The Complaint
The complainant had an account with the Bank and the Bank granted him several credit facilities for various credit cards. The complainant had not made any default in meeting his payment obligation. However, he found that, without any prior notification to him, the Bank had made credit checks on him on a monthly basis, seven times in total, from June 2005 to January 2006. The complainant was of the view that such checking was excessive and unnecessary and therefore lodged a complaint with the Commissioner against the Bank for the aforesaid credit monitoring practice.
Findings of the Commissioner
The Commissioner took the view that the practice of the Bank, having monthly access to the credit data of the complainant held by TransUnion Limited, a credit reference agency, for credit monitoring, was in contravention of Data Protection Principles 1(1) and 1(2) due to the Bank’s failure to observe the provisions of the Code of Practice on Consumer Credit Data (the “Code”). The Bank’s act did not fall within the permitted circumstances under the provisions of the Code. As it was likely that the Bank would continue and repeat the practice, the Commissioner pursuant to section 50 of the Ordinance issued an Enforcement Notice requiring the Bank, inter alia, to cease the credit monitoring practice and to destroy all credit data of all customers obtained from TransUnion Limited through the practice. The Bank was dissatisfied with the Commissioner’s decision and appealed to the AAB.
The Appeal
The majority of the AAB considered that employment of the automated system by the Bank as a way to review the complainant’s credit facilities fell within the meaning of the Code. Though the review in the present case was so frequent that it became a monitoring exercise, that did not take away its character as a review of the complainant’s credit facilities for the purposes of increasing, decreasing or cancelling the credit amounts.
Further, the AAB thought that, for a prudent and responsible banker, it was not wrong for the Bank to undertake regular risk-based assessments and reviews of all credit facilities. It was a lawful purpose directly related to a function or activity of the Bank and was generally supported by the Hong Kong Monetary Authority, the Hong Kong Association of Banks and the DTC Association. There was nothing wrong with the Bank developing its own automated risk scoring model system using statistical formulae to analyze the credit information obtained. In such circumstances, it could not be said that the amount of information obtained was excessive or that the collection was unfair and unlawful.
The AAB's Decision
The appeal was allowed and the Enforcement Notice was set aside.
uploaded on web in March 2014