響馴 、囉 -NTERNATI○NALC○MM―〕丁EE○N CRED-T REP○RT-NG ASS ESS M E NT M ETH○D○L○G丫 F○R THE GENERAL PR-NC-PLES F○R CRED-T REP○RT-NG MarCh 2013 .→‘口口目響 INTERNATIONAL COMMITTEE ON CREDIT REPORTING ASSESSMENT METHODOLOGY FOR THE GENERAL PRINCIPLES FOR CREDIT REPORTING March 2013 THE WORLD BANK 1818 H Street NW Washington DC 20433 Telephone: 202-473-1000 Internet: www.worldbank.org E-mail: feedback@worldbank.org All rights reserved. This volume is a product of the staff of the International Bank for Reconstruction and Development/ The World Bank. The findings, interpretations, and conclusions expressed in this volume do not necessarily reflect the views of the Executive Directors of The World Bank or the governments they represent. The World Bank does not guarantee the accuracy of the data included in this work. The boundaries, colors, denomi- nations, and other information shown on any map in this work do not imply any judgment on the part of The World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries. Rights and Permissions The material in this publication is copyrighted. Copying and/or transmitting portions or all of this work without permission may be a violation of applicable law. The International Bank for Reconstruction and Development / The World Bank encourages dissemination of its work and will normally grant permission to reproduce portions of the work promptly. For permission to photocopy or reprint any part of this work, please send a request with complete information to the Copyright Clearance Center Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; telephone: 978-750-8400; fax: 978- 750-4470; Internet: www.copyright.com. All other queries on rights and licenses, including subsidiary rights, should be addressed to the Office of the Publisher, The World Bank, 1818 H Street NW, Washington, DC 20433, USA; fax: 202-522-2422; e-mail: pubrights@worldbank. org. Book cover and interior design by Michele de la Menardiere. PREFACE In September 2011, the ICCR published the report General Principles for Credit Reporting (GPCR) which estab- lishes an internationally agreed framework for credit reporting systems including credit registries, credit bureaus and commercial credit reporting companies. This report contains the ICCR Assessment Methodology for the General Principles for Credit Reporting and Recommendations for Oversight referenced in the GPCR. This assessment intends to provide guidance to assessors for evaluating observance of the five (5) principles, six (6) roles for partici- pants and five (5) recommendations for Oversight set forth in the GPCR.  TABLE OF CONTENTS ABBREVIATIONS V I INTRODUCTION 1 1.1 USE OF THE ASSESSMENT METHODOLOGY, 2 1.2 KEY CONSIDERATIONS WHEN ASSESSING THE GENERAL PRINCIPLES AND RELATED ROLES, 2 Access to Information, 3 Actual Practice, 3 Assessors' Background and Experience, 3 Obstacles and Impediments During the Assessment, 3 II ASSESSMENT FRAMEWORK 5 STEP 1- SCOPE OF THE ASSESSMENT, 5 STEP 2- FACT GATHERING, 5 STEP 3- DEVELOP CONCLUSIONS, 6 STEP 4- RATINGS, 7 Guidance on the assignment of ratings, 7 STEP 5- TIMEFRAME FOR ADDRESSING EACH OF THE IDENTIFIED AREAS OF CONCERN, 8 III COUNTRY ASSESSMENT REPORT TEMPLATE ON OBSERVANCE OF THE GPCRS AND RESPONSIBILITIES OF AUTHORITIES 11 EXECUTIVE SUMMARY, 11 INTRODUCTION, 11 OVERVIEW OF THE NATIONAL CREDIT REPORTING LANDSCAPE, 11 SUMMARY ASSESSMENT, 12 RECOMMENDED ACTIONS, 12 DETAILED ASSESSMENT REPORT, 13 AUTHORITIES RESPONSE, 14 III iv ASSESSMENT METHODOLOGY IV QUESTIONS BY PRINCIPLE AND RECOMMENDATION 17 4.1 THE GENERAL PRINCIPLES, 17 General Principle 1, 17 General Principle 2, 21 General Principle 3, 23 General Principle 4, 25 General Principle 5, 28 4.2 RECOMMENDATIONS FOR EFFECTIVE OVERSIGHT OF CREDIT REPORTING SYSTEMS, 30 Recommendation A: Regulation and Oversight, 30 Recommendation B: Regulatory Powers, 31 Recommendation C: Disclosures of objectives and policies with respect to credit reporting systems, 31 Recommendation D: Application of the General Principles for credit reporting systems, 32 Recommendation E: Cooperation among authorities, 33 ANNEX 1: Memebers of the ICCR 34 ABBREVIATIONS AM Assessment Methodology CRSP Credit Reporting Service Providers GPCR General Principles for Credit Reporting IFIs International Financial Institutions IMF International Monetary Fund FSAP IMF-World Bank Financial Sector Assessment Program V lftbblbb, SECTION I INTRODUCTION 1. In May 2009 an international task force coordinated 3. The main purpose of the Assessment Methodology by The World Bank with support from the Bank for (AM) for credit reporting is to provide guidance International Settlement was created with the ultimate through a structured framework to assessors on how to goal of producing international standards for credit conduct assessments of observance against the GPCR. reporting. The task force comprised representatives This AM is primarily intended for external assessors at from central banks and other financial and data priva- the international level, in particular the international cy regulators, from multilateral organizations involved financial institutions (IFIs). in credit reporting and from credit reporting service providers, represented through their associations. As 4. Both reports, the General Principles Report and a first result of such work, the General Principles for the AM, complement each other and should be taken Credit Reporting were produced, and published in together as closely related and supporting documents September 2011. when conducting an assessment. It should be noted that no new principles or standards or any other ad- 2. Since then, the international task force has been ditional considerations have been included in the transformed into an international Committee on AM as compared to the General Principles Report. Credit Reporting and is working in promoting and fa- In some cases, further guidance on the interpretation cilitating observance and implementation of the stan- of some of the principles, roles and recommendations dards by providing additional information and guid- may have been provided in the AM for clarification ance. The current report is the first outcome of this purposes and not to amend or expand upon the key follow-up work.' This new report presents the meth- issues underlying the GPCR. odology for assessing country-level observance of the five principles and related roles of credit reporting system participants, and of the recommendations for effective oversight of credit reporting systems (herein- after referred to collectively as the "GPCR").2 As part of future work, the Committee also intends to develop detailed guid- ance for specific credit reporting areas and activities. 2This new report draws heavily from the CPSS-IOSCO "Assessment methodol- ogy for the principles for FMIs and the responsibilities of authorities" (consulta- tive version, April 2012). 1 2 ASSESSMENT METHODOLOGY 1.1 USE OF THE ASSESSMENT promote implementation of the GPCR by undertaking METHODOLOGY periodical assessments of observance in their jurisdic- tions, including a self-assessment of their own obser- 5. Periodic assessments of observance may be per- vance of the recommendations for effective oversight formed by a variety of stakeholders. These may include of credit reporting systems. system operators,3 national public sector authorities and other internal and external assessors. While the 10. Potential external assessors include mainly interna- common objective is to determine observance with tional financial institutions (IFIs) like the International the GPCR, individual objectives of the assessments Monetary Fund (IMF) and the World Bank. External may differ somewhat. assessments may be performed on an ad hoc basis, for example in response to a specific request made by na- 6. In this regard, the primary responsibility for ensur- tional authorities. External assessments are also likely ing the implementation of the general principles lies to be performed as part of programmatic assessment with the owners and operators of the systems, this is, initiatives in the financial sector, in particular - though with credit reporting service providers (CRSPs). CRSPs not exclusively - the IMF-World Bank Financial Sector may wish to review or self-assess their own systems pe- Assessment Program (FSAP).4 riodically against the GPCR to identify areas that may require improvement to conform to international stan- 11. It should be noted that only those assessments dards and best practices. carried out by the relevant national public sector au- thorities and/or by IFIs will typically be considered as 7. As it will be explained later on in detail, assessment having some form of official validity from either the of observance of the general principles, related roles country or international perspectives, and as being and the recommendations for effective oversight is to binding in the sense that CRSPs cannot refrain from be performed at the country or jurisdictional level with being subject to them. As already mentioned, this AM the aim of identifying opportunities for improvement is primarily intended for external assessors, in particu- of the credit reporting industry as a whole in the coun- lar the IFIs. try. Assessments by individual CRSPs are, by their own nature, highly unlikely to have the intended scope or lead to such an outcome. 1.2 KEY CONSIDERATIONS WHEN ASSESSING THE GENERAL 8. In this regard, efforts by an industry wide body, PRINCIPLES AND RELATED where such an organization exists, may be conducted ROLES to determine observance of the GPCR at the country or jurisdictional level. 12. When conducting an assessment there are some practical matters that should be considered. 9. However, in general such a scope is more likely to be pursued by the relevant national authorities. The General Principles Report emphasizes the need for As part of the FSAP program, national authorities agree with the IMF and central banks and/or other financial supervisors to the World Bank to undergo an assessment of their financial sector by external experts. The scope of the overall assessment, including the specific areas that will be covered and whether a formal assessment of observance of such areas with Credit reporting service providers, as per the terminology used in the General international standards is to be performed, is mutually agreed between national Principles Report. authorities and the IFIs. ASSESSMENT METHODOLOGY 3 Access to Information rules and any other similar written provisions are rel- evant, assessors should place strong emphasis on the 13. Assessors should be given access to all interested way in which such laws, regulations and rules are ap- parties and all relevant information, including statisti- plied in practice. cal data deemed relevant. Assessors' Background and Experience 14. Assessors will need to meet with a range of individ- uals and organizations, including private and/or public 19. Prior to the assessment, it is crucial to ensure that credit reporting service providers, key data providers, the assessor fulfills a minimum set of skills and practi- a variety of users of these services and supervisory and cal and relevant experience, coupled with an impec- regulatory authorities, among others. cable ethical reputation. This is particularly important for official external assessments such as those that are 15. Assessors should make sure they have proper ac- performed by IFIs. A balanced set of skills would in- cess to all existing public information and documents clude detailed knowledge of credit reporting and finan- that are or may be relevant for the assessment. In ad- cial institution operations in general, credit reporting dition, relevant non-public information should be dis- value-added services, the GPCR, as well as knowledge closed to the assessors for the specific purpose of the of the relevant policy issues and regulatory and over- assessment. Among others, this may include internal sight aspects. Assessors also need to be familiar with policies and procedures, supervisory handbooks, or- broader financial sector development and overall fi- ganizational charts, data, and statistics. nancial stability concepts and issues. 16. Assessors should reflect in their report when any Obstacles and Impediments during the required information or access to key staff is not pro- Assessment vided, as well as the implications for the completeness and accuracy of their assessment.' 20. Assessors should be able to reflect in their rec- ommendations report any issue or challenge that 17. On the other hand, assessors should bear in mind impaired the assessment. In particular the degree of that some pieces of information or data provided to cooperation with the relevant parties during the as- them may be regarded as confidential, and are there- sessment should be reflected in the assessment report. fore intended solely for the purposes of the assessment and not to be disclosed to or shared with any third parties. Actual Practice 18. It is crucial that the actual practice (including laws, rules and regulations) in a given country in the differ- ent areas of credit reporting be considered as the basis of the assessment. While the existing laws, regulations, ' Assessors should be aware that in some cases and for some specific aspects, CRSPs may be forbidden by law to disclose some information and/or data. Section I. Introduction  SECTION 11 ASSESSMENT W FRAMEWORK 21. This section describes the different phases that take cial sector development and overall financial stability place during an assessment of the credit reporting sys- in the relevant jurisdiction. tem of any given country against the GPCR. 24. At the same time, it is also recognized that in some occasions an assessment might be performed over a STEP 1- SCOPE OF THE ASSESSMENT specific area or component of the national credit re- porting system, for example to determine the extent 22. Assessment of observance of the general princi- of the reforms that are needed in such specific area or ples, related roles and the recommendations for effec- component. In such cases it might not be necessary to tive oversight is to be done at the country or jurisdic- use all of the general principles, roles and recommen- tional level. While some of the general principles will dations for effective oversight but only some of them. require assessors to review individual credit reporting At the same time, assessors should be able to decline service providers, conclusions are to be drawn at the to assess a component if it leads to a misleading report jurisdictional level. Likewise, if a rating is assigned to that can be misused. reflect the degree of observance (see sub-section 2.4 below), the rating should not reflect the observance 25. In the case of external assessments performed by achieved by a specific credit reporting service provider IFIs, the scope of the assessment should be clearly or system, but rather observance of the relevant gen- determined and agreed with the relevant national au- eral principle or recommendation at the jurisdictional thority (or authorities), and communicated in advance level. Preparation of conclusions and the possibility of to all the entities and stakeholders that will be involved assigning ratings are discussed in further detail below in the assessment exercise. in sub-sections 2.3 and 2.4 respectively. 23. In addition, in the case of assessments performed STEP 2- FACT GATHERING by external assessors such as IFIs, as part of the over- all goal of safety, reliability and effectiveness of the na- 26. Assessors should gather sufficient facts to be able tional credit reporting system, external assessors are to develop conclusions for each of the GPCR. For each expected to consider and provide insights on the way of the general principles and recommendations for ef- in which such a system is contributing to both finan- fective oversight, the assessor should first analyze the 5 6 ASSESSMENT METHODOLOGY current situation on the basis of the guidelines and key iv. How do CRSPs, data providers and data users considerations associated with each of them as per the measure and monitor ongoing observance of the General Principles report. To support this analysis, a GPCR? What other stakeholders are part of this detailed list of questions has been developed in this ongoing effort (e.g. industry organizations). AM to help the assessor gather facts (see section 4). If and when deemed useful, assessors should also ana- v. What other evidence is available to support ongo- lyze any previous relevant work performed by national ing performance in observing the principle? authorities/regulators. 28. As regards to the role of authorities and their re- 27. Throughout the process of determining observance sponsibility with regard to the recommendations for with the key elements of each general principle, asses- effective oversight, the following overarching ques- sors must develop a general understanding of the legal tions should be taken in to consideration: and regulatory framework, the overall environment for data sharing, and also of the basic business processes, i. What is the authorities' approach for observing operations, and activities of the individual CRSPs be- the recommendations? ing reviewed. Obtaining this macro view will provide context for an assessment and position assessors to ii. What analyses, processes, and rationale did the seek the full set of information needed. Therefore, as- authorities use in developing, identifying, select- sessors should keep in mind the following overarching ing, and ensuring the effectiveness of their ap- questions for each principle during the assessment:6 proach for observing the recommendations? i. What legal aspects, technology infrastructure iii. How do the authorities measure and monitor their limitations, core cultural traditions or competi- ongoing performance in observing the recom- tion dynamics impinge on the full and appropri- mendations and to ensure that that industry ob- ate application of the GPCR in a given country or serves the general principles? jurisdiction? iv. What other evidence is available to support ongoing ii. What is the method being applied by individual performance in observing the recommendations? CRSPs, data provider or data user to ensure they observe the principle or part thereof that is appli- cable to them? What is the method being applied STEP 3- DEVELOP CONCLUSIONS to ensure observance of the relevant principles at the level of the industry? 29. For each of the guidelines and key considerations associated respectively with the general principles and iii. What analyses, processes, and rationale was used the recommendations for effective oversight, the asses- in developing, identifying, selecting, and ensuring sor should summarize current practices and achieve- the effectiveness of its approach/method for ob- ments. For any identified gaps and shortcoming, the serving the principle? assessor should describe in detail the area, aspect or component of concern, and explain the impact that 6 These overarching questions are not intended to be exhaustive but to guide such situation might have in the safety, reliability and their assessors in their assessment. Assessors may at their own discretion formu- late additional questions to complete their fact gathering process. ASSESSMENT METHODOLOGY 7 effectiveness of the credit reporting system as a whole, STEP 4- RATINGS and eventually over the broader financial sector. 34. A system of ratings might be useful to convey to 30. For some of the general principles, the individual some audiences a punctual message on the degree of components (e.g. individual CRSPs) will need to be observance of the various general principles and rec- reviewed. To determine the degree in which a gap or ommendations. Ratings might also be used to promote shortcoming identified with one of these individual consistency of the assessments made over time of the components will affect observance of the relevant national credit reporting system. principle at the industry or jurisdictional level, the as- sessor will need to determine the materiality or rela- 35. In general, it is not mandatory to use ratings when tive importance of that particular component and its conducting an assessment of observance of the GPCR. interactions with other individual components (e.g. This practice is however common when assessments alternatives that are available for users). are conducted by IFIs, especially in the context of the FSAP. In the latter case, whenever a formal assessment 31. Any recommendations should build on the facts of observance with international standards is per- describing the areas of concern and provide one or formed, the use of ratings is mandatory. more potential solutions. 36. In this context, table 1 presents a rating system 32. To ensure accountability, the assessor should also based on the FSAP rating scale. The FSAP scale is built identify the entity or entities (e.g. a regulatory authori- on the gravity and urgency to remedy identified "issues ty, a specific credit reporting service provider or a set of of concern" such as a risk management flaw, a signifi- entities such as data providers) that would be respon- cant weakness in the legal and regulatory framework sible for the implementation of the various recommen- or other deficiencies. The rating is assigned based on dations that have been made. For this purpose, asses- the degree of observance assessed for each principle or sors should rely on the roles of credit reporting system recommendation. participants as described in the General Principles re- port, and also on the legal and institutional framework 37. It should be noted that, in the FSAP, ratings are in the country. not used to rank countries in connection with their national credit reporting system or market (or the in- 33. The identification of roles might also lead to dif- dividual systems or components thereof).' ferent entities being responsible for implementing one recommendation. In such cases the assessor should Guidance on the assignment of ratings clearly identify if there is an entity with primary re- sponsibility over the relevant recommendation. If 38. Assessors should assign ratings to reflect condi- deemed necessary, guidance can be provided to ensure tions at the time of the assessment. The rating is built coordination between the different participants. on the key conclusions and reflects assessors' judgment regarding the type or impact of the risks and other is- 7 Additional information on the FSAP process, including the types of reports produced, confidentiality issues and other topics can be found at the specialized websites of the IMF (http://www.imforg/external/NP/fsap/fsap.aspx and the WB (http://www.wordbank.org/fsap). Section II. Assessment Framework 8 ASSESSMENT METHODOLOGY TABLE 1 - OBSERVANCE OF THE GPCR: RATING SYSTEM (optional) RATING DESCRIPTION Observed The principle is observed. Any identified gaps are not issues of concern and could be addressed in the normal course of business. Broadly Observed There are one or more issues of concern that the relevant stakeholder(s) is encouraged to address according to a defined timeline. These are typically areas that require attention but that are not critical for the efficiency and safety of the system as a whole. Partly Observed There are one or more areas of concern that require attention and should be addressed in a timely manner. The relevant stakeholders(s) should agree on establishing high priority to address those issues. Not Observed The principle is not observed. There are one or more serious issues and/or critical areas that require immediate attention. The relevant stakeholders(s) must agree on addressing these issues in an immediate manner. Not Applicable The principle is not applicable due to the particular legal, structural, insti- tutional or other characteristic of the country's credit reporting market or system. sues associated with each identified gap or shortcom- STEP 5- TIMEFRAME FOR ing. Plans for improvements should be noted in the ADDRESSING EACH OF THE assessment report, where appropriate, but should not IDENTIFIED AREAS OF CONCERN influence judgments about observance. 40. It is highly recommended that the assessor estab- 39. The assessment should note instances where ob- lish a timeline for the relevant entity or entities to take servance of a particular principle, role or recommen- action based on the concerns identified and the rec- dation could not be adequately assessed and explain ommendations provided. Frequently, the party or par- why. For example, certain information may not have ties intended to implement the recommendations will been provided or key individuals or institutions may need further guidance with regard to prioritization have been unavailable to discuss important issues. and the associated timeframe. The assessor should es- Unsatisfied requests for information or meetings tablish priorities based on the level on impact that the should be documented in writing. area of concern poses to the overall safety, effectiveness and reliability of the system. 41. In the context of the FSAP, the timeframe must be consistent with the FSAP rating system and the description associated with each of the rat- ing categories. Accordingly, table 2 shows the as- sociation between the various FSAP rating cat- egories and the timeframe for action to be taken. ASSESSMENT METHODOLOGY 9 TABLE 2 - FSAP TIMEFRAME FOR RECOMMENDATIONS ASSIGNED RATING' TIMEFRAME TO ADDRESS RECOMMENDATIONS Observed For consideration in the normal course of business. Broadly Observed To be addressed in a defined timeline. Partly Observed To be addressed in a timely manner. Not Observed Immediate action. As previously discussed, the use of ratings is generally mandatory in the FSAP, but is normally optional in other contexts. Section II. Assessment Framework  SECTION III COUNTRY ASSESSMENT REPORT TEMPLATE ON OBSERVANCE OF THE GPCRS AND RESPONSIBILITIES OF AUTHORITIES EXECUTIVE SUMMARY OVERVIEW OF THE NATIONAL CREDIT REPORTING LANDSCAPE 42. This section should include a brief descrip- tion of the relevant facts including observations and 45. The overview section is intended to provide a gen- recommendations. eral understanding of the context under which credit reporting activities are performed in the country. This section should be descriptive in nature, reflecting cur- INTRODUCTION rent facts. 43. The assessor should include here the objective of 46. The assessor should briefly describe the role that the assessment, identification of the assessor and con- credit reporting is currently playing in the country with text. In addition, this section should clearly identify regard to credit decision-making and for other relevant the scope of the assessment. The assessor should pro- areas of the financial system, and its relevance in prac- vide an explanation if and why the assessment does tice for such activities and areas. The main stakehold- not consider all the general principles, roles and rec- ers should be identified, specifying the role(s) they play ommendations for effective oversight but only some of in the credit reporting market. This should include the them. regulatory, supervisory and oversight authorities. The legal and regulatory framework, enforcement mecha- 44. This section should also list the sources of infor- nisms and consumer protection framework should mation used during the assessment, including both also be described here at the general level. A general public and non-public sources. The latter would typi- description of each of the relevant individual credit re- cally include a list of the institutions that were visited porting systems should also be included, including key or interviewed. characteristics such as the type of data providers and users or the type of services provided. 47. Finally, this section should describe major changes implemented in the recent past or scheduled for the near future. 11 12 ASSESSMENT METHODOLOGY TABLE 3- RATINGS SUMMARY FOR THE PRINCIPLES Assigned Category Principle Observed e.g. Principle 1, 3 Broadly Observed e.g. Principle 2 Partly Observed Not Observed Not Applicable SUMMARY ASSESSMENT that will be achieved if the current efforts to ad- dress weaknesses end-up being successful. 48. This section should summarize the key findings of the detailed assessment. In particular, the assessors 49. When applicable, this section should conclude with should: a summary of the results of the assessment of obser- vance for each of the principles as well as for each of * Highlight key practices and achievements. If the recommendations for the effective oversight of and when necessary, disaggregated by individual credit reporting systems. Table 3 shows the ratings CRSPs. summary for the principle-by-principle assessment. A similar table should also be completed for the over- * List identified issues of concern, gaps or short- sight recommendations. comings. As previously discussed, to determine the degree to which an identified gap or shortcom- ing of an individual CRSP is relevant for the credit RECOMMENDED ACTIONS reporting industry as a whole, the assessor should exercise its judgment over the materiality of that 50. Assessors should link recommended actions with individual system and its interrelations with other the issues of concern, gaps or shortcomings as per the components of the industry. description made in the "Key findings and follow-up" section of the detailed assessment. * Comment separately on the principles and recom- mendations that are deemed not fully observed, 51. A preferred option is to include a table with the list and indicate whether the issues of concern are al- of recommended actions based on the identified issues ready being addressed. of concern for the various principles and oversight *recommendations, as applicable. The table should also staIn the coneon ofo hegin aSP thein assohul identify the entity or entities responsible for the imple- state the main reasons for assigning a rating other mentation of each recommended action. A principle 9.(or oversight recommendation) might be listed more than once depending on whether the findings are re- crdtIeorigsytmshabe3shwhteraig ASSESSMENT METHODOLOGY 13 TABLE 4: LIST OF PRIORITIZED RECOMMENDED ACTIONS Principle (and/ or Oversight Issues of concern and other gaps or shortcomings Recommended action Relevant parties Recommendation) Serious and warranting immediate action To be addressed in a timely manner To be addressed in a defined timeline For consideration in the normal course of business lated to the same principle (oversight recommenda- 54. For each principle and recommendation, the de- tion) or not. tailed assessment should provide a detailed descrip- tion of actual practices, followed by key conclusions 52. In the context of the FSAP, the list must be ordered and an assessment rating. A set of guiding questions is according to the priority the assessor has assigned to provided in section 4 to support the analysis of the ob- the various recommended actions (i.e. serious and servance of each of the key considerations. As a mini- warranting immediate action, to be addressed in a mum, the description and analysis should be able to timely manner, to be addressed in a defined timeline, cover the set of questions included in section 4. The as- for consideration in the normal course of business). sessor should feel free to ask any additional questions See table deemed necessary and add details as required. If there is an on-going action that will contribute to address any of the identified gaps or shortcomings, this should DETAILED ASSESSMENT REPORT also be mentioned by the assessor. 53. In this section a detailed assessment will be con- 55. It is recommended that the detailed assessment be ducted for each principle and oversight recommenda- performed following the template shown below (see tion. For the purposes of the assessment, the roles of Tables 5 and 6 for the assessment of the principles and credit reporting system participants are embedded in of the oversight recommendations, respectively). the relevant principle or principles. Section III. Country Assessment Report Template 14 ASSESSMENT METHODOLOGY TABLE 5: DETAILED ASSESSMENT OF OBSERVANCE OF THE PRINCIPLES For each applicable principle Principle X Text of the Principle For each Guideline include: This section should provide information on the practices in the country as they relate to the relevant Text of guideline guideline. Assessors should be guided by the questions for each applicable guideline/key consider- ation and, where applicable, should organize the information according to the subject headers pro- vided in the question set in Section 4. Responses should reflect the actual practices followed in the country. Text of next guideline Key conclusions for principle This section should provide a narrative summary of key information collected by the assessors for each principle based on the supporting facts collected for each applicable guideline/key consideration. The narrative summary should summarize the practices and achievements, describe the seriousness of any issues of concern, and identify any other gaps or shortcomings. Assessment of principle This section should state whether the principle is "observed", "broadly observed", "partly observed", "not observed" or "not applicable". This section should also give the rationale for the assigned rating. Recommendations and comments This section should provide recommended actions and other comments for each identified issue of concern and any other gaps or shortcomings. AUTHORITIES RESPONSE 57. This section can alternatively be used by authorities to express their disagreement with the rating assigned 56. In the context of the FSAP, authorities are given by the assessor to one or more of the GPCR. In the an opportunity to include an explanation stating the context of FSAPs, and generally also as part of other reasons for which they believe the credit reporting sys- types of assessments conducted by IFIs, a consultation tem in their country has not been able to achieve full period with authorities will be typically launched once observance with one or more of the GPCR. In this re- a complete draft of the detailed assessment report has gard, the authority or authorities that are the primary been produced to make sure there are no misunder- points of contact and which will receive the assessment standings or that no relevant information may have report from the IFIs are exhorted to share the out- been omitted. In addition, the detailed assessment will comes with all the parties they deem relevant and nec- undergo a thorough internal review process within the essary in order to obtain additional points of view or relevant IFIs to ensure consistency with regard to in- detailed feedback on certain topics or specific issues. terpretation of the GPCR, conclusions and ratings, and This would normally include credit reporting service the completeness of the assessment, among other key providers, and possibly also some key data providers elements. Nonetheless, it can still be the case that even and other relevant institutions in both the private and if these quality control mechanisms have been applied public sectors. the authorities will not agree with the rating assigned by the assessor. ASSESSMENT METHODOLOGY 15 TABLE 6: DETAILED ASSESSMENT OF OBSERVANCE OF THE OVERSIGHT RECOMMENDATIONS FOR AUTHORITIES For each recommendation Recommendation X Text of the Recommendation For each key consideration include: This section should provide information on the practices in the country as they relate to the relevant Text of key consideration key consideration. Assessors should be guided by the questions for each applicable key consideration and, where applicable, should organize information according to the subject headers provided in the question set in Section 4. Responses should reflect the actual practices followed in the country. Text of next key consideration Key conclusions for This section should provide a narrative summary of key information collected by the assessors for recommendation each recommendation based on the supporting facts collected for each key consideration. The narra- tive summary should summarize the authorities' practices and achievements, describe the serious- ness of any issues of concern, and identify any other gaps or shortcomings. Assessment of recommendation This section should state whether the recommendation is "observed", "broadly observed", "partly observed", "not observed" or "not applicable". This section should also give the rationale for the as- signed rating. Recommendations and comments This section should provide recommended actions and other comments for each identified issue of concern and any other gaps or shortcomings. Section III. Country Assessment Report Template  SECTION IV QUESTIONS BY PRINCIPLE AND RECOMMENDATION 4.1 THE GENERAL PRINCIPLES General Principle 1 Credit reporting systems should have relevant, accurate, timely and sufficient data-including positive-collected on a systematic basis from all reliable, appropriate and available sources, and should retain this information for a suf- ficient amount of time. Accuracy of data Guidance to determine observance by data providers, CRSPs and data subjects Key Considerations Guiding Questions Data collected and distributed should be, to the extent possible, free of error 0.1- What are the types of data disclosed/included in the credit reporting sys- truthful, complete and up to date. tem (CRS)? What are the sources of information? 0.2- Information on identification has been provided by data subjects? Are data Role A: Data providers should report accurate timely and sufficient data to subjects aware of the consequences of providing wrongful data? credit reporting service providers on an equitable basis. 0.3- What are the instruments and processes used to identify data subjects in Role B: Other data sources, in particular public record agencies should facili- the system? tate access to their databases to credit reporting service providers. 0.4- Is there a unique identification number broadly used in the system? Role C: CRSPs should ensure data processing is secure and provide high qual- 0.5- What are the policies and procedures to ensure data quality? Are these ity and efficient services policies documented? Are these policies accessible to employees? Role E: Data subjects should provide truthful and accurate information 0.6- Are processes such as normalization, validation and verification in place for each data load? 0.7- Is data being updated on a systematic basis? Is data updated on a monthly basis? Describe the rules and policies for data updating, including the definitions that are used to determine when a loan is considered delinquent. Are there any enforcement tools (e.g. penalties) to en- sure data quality by all participants? 0.8- Are data correction services timely and adequate? 17 18 ASSESSMENT METHODOLOGY Additional questions on Data supply rules 0.1 -Are policies and procedures in place regarding data supply? Is a standard data reporting format used across the industry? 0.2 Is there regular or systematic training to employees on laws and regula- tions, policies and procedures on data supply? 0.3 What are the applicable rules, including enforcement mechanisms, in case incorrect, incomplete or inaccurate data is provided? 0.4. Do these policies and rules equally apply to all data providers? 0.5. Are there any exemptions? Timeliness of data Guidance to determine observance by CRSPS, data providers and users Key Considerations Guiding Questions CRSP and data providers should apply clear and detailed rules for the updating 0.1- Are rules regarding data updates clear and sufficient? For example, do of information. Data update should be based on pre-defined schedules. At a they clearly set the reporting frequency and the reporting deadline among other minimum, this should include prompt action in the event of error adjustments key elements? Are they documented and available to all data providers and and ideally in case of relevant changes in credit exposures, arrears, fraud, de- other relevant parties? faults and bankruptcies. 0.2 -Name any potential challenge that makes data updating difficult due to unclear or non- standardized rules (e.g. definition of default) Role A: Data providers should report accurate timely and sufficient data to 0.3- What are the measures in place to update in between standard updating credit reporting service providers on an equitable basis. periods (e.g. within a month)? Role B: other data sources, in particular public record agencies should facili- 0.4- Are there any enforcement tools to ensure reasonable timeline updates? tate access to their databases to credit reporting service. Role C: CRSPs should ensure data processing is secure and provide high qual- ity and efficient services. Data should be available for users of the credit reporting system in a prompt Q.1- How long does the CRSP takes to perform the data processing cycle and manner to enable them to carry out their functions without unnecessary delays. have information available to users? Q.2 Provide details for both the case of full data updates (e.g. monthly) and in Role C: CRSPs should ensure data processing is secure and provide high qual- between or ad-hoc updates. ity and efficient services. Q.3- If there are delays in data supply what is the main cause? Sufficient data, including positive Guidance to determine observance by CRSPs, and data providers Key Considerations Guiding Questions Credit reporting service providers should be able to collect and process all the Q.1- Definition of relevant data? Is this definition included in the legal frame- relevant information needed to fulfill their lawful purposes. Relevant information work? comprises both negative and positive data, as well as any other information Q.2 - Name any challenge of any nature preventing the CRSP collecting rel- deemed appropriate by the credit reporting system, consistent with the consid- evant data. erations described in the other General Principles. Q.3- Are there measures in place to overcome such challenges? Q.4- What type of information is collected by the CRSP? Role C: CRSPs should ensure data processing is secure and provide high qual- Q.5- Is there a threshold above of which credit data is to be reported? ity and efficient services. ASSESSMENT METHODOLOGY 19 Credit reporting service providers should set up clear rules on minimum data 0.1 - Has the CRSP defined a list of minimum data inputs? inputs and optional data inputs. Data elements to be collected should include Q.2- Has this list been defined with the participation of the data providers? at a minimum: identification information, information on the credit including 0.3- Is the list of minimum data set a binding rule? original amount, date of origination, maturity, outstanding amount, type of loan, Q.4- Is this list applicable to all data providers? default information, arrears data and transfer of the credit when applicable. 0.5- Has this list changed in the past 12 months? Ideally this would also include credit risk mitigation instruments such as guar- Q.6 - Has the CRSP clearly identified the form(s) through which the data is to antees, collateral and an estimate of their value. be provided? Q.7- Is there any set of data identified by the GP not being collected? Why? Role A: Data providers should report accurate timely and sufficient data to credit reporting service providers on an equitable basis. Role C: CRSPs should ensure data processing is secure and provide high qual- ity and efficient services. Collection of data on a systematic basis from all relevant and available sources Guidance to determine observance by data providers, other data sources, CRSPs, users and authorities Key Considerations Guiding Questions Credit reporting service providers should be able to gather information from all 0.1- Are there any specific data sets that should not be collected according to relevant data providers within the limits established in the law established laws (e.g. so-called sensitive data)? 0.2- Is this limitation clearly established in the law? Role A: Data providers should report accurate timely and sufficient data to Q.3- What are the mechanisms to determine the data that is relevant? credit reporting service providers on an equitable basis. 0.4- Are there any other challenges impeding the collection of relevant data? Role B: other data sources, in particular public record agencies should facili- Q.5- Are there any actions in place to overcome this challenge? tate access to their databases to credit reporting service providers. 0.6- Are there exclusivity contracts for data collection in place? Role F: authorities should promote a credit reporting system that is efficient and effective in satisfying the needs of the various participants and supportive of data subject and consumer rights and of the development of a fair and com- petitive credit market. Credit reporting service providers should be able to access other data sources .1 - Is there an automated national identification database available? Can the of relevance, within the limits established in the law. CRSP access ID databases or records (e.g. national identity records) for valida- tion purposes? Please indicate any challenge. Role B: other data sources, in particular public record agencies should facili- Q.2- Is information on other relevant public records easily accessible (e.g. via tate access to their databases to credit reporting service providers. electronic means) and updated on a systematically basis (e.g. records on liens Role F: authorities should promote a credit reporting system that is efficient on property, court records)? and effective in satisfying the needs of the various participants and supportive Q.3- Are there any technical or commercial problems impeding this access? of data subject and consumer rights and of the development of a fair and com- Provide details. petitive credit market. Section IV. Questions by Principle and Recommendation 20 ASSESSMENT METHODOLOGY Retention of data Guidance to determine observance by data providers, CRSPs, users and authorities Key Considerations Guiding Questions Data collected should be available fora period of time that is consistent with Q.1- Is there a definition of data retention? Is this definition captured in the the purpose for which the data is used. legal framework? Q.2- Does the current data retention period enable the development of value Role C: CRSPs should ensure data processing is secure and provide high qual- added services? ity and efficient services. Q.3- Is the existing data not distributed to the participants after a period of Role D: Users should make proper use of the information available from credit time? Why? reporting service providers. Q.4 What is the retention period for distribution? Are there different rules for negative data and for positive data? What is the retention period for storage? Are there different rules for negative data and for positive data? Q.5- Are there different levels of retention period? Q.6 Is there a situation whereby the specific data can no longer be shown explicitly to users after a certain period of time, but can still be used as an input for other services such as credit scores or for financial intermediaries supervi- sion? Clear rules should be in place to determine the specific date or event when 0.1 - Are the rules for calculating the distribution period clear enough to par- distribution should be discontinued ticipants? 0.2- In practice, is the calculation method for the distribution period applied Role F: authorities should promote a credit reporting system that is efficient consistently by all participants? and effective in satisfying the needs of the various participants and supportive of data subject and consumer rights and of the development of a fair and com- petitive credit market. ASSESSMENT METHODOLOGY 21 General Principle 2 Credit reporting systems should have rigorous standards of security and reliability, and be efficient. Security measures Guidance to determine observance by data providers, other data sources, CRSPs, users and authorities Key Considerations Guiding Questions Credit reporting system participants should protect data against any loss, cor- 0.1- Is there an information security policy in place? Has it been document- ruption, destruction, misuse or undue access. ed? Has it been approved by the Board? 0.2- Does the policy cover physical and logical access and any other relevant Role A: Data providers should report accurate, timely and sufficient data to technological and organizational aspects? CRSPS 0.3- Does the policies address the following; access procedures and authori- Role B: Other data sources should facilitate access to their databases to CRSPs zation rules, mechanisms for data release including mechanism to minimize Role C: CRSPs should ensure data processing is secure and provide high qual- data disclosure? ity and efficient services 0.4- Is the person or department with primary responsibility for these matters Role D: Users should make proper use of the information available from credit clearly identified in the information security policy document? reporting service providers. 0.5- Does the document cover specific actions in emergency situations? Role F: authorities should promote a credit reporting system that is efficient 0.6- Does the document include a communications protocol with all relevant and effective in satisfying the needs of the various participants and supportive parties involved, both internal level and external level? of data subject and consumer rights and of the development of a fair and com- 0.7- Does procedures describe who can access to secure areas? petitive credit market 0.8- Are electronic data transfers done through a secure method? Describe the method? Are ancillary data sets encrypted when not in use? 0.9- Are there any contractual provisions ensuring accountability in the event any loss, destruction, misuse or undue access occurs? 0.10-Do policies outline specific reasons, permissions and physical security procedures for using, transporting and protecting information outside the organization's premises? Reliability Guidance to determine observance by CRSPs Key Considerations Guiding Questions Credit Reporting Service providers should implement appropriate business con- Q.1 Is there a business continuity plan (BCP) in place? Has this been approved tinuity measures to ensure that their services will be available to users without by the Board? any significant disruptions. 0.2 Does the BCP reflect objectives, policies and procedures that allow for the rapid recovery and timely resumption of critical operations following a major Role C: CRSPs should ensure data processing is secure and provide high qual- disruption? ity and efficient services 0.3 Is there a specific recovery time objective (RTO) as part of the BCP? Pro- vide details. 0.4 In the event of a disruption, is there is a possibility of data loss? If yes, what are the procedures to deal with such loss? 0.5 Has the CRSP set up a secondary site with sufficient resources, capabili- ties, functionalities and appropriate staffing that would allow for it to take over operations if needed? 0.6 To what extent does the BCP address the needs for effective communica- tions internally and with key external stakeholders? 0.7 How and how often is the BCP reviewed and tested? Are data providers and users involved in these tests? Section IV. Questions by Principle and Recommendation 22 ASSESSMENT METHODOLOGY Efficiency Guidance to determine observance by data providers, CRSPs and users Key Considerations Guiding Questions Credit reporting service providers should strive to be efficient both from an 0.1 Does the CRSP promote and/or facilitate the use of standardized formats/ operational as well as from a cost perspective, while continuing to meet users' templates for data provisioning and in general terms greater levels of automa- needs and high standards for service levels. tion? 0.2 What are the different access channels to CRSP data? Is an on-line ser- Role C: CRSPs should ensure data processing is secure and provide high qual- vice in place? ity and efficient services. 0.3 Does the CRSP have in place a service level or standards to respond to Role D: Users should make proper use of the information available from credit queries from system users? Does the service contract with users reflect the reporting service providers. consequences of such service level not being met? 0.4- How are users' needs taken into consideration in the strategy plans of the CRSP? 0.5- Is there a Users' Committee in place? If yes, does it involve both data providers and key system users (e.g. relevant institutional users)? 0.6- Are services and prices published or broadly available? 0.7- Is there a users' group in place? What is the composition? Policies and procedures for this group are pre-defined? 0.8- What are the requirements to become user of the system? Is there a contract in place to access the system? Is this contract standard? ASSESSMENT METHODOLOGY 23 General Principle 3 The governance arrangements of credit reporting service providers and data providers should ensure accountability, transparency and effectiveness in managing the risks associated with the business and fair access to the information by users Accountability of governance arrangements Guidance to determine observance by CRSPs Key Considerations Guiding Questions Credit reporting service providers and credit reporting data providers should be 0.1- Are Board' responsibilities clearly defined and documented? subject to mechanisms that ensure proper accountability of management and, 0.2- Are management responsibilities and reporting lines clearly established? where applicable, of board members. This should include independent audits 0.3 Is there a compliance officer or function in place? or reviews. 0.4- Are procedures in place to review performance of the Board? 0.5- Are procedures in place to review performance of management? Role C: CRSPs should ensure data processing is secure and provide high qual- 0.6- Is the CRSP screened by external auditors for areas such as IT, compli- ity and efficient services ance, financials, etc? Transparency of governance arrangements Guidance to determine observance by CRSPs and data providers Key Considerations Guiding Questions Governance arrangements for credit reporting service providers and credit re- 0.1 Are the documents describing Board responsibilities and its composition porting data providers should ensure timely and accurate disclosure of relevant available to the oversight authorities, owners and system participants (data matters related to the entity and its activities. providers and users)? Are they publicly available? 0.2 Are any changes in the composition of the ownership of the CRSP dis- Role C: CRSPs should ensure data processing is secure and provide high qual- closed to the authorities and participants, and to general public? ity and efficient services. 0.3 What relevant matters are disclosed by the CRSP management to authori- ties, system participants and to the general public (use paragraph 134 of the GPCR report as a reference)? 0.4- In case governance arrangements may be having an impact on activities such as data storage or on cross border data flows, is the situation disclosed to authorities and participants? 0.5- Is information related to additional users not contributing data being disclosed to data providers? Throughout the Assessment Methodology, the use of term "Board of Directors" should be interpreted widely to refer to the CRSP's top governing body, in any of its forms. Section IV. Questions by Principle and Recommendation 24 ASSESSMENT METHODOLOGY Ensuring appropriate risk management through effective governance Guidance to determine observance by CRSPs Key Considerations Guiding Questions The management of credit reporting service providers and data providers 0.1 What is the risk management framework, i.e. the CRSP policies and pro- should identify all relevant risks faced by the organization. The outcomes of this cedures in place to identify, measure, monitor and manage the risks that arise risk analysis should be reported periodically to the organization's top governing in the system? body. 0.2 Has this framework been approved by the Board of Directors? 0.3 What specific risks does the risk management framework cover? Role C: CRSPs should ensure data processing is secure and provide high qual- 0.4 Are roles and responsibilities with regard to risk management and internal ity and efficient services. controls clearly defined? 0.5 How does the CRSP assess the effectiveness of its risk management framework? To properly address and mitigate risks, credit reporting service providers and 0.6- Is the outcome of the analysis referred to in the previous question dis- credit reporting data providers should establish sound internal controls and risk closed to the CRSP's Board or other top governing body? management mechanisms. Role C: CRSPs should ensure data processing is secure and provide high qual- ity and efficient services. Ensuring all users have fair access to information through effective governance Guidance to determine observance by CRSPs Governance arrangements of credit reporting service providers should promote 0.1- Are participation rules clearly defined in the legal and regulatory frame- all users having access to information under equitable conditions. This objec- work? tive should not be affected by the ownership structure of the service provider. 0.2- Are there any exceptions? 0.3- Is there a fair treatment of all current users of the system? For example, Role C: CRSPs should ensure data processing is secure and provide high qual- this includes pricing considerations, or the ability to access the available data ity and efficient services. and additional services effectively. 0.4- Are Board members able to object the participation of a data provider or user in the system? 0.5- Describe any areas of concern. ASSESSMENT METHODOLOGY 25 General Principle 4 The overall legal and regulatory framework for credit reporting should be clear, predictable, non-discriminato- ry, proportionate and supportive of data subject/consumer rights. The legal and regulatory framework should include effective judicial or extrajudicial dispute resolution mechanisms Clarity and predictability Guidance to determine observance of the guidelines for the legal environment Key Considerations Guiding Questions The legal and regulatory framework should be sufficiently precise to allow 0.1 - Has the drafting process of the regulatory framework involved a consul- service providers, data providers, users and data subjects to foresee the con- tative period with the industry, consumer organizations and relevant special- sequences that their actions may entail. ized lawyers? Q.2- Have the key concepts been included in a law governing the credit re- Role F: authorities should promote a credit reporting system that is efficient porting system? and effective in satisfying the needs of the various participants and support- Q.3- Is there any major concept that is not adequately covered in the relevant ive of data subject and consumer rights and of the development of a fair and law or regulation? competitive credit market Q.4 -Are rules and provisions sufficiently clear? The terminology used throughout the legal and regulatory framework, includ- 0.1- Are the terms used in the legal and regulatory framework consistent ing the rules and other norms, should be consistent at the domestic level. across the various laws, regulations and contractual arrangements? Q.2- During the drafting process, have the existing standards and glossaries Role F: authorities should promote a credit reporting system that is efficient being considered? and effective in satisfying the needs of the various participants and supportive of data subject and consumer rights and of the development of a fair and competitive credit market. Public awareness of the laws and rules of credit reporting operations contrib- 0.1 - How do CRSPs show that their rules are formulated in an understandable utes to the clarity and predictability of the legal and regulatory framework. manner? 0.2 Are there or have there been specific efforts to disseminate the applicable Role F: authorities should promote a credit reporting system that is efficient legal and regulatory framework among CRSP participants, other relevant and effective in satisfying the needs of the various participants and supportive stakeholders and the general public? of data subject and consumer rights and of the development of a fair and competitive credit market. Non-discrimination Guidance to determine observance of the guidelines for the legal environment Key Considerations Guiding Questions Data supplying and data access should be established in a fair manner re- 0.1- How does the CRSP demonstrate impartiality when applying the rules to sponding to impartial rules regardless of the nature of the participants. all its participants? 0.2- Are rules for reciprocity clearly established? Are these rules enforced? Role C: CRSPs should ensure data processing is secure and provide high Q.3 -Are there any exceptions? quality and efficient services Role F: Authorities should promote a credit reporting system that is efficient and effective in satisfying the needs of the various participants and support- ive of consumer rights and the development of a fair and competitive credit market. Section IV. Questions by Principle and Recommendation 26 ASSESSMENT METHODOLOGY Obligations on data quality, security measures and consumer rights should be Q.1- Do laws and regulations clearly cover the responsibilities of all existing equally applicable to all credit reporting service providers, data providers and CRSPs regarding data quality, security measures and consumers' rights? users. Proportionality Guidance to determine observance of the guideline for the legal environment Key Considerations Guiding Questions The legal and regulatory framework should not be overly restrictive and bur- 0.1- Are there any elements in the legal and regulatory framework imposing densome relative to the possible issues it is designed to tackle. excessive burden to any participant in the system? 0.2 - Does the legal and regulatory framework impose serious limitations to Role F: authorities should promote a credit reporting system that is efficient data collection? and effective in satisfying the needs of the various participants and supportive 0.3- For data collection limitation is criteria clearly defined in the legal and of data subject and consumer rights and of the development of a fair and regulatory framework? competitive credit market. 0.4- Are rules for data usage clearly defined in the legal and regulatory framework? Laws and regulations should be practical and effective as to ensure a high 0.1- Are the laws and regulations capturing market and user needs? degree of compliance. Q-2- Do laws and regulations allow for flexibility for future market develop- ment? Q.3- Are laws and regulations prescriptive? Consumer rights and data protection Guidance to determine observance of the appropriate formulation of rules, their application and enforcement Key Considerations Guiding Questions Rules regarding the protection of data subjects/consumers should be clearly 0.1- Are consumers' rights clearly identified in the legal and regulatory frame- defined. At the minimum these rules should include: (i) the right to object to work? their information being collected for certain purposes and/or used for certain 0.2- Are timelines for accessing information defined? Are the consequences purposes, (ii) the right to be informed on the conditions of collection, process- for not meeting deadlines defined? ing and distribution of data held about them, (iii) the right to access data held 0.3- Is the process to correct data disclosed to consumers and general pub- about them periodically at little or no cost, and (iv) the right to challenge ac- lic? Does the process allow for consumers living in remote areas to correct curacy of information about them. their data in a reasonable manner? Q.4-What is the cost to a consumer for accessing their report? Is there a limi- Role A: Data providers should report accurate, timely and sufficient data to tation in time to access consumers' own report? CRSPS. Q.5- Are there any loops in the process of data correction? Role B: Other data sources should facilitate access to their databases to 0.6- Are communications protocols between CRSPs and data providers clearly CRSPs. established for data correction? Role C: CRSPs should ensure data processing is secure and provide high quality and efficient services. Role F: authorities should promote a credit reporting system that is efficient and effective in satisfying the needs of the various participants and supportive of data subject and consumer rights and of the development of a fair and competitive credit market. The legal and regulatory framework should address all relevant issues related Q.1- Is data subject's privacy adequately covered under the law? to data subject's privacy, especially if such issues are not covered by a per- 0.2- Is there a data protection/privacy law? Does this law cover credit data sonal data protection law or other similar law. protection regarding credit reporting? 0.3 Are all relevant privacy issues adequately covered under the law? Role F: authorities should promote a credit reporting system that is efficient and effective in satisfying the needs of the various participants and supportive of data subject and consumer rights and of the development of a fair and competitive credit market. ASSESSMENT METHODOLOGY 27 Dispute resolution Guidance to determine observance by authorities and CRSPs Key Considerations Guiding Questions The process for solving disputes should be established in the law(s) governing 0.1- Is the process for solving disputes in place? credit reporting activities orin substantive regulations when such laws do not 0.2- Does the process end with the mechanism established by the data pro- exist viders and CRSPs? 0.3-Is there an alternative (e.g. out-of-court) dispute mechanism system? Role A: Data providers should report accurate, timely and sufficient data to 0.4- Is the practice compliant with the legal framework? CRSPS. 0.5- Is the process for solving disputes "consumer-friendly"? For example, Role B: Other data sources should facilitate access to their databases to can be accessed with ease by data subjects? Is it low cost? CRSPs. Role C: CRSPs should ensure data processing is secure and provide high quality and efficient services. Role F: authorities should promote a credit reporting system that is efficient and effective in satisfying the needs of the various participants and support- ive of data subject and consumer rights and of the development of a fair and competitive credit market. Credit reporting service providers and data providers should flag to all users cases where data subjects are involved in a dispute with the data provider in 0.1- Is there a mechanism to indicate or flag existence of an on-going data connection with the subject's data. dispute initiated by a consumer or the relevant authority? 0.2- Does this situation have an impact on the credit score of the consumer? Role A: Data providers should report accurate, timely and sufficient data to CRSPS. Role B: Other data sources should facilitate access to their databases to CRSPs. Role C: CRSPs should ensure data processing is secure and provide high quality and efficient services. Credit reporting service and data providers should cooperate in reaching and 0.1- Are there communication procedures in place to address data subjects expeditious solution to disputes. complaints regarding data errors? 0.2- Is this procedure effective? Role A: Data providers should report accurate, timely and sufficient data to 0.3- Are there any loopholes? CRSPS. 0.4- Does the decision affect the integrity of the database? Role C: CRSPs should ensure data processing is secure and provide high quality and efficient services. The legal framework should provide suitable enforcement mechanisms, in- cluding redress for data subjects harmed. 0.1- Are there enforcement mechanisms in place for the existing legal provi- sions with regard to dispute resolution? Role F: authorities should promote a credit reporting system that is efficient 0.2- Are there any areas where the enforcement process is not recognized in and effective in satisfying the needs of the various participants and supportive the law? of data subject and consumer rights and of the development of a fair and competitive credit market. Section IV. Questions by Principle and Recommendation 28 ASSESSMENT METHODOLOGY General Principle 5 Cross-border credit data transfers should be facilitated, where appropriate, provided that adequate requirements are in place Pre-conditions for cross-border credit transfers Guidance to determine observance by domestic and foreign authorities, CRSPs and data providers Key Considerations Guiding Questions The feasibility or desirability of cross-border data transfers should be based 0.1 What needs have been identified that would support or justify cross bor- on a cost-benefit analysis that considers market conditions, the level of eco- der data transfers? For example, a common market for goods and services, nomic and financial integration, legal and regulatory barriers, and participant labor mobility, etc. needs. 0.2- Is the cross-border data transfer arrangement the result of the small individual size of the countries involved (representing a barrier for the devel- Role A: Data providers should report accurate, timely and sufficient data to opment of a CRS domestically)? CRSPS. Role C: CRSPs should ensure data processing is secure and provide high quality and efficient services. Role F: authorities should promote a credit reporting system that is efficient and effective in satisfying the needs of the various participants and supportive of data subject and consumer rights and of the development of a fair and competitive credit market. Standardization of data formats and procedures should be fostered to facili- 0.1 -Are data formats compatible across the jurisdictions involved in the tate cross-border credit data transfers. cross-border data transfer arrangement? 0.2 -What are the formal arrangements for this standardization to take place? Role C: CRSPs should ensure data processing is secure and provide high quality and efficient services. ASSESSMENT METHODOLOGY 29 Requirements for cross-border credit data transfers Guidance to determine observance by domestic and foreign authorities, CRSPs and data providers Key Considerations Guiding Questions When cross border credit data transfers occur the potential sources of risks 0.- Is there a risk management framework in place to specifically address that can arise should be identified and appropriately managed. the risks of cross-border data transfers and the underlying specific arrange- ment? Role F: authorities should promote a credit reporting system that is efficient 0.2- To what extent differences in the legal and regulatory framework in the and effective in satisfying the needs of the various participants and support- jurisdictions involved have been addressed in the specific arrangement for ive of data subject and consumer rights and of the development of a fair and transferring data across borders? Is this specific arrangement considered competitive credit market sound from a legal perspective? Role C: CRSPs should ensure data processing is secure and provide high 0.3- Are rules on data transfers clear enough to all participants? Are these qualiQy and efficient services, rules binding to participants? 0.4- Are data subjects notified of the existence of a cross border data trans- fer? 0.5- How are data subjects able to access, correct and be informed about the processing of their information by third parties abroad? 0.6- How are system failures addressed or planned to be addressed? 0 e.7- How are changes in management or ownership in the hosting country addressed so that smooth functioning of the system is ensured? 0.8- How is confidentiality addressed in the hosting country policies and procedures? 0.9- How is P Ib dealt with in case of cross-border activity? pr0- How do governance structures of a CRSP impact the operations of the system? .71 What are the business continuity measures in this case? There should be a framework for cooperation and coordination between the Is there a formal agreement for cooperation between authorities of the relevant regulators and overseers, various jurisdiction involved in the cross-border data transfer arrangement? 0.2 In practice, how does this cooperation take place? Role F: authorities should promote a credit reporting system that is efficient 01.3 Is there any area lacking certainty under the observed arrangement? and effective in satisfying the needs of the various participants and support- lye of data subject and consumer rights and of the development of a fair and competitive credit market Section IV. Questions by Principle and Recommendation 30 ASSESSMENT METHODOLOGY 4.2 RECOMMENDATIONS FOR EFFECTIVE OVERSIGHT OF CREDIT REPORTING SYSTEMS" Recommendation A: Regulation and Oversight Credit reporting systems should be subject to appropriate and effective regulation and oversight by a central bank, a financial supervisor, or other relevant authorities. It is important that one or more authorities exercise the function as primary overseer. Guidance to determine observance by authorities Key Considerations Guiding Questions Authorities at the national level should identify credit reporting systems that 0.1- Are the credit reporting systems operating in the country being identi- should be subject to regulation and oversight using publicly disclosed criteria. fied for the purpose of determining whether they should be regulated and overseen? 0.2- Is the criteria for determining whether credit reporting systems should be regulated and overseen publicly disclosed? 0.3. Has the relevant criteria being discussed with the industry, the data pro- viders and users? Appropriate authorities such as a central bank, financial regulator or other 0.1- Which authority (or authorities) in practice regulate credit reporting sys- relevant body should oversee credit reporting systems that are identified us- tems? ing such criteria. 0.2- Which authority (or authorities) in practice oversees credit reporting systems? 0.3- Is there any particular case of a credit reporting systems that has been identified to be subject to regulation and oversight and that is not regulated and/or overseen in practice? 0.4- Are there any other relevant areas that are not subject to regulation and oversight ? One or more authorities should be appointed as primary overseer Such 0.1- If there is more than one regulator/overseer, has a primary overseer be- authority(ies) should coordinate its/their oversight actions with other relevant ing established? authorities. 0.2- If answer to 0.1 is affirmative, what authority (e.g. central bank, financial supervisor) has been assigned with primary responsibility for the oversight function? 0.3- Is the role of primary overseer for credit reporting recognized by the law? 0.4- Is there a mechanism for coordination between the various regulators/ overseers in place? In practice is there coordination between authorities? 0.5- In case there are cross-border credit reporting activities, are authorities in the other relevant countries also vested with oversight powers? 0.6- Are there formal coordination arrangements in place between domestic and foreign authorities? Observance of the 5 recommendations is the exclusive responsibility of the relevant authorities. The corresponding role identified in the General Principles report (i.e. Role F) is therefore not included under each of the key considerations. ASSESSMENT METHODOLOGY 31 RECOMMENDATION B: REGULATORY POWERS Central banks, financial supervisors, and other relevant authorities should have the powers and resources to carry out effectively their responsibilities in regulating and overseeing credit reporting systems. Guidance to determine observance by authorities Key Considerations Guiding Questions Authorities should have powers or other capacity consistent with their rel- 0.1 - What are the authorities' specific powers in relation to their oversight evant oversight responsibilities, including the ability to obtain information and responsibilities? induce change. Q.2- Do relevant authorities have concrete powers to obtain the required in- formation and data from CRSPs, data providers and other relevant parties? Q.3- Do authorities have a mechanism in place to monitor the system par- ticipants' observance of the standards, and to require from them to make the necessary changes to achieve full observance? Authorities should have sufficient resources to fulfill their regulatory and over- 0.1- Is there a process to evaluate needs and resources in connection with sight responsibilities. oversight responsibilities? 0.2- Are financial and human resources deemed adequate at the moment? Q.3- What other relevant challenges have been identified as part of the needs assessment process? Recommendation C: Disclosures of objectives and policies with respect to credit reporting systems Central banks, financial supervisors, and other relevant authorities should clearly define and disclose their regulatory and oversight objectives, roles, and major regulations and policies with respect to credit reporting systems Guidance to determine observance by authorities Key Considerations Guiding Questions Authorities should clearly define their regulatory and oversight objectives, 0.1 Have policy objectives with regard to credit reporting been defined? Have roles, regulations, and policies to set clear expectations for credit reporting the relevant authorities defined their regulatory and oversight objectives? systems and facilitate compliance with applicable policy requirements and Q.2- Is there a formal forum where authorities discuss credit reporting con- standards. cerns with all relevant stakeholders? Q.3- Are actions formulated and documented by the relevant authority? Authorities should publicly disclose their objectives, roles, regulations, and 0.1 Are policy objectives, overseer objectives and roles, and relevant regula- policies to provide accountability in the exercise of regulation and oversight of tions publicly disclosed? credit reporting systems Section IV. Questions by Principle and Recommendation 32 ASSESSMENT METHODOLOGY RECOMMENDATION D: APPLICATION OF THE GENERAL PRINCIPLES FOR CREDIT REPORTING SYSTEMS Central banks, financial supervisors, and other relevant authorities should adopt, where relevant, the General Principles for credit reporting systems and apply them consistently Guidance to determine observance by authorities Key Considerations Guiding Questions To establish key minimum standards, authorities should adopt the General 0.1- How are the General Principles been adopted? Have authorities formally Principles for credit reporting systems, providing a consistent regulatory and adopted the General Principles for credit reporting systems as the standards oversight framework within and across national and regional jurisdictions to for their market? all credit reporting system participants. 0.2- Even if not adopted formally, do authorities apply the General Principles in practice? 0.3- Are there any arrangements to evaluate the level of adoption of the Gen- eral Principles? 0.4- Are there any plans for the formal adoption of the General Principles and have these been disclosed to the relevant stakeholders? Authorities should ensure that the General Principles and related roles are 0.1 - How do authorities ensure that the General Principles are applied con- applied consistently to all credit reporting system participants. sistently to all credit reporting systems participants? 0.2- In particular, if the authority responsible for regulation/oversight is also a CRSP, how does it ensure that the system it operates is subject to the same standards as those applied to systems operated by third parties? For example, what are the organizational arrangements with regard to the operation and oversight of the internal system? ASSESSMENT METHODOLOGY 33 RECOMMENDATION E: COOPERATION AMONG AUTHORITIES Central banks, financial supervisors, and other relevant authorities, both domestic and international, should cooper- ate with each other, as appropriate, in promoting the development, safety and efficiency of credit reporting systems. Guidance to determine observance by authorities Key Considerations Guiding Questions Authorities should cooperate with each other, as appropriate, to support more Q.1- Are the areas of cooperation being identified? efficient and effective regulation and oversightof credit reporting systems. Q.2- Does cooperation apply to all relevant CRs in the country (ies)? Q.3- Is there a communication process identified? Q.4- Are specific staff charged with fostering and implementing dialogue among the different authorities? Q.4- Are there any areas impeding the cooperation between authorities either at domestic or the international level? Authorities should adopt current and evolving best practices on international Q.1 - Have the relevant authorities established an explicit cooperative arrange- cooperative arrangements. ment? What are the main features of that arrangement? Is it deemed effective (e.g. the arrangement facilitates coordinated and timely actions in emergency as well as in normal circumstances)? Q.2- If authorities have not established an explicit cooperative arrangement, do they still cooperate in practice? Is the level of cooperation adequate? Section IV. Questions by Principle and Recommendation 34 ASSESSMENT METHODOLOGY ANNEX 1: MEMBERS OF THE ICCR The list below shows the institutions and individuals that under the leadership of the chairman coordinated the pro- duction of the assessment methodology and the consultative process for such methodology. Chairman Massimo Cirasino, World Bank Members Arab Monetary Fund Nabil Al-Mubarak Asociaci6n Latinoamericana de Cr6dito Luz Maria Salamina Association of Consumer Credit Information Suppliers Neil Munroe Banco Central do Brasil Rog6rio Rabelo Peixoto Banco de Espafia Ram6n Santilldn Nuria Armas (alternate) Banca D'Italia Maria Pia Ascenzo Bank for International Settlements Marc Hollanders Business Information Industry Association Joachim Bartels Center for Latin American Monetary Studies Fernando Tenjo Raill Morales (alternate) Central Bank of the Republic of Turkey Omer Kayhan Seyhun Consumer Data Industry Association Stuart Pratt Deutsche Bundesbank Michael Ritter European Bank for Reconstruction and Development Frederique Dahan Inter-American Development Bank Morgan Doyle People's Bank of China Xiaolei Wang Reserve Bank of India Rajesh Jai Kanth Secretaria de Hacienda y Cr6dito Piblico de M6xico German Saldivar South Africas National Credit Regulator Darrel Beghin Secretariat Jose Antonio Garcia Luna, World Bank Fredesvinda Montes Herriz, World Bank Mara&iahscnz