A credit rating agency scours data on mobile devices , invites interest through online ads on an e-learning sites , even employs a lead generation agency that helps get leads via online ads and offline events in universities where questionnaires are filled out by individuals.
The lead generation agency then buckets the information as ‘Students’ , ‘Foreign Students’ , ‘Professionals Continuing Education’ etc and sends it to the credit rating agency. This agency employs AI based data derivation techniques using a complex technology stack involving big data , machine learning ,supplements it with further financial information via the open banking platforms . It creates a far more refined profile of a certain individual that banks can now access or alt-lenders can now take automated decisions based on this profiles. A student is profiled as ‘Foreign Student of Immigrant Parents with history of social media negativity’ .
The alt-lender now considers this profile for a loan but with a reduced limit.Upon consent to process data , it can make the realtime assessment and calculate a credit score. Basis this score , this profile may be subject to a limit of say 2k over the standard 4k that he originally saw in the online advertisement.
The student questions why only 2k. The lender must then justify the rationale. The student then decides, it’s an unfair limit and refuses to avail the loan but also invokes GDPR data subject rights of exclusion from the process henceforth .
Above , is a hypothetical situation used to understand GDPR in the Lending Landscape.
For now , excluding the IT Landscape – There is a more complex connotation to processor other than credit reference agency when we look at the IT landscape and the vendors involved who provide data storage , processing and integration middleware. For the sake of this discussion , we will not talk of the cloud provider , the loan origination software provider , the system integrator and the likes. Will look at the IT landscape another day when the coffee is stronger !
In the above story, there are the following participants:
- The Data Subject (Student)
- The Data Broker (Collection Agency)
- The Data Processor (Credit Reference Agency – processes on behalf of controller)
- The Data Controller (Bank – determines purpose of the score/profile)
In the above story , Situations that invoke GDPR rights and leakages –
- Collection with consent
- Consent with Transparency
- Explanation of Purpose and Other Disclosure
- Data derivation with or without the knowledge of the data subject
- Profiling with the outcome of either predicting accurately the person’s nature , background and economic situation or alternatively creating a stereotype leading to discrimination
- Automated Decisioning
- Information being sought by customer related to the exact nature of decision and reasons of reaching a particular conclusion
- Consumer decision to access , withdraw or be exluded from the process
And , GDPR Articles that get specifically evoked :
- Articles 5(1)(A) : processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- Articles 5(1)(B) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Article 15(1) (h) – Right of access
- Articles 13(2) (f) and 14(2) (g) – Right to be informed
- Article 22(1) – Right not to be subject to a decision based solely on automated decision-making
- Article 16 – Right to Rectification
- Article 21(1) and (2) – Right to object
A few CX inclusions that an Alt-Lender / Bank would want to include
- A Privacy Dashboard
- Online Preference Management
- 2 Minute Video Explainer of how Automated Profiling Works
- The Data Privacy Rights Scroll
- Emails to remind of the rights
- ‘I Understand My RIghts’ tests for regular users
- Virtual Assistants – chatbots trained to prompt and guide the user through the process educating them of their rights and privileges all along
The basis of the above is detailed in the best practices below and goes on to explain who should implement it to GDPR-proof against which specific article
Articles 5(1)(A) : processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- While taking data from the online website or mobile device, complete information on ownership, purpose needs to be disclosed and consent sought.
- Agencies who act as data brokers are mandated to tell consumers the exact nature of personal data being collected prior to seeking consent.
- The processing of this data needs to be explained including the logic involved behind collection of the said personal data and significance consequence of the processing/profiling/scoring activity on the personal data collected. Also Recital 58 states that transparency as to who is collecting the data needs to be ensured and what purpose , making it critical for credit reference agency or outsourced data collection vendors to adhere to this
Articles 5(1)(B) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Data brokers need to disclose the details of all organizations the borrower’s data is shared with.
- Layered notices where borrowers are informed by step by step processing of data and data ownership – repeated at the collection and decision making steps by either the credit agency and the lending institution
- Inform that the borrower that they may withdraw consent at any point
Article 15(1) (h) – Right of access
Articles 13(2) (f) and 14(2) (g) – Right to be informed
- A good practice for credit agencies or alt lending companies collecting data would be to create an online profile that can be accessed by the borrower with adequate information on source , derivation and purpose of profiling.
- In case of derived data , a simplified explanation of visualization or example of how generally data is derived and the logic behind it
- Step by step illustration of information use and interactive techniques including story-telling to aid algorithmic transparency
- The bank also owes an explanation for its decision to the consumer including , the rationale for decision , the particular information used , the source of the information , the supplementary information (derived information) used to make a decision including previous profile records including payment arrears etc , official records of insolvency or fraud etc
- The bank will also need to advise the data subject that the credit scoring methods used are regularly tested to ensure they remain fair, effective and unbiased.
- The bank/fintech provides contact details for the data subject to request that any declined decision is reconsidered, in line with the provisions of Article 22(3).
- Explanation of the decision should be simplified and not attempt to explain the complex AI algorithms used for decision making.
- The significance of the profile and its role in decision making
Article 22(1) – Right not to be subject to a decision based solely on automated decision-making
Article 16 – Right to Rectification
- Ideally, all information that a credit reference agency collects should be available on a privacy dashboard with online preference management and provision to rectify.
Article 21(1) and (2) – Right to object
- The right to object and withdraw consent has to be visible on the website or app at all times and not hidden away under terms and conditions or elsewhere.
It is going to be very interesting to see how UX is not compromised with the inclusion of a lot of GDPR essentials . Also how does the AI based alt-lender retain the edge they had in terms of how fast and accurate their AI based profiling and scoring techniques are. Quoting Lenddo’s example and its claim to ‘analyse 12000 variables in less than 3 minutes’ to make an informed decision may well be impacted . The game is on. Let’s wait and watch !