# Introduction
For more than a few weeks now, there has been a discussion related to the introduction into the banking law of restrictions on the scoring model when automatically verifying customers' creditworthiness and analyzing credit risk.
# Who is to be affected by the scoring restriction
The regulation is to be found in the Banking Law (Article 105 (1a) and (1b) of the Banking Law), and is to cover "Banks, other institutions authorized by law to grant credit, lending institutions." That is, it is definitely to apply to banks i lending institutions. This design restricts bank factors (the same joint-stock company with a factoring department/division) - giving an advantage to factors in the form of separate non-bank entities, including subsidiaries, non-affiliates, fintechs, etc. These entities can still develop their scoring models, or at least the draft amendments as they currently stand do not restrict them from doing so.
# Status of work
The Law on Amending Certain Laws in Connection with Ensuring the Application of the RODO Regulation (Print No. 3050) is at the stage of completion in committee after the first reading. The status of the work can be followed here. The extraordinary subcommittee published a few days ago its report of 18.01.2019, running to 231 pages, which is a de facto repetition of the contents of the draft. Among others, the Union of Polish Banks (ZBP) and the Polish Association of Loan Institutions (PZIP) - undoubtedly the 2 associations most interested in the fate of the work - actively submitted their comments to the drafts.
# What the restrictions are about
The legislation is intended to limit the ability to assess an individual's creditworthiness and analyze credit risk to only the following categories of data:
– concerning an individual: name(s) and surname, family name, parents' names, date and place of birth, age, sex, citizenship, marital status, series and number of DO or other document confirming identity, PESEL, NIP, address of residence, address of permanent or temporary residence registration, current address of residence, address for correspondence, legal title to occupied premises, place of work, profession, education, form of employment, financial situation, including income and expenses, number of persons in the household, property regime of spouses;
– regarding obligation: the source of the obligation, the amount and currency, the number and status of the bank account, the name and address of the lender, the date the obligation arose, the terms of repayment of the obligation, the legal collateral established, the course of performance of the obligation, the status of the debt on account of the obligation, the date of expiration of the obligation, the reasons for non-performance of the obligation or admission of default, the reasons for expiration of the obligation.
# In what they may limit regulations
In the development and use of scoring systems that enable analysis of data not included in the above-mentioned closed list, i.e., e.g., behavioral data based on the traces people leave on the Internet (posts, comments, opinions on goWork, online vulgarity and heckling, photos, etc.) or information on their devices with geolocation functionality (e.g., frequent trips to dangerous places, participation in extreme sports, participation in races, etc.), as well as data on their health status or previous convictions.) or information from their devices that have a geolocation function (e.g., frequent trips to dangerous places, participation in extreme sports, racing), as well as data on health status, or previous criminal convictions, or bank account data (e.g., purchases at nightclubs, liquor stores, etc.). Obtained consent for such profiling and automated decision-making under the new regulations will be invalid.
# Issue of communicating denial of funding
Another problem arising from the proposed regulation is in fact Expanding the scope of Article 22 of the RODO by providing "the person affected by a decision taken by automated means with the right to receive an adequate explanation of the grounds for the decision taken, to challenge that decision, to express his or her own position, and to obtain human intervention." This, in turn, will entail disclosure, at least in part, of the scoring model used, which is a business secret of the bank/lending institution. This attention to an individual's rights can be painful - when such a person uses the acquired knowledge to, for example, attempt to defraud financing. In addition, it is not difficult to imagine the possibility of acquiring knowledge of the scoring model used by a competitor through a substituted person.
In the ZBP's view, the proposed Article 105a(1a) of the Banking Law is incompatible with the RODO in this regard, because under Article 22 para. 3 of the RODO, the right to obtain human intervention on the part of the controller, to express one's own position and to challenge a decision that is based solely on automated processing - including profiling - does not apply in a situation where the authority to issue automated decisions derives directly from a provision of European Union or Member State law (i.e., in this case, the just introduced Article 105a(1a) of the Banking Law). ZBP also points out that "appropriate measures to protect the rights, freedoms and legitimate interests of the data subject".referred to in the rationale for basing profiling on a legal provision (Article 22(2)(b) of the RODO), derive directly from the current provisions of the Banking Law.
# What if we didn't do everything automatically
Under the proposed Article 105a (1a) of the Banking Law, banks and lending institutions may, for the purpose of assessing creditworthiness and analyzing credit risk, make decisions based on exclusively on automated processing, including profiling, of personal data, and according to the proposed Article 105a (1b) of the Banking Law these decisions may be undertaken exclusively based on the following categories of data (...). The question, then, is whether introducing the human factor (even if only in the form of a formal written credit/loan/factoring decision) of the risk department will not solve the problem and exempt the entity from restrictions. This is already an issue for the legal departments of these entities, which will undoubtedly be forced to consider potential sanctions as a result of a possible PUODO inspection. Undoubtedly, in the case of banks or large-scale loan financing, the human factor is necessary anyway. The problem arises only in the case of bank micro-factoring and micro-lending - here, after all, by design, some entities aim to fully automate the risk assessment process. And it is these entities that may have the biggest problem with the new regulations.
I will report on the progress of the work as part of the news on the blog. Hopefully, the final draft of the Law will change.
EDIT (12.02.2019).. Good information. With the latest amendment, the word "exclusively" has been replaced with "in particular." Thus, banks, bank factories and lending institutions will be able to assess creditworthiness on the basis of other criteria as well - without the restrictions and closed list of criteria indicated in the aforementioned article. The criteria outlined in the banking law will therefore be treated as exemplary. Unfortunately, at the request of the customer (an individual - presumably a consumer) they will be forced to disclose what specific information was taken into account. This obligation is to apply both when the decision was made in a fully automated process and when a human being was also involved in the decision-making. These changes are the result of the Panopticon Foundation's involvement in the consultation process. The financial institution will not be able to charge for providing these explanations.Thus, of the problems discussed in the above article, the problem of disclosing the "know-how" of the financial institution performing the creditworthiness analysis remains topical, but if this option is limited to the consumer - then it will not affect the factoring industry. So let's wait for the final wording of the draft law.