170 likes | 309 Views
Credit Bureaus in the Region: legal and regulatory framework What is the experience in the region with implementing credit bureau laws?. INTERNATIONAL CONFERENCE ON CREDIT BUREAU OPERATIONS Kyiv, Ukraine September 29, 2006. Table of Contents. European Experience Major issues
E N D
Credit Bureaus in the Region: legal and regulatory framework What is the experience in the region with implementing credit bureau laws? INTERNATIONAL CONFERENCE ON CREDIT BUREAU OPERATIONS Kyiv, Ukraine September 29, 2006
Table of Contents • European Experience • Major issues • Regional Experience a.Kazakhstan, Russian, Ukraine 3. The 95/75 Rule - Success 4. Recommendations
EU-Directive 95/46 • Parliaments throughout Europe, North American and elsewhere encourage information exchange as long as it does not violate a consumer’s basic right to privacy. • Information flows: • reduce adverse economic selection effects, oligopolistic tendencies and credit rationing. • remove barriers between EU states in order to establish a single internal European market.
Legal Challenge • Find the right balance between privacy and information exchange. • Key Question: • how much privacy legislation is required to protect the citizenry from unscrupulous users, which is the main function of regulation, and • what is the cost of privacy legislation to the economy and to its citizens.
International Privacy Guidelines EU Dir. 95/46 Consumer Rights • To obtain Credit Report within reasonable time, at reasonable cost, & in a reasonable way. • To dispute data and have it corrected • To know the purpose for data collection • To limit amount of data collected – religion, ethnic background, etc. • To limit use and transfer • To demand that data is accurate • To demand reasonable accountability of data processor, and apply remedies, when required
Security Guidelines • Data Protection Actsdo not detail specific security measures that a Data Controller or Data Processor must have in place. Rather, they place an obligation on persons to have appropriate measures in place to prevent "unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction." • Measures include: • Access Control • Encryption • Anti-Virus Software • Firewalls • Automatic screen savers • Logs and Audit trails • The Human Factor • Remote Access • Wireless networks • Laptops • Back-up systems • Physical Security
Cost of Excessive Regulation In other words, There is a direct cost to the consumer and SMEs in terms of higher prices, higher interest rates and restricted access to credit when excessive privacy legislation (i.e., excessive regulation) interferes with the exchange of personal identification and credit history data.
Legislative Context Before Law • Kazakhstan, Russia & Ukraine: • No clear legal basis for data sharing • Despite the fact that all banks indicated that they would share data, banks in fact reluctant to share data • SME and consumer data fragmented; • Regulatory “overreach”, as appeared in early drafts of the law, threatened a private CB’s operational viability • Consumer rights not clearly protected in the law • Conflicting legislation
Kazakhstan Credit Bureau Law • Adopted in July 2004 – consistent with EU 95/46 • 100% private in a free market competitive system; • Consumer consent required • Data sharing of positive and negative data permissible; • Single Regulatory Body; • Open system – all sectors of economy participate • Supervisory body will implement “MINIMUM REQUIREMENTS” for data regulation; • If consumer “Opts-in” then bank mandated to transfer data to CB
Kazakhstan – Regulatory Framework State Agency for IT Solutions regulates data processing process Requirement for certification of equipment • To secure protection of data • Monitoring of data processing • Compliance with the requirements of data processing regulations Minimum regulatory requirements written into the law
Russian Credit Bureau Law • Adopted in December 2004 • Law is workable but should be simplified & amended – consent required • E.g., 50% limitation for single owner • Tries to define what types of data can be collected, i.e, Credit Cards – revolving lines of credit not specifically included in the law • Regulations are quite extensive but also work • Should be simplified
Ukrainian Credit Bureau Law • Adopted on June 23, 2005 • Substantially consistent with UE and American legislation • Played a decisive role in laying the foundation for CB operation in Ukraine. • Enables both data sharing and protection of the rights of subjects of credit histories.
Ukrainian CB Law • Needs to be refined to facilitate data collection for CB database (e.g. public registries) • Impracticality of certain provisions • Needs to be amended to avoid excessive regulatory burden of CB operations (inspections etc) • Don’t duplicate oversight • May need to be transformed into a comprehensive CB law • Single legislation more workable
Ukrainian Regulations • Licensing • Registration • Inspection • Others likely Market’s participation with drafting regulations is an excellent decision by MinJus Make sure that Regulations are robust but not excessively detailed.
Suggested Targets and Success Put in place the essential elements so that a credit reference bureau has passed from being merely established to a more advanced, mature and self-sufficient stage. Regulatory framework key Success may occur when the following is in place: • At least 95% of the financial sector has included “customer consent” clauses on credit application forms; and • 75% of historical credit data in Ukraine has been collected in a single location and public record information accessible to a credit bureau; The 90/75 Rule
Recommendations • Regulations must encourage data exchange, particularly since customer consent is necessary • Design a simple mechanism for tete-a-tete resolution of disputes using proven methodologies from other countries • Allow commercial issues to be negotiated and agreed upon between the data supplier and credit bureau • Find balance between data flows and data security at the regulatory level.
Thank you for your attention Questions Javier M. Piedra Senior Advisor USAID/ACTI Kiev, Ukraine September 29, 2006