A privacy regulation for lending applications

Most recently, the National Privacy Commission (NPC) came out with a policy aimed at addressing the problems associated with online money-lending applications (“lending apps”). A timely but ambitious effort, given the complex nature of the data processing systems involved.

Lending apps process personal data and other information from a wide range of sources for consumer credit-related purposes such as lending and setting interest rates. One, for instance, develops a person’s credit score by using a range of social-media related information, such as contact lists, call logs, photos, videos, social media accounts, text messages, call, records, location, and social networking.

Thus, a policy that hopes to regulate them should be based on thorough research and a comprehensive understanding of their inner workings. One wouldn’t want one that is so restrictive, it effectively bans their use altogether.

This article highlights the main features of the Circular and offers a jump-off point for any discussion of the new regulation.

Scope

In terms of who and what the policy applies to, the former is easier to ascertain. It says it applies to all lending entities—not just those managing lending apps—and any of their personal information processors (PIPs). They include all lending companies and financing companies, as defined under Republic Act Nos. 9474 and the 8556, respectively, and all other entities that act as such, even if not authorized to do so. What it applies to, on the other hand, is subject to speculation. It says it covers “among others” the processing of personal data for loan processing activities, thereby suggesting it encompasses a much broader subject. What are these other things and why did the NPC not just identify them outright? That is, after all, why a policy lays down its scope.

Transparency and Data Collection

In the spirit of transparency, lending entities are mandated to give borrowers “all the information concerning all phases of the loan processing activity.” “Details” about their authorized PIPs must also be made available to borrowers. In both directives, it isn’t clear what the NPC means by “all information” and “details.”

Regarding character referees, the Circular clarifies that it is the borrower’s duty to inform his referees of their inclusion in his submissions. At the same time, though, it also says lending entities must “adequately inform” the character referees that they were referred to as such and that their contact details were shared by the borrower. Does this mean the onus is on both borrowers and lending entities?

Data collection shall be limited only to those necessary to comply with Know-Your-Client (KYC) policies, to determine a borrower’s credit-worthiness, and to prevent fraud. Accordingly, a borrower may be asked to provide the names and contact numbers of his character referees. It isn’t apparent why these two data points were singled out from all possible information a borrower may provide about his referees.

A lending entity that has a lending app is supposed to maintain a “separate interface” through which a borrower can provide his character referees and/or co-makers. What the NPC means by “interface”, and in what sense it is supposed to be separate is unclear.

App Permissions

Still on lending apps, the Circular says app permissions must only be for the following purposes: (1) compliance with KYC policies; (2) determination of a borrower’s credit worthiness; (3) fraud prevention; and (4) debt collection. Those meant for other purposes are prohibited. This somewhat restricts the use of the different criteria for the lawful processing of personal data under the Data Privacy Act of 2012 (DPA) and may therefore be vulnerable to a legal challenge. For example, even if a borrower is willing to give his consent to other uses of his personal data, such other uses shall be disallowed.

The Circular also prohibits specific data processing activities if they will be used for debt collection or harassment, namely: (1) access to “contact details”; (2) harvesting of social media contacts; and (3) copying or saving contacts. Access to contact details is undoubtedly one of the more controversial app permissions. But the NPC appears to contradict itself here when it initially says app permissions may be allowed if for debt collection purposes, only to take away such possibility when the app permission happens to be access to a borrower’s “contact details”.

The Circular also has an unorthodox approach to app permissions, given the way it requires online apps to inform borrowers when they are already supposed to turn off or disallow specific permissions. In the case of phone camera access, for instance, it is initially allowed “for the exclusive purpose of KYC and preventing fraud.” Once the borrower’s photo has been obtained and saved on the app, the lending entity must either turn it off or inform the borrower that he may already do so. It would be interesting to know how receptive lending entities will be to these specific instructions, and how the NPC intends to enforce them.

Data Use

Processing personal data for purposes other than the primary one is allowed if such other purposes have a direct and objective link to the primary purpose. The policy doesn’t really say what it considers to be the primary purpose, but loan processing may be the safe bet. Still, what may be considered as a “direct and objective link” is susceptible to varying interpretations. If a lending entity wants to process the data for marketing or cross-selling, or wishes to share them with third parties to allow ads unrelated to loan processing, this may be permitted if based on any of the DPA’s criteria for lawful data processing.

The Circular specifically prohibits the use of personal data to engage in what the Securities and Exchange Commission (SEC) considers to be unfair collection practices. For whatever reason, it singles out the use of a borrower’s photo for debt collection-related harassment.

Other Notable Components

Here are a few other features (and non-features) of the Circular worth mentioning:

• Lending entities must give character referees the option to have their personal data removed as such, “if the same is feasible”. This, of course, begs the question: when is it ever feasible for a referee to have his personal data removed, considering its impact on the credit-worthiness of the borrower and/or the status of the debt?
• Once the Circular becomes effective, lending entities must immediately dispose of their borrowers’ contact lists. It isn’t clear if all other new requirements must also be implemented with the same sense of urgency. Also, what if there is a continuing need for the contact list, but not for debt collection or harassment purposes?
• When a law or regulation requires the disclosure of the credit data of a borrower, “the relevant provisions of the DPA shall apply”. This, too, is vague. Ordinarily, in a scenario like that, the disclosure will be allowed by the DPA. What are these provisions of the DPA that are so relevant this Circular has to allude to them in this context?
• There are no prescribed penalties for any violation of the Circular. Instead, the policy is rife with references to the DPA and the offenses listed there. How this will impact the effectiveness of this policy, time will certainly tell.
• The Circular does not also feature a provision dedicated solely to the definition of key concepts. For a quick guide, here are some of them and the Sections you may find them: (a) lending company [Section 1]; (b) financial companies [Section 1]; (c) personal information controllers [Section 2]; and (d) personal data [Section 2].

The six-page policy has other content, but most are featured already in the DPA, its Implementing Rules and Regulations, and other existing NPC issuances. Hence, their omission from this summary.

All in all, the Circular still leaves a lot of questions in its wake. This makes it difficult to gauge how much it would actually impact the lending industry and its practices—if at all. For sure, though, there are enough reasons to probe further into the measures it introduces. Will they actually curb the privacy risks they are meant to address, while still allowing legitimate businesses to operate and thrive in a fast-growing digital economy? Let’s hope so.

In the meantime, most people still have their eyes peeled for the outcome of the cases already filed with the NPC against erring lending entities. Their immediate resolution remains a true test of character for an agency still finding its way in the country’s dynamic regulatory landscape.
----------------------------

Jamael Jacob (@jamjacob) is a lawyer specializing in the field of law, ICT, and human rights. He works for the University Data Protection Office of the Ateneo de Manila University, the Foundation for Media Alternatives, and the LIGHTS Institute. The views expressed herein do not necessarily represent or reflect the views of the organizations he is currently affiliated with.