AI Opacity in the Financial Industry and How to Break It

doi:10.1017/9781009334297.007

4 - AI Opacity in the Financial Industry and How to Break It

from Part I - Automated Banks

Published online by Cambridge University Press: 16 November 2023

Zofia Bednarz and

Linda Przhedetsky

Edited by

Zofia Bednarz and

Monika Zalnieriute

Show author details

Zofia Bednarz: Affiliation:
University of Sydney
Monika Zalnieriute: Affiliation:
University of New South Wales, Sydney

Book contents

Summary

This chapter closes Part 1 by analysing how the opacity surrounding the use of AI and ADM tools by financial corporations is enabled, and even encouraged by the law. As other chapters in the book demonstrate, such opacity brings about significant risks to fundamental rights, consumer rights, and the rule of law. Analysing examples from jurisdictions including the US, UK, EU, and Australia, Bednarz and Przhedetsky unpack how financial entities often rely on rules and market practices protecting corporate secrecy such as complex credit scoring systems, proprietary rights to AI models and data, as well as the carve out of ‘non-personal’ information from data and privacy protection laws. The authors then focus on the rules incentivising the use of AI and ADM tools by financial entities, showing how they provide a shield behind which corporations can hide their consumer scoring and rating practices. The authors also explore potential regulatory solutions that could break the opacity and ensure transparency, introducing direct accountability and scrutiny of ADM and AI tools, and reducing the control of financial corporations over people’s data.

Keywords

AI opacity financial industry corporate secrecy credit scoring automated decision-making (ADM)accountability data and privacy

Type: Chapter
Information: Money, Power, and AI
Automated Banks and Automated States
, pp. 70 - 92

DOI: https://doi.org/10.1017/9781009334297.007 [Opens in a new window]

Publisher: Cambridge University Press

Print publication year: 2023
Creative Commons: This content is Open Access and distributed under the terms of the Creative Commons Attribution licence CC-BY-NC-ND 4.0 https://creativecommons.org/cclicenses/

4.1 Introduction

Automated Banks – the financial entities using ADM and AI – feed off the culture of secrecy that is pervasive and entrenched in automated processes across sectors from ‘Big Tech’ to finance to government agencies, allowing them to avoid scrutiny, accountability, and liability.Footnote ¹ As Pasquale points out, ‘finance industries profit by keeping us in the dark’.Footnote ²

An integral part of the financial industry’s business model is the use of risk scoring to profile consumers of financial services, for example in the form of credit scoring, which is a notoriously opaque process.Footnote ³ The use of non-transparent, almost ‘invisible’ surveillance processes and the harvesting of people’s data is not new: financial firms have always been concerned with collecting, aggregating, and combining data for the purposes of predicting the value of their customers through risk scoring.Footnote ⁴ AutomationFootnote ⁵ introduces a new level of opacity in the financial industry, for example through the creation of AI models for which explanations are not provided – either deliberately, or due to technical explainability challenges.Footnote ⁶

In this chapter we argue that the rise of AI and ADM tools contributes to opacity within the financial services sector, including through the intentional use of the legal system as a ‘shield’ to prevent scrutiny and blur accountability for harms suffered by consumers of financial services. A wealth of literature critiques the status quo, showing that consumers are disadvantaged by information asymmetries,Footnote ⁷ complicated consent agreements,Footnote ⁸ information overload,Footnote ⁹ and other tactics that leave consumers clueless if, when, and how they have been subject to automated systems. If consumers seek to access a product or service, it is often a requirement that they be analysed and assessed using an automated tool, for example, one that determines a credit score.Footnote ¹⁰ The potential harms are interlinked and range from financial exclusion to digital manipulation to targeting of vulnerable consumers and privacy invasions.Footnote ¹¹ In our analysis we are mostly concerned with discrimination as an example of such harm,Footnote ¹² as it provides a useful illustration of problems enabled by opacity, such as significant difficulty in determining if unfair discrimination has occurred at all, understanding the reasons for the decision affecting the person or group, and accessing redress.

The rules we examine will differ among jurisdictions, and our aim is not to provide a comprehensive comparative analysis of all laws that provide potential protections against scrutiny and increase the opacity of ADM-related processes of Automated Banks. We are interested in exploring certain overarching tendencies, using examples from various legal systems, and showing how financial firms may take advantage of the complex legal and regulatory frameworks applicable to their operations in relation to the use of AI and ADM tools.

As the use of AI and ADM continues to grow in financial services markets, consumers are faced with the additional challenge of knowing about, and considering how their ever-expanding digital footprint may be used by financial institutions. The more data exists about a person, the better their credit score (of course within certain limits, such as paying off debts on time).Footnote ¹³ The exact same mechanism may underpin ‘open banking’ schemes: consumers who do not have sufficient data – often vulnerable people, such as domestic violence victims, new immigrants, or Indigenous people – cannot share their data with financial entities, may be excluded from accessing some products or offered higher prices, even if their actual risk is low.Footnote ¹⁴

In Australia, consumers have claimed that they have been denied loans due to their use of takeaway food services and digital media subscriptions.Footnote ¹⁵ Credit rating agencies such as Experian explicitly state that they access data sources that reflect consumers’ use of new financial products, including ‘Buy Now Pay Later’ schemes.Footnote ¹⁶ As more advanced data collection, analysis, and manipulation technologies continue to be developed, there is potential for new categories of data to emerge. Already, companies can draw surprising inferences from big data. For example, studies have shown that seemingly trivial Facebook data can, with reasonable accuracy, predict a range of attributes that have not been disclosed by users: in one study, liking the ‘Hello Kitty’ page correlated strongly with a user having ‘[d]emocratic political views and to be of African-American origin, predominantly Christian, and slightly below average age’.Footnote ¹⁷

Unless deliberate efforts are made, both in the selection of data sets and the design and auditing of AMD tools, inferences and proxy data will continue to produce correlations that may result in discriminatory treatment.Footnote ¹⁸

This chapter proceeds as follows. We begin Section 4.2 with discussion of rules that allow corporate secrecy around AI models and their data sources to exist, focusing on three examples of such rules. We discuss the opacity of credit scoring processes and the limited explanations that consumers can expect in relation to a financial decision made about them (Section 4.2.1), trade secrecy laws (Section 4.2.2), and data protection rules which do not protect de-identified or anonymised information (Section 4.2.3). In Section 4.3 we analyse frameworks that incentivise the use of ADM tools by the financial industry, thus providing another ‘protective layer’ for Automated Banks, again discussing two examples: financial product governance regimes (Section 4.3.1) and ‘open banking’ rules (Section 4.3.2). The focus of Section 4.4 is on potential solutions. We argue it is not possible for corporate secrecy and consumer rights to coexist, and provide an overview of potential regulatory interventions, focusing on preventing Automated Banks from using harmful AI systems (Section 4.4.1), aiding consumers understand when ADM is used (Section 4.4.2), and facilitating regulator monitoring and enforcement (Section 4.4.3). The chapter concludes with Section 4.5.

4.2 Rules That Allow Corporate Secrecy to Exist

4.2.1 Opacity of Credit Scoring and the (Lack of) Explanation of Financial Decisions

Despite their widespread use in the financial industry, credit scores are difficult for consumers to understand or interpret. A person’s credit risk has traditionally been calculated based on ‘three C’s’: collateral, capacity, and character.Footnote ¹⁹ Due to the rise of AI and ADM tools in the financial industry, the ‘three C’s’ are increasingly being supplemented and replaced by diverse categories of data.Footnote ²⁰ An interesting example can be found through FICO scores, which are arguably the first large-scale process in which automated computer models replaced human decision-making.Footnote ²¹ FICO, one of the best-known credit scoring companies,Footnote ²² explains that their scores are calculated according to five categories: ‘payment history (35%), amounts owed (30%), length of credit history (15%), new credit (10%), and credit mix (10%)’.Footnote ²³ These percentage scores are determined by the company to give consumers an understanding of how different pieces of information are weighted in the calculation of a score, and the ratios identified within FICO scores will not necessarily reflect the weightings used by other scoring companies. Further, while FICO provides a degree of transparency, the ways in which a category such as ‘payment history’ is calculated remains opaque: consumers are not privy to what is considered a ‘good’ or a ‘bad’ behaviour, as represented by data points in their transaction records.Footnote ²⁴

Globally, many credit scoring systems (both public and private) produce three-digit numbers within a specified range to determine a consumer’s creditworthiness. For example, privately operated Equifax and Trans Union Empirica score consumers in Canada between 300 and 900,Footnote ²⁵ whereas credit bureaus in Brazil score consumers between 1 and 1,000.Footnote ²⁶ In an Australian context, scores range between 0 and 1,000, or 1,200, depending on the credit reporting agency.Footnote ²⁷ By contrast, other jurisdictions use letter-based ratings, such as Singapore’s HH to AA scale which corresponds with a score range of 1,000–2,000,Footnote ²⁸ or blacklists, such as Sweden’s payment default records.Footnote ²⁹

Credit scoring, it turns out, is surprisingly accurate in predicting financial breakdowns or future loan delinquency,Footnote ³⁰ but the way different data points are combined by models is not something even the model designer can understand using just intuition.Footnote ³¹ Automated scoring processes become even more complex as credit scoring companies increasingly rely on alternative data sources to assess consumers’ creditworthiness, including ‘predictions about a consumer’s friends, neighbors, and people with similar interests, income levels, and backgrounds’.Footnote ³² And a person’s credit score is just one of the elements lenders, Automated Banks, feed into their models to determine a consumer’s risk score. It has been reported that college grades, and the time of day an individual applies for a loan have been used to determine a person’s access to credit.Footnote ³³ These types of data constitute ‘extrinsic data’ sources, which consumers are unknowingly sharing.Footnote ³⁴

The use of alternative data sources is purported as a way of expanding consumers’ access to credit in instances where there is a lack of quality data (such as previous loan repayment history) to support the underwriting of consumers’ loan.Footnote ³⁵ Applicants are often faced with a ‘Catch-22 dilemma: to qualify for a loan, one must have a credit history, but to have a credit history one must have had loans’.Footnote ³⁶ This shows how ADM tools offer more than just new means to analyse greater than ever quantities of data: they also offer a convenient excuse for Automated Banks to effectively use more data.

Of course, increasing reliance on automated risk scoring is not the origin of unlawful discrimination in financial contexts. However, it is certainly not eliminating discriminatory practices either: greater availability of more granular data, even when facially neutral, leads to reinforcing of existing inequalities.Footnote ³⁷ Automated Banks have been also shown to use alternative data to target more vulnerable consumers, who they were not able to reach or identify when only using traditional data on existing customers.Footnote ³⁸ The quality change that AI tools promise to bring is to ‘make the data talk’: all data is credit data, if we have the right automated tools to analyse them.Footnote ³⁹

Collection, aggregation, and use of such high volumes of data, including ‘extrinsic data’, also make it more difficult, if not impossible, for consumers to challenge financial decisions affecting them. While laws relating to consumer lending (or consumer financial products in general) in most jurisdictions provide that some form of explanation of a financial decision needs to be made available to consumers,Footnote ⁴⁰ these rules will rarely be useful in the context of ADM and AI tools used in processes such as risk scoring.

This is because AI tools operate on big data. Too many features of a person are potentially taken into account for any feedback to be meaningful. The fact that risk scores and lending decisions are personalised make it even more complicated for consumers to compare their offer with anyone else’s. This can be illustrated by the case of Apple credit card,Footnote ⁴¹ which has shown the complexity of investigation necessary for people to be able to access potential redress: when applying for personalised financial products, consumers cannot immediately know what features are being taken into account by financial firms assessing their risk, and subsequent investigation by regulators or courts may be required.Footnote ⁴² The lack of a right to meaningful explanation of credit scores and lending decisions based on the scores makes consumers facing Automated Banks and the automated credit scoring system quite literally powerless.Footnote ⁴³

4.2.2 Trade Secrets and ADM Tools in Credit Scoring

The opacity of credit scoring, or risk scoring more generally, and other automated assessment of clients that Automated Banks engage in, is enabled by ADM tools which ‘are highly valuable, closely guarded intellectual property’.Footnote ⁴⁴ Complementing the limited duty to provide explanation of financial decisions to consumers, trade secrets laws allow for even more effective shielding of the ADM tools from scrutiny, including regulators’ and researchers’ scrutiny.

While trade secrets rules differ between jurisdictions, the origin and general principles that underpin these rules are common across all the legal systems: trade secrets evolved as a mechanism to protect diverse pieces of commercial information, such as formulas, devices, or patterns from competitors.Footnote ⁴⁵ These rules fill the gap where classic intellectual property law, such as copyright and patent law, fails – and it notably fails in relation to AI systems, since algorithms are specifically excluded from its protection.Footnote ⁴⁶ Recent legal developments, for example the European Union Trade Secrets Directive,Footnote ⁴⁷ or the US Supreme Court case of Alice Corp. v CLS Bank,Footnote ⁴⁸ mean that to protect their proprietary technologies, companies are now turning to trade secrets.Footnote ⁴⁹ In practice, this greatly reduces the transparency of the ADM tools used: if these cannot be protected through patent rights, they need to be kept secret.Footnote ⁵⁰

The application of trade secrets rules leads to a situation in which financial entities, for example lenders or insurers, who apply third party automated tools to assess creditworthiness of their prospective clients might not be able to access the models and data they use. Using third party tools is a common practice, and the proprietary nature of the tools and data used to develop and train the models will mean financial entities using these tools may be forced to rely on the supplier’s specifications in relation to their fairness as they may not be able to access the code themselves.Footnote ⁵¹

Secrecy of ADM tools of course has implications for end users, who will be prevented from challenging credit models, and is also a barrier for enforcement and research.Footnote ⁵² Trade secret protections apply not only to risk scoring models, but often extend also to data sets and inferences generated from information provided by individuals.Footnote ⁵³ Commercial entities openly admit they ‘invest significant amounts of time, money and resources’ to draw inferences about individuals ‘using […] proprietary data analysis tools’, a process ‘only made possible because of the [companies’] technical capabilities and value add’.Footnote ⁵⁴ This, they argue, makes the data sets containing inferred information a company’s intellectual property.Footnote ⁵⁵

The application of trade secrets rules to credit scoring in a way that affects the transparency of the financial system is not exactly new: ‘[t]he trade secrecy surrounding credit scoring risk models, and the misuse of the models coupled with the lack of governmental control concerning their use, contributed to a financial industry wide recession (2007–2008)’.Footnote ⁵⁶

In addition to trade secrets laws, a sui generis protection of source code of algorithms is being introduced in international trade law through free trade agreements,Footnote ⁵⁷ which limit governments from mandating access to the source code. The members of the World Trade Organization (WTO) are currently negotiating a new E-commerce trade agreement, which may potentially include a prohibition on government-mandated access to software source code.Footnote ⁵⁸ WTO members, including Canada, the EU, Japan, South Korea, Singapore, Ukraine, and the United States support such a prohibition,Footnote ⁵⁹ which in practice will mean a limited ability for states to adopt laws that would require independent audits of AI and ADM systems.Footnote ⁶⁰ It is argued that adoption of the WTO trade agreement could thwart the adoption of the EU’s AI Act,Footnote ⁶¹ demonstrating how free trade agreements can impose another layer of rules enhancing the opacity of AI and ADM tools.

4.2.3 ‘Depersonalising’ Information to Avoid Data and Privacy Protection Laws: Anonymisation, De-identification, and Inferences

Automated Banks’ opacity is enabled by the express exclusion of ‘anonymised’ or ‘de-identified’ data from the scope of data and privacy protection laws such as the GDPR.Footnote ⁶² In its Recital 26, the GDPR defines anonymised information as not relating to ‘an identified or identifiable natural person’ or as ‘data rendered anonymous in such a manner that the data subject is not or no longer identifiable’. This allows firms to engage in various data practices, which purport to use anonymised data.Footnote ⁶³ They argue they do not collect or process ‘personal information’, thus avoiding the application of the rules, and regulatory enforcement.Footnote ⁶⁴ Also, consumers to whom privacy policies are addressed believe that practices focusing on information that does not directly identify them have no impact on their privacy.Footnote ⁶⁵ This in turn may mean privacy policies are misrepresenting data practices to consumers, which could potentially invalidate their consent.Footnote ⁶⁶

There is an inherent inconsistency between privacy and data protection rules and the uses and benefits that ADM tools using big data analytics promise. Principles of purpose limitation and data minimisationFootnote ⁶⁷ require entities to delimit, quite strictly and in advance, how the data collected are going to be used, and prevent them from collecting and processing more data than necessary for that specific purpose. However, this is not how big data analytics, which fuels ADM and AI models, works.Footnote ⁶⁸ Big data means that ‘all data is credit data’, incentivising the Automated Banks to collect as much data as possible, for any possible future purpose, potentially not known yet.Footnote ⁶⁹ The exclusion of anonymised or de-identified data from the scope of the protection frameworks opens doors for firms to take advantage of enhanced analytics powered by new technologies. The contentious question is at which point information becomes, or ceases to be, personal information. If firms purchase, collect, and aggregate streams of data, producing inferences allowing them to describe someone in great detail, including their age, preferences, dislikes, size of clothes they wear and health issues they suffer from, their household size and income level,Footnote ⁷⁰ but do not link this profile to the person’s name, email, physical address, or IP address – would it be personal information? Such a profile, it could be argued, represents a theoretical, ‘model’ person or consumer, built for commercial purposes through aggregation of demographic and other information available.Footnote ⁷¹

De-identified data may still allow a financial firm to achieve more detailed segmentation and profiling of their clients. There are risks of harms in terms of ‘loss of privacy, equality, fairness and due process’ even when anonymised data is used.Footnote ⁷² Consumers are left unprotected against profiling harms due to such ‘narrow interpretation of the right to privacy as the right to anonymity’.Footnote ⁷³

There is also discussion as to the status of inferences under data and privacy protection laws. Credit scoring processes are often based on inferences, where a model predicts someone’s features (and ultimately their riskiness or value as a client) on the basis of other characteristics that they share with others deemed risky by the model.Footnote ⁷⁴ AI models may thus penalise individuals for ‘shopping at low-end stores’, membership in particular communities or families, and affiliations with certain political, religious, and other groups.Footnote ⁷⁵ While AI-powered predictions about people’s characteristics are often claimed to be more accurate than those made by humans,Footnote ⁷⁶ they may also be inaccurate.Footnote ⁷⁷ The question is if such inferences are considered personal information protected by privacy and data laws.

Entities using consumers’ data, such as technology companies, are resisting against expressly including inferred information in the scope of data and privacy protections. For example, Facebook openly admitted that ‘[t]o protect the investment made in generating inferred information and to protect the inferred information from inappropriate interference, inferred information should not be subject to all of the same aspects of the [Australian Privacy Act] as personal information’.Footnote ⁷⁸ The ‘inappropriate interference’ they mention refers to extending data correction and erasure rights to inferred information.

Second, there is an inherent clash between the operation of privacy and data protection rules and the inference processes AI tools are capable of carrying out. Any information, including sensitive information, may be effectively used by an ADM system, even though it only materialises as an internal encoding of the model and is not recorded in a human understandable way. The lack of explicit inclusion of inferred information, and its use, within the privacy and data protection frameworks provides another layer of opacity shielding financial firms (as well as other entities) from scrutiny of their ADM tools.

When information is ‘depersonalised’ in some way: de-identified on purpose through the elimination of strictly personal identifiers,Footnote ⁷⁹ through use of anonymous ‘demographic’ data, through ‘pseudonymisation’ practices, or because it is inferred from data held (either personal or already de-identified), the result is the same – privacy and data protection rules do not apply. The firms take advantage of that exclusion, sometimes balancing on the thin line between legal and illegal data processing, making their data practices non-transparent to avoid scrutiny by consumers and regulators.

As a US judge in a recent ruling put it: ‘[i]t is well established that there is an undeniable link between race and poverty, and any policy that discriminates based on credit worthiness correspondingly results in a disparate impact on communities of color’.Footnote ⁸⁰ The data used in large-scale AI and ADM models is often de-identified or anonymised, but it inherently mirrors historical inequalities and biases, thus allowing the Automated Banks to claim impartiality and avoid responsibility for the unfairness of data used.

The reason why privacy and data protection rules lack clear consideration of certain data practices and processes enabled by AI may be due to these tools and processes being relatively new and poorly understood phenomena.Footnote ⁸¹ This status quo is however very convenient for the companies, who will often raise the argument that ‘innovation’ will suffer if more stringent regulation is introduced.Footnote ⁸²

4.3 Rules That Incentivise the Use of ADM Tools by Financial Entities

In addition to offering direct pathways allowing Automated Banks to evade scrutiny of their AI and ADM models, legal systems and markets in the developed world have also evolved to incentivise the use of automated technology by financial entities. In fact, the use of ADM and AI tools is encouraged, or sometimes even mandated,Footnote ⁸³ by legal and regulatory frameworks. After all, the fact that they are told to either use the technology, or to achieve outcomes that can effectively only be reached with the application of the tools in question, provides a basis for a very convenient excuse. Though this is mainly an unintended effect of the rules, it should not be ignored.

In this section, we discuss two examples of rules that increase the secrecy of AI or ADM tools used in the context of risk scoring: financial products governance rules and ‘open banking’ regimes.

4.3.1 Financial Products Governance Rules

Financial firms have always been concerned with collecting and using data about their consumers, to differentiate between more and less valuable customers. For example, insurance firms, even before AI profiling tools were invented (or at least before they were applied at a greater scale) were known to engage in practices referred to as ‘cherry-picking’ and ‘lemon-dropping’, setting up firms’ offices at higher floors in buildings with no lifts, so that it would be harder for disabled (potential) clients to reach them.Footnote ⁸⁴ There is a risk that the widespread data profiling and use of AI tools may exacerbate issues relating to consumers’ access to financial products and services. AI tools may introduce new or replicate historical biases present in data,Footnote ⁸⁵ doing so more efficiently, in a way that is more difficult to discover, and at a greater scale than was possible previously.Footnote ⁸⁶

An additional disadvantage resulting from opaque risk scoring systems is that consumers may miss out on the opportunity to improve their score (for example, through the provision of counterfactual explanations, or the use of techniques including ‘nearby possible worlds’).Footnote ⁸⁷ In instances where potential customers who would have no trouble paying back loans are given low risk scores, two key issues arise: first, the bank misses out on valuable customers, and second, there is a risk that these customers’ rejections, if used as input data to train the selection algorithm, will reinforce existing biases.Footnote ⁸⁸

Guaranteeing suitability of financial services is a notoriously complicated task for policymakers and regulators. With disclosure duties alone proving largely unsuccessful in addressing the issue of consumers being offered financial products that are unfit for purpose, policymakers in a number of jurisdictions, such as the EU and its Member States, the United Kingdom, Hong Kong, Australia, and Singapore, have started turning to product governance regimes.Footnote ⁸⁹ An important component of these financial product governance regimes is an obligation placed on financial firms, which issue and distribute financial products, to ensure their products are fitness-for-purpose and to adopt a consumer-centric approach in design and distribution of the products. In particular, a number of jurisdictions require financial firms to delimit the target market for their financial products directed at retail customers, and ensure the distribution of the products within this target market. Such target market is a group of consumers of a certain financial product who are defined by some general characteristics.Footnote ⁹⁰

Guides issued by regulators, such as the European Securities and Markets AuthorityFootnote ⁹¹ and the Australian Securities and Investment Commission,Footnote ⁹² indicate which consumers’ characteristics are to be taken into account by financial firms. The consumers for whom the product is intended are to be identified according to their ‘likely objectives, financial situation, and needs’,Footnote ⁹³ or five ‘categories’: the type of client, their knowledge and experience, financial situation, risk tolerance, and objective and needs.Footnote ⁹⁴ For issuers or manufacturers of financial products these considerations are mostly theoretical: as they might not have direct contact with clients, they need to prepare a potential target market, aiming at theoretical consumers and their likely needs and characteristics.Footnote ⁹⁵ Both issuers and distributors need to take reasonable steps to ensure that products are distributed within the target market, which then translates to the identification of real consumers with specific needs and characteristics that should be compatible with the potential target markets identified. Distributors have to hold sufficient information about their end clients to be able to assess if they can be included in the target market,Footnote ⁹⁶ including:

– indicators about the likely circumstances of the consumer or a class of consumers (e.g. concession card status, income, employment status);

– reasonable inferences about the likely circumstances of the consumer or a class of consumers (e.g. for insurance, information inferred from the postcode of the consumer’s residential address); or

– data that the distributor may already hold about the consumer or similar consumers, or results derived from analyses of that data (e.g. analysis undertaken by the distributor of common characteristics of consumers who have purchased a product).Footnote ⁹⁷

Financial products governance frameworks invite financial firms to collect data on consumers’ vulnerabilities. For example in Australia, financial firms need to consider vulnerabilities consumers may have, such as those resulting from ‘personal or social characteristics that can affect a person’s ability to manage financial interactions’,Footnote ⁹⁸ as well as those brought about by ‘specific life events or temporary difficulties’,Footnote ⁹⁹ in addition to vulnerabilities stemming from the product design or market actions.

The rationale of product governance rules is to protect financial consumers, including vulnerable consumers,Footnote ¹⁰⁰ yet the same vulnerable consumers may be disproportionately affected by data profiling, thus inhibiting their access to financial products. Financial law is actively asking firms to collect even more data about their current, prospective, and past customers, as well as the general public. It provides more than a convenient excuse to carry out digital profiling and collect data for even more precise risk scoring – it actually mandates this.

4.3.2 How ‘Open Banking’ Increases Opacity

Use of AI and ADM tools, together with ever-increasing data collection feeding the data hungry models,Footnote ¹⁰¹ is promoted as beneficial to consumers and markets, and endorsed by companies and governments. Data collection is thus held out as a necessary component of fostering AI innovation. Companies boast how AI insights allow them to offer personalised services, ‘tailored’ to individual consumer’s needs. McKinsey consulting firm hails ‘harnessing the power of external data’ noting how ‘few organizations take full advantage of data generated outside their walls. A well-structured plan for using external data can provide a competitive edge’.Footnote ¹⁰²

Policymakers use the same rhetoric of promoting ‘innovation’ and encourage data collection through schemes such as open banking.Footnote ¹⁰³ The aim of open banking is to give consumers the ability to direct companies that hold financial data about themselves to make it available to financial (or other) companies of the consumer’s choice. Thus, it makes it possible for organisations to get access to consumers’ information they could never get from a consumer directly, such as for example their transaction data for the past ten years.

Jurisdictions such as the EU, United Kingdom, Australia, and Hong Kong have recently adopted regulation promoting open banking, or ‘open finance’ more generally.Footnote ¹⁰⁴ The frameworks are praised by the industry as ‘encourag[ing] the development of innovative products and services that help consumers better engage with their finances, make empowered decisions and access tailored products and services’.Footnote ¹⁰⁵

While open banking is making it possible for financial firms to develop new products for consumers, the jury is still out as to the scheme’s universally positive implications for consumers and markets.Footnote ¹⁰⁶ One thing that is clear, however, is that because of its very nature, open banking contributes to information and power asymmetry between consumers and Automated Banks.

Traditionally, in order to receive a financial product, such as a loan or an insurance product, consumers would have to actively provide relevant data, answering questions or prompts, in relation to their income, spending, age, history of loan repayments, and so on. Open banking – or open finance more broadly – means that consumers can access financial products without answering any questions. But these questions provided a level of transparency to consumers: they knew what they were being asked, and were likely to understand why they were being asked such questions. But when an individual shares their ‘bulk’ data, such as their banking transaction history, through the open banking scheme, do they really know what a financial firm is looking for and how it is being used? At the same time, in such a setting, consumers are deprived of control over which data to share (for example, they cannot just hide transaction data on payments they made to merchants such as liquor stores or pharmacies). The transparency for financial firms when data is shared is therefore significantly higher than in ‘traditional’ settings – but for consumers the process becomes more opaque.Footnote ¹⁰⁷

4.4 Can Corporate Secrecy Coexist with Consumer Rights? Possible Regulatory Solutions

ADM tools contribute to maintaining corporate secrecy of Automated Banks, and as we argue in this chapter, legal systems perpetuate, encourage, and feed the opacity further. The opacity then increases the risk of consumer harm, such as discrimination, which is more difficult to observe, and more challenging to prove.

In this section we provide a brief outline of potential interventions that may protect against AI-facilitated harms, particularly if applied synchronously. This discussion does not aim to be exhaustive, but rather aims to show something can be done to combat the opacity and resulting harms.

Interventions described in academic and grey literature can be divided into three broad categories: (1) regulations that prevent businesses from using harmful AI systems in financial markets, (2) regulations that aid consumers to understand when ADM systems are used in financial markets, and (3) regulations that facilitate regulator monitoring and enforcement against AI-driven harms in financial markets. Approaches to design (including Transparency by DesignFootnote ¹⁰⁸) are not included in this list, and while they may contribute to improved consumer outcomes, they are beyond the scope of this chapter.

The somewhat provocative title of this section asks if corporate secrecy is the real source of the AI-related harms in the described context. The interventions outlined below focus on preventing harms, but can the harms really be prevented if the opacity of corporate practices and processes is not addressed first? Corporate secrecy is the major challenge to accountability and scrutiny, and consumer rights, including right to non-discrimination, cannot be guaranteed in an environment as opaque as it currently is. We submit that the regulatory interventions urgently needed are the ones that prevent secrecy first and foremost. AI and ADM tools will continue to evolve, and technology as such is not a good regulatory targetFootnote ¹⁰⁹ – the focus must be on harm prevention. Harms can only be prevented if the practices of financial firms, such as credit scoring discussed in this chapter, are transparent and easily monitored both by regulators and consumers.

4.4.1 Preventing Automated Banks from Designing Harmful AI Systems

International and national bodies in multiple jurisdictions have recently adopted, or are currently debating, various measures with an overarching aim of protecting consumers from harm. For example, the US Federal Trade Commission has provided guidance to businesses using AI, explaining that discriminatory outcomes resulting from the use of AI would contravene federal law.Footnote ¹¹⁰ The most comprehensive approach to limiting the use of particular AI tools can be found in the EU’s proposed Artificial Intelligence Act. Its Recital 37 specifically recommends that ‘AI systems used to evaluate the credit score or creditworthiness of natural persons should be classified as high-risk AI systems’. This proposal is a step towards overcoming some opaque practices, through the provision of ‘clear and adequate information to the user’ along with other protections that enable authorities to scrutinise elements of ADM tools in high-risk contexts.Footnote ¹¹¹ Early criticisms of the proposed Act note that while a regulatory approach informed by the context in which ADM is used has some merit, it does not cover potentially harmful practices such as emotion recognition and remote biometric identification,Footnote ¹¹² which could be used across a range of contexts, generating data sets that may later be used in other markets such as financial services.

An alternative approach to regulating AI systems before they are used in markets is to limit the sources of information that can be used by ADM tools, or restrict the ways in which information can be processed. In addition to privacy protections, some jurisdictions have placed limitations on the kinds of information that can be used to calculate a credit score. For example, in Denmark, the financial services sector can use consumers’ social media data for marketing purposes but is explicitly prohibited from using this information to determine creditworthiness.Footnote ¹¹³ Similarly, the EU is considering a Directive preventing the use of personal social media and health data (including cancer data) in the determination of creditworthiness.Footnote ¹¹⁴ Such prohibitions are, however, a rather tricky solution: it may be difficult for the regulation to keep up with a growing list of data that should be excluded from analysis.Footnote ¹¹⁵ One way of overcoming this challenge would be to avoid focusing on restricted data sources, and instead create a list of acceptable data sources, which is a solution applied for example in some types of health insurance.Footnote ¹¹⁶

Imposing limits on how long scores can be kept and/or relied on by Automated Banks is another important consideration. In Australia, credit providers are bound by limits that stipulate the length of time that different pieces of information are held on a consumer’s file: credit providers may only keep financial hardship information for twelve months from the date the monthly payment was made under a financial hardship arrangement, whereas court judgements may be kept on record for five years after the date of the decision.Footnote ¹¹⁷ In Denmark, where the credit reporting system operates as a ‘blacklist’ of people deemed more likely to default, a negative record (for instance, an unpaid debt) is deleted after five years, regardless of whether or not the debt has been paid.Footnote ¹¹⁸ A challenge with these approaches is that the amount of time particular categories of data may be kept may not account for proxy data, purchased data sets, and/or proprietary scoring and profiling systems that group consumers according to complex predictions that are impossible to decode.

4.4.2 Aiding Consumers Understand When ADM Systems Are Used in Financial Services

Despite the development of many principles-based regulatory initiatives by governments, corporates, and think tanks,Footnote ¹¹⁹ few jurisdictions have legislated protections that require consumers to be notified if and when they have been assessed by an automated system.Footnote ¹²⁰ In instances where consumers are notified, they may be unable to receive an understandable explanation of the decision-making process, or to seek redress through timely and accessible avenues.

Consumers face a number of challenges in navigating financial markets, such as understanding credit card repayment requirementsFootnote ¹²¹ and failing to accurately assess their credit.Footnote ¹²² For individuals, it is crucial to understand how they are being scored, as this will make it possible for them to be able to identify inaccuracies,Footnote ¹²³ and question decisions made about them. Credit scoring is notoriously opaque and difficult to understand, so consumers are likely to benefit from requirements for agencies to simplify and harmonise how scores are presented.Footnote ¹²⁴An example of a single scoring system can be found in Sri Lanka, where credit ratings, or ‘CRIB Scores’ are provided by the Central Information Bureau of Sri Lanka, a public-private partnership between the nation’s Central Bank and a number of financial institutions that hold equity in the Bureau. The Bureau issues CRIB Score reports to consumers in a consistent manner, utilising an algorithm to produce a three-digit number ranging from 250 to 900.Footnote ¹²⁵ In Sri Lanka’s case, consumers are provided with a singular rating from a central agency, and although this rating is subject to change over time, there is no possibility of consumers receiving two different credit scores from separate providers.

Providing consumers with the opportunity to access their credit scores is another (and in many ways complementary) regulatory intervention. A number of jurisdictions provide consumers with the option to check their credit report and/or credit score online. For example, consumers in CanadaFootnote ¹²⁶ and AustraliaFootnote ¹²⁷ are able to access free copies of their credit reports by requesting this information directly from major credit bureaus. In Australia, consumers are able to receive a free copy of their credit report once every three months.Footnote ¹²⁸

However, such approaches have important limitations. Credit ratings are just one of many automated processes within the financial services industry. Automated Banks, with access to enough data, can create their own tools going outside the well-established credit rating systems. Also, it is consumers who are forced to carry the burden of correcting inaccurate information which is used to make consequential decisions about them, while often being required to pay for the opportunity to do so.Footnote ¹²⁹

In addition, explainability challenges are faced in every sector that uses AI, and there is considerable investigation ahead to determine the most effective ways of explaining automated decisions in financial markets. It has been suggested that a good explanation is provided when the receiver ‘can no longer keep asking why’.Footnote ¹³⁰ The recent EU Digital Services ActFootnote ¹³¹ emphasises such approach by noting that recipients of online advertisements should have access to ‘meaningful explanations of the logic used’ for ‘determining that specific advertisement is to be displayed to them’.Footnote ¹³²

Consumer experience of an AI system will depend on a number of parameters, including format of explanations (visual, rule-based, or highlighted key features), their complexity and specificity, application context, and variations suiting users’ cognitive styles (for example, providing some users with more complex information, and others with less).Footnote ¹³³ The development of consumer-facing explainable AI tools is an emerging area of research and practice.Footnote ¹³⁴

A requirement of providing meaningful feedback to consumers, for example, through counterfactual demonstrations,Footnote ¹³⁵ would make it possible for individuals to understand what factors they might need to change to receive a different decision. It would also be an incentive for Automated Banks to be more transparent.

4.4.3 Facilitating Regulator Monitoring and Enforcement of ADM Harms in Financial Services

The third category of potential measures relies on empowering regulators, thus shifting the burden away from consumers. For example, regulators need to be able to ‘look under the hood’ of any ADM tools, including these of proprietary character.Footnote ¹³⁶ This could be in a form of using explainable AI tools, access to raw code, or ability to use dummy data to test the model. A certification scheme, such as quality standards, is another option, the problem however is the risk of ‘set and forget approach’. Another approach to providing regulators insight into industry practices is the establishment of regulatory sandboxes, which nevertheless have limitations.Footnote ¹³⁷

Financial institutions could also be required to prove a causal link between the data that they use to generate consumer scores, and likely risk. Such approach would likely reduce the use of certain categories of data, where correlations between data points would not be supported by a valid causal relationship. For example, Android phone users are reportedly safer drivers than iPhone users,Footnote ¹³⁸ but such rule would prevent insurers from taking this into account when offering a quote on car insurance (while we do not suggest they are currently doing so, in many legal systems they could). In practice, some regulators are looking at this solution. For example, while not going as far as requiring direct causal link, the New York State financial regulator requires a ‘valid explanation or rationale’ for underwriting of life insurance, where external data or external predictive models are used.Footnote ¹³⁹ However, such approach could result in encouraging financial services providers to collect more data, just to be able to prove the causal link,Footnote ¹⁴⁰ which may again further disadvantage consumers and introduce more, not less, opacity.

4.5 Conclusions

Far from being unique to credit scoring, the secrecy of ADM tools is a problem affecting multiple sectors and industries.Footnote ¹⁴¹ Human decisions are also unexplainable and opaque, and ADM tools are often made out to be a potential, fairer and more transparent, alternative. But the problem is secrecy increases, not decreases, with automation.Footnote ¹⁴²

There are many reasons for this, including purely technological barriers to explainability. But also, it is obviously cheaper and easier not to design and use transparent systems. As we argue in this chapter, opacity is a choice made by organisations, often on purpose, as it allows them to evade scrutiny and hide their practices from the public and regulators. Opacity of ADM and AI tools used is a logical consequence of the secrecy of corporate practices.

Despite many harms caused by opacity, the legal systems and market practice have evolved to enable or even promote that secrecy surrounding AI and ADM tools, as we have discussed using examples of rules applying to Automated Banks. However, the opacity and harms could be prevented with some of the potential solutions which we have discussed in this chapter. The question is whether there is sufficient motivation to achieve positive social impact with automated tools, without just focusing on optimisation and profits.

Footnotes

^* The authors would like to thank Arundhati Suma Ajith for excellent research assistance.

¹ Frank Pasquale, The Black Box Society (Cambridge: Harvard University Press, 2015) 187.

² Footnote Ibid.

³ Janine S Hiller and Lindsay Sain Jones, ‘Who’s Keeping Score?: Oversight of Changing Consumer Credit Infrastructure’ (2022) 59(1) American Business Law Journal 61, 104.

⁴ Pernille Hohnen, Michael Ulfstjerne, and Mathias Sosnowski Krabbe, ‘Assessing Creditworthiness in the Age of Big Data: A Comparative Study of Credit Score Systems in Denmark and the US’ (2021) 5(1) Journal of Extreme Anthropology 29, 34–35.

⁵ Solon Barocas and Andrew D Selbst, ‘Big Data’s Disparate Impact’ (2016) 104(3) California Law Review 671, 673–77.

⁶ Alejandro Barredo Arrieta et al, ‘Explainable Artificial Intelligence (XAI): Concepts, Taxonomies, Opportunities and Challenges toward Responsible AI’ (2020) 58 Information Fusion 82, 99–101.

⁷ Peter Cartwright, ‘Understanding and Protecting Vulnerable Financial Consumers’ (2014) 38(2) Journal of Consumer Policy 119, 121–23.

⁸ Frederik Borgesius, ‘Consent to Behavioural Targeting in European Law: What Are the Policy Implications of Insights from Behavioural Economics?’ (Conference Paper for Privacy Law Scholars Conference, Berkeley, CA, 6–7 June 2013).

⁹ Petra Persson, ‘Attention Manipulation and Information Overload’ (2018) 2(1) Behavioural Public Policy 78.

¹⁰ Andrew Grant and Luke Deer, ‘Consumer Marketplace Lending in Australia: Credit Scores and Loan Funding Success’ (2020) 45(4) Australian Journal of Management 607.

¹¹ Zofia Bednarz and Kayleen Manwaring, ‘Risky Business: Legal Implications of Emerging Technologies Affecting Consumers of Financial Services’ in Dariusz Szostek and Mariusz Zalucki (eds), Internet and New Technologies Law: Perspectives and Challenges (Baden: Nomos, 2021) 59–74.

¹² Aaron Klein, Brookings Institution, Reducing Bias in AI-Based Financial Services (Report, 10 July 2020) <www.brookings.edu/research/reducing-bias-in-ai-based-financial-services/>.

¹³ Hohnen et al, ‘Assessing Creditworthiness’, 36.

¹⁴ Zofia Bednarz, Chris Dolman, and Kimberlee Weatherall, ‘Insurance Underwriting in an Open Data Era – Opportunities, Challenges and Uncertainties’ (Actuaries Institute 2022 Summit, 2–4 May 2022) 10–12 <https://actuaries.logicaldoc.cloud/download-ticket?ticketId=09c77750-aa90-4ba9–835e-280ae347487b>.

¹⁵ Su-Lin Tan, ‘Uber Eats, Afterpay and Netflix Accounts Could Hurt Your Home Loan Application’ (5 December 2018) Australian Financial Review <www.afr.com/property/uber-eats-afterpay-and-netflix-accounts-could-hurt-your-home-loan-application-20181128-h18ghz>.

¹⁶ ‘Credit Bureau’, Experian Australia (Web Page) <www.experian.com.au/business/solutions/credit-services/credit-bureau>. ‘Secured from critical sectors of the Australian credit industry as well as from niche areas such as Specialty Finance data, short-term loans (including Buy Now Pay Later) and consumer leasing, enabling a more complete view of your customers’.

¹⁷ Michal Kosinski, David Stillwell, and Thore Graepel, ‘Private Traits and Attributes Are Predictable from Digital Records of Human Behavior’ (2013) 110 Proceedings of the National Academy of Sciences of the United States of America 5805.

¹⁸ Anya ER Prince and Daniel Schwarcz, ‘Proxy Discrimination in the Age of Artificial Intelligence and Big Data’ (2020) 105(3) Iowa Law Review 1257, 1273–76.

¹⁹ Eric Rosenblatt, Credit Data and Scoring: The First Triumph of Big Data and Big Algorithms (Cambridge: Elsevier Academic Press, 2020) 1.

²⁰ Hiller and Jones, ‘Who’s Keeping Score?’, 68–77.

²¹ Rosenblatt, Credit Data and Scoring, 7.

²² Hohnen et al, ‘Assessing Creditworthiness’, 36.

²³ ‘What’s in My FICO® Scores?’, MyFico (Web Page) <www.myfico.com/credit-education/whats-in-your-credit-score>.

²⁴ Consumer Financial Protection Bureau, ‘The Impact of Differences between Consumer- and Creditor-Purchased Credit Scores’ (SSRN Scholarly Paper No 3790609, 19 July 2011) 19.

²⁵ ‘What Is a Good Credit Score?’, Equifax Canada (Web Page) <www.consumer.equifax.ca/personal/education/credit-score/what-is-a-good-credit-score>; ‘FICO Score 10, Most Predictive Credit Score in Canadian Market’, FICO Blog (Web Page) <www.fico.com/blogs/fico-score-10-most-predictive-credit-score-canadian-market>.

²⁶ Frederic de Mariz, ‘Using Data for Financial Inclusion: The Case of Credit Bureaus in Brazil’ (SSRN Paper, Journal of International Affairs, 28 April 2020).

²⁷ ‘Credit Scores and Credit Reports’, Moneysmart (Web Page) <https://moneysmart.gov.au/managing-debt/credit-scores-and-credit-reports>.

²⁸ ‘Credit Score’, Credit Bureau (Web Page) <www.creditbureau.com.sg/credit-score.html>.

²⁹ ‘Payment Default Records’, Swedish Authority for Privacy Protection (Web Page) <www.imy.se/en/individuals/credit-information/payment-default-records/>.

³⁰ Or even car accidents one will have in the future, Rosenblatt, Credit Data and Scoring, 6.

³¹ Footnote Ibid, 7.

³² Mikella Hurley and Julius Adebayo, ‘Credit Scoring in the Era of Big Data’ (2016) 18 Yale Journal of Law and Technology 148, 151.

³³ Hiller and Jones, ‘Who’s Keeping Score?’, 68–77.

³⁴ Zofia Bednarz and Kayleen Manwaring, ‘Hidden Depths: The Effects of Extrinsic Data Collection on Consumer Insurance Contracts’ (2022) 45(July) Computer Law and Security Review: The International Journal of Technology Law and Practice 105667.

³⁵ ‘Examining the use of alternative data in underwriting and credit scoring to expand access to credit’ (Hearing before the Task Force on Financial Technology of the Committee on Financial Services, U.S. House of Representatives, One Hundred Sixteenth Congress, First Session July 25, 2019) <www.congress.gov/116/chrg/CHRG-116hhrg40160/CHRG-116hhrg40160.pdf>.

³⁶ Hohnen et al, ‘Assessing Creditworthiness’, 38.

³⁷ Hiller and Jones, ‘Who’s Keeping Score?’, 87–96; Bartlett et al, ‘Consumer-Lending Discrimination in the FinTech Era’ (2022) 143(1) Journal of Financial Economics 30.

³⁸ Hiller and Jones, ‘Who’s Keeping Score?’, 92–93.

³⁹ Quentin Hardy, ‘Just the Facts: Yes, All of Them’ (25 March 2012) The New York Times <https://archive.nytimes.com/query.nytimes.com/gst/fullpage-9A0CE7DD153CF936A15750C0A9649D8B63.html>.

⁴⁰ See for example: US: Equal Credit Opportunity Act (ECOA) s 701, which requires a creditor to notify a credit applicant when it has taken adverse action against the applicant; Fair Credit Reporting Act (FCRA) s 615(a), which requires a person to provide a notice when the person takes an adverse action against a consumer based in whole or in part on information in a consumer report; Australia: Privacy Act 1988 (Cth) s 21P, stating that if a credit provider refuses an application for consumer credit made in Australia, the credit provider must give the individual written notice that the refusal is based wholly or partly on credit eligibility information about one or more of the persons who applied; Privacy (Credit Reporting) Code 2014 (Version 2.3) para 16.3 requiring a credit provider who obtains credit reporting information about an individual from a credit reporting bureau and within 90 days of obtaining that information, refuses a consumer credit application, to provide a written notice of refusal, informing the individual of a number of matters, including their right to access credit reporting information held about them, that the refusal may have been based on the credit reporting information, and the process for correcting the information; UK: lenders are not required to provide reasons for loan refusal, even when asked by a consumer, but s 157 Consumer Credit Act 1974 requires them to indicate which credit reporting agency (if any) they used in assessing the application.

⁴¹ Neil Vidgor, ‘Apple Card Investigated after Gender Discrimination Complaints’ (10 November 2019) The New York Times <www.nytimes.com/2019/11/10/business/Apple-creditcard-investigation.html>.

⁴² See e.g. Corrado Rizzi, ‘Class Action Alleges Wells Fargo Mortgage Lending Practices Discriminate against Black Borrowers’ (21 February 2022) ClassAction.org <www.classaction.org/news/class-action-alleges-wells-fargo-mortgage-lending-practices-discriminate-against-black-borrowers> or Kelly Mehorter, ‘State Farm Discriminates against Black Homeowners When Processing Insurance Claims, Class Action Alleges’ (20 December 2022) ClassAction.org <www.classaction.org/news/state-farm-discriminates-against-black-homeowners-when-processing-insurance-claims-class-action-alleges>; Hiller and Jones, ‘Who’s Keeping Score?’, 83–84.

⁴³ Hiller and Jones, ‘Who’s Keeping Score?’, 65.

⁴⁴ Consumer Financial Protection Bureau, ‘The Impact of Differences between Consumer- and Creditor-Purchased Credit Scores’ (SSRN Scholarly Paper No 3790609, 19 July 2011) 5.

⁴⁵ Brenda Reddix-Smalls, ‘Credit Scoring and Trade Secrecy’ (2012) 12 UC Davis Business Law Journal 87, 115.

⁴⁶ Katarina Foss-Solbrekk, ‘Three Routes to Protecting AI Systems and Their Algorithms under IP Law: The Good, the Bad and the Ugly’ (2021) 16(3) Journal of Intellectual Property Law & Practice 247, 248.

⁴⁷ Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure [2016] OJ L 157/1.

⁴⁸ 573 U.S. 208 (2014).

⁴⁹ Foss-Solbrekk, ‘Three Routes to Protecting AI Systems and Their Algorithms under IP Law’, 248; Meghan J Ryan, ‘Secret Algorithms, IP Rights and the Public Interest’ (2020) 21(1) Nevada Law Journal 61, 62–63.

⁵⁰ Ryan, ‘Secret Algorithms’, 62–63.

⁵¹ Hiller and Jones, ‘Who’s Keeping Score?’, 83.

⁵² Reddix-Smalls, ‘Credit Scoring and Trade Secrecy’, 117; see also Bartlett et al, ‘Consumer-Lending Discrimination in the FinTech Era’.

⁵³ Gintarè Surblytė-Namavičienė, Competition and Regulation in the Data Economy: Does Artificial Intelligence Demand a New Balance? (Cheltenham: Edward Elgar, 2020).

⁵⁴ Facebook, ‘Submission to the Australian Privacy Act Review Issues Paper’ (6 December 2020) 25 <www.ag.gov.au/sites/default/files/2021–02/facebook.PDF>.

⁵⁵ Footnote Ibid.

⁵⁶ Reddix-Smalls, ‘Credit Scoring and Trade Secrecy’, 89.

⁵⁷ Kristina Irion, ‘Algorithms Off-Limits?’ (FAccT’22, 21–24 June 2022, Seoul) 1561 <https://dl.acm.org/doi/pdf/10.1145/3531146.3533212>.

⁵⁸ Footnote Ibid.

⁵⁹ Footnote Ibid.

⁶⁰ Footnote Ibid, 1562.

⁶¹ Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence (AI Act) and Amending Certain Union Legislative Acts [2021] OJ COM 206.

⁶² Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR) [2016] OJ L 119/1, Recital (26); Australian Privacy Act 1988 (Cth) s 6.

⁶³ Katharine Kemp, ‘A Rose by Any Other Unique Identifier: Regulating Consumer Data Tracking and Anonymisation Claims’ (August 2022) Competition Policy International TechReg Chronicle 22.

⁶⁴ Footnote Ibid.

⁶⁵ Footnote Ibid, 23.

⁶⁶ Footnote Ibid, 27–29.

⁶⁷ See e.g. Art. 5 GDPR.

⁶⁸ Tal Zarsky, ‘Incompatible: The GDPR in the Age of Big Data’ (2017) 4(2) Seton Hall Law Review 995, 1004–18.

⁶⁹ Footnote Ibid, 1010.

⁷⁰ Wolfe Christl and Sarah Spiekermann, Networks of Control: A Report on Corporate Surveillance, Digital Tracking, Big Data & Privacy (Vienna: Facultas, 2016); Forbrukerrådet (Norwegian Consumer Council), Out of Control: How Consumers Are Exploited by the Online Advertising Industry (Report, 14 January 2020) 19–22.

⁷¹ Footnote Ibid.

⁷² Mireille Hildebrandt, ‘Profiling and the Identity of the European Citizen’ in Mireille Hildebrandt and Serge Gutwirth (eds), Profiling the European Citizen: Cross-Disciplinary Perspectives (New York: Springer, 2008) 305–9; Sandra Wachter, ‘Data Protection in the Age of Big Data’ (2019) 2 Nature Electronics 6, 7.

⁷³ N Chami et al, ‘Data Subjects in the Femtech Matrix: A Feminist Political Economy Analysis of the Global Menstruapps Market’ (Issue Paper 6, Feminist Digital Justice, December 2021) 4.

⁷⁴ Hurley and Adebayo, ‘Credit Scoring in the Era of Big Data’, 183.

⁷⁵ Footnote Ibid.

⁷⁶ Wu Youyou, Michal Kosinski, and David Stillwell, ‘Computer-Based Personality Judgments Are More Accurate than Those Made by Humans’ (Research Paper, Proceedings of the National Academy of Sciences 112(4): 201418680, 12 January 2015).

⁷⁷ Hurley and Adebayo, ‘Credit Scoring in the Era of Big Data’, 183.

⁷⁸ Facebook, ‘Submission to the Australian Privacy Act Review Issues Paper’, 25–26.

⁷⁹ CM O’Keefe et al, The De-Identification Decision-Making Framework (CSIRO Reports EP173122 and EP175702, 18 September 2017), ix.

⁸⁰ Office of the Insurance Commissioner Washington State, Final Order on Court’s Credit Scoring Decision; Kreidler Will Not Appeal (Media Release, 29 August 2022) <www.insurance.wa.gov/news/final-order-courts-credit-scoring-decision-kreidler-will-not-appeal>.

⁸¹ For example, Prof Sandra Wachter has pointed out the GDPR is based on an outdated concept of a ‘nosey neighbour’: Sanda Wachter, ‘AI’s Legal and Ethical Implications’ Twimlai (Podcast, 23 September 2021) <https://twimlai.com/podcast/twimlai/ais-legal-ethical-implications-sandra-wachter/>.

⁸² Microsoft Australia, ‘Microsoft Submission to Review of the Privacy Act 1988’ (December 2020) 2–3 <www.ag.gov.au/sites/default/files/2021–02/microsoft-australia.PDF>; Facebook, ‘Submission to the Australian Privacy Act Review Issues Paper’, 25.

⁸³ See Zofia Bednarz, ‘There and Back Again: How Target Market Determination Obligations for Financial Products May Incentivise Consumer Data Profiling’ (2022) 36(2) International Review of Law, Computers & Technology 138.

⁸⁴ Marshall Allen, ‘Health Insurers Are Vacuuming Up Details about You: And It Could Raise Your Rates’ (17 July 2018) NPR <www.npr.org/sections/health-shots/2018/07/17/629441555/healthinsurers-are-vacuuming-up-details-about-you-and-it-could-raise-your-rates>.

⁸⁵ Australian Human Rights Commission, Using Artificial Intelligence to Make Decisions: Addressing the Problem of Algorithmic Bias (Technical Paper, November 2022) 34–44.

⁸⁶ E Martinez and L Kirchner, ‘Denied: The Secret Bias Hidden in Mortgage-Approval Algorithms’ (25 August 2021) The Markup.

⁸⁷ Sandra Wachter, Brent Mittelstadt, and Chris Russell, ‘Counterfactual Explanations without Opening the Black Box: Automated Decisions and the GDPR’ (2018) 31(2) Harvard Journal of Law & Technology 841, 848.

⁸⁸ European Union Agency for Fundamental Rights, Bias in Algorithms: Artificial Intelligence and Discrimination (Report, 2022) 8–9 <https://fra.europa.eu/sites/default/files/fra_uploads/fra-2022-bias-in-algorithms_en.pdf>.

⁸⁹ Hannah Cassidy et al, ‘Product Intervention Powers and Design and Distribution Obligations: A Cross-Border Financial Services Perspective’ (Guide, Herbert Smith Freehills, 11 June 2019) <www.herbertsmithfreehills.com/latest-thinking/product-intervention-powers-and-design-and-distribution-obligations-in-fs>.

⁹⁰ Martin Hobza and Aneta Vondrackova, ‘Target Market under MiFID II: the Distributor’s Perspective’ (2019) 14 Capital Markets Law Journal 518, 529.

⁹¹ European Securities and Markets Authority (ESMA), ‘Guidelines on MiFID II Product Governance Requirements’ (ESMA35–43-620, 5 February 2018).

⁹² Australian Securities and Investment Commission (ASIC), ‘Regulatory Guide 274: Product Design and Distribution Obligations’ (December 2020).

⁹³ ASIC, ‘Regulatory Guide 274’, para 274.6.

⁹⁴ ESMA, ‘Guidelines on MiFID II Product Governance Requirements’, 34–35.

⁹⁵ ESMA, ‘Final Report: Guidelines on MiFID II Product Governance Requirements’ (ESMA35–43-620, 2 June 2017) 34, para 17.

⁹⁶ ‘The MiFID II Review – Product Governance: How to Assess Target Market’ Ashurst (Financial Regulation Briefing, 3 October 2016) <www.ashurst.com/en/news-and-insights/legal-updates/mifid-12-mifid-ii-product-governance-how-to-assess-target-market/#:~:text=Regular%20review%20by%20the%20manufacturer,how%20to%20get%20that%20information>.

⁹⁷ ASIC, ‘Regulatory Guide 274’, para. 277.180.

⁹⁸ ASIC’s RG para. 274.47 provides examples of such personal and social characteristics: ‘speaking a language other than English, having different cultural assumptions or attitudes about money, or experiencing cognitive or behavioural impairments due to intellectual disability, mental illness, chronic health problems or age’.

⁹⁹ ASIC, ‘Regulatory Guide 274’ para. 274.47: ‘an accident or sudden illness, family violence, job loss, having a baby, or the death of a family member’.

¹⁰⁰ For example, Indigenous Australians, whose lack of financial literacy historically made them an easy target for mis-selling of inadequate products: Commonwealth of Australia, Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Interim Report Vol. 2, 2018) 452–57.

¹⁰¹ Machine Learning in particular has been described as ‘very data hungry’ in the World Economic Forum and Deloitte; WEF and Deloitte, The New Physics of Financial Services: Understanding How Artificial Intelligence Is Transforming the Financial Ecosystem (Report, August 2018) <www.weforum.org/reports/the-new-physics-of-financial-services-how-artificial-intelligence-is-transforming-the-financial-ecosystem/>.

¹⁰² Mohammed Aaser and Doug McElhaney, ‘Harnessing the Power of External Data’ (Article, 3 February 2021) McKinsey Digital.

¹⁰³ Nydia Remolina, ‘Open Banking: Regulatory Challenges for a New Forum of Financial Intermediation in a Data-Driven World’ (SMU Centre for AI & Data Governance Research Paper No 2019/05, 28 October 2019).

¹⁰⁴ EMEA Center for Regulatory Strategy, ‘Open Banking around the World’ Deloitte (Blog Post) <www.deloitte.com/global/en/Industries/financial-services/perspectives/open-banking-around-the-world.html>.

¹⁰⁵ UK Finance, ‘Exploring Open Finance’ (Report, 2022) <www.ukfinance.org.uk/system/files/2022–05/Exploring%20open%20finance_0.pdf>.

¹⁰⁶ Joshua Macey and Dan Awrey, ‘The Promise and Perils of Open Finance’ Harvard Law School Forum on Corporate Governance (Forum Post, 4 April 2022) <https://corpgov.law.harvard.edu/2022/04/04/the-promise-and-perils-of-open-finance/>.

¹⁰⁷ Bednarz et al, ‘Insurance Underwriting in an Open Data Era’.

¹⁰⁸ Heike Felzmann et al, ‘Towards Transparency by Design for Artificial Intelligence’ (2020) 26(6) Science and Engineering Ethics 3333, 3343–53.

¹⁰⁹ Lyria Bennett Moses, How to Think about Law, Regulation and Technology: Problems with ‘Technology’ as a Regulatory Target (SSRN Scholarly Paper No ID 2464750, Social Science Research Network, 2013) 18–19.

¹¹⁰ Elisa Jilson, ‘Aiming for Truth, Fairness and Equity in Your Company’s Use of AI’ US Federal Trade Commission (Business Blog Post, 19 April 2021) <www.ftc.gov/business-guidance/blog/2021/04/aiming-truth-fairness-equity-your-companys-use-ai>.

¹¹¹ European Commission, ‘Regulatory Framework Proposal on Artificial Intelligence’ European Commission (Web Page) <https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai#:~:text=encourages%20dangerous%20behaviour.-,High%20risk,life%20(e.g.%20scoring%20of%20exams>.

¹¹² Daniel Leufer, ‘EU Parliament’s Draft of AI Act: Predictive Policing Is Banned, but Work Remains to Protect People’s Rights’ (4 May 2022) Access Now <www.accessnow.org/ai-act-predictive-policing/>.

¹¹³ Hohnen et al, ‘Assessing Creditworthiness’.

¹¹⁴ Proposal for a Directive of the European Parliament and of the Council on consumer credits [2021] OJ COM 347 (47).

¹¹⁵ For examples of such potentially harmful data sources see: Pasquale, The Black Box Society, 21, 31; Hurley and Adebayo, ‘Credit Scoring in the Era of Big Data’, 151–52, 158; Hiller and Jones, ‘Who’s Keeping Score?’.

¹¹⁶ E.g., health insurers in the United States under the US Public Health Service Act, 42 USC § 300gg(a)(1)(A) may only base their underwriting decisions on four factors: individual or family coverage; location; age; and smoking history.

¹¹⁷ ‘Your Credit Report’, Financial Rights Legal Centre (Web Page, 6 February 2017) <https://financialrights.org.au/>.

¹¹⁸ Hohnen et al, ‘Assessing Creditworthiness’, 40.

¹¹⁹ Anna Jobin, Marcello Ienca, and Effy Vayena, ‘The Global Landscape of AI Ethics Guidelines’ (2019) 1(9) Nature Machine Intelligence 389, 2–5.

¹²⁰ See e.g. Art. 22 GDPR.

¹²¹ Jack B Soll, Ralph L Keeney, and Richard P Larrick, ‘Consumer Misunderstanding of Credit Card Use, Payments, and Debt: Causes and Solutions’ (2013) 32(1) Journal of Public Policy & Marketing 66, 77–80.

¹²² Marsha Courchane, Adam Gailey, and Peter Zorn, ‘Consumer Credit Literacy: What Price Perception?’ (2008) 60(1) Journal of Economics and Business 125, 127–38.

¹²³ Beth Freeborn and Julie Miller, Report to Congress under Section 219 of the Fair and Accurate Credit Transactions Act of 2003 (Report, January 2015) i <www.ftc.gov/system/files/documents/reports/section-319-fair-accurate-credit-transactions-act-2003-sixth-interim-final-report-federal-trade/150121factareport.pdf>. In one study of 1001 US consumers, 26 per cent found inaccuracies in their credit reports.

¹²⁴ Heather Cotching and Chiara Varazzani, Richer Veins for Behavioural Insight: An Exploration of the Opportunities to Apply Behavioural Insights in Public Policy (Behavioural Economics Team of the Australian Government, Commonwealth of Australia, Department of the Prime Minister and Cabinet, 2019) 1, 14. Studies have shown simplifying and standardising information in consumer markets aids comprehension and assists consumers in making choices that result in better outcomes.

¹²⁵ Credit Information Bureau of Sri Lanka, ‘CRIB Score Report Reference Guide’ (Guide) <www.crib.lk/images/pdfs/crib-score-reference-guide.pdf>.

¹²⁶ ‘Getting Your Credit Report and Credit Score’ Government of Canada (Web Page) <www.canada.ca/en/financial-consumer-agency/services/credit-reports-score/order-credit-report.html>.

¹²⁷ ‘Access Your Credit Report’ Office of the Australian Information Commissioner (Web Page) <www.oaic.gov.au/privacy/credit-reporting/access-your-credit-report>.

¹²⁸ Footnote Ibid.

¹²⁹ Some consumers discovered that their reports ‘featured inconsistent or misleading claims descriptions and statuses, included personal information unrelated to insurance at all, and no explanation of the terms used to assist in comprehensibility’. See Roger Clarke and Nigel Waters, Privacy Practices in the General Insurance Industry (Financial Rights Legal Centre Report, April 2022) vii <https://financialrights.org.au/wp-content/uploads/2022/04/2204_PrivacyGIReport_FINAL.pdf>.

¹³⁰ Leilani Gilpin et al, ‘Explaining Explanations: An Overview of Interpretability of Machine Learning’ (2019) v3 arXiv, 2 <https://arxiv.org/abs/1806.00069>.

¹³¹ Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services and amending Directive 2000/31/EC (Digital Services Act) [2022] OJ L 277/1, para 27.10.2022.

¹³² Footnote Ibid, para 52.

¹³³ Yanou Ramon et al, ‘Understanding Consumer Preferences for Explanations Generated by XAI Algorithms’ (2021) arXiv, 9–14 <http://arxiv.org/abs/2107.02624>.

¹³⁴ Jessica Morley et al, ‘From What to How: An Initial Review of Publicly Available AI Ethics Tools, Methods and Research to Translate Principles into Practices’ (2020) 26(4) Science and Engineering Ethics 2141.

¹³⁵ Rory Mc Grath et al, ‘Interpretable Credit Application Predictions with Counterfactual Explanations’ (2018) v2 arXiv, 4–7 <https://arxiv.org/abs/1811.05245>.

¹³⁶ Ada Lovelace Institute, Technical Methods for the Regulatory Inspection of Algorithmic Systems in Social Media Platforms (December 2021) <www.adalovelaceinstitute.org/wp-content/uploads/2021/12/ADA_Technical-methods-regulatory-inspection_report.pdf>.

¹³⁷ Sophie Farthing et al, Human Rights and Technology (Australian Human Rights Commission, 1 March 2021) 1, 95–97.

¹³⁸ Henry Hoenig, ‘Sorry iPhone Fans, Android Users Are Safer Drivers’ Jerry (Blog Post, 20 April 2023) <https://getjerry.com/studies/sorry-iphone-fans-android-users-are-safer-drivers>.

¹³⁹ New York State Department of Financial Services Circular Letter No 1 (2019), 18 January 2019, ‘RE: Use of External Consumer Data and Information Sources in Underwriting for Life Insurance’.

¹⁴⁰ Gert Meyers and Ine Van Hoyweghen, ‘“Happy Failures”: Experimentation with Behaviour-Based Personalisation in Car Insurance’ (2020) 7(1) Big Data and Society 1, 4.

¹⁴¹ See for example Chapters 8, 10 and 11 in this book.

¹⁴² Pasquale, The Black Box Society.