Submission on the Proposals to Extend the Range of Shared Consumer Credit Data

I.  INTRODUCTION

１.   This paper outlines the Consumer Council's views on

1. the overall issue of the proposals to extend the range of consumer credit data that is shared between credit providers; and
2. the specific proposals being put forward in a consultation document issued by the Office of the Privacy Commissioner for Personal Data (PCO) on the same subject.

2.   The proposal to allow greater sharing of consumer credit data among credit providers represents a fundamental change in Hong Kong's consumer credit environment. This change has wider implications for the community than simply serving the stated purpose of enhancing the assessment of credit risk. The Council's comments in this paper are a reflection of the concern that has been expressed to it by consumers in Hong Kong. In this submission the Council is putting forward various suggestions if the extension to the range of shared credit data were to go ahead.

II.  OVERALL ISSUES

Measuring Outcomes

3.   The Council shares the community's interest in ensuring that the finance industry remains healthy and responsive to the needs of the market. However, it feels there are important questions from consumers that the industry and government need to answer regarding the range of information on consumers' personal credit information that financial institutions can share amongst each other.

4.   In past discussions with the Council the industry has provided research material from other jurisdictions that has quantified the benefits to consumers of an expanded credit information data base in those jurisdictions.

5.   The Council therefore calls on industry and government to tell consumers now, what benefits are going to arise, and to establish quantifiable benchmarks upon which the benefits can be measured after a period of time, specifically,

• the expected differentiation in interest rates for those consumers with different credit risks;
• the expected reduction in default rates and bankruptcies, that are attributed to the fault of debtors, rather than economic causes;
• the expected increase in the percentage of consumers who will be eligible to obtain credit under the expanded data base, as compared to the level under the current limited data base; and
• the expected decrease in other costs of finance, such as the required down payment, convenience of access, credit limits and fees.

6.   The industry has also made general assurances that there will not be any increases in abusive access to the consumer information data base. This also suggests that a goal should be set, against which the new procedures can be measured.

7.   Setting benchmarks to measure outcomes of new initiatives is common practice in the private sector and there should not be great difficulty for the financial industry to comply with this request.

8.   Upon review, if the goals are not achieved the industry and government should be prepared to find more effective measures to address the problem or revert back to the current position.

Safeguards

9.   While the Council fully recognizes the commercial needs of the finance industry for access to consumer information, we believe that in expanding the sharing of consumer credit data there needs to be effective mechanisms to adequately safeguard consumer rights; in particular the right to redress in case of misuse or errors in consumer credit reports.

10.   Credit information is both a valuable financial asset and a personal asset that should be carefully guarded. It will be in the interest of the industry upon expansion of the sharing of credit data, not to expose their customers to conceivably excessive and unwanted credit inquiries as well as to opportunities for misuse of that information. Fraud or inaccuracy in relation to consumer credit reports can cause the industry and consumers considerable harm, the latter case includes denial of credit and wasteful use of time and money to remove inaccurate information from the reports.

11.   The Council is aware that in other countries, such as the US, credit report errors, and inappropriate behaviour by credit reference agencies have been a serious problem. Problems that have arisen are credit reference agencies collecting and selling information to banks, and without consulting consumers to ensure accuracy of the information, which could have an effect on consumers' future applications for credit.

12.   In general, consumers rarely know about or check on their credit reports until after they have been denied or otherwise encountered a problem. This is often due to the fact that there is a lack of notice drawing consumers' awareness to their rights, or that access fees act to discourage consumers from checking on their reports. The Council considers that consumer rights will be enhanced if measures are introduced for consumers to

-  opt out from sharing of credit data (para. 21 & 22, 42 - 44)
-  know if access to credit report is legitimate (para. 25, 32 - 34)
-  limit access (para. 45 - 47)
-  have outdated or inaccurate data removed and corrected (para. 37)
-  have free copy of credit report (para. 35 & 36, 48 - 51)
-  opt out from the continued use of the payment data upon determination of a credit relationship (para. 39 - 41)
-  has redress (para. 58 & 59)

13.   The following has been proposed to enhance public confidence of the operation of the credit reference system:

-  increase transparency in the credit scoring system by disclosing information on the formula used in compiling credit scores for consumers (para. 26)
-  provide clear and transparent guidelines on issues such as the definition of "abnormal access" (para. 28 - 31, 53 - 56)
-  make submission of compliance audit report as a routine measure instead of "upon request" (para. 57)
-  explore the nature of credit reference agencies and their role in the future (para. 61 & 62)

The Credit Reference Agency

14.   A matter of ongoing concern for the Council, that will need to be examined by government, is the nature of credit information agencies and their role in the future. For example, to what extent should they be allowed to develop into profit making enterprises, given that their existence at the present time is seen by some to be providing a source of stability to the finance sector, and the balance that needs be achieved between the commercial interests served from collecting that information and the privacy and ownership rights of consumers.

15.   The Council considers it necessary to re-examine whether credit information services should be provided by profit making entities. Since they are currently a commercial operation, pressure to make profits may bring about practices such as the sale of consumers' credit data, and have cost implications for consumers. Who monitors the operation of such entities is also a matter that needs to be addressed.

III.  PCO PROPOSALS & COUNCIL RESPONSE

16.   The following Council comments are focused on the PCO's proposed provisions on consumer credit data protection in relation to the sharing of positive credit data as stated in the consultation document. They reflect a general concern that has been expressed by consumers who have contacted the Council regarding the activities of credit reference agencies, credit providers, and the responsibility they feel they are currently owed by government. However, the concerns relate not only to the current proposals, but to future activities of information collection businesses as a major ongoing concern, that will need to keep under study by government.

Issue 1: Scope of new credit data

PCO proposal:

17.   Additional credit data to be included (refers to proposal 3 of the PCO consultation document) -

• General credit data: the identity of the credit provider, account opening date, the type of facility and the currency in which it is denominated

-  Credit card: the approved credit limit.
-  Other credit facilities (e.g. personal loan): the original credit amount or approved credit limit and repayment term.

• Repayment data:

-  Credit card: remaining available credit, the date of last statement and amount shown on such statement, and the date and amount of payment(s) made during last reporting period.
-  Other credit facilities: remaining available credit, the outstanding balance of the account, the date on which repayment last fell due and the amount then due, and the date and amount of payment(s) made during last reporting period.

• Account termination data: the date of account termination, and the fact that the account had been terminated by full repayment.

18.   Information not allowed to include -

• Residential mortgage loans (proposal 1).
• Personal income, deposits or other assets or non-credit based information such as the individual's employment information (proposal 2).

Council comment:

Employment information

19.   The proposed scope in effect provides credit providers with a fuller picture of a consumer's total credit exposure and payment pattern. The Council welcomes the fact that the PCO has taken into account our suggestion in the consultation document that the credit reference agency may not collect employment information. This is for reasons similar to that of not being allowed to collect information on personal income. The Council does not support including information that will have any labeling effect on consumers derived from non credit based information.

Extent of industry participation

20.   At present there is no statutory requirement for credit providers to report their customers' credit data to the credit reference agency. In April this year HKMA stated that "participation is on a voluntary basis" and it will be issuing supervisory guidelines encouraging Authorized Institutions (AIs) to participate in the positive data sharing. However, the Council notes that voluntary participation by AIs conflicts with the notion that increasing the range of information will assist to address some of the problems with increased levels of unsustainable debt.

Right to opt out from sharing of credit data

21.   The Council believes that regardless of the extent of participation by credit providers in the system, consumers should in any event be provided at the outset with a right to opt out of the credit reporting system. This may seem to conflict with the point above regarding the need for credit providers to ensure full participation in the system by providing borrowers' information to the credit reference agency. Incomplete information will disadvantage a consumer whereas the absence of information may not, where a consumer so desires. This is because the absence of some consumers' information from the system, where those consumers have requested not to be included, will not jeopardize the utility of the system. This is because non participating consumers who choose to become borrowers will have to negotiate other means of assuring credit providers of their credit risk profile.

Right to be informed of company policies and consumer rights

22.   Credit providers should notify consumers of the company's privacy and information policies credit data. The Council notes that financial institutions have made such information available to consumers. Nevertheless, the Council considers it important that credit providers draw consumers' particular attention to their policy with regard to the collection of negative and the proposed expanded credit information, including their right to opt out upon application for credit facilities. Credit providers should also provide consumers with the means to opt out, for example, by filling in a simple form, calling a hotline, or using an e-mail or web form and also, how to check accuracy of their information, what to do in case of inaccuracy and right to redress etc. This information should be clearly and prominently spelled out, i.e. not in 'small print'.

Issue 2: Restrictions on data sharing

PCO proposal:

23.   Limits on the extent of data -

• Upon a date specified by the PCO, credit reference agency may collect from credit provider information about an individual's credit facilities where there is a current borrowing relationship (proposal 4).
• Credit reference agency should not collect an individual's credit facilities repayment details that occurred prior to the effective date (proposal 5).
• Credit report to credit providers may display repayment history records of the most recent 24 months (proposals 6 & 9).
• A credit report should not disclose the names of the lender (i.e. the source of the credit) and individual's credit facilities except where that lender is the credit provider requesting the report (proposal 7).
• Credit data used for credit scoring limits to data compiled within a period of 5 years immediately preceding the date of the credit scoring (proposal 8).

Council comment:

24.   The above proposals describe the extent to which credit data may be collected, compiled and disclosed. The Council supports the PCO's notion that it is necessary to limit the reporting of historical information so as to protect the interests of consumers.

Disclosure of lender name

25.   In relation to the disclosure of the name of the lender in a credit report, the Council would not object to this non-disclosure in the case of credit providers. However, from a consumer's perspective the need for information on who is accessing the credit data base to obtain a credit report would be different. Information provided to consumers should contain such information. With this information consumers would be in a better position to identify the source of errors, if any.

Credit scoring

26.   With regard to credit score, a poorly designed credit scoring system can work to a consumer's disadvantage. Experience in other jurisdictions indicates that often credit scoring models fail to account for the existence of disputed, erroneous or fraudulent information which is not easy to identify simply by looking at a score. There should be more transparency in the credit scoring system and publicly debated with expert input. Accordingly, consumers should be allowed access to credit scores and explanations as a part of their credit report. A credit reference agency should disclose information on the formula used in compiling credit scores for consumers.

Issue 3: Privacy safeguards applicable to credit providers

PCO proposal:

27.   Access restrictions -

• Credit provider may obtain access from a credit reference agency, credit data about an individual when considering any grant, review or renewal of consumer credit to the individual or to another person for whom the individual proposes to act as a guarantor, or upon default by the individual as principal or as guarantor (proposal 10).
• On each occasion of accessing the credit reference database of a credit reference agency, a credit provider should specify to the agency the event necessitating such access in accordance with the permissible purposes (proposal 12).

Council comment:

Meaning of review

28.   The Council has often received consumer inquiries and concerns about credit providers' access to consumer credit data, in particular about the term "review". It is opined that the term is so vague that this allows credit providers great flexibility of access to consumer credit reports. Consumers are confused as to how they are to know whether their credit reports have not been the subject of credit providers' abuse or manipulation.

29.   The Council can understand their concerns as records of access to credit reports are not made known to consumers.

30.   Currently, credit providers can directly access the credit reference agency's database through a network of which computer entry of key personal identification data such as name and ID number of a consumer suffices to get access to that consumer's credit report. No physical proof of consumer's consent, such as signed credit application, is required by the credit reference agency to check on whether such access is legitimate or not.

31.   It is acknowledged that credit providers and the credit reference agency would impose user guidelines on their staff and conduct audits. However, the Council believes that increasing transparency in the mechanism that is used enhances consumers' confidence in the data sharing mechanism.

Right to know if access to credit report is legitimate

32.   Consumers should be assured that only persons with a permissible purpose have access to their credit report, and only to people with a need recognized by the PCO (i.e. a credit provider) to consider an application for credit. The Council notes that the Code of Practice on Consumer Credit Data limits the purposes of access by credit providers only during the course of considering any grant, review or renewal of consumer credit to the consumer or where default has occurred. However, there are concerns whether permissible purposes of access refer only in respect of consumer initiated transactions. The Council considers it useful to register in a list, for public inspection, those credit providers who have been recognized.

33.   The computer programme should be so designed to identify and record the enquirer. This should be most useful to curb unjustified access and for auditing purposes.

34.   The Council welcomes that the PCO has taken initiatives to address the concerns of consumers and the Council, to introduce access control measures on usage of the credit database. Nevertheless, the Council reiterates its stance that consumers, who are the subject of credit data should have the right to know who has accessed their credit information. The frequencies etc. are spelled out in the ensuing paragraph.

Right to know the contents of credit report

35.   Allowing consumers access to their own credit reports is important because consumers play an important role in ensuring data accuracy and industry compliance. Therefore,

(a) Consumers must be told if information in their reports has been used against them, for example, in denying credit.
(b) Credit reference agencies should provide consumers with a free copy of their credit report.
(c) Consumers should be provided, annually, with a contact list of all individuals or companies that have requested a copy of their credit report, along with the copy of the report.

36.   With the provision of credit reports and the requestor list, consumers will be in a better position to know whether or not information in their report is complete and accurate, and whether any abusive access has happened.

PCO proposal:

Credit provider is required to update credit data about an individual at the end of each reporting period not exceeding 31 days to ensure that individual is not prejudiced by information that may be out-dated (proposal 11).

Council comment:

Data accuracy

37.   The Council believes that it is in the interests of credit providers and the credit reference agency to update consumer credit data as quickly as possible. Inaccurate information may distort credit worthiness of a consumer and this would undermine the accuracy of their credit assessment and thereby in turn damage the effectiveness of the database. Therefore:

(a) Consumers should have the right to question the information in their credit report and have the questions investigated by both credit reference agency and credit providers/information source.
(b) If a consumer disputes an item to a credit provider, the credit provider should not then report the information to the credit reference agency without including a notice of the consumer's dispute. This is to minimise the impact of any incorrect data found in a consumer credit report which the credit provider has not yet updated.
(c) In addition, once the consumer has notified the source of the error, credit providers should not continue to report the information if it is, in fact, an error.
(d) The credit reference agency must give the consumer a written report of the investigation, and a free copy of an updated credit report if the investigation results in any change.
(e) Consumers should be allowed to add a brief statement about any information in their report if a dispute is not resolved. This would be a qualifying statement to explain the circumstances surrounding the negative information in the consumer credit report.
(f) To ensure that a consumer is not prejudiced by information that may be outdated or inaccurate, any credit provider, as the information source, and the credit reference agency, both have responsibilities to remove and correct inaccurate data. The consumer should not have to pay for access of such information.
(g) A credit reference agency and credit providers should explore ways to improve data updating time. Using a computerized system or even a fax, for receiving corrections from credit providers can shorten the time required to pass on accurate data to credit reference agency.
(h) Credit providers that furnish information to a credit reference agency should also be required to increase accuracy standards to minimize mistakes. Credit providers should follow the same kind of "reasonable procedures" to avoid errors that the credit reference agency utilizes.

PCO proposal:

38.   Notification to consumers -

• Upon application for a new credit facility, a credit provider should make provision to inform a borrower that, upon full repayment of his account, the borrower may elect to "opt-out" of the use of the account information by a credit reference agency (proposal 13).
• Credit provider should consider giving to the borrower, as soon as reasonably practicable upon the termination of the account by full repayment, a reminder regarding his choice to "opt-out" (proposal 14).
• Credit provider should seek from the borrower his written consent to access closed account data (proposal 15).
• Upon receipt of an "opt-out" relating to a closed account, and subject to verification of the individual's identity/authority and further that the said account contains no default data held on file (e.g. no default payments in excess of 90 days past due), the credit reference agency should cease using the account information and making it available to other credit providers (proposal 16).

Council comment:

39.   The proposal of giving consumer's choice on allowing or disallowing the continued use of the relevant payment data upon determination of a credit relationship, can work both to the advantage and disadvantage of consumers. The advantage of disallowing is that those consumers who have substantial privacy concerns can contain their credit information exposure to further use by other credit providers. But in doing so, the disadvantage will be an incomplete picture of their payment history. In particular, if the repayment records are of good status.

Certified copy of credit history

40.   One possible solution to the need by some consumers to contain the exposure of their credit information would be to give them the option of obtaining a free certified copy of their payment history during the period when credit was used and repaid, from the credit reference agency. This would provide those consumers having a substantial concern over their privacy, with a reliable reference to their credit payment history, should they wish to reactivate their participation in the market.

Informing consumers of the option

41.   In regard to allowing credit providers' flexibility in informing consumers of the opt out option (e.g. as soon as reasonably practicable instead of the 90 days originally proposed) the Council considers that a specified time frame should be in place to provide certainty to consumers. It is not appropriate to provide such notification only upon application for new credit facilities.

Obtaining consumer consent generally

42.   The Council is also concerned that the above notification applies only to opt-out arrangement in relation to termination of a credit relationship. In the consultation document, it appears that a credit provider is not required to obtain consent from an individual to disclose his credit information to a credit reference agency.

43.   Obtaining a customer's consent would provide individuals with a measure of data privacy protection as they would be able to decide whether or not to allow a financial institution to disclose or access their information. However, there are also views that when a credit applicant is faced with a decision as to whether permission should be given to a credit provider to seek data, the credit applicant is placed in an onerous position. In these circumstances, a person's wishes as to privacy would most likely be subordinated to the desire to obtain credit, and a need not to jeopardize the chance of obtaining the credit.

44.   Nevertheless, the Council considers that consumers should have a choice to opt out of the credit reporting system. If consumers choose to take part in the system, the Council considers it important to provide conditions relating to the right to limit access; and the right to have a free copy of the credit report. These are discussed below.

Right to limit access

45.   Consumer consent is required for credit reports that are provided to credit providers and third parties. A credit reference agency may not give out information about a consumer, without the consumer's written consent.

46.   A credit provider may disclose information only to a credit reference agency after obtaining consumer's permission.

47.   However, there will be an implementation problem such as whether this will be an application consent (i.e. a one-off consent) or a per-request consent. From a practical perspective, the latter approach is troublesome to all three parties concerned, and costly. However, by giving one-off consent to credit reference agency, and credit providers, consumers will lose control on data access.

48.   To resolve the above dilemma, the Council believes that improving consumers access to their credit report can act as a check and balance against abusive access. As suggested earlier, consumers should have the right to know what information has been reported about them and who has accessed their credit report, and the right to be able to review their credit report for accuracy without paying a fee for the privilege.

49.   At present, if consumers want to know what information is included in their credit report, they pay the Credit information Service Ltd. (CIS) an amount of $150 for access to their report. According to CIS, the company policy is to refund the money (after the deduction of $20 handling fee) to consumers if their reports contain inaccurate information recorded by them, but not in other scenarios.

50.   Consumers in Australia will generally not be charged for access to their credit files. For some states in the US, consumers can get free annual copies of credit reports. Under the US Fair Credit Reporting Act, consumers are entitled to a free consumer credit report [ 1 ] if they are either unemployed, recipient of public welfare assistance, believe their file contains inaccurate information due to fraud, or have been subject of adverse action such as denial of credit. In Canada and UK, consumers can request a copy of credit file at a minimal fee [ 2 ] . In comparison, Hong Kong's access fee is higher than that of other jurisdictions.

Right to have free copy of credit report

51.   Credit reference agency should provide consumers one free copy of their credit report every twelve months. This can be done either upon consumers' request and/or by an online access to read-only version of credit reports.

Issue 4: Privacy safeguards applicable to credit reference agencies

PCO proposal:

52.   Preventing abusive access -

• Credit reference agency should implement an access log record system of all instances of access to its credit database by credit providers and such log records should be kept for not less than 2 years for examination by its compliance auditor and/or the PCO (proposal 17).
• Credit reference agency should promptly report to the senior management of credit provider and to the PCO incidents about any suspected abnormal access by their staff to credit reference agency database. Credit provider should then undertake a prompt investigation of the incident (proposal 18).
• Credit reference agency is recommended to commission an independent compliance audit annually to verify whether data management practices are complied with the Code. Such an audit should be submitted by the compliance auditor to the PCO no later than 3 months from the date of commencement of the audit (proposal 19).

Council comment:

53.   The Council queries how the industry would define the term 'abusive access'. The Council understands that the credit reference agency (CIS) has held discussions with credit providers to come up with different criteria to control data quality.

54.   The Council is aware that one of the criteria is that: if access is made more than 5 times to a particular individual's credit report by the same department within the same institution in a calendar month, then this would be considered by the credit reference agency as 'suspected abnormal access'.

55.   Whether the criteria are appropriate or not should be subject to further consideration and discussion; with the Consumer Council's input. Apparently, more access to the database can benefit the credit reference agencies as they charge credit providers on a per access basis.

56.   As the Council proposed earlier, consumers should be provided with the means to monitor access to their credit report regularly. To enhance public confidence on the operation of the credit reference agency, some clear and transparent guidelines should be provided for information.

Auditing

57.   The Council welcomes the proposal of requiring a credit reference agency to commission an annual independent compliance audit. As pointed out in our previous submission to the PCO, the Council is pleased to note that the PCO has taken an active role in oversight and enforcement of non-compliance by making submissions of an audit report a routine measure instead of 'upon request', and requiring credit reference agency to keep log records for not less than two years for examination by the PCO.

Penalties for non-compliance

58.   The Council notes that at present, non-compliance of an enforcement notice served by PCO on a person in breach of privacy requirements, attracts a penalty in the range of $25,001 to $50,000 and imprisonment for two years. Given that there continue to be instances where non-compliance with legislated requirements apparently continue, the Council sees a need for vigilant enforcement and effective deterrence, given the wider scope of the credit data.

Compensation for damages

59.   Consumers may claim compensation for damage caused to them as a result of a contravention of the Privacy Ordinance through civil proceedings. With respect to enforcement of credit accuracy, the Council puts forward for consideration whether there is a need to introduce mandatory minimum statutory damages to consumers for non-compliance by a credit reference agency or information providers, rather than the current requirement that consumers prove actual damages in each complaint. Given the wider application data sharing, in order to provide speedy redress for consumers, a process similar to the spirit of the Small Claims Tribunal procedure could be introduced.

Issue 5: Other regulatory control measures

PCO proposal:

Credit reference agency should make its credit reference system available for inspection by the PCO (proposal 20).

Credit provider, in deciding on the engagement or renewal of any relationship with a credit reference agency, should treat as an important criterion the demonstration by the agency of its compliance with the Ordinance and the Code (proposal 21).

Council comment:

60.   The Council believes that the second proposal should also apply in a reverse direction. That is, a credit reference agency should not disclose any credit data about a consumer's credit data to credit providers unless the credit providers have implemented good data management practices. In particular, the two issues of access and disposal of consumer credit data.

61.   It is also important for a credit reference agency and credit providers to carry routine inspection checks on their own internal control systems.

Issue 6: Implementation safeguards

PCO proposal:

• There should be a 24-month transition period following the effective date for sharing of positive credit data. During that period, credit providers may report positive credit data of existing borrowers to the credit reference agency, but are prevented from accessing and using the data for the purposes for the purposes of assessing the renewal or review of existing credit facilities of borrowers until after the transition period has elapsed (proposal 22).
• The above restriction should not apply to new applications for credit made by a borrower to the credit provider during the said transition period (proposal 23).

Council comment:

62.   If the proposals to extend the range of data collected on consumers go ahead, the Council would agree with the transition period being at least 24 months, to gauge the extent to which the new system is functioning, and to forestall the problem of any sudden calling of loans which may have a significant impact on the economy.

IV.  CONCLUSION

63.   While credit reference agencies and credit providers have gone to great lengths to stress that they have the need to collect and compile comprehensive lists of credit information about consumers, the Council believes that there is also a need to ensure that those parties exercise their responsibilities with fairness, and a respect for the consumer rights. Policymakers also have obligations to provide suitable protection for consumers, as demonstrated by the issuing of the consultation paper. We urge that such principles be taken as guidance in the entire decision making process.