Algorithmic Consumer Creditworthiness Assessment in the European Union and the United States
Asress Adimi Gikay - Brunel Law School
Over the years, creditworthiness assessment has evolved from interview-based evaluation and decisions made by loan officers to automated decision-making (ADM) with minimal or no human intervention. ADM in financial services presents opportunities and potential risks, including biases and unfairness against individuals and groups. The European Union’s General Data Protection Regulation (GDPR) contains provisions regulating ADM, including in the consumer credit industry, while the United States lacks a specific law in the field, leading some to propose the GDPR as a model for the regulation of algorithmic consumer credit risk assessment in the US. In my forthcoming article, ‘The American Way—Until Machine Learning Beats the Law’, I argue that consumers in both jurisdictions are protected similarly despite the lack of a special law in the US.
On many levels, the GDPR provisions governing ADM lack the desired efficacy in terms of both consumer protection and encouraging data innovation. The GDPR prohibits the sole use of ADM with legal effect or similarly significant effect on the consumer but creates three exceptions to the prohibition. First, the data controller can make a fully automated decision with the consumer’s consent, subject to implementing suitable measures to safeguard the rights, freedoms, and legitimate interests of the consumer. While consent-based decisions should protect the consumer from adverse automated decisions, evidence shows that the majority of European consumers do not utilize consent as a tool of consumer protection, as they do not read privacy policies adequately to guard themselves from potentially unfair algorithmic decisions. In the second exception, the GDPR allows EU Member States to authorize the sole use of ADM by law. The implementation of the relevant provision by Member States can have an adverse effect on data innovation and consumer protection.
Germany has used the exception to permit the sole use of ADM in cases of insurance service contracts where the request of the consumer, for instance for reimbursement, is granted. The German approach is unnecessarily restrictive of ADM even in cases where the harm to consumers is appreciably low or non-existent. The UK’s Data Protection Act (2018) has taken the opposite approach by permitting fully automated decisions across all sectors subject to ex post facto procedural safeguards, including notice to the consumer that the decision in question was fully automated. In the UK, the consumer has the right to request a new decision that is not fully automated. The data controller should comply with the request and notify the consumer of the steps taken as well as the outcome. The UK’s approach permits the sole use of ADM even in cases that could be considered high risk (for instance, visa processing). The ex post facto procedural safeguards could be abused by a non-compliant data controller, while the procedure may put a burden on the consumer wanting to challenge adverse decisions.
In the US, automated consumer creditworthiness assessment is governed by old consumer credit laws, the most relevant federal statutes being the Financial Services Modernization Act of 1999 (the Gramm-Leach-Bliley Act), the Fair Credit Reporting Act (FCRA) and the Equal Credit Opportunity Act. While incremental changes to update these laws in line with technological advances and data innovation are being made, the core of these statutes remains unchanged and is applicable to algorithmic credit risk assessment. These statutes, inter alia, prohibit discrimination in consumer credit provision, require accurate credit reporting and impose transparency requirements.
In 2017, the Consumer Financial Protection Bureau (CFPB) fined Conduent LLC $1.1 million under the FCRA for inaccurate consumer credit reporting using an automated process. Conduent supplied automated auto loan consumer credit reporting to lenders and credit reporting agencies, containing various categories of errors in the files of over 1 million consumers. Similarly, in 2018 the Federal Trade Commission imposed a large fine on RealPage for inaccurate algorithmic credit reporting related to rental home applicants. These cases illustrate that, with a technology-neutral interpretation of legal rules, algorithmic decisions could be tackled without a tailored legal regime.
ML decisions require a significant regulatory change on both sides of the Atlantic. While the GDPR’s general approach to ADM fails to strike a balance between encouraging innovation and consumer protection, its provisions requiring transparency in ADM, including granting the right to explanation, are considered to be unfit for ML decisions. The European Commission’s White Paper on Artificial Intelligence (AI) acknowledges some of the flaws in the GDPR and envisions some changes. The white paper adopts a risk-based approach to AI regulation. It proposes a two-step analysis: identifying certain AI applications that are generally regarded as high risk, and determining whether a given application within the identified sector is likely to pose a significant risk. If implemented appropriately, the risk-based approach to AI regulation protects fundamental rights, safeguards individuals from risky and unexplainable AI-driven decisions and strikes a balance between the protection of ethical values and innovation.
The evidence undoubtedly demonstrates that the call for GDPR-inspired legal rules for automated consumer creditworthiness assessment in the US is based on an unwarranted assumption about the efficient functioning of the GDPR.