INTERNATIONAL CONFERENCE ON CREDIT BUREAU OPERATIONS Kyiv, UkraineSeptember 29, 2006

Credit Bureaus in the Region: legal and regulatory framework

What is the experience in the region with implementing credit bureau laws?

Table of ContentsTable of Contents

1.1. European ExperienceEuropean Experiencea.a. Major issuesMajor issues

2.2. Regional ExperienceRegional Experiencea.a. Kazakhstan, Russian, UkraineKazakhstan, Russian, Ukraine

3. The 95/75 Rule - Success3. The 95/75 Rule - Success

4. Recommendations4. Recommendations

EU-Directive 95/46EU-Directive 95/46

Parliaments throughout Europe, North American and elsewhere encourage information exchange as long as it does not violate a consumer’s basic right to privacy.

Information flows:

1. reduce adverse economic selection effects, oligopolistic tendencies and credit rationing.

2. remove barriers between EU states in order to establish a single internal European market.

Legal ChallengeLegal Challenge

Find the right balance between privacy and information exchange.

Key Question:

a) how much privacy legislation is required to protect the citizenry from unscrupulous users, which is the main function of regulation, and

b) what is the cost of privacy legislation to the economy and to its citizens.

International Privacy International Privacy GuidelinesGuidelines

Consumer RightsConsumer Rights

To obtain Credit Report within reasonable To obtain Credit Report within reasonable time, at reasonable cost, & in a reasonable time, at reasonable cost, & in a reasonable way.way.

To dispute data and have it correctedTo dispute data and have it corrected To know the purpose for data collectionTo know the purpose for data collection To limit amount of data collected – religion, To limit amount of data collected – religion,

ethnic background, etc.ethnic background, etc. To limit use and transferTo limit use and transfer To demand that data is accurateTo demand that data is accurate To demand reasonable accountability of data To demand reasonable accountability of data

processor, and apply remedies, when processor, and apply remedies, when requiredrequired

EU Dir. 95/46

Data Protection Acts do not detail specific security measures that a Data Controller or Data Processor must have in place. Rather, they place an obligation on persons to have appropriate measures in place to prevent "unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction."

Measures include:

Access ControlEncryptionAnti-Virus SoftwareFirewallsAutomatic screen saversLogs and Audit trails

Security Guidelines

The Human FactorRemote AccessWireless networksLaptopsBack-up systemsPhysical Security

Cost of Excessive Cost of Excessive RegulationRegulation

In other words,

There is a direct cost to the consumer and SMEs in terms of higher prices, higher interest rates and restricted access to credit when excessive privacy legislation (i.e., excessive regulation) interferes with the exchange of personal identification and credit history data.

Kazakhstan, Russia & Ukraine: a) No clear legal basis for data sharing

b) Despite the fact that all banks indicated that they would share data, banks in fact reluctant to share data

c) SME and consumer data fragmented;

d) Regulatory “overreach”, as appeared in early drafts of the law, threatened a private CB’s operational viability

e) Consumer rights not clearly protected in the law

f) Conflicting legislation

Legislative Context Before Law

a) Adopted in July 2004 – consistent with EU 95/46

b) 100% private in a free market competitive system;

c) Consumer consent required

d) Data sharing of positive and negative data permissible;

e) Single Regulatory Body;

f) Open system – all sectors of economy participate

g) Supervisory body will implement “MINIMUM REQUIREMENTS” for data regulation;

h) If consumer “Opts-in” then bank mandated to transfer data to CB

Kazakhstan Credit Bureau Law

Kazakhstan – Regulatory Kazakhstan – Regulatory FrameworkFramework

State Agency for IT Solutions regulates data State Agency for IT Solutions regulates data processing processprocessing process

Requirement for certification of equipment Requirement for certification of equipment – To secure protection of data To secure protection of data – Monitoring of data processing Monitoring of data processing – Compliance with the requirements of data Compliance with the requirements of data

processing regulationsprocessing regulations

Minimum regulatory requirements written into the law

Russian Credit Bureau Russian Credit Bureau Law Law

• Adopted in December 2004

• Law is workable but should be simplified & amended – consent required

• E.g., 50% limitation for single owner

• Tries to define what types of data can be collected, i.e, Credit Cards – revolving lines of credit not specifically included in the law

• Regulations are quite extensive but also work

• Should be simplified

Ukrainian Credit Bureau Ukrainian Credit Bureau Law Law

• Adopted on June 23, 2005

• Substantially consistent with UE and American legislation

• Played a decisive role in laying the foundation for CB operation in Ukraine.

• Enables both data sharing and protection of the rights of subjects of credit histories.

Ukrainian CB LawUkrainian CB Law• Needs to be refined to facilitate data Needs to be refined to facilitate data

collection for CB database (e.g. public collection for CB database (e.g. public registries)registries) Impracticality of certain provisionsImpracticality of certain provisions

• Needs to be amended to avoid excessive Needs to be amended to avoid excessive regulatory burden of CB operations regulatory burden of CB operations (inspections etc)(inspections etc) Don’t duplicate oversight Don’t duplicate oversight

• May need to be transformed into a May need to be transformed into a comprehensive CB lawcomprehensive CB law Single legislation more workable Single legislation more workable

Ukrainian RegulationsUkrainian Regulations

Licensing Licensing RegistrationRegistration InspectionInspection Others likelyOthers likely

Make sure that Regulations are robust but not excessively detailed.

Market’s participation with drafting

regulations is an excellent decision by

MinJus

Suggested Targets and SuccessSuggested Targets and Success

Put in place the essential elements so that a credit reference Put in place the essential elements so that a credit reference bureau has passed from being merely established to a more bureau has passed from being merely established to a more advanced, mature and self-sufficient stage. advanced, mature and self-sufficient stage. Regulatory framework key

Success may occur when the following is in place: Success may occur when the following is in place:

– At least 95% of the financial sector has included “customer At least 95% of the financial sector has included “customer consent” clauses on credit application forms; and consent” clauses on credit application forms; and

– 75% of historical credit data in Ukraine has been collected in 75% of historical credit data in Ukraine has been collected in a single location and public record information accessible to a single location and public record information accessible to a credit bureau; a credit bureau;

The 90/75 Rule

RecommendationsRecommendations Regulations must encourage data exchange, Regulations must encourage data exchange,

particularly since customer consent is necessaryparticularly since customer consent is necessary

Design a simple mechanism for tete-a-tete Design a simple mechanism for tete-a-tete resolution of disputes using proven resolution of disputes using proven methodologies from other countriesmethodologies from other countries

Allow commercial issues to be negotiated and Allow commercial issues to be negotiated and agreed upon between the data supplier and agreed upon between the data supplier and credit bureaucredit bureau

Find balance between data flows and data Find balance between data flows and data security at the regulatory level. security at the regulatory level.

Thank you for your attention

Questions

Javier M. Piedra

Senior Advisor

USAID/ACTI

Kiev, Ukraine

September 29, 2006