Privacy Commissioner releases finding on a bank's refusal to release credit score

PIPEDA Case Summary #2002-39

Ottawa, February 27, 2002 - The Privacy Commissioner of Canada, George Radwanski, today released the following finding under the Personal Information Protection and Electronic Documents Act. The finding is a letter to the organization.

This letter constitutes my report of findings with regard to the complaint filed by [complainant name deleted] against [bank name deleted] under the Personal Information Protection and Electronic Documents Act (the Act). In her complaint received in my Office on February 23, 2001, [the complainant] alleged that [bank name deleted] had contravened the Act by refusing her request for access to her credit score.

I have determined, first of all, that the subject matter of the complaint does fall within my jurisdiction under the Act. As of January 1, 2001, the Act applies to any federal work, undertaking, or business. By operation of constitutional law, any bank, such as [bank name deleted] is a federal work, undertaking, or business. On this basis, therefore, I was required under section 12 of the Act to accept and investigate the complaint.

Before I provide you with my findings, let me first outline the facts obtained in the course of my Office's investigation.

It is important, at the outset, to make clear the nature of the information at issue.

Credit scoring, an automated method of assessing an individual's likelihood of repaying debt on time, is a significant factor in a financial institution's decision whether or not to extend credit to an individual. A credit score is determined by means of an algorithm - a mathematical formula that "runs" an individual's personal information against a credit scoring model.

But there are two different types of credit scores, corresponding to two different types of organizations each using a different type of credit scoring model.

The type of credit score perhaps most familiar to the average credit user is the one provided by credit reporting agencies such as Equifax and TransUnion. It is well-known that financial institutions, in considering applications for credit, obtain credit reports from such agencies and that any such report usually contains a credit score provided by the agency in question.

It is perhaps less well known, however, that financial institutions also generate credit scores of their own, different from those of credit reporting agencies. The difference derives essentially from the type of credit scoring model used in each case.

A credit score provided by a credit reporting agency is based on a standardized model composed largely of biographical data and credit history of the individual. A financial institution, on the other hand, uses a model that also incorporates factors specific to the institution - for example, corporate policies, business strategies, corporate and product objectives, historical loan data, economic indicators, and demographic data. In other words, unlike a credit reporting agency, a financial institution such as [bank name deleted] uses a unique credit scoring model that is internally developed and customized to its own strategic business priorities.

In the complainant's case, it was a credit score of the latter type - that is, a score had generated by means of its own unique credit-scoring model - that she was seeking when she made her access request.

The bank has acknowledged that, in considering an application [the complainant] had previously made for a credit card - a successful application, as it happens - it not only obtained credit scores from Equifax, but also generated an internal credit score by a model of its own. Though willing to release her Equifax score to the complainant by agreement with that agency [bank name deleted] has refused to release its internally generated score to her on grounds that the Act does not require such release.

In support of its position, [bank name deleted] has made two main contentions: (1) that an internal credit score is not personal information for purposes of the Act; and (2) that, even if found to be personal information for purposes of the Act, an internal credit score is not releasable because it would reveal confidential commercial information protected by section 9(3)(b) of the Act.

In the basis of these facts, I am required to determine first whether an internal credit score is, in fact, personal information according to the definition in section 2 of the Act.

Section 2 defines "personal information" as follows: "[P]ersonal information means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization."

On the face of it, the credit score in question certainly pertains to an identifiable individual. And it would appear to be "information about" that individual - namely, how the individual measures up against the bank's criteria for granting credit.

The bank, however, has presented counter-arguments that may be summarized as follows:

• Personal information must be capable of collection, whereas an internal credit score is generated internally by the bank rather than collected from the individual. Likewise, the Act links access to personal information with the ability to review and correct it, whereas an internal credit score, insofar as it is based on a proprietary algorithm, is not subject to correction or revision. Therefore, although the information a bank collects and uses in order to generate a credit score may well be subject to the Act, the credit score itself is not.
• An internal credit score is a corporate opinion, a form of "commercial speech" protected under section 2(b) of the Canadian Charter of Rights and Freedoms. The Charter provides a constitutional guarantee both of the right to speak and the right not to speak one's opinion. Opinion is not included in the definition of personal information under the Act, whereas it is so included under the Privacy Act, the counterpart legislation for the federal public sector. Parliament's intent in excluding opinion from the definition under the Act must have been to preserve freedom of thought and expression within the private sector.

With regard to the first point, Section 2 of theAct defines personal information simply as ".information about an identifiable individual.". This is a clear and elegant definition designed precisely to preclude most legalistic questions of the type raised here - questions about origin, ownership, opinion-versus-fact, et cetera.

It therefore does not matter for the purposes of the Act whether the information in question was collected or internally generated; whether or not it originated with the individual it is about; or whether it is technically "owned" by the individual or by some other party. And it certainly does not matter whether or not it is subject to correction or revision in the normal course of use.

I would point out, in this regard, that banks also generate personal identification numbers, bank account numbers, loan agreement numbers and credit card numbers for their customers. These are not collected by the bank, nor are they subject to correction or revision in the normal course of use. And yet these numbers are clearly "information about an identifiable individual" for the purposes of the Act, and therefore personal information. I find the same to be true of the credit score in question.

[Bank name deleted]'s second point is that credit scores are not personal information subject to disclosure because they are "opinions."

I am unable to accept the bank's surmise that Parliament must have intended to exclude opinions from the definition of personal information because they are not expressly mentioned. On the contrary, I am satisfied that the definition is open-ended and does not include any specific examples, as did the Privacy Act, for exactly the opposite reason: to avoid unintentionally limiting the definition of what personal information can be. Since the Act is, in fact, limitless as to what can constitute "information about an identifiable individual," I find that its scope does indeed extend to opinions, as is the case with the Privacy Act.

As for the bank's invocation of a corporate Charter right to refrain from expressing an opinion, I find this argument as unpersuasive as it is creative.

Corporations, like individuals, may or may not have a right to silence, a right not to express an opinion. But by generating a credit score about an individual, the bank has already broken that silence. It has not only uttered an opinion, but has used that utterance for an administrative purpose: to determine the credit-worthiness of the individual in question. To seek to invoke some notion of a Charter-derived right to silence as a shield against disclosing this opinion to the individual as required by the Act is, in my view, insufficiently respectful both of the Charter and of common sense.

I therefore find that the credit score generated by [bank name deleted] in this case is personal information that is subject to the Act.

I must now address [bank name deleted]'s second contention, which is that it is not required to release an internal credit score because to do so would reveal confidential commercial information protected by section 9(3)(b) of the Act, which states:

"Despite the note that accompanies clause 4.9 of Schedule 1, an organization is not required to give access to personal information only if.to do so would reveal confidential commercial information."

This contention on the part of the bank involves two propositions: first, that the release of scores generated by the bank's credit scoring models could somehow reveal the models themselves; and, second, that the bank's credit scoring models constitute confidential commercial information. I will examine each of these propositions in turn.

In support of the proposition that releasing credit scores could reveal the models by which they are generated, [bank name deleted] commissioned and presented a study by fraud experts. The study concluded that, if internal credit scores were readily available, a credit scoring model could be cracked by obtaining as few as 24 scores.

This would be achieved by having 24 individuals submit credit applications with different key variables and then request access to their credit scores. By analyzing the differing scores and the variables on which they were based, competitors or fraudsters could discern the scoring model itself.

To assess the bank's evidence that a credit-scoring model could be "cracked" in this way through knowledge of the scores of individual applicants, my Office consulted an expert in the field of algorithms.

On reviewing the above-mentioned study, this expert found its conclusions to be correct on the whole. In essence he affirmed that, although an exact determination of a credit-scoring model was difficult and highly unlikely, access to customized credit scores would definitely make it easier to approximate a bank's model.

I note that section 9(3)(b) of the Act sets a very high standard for justifying the withholding of personal information. It does not suffice that confidential commercial information could or might be revealed. This provision can only successfully be invoked if such information "would" be revealed. Since assessing such a claim inevitably involves some degree of trying to predict the future, this is a determination that must be very carefully made on a case by case basis whenever this section is invoked.

In the case at hand, I have some difficulty believing that either competitors or rings of algorithmically expert fraud artists would go to the lengths involved. The spectre of the banks falling under systematic assault from teams of loan-hungry mathematicians is simply not one I find particularly persuasive.

As to the risk from competitors, [bank name deleted] has taken the position that "competitive advantage gained at significant cost over many years would be lost through the disclosure of internal credit scores and models. This sensitive and proprietary information should not be directly or indirectly accessible to competitors."

Again, I find it difficult to believe that Canadian banks would go to the above-described lengths that would be required to "crack" each other's credit scoring models. But I am not a banker. Since [bank name deleted] - and all the other banks that share the same reluctance to release individual credit scores - tell me in effect that such are the competitive ethics of the Canadian banking community, I must with some regret accept that this is so.

I must therefore accept, albeit with some reluctance, the evidence provided by the bank and confirmed by my Office that model "cracking" ensuing from the release of internal credit scores is technically possible. Furthermore, I have no doubt whatsoever that [bank name deleted] and other financial institutions do take this very seriously indeed.

On the evidence available to me, I certainly am not in a position at this time to refute the bank's evidence and belief that releasing internal credit scores would result in revealing the scoring models and the considerations on which they are based. For the purposes of dealing with this particular complaint, I must therefore in fairness accept that it would.

What I must now determine is whether the information that would be thus revealed constitutes "confidential commercial information".

For the sake of clarity, let me first emphasize again that the issue is not whether an individual's credit score itself is confidential commercial information. Rather, it is whether such a score is the gateway to confidential commercial information - in other words, whether the disclosure of such scores would reveal confidential commercial information.

What the bank fears would be revealed - and what I must characterize as either constituting confidential commercial information or not - is the credit scoring model, which is shaped by such factors as any given bank's particular corporate policies, business strategies, and corporate and product objectives.

To assist me in making this determination, my Office sought input from a number of key regulatory bodies: the Office of the Superintendent of Financial Institutions, the new Financial Consumer Complaints Agency, and the Competition Bureau. None had studied this matter, and none was able to offer any advice as to whether the information in question should be regarded as confidential commercial information.

Absent either a specific definition in the Act or helpful insights from independent banking experts, it is perhaps most useful to regard confidential commercial information as roughly analogous to "trade secrets" and consider the factors commonly used by the courts in determining what constitutes such a trade secret:

• the extent to which the information is generally known
• whether it is known to others in the same business or trade
• whether it is known within the organization
• whether someone outside the organization could acquire the information independently
• the extent to which the organization takes special measures to ensure the secrecy of the information
• whether the information is in some way unique or original.

The courts have also considered a range of factors in determining whether information is "commercial" or "business" information. These include:

• the economic value of the information
• the value of the information to the organization
• the value of the information to competitors of the organization
• whether the information provides the organization with an advantage over competitors
• the expenditure of resources, time and independent effort in developing and protecting the information.

In applying these considerations to the matter at hand, my investigation has confirmed that [bank name deleted] closely guards its credit scoring models against external access and allows internal access to only a few experts. It invests very substantial effort and expense in developing its models. A model is developed for each specific financial product. And each model is based on proprietary information of the bank, such as business strategies, aggregated historical loan information, risk tolerance, and economic forecasts.

These considerations leave me with little doubt that [bank name deleted] does genuinely regard its internal credit scoring models as proprietary, confidential commercial information and does treat and protect them accordingly.

I also note that in both the United Kingdom and Australia, representatives of the financial sector, consumer advocacy groups and government have jointly reviewed the credit granting system and have released new guidelines which do not call for the release of an individual's internal credit score.

In the United Kingdom, credit grantors are required to give an explanation of the role of scoring in the decision-making process, and to advise consumers of the principal reasons why they were denied credit. However, they are not expected to give details of actual attributes or weightings.

The guidelines in the Australian privacy legislation have a clause which addresses the issue of commercially sensitive decision-making processes:

"In most cases an individual seeks access for an explanation of why an organization has made an adverse decision. An organization could usually meet this concern by explaining (as far as possible) the reasons for the actual decision and giving the raw data. This exception might apply where an organization has used a credit-scoring tool that is commercially sensitive and it does not want to make the score card factors and their weightings available."

It is noteworthy that Canadian banks, like their U.K. and Australian counterparts, do inform individuals as to the principal reasons for a denial of credit or for a low credit rating.

The practices in other countries such as the U.K. and Australia do not, of course, determine what rules should apply in Canada nor how our own Act should be interpreted. I do, however, find the experience of these other jurisdictions useful in helping to satisfy me that the (.)'s depiction of the information in question as confidential commercial information is neither fanciful nor disingenuous.

It remains true that I am not persuaded that the actual competitive or fraud-related consequences of disclosing individual internal credit scores would be as dire as the banks purport. Were I at some future time be required to investigate a similar complaint where I was presented with persuasive evidence confirming my considerable skepticism, my finding might well be different.

Nevertheless, on the information available to me, I find that the most fair conclusion for me to reach is that these scoring models qualify as confidential commercial information for purposes of section 9(3)(b) of the Act.

Two other considerations have also assisted me in making a determination in this case.

First, I have personally examined [bank name deleted]'s scoring model. I can identify nothing in it that - apart from the stated fears of opening doors to fraud or competitive disadvantage - would account for the bank's unwillingness to make the scores available to individuals who request them. In other words, I find no reason to suspect ulterior motives that might be contrary to the public interest, such as fear of giving rise to controversy or embarrassment for the bank.

Second, I am unable to see how the internal credit score itself can be of any real, bona fide benefit to the individual who requests it, provided that the bank does instead provide an explanation of how the individuals credit standing is perceived, and/or why credit has been denied or limited. This is particularly true in the complainant's case, since she was in fact successful in obtaining the credit she sought.

Generally speaking, of course, individuals are entitled to obtain access to their personal information without being required in any way to justify why it would be of benefit to them. But the purpose of the Act, as stated in section 3, is to balance the privacy right of individuals with the need of organizations to collect, use or disclose personal information for appropriate purposes. In meeting my responsibility to identify the appropriate balance when adjudicating a complex case such as this one, I believe it is appropriate to take into consideration whether there is negligible benefit on one side and a reasonable apprehension of significant harm on the other.

In the present case, I can find no significant harm to the complainant's privacy rights or those of Canadians at large that would arise from continued inability to obtain access to internal credit scores. On the other hand, [bank name deleted] - in a position that is supported by all the other banks - has put forward an unrefuted case that significant competitive or fraud-related harm could arise from causing a revelation of what it regards as confidential commercial information. In the circumstances, I find that the bank's position deserves the benefit of the doubt.

I therefore find that the complainant's internal credit score is her personal information, but that in citing the section 9(3)(b) exception for confidential commercial information to refuse her access to this credit score, [bank name deleted] was acting in accordance with the Act.

Accordingly, I conclude that the complaint is not well-founded.

Notwithstanding this conclusion, I want to assure [the complainant], and at the same time notify that with the sole exception of the single item of information found to be exempt from disclosure in this case (i.e., her actual internally generated credit score), her entitlement to access to her personal information collected, used, or disclosed by the bank remains intact.

Notably, [the complainant] remains entitled to obtain from the bank a full and satisfactory explanation in understandable terms for any decision the bank may make in her regard, including an indication of whether the bank used an internal credit score in making the decision.

You should know that the complainant has been informed that pursuant to section 14 of the Act, she has the legal right to apply to the Federal Court - Trial Division for a hearing in respect of any matter that she complained about or that I have dealt with in my report, and that is referred to in clause 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7 or 4.8 of Schedule 1, in clause 4.3, 4.5 or 4.9 of the Schedule as modified or clarified by the Act, in subsection 5(3), 8(6) or 8(7) or in section 10. The complainant has been informed that such an application must be made within 45 days of the date of this letter.

This concludes the investigation of this complaint.

Yours sincerely,

George Radwanski
Privacy Commissioner of Canada