Asress Adimi Gikay (PhD), Brunel University London
Over the years, creditworthiness assessment has evolved from interview-based evaluation and decision-making by loan officers to automated decision-making (ADM) with minimal or no human intervention. ADM in financial services presents opportunities and potential risks, including biases and unfairness against individuals and groups. The European Union’s General Data Protection Regulation (GDPR) contains provisions regulating ADM, including in the consumer credit industry, while the United States lacks a specific law in the field, leading some to propose the GDPR as a model for the regulation of algorithmic consumer credit risk assessment in the US. In my forthcoming article, ‘The American Way —Until Machine Learning Beats the Law’, I argue that consumers in both jurisdictions are protected similarly despite the lack of a special law in the US.
On many levels, the GDPR provisions governing ADM lack the desired efficacy both in terms of consumer protection and encouraging data innovation. The GDPR prohibits solely ADM with legal effect or similarly significant effect on the consumer, subject to three exceptions to the prohibition. First, the data controller can make a fully automated decision with the consumer’s consent, subject to implementing suitable measures to safeguard the rights, freedoms, and legitimate interests of the consumer. While consent-based decisions should protect the consumer from adverse automated decisions, evidence shows that the majority of European consumers do not utilize consent as a tool of consumer protection, as they do not read privacy policies adequately to guard themselves from potentially unfair algorithmic decisions. In the second exception, the GDPR allows EU Member States to authorize solely ADM by law. The implementation of the relevant provision by Member States can have an adverse effect on data innovation and consumer protection. Germany has used the exception to permit solely ADM in cases of insurance service contracts where the request of the consumer, for instance for reimbursement, is granted. The German approach is unnecessarily restrictive of ADM even in cases where the harm to consumers is appreciably low or non-existent. The UK’s Data Protection Act (2018) has taken the opposite approach by permitting fully automated decisions across all sectors subject to ex post facto procedural safeguards, including notice to the consumer that the decision in question was fully automated. In the UK, the consumer has the right to request a new decision which is not fully automated. The data controller should comply with the request and notify the consumer of the steps taken as well as the outcome. The UK’s approach permits solely ADM even in cases that could be considered high risk (for instance, the visa process). The ex post facto procedural safeguards could be abused by a non-compliant data controller, while the procedure may put a burden on the consumer wanting to challenge adverse decisions.
In the US, automated consumer creditworthiness assessment is governed by old consumer credit laws, the most relevant federal statutes being the Financial Services Modernization Act of 1999 (the Gramm-Leach-Bliley Act), the Fair Credit Reporting Act (FCRA) and the Equal Credit Opportunity Act. While incremental changes to update these laws in line with technological advances and data innovation are being made, the core of these statutes remains unchanged and is applicable to algorithmic credit risk assessment. These statutes, inter alia, prohibit discrimination in consumer credit provision, require accurate credit reporting and impose transparency requirements.
In 2017, the Consumer Financial Protection Bureau (CFPB) fined Conduent LLC $1.1 million under the FCRA for inaccurate consumer credit reporting using an automated process. Conduent supplied automated auto loan consumer credit reporting to lenders and credit reporting agencies, containing various categories of errors in the files of over 1 million consumers. Similarly, in 2018 the Federal Trade Commission imposed a large fine on RealPage for inaccurate algorithmic credit reporting related to rental home applicants. These cases illustrate that, with a technology-neutral interpretation of legal rules, algorithmic decisions could be tackled without having a tailored legal regime.
ML decisions require a significant regulatory change on both sides of the Atlantic. While the GDPR’s general approach to ADM fails to strike a balance between encouraging innovation and consumer protection, its provisions requiring transparency in ADM, including granting the right to explanation, are considered to be unfit for ML decisions. The European Commission’s White Paper on Artificial Intelligence (AI) acknowledges some of the flaws in the GDPR and envisions some changes. The white paper adopts a risk-based approach to AI regulation. It proposes a two-step analysis: identifying certain AI applications that are generally regarded as high risk, and determining whether a given application within the identified sector is likely to pose a significant risk. If implemented appropriately, the risk-based approach to AI regulation protects fundamental rights, safeguards individuals from risky and unexplainable AI-driven decisions and strikes a balance between the protection of ethical values and innovation.
The evidence undoubtedly demonstrates that the call for GDPR-inspired legal rules for automated consumer creditworthiness assessment in the US is based on an unwarranted assumption of the efficient functioning of the GDPR.