INTERNATIONAL CONFERENCE ON CREDIT BUREAU OPERATIONS

1
Credit Bureaus in the Region legal and
regulatory framework What is the experience in
the region with implementing credit bureau laws?
INTERNATIONAL CONFERENCE ON CREDIT BUREAU
OPERATIONS Kyiv, Ukraine September 29, 2006
2
Table of Contents

• European Experience
• Major issues
• Regional Experience
• a. Kazakhstan, Russian, Ukraine
• 3. The 95/75 Rule - Success
• 4. Recommendations

3
EU-Directive 95/46

• Parliaments throughout Europe, North American and
  elsewhere encourage information exchange as long
  as it does not violate a consumers basic right
  to privacy.
• Information flows
• reduce adverse economic selection effects,
  oligopolistic tendencies and credit rationing.
• remove barriers between EU states in order to
  establish a single internal European market.

4
Legal Challenge

• Find the right balance between privacy and
  information exchange.
• Key Question
• how much privacy legislation is required to
  protect the citizenry from unscrupulous users,
  which is the main function of regulation, and
• what is the cost of privacy legislation to the
  economy and to its citizens.

5
International Privacy Guidelines
EU Dir. 95/46

• Consumer Rights
• To obtain Credit Report within reasonable time,
  at reasonable cost, in a reasonable way.
• To dispute data and have it corrected
• To know the purpose for data collection
• To limit amount of data collected religion,
  ethnic background, etc.
• To limit use and transfer
• To demand that data is accurate
• To demand reasonable accountability of data
  processor, and apply remedies, when required

?
?
?
?
?
?
?
6
Security Guidelines
Data Protection Acts do not detail specific
security measures that a Data Controller or Data
Processor must have in place. Rather, they place
an obligation on persons to have appropriate
measures in place to prevent "unauthorised access
to, or alteration, disclosure or destruction of,
the data and against their accidental loss or
destruction." Measures include Access
Control Encryption Anti-Virus Software Firewalls
Automatic screen savers Logs and Audit trails
The Human Factor Remote Access Wireless
networks Laptops Back-up systems Physical
Security
7
Cost of Excessive Regulation
In other words, There is a direct cost to the
consumer and SMEs in terms of higher prices,
higher interest rates and restricted access to
credit when excessive privacy legislation (i.e.,
excessive regulation) interferes with the
exchange of personal identification and credit
history data.
8
Legislative Context Before Law

• Kazakhstan, Russia Ukraine
• No clear legal basis for data sharing
• Despite the fact that all banks indicated that
  they would share data, banks in fact reluctant to
  share data
• SME and consumer data fragmented
• Regulatory overreach, as appeared in early
  drafts of the law, threatened a private CBs
  operational viability
• Consumer rights not clearly protected in the law
• Conflicting legislation

9
Kazakhstan Credit Bureau Law

• Adopted in July 2004 consistent with EU 95/46
• 100 private in a free market competitive system
• Consumer consent required
• Data sharing of positive and negative data
  permissible
• Single Regulatory Body
• Open system all sectors of economy participate
• Supervisory body will implement MINIMUM
  REQUIREMENTS for data regulation
• If consumer Opts-in then bank mandated to
  transfer data to CB

10
Kazakhstan Regulatory Framework

• State Agency for IT Solutions regulates data
  processing process
• Requirement for certification of equipment
• To secure protection of data
• Monitoring of data processing
• Compliance with the requirements of data
  processing regulations

Minimum regulatory requirements written into the
law
11
Russian Credit Bureau Law

• Adopted in December 2004
• Law is workable but should be simplified
  amended consent required
• E.g., 50 limitation for single owner
• Tries to define what types of data can be
  collected, i.e, Credit Cards revolving lines of
  credit not specifically included in the law
• Regulations are quite extensive but also work
• Should be simplified

12
Ukrainian Credit Bureau Law

• Adopted on June 23, 2005
• Substantially consistent with UE and American
  legislation
• Played a decisive role in laying the foundation
  for CB operation in Ukraine.
• Enables both data sharing and protection of the
  rights of subjects of credit histories.

13
Ukrainian CB Law

• Needs to be refined to facilitate data collection
  for CB database (e.g. public registries)
• Impracticality of certain provisions
• Needs to be amended to avoid excessive regulatory
  burden of CB operations (inspections etc)
• Dont duplicate oversight
• May need to be transformed into a comprehensive
  CB law
• Single legislation more workable

14
Ukrainian Regulations

• Licensing
• Registration
• Inspection
• Others likely

Markets participation with drafting regulations
is an excellent decision by MinJus
Make sure that Regulations are robust but not
excessively detailed.
15
Suggested Targets and Success

• Put in place the essential elements so that a
  credit reference bureau has passed from being
  merely established to a more advanced, mature and
  self-sufficient stage. Regulatory framework key
• Success may occur when the following is in
  place
• At least 95 of the financial sector has included
  customer consent clauses on credit application
  forms and
• 75 of historical credit data in Ukraine has been
  collected in a single location and public record
  information accessible to a credit bureau

The 90/75 Rule
16
Recommendations

• Regulations must encourage data exchange,
  particularly since customer consent is necessary
• Design a simple mechanism for tete-a-tete
  resolution of disputes using proven methodologies
  from other countries
• Allow commercial issues to be negotiated and
  agreed upon between the data supplier and credit
  bureau
• Find balance between data flows and data security
  at the regulatory level.

17
Thank you for your attention Questions
Javier M. Piedra Senior Advisor USAID/ACTI Kiev,
Ukraine September 29, 2006