The most noticeable benefit is that lenders reduce the processing time and credit risk, which corresponds to borrowers' ability to access loans and receive disbursement quickly. Seeing these benefits, especially in the context of the explosion of artificial intelligence (AI) technology, credit institutions in Vietnam have quickly and actively introduced and implemented credit scoring with support from regulatory authorities.
However, the risk mitigation measures regarding customers' privacy and equality during the credit scoring process have not been widely discussed, while Vietnam's legal regulations on this issue still have gaps.
The Risk of Violating Customer Privacy
Customer privacy in credit lending activities refers to the ability of customers to control what data lenders can access and how it is used. This right is defined in various legal documents, such as the 2013 Constitution (Article 21), the 2015 Civil Code (Article 38), the Law on Network Information Security (Articles 16-20), and most notably, Decree 13/2013/ND-CP on personal data protection. Privacy regulations ensure that customers are aware of and have the right to decide how their personal data is collected and used, avoiding risks related to the control and manipulation of personal behavior based on their life activities.
To optimize credit scoring algorithms, credit institutions, either on their own or through credit scoring service providers, are required to collect various types of personal data, such as names, dates of birth, addresses, ID numbers, social security numbers, bank accounts, transaction histories, payment histories, credit debt, credit relationships duration, and even online activity histories. This raises concerns about the monitoring and surveillance of customer behavior, potentially infringing on their freedom to choose.
The first scenario involves customers being aware of and agreeing to their personal data being processed for credit scoring purposes, yet they still may be affected in terms of their freedom to choose loans. In lending relationships, lenders typically have more advantages, particularly in terms of access to capital. Additionally, individual customers often lack the ability to understand and evaluate the transparency and fairness of loan procedures at financial companies or banks. Customers also lack the means to ensure that financial institutions comply with the personal data protection terms they have committed to, which leads to a threat to customer privacy. Furthermore, credit institutions offer personal loan packages based on credit scores, but customers may not fully understand the decision-making process or have access to correct data (if there are errors), which restricts their freedom to choose loans.
The second scenario involves customers not being aware of or not agreeing to their personal data being processed for credit scoring purposes. In this case, customers may not realize that the credit institution is monitoring and predicting their credit needs to offer personalized marketing content or advertisements on social media platforms. These marketing efforts, lacking transparency, may influence customers' consumption decisions, harming their free will.
The Risk of Violating Customer Equality
Customer equality in credit lending refers to the ability of customers to access loans without being discriminated against based on personal characteristics such as gender, race, religion, nationality, marital status, etc. This right is a principle enshrined in the 2013 Constitution, which states that “no one shall be discriminated against in political, civil, economic, cultural, or social life” (Article 16). Equality regulations ensure that individuals are treated equally in terms of opportunities and are not excluded or limited by characteristics beyond their control (gender, race, skin color, age, nationality) or that reflect personal views (personal attitudes, religion, marital status, political opinions).
This regulation is crucial to protecting freedom, will, and respecting human diversity, as discrimination in various forms has persisted throughout human history.
Credit scoring algorithms mimic human decision-making processes and are trained on data generated by humans, so they can replicate the biases existing in human history. For example, men are often considered more creditworthy than women, or those with university degrees are often rated better than those with only a high school diploma, or followers of one religion may be rated higher than those of another. This occurs both in reality and in the credit scoring process.
Moreover, personal data collected automatically may be inaccurate compared to actual circumstances. Automated credit scoring, where customers lack the knowledge of the scoring process and the data uploaded about themselves, can lead to customers being unfairly rated, thus limiting their ability to access loans.
Legal Loopholes
Currently, regulations on personal privacy protection in the context of digital technology are being improved in Vietnam. In 2023, the government issued Decree 13/2023/ND-CP on personal data protection, the first legal document detailing personal privacy protection in cyberspace. However, the absence of implementation guidelines from state agencies and practical guidelines from non-state sectors (professional associations, reputable businesses, etc.) leads to difficulties for credit institutions in complying with personal data protection regulations for customers, while customers face challenges in exercising their privacy rights. In 2024, the Ministry of Public Security announced a proposal to draft a Personal Data Protection Law, but it did not include an outline of the draft law. Overall, the legal framework for personal data protection in Vietnam remains vague.
Meanwhile, regulations ensuring equal treatment in the context of digital technology have hardly been discussed in policy revisions. Previously, the 2010 Law on Credit Institutions and related circulars on credit activities in Vietnam, such as Circular 02/2013/TT-NHNN, Circular 03/2013/TT-NHNN, Circular 39/2016/TT-NHNN, Circular 43/2016/TT-NHNN, were designed to create an internal credit rating system within banks to mitigate credit risks, where borrowers had the obligation to prove their creditworthiness through documents proving feasible capital use plans, financial capability, legal capital use purposes, and loan security measures before credit was granted. By 2024, a new Law on Credit Institutions has been issued, and implementation guidelines are being drafted, but changes to the customer credit scoring system have not yet been clearly seen.
These regulations, combined with the development of AI technology and big data, have led to credit scoring becoming a "magic wand" in the hands of lenders, as they are not obligated to be transparent in credit scoring and lending decisions, nor are they held accountable if they treat borrowers unequally.
Finding Solutions
To develop solutions to protect customers' rights in credit scoring, a recommended approach is to combine various policy tools, such as legal regulations and codes of conduct, with the involvement of diverse stakeholders from both the state and non-state sectors, such as businesses, research and advisory units at universities, and social organizations.
Firstly, legal regulations on credit under the 2024 Law on Credit Institutions and related guidelines should be improved. Three points should be considered for amendment and supplementation: (1) limit the types of personal data collected for credit scoring purposes, the cases in which data can be transferred and shared within the credit information system, (2) grant customers the right to oversee the entire scoring process, the right to an explanation of the credit scoring process and methodology, and (3) audit the credit scoring system.
Secondly, state regulatory agencies, either on their own or by supporting professional associations, should develop ethical guidelines for the responsible development and use of AI in the financial sector. Four principles should be emphasized: (1) transparency, such as disclosing data sources, credit scoring data sources, or ensuring the explainability of algorithms, (2) fairness, such as avoiding biased labeling in the credit scoring algorithm training process, (3) protection of customer privacy, safety, and freedom in credit lending, and (4) system security, minimizing the risk of cyber-attacks. Although these ethical principles are not legally binding, they promote voluntary practice and social consensus in the private sector before becoming legal regulations in the future.
Thirdly, while there are no legal regulations or specific guidelines, credit institutions currently and in the future using algorithms to score customer credit should clarify their role and responsibility in protecting customer rights. These institutions can adopt best practices, such as clearly explaining the personal data sources used, the credit scoring process, along with the technologies used, the measures to protect customer privacy and equality in the credit scoring process, and the data and system security standards of the institution. These practices will help build and strengthen the credit institution's reputation with customers.
It is clear that protecting customer privacy and equality in credit scoring is just a small example of a larger picture—how to respond to the rapid changes in technology. More than ever, establishing and maintaining practices that aim for common good values become core principles for each organization and individual to adapt and thrive.
(This article was translated by an AI-powered translation tool).
