Bank refuses customer access to internal credit score
PIPEDA Case Summary #2002-63
[Principle 4.9, Schedule 1; section 9(3)(b)]
An individual complained that a bank had refused him access to his personal information, specifically his credit score.
Summary of Investigation
After reading an article on the subject, the complainant had written asking his bank for his credit score. The bank refused him access, citing the exemption provided in section 9(3)(b) of the Personal Information Protection and Electronic Documents Act. The bank's position was that to give customers their internal credit scores would be to reveal confidential commercial information in the form of the credit scoring model on which the scores were based.
The bank confirmed that it maintained an "account management" credit score in connection with the complainant's use of his credit card. The credit score in question was the bank's internal credit score. It had been generated not by a credit reporting agency's standardized credit scoring model, but rather by a customized model unique to the bank and incorporating its strategic business priorities.
In support of the proposition that its internal credit scoring models were confidential commercial information, the bank made three main arguments:
(1) A confidentiality agreement between the bank and the firm from which it licensed the models prohibited the disclosure of account management scores. The Commissioner noted that, unless the scores were determined to be exemptable under section 9(3)(b) or some other provision of the Act, the Act would supersede any such confidentiality agreement.
(2) Credit scoring models should be deemed confidential commercial information by reference to the factors commonly considered by the courts in determining what constitutes a "trade secret" or in distinguishing between "commercial" and "business" information. In this context, the bank demonstrated to the Commissioner's satisfaction that it and other financial institutions did genuinely regard their internal credit scoring models as proprietary, confidential commercial information, analogous to trade secrets, and did treat and protect them accordingly. The Commissioner noted that he found this argument particularly compelling in making his determinations.
(3) The experience of other jurisdictions is instructive and supports the bank's position that credit scores should not be released. The Commissioner noted that, though practices in other countries ought not determine what rules should apply in Canada or how our own Act should be interpreted, he had nevertheless found the experience of other jurisdictions helpful in satisfying him that the depiction of internal credit scoring models as confidential commercial information was neither fanciful nor disingenuous.
In support of the proposition that releasing internal credit scores could reveal the models by which they were generated, the bank presented a forensic analysis of the risk of fraud contingent upon the availability of credit scores. That analysis concluded that, if internal credit scores were readily available, the integrity of a credit scoring model could be compromised on the basis of a relatively small number of known scores generated by the model. The Commissioner's Office consulted an expert in the field of algorithms, who found this conclusion to be correct on the whole and affirmed that access to customized credit scores would definitely make it easier to approximate a bank's model.
Issued July 22, 2002
Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because banks are federal works, undertakings, or businesses as defined in the Act.
Application: Principle 4.9 states that, upon request, an individual must be informed of the existence, use, and disclosure of his or her personal information and must be given access to that information. Section 9(3)(b) is an exemption provision stipulating that an organization is not required to give access to personal information if to do so would reveal confidential commercial information.
The Commissioner was satisfied that the bank's internal credit scoring model was confidential commercial information. Moreover, on the cumulative basis of the submissions from this and an earlier case, he was persuaded in general that customized credit scoring models internal to financial institutions should in future be deemed confidential commercial information for purposes of the Act.
On the question whether the release of credit scores would reveal the model by which they were generated, the Commissioner found as follows:
- He noted that section 9(3)(b), by using the word "would" rather than "could" or "might", set a very high standard for justifying the withholding of personal information.
- Though willing to admit that it was technically possible to approximate a credit scoring model from knowledge of a few scores, he was not in the least persuaded that it would ever happen.
- Specifically, the bank's submissions had failed to convince him that fraudsters would actually go to the lengths described in the risk analysis to deceive a bank. He found it especially difficult to accept the apprehension, evidently shared by all Canadian banks, that even one's competitors in the credit-granting community would as a matter of course resort to such tactics in order to "crack" one another's credit scoring models and gain competitive advantage.
- Nevertheless, the fact remained that the bank had stated its belief and expressed its fear of inevitable fraud through manipulation of released credit scores and its mistrust of the competitive ethics of the credit-granting community. Having personally examined the bank's credit scoring model, he had no reason to suspect ulterior motives that might be contrary to the public interest, such as fear of giving rise to controversy or embarrassment for the bank.
- However unlikely it seemed to him that the release of credit scores would reveal the internal scoring model, it was undeniably a prospect that the Canadian banking community continued to take very seriously and that he himself was unable to refute. Moreover, he continued to see no significant harm ensuing to Canadians' privacy rights from the inability to obtain internal credit scores.
- Given his responsibility to achieve a balance between the privacy rights of individuals and the legitimate informational interests of organizations, he considered it only fair in the circumstances to accept the proposition that the release of internal credit scores would reveal the credit scoring model on which they were based.
The Commissioner found that, in citing the section 9(3)(b) exception for confidential commercial information to refuse the complainant access to his credit score, the bank had been acting in accordance with the Act.
He concluded that the complaint was not well-founded.
This finding is identical to the Commissioner's finding in a previous complaint against a different bank with regard to denied access to internal credit scores.