28 Oct Insights into the ICO CRA investigation
We share our insights to provide context to the ICO's recent CRA investigation.
Yesterday, 27 Oct 2020, the UK's Information Commissioner's Office ('ICO') pulled the plug on the practice of the 3 credit reference agencies ('CRAs' or 'bureaux') washing and selling data products enhanced using the personal information of millions of people without their consent.
A two-year investigation by the ICO into Experian, Equifax and TransUnion found they were using personal consumer data to enhance and enrich a variety of data products without the consumers' knowledge. This is counter to the General Data Protection Regulation (GDPR), which is enacted in UK law. The data was then sold to commercial organisations, political parties and charities; a clear violation of the reciprocity rules that govern the 3 CRAs. These data broking businesses were used by organisations to find new customers, identify the people most likely to be able to afford goods and services, and build profiles about people.
The motivation? Profit. Nothing wrong with that unless you are:
- Anti-competitive by breaking the reciprocity rules and GDPR that govern the 3 CRAs to gain a competitive advantage over other vendors who cannot enrich their data sets with credit-based data
- Exploitative of consumers by ignoring a lack of consent
2. A lack of data governance
When we think of credit bureaux, we think of credit scores. Credit scores are typically derived across credit-active consumers ('data owners'). They will have made, at some point in time, a credit application to a lender, defined as a 'data controller'. As part of the application, consumers will have shared, either directly or indirectly, personal details, details of their salary and other incomes, savings, property values, cost of living and other expenses, and other credit commitments. As part of the application, the consumer will have to consent to the lender sharing some of this information with a CRA (the 'data processor'), which uses it to enrich its own data. No consent, no loan. However, as the data owner, the consumer has the right under GDPR to request, at any time once the account has been closed, that the data controller delete their data. On receiving such a request the data controller has to delete this data and request that the data processor(s) do so as well.
The bureaux typically have four data tiers. These closely follow the paid for data services that the bureaux provide:
- Tier 1: The reciprocal sharing of data between closed user groups such as current account turnover (‘CATO’) between six clearing banks.
- Tier 2: The reciprocal sharing of credit account data restricted to lenders making the same data type contributions to the bureau service as described above.
- Tier 3: The non-reciprocal provision of data products derived from credit application data obtained from tiers 1 and 2 to others, not just lenders, who commit to undertaking some data sharing, but not credit application data sharing. E.g. debt purchasers accessing affordability scores and CATO scores in exchange for reporting on account performance.
- Tier 4: The non-reciprocal provision of data products derived from data sharing and open data initiatives (e.g. loyalty cards, insolvency service and land registry data) enriched with data obtained from tiers 1 to 3.
The ICO's investigation was focused on tier 4. The bureaux are, like alternative data vendors, modelling data from data sharing and open data initiatives. Unlike alternative data vendors, they are training these models and enriching this data using consumer data obtained from tiers 1 to 3. This gives them a distinct commercial advantage but breaches the reciprocity rules that govern the 3 CRAs, and so is clearly anti-competitive. What's more, this breaches GDPR, as it is being done without the data owners' consent and there is no way of removing the unconsented data from the derived data should a 'delete my data' request be received. The breaching of GDPR and reciprocity rules applies equally to tier 3 as it does to tier 4.
3. Possible next steps for the ICO?
We expect that the ICO will seek to fine Experian, as it has still yet to fully satisfy the ICO that it has addressed the issue, unlike TransUnion and Equifax. We would hope that the ICO extends its investigation of tier 4 CRA practices to tier 3 CRA practices. Finally, the ICO might investigate the governance of data derived from tier 1 and tier 2 in light of the reciprocity rules. Whilst this may be welcomed by data controllers and consumers alike, it is perhaps less likely to happen.
Source: 'ICO takes enforcement action against Experian after data investigation', Credit-Connect, 28 October 2020.