The Finance & Leasing Association (FLA) is the leading trade association for the asset, consumer and motor finance sectors in the UK. Our members include banks and non-bank lenders of many types, including the finance subsidiaries of leading retailers and manufacturing companies, and a range of specialist lenders.
FLA members provided €150 billion of credit to UK businesses and households in 2015. Of this, €110 billion was in the form of consumer credit, representing almost one-third of UK consumer lending. €40 billion went to finance business equipment investment in the private and public sectors, amounting to 32% of all UK investment in business equipment. €50 billion of motor finance was provided to business and consumers to support three-quarters of all UK purchases of new cars in 2015.
Although many FLA members fall outside the remit of the European Banking Authority (EBA), and consumer credit is not directly within the scope of the EBA’s paper on the use of consumer data, we believe that it is important that the EBA should understand the rationale for data-processing in the credit industry, particularly as the EBA’s views may influence other regulatory bodies.
The FLA is a trade body which represents lenders of all types, including many which offer their services in a variety of ways involving new technology. These are constantly evolving, and the approach to innovation of individual companies varies significantly according to their size, markets, and customer base. Our response to the EBA’s questions reflects the use of consumer data across a broad range of different sorts of lender.
We are in particular concerned about the timing of the EBA’s investigation. The Discussion Paper (DP) makes little reference to the recently-enacted EU General Data Protection Regulation (GDPR), which covers much of the same ground and has set a new legislative framework in this area. For example, the GDPR places increased emphasis on the need to ensure that customers know exactly how their data will be used and consent to this – which is covered in detail in the DP. The GDPR is due to be reviewed in 2020 and the EBA’s investigation would have been better timed to coincide with that. The two-year process of implementing the GDPR has only just begun and it is very important that the EBA’s work does not disrupt it, even inadvertently.
Lenders are required by relevant EU and national regulation to collect information from potential customers so as (a) to assess their propensity and ability to repay any loan, and (b) to avoid fraud. The level and type of data employed varies considerably according to the market concerned, the product types, and the typical customer profile. The data may include a consumer’s age and employment details, whether they own a home, and any other current credit obligations (e.g. with telecommunications companies, utility providers and landlords).
Lenders’ risk appetites will vary, but they will usually want to gather enough data to consider both the risks of default and a customer’s track record of successful and timely repayment. Because a customer’s personal circumstances may change over the course of a credit agreement, lenders adopt a targeted approach to the analysis of collections data to allow them to understand why any particular customer may have fallen into arrears. This may, for example, simply reflect a late salary payment and lenders will wish to avoid troubling customers who are not, in fact, experiencing real difficulties.
As indicated above, lenders also collect data to reduce fraud. For example, they will check that the details provided on a credit application form matches other information available from the credit reference agencies (CRAs) and the national anti-fraud service CIFAS (see response to Q4, below). Other relevant types of data may include mortality data (so as to minimise fraud involving the details of deceased persons) and information on people who may have left an old address without notifying the lender of a new one, or where a customer has set up a postal re-direction.
UK lenders will primarily base their credit decisions on credit-scoring. They use information provided by the applicant, documentary evidence (e.g. of income), and data held by the three major credit reference agencies (CRAs) which will include data on how the customer has managed existing credit and other financial commitments. They hold publicly-available information, including names and addresses from the official Electoral Register, dates of birth, and official notifications of adverse financial records (for example County Court judgments, Individual Voluntary Arrangements and bankruptcies).
All such data is (by law) used with the borrower’s express prior consent, and shared with other lenders on a reciprocal basis under strict rules, ensuring that it can be used only for the purposes of responsible lending and fraud prevention.
Lenders may also share information on an individual borrower with CIFAS (the UK’s Fraud Prevention Service) if the individual has undertaken a proven fraud. This is important so that other lenders can identify potential fraudulent applications.
As indicated above, lenders process data to assess a borrowers’ ability to repay the loan (i.e. a creditworthiness assessment, as required under the Consumer Credit Directive), to mimimise fraud (see responses to questions above) and to comply with other legislation such as the anti-money laundering rules.
If the consumer gives their consent, their data may also be used for marketing purposes. In these circumstances, lenders are required to act responsibly and carefully about sending customers of services and products. Customers are also able to ‘unsubscribe’ from receiving these offers via email.
In future, the CRAs may hold a wider range of payment data to help lenders build up a more extensive picture of a borrower’s likely ability to repay. A recent example is the collection by the CRAs of data relating to rental payments on domestic property, so that tenants with an otherwise ‘thin’ credit file can demonstrate their ability to make regular payments.
The Second Payments Services Directive (PSD II) will encourage more data to be accessed particularly by new market entrants such as global technology providers.
It may be easier for larger firms to take advantage of innovation given that they will have greater dedicated in-house resources. In contrast smaller firms may need to outsource such activity.
Regulatory change within individual Member States may also have an impact on the data collated. For example, in the UK the Financial Conduct Authority is keen to see more assistance provided to customers in ‘persistent’ credit card debt – where they consistently failing to repay the outstanding balance. This may require lenders to collate and monitor additional data for customers in these circumstances.
We largely agree with the benefits set out in the Paper, especially with regard to lenders using data to (i) price for risk (resulting in lower repayments for some cohorts of customers), (ii) achieve more robust affordability assessments and (iii) ensure that products are targeted more efficiently to those who will benefit from them most.
However, we disagree with the assertion in paragraph 46 that social media data may be used to assess creditworthiness. This is not the experience of FLA members. In any case, such information is unlikely to be complete or reliable. A Facebook entry may indicate that someone has recently been on holiday but not how they have paid for it. Such data only offers a snapshot of an individual at a particular point in time and it would require regular monitoring to deliver any insight into trends in how a customer leads their life. This is simply not feasible or productive from a lender’s perspective. Referring to CRA data on a customer’s past repayment history is much more reliable and predictive.
We are not aware of any barriers at this stage. The current process works well, with customers being advised how their data will be used and providing their consent to this. However, with an increasing number of consumers taking out credit via tablet and mobile, there are challenges in providing Terms and Conditions in a format which works well for consumers. Lenders are working hard to address this, especially in advance of the introduction of the GDPR in 2018 - which will require more detailed disclosure provisions being included.
Paragraph 62 of the paper states that consumers “may not always be properly informed of the usage of their personal data.” But the 1995 Data Protection Directive (and its recent revision) already requires consumers to be informed about the purposes to which their data will be put. The new GDPR also provides the consumer with a right to “port” their data, thus taking control of it. The industry has introduced more detailed disclosure notices in recent years and the UK Information Commissioner has recently consulted on how Privacy Notices can be made clearer and the information repeated at different stages of the life cycle of a credit agreement.
The information complexity referred to in paragraph 63 is in fact prescribed by various existing pieces of legislation. Any further prescription in this area will exacerbate the problem of information overload described above.
Cross-border information asymmetry, cited in paragraph 64, is not a serious risk. There is no cross-border market for credit within the EU, because of the wide differences in the availability of relevant behavioural data in different Member States, an issue unlikely to be resolved in the foreseeable future, given the differences in systems and culture. Just as importantly, there is no discernible consumer demand for cross-border credit (with the exception of a few well-known border areas).
Paragraph 66 speaks of a detriment, but it does not follow that because some data was processed in a manner of which the consumer might not have been aware, that they suffered detriment. Detriment implies that the customer has suffered some material disadvantage.
Paragraph 69 argues that firms may “collect more data than is legally required and then reuse it for other purposes”. In fact, and as indicated above, data processing of this kind is covered by stringent existing legislative requirements – including the GDPR, which requires that data shall only be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes…. and should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” As described above, lenders collect data, for example to minimise their exposure to fraud and fulfil anti-money laundering requirements, but this is set out in the Fair Processing Notice which, again by law, must be signed by borrowers before taking out a loan.
Paragraph 70 of the paper suggests that consumer data is sold by financial institutions. In the UK at least this this forbidden by law. The UK Information Commissioner’s Office (ICO) guidance for lenders clearly states that “you can only carry out unsolicited electronic marketing if the person you're targeting has given you their permission.”
Paragraph 72b refers to lenders turning down credit applications on the basis of social network data. However, as indicated in response to Question 6 above, FLA members do use such data for creditworthiness assessments.