. and Canadian residents.

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” said Chairman and Chief Executive Officer Richard F. Smith in the release. “I apologize to consumers and our business customers for the concern and frustration this causes. We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident.”

Equifax said that as soon as it discovered the cybercrime on July 29, the company immediately moved to stop the intrusion and engaged an independent cybersecurity firm.

As if being breached wasn’t bad enough, Equifax drew further press scrutiny when it was reported that three company executives took the time to unload almost $1.8 million worth of stock shortly after the company discovered the breach — but before the massive hack was made public. The trades were not part of a scheduled action, though the firm claimed that the trio had not yet been informed of the data breach at the time of the sale.

Bloomberg reports that regulatory findings indicate that CFO John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. Information Solutions, exercised options to dispose of stock worth $584,099. Rodolfo Ploder, president of Workforce Solutions, sold $250,458 worth of stock on Aug. 2.

Heck of a coincidence.

Equifax also said that the company has notified law enforcement and is working with authorities. The inquiry is expected to be completed in a couple of weeks. Until that time, Equifax is offering customers the opportunity to enroll in one year of free credit monitoring — a move that has been widely deemed insufficient given the scope of the breach — and an online portal where they can determine if their data has been exposed. These perks are offered in exchange for customers waiving their rights to join a class-action lawsuit.

 

Apple’s Early First Looks
 
The big day is on Tuesday (Sept. 12) — when everyone will get to see if the iPhone 8 lives up to all the 10-year anniversary hype that has been generated over the past year. Preliminary signs point to “no,” but the early chatter about Apple products has a long and glorious history of being wrong in every direction.

As we wait for the big reveal, the news tidbits are floating through the ether, and Apple’s new expansion into peer-to-peer (P2P) payments managed to stir some interest in advance of the big game.

LetsGoDigital was the first to debut the news that Apple had filed a trademark registration with the European Union Intellectual Property Office pertaining to Apple Pay Cash. The move, reports said, signals Apple’s plans to expand Apple Pay Cash into Europe. The filing also suggests that consumers will need a photo ID to use Apple Pay Cash.

Other than that, confirmed details are a bit scarce, although most reports indicate that Apple will offer more information when the executive team takes the stage on Tuesday.

Apple is expected to announce the iPhone 8, as well as a new iPhone 7s, an Apple smartwatch, Apple TV and iOS 11 software. So far, Apple Pay Cash is known only to be an extension of Apple Pay, which will support P2P payment capabilities in iMessage. The technology will reportedly enable users to send and request money from within iMessage without using third-party apps like Venmo. Balances are stored within the Apple Pay Cash virtual card in the Wallet app, and funds can be transferred to bank accounts or used via the virtual card, according to reports.

It remains to be seen whether (and how) Apple plans to attract users with friends and family who don’t have iPhones or iMessage.

We hope to pass along more details in our full report on Apple’s latest and greatest on Wednesday morning.

And finally…

 
Square Sneaks into Banking

Another FinTech player enters the mainstream banking ring…

According to reports in The Wall Street Journal last week, Square submitted an application to form a wholly owned and operated bank in Utah and to acquire an industrial banking license. The business unit, which would be called Square Financial Services Inc., would be capitalized with around $56 million in cash. Its purpose would be to offer loans and deposit accounts to small businesses.

This positions Square as the third major FinTech player to make a move on a banking license. Mobile banking startup Varo Money made a similar move, as did online vendor SoFi. The timing is not quite a surprise — recently, federal regulators have been more open to the idea of new banks than they have been at any time since the Great Recession.

As an industrial loan company, Square would have many of the same privileges as a traditional bank. Sixteen other industrial banks are currently licensed to operate in Utah.

Square already has an SMB lending arm, called Square Capital, which it operates through a deal with Utah-based Celtic Bank. That lending operation has been fairly successful for Square, extending more than $1.8 billion in working capital to more than 141,000 firms.

“As we scale, it’s increasingly important that we have direct relationships with regulators,” said Jacqueline Reses, who leads Square Capital and will be chairman of the bank. Finance Executive Lewis Goodwin will serve as the bank’s acting CEO. Goodwin recently transitioned to Square from Green Dot, where he was instrumental in leading the firm’s banking subsidiary.

Reses noted that by choosing to apply for an industrial loan company charter instead of a traditional banking license, Square is able to continue participating in the parts of its business that are entirely non-financial, such as selling hardware payment terminals and offering food delivery through its Caviar business unit. Bank holding companies are prohibited from engaging in non-financial business activity.

But industrial loan charters can be a challenge to secure; Walmart is one of the more public failures. The company’s attempt at moving toward an industrial loan charter caused widespread complaints and anger from bank lobbyists and community groups, who argued that non-financial companies owning banks would concentrate too much commercial and economic power in one place. Similar arguments have been made against some of today’s new applicants to the market.

SoFi, for example, does not currently have eCommerce interests like Walmart. However, Christopher Cole, executive vice president at the Independent Community Bankers of America, said that this won’t necessarily always be the case. “SoFi might even become ambitious enough to set up an online retail company that would compete with Amazon,” he said.

We’re sure they’ll be delighted by the more commerce-focused Square’s entry to the market.

So, what did we learn this week? Expect explanations in the forecast. Equifax has a breach to talk about; Apple must persuade the world that the old iPhone magic is alive and well 10 years later and Square has to convince regulators that it can help the market more than it could hurt it as a bank.

Should be an interesting series of conversations.

We’ll make sure you’re on top of all of them.