RESPONSIBLE USE OF TECHNOLOGY IN CREDIT REPORTING
White Paper

© 2022 The World Bank Group
1818 H Street NW
Washington, DC 20433
Telephone: 202-473-1000
Internet: www.worldbank.org

All rights reserved.

This volume is a product of the staff of the World Bank Group. The World Bank Group refers to the member institutions of the World Bank Group: The World Bank (International Bank for Reconstruction and Development); International Finance Corporation (IFC); and Multilateral Investment Guarantee Agency (MIGA), which are separate and distinct legal entities each organized under its respective Articles of Agreement. We encourage use for educational and non-commercial purposes.

The findings, interpretations, and conclusions expressed in this volume do not necessarily reflect the views of the Directors or Executive Directors of the respective institutions of the World Bank Group or the governments they represent. The World Bank Group does not guarantee the accuracy of the data included in this work.

Rights and Permissions

The material in this publication is copyrighted. Copying and/or transmitting portions or all of this work without permission may be a violation of applicable law. The World Bank encourages dissemination of its work and will normally grant permission to reproduce portions of the work promptly.

All queries on rights and licenses, including subsidiary rights, should be addressed to the Office of the Publisher, The World Bank Group, 1818 H Street NW, Washington, DC 20433, USA; fax: 202-522-2422; e-mail: pubrights@worldbank.org.

Table of Contents

Executive Summary
Introduction
Use of Technology in Credit Reporting
    2.1. Disruptive Technologies in Credit Reporting
        2.1.1. Smartphones
        2.1.2. Digital Payments
        2.1.3. Big Data
        2.1.4. Open Banking
        2.1.5. AI/ML
        2.1.6. Digital ID & Biometrics
        2.1.7. Cloud Computing
        2.1.8. Distributed Ledger Technologies
    2.2. Implications of Innovations in Credit Reporting
        2.2.1. Benefits and Opportunities
        2.2.2. The Emergence of Alternative Credit Reporting Service Providers
        2.2.3. Risks and Challenges
Stocktake and Analysis of Responsible Use of Technology Frameworks
    3.1. Ethics and Human Rights for Responsible Use
    3.2. Big Data
    3.3. Open Banking & Open APIs
    3.4. AI/ML
    3.5. Digital ID & Biometrics
    3.6. Cloud Computing
    3.7. Distributed Ledger Technologies
Principles for the Responsible Use of Technology in Credit Reporting
    4.1. Principle 1: Fairness
    4.2. Principle 2: Ethics
    4.3. Principle 3: Accountability
    4.4. Principle 4: Transparency
    4.5. Principle 5: Security and Robustness
    4.6. Principle 6: Lawfulness
    4.7. Principle 7: Privacy
    4.8. Principle 8: Sustainability and Well-Being
    4.9. Principle 9: Inclusivity
    4.10. Principle 10: Trust
Considerations for Implementing the Principles
    5.1. Applying the Principles
    5.2. Capacity Building
    5.3. Technology-Specific Recommendations
    5.4. Use Cases
Appendix A
Appendix B
Appendix C

Abbreviations

AI        Artificial intelligence
AISP      Account information service provider
API       Application program interface
BCBS      Basel Committee on Banking Supervision
BIS       Bank for International Settlements
CRSP      Credit reporting service provider
CSP       Cloud service provider
DLT       Distributed ledger technology
EBA       European Banking Authority
EU        European Union
FCRA      Fair Credit Reporting Act
Fintech   Technology-enabled financial services
FSB       Financial Stability Board
GDPR      General Data Protection Regulation
ICCR      International Committee on Credit Reporting
ID        Identification
IEEE      Institute of Electrical and Electronics Engineers
IOSCO     International Organization of Securities Commissions
ISO       International Standards Organization
ITU       International Telecommunications Union
LEI       Legal Entity Identifier
MAS       Monetary Authority of Singapore
ML        Machine learning
MSME      Micro small and medium enterprise
OECD      Organization for Economic Co-operation and Development
PBOC      People’s Bank of China
P2P       Peer to peer
SME       Small and medium enterprise
TPP       Third-party provider
UN        United Nations
UNDG      United Nations Development Group
UNESCO    United Nations Educational, Scientific & Cultural Organization
WAEMU     West African Economic and Monetary Union
WEF       World Economic Forum

Acknowledgements

This paper is a product of the International Committee on Credit Reporting (ICCR) and the World Bank Group. The paper was prepared by Talha Ocal and Dilip Santlani (independent consultants) under the leadership and guidance of Collen Masunda, Secretariat of the ICCR, and the ICCR Communications and Knowledge Management Working Group, chaired by Giovanna Cardellicchio (Alacred). The document benefited from a consultation process and the contributions of plenary members, representative organizations, and external peer reviewers.
The committee gratefully acknowledges valuable inputs and comments from peer reviewers Natalia Bailey (Research Manager, FinRegLab) and Dr. Michael Akinwumi (Chief Tech Equity Officer, National Fair Housing Alliance). The ICCR would also like to thank the Chairman of the ICCR, Mahesh Uttamchandani, and Secretariat members Luz Maria Salamina and Collen Masunda for guiding the process. Susan Boulanger provided editorial services. The layout and design of the report was prepared by Nitin Kapoor.

Executive Summary

Technology is at the core of credit reporting systems, which have evolved significantly over the past decade by adopting new technologies and business models. Disruptive technologies such as advanced computing, artificial intelligence (AI), machine learning (ML), big data analytics, and digital payments are reshaping the credit reporting industry. Innovations have enabled credit reporting service providers (CRSPs) greater access to and sharing of data with improved analytics capabilities. As a result, the population coverage of credit reports increased, the scope of processed data expanded, and credit reports were delivered much faster.

As disruptive technologies have been increasingly adopted around the globe, concerns have arisen over possible misuse or unethical use of these new technologies. These concerns inspired international institutions and national authorities to issue high-level principles and guidance documents on responsible technology use. While adopting new technologies benefits the credit reporting industry, unintended negative outcomes of these technologies from ethics and human-rights perspectives must also be considered. Against this background, ICCR is pleased to offer this white paper as a framework for responsible use of technology in credit reporting activities.

The white paper begins with a brief introductory section, followed in Section 2 with a discussion of technology use in credit reporting, with a special focus on the key disruptive technologies being increasingly adopted by the industry. In parallel with innovation, the role of credit reporting has also evolved, and CRSPs are transforming into technology-intensive entities that provide a wide range of data analytics solutions beyond credit reporting. Moreover, the explosion of technological advancements has led to the emergence of alternative credit reporting service providers in the industry. The section also discusses the implications of new technologies from the dual perspective of benefits and opportunities and risks and challenges.

Section 3 provides information on the scope, development, and high-level principles of several key technology frameworks, including the principles underlying their responsible use. The selection of frameworks for this section was made using criteria such as global applicability, relevance to the credit reporting industry, and suitability from the perspective of responsible use.

Section 4 introduces ten principles to guide responsible use of technology in credit reporting activities. By applying these principles, the industry can make the best, most responsible use of disruptive technologies while benefiting all stakeholders. To ensure this objective, the principles are technology agnostic and apply to all types of technologies used in credit reporting activities. Participants in credit reporting systems are expected to apply these principles proportionately, according to their technology use. The principles are not mutually exclusive; each entity using technology-supported credit reporting systems should apply them in totality.

The principles are as follows:

1. Fairness. Credit reporting systems should ensure the fair use of technologies deployed in their operations. Technology-driven credit reporting products should at all times protect the fundamental rights of individuals and should not discriminate against any individuals, groups of consumers, or SMEs.
2. Ethics. Credit reporting system participants should ensure that any technology they adopt and use complies with their corporate values, codes of conduct, and highest ethical standards. Technology-driven decisions should be held to at least the same ethical standards as human-driven decisions.
3. Accountability. Credit reporting system participants are accountable for the use of both internally developed and externally resourced technologies. Appropriate governance mechanisms should be in place to oversee the processes of technology-driven credit reporting products.
4. Transparency. Credit reporting system participants should ensure that the techniques and methods used in their technology-driven decisions are explainable, assessable, and understandable by relevant stakeholders.
5. Security and Robustness. Credit reporting systems should be governed by an appropriate data security framework to ensure the confidentiality, integrity, and availability of information at all times. The robustness of technologies should be ensured to avoid unintentional harm to individuals.
6. Lawfulness. Credit reporting system participants should ensure that the use of data and technologies is lawful and complies with relevant regulations and professional standards.
7. Privacy. Credit reporting system participants should protect the privacy of data subjects while accessing, collecting, analyzing, processing, and distributing their data for credit reporting.
8. Sustainability and Well-Being. Technologies employed in credit reporting systems should support human well-being and be sustainable in all human, social, cultural, economic, and environmental aspects.
9. Inclusivity. The adoption and use of technological innovations in credit reporting systems must not result in or accentuate the exclusion of any individual or group of individuals.
10. Trust. Technologies employed in credit reporting systems should be considered trustworthy in the eyes of stakeholders, including data subjects and financial institutions.

Finally, Section 5 discusses considerations for applying the principles. It discusses how to assess a technology for possible use, highlights the need for capacity building, and provides additional technology-specific recommendations to guide adopters. The section concludes with use cases illustrating the principles in action.

Chapter 1: Introduction

Over the past decade, technological advancements and innovations, including advanced computing, artificial intelligence (AI), and machine learning (ML), have exploded, reshaping the credit reporting industry. These innovations enable greater access to data (big data), and data sharing takes place with better identification, transaction, networking, analytics, and other capabilities, significantly impacting the industry. Improved algorithms also play a more significant role in credit risk management and promote access to credit for unserved and underserved communities. By opening doors to the use in credit decision-making of nontraditional data sources, such as rental, telecommunication, and cash flow data, these technological advancements allow individuals or businesses previously unscorable or invisible under mainstream credit systems to gain access to credit.

Technologies are accelerating the evolution of regulatory standards as well as providing tools to oversee regulatory compliance. Regulatory authorities leverage these technological enhancements to improve their oversight and policy development functions. For example, advanced computing and analytics enable regulators to access and use broader data sets for policy making and supervision. The technologies also allow regulatory bodies to automate the supervisory processes to some extent with the help of the RegTech and SupTech tools being developed by emerging tech startups.

Yet the spread of new technology and disruptive changes in the credit reporting ecosystem raises concerns about possible unintended negative consequences. For example, use of AI/ML and big data analytics has raised several questions regarding the transparency of the processes, the privacy of the data being accessed, and potential biases internalized into the algorithms and models. Other concerns relate to lack of clarity over how well these new technologies fit into and comply with existing regulations. For example, big data acquisition and processing, use of cloud computing, reliance on third-party vendors and the black boxes associated with AI/ML systems can be contrary to regulations. Further, some of these technologies might raise privacy and security concerns, including data ownership and confidentiality issues.

While adopting new technologies benefits the credit reporting industry, their implications from the ethics and human-rights perspectives must also be considered. International institutions, national regulatory agencies, and industry associations thus have issued guidance and directives on responsible use of technology, but the effort remains in its infancy, and little material guidance directly applies to the credit reporting industry. In most cases, the guidance documents focus on ethical use of AI/ML.

Against this background, this white paper aims to present for consideration by credit reporting industry stakeholders a framework that combines ethics and rights-based approaches to responsible technology use. The paper begins by reviewing the use of new technologies in credit reporting and then evaluates the rights and ethics frameworks that apply to such use and proposes principles for responsible technology use in credit reporting going forward. Finally, the document discusses how the proposed responsible use principles can be instituted. Applying the proposed principles as appropriate will facilitate the credit reporting industry’s best, most responsible use of disruptive technologies to the benefit of all stakeholders.

Chapter 2: Use of Technology in Credit Reporting

Technology is at the core of credit reporting systems. From the era of paper-based credit reports to today’s automated lending systems, credit reporting service providers (CRSP) have adopted technological advances to update and improve their capabilities in creating and delivering credit reports.

In parallel with innovation, the role of credit reporting has evolved, and CRSPs are transforming into technology-intensive entities that provide a wide range of data analytics solutions (Figure 1).

Smartphones
• Creates digital footprints generating extensive structured and unstructured data
• Increased end-user interaction between CRSPs and customers

Digital Payments
• Increase with the rise of fintechs
• Creates a key alternative data source by serving as a proxy of customers’ financial behavior

Big Data
• Expands the amount of data, including behavioral data, available for creditworthiness assessment. Contributes to more accurate credit scores while increasing coverage

Open Banking & Open APIs
• Allows seamless collection of information from banks, including transactional / positive data
• Increases the number of players with access to banking data thus changing the competitive landscape

Artificial Intelligence/Machine Learning
• Uses vast data sets and algorithms to understand patterns among multiple complex variables and to predict outcomes.
• Self-evolving, with less need for recalibration

Digital ID & Biometrics
• Allows remote identification of customers
• Provides a tool to accurately verify identities and reduce identity fraud

Cloud Computing
• Allows efficient IT infrastructure as servers, software, storage can be accessed as required
• Allows focus on core lines of business

Distributed Ledger Technologies
• Allows a decentralized data management system
• Offers potential for greater automation and security

Figure 1: Innovations Affecting the Credit Reporting Industry (Source: Authors).

2.1. Disruptive Technologies in Credit Reporting

2.1.1. Smartphones

Credit reporting systems have room to improve their coverage of the global population. A large population cannot access traditional financing channels due to insufficient prior credit history. In the top 20 economies, 83 percent of the adult population on average is covered by a credit bureau or registry, whereas in the bottom 50 economies the average coverage is only at 10 percent (World Bank 2020). Due to the telecommunication revolution, however, a majority of the global population has access to some form of mobile device. As of October 2021, there were 5.29 billion unique mobile phone users (67.1% of the population) globally and 4.44 billion mobile internet users. Of the mobile internet users, 89.6 percent used smartphones (Data Reportal 2021).

Over the years, smartphones have transformed into a one-stop platform for most activities. Thus, mobile devices generate a large quantity of both structured and unstructured data through the general use of the device itself. Examples of structured data are transactional data, such as top-up patterns, utility payments, and mobile money use; unstructured data include details of the consumer’s use of these devices, such as browsing patterns and social media footprints. While structured data based on transactions has more descriptive value for CRSPs, unstructured data also holds value, allowing CRSPs to assess borrowers with inadequate transactional data.

These nontraditional data sources are valuable for credit reporting because, first, they can capture comprehensive details on individuals, which when coupled with other data sources can create a credit report on the user. Second, CRSPs can use the data to assess individuals who have had no exposure to the traditional credit services. Smartphones thus provide a valuable tool for assessing the creditworthiness of consumers who lack formal relationships with a financial institution. In some cases, these sources offer the only data available on a consumer’s or SME’s behavior. Without such information credit risk is very difficult to measure, leading the financial institution to deny credit or charge excessively high costs. Evidence from modeling shows that performance based on credit score and digital footprint variables significantly exceeds performance based on either credit score or digital footprint variables alone (Berg et al. 2019). As a result, many CRSPs have adopted nontraditional data generated through smartphones for credit scores and developed applications for consumers to monitor their credit scores. For example, Experian in India partnered with First Principle Labs to develop a mobile app that helps consumers access their credit scores free of cost and provides personalized tips on improving credit scores.

2.1.2. Digital Payments

As a result of the accelerated rise of electronic commerce and online shopping channels, digital payment platforms are extensively used by growing numbers of consumers. These platforms address the limitations of cash payments and provide fast, convenient, safe transactions for both individuals and businesses. Digital payment platforms include electronic funds transfer instruments, digital payment cards, and e-money instruments. In addition, the adoption of digital payments creates large amounts of transactional and cashflow data for both payers and payment acceptors, which can be used for behavioral analysis, debt estimation, income estimation, and forecasting cash flows. Especially for developing markets, digital payments data has expanded credit reporting system coverage to individuals and SMEs that previously were unable to access finance.

Electronic and mobile payments platforms have emerged as a significant source of alternative data for use in credit reporting systems, and their coverage accelerated during the COVID-19 pandemic. E-commerce giants take advantage of transactions data to evaluate the creditworthiness of their sellers and customers. E-commerce platforms often come with financing options. For example, Amazon Lending uses the proprietary data of small businesses that sell through the Amazon marketplace. It offers loans to sellers directly or via third-party lenders. M-Shwari in Kenya offers deposits and loans to its customers through its M-Pesa mobile money system, using M-Pesa payments and phone data to determine credit scores. Unlike Amazon Lending, M-Shwari reports its clients to the credit bureau.

2.1.3. Big Data

While credit reporting still mainly relies on traditional data sources, big data is increasingly used. The attributes used to qualify a dataset as big data are volume, velocity, variety, veracity, and value, and innovative technologies are the quintessential tools for leveraging insights from these dimensions of big data. In addition, big data require these innovative technologies to extract outcomes of predictive value to support creditworthiness assessments. The growing number of digital devices, internet-of-things (IoT) devices, and other technological innovations have increased the amount of data generated on various platforms. Reliable sources of nontraditional data have several common attributes. Among them are: (i) coverage of an adequate number of consumers, (ii) compliance with regulations for data privacy, security, and protection, (iii) relevance and predictive power, (iv) ability to enhance already existing traditional data, (v) ability to provide accurate, up to date, and timely information, and (vi) links to a specific individual (ICCR 2018). As a result, CRSPs increasingly use alternative data sources to support their creditworthiness assessments. Adopting alternative data in credit reporting systems can promote access to creditors for individuals and MSMEs with little or no credit history. In addition, studies support that alternative data have explanatory power in predicting default probability and complementing, rather than substituting for, traditional data when analyzing creditworthiness (Berg et al. 2019). As such, globally active CRSPs have been looking for ways to leverage alternative data sources to expand their coverage.

Box 1: Examples of CRSPs’ Expanding Coverage
• TransUnion’s CreditVision Link leverages alternative sources of data to evaluate consumers’ payment behaviors and transactional activities. It provides a tool for analyzing consumer behavior over time to help shape tailored products offered by lenders.
• TransUnion acquired FactorTrust, which specializes in nonprime consumers, to provide predictive credit data, analytics, and risk scoring solutions.
• Experian Boost allows consumers to add additional on-time payments to their credit reports by linking their bank accounts. Payments made to qualifying utility, cell-phone, and video streaming platforms can be connected to the users’ accounts, boosting their credit scores.
• Equifax-owned DataX uses alternative payment transactions (e.g., checks, cash, or money orders) to create comprehensive credit reports.
• Creditinfo-owned Coremetrix leverages psychometric data collected via online applications to generate credit scores for consumers with thin credit files.

The new digital era has also led to the emergence of super apps that serve as single portals to a wide range of products and services. These services include mobile payments, e-money transfers, payment installments, e-commerce credits, and digital loans. Super apps leverage a wealth of data, including extensive transaction data. This data is often processed to develop credit scores by leveraging AI/ML-based models, so the super apps can offer consumers financial products on their platforms. Depending on the information the super apps collect, they can give lenders an information advantage in credit scoring relative to a traditional credit bureau (Frost et al. 2019). Prominent super app platforms include WeChat and Alipay in China, Go-Jek and Grab in Southeast Asia, and Mercado Libre in Latin America, to name a few. In essence, these BigTech platforms have been transformed into alternative lenders in their regions, developing their credit scoring models by leveraging AI and using alternative data, and may not be part of the credit reporting systems in the countries where they operate.

2.1.4. Open Banking

Open banking interfaces allow third-party providers to access information at banks and then develop innovative products based on it. These providers, licensed in the European Union (EU) as account information service providers (AISP), can securely connect to the banking systems using application programming interfaces (API) that hold certain specifications. APIs improve the efficiency, quality, and accuracy of data collection from banks and enable the seamless extraction of transactional data to produce credit scores. Thus, data available via open banking is not limited to narrow indicators such as credit balances or loan arrears. Open banking provides an effective tool for CRSPs to collect data from banks and expand the scope of credit reporting information, while enabling fintechs to collect and process information from banks, which can then be leveraged to develop credit scores (Box 2).

Box 2: Examples of the Use of Open Banking for Credit Reporting
• Equifax acquired the open banking fintech AccountScore in the UK to enhance its data analytics capabilities.
• TransUnion offers an integrated service using open banking APIs to access transactional bank account information to assist customers with creditworthiness and affordability assessments.
• CRIF acquired the open banking fintech Strands, which offers AI-based personal financial management tools.
• Bonify in Germany uses transactional data from open banking platforms to create credit scores based on historical and current transactional data.
• Quod, based in Brazil, uses positive transactional data from consumers to provide ML-powered credit scores. Since its approval, positive data has driven delinquency rates down and broadened access to credit for both consumers and firms.
• Based in France, Algoan leverages open banking data to provide credit decisioning services. As France follows a “negative” credit reporting approach, open banking can play a key complementary role by providing positive payment behavior data.

Likewise, open data initiatives are encouraged by countries such as the UK and New Zealand to foster competition and innovation. These public or private initiatives provide freely available data, usually accessible by APIs, to promote open-source technologies and leverage big data. Open data platforms can be reliable sources of traditional and alternative data for CRSPs, provided that security, integrity, and quality conditions are met. However, open data is not without risks. These platforms raise concerns on cybersecurity, fraud, and the ethical use of data. Notwithstanding the potential benefits to CRSPs, open data brings challenges to the credit reporting industry. Fintechs can leverage an extensive amount of data at once to develop credit scores and emerge as competitors to CRSPs.

2.1.5. AI/ML

Artificial intelligence (AI) generally refers to technologies that enable problem-solving by allowing computers to think, understand, and learn. AI enables computers to learn, understand, or think so that they can either do things that at present humans can do better or do things that require massive labor or human time. In essence, AI is the practice of adding human capabilities to machines. CRSPs use AI to offer various products, including, but not limited to, credit scoring models, fraud detection, and personal financial management. Machine learning (ML) is a subset of AI that analyzes patterns in big data from diverse sources and produces reliable outputs. An ML-capable machine or computer can learn from patterns without being explicitly programmed to do so. ML is the type of AI most used for credit decisioning, product recommendations, hiring decisions, and market segmentation (ICCR 2019a).

Traditional forms of automated prediction also use computers to make computations, but they typically rely on programmers to define the basic relationship between the inputs and the target variable. ML algorithms are usually given only the target variable, which is then used in computationally intensive processes to identify relationships between various data inputs and the target variable and produce a predictive model. The ML algorithm thus has the capacity to change computational processes and improve the model’s performance at each step of the process.

ML can find patterns for credit scoring in nontraditional and unstructured data that traditional statistical models find either impossible or difficult to detect. Thus, ML expands the range of information that can be leveraged to assess creditworthiness. As a result, ML models are increasingly used for credit scoring (Figure 2).

Figure 2: ML Steps for Credit Scoring (ICCR 2019a). Steps shown: Collect Raw Data; Combine and Aggregate Data; Engineer Features; Algorithmic Selection; Select Useful Features; Train Dataset; Interpret Results; Validation & Tuning; Credit Scores.

Studies support the idea that AI/ML-based credit scoring models can outperform basic statistical models and that nontraditional data improves an ML-based model (Gambacorta et al. 2019). AI/ML techniques add particular value for predicting the creditworthiness of consumers and businesses with thin credit files. While AI can promote financial inclusion, it involves algorithmic processes for decision-making that are often difficult to interpret or explain. In addition, AI models sometimes use proprietary algorithms. Their decision-making processes are protected as trade secrets, which makes third-party assessments of these algorithms more difficult, as opposed to traditional models.

Explainability is fundamental to understanding and validating the internal behavior of AI/ML systems. Explainability in general refers to the ability to understand the high-level decision-making processes used by a model, and it is relevant to evaluating the model’s overall behavior and fitness for use. Explainability also refers to the ability to identify the basis for individual decisions directed by the model. ML algorithms have a varying degree of intrinsic explainability or interpretability, and in most cases, they behave as black box models. Techniques can be used to help understand AI/ML models despite the opacity of their underlying algorithms (CSSF 2018). While the industry standard uses logistic regression models for credit scoring, CRSPs are working to develop AI/ML models that will satisfy jurisdictions’ concerns and comply with existing and expected regulations (Box 3).

Box 3: Efforts Toward Explainable AI
• Equifax developed a NeuroDecision model that aims to comply with US regulations requiring disclosure of the reasons for an adverse decision on a loan application. The model provides users with logical and actionable reason codes (Equifax 2020a).
• TransUnion has deployed a flexible framework into its ML model development and production scoring processes that enhances explainability while maintaining predictive power, including path-based tree explainability methods, conditional expectations-based Shapley values, and other model diagnostics and feature attribution techniques.
• Trackstar.ai, based in the US, uses historical dispute data to develop a prediction model. Its model claims to leverage explainable AI techniques so that solutions can be analyzed and understood by humans.
• Studies also support the technical possibility of building explainable AI models for credit scoring (Bussmann et al. 2021).

2.1.6. Digital ID & Biometrics

An essential step in producing credit reports is to accurately match and merge data subjects’ identities from various sources of information. Basic identification (ID) data such as names, addresses, and birth dates can be missing in the collected data, especially in developing countries. In some instances, public ID systems may have multiple enumerations. As of 2018, it is estimated that one billion people worldwide do not have essential identity documents (World Bank 2021b). Creating unique IDs for individuals also plays a special role in helping unserved and underserved populations access finance. Accurate identification is also important for business credit reports. In many cases, standard identification data such as a taxpayer ID or business ID is not available or reliable for businesses. CRSPs often use algorithms to analyze data for the unique identification of businesses. As a global initiative, the Financial Stability Board (FSB) created the Global Legal Entity Identifier Foundation to facilitate worldwide adoption of unique Legal Entity Identifiers (LEIs). Some credit registries (as in Germany and Spain) use LEIs to identify businesses, but their use by CRSPs is globally low (World Bank 2018).

From an innovation perspective, algorithms’ improved ability to match pieces of ID-related information and collate them under unique IDs plays a key role in producing accurate credit reports. Biometric tools are used in credit reporting for ID verification through unique physical or behavioral characteristics. Physical (e.g., fingerprints, facial recognition, voice recognition) and behavioral (e.g., typing dynamics, location behavior) characteristics of an individual can be extracted for the purpose of biometric recognition. Wide adoption of smart devices capable of biometric recognition has also been a principal driver in this field. In addition, the COVID-19 pandemic accelerated use of biometric ID verification as an efficient tool to protect against identity fraud while enabling seamless digital onboarding of customers. To this end, CRSPs offer products to properly authenticate and verify identities and help prevent identity fraud.

2.1.7. Cloud Computing

advantage of unused processor capacity. Financial institutions increasingly implement cloud computing with a cloud-first approach that complements legacy IT infrastructures. Not surprisingly, most fintechs adopt a cloud-only or cloud-native approach. Legacy IT infrastructures are still used in the credit reporting industry, but cloud computing is increasingly taking over and is expected to become standard practice for CRSPs (Box 4).

Box 4: Examples of CRSPs’ Use of Cloud Computing
• After the industry’s most significant data breach, Equifax adopted a cloud-native transformation strategy for its credit reporting services (Equifax 2020b).
• TransUnion implemented a hybrid multi-cloud strategy and shifted its on-premise technology to cloud infrastructure.
• Experian built a cloud-based sandbox environment that feasibly enables credit score modeling using large amounts of data.
• Creditinfo leveraged a SaaS solution to develop a regional hub and spoke credit information-sharing system in WAEMU countries.

Cloud services promote a convenient shift to distance working, as seen during the COVID-19 pandemic, ensuring business continuity and operational resilience under severe conditions. Yet cloud computing can facilitate cross-border services in hub and spoke credit reporting infrastructures that serve multiple markets and enable regional integration. Although CRSPs have adopted or are looking to adopt cloud computing, switching to cloud-based services can be challenging. Integrating cloud services with legacy IT systems requires a sound cyber-governance strategy. Also, in many jurisdictions, data sovereignty legislation restricts or prohibits transferring, storing, and processing data at remote cloud servers based outside national borders. For example, when personal data of an EU resident is processed, the CRSP must comply with General Data Protection Regulation (GDPR) requirements, even if it does not directly operate in any EU jurisdiction.

2.1.8.
Distributed Ledger Technologies Cloud computing technologies offer a wide range of on- demand services over the internet, including IT resources Distributed ledger technologies (DLT) allow data to be such as servers, software, storage, databases, etc. Because recorded, accessed, and shared across a distributed network the services are offered on-demand, they eliminate the large of different participants. A “blockchain” can be used in setup costs and initial investments that had been barriers for distributed ledgers to store and transmit data in encrypted businesses. Three of the service models available are SaaS packages called blocks that are connected in a digital chain. (software as a service), IaaS (infrastructure as a service), and Blockchain immutably records transactions of members PaaS (platform as a service). of a shared network without any intermediary. DLT and blockchain technologies have the potential to introduce a Cloud computing technologies use remote server networks greater level of automation, security, and privacy control for for data processing and optimize performance by taking processing data and to disrupt the way information is shared. 14 RESPONSIBLE USE OF TECHNOLOGY IN CREDIT REPORTING CHAPTER 2 While innovation advocates suggest blockchain technology 2.2.1. Benefits and Opportunities can transform the industry (Gohardashy et al. 2018), key challenges exist for enabling a full-scale blockchain-based Big data analytics improves financial inclusion by increasing transformation for credit reporting. These challenges include the data sources used to build credit scores for customer the scalability of IT infrastructures, ensuring data privacy, segments with little or no formal financial borrowing history, and complying with data retention periods (Liu and Hou expanding the reach of lending institutions to otherwise 2021). Fintechs, CRSPs, and especially alternative credit underserved customers. 
To the extent a customer’s digital reporting service providers are exploring ways to use DLT footprint enables creditworthiness assessments as reliable and blockchain to collect and share credit information as those from traditional data sources, mainstream adoption securely and effectively (Box 5). of big data for credit scoring has strong implications for expanding access to credit. US-based startup Bloom developed a decentralized, blockchain-based digital ID platform and partnered with The use of big data analytics has also paved the way for TransUnion to offer free credit scores. creating hyper-personalized services, because lenders can analyze customers’ spending patterns and provide customized Kiva launched Africa’s first national decentralized ID offerings to better suit their needs. Behavioral analysis of system with Hyperledger Indy to issue digital ID to all customers enables creditors to price loans accordingly. citizens of Sierra Leone. As a country with over 80 Digital payments also permit customized collections, such percent of the population unbanked, the open-source as variable repayment based on revenues, thus improving blockchain technology provides a fast, secure, free way the management of credit risk. for the unbanked to open a savings account and move into the formally banked population. Open APIs (application program interfaces) provide readily The People’s Bank of China (PBOC) is working on available and reliable real-time information support for using blockchain to share the credit information of CRSPs, reducing the need for data validation, eliminating regional CRSPs, providing a secure and efficient way potential human errors that happen during manual check- to aggregate information currently available only in ups, and speeding up processing of consumers’ transactions isolated data islands (Source: PBOC). data. 
Further, by connecting other APIs, CRSPs can improve their insights into customer behavior and offer personalized Box 5: Examples of DLT Use in Credit Reporting services. A further benefit is the potential for enhanced Another use of DLTs is in cryptocurrencies. Using DLT or collaboration among financial institutions and CRSPs to centralized ledgers, cryptocurrencies surfaced as a digital better meet customers’ expectations. Over time as more third currency alternative. Bitcoin, Ethereum, and others use parties use APIs, the interfaces mature through multiple online ledgers with strong cryptography to secure online cycles of fixing issues found in various iterations. APIs help transactions. Used more and more widely, cryptocurrencies to scale as multiple partners can use the same API to process are often traded without regulatory oversight by any transactions data. Every iteration using APIs further matures jurisdiction. Notwithstanding the risks, cryptocurrencies the open banking ecosystem and increases trust in API use. are potential sources of alternative data not used by many CRSPs. AI/ML methods allow greater flexibility in analyzing data, often in volumes and at speeds and levels of complexity 2.2. Implications of Innovations in Credit Reporting well beyond what humans can achieve. AI/ML models can improve the ability to infer the entire distribution of The credit reporting ecosystem has evolved significantly potential outcomes and understand the variability of model in the past decade by adopting new technologies and predictions, which can translate into stronger credit risk business models. As a result, the accuracy, depth, and management tools. AI/ML can also capture historical fraud breadth of credit data has been improved. Delivery of patterns and recognize similarities in chains of events before credit reports is much faster, if not instant. Despite the a fraud takes place. 
They can anticipate and detect fraudulent benefits, improved technologies represent a source of risk transactions, cyber-attacks, and related risks. AI/ML can be for credit reporting systems, such as strategic, operational, used to entirely automate lending decisions without need cyber, and compliance risks (BCBS 2019). These risks for human involvement. For example, Experian’s Ascend are in addition to those traditionally associated with credit Intelligence Services provides a lending platform with reporting activities. Hence, CRSPs that adopt and leverage AI-based decision models and strategies to help automate advanced technologies should ensure that their IT and other credit-granting decisions. risk management processes and control environments can effectively address new sources of risk. Biometrics is a proven, reliable way to authenticate identities and is the method most resistant to counterfeiting RESPONSIBLE USE OF TECHNOLOGY IN CREDIT REPORTING 15 CHAPTER 2 and spoofing, though it can be abused if oversight is lacking. Biometrics automates and smooths customer identification Colendi, based in Turkey, uses a blockchain-based and verification processes hassle-free for the credit reporting decentralized platform that leverages AI to generate credit scores based on alternative data. Its users authorize industry and hence serves as a valuable solution for regulatory Colendi to read their data on smartphones or social media know-your-customer requirements. Digital ID technologies to be analyzed through integrated blockchain nodes. also enable CRSPs to verify customers’ identities rapidly and cost-effectively. In addition, it can provide real-time Ledger Score, based in Estonia, offers users a credit credit reporting services with fewer concerns about identity scoring platform that leverages their cryptocurrency theft and similar impersonation-related threats. transactions data. 
It removes the anonymity of crypto transactions by digitally verifying individuals and Cloud computing’s principal advantage is its cost- businesses. effectiveness, as it removes the necessity to invest in and maintain in-house IT infrastructure. Using cloud computing Future Finance, based in Ireland, produces credit scores for university students and offers affordable loans. Its services, a CRSP has the flexibility to scale up or scale proprietary algorithm predicts future loan affordability down operations and storage as needed. Ability to scale based on assessing continuation rates to school and also minimizes the risks involved in in-house operations employment rates after graduation. and maintenance. Cloud computing also reduces the risk of downtime that could lead to a loss in productivity, reliability, Amartha in Indonesia developed AI/ML algorithms and reputation. For example, having previous versions of to evaluate the psychometric test results of women credit reporting software stored in the cloud and running on entrepreneurs in rural areas. They target a customer multiple cloud availability zones allows faster recovery from segment that often does not have access to mainstream disasters. If one zone goes down for any reason, the system financial services. will automatically failover to working regions without any Nova Credit enables a consumer-driven, cross-border interruption for users. credit information sharing platform that allows individuals to transfer their credit reports from nine countries to the DLT permits secure sharing, viewing, and storing of digital US to be transformed into a credit score applicable in the information. Furthermore, its use of cryptography encryption US. brings security and transparency of data to new levels. Decentralized ledgers can secure the digital databases, Credit Vidya in India offers alternative data-based credit making the system immune to cybercrime, as all copies scores for first-time and underserved borrowers. 
It stored across the network must be attacked simultaneously collects customers’ digital footprints (e.g., contacts, SMS, for any cyberattack to succeed. Decentralization also reduces location) and uses ML and big data analytics to assess operational costs and increases efficiency in the long run, creditworthiness. providing more opportunities to work on separate projects Social Lender in Nigeria offers access to finance by simultaneously. assessing the social reputation of users on mobile, online, and social community platforms. Its algorithm performs a 2.2.2. The Emergence of Alternative Credit Reporting social audit of the user and calculates a social reputation Service Providers score. New technologies combined with new data sources enable Farm Drive in Kenya focuses on alternative credit scores alternative credit reporting service providers to rapidly for smallholder farmers. It leverages mobile phones and develop innovative products. The potential transformation of other alternative data with ML tools and aims to close the the financial industry by innovative entities has implications credit information gap for farmers and help them access for the credit reporting systems as well. As strong innovators, finance. globally active CRSPs closely follow developments in the fintech ecosystems. In the meantime, fintechs are emerging Cignifi in the US and Brazil leverages mobile phone data and other nontraditional data to help financial institutions as competitors or challengers to the existing CRSPs and are and telcos serve underserved consumer segments. It filling gaps that the industry has not been able to address. uses proprietary big-data-based AI analytics tools. Box 6 provides a non-exhaustive selection of case examples of companies involved in credit reporting activities. Kiva, based in the US, uses a social underwriting process to evaluate creditworthiness. Kiva seeks financially excluded borrowers or businesses with positive social impact. 
In lieu of requiring credit scores, Kiva uses a social-network-driven fundraising tool to increase Box 6: Case Examples of Alternative Credit Reporting Service Providers commitment to credit repayment. 16 RESPONSIBLE USE OF TECHNOLOGY IN CREDIT REPORTING CHAPTER 2 2.2.3. Risks and Challenges CRSPs will not be able to use the information, as its validity will be questionable. CRSPs sharing APIs with third parties Innovations often come with operational and cyber risks. also risk being subject to phishing by cybercriminals who CRSPs are potential targets of cyberattacks, and data pretend to be fintech companies seeking to collect customer- breaches can cause significant harm. Without effective related sensitive data. information security and control environments and sound risk management, innovative technologies can expose Open banking ecosystems involve various stakeholders CRSPs to cyber incidents. Also, data or model breaches can such as data providers, third-party providers, consumers, expose consumers to risk, as their personally identifiable and government agencies. As such, if a dispute arises, data may be sold in black markets and make them targets for the resolution mechanism becomes challenging and blackmails or scams. Breaches to models may also expose complicated. For example, a grievance filed by the customer CRSPs to loss of trade secrets and competitive advantage as could be due to an issue with any of the stakeholders. Due well as reputational risks. In addition, data breaches can ruin to the number of moving parts in the information-sharing confidence in credit reporting systems and potentially affect ecosystem, however, linking the fault to a specific party will the credit system as well. be difficult. A proper investigation and routing mechanism for dispute resolution is thus crucial. 
Big data analytics is becoming a key source for CRSPs, bringing with it the responsibility to protect the confidentiality Most AI/ML systems are considered black boxes that lack and security of personal and potentially sensitive data. transparency as to how or why they reach a particular Implementing big data systems bears the risk of infringing decision or score. However, consumers personally impacted on consumer privacy and consent rights. Continuous by AI-based decisions can benefit from feedback on the availability of big data sources also raises concerns of over- reason for a rejection or a low score. This feedback is dependency on third-party data providers. constructive, helping consumers build up their credit score or get loan approval in a following round. This challenges Using alternative data sources heightens regulatory and AI/ML systems, which may not be able to provide such compliance risks with respect to personal data protection feedback. legislation. Therefore, as is necessary under relevant regulations, CRSPs must undertake compliance assessments AI/ML systems may not uphold optimal decision-making and to ensure individuals are informed and have consented to can produce unexpected outputs. In lending, ML models have have their data collected, processed, used, and shared. the potential to replicate or amplify historical discrimination if faulty lending data was used to train the model. The Most big data sources are still not readily available, as biases could be due to the data used or to the humans that most APIs and other information-sharing technologies are developed the systems. Bias risk becomes apparent when currently being developed. In addition, most entities still do it is not possible to demonstrate how changes in individual not have procedures in place for sharing these data securely data elements affect the output. Discrimination is suggested with the CRSPs. 
Big data is mainly being used to supplement when an individual’s credit score is lower, seemingly due the traditional data and still cannot serve as a stand-alone to the AI’s biased decision based on the individual’s region, tool for assessing creditworthiness. Also, big data can be religion, political view, ethnicity, or sexual preference. Thus, artificially manipulated, especially if nonfinancial data while AI/ML removes the conscious and unconscious biases points are used as a stand-alone measurement. of human-based assessments, it also has the potential to impede progress in anti-discrimination practices in human Open third-party APIs inherently involve differences in judgments. security standards as the operations of the third-party provider (TPP) is not controlled by the CRSP. Thus, if Unlike human assessors who can adapt to a given situation, the TPP does not comply with specific security measures, AI/ML requires substantial amounts of historical data to cyberthreats may affect the CRSPs. A reputational risk also predict future outcomes or develop a credit score. However, arises from collaborating with TPPs. If the TPP engages in a primary requirement for both is a sufficient quantity of an unethical or other unfavorable practice, it would reflect verified, accurate data. Without that, AI/ML will not derive negatively upon the CRSPs as well. a reliable prediction. The unavailability or inadequacy of such data to train/feed the AI/ML models is thus a significant Open APIs create an ecosystem of collaboration in which challenge. customers are informed about all parties that can share their data. When operating through open APIs, the customer owns Biometric databases include vulnerable and sensitive his/her data. However, if the security of the data is breached, personal information. Certain data can be locked with RESPONSIBLE USE OF TECHNOLOGY IN CREDIT REPORTING 17 CHAPTER 2 passwords, while the biometric data itself cannot be changed. services to the CRSP. 
However, going forward, it is likely This carries the risk of false negatives when there are slight that the technology will be regulated, and its effects on the differences in the data subject, such as a change in facial already implemented technologies and their future remains complexion. The biometrics database can also be threatened uncertain. by cybercriminals breaching the system and stealing data. As biometrics are used as secure authentication with less human While also being one of the main advantages, the main checking, frauds may go unnoticed for extended periods. downside of DLT is that it creates an immutable database, Digital ID systems also involve the risk of exploiting or which means information, once stored, cannot be deleted, controlling individuals through at-scale surveillance, social and any updates are permanently recorded. Further, CRSPs profiling, or algorithmic discrimination. face the risk of storing all personal data in one system. As the GDPR and many other data protection laws require For several reasons, some digital ID systems are unable to personal data to be deleted after a specified period, using an cover most of the people for which they were intended to immutable database conflicts with such requirements. Also, work. These include those unable to pay, but also individuals even though DLT has a great number of potential benefits, lacking correct documentation or who demonstrate digital the technology is still in the experimental stage; its resilience illiteracy or resistance to digital ID technology. For example, in various environments has yet to be proven. the gov.uk service currently has a coverage success rate of 45 percent. Also, most jurisdictions lack proper functioning Certain consensus protocols used in DLT, such as “proof biometric regulations. As existing regulations are subject of work,” use excessive amounts of energy, posing a to change in each jurisdiction, and no globally accepted novel environmental challenge. 
Unless greener ways of regulatory standard exists, lack of standardization affects the implementing DLTs (such as exploring methods of “proof efficiency of biometric technologies. Also, it results in sub- of stake”) are effectively employed, the benefits derived par maintenance of the sensitive biometric data gathered. from the technology could be offset by its impacts on sustainability. Cloud computing raises potential risks that include the lack of visibility within cloud applications, theft of data from a cloud application, incomplete control over who can access sensitive data, and inability to monitor data in transit to and from cloud applications. Beside its benefits, cloud computing can result in third-party vendor risk. Cloud service providers and any outsourced third-party service providers must operate under robust standards and service levels. Due to the nature of its services, any interruptions in cloud computing systems directly affect the day-to-day operations of CRSPs. Any problems in the cloud services can also harm the resilience of the credit reporting system. Cloud computing stores large amounts of sensitive and personal information for internal use. Unsecured internet connections can potentially increase the risk of cyberattacks. In the event of a security breach, cybercriminals could access information stored on credit reporting systems. In response to such risks, many data protection laws confine personal information, including credit and financial information, to within a country, constraining the credit reporting industry’s use of cloud computing services. DLTs provide decentralized, open, and permissionless services, but this is also a barrier to industry regulation, especially as no one owner can be identified as responsible. The uptake of DLT in the credit reporting industry has been for more private and permissioned ledgers such as digital ID systems. 
These use outsourcing regulatory frameworks, which bind the administrator/owner of the DLT providing 18 RESPONSIBLE USE OF TECHNOLOGY IN CREDIT REPORTING CHAPTER 2 RESPONSIBLE USE OF TECHNOLOGY IN CREDIT REPORTING 19 Chapter 3 Stocktake and Analysis of Responsible Use of Technology Frameworks As use of disruptive technologies gradually increased, defend, and exercise human rights, but they can also be used concerns arose over their possible unethical use or misuse. to suppress, limit, and violate human rights (UN n.d.). Since Therefore, international bodies and regulatory agencies existing human rights treaties were signed in a pre-digital have issued high-level principles, guidance documents, and era, possible protection gaps caused by evolving digital regulatory directives on responsible technology use. This technologies remain to be addressed. effort is still in its infancy, however, and only a few countries have implemented material guidance. In most cases, these In response, the United Nations (UN) developed its Guiding directives have focused on the ethical use of AI/ML. Principles on Business and Human Rights (2011), calling on all business enterprises, regardless of size, sector, operational This section provides information on some of the key context, ownership, or structure, to respect human rights. frameworks along with their scope and high-level principles, The principles require businesses to do the following: based on the main types of technologies, to shed light on the development of principles for responsible use of technology 1. Avoid causing or contributing to adverse human rights in the credit reporting industry. This selection relies on impacts through their own activities, and address such criteria such as the global applicability, relevance to the credit impacts when they occur; and reporting industry, and suitability of the framework from the 2. 
Seek to prevent or mitigate adverse human rights impacts perspective of responsible technology use. Given the scale directly linked to their operations, products, or services and broad scope of the issues, this selection is not exhaustive; or by their business relationships, even if they have not for further reference, additional frameworks developed by contributed to those impacts. policy makers, regulators, international organizations, and industry associations are briefly discussed in Appendix A. In particular, the UN advises that business enterprises should have in place policies and processes appropriate to their size 3.1. Ethics and Human Rights for Responsible Use and circumstances, including: Generally, frameworks on responsible use aim to address 1. A policy commitment to meet their responsibility to both ethics, and human rights. While ethics relates primarily respect human rights; to human values, human rights are primarily associated with 2. Human rights due diligence processes to identify, human entitlements. The two are strongly linked, however, prevent, mitigate, and account for how they address sharing two fundamental goals: protecting society from their impacts on human rights; and harm and enhancing citizens’ quality of life (Gauthier 2009). 3. Processes to enable the remediation of any adverse To inform an organization’s decision-making process, human rights impacts they cause or contribute to. principles for responsible use of technology thus require an effective combination of approaches based on both ethics The extensive use of digital technologies has also raised and human rights. A robust and holistic framework that can concerns from an ethics perspective. Mainly focusing on the both realize benefits and mitigate risks will consider the two use of AI, several countries and organizations have published approaches as complementary. The rights-based approach ethical frameworks to address these concerns. 
is grounded in universally agreed international laws and norms, and the ethics-based approach covers broader issues such as fairness, inclusiveness, social justice, and cultural contexts. A rights-based approach provides a foundation for applying ethical principles, choices, and judgments (WEF 2020a).

Digital technologies provide new means to advocate,

For example, WEF issued the “Ethics by Design: An Organizational Approach to Responsible Use of Technology” (WEF 2020b). For ethical design, development, and deployment of technology, the paper suggests three design principles for incorporating and promoting ethical behavior into any organization’s technology practices:

1. Attention: Timely reminders, checklists, frequent refresher trainings, and other means to help ensure that ethical considerations are top-of-mind at crucial decision points.
2. Construal: Mission statements, deliberate choices of ethically freighted language, employee onboarding sessions, and periodic trainings involving ethical deliberation, and other interventions to promote ethical considerations.
3. Motivation: Encouraging prosocial actions, employing social “norm nudge” interventions, and other culture-change activities to motivate ethical behavior.

3.2. Big Data

The United Nations Development Group (UNDG) issued a guidance note on big data, focusing on data privacy, ethics, and protection and applicable to all member entities within the UN (2017). The guidance note is designed to establish common principles across UNDG to support the operational use of big data to achieve sustainable development goals; serve as a risk-management tool, taking into account fundamental human rights; and set principles for obtaining, retaining, using, and assuring quality control for private sector data. The principles covered include the following:

1. Data should be obtained, collected, analyzed, or otherwise used through lawful, legitimate, and fair means.
2. Any data use must be compatible or otherwise relevant and not excessive in relation to the purposes for which it was obtained.
3. A risks, harms, and benefits assessment that accounts for data protection and data privacy, as well as ethics of data use, should be conducted.
4. Stricter standards of data protection should be employed while obtaining, accessing, collecting, analyzing, or otherwise using any type of sensitive data.
5. Robust technical and organizational safeguards should be implemented to ensure proper data security management throughout the data lifecycle.
6. Data access, analysis, or other use should be kept to the minimum amount necessary to fulfill its purpose, and the amount and granularity of data should also be limited to the minimum necessary.
7. Data should be validated for accuracy, relevancy, sufficiency, integrity, completeness, usability, validity, and coherence and should be kept up to date.
8. Appropriate governance and accountability mechanisms should be established to monitor compliance with relevant laws and the highest standards of confidentiality and moral and ethical conduct with regard to data use.
9. Third-party collaborators engaged in data use should act in compliance with relevant laws, as well as the highest standards of confidentiality and moral and ethical conduct.

Similarly, the International Committee on Credit Reporting (ICCR) issued a guidance note on the Use of Alternative Data to Enhance Credit Reporting. The report outlines several policy recommendations to promote the adoption and use of alternative data for credit reporting, while mitigating the risks inherent in such use (ICCR 2018). The recommendations particularly relevant to the use of technology include the following:

1. Increasing the availability of unique identifiers for individuals and businesses.
2. Providing access to national ID databases for validation purposes.
3. Promoting the development and provision of access to open data systems and standards.
4. Increasing the availability of digital footprints by promoting the use of digital platforms and digitization of the services of relevant government agencies.
5. Assessing the feasibility of implementing global unique identifiers for businesses or individuals for cross-border use and data sharing.

3.3. Open Banking & Open APIs

Open banking ecosystems vary across jurisdictions. In jurisdictions with no specific regulatory intervention, such as the US or Singapore, bilateral agreements between banks and third parties can set the conditions for access to banks’ APIs, security and data protection requirements, and other obligations for each party. In other jurisdictions, such as Japan or Hong Kong, high-level regulatory guidelines for open banking rely on banks for specifics. In jurisdictions with mandatory open banking models, banks are required to grant third-party access to bank accounts, accompanied by a regulatory framework that sets a specific regime for the third parties (EU).

As an example, the Open Banking Implementation Entity (OBIE) in the UK developed standards and guidelines to foster the use of open banking. The standards include the principles for informed decision-making, simple and easy navigation, parity of experience, and familiarity and trust, all intended to enable a well-designed data sharing experience while protecting vulnerable customers. The principles outline the following:

1. Transparency of choice, action, and the consequences of actions for clarifying rights and responsibilities of data sharing and how the relationship works.
2. Control, maximizing the customer’s sense of control over what data is shared and its data frames, enabling users to make informed decisions and choices.
3. Speed appropriate to the customer and the data sharing experience undertaken.
4. Security precautions, with explicit clarity and reassurance in relation to data definition, use, and protection.

The principles of control, speed, transparency, and security overall aim to create a trust environment for the customer (OBIE n.d.).

3.4. AI/ML

AI/ML use to assess creditworthiness is on the radar of regulatory authorities regarding data privacy, transparency in models, and fairness and explainability of outputs. Most regulations protect to some degree against discriminatory practices in credit scoring (e.g., in the US and the EU). The use of AI/ML is an area of particular concern, however, as some of these proprietary algorithms work as black boxes, rendering their decision-making methods only inconsistently transparent. In the US, AI models must address the adverse action notice requirements of the Fair Credit Reporting Act (FCRA), which applies when denial of a loan application is based in whole or in part on a credit score obtained from a CRSP; creditors must disclose the key factors that adversely affected the score. The EU has proposed a regulation to introduce harmonized rules on AI, following a risk-based approach to protect the fundamental rights and safety of individuals and businesses, while supporting innovation (EU 2021). In line with a risk-based approach, AI systems falling into the high-risk category include credit scoring models. In this sense, credit scoring models that use AI will be subject to strict obligations such as:

1. Adequate risk assessment and mitigation systems and appropriate human oversight to minimize risk.
2. High-quality datasets feeding the system to minimize risks and discriminatory outcomes.
3. Logging of activity to ensure traceability of results.
4. Detailed documentation with all necessary information for authorities to assess compliance.
5. Clear and adequate information to the data subjects.
6. High level of robustness, security, and accuracy.

The ethics perspective of AI/ML requires policy considerations on a broader level. Many policy frameworks for AI/ML use have been published globally. For example, the Monetary Authority of Singapore (MAS) published principles to promote fairness, ethics, accountability, and transparency (FEAT) in the use of AI and data analytics for the financial sector (MAS 2018). The principles provide high-level guidance on justifiability, accuracy, and bias, ethics, internal and external accountability, and transparency. ICCR, too, recommends that credit scoring models be explainable, transparent, and fair. The data used and the decisions made on the basis of credit scoring should operate within equal opportunity or anti-discrimination laws (ICCR 2019a). An overview of common regulatory principles relating to AI/ML use in comparison with traditional credit scoring models appears in Table 1.

UNESCO recently published the first global standard-setting instrument on the ethics of AI in the form of a recommendation (UNESCO 2021) providing the following principles:

1. Proportionality and do no harm
2. Safety and security
3. Fairness and non-discrimination
4. Sustainability
5. Right to privacy and data protection
6. Human oversight and determination
7. Transparency and explainability
8. Responsibility and accountability
9. Awareness and literacy
10. Multi-stakeholder and adaptive governance and collaboration

| Principle | Common Themes |
| --- | --- |
| Reliability/Soundness | In general, expectations are similar to those for traditional models. For AI models, assessing reliability and soundness of model outcomes is viewed from the perspective of avoiding harm (e.g., discrimination) to consumers. |
| Accountability | Similar to expectations outlined in general accountability or governance requirements, but human involvement is viewed as more necessary. For AI models, accountability includes “external accountability” to ascertain that data subjects (e.g., prospective or existing customers) are aware of AI-driven decisions and have channels for recourse. |
| Transparency | Similar expectations as related to explainability and auditability. For AI models, external disclosure (e.g., data used to make AI-driven decisions and how the data affects the decision) to data subjects is also expected. |
| Fairness | Stronger emphasis in AI models. Expectations on fairness relate to addressing or preventing biases in AI models that could lead to discriminatory outcomes, but otherwise “fairness” is not typically defined. |
| Ethics | Stronger emphasis in AI models. Ethics expectations are broader than “fairness” and relate to ascertaining that customers will not be exploited or harmed, through bias, discrimination, or other causes (e.g., AI that uses illegally obtained information). |

Table 1: Common AI/ML Principles (Yong 2021)

3.5. Digital ID & Biometrics

Digital identification tools are key to increasing the coverage of credit reporting systems. The World Bank issued principles on identification for sustainable development in the digital age. The document, as endorsed by the UN and several national and international organizations and international financial institutions, outlines the following key considerations:

1. Ensuring universal access for individuals, free from discrimination.
2. Removing barriers to access and use.
3. Establishing a trusted (unique, secure, and accurate) identity.
4. Creating a responsive and interoperable platform.
5. Using open standards and preventing vendor and technology lock-in.
6. Protecting privacy and agency through system design.
7. Planning for financial and operational sustainability.
8. Protecting personal data, maintaining cyber security, and safeguarding people’s rights through a comprehensive legal and regulatory framework.
9. Establishing clear institutional mandates and accountability.
10. Enforcing legal and trust frameworks through independent oversight and adjudication of grievances.

CRSPs use biometrics in a range of products. The Biometrics Institute identifies the following seven principles for addressing ethical issues relating specifically to biometrics.

1. Ethical behavior, that is, avoiding actions that harm people and the environment beyond legal requirements.
2. Ownership of the biometric and respect for individuals’ personal data, as treated with the utmost care.
3. Serving humans, which entails accounting for public good, community safety, and net benefits to individuals.
4. Justice and accountability, by accepting principles of openness, independent oversight, accountability, and the right of appeal and appropriate redress.
5. Promoting privacy-enhancing technology of the highest quality for accuracy, error detection, and repair, with robust systems and quality control.
6. Recognizing the dignity of individuals and families, in line with the UN Universal Declaration of Human Rights.
7. Equality, entailing preventing discrimination or systemic bias.

3.6. Cloud Computing

The International Organization of Securities Commissions (IOSCO) developed its guidance document on the Principles on Outsourcing, updating it to cover cloud service providers (CSP). The document outlines the following principles for credit reporting activities by cloud services:

1. Conduct suitable due diligence in selecting an appropriate CSP and monitoring its ongoing performance.
2. Enter into a legally binding written contract with each CSP, the nature and detail of which are appropriate to the materiality or criticality of the outsourced task.
3. Ensure both the CRSP and any CSP establish procedures and controls to protect proprietary and client-related information and software and ensure a continuity of services, including a plan for disaster recovery, with periodic testing of backup facilities.
4. Ensure that CSPs protect confidential information and data related to the regulated entity and its clients, from intentional or inadvertent unauthorized disclosure to third parties.
5. Be aware of the risks posed and manage them effectively, where the CRSP depends on a single CSP for material or critical outsourced tasks or where it is aware that one CSP provides material or critical outsourcing services to multiple entities including itself.
6. Ensure that the CRSP’s regulator, its auditors, and itself are able to obtain promptly, upon request, information concerning outsourced tasks relevant to contractual compliance and/or regulatory oversight, including, as necessary, access to the data, IT systems, premises, and personnel of CSPs relating to the outsourced tasks.
7. Include written provisions relating to the termination of outsourced tasks in the CRSP’s contract with CSPs and ensure that the CRSP maintains appropriate exit strategies.

3.7. Distributed Ledger Technologies

The International Telecommunication Union (ITU), as the UN’s specialized agency for information and communication technologies, published a technical paper that discusses the key features of DLT and its associated regulatory challenges (ITU 2019b). Examples of approaches that users, regulators, and solution providers could use to address these challenges are discussed in the paper, along with the following recommendations:

1. Distribution and ledger sharing: Civil and criminal liability for blockchain distributed control, decentralized controllers/managers (human or not), authoritative sources of records and data, and DLT-record and other related digital sources of legal proof.
2. Autonomy and responsibility: Considering pro-transparency measures early at the design stage, setting on-chain dispute resolution tools on a case-by-case basis prior to an off-chain solution, to be complemented by consumer protection regimes, and increasing the level of trust with tools like certification of smart contracts.
3. Tamper evidence and resistance: Framework standardization for use of symmetric cryptography, enhanced public key infrastructure standardization, avoiding storing clear-text personal data on blockchain, using sidechains or other private storage options for sensitive data, using zero-knowledge proofs where possible, applying additional measures when storing hashes of personal data, avoiding relying solely on consent in the context of personal data, and performing a data protection impact analysis.
4. Incentive mechanism and digital assets: Consider developing interoperability specifications at the right levels where appropriate.
5. Openness, transparency, and anonymity: Adjust the level of openness and transparency of the DLT protocol in accordance with relevant regulations.

Chapter 4: Principles for the Responsible Use of Technology in Credit Reporting

The principles discussed here are meant to ensure responsible technology use in credit reporting activities. Applying the proposed principles will help the credit reporting industry make the best, most responsible use of disruptive technologies to the benefit of all stakeholders. To ensure this objective, the principles are written to apply to all types of technologies used in credit reporting activities rather than to specific technologies or types of CRSPs. This is particularly important given the evolving nature of credit reporting systems as technology advances.

This section outlines ten principles for responsible use of technology in credit reporting (Box 7). Participants in credit reporting systems are expected to apply the principles according to their use of the technologies. The principles are not mutually exclusive from one technology to another, and should be considered in their totality. Finally, as noted, the principles are technology agnostic: they do not focus on specific systems, software, or technology and should be applied regardless of development language or data storage methods.

Box 7: Principles for Responsible Use of Technology in Credit Reporting

1. Fairness: Credit reporting systems should ensure the fair use of technologies deployed in their operations. Technology-driven credit reporting products should at all times protect the fundamental rights of individuals and should not discriminate against any individuals, groups of consumers, or SMEs.
2. Ethics: Credit reporting system participants should ensure that any technology they adopt and use complies with their corporate values, codes of conduct, and highest ethical standards. Technology-driven decisions should be held to at least the same ethical standards as human-driven decisions.
3. Accountability: Credit reporting system participants are accountable for the use of both internally developed and externally resourced technologies. Appropriate governance mechanisms should be in place to oversee the processes of technology-driven credit reporting products.
4. Transparency: Credit reporting system participants should ensure that the techniques and methods used in their technology-driven decisions are explainable, assessable, and understandable by relevant stakeholders.
5. Security and Robustness: Credit reporting systems should be governed by an appropriate data security framework to ensure the confidentiality, integrity, and availability of information at all times. The robustness of technologies should be ensured to avoid unintentional harm to individuals.
6. Lawfulness: Credit reporting system participants should ensure that the use of data and technologies is lawful and complies with relevant regulations and professional standards.
7. Privacy: Credit reporting system participants should protect the privacy of data subjects while accessing, collecting, analyzing, processing, and distributing their data for credit reporting.
8. Sustainability and Well-Being: Technologies employed in credit reporting systems should support human well-being and be sustainable in all human, social, cultural, economic, and environmental aspects.
9. Inclusivity: The adoption and use of technological innovations in credit reporting systems must not result in or accentuate the exclusion of any individual or group of individuals.
10. Trust: Technologies employed in credit reporting systems should be considered trustworthy in the eyes of stakeholders, including data subjects and financial institutions.

4.1. Principle 1: Fairness

Credit reporting systems should ensure the fair use of technologies deployed in their operations. Technology-driven credit reporting products should at all times protect the fundamental rights of individuals and should not discriminate against any individuals, groups of consumers, or SMEs.

CRSPs should ensure both the substantive and the procedural fairness of their products. Substantive fairness ensures that individuals and groups are free from unfair bias, discrimination, and stigmatization and that in creating equal opportunity in terms of access to financial services due care is taken to ensure technology use does not lead to individuals being unjustifiably impaired. Over and above these points, procedural fairness assures individuals they have the ability to contest and seek effective redress against technology-driven decisions and CRSPs.

CRSPs should ensure that use of AI/ML does not result in bias and discrimination against individuals or protected groups; rather, it should promote positive discrimination of previously marginalized people. Beyond potential algorithmic bias, CRSPs should ensure that the underlying training data on which AI/ML systems are built are inclusive and unbiased by implementing pre-processing techniques like optimized pre-processing, suppression, massaging, reweighing, and sampling. In addition, in-processing techniques such as adversarial debiasing, regularization, or surrogate models, and post-processing techniques, like statistical calibration, should be employed to ensure models are fair. CRSPs should categorically consider human rights at every stage of AI/ML systems development and endeavor to conduct a search for the least discriminatory alternative models prior to deployment.

CRSPs should establish a model governance framework and an AI/ML-specific risk management framework for credit scoring models to ensure scores are fair. Scoring models should use lawfully obtained, clear, understandable, disclosable data. Rigorous validation, testing, and back-testing of models should be performed to confirm the accuracy and reliability of technology-driven outputs. In addition, the methods and techniques employed should be independently assessable and auditable.

CRSPs should ensure the fairness of biometric systems used in their services. Sensitive information such as gender or race identifiable through biometrics should only be employed to verify identity and should not be accessible for any other subjective assessment tools.

4.2. Principle 2: Ethics

Credit reporting system participants should ensure that any technology they adopt and use complies with their corporate values, codes of conduct, and highest ethical standards. Technology-driven decisions should be held to at least the same ethical standards as human-driven decisions.

CRSPs should establish and maintain the highest level of ethical standards in the use of technology. Appropriate tools such as mission statements, periodic trainings, and social activities should promote ethical behavior throughout the organization. The ethical standards of a CRSP should also be supported by codes of conduct and human-centered corporate values. Ethical considerations should ensure that individuals are not in any way exploited or harmed through bias, discrimination, or any other means, such as unlawfully obtained information.

CRSPs should recognize the dignity and equal rights of individuals and should use technology in a way that serves humans, taking into account the public good, community safety, and net benefits to individuals.

AI/ML-based systems should operate in line with the highest ethical standards for CRSPs. The ethical considerations in the use of AI/ML should be monitored by appropriate human agency and oversight. CRSPs should ensure staff dealing with AI/ML systems are adequately trained to interpret AI model output and decisions and to detect and manage data bias. To contribute to objectivity and respect for various perspectives, needs, and objectives, staff teams that design, develop, test, and deploy AI/ML systems should reflect the diversity of users and of society in general.

4.3. Principle 3: Accountability

Credit reporting system participants are accountable for the use of both internally developed and externally resourced technologies. Appropriate governance mechanisms should be in place to oversee the processes of technology-driven credit reporting products.

AI/ML-based systems used at CRSPs should be governed by an appropriate internal accountability mechanism. Decision-making processes driven by AI/ML should be tested, monitored, approved, and authorized by responsible authorities throughout the organization. The board of directors and senior management are accountable for the use of AI/ML systems, including self-learning algorithms. Senior management should develop, with board approval, a clearly defined model governance framework to establish the roles and responsibilities in developing and monitoring AI/ML system operations.

The explainability, traceability, and auditability properties of AI/ML systems should allow independent third parties to assess and develop qualified opinions. The decision-making process in these systems should be appropriately traceable for human oversight in testing, validation, back-testing, and calibration phases.

An appropriate validation process should be in place for AI/ML-based systems prior to their use for credit reporting. This initial validation should be performed or at least examined by an independent function not involved in the original modeling process. For ongoing validation at regular intervals, factors that trigger ad hoc validation and recalibration of the AI/ML system should be determined.

CRSPs are accountable for the extraction of alternative data and the design of AI/ML algorithms and processes and should provide accessible redress mechanisms. Data subjects should have available appropriate communication channels to enquire about, appeal, and request review of AI/ML-based decisions that affect them. Verified and relevant supplementary data provided by data subjects should be taken into account when performing such reviews.

CRSPs are accountable for the services provided to the consumer and for the proper use of data accessed through APIs. Data providers and CRSPs are both accountable for ensuring data security when using APIs. Accountability in terms of API technology lies with the ultimate aggregator/collector of the API data, which should be accountable to customers in any dispute. A responsible data management model covering legal and other concerns should be established with clearly defined ownership and liabilities for all parties.

CRSPs are accountable for managing the biometrics and digital identification data and their security to the extent they act as collecting agencies of such data. The roles and responsibilities should be defined for designing and managing the privacy protection of biometrics data.

CRSPs are accountable for assessing, managing, and monitoring their relationship with cloud service providers as well as other third-party vendors. Outsourcing policies and processes should cover the conduct of appropriate due diligence for selecting service providers, managing the risks associated with outsourcing agreements, maintaining an effective control environment over data, and establishing viable contingency plans to ensure business continuity.

4.4. Principle 4: Transparency

Credit reporting system participants should ensure that the techniques and methods used in their technology-driven decisions are explainable, assessable, and understandable by relevant stakeholders.

CRSPs should disclose to the public their credit reporting activities, technology policies, ethical values, and codes of conduct. CRSPs should proactively disclose the use of AI/ML-based systems, their implications, and the measures to mitigate potential risks to data subjects and other stakeholders. Use of AI/ML-based systems should be transparent in terms of their use, the extent of data feeding the systems, and how the system produces its particular outcomes.

AI/ML systems should be explainable and interpretable by relevant stakeholders. CRSPs should be able to provide data subjects, upon request, clear explanations on the data used to make AI/ML-driven decisions about the subject and how the data affects the decision. Disclosures to data subjects should be in the form of plain information on the factors forming the basis for the decision. The elements should each be shown separately to identify the relative weight or significance they bear on the final decision, along with the detailed logic on why that driver would be calculated as a positive or a negative factor within the model.

Adequate documentation should be provided so that AI/ML-based systems can be verified by independent third parties. In particular, the selection process of the model, model calibration and training, and model validation procedures must be adequately documented. AI/ML-based models should be traceable in the sense that their decisions, and the datasets and processes that yield the decisions, are documented in an easily understandable way.

CRSPs using big data and/or alternative data should be transparent on the types and sources of data and the process for gathering, storing, and using it. The types of data that provide the basis of credit reporting products should be clear, understandable, and disclosable to the data subjects.

CRSPs should be transparent about their dealings with data subjects’ biometric data. Biometric data should only be shared with third parties if required, and only after obtaining the individual’s unambiguous and informed consent. Data subjects should be able to know at any given time the extent of information accessed about them, and CRSPs should provide simple, fast, and efficient procedures that allow data subjects to withdraw consent at any time and without any undue delay or cost or any gain to the collector/holder of such information.

CRSPs should be transparent in their use of cloud service providers, particularly in data management. CRSPs should ensure that information concerning outsourced tasks relevant to data subjects, data users, and data providers is disclosed appropriately to the relevant stakeholders.

4.5. Principle 5: Security and Robustness

Credit reporting systems should be governed by an appropriate data security framework to ensure the confidentiality, integrity, and availability of information at all times. The robustness of technologies should be ensured to avoid unintentional harm to individuals.

CRSPs should develop and employ an appropriate data security framework, reviewed and updated as needed, that accounts for potential risks associated with the use of new technologies. The framework should cover effective board oversight, clearly defined and documented roles and responsibilities for information security functions, and allocation of adequate staff with necessary qualifications and appropriate budgets to ensure sound management of information security and cyber risks. CRSPs should employ control and risk mitigation tools for data management, such as minimum access, access recertification, user accountability, activity logs, or authentication measures. Regular cyber audits should assess and assure the safety and soundness of credit reporting activities against cyber risks, with a risk-based approach.

AI/ML systems should be verifiably safe and secure throughout their processes. AI/ML should be developed and used in a technically robust way to ensure that they reliably behave as intended while unintentional and unexpected harm is minimized and unacceptable harm is prevented. AI/ML systems should be protected against confidentiality and integrity attacks on their architecture and underlying data to avoid adversarial outputs to data subjects or CRSPs. CRSPs should ensure AI/ML systems are robust against potential vulnerabilities such as data poisoning, adversarial attacks, or model extraction attacks that could lead to unreliable outputs. Sufficiently robust models can contribute toward building trust in AI/ML system output.

Outsourcing policies for third-party providers should include appropriate and proportionate consideration of minimum cybersecurity standards, data retention periods, data encryption requirements, network security processes, and cyber incident handling plans.

4.6. Principle 6: Lawfulness

Credit reporting system participants should ensure that the use of data and technologies is lawful and complies with relevant regulations and professional standards.

CRSPs should ensure that data is accessed, collected, analyzed, processed, and used through lawful and legitimate means. Appropriate governance mechanisms should be established to monitor compliance with relevant laws and the highest standards of ethical conduct with regard to data use. Third-party providers engaging with data should also act in compliance with applicable laws and the highest standards of confidentiality and moral and ethical conduct.

CRSPs should have in place an effective compliance function with an adequate number of staff with the necessary qualifications and experience to manage the legal and compliance risks of technology use. Any engagement with new technologies, dealings with third-party technology providers, or accessing new sources of data should be subject to a robust evaluation process to ensure lawfulness. CRSPs should also ensure that the technologies employed comply with the technical and professional standards issued by relevant standard-setting organizations.

4.7. Principle 7: Privacy

Credit reporting system participants should protect the privacy of data subjects while accessing, collecting, analyzing, processing, and distributing their data for credit reporting.

CRSPs should have in place an effective data governance framework, including a risks, harms, and benefits assessment that accounts for data protection and data privacy. The framework should recognize the dignity of individuals and include concrete protections for human rights as well as the ethics of data use.

Access, processing, analysis, or other use of personal data should be kept to the minimum amount and granularity needed to perform credit reporting activities. Stricter data protection standards should be used when dealing with any type of sensitive data. Robust technical and organizational safeguards should be implemented to ensure proper data security management.

CRSPs employing DLT in their activities should develop appropriate policies to protect the privacy of personal data and ensure compliance with relevant legal requirements to delete personal data, while respecting the transparent and immutable structure of DLT systems.

4.8. Principle 8: Sustainability and Well-Being

Technologies employed in credit reporting systems should support human well-being and be sustainable in all human, social, cultural, economic, and environmental aspects.

CRSPs should prioritize human well-being as an outcome in the development, design, and deployment of technology by using the best available, most widely accepted metrics for well-being as a reference. In assessing the physical and mental impacts of technology use on individuals, CRSPs should also consider technology policies from a broad social perspective.

CRSPs should assess the overall process of technology development and use in terms of sustainability and impacts on the environment. Use of resources and energy consumption should be considered in terms of efficiency, effectiveness, and minimizing harm.
Use of DLT in CRSPs should be optimized to use fewer energy resources and minimize climate effects. Greener ways of using DLTs should be explored to limit environmental impacts.

4.9. Principle 9: Inclusivity

The adoption and use of technological innovations in credit reporting systems must not result in or accentuate the exclusion of any individual or group of individuals.

Adoption of any technological innovations by CRSPs should not exclude or disadvantage any communities or individuals. CRSPs should employ technologies that are inclusive by design to assure that the design processes lead to products usable by all groups of people, particularly those traditionally excluded. These technologies should provide open and fair services to all groups of consumers, regardless of any personal characteristics or protected attributes.

Particular attention during model design and AI/ML system use should ensure that models incorporate underserved segments of the economy at risk of exclusion from modelling data sets.

Digital identification systems should serve all customers without excluding any personal attributes such as any physical traits or literacy levels. Particular care should be taken to ensure that information collected for verification is acceptable in terms of protecting human rights.

4.10. Principle 10: Trust

Technologies employed in credit reporting systems should be considered trustworthy in the eyes of stakeholders, including data subjects and financial institutions.

New technologies introduced by CRSPs should not adversely impact the reliability and trustworthiness of credit reporting systems. CRSPs should ensure that the technologies they introduce will increase efficiency and not undermine service quality. Due to the credit reporting industry’s key role in the financial sector of any economy, before new technologies are implemented, due care must be taken to anticipate how they will be perceived by the ultimate users.
Chapter 5
Considerations for Implementing the Principles

5.1. Applying the Principles

Like any other ethics-based or rights-based framework, the principles are not a set of fixed rules to adapt and comply with. Nor are they technical standards that a CRSP can simply apply as one-off action items. Rather, the principles require an organization-wide adaptation with ongoing efforts to understand the impacts and implications of technologies, maximize the technologies’ benefits while eliminating or minimizing their harms, distribute benefits and burdens, and develop diverse perspectives for navigating dilemmas and solving conflicts. Applying the principles requires commitment from CRSP leadership and the organization as a whole.

Assessing responsibility for observing the principles primarily lies with a CRSP’s board of directors. Assessing the current practices against the principles should identify weaknesses and assist in defining areas for improvement. CRSPs can communicate the results of this compliance assessment to the public. Assessments can be done by either the ethics board or similar body or by external assessors, as appropriate. Assessors should gather the facts necessary to develop conclusions regarding each principle. To gain a general understanding of and analyze the existing situation relating to the principles and key considerations associated with them, assessors can use questions such as the illustrative ones listed below.

Model Design
1. Is the AI/ML model applicable and appropriate for its intended purpose?
2. Is the AI/ML model ethical?
3. Do AI/ML developers have training in ethics, human rights, and civil rights? How diverse is the team that develops AI/ML products and services?
4. How is the sustainability impact of technologies assessed?
5. Does an ethics board or similar committee assess the potential risks and mitigate them throughout the development and deployment of the model?

Data Use
1. Is the data lawful and legitimate? Should the data be used?
2. What are the precautions for identifying and eliminating types of data that can act as proxies for protected attributes?
3. How is the lawfulness of data collection ensured with regard to sources of nontraditional data?

Data Governance
1. What is the quality of the data?
2. Is the data accurate and fit for purpose?
3. How are the risks of inaccuracy and bias assessed and managed?

Model Documentation
1. Is there appropriate documentation in place for using AI/ML systems?
2. Is there a proper traceability process in place throughout the documentation?
3. Does documentation include logging activities of staff with access to sensitive data?
4. Are roles and responsibilities clearly identified for deploying the model ethically?

Outcome Analysis and Controls
1. Is there an effective control framework in place?
2. Is there an effective human oversight mechanism in place?
3. Is a grievance mechanism in place for individuals impacted by the outputs of technology-driven decisions?
4. Is there a process for providing accurate information to data subjects regarding the use of AI/ML?

Tuning and Monitoring
1. How often are results validated?
2. Is there an ongoing monitoring process in place?
3. Is there an established mechanism to identify and correct unintended results following from the decisions of AI/ML systems?
4. Which measures are in place to protect individuals’ privacy?

5.2. Capacity Building

Many of the disruptive technologies in the credit reporting industry are relatively new, and limited information or knowledge surrounds them. Using these technologies to their optimum potential requires understanding the technologies in the context of all relevant stakeholders and the trainings provided to key staff working with them. Improving policy makers’ and CRSPs’ technical proficiency is of foremost importance for successfully implementing every one of these technologies. Capacity building for a thorough understanding of the credit reporting industry’s technology infrastructure is key for rolling out new technologies efficiently and responsibly. Capacity-building activities should also cover understanding and implementing the principles for responsible technology use. While the responsibility for facilitating training primarily lies within the CRSP, regulatory authorities can promote training in their respective jurisdictions.

Industry associations of CRSPs can also play an important role in capacity building for responsible technology use. The credit reporting industry has a long history of being largely self-regulated. Considering the technical details and associated risks in credit reporting systems, the industry developed its own Codes of Conduct. In this sense, self-regulatory mechanisms developed within credit reporting industry associations in many jurisdictions and at the regional level. Considering the highly technical nature of credit reporting activities, these associations can promote the implementation of the principles in various ways, such as by creating guidance documents on assessment methodology of the principles, developing open-source toolkits for responsible innovation, and facilitating trainings on areas of key concern.

5.3. Technology-Specific Recommendations

AI/ML algorithms use supervised and unsupervised learning techniques to analyze the data sets fed into them. These systems are built to perfect over time their models, the data they gather, and the results and correlations of historical predictions. If the amount of data available is limited or low quality, however, AI/ML models can require human intervention to rectify any undesired decisions. Interventions such as human-in-the-loop or human-on-the-loop should be used as appropriate to review the model’s results and correct any undesired biases until the algorithm properly “learns” to produce reliable results in the long run. Therefore, the AI/ML system’s degree of autonomy should be clearly defined, and the different levels of human control over the system should be clearly identified based on the specificities of each use case. An appropriate combination of human oversight and AI should safeguard the system, establishing a continuous loop of training, testing, fine-tuning, validating, and monitoring the AI/ML algorithms.

Big data analytics systems should be managed with a big data governance and risk management framework to ensure appropriate policies and procedures are maintained for different data sets and objectives. Policies on collecting and keeping the minimal amount of data will limit risks related to privacy issues and mitigate potential discriminatory practices based on collection of nonessential and nonbearing information. Minimality also helps produce comprehensible, reliable outputs, as only relevant information is fed into the system, essentially reducing both the variety and the volume of data.

Open APIs provide access to a larger amount of information than required, hence it is important to determine the responsibilities of each collaborator or TPP for managing privacy concerns and security breach risks. A clearly defined responsibility matrix enables every party involved in the open API ecosystem to focus on their respective scope and work. In addition, appropriate dispute resolution mechanisms should be in place for handling customer complaints and infrastructure failures involving data providers and TPPs.

Biometric systems must be secure and robust enough to handle bad actors, fraud, and abuse without creating additional burdens for end users. The checks and procedures in place should be located between extreme innovation and conservative security, as the security of the system cannot be compromised in the interests of innovation and user-friendliness. Digital ID systems should be designed and built using a human-centric approach that recognizes the diversity of cultures and inherent human qualifications. A well-established human-centric approach will help eliminate or minimize potential exclusions by these technologies. In addition, adaptive technologies, such as multimodal biometrics, can be leveraged so that the system can use multiple biometric traits to adjust to new behavioral characteristics.

Third-party cloud service providers should adhere to the same principles as does the credit reporting industry, including the relevant principles laid out in the previous section, such as ethics, accountability, security and robustness, privacy, lawfulness, and sustainability. Compliance by cloud service providers with key regulatory rules such as data access, control, storage, or removal of sensitive data should be of concern to the CRSPs.

While DLT has specific advantages due to its inherent qualities, such as immutability and transparency, special attention is needed to its extreme use of computing power and resources. Thus, relevant pieces of evidence should be shared and verified for the specific use cases to ensure DLT use makes sense. Further, it might be suitable to run the requirement through a blockchain ethical design framework to ensure that the distributed infrastructure is the most viable option for the solution being developed.

5.4. Use Cases

Credit reporting system participants can benefit from considering the following use cases as illustrative examples of applying the principles. The use cases demonstrate how different types of CRSPs — big or small, local or international — can implement or align their governance practices with the principles.

Use Case 1: Fairness & Inclusivity

The CRSP conducts regular reviews to ensure its AI/ML-based credit scores are fair. The team responsible for developing the credit scoring model maintains a data mapping exercise that allows tracing all data used to their respective sources. The map helps identify the data source even after transformation and aggregation. The model uses different datasets for training, testing, and validation. The datasets used do not include protected class attributes, and variables that could serve as proxies for protected class attributes are removed. The dataset has been assured to be inclusive in the sense that it does not categorically exclude any groups of customers with protected attributes. Further, a disparate impact that can occur even absent using protected class or proxy variables is evaluated and tested at each stage of the model development cycle.

The staff team tracks model outputs regularly to ensure the reliability, accuracy, and consistency of the AI/ML model. The results from the training, back-testing, and validation stages are used as a benchmark for the model outputs for fine-tuning at the post-deployment stage. Fairness reviews occur at the appropriate minimum intervals to ensure that the models do not cause disparities due to changes in the dataset. For example, the model is tested for bias (e.g., representation bias, measurement bias) regarding borrowers’ sex (male as a privileged group; female as an unprivileged group) against default thresholds. If the results of the test reveal a bias against the unprivileged group, appropriate techniques are applied to mitigate the bias, such as data weighting or resampling in pre-processing, adversarial debiasing in-processing, or label modification post-processing.

Use Case 2: Ethics

The CRSP created an ethics board that guides the organization through the ethical development and deployment of technologies. While the ethics board draws up the principles for the company’s technology ethics, it also has appropriate powers and resources necessary to put the principles into practice. Relevant business units and functions are represented on the ethics board, sharing responsibility for providing governance on ethical issues pertaining to technology use for the overall organization. The CRSP encourages its staff to provide feedback when a technology’s output appears biased or suboptimal. The ethics board empowers technology users to share their experiences to enhance trust in the AI/ML systems. Finally, employees are appropriately involved in interpreting and using AI/ML-based outputs when making decisions.

Use Case 3: Accountability

Senior management at the CRSP established strategies, guidelines, and rules for use of AI-based decision-making processes. Employees receive adequate training to raise awareness of the principles for responsible use of technology. Trainings also cover legal frameworks applicable to AI/ML system use. Appropriate mechanisms are in place to allow redress of any harm or adverse impact to data subjects. Relevant third parties or employees can also report potential vulnerabilities, risks, or biases in the AI/ML systems.

The CRSP established both internal and external audit mechanisms to ensure the accountability of its AI/ML systems. Assessments are made in model design and performance, implementation, governance, and documentation. The internal audit team reviews the documentation, including the system’s intended function and performance, the model architecture, datasets used in training and testing, checkpoints for reviewing and validating datasets, and organizational processes to monitor system operations. Focused audits are performed regularly in which a specific dataset feeds the system to allow review of the outputs to check for bias in the system or unexpected results. These focused audits also serve to stress test the processes that produce credit reports or other products. Where appropriate, code reviews are conducted by internal or external audit resources, provided that the privacy of any personal data is preserved.

Use Case 4: Transparency

The CRSP employs an AI-based neural network model for credit scoring. If a consumer questions the reason behind a low credit score, the model can explain it using reasons that emerge directly from the model that generated the score. For example, Consumer X is denied his/her credit application from a lender. In response, the consumer asks for the reasoning behind the denial. The consumer is provided with an explanation that “the number of accounts with a credit balance, number of occurrences for 30 days delinquency, age of bankcard accounts, and lack of retail accounts are listed, respectively, as the four most important factors that cause the consumer to lose points in the credit score.” If the loan officer wants to understand why Consumer X’s credit application was denied, compared to similar applications from other customers, the loan officer is provided with a response such as: “Consumers A, B, and C have similar financial profiles with Consumer X, regarding their number of accounts with a credit balance, delinquency occurrences with 30 days, and age of bankcard accounts. These consumers all defaulted on their lines of credit in the last 12 months; therefore the model recommends that Consumer X’s application should be denied for the time being.”

Use Case 5: Security and Robustness

The CRSP established a sound data security framework under which potential vulnerabilities are regularly assessed. Preventive measures are in place to ensure the integrity and resilience of data against potential attacks. Business continuity and contingency plans are established to deal with cyber incidents. The CRSP assesses the possibility that its AI/ML systems will harm data subjects, providers, users, or other relevant third parties through any type of unintentional behavior or unintended results because of cyber vulnerabilities such as cyberattacks, data poisoning, or adversarial attacks. When adopting new technologies, appropriate due diligence is conducted, and governance mechanisms are established. Ongoing employee training programs are in place to raise awareness of and knowledge regarding information security.

Use Case 6: Lawfulness

The CRSP applies a data governance framework for the lawful collection of alternative data. The framework provides clear policies and processes on issues such as obtaining consumers’ consent to collect and process data where necessary; ensuring the accuracy, currency, and validity of data collected through third-party providers; protecting the dignity and privacy of data subjects; ensuring the relevance of data for the purpose specified for its collection; and enabling consumers to access and correct their information where appropriate.

Use Case 7: Privacy

The CRSP established a data governance framework that includes a data privacy officer responsible for protecting the privacy of data subjects. Relevant technical standards such as those of ISO and IEEE are adopted for data management. Oversight mechanisms are in place for data collection, storage, processing, and use. In particular, the AI/ML system’s data collection process is appropriately managed to ensure the models are trained using minimal personal data. In addition, appropriate measures, such as encryption, anonymization, and aggregation, are used to enhance personal data privacy.

The CRSP uses a blockchain-based data management platform to produce credit reports. The platform allows consumers’ digital identities to be kept with relevant data. To ensure personal data privacy, the CRSP employs technologies such as secure multi-party computation to create a barrier between the consumer’s identification data and all anonymized data related to that consumer.

Use Case 8: Sustainability and Well-Being

The CRSP integrates environmental, social, and governance factors into its technology practices. Sustainability principles are disclosed and incorporated into corporate strategies, policies, and processes. Credit reporting activities are pursued in line with sustainable development objectives. The CRSP highlights its environmental and social commitments compared to a set of globally recognized standards and environmental, social, and governance impact factors. In particular, the CRSP has established policies to measure both the environmental impact and the broader social impacts of the technologies employed for its credit reporting activities.

Appendix A
Additional Examples of Guidance on Responsible Technology Use in Credit Reporting

Big Data

The European Economic and Social Committee explored the ethical dimensions of Big Data in an attempt to balance them with the need for economic growth within the EU. The report identified a range of ethical issues involving awareness, control, trust, ownership, surveillance and security, digital identity, tailored reality, de-anonymization, digital divide, and privacy. In response, five balancing actions were suggested to benefit from the use of Big Data while addressing ethical considerations. The five actions can be summarized as follows:

1. Establish a privacy management platform that allows natural persons to control their own personal data.
2. Institute an ethical data management protocol to increase transparency and make people aware of big data holders’ level of compliance with relevant law, both public and private.
3. Develop a data management statement to boost the confidence of internal and external stakeholders that organizations may submit to declare how they collect, use, or sell personal data from customers and general business activities.
4. Promote digital education on big data to create a broader digital culture in Europe, specifically aimed at deepening understanding of big data, how it interacts with citizens throughout their lives, and how it affects each individual.
5. Create an e-health database.

The GSM Association (GSMA) published the report, “Mobile Big Data Analytics and AI for a Better Future.” The document outlines the following principles for harnessing trustworthy AI in big data analytics by ensuring its ethical use:

1. Do no harm.
2. Be inclusive.
3. Be fair.
4. Ensure transparency.
5. Embed accountability.
6. Adopt privacy and ethics by design.
7. Advance security and safety.
8. Support sustainability and societal well-being.

Open APIs

The Consultative Group to Assist the Poor (CGAP) issued a guidance note that provides key considerations when developing legal terms and conditions for financial services APIs. The document highlights the key risks and legal issues arising for various API use cases and considers how the risks could be managed through contract design and implementation. The guidance note covers the following considerations:

1. Partner selection, due diligence, and onboarding
2. Termination or suspension of access following onboarding
3. Access to APIs, obtaining consumer consent
4. Methods of authenticating the customer
5. Data protection concerns
6. Security concerns such as risks of screen-scraping
7. Allocation of liability risk
8. Technical standards
9. Licenses, dispute resolution, and business continuity/contingency

AI/ML

The European Commission’s High-Level Expert Group on AI presented its “Ethics Guidelines for Trustworthy Artificial Intelligence.” The document provides guidance on how trustworthy AI can be realized under seven principles.

1. Human agency and oversight: Fundamental rights, human agency, and human oversight.
2. Technical robustness and safety: Security and resilience to attack; fall back plan; and general safety, accuracy, reliability, and reproducibility.
3. Privacy and data governance: Respect for privacy, quality and integrity of data, and access to data.
4. Transparency: Traceability, explainability, and communication.
5. Diversity, non-discrimination, and fairness: The avoidance of unfair bias, accessibility and universal design, and stakeholder participation.
6. Environmental and societal well-being: Sustainability and environmental friendliness; social impact; society and democracy.
7. Accountability: Auditability, minimization, and reporting of negative impact, trade-offs, and redress.

Germany’s Financial Supervisory Authority (BaFin) issued principles for the use of algorithms in decision-making processes. BaFin sets out as key principles clear management responsibility, appropriate risk, and outsourcing management; preventing bias; and ruling out types of differentiation prohibited by law. The guide follows these specific principles for the AI development phase:

1. Maintain data strategy and governance.
2. Comply with data protection requirements.
3. Ensure accurate, robust, and reproducible results.
4. Document systems to ensure clarity for both internal and external parties.
5. Follow appropriate validation processes.
6. Use relevant data for calibration and validation purposes.

BaFin sets out the following principles for the AI application phase:

1. Put humans in the loop.
2. Establish in-depth approval and feedback processes.
3. Establish contingency measures.
4. Conduct ongoing validation and overall evaluation and make appropriate adjustments.

Likewise, the Hong Kong Monetary Authority (HKMA) issued high-level principles on the use of AI and big data analytics. HKMA emphasizes applying the principles in a proportionate manner that reflects the nature of AI use cases and the level of risks involved. The HKMA principles include the following key considerations:

1. Governance: Accountability of the board and senior management for the outcome of AI applications.
2. Application design and development: Possessing sufficient expertise; ensuring an appropriate level of explainability of AI applications; using data of good quality; conducting rigorous model validation; ensuring auditability of AI applications; implementing effective management oversight of third-party vendors; and being ethical, fair, and transparent.
3. Ongoing monitoring and maintenance: Conducting periodic reviews and ongoing monitoring; complying with data protection requirements; implementing effective cybersecurity measures; and maintaining risk mitigation and contingency plans.

The Recommendation on AI is the first intergovernmental standard on AI adopted by the OECD. The document aims to foster innovation and trust in AI by promoting responsible stewardship of trustworthy AI and ensuring respect for human rights and democratic values. The document identifies five complementary values-based principles for the responsible stewardship of trustworthy AI and calls on stakeholders to promote and implement these principles:

1. Inclusive growth, sustainable development, and well-being
2. Human-centered values and fairness
3. Transparency and explainability
4. Robustness, security and safety
5. Accountability

The Institute of Electrical and Electronics Engineers (IEEE) issued principles for ethically aligned design as part of its vision for Prioritizing Human Well-Being with Autonomous and Intelligent Systems. The document advises on the following principles:

1. Human Rights
2. Prioritizing Well-Being
3. Accountability
4. Transparency
5. Technology Misuse and Awareness

Digital ID & Biometrics

The UN published the “Compendium of Recommended Practices for the Responsible Use and Sharing of Biometrics in Counter-Terrorism.” While the compendium primarily addresses state authorities, the following recommendations are relevant for the responsible use of biometrics:

1. Adopt a human-rights based approach that includes procedural safeguards and effective oversight of applications. Establish or expand independent, appropriate oversight bodies to supervise implementing relevant privacy legislation and providing effective remedies in case of violations, to be supplemented by an ethical review process.
2. Conduct regular risk assessments of the end-to-end processes of biometric applications against cyber threats and vulnerabilities.
3. Assure the compliance of biometric systems with international technical standards to ensure meeting business needs in terms of accuracy, security, and operational reliability.

WEF developed a Framework for Action for Responsible Limits on Facial Recognition (WEF 2020c). The goal of the initiative is to establish a governance framework for facial recognition technology, recommending the following principles for organizations taking action:

1. Take appropriate steps to ensure that unfair bias or outcomes can be detected.
2. Take reasonable steps to assess the capabilities for use and limitations of the systems and ensure systems are appropriate for purpose.
3. Design systems to support privacy, including privacy considerations in system requirements and carrying through privacy support in the design, development, and testing of technology.
4. Ensure a culture of accountability internally and across third-party service providers or business partners.
5. Conduct a comprehensive risk assessment of systems, including the impact on privacy, potential for errors, susceptibility to unfair bias, vulnerability to hacking and cyberattacks, lack of transparency in the decision-making process, and potential for civil rights infringements.
6. Follow the standards for evaluating the accuracy and performance of systems at the design (lab tests) and deployment (field tests) stages.
7. Provide information to end users who have questions and/or need information on the use of systems.
8. Obtain informed, explicit, affirmative consent from individuals for the use of systems.
9. Ensure facial recognition does not exclude anyone and is always accessible to and usable by all groups of people, including elderly people and people with disabilities.
10. Conduct human oversight for any use that could result in a consequential decision, such as an infringement of a civil right.

Cloud Computing

The European Banking Authority (EBA) published recommendations on outsourcing to cloud service providers to clarify the EU-wide supervisory expectations for institutions intending to adopt cloud computing. The recommendations were calibrated to allow the institutions to leverage the benefits of using cloud services while ensuring that any related risks are adequately identified and managed. The document covers the following topics:

1. Conducting materiality assessment
2. Duty to adequately inform supervisors
3. Determination of access and audit rights
4. Security of data and systems
5. Considerations on the location of data and data processing
6. Managing risks associated with chain outsourcing
7. Contingency plans and exit strategies

Distributed Ledger Technologies

Gibraltar Financial Services Commission issued the following regulatory principles to be applied by DLT providers:

1. Conduct business with honesty and integrity.
2. Pay due regard to the interests and needs of each and all customers, and communicate with customers in a way that is fair, clear, and not misleading.
3. Maintain adequate financial and nonfinancial resources.
4. Manage and control business effectively and conduct business with due skill, care, and diligence, including having proper regard to risks to the business and its customers.
5. Establish effective arrangements for the protection of clients’ assets and money.
6. Have effective corporate governance arrangements.
7. Ensure that all systems and security access protocols are maintained to appropriate high standards.
8. Have systems in place to prevent, detect, and disclose financial crime risks such as money laundering and terrorist financing.
9. Be resilient and develop contingency plans for the orderly, solvent wind-down of business.

Appendix B
Glossary

Term | Definition | Source
Alternative credit reporting service provider | Entities that use innovative methodologies and nontraditional data to assess credit risk and produce credit scores. | Authors
Artificial intelligence | The theory and development of computer systems able to perform tasks that traditionally have required human intelligence. | FSB (2017)
Big data | A generic term that designates the massive volume of data generated by the increasing use of digital tools and information systems. | FSB (2017)
Business information provider | Entities that collect information on businesses, including sole proprietorships, partnerships, and corporations for credit risk assessment, credit scoring, or other business purposes. | World Bank (2011)
Code of conduct | A self-regulatory framework for credit reporting service providers that governs their relationship to data providers, users, borrowers, other bureaus, and the supervisory authority. | Authors
Consumer | See data subject. |
Consumer consent | A data subject’s freely informed, specific agreement, written or verbal, to the collection, processing, and disclosure of personal data. | World Bank (2011)
Credit bureau | Model of a credit-information exchange the primary objective of which is to improve the quality and availability of data so creditors can make better-informed decisions. | World Bank (2011)
Credit registry | Model of a credit-information exchange the main objectives of which are assisting prudential supervision and enabling data access to regulated financial institutions to improve the quality of their credit portfolios. | World Bank (2011)
Credit reporting service provider | Entities that collect information on a borrower’s credit history from creditors and available public sources; includes credit bureaus, credit registries, business information providers, and alternative credit reporting service providers. | World Bank (2019a)
Credit risk | The risk that a counterparty will fail to make any of the payments that it is contractually obliged to make. | ECB (2018)
Credit score | Form of statistical analysis that estimates the probability that a loan applicant, existing borrower, or counterparty will default or become delinquent. | ICCR (2019a)
Creditworthiness | The ability of a borrower to repay current and prospective financial obligations in a timely manner; used as an assessment of a borrower’s past credit behavior to assist a potential lender in deciding whether to extend new credit. | World Bank (2011)
Data provider | A creditor or other entity that proactively and in a structured fashion supplies information to the credit reporting service providers. | World Bank (2011)
Data subject | An individual or a business whose data could be collected, processed, and disclosed to third parties in a credit reporting system. | World Bank (2011)
Data user | An individual or business that requests credit reports, files, or other related services from credit reporting service providers, typically under predefined conditions and rules. | World Bank (2011)
Default | Failure to complete a payment obligation under a credit or loan agreement. | World Bank (2011)
IaaS | Infrastructure as a service; a cloud service provider’s ability to provision processing, storage, networks, and other fundamental computing resources where the customer can deploy and run arbitrary software. | NIST (2017b)
Machine learning | A method of designing a sequence of actions to solve a problem in a way that optimizes automatically through iteration, with limited or no human intervention. | FSB (2017)
Negative information | Statements about defaults or arrears and bankruptcies; may also include statements about lawsuits, liens, and judgments obtained from courts or other official sources. | World Bank (2011)
PaaS | Platform as a service; a software development and/or deployment platform with the capability to develop and/or deploy applications without the complexities of managing underlying infrastructure services. | NIST (2017b)
Permissioned | Requiring authorization to perform a particular activity or activities. | ITU (2019a)
Permissionless | Not requiring authorization to perform a particular activity. | ITU (2019a)
Personal data | Information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an ID number or one or more factors specific to the person’s physical, physiological, mental, economic, cultural, or social identity. | ICCR (2021)
Positive information | Information that covers facts of contractually compliant behavior, including detailed statements about outstanding credit, amount of loans, repayment patterns, assets, liabilities, and guarantees and/or collateral. | World Bank (2011)
RegTech | Any range of applications of fintech for regulatory and compliance requirements and reporting by regulated financial institutions. | FSB (2017)
SaaS | Software as a service; services in which the customer can use the cloud service provider’s applications running on a cloud infrastructure; applications are accessible through either a thin client interface, such as a web browser, or a program interface. | NIST (2017b)
Structured data | Any data that reside in a fixed field within a record or file. Typically, the data reside in the form of relational databases and spreadsheets. The formal structure allows one to easily enter, store, query, and analyze the data. | ICCR (2019a)
Supervised learning | A subset of machine learning in which an algorithm is fed a set of “training” data that contains labels on the observations. | FSB (2017)
SupTech | Applications of fintech by supervisory authorities. | FSB (2017)
Unstructured data | Data that do not have a predefined data model or are not organized in a predefined manner; they typically exist in the form of text files, images, social media data, and sensor data. | ICCR (2019a)
Unsupervised learning | A subset of machine learning in which the data provided to the algorithm does not contain labels. | FSB (2017)

Appendix C Bibliography

Akinwumi, M., J. Merrill, L. Rice, K. Saleh, and M. Yap. 2021. “An AI Fair Lending Policy Agenda for the Federal Financial Regulators.” Series on Financial Markets and Regulation, Brookings Institution, Washington, DC. https://www.brookings.edu/research/an-ai-fair-lending-policy-agenda-for-the-federal-financial-regulators/.

Aldasoro, I., L. Gambacorta, P. Giudici, and T. Leach. 2020.
“The Drivers of Cyber Risk.” BIS Working Papers No. 865, Bank for International Settlements, Basel, Switzerland. https://www.bis.org/publ/work865.pdf.

BaFin (Bundesanstalt für Finanzdienstleistungsaufsicht). 2021. “Big Data and Artificial Intelligence: Principles for the Use of Algorithms in Decision-Making Processes.” Federal Financial Supervisory Authority, Bonn, Germany. https://www.bafin.de/SharedDocs/Downloads/EN/Aufsichtsrecht/dl_Prinzipienpapier_BDAI_en.html.

Basel Committee on Banking Supervision (BCBS). 2019. “Implications of Fintech Developments for Banks and Bank Supervisors.” Bank for International Settlements. https://www.bis.org/bcbs/publ/d431.pdf.

Berg, T., V. Burg, A. Gombović, and M. Puri. 2019. “On the Rise of FinTechs — Credit Scoring Using Digital Footprints.” Michael J. Brennan Irish Finance Working Paper Series Research Paper No. 18-12. http://dx.doi.org/10.2139/ssrn.3163781.

Biometrics Institute. 2019. “Ethical Principles for Biometrics.” Biometrics Institute, London. https://www.biometricsinstitute.org/ethical-principles-for-biometrics/.

Bussmann, N., P. Giudici, and D. Marinelli. 2021. “Explainable Machine Learning in Credit Risk Management.” Computational Economics 57, 203–216 (2021). https://doi.org/10.1007/s10614-020-10042-0.

Calmon, F., D. Wei, B. Vinzamuri, K. Natesan Ramamurthy, and K. R. Varshney. 2017. “Optimized Pre-Processing for Discrimination Prevention.” Advances in Neural Information Processing Systems 30. 31st Conference on Neural Information Processing Systems (NIPS 2017), Long Beach, CA. https://papers.nips.cc/paper/2017/hash/9a49a25d845a483fae4be7e341368e36-Abstract.html. Last accessed June 9, 2021.

Centre for Data Ethics and Innovation (CDEI). 2020. “Review into Bias in Algorithmic Decision-making.” Centre for Data Ethics and Innovation, London. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/957259/Review_into_bias_in_algorithmic_decision-making.pdf.
CGAP (Consultative Group to Assist the Poor). 2020. “Guidance Note: Key Considerations When Developing Legal Terms and Conditions for Financial Services APIs.” CGAP, World Bank, Washington, DC. https://www.findevgateway.org/sites/default/files/publications/files/cgap-guidance-note-key-considerations-when-developing-legal-terms-and-conditions-for-financial-services-apis-january-2020.pdf.

Creditinfo. 2020. “Global Lending Industry Trends.” CreditInfo, Reykjavík, Iceland. https://creditinfo.com/wp-content/uploads/2017/08/creditinfo_trends_2020.pdf.

CSSF (Commission de Surveillance du Secteur Financier). 2018. “AI: Opportunities, Risks and Recommendations for the Financial Sector.” Commission de Surveillance du Secteur Financier, Luxembourg. https://www.cssf.lu/wp-content/uploads/files/Publications/Rapports_ponctuels/CSSF_White_Paper_Artificial_Intelligence_201218.pdf.

Data Reportal. 2021. “Global Digital Overview October 2021.” Data Reportal, Singapore. https://datareportal.com/reports/digital-2021-october-global-statshot.

ECB (European Central Bank). 2018. Anacredit. European Central Bank, European Union, Paris. https://www.ecb.europa.eu/stats/money_credit_banking/anacredit/html/index.en.html.

Equifax. 2020a. “Putting Neural Network Models to the Test.” Equifax, Atlanta, GA. https://www.equifax.com/white-papers/putting-neural-network-models-test/.

Equifax. 2020b. “Seizing the Cloud Opportunity — Securely and Safely.” Equifax, Atlanta, GA. https://assets.equifax.com/marketing/US/assets/equifax_seizing_cloud_opportunity_safely_security_paper_aug2020.pdf. Last accessed Jan. 31, 2022.

Equifax. 2021. “Equifax Data Breach Settlement.” Equifax, Atlanta, GA. https://www.equifaxbreachsettlement.com/. Last accessed June 24, 2021.

EU (European Union). 2016. “General Data Protection Regulation.” European Union, Brussels. https://gdpr-info.eu/.

EU (European Union). 2021.
“Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonized Rules on Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts.” European Union, Brussels. https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1623335154975&uri=CELEX%3A52021PC0206.

European Banking Authority (EBA). 2020. “EBA Report on Big Data and Advanced Analytics.” European Banking Authority, Paris. https://www.eba.europa.eu/sites/default/documents/files/document_library/Final%20Report%20on%20Big%20Data%20and%20Advanced%20Analytics.pdf.

“Experian Enables Next Generation Data Analytics Platform Using AWS.” Experian, Costa Mesa, CA. https://aws.amazon.com/tr/solutions/case-studies/experian/. Last accessed Jan. 31, 2022.

Federal Deposit Insurance Corporation (FDIC). 2017. “Supervisory Guidance on Model Risk Management.” Federal Deposit Insurance Corporation, Washington, DC. https://www.fdic.gov/news/financial-institution-letters/2017/fil17022a.pdf.

Fjeld, J., A. Nele, H. Hilligoss, A. Nagy, and M. Srikumar. 2020. “Principled Artificial Intelligence: Mapping Consensus in Ethical and Rights-based Approaches to Principles for AI.” Berkman Klein Center for Internet and Society, Harvard University, Cambridge, MA. https://dash.harvard.edu/bitstream/handle/1/42160420/HLS%20White%20Paper%20Final_v3.pdf?sequence=1&isAllowed=y.

Frost, J., L. Gambacorta, Y. Huang, H. S. Shin, and P. Zbinden. 2019. “BigTech and the Changing Structure of Financial Intermediation.” BIS Working Papers No. 779, Bank for International Settlements, Basel, Switzerland. https://www.bis.org/publ/work779.pdf.

FSB (Financial Stability Board). 2017. “Artificial Intelligence and Machine Learning in Financial Services — Market Developments and Financial Stability Implications.” Financial Stability Board, Basel, Switzerland. https://www.fsb.org/wp-content/uploads/P011117.pdf. Last accessed June 9, 2022.

Gambacorta, L., Y. Huang, and J. Wang. 2019.
“How do ML and non-traditional data affect credit scoring? New Evidence from a Chinese Fintech Firm.” BIS Working Papers No. 834. Bank for International Settlements, Basel, Switzerland. https://www.bis.org/publ/work834.pdf.

Gauthier, J. 2009. “Ethical principles and human rights: Building a better world globally.” Counselling Psychology Quarterly 22:1, 25–32. https://www.tandfonline.com/doi/abs/10.1080/09515070902857301.

Gibraltar Financial Services Commission. 2020. “The Regulatory Principles for DLT Providers.” Gibraltar Financial Services Commission, Gibraltar. https://www.fsc.gi/FSC/distributed-ledger-technology-providers.

Goharshady, A. Behrouz A. and Chatterjee K. 2018. “Secure Credit Reporting on the Blockchain.” 2018 IEEE International Conference, pp. 1343-1348. https://ieeexplore.ieee.org/document/8726769.

GSM Association (GSMA). 2019a. “Mobile Big Data Analytics and AI for a Better Future: AI Ethics Principles.” GSMA, London. https://www.gsma.com/betterfuture/wp-content/uploads/2019/09/AI-Ethics_2Pager_v1.pdf.

GSM Association (GSMA). 2019b. “Mobile Big Data Solutions for a Better Future Report.” GSMA, London. https://www.gsma.com/betterfuture/wp-content/uploads/2019/10/2019-GSMA-Mobile-Big-Data-for-a-Better-Future_Full-Report-1.pdf.

GPFI. 2017. “Alternative Data Transforming SME Finance.” https://www.gpfi.org/sites/gpfi/files/documents/GPFI%20Report%20Alternative%20Data%20Transforming%20SME%20Finance.pdf and https://www.smefinanceforum.org/post/alternative-data-transforming-sme-finance-0 and https://www.gpfi.org/publications/gpfi-report-alternative-data-transforming-sme-finance.

Hagendorff, T. 2020. “The Ethics of AI Ethics: An Evaluation of Guidelines.” Minds and Machines 30:99–120. https://doi.org/10.1007/s11023-020-09517-8.

Hengel, E. 2010.
“Discussion Paper on Credit Information Sharing.” Facilitating Access to Finance Discussion Paper Series, Organization for Economic Co-operation and Development, Paris. https://www.oecd.org/global-relations/45370071.pdf.

Hong Kong Monetary Authority (HKMA). 2019. “High-Level Principles on AI.” Hong Kong Monetary Authority, Hong Kong. https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/2019/20191101e1.pdf.

Hyperledger Case Study — Kiva. Hyperledger Foundation. https://www.hyperledger.org/wp-content/uploads/2021/01/Hyperledger_CaseStudy_Kiva_Printable.pdf. Last accessed Jan. 31, 2022.

IBM. Trusted AI Tools. International Business Machines, Armonk, NY. https://research.ibm.com/teams/trusted-ai. Last accessed Jan. 31, 2022.

ICCR (International Committee on Credit Reporting). 2013. “Assessment Methodology for the General Principles for Credit Reporting.” ICCR, World Bank, Washington, DC. http://hdl.handle.net/10986/21813.

ICCR (International Committee on Credit Reporting). 2014. “Facilitating SME Financing through Improved Credit Reporting.” ICCR, World Bank, Washington, DC. http://hdl.handle.net/10986/21810.

ICCR (International Committee on Credit Reporting). 2018. “Use of Alternative Data to Enhance Credit Reporting to Enable Access to Digital Financial Services by Individuals and SMEs Operating in the Informal Economy.” Global Partnership for Financial Inclusion Guidance Note. ICCR, World Bank, Washington DC. https://www.gpfi.org/sites/gpfi/files/documents/Use_of_Alternative_Data_to_Enhance_Credit_Reporting_to_Enable_Access_to_Digital_Financial_Services_ICCR.pdf.

ICCR (International Committee on Credit Reporting). 2019a. “Credit Scoring Approaches Guidelines.” ICCR, World Bank, Washington, DC. https://thedocs.worldbank.org/en/doc/935891585869698451-0130022020/original/CREDITSCORINGAPPROACHESGUIDELINESFINALWEB.pdf.

ICCR (International Committee on Credit Reporting). 2019b.
“Cybersecurity in Credit Reporting Guidelines.” ICCR, World Bank, Washington, DC. https://thedocs.worldbank.org/en/doc/735641585870130697-0130022020/original/Cybersecurityincreditreportingguidelinefinal.pdf.

International Committee on Credit Reporting (ICCR). 2021. “Cross-border Credit Reporting.” World Bank, Washington, DC. https://www.biia.com/wp-content/uploads/2021/08/ICCR-Cross-Border-Report-final-July-2021.pdf.

IEEE Global Initiative on Ethics of Autonomous and Intelligent Systems. 2017. “Ethically Aligned Design: A Vision for Prioritizing Human Well-being with Autonomous and Intelligent Systems.” Institute of Electrical and Electronics Engineers, New York. http://standards.ieee.org/develop/indconn/ec/autonomous_systems.html.

International Organization of Securities Commissions (IOSCO). 2021. “Principles on Outsourcing.” International Organization of Securities Commissions, Madrid. https://www.iosco.org/library/pubdocs/pdf/IOSCOPD687.pdf.

ITU (International Telecommunication Union). 2019a. “Distributed Ledger Technology Terms and Definitions.” International Telecommunication Union, Geneva, Switzerland. https://www.itu.int/en/ITU-T/focusgroups/dlt/Documents/d11.pdf. Last accessed June 9, 2022.

ITU (International Telecommunication Union). 2019b. “Technical Report — Distributed Ledger Technology Framework.” International Telecommunication Union, Geneva, Switzerland. https://www.itu.int/en/ITU-T/focusgroups/dlt/Documents/d41.pdf. Last accessed June 9, 2022.

Liu, C., and C. Hou. 2021. “Challenges of Credit Reference Based on Big Data Technology in China.” Mobile Networks and Applications 27:47–57 (2022). https://doi.org/10.1007/s11036-020-01708-y.

MAS (Monetary Authority of Singapore). 2018.
“Principles to Promote Fairness, Ethics, Accountability and Transparency (FEAT) in the Use of Artificial Intelligence and Data Analytics in Singapore’s Financial Sector.” Monetary Authority of Singapore, Singapore. https://www.mas.gov.sg/~/media/MAS/News%20and%20Publications/Monographs%20and%20Information%20Papers/FEAT%20Principles%20Final.pdf.

National Fair Housing Alliance (NFHA). 2022. “Purpose, Process and Monitoring: A New Framework in Auditing Algorithmic Bias in Housing & Lending.” National Fair Housing Alliance, Washington, DC. https://nationalfairhousing.org/wp-content/uploads/2022/02/PPM_Framework_02_17_2022.pdf. Last accessed June 9, 2022.

National Telecommunications and Information Administration (NTIA). N.d. “An Ethical Framework for Facial Recognition.” National Telecommunications and Information Administration, Washington, DC. https://www.ntia.doc.gov/files/ntia/publications/aclu_an_ethical_framework_for_face_recognition.pdf.

NIST (National Institute of Standards and Technology). 2017a. “Cybersecurity Framework.” National Institute of Standards and Technology, Gaithersburg, MD, and Boulder, CO. https://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8183.pdf.

NIST (National Institute of Standards and Technology). 2017b. “Draft — Evaluation of Cloud Computing Services Based on NIST 800-145.” National Institute of Standards and Technology, Gaithersburg, MD, and Boulder, CO. https://www.nist.gov/system/files/documents/2017/05/31/evaluation_of_cloud_computing_services_based_on_nist_800-145_20170427clean.pdf.

NIST (National Institute of Standards and Technology). 2021. “AI Risk Management Framework Concept Paper.” National Institute of Standards and Technology, Gaithersburg, MD, and Boulder, CO. https://www.nist.gov/system/files/documents/2021/12/14/AI%20RMF%20Concept%20Paper_13Dec2021_posted.pdf.

OBIE (Open Banking Implementation Entity). N.d. “Customer Experience Standards.” Open Banking Implementation Entity, U.K.
https://standards.openbanking.org.uk/customer-experience-guidelines/introduction/design-and-experience-principles/latest/. Last accessed Jan. 31, 2022.

OneScore Mobile App by Experian India. N.d. OneScore, Pune. https://www.onescore.app/. Last accessed Jan. 31, 2022.

Open Technology Institute. 2021. “Cracking Open the Black Box: Promoting Fairness, Accountability, and Transparency Around High-Risk AI.” Open Technology Institute, Washington, DC. https://www.newamerica.org/oti/reports/cracking-open-the-black-box/.

Organization for Economic Co-operation and Development (OECD). 2019. “Recommendation of the Council on Artificial Intelligence.” Organization for Economic Co-operation and Development, Paris. https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0449.

Singapore Personal Data Protection Commission. 2020. “Model AI Governance Framework.” Singapore Personal Data Protection Commission, Singapore. https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Resource-for-Organisation/AI/SGModelAIGovFramework2.pdf.

Singapore Personal Data Protection Commission. 2020. “Compendium of Use Cases: Practical Illustrations of the Model AI Governance Framework.” Singapore Personal Data Protection Commission, Singapore. https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Resource-for-Organisation/AI/SGAIGovUseCases.pdf.

Toronto Centre. 2018. “Cloud Computing: Issues for Supervisors.” TC Notes. Toronto Centre, Toronto. https://res.torontocentre.org/guidedocs/Risk-Based%20Supervision%20FINAL.pdf.

TransUnion. 2021. “TransUnion and AWS Executives Explores How Disruptive Work Flows Unlock Banking Opportunities.” TransUnion, Chicago, IL. https://www.globenewswire.com/news-release/2021/09/30/2306150/0/en/Panel-with-TransUnion-and-AWS-Executives-Explores-How-Disruptive-Work-Flows-Unlock-Banking-Opportunities.html. Last accessed Jan. 31, 2022.

UN (United Nations). 2011.
“Guiding Principles on Business and Human Rights.” United Nations, New York. https://www.ohchr.org/documents/publications/guidingprinciplesbusinesshr_en.pdf.

UN (United Nations). 2017. “Data Privacy, Ethics and Protection: Guidance Note on Big Data for Achievement of the 2030 Agenda.” United Nations, New York. https://unsdg.un.org/resources/data-privacy-ethics-and-protection-guidance-note-big-data-achievement-2030-agenda.

UN (United Nations). 2018. “Compendium of Recommended Practices for the Responsible Use and Sharing of Biometrics in Counter-Terrorism.” United Nations, New York. https://www.un.org/securitycouncil/ctc/sites/www.un.org.securitycouncil.ctc/files/files/documents/2021/Jan/compendium_on_biometricsl_eng.pdf.

UN (United Nations). 2021. “Resource Guide on AI Strategies.” United Nations, New York. https://sdgs.un.org/sites/default/files/2021-04/Resource%20Guide%20on%20AI%20Strategies_April%202021_rev_0.pdf.

UN (United Nations). 2022. “Digital Space and Human Rights.” United Nations, New York. https://www.ohchr.org/en/topic/digital-space-and-human-rights. Last accessed Jan. 31, 2022.

UNESCO (United Nations Educational, Scientific and Cultural Organization). 2021. “Recommendations on the Ethics of AI.” UNESCO, Paris. https://en.unesco.org/artificial-intelligence/ethics#recommendation.

Veritas Consortium. 2020. “FEAT Fairness Principles Assessment Case Studies.” Monetary Authority of Singapore, Singapore. https://www.mas.gov.sg/-/media/MAS/News/Media-Releases/2021/Veritas-Document-1-FEAT-Fairness-Principles-Assessment-Methodology.pdf.

Veritas Consortium. 2021. “FEAT Fairness Principles Assessment Case Studies.” Monetary Authority of Singapore, Singapore. https://www.mas.gov.sg/-/media/MAS/News/Media-Releases/2021/Veritas-Document-2-FEAT-Fairness-Principles-Assessment-Case-Studies.pdf.

WEF (World Economic Forum). 2018. “Responsible Use of Technology.” World Economic Forum, Cologny, Switzerland.
https://www3.weforum.org/docs/WEF_Responsible_Use_of_Technology.pdf.

WEF (World Economic Forum). 2020a. “Companion to the AI Model Governance Framework – Implementation and Self-Assessment Guide for Organizations.” World Economic Forum, Cologny, Switzerland. https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Resource-for-Organisation/AI/SGIsago.pdf.

WEF (World Economic Forum). 2020b. “Ethics by Design: An Organizational Approach to Responsible Use of Technology.” World Economic Forum, Cologny, Switzerland. https://www3.weforum.org/docs/WEF_Ethics_by_Design_2020.pdf.

WEF (World Economic Forum). 2020c. “A Framework for Responsible Limits on Facial Recognition Use Case: Flow Management.” World Economic Forum, Cologny, Switzerland. https://www3.weforum.org/docs/WEF_Framework_for_action_Facial_recognition_2020.pdf.

WEF (World Economic Forum). 2021. “Responsible Use of Technology: The IBM Case Study.” World Economic Forum, Cologny, Switzerland. https://www3.weforum.org/docs/WEF_Responsible_Use_of_Technology_The_IBM_Case_Study_2021.pdf.

World Bank. 2011. “General Principles for Credit Reporting.” World Bank, Washington DC. http://hdl.handle.net/10986/12792.

World Bank. 2018. “Improving Access to Finance for SMEs: Opportunities through Credit Reporting, Secured Lending and Insolvency Practices.” World Bank, Washington, DC. https://documents1.worldbank.org/curated/en/316871533711048308/pdf/129283-WP-PUBLIC-improving-access-to-finance-for-SMEs.pdf.

World Bank Group. 2019a. “Credit Reporting Knowledge Guide 2019.” World Bank, Washington, DC. http://hdl.handle.net/10986/31806.

World Bank Group. 2019b. “Disruptive Technologies in the Credit Information Sharing Industry: Developments and Implications.” Fintech Note No. 3, World Bank, Washington, DC. http://hdl.handle.net/10986/31714.

World Bank. 2020. “Doing Business 2020: Comparing Business Regulation in 190 Economies.” World Bank, Washington, DC.
http://hdl.handle.net/10986/32436.

World Bank. 2021a. “Consumer Risks in Fintech: New Manifestations of Consumer Risks and Emerging Regulatory Approaches.” World Bank, Washington, DC. http://hdl.handle.net/10986/35699.

World Bank. 2021b. “Principles on Identification for Sustainable Development.” World Bank, Washington, DC. https://id4d.worldbank.org/principles.

World Bank and CGAP (Consultative Group to Assist the Poor). 2018. “Data Protection and Privacy for Alternative Data.” Global Partnership for Financial Inclusion Discussion Paper, World Bank, Washington, DC. https://www.gpfi.org/sites/gpfi/files/documents/Data_Protection_and_Privacy_for_Alternative_Data_WBG.pdf.

Yong, J., and J. Prenio. 2021. “Humans Keeping AI in Check: Emerging Regulatory Expectations in the Financial Sector.” FSI Insights on Policy Implementation No. 35, Bank for International Settlements, Basel, Switzerland. https://www.bis.org/fsi/publ/insights35.pdf.

Reference

[1]. The members of the West African Economic and Monetary Union (also known by its French acronym, UEMOA) are Benin, Burkina Faso, Côte D’Ivoire, Guinea-Bissau, Mali, Niger, Senegal, and Togo.