EQUIFAX INC (EFX) Business

ITEM 1.  BUSINESS

Overview

Equifax Inc. is a global data, analytics and technology company. We provide information solutions for businesses, governments and consumers, and we provide human resources business process automation and outsourcing services for employers. We have a large and diversified group of clients, including financial institutions, corporations, government agencies and individuals. Our services are based on comprehensive databases of consumer and business information derived from numerous sources including credit, financial assets, telecommunications and utility payments, employment, income, educational history, criminal justice, healthcare professional licensure and sanctions, demographic and marketing data. We use advanced statistical techniques, artificial intelligence and machine learning, as well as proprietary software tools to analyze available data for the creation of customized insights, decision-making and process automation solutions, and processing services for our clients. We are a leading provider of information and solutions used in payroll-related and human resource management business process services in the United States of America (“U.S.”), as well as e-commerce fraud and charge back protection services in North America. For consumers, we provide products and services to help people understand, manage and protect their personal information and make more informed financial decisions. Additionally, we provide information, technology and services to support debt collections and recovery management.

We currently operate in four global regions: North America (U.S. and Canada), Latin America (Argentina, Brazil, Chile, Costa Rica, Dominican Republic, Ecuador, El Salvador, Honduras, Mexico, Paraguay, Peru and Uruguay), Europe (the United Kingdom (“U.K.”), Spain and Portugal) and Asia Pacific (Australia, New Zealand and India). We maintain support operations in Chile, Costa Rica, India and Ireland. We also have investments in consumer and/or commercial credit information companies through joint ventures in Brazil, Cambodia, Malaysia and Singapore.

Equifax was originally incorporated under the laws of the State of Georgia in 1913, and its predecessor company dates back to 1899. As used herein, the terms Equifax, the Company, we, our and us refer to Equifax Inc., a Georgia corporation, and its consolidated subsidiaries as a combined entity, except where it is clear that the terms mean only Equifax Inc.

We are organized and report our business results in three operating segments, as follows:

•Workforce Solutions — provides services enabling customers to verify income, employment, educational history, criminal justice data, healthcare professional licensure and sanctions of people in the U.S. (Verification Services), as well as providing our employer customers with services which include unemployment claims management, I-9 and onboarding services, Affordable Care Act ("ACA") compliance management, tax credits and incentives and other complementary employment-based transaction services (Employer Services).

•U.S. Information Solutions (“USIS”) — provides consumer and commercial information solutions to businesses in the U.S. including online information, decisioning technology solutions, identity management services, analytical services, e-commerce fraud and charge back protection services, portfolio management services, mortgage information and marketing services. We provide products to consumers in the U.S. to enable them to understand and monitor their credit and help protect their identity. We also sell consumer credit information to resellers who may combine our information with other information to provide direct-to-consumer monitoring, reports and scores.

•International — provides products and services similar to those available in the USIS operating segment but with variations by geographic region. We also provide information, technology and services to support debt collections and recovery management. In addition, we provide products to consumers in Canada, the U.K., Australia and Chile to enable them to understand and monitor their credit and help protect their identity. This operating segment is comprised of our Latin America, Europe, Asia Pacific and Canada business units. It also includes our joint ventures in Brazil, Cambodia, Malaysia and Singapore.

2

Our Business Strategy

Our vision is to be a trusted global leader in data, analytics and technology that creates innovative solutions and insights for our customers. Our business strategy is driven by the following imperatives:

•Leverage our Equifax Cloud capabilities to accelerate innovation, new products and growth. Our cloud data and technology transformation has changed nearly every facet of our global technology infrastructure, including a migration to a public cloud environment that employs virtual private cloud deployment techniques. Central to our move to cloud-native technology is our custom single data fabric, which is a cloud native platform that enables Equifax to build, manage and deploy data products, as well as implementation of best-in-class cloud-based tools and capabilities. Our cloud infrastructure also allows us to rapidly deploy and integrate artificial intelligence, machine learning and agentic based capabilities to improve our products and solutions, as well as internal processes. Our growth strategy includes leveraging our cloud data and technology transformation to accelerate innovation and new product development, deliver market-leading capabilities to our customers, facilitate customer and partner implementation and integration, improve ease of consumer access to and interaction with Equifax, and strengthen system resiliency and uptime.

•Leverage and expand our differentiated portfolio of data assets. We use proprietary advanced analytical platforms, including capabilities in machine learning, artificial intelligence and advanced visualization tools, to leverage our unique data to develop leading analytical insights that enhance the precision of our customers’ decisioning activities. Our cloud-native technology simplifies our customers’ access to our leading analytical and decisioning platforms, allowing us to accelerate the development of unique insights and the conversion of these insights into innovative new products and services consumable by our customers through our delivery platforms. We strive to advance these capabilities and bring our customers multi-data solutions at scale by expanding our unique and differentiated data assets and analytics through organic growth, business acquisitions and partnerships.

•Foster a culture of putting customers and consumers first. We are focused on maintaining a culture in which our customers and consumers are at the center of our decision processes, and where we exceed customer and consumer expectations by delivering solutions with speed, flexibility, stability and performance. We prioritize engagement with our customers and strive to accelerate innovation through collaboration. We seek to leverage our cloud native technology and unique data assets and capabilities, as well as customer expertise and data and technology assets, to drive the development of high-value analytical products and services designed to address a broader range of customer and consumer needs. We work to maximize the value of our differentiated data assets, analytics and decisioning to drive new products and services that provide a fuller picture of consumers and commercial entities to our customers in banking and financial services, government, employee hiring and onboarding and other service providers.

•Execute strategic acquisitions that expand our data portfolio and capabilities and drive revenue growth. A critical lever of our strategy is inorganic growth through accretive and strategic acquisitions that drive incremental annual revenue growth. Our acquisition priorities are clear and focused on re-investing in acquisitions that expand our unique differentiated data assets and solutions to strengthen and grow our core businesses. We continue to invest, including through acquisitions and partnerships, to expand our addressable markets and the data and capabilities we offer to solve customer challenges across the services we provide and to expand our access to differentiated data including across identity authentication, fraud mitigation and risk management. We believe there are opportunities to continue to expand in the U.S. and internationally, across the existing financial, mortgage, telecommunications, automotive, insurance, talent management, human resource services, government and other markets that we serve, as well as in new and emerging market segments.

•Continue our leadership in data security. We are committed to being an industry leader in security. We have built an Equifax culture that prioritizes security, and we consider data and technology security, and more broadly risk management, as a primary requirement in all decisions. We make extensive use of advanced data and technology security tools, techniques, services and processes in order to enhance our ability to protect the information with which we are entrusted. We are committed to working openly with our peers, customers and partners to tackle emerging security challenges, document best practices, provide vital data security thought leadership and work together to deliver solutions that benefit both the security community and consumers.

•Build a world-class Equifax team by investing in talent to drive our strategy and promote a culture of innovation. At Equifax, we are committed to nurturing a culture where talent thrives. We are focused on providing meaningful opportunities for career advancement and development, fostering an inclusive work

3

environment, and promoting employee engagement and recognition. We leverage our enterprise-wide talent initiatives to develop, retain and attract a highly-qualified workforce in order to promote our culture of innovation, add diverse perspectives and deliver on our business strategy.

We seek to enhance shareholder value through the disciplined execution of these imperatives and by positioning our Company as a global data, analytics and technology leader with industry-leading security.

Markets and Clients

Our products and services serve clients across a wide range of verticals, including mortgage, financial services, employers, government (state, federal and local), automotive, commercial, identity and fraud, consumer, resellers, healthcare, telecommunications, retail and insurance. We also serve consumers directly. Our revenue streams are highly diversified with our largest client providing approximately 3% of total revenue. The following table summarizes the various end-user markets we serve:

1.Predominantly sold to companies who serve the direct-to-consumer market and includes other small end user markets. Mortgage and auto resellers are excluded from this category as they are included within their respective categories above.

2.Other includes revenue from other miscellaneous end-user markets.

We market our products and services primarily through our own direct sales organization that is structured around sales teams that focus on client segments typically aligned by vertical markets and geography. In the U.S., the vertical market sales teams for the Mortgage, Financial, Government and Automotive markets sell products from both the USIS and Workforce Solutions business units. Sales groups are based in field offices located throughout the U.S., including our headquarters in Atlanta, Georgia, and in the countries where we have operations. We also market our products and services through indirect channels, including alliance partners, joint ventures and other resellers. In addition, we market our products directly to consumers through e-commerce channels.

Revenue from international clients, including end users and resellers, amounted to 23% of our total revenue in 2025, 24% of our total revenue in 2024 and 23% of our total revenue in 2023.

Products and Services

Our products and services help our clients make more informed decisions with higher levels of confidence by leveraging a broad array of data assets. Analytics are used to derive insights from the data that are most relevant for the client’s decisioning needs. The data and insights are then processed through proprietary software and generally transmitted to the client’s operating system to execute the decision.

4

The following chart summarizes the key products and services offered by each of the business units within our segments:

Each of our operating segments is described more fully below. For the operating revenue, operating income and total assets for each segment, see Note 13 of the Notes to the Consolidated Financial Statements in Item 8 of this report.

Workforce Solutions

Workforce Solutions operates in the U.S. through two business units:

Verification Services. Verification Services include employment, income, educational history, criminal justice data, healthcare professional licensure and sanctions verification services. Our online verification services enable third-party verifiers, including various governmental agencies, mortgage originators, credit card and automotive lenders and pre-employment screeners, to verify the employee’s employment status and income information. We also offer an offline manual verification service, which expands employment verification to locate data outside our existing automated database. In addition, Verification Services administers a comprehensive source of incarceration, justice and people-based risk intelligence data.

Employer Services. These services are aimed at reducing the cost of the human resources function of businesses through a broad suite of services, including assisting with employment tax matters designed to reduce the cost of unemployment claims through effective claims representation and management and efficient processing to better manage the tax rate that employers are assessed for unemployment taxes; comprehensive services designed to research the availability of employment-related tax credits (e.g., federal work opportunity tax credits), and to process the necessary filings and assist the client in obtaining the tax credit; tax form management services (which include initial distribution, reissuance and correction of W-2 and 1095-C forms); I-9 management services designed to help clients electronically comply with the immigration laws that require employers to complete an I-9 form for each new hire; immigration case management services; onboarding services using an online platform to complete the new hire process for employees of corporations and government agencies; and identity theft protection services. In addition, we provide software and services to employers to assist in their compliance with the Affordable Care Act.

The Work Number® is our key employment and income data platform providing a service on behalf of our employer customers to the lenders, government agencies and other customers of our Verification Services business unit. We rely on payroll data received from over 4 million organizations to provide up-to-date verifications. The updates occur as employers and other data contributors transmit data electronically to Equifax from their payroll systems. Employers provide this data to us so that we can handle verification requests on behalf of each employer. We use this data to provide automated employment and income verification services to verifiers who are lenders, employers/background screeners and government agencies.

The fees we charge for services in these two business units are generally on a per transaction basis. We have not experienced significant turnover in the employer contributors to the platform because we generally do not charge them to add their employment data to The Work Number®, and the verification service we offer relieves them of the administrative burden and expense of responding to third-party employment verification requests while providing them with the assurance that the

5

process is automated and not subject to human interpretation. The Work Number® held about 209 million active and 813 million total (active and historic) employment records at December 31, 2025.

USIS

USIS provides consumer and commercial information solutions to businesses in the U.S. through two product and service lines, as follows:

Online Information Solutions. Online Information Solutions’ products are derived from multiple large and comprehensive databases of consumer and commercial information that we maintain about individual consumers and businesses, including credit history, current credit status, payment history, address and other identity information. Our clients utilize the information and analytical insights we provide to make decisions for a broad range of financial and business purposes, such as whether, and on what terms, to approve, mortgages, auto loans or credit card applications, and whether to allow a consumer or a business to open a new utility or telephone account. In addition, this information is used by our clients for cross-selling additional products to existing customers, improving their underwriting and risk management decisions, and authenticating and verifying consumer and business identities. We also sell consumer and credit information to resellers who may combine our information with other information to provide services to the financial, mortgage, fraud and identity management, and other end-user markets. Our software platforms and analytical capabilities can integrate all types of information, including third-party and client information, to enhance the insights and decisioning process to help further mitigate the risk of granting credit, predict the risk of bankruptcy, indicate the applicant’s risk potential for account delinquency, ensure the identity of the consumer and reduce exposure to fraud. Identity verification and fraud management products combine financial and non-financial identity information and activity to provide identity verification and authentication services, to assist customers in assessing the risk of loss due to account takeover, identity theft and chargebacks. These risk management services enable our clients to monitor risks and opportunities and proactively manage their portfolios.

Online Information Solutions’ clients access products through a full range of electronic distribution mechanisms, including direct real-time access, which facilitates instant decisions. We also develop and host customized applications that enhance the decision-making process for our clients. These decisioning technology applications assist with a wide variety of decisioning activities, including determining pre-approved offers, cross-selling of various products, determining deposit amounts for telephone and utility companies and verifying the identity of their customers. We have also compiled commercial databases regarding businesses in the U.S., which include loan, credit card, public records and leasing history data, trade accounts receivable performance and Secretary of State and Securities and Exchange Commission registration information. We offer scoring and analytical services that provide additional information to help mitigate the credit risk assumed by our clients.

Online Information Solutions also includes our mortgage solutions products, offered in the U.S., which includes specialized credit reports that combine information from the three major consumer reporting agencies (Equifax, Experian and TransUnion) into a single “merged” credit report in an online format, commonly referred to as a tri-merge report. Mortgage lenders use these tri-merge reports in making their mortgage underwriting decisions. Additionally, we offer services designed to alert lenders to changes in a consumer’s credit status during the underwriting period and securitized portfolio risk assessment services for evaluating inherent portfolio risk.

Online Information Solutions also includes our consumer solutions product suite that gives U.S. consumers information to enable them to understand and monitor their credit and to monitor and help protect their identity. Equifax products offer monitoring features for consumers who are concerned about identity theft, including credit report monitoring from all three credit bureaus, internet scanning, bank account monitoring and lost wallet support. Products may also be available indirectly through relationships with business partners who distribute our products or provide these services to their employees or customers. We also sell consumer credit information to resellers who may combine our information with other information to provide direct-to-consumer monitoring, reports and scores.

Financial Marketing Services. Our Financial Marketing Services products utilize consumer and commercial financial information enabling our clients to more effectively manage their marketing efforts, including targeting and segmentation, to identify and acquire new clients for their products and services; to develop portfolio strategies to minimize risk and maximize profitability; and to realize additional revenue from existing customers through more effective cross-selling of additional products and services. Our products are also utilized by customers to support digital identity verification and fraud detection and protection. These products utilize information derived from consumer and commercial information, including credit, income, asset, liquidity, net worth and spending activity, which also support many of our Online Information Solutions’ products. These data assets broaden the understanding of consumer and business financial potential and opportunity, which can further drive high value decisioning and targeting solutions for our clients. We also provide account review services, which assist our clients in managing their existing customers and prescreen services that help our clients identify new opportunities

6

with their customers. Clients for these products primarily include institutions in the banking, brokerage, retail, insurance and mortgage industries, as well as companies primarily focused on digital and interactive marketing.

International

The International operating segment includes our Latin America, Europe, Asia Pacific and Canada business units. These business units offer products that are similar to those available in the USIS operating segment, but with variations by geographic region. In some jurisdictions, data sources tend to rely more heavily on government agencies than in the U.S. We also offer specialized services that help our customers better manage risk in their consumer portfolios. This operating segment’s products and services generate revenue in Argentina, Australia, Brazil, Canada, Chile, Costa Rica, Dominican Republic, Ecuador, El Salvador, Honduras, India, Mexico, New Zealand, Paraguay, Peru, Portugal, Spain, the U.K. and Uruguay. We have investments in consumer and/or commercial credit information companies through joint ventures in Brazil, Cambodia, Malaysia and Singapore. We also provide information, technology and services to support debt collections and recovery management in Asia Pacific, Europe, and Latin America.

Latin America. Our Latin America operation provides consumer and commercial information solutions products, marketing products and consumer credit protection products. We offer a full range of products, generated from credit records that we maintain, including credit reporting and scoring, decisioning technology, risk management, identity management, authentication and fraud detection services. Our consumer products are the primary source of revenue in each of the countries in this region in which we operate, with the exception of Mexico where debt management services constitute the core of the business. We also offer various commercial products, which include credit reporting, decisioning tools and risk management services, in the countries we serve. We also provide information, technology and services to support debt collections and recovery management. Additionally, we provide a variety of consumer and commercial marketing products generated from our credit information databases, including business profile analysis, business prospect lists and database management. The countries in this region in which we operate include Argentina, Brazil, Chile, Costa Rica, Dominican Republic, Ecuador, El Salvador, Honduras, Mexico, Paraguay, Peru and Uruguay. We also have an investment in a consumer credit information company through a joint venture in Brazil.

Europe. Our Europe operation provides information solutions, fraud detection services, debt collection services, marketing products, and credit monitoring products to resellers or directly to consumers. Information solutions and fraud products are generated from information that we maintain and include credit reporting, monitoring and scoring, asset information, risk management, identity management and authentication services and fraud detection and modeling services. These products are sold in the U.K. and Spain. Limited marketing products are available in the U.K. and, to a lesser extent, in Spain. We also provide information, technology and services to support debt collections and recovery management in the U.K. and Spain. In the U.K., this includes a contract to provide these services to the U.K. government.

Asia Pacific. Our Asia Pacific operation provides consumer and commercial information solutions products, marketing products, employment verification services and consumer credit protection products. We offer a full range of products, generated from credit records and other data, including credit reporting and scoring, decisioning technology, risk management, identity management, authentication and fraud detection services. Our consumer and commercial products are the primary source of revenue in each of the countries in which we operate and include credit reporting, decisioning tools and risk management services. We also provide information, technology and services to support talent management, as well as debt collections and recovery management. Additionally, we provide a variety of consumer and commercial marketing products generated from information databases, including business profile analysis, business prospect lists and database management. The countries in which we operate include Australia, New Zealand and India, as well as Cambodia, Malaysia and Singapore through joint ventures.

Canada. Similar to the USIS business unit, our Canada operation offers products derived from the credit information that we maintain about individual consumers and businesses. We offer many products in Canada, including credit reporting, monitoring and scoring, consumer and commercial marketing, risk management, fraud detection and modeling services, identity management and authentication services, together with certain of our decisioning products that facilitate pre-approved offers of credit and automate a variety of credit decisions. We also offer credit monitoring products to resellers or directly to consumers, as well as commercial credit solutions, which help businesses manage financial and credit risk and gain insights on customers, markets and industry groups using our commercial data assets. We also provide data, technology and services to facilitate the search of land data and process real estate transactions in Canada.

7

Competition

The market for our products and services is highly competitive and is subject to constant change. Our competitors vary widely in size and in the nature of the products and services they offer. Sources of competition are numerous and include, but are not limited to, the following:

•Competition in the Verification Services business is highly competitive with low barriers to entry and includes employers who manage verifications in-house, lenders who obtain verifications directly from employers, and numerous online and offline firms that provide verification services. Third parties may also seek to obtain verifications directly from employees by leveraging paper copies of information or by seeking employee credentials to access information systems. Competition in the U.S. Employer Services business is also highly competitive with low barriers to entry and includes in-house management of such services or the outsourcing of one or more of such services to numerous online and offline third-party outsourced providers; human resources consulting firms; human resources management services providers; payroll processors; accounting firms; and hundreds of smaller companies that provide one or multiple offerings that compete with our Employer Services business.

•Competition for our credit information solutions and direct-to-consumer solutions products varies by both application and industry, but generally includes global consumer credit reporting companies that offer a product suite similar to our credit information solutions, providers of personal identity theft protection services and providers offering free credit scores. There are also a large number of competitors who offer competing products in specialized areas (such as fraud prevention, risk management and application processing and decisioning solutions) and software companies offering credit modeling services or analytical tools. We believe our product provides the greatest value for customers given our decisioning technology and the features and functionality of our analytical capabilities. We emphasize our improved decision making and product quality while remaining competitive on price.

•Competition for our commercial solutions products primarily includes companies providing commercial credit reports, credit marketing and other business insights and analytics, including providers of these services in the international markets we serve.

•Competition for our debt collection and recovery management software, services and analytics is spread across a number of providers. We believe that the breadth and depth of our offering enables our clients to develop a more current and comprehensive view of consumers. In the category of platforms and analytics, we compete with entities that deploy collections platforms, account management systems or recovery solutions.

While we believe that none of our competitors offers quite the same mix of products and services as we do, we have strong competition in every category and certain competitors may have a larger share of particular geographic or product markets or operate in geographic areas where we do not currently have a presence.

We assess the principal competitive factors affecting our markets to include, among other things: the ability to protect information and systems; product attributes such as quality, depth, coverage, adaptability, scalability, interoperability, functionality and ease of use; product price; technical performance including system response time and availability; access to unique proprietary data tools; quickness of response, flexibility and client services and support; effectiveness of sales and marketing efforts; existing market penetration; proprietary technology; and new product innovation.

Technology and Intellectual Property

We rely on various intellectual property laws, confidentiality procedures and contractual provisions to protect strategic or valuable intellectual property developed in connection with our business. We register, and apply for registration of, certain intellectual property in the U.S. and several foreign countries under applicable patent laws. We also register and rely on common law rights, where applicable, to protect trademarks, service marks, logos and internet domain names in the U.S. and in many foreign countries, the most important of which include “Equifax,” “The Work Number,” “Interconnect,” “Equifax Ignite,” and variations thereof. These marks are used in connection with many of our product lines and services. Our intellectual property rights are generally important to our operations and competitive position, but no single intellectual property right or group of intellectual property rights is solely responsible for protecting our businesses. Certain Company trademarks, including the “Equifax” trademark, contribute to the success of our business, and their loss could have a significant negative impact on us.

8

We license other companies to use certain data, software and other technology and intellectual property rights we own or control, primarily as core components of our products and services, on terms that are consistent with customary industry standards and that are designed to protect our interest in our intellectual property. Other companies license us to use certain data, technology and other intellectual property rights they own or control. For example, we license credit-scoring algorithms and the right to sell credit scores derived from those algorithms from third parties for a fee. We do not hold any franchises or concessions that are material to our business or results of operations.

Governmental Regulation

We are subject to a number of U.S. federal, state, local and foreign laws and regulations that involve matters central to our business. These laws and regulations may involve consumer reports, privacy and consumer protection, data protection, artificial intelligence, intellectual property, competition, anti-corruption, anti-bribery, anti-money laundering, employment, health, taxation or other subjects. In particular, we are subject to U.S. federal, state, local and foreign laws regarding the collection, protection, dissemination and use of personal information we collect, process or otherwise have in our possession. Failure to satisfy those legal and regulatory requirements, or the adoption of new laws or regulations, could have a significant negative impact on our results of operations, financial condition or liquidity.

U.S. federal, state, local and foreign laws and regulations are evolving and can be subject to significant change. In addition, the application and interpretation of these laws and regulations are often uncertain. These laws are enforced by federal, state and local regulatory agencies in the jurisdictions where we operate, and in some instances also through private civil litigation. There are also a number of legislative proposals pending before the U.S. Congress, various state legislative bodies and foreign governments concerning consumer and data protection, as well as artificial intelligence, that could affect us.

Summary of U.S. Regulations Relating to Consumer and Data Protection

Our U.S. operations are subject to numerous laws and regulations that govern the collection, protection and use of consumer credit information, employment and income information, personally identifiable information and other information and impose penalties for the misuse of such information or unauthorized access to data. Many of these laws and regulations also affect our customers’ use of consumer credit information, employment and income information, personally identifiable information or other data that we license. Examples of the most significant U.S. laws include, but are not limited to, the following:

Federal Laws and Regulation

•FCRA. The Fair Credit Reporting Act (“FCRA”) regulates consumer reporting agencies, including many of our U.S. operations, as well as data furnishers and users of consumer reports such as employers, banks and other companies. FCRA provisions govern the accuracy, fairness and privacy of information in the files of consumer reporting agencies (“CRAs”) that engage in the practice of assembling or evaluating certain information relating to consumers for certain specified purposes. Among other requirements, the FCRA limits the type of information that may be reported by CRAs, limits the distribution and use of consumer reports and establishes consumer rights to access, freeze and dispute information in the consumer's files. CRAs are required to follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates, and if a consumer disputes the accuracy of any information in the consumer’s file, to conduct a reasonable reinvestigation. The Consumer Financial Protection Bureau (“CFPB”) is the primary regulator that enforces and provides regulatory guidance related to the FCRA in the United States. CRAs are required to comply with regulations promulgated by the CFPB and are subject to supervisory engagements related to a variety of FCRA requirements. Violation of the FCRA can result in civil and criminal penalties. The FCRA contains an attorney fee shifting provision to provide an incentive for consumers to bring individual or class action lawsuits against a CRA for violations of the FCRA. In addition to the private right of action for individuals and the CFPB’s regulatory authority, the United States Federal Trade Commission (“FTC”) and state attorneys general may also enforce the requirements of the FCRA.

•Dodd-Frank Act. Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”) created the CFPB. The Dodd-Frank Act provides the CFPB with examination and supervisory authority over CRAs, including us. The Dodd-Frank Act prohibits unfair, deceptive or abusive acts or practices (“UDAAP”) with respect to consumer financial services practices and provides the CFPB with enforcement authority to enforce those provisions. Among other areas, the CFPB’s UDAAP authority extends to the security measures we employ to safeguard the personal data of consumers. Allegations that we failed to safeguard or handle such data in a compliant manner may subject us to CFPB enforcement action. The CFPB may pursue administrative proceedings or litigation to enforce the laws and rules subject to its jurisdiction. In these proceedings, the CFPB

9

can obtain cease and desist orders, which can include orders for restitution to consumers or rescission of contracts, as well as other types of affirmative relief and monetary penalties ranging from $5,000 per day for ordinary violations and up to $1 million per day for known violations. Also, the Dodd-Frank Act empowers state attorneys general and state regulators to bring civil actions in certain circumstances for the kind of cease and desist orders available to the CFPB (but not for civil penalties).

•FTC Act. The Federal Trade Commission Act (“FTC Act”) prohibits unfair methods of competition and unfair or deceptive acts or practices. Under the FTC Act, the FTC’s jurisdiction includes the ability to bring enforcement actions based on the security measures we employ to safeguard the personal data of consumers. Allegations that we failed to safeguard or handle such data in a reasonable manner may subject us to regulatory scrutiny or enforcement action. There is no private right of action under the FTC Act.

•GLBA. The Financial Services Modernization Act of 1999, or Gramm-Leach-Bliley Act (“GLBA”), regulates, among other things, the use of non-public personal information of consumers that is held by financial institutions, including us. We are subject to various GLBA provisions, including rules relating to the use or disclosure of the underlying data and rules relating to the physical, administrative and technological protection of non-public personal financial information. Breach of the GLBA can result in civil and/or criminal liability and sanctions by regulatory authorities. Regulatory enforcement of the GLBA is under the purview of the FTC, the CFPB, the federal prudential banking regulators, the SEC and state attorneys general, acting alone or in concert with each other.

•CROA. The Credit Repair Organizations Act (“CROA”) regulates companies that claim to be able to assist consumers in improving their credit standing. There have been efforts to apply the CROA to credit monitoring services offered by CRAs and others. The CROA allows for a private right of action. Consumers can sue to recover the greater of the amount paid or actual damages, punitive damages, costs, and attorney’s fees for violations of the CROA.

State Laws and Regulations Relating to Consumer and Data Protection

•A number of states have enacted requirements similar to the FCRA. Some of these state laws impose additional, or more stringent, requirements than the FCRA, especially in connection with investigations and responses to reported inaccuracies in consumer reports. The FCRA preempts some of these state laws, but the scope of preemption continues to be defined by the courts. The state of Vermont is grandfathered under the original FCRA requirements and thus we are subject to additional requirements to comply with Vermont law.

•All fifty states have adopted versions of data security breach laws that require notification to affected consumers and potentially regulators or law enforcement authorities in the event of a breach of personal information. A subset of these laws and other state laws require the implementation of data security measures as well. State attorneys general can enforce such state laws and can seek equitable as well as monetary remedies and in some cases private rights of action are permitted by such laws.

•The New York State Department of Financial Services (“NYDFS”) has enacted extensive regulatory requirements applicable to CRAs that require registration with that agency, prohibit unfair and deceptive consumer practices and require compliance with significant portions of the NYDFS cybersecurity rules.

•We or certain of our operations are also subject to and affected by new and evolving state privacy and data security laws, including data broker registration requirements in California, Vermont, Oregon and Texas. Many of these laws (i) impose additional data privacy requirements on many businesses operating in the state when processing personal information, (ii) impose notice requirements relating to the collection, use and sharing of personal information and (iii) provide consumers with extensive rights, including the right to access the categories and specific pieces of personal information businesses collect, the right to request businesses delete information, and the right to opt-out of “sales” of personal information, among other rights. A number of other state legislatures have introduced comprehensive data privacy legislation that is pending before the state legislative body. If enacted, such laws may contain variations and impose new compliance risks and obligations on us.

•State banking and financial services regulatory agencies have asserted either express or implied authority under applicable state laws to examine us as a third-party service provider to financial institutions, and in certain cases to bring enforcement actions against us. Generally, such examinations, and related enforcement actions, are focused on assessing our safety and soundness in support of financial institutions we serve.

10

•We are also subject to federal and state laws that are generally applicable to any U.S. business with national or international operations, such as antitrust laws, the Foreign Corrupt Practices Act, the Americans with Disabilities Act, state unfair or deceptive practices acts and various employment laws. We continuously monitor legislative and regulatory activities that involve credit reporting, data privacy, security and other relevant issues to identify issues in order to remain in compliance with all applicable laws and regulations.

Summary of International Regulations Relating to Consumer and Data Protection

We are subject to various data protection, privacy and consumer credit laws and regulations in the foreign countries where we operate. Examples of the most significant of these laws include, but are not limited to, the following:

•In the U.K., we are subject to a regulatory framework that provides for regulation by the Financial Conduct Authority (the “FCA”). The FCA focuses on consumer protection, the integrity of the U.K. financial system, and effective competition in the interests of consumers. The FCA has significant powers, including the power to regulate conduct related to the marketing of financial products, to specify minimum standards and to place requirements on products, impose unlimited fines, and to investigate organizations and individuals. In addition, the FCA is able to ban financial products for up to a year while considering an indefinite ban; it has the power to instruct firms to immediately retract or modify promotions which it finds to be misleading, and to publish such decisions. Our core credit reporting and debt collections services and recovery management businesses in the U.K. are subject to FCA supervision. In addition to regulation by the FCA, we are also subject to regulation by the U.K. Information Commissioner’s Office, which focuses on upholding information rights in the public interest and the protection of data privacy for individuals.

In the U.K., we are subject to provisions that are broadly equivalent to the European Union’s General Data Protection Regulation (“GDPR”), described below.

•In Europe, we are subject to the EU's GDPR, which is an extremely broad and sweeping privacy law. The GDPR establishes multiple privacy and data protection requirements, including data breach notification, and it gives regulators the ability to pursue substantial penalties for non-compliance. In addition to the GDPR, each EU member state may include specific requirements regarding personal data breaches in its local data protection regulations. The EU Artificial Intelligence Act imposes mandatory compliance requirements, including for artificial intelligence governance, documentation and human oversight.

•In Canada, federal and provincial laws govern how we collect, use or disclose personal information in the course of our commercial activities. Federally, the Personal Information Protection and Electronic Documents Act (“PIPEDA”) governs the collection, use and disclosure of personal information by organizations in the private sector. Businesses must follow the fair information principles set forth in PIPEDA to protect personal information, including: accountability, identifying purposes, consent, limiting collection, limiting use, disclosure and retention, accuracy, safeguards, openness, individual access and compliance. It sets out specific obligations with respect to accountability and identifying purposes, consent, collection, use, disclosure, retention, accuracy, safeguards, personal data breach reporting, individual access and compliance. Alberta, British Columbia and Quebec privacy legislation sets out similar privacy laws and rules that apply to our Canadian business. The federal and provincial privacy regulators have powers of investigation and intervention, and provisions of Canadian law regarding civil liability apply in the event of unlawful processing which is prejudicial to the persons concerned. Canada also has specific credit reporting legislation that is regulated at a provincial level. At present, each province has credit reporting legislation, with the exception of the territories (Northwest Territories, Yukon, and Nunavut). Generally speaking, the legislation regulates the contents of credit files, the length of time information can be included on a credit file, who can receive credit reports and consumer rights pertaining to the maintenance of credit reports.

•In Latin America, data protection and credit reporting regulations have evolved significantly toward comprehensive, GDPR-aligned frameworks. Recent legislative actions in countries such as Chile, Paraguay and El Salvador have established unified national standards and dedicated regulatory authorities. For example, Chile enacted Law No. 21.719, which becomes fully enforceable in December 2026 and establishes a Personal Data Protection Agency and introduces rigorous requirements for data portability, breach notification and cross-border transfers. Similarly, Paraguay passed its first comprehensive Personal Data Protection Law (No. 7593) in November 2025, initiating a two-year transition period for compliance. El Salvador also implemented a general data protection law in late 2024, overseen by its State Cybersecurity Agency.

These developments align with a regional trend toward “international adequacy,” a legal status whereby one country or region formally recognizes that another country’s data protection laws are essentially equivalent to their own. In January 2026, the European Commission and Brazil adopted mutual adequacy decisions, allowing the free flow of personal data between the EU and Brazil without additional safeguards. Brazil now joins

11

Argentina and Uruguay as jurisdictions recognized for providing “adequate” levels of protection. Large countries like Mexico, Colombia and Peru have comprehensive, but not yet “adequate”, data protection laws. In other countries, credit bureaus are still governed by specialized credit reporting laws rather than a broad, EU-style framework.

•In Australia, we are subject to regulatory oversight by various agencies. The Office of the Australian Information Commissioner (“OAIC”) is the regulator with direct responsibility for administering the Australian Privacy Act 1988, which incorporates the Australian Privacy Principles (which relate to the collection, holding, use and disclosure of personal information) and Part IIIA of the Privacy Act 1988 (which regulates credit reporting). The OAIC can investigate a complaint, conduct its own investigations, resolve/make binding determinations and seek civil penalties. Our credit reporting business, Equifax Information Services and Solutions Pty Ltd, is a member of an external dispute resolution scheme, the Australian Financial Complaints Authority, which has been approved by the OAIC to handle privacy and credit reporting complaints and make binding determinations. The OAIC can register codes of practice under the Privacy Act 1988, and has registered the Privacy (Credit Reporting) Code 2024. The Australian Competition and Consumer Commission (“ACCC”) is the regulator responsible for administering and enforcing the Competition and Consumer Act 2010 and related legislation concerning consumer protection and competition. The ACCC has the authority to use a range of actions to ensure compliance with the law, including investigative powers and the ability to seek penalties through litigation and other formal enforcement means, or specific action by means of court-enforceable undertakings. The ACCC also administers the Consumer Data Right legislation, which mandates the supply by banks of comprehensive credit information to credit reporting bodies, including Equifax. The Australian Retail Credit Association is a credit and credit reporting industry self-regulatory body, which administers principles and standards for the exchange of credit data between industry participants. Equifax Australasia Credit Ratings Pty Limited (formerly named Corporate Scorecard Pty Limited, one of our Australian subsidiaries) holds an Australian Financial Services Licence, which allows it to provide general advice to wholesale clients by issuing a credit rating, and has been approved in New Zealand as a rating agency by the Reserve Bank of New Zealand under section 86 of the Non-Bank Deposit Takers Act 2013 (NZ). The Australian Securities and Investments Commission regulates corporations and has authority to investigate, prosecute, ban individuals and to seek civil penalties.

•In New Zealand, the regulatory framework provides for primary regulation under the Privacy Act 2020. The Office of the Privacy Commissioner (“OPC”) investigates complaints relating to the collection, use, holding and disclosure of personal information, both credit-related and non-credit related. The OPC can make a finding that there has been an interference with privacy but cannot impose civil penalties for this. In extreme cases where there has been an interference with privacy, it can refer these cases to the Director of Human Rights for determination in the Human Rights Review Tribunal. The OPC can issue practice codes under the Privacy Act 2020 and has issued and subsequently amended the Credit Reporting Privacy Code 2020. The Privacy Act 2020 contains mandatory data breach reporting. The Retail Credit Association of New Zealand is an industry association which addresses reciprocity of data issues relating to comprehensive credit reporting and data standards.

•In India, various legislation including the Information Technology Act of 2000 and rules framed thereunder and the Credit Information Companies (Regulation) Act of 2005 and rules and regulations framed thereunder, establishes a federal data protection framework. Entities that collect and maintain personal data and/or credit information must ensure that it is complete, accurate and safeguarded, and must adopt certain privacy principles with respect to collecting, processing, preserving, sharing and using such data and/or credit information. India recently enacted a new privacy law, The Digital Personal Data Protection Act, 2023 ("DPDP Act"), which provides greater protection to individuals’ personal data in digital form. Our Indian business is also subject to regulation by the Reserve Bank of India, which is India’s central banking institution.

Summary of Regulations Affecting our Employer Services Business

The Employer Services business unit within our Workforce Solutions business segment helps employers comply with various regulatory frameworks applicable to employers in the United States. As a result, changes to those regulatory frameworks could impact the services we provide. For instance, if the federal government or a state government mandates the use of E-Verify or changes the requirements for individuals to work in the U.S., our I-9 service may be impacted. In addition, if the federal government changes the employer mandate or tax form requirements of the Patient Protection and Affordable Care Act, our Affordable Care Act Management Service may be impacted. The Unemployment Cost Management service could be impacted if a state government changes the requirements for employers to process and/or protest unemployment claims. The Tax Management Services business within our Employer Services business is potentially impacted by changes in renewal or non-renewal of U.S. federal and state tax laws or interpretations, for example, those pertaining to work opportunity tax credits and unemployment compensation claims.

12

Human Resources

Our People

Equifax employed approximately 15,000 employees in 22 countries as of December 31, 2025. Our global employee base consisted of approximately 3,100 employees in our Workforce Solutions business unit, 2,800 employees in our USIS business unit, 4,800 employees in our International business unit and 4,300 employees in our corporate Centers of Excellence, which also include our support centers in Chile, Costa Rica, India and Ireland. In 2025, we hired approximately 2,700 new employees and promoted approximately 1,800 employees as we continue to grow and transform our businesses around the world.

Forward-Looking Statements

This report contains information that may constitute “forward-looking statements.” Generally, the words “believe,” “expect,” “intend,” “estimate,” “anticipate,” “project,” “will,” “may” and similar expressions identify forward-looking statements, which generally are not historical in nature. All statements that address operating performance and events or developments that we expect or anticipate will occur in the future, including statements related to our strategy, our long-term financial framework, our future operating results, improvements in our information technology and data security infrastructure, the expected financial and operational benefits, synergies and growth from our acquisitions, the expected benefits of our use of artificial intelligence, the pricing strategies, benefits and value proposition of product offerings of Equifax and its competitors, changes in the U.S. mortgage market environment (as well as changes more generally in U.S. and worldwide economic conditions), such as changes in interest rates and inflation levels, and similar statements about our financial outlook and business plans, are forward-looking statements. Management believes that these forward-looking statements are reasonable as and when made. However, forward-looking statements are subject to certain risks and uncertainties that could cause actual results to differ materially from the Company’s historical experience and our present expectations or projections, including without limitation our expectations regarding the Company’s outlook, long-term organic and inorganic growth, and customer acceptance of our business solutions referenced above under “Item 1. Business” and below in “Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations — Business Overview.” These risks and uncertainties include, but are not limited to, those described below in “Item 1A. Risk Factors,” and elsewhere in this report and those described from time to time in our future reports filed with the United States Securities and Exchange Commission (“SEC”). As a result of such risks and uncertainties, we urge you not to place undue reliance on any such forward-looking statements. Forward-looking statements speak only as of the date when made. We undertake no obligation to publicly update or revise any forward-looking statements, whether as a result of new information, future events or otherwise, except as required by law.

Available Information

Detailed information about us is contained in our annual reports on Form 10-K, quarterly reports on Form 10-Q, current reports on Form 8-K, proxy statements and other reports, and amendments to those reports, that we file with, or furnish to, the SEC. These reports are available free of charge at our website, www.equifax.com, as soon as reasonably practicable after we electronically file such reports with or furnish such reports to the SEC. However, our website and any contents thereof should not be considered to be incorporated by reference into this document. We will furnish copies of such reports free of charge upon written request to Equifax Inc., Attn: Office of Corporate Secretary, P.O. Box 4081, Atlanta, Georgia, 30302. These reports are also available at www.sec.gov.