Vincenzo Zeno-Zencovich
Professor of Comparative Law – University of Roma Tre Rector of the Rome University of International Studies (UNINT)
CREDIT REPORTING
AND DATA PROTECTION
CREDIT REPORTING AND DATA PROTECTION IN EU LAW
• In &mes of financial instability growing importance of credit repor&ng
• Credit repor&ng as part of monitoring system of the common financial market
• Credit repor&ng as obliga&on of both public ins&tu&ons and private enterprises
• Evalua&on of creditworthiness is fundamental in gran&ng credit and in evalua&ng risk
CREDIT REPORTING AND DATA PROTECTION IN EU LAW
• In 2013 numerous EU legisla&on which involves, directly or indirectly, credit repor&ng Ø Direc&ve 2013/36 of 26 June 2013 on access to the ac&vity of credit ins&tu&ons and the pruden&al supervision of credit ins&tu&ons
Ø Regula&on 575/2013 of 26 June 2013 on pruden&al requirements for credit ins&tu&ons and investment firms
CREDIT REPORTING AND DATA PROTECTION IN EU LAW
Ø Regula&on 462/13 of 21 May 2013 on credit ra&ng agencies
• Direc&ve 2013/36:
Ø Ar&cle 77, para. 2: “ Competent authori.es shall, taking into account the nature, scale and complexity of ins.tu.ons' ac.vi.es, monitor that they do not solely or mechanis.cally rely on external credit ra.ngs for assessing the creditworthiness of an en.ty or financial instrument”
CREDIT REPORTING AND DATA PROTECTION IN EU LAW
• Regula&on 575/13:
Ø In order to obtain covered bonds “Both the
credit ins.tu.on and the protec.on provider shall carry out a creditworthiness assessment of the borrower” (ar&cle 129)
Ø In order to obtain credit protec&on necessary t o d e t e c t e x c e s s i v e r e l i a n c e o n creditworthiness (ar&cle 217)
CREDIT REPORTING AND DATA PROTECTION IN EU LAW
Ø Credit ins&tu&ons must “not undertake
business with a counterparty without assessing its creditworthiness” (ar&cle 286)
Ø Ins&tu&ons applying credit risk mi&ga&on techniques must disclose “the main types of
guarantor and credit deriva.ve counterparty and their creditworthiness”(ar&cle 453)
CREDIT REPORTING AND DATA PROTECTION IN EU LAW
• Regula&on 462/13:
Ø Ins&tu&ons should avoid entering into contracts using credit ra&ng «as only
p a r a m e t e r t o a s s e s s creditworthiness» (preamble n. 9) (i.e. they
must use further informa&on)
Ø «More diversity in the assessment of
CREDIT REPORTING AND DATA PROTECTION IN EU LAW
Ø In order «to make an informed assessment of
the creditworthiness of finance instruments»
investors must be provided with further informa&on (preamble n. 30)
Ø Use of «credit scores»
Ø European Data Protec&on Supervisor (EDPS) expressly asked that Regula&on 462 should have a safeguard clause of data protec&on, but the request was rejected.
CREDIT REPORTING AND DATA PROTECTION IN EU LAW
Ø Paramount are «the enhancement of
consumer and investor protec.on» (ar&cle 1)
• Clear conflict between need for stable, reliable, transparent and compe&&ve financial markets and increase of data protec&on measures
• Typical example of conflict: Dra^ direc&ve on credit agreements rela&ng to residen&al property
CREDIT REPORTING AND DATA PROTECTION IN EU LAW
• In dra^ direc&ve extended provisions on:
Ø Obliga&on to assess the creditworthiness of the consumer (ar&cle 14)
Ø Disclosure obliga&on on the part of the consumer (ar&cle 15)
Ø Right to access databases on creditworthiness of consumers and for monitoring consumers compliance (ar&cle 16)
CREDIT REPORTING AND DATA PROTECTION IN EU LAW
• In the Opinion of the ECB “private credit
bureaux or credit reference agencies and public credit registers” should be allowed “against the background of their purposes and business models, to collect addi.onal informa.on on these credits where appropriate”.
CREDIT REPORTING AND DATA PROTECTION IN EU LAW
• In the Opinion of the EDPS, instead:
Ø the whole ac&vity should be subject to data protec&on laws
Ø sources from which informa&on on debtor’s creditworthiness can be obtained should be restricted
Ø access to database should be allowed only prior to specific communica&on to the debtor
CREDIT REPORTING AND DATA PROTECTION IN EU LAW
• Different approach between financial market regulators and data protec&on authori&es is very clear in other EU documents.
• Commission Retail Banking Sector Inquiry (2007)
Ø “Credit registers are an important element of retail banking market infrastructure. To ensure strong compe..on among credit providers in retail banking markets it is vital that credit registers enable open and non-‐discriminatory access to credit data”
CREDIT REPORTING AND DATA PROTECTION IN EU LAW
• Credit data sharing tends to have posi&ve economic effects: Ø Credit data reduces the informa&on asymmetry between a
bank and its poten&al customer (lower default rates)
Ø Credit informa&on sharing acts as a borrower discipline device: borrowers know that if they default, this fact becomes public knowledge and their reputa&on with other lenders is affected
Ø Credit repor&ng helps reduce problems of adverse selec&on, generally ensuring greater credit availability on becer condi&on
CREDIT REPORTING AND DATA PROTECTION IN EU LAW
• Banks and other providers of credit require access to good quality credit informa&on in order to price accurately for borrowers, and a greater availability of credit data tends to improve banking market performance
• Need for common rules throughout the EU
• Similar sugges&ons come from the 2009 EU Report of the Expert Group on Credit Histories
CREDIT REPORTING AND DATA PROTECTION IN EU LAW
Ø Access to credit registers should be possible throughout the lifecycle of the credit and also a^er
Ø Common mechanisms for consumers to access credit reports
Ø Necessary to strike a balance between transparency of credit markets and data protec&on
CREDIT REPORTING AND DATA PROTECTION IN EU LAW
• Model suggested in 2007 by Retail Banking Sector Inquiry and 2009 EGCH is consistent with interna&onal models and standards
• US Fair Credit Repor&ng Act
Ø Credit repor&ng agencies have the right to create individual credit records
Ø Consumers have the right to access their record and to ask correc&ons
CREDIT REPORTING AND DATA PROTECTION IN EU LAW
• Australian Credit Repor&ng Code of Conduct Ø Informa&on on why informa&on is collected Ø Data must be accurate, up to date, complete
and not misleading
Ø Right of access and correc&on of credit records
CREDIT REPORTING AND DATA PROTECTION IN EU LAW
• In Canada regula&on on a provincial basis Ø Model is that of credit scores which each
consumer has the right to access and ask correc&ons
Ø Great effort in informing consumers by Financial Consumer Agency
Ø See «Understanding Your Credit Report and
CREDIT REPORTING AND DATA PROTECTION IN EU LAW
In 2011 World Bank has issued «General Principles for Credit Repor&ng» sehng several public policy objec&ves:
Ø Credit repor&ng systems should effec&vely support the sound and fair extension of credit in an economy as the founda&on for robust and compe&&ve credit markets. Credit repor&ng systems should be safe and efficient, and fully suppor&ve of data subjects and consumer rights.
CREDIT REPORTING AND DATA PROTECTION IN EU LAW
Ø Credit repor&ng systems should have accurate, &mely and sufficient data – including posi&ve -‐ collected on a systema&c basis from all relevant and available sources, and should retain this informa&on for a sufficient amount of &me.
Ø Credit repor&ng systems should have rigorous standards of security and reliability, and be efficient.
Ø The governance arrangements of credit repor&ng service providers and data providers should ensure accountability, transparency and effec&veness in managing the risks associated with the business and fair access to the informa&on by users.
CREDIT REPORTING AND DATA PROTECTION IN EU LAW
Ø The overall legal and regulatory framework for credit repor&ng should be clear, predictable, non-‐discriminatory, propor&onate and suppor&ve of data subject and consumer rights
Ø Cross-‐border credit data transfer should be facilitated where appropriate
CREDIT REPORTING AND DATA PROTECTION IN EU LAW
SOME CONCLUSIONS
Ø Credit collec&on firms in the EU should side the acemps of the Commission and other financial governance ins&tu&ons (ECB) to put into place a comprehensive regula&on of credit repor&ng
Ø Processing of data in the field of credit cannot be considered a ‘personal’ macer which concerns only the borrower
CREDIT REPORTING AND DATA PROTECTION IN EU LAW
Ø Credit records are relevant not only for credit ins&tu&ons but also for public financial market regulators: personal data have public impact Ø Many sugges&ons can come from non-‐EU
models (US, Australia, Canada)
Ø Objec&ve: special regula&on – and not General Data Protec&on Regula&on – for credit repor&ng