Credit Bureau APIs
A developer's perspective on getting access to and dealing with the APIs of the big three credit bureaus.
Since rolling out Supergood, our solution to monitor and manage all of your mission-critical third-party APIs, we’ve been asked the same simple question by many of our users:
Which APIs should I use, and what should I watch out for?
There’s no real value in giving generic advice for dealing with any arbitrary third-party integration, so we decided to name names.
Here are our hot takes on the big three Credit Bureaus and their APIs. This level of detail has been compiled from our own experiences and anecdotes from other developer friends in the industry.
Getting Access
The credit bureau APIs are some of the most challenging to access, as their utility is heavily regulated by the Consumer Financial Protection Bureau (CFPB).
There is a somewhat good intention behind this level of regulation, as the CFPB wants credit decisions to be made fairly and with a permissible purpose, which requires the bureaus to ensure that the sensitive consumer data coming from their APIs is being handled securely and in accordance with the Fair Credit Reporting Act.
Given this level of compliance, approval to access these APIs can take anywhere between 3 and 6 months and requires code audits, network diagrams and an actual human person to perform a physical inspection of your office. This physical inspection consists of ticking off several arbitrary checkboxes including clear signage of your business, locked filing cabinets, locked conference rooms, and my personal favorite requirement: the physical address of where your servers are located.
Unfortunately, pointing upwards and saying “The Cloud” is not an accepted response, trust me.
Once you get through the approval gauntlet, you’ll end up paying upwards of $2.00 per API call, wholly depending on the scores and consumer data you request, your company’s projected volume, and your negotiation skills. Equifax’s service, “The Work Number”, which theoretically can give you the full income history of a consumer just from their SSN, can even cost up to $35 per API call*, making it one of the most expensive APIs in the industry.
*Companies with high volume and special contracts are able to make all of these calls for much cheaper, but this data is anecdotally aggregated from Series A+ private companies.
Naming Names
Experian
Experian tends to be the most popular bureau to integrate with first, although the on-boarding experience for each of the three tends to be the same.
When you finally receive partial approval from Experian, which might happen anywhere from 1 to 3 months in the process, you’ll be given access to a sandbox environment containing synthetic users.
Like many sandbox environments, this will give you an extremely broad sense for what real payloads might resemble, but it is far from complete. To make matters worse, the API documentation for Experian is hundreds of pages long, contains a smattering of codes that need to be mapped, and is only accessible as a PDF, making search near impossible.
Unfortunately, it’s nearly impossible to account for every single edge case once you’re live in production. For most engineers it’s a never-ending battle of adding additional observability and logging infrastructure, which is incredibly costly in both engineering time and actual infrastructure expense.
Some of the issues users have encountered when dealing with Experian include:
Breaking API changes buried in spammy newsletter updates
Random outages at various times of the day, while the Experian Status Page remains entirely green.
Extreme and random slowness with regard to response time, which can easily cause customers to churn
Malformed payloads mangling sensitive customer information, which at best are unusable and at worst will leave you guessing
Note: Do not guess when it comes to making credit & lending decisions.
Unpredictable matching requirements, requiring customers to give up the most sensitive information such as an SSN to return any usable data.
TransUnion
Many of the same issues from Experian can plague the TransUnion APIs. Anecdotally, TransUnion gets integrated as a failover by larger financial institutions that have had enough issues with Experian. While the mapping of Experian payloads to TransUnion is not exactly one-to-one, it tends to be sufficient as a stopgap when Experian causes problems.
From anecdotal interviews, TransUnion APIs tend to be a bit of a mixed bag. The newer, more public-facing APIs tend to be built with more modern standards, e.g. JSON and RESTful, but if you’re working with any of their old-school bread-and-butter APIs, you’re most likely dealing with XML SOAP.
While there is nothing inherently wrong with the XML SOAP protocol, you’ll most likely need to dig up some unmaintained open source library on GitHub just to be able to parse these responses, which naturally just adds more complexity to your code and even your logging infrastructure.
Equifax
While usually not everyone’s first, or even second, go-to when it comes to pulling credit reports, Equifax has established itself as the de facto service* when it comes to income and employment verification.
*There are many impressive API-based incumbents that we will cover in later posts.
Equifax offers a ubiquitous service called “The Work Number” or “TWN” where it has integrated with some of the largest payroll providers and employers in the world to give enterprises instant access to consumer income data.
One API call theoretically can provide full work history with detailed income data for any given consumer, regardless of the number of jobs that they have worked at over the years, but this is not always the case and the resulting data is fairly difficult to audit unless you’ve set up robust (and potentially expensive) logging and observability.
You’ll quickly run into data quality issues in production with unexpected schema changes, small to large gaps in income history and partial income data.
To make matters worse, no matter how unusable the returned payload, you’ll be making one of the most expensive API calls on the market, costing up to $35 a call. Equifax’s cash cow for this API is the mortgage industry, where that cost is easily justified when compared to the overall cost of underwriting a home loan.
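The data quality problems described above (schema changes, gaps in income history, partial income data) can be caught before a payload feeds a decision. The following is an added example, not code from Supergood or any bureau; the record layout, field names and the 45-day gap threshold are assumptions, and the redaction helper keeps SSN-shaped values out of the audit log.

```python
import re
from datetime import date

# Hypothetical record layout; the vendor's real schema is not shown on this page.
EXPECTED_KEYS = {"employer", "start", "end", "annual_income"}
SSN_RE = re.compile(r"\b\d{3}-?\d{2}-?(\d{4})\b")

def redact(text):
    """Mask SSN-shaped values before a payload excerpt is written to logs."""
    return SSN_RE.sub(r"***-**-\1", text)

def audit_income_history(payload, max_gap_days=45):
    """Return a list of findings; an empty list means every check passed."""
    jobs = payload.get("employments")
    if not isinstance(jobs, list) or not jobs:
        return ["schema: 'employments' missing or empty"]
    findings, spans = [], []
    for i, job in enumerate(jobs):
        keys = set(job) if isinstance(job, dict) else set()
        if keys != EXPECTED_KEYS:  # schema drift: renamed, dropped or new fields
            findings.append(f"schema: record {i} missing={sorted(EXPECTED_KEYS - keys)} "
                            f"unexpected={sorted(keys - EXPECTED_KEYS)}")
            continue
        if not isinstance(job["annual_income"], (int, float)):
            findings.append(f"partial: record {i} has no income figure")
        try:
            start = date.fromisoformat(job["start"])
            end = date.fromisoformat(job["end"]) if job["end"] else date.max
        except (TypeError, ValueError):
            findings.append(f"schema: record {i} has an unparseable date")
            continue
        spans.append((start, end))
    spans.sort()
    covered_until = spans[0][1] if spans else None
    for start, end in spans[1:]:  # walk employments in date order, flag uncovered time
        if (start - covered_until).days > max_gap_days:
            findings.append(f"gap: no history from {covered_until} to {start}")
        covered_until = max(covered_until, end)
    return findings

# Constructed sample payload, not real bureau output.
SAMPLE = {"employments": [
    {"employer": "Acme", "start": "2018-01-01", "end": "2019-06-30", "annual_income": 52000},
    {"employer": "Globex", "start": "2020-03-01", "end": None, "annual_income": None},
    {"employer": "Initech", "start": "2017-01-01", "wages": 40000},
]}

if __name__ == "__main__":
    for finding in audit_income_history(SAMPLE):
        print(redact(finding))
```

A non-empty result is a reason to route the application to manual review instead of deciding on incomplete data.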
The Supergood Plug
We built Supergood to remove all the complexity involved with integrating and maintaining any third-party APIs, including but absolutely not limited to the credit bureau APIs. It only takes five minutes to get Supergood up and running on your system and we’re totally agnostic to vendors, as long as they’re HTTPS-based.
If you’ve ever banged your head against a wall debugging sudden payload schema changes, randomly slow response times or surprise costs, reach out to us at hello@supergood.ai.
These third-party integrations should just work as described - you have enough of your own code to worry about.
Stay tuned for our next post on income verification APIs!