European Data Protection Board

New Rules for Credit Reporting Systems in the Digital Economy

Tuesday, 22 October, 2019

The main novelties for consumer credit, loans and new types of financing

Greater safeguards for consumers registered in credit databases, transparency on the functioning of algorithms that analyse financial risk, openness to new technologies and fintech services.

These are some of the innovations laid down in the new ‘Code of conduct for credit reporting systems operated by private entities regarding consumer credit, creditworthiness and punctuality in payments’, proposed by the trade associations and approved by the Italian Garante after a complex review of the old Code of Ethics, which has been rendered obsolete by the changes introduced by the European and national legislation on privacy.

The new rules for credit risk analysis — in order to adapt to the challenges posed by the digital economy — do not only concern data on loans and mortgages, but also those relating to different forms of leasing, long-term rental and the most innovative forms of loan between private entities (‘peer-to-peer lending’) managed through fintech platforms.

In order to facilitate the proper functioning of the financial and credit market, the records may be processed without the data subjects’ consent, on the basis of the so-called legitimate interest of the companies participating in the credit reporting systems, while guaranteeing the wider rights set out in the European Data Protection Regulation. Only necessary, relevant data not exceeding the credit risk assessment purposes may be processed, and complete and timely information must be provided to the data subjects. For example, if you apply for a mortgage and your application is rejected, you will be able to know whether the decision was also taken on the basis of the risk score assigned to you by an algorithm and, if so, to request to know the underlying logic.

In addition, the statistical analysis models and the algorithms used must be reviewed and updated at least every two years. Particular attention has been given to the security measures taken to protect the data from unlawful access and to ensure the reliability of the systems. New forms of contact, such as those enabled by instant messaging systems used on smartphones, have also been identified in order to simplify the arrangements for informing data subjects before they are registered in a credit reporting system (prior notice).

Some of the main novelties are listed below:
- Rights: enhanced rights to protect the privacy of data subjects.
- Disclosure: more complete information about the data processed by the participating companies.
- Monitoring body: an independent body must be established to oversee the work of credit reporting systems.
- New forms of contact: subject to agreement with the data subjects, ‘alert notices’ may also be sent by means of instant messaging systems that ensure traceability of delivery.
- New credit categories: the scope of registered data has been extended to include various forms of leasing, hire and lending between private parties (peer-to-peer lending).
- Longer positive data series: positive historical data on clients may be stored for 60 months to protect credit and to meet the demand coming from supervisory bodies.
- Transparency in decisions: in the event of a denial of credit based on automated analysis, the data subject may request to know the logic underlying the operation of the algorithms.
- Pseudonymised data for the training of algorithms: algorithms may be ‘trained’ with pseudonymised data, i.e. data that can no longer be related to a specific individual.
- Security: additional measures are envisaged to protect data security and guard against unlawful access.

In the approval decision, the Italian Garante nevertheless required credit reporting systems to make some changes to the functioning of the monitoring body established by the Code in order to strengthen its independence and autonomy from sector-related companies.

The members of the new Code of Conduct have committed themselves to comply forthwith with its rules and principles, even though the text will become fully effective only upon completion of the accreditation procedure for the monitoring body, which requires the favourable opinion of the European Data Protection Board (EDPB).

For more information, please contact the Italian supervisory authority: garante@garanteprivacy.it