Hong Kong Considers Sharing of Consumer Mortgage Data with Credit Providers

On 5 January 2011, the Commissioner issued a consultation paper to seek public comment on the Proposals. The public are invited to submit comments on the Proposals and the related privacy implications by 8 February 2011. 

Sharing of credit data under the current Code of Practice

The Code of Practice was issued by the Commissioner in February 1998 to govern the sharing and use of consumer credit data by credit providers through a credit reference agency ("CRA"); to provide practical guidance to credit data users in the handling of consumer credit data; and to protect the personal data privacy interests of consumers. The Code of Practice was amended in 2003 to introduce the sharing of positive credit data in some circumstances.

Consumer credit data refers to personal data of an individual collected by a credit provider in connection with the provision of consumer credit, relating to the individual’s consumer credit transactions ("Credit Data").

The Code of Practice governs the collection, accuracy, use, security, access and correction of personal data of individuals who are, or have been, applicants for consumer credit. The Code of Practice allows sharing of negative Credit Data (i.e. information relating to failure by individuals to meet their obligations with regard to a financial liability), and positive Credit Data (i.e. information on loans that are not in default, including an individual’s overall credit exposure and payment pattern), among credit providers through a central database operated by a CRA.

CRAs are currently entitled under the Code of Practice to hold general Credit Data about an individual borrower or guarantor (e.g. identity information, credit application data, general account data etc.) obtained from credit providers, as well as information collected from public records (CRAs are not entitled under the current Code of Practice to hold information relating to mortgagors). CRAs then compile the collected Credit Data in a database and issue credit reports on an individual following an enquiry made by a credit provider. Under the current Code of Practice, credit providers and CRAs are allowed to share negative Credit Data for primarily unsecured credit, and since the Code of Practice was amended in 2003, to share positive Credit Data of primarily unsecured credit and negative mortgage data for residential properties. However, credit providers and CRAs are not entitled to share positive mortgage data under the Code of Practice (i.e. they may only share information relating to a mortgage if there is a default in payment for a period exceeding 60 days).

A breach of the Code of Practice does not in itself constitute an offence under the Ordinance. However, a failure to comply with the Code of Practice will give rise to a negative presumption against the data user in any proceedings commenced under the Ordinance, be they an investigation initiated by the Commissioner or legal proceedings.

Sharing of credit data in other jurisdictions

The CCF has emphasised that credit data sharing regimes are an important part of the risk management framework in mature economies such as the United States of America and the United Kingdom, both of which allow the sharing of positive and negative residential mortgage data. Research in the US indicated that consumer data sharing resulted in a number of beneficial outcomes, including a lower rate of mortgage defaults and increased pricing flexibility.

Further, other Asian jurisdictions, such as the People’s Republic of China, Taiwan and Singapore have systems in place for the sharing of positive and negative mortgage data. The CCF believes that Hong Kong may risk losing its competitiveness as a leading consumer credit market, unless it improves its credit awareness.

Proposals for reform

As outlined above, the Code of Practice was amended in 2003 in order to permit the sharing of positive Credit Data in CRA databases in certain circumstances. The HKMA believes that further reforms, to expand the right to share positive Credit Data relating to mortgages, are necessary in light of the recent rise in property prices, which has lead to an increased probability of defaults and bankruptcies, as well as a rising trend in the mortgage debt-to-income ratio. The Proposals are intended to promote responsible lending by credit providers and responsible borrowing by consumers. The HKMA’s stance is that the Proposals will benefit both financial institutions and consumers, will help reduce the increasing amount of consumer debt and personal bankruptcies, and will help credit providers minimise risks in making consumer loans, thus creating a more efficient credit market in Hong Kong and reducing the risk of an asset bubble in the Hong Kong property market. They further argue that to achieve this, greater transparency of credit information is essential and that ultimately, more comprehensive Credit Data available for lenders is expected to result in more favourable terms and pricing for borrowers.

The current regime does not allow for the sharing of positive mortgage data in respect of residential or non-residential loans, or the sharing of negative mortgage data for non-residential properties. The CCF proposes allowing credit providers to disclose the following positive mortgage data in respect of both residential and non-residential properties to the CRA: (i) name; (ii) capacity (i.e. borrower, mortgagor or guarantor); (iii) Hong Kong identity card number or travel document number; (iv) date of birth; (v) gender; (vi) correspondence address; and (vii) account number, type of facility, account status and closed date. The positive data proposed to be shared does not extend to the following data: (i) market value of the property; (ii) property address; (iii) outstanding loan amounts: (iv) installment repayment details; (v) loan tenor; (vi) loan-to-value ration; (vii) income or wealth of any concerned parties; or (viii) interest details.

Negative mortgage data is already shared under the current regime for residential mortgages, and the CCF proposes extending the regime so that same negative mortgage data may be shared in respect of both residential and non-residential properties.

In addition, the CCF proposes to allow credit providers to disclose the Credit Data of mortgagors to CRAs (disclosure is currently only allowed in relation to borrowers and guarantors, as outlined above). The Proposals also deal with transitional provisions for pre-existing mortgages at the time the Proposals are implemented.

While the proposals involve a range of information being provided by credit providers to a CRA, CRAs are only entitled under the Proposals to disclose the number of mortgages which an individual is involved (the "Mortgage Count") to a credit provider that makes an enquiry about a consumer (and only where the consumer has provided his/her consent).

The main differences between the Credit Data sharing scheme under the current Code of Practice and the scheme proposed by the CCF are summarised in the below table:

Consumer concerns

The Commissioner has expressed concern that the broader sharing of Credit Data as proposed by the CCF may adversely affect the privacy interests of individual consumers. This is particularly the case when data is collected from a range of sources. The main privacy implications outlined by the Commissioner relate to data concentration and profiling/stigmatisation.

• Data Concentration. Storage of an increased amount of data (both positive and negative) in a single centralised CRA database, may give rise to undesired intrusion or attempts to misuse the data for a purpose other than the original purpose of collection. Therefore, additional measures are required in order to ensure the security and proper use of the data, and it is recommended that any additional safeguards apply not only to the credit database system, but also to the staff of credit providers and CRAs.

• Profiling/Stigmatization: There are also concerns that an extension of shared Credit Data may result in the information being used for the purposes of ‘credit scoring’ (i.e. using the data for the purpose of generating a score that purports to represent the consumer’s credit worthiness). The Commissioner is concerned that ‘credit scoring’ based on the shared Credit Data (either on its own or in conjunction with other information) could potentially give rise to an inappropriate credit label (depending on the scoring mechanism, the type of data used and the accuracy of the data), thereby adversely affecting the consumers credit standing. However, the CCF believes that it is in the interests of both credit providers and credit applicants that the shared Credit Data will not result in mislabelling of credit applicants, and that a fair assessment by credit providers of consumers’ credit history and repayment ability will result in credit being granted on terms consistent with the consumer’s credit-worthiness. 

Public consultation

The Proposals constitute a significant expansion of the existing regime dealing with the sharing of personal Credit Data. The Commissioner has noted that if the Credit Data sharing framework was to be broadened as proposed, this would have serious implications on data protection and privacy, and a number of data protection safeguards and restrictions would be required to ensure that the privacy interests of consumers were protected, and to ensure that the provisions of the Ordinance were complied with. This is particularly important given the very personal and confidential nature of Credit Data.

As is the case with most privacy reforms, the main challenge when assessing and implementing the Proposals is striking a balance between public and private interests. In the present case, this involves balancing the need to avoid excessive collection of data with the need to achieve a healthy credit system in Hong Kong. The consultation paper primarily focuses on six key privacy issues that have emerged as a result of the Proposals. Broadly speaking, these issues are as follows:

1. whether it is necessary and not excessive for a CRA to hold additional mortgage data (i.e. positive mortgage data for residential properties, and positive and negative mortgage data in respect of non-residential properties);

2. whether it is appropriate to place restrictions on the amount of positive mortgage data contributed to a CRA by credit providers in line with the CRAs operational needs, and to only allow credit providers to access such data where they have obtained the written consent of the credit applicant and only for the purposes of assessing the applicant’s Mortgage Count;

3. whether it is appropriate to share pre-existing mortgage data (at the time of implementation of the proposals);

4. whether it is appropriate for the Credit Data to be used for purposes other than for evaluating mortgage loan applications (e.g. to assess other consumer credit applications, or to review/renew existing credit facilities);

5. the transitional implementation of the amended provisions (whether 24 months is an appropriate transitional period); and

6. the possible need for additional privacy safeguards (e.g. independent audits of CRA databases within 6 months from the implementation date, and periodic IT security audits).

The Commissioner has indicated that he believes that the restrictions outlined in relation to the second issue above are appropriate. However, he has reserved his position on the remaining five issues pending public consultation. The Commissioner has acknowledged that in order to find a solution that strikes a balance between the public interest and private privacy interests of individuals, the following must be taken into account: (i) the public interest – the solution should help develop a healthy mortgage lending environment and contribute to financial and economic stability in Hong Kong; (ii) the relevance of additional Credit Data for the purposes of credit assessments – the collection of additional Credit Data by credit providers should be kept to the minimum necessary for the purpose of assessing the individual’s credit; and (iii) the individual’s right to data privacy – the Commissioner emphasises the need to enable consumers to make an informed choice whether to allow their Credit Data to be shared. This consent-based approach would ensure that the individual’s right to control his own data is preserved.

Following the public consultation period, the Commissioner will take a position in relation to the six privacy issues above and will decide to what extent the Proposals should be incorporated into the Code of Practice. Further updates will be forthcoming when the report on the public consultation is issued by the Commissioner.

Gabriela Kennedy (Partner), [email protected], Heidi Gleeson (Registered Foreign Lawyer), [email protected], and Alya Bloum (Intern), Hogan Lovells, Hong Kong

Authored by Gabriela Kennedy