international conference on credit bureau operations kyiv, ukraine september 29, 2006 credit bureaus...
TRANSCRIPT
INTERNATIONAL CONFERENCE ON CREDIT BUREAU OPERATIONS Kyiv, UkraineSeptember 29, 2006
Credit Bureaus in the Region: legal and regulatory framework
What is the experience in the region with implementing credit bureau laws?
Table of ContentsTable of Contents
1.1. European ExperienceEuropean Experiencea.a. Major issuesMajor issues
2.2. Regional ExperienceRegional Experiencea.a. Kazakhstan, Russian, UkraineKazakhstan, Russian, Ukraine
3. The 95/75 Rule - Success3. The 95/75 Rule - Success
4. Recommendations4. Recommendations
EU-Directive 95/46EU-Directive 95/46
Parliaments throughout Europe, North American and elsewhere encourage information exchange as long as it does not violate a consumer’s basic right to privacy.
Information flows:
1. reduce adverse economic selection effects, oligopolistic tendencies and credit rationing.
2. remove barriers between EU states in order to establish a single internal European market.
Legal ChallengeLegal Challenge
Find the right balance between privacy and information exchange.
Key Question:
a) how much privacy legislation is required to protect the citizenry from unscrupulous users, which is the main function of regulation, and
b) what is the cost of privacy legislation to the economy and to its citizens.
International Privacy International Privacy GuidelinesGuidelines
Consumer RightsConsumer Rights
To obtain Credit Report within reasonable To obtain Credit Report within reasonable time, at reasonable cost, & in a reasonable time, at reasonable cost, & in a reasonable way.way.
To dispute data and have it correctedTo dispute data and have it corrected To know the purpose for data collectionTo know the purpose for data collection To limit amount of data collected – religion, To limit amount of data collected – religion,
ethnic background, etc.ethnic background, etc. To limit use and transferTo limit use and transfer To demand that data is accurateTo demand that data is accurate To demand reasonable accountability of data To demand reasonable accountability of data
processor, and apply remedies, when processor, and apply remedies, when requiredrequired
EU Dir. 95/46
Data Protection Acts do not detail specific security measures that a Data Controller or Data Processor must have in place. Rather, they place an obligation on persons to have appropriate measures in place to prevent "unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction."
Measures include:
Access ControlEncryptionAnti-Virus SoftwareFirewallsAutomatic screen saversLogs and Audit trails
Security Guidelines
The Human FactorRemote AccessWireless networksLaptopsBack-up systemsPhysical Security
Cost of Excessive Cost of Excessive RegulationRegulation
In other words,
There is a direct cost to the consumer and SMEs in terms of higher prices, higher interest rates and restricted access to credit when excessive privacy legislation (i.e., excessive regulation) interferes with the exchange of personal identification and credit history data.
Kazakhstan, Russia & Ukraine: a) No clear legal basis for data sharing
b) Despite the fact that all banks indicated that they would share data, banks in fact reluctant to share data
c) SME and consumer data fragmented;
d) Regulatory “overreach”, as appeared in early drafts of the law, threatened a private CB’s operational viability
e) Consumer rights not clearly protected in the law
f) Conflicting legislation
Legislative Context Before Law
a) Adopted in July 2004 – consistent with EU 95/46
b) 100% private in a free market competitive system;
c) Consumer consent required
d) Data sharing of positive and negative data permissible;
e) Single Regulatory Body;
f) Open system – all sectors of economy participate
g) Supervisory body will implement “MINIMUM REQUIREMENTS” for data regulation;
h) If consumer “Opts-in” then bank mandated to transfer data to CB
Kazakhstan Credit Bureau Law
Kazakhstan – Regulatory Kazakhstan – Regulatory FrameworkFramework
State Agency for IT Solutions regulates data State Agency for IT Solutions regulates data processing processprocessing process
Requirement for certification of equipment Requirement for certification of equipment – To secure protection of data To secure protection of data – Monitoring of data processing Monitoring of data processing – Compliance with the requirements of data Compliance with the requirements of data
processing regulationsprocessing regulations
Minimum regulatory requirements written into the law
Russian Credit Bureau Russian Credit Bureau Law Law
• Adopted in December 2004
• Law is workable but should be simplified & amended – consent required
• E.g., 50% limitation for single owner
• Tries to define what types of data can be collected, i.e, Credit Cards – revolving lines of credit not specifically included in the law
• Regulations are quite extensive but also work
• Should be simplified
Ukrainian Credit Bureau Ukrainian Credit Bureau Law Law
• Adopted on June 23, 2005
• Substantially consistent with UE and American legislation
• Played a decisive role in laying the foundation for CB operation in Ukraine.
• Enables both data sharing and protection of the rights of subjects of credit histories.
Ukrainian CB LawUkrainian CB Law• Needs to be refined to facilitate data Needs to be refined to facilitate data
collection for CB database (e.g. public collection for CB database (e.g. public registries)registries) Impracticality of certain provisionsImpracticality of certain provisions
• Needs to be amended to avoid excessive Needs to be amended to avoid excessive regulatory burden of CB operations regulatory burden of CB operations (inspections etc)(inspections etc) Don’t duplicate oversight Don’t duplicate oversight
• May need to be transformed into a May need to be transformed into a comprehensive CB lawcomprehensive CB law Single legislation more workable Single legislation more workable
Ukrainian RegulationsUkrainian Regulations
Licensing Licensing RegistrationRegistration InspectionInspection Others likelyOthers likely
Make sure that Regulations are robust but not excessively detailed.
Market’s participation with drafting
regulations is an excellent decision by
MinJus
Suggested Targets and SuccessSuggested Targets and Success
Put in place the essential elements so that a credit reference Put in place the essential elements so that a credit reference bureau has passed from being merely established to a more bureau has passed from being merely established to a more advanced, mature and self-sufficient stage. advanced, mature and self-sufficient stage. Regulatory framework key
Success may occur when the following is in place: Success may occur when the following is in place:
– At least 95% of the financial sector has included “customer At least 95% of the financial sector has included “customer consent” clauses on credit application forms; and consent” clauses on credit application forms; and
– 75% of historical credit data in Ukraine has been collected in 75% of historical credit data in Ukraine has been collected in a single location and public record information accessible to a single location and public record information accessible to a credit bureau; a credit bureau;
The 90/75 Rule
RecommendationsRecommendations Regulations must encourage data exchange, Regulations must encourage data exchange,
particularly since customer consent is necessaryparticularly since customer consent is necessary
Design a simple mechanism for tete-a-tete Design a simple mechanism for tete-a-tete resolution of disputes using proven resolution of disputes using proven methodologies from other countriesmethodologies from other countries
Allow commercial issues to be negotiated and Allow commercial issues to be negotiated and agreed upon between the data supplier and agreed upon between the data supplier and credit bureaucredit bureau
Find balance between data flows and data Find balance between data flows and data security at the regulatory level. security at the regulatory level.
Thank you for your attention
Questions
Javier M. Piedra
Senior Advisor
USAID/ACTI
Kiev, Ukraine
September 29, 2006