INTERNATIONAL CONFERENCE ON CREDIT BUREAU OPERATIONS Kyiv, Ukraine September 29, 2006 Credit Bureaus in the Region: legal and regulatory framework What is the experience in the region with implementing credit bureau laws?
Table of Contents 1. European Experience a. Major issues 2. Regional Experience a. Kazakhstan, Russian, Ukraine 3. The 95/75 Rule - Success 4. Recommendations
EU-Directive 95/46 Parliaments throughout Europe, North American and elsewhere encourage information exchange as long as it does not violate a consumer’s basic right to privacy. Information flows: 1.reduce adverse economic selection effects, oligopolistic tendencies and credit rationing. 2.remove barriers between EU states in order to establish a single internal European market.
Legal Challenge Find the right balance between privacy and information exchange. Key Question: a) how much privacy legislation is required to protect the citizenry from unscrupulous users, which is the main function of regulation, and b) what is the cost of privacy legislation to the economy and to its citizens.
International Privacy Guidelines Consumer Rights To obtain Credit Report within reasonable time, at reasonable cost, & in a reasonable way. To obtain Credit Report within reasonable time, at reasonable cost, & in a reasonable way. To dispute data and have it corrected To dispute data and have it corrected To know the purpose for data collection To know the purpose for data collection To limit amount of data collected – religion, ethnic background, etc. To limit amount of data collected – religion, ethnic background, etc. To limit use and transfer To limit use and transfer To demand that data is accurate To demand that data is accurate To demand reasonable accountability of data processor, and apply remedies, when required To demand reasonable accountability of data processor, and apply remedies, when required EU Dir. 95/46
Data Protection Acts do not detail specific security measures that a Data Controller or Data Processor must have in place. Rather, they place an obligation on persons to have appropriate measures in place to prevent "unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction." Measures include: Access Control Encryption Anti-Virus Software Firewalls Automatic screen savers Logs and Audit trails Security Guidelines The Human Factor Remote Access Wireless networks Laptops Back-up systems Physical Security
Cost of Excessive Regulation In other words, There is a direct cost to the consumer and SMEs in terms of higher prices, higher interest rates and restricted access to credit when excessive privacy legislation (i.e., excessive regulation) interferes with the exchange of personal identification and credit history data.
Kazakhstan, Russia & Ukraine: a)No clear legal basis for data sharing b)Despite the fact that all banks indicated that they would share data, banks in fact reluctant to share data c)SME and consumer data fragmented; d)Regulatory “overreach”, as appeared in early drafts of the law, threatened a private CB’s operational viability e)Consumer rights not clearly protected in the law f)Conflicting legislation Legislative Context Before Law
a)Adopted in July 2004 – consistent with EU 95/46 b)100% private in a free market competitive system; c)Consumer consent required d)Data sharing of positive and negative data permissible; e)Single Regulatory Body; f)Open system – all sectors of economy participate g)Supervisory body will implement “MINIMUM REQUIREMENTS” for data regulation; h)If consumer “Opts-in” then bank mandated to transfer data to CB Kazakhstan Credit Bureau Law
Kazakhstan – Regulatory Framework State Agency for IT Solutions regulates data processing process Requirement for certification of equipment –To secure protection of data –Monitoring of data processing –Compliance with the requirements of data processing regulations Minimum regulatory requirements written into the law
Russian Credit Bureau Law Adopted in December 2004 Law is workable but should be simplified & amended – consent required E.g., 50% limitation for single owner Tries to define what types of data can be collected, i.e, Credit Cards – revolving lines of credit not specifically included in the law Regulations are quite extensive but also work Should be simplified
Ukrainian Credit Bureau Law Adopted on June 23, 2005 Substantially consistent with UE and American legislation Played a decisive role in laying the foundation for CB operation in Ukraine. Enables both data sharing and protection of the rights of subjects of credit histories.
Ukrainian CB Law Needs to be refined to facilitate data collection for CB database (e.g. public registries)Needs to be refined to facilitate data collection for CB database (e.g. public registries) Impracticality of certain provisions Impracticality of certain provisions Needs to be amended to avoid excessive regulatory burden of CB operations (inspections etc)Needs to be amended to avoid excessive regulatory burden of CB operations (inspections etc) Don’t duplicate oversight Don’t duplicate oversight May need to be transformed into a comprehensive CB lawMay need to be transformed into a comprehensive CB law Single legislation more workable Single legislation more workable
Ukrainian Regulations Licensing Licensing Registration Registration Inspection Inspection Others likely Others likely Make sure that Regulations are robust but not excessively detailed. Market’s participation with drafting regulations is an excellent decision by MinJus
Suggested Targets and Success Put in place the essential elements so that a credit reference bureau has passed from being merely established to a more advanced, mature and self-sufficient stage. Put in place the essential elements so that a credit reference bureau has passed from being merely established to a more advanced, mature and self-sufficient stage. Regulatory framework key Success may occur when the following is in place: –At least 95% of the financial sector has included “customer consent” clauses on credit application forms; and –75% of historical credit data in Ukraine has been collected in a single location and public record information accessible to a credit bureau; The 90/75 Rule
Recommendations Regulations must encourage data exchange, particularly since customer consent is necessary Regulations must encourage data exchange, particularly since customer consent is necessary Design a simple mechanism for tete-a-tete resolution of disputes using proven methodologies from other countries Design a simple mechanism for tete-a-tete resolution of disputes using proven methodologies from other countries Allow commercial issues to be negotiated and agreed upon between the data supplier and credit bureau Allow commercial issues to be negotiated and agreed upon between the data supplier and credit bureau Find balance between data flows and data security at the regulatory level. Find balance between data flows and data security at the regulatory level.
Thank you for your attention Questions Javier M. Piedra Senior Advisor USAID/ACTI Kiev, Ukraine September 29, 2006