Company Quick10K Filing
Quick10K
Equifax
Closing Price ($) Shares Out (MM) Market Cap ($MM)
$108.13 121 $13,040
10-K 2018-12-31 Annual: 2018-12-31
10-Q 2018-09-30 Quarter: 2018-09-30
10-Q 2018-06-30 Quarter: 2018-06-30
10-Q 2018-03-31 Quarter: 2018-03-31
10-K 2017-12-31 Annual: 2017-12-31
10-Q 2017-09-30 Quarter: 2017-09-30
10-Q 2017-06-30 Quarter: 2017-06-30
10-Q 2017-03-31 Quarter: 2017-03-31
10-K 2016-12-31 Annual: 2016-12-31
10-Q 2016-09-30 Quarter: 2016-09-30
10-Q 2016-06-30 Quarter: 2016-06-30
10-Q 2016-03-31 Quarter: 2016-03-31
10-K 2015-12-31 Annual: 2015-12-31
8-K 2019-02-22 Officers, Exhibits
8-K 2019-02-20 Earnings, Exhibits
8-K 2019-02-04 Officers, Exhibits
8-K 2018-11-14 Officers
8-K 2018-10-24 Earnings, Exhibits
8-K 2018-10-01 Enter Agreement, Leave Agreement, Off-BS Arrangement, Exhibits
8-K 2018-09-12 Officers
8-K 2018-07-25 Earnings, Exhibits
8-K 2018-07-16 Officers, Exhibits
8-K 2018-06-25 Other Events, Exhibits
8-K 2018-05-23 Other Events, Exhibits
8-K 2018-05-04 Other Events, Exhibits
8-K 2018-05-03 Shareholder Vote
8-K 2018-04-25 Earnings, Exhibits
8-K 2018-03-27 Officers, Exhibits
8-K 2018-03-21 Officers, Exhibits
TRU Transunion
SC Santander Consumer USA Holdings
DNB DUN & Bradstreet
TREE LendingTree
ONDK On Deck Capital
ATAX America First Multifamily Investors
HX Hexindai
SNFCA Security National Financial
XRF China Rapid Finance
IPB Merrill Lynch
EFX 2018-12-31
Part I
Item 1. Business
Item 1A. Risk Factors
Item 1B. Unresolved Staff Comments
Item 2. Properties
Item 3. Legal Proceedings
Item 4. Mine Safety Disclosures
Part II
Item 5. Market for The Registrant's Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities
Item 6. Selected Financial Data
Item 7. Management's Discussion and Analysis of Financial Condition and Results of Operations
Item 7A. Quantitative and Qualitative Disclosures About Market Risk
Item 8. Financial Statements and Supplementary Data
Item 9. Changes in and Disagreements with Accountants on Accounting and Financial Disclosure
Item 9A. Controls and Procedures
Item 9B. Other Information
Part III
Item 10. Directors, Executive Officers and Corporate Governance
Item 11. Executive Compensation
Item 12. Security Ownership of Certain Beneficial Owners and Management and Related Stockholder Matters
Item 13. Certain Relationships and Related Transactions and Director Independence
Item 14. Principal Accountant Fees and Services
Part IV
Item 15. Exhibits and Financial Statement Schedules
Item 16. Form 10-K Summary
EX-21.1 exhibit211-12312018.htm
EX-23.1 exhibit231consent-12312018.htm
EX-31.1 exhibit311-12312018.htm
EX-31.2 exhibit312-12312018.htm
EX-32.1 exhibit321-12312018.htm
EX-32.2 exhibit322-12312018.htm

Equifax Earnings 2018-12-31

EFX 10K Annual Report

Balance SheetIncome StatementCash Flow

10-K 1 efx10k20181231.htm 10-K Document


UNITED STATES
SECURITIES AND EXCHANGE COMMISSION 
Washington, D.C. 20549
____________________________________
FORM 10-K
ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
For the fiscal year ended December 31, 2018 
OR
TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
For the transition period from                          to 
Commission File Number 001-06605
____________________________________
EQUIFAX INC.
(Exact name of registrant as specified in its charter)
Georgia
 
58-0401110
(State or other jurisdiction of incorporation or organization)
 
(I.R.S. Employer Identification No.)
1550 Peachtree Street, N.W.
 
 
Atlanta, Georgia
 
30309
(Address of principal executive offices)
 
(Zip Code)
Registrant’s telephone number, including area code: 404-885-8000
Securities registered pursuant to Section 12(b) of the Act: 
Title of each class
 
Name of each exchange on which registered
Common Stock, $1.25 par value per share
 
New York Stock Exchange
Securities registered pursuant to Section 12(g) of the Act: None.
____________________________________
Indicate by check mark if Registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Exchange Act (“Act”).   YES     NO
Indicate by check mark if Registrant is not required to file reports pursuant to Section 13 or Section 15(d) of the Act.   YES   NO
Indicate by check mark whether Registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the Registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days.          YES     NO
Indicate by check mark whether the Registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T during the preceding 12 months (or for such shorter period that the Registrant was required to submit such files).    YES     NO  
Indicate by check mark if disclosure of delinquent filers pursuant to Item 405 of Regulation S-K is not contained herein, and will not be contained, to the best of Registrant’s knowledge, in definitive proxy or information statements incorporated by reference in Part III of this Form 10-K or any amendment to this Form 10-K.   
Indicate by check mark whether the Registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, a smaller reporting company, or an emerging growth company. See definitions of “large accelerated filer,” “accelerated filer,” “smaller reporting company” and “emerging growth company” in Rule 12b-2 of the Exchange Act. (Check one):
 Large accelerated filer
 
 Accelerated filer
 
 Non-accelerated filer
 
 Smaller reporting company
 
  Emerging growth company
If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act.  
Indicate by check mark whether the Registrant is a shell company (as defined in Rule 12b-2 of the Act).    YES     NO
As of June 30, 2018, the aggregate market value of Registrant’s common stock held by non-affiliates of Registrant was approximately $15,064,356,603 based on the closing sale price as reported on the New York Stock Exchange. At January 31, 2019, there were 120,699,888 shares of Registrant’s common stock outstanding.
DOCUMENTS INCORPORATED BY REFERENCE
Portions of Registrant’s definitive proxy statement for its 2019 annual meeting of shareholders are incorporated by reference in Part III of this Form 10-K.




TABLE OF CONTENTS
 
 
 
Page
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


1



PART I
 
ITEM 1.  BUSINESS
 
Overview
 
Equifax Inc. is a global data, analytics and technology company. We provide information solutions and human resources business-process outsourcing services for businesses, governments and consumers. We have a large and diversified group of clients, including financial institutions, corporations, governments and individuals. Our services are based on comprehensive databases of consumer and business information derived from numerous sources including credit, financial assets, telecommunications and utility payments, employment, income, demographic and marketing data. We use advanced statistical techniques, machine learning and proprietary software tools to analyze available data to create customized insights, decision-making solutions and processing services for our clients. We also provide information, technology and services to support debt collections and recovery management. Additionally, we are a leading provider of payroll-related and human resource management business process outsourcing services in the United States of America (U.S.). For consumers, we provide products and services to help people understand, manage and protect their personal information and make more informed financial decisions.
 
We currently operate in four global regions: North America (U.S. and Canada), Asia Pacific (Australia, New Zealand and India), Europe (the United Kingdom (U.K.), Spain and Portugal) and Latin America (Argentina, Chile, Costa Rica, Ecuador, El Salvador, Honduras, Mexico, Paraguay, Peru and Uruguay). We maintain support operations in the Republic of Ireland, Chile, Costa Rica and India. We also offer Equifax-branded credit services in Russia and India through joint ventures, have investments in consumer and/or commercial credit information companies through joint ventures in Cambodia, Malaysia, Singapore and the United Arab Emirates, and have an investment in a consumer and commercial credit information company in Brazil.
 
Equifax was originally incorporated under the laws of the State of Georgia in 1913, and its predecessor company dates back to 1899. As used herein, the terms Equifax, the Company, we, our and us refer to Equifax Inc., a Georgia corporation, and its consolidated subsidiaries as a combined entity, except where it is clear that the terms mean only Equifax Inc.
 
We are organized and report our business results in four operating segments, as follows:
 
U.S. Information Solutions (USIS) provides consumer and commercial information solutions to businesses in the U.S. including online information, decisioning technology solutions, fraud and identity management services, analytical services, portfolio management services, mortgage reporting and marketing services.

International provides products and services similar to those available in the USIS operating segment but with variations by geographic region. We also provide information, technology and services to support debt collections and recovery management. This operating segment is comprised of our Canada, Europe, Latin America and Asia-Pacific business units.

Workforce Solutions provides services enabling customers to verify income and employment (Verification Services) of people in the U.S., as well as providing our customers services to outsource and automate the performance of certain payroll-related and human resource management business processes, including unemployment claims management, tax credits and incentives and I-9 and W-2 form management services and services to allow employers to ensure compliance with the Affordable Care Act (Employer Services). Workforce Solutions is in the process of establishing Verifications Services operations in Canada and Australia.

Global Consumer Solutions provides products to consumers in the U.S., Canada and the U.K., enabling them to understand and monitor their credit and monitor and help protect their identity. We also sell consumer credit information to resellers who combine our information with other information to provide direct-to-consumer monitoring, reports and scores.

2017 Cybersecurity Incident

In 2017, we experienced a cybersecurity incident following a criminal attack on our systems that involved the theft of certain personally identifiable information of U.S., Canadian and U.K. consumers. Criminals exploited a software vulnerability in a U.S. website application to gain unauthorized access to our network. In March 2017, the U.S. Department of Homeland Security distributed a notice concerning the software vulnerability. We undertook efforts to identify and remediate vulnerable

2



systems; however, the vulnerability in the website application that was exploited was not identified by our security processes. We discovered unusual network activity in late-July 2017 and upon discovery promptly investigated the activity. Once the activity was identified as potential unauthorized access, we acted to stop the intrusion and engaged a leading, independent cybersecurity firm to conduct a forensic investigation to determine the scope of the unauthorized access, including the specific information impacted. Based on our forensic investigation, the unauthorized access occurred from mid-May 2017 through July 2017. No evidence was found that the Company’s core consumer, employment and income, or commercial reporting databases were accessed. We continue to cooperate with law enforcement in connection with the criminal investigation into the actors responsible for the 2017 cybersecurity incident.

The Company has taken actions to provide consumers with tools to protect credit data. Immediately following the announcement of the 2017 cybersecurity incident, the Company devoted substantial resources to notify people of the incident and to provide free services to assist people in monitoring their credit and identity information. This included making its TrustedID® Premier service, an identity theft protection and credit file monitoring product, available for free to all U.S. consumers for twelve months for those who signed up by January 31, 2018. In late 2018, the Company extended the free credit file monitoring services for impacted consumers in the U.S. using the free TrustedID Premier® service by providing them the opportunity to enroll in Experian® IDNotify at no cost for an additional twelve months. Similarly, for impacted consumers in Canada and the U.K., we provided free credit reports and scores, credit monitoring and identity theft protection for twenty four months. As part of our commitment to providing long-term resources and protections for consumers, in January 2018, the Company introduced Lock & Alert, a mobile application enabled service that allows U.S. consumers to quickly lock and unlock their Equifax credit report for free, for life.

As a result of the 2017 cybersecurity incident, we are party to numerous lawsuits and governmental investigations. See “Item 1A. Risk Factors” and “Item 3. Legal Proceedings” in this Form 10-K for more information regarding these lawsuits and investigations.

Our Business Strategy
 
Our vision is to be a trusted global leader in data, advanced analytics and technology that creates innovative solutions and insights for our customers. Our business strategy is driven by the following imperatives:

Lead our industry in data security. Building on the progress we made following the 2017 cybersecurity incident, we are focused on becoming a leader in our industry in the effectiveness of our data and technology security practices. This includes building an Equifax culture that considers data and technology security, and more broadly risk management, as a primary requirement in all decisions. This also includes the extensive use of advanced data and technology security tools, techniques, services and processes in order to enhance our ability to protect the information with which we are entrusted from fraudulent access.

Transform our technology. We plan to rebuild our technology infrastructure, accelerate our migration to a public cloud environment, employ virtual private cloud deployment techniques, and rationalize and rebuild our application portfolio using cloud-focused services. This technology transformation is a significant enabler to our goal of leading our industry in data and technology security capability. Our goal is to deliver market-leading capabilities to our customers in terms of speed of bringing new products and services to market; ease of customer and partner implementation and integration; ease of consumer access to and interaction with Equifax, our systems and data; system resiliency and uptime; and ultimately cost to serve. We are approximately one year into our multi-year technology transformation, which is already broadly impacting our internal and external information technology systems.

Lead in data and analytics, to develop unparalleled analytical insights leveraging Equifax’s unique data. We use proprietary advanced analytical platforms, including capabilities in machine learning and advanced visualization tools, to leverage our unique data to develop leading analytical insights that enhance the precision of our customers’ decisioning activities. We strive to continue to advance these capabilities through ongoing data monetization activities, the acquisition of distinctive and differentiated assets, and continued advancement of capabilities in artificial intelligence and machine learning. As part of our technology transformation, we are investing to simplify our customers’ access to our leading analytical platforms, in order to speed the development of unique insights and the conversion of these insights into new products and services consumable by our customers through our delivery platforms.

We offer a wide array of products, ranging from custom products for large clients, to software-as-a-service-based decisioning and data access technology platforms that are cost-effective for clients of all sizes. We also develop

3



predictive scores and analytics, some of which leverage multiple data assets, to help clients acquire new customers and manage their existing customer relationships. We develop a broad array of industry, risk management, cross-sell and account acquisition models to enhance the precision of our clients’ decisioning activities. We also develop custom and generic solutions that enable customers to effectively manage their debt collection and recovery portfolios.

Improve the consumer user experience. Equifax understands the importance of providing consumers with user-friendly capabilities to see, understand and question their consumer credit file and information. As part of our technology transformation, we are rebuilding our digital and call center technology infrastructure to provide an experience focused on making consumers’ interactions with Equifax as effective and efficient as possible.

Foster a culture of customer centricity. We are focused on building a culture in which the customer is at the center of our decision processes, and we exceed customer expectations by delivering solutions with speed, flexibility, stability and performance. Our focus on customer centricity will enable us to be more proactive in solving problems better and faster for customers while delivering enhanced operational readiness to provide a better customer experience.

Deliver growth while enhancing profitability and shareholder returns. We strive to accelerate innovation through expanded customer focus and collaboration. We intend to leverage our unique data assets and capabilities, as well as customer expertise and data and technology assets, to help us jointly create high-value analytical products and services targeted at a broader range of customer needs. We seek to expand partnerships in order to further broaden the key customer domains and verticals that our products and services are able to serve.

We seek to increase our share of clients’ spend on information-related services through these new products and services, price our products and services in accordance with the value they represent to our customers, increase the range of current products and services utilized by our clients, and improve the quality and effectiveness of our support for both customers and consumers.

We believe there are opportunities to continue to expand in the U.S. and internationally, across the existing financial, mortgage, telecommunications, automotive, insurance, healthcare, government and other markets that we serve, as well as in new and emerging market segments. We continue to invest, including through acquisitions and partnerships, to expand our addressable markets, and the data and capabilities we offer to solve customer challenges ranging from identity authentication to risk management.

We seek to enhance shareholder value through the disciplined execution of these imperatives and by positioning ourselves as a premier and trusted provider of high value information solutions.

Build a world-class Equifax team by investing in talent to drive our strategy and promote a culture of innovation. We attract top talent by providing opportunities to grow and lead within our company. We regularly undertake talent initiatives to engage, develop and retain our top talent.


4



Markets and Clients
 
Our products and services serve clients across a wide range of verticals, including financial services, mortgage, employers, consumer, commercial, telecommunications, retail, automotive, utilities, brokerage, healthcare and insurance industries, as well as state and federal governments. We also serve consumers directly. Our revenue stream is highly diversified with our largest client providing less than 3% of total revenue. The following table summarizes the various end-user markets we serve:
chart-1f6729fc567153bd987.jpg
(1) 
Predominantly sold to companies who serve the direct-to-consumer market and includes other small end user markets. Mortgage and auto resellers are excluded from this category as they are included within their respective categories above.
(2) 
Other includes revenue from other miscellaneous end-user markets.

We market our products and services primarily through our own direct sales organization that is structured around sales teams that focus on client segments typically aligned by vertical markets and geography. Sales groups are based in our headquarters in Atlanta, Georgia, and field offices located in the U.S. and in the countries where we have operations. We also market our products and services through indirect channels, including alliance partners, joint ventures and other resellers. In addition, we sell through direct mail and the internet.
 
Our largest geographic global regions are the U.S.; Asia Pacific (Australia, New Zealand and India); Europe (the U.K., Spain and Portugal); Canada; and Latin America (Argentina, Chile, Costa Rica, Ecuador, El Salvador, Honduras, Mexico, Paraguay, Peru and Uruguay). We maintain support operations in the Republic of Ireland, Chile, Costa Rica, and India. We also offer Equifax branded credit services in Russia and India through joint ventures, have investments in consumer and/or commercial credit information companies through joint ventures in Cambodia, Malaysia, Singapore and the United Arab Emirates, and have an investment in a consumer and commercial credit information company in Brazil. We also provide information, technology and services to support debt collections and recovery management in Asia Pacific, Europe, Canada and Latin America.
 
Revenue from international clients, including end users and resellers, amounted to 29% of our total revenue in 2018, 29% of our total revenue in 2017 and 27% of our total revenue in 2016.

Products and Services
 
Our products and services help our clients make more informed decisions with higher levels of confidence by leveraging a broad array of data assets. Analytics are used to derive insights from the data that are most relevant for the client’s decisioning needs. The data and insights are then processed through proprietary software and generally transmitted to the client’s operating system to execute the decision.
 

5



The following chart summarizes the key products and services offered by each of the business units within our segments:
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
USIS
 
International
 
 
 
Workforce Solutions
 
 
 
 
Online Information Solutions
 
Financial Marketing Services
 
Mortgage Services
 
Europe
 
Asia Pacific
 
Latin America
 
Canada
 
Verification Services
 
Employer Services
 
Global Consumer Solutions
 
Online data
X
 
 
 
X
 
X
 
X
 
X
 
X
 
X
 
 
 
X
 
Portfolio management services
X
 
X
 
X
 
X
 
X
 
X
 
X
 
X
 
 
 
 
 
Analytical services
X
 
X
 
X
 
X
 
X
 
X
 
X
 
X
 
X
 
X
 
Technology services
X
 
 
 
X
 
X
 
X
 
X
 
X
 
 
 
 
 
 
 
Identity management and fraud
X
 
 
 
 
 
X
 
X
 
X
 
X
 
X
 
 
 
X
 
Marketing Services
 
 
X
 
X
 
 
 
X
 
X
 
X
 
 
 
 
 
 
 
Direct-to-consumer credit monitoring
 
 
 
 
 
 
 
 
X
 
 
 
 
 
 
 
 
 
X
 
Employment and income verification services
 
 
 
 
 
 
 
 
X
 
 
 
 
 
X
 
 
 
 
 
Business process outsourcing (BPO)
 
 
 
 
 
 
 
 
X
 
 
 
 
 
X
 
X
 
 
 
Debt collection software, services and analytics
 
 
 
 
 
 
X
 
X
 
X
 
X
 
 
 
 
 
 
 
 
Each of our operating segments is described more fully below. For the operating revenue, operating income and total assets for each segment see Note 12 of the Notes to the Consolidated Financial Statements in this report.
 
USIS
 
USIS provides consumer and commercial information solutions to businesses in the U.S. through three product and service lines, as follows:

Online Information Solutions. Online Information Solutions’ products are derived from multiple large and comprehensive databases of consumer and commercial information that we maintain about individual consumers and businesses, including credit history, current credit status, payment history and address information. Our clients utilize the information and analytical insights we provide to make decisions for a broad range of financial and business purposes, such as whether, and on what terms, to approve auto loans or credit card applications, and whether to allow a consumer or a business to open a new utility or telephone account. In addition, this information is used by our clients for cross selling additional products to existing customers, improving their underwriting and risk management decisions, and authenticating and verifying consumer and business identities. We also sell consumer and credit information to resellers who may combine our information with other information to provide services to the financial, mortgage, fraud and identity management, and other end-user markets. Our software platforms and analytical capabilities can integrate all types of information, including third-party and client information, to enhance the insights and decisioning process to help further mitigate the risk of granting credit, predict the risk of bankruptcy, indicate the applicant’s risk potential for account delinquency, ensure the identity of the consumer, and reduce exposure to fraud. These risk management services enable our clients to monitor risks and opportunities and proactively manage their portfolios.

Online Information Solutions’ clients access products through a full range of electronic distribution mechanisms, including direct real-time access, which facilitates instant decisions. We also develop and host customized applications that enhance the decision-making process for our clients. These decisioning technology applications assist with a wide variety of decisioning activities, including determining pre-approved offers, cross-selling of various products, determining deposit amounts for telephone and utility companies, and verifying the identity of their customers. We have also compiled commercial databases regarding businesses in the U.S., which include loan, credit card, public records and leasing history data, trade accounts receivable performance, and Secretary of State and Securities and Exchange Commission registration information. We offer scoring and analytical services that provide additional information to help mitigate the credit risk assumed by our clients.

Mortgage Solutions. Our Mortgage Solutions products, offered in the U.S., consist of specialized credit reports that combine information from the three major consumer credit reporting agencies (Equifax, Experian and TransUnion) into a single “merged” credit report in an online format, commonly referred to as a tri-merge report. Mortgage lenders use these tri-merge reports in making their mortgage underwriting decisions. Additionally, we offer various “triggering” services designed to alert lenders to changes in a consumer’s credit status during the underwriting period and securitized portfolio risk assessment services for evaluating inherent portfolio risk.
 
Financial Marketing Services. Our Financial Marketing Services products utilize consumer and commercial financial information enabling our clients to more effectively manage their marketing efforts, including targeting and segmentation, to identify and acquire new clients for their products and services; to develop portfolio strategies to minimize

6



risk and maximize profitability; and to realize additional revenue from existing customers through more effective cross selling of additional products and services. These products utilize information derived from consumer and commercial information, including credit, income, asset, liquidity, net worth and spending activity, which also support many of our Online Information Solutions’ products. These data assets broaden the understanding of consumer and business financial potential and opportunity which can further drive high value decisioning and targeting solutions for our clients. We also provide account review services, which assist our clients in managing their existing customers and prescreen services that help our clients identify new opportunities with their customers. Clients for these products primarily include institutions in the banking, brokerage, retail, insurance and mortgage industries as well as companies primarily focused on digital and interactive marketing.
  
International
 
The International operating segment includes our Asia Pacific, Europe, Latin America and Canada business units. These business units offer products that are similar to those available in the USIS operating segment, but with variations by geographic region. In some jurisdictions, data sources tend to rely more heavily on government agencies than in the U.S. We also offer specialized services that help our customers better manage risk in their consumer portfolios. This operating segment’s products and services generate revenue in Argentina, Australia, Canada, Chile, Costa Rica, Ecuador, El Salvador, Honduras, India, Mexico, New Zealand, Paraguay, Peru, Portugal, Spain, the U.K. and Uruguay. We also maintain support operations in the Republic of Ireland, Chile, Costa Rica, and India. We offer consumer credit services in Russia and India through investments in joint ventures, have investments in consumer and/or commercial credit information companies through joint ventures in Cambodia, Malaysia, Singapore and the United Arab Emirates, and have an investment in a consumer and commercial credit information company in Brazil. We also provide information, technology and services to support debt collections and recovery management in Asia Pacific, Europe, Canada and Latin America.
 
 Europe. Our Europe operation provides information solutions, marketing and personal solutions products. Information solutions and personal solutions products are generated from information that we maintain and include credit reporting and scoring, asset information, risk management, identity management and authentication services, fraud detection and modeling services. Most of these products are sold in the U.K. with a more limited set of information solutions products sold in Spain and Portugal. Marketing products, which are similar to those offered in our Financial Marketing Services business unit, are primarily available in the U.K. and, to a lesser extent, in Spain. We also provide information, technology and services to support debt collections and recovery management in the U.K. and, to a lesser extent, in Spain. In the U.K., this includes a contract to provide these services to the U.K. government.

Asia Pacific. Our Asia Pacific operation provides consumer and commercial information solutions products, marketing products, workforce solutions, and personal solutions products. We offer a full range of products, generated from credit records and other data, including credit reporting and scoring, decisioning technology, risk management, identity management, authentication and fraud detection services. Our consumer and commercial products are the primary source of revenue in each of the countries in which we operate and include credit reporting, decisioning tools and risk management services. We also provide information, technology and services to support debt collections and recovery management. Additionally, we provide a variety of consumer and commercial marketing products generated from information databases, including business profile analysis, business prospect lists and database management. The countries in which we operate include Australia, New Zealand and India, as well as through joint ventures in India, Russia, Cambodia, Malaysia, Singapore and the United Arab Emirates.

Latin America. Our Latin America operation provides consumer and commercial information solutions products, marketing products and personal solutions products. We offer a full range of products, generated from credit records that we maintain, including credit reporting and scoring, decisioning technology, risk management, identity management, authentication and fraud detection services. Our consumer products are the primary source of revenue in each of the countries in this region in which we operate. We also offer various commercial products, which include credit reporting, decisioning tools and risk management services, in the countries we serve. We also provide information, technology and services to support debt collections and recovery management. Additionally, we provide a variety of consumer and commercial marketing products generated from our credit information databases, including business profile analysis, business prospect lists and database management. The countries in this region in which we operate include Argentina, Chile, Costa Rica, Ecuador, El Salvador, Honduras, Mexico, Paraguay, Peru and Uruguay. We also have an investment in a consumer and commercial credit information company in Brazil.

Canada. Similar to the USIS business units, our Canada operation offers products derived from the credit information that we maintain about individual consumers and businesses. We offer many products in Canada, including credit reporting and scoring, consumer and commercial marketing, risk management, fraud detection and modeling services, identity management and authentication services, together with certain of our decisioning products that facilitate pre-approved offers of credit and

7



automate a variety of credit decisions. We also provide information, technology and services to support debt collections and recovery management in Canada.
 
Workforce Solutions
 
Workforce Solutions operates in the U.S. through two business units:
 
Verification Services. Verification Services include employment and income verification services. Our online verification services enable third-party verifiers including various governmental agencies, mortgage originators, credit card and automotive lenders and pre-employment screeners to verify the employee’s employment status and income information. We also offer an offline manual verification service, which expands employment verification to locate data outside our existing automated database. 
 
Employer Services. These services are aimed at reducing the cost to the human resources function of businesses through a broad suite of services including assisting with employment tax matters designed to reduce the cost of unemployment claims through effective claims representation and management and efficient processing and to better manage the tax rate that employers are assessed for unemployment taxes; comprehensive services designed to research the availability of employment-related tax credits (e.g., federal work opportunity tax credits), and to process the necessary filings and assist the client in obtaining the tax credit; W-2 management services (which include initial distribution, reissue and correction of W-2 forms); paperless pay services that enable employees to electronically receive pay statement information as well as review and change direct deposit account or W-4 information; I-9 management services designed to help clients electronically comply with the immigration laws that require employers to complete an I-9 form for each new hire; and onboarding services using online forms to complete the new hire process for employees of corporate and government agencies. In addition, we provide software and services to employers to assist in their compliance with the Affordable Care Act (“ACA”).

The Work Number®. The Work Number is our key repository of employment and income data serving our Verification Services business unit and enabling our Employer Services business unit. We rely on payroll data received from tens of thousands of organizations to regularly update the database. The updates occur as employers and other data contributors transmit data electronically to Equifax from their payroll systems. Employers provide this data to us so that we can handle verification requests on behalf of each employer. We use this data to provide automated employment and income verification services to third-party verifiers.
 
The fees we charge for services in these two business units are generally on a per transaction basis. We have not experienced significant turnover in the employer contributors to the database because we generally do not charge them to add their employment data to The Work Number® database and the verification service we offer relieves them of the administrative burden and expense of responding to third-party employment verification requests. The Work Number® database is approaching 380 million current and historic employment records at December 31, 2018.

Workforce Solutions is in the process of building income and employment verification service businesses in Canada and Australia, including establishing The Work Number® in each country. At present, revenues from these services in Canada and Australia are insignificant.

Global Consumer Solutions
 
Our Global Consumer Solutions (“GCS”) products give consumers information to enable them to understand and monitor their credit and monitor and help protect their identity. Equifax products offer monitoring features for consumers who are concerned about identity theft, including credit report monitoring from all three credit bureaus, internet scanning, bank account monitoring and lost wallet support. Country specific versions of our products are available to consumers in the U.S., Canada, and the U.K. primarily over the internet. Products may also be available indirectly through relationships with business partners who distribute our products or provide these services to their employees or customers. We also sell consumer credit information to resellers who combine our information with other information to provide direct-to-consumer monitoring, reports and scores. Due to the 2017 cybersecurity incident we ceased advertising our consumer business in the U.S. in September 2017. We resumed limited advertising of our consumer business in the U.S. in the fourth quarter of 2018.

Free Consumer Services
    
As part of our response to the 2017 cybersecurity incident, we made our TrustedID® Premier service, an identity theft protection and credit file monitoring product, available for free to all U.S. consumers for twelve months for those who signed up by January 31, 2018. In late 2018, the Company extended the free credit file and identity monitoring services for impacted

8



consumers in the U.S. using the free TrustedID® Premier service, by providing them the opportunity to enroll in Experian® IDNotify at no cost for an additional twelve months. Similarly, for consumers impacted by the 2017 cybersecurity incident in Canada and the U.K., we provided free credit reports and scores, credit monitoring, and identity theft protection for twenty four months. We provide U.S. consumers with an annual free credit report and the ability to freeze and unfreeze their Equifax credit report for free in accordance with the Fair Credit Reporting Act. Additionally, in January 2018, the Company introduced Lock & Alert, a mobile application enabled service that allows U.S. consumers to quickly lock and unlock their Equifax credit report for free, for life.

Seasonality
 
We experience seasonality in certain of our revenue streams. Revenue generated by the online consumer information services component of our USIS operating segment is typically the lowest during the first quarter, when consumer lending activity is at a seasonal low. Revenue generated from the Employer Services business unit within the Workforce Solutions operating segment is generally higher in the first quarter due primarily to the provision of Form W-2 preparation services which occur in the first quarter each year. Revenue generated from our financial wealth asset products and data management services in our Financial Marketing Services business is generally higher in the fourth quarter each year due to the significant portion of our annual renewals and deliveries which occur in the fourth quarter of each year. Mortgage related revenue is generally higher in the second and third quarters of the year due to the increase in consumer home purchasing during the summer in the U.S.

Competition

The market for our products and services is highly competitive and is subject to constant change. Our competitors vary widely in size and in the nature of the products and services they offer. Sources of competition are numerous and include the following:

Competition for our credit information solutions and direct-to-consumer solutions products varies by both application and industry, but generally includes two global consumer credit reporting companies, Experian and TransUnion, both of which offer a product suite similar to our credit information solutions. In the U.S., LifeLock is a national provider of personal identity theft protection service. Also, there are competitors offering free credit scores including Credit Karma in the U.S. and the U.K., ClearScore in the U.K., and Credit Simple and Credit Savvy in Australia. There are also a large number of competitors who offer competing products in specialized areas (such as fraud prevention, risk management and application processing and decisioning solutions) and software companies offering credit modeling services or analytical tools. Our differentiators include our unique data assets, decisioning technology and the features and functionality of our analytical capabilities. We emphasize our improved decision making and product quality while remaining competitive on price. Our marketing services products also compete with the foregoing companies and others who offer demographic information products, including Acxiom, Harte-Hanks and infoGROUP. We also compete with Fair Isaac Corporation with respect to certain of our analytical tools and solutions.

Competition for our commercial solutions products primarily includes Experian, Dun & Bradstreet and Cortera, and providers of these services in the international markets we serve.

Competition in the Verification Services market includes employers who manage verifications in-house, lenders who obtain verifications directly from employers, and other online and offline verification companies, such as CCC Verify, Thomas & Company, First Advantage and Employers Edge. Competition in the Employer Services market is diverse and includes in-house management of such services or the outsourcing of one or more of such services to other third-party outsourced providers like Corporate Cost Control, Thomas & Company, and Employers Edge; human resources (“HR”) consulting firms such as Mercer and Towers Watson; HR management services providers such as Oracle and Silk Road; payroll processors such as ADP and Ceridian; accounting firms such as PwC and EY; analytics companies such as Tableau and Visier; and hundreds of smaller companies that provide one or multiple offerings that compete with our Employer Services business.

Competition for our debt collection and recovery management software, services and analytics is similar to the competition for our consumer credit information solutions. We believe that the breadth and depth of our data assets enable our clients to develop a more current and comprehensive view of consumers. In the category of platforms and analytics, we compete to some extent with entities that deploy collections platforms, account management systems or recovery solutions. 


9



While we believe that none of our competitors offers the same mix of products and services as we do, certain competitors may have a larger share of particular geographic or product markets or operate in geographic areas where we do not currently have a presence.

We assess the principal competitive factors affecting our markets to include: our ability to protect information and systems; product attributes such as quality, depth, coverage, adaptability, scalability, interoperability, functionality and ease of use; product price; technical performance including system response time and availability; access to unique proprietary databases; availability in application service provider (“ASP”) format; quickness of response, flexibility and client services and support; effectiveness of sales and marketing efforts; existing market penetration; and new product innovation.

Technology and Intellectual Property
 
We generally seek protection under federal, state and foreign laws for strategic or financially important intellectual property developed in connection with our business. Certain intellectual property, where appropriate, is protected by registration under applicable trademark laws or by prosecution of patent applications. We own a number of patents registered in the U.S. and several in foreign countries. We also have certain registered trademarks, service marks, logos and internet domain names in the U.S. and in many foreign countries, the most important of which are “Equifax,” “Decision360,” “The Work Number” and variations thereof. These marks are used in connection with many of our product lines and services. We believe that, in the aggregate, the rights under our patents and trademarks are generally important to our operations and competitive position, but we do not regard any of our businesses as being dependent upon any single patent or group of patents or trademark. However, certain Company trademarks, which contribute to our identity and the recognition of our products and services, including but not limited to the “Equifax” trademark, are an integral part of our business, and their loss could have a significant negative impact on us. We also protect certain of our confidential intellectual property and technology in compliance with trade secret laws and through the use of nondisclosure agreements.
 
We license other companies to use certain data, software, and other technology and intellectual property rights we own or control, primarily as core components of our products and services, on terms that are consistent with customary industry standards and that are designed to protect our interest in our intellectual property. Other companies license us to use certain data, technology and other intellectual property rights they own or control. For example, we license credit-scoring algorithms and the right to sell credit scores derived from those algorithms from third parties for a fee. We do not hold any franchises or concessions that are material to our business or results of operations.
 
Governmental Regulation
 
We are subject to a number of U.S. federal, state, local and foreign laws and regulations that involve matters central to our business. These laws and regulations may involve consumer reporting, privacy, data protection, intellectual property, competition, consumer protection, anti-corruption, anti-bribery, anti-money laundering, employment, health, taxation or other subjects. In particular, we are subject to U.S. federal, state, local and foreign laws regarding the collection, protection, dissemination and use of personal information we have in our possession. Failure to satisfy those legal and regulatory requirements, or the adoption of new laws or regulations, could have a significant negative impact on our results of operations, financial condition or liquidity.
 
U.S. federal, state, local and foreign laws and regulations are evolving and can be subject to significant change. In addition, the application and interpretation of these laws and regulations are often uncertain. These laws are enforced by federal, state and local regulatory agencies in the jurisdictions where we operate, and in some instances also through private civil litigation. There are also a number of legislative proposals pending before the U.S. Congress, various state legislative bodies, and foreign governments concerning consumer and data protection that could particularly affect us.
 
Summary of U.S. Regulation Relating to Consumer and Data Protection
 
Our U.S. operations are subject to numerous laws and regulations governing the collection, protection and use of consumer credit and other information, and imposing sanctions for the misuse of such information or unauthorized access to data. Many of these provisions also affect our customers’ use of consumer credit or other data we furnish.


10



Examples of the most significant of these laws include, but are not limited to, the following:

Federal Laws and Regulation

FCRA - The Fair Credit Reporting Act (“FCRA”) regulates consumer reporting agencies, including us, as well as data furnishers and users of consumer reports such as banks and other companies. FCRA provisions govern the accuracy, fairness and privacy of information in the files of consumer reporting agencies (“CRAs”) that engage in the practice of assembling or evaluating certain information relating to consumers for certain specified purposes. The FCRA limits the type of information that may be reported by CRAs, limits the distribution and use of consumer reports and establishes consumer rights to access, freeze and dispute their credit files. CRAs are required to follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates and if a consumer disputes the accuracy of any information in the consumer’s file, to conduct a reasonable reinvestigation. CRAs are required to make available to consumers a free annual credit report and free credit freezes. The FCRA imposes many other requirements on CRAs, data furnishers and users of consumer report information. Violation of the FCRA can result in civil and criminal penalties. The FCRA contains an attorney fee shifting provision to provide an incentive for consumers to bring individual or class action lawsuits against a CRA for violations of the FCRA. Regulatory enforcement of the FCRA is under the purview of the United States Federal Trade Commission (“FTC”), the Consumer Financial Protection Bureau (“CFPB”), and state attorneys general, acting alone or in concert with one another.

The Dodd-Frank Act - Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”) created the CFPB. The Dodd-Frank Act provides the CFPB with examination and supervisory authority over CRAs, including us. The Dodd-Frank Act prohibits unfair, deceptive or abusive acts or practices (“UDAAP”) with respect to consumer financial services practices and provides the CFPB with enforcement authority to enforce those provisions. The CFPB may pursue administrative proceedings or litigation to enforce the laws and rules subject to its jurisdiction. In these proceedings the CFPB can obtain cease and desist orders, which can include orders for restitution to consumers or rescission of contracts, as well as other types of affirmative relief, and monetary penalties ranging from $5,000 per day for ordinary violations and up to $1 million per day for known violations. Also, the Dodd-Frank Act empowers state attorneys general and state regulators to bring civil actions in certain circumstances for the kind of cease and desist orders available to the CFPB (but not for civil penalties).

FTC Act - The Federal Trade Commission Act (“FTC Act”) prohibits unfair methods of competition and unfair or deceptive acts or practices. Under the FTC Act, the Federal Trade Commission’s jurisdiction includes oversight of the security measures we employ to safeguard the personal data of consumers. Allegations that we failed to safeguard or handle such data in a compliant manner may subject us to regulatory scrutiny or enforcement action. There is no private right of action under the FTC Act.

GLBA - The Financial Services Modernization Act of 1999, or Gramm-Leach-Bliley Act (“GLBA”), regulates, among other things, the use of non-public personal information of consumers that is held by financial institutions, including us. We are subject to various GLBA provisions, including rules relating to the use or disclosure of the underlying data and rules relating to the physical, administrative and technological protection of non-public personal financial information. Breach of the GLBA can result in civil and/or criminal liability and sanctions by regulatory authorities. Regulatory enforcement of the GLBA is under the purview of the FTC, the CFPB, the federal prudential banking regulators, the SEC and state attorneys general, acting alone or in concert with each other.

CROA - The Credit Repair Organizations Act (“CROA”) regulates companies that claim to be able to assist consumers in improving their credit standing. There have been efforts to apply the CROA to credit monitoring services offered by consumer reporting agencies and others. CROA allows for a private right of action. Consumers can sue to recover the greater of the amount paid or actual damages, punitive damages, costs, and attorney’s fees for violations of CROA.


11



State Laws and Regulation Relating to Consumer and Data Protection
 
A number of states have enacted requirements similar to the federal FCRA. Some of these state laws impose additional, or more stringent, requirements than the FCRA, especially in connection with investigations and responses to reported inaccuracies in consumer reports. The FCRA preempts some of these state laws, but the scope of preemption continues to be defined by the courts. The state of Vermont is grandfathered under the original FCRA requirements and thus we are subject to additional requirements to comply with Vermont law.

A majority of states have adopted versions of data security breach laws that require notification of affected consumers and potentially regulators in the event of a breach of personal information. A subset of these laws and other state data security laws require the implementation of data security measures as well. State attorneys general can enforce such state laws and can seek equitable as well as monetary remedies and in some cases private rights of action are permitted by such laws. 

The New York State Department of Financial Services (“NYDFS”) has enacted regulatory requirements applicable to CRAs that require registration with that agency, prohibit unfair and deceptive consumer practices and require compliance with significant portions of the NYDFS cybersecurity rules.

We may also become subject to and affected by new and proposed state privacy laws such as the California Consumer Privacy Act which takes effect in 2020 and which will impose additional data privacy requirements on many businesses operating in the state, including, potentially, with respect to employee data in addition to consumer data. A number of states, such as Maryland, Massachusetts and Washington, appear to be following California’s lead and have introduced comprehensive data privacy legislation modeled after the California Consumer Privacy Act or the European General Data Protection Regulation.

State banking and financial services regulatory agencies have asserted either express or implied authority under applicable state laws to examine us as a third-party service provider to financial institutions, and in certain cases to bring enforcement actions against us. Generally, such examinations, and related enforcement actions, are focused on assessing our safety and soundness in support of financial institutions we serve.

We are also subject to federal and state laws that are generally applicable to any U.S. business with national or international operations, such as antitrust laws, the Foreign Corrupt Practices Act, the Americans with Disabilities Act, state unfair or deceptive practices acts and various employment laws. We continuously monitor legislative and regulatory activities that involve credit reporting, data privacy, security and other relevant issues to identify issues in order to remain in compliance with all applicable laws and regulations.

Summary of International Regulation Relating to Consumer and Data Protection
 
We are subject to various data protection, privacy and consumer credit laws and regulations in the foreign countries where we operate. Examples of the most significant of these laws include, but are not limited to, the following:

In the U.K., we are subject to a regulatory framework which provides for primary regulation by the Financial Conduct Authority (the “FCA”). The FCA focuses on consumer protection, the integrity of the U.K. financial system, and effective competition in the interests of consumers. The FCA has significant powers, including the power to regulate conduct related to the marketing of financial products, to specify minimum standards and to place requirements on products, impose unlimited fines, and to investigate organizations and individuals. In addition, the FCA is able to ban financial products for up to a year while considering an indefinite ban; it has the power to instruct firms to immediately retract or modify promotions which it finds to be misleading, and to publish such decisions. Effective December 2019, the FCA framework under which we operate will also include the “senior managers and certification regime” which among other things will allow the FCA to bring an enforcement action directly against designated personnel who do not take reasonable steps to avoid non-compliance. Our core credit reporting (“credit reference”) and debt collections services and recovery management businesses in the U.K. are subject to FCA supervision. In addition to regulation by the FCA, we are also subject to regulation by the U.K. Information Commissioner’s Office, which focuses on upholding information rights in the public interest and the protection of data privacy for individuals.

In Europe, we are subject to the European General Data Protection Regulation (“GDPR”). The GDPR establishes multiple data protection requirements that are more specific and comprehensive than those of the U.S. and most

12



other countries where Equifax operates. In addition, the GDPR includes data breach notification requirements and it establishes the ability of regulators to pursue substantial penalties for non-compliance.

In Canada, federal and provincial laws govern how we collect, use or disclose personal information in the course of our commercial activities. Federally, the Personal Information Protection and Electronic Documents Act (“PIPEDA”) governs the collection, use and disclosure of personal information by organizations in the private sector. It sets out specific obligations with respect to accountability and identifying purposes, consent, collection, use, disclosure, retention, accuracy, safeguards, personal data breach reporting, individual access and compliance. The federal and provincial privacy regulators have powers of investigation and intervention, and provisions of Canadian law regarding civil liability apply in the event of unlawful processing which is prejudicial to the persons concerned. Canada also has specific credit reporting legislation that is regulated at a provincial level. At present, each province has credit reporting legislation, with the exception of New Brunswick and the Territories (Northwest Territories, Yukon, and Nunavut). Generally speaking, the legislation regulates the contents of credit files, the length of time information can be included on a credit file and who can receive credit reports.

In Latin America, data protection and credit reporting laws and regulations vary considerably among Latin American countries. Some countries, such as El Salvador, Ecuador and Honduras, establish a constitutional right to privacy without general data protection standards or a data protection authority. These countries, however, have laws that govern the functioning of credit bureaus. In 2018, Ecuador amended a 2017 law relating to the collection of credit data and the operation of a credit bureau within the country allowing the existence of private credit bureaus along with the public credit data registry to be established. Other countries, such as Argentina, Uruguay, Peru, Costa Rica and most recently Brazil have enacted comprehensive data protection legislation similar to the European GDPR. The EU recognizes Argentina and Uruguay as having adequate levels of protection for personal data transfers and processing. Peru also has a specific law for credit reporting. Paraguay and Chile have fewer comprehensive data protection laws in place, but do have rules regarding reporting periods, consent and data collection.

In Australia, we are subject to regulatory oversight by various agencies. The Office of the Australian Information Commissioner (“OAIC”) is the agency with direct responsibility for administering the Australian Privacy Principles (which relate to the collection, holding, use and disclosure of personal information) and Part IIIA of the Privacy Act 1988 (which regulates credit reporting). The OAIC can investigate a complaint, conduct its own investigations, resolve/make binding determinations and seek civil penalties. Our credit reporting business, Equifax Information Services and Solutions, is a member of an external dispute resolution scheme, the Australian Financial Complaints Authority, which has been approved by the OAIC to handle privacy and credit reporting complaints and make binding determinations. The OAIC can register codes of practice under the Privacy Act 1988, and has registered the Privacy (Credit Reporting) Code 2014. The Australian Competition and Consumer Commission (“ACCC”) is the agency responsible for enforcing the Competition and Consumer Act of 2010 and related legislation concerning consumer protection and competition. The ACCC has the authority to use a range of actions to ensure compliance with the law, including investigative powers and the ability to seek penalties through litigation and other formal enforcement means. The Australian Retail Credit Association (“ARCA”) is a credit and credit reporting industry self-regulatory body, which administers principles and standards for the exchange of credit data between industry participants. Equifax Australasia Credit Ratings Pty Limited (formerly named Corporate Scorecard Pty Limited, one of our Australian subsidiaries), holds an Australia Financial Services License (“AFSL”), which allows it to provide general advice to wholesale clients by issuing a credit rating, and has been approved by the Reserve Bank of New Zealand as a rating agency under section 86 of the Non-bank Deposit Takers Act of 2013. The Australian Securities and Investments Commission (“ASIC”) regulates that business, and has authority to investigate, prosecute, ban individuals, and to seek civil penalties. In addition, in Australia, draft legislation has been released by the Federal Government, mandating the supply by large banks of comprehensive credit information to credit reporting bodies, including Equifax, and imposing certain disclosure, storage and reporting obligations on the credit reporting bodies.

In New Zealand, the regulatory framework provides for primary regulation under the Office of the Privacy Commissioner (“NZ OPC”). The NZ OPC investigates complaints relating to the collection, use, holding and disclosure of personal information, both credit-related and non-credit related. The NZ OPC can make a finding that there has been an interference with privacy but cannot impose civil penalties. In extreme cases where there has been an interference with privacy it can refer these cases to the Director of Human Rights for determination in the Human Rights Review Tribunal. The NZ OPC can issue practice codes under the Privacy Act 1993, and has issued and subsequently amended, the Credit Reporting Privacy Code 2004. A self-regulatory body, the Retail

13



Credit Association of New Zealand (“RCANZ”) addresses reciprocity of data issues relating to comprehensive credit reporting and data standards.

In India, various legislation including the Information Technology Act of 2000 and rules framed thereunder and the Credit Information Companies (Regulation) Act of 2005 and rules and regulations framed thereunder, establishes a federal data protection framework. Entities that collect and maintain personal data and/or credit information must ensure that it is complete, accurate and safeguarded, and must adopt certain privacy principles with respect to collecting, processing, preserving, sharing and using such data and/or credit information. The Indian parliament has passed legislation that would allow individuals to sue for damages in the case of a data breach, if the entity negligently failed to implement reasonable security practices and procedures to protect personal data and/or credit information and in 2018 the Personal Data Protection Bill was released by the Indian government and is expected to be enacted and eventually to impose additional requirements in this area. Our Indian joint venture is subject to regulation by the Reserve Bank of India, which is India’s central banking institution.

In Russia, credit reporting activities are governed by the Federal Law on Credit Histories No.218-fz, dated December 30, 2004. The law regulates the contents of credit files, who may submit data to a credit bureau and who can receive credit reports. Russia has also enacted a comprehensive data protection law that is similar to Europe’s approach.

Tax Management Services
 
The Tax Management Services business within our Employer Services business unit in our Workforce Solutions segment is potentially impacted by changes in renewal or non-renewal of U.S. tax laws or interpretations, for example, those pertaining to work opportunity tax credits and unemployment compensation claims.
 
Personnel
 
Equifax employed approximately 10,900 employees in 22 countries as of December 31, 2018. None of our U.S. employees are subject to a collective bargaining agreement and no work stoppages have been experienced. Pursuant to local laws, certain of our employees in Argentina and Spain are covered under government-mandated collective bargaining regulations that govern general salary and compensation matters, basic benefits and hours of work. In some of our non-U.S. subsidiaries, certain of our employees are represented by workers’ councils or statutory labor unions.
 
Forward-Looking Statements
 
This report contains information that may constitute “forward-looking statements.” Generally, the words “believe,” “expect,” “intend,” “estimate,” “anticipate,” “project,” “will” and similar expressions identify forward-looking statements, which generally are not historical in nature. All statements that address operating performance, events or developments that we expect or anticipate will occur in the future, including statements relating to future operating results and statements related to the 2017 cybersecurity incident and improvements in our information technology and data security infrastructure, including as part of our technology transformation, our strategy, our culture, our ability to innovate, the market acceptance of new products and services and similar statements about our business plans are forward-looking statements. Management believes that these forward-looking statements are reasonable as and when made. However, forward-looking statements are subject to certain risks and uncertainties that could cause actual results to differ materially from our Company’s historical experience and our present expectations or projections, including without limitation our expectations regarding the Company’s outlook, long-term organic and inorganic growth, and customer acceptance of our business solutions referenced above under “Item 1. Business” and below in “Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operation Business Environment and Company Outlook.” These risks and uncertainties include, but are not limited to, those described below in “Item 1A. Risk Factors,” and elsewhere in this report and those described from time to time in our future reports filed with the United States Securities and Exchange Commission (“SEC”). As a result of such risks and uncertainties, we urge you not to place undue reliance on any such forward-looking statements. Forward-looking statements speak only as of the date when made. We undertake no obligation to publicly update or revise any forward-looking statements, whether as a result of new information, future events or otherwise, except as required by law.
 
Available Information
 
Detailed information about us is contained in our annual reports on Form 10-K, quarterly reports on Form 10-Q, current reports on Form 8-K, proxy statements and other reports, and amendments to those reports, that we file with, or furnish

14



to, the SEC. These reports are available free of charge at our website, www.equifax.com, as soon as reasonably practicable after we electronically file such reports with or furnish such reports to the SEC. However, our website and any contents thereof should not be considered to be incorporated by reference into this document. We will furnish copies of such reports free of charge upon written request to Equifax Inc., Attn: Office of Corporate Secretary, P.O. Box 4081, Atlanta, Georgia, 30302. These reports are also available at www.sec.gov.

ITEM 1A. RISK FACTORS
 
All of the risks and uncertainties described below and the other information included in this Form 10-K should be considered and read carefully. The risks described below are not the only ones facing us. The occurrence of any of the following risks or additional risks and uncertainties not presently known to us or that we currently believe to be immaterial could materially and adversely affect our business, financial condition or results of operations. This Form 10-K also contains forward-looking statements and estimates that involve risks and uncertainties. Our actual results could differ materially from those anticipated in the forward-looking statements as a result of specific factors, including the risks and uncertainties described below.

Security breaches like the 2017 cybersecurity incident and other disruptions to our information technology infrastructure could compromise Company, consumer and customer information, interfere with our operations, cause us to incur significant costs for remediation and enhancement of our IT systems and expose us to legal liability, all of which could have a substantial negative impact on our business and reputation.

In the ordinary course of business, we collect, process, transmit and store sensitive data, including intellectual property, proprietary business information and personally identifiable information of consumers. The secure operation of our information technology networks and systems, and of the processing and maintenance of this information, is critical to our business operations and strategy. Despite our substantial investment in physical and technological security measures, employee training and contractual precautions, our information technology networks and infrastructure (or those of our third-party vendors and other service providers) are potentially vulnerable to unauthorized access to data or breaches of confidential information due to criminal conduct, attacks by hackers, employee or insider malfeasance and/or human error.

In 2017, we were the target of a cybersecurity attack that involved the theft of certain personally identifiable information of approximately 145.5 million U.S. consumers, approximately 19,000 Canadian consumers and approximately 860,000 U.K. consumers. In addition, we identified approximately 2.4 million U.S. consumers whose name and partial driver’s license information were stolen in the attack. While the forensic analysis of the 2017 cybersecurity incident is complete, it is possible that further analysis will identify additional consumers affected or additional types of data accessed, which could result in additional notifications and negative publicity.

Following the 2017 cybersecurity incident, we began undertaking significant remediation efforts and other steps to enhance our data security infrastructure which are ongoing. In connection with these efforts, we have incurred significant costs and expect to incur additional significant costs as we continue to enhance our data security infrastructure and take further steps to prevent unauthorized access to our systems and the data we maintain. Despite these efforts, we cannot assure you that all potential causes of this incident have been identified and remediated and that similar cyber incidents will not occur in the future.

Because our products and services involve the storage and transmission of personal information of consumers, we will continue to routinely be the target of attempted cyber and other security threats by outside third parties, including technically sophisticated and well-resourced bad actors attempting to access or steal the data we store. As we transition to cloud-based technologies, we may be exposed to additional cyber threats as we migrate our data from our legacy systems to cloud-based solutions. Our increased dependence on third parties to store our cloud-based data systems may also subject us to further cyber threats. Insider or employee cyber and security threats are also a significant concern for all companies, including ours. In addition, the 2017 cybersecurity incident may embolden individuals or groups to target our systems.

We must continuously plan, develop and monitor our information technology networks and infrastructure to identify, protect, detect, respond to and recover from the risk of unauthorized access, misuse, malware, phishing and other events that could have a security impact. If we experience additional breaches of our security measures, including from incidents that we fail to detect for a period of time, sensitive data may be accessed, stolen, disclosed or lost. Any such access, disclosure or other loss of information could subject us to significant additional litigation, regulatory fines, penalties, losses of customers or reputational damage, any of which could have a significant negative impact on our cash flows, competitive position, financial condition or results of operations.


15



We cannot ensure that our insurance policies in the future will be adequate to cover losses from any future failures. Our $125.0 million cybersecurity insurance policy was not adequate to cover the losses we have incurred to date from the 2017 cybersecurity incident, and all future losses we incur as a result of the incident will not be covered by insurance. In addition, our insurance coverage will vary from time to time in both type and amount depending on availability, cost and our decisions with respect to risk retention.

The government investigations and litigation resulting from the 2017 cybersecurity incident will continue to adversely impact our business and results of operations.

As a result of the 2017 cybersecurity incident, we are currently a party to a consolidated multi-district consumer class action lawsuit and a consolidated multi-district financial institution class action lawsuit, as well as a consolidated securities class action lawsuit, shareholder derivative litigation and other lawsuits and claims arising out of the 2017 cybersecurity incident seeking monetary damages or other relief. A number of U.S. federal, state, local and foreign governmental officials and agencies, including Congressional committees, the FTC, the CFPB, the SEC, the U.S. Department of Justice and state attorneys general offices in the U.S., the FCA in the U.K. and the Office of the Privacy Commissioner in Canada, continue to investigate events related to the 2017 cybersecurity incident, including how it occurred, the consequences thereof and our response thereto. While we believe it is beneficial to resolve the consolidated multi-district consumer class action and one or more of the government investigations in the U.S. through a global resolution, the complexity of achieving a multi-party resolution, especially involving multiple government agencies, makes this a difficult objective to achieve. We may not have success in achieving a global resolution or even a resolution of any of these matters individually. In addition, other lawsuits, investigations and reports related to the 2017 cybersecurity incident may be filed, commenced or issued. The claims and investigations have resulted in the incurrence of significant external and internal legal costs and expenses and reputational damage to our business and are expected to continue throughout 2019 and beyond. The resolution of these matters may result in damages, costs, fines or penalties substantially in excess of our insurance coverage, which, depending on the amount, could have a material adverse effect on our liquidity or compliance with our credit agreements. If such damages, costs, fines or penalties were great enough that we could not pay them through funds generated from operating activities and/or cause a default under our revolving credit facility, we may be forced to renegotiate or obtain a waiver under our revolving credit facility and/or seek additional debt or equity financing. Such renegotiation or financing may not be available on acceptable terms, or at all. In these circumstances, if we were unable to obtain sufficient financing, we may not be able to meet our obligations as they come due. The outcome of such claims and investigations could also adversely affect or cause us to change how we operate our business. Various governmental agencies investigating the 2017 cybersecurity incident are seeking to impose injunctive relief, consent decrees, and civil penalties, which could, among other things, impact our ability to collect and use consumer information, materially increase our data security costs, reduce available resources to invest in technology and innovation and/or otherwise require us to alter how we operate our business, and put us at a competitive disadvantage. Any legislative or regulatory changes adopted in reaction to the 2017 cybersecurity incident or other companies’ data breaches could require us to make modifications to the operation of our business that could have an adverse effect and/or increase or accelerate our compliance costs. Furthermore, these matters necessitate significant attention by management, which may divert the focus of management from the operation of our business resulting in an adverse impact on our results of operations.

The 2017 cybersecurity incident and the adverse publicity that followed have had a negative impact on our reputation and our relationships with our customers, and we cannot assure that it will not have a long-term effect on our relationships with our customers, our revenue and our business.
 
Our reputation with consumers and other stakeholders and our customer relationships were damaged following the 2017 cybersecurity incident, resulting in a negative impact on our revenue. Despite our progress made toward repairing our reputation and business relationships, if we are unable to demonstrate the security of our systems and the data we maintain and retain the trust of our customers, consumers and data suppliers, we could experience a substantial negative impact on our business.

Additionally, following the 2017 cybersecurity incident, certain of our International Organization for Standardization (“ISO”) certifications, which specify requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system, were suspended. Additionally, certain of our payment card industry certifications were suspended. These certifications, including the ISO 27001 certification, are critical to our business, because certain of our current and potential customers and the contracts governing certain customer relationships, as well as certain of our data suppliers, require us to maintain them as a requirement of doing business. In 2018, significant focus was placed on remediation activities in order to obtain ISO and payment card industry re-certifications. We have reacquired three independent ISO/IEC 27001:2013 certifications (representing our Corporate, U.K. and Canada environments) and two of our payment card industry certifications (U.K. and Canada). In addition, we expect to obtain the

16



USIS and GCS payment card industry re-certification in 2019. If we fail to maintain or regain these certifications, customers may stop doing business with us and we may not be able to win new business, which would negatively affect our revenue.

The failure to realize the anticipated benefits of our technology transformation strategy could adversely impact our business and financial results.

We expect our technology transformation strategy, including our transition to cloud-based technologies, will significantly increase our efficiency and productivity, the functionality of our products and services, as well as decrease the cost of our systems infrastructure, all of which we expect will drive growth and have a positive effect on our business, competitive position and results of operations. This initiative is a major undertaking as we replace many of our previous operating systems with cloud-based systems. This complex, multifaceted and extensive initiative will be expensive and may cause material unanticipated problems and expenses. If our new systems do not operate as expected, we may have to incur significant additional costs to modify them. Moreover, we may experience issues of customer migration, as many of our customers may choose not to utilize our products and services during and after our transition to cloud-based technologies.

We cannot assure you that our technology transformation strategy will be beneficial to the extent, or within the timeframes, expected, or that the estimated efficiency, cost savings and other improvements will be realized as anticipated or at all. Market acceptance of cloud-based offerings is affected by a variety of factors, including information security, reliability, performance, the sufficiency of technological infrastructure to support our products and services in certain geographies, customer concerns with entrusting a third party to store and manage its data as well as the customer’s ability to access this data once a contract has expired, and consumer concerns regarding data privacy and the enactment of laws or regulations that restrict our ability to provide such services to customers. If we are unable to correctly respond to these issues, we may experience business disruptions, damage to our reputation, negative publicity, diminished customer relationships and other adverse effects on our business. Even if the anticipated benefits and savings are substantially realized, there may be consequences, internal control issues or business impacts that were not expected. Our transition and migration to cloud-based technologies may increase our risk of liability and cause us to incur significant technical, legal or other costs.

Our technology transformation strategy places a significant strain on our management, operational, financial and other limited resources.

As part of our technology transformation strategy, we are transitioning and migrating our data systems from traditional data centers to cloud-based platforms. This initiative will place significant strain on our management, personnel, operations, systems, technical performance and financial resources and internal financial control and reporting function. In addition, many of our existing personnel do not have experience with native cloud-based technologies and, as a result, we have and will continue to hire personnel with such experience. This effort will be time consuming and costly. Our technology transformation strategy requires management time and resources to educate employees and implement new ways of conducting business. The dedication of resources to our technology transformation strategy and cloud-based technologies limits the resources we have available to devote to other initiatives or growth opportunities, or to invest in the maintenance of our existing internal systems. We cannot guarantee that our strategy is the right one or that investments in alternative technologies or other initiatives would not be a better use of our limited resources.

Additionally, as a result of our migration efforts in connection with our technology transformation strategy, we may experience a loss of continuity, loss of accumulated knowledge or loss of efficiency during transitional periods. Reorganization and transition can require a significant amount of management and other employees’ time and focus, which may divert attention from operating activities and growing our business. If we fail to achieve some or all of the expected benefits of these activities, it could have a material adverse effect on our competitive position, business, financial condition, results of operations and cash flows.

Our transition to cloud-based technologies could expose us to operational disruptions.

We rely on the efficient and uninterrupted operation of complex information technology systems and networks, some of which are managed internally within the Company and some of which are outsourced to third parties. As part of our technology transformation strategy, we are upgrading the information technology systems used to operate our business and replacing them with cloud-based solutions. This transition will require substantial changes to our software and network infrastructure, which could lead to system interruptions, affect our data systems and further expose us to operational disruptions, and cause us to lose customers, all of which could have a material adverse effect on our results of operations.

Upon implementation of the new cloud-based solutions, much of our information technology systems will consist of outsourced, cloud-based infrastructure, platform and software-as-a-service solutions not under our direct management or

17



control. Any disruption to either the outsourced systems or the communication links between us and the outsourced supplier could negatively affect our ability to operate our data systems and could impair our ability to provide services to our customers. We may incur additional costs to remedy the damages caused by these disruptions.

The loss of access to credit, employment, financial and other data from external sources could harm our ability to provide our products and services.

We rely extensively upon data from external sources to maintain our proprietary and non-proprietary databases, including data received from customers, strategic partners and various government and public record sources. This data includes the widespread and voluntary contribution of credit data from most lenders in the U.S and many other markets as well as the contribution of data under proprietary contractual agreements, such as employers’ contribution of employment and income data to The Work Number®, financial institutions’ contribution of individual financial data to IXI, and telecommunications, cable and utility companies’ contribution of payment and fraud data to the National Cable, Telecommunications and Utility Exchange. For a variety of reasons, including concerns of data furnishers arising out of the 2017 cybersecurity incident, legislatively or judicially imposed restrictions on use, additional security breaches or competitive reasons, our data sources could withdraw, delay receipt of or increase the cost of their data provided to us. Where we currently have exclusive use of data, the providers of the data sources could elect to make the information available to competitors. We also compete with several of our third-party data suppliers. If a substantial number of data sources or certain key data sources were to withdraw or be unable to provide their data, if we were to lose access to data due to government regulation, if we lose exclusive right to the use of data, or if the collection, disclosure or use of data becomes uneconomical, our ability to provide products and services to our clients could have a significant negative impact, which could result in decreased revenue, net income and earnings per share and reputational loss. There can be no assurance that we would be able to obtain data from alternative sources if our current sources become unavailable.

Negative changes in general economic conditions, including interest rates, unemployment rates, income, home prices, investment values and consumer confidence, could adversely affect us.

Our customers, and therefore our business and revenues, are sensitive to negative changes in general economic conditions, including the demand and availability of affordable credit and capital, the level and volatility of interest rates, inflation, employment levels, consumer confidence and housing demand, both inside and outside the U.S. Business customers use our credit information and related analytical services and data to process applications for new credit cards, automobile loans, home and equity loans and other consumer loans, and to manage their existing credit relationships. Demand for our services tends to be correlated to general levels of economic activity and to consumer credit activity, which can be impacted by changes in interest rates. Bank and other lenders’ willingness to extend credit are adversely affected by elevated consumer delinquency and loan losses in a weak economy. Consumer demand for credit (i.e., rates of spending and levels of indebtedness) also tends to grow more slowly or decline during periods of economic contraction or slow economic growth. For example, in 2018, our revenue was negatively impacted in the U.S. by the weak mortgage market; in Argentina by the substantial weakening of the economy and local currency; in Australia by weak real estate and mortgage markets and overall weakness in consumer credit markets.

Our customer base suffers when financial markets experience volatility, illiquidity and disruption and the potential for increased and continuing disruptions going forward presents considerable risks to our business and revenue. High or rising rates of unemployment and interest, declines in income, home prices or investment values, lower consumer confidence and reduced access to credit adversely affect demand for many of our products and services, and consequently our revenue and results of operations, as consumers may postpone or reduce their spending and use of credit, and lenders may reduce the amount of credit offered or available.

Our markets are highly competitive and new product introductions and pricing strategies being offered by our competitors could decrease our sales and market share or require us to enhance our products and services or reduce our prices in a manner that reduces our operating margins.

We operate in a number of geographic, product and service markets that are highly competitive. Competitors may develop products and services that are superior to or that achieve greater market acceptance than our products and services. The size of our competitors varies across market segments, as do the resources we have allocated to the segments we target. Therefore, some of our competitors may have significantly greater financial, technical, marketing or other resources than we do in one or more of our market segments, or overall. As a result, our competitors may be in a position to respond more quickly than we can to new or emerging technologies and changes in customer requirements, or may devote greater resources than we can to the development, enhancement, promotion, sale and support of products and services, or some of our customers may develop products of their own that replace the products they currently purchase from us, which would result in lower revenue.

18



In addition, many of our competitors have extensive consumer relationships, including relationships with our current and potential customers. Moreover, new competitors or alliances among our competitors may emerge and potentially reduce our market share, revenue or margins.

We also sell our information to competing firms, and buy information from certain of our competitors, in order to sell “tri-bureau” and other products, most notably into the U.S. mortgage market. Changes in prices between competitors for this information and/or changes in the design or sale of tri-bureau versus single bureau product offerings may affect our revenue or profitability.

Some of our competitors may choose to sell products that compete with ours at lower prices by accepting lower margins and profitability, or may be able to sell products competitive to ours at lower prices, individually or as a part of integrated suites, given proprietary ownership of data, technological superiority or economies of scale. Price reductions by our competitors could negatively impact our margins and results of operations and could also harm our ability to obtain new customers on favorable terms. Historically, certain of our key products have experienced declines in per unit pricing due to competitive factors and customer demand. Since a significant portion of our operating expenses is relatively fixed in nature due to sales, information technology and development and other costs, if we were unable to respond quickly enough to changes in competition or customer demand, we could experience further reductions in our operating margins.

Our relationships with key long-term customers may be materially diminished or terminated.

We have long-standing relationships with a number of our customers, many of whom could unilaterally terminate their relationship with us or materially reduce the amount of business they conduct with us at any time. Many of our material customer agreements can be terminated by the customer for convenience on advance written notice, which provides our customers with the opportunity to renegotiate their contracts with us or to award more business to our competitors.

We also provide our services to business partners who may combine them with their own or other branded services to be offered as a bundle to consumers, governmental agencies and businesses in support of fraud or credit protection, credit monitoring, identity authentication, insurance or credit underwriting, and collections. Some of these partners are the largest providers of credit information or identity protection services to the consumer market.

Market competition, business requirements, financial condition and consolidation through mergers or acquisitions, could adversely affect our ability to continue or expand our relationships with our customers and business partners. There is no guarantee that we will be able to retain or renew existing agreements, maintain relationships with any of our customers or business partners on acceptable terms or at all, or collect amounts owed to us from insolvent customers or business partners. The loss of one or more of our major customers or business partners could adversely affect our business, financial condition and results of operations.
 
If we do not introduce successful new products, services and analytical capabilities in a timely manner, or if the market does not adopt our new services, our competitiveness and operating results will suffer.

We generally sell our products in industries that are characterized by rapid technological changes, frequent new product and service introductions and changing industry standards. In addition, certain of the markets in which we operate are seasonal and cyclical. Without the timely introduction of new products, services and enhancements, our products and services will become technologically or commercially obsolete over time, in which case our revenue and operating results would suffer. The success of our new products and services will depend on several factors, including our ability to properly identify customer needs; innovate and develop new technologies, services and applications; successfully commercialize new technologies in a timely manner; produce and deliver our products in sufficient volumes on time; differentiate our offerings from competitor offerings; price our products competitively; anticipate our competitors’ development of new products, services or technological innovations; and control product quality in our product development process. Our resources have to be committed to any new products and services before knowing whether the market will adopt the new offerings. In addition, our management is and will continue to be intensely focused on enhancing our security measures and responding to consumer and customer concerns relating to the 2017 cybersecurity incident and may not be able to devote sufficient time or resources to new product development, which could cause us to be less competitive as compared to our peers, lose out on new revenue opportunities and have an adverse effect on our growth and our business.


19



The demand for some of our products and services may be negatively impacted to the extent the availability of free or less expensive consumer information increases.

Public or commercial sources of free or relatively inexpensive consumer credit, credit score and other information have become increasingly available, particularly through the internet, and this trend is expected to continue. In addition, governmental agencies in particular have increased the amount of information to which they provide free public access and these or other sources of free or relatively inexpensive consumer information from competitors or other commercial sources may reduce demand for our services, particularly in our USIS and Global Consumer Solutions business units. Recently, there also has been an increase in companies offering free or low-cost direct-to-consumer credit services (such as credit scores, reports and monitoring) as part of alternative business models that use such services as a means to introduce consumers to other products and services. To the extent that our customers choose not to obtain services from us and instead rely on information obtained at no cost or relatively inexpensively from these other sources, our business, financial condition and results of operations may be adversely affected.

Due to the 2017 cybersecurity incident and our provision of free services to consumers in connection therewith, we ceased the advertisement and sale of new products in our direct-to-consumer business from September 2017 through October 2018, which resulted in a significant decline in revenue in that business. Furthermore, in late January 2018, we began offering a new credit lock service, Lock & Alert, that is free for life and is aimed at empowering U.S. consumers to control access to their Equifax credit file directly and quickly from their smartphone or computer. Additionally, effective September 2018, federal law allows consumers to place freezes on their credit files at all credit bureaus including Equifax. If a significant number of consumers lock or freeze their file, our population of data is reduced which could affect our product offerings and value to our customers in our other businesses.

If our systems do not meet customer requirements for response time or high availability, or we experience system constraints or failures, or our customers do not modify and/or upgrade their systems to accept new releases of our products and services, our services to our customers could be delayed or interrupted, which could result in lost revenues or customers, lower margins, or other harm to our business and reputation.

We depend on reliable, stable, efficient and uninterrupted operation of our technology network, systems, and data centers to provide service to our customers. Many of the services and systems upon which we rely have been outsourced to third parties. In addition, many of our revenue streams are dependent on links to third party telecommunications providers. These systems and operations, and the personnel that support, service and operate these systems, could be exposed to interruption, damage or destruction from power loss, telecommunication failures, computer viruses, denial-of-service attacks, employee or insider malfeasance, human error, fire, natural disasters, war, terrorist acts or civil unrest. We may not have sufficient disaster recovery or redundant operations in place to cover a loss or failure of systems or telecommunications links in a timely manner. In addition, as part of our technology transformation, we continue to be intensely focused on enhancing our data security infrastructure and effecting our technology transformation strategy and implementation of those enhancements could result in service interruptions. Our customers expect high system availability and response time performance, as well as a very high degree of system resilience. Any significant system interruption or series of minor interruptions could result in the loss of customers and/or lost revenues, lower margins or other significant harm to our business or reputation.

We and our customers are subject to various current laws and governmental regulations, and could be affected by new laws or regulations, including as a result of the 2017 cybersecurity incident, compliance with which may cause us to incur significant expenses and change our business practices, and if we fail to maintain satisfactory compliance with certain regulations, we could be subject to civil or criminal penalties.

We are subject to a number of U.S. federal, state, local and foreign laws and regulations relating to consumer privacy, data and financial protection. See “Item 1. Business—Governmental Regulation” in this Form 10-K for a summary of the U.S. and foreign consumer and data protection laws and regulations to which we are subject. These regulations are complex, change frequently, have tended to become more stringent over time, and are subject to administrative interpretation and judicial construction in ways that could harm our business. Examples of such new laws and regulations include recent amendments to the FCRA requiring the provision of free credit freezes to consumers, new cybersecurity and other requirements promulgated by the New York Department of Financial Services and the passage of the California Consumer Protection Act. Furthermore, we expect there to be an increased focus on laws and regulations related to our business because of the great public concern in the U.S. with regard to the operation of credit reporting agencies, as well as the collection, use, accuracy, correction and sharing of personal information, which was in part heightened by the 2017 cybersecurity incident. There are a number of legislative proposals pending before the U.S. Congress, various state legislative bodies and foreign governments concerning data protection that could affect us and the President of the United States could act by Executive Order. In addition, a growing number of legislative and regulatory bodies have adopted consumer notification and other requirements in the event that

20



consumer information is accessed by unauthorized persons and additional regulations regarding the use, access, accuracy and security of such data are possible. In the U.S., state laws provide for disparate notification regimes, all of which we are subject to. Further, any perception that our practices or products are an invasion of privacy, whether or not consistent with current or future regulations and industry practices, may subject us to public criticism, private class actions, reputational harm, or claims by regulators, which could disrupt our business and expose us to increased liability.

We devote substantial compliance, legal and operational business resources to facilitate compliance with applicable regulations and requirements. In the future, we may be subject to significant additional expense to ensure continued compliance with applicable laws and regulations and to investigate, defend or remedy actual or alleged violations. Additionally, we cooperate with CFPB supervisory examinations and respond to other state, federal and foreign government examinations of or inquiries of our business practices. Any failure by us to comply with, or remedy any violations of, applicable laws and regulations could result in the curtailment of certain of our operations, the imposition of fines and penalties, liability to private plaintiffs as a result of individual or class action litigation, restrictions on our ability to carry on or expand our operations and reputational harm. It is difficult to predict the impact on our business if we were subject to allegations of having violated existing laws. For example, in Europe, the GDPR, which includes extensive regulations for certain security incidents, could result in fines of up to four percent of annual worldwide “turnover” (a measure similar to revenues in the U.S.). In addition, because many of our products are regulated or sold to customers in various industries, we must comply with additional regulations in marketing our products. Moreover, our compliance with privacy laws and regulations and our reputation depend in part on customers’ adherence to privacy laws and regulations and their use of our services in ways consistent with consumer expectations and regulatory requirements. We cannot predict the ultimate impact on our business of new or proposed CFPB, FCA or other rules, supervisory examinations or government investigations or enforcement actions.

The following legal and regulatory developments also could have a substantial negative impact on our business, financial condition or results of operations:

amendment, enactment or interpretation of laws and regulations that restrict the access and use of personal information and reduce the availability or effectiveness of our solutions or the supply of data available to customers;
changes in cultural and consumer attitudes in favor of further restrictions on information collection and sharing, which may lead to regulations that prevent full utilization of our solutions;
failure of data suppliers or customers to comply with laws or regulations, where mutual compliance is required;
failure of our solutions to comply with current laws and regulations; and
failure of our solutions to adapt to changes in the regulatory environment in an efficient, cost effective manner.

These laws and regulations (as well as actions that may be taken by legislatures and regulatory bodies in other countries) and the consequences of any violation could limit our ability to pursue business opportunities we might otherwise consider engaging in, impose additional costs on us, result in significant loss of revenue, result in significant restitution and fines, impact the value of assets we hold, or otherwise adversely affect our business. See “Item 1. Business—Governmental Regulation” and “Item 3. Legal Proceedings” in this Form 10-K.

Regulatory oversight of our contractual relationships with certain of our customers may adversely affect our business.

The federal banking agencies, including the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System and the CFPB, as well as many state banking agencies have issued guidance to insured depository institutions and other providers of financial services on assessing and managing risks associated with third-party relationships, which include all business arrangements between a financial services provider and another entity, by contract or otherwise, and generally requires banks and financial services providers to exercise comprehensive oversight throughout each phase of a bank or financial service provider’s business arrangement with third-party service providers, and instructs banks and financial service providers to adopt risk management processes commensurate with the level of risk and complexity of their third-party relationships. This guidance requires more rigorous oversight of third-party relationships that involve certain “critical activities.” In light of this guidance, our existing or potential bank and financial services customers subject to this guidance may continue to revise their third-party risk management policies and processes and the terms on which they do business with us, which may adversely affect our relationship with such customers. In 2018, we entered into a consent order with certain state banking regulators in response to their multi-state review of our information security program. This consent order obligates us to, among other things, make certain changes to our corporate governance and information security practices. If we are unable or otherwise fail to comply with this consent order, our ability to do business with financial institutions in those states could be impaired. It is possible that the consent order or other actions resulting from examinations by federal or state banking regulators could lead to adverse changes in our customer relationships.


21



Economic, political and other risks associated with international sales and operations could adversely affect our results of operations.

Sales outside the U.S. comprised 29% of our total revenue in 2018. As a result, our business is subject to various risks associated with doing business internationally. In addition, many of our employees, suppliers, job functions and facilities are located outside the U.S. Accordingly, our future results could be harmed by a variety of factors including:

changes in specific country or region political, economic or other conditions;
trade protection measures;
data privacy and consumer protection regulations;
difficulty in staffing and managing widespread operations;
differing labor, intellectual property protection and technology standards and regulations;
business licensing requirements or other requirements relating to making foreign direct investments, which could increase our cost of doing business in certain jurisdictions, prevent us from entering certain markets, increase our operating costs or lead to penalties or restrictions;
difficulties associated with repatriating cash generated or held abroad in a tax-efficient manner;
implementation of exchange controls;
geopolitical instability, including terrorism and war;
foreign currency changes;
increased travel, infrastructure, legal and compliance costs of multiple international locations;
foreign laws and regulatory requirements;
terrorist activity, natural disasters and other catastrophic events;
restrictions on the import and export of technologies;
difficulties in enforcing contracts and collecting accounts receivable;
longer payment cycles;
failure to meet quality standards for outsourced work;
unfavorable tax rules;
the presence and acceptance of varying level of business corruption in international markets; and
varying business practices in foreign countries

We earn revenue, pay expenses, own assets and incur liabilities in countries using currencies other than the U.S. dollar, including among others the British pound, the Australian dollar, the Canadian dollar, the Argentine peso, the Chilean peso, the Euro, the New Zealand dollar, the Costa Rican colon, the Singapore dollar, the Brazilian real, the Russian ruble and the Indian rupee. Because our consolidated financial statements are presented in U.S. dollars, we must translate revenue, income and expenses, as well as assets and liabilities, into U.S. dollars at exchange rates in effect during or at the end of each reporting period. Therefore, increases or decreases in the value of the U.S. dollar against major currencies will affect our operating revenues, operating income and the value of balance sheet items denominated in foreign currencies. In 2018, a general weakening of foreign currencies in countries where we have operations against the U.S. dollar had a negative impact on our results as reported in U.S. dollars. See “Segment Financial Results—International—Asia Pacific,” “—Europe,” “—Latin America,” and “—Canada” and “Effects of Inflation and Changes in Foreign Currency Exchange Rates” in the “Item 7. Management’s Discussion and Analysis” in this Form 10-K. Because of the geographic diversity of our operations, weaknesses in some currencies might be offset by strengths in others over time. We generally do not mitigate the risks associated with fluctuating exchange rates, although we may from time to time through forward contracts or other derivative instruments hedge a portion of our translational foreign currency exposure or exchange rate risks associated with material transactions which are denominated in a foreign currency. The use of such hedging activities may not offset any or more than a portion of the adverse financial effects of unfavorable movements in foreign exchange rates over the limited time the hedges are in place. Accordingly, fluctuations in foreign currency exchange rates, particularly the strengthening of the U.S. dollar against major currencies, may materially affect our consolidated financial results.

Compliance with applicable U.S. and foreign laws and regulations, such as anti-corruption laws, tax laws, foreign exchange controls and restrictions on repatriation of earnings or other similar restraints, data privacy requirements, labor laws and anti-competition relations increases the cost of doing business in foreign jurisdictions. Although we have implemented policies and procedures to comply with these laws and regulations, a violation by our employees, contractors or agents could nevertheless occur.


22



We are regularly involved in claims, suits, government investigations, supervisory examinations and other proceedings that may result in adverse outcomes.

In addition to what we are currently experiencing due to the 2017 cybersecurity incident, we are regularly involved in claims, suits, government investigations, supervisory examinations and regulatory proceedings arising from the ordinary course of our business, including actions with respect to consumer protection and data protection, including purported class action lawsuits. Such claims, suits, government investigations and proceedings are inherently uncertain and their results cannot be predicted with certainty. Regardless of their outcome, such legal proceedings can have an adverse impact on us because of legal costs, diversion of management and other personnel, and other factors. In addition, it is possible that a resolution of one or more such proceedings could result in reputational harm, liability, penalties or sanctions, as well as judgments, consent decrees or orders preventing us from offering certain features, functionalities, products or services, or requiring a change in our business practices, products or technologies, which could in the future materially and adversely affect our business, operating results, and financial condition. The FCRA contains an attorney fee shifting provision to provide an incentive for consumers to bring individual and class action lawsuits against a CRA for violation of the FCRA, and the number of consumer lawsuits (both individual and class action) against us alleging a violation of the FCRA and our resulting costs associated with resolving these lawsuits have increased substantially over the past several years.

We rely, in part, on acquisitions, joint ventures and other alliances to grow our business and expand our geographic reach. The acquisition, integration or divestiture of businesses by us may not produce the expected financial, operating results or IT and data security profile we expect. In addition, if we are unable to make acquisitions or successfully develop and maintain joint ventures and other alliances, our growth may be adversely impacted.

Historically, we have relied, in part, on acquisitions, joint ventures and other alliances to grow our business. Any acquisitions we do complete may not be on favorable terms, and the expected benefits, synergies and growth from these initiatives may not materialize as planned. We may have difficulty assimilating new businesses and their products, services, technologies, IT systems and personnel into our operations. IT and data security profiles of acquired companies may not meet our technological standards and may take longer to integrate and remediate than planned. This may result in significantly greater transaction costs for future acquisitions than we have experienced historically, or it could mean that we will not pursue certain acquisitions where the costs of integration and remediation are too significant. We may also have difficulty integrating and operating businesses in countries and geographies where we do not currently have a significant presence, and acquisitions of businesses having a significant presence outside of the U.S. will increase our exposure to risks of conducting operations in international markets. These difficulties could disrupt our ongoing business, distract our management and workforce, increase our expenses and adversely affect our operating results and financial condition.

Despite our past experience, opportunities to grow our business through acquisitions, joint ventures and other alliances may not be available to us in the future. In addition, our focus on our technology transformation strategy, our migration to cloud-based technologies and potential fines, penalties and other costs as a result of the 2017 cybersecurity incident may limit our ability to identify and complete acquisitions as we will have less time and resources to devote to identifying suitable acquisition candidates and our technological criteria and standards for acquisition candidates may increase.

Dependence on outsourcing certain portions of our operations may adversely affect our ability to bring products to market and damage our reputation. Dependence on outsourced information technology and other administrative functions may impair our ability to operate effectively.

As part of our efforts to streamline operations and to reduce operating costs, we have outsourced various components of our application development, information technology, operational support and administrative functions and will continue to evaluate additional outsourcing. Although we have implemented service level agreements and have established monitoring controls, if our outsourcing vendors fail to perform their obligations in a timely manner or at satisfactory quality levels including with respect to data and system security, or increase prices for their services to unreasonable levels, our ability to bring products to market and support our customers and our reputation could suffer. Any failure to perform on the part of these third-party providers could impair our ability to operate effectively and could result in lower future revenue, unrealized efficiencies and adversely impact our results of operations and our financial condition. Much of our outsourcing takes place in developing countries and, as a result, may be subject to geopolitical uncertainty.

Changes in income tax laws can significantly impact our net income.

Federal and state governments in the U.S. as well as a number of other governments around the world are currently facing significant fiscal pressures and have considered or may consider changes to their tax laws for revenue raising or economic competitiveness reasons. Changes to tax laws can have immediate impacts, either favorable or unfavorable, on our

23



results of operations and cash flows, and may impact our competitive position versus certain competitors who are domiciled in other jurisdictions and subject to different tax laws. In December 2017, the U.S. enacted the Tax Cuts and Jobs Act of 2017 which significantly impacted our U.S. and global tax expense and net income and our earnings per share in 2018. The IRS issued clarification notices and the U.S. Treasury issued Proposed Regulation which also provided clarity to the Tax Act. However, the IRS could issue additional clarification and additional changes could be made to the final issuance of the Regulations.

If our government contracts are terminated, if we are suspended from government work, or if our ability to compete for new contracts is adversely affected, our business could suffer.

We derive a portion of our revenue from direct and indirect sales to U.S., state, local and foreign governments and their respective agencies. Such contracts are subject to various procurement laws and regulations, and contract provisions relating to their formation, administration and performance. Failure to comply with these laws, regulations or provisions in our government contracts could result in the imposition of various civil and criminal penalties, termination of contracts, forfeiture of profits, suspension of payments or suspension of future government contracting. Following the 2017 cybersecurity incident, our government contracts received enhanced scrutiny and negative media attention that resulted in the suspension of one of our contracts. If we are unable to repair the reputational damage caused by the 2017 cybersecurity incident and ensure the security of the data we maintain, our ability to maintain our existing and acquire new government contracts may be substantially impacted.
 
Also, the government programs to which we provide services, or which are the bases of compliance services we provide non-governmental clients, including, in particular, the employer requirements under the Affordable Care Act, may be terminated or substantially altered by the government and our services would no longer be needed. If our government contracts are terminated, if we are suspended from government work, if the services we provide are no longer needed due to government program change or termination, or if our ability to compete for new contracts is adversely affected, our business could suffer.

Third parties may claim that we are infringing on their intellectual property and we could suffer significant litigation or licensing expenses or be prevented from selling products or services.

There has been substantial litigation in the U.S. regarding intellectual property rights in the information technology industry. From time to time, third parties may claim that one or more of our products or services infringe their intellectual property rights. We analyze and take action in response to such claims on a case by case basis. Any dispute or litigation regarding patents or other intellectual property could be costly and time-consuming due to the complexity of our technology and the uncertainty of intellectual property litigation, could divert our management and key personnel from our business operations and we may not prevail. A claim of intellectual property infringement could force us to enter into a costly or restrictive license agreement, which might not be available under acceptable terms or at all, or could subject us to significant damages or to an injunction against development and sale of certain of our products or services. Our intellectual property portfolio may not be useful in asserting a counterclaim, or negotiating a license, in response to a claim of intellectual property infringement. In certain of our businesses we rely on third-party intellectual property licenses and we cannot ensure that these licenses will be available to us in the future on favorable terms or at all. Although our policy is to obtain licenses or other rights where necessary, we cannot provide assurance that we have obtained all required licenses or rights.

Third parties may misappropriate or infringe on our intellectual property and we may suffer competitive injury or expend significant resources enforcing our rights.

Our success increasingly depends on our proprietary technology. We rely on various intellectual property rights, including patents, copyrights, database rights, trademarks and trade secrets, as well as contract restrictions, confidentiality provisions and licensing arrangements, to establish our proprietary rights. The extent to which such rights can be protected varies in different jurisdictions. If we do not enforce our intellectual property rights successfully our competitive position may suffer which could harm our operating results. Our pending patent and trademark applications may not be allowed or competitors may challenge the validity or scope of our intellectual property rights. In addition, our patents, copyrights, trademarks and other intellectual property rights may not provide us a significant competitive advantage.

We may need to devote significant resources, including cybersecurity resources, to monitoring our intellectual property rights and we may or may not be able to detect misappropriation or infringement by third parties. Our competitive position may be harmed if we cannot detect misappropriation or infringement and enforce our intellectual property rights quickly or at all. In some circumstances, enforcement may not be available to us because a third party has a dominant intellectual property position or for other business reasons. In addition, competitors might avoid infringement by designing around our intellectual property rights or by developing non-infringing competing technologies. Intellectual property rights and

24



our ability to enforce them may be unavailable or limited in some countries which could make it easier for competitors to capture market share and could result in lost revenue.

The U.K.’s impending departure from the EU could adversely affect us.

The outcome of the 2016 referendum on the U.K.’s membership in the EU approving the exit of the U.K. from the EU (referred to as “Brexit”) could cause disruptions to and create uncertainty surrounding our business, including affecting our relationships with our existing and future customers, suppliers and employees, which could have an adverse effect on our business, financial results and operations. The effects of any Brexit will depend on its terms. In addition, developments regarding Brexit may also create global economic uncertainty, which may cause our clients to closely monitor their costs and reduce their spending on our solutions and services.

A downgrade to our credit ratings would increase our cost of borrowing under our credit facility and adversely affect our ability to access the capital markets.

We are party to a $1.10 billion five-year unsecured revolving credit facility with a group of financial institutions that matures in September 2023 (the “Revolver”). The Revolver replaced the Company’s previous $900 million unsecured revolving credit facility that was scheduled to mature in November 2020. The cost of borrowing under the Revolver and our ability and the terms under which we may access the credit markets are affected by credit ratings assigned to our indebtedness by the major credit rating agencies. These ratings are premised on our performance under assorted financial metrics, such as leverage and interest coverage ratios and other measures of financial strength, business and financial risk, industry conditions, transparency with rating agencies and timeliness of financial reporting. Our current ratings have served to lower our borrowing costs and facilitate access to a variety of lenders. However, there can be no assurance that our credit ratings or outlook will not be lowered in the future in response to adverse changes in these metrics caused by our operating results or by actions that we take that reduce our profitability or that require us to incur additional indebtedness for items such as substantial cash acquisitions, significant increases in costs and capital spending in security and IT systems, significant costs related to settlements of litigation or regulatory requirements, or by returning excess cash to shareholders through dividends or under our share repurchase program. A downgrade of our credit ratings would increase our cost of borrowing under the Revolver, negatively affect our ability to access the capital markets on advantageous terms, or at all, negatively affect the trading price of our securities and have a significant negative impact on our business, financial condition and results of operations.

We may not be able to borrow under our revolving credit facility and Receivables Facility.

We are party to a $225.0 million, two-year receivables funding facility (the “Receivables Facility”) as well as the Revolver. Our Revolver and Receivables Facility have representations, covenants, financial covenants and events of default which may limit our ability to borrow under such debt obligations. Any breach of a representation or failure to comply with any covenant or financial covenant or the occurrence of any event of default under the Revolver or the Receivables Facility could result in a prohibition of further borrowings under the Revolver and Receivables Facility or acceleration of any obligations outstanding thereunder. Any event of default under the Revolver or Receivables Facility could result in a cross default under our other outstanding debt obligations.

Changes in interest rates could adversely affect our cost of capital and net income.

Rising interest rates, credit market dislocations and decisions and actions by credit rating agencies can affect the availability and cost of our funding and adversely affect our net income.

Our business will suffer if we are not able to retain and hire key personnel.

Our future success, including our ability to implement our technology transformation strategy, depends partly on the continued service of our key development, sales, marketing, executive and administrative personnel. Additionally, increased retention risk exists in certain key areas of our operations, such as IT and security, which require specialized skills, such as maintenance of certain legacy computer systems, data security experts and analytical modelers. If we fail to retain and hire a sufficient number of these personnel, we will not be able to maintain or expand our business. As part of our technology transformation strategy, we have hired a significant number of new employees and contract employees. Hiring, training, motivating, retaining and managing employees with the skills required is time-consuming and expensive. If we are not able to hire sufficient employees to support our technology transformation, or to train, motivate, retain and manage the employees we do hire, it could have a material adverse effect on our business operations or financial results. We believe our pay levels are competitive within the regions in which we operate. However, there is also intense competition for certain highly technical specialties in geographic areas where we continue to recruit, and it may become more difficult to retain our key employees.

25




Our retirement and post-retirement pension plans are subject to financial market risks that could adversely affect our future results of operations and cash flows.

We have significant retirement and post-retirement pension plan assets and obligations. The performance of the financial markets and interest rates impact our plan expenses and funding obligations. Significant decreases in market interest rates, decreases in the fair value of plan assets and investment losses on plan assets will increase our funding obligations, and adversely impact our results of operations and cash flows.

We are subject to a variety of other general risks and uncertainties inherent in doing business.

In addition to the specific factors discussed above, we are subject to risks that are inherent to doing business. These include growth rates, general economic and political conditions, customer satisfaction with the quality of our services, costs of obtaining insurance, changes in unemployment rates, and other events that can impact revenue and the cost of doing business.

ITEM 1B. UNRESOLVED STAFF COMMENTS
 
None.
 
ITEM 2. PROPERTIES
 
Our executive offices are located at 1550 Peachtree Street, N.W., Atlanta, Georgia. Our other properties are geographically distributed to meet sales and operating requirements worldwide. We consider these properties to be both suitable and adequate to meet our current operating requirements. We ordinarily lease office space for conducting our business and are obligated under approximately 100 leases and other rental arrangements for our field locations. We owned 8 office buildings at December 31, 2018, including our executive offices, one campus which houses our Alpharetta, Georgia data center, a building utilized by our Workforce Solutions operations located in St. Louis, Missouri, as well as three buildings utilized by our Latin America operations located in Mexico City, Mexico and Asuncion, Paraguay.
 
For additional information regarding our obligations under leases, see Note 6 of the Notes to Consolidated Financial Statements in this Form 10-K. We believe that suitable additional space will be available to accommodate our future needs.


26



ITEM 3. LEGAL PROCEEDINGS
 
Litigation and Investigations related to the 2017 Cybersecurity Incident 

Since the 2017 cybersecurity incident, hundreds of class actions and other lawsuits have been filed against us typically alleging harm from the 2017 cybersecurity incident and seeking various remedies, including monetary and injunctive relief. We dispute the allegations in the complaints described below and intend to defend against such claims. In addition, numerous governmental agencies are investigating us in connection with the 2017 cybersecurity incident, which may result in fines, settlements or other relief. Set forth below are descriptions of the main categories of these lawsuits and investigations.

Multidistrict Litigation. Hundreds of class actions were filed against us in federal and state courts relating to the 2017 cybersecurity incident. The plaintiffs in these cases, who purport to represent various classes of U.S. consumers and small businesses, generally claim to have been harmed by alleged actions and/or omissions by Equifax in connection with the 2017 cybersecurity incident and assert a variety of common law and statutory claims seeking monetary damages, injunctive relief and other related relief.

In addition, certain class actions have been filed by financial institutions that allege their businesses have been placed at risk due to the 2017 cybersecurity incident and generally assert various common law claims such as claims for negligence and breach of contract, as well as, in some cases, statutory claims. The financial institution class actions seek compensatory damages, injunctive relief and other related relief.
Furthermore, a lawsuit has been filed against us by the City of Chicago with respect to the 2017 cybersecurity incident alleging violations of state laws and local ordinances governing protection of personal data, consumer fraud, breach notice requirements and business practices and seeking declaratory and injunctive relief and the imposition of fines the aggregate amount of which the complaint does not specifically quantify. Three Indian Tribes filed suits in federal court asserting putative class actions relating to the 2017 cybersecurity incident brought on behalf of themselves and other similarly situated federally recognized Indian Tribes and Nations. Additionally, the Commonwealth of Puerto Rico filed an action on its own behalf and on behalf of the people of Puerto Rico arising out of the 2017 cybersecurity incident.
Beginning on December 6, 2017 and pursuant to multiple subsequent orders, the U.S. Judicial Panel on Multidistrict Litigation ordered the consolidation and transfer for pre-trial proceedings with respect to the U.S. cases pending in federal court discussed above, including the City of Chicago action, the Indian Tribal suits, and the Puerto Rico action, to the Northern District of Georgia as the single U.S. District Court for centralized pre-trial proceedings (the “MDL Court”). Based on these orders, consolidated proceedings with respect to U.S. consumer and financial institution federal class actions and other lawsuits related to the 2017 cybersecurity incident have been conducted in the MDL Court. The MDL Court has established separate tracks for the consumer and financial institution class action cases and appointed lead counsel on behalf of plaintiffs in both tracks. Certain individual plaintiffs with cases pending in the MDL consolidated proceedings, including Puerto Rico and the City of Chicago, have sought the establishment of additional tracks and other related relief. The MDL Court has not yet ruled on those requests.
The Company moved to dismiss the consolidated class action complaints filed by the U.S. consumer, small business and financial institution plaintiffs in their entirety. On January 28, 2019, the MDL Court dismissed the small businesses’ consolidated class action complaint in its entirety. The MDL Court dismissed certain claims brought by the consumer and financial institution plaintiffs, while allowing other claims by those plaintiffs to proceed. Pursuant to case management orders issued by the MDL Court, consolidated pre-trial proceedings, including discovery between the parties, will proceed on the remaining claims of the U.S. consumer and financial institution plaintiffs.
Georgia State Court Consumer Class Actions. Four putative class actions arising from the 2017 cybersecurity incident were filed against us in Fulton County Superior Court and Fulton County State Court in Georgia based on similar allegations and theories as alleged in the U.S. consumer class actions pending in the MDL Court and seek monetary damages, injunctive relief and other related relief on behalf of Georgia citizens. These cases have been transferred to a single judge in the Fulton County Business Court and three of the cases were consolidated into a single action. On July 27, 2018, the Fulton County Business Court granted the Company’s motion to stay the remaining single case, and on August 17, 2018, the Fulton County Business Court granted the Company’s motion to stay the consolidated case.
Canadian Class Actions. Seven Canadian class actions, five of which are on behalf of a national class of approximately 19,000 Canadian consumers, have been filed against us in Ontario, Saskatchewan, Quebec and British Columbia. Each of the proposed Canadian class actions asserts a number of common law and statutory claims seeking monetary damages and other related relief in connection with the 2017 cybersecurity incident. The plaintiffs in each case seek

27



class certification/authorization on behalf of Canadian consumers whose personal information was allegedly impacted by the 2017 cybersecurity incident. In some cases, plaintiffs also seek class certification on behalf of Canadian consumers who had contracts for subscription products with Equifax around the time of the incident. All purported class actions are at preliminary stages, and we are opposing class certification or authorization in cases where such motions are pending. In addition, one of the cases in Ontario as well as the Saskatchewan case have been stayed. The Court’s order staying the Saskatchewan case is on appeal.
TransUnion Litigation. On November 27, 2017, Trans Union LLC and TransUnion Interactive, Inc. (collectively, “TransUnion”) filed a lawsuit in the U.S. District Court for the Northern District of Illinois against Equifax Information Services LLC, Equifax Inc., and Equifax Consumer Services LLC f/k/a Equifax Consumer Services, Inc. In its lawsuit, TransUnion asserts claims for declaratory relief, breach of contract, and anticipatory repudiation of contract based on our Reciprocal Data Supply Agreement (the “Agreement”), which sets forth the pricing terms for credit monitoring supplied by the parties to each other. TransUnion seeks a declaration regarding its contractual rights under the Agreement and monetary damages. On January 26, 2018, we moved to dismiss TransUnion’s claims. On June 19, 2018, the court granted in part and denied in part our motion to dismiss, dismissing Equifax Inc. from the case. Discovery has now commenced and is scheduled to end in March 2019. We dispute the allegations by TransUnion and intend to defend against its claims.
Securities Class Action Litigation. A consolidated putative class action lawsuit alleging violations of various federal securities laws in connection with statements and alleged omissions regarding our cybersecurity systems and controls is pending against us and certain of our current and former executives, officers and directors in the U.S. District Court for the Northern District of Georgia. The consolidated complaint seeks certification of a class of all persons who purchased or otherwise acquired Equifax securities from February 25, 2016 through September 15, 2017 and unspecified monetary damages, costs and attorneys’ fees. The Company moved to dismiss the consolidated class action complaint in its entirety. On January 28, 2019, the court dismissed claims against certain individual defendants and claims challenging certain statements, but allowed other claims against Equifax and our former Chairman and Chief Executive Officer to proceed. Pursuant to scheduling and case management orders issued by the court, pre-trial proceedings, including discovery between the parties, will proceed on the remaining claims.
Shareholder Derivative Litigation. A consolidated putative shareholder derivative action naming certain of our current and former executives, officers and directors as defendants and naming us as a nominal defendant is pending in the U.S. District Court for the Northern District of Georgia. Among other things, the consolidated complaint alleges claims for breaches of fiduciary duties, unjust enrichment, corporate waste and insider selling by certain defendants, as well as certain claims under the federal securities laws. The complaint seeks unspecified damages on behalf of the Company, plus certain equitable relief. We have appointed a committee of independent directors empowered to evaluate and respond in our best interests to the claims and related litigation demands.
Government Lawsuits. In addition to the City of Chicago’s and Commonwealth of Puerto Rico’s lawsuits in the MDL Court, the City of San Francisco filed a lawsuit against us in Superior Court in the City of San Francisco on behalf of the People of the State of California alleging violations of California’s unfair competition law due to purported violations of statutory protections of personal data and statutory data breach requirements and seeking statutory penalties, injunctive relief, and restitution for California consumers, among other relief. The court has stayed the City of San Francisco action until March 29, 2019.

Civil enforcement actions have been filed against us by the Attorneys General of Massachusetts and West Virginia alleging violations of commonwealth/state consumer protection laws. The Massachusetts action is pending in Suffolk Superior Court and seeks permanent injunctive relief, civil penalties, restitution, disgorgement of profits, costs and attorneys’ fees. The Suffolk Superior Court denied the Company’s motions to stay and dismiss the case, and the case is in discovery. The West Virginia action is pending in the Circuit Court of Boone County and seeks civil penalties and attorneys’ fees. Equifax’s motion to stay proceedings was granted on a temporary basis on December 21, 2018, and then continued on January 24, 2019, with the court scheduling a further hearing for February 28, 2019. The lawsuit filed by the Attorney General of Puerto Rico was transferred to the MDL proceeding, as described above. The Puerto Rico Department of Consumer Affairs has issued Notices of Infraction related to the Company’s alleged failure to give timely notice of the data breach under Puerto Rico law to the Department and Puerto Rico consumers.

Individual Consumer Litigation. Over 1,000 individual consumer actions, including multi-plaintiff actions, have been filed against us in state (general jurisdiction and small claims) and federal courts across the U.S. related to the 2017 cybersecurity incident. These claims include more than 2,500 individual plaintiffs. In addition, there are approximately 50 individual arbitration claims. The plaintiffs/claimants in these cases generally claim to have been harmed by alleged actions and/or omissions by Equifax in connection with the 2017 cybersecurity incident and assert a variety of common law and

28



statutory claims seeking primarily monetary damages. Where possible, actions filed in federal court or removed to federal court have been noticed for transfer to the MDL Court. Some of these matters have been finally resolved, and others are in various stages.

Government Investigations. We continue to cooperate with federal, state, city and foreign governmental agencies and officials investigating or otherwise seeking information, testimony and/or documents, including through Civil Investigative Demands and subpoenas, regarding the 2017 cybersecurity incident and related matters, including 48 state Attorneys General offices, the District of Columbia, the Federal Trade Commission (“FTC”), the Consumer Financial Protection Bureau (“CFPB”), the U.S. Securities and Exchange Commission (“SEC”), the U.S. Department of Justice, other U.S. state regulators, certain Congressional committees of both the U.S. Senate and House of Representatives, the Office of the Privacy Commissioner of Canada (“OPC”) and the U.K.’s Financial Conduct Authority (“FCA”). The Financial Industry Regulatory Authority, Inc. conducted an investigation that has now been concluded.
 
With respect to state Attorneys General investigations, the Company is cooperating with a consolidated multi-state investigation involving the Attorneys General of 46 states and the District of Columbia. As noted above, the Attorneys General of Massachusetts, West Virginia and Puerto Rico are not participating in the multi-state process and have filed suit. The Attorneys General of Indiana and Texas are each conducting separate investigations.
The staffs of the CFPB and FTC have informed us that their respective agencies intend to seek injunctive relief damages and, with respect to the CFPB, civil money penalties against us based on allegations related to the 2017 cybersecurity incident. We have submitted written responses to the CFPB and FTC addressing their allegations, and we continue to cooperate with the agencies in their investigations. On October 2, 2018, the Enforcement Staff of the NYDFS provided us with notice that it is considering recommending that the NYDFS take legal action against us, potentially seeking consumer relief and civil money penalties. We continue to cooperate with the NYDFS in its investigation.
The staff of the OPC has informed us that the OPC intends to make certain findings and recommendations in connection with its investigation of the 2017 cybersecurity incident. We have submitted written responses to the OPC and we continue to cooperate in its investigation.

The SEC issued a subpoena on May 14, 2018 regarding disclosure issues relating to the 2017 cybersecurity incident. We continue to cooperate with the SEC in its investigation. In addition, we continue to cooperate with the SEC and the U.S. Attorney’s Office for the Northern District of Georgia regarding investigations into the trading activities by certain of our current and former employees in relation to the 2017 cybersecurity incident.
The New York State Attorney General Investor Protection Bureau (“IPB”) issued a subpoena on September 20, 2017 relating to an investigation of whether there has been a violation of the Martin Act. We continue to cooperate with the IPB in its investigation.
The FCA served an Enforcement Notice and Information Requests. We have provided responses to these requests and continue to cooperate with the FCA.
Although we are actively cooperating with the above investigations and inquiries, an adverse outcome to any such investigations and inquiries could subject us to fines or other obligations, which may have an adverse effect on how we operate our business or our results of operations.
Public Records Litigation
Equifax has been named as a defendant in 19 putative class action lawsuits pending in federal courts across the country relating to its reporting of civil judgments and tax liens on consumers’ credit files. In October 2018, Equifax and the plaintiffs’ attorneys who filed the lawsuits reached an agreement in principle to settle the public records-related claims at issue on behalf of a nationwide class of consumers and we accrued an estimate of our liability for these matters in the third quarter of 2018. The amount accrued represents our best estimate of the liability related to this matter and is not material to the Consolidated Financial Statements. The parties have filed notices of settlement in the pending lawsuits and have begun drafting a settlement agreement and preliminary approval papers to file with the requisite court. If the final terms of a settlement agreement cannot be agreed upon, or if the settlement is not ultimately approved by the court, Equifax believes it has valid defenses to each of these actions and will continue to defend against them.

29



ACCC Investigation
In March 2017, the Australian Competition and Consumer Commission (the “ACCC”) commenced an investigation to determine whether the Company has been or is engaged in unlawful acts or practices relating to advertising, marketing and sale of consumer reports, credit scores or credit monitoring products in violation of the Australian Consumer Law, which prohibits misleading or deceptive conduct and false representations. The ACCC issued a number of notices to produce documents and information. On March 16, 2018, the ACCC commenced proceedings against the Company. The proceedings were settled on October 2, 2018. The settlement, which is subject to final court review, requires Equifax to, among other things, pay a monetary penalty, provide refunds to certain impacted consumers and refrain from engaging in specified conduct.
California Bankruptcy Litigation

In consolidated actions filed in the U.S. District Court for the Central District of California, captioned Terri N. White, et al. v. Equifax Information Services LLC, Jose Hernandez v. Equifax Information Services LLC, Kathryn L. Pike v. Equifax Information Services LLC, and Jose L. Acosta, Jr., et al. v. Trans Union LLC, et al., plaintiffs asserted that Equifax violated federal and state law (the FCRA, the California Credit Reporting Act and the California Unfair Competition Law) by failing to follow reasonable procedures to determine whether credit accounts are discharged in bankruptcy, including the method for updating the status of an account following a bankruptcy discharge. On August 20, 2008, the District Court approved a Settlement Agreement and Release providing for certain changes in the procedures used by defendants to record discharges in bankruptcy on consumer credit files. That settlement resolved claims for injunctive relief, but not plaintiffs’ claims for damages. On May 7, 2009, the District Court issued an order preliminarily approving an agreement to settle remaining class claims. The District Court subsequently deferred final approval of the settlement and required the settling parties to send a supplemental notice to those class members who filed a claim and objected to the settlement or opted out, with the cost for the re-notice to be deducted from the plaintiffs’ counsel fee award. Mailing of the supplemental notice was completed on February 15, 2011 and the deadline for this group of settling plaintiffs to provide additional documentation to support their damage claims or to opt-out of the settlement was March 31, 2011. On July 15, 2011, the District Court approved the settlement. Several objecting plaintiffs subsequently filed notices of appeal to the U.S. Court of Appeals for the Ninth Circuit, which, on April 22, 2013, issued an order vacating the settlement and remanding the case to the District Court for further proceedings. On January 21, 2014, the District Court denied the objecting plaintiffs’ motion to disqualify counsel for the settling plaintiffs and granted the motion of counsel for the settling plaintiffs to be appointed as interim lead class counsel. On March 28, 2016, the U.S. Court of Appeals for the Ninth Circuit affirmed the District Court’s lead counsel appointment. On January 9, 2017, the United States Supreme Court denied the objectors’ Petition for a Writ of Certiorari. The parties re-engaged in settlement discussions, including participation in mediations in August 2016 and November 2016, and reached an agreement to again settle the monetary claims. Settlement documents were filed with the District Court on April 14, 2017. On June 16, 2017, the Court granted preliminary approval of the proposed settlement, conditionally certified the settlement class, and appointed class counsel and administrator. A Final Fairness Hearing was held on December 11, 2017 and on April 6, 2018, the Court granted final approval. A Notice of Appeal was filed on May 7, 2018. Following the Notice of Appeal, the parties reached a Stipulation Regarding Attorneys’ Fees and Costs with the District Court subject to affirmance of the settlement with the U.S. Court of Appeals for the Ninth Circuit. The Ninth Circuit issued a briefing schedule on July 3, 2018, and on September 17, 2018, the objectors filed their appellate brief. The settling parties filed responsive briefs on January 31, 2019.

Other

Equifax has been named as a defendant in various other legal actions, including administrative claims, regulatory matters, government investigations, class actions and other litigation arising in connection with our business. Some of the legal actions include claims for substantial compensatory or punitive damages or claims for indeterminate amounts of damages. We believe we have defenses to and, where appropriate, will contest, many of these matters. Given the number of these matters, some are likely to result in adverse judgments, penalties, injunctions, fines or other relief. We may explore potential settlements before a case is taken through trial because of the uncertainty and risks inherent in the litigation process.
 
For information regarding our accounting for legal contingencies, see Note 6 of the Notes to Consolidated Financial Statements in this Form 10-K.

ITEM 4. MINE SAFETY DISCLOSURES
 
Not applicable.


30



PART II
 
ITEM 5. MARKET FOR THE REGISTRANT’S COMMON EQUITY, RELATED STOCKHOLDER MATTERS AND ISSUER PURCHASES OF EQUITY SECURITIES
 
Equifax’s common stock is traded on the New York Stock Exchange under the symbol “EFX.” As of January 31, 2019, Equifax had approximately 3,330 holders of record; however, Equifax believes the number of beneficial owners of common stock exceeds this number.
 
Shareholder Return Performance Graph
 
The graph below compares Equifax’s five-year cumulative total shareholder return with that of the Standard & Poor’s Composite Stock Index (S&P 500) and a peer group index, the S&P 500 Banks Index (Industry Group). The graph assumes that the value of the investment in our Common Stock and each index was $100 on the last trading day of 2013 and that all quarterly dividends were reinvested without commissions. Our past performance may not be indicative of future performance.

COMPARATIVE FIVE-YEAR CUMULATIVE TOTAL RETURN AMONG EQUIFAX INC., S&P 500 INDEX, AND S&P 500 BANKS INDEX (INDUSTRY GROUP)
chart-edab4eae0ca45e84966.jpg
 
Fiscal Year Ended December 31,
 
Initial
 
2014
 
2015
 
2016
 
2017
 
2018
Equifax Inc.
100.00

 
153.68

 
214.06

 
226.90

 
228.22

 
143.32

S&P 500 Index
100.00

 
150.51

 
152.59

 
169.24

 
205.24

 
150.33

S&P 500 Banks Index (Industry Group)
100.00

 
149.79

 
148.23

 
178.13

 
214.75

 
148.30


    

31



The table below contains information with respect to purchases made by or on behalf of Equifax of its common stock during the fourth quarter ended December 31, 2018:
 
Issuer Purchases of Equity Securities
Period
 
Total Number of Shares Purchased (1)
 
Average Price Paid Per Share (2)
 
Total Number of Shares Purchased as Part of Publicly-Announced Plans or Programs
 
Maximum Number (or Approximate Dollar Value) of Shares that May Yet Be Purchased Under the Plans or Programs (3)
October 1 - October 31, 2018
 
540

 
$

 

 
$
590,092,166

November 1 - November 30, 2018
 
295

 
$

 

 
$
590,092,166

December 1 - December 31, 2018
 
7,044

 
$

 

 
$
590,092,166

Total
 
7,879

 
$

 

 
$
590,092,166


 (1)
The total number of shares purchased includes, if applicable: (a) shares purchased pursuant to our publicly-announced share repurchase program, or Program; and (b) shares surrendered, or deemed surrendered, in satisfaction of the exercise price and/or to satisfy tax withholding obligations in connection with the exercise of employee stock options and vesting of restricted stock, totaling 540 shares for the month of October 2018, 295 shares for the month of November 2018 and 7,044 shares for the month of December 2018.

(2)
Average price paid per share for shares purchased as part of our Program (includes brokerage commissions).

(3)
We did not repurchase any common shares during the twelve months ended December 31, 2018. At December 31, 2018, the amount authorized for future share repurchases under the Program was $590.1 million.

Information relating to compensation plans under which the Company’s equity securities are authorized for issuance is included in the section captioned “Equity Compensation Plan Information” in our 2019 Proxy Statement and is incorporated herein by reference.

32



ITEM 6. SELECTED FINANCIAL DATA
 
The table below summarizes our selected historical financial information for each of the last five years. The summary of operations data for the years ended December 31, 2018, 2017, and 2016, and the balance sheet data as of December 31, 2018 and 2017, have been derived from our audited Consolidated Financial Statements included in this report. The summary of operations data for the years ended December 31, 2015 and 2014, and the balance sheet data as of December 31, 2016, 2015 and 2014, have been derived from our audited Consolidated Financial Statements not included in this report. The historical selected financial information may not be indicative of our future performance and should be read in conjunction with the information contained in Management’s Discussion and Analysis of Financial Condition and Results of Operations, and the Consolidated Financial Statements and the accompanying Notes to the Consolidated Financial Statements in this report.
 
 
Twelve Months Ended
December 31,
 
2018 (1) (2)
 
2017 (3) (4)
 
2016 (5)
 
2015 (6) (7)
 
2014 (8)
 
(In millions, except per share data)
Summary of Operations:
 
 
 
 
 
 
 
 
 
Operating revenue
$
3,412.1

 
$
3,362.2

 
$
3,144.9

 
$
2,663.6

 
$
2,436.4

Operating expenses
2,964.1

 
2,530.5

 
2,319.8

 
1,963.6

 
1,794.5

Operating income
448.0

 
831.7

 
825.1

 
700.0

 
641.9

Consolidated income from continuing operations
306.3

 
598.0

 
495.1

 
434.8

 
374.0

Net income attributable to Equifax
$
299.8

 
$
587.3

 
$
488.8

 
$
429.1

 
$
367.4

 
 
 
 
 
 
 
 
 
 
Dividends paid to Equifax shareholders
$
187.9

 
$
187.4

 
$
157.6

 
$
137.8

 
$
121.2

Diluted earnings per share


 


 


 


 


Net income attributable to Equifax
$
2.47

 
$
4.83

 
$
4.04

 
$
3.55

 
$
2.97

Cash dividends declared per share
$
1.56

 
$
1.56

 
$
1.32

 
$
1.16

 
$
1.00

Weighted-average shares outstanding (diluted)
121.4

 
121.5

 
121.1

 
120.9

 
123.5

 
As of December 31,
 
2018 (1) (2)
 
2017 (3) (4)
 
2016 (5)
 
2015 (6) (7)
 
2014 (8)
 
(In millions)
Balance Sheet Data:
 
 
 
 
 
 
 
 
 
Total assets
$
7,153.2

 
$
7,233.4

 
$
6,664.0

 
$
4,501.5

 
$
4,661.0

Short-term debt and current maturities
4.9

 
965.3

 
585.4

 
49.3

 
380.4

Long-term debt, net of current portion
2,630.6

 
1,739.0

 
2,086.8

 
1,138.4

 
1,145.7

Total debt, net
2,635.5

 
2,704.3

 
2,672.2

 
1,187.7

 
1,526.1

Total equity
3,155.7

 
3,239.0

 
2,721.3

 
2,350.4

 
2,234.6

 

(1)
During the year ended December 31, 2018, the Company recorded $401.2 million of pre-tax expenses related to the 2017 cybersecurity incident and insurance recoveries of $75.0 million for net expenses of $326.2 million. Costs related to the 2017 cybersecurity incident are defined as incremental costs to transform our information technology infrastructure and data security; legal fees and professional services costs to investigate the 2017 cybersecurity incident and respond to legal, government and regulatory claims; as well as costs to provide the free product and related support to the consumer.

(2)
During the fourth quarter of 2018, we recorded a restructuring charge of $46.1 million all of which is recorded in selling, general, and administrative expenses in our Consolidated Statements of Income. The restructuring charge primarily relates to a reduction in headcount to support the Company’s strategic objectives and increase the integration of our global operations. For additional information, see Note 11 of the Notes to the Consolidated Financial Statements in this report.

33




(3)
During the year ended December 31, 2017, the Company recorded $164.0 million of pre-tax expenses related to the 2017 cybersecurity incident and insurance recoveries of $50.0 million for net expenses of $114.0 million. Expenses include costs to investigate and remediate the 2017 cybersecurity incident and legal and other professional services related thereto, all of which were expensed as incurred. Additionally, as a result of the 2017 cybersecurity incident, we offered free credit file monitoring and identity theft protection to all U.S. consumers. We recorded the expenses necessary to provide this service to those who signed up during 2017. For additional information, see Note 6 of the Notes to the Consolidated Financial Statements in this report.

(4)
The Tax Cuts and Jobs Act of 2017 (“Tax Act”), as signed by the President of the United States on December 22, 2017, significantly revised U.S. tax law. The legislation positively impacted the Company’s ongoing effective tax rate due to the reduction of the U.S. federal corporate tax rate from 35% to 21%. The Tax Act made major changes to the U.S. international tax system. Under previous law, foreign earnings were subject to U.S. tax when repatriated to the U.S. Under the Tax Act, foreign earnings are generally exempt from U.S. tax. Additionally, there is a one-time deemed repatriation tax on undistributed foreign earnings and profits (the “transition tax”). The Tax Act imposes other U.S. taxes on “global intangible low taxed income” and “base erosion anti-abuse transactions.” Other significant changes included limitations on the deductibility of interest expense and executive compensation, and repeal of the deduction for domestic production activities. As a result of the current interpretation and estimated impact of the Tax Act, the Company recorded adjustments totaling a net tax benefit of $48.3 million in the fourth quarter of 2017 to provisionally account for the estimated impact. Refer to Note 7 of the Notes to the Consolidated Financial Statements in this Form 10-K for additional information. We also prospectively applied the provisions of ASU 2016-09 “Compensation - Stock Compensation (Topic 718),” related to the recognition of windfall tax benefits in the Consolidated Statement of Income which resulted in the recognition of $26.7 million of tax benefits for the year ended December 31, 2017.

(5)
In the first quarter of 2016, we completed the acquisition of 100% of the ordinary voting shares of Veda for cash consideration plus debt assumed of approximately $1.9 billion. For the year ended December 31, 2016, we recorded $40.2 million ($28.2 million, net of tax) for Veda acquisition related amounts. Of this amount, $30.1 million relates to transaction and integration costs in operating income, $9.2 million is recorded in other income and is the impact of foreign currency changes on the transaction structure, including the economic hedges, $0.2 million is recorded in depreciation and amortization, and $0.7 million is recorded in interest expense.

(6)
In the first quarter of 2015, we recorded a $20.7 million restructuring charge ($13.2 million, net of tax) all of which was recorded in selling, general and administrative expenses on our Consolidated Statements of Income. This charge resulted from our continuing efforts to realign our internal resources to support the Company’s strategic objectives and increase the integration of our global operations.

(7)
During the second quarter of 2015, the management of Boa Vista Servicos S.A. (“BVS”), in which we hold a 15% cost method investment, updated the financial projections of BVS. The updated projections, along with the continued weakness in the Brazilian consumer and small commercial credit markets were considered indicators of impairment. As a result of these changes, and the associated near-term changes in cash flow expected from the business, we recorded a 46.0 million Brazilian Reais ($14.8 million) impairment of our investment. 

(8)
During the first quarter of 2014, we acquired 100% of the stock of TDX, a data, technology and services company in the United Kingdom that specializes in debt collections and recovery management through the use of analytics, data exchanges and technology platforms. The results of this acquisition have been included in our USIS and International operating segments subsequent to the acquisition.

34



ITEM 7.  MANAGEMENT’S DISCUSSION AND ANALYSIS OF FINANCIAL CONDITION AND RESULTS OF OPERATIONS
 
As used herein, the terms Equifax, the Company, we, our and us refer to Equifax Inc., a Georgia corporation, and its consolidated subsidiaries as a combined entity, except where it is clear that the terms mean only Equifax Inc.
 
All references to earnings per share data in Management’s Discussion and Analysis, or MD&A, are to diluted earnings per share, or EPS, unless otherwise noted. Diluted EPS is calculated to reflect the potential dilution that would occur if stock options or other contracts to issue common stock were exercised and resulted in additional common shares outstanding.
 
BUSINESS OVERVIEW
 
Equifax Inc. is a global data, analytics and technology company. We provide information solutions and human resources business process outsourcing services for businesses, governments and consumers. We have a large and diversified group of clients, including financial institutions, corporations, governments and individuals. Our services are based on comprehensive databases of consumer and business information derived from numerous sources including credit, financial assets, telecommunications and utility payments, employment, income, demographic and marketing data. We use advanced statistical techniques, machine learning and proprietary software tools to analyze available data to create customized insights, decision-making solutions and processing services for our clients. We also provide information, technology and services to support debt collections and recovery management. Additionally, we are a leading provider of payroll-related and human resource management business process outsourcing services in the United States of America, or U.S. For consumers, we provide products and services to help people understand, manage and protect their personal information and make more informed financial decisions.
 
We currently operate in four global regions: North America (U.S. and Canada), Asia Pacific (Australia, New Zealand and India), Europe (the United Kingdom, or U.K., Spain and Portugal) and Latin America (Argentina, Chile, Costa Rica, Ecuador, El Salvador, Honduras, Mexico, Paraguay, Peru and Uruguay). We maintain support operations in the Republic of Ireland, Chile, Costa Rica and India. We also offer Equifax branded credit services in Russia and India through joint ventures, have investments in consumer and/or commercial credit information companies through joint ventures in Cambodia, Malaysia, Singapore and the United Arab Emirates, and have an investment in a consumer and commercial credit information company in Brazil.

2017 Cybersecurity Incident

In 2017, we experienced a cybersecurity incident following a criminal attack on our systems that involved the theft of certain personally identifiable information of U.S., Canadian and U.K. consumers. Criminals exploited a software vulnerability in a U.S. website application to gain unauthorized access to our network. In March 2017, the U.S. Department of Homeland Security distributed a notice concerning the software vulnerability. We undertook efforts to identify and remediate vulnerable systems; however, the vulnerability in the website application that was exploited was not identified by our security processes. We discovered unusual network activity in late-July 2017 and upon discovery promptly investigated the activity. Once the activity was identified as potential unauthorized access, we acted to stop the intrusion and engaged a leading, independent cybersecurity firm to conduct a forensic investigation to determine the scope of the unauthorized access, including the specific information impacted. Based on our forensic investigation, the unauthorized access occurred from mid-May 2017 through July 2017. No evidence was found that the Company’s core consumer, employment and income, or commercial reporting databases were accessed. We continue to cooperate with law enforcement in connection with the criminal investigation into the actors responsible for the 2017 cybersecurity incident.

As a result of the 2017 cybersecurity incident, we are party to numerous lawsuits and governmental investigations. See “Item 1A. Risk Factors” and “Item 3. Legal Proceedings” in this Form 10-K for more information regarding these lawsuits and investigations.
    
Product Liability.  As a result of the 2017 cybersecurity incident, we offered TrustedID® Premier, a credit file monitoring and identity theft protection product, for free to all eligible U.S. consumers who signed up through January 31, 2018. We also provided free credit reports and scores, credit monitoring and identity theft protection for twenty four months to impacted consumers in Canada and the U.K. We have recorded the expenses necessary to provide this service to those who signed up. Through December 31, 2017, we recorded $50.7 million of product costs in selling, general and administrative expenses in the accompanying Consolidated Statements of Income. In 2018, the Company extended the free credit monitoring services for an additional twelve months for eligible consumers impacted by the 2017 cybersecurity incident by providing them the opportunity to enroll in Experian® IDNotify at no cost. We recorded $20.4 million related to these services in selling,

35



general, and administrative expenses in the accompanying Consolidated Statements of Income for the twelve months ended December 31, 2018.

Litigation, Claims and Government Investigations.  As a result of the 2017 cybersecurity incident, we are subject to a significant number of proceedings and investigations as described in Part I, “Item 3. Legal Proceedings” in this Form 10-K. While we believe it is reasonably possible that we will incur losses associated with such proceedings and investigations, it is not possible at this time to estimate the amount of loss or range of possible loss that might result from adverse judgments, settlements, penalties or other resolution of the proceedings and investigations described in “Item 3. Legal Proceedings” based on the various stages of these proceedings and investigations, that alleged damages have not been specified or are uncertain, the uncertainty as to the certification of a class or classes and the size of any certified class, as applicable, and the lack of resolution on significant factual and legal issues. The Company will continue to evaluate information as it becomes known and will record an estimate for losses at the time or times when it is both probable that a loss has been incurred and the amount of the loss is reasonably estimable. The Company believes that the ultimate amount paid on these actions, claims and investigations could be material to the Company’s consolidated financial condition, results of operations, or cash flows in future periods.

Future Costs.  We are currently executing substantial initiatives in security and consumer support, and a company-wide transformation of our technology infrastructure, which we refer to as our technology transformation, and incurred substantial increased expenses and capital expenditures in 2018 related to these initiatives. We expect to again incur significant expenses and capital expenditures in 2019 and 2020 related to these initiatives, although at levels slightly below those incurred in 2018.

We incurred significant legal and professional services expenses related to the lawsuits, claims and government investigations to which we are a party in 2018, and expect to continue to incur these expenses until these items are resolved. We will recognize the expenses and capital expenditures referenced herein as they are incurred. In 2018, we incurred elevated costs for insurance, finance and compliance activities, and expect to incur costs at these levels again in 2019.

Insurance Coverage.  At the time of the 2017 cybersecurity incident, we had $125.0 million of cybersecurity insurance coverage, above a $7.5 million deductible, to limit our exposure to losses such as those related to this incident. During the twelve months ended December 31, 2018 and 2017, the Company recorded insurance recoveries of $75.0 million and $50.0 million, respectively, and received payments of $110.0 million and $15.0 million, respectively, for reimbursable costs incurred to date. Since the announcement of the 2017 cybersecurity incident in September 2017, we have received the maximum reimbursement under the insurance policy of $125.0 million.

Segment and Geographic Information
 
Segments. The USIS segment, the largest of our four segments, consists of three service lines: Online Information Solutions; Mortgage Solutions; and Financial Marketing Services. Online Information Solutions and Mortgage Solutions revenue is principally transaction-based and is derived from our sales of products such as consumer and commercial credit reporting and scoring, identity management, fraud detection and modeling services. USIS also markets certain decisioning software services, which facilitate and automate a variety of consumer and commercial credit-oriented decisions. Financial Marketing Services revenue is principally project and subscription based and is derived from our sales of batch credit and consumer wealth information such as those that assist clients in acquiring new customers, cross selling to existing customers and managing portfolio risk.
 
The International segment consists of Asia Pacific, Europe, Latin America and Canada. Canada’s services are similar to our USIS offerings. Asia Pacific, Europe and Latin America are made up of varying mixes of service lines that are generally in our USIS reportable segment. We also provide information and technology services to support lenders and other creditors in the collections and recovery management process.
 
The Workforce Solutions segment consists of the Verification Services and Employer Services business lines. Verification Services revenue is transaction-based and is derived primarily from employment and income verification. Employer Services revenues are derived from our provision of certain human resources business process outsourcing services that include both transaction and subscription based product offerings. These services include unemployment claims management, employment-based tax credit services and other complementary employment-based transaction services.
 
Global Consumer Solutions revenue is both transaction and subscription based and is derived from the sale of credit monitoring and identity theft protection products, which we deliver electronically to consumers primarily via the internet in the U.S., Canada, and the U.K. We also sell consumer and credit information to resellers who combine our information with other information to provide direct-to-consumer monitoring, reports and scores. Due to the 2017 cybersecurity incident we ceased

36



advertising our consumer business in the U.S. in September 2017. We resumed advertising our U.S. paid products in the fourth quarter of 2018.

As part of our response to the 2017 cybersecurity incident, we made our TrustedID® Premier service, an identity theft protection and credit file monitoring product, available for free to all U.S. consumers for twelve months for those who signed up by January 31, 2018. In late 2018, the Company extended the free credit file monitoring services for impacted consumers in the U.S. using the free TrustedID Premier® service by providing them the opportunity to enroll in Experian® IDNotify at no cost for an additional twelve months. Similarly, for impacted consumers in Canada and the U.K., we provided free credit reports and scores, credit monitoring and identity theft protection for twenty four months. As part of our commitment to providing long-term resources and protections for consumers, in January 2018, the Company introduced Lock & Alert, a mobile application enabled service that allows U.S. consumers to quickly lock and unlock their Equifax credit report for free, for life.
    
Geographic Information. We currently have operations in the following countries: Argentina, Australia, Canada, Chile, Costa Rica, Ecuador, El Salvador, Honduras, India, Mexico, New Zealand, Paraguay, Peru, Portugal, the Republic of Ireland, Spain, the U.K., Uruguay and the U.S. We also offer Equifax branded credit services in India and Russia through joint ventures, we have investments in consumer and/or commercial credit information companies through joint ventures in Cambodia, Malaysia, Singapore and the United Arab Emirates, and have an investment in a consumer and commercial credit information company in Brazil. Approximately 71% our revenue was generated in the U.S. during both of the twelve months ended December 31, 2018 and 2017.
 
Key Performance Indicators.  Management focuses on a variety of key indicators to monitor operating and financial performance. These performance indicators include measurements of operating revenue, change in operating revenue, operating income, operating margin, net income, diluted earnings per share, cash provided by operating activities and capital expenditures. Key performance indicators for the twelve months ended December 31, 2018, 2017 and 2016, include the following: 
 
Key Performance Indicators
Twelve Months Ended
December 31,
 
2018
 
2017
 
2016
 
(In millions, except per share data)
Operating revenue
$
3,412.1

 
$
3,362.2

 
$
3,144.9

Operating revenue change
1
%
 
7
%
 
18
%
Operating income
$
448.0

 
$
831.7

 
$
825.1

Operating margin
13.1
%
 
24.7
%
 
26.2
%
Net income attributable to Equifax
$
299.8

 
$
587.3

 
$
488.8

Diluted earnings per share
$
2.47

 
$
4.83

 
$
4.04

Cash provided by operating activities
$
672.2

 
$
816.0

 
$
823.0

Capital expenditures*
$
(368.1
)
 
$
(214.0
)
 
$
(191.5
)
*Amounts above include accruals for capital expenditures.
 
Business Environment and Company Outlook 

Demand for our services tends to be correlated to general levels of economic activity and to consumer credit activity, small commercial credit and marketing activity. Demand is also enhanced by our initiatives to expand our products, capabilities, and markets served. In the United States, we expect 2019 economic activity, as measured by GDP, to be down from the levels seen in the second half of 2018. We expect modest growth in consumer credit, excluding mortgage, over the course of 2019. U.S. Mortgage market originations are expected to be much weaker in the first half of 2019 and down for the full year of 2019 versus 2018. We anticipate 2019 economic activity, as measured by GDP, in Canada to be slightly below the levels seen in the second half of 2018. In Australia, as measured by GDP, we anticipate 2019 economic activity to be below the levels seen in the second half of 2018 due to overall weakness in consumer credit markets. In the European markets we serve, the U.K., Spain and Portugal, we are expecting 2019 economic activity, as measured by GDP, to be at or slightly below the levels in 2018. In Latin America, our two largest markets are in Argentina and Chile. In Argentina, the market weakened significantly in 2018. We are expecting continued weakness in 2019 but at lower levels than in 2018. In Chile, we are expecting economic activity in 2019 to be down slightly compared to 2018.

37



    
The 2017 cybersecurity incident is expected to continue to negatively impact revenue, principally in our USIS and Global Consumer Solutions businesses. We have incurred, in 2018, and will continue to incur, in 2019, legal, consulting and other costs related to the analysis and response to the 2017 cybersecurity incident. Additionally, in 2018 and beyond, we have incurred and will continue to incur increased costs and capital expenditures related to our technology transformation, which includes costs for enhanced data security. In 2018 and beyond, we had and will continue to have increases in the ongoing run-rate of technology and security spending. We also expect to continue to incur increased expenses for insurance, finance, compliance activities, and to meet increased legal and regulatory requirements. The ultimate amount of these increases is expected to be significant.

As a result of the 2017 cybersecurity incident, we are subject to a significant number of proceedings and investigations as described in “Item 3. Legal Proceedings” in this Form 10-K. While we believe it is reasonably possible that we will incur losses associated with these proceedings and investigations, it is not possible to estimate the amount of loss or range of possible loss that might result from adverse judgments, settlements, penalties or other resolution of the proceedings and investigations based on the various stages of these proceedings and investigations, that alleged damages have not been specified or are uncertain, the uncertainty as to the certification of a class or classes and the size of any certified class, as applicable, and the lack of resolution on significant factual and legal issues. The Company will continue to evaluate information as it becomes known and will record an estimate for losses at the time or times when it is both probable that a loss has been incurred and the amount of the loss is reasonably estimable. The Company believes that the ultimate amount paid on these actions, claims and investigations could be material to the Company’s consolidated financial condition, results of operations, or cash flows in future periods and may reduce available resources to invest in technology and innovation.
    
RESULTS OF OPERATIONS —
TWELVE MONTHS ENDED DECEMBER 31, 2018, 2017 AND 2016
 
Consolidated Financial Results
 
Operating Revenue
 
 
Twelve Months Ended December 31,
 
Change
 
 
 
 
 
 
 
 
2018 vs. 2017
 
2017 vs. 2016
Operating Revenue
 
2018
 
2017
 
2016
 
$
 
%
 
$
 
%
 
 
(In millions)
U.S. Information Solutions
 
$
1,247.3

 
$
1,262.7

 
$
1,236.5

 
$
(15.4
)
 
(1
)%
 
$
26.2

 
2
%
International
 
966.2

 
932.3

 
803.6

 
33.9

 
4
 %
 
128.7

 
16
%
Workforce Solutions
 
826.8

 
764.2

 
702.2

 
62.6

 
8
 %
 
62.0

 
9
%
Global Consumer Solutions
 
371.8

 
403.0

 
402.6

 
(31.2
)
 
(8
)%
 
0.4

 
%
Consolidated operating revenue
 
$
3,412.1

 
$
3,362.2

 
$
3,144.9

 
$
49.9

 
1
 %
 
$
217.3

 
7
%
 
Revenue for 2018 increased by 1% compared to 2017. The growth was driven by our Workforce Solutions and International segments which was partially offset by declines in USIS and Global Consumer Solutions which were negatively impacted by the 2017 cybersecurity incident. Workforce Solutions saw strong growth driven by Verification Services. International had local currency growth across all regions. The effect of foreign exchange rates reduced revenue by $28.3 million, or 1%, in 2018 compared to 2017.

Revenue for 2017 increased by 7% compared to 2016. The growth was driven by our International and Workforce Solutions segments. International had strong growth across all regions, which reflects broad based organic growth and the Veda acquisition. Workforce Solutions saw strong growth driven by Verification Services. USIS had an increase in revenue compared to 2016, reflecting growth in core credit decisioning, financial marketing services, mortgage and identity and fraud solutions. Revenue in our USIS, Global Consumer Solutions and Workforce Solutions segments were negatively impacted by the 2017 cybersecurity incident. The effect of foreign exchange rates reduced revenue by $6.0 million in 2017 compared to 2016.


38



Operating Expenses
 
 
Twelve Months Ended December 31,
 
Change
 
 
 
 
 
 
 
 
2018 vs. 2017
 
2017 vs. 2016
Operating Expenses
 
2018
 
2017
 
2016
 
$
 
%
 
$
 
%
 
 
(In millions)
Consolidated cost of services
 
$
1,440.4

 
$
1,210.7

 
$
1,113.4

 
$
229.7

 
19
%
 
$
97.3

 
9
%
Consolidated selling, general and administrative expenses
 
1,213.3

 
1,032.0

 
941.0

 
181.3

 
18
%
 
91.0

 
10
%
Consolidated depreciation and amortization expense
 
310.4

 
287.8

 
265.4

 
22.6

 
8
%
 
22.4

 
8
%
Consolidated operating expenses
 
$
2,964.1

 
$
2,530.5

 
$
2,319.8

 
$
433.6

 
17
%
 
$
210.7

 
9
%
 
Cost of Services.  Cost of services increased $229.7 million in 2018 compared to 2017. We incurred increased incremental technology and data security costs of $146.5 million in 2018. These increased technology and security costs predominantly reflect the investments we are making in our technology transformation, which include costs for enhanced data security. We expect these incremental costs as well as increased ongoing technology and security costs to continue in 2019 and 2020. The remaining increase is due to increased people and royalty costs. The effect of changes in foreign exchange rates reduced cost of services by $6.4 million.

Cost of services increased $97.3 million in 2017 compared to 2016. The increase in cost of services, when compared to 2016, was due to the increase in production costs driven by higher revenues, as well as increases of $14.2 million in professional services related to the 2017 cybersecurity incident and in people costs. The effect of changes in foreign exchange rates reduced cost of services by $2.1 million.

Selling, General and Administrative Expenses.  Selling, general and administrative expenses increased $181.3 million in 2018 as compared to 2017.

We incurred increased incremental technology and data security costs of $160.7 million in 2018. As was the case in cost of services, these increased technology and security costs predominately reflect the investments we are making in our technology transformation, which include costs for enhanced data security. We expect these incremental costs as well as increased ongoing technology and security costs to continue in 2019 and 2020.

Related to the 2017 cybersecurity incident, we incurred net costs of $19.0 million in 2018. We incurred legal and investigative fees of $73.6 million, and decreased costs to fulfill and support the free credit monitoring service provided to eligible consumers of $20.4 million. Additionally, we benefited from the recognition of insurance proceeds of $75.0 million to offset these costs in 2018, versus the $50.0 million of insurance proceeds recorded in 2017.

The remaining changes were driven by increases due to the restructuring charge of $46.1 million, people, the public records litigation settlement of $18.5 million, and insurance costs which were partially offset by decreased advertising costs.

The impact of changes in foreign currency exchange rates decreased our selling, general and administrative expenses by $10.2 million.

Selling, general and administrative expenses increased $91.0 million in 2017 as compared to 2016. The increase was due to $99.8 million of costs related to the 2017 cybersecurity incident, higher occupancy and people costs, partially offset by a decline in Veda integration and transaction costs. The impact of changes in foreign currency exchange rates decreased our selling, general and administrative expenses by $2.2 million.
 
Depreciation and Amortization.  Depreciation and amortization expense for 2018 increased by $22.6 million. The increase is due to amortization of capitalized internal-use software and system costs and depreciation of production equipment, partially offset by a decrease in amortization of purchased intangibles.
 
Depreciation and amortization expense for 2017 increased by $22.4 million primarily due to increased depreciation due to increased capital expenditures.

39



 
Operating Income and Operating Margin
 
 
Twelve Months Ended December 31,
 
Change
Operating Income and Operating Margin
 
 
 
 
 
 
 
2018 vs. 2017
 
2017 vs. 2016
 
2018
 
2017
 
2016
 
$
 
%
 
$
 
%
 
 
(In millions)
Consolidated operating revenue
 
$
3,412.1

 
$
3,362.2

 
$
3,144.9

 
$
49.9

 
1
 %
 
$
217.3

 
7
 %
Consolidated operating expenses
 
2,964.1

 
2,530.5

 
2,319.8

 
433.6

 
17
 %
 
210.7

 
9
 %
Consolidated operating income
 
$
448.0

 
$
831.7

 
$
825.1

 
$
(383.7
)
 
(46
)%
 
$
6.6

 
1
 %
Consolidated operating margin
 
13.1
%
 
24.7
%
 
26.2
%
 
 

 
(11.6
)pts
 
 
(1.5
)pts
 
Total company margin decreased in 2018 versus 2017, primarily due to the aforementioned technology and data security spending by the Company after the 2017 cybersecurity incident of $326.2 million reflected in costs of services and selling, general, and administrative expenses in our Consolidated Statements of Income.

Total company margin decreased in 2017 versus 2016, primarily due to the costs related to the 2017 cybersecurity incident, partially offset by increased margins in International and Workforce Solutions business segments and lower integration costs related to the acquisition of Veda.

Interest Expense and Other Income (Expense), net
 
 
Twelve Months Ended December 31,
 
Change
 
 
 
 
 
 
 
 
2018 vs. 2017
 
2017 vs. 2016
Consolidated Interest and Other Income (Expense), net
 
2018
 
2017
 
2016
 
$
 
%
 
$
 
%
 
 
(In millions)
Consolidated interest expense
 
$
(103.5
)
 
$
(92.8
)
 
$
(92.1
)
 
$
(10.7
)
 
12
 %
 
$
(0.7
)
 
1
 %
Consolidated other income, net
 
11.8

 
7.7

 
(4.8
)
 
4.1

 
53
 %
 
12.5

 
(260
)%
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Average cost of debt
 
3.8
%
 
3.4
%
 
3.5
%
 
 

 
 

 
 

 
 

Total consolidated debt, net, at year end
 
$
2,635.5

 
$
2,704.3

 
$
2,672.2

 
$
(68.8
)
 
(3
)%
 
$
32.1

 
1
 %
 
Interest expense increased in 2018, when compared to 2017, due to an increase in our overall average cost of debt resulting from the issuance of the Senior Notes in May 2018.
 
Interest expense increased in 2017, when compared to 2016, due to an increase in our average consolidated debt outstanding in 2017, reflecting debt incurred in the first quarter of 2016 to finance the acquisition of Veda. Our average cost of debt decreased in 2017 compared to 2016, due to the higher balance of low rate commercial paper outstanding and lower long-term rates due to the repayment on July 3, 2017 of $272.5 million in principal amount of our 6.3% senior notes.

The increase in other income (expense), net, in 2018 is primarily due to higher earnings on certain equity method investments, an increase in interest income, and the release of a liability from a past acquisition. These increases were partially offset by increased pension expense and the foreign exchange impact of remeasuring the peso denominated monetary assets and liabilities as a result of Argentina becoming a highly inflationary economy for accounting purposes in 2018.

The increase in other income (expense), net, in 2017 is primarily due to a 2016 loss on the economic hedges, offset by a foreign currency gain on intercompany debt related to the Veda transaction which did not recur in 2017. There were also higher earnings on certain equity method investments in 2017.


40



Income Taxes
 
 
Twelve Months Ended 
 December 31,
 
Change
 
 
 
 
 
 
 
 
2018 vs. 2017
 
2017 vs. 2016
Provision for Income Taxes
 
2018
 
2017
 
2016
 
$
 
%
 
$
 
%
 
 
(In millions)
Consolidated provision for income taxes
 
$
(50.0
)
 
$
(148.6
)
 
$
(233.1
)
 
$
98.6

 
(66
)%
 
$
84.5

 
(36
)%
Effective income tax rate
 
14.0
%
 
19.9
%
 
32.0
%
 
 

 
 

 
 

 
 

 
Our effective tax rate was 14.0% for 2018, down from 19.9% for the same period in 2017. The decrease in our effective income tax rate is due to the decrease in the statutory U.S. tax rate as a result of the Tax Act enacted in the fourth quarter of 2017 and the increase in the benefit received from the reversal of uncertain tax positions. These changes were offset by an increase in the impact of equity compensation, an increase in the foreign rate differential impact, and the deferred tax benefit recorded in the fourth quarter of 2017 to reflect the impact of the Tax Act.
 
Our effective tax rate was 19.9% for 2017, down from 32.0% for the same period in 2016. The decrease in our effective income tax rate for 2017 is primarily attributable to recording the preliminary impact of the Tax Act enacted in the fourth quarter of 2017, and the adoption of the new stock-based compensation guidance we prospectively adopted in the first quarter of 2017. We recognized a $48.3 million and $26.7 million tax benefit related to the estimated impact of tax legislation enacted in 2017 and the accounting change for stock-based compensation guidance for the full year 2017, respectively.

Net Income
 
 
Twelve Months Ended 
 December 31,
 
Change
 
 
 
 
 
 
 
 
2018 vs. 2017
 
2017 vs. 2016
Net Income
 
2018
 
2017
 
2016
 
$
 
%
 
$
 
%
 
 
(In millions, except per share amounts)
Consolidated operating income
 
$
448.0

 
$
831.7

 
$
825.1

 
$
(383.7
)
 
(46
)%
 
$
6.6

 
1
 %
Consolidated other expense, net
 
(91.7
)
 
(85.1
)
 
(96.9
)
 
(6.6
)
 
8
 %
 
11.8

 
(12
)%
Consolidated provision for income taxes
 
(50.0
)
 
(148.6
)
 
(233.1
)
 
98.6

 
(66
)%
 
84.5

 
(36
)%
Consolidated net income
 
306.3

 
598.0

 
495.1

 
(291.7
)
 
(49
)%
 
102.9

 
21
 %
Net income attributable to noncontrolling interests
 
(6.5
)
 
(10.7
)
 
(6.3
)
 
4.2

 
(39
)%
 
(4.4
)
 
70
 %
Net income attributable to Equifax
 
$
299.8

 
$
587.3

 
$
488.8

 
$
(287.5
)
 
(49
)%
 
$
98.5

 
20
 %
Diluted earnings per share:
 
 

 
 

 
 

 
 

 
 

 
 

 
 

Net income attributable to Equifax
 
$
2.47

 
$
4.83

 
$
4.04

 
$
(2.36
)
 
(49
)%
 
$
0.79

 
20
 %
Weighted-average shares used in computing diluted earnings per share
 
121.4

 
121.5

 
121.1

 
 

 
 

 
 

 
 

 
Consolidated net income decreased by $291.7 million, or 49%, in 2018 compared to 2017 due to decreased operating income primarily driven by the $326.2 million of aforementioned incremental technology and data security costs. The increased costs were partially offset by decreased income tax expense due to lower pre-tax income and the decrease in the statutory U.S. tax rate as a result of the Tax Act enacted in the fourth quarter of 2017.

Consolidated net income increased by $102.9 million, or 21%, in 2017 compared to 2016 due to increased operating income, principally in our International, Workforce Solutions, and USIS businesses, partially offset by the 2017 cybersecurity costs of $114.0 million and lower operating income in the Global Consumer Solutions business. There were also several income tax benefits, consisting principally of the fourth quarter tax benefit related to the Tax Act and the prospective adoption of the new stock-based compensation guidance in the first quarter of 2017. Additionally, there was an increase in other income, primarily due to a 2016 loss on economic hedges, offset by a foreign currency gain on intercompany debt related to the Veda transaction which did not recur in 2017.


41



Segment Financial Results
 
U.S. Information Solutions
 
 
Twelve Months Ended December 31,
 
Change
U.S. Information Solutions
 
 
 
 
 
 
 
2018 vs. 2017
 
2017 vs. 2016
 
2018
 
2017
 
2016
 
$
 
%
 
$
 
%
 
 
(In millions)
Operating revenue:
 
 

 
 

 
 

 
 

 
 

 
 

 
 

Online Information Solutions
 
$
877.5

 
$
889.6

 
$
879.3

 
$
(12.1
)
 
(1
)%
 
$
10.3

 
1
 %
Mortgage Solutions
 
153.6

 
148.9

 
142.2

 
4.7

 
3
 %
 
6.7

 
5
 %
Financial Marketing Services
 
216.2

 
224.2

 
215.0

 
(8.0
)
 
(4
)%
 
9.2

 
4
 %
Total operating revenue
 
$
1,247.3

 
$
1,262.7

 
$
1,236.5

 
$
(15.4
)
 
(1
)%
 
$
26.2

 
2
 %
% of consolidated revenue
 
37
%
 
37
%
 
39
%
 
 

 
 

 
 

 
 

Total operating income
 
$
441.7

 
$
539.1

 
$
537.0

 
$
(97.4
)
 
(18
)%
 
$
2.1

 
 %
Operating margin
 
35.4
%
 
42.7
%
 
43.4
%
 
 

 
(7.3
)pts
 
 

 
(0.7
)pts
 
U.S. Information Solutions revenue decreased 1% in 2018 compared to 2017 due to declines in our core credit decisioning services and lower project related revenue as well as the negative impact from the 2017 cybersecurity incident. These declines were partially offset by revenue from a 2018 acquisition, growth in core mortgage, and revenue from mortgage channel partners.
 
U.S. Information Solutions revenue increased 2% in 2017 compared to 2016 due to growth in the mortgage and financial verticals, partially offset by a decline in our auto vertical and the impact of the 2017 cybersecurity incident.

Online Information Solutions.  Revenue for 2018 decreased 1% compared to 2017, due to declines in our core credit decisioning services and identity and fraud solutions revenue. These declines were partially offset by growth from a 2018 acquisition and revenue from mortgage, auto, and direct to consumer channel partners.

Revenue for 2017 increased 1% compared to 2016, due to growth in core credit decisioning and identity and fraud solutions.
 
Mortgage Solutions.  Revenue increased 3% in 2018 compared to 2017, primarily due to a new product offering. This growth was partially offset by declines in the mortgage market and our other mortgage product offerings.

Revenue increased 5% in 2017 compared to 2016, driven by growth in core mortgage, as well as growth from other mortgage product offerings.
 
Financial Marketing Services.  Revenue decreased 4% in 2018 compared to 2017 due to a reduction in projects delivered.

Revenue increased 4% in 2017 compared to 2016 due to growth in credit marketing services and project related revenue.
 
U.S. Information Solutions Operating Margin.  USIS operating margin decreased to 35.4% in 2018 compared to 42.7% in 2017, primarily due to the decrease in revenue and increases in incremental technology and data security costs, royalties, and the public records litigation settlement of $18.5 million. USIS operating margin decreased to 42.7% in 2017 compared to 2016 of 43.4%, primarily due to increased people costs, partially offset by product mix.


42



International 
 
 
Twelve Months Ended December 31,
 
Change
 
 
 
 
 
 
 
 
2018 vs. 2017
 
2017 vs. 2016
International
 
2018
 
2017
 
2016
 
$
 
%
 
$
 
%
 
 
(In millions)
Operating revenue:
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Asia Pacific
 
$
325.6

 
$
308.9

 
$
244.2

 
$
16.7

 
5
 %
 
$
64.7

 
26
%
Europe
 
287.3

 
273.8

 
253.6

 
13.5

 
5
 %
 
20.2

 
8
%
Latin America
 
206.6

 
213.6

 
183.9

 
(7.0
)
 
(3
)%
 
29.7

 
16
%
Canada
 
146.7

 
136.0

 
121.9

 
10.7

 
8
 %
 
14.1

 
12
%
Total operating revenue
 
$
966.2

 
$
932.3

 
$
803.6

 
$
33.9

 
4
 %
 
$
128.7

 
16
%
% of consolidated revenue
 
28
%
 
28
%
 
26
%
 
 
 
 
 
 
 
 
Total operating income
 
$
108.6

 
$
169.4

 
$
111.4

 
$
(60.8
)
 
(36
)%
 
$
58.0

 
52
%
Operating margin
 
11.2
%
 
18.2
%
 
13.9
%
 
 
 
(7.0
)pts
 
 

 
4.3
pts
 
International revenue increased by 4% in 2018 as compared to 2017. Local currency revenue growth for 2018 was 7%, driven by growth across all regions. Local currency fluctuations against the U.S. dollar negatively impacted revenue by $29.5 million, or 3%.

International revenue increased by 16% in 2017 as compared to 2016. Local currency organic revenue growth for 2017, excluding Veda, was 11%, driven by growth across all regions. Local currency fluctuations against the U.S. dollar negatively impacted revenue by $4.3 million, or 1%.
 
Asia Pacific. Local currency growth was 8% in 2018 primarily due to the Mercury acquisition and growth in our commercial business. Local currency fluctuations against the U.S. dollar negatively impacted revenue by $8.8 million, or 3%, in 2018. Reported revenue increased 5% in 2018.

Local currency growth was 24% in 2017 primarily due to the Veda acquisition. Local currency fluctuations against the U.S. dollar positively impacted revenue by $6.1 million, or 3%, in 2017. Reported revenue increased 26% in 2017.

Europe.  Local currency revenue growth was 1% in 2018 primarily due to growth in U.K. and Spain credit operations revenue and was partially offset by a decline in our debt management services. Local currency fluctuations against the U.S. dollar positively impacted revenue by $10.0 million, or 4%, for 2018. Reported revenue increased 5% in 2018.

Local currency revenue growth was 12% in 2017 primarily due to growth in U.K. debt management services and other growth in the U.K. and Spain. Local currency fluctuations against the U.S. dollar negatively impacted revenue by $9.1 million, or 4%, for 2017. Reported revenue increased 8% in 2017.

Latin America. Local currency revenue increased 11% in 2018 driven by core growth primarily in Argentina, Chile and Ecuador. Local currency fluctuations against the U.S. dollar negatively impacted revenue by $30.8 million, or 14%, in 2018, most notably due to depreciation in the foreign exchange rate of the Argentine peso. Reported revenue decreased 3% in 2018.

Local currency revenue increased 18% in 2017 driven by growth primarily in Argentina and Chile. Local currency fluctuations against the U.S. dollar negatively impacted revenue by $3.9 million, or 2%, in 2017, most notably due to depreciation in the foreign exchange rate of the Argentine peso, partially offset by appreciation of the Chilean peso. Reported revenue increased 16% in 2016.
 
Canada.  Local currency revenue increased 8% in 2018 compared to 2017, primarily due to broad based revenue growth. Local currency fluctuations against the U.S. dollar negatively impacted revenue by $0.1 million in 2018. Reported revenue increased 8% in 2018.

Local currency revenue increased 9% in 2017 compared to 2016, primarily due to organic growth. Local currency fluctuations against the U.S. dollar negatively impacted revenue by $2.7 million, or 2%, in 2017. Reported revenue increased 12% in 2017.

43




International Operating Margin.  Operating margin decreased to 11.2% in 2018 as compared to 18.2% in 2017. The reduced margin is due to an increase in incremental technology and data security, people, and production costs as well as depreciation and amortization. These increased costs were positively impacted by foreign currency fluctuations during the year. Operating margin increased to 18.2% in 2017 as compared to 13.9% in 2016. The increase primarily resulted from a decrease in integration costs related to the Veda acquisition, lower growth in people costs, a gain on the sale of an asset, and a slight decrease in purchased intangibles amortization.
 
Workforce Solutions
 
 
Twelve Months Ended December 31,
 
Change
 
 
 
 
 
 
 
 
2018 vs. 2017
 
2017 vs. 2016
Workforce Solutions
 
2018
 
2017
 
2016
 
$
 
%
 
$
 
%
 
 
(In millions)
Operating Revenue:
 
 

 
 

 
 

 
 

 
 

 
 

 
 

Verification Services
 
$
567.0

 
$
501.5

 
$
437.3

 
$
65.5

 
13
 %
 
$
64.2

 
15
 %
Employer Services
 
259.8

 
262.7

 
264.9

 
(2.9
)
 
(1
)%
 
(2.2
)
 
(1
)%
Total operating revenue
 
$
826.8

 
$
764.2

 
$
702.2

 
$
62.6

 
8
 %
 
$
62.0

 
9
 %
% of consolidated revenue
 
24
%
 
23
%
 
22
%
 
 

 
 

 
 

 
 

Total operating income
 
$
332.7

 
$
331.9

 
$
295.5

 
$
0.8

 
 %
 
$
36.4

 
12
 %
Operating margin
 
40.2
%
 
43.4
%
 
42.1
%
 
 

 
(3.2
)pts
 
 

 
1.3
 pts
 
Workforce Solutions revenue increased by 8% in 2018 compared to 2017 due to strong growth in Verification Services, partially offset by decreased revenue in unemployment claims.

Workforce Solutions revenue increased by 9% in 2017 compared to 2016 due to strong growth in the government, mortgage, financial and pre-employment screening verticals, partially offset by the impact of the 2017 cybersecurity incident.

Verification Services.  Revenue increased 13% in 2018 compared to 2017, due to strong growth in government, mortgage, talent solutions, and healthcare verticals, and continued addition of new records to The Work Number database.

Revenue increased 15% in 2017 compared to 2016, due to strong growth in government, mortgage, financial, pre-employment screening and telecommunications verticals, and continued addition of new records to The Work Number database.
 
Employer Services.  Revenue decreased 1% in 2018 compared to 2017 due to declines in our unemployment claims services, workforce analytics and our other employer services. These declines were partially offset by growth from our 2018 acquisitions.

Revenue decreased 1% in 2017 compared to 2016 due to a decline in our employment based tax credit services and workforce analytics offset by an increase in our on-boarding and unemployment claims services.
 
Workforce Solutions Operating Margin.  Operating margin decreased 320 basis points to 40.2% in 2018 compared to 43.4% in 2017 due to increases in people, incremental technology and data security, and royalty costs. These increases were partially offset by the additional margin generated from increased revenue. Operating margin increased 130 basis points to 43.4% in 2017 compared to 42.1% in 2016 due to revenue growth and product mix, offset by increased people costs.
 

44



Global Consumer Solutions
 
 
Twelve Months Ended December 31,
 
Change
Global Consumer Solutions
 
 
 
 
 
 
 
2018 vs. 2017
 
2017 vs. 2016
 
2018
 
2017
 
2016
 
$
 
%
 
$
 
%
 
 
(In millions)
Total operating revenue
 
$
371.8

 
$
403.0

 
$
402.6

 
$
(31.2
)
 
(8
)%
 
$
0.4

 
 %
% of consolidated revenue
 
11
%
 
12
%
 
13
%
 
 
 
 
 
 
 
 
Total operating income
 
$
68.6

 
$
106.2

 
$
112.4

 
$
(37.6
)
 
(35
)%
 
$
(6.2
)