70193 General Principles for Credit Reporting September, 2011 THE WORLD BANK General Principles for Credit Reporting September, 2011 Contents Foreword � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �v 1. Introduction and Executive Summary � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �1 Key Considerations Concerning Credit Reporting and the General Principles � � � � � � � � � � � � � � � � � � � � � � � � � � � 2 Scope and Use of the General Principles � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � 4 Structure of the Report � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � 5 2. Credit Reporting Systems: Brief Overview and Key Considerations � � � � � � � � � � � � � � � � � �7 2�1� The importance of Credit Reporting Systems � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � 7 2�2� Key Participants in a Credit Reporting System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 2�3� Key Considerations Concerning Credit Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 2.3.1 Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 2.3.2 Data Processing: Security and Efficiency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 2.3.3 Governance Arrangements for Credit Reporting Service Providers and Data Providers and Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 2.3.4 Legal and Regulatory Framework. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 2.3.5 Cross-border Data Flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 3. The General Principles � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � 23 3�1� Public Policy Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 3�2� The General Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Data Processing: Security and Efficiency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Governance and Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Legal and Regulatory Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Cross-border Data Flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 3�3� The Roles of Credit Reporting System Participants. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 4. Recommendations for Effective Oversight of Credit Reporting Systems � � � � � � � � � � � � � � 39 Oversight Recommendation A: Regulation and oversight of credit reporting systems . . . . . . . . . . . . . . . . . . . . 39 Oversight Recommendation B: Regulatory and oversight powers and resources . . . . . . . . . . . . . . . . . . . . . . . . 40 Oversight Recommendation C: Disclosures of objectives and policies with respect to credit reporting systems . . . 40 Oversight Recommendation D: Application of the General Principles for credit reporting systems. . . . . . . . . . . . 41 Oversight Recommendation E: Cooperation among authorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 General Principles for Credit Reporting Annex 1. Information Cycle for the Creation of a Credit Report � � � � � � � � � � � � � � � � � � � � � 45 Annex 2. Basic Existing Models of Credit Reporting Services � � � � � � � � � � � � � � � � � � � � � � � 49 Annex 3. Privacy, Data Protection and Consumer Protection � � � � � � � � � � � � � � � � � � � � � � � � 53 Annex 4. Select Bibliography � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � 57 Annex 5. Glossary � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � 61 Annex 6. Members of the Task Force � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � 65 iv Foreword F inancial Infrastructure broadly defined comprises national standards for credit reporting systems’ policy the underlying foundation for a country’s finan- and oversight. The Principles for credit reporting are cial system. It includes all institutions, information, deliberately expressed in a general way to ensure that technologies, rules and standards that enable financial they can be useful in all countries and that they will be intermediation. Poor financial infrastructure in many de- durable. These Principles are not intended for use as veloping countries poses a considerable constraint upon a blueprint for the design or operation of any specific financial institutions to expand their offering of financial system, but rather suggest the key characteristics that services to underserved segments of the population and should be satisfied by different systems and the infra- the economy. It also creates risks which can threaten the structure used to support them to achieve a stated com- stability of the financial system as a whole. mon purpose, namely Expanded Access and Coverage, Fair Conditions, and Safe and Efficient Service for bor- The World Bank Group is a leader in financial infra- rowers and lenders. structure development in emerging markets, including payment systems and remittances, credit reporting and Against this background, the standards are expected secured lending. Moreover, the World Bank Group is to inform the action of authorities in this field, for ex- intensifying its commitment to promote and dissemi- ample central banks and banking supervisors in the nate the policy and research debate on these and other context of their supervisory function. It is further en- topics within the scope of financial infrastructure and visaged that the standards would be useful to service also plays the role of international standard setter in this providers and system operators when designing or space. modifying their product offerings, to financial interme- diaries when choosing to be a participant in any spe- Credit reporting systems are very important in today’s cific system, and to end users when agreeing to use a financial system. Creditors consider information held specific system. by these systems a primary factor when they evaluate the creditworthiness of data subjects and monitor the The report has been prepared by a Task Force coordi- credit circumstances of consumers. This information nated by the World Bank, with support from the Bank flow enables credit markets to function more efficiently for International Settlements. The Task Force comprises and at lower cost than would otherwise be possible. representatives from central banks and other financial and privacy regulators, from multilateral organizations This report describes the nature of credit reporting el- involved in credit reporting and from international ements which are crucial for understanding credit re- credit reporting service providers. The Task Force also porting and to ensuring that credit reporting systems benefited from the significant experience of the Credit are safe, efficient and reliable. It intends to provide an Bureau Team of the International Finance Corporation. international agreed framework in the form of inter- Some institutions (“Tier 2� Group), although not con- General Principles for Credit Reporting sidered formally members of the Task Force, have been The World Bank thanks the members of the task force, actively consulted to provide inputs during the process the reviewers, the Secretariat and its Chairman Massimo of preparation of the Principles. They include other in- Cirasino, for their excellent work in preparing this report. dustry associations, private sector operators, scholars and practitioners. The report was also released for pub- Janamitra Devan, Vice President lic consultation. World Bank Group vi 1 Introduction and Executive Summary W ell functioning financial markets contribute to cally guide the various stakeholders in dealing with the sustainable growth and economic develop- challenges associated with the development and day- ment, because they typically provide an efficient to-day operation and improvement of these systems. mechanism for evaluating risk and return to investment, The Credit Reporting Standards Setting Task Force was and then managing and allocating risk. Financial infra- launched by the World Bank, with the support of the structure (FI) is a core part of all financial systems. The Bank for International Settlements, to fill this critical quality of financial infrastructure determines the effi- gap, aiming to provide a core set of general principles ciency of intermediation, the ability of lenders to evalu- to guide these efforts in any given jurisdiction. ate risk and of consumers to obtain credit, insurance and other financial products at competitive terms. Credit re- 5. The general principles are intended for policymak- porting is a vital part of a country’s financial infrastruc- ers, regulators, financial supervisors, credit reporting ture1 and is an activity of public interest. data providers, credit reporting service providers, the users of such services, and individuals and businesses 2. Credit reporting addresses a fundamental problem whose credit histories and identification data are stored of credit markets: asymmetric information between in these systems (the latter two are referred to as “data borrowers and lenders, which may lead to adverse se- subjects� throughout the report). In addition to the lection, credit rationing, and moral hazard problems.2 principles, the Task Force has also developed a set of Regulators and financial market participants are there- specific roles, one for each of the stakeholders in credit fore increasingly recognizing the value of credit report- ing systems for improved credit risk and overall credit portfolio management, to enhance financial supervi- 1 The World Bank, “Financial Infrastructure: Building Access sion and financial sector stability, and as a tool to en- Through Transparent and Stable Financial Systems�, Finan- hance access to credit. cial Infrastructure Policy and Research Series, Washington D.C., 2009. 3. In competitive markets, the benefits of credit report- 2 Some of these issues are analyzed in further detail in Section ing activities are passed on to borrowers in the form of 2 of this report. a lower cost of capital, which has a positive influence on 3 For more information on how credit reporting can lower the productive investment spending.3 Improved information cost of capital, see Marco Pagano and Tullio Jappelli, “Infor- mation Sharing in Credit Markets,� The Journal of Finance, flows also provide the basis for fact-based and quick cred- 43 (1993): 1693–1718; A. Jorge Padilla and Marco Pagano, it assessments, thus facilitating access to credit and other “Endogenous Communication Among Lenders and Entre- financial products to a larger number of borrowers with preneurial Incentives,� The Review of Financial Studies, 10 a good credit history (i.e. good repayment prospects). (Spring 1997): 205–236; and Tullio Jappelli and Marco Paga- no, “Information Sharing in Credit Markets: The European 4. While credit reporting systems are developing rapidly Experience,� Centre for Studies in Economics and Finance, across the world, there are no principles to systemati- Working Paper No. 35 (March 2000). General Principles for Credit Reporting reporting systems, as well as recommendations for ef- sound and fair extension of credit in an economy as fective oversight of credit reporting systems. the foundation for robust and competitive credit mar- kets. To this end, credit reporting systems should be 6. The principles and related roles define the minimum safe and efficient, and fully supportive of data subject/ elements underlying a sound, efficient and effective consumer rights (see Box 1 for a list of the five General credit reporting system. Different markets around the Principles, the related roles, and the recommendations world are at different stages in terms of the develop- for the effective oversight of credit reporting systems). ment of their own credit reporting systems, and the Task Force recognizes that while credit reporting systems in 9. Information quality is the basic building block of an some jurisdictions will already fulfill some or probably effective credit reporting environment. Accuracy of data even most of the principles, in others observance of the implies that such data is free of error, truthful, complete principles will need medium to long-term efforts. and up to date. Inaccurate data may lead to numerous problems, including unjustified loan denials or higher 7. The report builds on previous work in the area of borrowing costs. Quality also means that data is suffi- credit reporting and related fields such as data pro- cient and adequate, implying that: i) relevant detailed tection and credit risk management.4 The World Bank information is captured, including negative as well as Group, through the Global Credit Bureau Program and positive data; ii) information from as many relevant the Western Hemisphere Credit Reporting Initiative,5 sources is gathered, within the limits established by law; has analyzed issues affecting the creation and overall functioning of domestic credit reporting systems, and their continuous development through reforms. Other 4 The list of relevant references presented in this paragraph is relevant work includes that of the Basel Committee on not intended to be exhaustive. Banking Supervision (mainly the Basel Capital Accord),6 5 The Global Credit Bureau Program was created by the IFC in the work developed by the European Central Bank 2001, to improve credit bureaus worldwide through promot- (ECB) through the Working Group on Credit Registers, ing the role of the private sector in their development. The the work of the International Conference of Data Pro- Western Hemisphere Credit Reporting Initiative is a program created in 2004 following a request from the central banks tection and Privacy Commissioners which has debated of Latin America and the Caribbean. The objective of the the role of privacy and data protection from a broad program is to assess and describe credit and loan reporting perspective including credit reporting, the privacy systems in the Western Hemisphere, and provide recommen- frameworks developed by The European Union, APEC dations for their improvement. The latter program is led by and OECD,7 and the work conducted by the European the World Bank in association with CEMLA, and with financial Commission Directorate General on Internal Markets support from the FIRST Initiative. and Services regarding the challenges of cross-border 6 For further information visit the website of the Bank for In- credit data flows in the context of credit reporting.8 ternational Settlements at www.bis.org. 7 Information on these efforts can be found on the websites of, APEC (www.apec.org), OECD (www.oecd.org) and the Key Considerations Concerning Credit Spanish Data Protection Agency (www.agpd.es). For the Eu- Reporting and the General Principles ropean Union Privacy framework please see The Convention of the Council of Europe for the Protection of Individuals 8. The key considerations concerning credit reporting with regard to Automatic Processing of Personal Data (ETS systems can be broadly grouped around the following Nº 108) and its Additional Protocol regarding supervisory topics: i) data; ii) data processing; iii) governance ar- authorities and trans-border data flows (ETS Nº 181); Direc- tive 95/46/EC of the European Parliament and of the Coun- rangements and risk management; iv) legal and regula- cil of 24 October 1995 on the protection of individuals with tory environment; and, v) cross-border data flows. The regard to the processing of personal data and on the free General Principles are organized around these five top- movement of such data. ics. These five General Principles aim at the following 8 The full report from the Expert Group on Credit Histories public policy objectives for credit reporting systems: is available at http://ec.europa.eu/internal_market/consulta- Credit reporting systems should effectively support the tions/ docs/2009/credit_histories/egch_report_en.pdf. 2 Introduction and Executive Summary Box 1 The General Principles The General Principles aim at the following public policy objec- Governance and Risk Management tives for credit reporting systems: Credit reporting systems should General Principle 3: The governance arrangements of credit report- effectively support the sound and fair extension of credit in an econ- ing service providers and data providers should ensure accountabil- omy as the foundation for robust and competitive credit markets. To ity, transparency and effectiveness in managing the risks associated this end, credit reporting systems should be safe and efficient, and with the business and fair access to the information by users. fully supportive of data subject and consumer rights. Legal and Regulatory Environment Data General Principle 4: The overall legal and regulatory framework General Principle 1: Credit reporting systems should have rel- for credit reporting should be clear, predictable, non-discriminatory, evant, accurate, timely and sufficient data—including positive— proportionate and supportive of data subject and consumer rights. collected on a systematic basis from all reliable, appropriate and The legal and regulatory framework should include effective judicial available sources, and should retain this information for a sufficient or extrajudicial dispute resolution mechanisms. amount of time. Cross-Border Data Flows Data Processing: Security and Efficiency General Principle 5: Cross-border credit data transfers should be General Principle 2: Credit reporting systems should have rigorous facilitated, where appropriate, provided that adequate requirements standards of security and reliability, and be efficient. are in place. Roles of Key Players Role A: Data providers should report accurate, timely and complete Role D: Users should make proper use of the information available data to credit reporting service providers, on an equitable basis. from credit reporting service providers. Role B: Other data sources, in particular public records agencies, Role E: Data subjects should provide truthful and accurate informa- should facilitate access to their databases to credit reporting ser- tion to data providers and other data sources. vice providers. Role F: Authorities should promote a credit reporting system that is Role C: Credit reporting service providers should ensure that data efficient and effective in satisfying the needs of the various partici- processing is secure and provide high quality and efficient servic- pants, and supportive of data subject/consumer rights and of the es. All users having either a lending function or a supervisory role development of a fair and competitive credit market. should be able to access these services under equitable conditions. Recommendations for Effective Oversight Recommendation A: Credit reporting systems should be subject to tory and oversight objectives, roles, and major regulations and poli- appropriate and effective regulation and oversight by a central bank, cies with respect to credit reporting systems. a financial supervisor, or other relevant authorities. It is important that Recommendation D: Central banks, financial supervisors, and oth- one or more authorities exercise the function as primary overseer. er relevant authorities should adopt, where relevant, the General Recommendation B: Central banks, financial supervisors, and other Principles for credit reporting systems and related roles, and apply relevant authorities should have the powers and resources to carry them consistently. out effectively their responsibilities in regulating and overseeing Recommendation E: Central banks, financial supervisors, and other credit reporting systems. relevant authorities, both domestic and international, should coop- Recommendation C: Central banks, financial supervisors, and other erate with each other, as appropriate, in promoting the safety and relevant authorities should clearly define and disclose their regula- efficiency of credit reporting systems. 3 General Principles for Credit Reporting iii) information is sufficient in terms of the period over particular the legal and regulatory frameworks should which observations are available. General Principle 1 is, provide a balanced solution to the natural tension be- therefore, that credit reporting systems should have rel- tween the objectives of having access to broader sourc- evant, accurate, timely and sufficient data—including es of information for enhanced credit reporting and positive—collected on a systematic basis from all reli- the interest in preserving individual privacy. There is no able, appropriate and available sources, and should clear consensus on what constitutes an optimal legal retain this information for a sufficient amount of time. and regulatory framework for credit reporting. In addi- tion to contractual agreements, a clear trend worldwide 10. Credit data reside in databases and other types of is that laws be enacted to help protect privacy and pro- data-holding methods that are subject to security and vide data subjects with the ability to access and correct safety concerns, including loss, destruction, corruption, information about them. General Principle 4 is, there- theft and misuse. Moreover, as credit reporting services fore, that the overall legal and regulatory framework are increasingly important for financial market devel- for credit reporting should be clear, predictable, non- opment, the reliability of credit reporting data provid- discriminatory, proportionate and supportive of data ers and credit reporting service providers is a crucial subject and consumer rights. The legal and regulatory element of an effective credit reporting system. At the framework should include effective judicial or extra- same time, users of credit reporting services expect af- judicial dispute resolution mechanisms. fordable services that meet their needs on a continu- ous basis. General Principle 2 is, therefore, that credit 13. As financial markets are increasingly globalized, reporting systems should have rigorous standards of cross-border data transfers can become a useful instru- security and reliability, and be efficient. ment to monitor the credit exposures of important bor- rowers outside a financial institution’s home markets, 11. The growing importance of credit reporting and the or to facilitate the provision of credit and other financial potentially sensitive nature of the activities it entails re- services across borders (e.g. to individuals that do not quire that proper governance arrangements for credit have a credit history in the country where they are ap- reporting service providers and credit reporting data plying for credit). In addition, a single mechanism serv- providers be in place in order to ensure appropriate ing more than one country can be the only cost-effective levels of management accountability and transparency option for credit reporting activities to develop in some in their activities. Good governance arrangements are small markets. While in principle cross-border data also crucial for ensuring that the organization will be flows raise similar concerns as purely domestic credit able to cope successfully with the risks underlying the reporting activities, cross-border activities typically face information sharing and credit reporting businesses, a more complex environment due to the multiplicity including mainly operational risks, legal risks, and rep- of applicable laws, consumer protection frameworks, utational risks. Governance arrangements should also credit cultures, market practices, and institutional struc- ensure that fair competition in the market place and the tures, among others. General Principle 5 is, therefore, robustness of the credit reporting system are not com- that cross-border credit data transfers should be facili- promised because of the particular ownership structure tated, where appropriate, provided that adequate re- of the credit reporting service provider or data provider. quirements are in place. General Principle 3 is, therefore, that the governance arrangements of credit reporting service providers and credit reporting data providers should ensure ac- Scope and Use of the General Principles countability, transparency and effectiveness in man- aging the risks associated with the business and fair 14. The scope of the principles includes those credit access to the information by users. reporting mechanisms whose primary objective is to improve the quality of data for creditors to make bet- 12. A robust legal and regulatory framework covering all ter-informed decisions, as well as those mechanisms relevant aspects involving credit reporting is critical for intended to assist banking and overall financial su- the sound functioning of credit reporting systems. In pervision. These principles are not intended to apply 4 Introduction and Executive Summary to credit rating agencies.9 At the same time, not all of ture and might be reviewed in light of significant chang- the principles may be applicable to commercial credit es in the environment surrounding credit reporting. reporting companies or registries that provide infor- mation and ratings to businesses for the purpose of evaluating trade credit. Structure of the Report 15. While the principles are intended to have univer- 16. Section 2 provides a brief overview of the market sal applicability, they are non-binding and do not aim for credit information sharing and credit reporting ac- at detailed prescriptions for action at national level. tivities and then analyzes in some detail the key consid- Rather, they seek to identify objectives and suggest erations underlying credit reporting. Section 3 outlines various means for achieving them. They can be used the General Principles and related Roles. Section 4 pro- by policy makers and other stakeholders as a reference poses a framework for the effective oversight of credit point when examining the status quo of credit report- reporting systems. ing in their jurisdictions and the need for reforms. In- ternational financial institutions such as the World Bank Group, the International Monetary Fund, regional de- 9 Credit rating agencies typically provide debt or securities rat- velopment banks, and others may also use these prin- ing services for businesses. In some countries, credit rating ciples when carrying out assessment programs and in agencies are starting to provide other types of services, in- providing technical assistance to countries. Moreover, cluding credit reporting services. In such a case, the prin- the principles and related roles are evolutionary in na- ciples would apply over this particular line of business. 5 2 Credit Reporting Systems: Brief Overview and Key Considerations 2.1. The importance of Credit Reporting of the money that the debtor can steadily repay; (iii) as Systems debtors have more information than creditors, they may enter into a contract with no intention of honoring it 17. Credit reporting systems comprise the institutions, (the so-called “moral hazard� problem). individuals, rules, procedures, standards and technol- ogy that enable information flows relevant to making 19. Credit reporting systems reduce information asym- decisions related to credit and loan agreements. At their metries by making a debtor’s credit history available to core, credit reporting systems consist of databases of potential creditors, and are therefore an effective tool information on debtors, together with the institutional, in mitigating issues of adverse selection and moral haz- technological and legal framework supporting the ef- ard. Through credit reporting information and the tools ficient functioning of such databases. The information derived from it (e.g. credit scores), creditors can better stored in these systems can relate to individuals and/or businesses.10 10 See also the definition of National Credit Reporting System 18. A fundamental challenge affecting the relationship in the Glossary. One of the objectives of this report is to pro- between creditors and debtors is that of asymmetric vide a consistent and standard set of definitions of key con- information.11 Debtors are more informed about their cepts in credit reporting. financial situation or standing than the creditor who 11 The problem of asymmetric information is well described is evaluating whether to extend credit to the debtors. in several academic papers including George A. Akerlof, Creditors, therefore, are often limited in their ability to “The market of Lemons: Quality, Uncertainty and the Mar- assess the credit risk associated with lending money or ket Mechanism�, The Quarterly Journal of Economics 84 providing goods and services on credit. Such informa- (August 1970) using the credit market in India in the 1960s tion asymmetries can result in the following less than for one of his examples; Michael Spence, “Job Market Signal- optimal outcomes: (i) potential debtors who are the ing,� The Quarterly Journal of Economics 87 (August 1973); most likely to produce undesirable outcomes being the Michael Rothschild and Joseph Stiglitz “Equilibrium in Com- petitive Insurance Markets: An Essay on the Economics of ones that most actively seek out a loan, and are likely to Imperfect Information,� The Quarterly Journal of Econom- be selected since good debtors are less willing to pay ics 90 (November 1976); and finally also Joseph Stiglitz and a risk premium and hence tend to withdraw their loan Andrew Weiss, “Credit rationing in markets with imperfect in- applications (so-called “adverse selection problem�);12 formation,� The American Economic Review 71 (June 1981). (ii) debtors being able to borrow more money (or goods 12 For example, see Frederic S. Mishkin, The Economics of or services) than they are able to repay under normal Money, Banking and Financial Markets (Addison-Wesley, circumstances, or creditors willing to lend only a fraction 2004) 7th edition, p 32. General Principles for Credit Reporting predict future repayment prospects based on a debtor’s 24. A large variety of private and public entities gather past and current payment behavior and level of indebt- information on individuals and businesses. Many pri- edness, among other factors. vate organizations collect such information as an an- cillary activity derived from their ordinary commercial 20. Historically, credit would be granted on the basis activities involving the sale of goods or services. Other of a credit officer’s personal knowledge of the debtor. private entities specialize in the collection of informa- Robust credit reporting systems capture most of this tion per se, with the intention of selling it to interested information and sometimes even facts that might not parties. Some public sector agencies collect informa- be disclosed to credit officers. Moreover, creditors are tion to build public records for a variety of public in- generally able to access credit reporting information terests (e.g. to better inform public policy decisions, at a fraction of the cost and time of traditional lending administration of justice, or creating and updating ve- mechanisms.13 Credit reporting systems aim to provide hicle inventories, etc.). objective data, which favors segments of the popula- tion that may have been denied credit in the past due 25. The individuals and businesses whose information to some form of prejudice (e.g. assuming that a low- and data are collected, shared or distributed throughout income individual is always a bad debtor). the credit reporting system are referred to as data sub- jects in this report. In some jurisdictions, a data subject 21. Credit reporting systems also serve to discipline does not need to have an actual contractual relation- debtor behavior. A good credit history facilitates access ship with a creditor for its information to be included to credit and can often obviate the need for debtors to in the credit reporting system.17 In others, information put up tangible collateral for loans.14 Debtors who un- on data subjects can be collected and treated only with derstand this are motivated to make payments on time so as to continue to have access to credit products un- der favorable conditions. 13 It should be noted that credit reporting is normally only one of the inputs that goes into the decision of whether to ex- tend a loan. 22. Financial supervisory authorities use credit report- 14 Jappelli and Pagano (2000) show that better information ing data for macro and micro prudential supervision may lead banks to shift from collateral-based lending credit and monitoring of systemic risk levels and producing underwriting policies to more information-based policies. macro statistics of financial system performance. The Margaret Miller, ed., Credit Reporting Systems and the Inter- analysis of credit risk management, provisions and capi- national Economy (Cambridge: The MIT Press, 2003), shows tal adequacy, for example, benefits from the availability how credit bureaus can provide borrowers with “reputation of credit information held by credit reporting service collateral�, frequently viewed as more valuable than physical providers.15 collateral by surveyed lenders. 15 For an analysis of the usefulness of credit reporting data in relation to Basel II, see, for example, the following papers: 2.2. Key Participants in a Credit Reporting Carlos Trucharte Artigas, “A Review of Credit Registers and System their Use for Basel II�, Financial Stability Institute (Septem- ber 2004); Jesús Saurina Salas and Carlos Trucharte, “An As- 23. While different models of credit reporting exist sessment of Basel II Procyclicality in Mortgage Portfolios, throughout the world, each of them involves a number Journal of Financial Services Research 32 (2007); pp. 81–101; Rafael Repullo, Jesús Saurina and Carlos Trucharte, “Mitigat- of actors that intervene at one or more points through- ing the pro-cyclicality of Basel II,� Economic Policy 25 (2010). out the cycle of producing/collecting, storing, pro- 16 Annex 2 provides a detailed description of the main existing cessing, distributing and, finally, using information to models of credit reporting. support credit-granting decisions and financial supervi- 17 In the United Kingdom, identification information is captured sion.16 Figure 1 illustrates this cycle and identifies the directly from the voters roll and included in the credit report- key participants involved in each step. ing system. Also, in the United States credit reporting service providers collect information from sources that do not grant credit as is normally understood, like utility companies. 8 Credit Reporting Systems: Brief Overview and Key Considerations Figure 1: Key Participants in a Credit Reporting System Individuals Creditors Businesses Non-financial creditors Data Other Private Databases Data Providers/ Public Records Agencies Subjects Other Data Sources Users Service Providers Creditors Credit Bureaus Government Agencies Credit Registries Data Subjects Non-financial creditors the consent from the data subject and only for some providers but rather can be consulted upon request, specific purposes. In yet other cases, although data can are referred to throughout this report as “other data be collected with no data subject consent for specific sources.� These other sources may include databases purposes, explicit consent might be required for dis- on bounced cheques, promissory notes and protested tributing or disclosing information when the purpose bills of exchange, collateral registries, vehicle regis- of such distribution or disclosure and the purpose for tries, real estate registries, personal identity records, which the data was collected differ. company registries, tax authority databases and some court records. It is worth noting that in some jurisdic- 26. All the private and public entities that collect in- tions some of these databases may actually meet the formation on data subjects are potential sources of definition of data providers rather than the one used information for other parties interested in such in- herewith for “other data sources�. formation. Those entities that pro-actively provide information to other parties, either because of com- 27. Credit information collected is of interest to a vari- mercial reasons, agreements or a legal obligation to ety of other parties, which are referred to as the “users� do so, are referred to as “data providers.� Some of of this information. A typical user would be a creditor the most common data providers include commercial who has been approached by a potential borrower or banks, other non-bank financial institutions, credit a debtor for a loan and who orders a credit report on card issuers, and in some cases non-financial credi- the applicant to evaluate the loan request. However, tors such as retailers and utility providers. Some enti- credit information might be of interest to other users, ties collect information (for instance court judgment which range from financial supervisors and other units data), compile it and sell it to credit reporting service within a central bank, to users in other sectors of the providers,18 to complement the data collected under economy, like employers, insurers or landlords. In some reciprocity arrangements. These entities are referred jurisdictions the system might be open to individuals or to as “other private databases� in the report. Other en- businesses showing a legitimate interest for accessing a tities collect information for purposes different than credit granting decision-making or financial supervi- sion. Those sources that do not pro-actively provide 18 See paragraph 29 for a definition of credit reporting service the information they collect to credit reporting service provider. 9 General Principles for Credit Reporting Figure 2: Main Users of Credit Reporting Government Others Data Creditors Agencies Subjects Financial sector Banks Banking supervisor Insurers Other Financial Institutions, including Microfinance Judges Employers Non financial sector MFIs Other Creditors Tax authorities Landlords Source: Other creditors include: retailers, utility providers, telecom providers, deferred payment providers, to name a few. The term “merchant traders� refers to suppliers of trade credit, or trade creditors. particular credit report. Figure 2 depicts the main users formation to users in a certain format that can be used of credit reporting services and products. more efficiently for credit assessment purposes. The data provided refers both to consumer lending and to com- 28. Actual practices, however, do not frequently involve mercial lending. a direct relationship between the users and the data providers or other data sources. On the one hand, us- 31. Broadly speaking, two main types of credit report- ers may find it difficult and/or costly to utilize informa- ing service providers can be identified based on the tion that was collected or produced based on different primary objective each of them fulfills: i) those service methodologies—in the extreme, each data provider will providers aiming primarily at improving the quality and have its own methodology for collecting or producing availability of data for financial and non-financial credi- it. On the other hand, providing credit information to tors to make better-informed decisions; and, ii) those third parties is not a core business of many of the enti- service providers whose primary purpose is to assist ties that collect such information. banking supervision while at the same time improving the quality and availability of data for supervised finan- 29. As a result of the above, specialized intermediaries cial intermediaries. In practice, while not their primary have emerged in order to fill the gap between the needs objective many service providers of the first type sup- of users and those of the entities that gather credit in- port banking and overall financial supervision activities. formation from individuals and businesses. These spe- The same is true for several service providers of the cialized intermediaries are denominated here as “credit second type with regard to improving data for creditors reporting service providers� (CRSPs). in the market place. 30. Credit reporting service providers perform many 32. In many international reports and academic pa- important functions. For instance, information received pers the first type of service provider is typically re- from data providers, or that collected from other data ferred to as a private credit bureau, while the second sources, is cleaned, validated (i.e. checked for consis- type is normally referred to as a public credit registry. tency) and stored in a standardized data format. Credit This taxonomy is not necessarily appropriate. First, as reporting service providers then supply organized in- previously discussed, some “private� credit bureaus 10 Credit Reporting Systems: Brief Overview and Key Considerations Figure 3: Credit Reporting Service Providers Credit Registry Credit Bureau Service provider's primary objective: Assist in banking Service provider's primary objective: enhance data quality supervision while at the same time improving the quality and and availability for lending decision-making, by consolidating availability of data for supervised financial intermediaries data from different creditors and other sources Privately-owned Public-private Government-owned Government-owned and administered property In some cases, the The operation operation may be may be outsourced to a private outsourced to For-profit Non-profit sector party a private sector party do support public functions like financial supervision, Indeed, the data collected from various data providers and several “public� credit registries provide services is used to develop specialized products and services that are of interest for private sector activities. More- such as credit reports, credit scores and portfolio mon- over, there are cases where credit bureaus are partially itoring applications, which enable better informed and or wholly-owned by the public sector. Other scenarios quicker credit granting decisions, enhanced credit that are inconsistent with the private credit bureau portfolio monitoring and improved overall credit risk and public credit registry taxonomy are illustrated in management. These products and services are typi- Figure 3. Because of such inconsistencies, the terms cally offered for a fee. “private/public� will not be associated with either credit bureaus or credit registries in the remainder of 35. Credit bureaus can be formed when creditors, this report. driven by the common interest of improving the per- formance of their loan portfolios, associate in order to 33. Credit bureaus are typically characterized by com- share data in a structured and systematic manner. In plex information flows. Data is collected from various other cases, an independent party such as a special- sources and distributed to different users, which may ized technical firm is the single or majority sharehold- include both to those that contribute data as well as er. A significant difference between these two models others that do not. Credit bureaus generally enter into is that credit bureaus owned by third parties aim at agreements with different parties to exchange data in a maximizing profits; hence, in addition to exchanging systematic manner, based on agreed conditions such as information they produce value-added products such the frequency of data updates, the use of standardized as credit scores. Such bureaus also have incentives to formats including common line items, the frequency of give access to as many users as possible, and to attract data access and the price. information from a larger variety of data providers and other data sources. 34. Credit bureaus generally target retail credit and small business lending markets, where average loan 36. Credit registries, on the other hand, provide supervi- volumes are small and mass screening techniques us- sors with an additional offsite tool for systemic risk con- ing statistical analyses enable the processing of a large centration monitoring and assessing overall portfolio number of standard loan applications cost-effectively. quality, or in order to identify discrepancies in borrower 11 General Principles for Credit Reporting ratings among banks or to identify trends in lending. 40. Commercial credit reporting is different from consum- Therefore, most credit registries collect and process in- er credit reporting, in the following ways: (a) commercial formation associated with credit and loans granted by credit reporting companies focus on the creditworthi- regulated financial intermediaries. In more sophisticat- ness of the business itself rather than the creditworthi- ed markets, this information is further used to ascertain ness of the individuals who run the business (except capital requirements and provide guidance for dynamic where the business is a sole proprietorship and the cred- and countercyclical provisioning against loan losses.19 itworthiness of the business and the creditworthiness of the individual(s) who run the business are the same); 37. Credit registries also aim at maximizing synergies of (b) commercial transactions are significantly larger and collecting credit data relevant for supervisory purposes more complex, and risks are inherently different; (c) by distributing back those data to the original providers information needed to assess the risk of commercial to assist them in improving the quality of their portfo- transactions generally includes significantly more pay- lios. Notwithstanding the latter, some key differences ment performance and financial data (e.g., full financial persist. A credit registry would normally distribute back statements). data only to the financial institutions that fall within the regulatory purview of the financial supervisory author- 41. From a broad perspective, credit rating agencies can ity. Also, this information would normally be provided also be considered part of the overall credit reporting on a consolidated or aggregated basis and only for debt- system, as they issue opinions on the creditworthiness ors whose current level of debt or borrowings exceed a of a particular data subject—usually larger companies— specified threshold. The range of possibilities and com- as of a given date. Investors, creditors and even some binations will depend on the idiosyncrasy of the local regulators often rely upon these opinions. While this re- credit markets, the institutional and legal arrangements port intends to cover credit reporting systems as broad- underlying credit markets and, if available, credit infor- mation sharing, and the level of development of the 19 For further reference see: Basel Committee on Banking Su- credit reporting industry. pervision, International Convergence of Capital Measure- ment and Capital Standards: a Revised Framework, Basel, 38. With very few exceptions, credit registries are owned Switzerland, 2006. and operated by central banks or other financial supervi- 20 As noted in Section 1, this report and the principles it out- sors. There are nevertheless cases where the central bank lines target primarily consumer credit reporting systems or financial supervisor has deferred the task of operating rather than commercial credit reporting mechanisms. Infor- the credit registry database to a private sector party. mation on commercial credit registries is provided here to enable the reader to understand better the distinction be- 39. Commercial credit reporting companies provide tween consumer and commercial credit reporting. credit information on (mainly small to medium-sized) 21 The following information on businesses is usually provided businesses and can therefore be considered as part of as part of the service: chief executive officer, company sta- the credit reporting system.20 Users of their services in- tus, parent company, trading styles, name changes, sales, clude financial institutions and other creditors looking credit ratings, start date, control date, history synopsis, pub- to assess the creditworthiness of a business for the pur- lic record filings, line of business, suits, liens or registered pose of extending business loans or trade credit. Com- charges, number of employees business address, tax code, import/exports/flag, delinquency score synopsis and failure mercial credit reporting companies collect information of default synopsis. from the company itself (through interviews), from 22 As noted in Section 1, the principles are not intended for public records and courts (for information on company credit rating agencies in their traditional role. However, registration, lawsuits, tax liens, judgments and business some credit rating agencies have expanded into the credit bankruptcies), and from other entities that do business reporting business (e.g. as credit reporting service provid- with the company such as lenders or suppliers. Services ers, data providers and/or other data sources), in which provided include assessments of credit risk and infor- case the general principles would become applicable to that mation on management’s ability to manage their work- specific line or lines of business. For further information on ing capital.21 credit rating please visit the official website of IOSCO. 12 Credit Reporting Systems: Brief Overview and Key Considerations ly as possible, given the specific function and nature of credit ratings agencies, these will not be discussed in Box 2: Credit Scores the remainder of the report.22 Credit scoring is a statistical method of evaluating the prob- ability of a prospective borrower to fulfill its financial obligations 2.3. Key Considerations Concerning Credit associated with a loan. The practice of credit scoring began in Reporting the 1960s, when the credit card business automated its de- cision-making processes. Over time, the use of credit scoring 42. The key considerations concerning credit reporting techniques has been extended to other classes of customers systems can be broadly grouped around the following including small and medium enterprises. topics: i) data; ii) data processing: security and efficien- The predictive value of credit scores is generally higher than cy; iii) governance arrangements of credit reporting that of assessments derived from credit histories alone. How- data providers and credit reporting service providers, ever, a credit score’s relevance, and thus its predictive value, is and risk management concerns; iv) legal and regulatory higher when applied to an identified and homogeneous popula- environment; and, v) cross-border data flows. tion of borrowers with regard to a specific product. For example, different scoring tables and weights are used for mortgage loans than for personal loans. Broad-based scores from credit 2.3.1 Data reporting systems are often used in conjunction with internal or external product specific scores. Moreover, to sharpen the pre- 43. Credit information results from processing two broad dictive value of the various credit scores there is an increasing categories of data: identity data and credit data. Identity trend to collect more data from a wider range of data providers data is collected to enable the correct identification of the and other data sources. borrower; credit data is collected to describe the borrow- Scores are often provided by private credit bureaus and some er’s indebtedness. In the case of individuals, the infor- commercial credit registries, but creditors also tend to develop mation usually shared throughout the system includes, their own scoring models. Where credit reporting systems do among others, the name and address of the data subject, not provide scores it is normally because the data needed to amount of loan, type of loan, maturity of loan, guarantees develop a predictive score is not available. and collateral value, default information and payments in arrears. Credit reporting service providers usually supply this information to creditors in a standardized manner, and some service providers also include other system- wide or consolidated information such as credit inquiries 45. Some of the typical data elements supplied by from other creditors and credit scores (see Box 2).23 credit registries include name and address of bor- rower, type of loan, outstanding amount of loan, late 44. Other types of data that are valuable for credit re- payments, defaults/cancelled debts, and on-time pay- porting but that are not provided by traditional data ments. Credit registries also develop debtor/borrower providers include identity data that can be matched and classifications which is based on elements such as past cross-checked to validate a data subject’s identity,24 com- due loan payments (e.g. on-time payment would be panies’ registry data, judicial court rulings that provide classified as 1; 30-days past due would be classified as additional information regarding unpaid debts, utility records and telephone files. This information could be useful to detect and prevent fraudulent credit applica- 23 The latter two are produced by the service provider itself. tions. Frequently, the owners of these data sources are 24 Being able to positively identify a data subject in a database public agencies that are not users of the credit report- (usually referred to as a successful “hit�) is one of the critical ing system. Moreover, in some countries certain data challenges of a credit reporting service provider. In this case elements are deemed “sensitive� and are prohibited refers to other data sources that can be cross referenced to by law from being provided to others, such as geo- and validate identity data provided by data providers (i.e. col- ethno-demographic data (e.g., race, religion, gender). lected through application forms). 13 General Principles for Credit Reporting 2; 60-days past due would be classified as 3, and so example, underestimation or overestimation of the data on). subject´s outstanding liabilities. 46. Credit reporting service providers add value to the 50. Another possible source of inconsistency in data re- data they receive by consolidating the various infor- lates to different definitions being used by the various mation pieces and introducing a series of parameters, data providers and other data sources with regard to identifiers, measures or other tools to assist users in what constitutes a delinquency or other credit events. identifying the risk features of data subjects. Addition- For example, most creditors will report a delinquency ally, service providers may offer predictive scoring when a loan is 30-days past due. However, some will models for risk or fraud, and historical performance do so only after 60 days or more. Still others might re- information. port delinquencies immediately after the deadline for a scheduled loan payment is not met. 47. Information quality is the basic building block of an effective credit reporting environment. Accuracy of data 51. In addition to being free of error, data needs to be implies that such data is free of error, truthful, complete updated and made available in a timely manner. This and up to date. Inaccurate data may lead to unjustified implies first that data providers and other data sources loan denials or higher borrowing costs. Thus, problems need to update their respective databases quite fre- related to data accuracy are the subject of numerous quently (i.e. a given number of days after the occurrence complaints and litigation around the world and, as a re- of a given relevant event). Second, updated data needs sult, have a significant impact on the development of to be provided to a credit reporting service provider credit reporting systems. on a frequent basis. This will usually take the form of a pre-defined schedule –, although many credit report- 48. Incorrect data may result from human error or oth- ing service providers have also defined a set of variables er causes. For example, incorrect data provided by the that, in the event of a change, are to be reported within data subject or human error from creditors or other the pre-defined interval (i.e. so-called “trigger events�). sources when inputting data will result in incorrect data Thirdly, updated data needs to be made available to us- being transmitted to the credit reporting system, subse- ers as soon as practical. quently affecting the quality of reports. In addition, data pertaining to a certain data subject may erroneously be 52. Data providers may fail to meet the updating sched- associated to another data subject due to inadequate ule of credit reporting service providers. This may be identification mechanisms (e.g. improper matching of due to several factors, including lack of human or finan- names, lack of identification keys for individuals and/ cial resources or inefficient technology that is incapable or businesses, the inability of such keys to provide a of meeting reporting requirements. It could also be unique identifier or the impossibility to use such keys the case that the data provider willingly fails to observe given legal and regulatory restrictions). Identity match- the reporting schedule. For example, data providers ing problems are likely to be exacerbated in the context may lack the necessary motivation to provide data in a of cross-border data transfers. timely manner if they believe that the data they receive from the credit reporting service provider is not useful 49. Errors can also originate at the level of credit report- enough. A data provider may also come to the conclu- ing service providers. A potential source of errors in this sion that other data providers are not providing timely case is associated with one of the core functions of cred- information, for instance, to keep to themselves infor- it reporting service providers, which consists of consol- mation they deem strategic, in which case it may decide idating and matching the data that is received from a to do the same. Situations like these tend to be more fre- variety of credit reporting data providers and other data quent in the absence of a clear set of rules and/or incen- sources. If no proper definitions, tools and controls are tives that foster compliance with the updating schedule. in place, execution of such processes may result in du- plicate or missing records, which would then lead to 53. The final step in ensuring timeliness of data is that the incorrect inferences about the data subject due to, for updated information actually flows to users from credit 14 Credit Reporting Systems: Brief Overview and Key Considerations reporting service providers without any significant lag. not performed for other reasons, a debtor’s ability to As discussed earlier, credit reporting service providers access new financing following an adverse event may convert raw data into information that is more readily be severely impaired. This is because the negative data usable by users. Therefore, it is important that the time stemming from the adverse event is usually stored for a period to execute this process be as short as possible. number of years, normally ranging from three to seven. Service providers can also help ensure timely delivery of On the other hand, in a positive credit reporting envi- information by offering a range of secure delivery modes ronment a debtor’s economic recovery and improved that enhance the ability of users to access and use data. repayment behavior after the adverse event are cap- tured, and the debtor’s credit score would be progres- 54. Another characteristic of accurate data is its sufficien- sively adjusted. cy and adequacy. Three features are critical for sufficien- cy: i) being able to capture relevant detailed information, 58. In addition to credit reporting being of a “posi- including negative as well as positive data on a given data tive� or “negative� type, it can also be classified as subject; ii) gathering information from as many data pro- comprehensive in the sense that information silos are viders and other data sources as possible, within the lim- avoided.28 Non-comprehensive (which is also known as its established by law; iii) having sufficient information in “segmented�) credit reporting is based on the collec- terms of the period over which observations are available. tion and distribution of information from/to a limited number of sources.29 Comprehensive credit reporting 55. So-called “negative credit reports� or “negative data� on the other hand is based on the collection of informa- are normally limited to reporting unfulfilled financial tion from a wide variety of sources and sectors, includ- obligations, such as late payments, defaults, bankrupt- ing retail, small business, microfinance, credit cards, cies and court judgments. Negative data is “event- insurance, telecoms, utilities, and others. As a result, based�, i.e. is only registered upon the occurrence of comprehensive credit reporting increases the ability of an adverse event. For most debtors, however, such ad- creditors to assess and monitor credit risk, creditwor- verse events are rare or do not occur at all. Therefore, in thiness, and credit capacity.30 an environment where only negative credit reports are provided, debtors that meet their financial obligations regularly and without any adverse events will only have a partial credit history in the eyes of third parties, since 25 As will be discussed later on, in such a scenario debtors that no data on them is shared or reported.25 duly fulfill their financial obligations will not be able to benefit from that good performance by building a good credit history. 56. Positive credit reporting, also known as positive 26 The variables outlined refer to data that is collected though data, integrates the data captured by negative-only files not necessarily disclosed. with other types of data which may include, but not 27 See John M. Barron and Michael Staten, “The Value of Com- limited to, account balances, number of inquiries, debt prehensive Credit Reports: Lessons from the U.S. Experi- ratios, on-time payments, credit limits, account type, ence,� 2000. loan type, lending institution, and public record data, 28 See Michael A. Turner et. al., “Give Credit Where Credit is detailed reports on the prospective borrower’s assets Due: Increasing Access to Affordable Mainstream Credit Us- ing Alternative Data.� PERC (December 2006). This paper and liabilities, guarantees, debt maturity structure, and builds on the benefits that the inclusion of utility and tele- pattern of repayments, among others.26 Positive data is com payment data on a credit reporting system could bring therefore more comprehensive and its use is empiri- to low income households, young people and immigrants, cally associated with lower incidences of extension of as observed in the US market. credit to bad debtors, and at the same time successful 29 A typical example would be information that is collected extension of credit to debtors with little previous credit from banks and is distributed only to such banks. experience.27 30 It should be noted that credit registries normally have a nar- rower scope or legal mandate (i.e. regulated financial insti- 57. In countries where positive credit reporting is pro- tutions). The term “non-comprehensive�, as used herewith, hibited by the legal and regulatory framework or simply would not be applicable to such credit registries. 15 General Principles for Credit Reporting 59. Ensuring a wide range of data providers and oth- databases right away, either because it is mandated er data sources is not always possible, however. The by law or simply because it is common practice in the scope of data and/or the scope of data providers and market place. This reduces the ability of creditors to other data sources may be limited by legal or regu- make informed decisions due to the lack of a sufficient latory restrictions. For example, regulators of non- number of years of relevant data. For banking super- traditional data providers like telecoms may find it visory purposes, granular credit data should be kept unacceptable for their supervised entities to share de- for at least one economic cycle enabling predictable tailed information on their customers outside the sec- borrowers’ behavior detection over time, and serving tor. Moreover, access to public sources of information also as a valuable tool to make assessments on capital is often limited or prohibitively expensive, for instance requirements and rules on provisions for banks and due to the low levels of automation of public records credit institutions. Finally, the lack of sufficient years in some countries.31 of relevant data impacts the predictive power of scor- ing models built using such data. Current practices for 60. At the same time it should be recognized that not all scoring models require a period that ranges between information that can be potentially collected on a given three to seven years of data.33 data subject will be relevant for the purposes associated with credit reporting. Indeed, some data are irrelevant in that they add little or no value in determining the 2�3�2 Data Processing: Security and Efficiency probability of repayment.32 For example, it is not evi- dent that demographic details such as race and ethnic 63. Credit reporting data resides in databases and other origin add any value to credit underwriting decisions. types of data-holding methods that are subject to se- Moreover, some data pieces may not only be irrelevant curity and safety concerns, including loss, destruction, but also harmful to collect or distribute as it could deter corruption, theft and misuse. These concerns become the appetite of data providers to share data, or could greater as the interconnectivity of databases and data lead to undesirable biases in the decision-making pro- networks increases. If such threats were to material- cess for loans and other credit extensions. The contin- ize, they could have serious or even irreversible con- ued collection of irrelevant data is an excessive burden sequences on credit reporting system activities such as on any credit reporting system. widespread distrust regarding data sharing. 61. Irrelevance of data can also occur when certain 64. The major issue related to security and confidential- pieces of data, typically negative data, are retained for ity lies in identifying sources of risk, addressing those a longer-than-needed period of time and become obso- risks and assigning appropriate responsibilities for cor- lete, thus losing their predictive capacity. For example, recting situations in which such risks actually material- “bad debtors� may turn around their repayment behav- ize. The more complex a system is, the more difficult ior and become good borrowers over time. 62. Retention periods are established for storing data 31 In some countries, laws ensuring access to public informa- tion have been enacted. Examples include Chile (2009), and disclosing data. The length of the retention period Guatemala (2008), Hungary (2005), Dominican Republic for each of these functions will depend on whether the (2004), Ecuador (2004), Croatia (2003), Mexico (2002), Ja- data is personalized or depersonalized and if there is a pan (2001), Bulgaria (2000), and Directive 2003/98EC of the need for retaining and/or disclosing such data. On the European Council of 17 November 2003 on the re-use of one hand, data should be kept and/or disclosed for the public sector information. sufficient time serving the purpose of collection. On 32 It might also be necessary to determine whether data is rel- the other hand, retaining that same data for a period evant enough considering the costs associated with its ac- of time that is too short may lead to insufficient time- quisition, updating, processing and storage. frame sampling or inadequate information on a data 33 Major credit reporting systems around the world tend to subject. Indeed, in some countries once a bad debt is retain information for distribution among the users for any- paid off, all negative data related to it is deleted from where between 5 to 7 years. 16 Credit Reporting Systems: Brief Overview and Key Considerations it becomes to identify the potential liabilities and pro- gences can be traced back to the ownership structure actively assign appropriate responsibilities. of the credit reporting service provider. While there are no “good� or “bad� ownership structures, certain struc- 65. Services rendered by the credit reporting service tures may lead to more issues than others. providers are becoming increasingly critical. In coun- tries where credit granting decision-making is highly 70. Ownership by a particular group of large lenders, automated, a disruption in credit reporting services typically banks, can lead to anti-competitive behavior in may cause upheavals in consumer credit markets.34 The the information sharing market. For example, majority reliability of credit reporting services (i.e. being able to shareholders can restrict or prevent access to the ser- access the service when needed) is therefore a crucial vice by smaller lenders. In another scenario, a credit element of an effective credit reporting system. reporting service provider may wish to expand access to all types of users in order to maximize profits. Large 66. Ensuring the provision of continuous service within lenders may not be willing to share information in such the accepted service level standards will most likely re- a scenario as they may consider that they will be contrib- quire credit reporting service providers to make signifi- uting quality data and disclosing their good customers, cant capital investments and undertake a series of other while it is unlikely that this will be compensated with measures related to the organization of work and re- the data they will be able to obtain from the service pro- sponsibilities under different emergency scenarios. All vider. Situations like these may lead to the creation of these can present major challenges. service providers that serve specific sectors of the credit market, thus leading to silos of information. As earlier 67. Significant capital investments are also required to discussed, such fragmented information sharing mar- meet a growing demand for high quality products and kets undermine the benefits of comprehensive credit services that meet the needs of a rapidly evolving credit reporting systems. Problems like these can be mitigated culture. Credit reporting service providers are therefore through proper governance arrangements. faced with the additional challenge of meeting these de- mands while at the same time trying to maintain the 71. Appropriate governance is also crucial for ensur- affordability of the services for the various categories of ing that data providers, other data sources and credit users. reporting service providers will be able to cope suc- cessfully with the risks underlying the information shar- 68. It should be noted that the likelihood of service pro- ing and credit reporting businesses. These entities are viders making the necessary investments will depend mainly exposed to operational risks, legal risks, and rep- to a large extent on the size and sophistication of the utational risks. Therefore, probably more than in most market they serve. From another perspective, in mar- other businesses, the materialization of any of these kets lacking sufficient critical mass, investments of this risks can severely impair the long-term viability of the magnitude might not be viable. credit reporting organization. 72. As with all technology-intensive organizations deal- 2�3�3 Governance Arrangements for Credit ing with multiple parties, the potential for operational Reporting Service Providers and Data Providers errors and unauthorized access to the information, ei- and Risk Management ther from inside the credit reporting service providers or from outside, is significant. Legal risk stems from the 69. To a large extent the services provided by the credit reporting industry are deemed to be of public interest, 34 It should be noted that credit reporting is normally only one and therefore might become the object of public policy. of the inputs that goes into the decision of whether to ex- However, situations exist where the actual objectives tend a loan. At the same time, most creditors involved in that the credit reporting service provider seeks in prac- consumer lending use credit reports as a mandatory input, tice diverge from the public policy goals underlying a meaning that the flow of the transaction would stop in case service of this kind. A major determinant of such diver- such reports were not available. 17 General Principles for Credit Reporting inadequate or erroneous observance or interpretation framework for credit reporting as there is a natural ten- of the applicable legal and regulatory framework. Repu- sion between the objectives of having access to broader tational risk is particularly relevant due to the nature of sources of information for enhanced credit reporting, credit reporting: personal data being used in sensitive and the interest in preserving individual privacy.35 activities like lending and financial supervision. As it is practically impossible to avoid all risks while maintain- 77. In some countries, laws or regulations are enacted ing a viable business, credit reporting service providers to deal with specific issues of concern, some of which and data providers need to recognize these risks and might not be exclusive to credit reporting like privacy is- hence need to manage them. sues and data protection. In others, a special legal frame- work for credit reporting activities exists, usually in an 73. Given the relevance of credit reporting activities for attempt to typify these activities and regulate them in an credit and other financial markets, coupled with the sen- integral manner. It is also possible for the two models to sitivity of the data that is handled in these activities, it co-exist. According to experience in several countries,36 appears desirable that credit reporting service providers legal risks are generally greater where there is an ab- and data providers be scrutinized in order to promote sence of laws and regulations covering credit reporting an appropriate level of accountability on the side of such systems and the related activities. These risks include providers. This would generally be done through some confidentiality breaches regarding financial data, credit form of independent check by a qualified third-party reporting service provider employees’ liability for data such as an auditing firm or a government agency. processing, and risks related to automated decision making, to name just a few. 74. Peculiarities in governance arrangements of public- ly-owned credit reporting service providers should not 78. As with other economic activities, there is the risk preclude the achievement of the business and public that the legal framework be too restrictive, thus hin- policy objectives and appropriate risk management. dering the development of an efficient credit report- ing system. For example, the legal framework, if not properly designed, can create unjustified barriers to 2�3�4 Legal and Regulatory Framework entry to potential new market players. Also, in an at- tempt to protect privacy rights, the legal framework 75. Although credit reporting systems have existed might require data providers and service providers to at least since the 1800s, specific regulation of credit obtain consent from data subjects each time they wish reporting systems coincided with the technological to collect data on them, which, apart from being costly development of 1960s and rising concerns over trans- parency and individual rights. The growing recognition of credit reporting activities as a core function in any modern financial market has also become a catalyst for 35 Privacy is a fundamental right recognized in numerous inter- the regulation of these activities. national agreements including The Universal Declaration of Human Rights (U.N., 1948); The Convention of the Council 76. Over the last decade a large number of countries have of Europe for the Protection of Individuals with regard to devoted efforts to regulate the credit reporting market, Automatic Processing of Personal Data (ETS Nº 108) and its particularly when private sector credit reporting service Additional Protocol regarding supervisory authorities and trans-border data flows (ETS Nº 181); Directive 95/46/EC of providers are present. Regulation of credit reporting ac- the European Parliament and of the Council of 24 October tivities usually focuses on registering or licensing of cred- 1995 on the protection of individuals with regard to the pro- it reporting service providers, imposing responsibility cessing of personal data and on the free movement of such for data accuracy, collection and disclosure, consumers data. See also annual reports of national data protection au- having access to their information and being able to have thorities of the EU. erroneous information corrected, compliance monitor- 36 Several examples on this were identified in Latin American ing, and enforcement. There is however no consensus and Caribbean countries through the WCHRI. For additional on what constitutes an adequate legal and regulatory references, see the WCHRI’s Orange Books at www.whcri.org. 18 Credit Reporting Systems: Brief Overview and Key Considerations would be overly cumbersome and undermine the use- for the systems, in coordinating with all stakehold- fulness of the data. ers—and other authorities as well—and in carrying out a reform plan, if necessary. In some cases, one of 79. On the other hand, regulation can be the only the authorities is designated as the system overseer means through which certain problems can be ad- and is charged with the responsibility of promoting dressed in an effective manner. One important ex- the appropriate development of the credit reporting ample is that of ensuring competitors’ fair access to system as a whole, making sure that the efforts of the credit reporting services, especially when ownership various regulatory authorities are coordinated and are structure of credit reporting service providers do not consistent.37 provide incentives for the latter to do so. Regulation can also be necessary to ensure that certain standards (e.g. data quality) be equally applicable to all partici- 2.3.4.1 Consumer Protection and Data Subject Rights pants in the system. 83. There are many different approaches to the regula- 80. Since credit reporting systems are based on the flow tion of consumer protection and data subject rights as it of data through an existing network of stakeholders, relates to credit reporting systems. European countries, laws and regulation should carefully consider issues re- for example, have developed a data protection direc- lated to property rights regarding data and databases, as- tive that establishes broad protection for data subjects signing realistic responsibilities and rights over the data with regard to their information38 and with a scope that processed and the format used for such processing. A goes beyond credit reporting systems. Alternatively, the relevant matter is that of format ownership, especially if United States has adopted a sector-specific law which this might represent a barrier of entry for other service focuses narrowly on the flows and uses of consumer providers. data associated with credit reporting systems.39 Regard- less of the approach taken, ensuring that consumers 81. One of the biggest challenges of the legal frame- trust credit reporting systems is imperative. Below is a work is that its provisions be enforceable. On the one short discussion of the most relevant data subject and hand, laws and regulations should be practical and ef- consumer rights, and approaches taken to codify these fective to ensure a high degree of compliance. In other rights into laws and regulations. words, rules that cannot be enforced are not likely to be effective. On the other hand, authorities should be 84. Consumer protection and privacy considerations capable of enforcing legal provisions administratively, are closely linked to the purposes of data collection and which requires a combination of sufficient powers and data disclosure. The legal and regulatory framework adequate human and financial resources. In the case surrounding credit reporting typically sets out specific of credit reporting activities, one additional difficulty conditions for data collection and specific conditions is that cross-cutting issues might fall under the juris- for data disclosure. diction of several government agencies, which then leads to the need for effective cooperation between ◆ Collection: In several countries there is an underly- regulators. ing legal basis for data collection. In countries where 82. The public agencies that are normally charged with the responsibility of regulating credit reporting activities include central banks and bank supervisors, and in some cases ministries of finance, data protec- 37 See the Recommendations for Effective Credit Reporting Oversight under Section 4 of this report. tion authorities, consumer protection authorities and competition and antitrust authorities. In recent years, 38 Directive 95/46 European Parliament and of the Council of October 1995 on the protection of individuals with regard to it is recognized that the role of the authorities is not the processing of personal data and on the free movement limited to applying the existing legal framework; au- of such data. thorities also play a leading role in developing a vision 39 The Fair Credit Reporting Act (15 U.S.C 1681 et seq.). 19 General Principles for Credit Reporting this is not the case, a pre-condition for data collec- modalities for notification are generally linked to the tion is that consent be obtained from data subjects. purpose of collection and sharing. ◆ Disclosure: Similarly, different frameworks set con- ditions for data disclosure. One such condition is 86. To protect consumers from the negative conse- the limited use of data. The legal and regulatory quences of inaccurate data or unlawful collection, as framework establishes a finite set of permissible mentioned earlier, it is common practice to provide purposes for which the data subject’s data may consumers with rights to access and challenge data be used. Permissible or legitimate purposes are held on them. usually associated with matters that are of general interest to a society, and generally include verifica- ◆ Access. Provisions are frequently established allow- tion for the extension of credit or the collection ing data subjects to access the information held on of debts, as well as to enforce the fulfillment of them. Such access could be provided at little or no legal and other contractual obligations (see Table cost to data contained in the files of credit service 1). However, even though it might be clear that providers.40 In some countries, data subjects are permissible purposes are being sought after, con- allowed to have free access to their credit reports sumers/data subjects may have the choice to limit once per year upon request. The benefits of giving some of the uses for which data is collected (e.g. consumers access is that it builds trust and ensures employment). transparency. ◆ Dispute and Correction. Data subjects are nor- 85. Notification. As data subjects have in principle a mally able to challenge inaccurate data held on them decisional role over the collection and further process- and to receive a report on the results of the subse- ing of data about them, in some countries, when data quent investigation. Inaccuracies in data are to be is not obtained directly from the data subject or with rectified or deleted when appropriate, and data sub- his/her consent, data subjects are notified (informed) of jects may claim compensation for damages incurred. the collection and sharing of such data. The need and Ideally, the rectification process will be straightfor- ward and inexpensive for the data subject. This right to dispute and seek rectification of inaccuracies in data is not meant to impede the lawful processing of data or allow for misuse by data subjects. A detailed TaBle 1: Permissible Purposes for Personal Data example of dispute resolution mechanisms for credit Disclosure in Select Legal Frameworks reporting is provided in Annex 3. FCRA (United Directive 95/46/EC 87. The various conditions and rights listed above serve States) PIPEDA (Canada) (European Union) to protect the rights of consumers and data subjects. Court Order Legal Obligation While there is little question on the need for having an Consumer Consumer Court Order adequate set of laws and regulations that duly protect Consumer consent and enforce consumer rights, other important needs Credit/insurance/ Extension of credit Legitimate purpose such as fostering the development of an effective and rental transaction Insurance/rental (with notification) efficient credit reporting system should also be part of Purpose consistent the equation. A balanced approach to individual privacy Business transac- with purpose for data tion collection Employment Employment 40 It should be noted that there are credit registries that do not Account review provide regulated institutions credit information at the level Licensing of account but on an aggregated manner showing the overall behavior of the bank as regards to the rest of the banking Child support sector. In these cases, data subjects’ rights would not apply Collection of debt Collection of debt because the data is not linked to a particular data subject. 20 Credit Reporting Systems: Brief Overview and Key Considerations interests, data subject rights and a robust credit report- of important borrowers outside a financial institution’s ing system is therefore necessary. home markets, or providing credit and other financial services on a sound basis to businesses and individuals that do not have a credit history in the country where 2�3�5 Cross-border Data Flows they are applying for credit. Box 3 describes some of the measures and arrangements in the case of the Eu- 88. Financial liberalization has significantly reduced re- ropean Union. strictions on the operations of financial institutions in foreign markets. At the same time, businesses initiat- 89. These examples reflect the fact that, under some ing activities in a new country and individuals that have circumstances, cross-border data transfers can be con- changed their country of residence will most likely sidered a necessary instrument to facilitate the provi- need to establish a relationship with a local financial sion of credit and other financial services in a globalized entity. New challenges have thus emerged in recent world, as well as for financial supervisory purposes. years, including the need to monitor credit exposures Box 3: Single Market and Cross-border Credit: the Case of the eu The European Directive on Consumer Credit (Directive 2008/48/EC) aiming at the integration of consumer markets in Europe, contains provisions facilitating the exchange of information regarding credit payment history of borrowers/consumers between different countries in the European Union. The Directive stresses the importance of assessing creditworthiness on the basis of sufficient information and, where appropriate, on the basis of a consultation of the relevant databases. Access to the relevant databases shall be in a non-discriminatory way and in compliance with data-protection legislation.1 The Expert Group on Credit Histories (EGCH)2 led by the European Commission devoted significant efforts to outlining the major issues imped- ing the use of credit reporting systems across borders in the European Union context. These findings are consistent with previous studies.3 In addition, the EGCH recognizes the relevance of operational factors such as differences in data content, terminology and registration criteria as obstacles for the broad use of credit reports produced in other jurisdictions. There are examples of arrangements for the exchange of credit information between certain credit reporting service providers. For example, against the background of free flow of financial services within the EU and in particular the use of the Euro as single currency in many member states of the EU, the need to gain a picture as complete as possible of the total indebtedness of their borrowers drove several public credit registries in Europe (Austria, Belgium, Czech Republic, France, Germany, Italy, Portugal, Romania and Spain) to sign a Memorandum of Understanding providing for the exchange of credit information on a regular, monthly basis. In addition, institutions are allowed by electronic means to make cross-border inquiries about the indebtedness of their clients on a case by case basis.4 Similar arrangements are observed between some private credit bureaus, which agree to exchange information on the basis of reciprocity and bilateral agreements. Information exchange takes places between BKR (Netherlands) and National Bank of Belgium and between BKR (Netherlands) and CRIF (Italy). Similar arrangements are provided by SCHUFA (Germany) and Credit Info (Iceland).5 1 See Article 9.4 of the Consumer Credit Directive 2008/48/EC of the European Parliament and of the Council of 23 April 2008 on credit agreements for con- sumers and repealing Council Directive 87/102/EEC. 2 For further study see Expert Group on Credit Histories report, 2009. 3 Nicola Jentzsch and Amparo San José Riestra, “Information Sharing and its Implication for Consumer Credit Markets: United States vs. Europe,� (paper prepared for the European University Institute Workshop “The Economics of Consumer Credit: European Experience and Lessons from the U.S.,� Florence, May 13–14, 2003). The paper compares the US and Western Europe credit reporting systems. 4 The Memorandum of Understanding on the Exchange of Information among National Central Credit Registers for the Purpose of Passing it on to Reporting Institutions (2003, amended in 2010) is available at the European Central Bank’s website (www.ecb.int). 5 The binding contract used for these arrangements has been facilitated by ACCIS. 21 General Principles for Credit Reporting 90. In addition, small markets raise the issue of econo- in a certain foreign jurisdiction are in conflict with a ser- mies of scale for credit reporting service providers. As vice provider’s internal or domestic obligations. Also, credit reporting services need to be commercially fea- in case of a dispute by the data subject, the source of sible and cost effective, in small markets this might only inaccuracy might be harder to identify, which could be be possible through the creation of a single mechanism coupled with unclear guidance on what the applicable serving more than one market. Such an arrangement laws or remedial procedures are. will most likely involve setting up an information net- work that centralizes credit data and which is accessed 92. Differences between countries in terms of data re- by creditors from different jurisdictions. tention periods, update frequency, amount of thresh- olds, loan or credit types being reported, among others, 91. In principle cross-border data flows raise concerns could also represent barriers when implementing cross- similar to those raised by purely domestic information border credit reporting. sharing and credit reporting activities. However, cross- border activities are associated with a more complex 93. It is also worth mentioning that not all cross-border environment due to the multiplicity of applicable laws, ventures of this kind might be economically or legally consumer protection frameworks, credit cultures, mar- viable despite the potential benefits they may entail. En- ket practices, and institutional structures, among oth- gaging in such a venture without previously conducting ers. For example, sharing the data of a given data subject a cost-benefit analysis exercise that is sufficiently objec- across borders can elevate concerns about privacy and tive and detailed can lead to numerous financial and appropriate data safeguarding. It can also be the case reputational problems for the parties involved. that the data protection or data access laws that apply 22 3 The General Principles 3.1. Public Policy Objectives Data 94. For this report, the following public policy objectives General Principle 1: Credit reporting systems for credit reporting systems have been defined: credit re- should have relevant, accurate, timely and suf- porting systems should effectively support the sound and ficient data—including positive—collected on a fair extension of credit in an economy as the foundation systematic basis from all reliable, appropriate and for robust and competitive credit markets. In doing so, available sources, and should retain this informa- credit reporting systems should be safe and efficient, and tion for a sufficient amount of time fully supportive of data subject and consumer rights. More specifically, an effective credit reporting system Guidelines on accuracy of data should be able to: Data collected and distributed should be, to the ◆ Support financial institutions and other grantors of extent possible, free of error, truthful, complete credit to accurately assess the risks involved in cred- and up to date� it granting decisions and maintain well-performing credit portfolios. 95. Information is at the core of credit reporting activi- ◆ Facilitate sustainable expansion of credit in the ties. Therefore, high data quality is the basic building economy in a responsible and efficient manner. block of an effective credit reporting environment. In- ◆ Support financial regulators in supervising regulated accuracies in data contained in credit reporting systems institutions in order to ensure that the latter remain can result in unjustified loan denials, higher borrowing safe and sound, minimizing systemic risk. costs, and other unwanted consequences for debtors, ◆ Facilitate fair and unbiased access to various types of data providers and credit reporting service providers. credit products on competitive terms. ◆ Educate and provide incentives to individuals and 96. It is of utmost importance that data be unambigu- businesses to manage their finances responsibly, ously linked to the data subject. If data is erroneously rewarding responsible behaviors and curbing over- associated with another data subject (e.g. due to name- indebtedness issues. sakes or inconsistencies in commonly used identifica- ◆ Take into account consumer interests. tion keys such as national identification numbers for individuals or businesses), this will render the rest of the 3.2. The General Principles data collection and distribution process useless and po- tentially even harmful. Each General Principle described below should be read in conjunction with the accompanying guidelines and 97. The accuracy of data which is made available to us- explanatory text. ers relies on a series of steps, all of which are crucial. General Principles for Credit Reporting The chain starts with the information that is gathered face-to-face consultations), especially when planning on data subjects, normally through loan applications changes to the data collection scheme. and contracts, which is then stored by credit reporting data providers and other data sources. The other part of the equation is the set of processes that is executed by Guidelines on timeliness of data the credit reporting service provider to convert the raw data into the final product or products that are accessed Credit reporting service providers and data by users. This includes data validation, normalization providers should apply clear and detailed rules and other technical processes, as well as applying algo- for the updating of information� Such rules rithms to transform the data into a series of value-added should ensure that updates be performed products and services. on the basis of pre-defined schedules and/ or specific trigger events� At a minimum, this 98. One way to ensure that the data provided are accu- should include prompt action in the event of rate is that the latter are actually used on a continuous error adjustments and ideally in case of relevant basis. Data on which no continuous quality controls and changes in credit exposures, arrears, fraud, routine processes are applied have the risk of becom- defaults and bankruptcies� ing either imprecise or misleading once such data are accessed at a later stage. Therefore, credit reporting 102. Data should be updated immediately upon the systems should balance the need for collecting as much identification of an error. In an ideal scenario, upon oc- information as possible with that of collecting informa- currence of one or more of the trigger events described tion that is useful for the service being rendered. above, the relevant information on the data subject would be updated quite promptly. In contrast, for those To ensure that data accuracy is achieved data subjects for whom there are no relevant changes, on a continuous basis, credit reporting data would be updated less frequently, though not less system participants should consistently often than on a monthly basis. apply appropriate data-supplying rules and procedures to all data providers with similar 103. Appropriate rules should be in place to promote characteristics� compliance with the agreed standards on data updating. 99. Appropriate rules or other enforcement tools Data should be available for users of the credit should be in place to promote compliance with the ap- reporting system in a prompt manner to enable plicable standards on data collection and distribution, them to carry out their functions without especially with regard to incorrect, incomplete or inac- unnecessary delays� curate data. While a broad range of enforcement tools can be considered (e.g. from warnings to some form of 104. Credit reporting service providers should strive monetary sanction for non-compliance), it is important to minimize the lag between the time they receive that the choice does not compromise the integrity of the updated data and the time the new data are made the database. available to final users. In this regard, credit report- ing service providers should set up service levels that 100. Caution should be exerted over granting excep- match users’ and data subjects’ needs for timely and tions, as there is a high cost and risk in managing a va- accurate data. riety of data collection schemes. Exceptions regarding data supply should consider implications on data accu- 105. Automation and standardization of rules and pro- racy and database integrity. cesses are usually the most effective means to improve service levels (i.e. in this particular case, to reduce the 101. It is equally important that rules and procedures be “conversion period� of raw data into the information disseminated extensively throughout the system, using that is actually made available to users) without the risk as many means as possible (e.g. newsletters, seminars, of negatively affecting data accuracy. 24 The General Principles Guidelines on sufficient data – including positive include, at a minimum: identification information, information on the credit including original Credit reporting service providers should be able amount, date of origination, maturity, outstanding to collect and process all the relevant information amount, type of loan, default information, needed to fulfill their lawful purposes� Relevant arrears data and transfer of the credit when information comprises both negative and positive applicable� Ideally this would also include credit data, as well as any other information deemed risk mitigation instruments such as guarantees, appropriate by the credit reporting system, collateral and an estimate of their value� consistent with the considerations described in the other General Principles� 109. Credit reporting service providers should provide clear definitions and detailed explanations on the data 106. Data collected should include all relevant informa- being sought. In agreement with data providers, and tion to enable any given user to adequately evaluate and eventually with other data sources, credit reporting ser- manage credit risks on a continuous basis. This includes vice providers should establish a list of mandatory data information that is necessary to make an unequivocal inputs to be provided on a systematic and continuous identification of the data subject, as well as information basis. Minimum data inputs should be consistent with related to the creditworthiness of the debtor and/or the the previous Guideline on “sufficient data�. repayment prospects of a new loan (e.g. current credit exposures, maturities, guarantees and/or collateral, de- 110. Credit reporting service providers should also fault information, etc.) specify the form(s) through which the data is to be pro- vided (e.g. specific templates or layouts). From a service 107. Negative credit reporting data refers to late pay- provider’s standpoint, using a standard format facili- ments, loan defaults and other unfulfilled economic tates automation and data consistency, which in turn obligations, as well as bankruptcies and other judi- may result in greater efficiency. From the perspective of cial processes. Positive credit reporting also includes data providers and other data sources, using a standard several other pieces of information about the debtor, format with all credit reporting service providers would such as account balances, number of inquiries, debt enable them to process and send the required data with ratios, on-time payments, credit limits, account type, little or no additional costs. loan type, lending institution, interest rates and public registries’ data, detailed reports on assets and liabili- ties, guarantees and collateral, debt maturity structure, Guidelines on collection of data on a systematic basis pattern of repayments, employment records, etc. from all relevant and available sources 108. There is a limit on the information that can be Credit reporting service providers should be able shared, which is usually associated with the permissible to gather information from all relevant data purposes underlying information sharing, or privacy providers, within the limits established by the law� considerations when dealing with sensitive issues such as ethno-demographic data. In other cases, while shar- 111. Data subjects benefit from having their data pro- ing such potentially sensitive data per se is not prohib- vided to all credit reporting service providers in a given ited, there are legal or regulatory restrictions on using market. Therefore, data providers should refrain from en- that information for credit reporting purposes, for ex- tering into exclusivity agreements with a particular credit ample if the data is considered out of proportion when reporting service provider—or a subset of these—and compared to the intended use, or to reduce the possi- share data widely and equitably across the system because bility of introducing a bias in creditors’ decisions. it is beneficial for the credit reporting system as a whole. Credit reporting service providers should set up Credit reporting service providers should be able clear rules on minimum data inputs and optional to access other data sources of relevance, within data inputs� Data elements to be collected should the limits established by the law� 25 General Principles for Credit Reporting 112. Other data sources deemed relevant for credit re- 117. There is, however, a difference between limit- porting include private and public sources or records. ing the length of time for the processing of personal In the case of private sources, the same considerations identifiable data, and limiting the length of time for described under the previous guideline would apply. the storage of such data in depersonalized manner. Data collected by credit reporting service providers 113. Public records are generally available to the public, is frequently used to build credit scoring models and and credit reporting service providers should be able to other analytical decision-enabling tools that are useful access these records at least under the same conditions for creditors. These tools generally require long time as those applicable to the general public. series of data in order to produce a reasonable degree of predictability (see Guidelines on Accuracy of Data). 114. Some public records might not be available to Moreover, to build a model per se, data may not need the general public. This may include identity regis- to be personalized. Insofar as this information remains tries for individuals and businesses. As such informa- stored in such a way that is not possible to reverse en- tion might be crucial for validating a data subject’s gineer the depersonalization process, data in a credit identity, credit reporting service providers could be reporting service provider should be usable for as allowed to access such information under specific or long as necessary. limited conditions. 118. Therefore, any rules or regulations on the maxi- 115. Services associated with public records are often mum time length that credit data can be stored, used quite basic, like consultations of physical records or for modeling purposes, or explicitly distributed to us- consultation of basic computerized data that cannot ers should be clear and specify over which of these ac- be enriched with further data exploitation techniques tivities the limitation(s) would apply. At the same time, (e.g. under a data warehouse environment). Credit these sorts of limitations should carefully balance the reporting service providers should seek to negotiate objectives of fairness on one hand, and information in- special agreements with public records agencies to tegrity and accuracy on the other. ensure a smooth and systematic flow of information. In some cases this may involve defining a cost recov- Clear rules should be in place regarding the ery scheme in order for a public record to be able to method to determine the specific date or provide enhanced services. event when distribution of data should be discontinued� Guidelines on retention of data 119. Rules that restrict the period of time in which that data can be distributed to users should also be clear Data collected by credit reporting systems and specific on how exactly that period of time is to should be available to users for a period of time be calculated. Any ambiguities or lack of specificity on that is consistent with the purpose for which this issue can become a source of disputes, for example the data is used� between data subjects and credit reporting service pro- viders or between the latter and their regulators. 116. The credit-related performance of debtors can change over time. For example, a default or another 120. For example, the rules should state whether the negative performance in the past could have been the maximum length of time, typically expressed as a num- result of a generalized economic downturn or even a ber of years, would be calculated starting when the natural catastrophe, and should not affect the long-term relevant event (e.g. a default) took place, or when the creditworthiness of an otherwise creditworthy debtor. latter was first reported to the credit reporting service For reasons like this, authorities may set limits on the provider, or when an event first led to the denial of a length of time that the negative data can remain in the loan to a data subject. The definition of what constitutes file of data subjects. the “event� itself is also important. 26 The General Principles Data Processing: Security and Efficiency tional financial institutions and the financial industry. As a result, extensive literature now exists on this subject General Principle 2: Credit reporting systems and will not be discussed in further detail in this report. should have rigorous standards of security and Two aspects are worth mentioning, however. First, a reliability, and be efficient comprehensive business continuity plan goes beyond the availability of redundant hardware or other pieces of infrastructure, and needs to consider human factors as Guideline on security measures well (e.g. avoiding situations whereby a severe interrup- tion of the service materializes due to people not be- Credit reporting system participants should ing able to react promptly or effectively, even when the protect data against any loss, corruption, necessary equipment to operate under a contingency destruction, misuse or undue access� is available). Second, the criticality of credit reporting systems varies from jurisdiction to jurisdiction; hence, a 121. Some common threats to data security include cyber “one-size fits all� approach with regard to business con- attacks from outsiders, improper data use by employees tinuity should be avoided. of service providers and/or from the users, accidental disclosure of data, accidental loss of data, and natural 125. The reliability of credit reporting services is a mat- disasters, among others. All participants in a credit re- ter that concerns not only credit reporting service pro- porting system should undertake best efforts to imple- viders but other stakeholders as well, including credit ment commercially reasonable data security safeguards reporting data providers, users and authorities. There- to protect data against these and other potential threats. fore, an “optimal� reliability level for a given credit re- porting system should be the result of discussions and 122. Specific measures and safeguards should be adopt- negotiations balancing service levels (from credit re- ed to cope with the logical, physical and organizational porting service providers to users as well as from us- aspects of data security (i.e. so-called “tridimensional ers to their clients), costs, available infrastructure, and approach to data security�). The objective of these safe- regulatory aspects, among other considerations. guards should be to contain, limit and respond to data security breaches. Measures and safeguards should be reviewed on a regular basis to ensure that they are up to Guideline on efficiency date and effective against newly emerging threats. Credit reporting service providers should strive to be efficient both from an operational as well Guideline on reliability as from a cost perspective, while continuing to meet users’ needs and high standards for service Credit Reporting Service providers should levels� implement appropriate business continuity measures to ensure that their services will 126. Creditors and supervisors alike demand not only be available to users without any significant high-quality data but also increasingly faster response disruptions� times from credit reporting service providers. In this particular regard, real-time data transmission following 123. As services rendered by credit reporting service a query is becoming the standard worldwide. providers are increasingly becoming critical, the reliabil- ity of credit reporting services (i.e. users being able to 127. To meet such a standard while offering cost-effi- access the service when needed) is a crucial element of cient services, credit reporting service providers will an effective credit reporting system. require appropriate infrastructure, including adequate processing capacity and reliable telecommunication 124. For several years, business continuity has been an infrastructure. Proper infrastructure planning should important subject of discussion and action by interna- enable the credit reporting service provider to cope 27 General Principles for Credit Reporting with an increasing number of users and data volumes Guideline on accountability of governance arrangements without compromising service levels. Also, as discussed under the Guideline on reliability, comprehensive busi- Credit reporting service providers and credit ness continuity measures are essential to ensure the reporting data providers should be subject to availability of a service without major disruptions. mechanisms that ensure proper accountability of management and, where applicable, of board 128. It should be noted that significant investments are members� This should include independent necessary in order to meet these service level standards. audits or reviews� In markets lacking the sufficient critical mass (in terms of data and users), an investment of this magnitude 131. Good governance arrangements provide incen- might not be viable. This does not necessarily mean that tives for an organization’s top management to pursue users in smaller countries are to be constrained to low- the long-term interests of the organization, such as con- er service levels. A single credit reporting service pro- tinued growth, increased coverage, profitability (where vider serving multiple countries can be an alternative applicable), and overall viability. to achieve the necessary economies of scale that will enable the investments required for the deployment of 132. Given the sensitive nature of credit reporting activi- top level services to its users.41 ties, credit reporting service providers as well as credit reporting data providers must be held accountable to 129. The provision of integrated services may help low- the various system participants, including the data sub- er unitary costs to users. Users, however, may prefer jects on whom they hold information. Credit reporting having the service provider offer a series of value-added service and data providers should therefore be subject services at an incremental cost compared to the cost of to mechanisms of accountability and independent over- accessing just the basic data. sight, including independent audits, and, where appli- cable, supervision by a public authority. In some cases 130. In case a given credit reporting service provider is some form of self-regulation (e.g. code of conduct) could a monopoly or a clear dominant player or when other be promoted for example through industry associations. market failures exist, regulators and overseers could Observance of self-regulatory mechanisms should be consider developing a mechanism to review periodi- monitored, as appropriate, by the relevant authorities. cally costs and pricing from an efficiency perspective. This review would need to take into consideration the nature of the services being offered, as well as mar- Guideline on transparency of governance ket size and structure. When competitive conditions arrangements exist, regulators and overseers may need to monitor the market to ensure that excessive competition on Governance arrangements for credit reporting pricing does not compromise security standards, intro- service providers and credit reporting data duce unnecessary data fragmentation, efficiency losses providers should ensure timely and accurate or jeopardize the sustainability of the credit reporting disclosure of relevant matters related to the system. entity and its activities� 133. Disclosure helps improve public understanding of Governance and Risk Management the structure and activities of credit reporting service providers, their corporate policies and performance General Principle 3: The governance arrange- with respect to existing standards, and their relation- ments of credit reporting service providers and ships with the communities in which they operate. data providers should ensure accountability, transparency and effectiveness in managing the risks associated with the business and fair access 41 For further discussions on this specific issue see General to the information by users Principle V. 28 The General Principles Credit reporting service providers are expected to dis- use data. The potential for operational errors, either with- close information deemed material, i.e. information in the credit reporting service provider or from outside is whose omission or misstatement could influence the therefore significant. Operational risk is not only related economic decisions taken by users of information. to the proper operation of information technology equip- ment or other pieces of infrastructure; unintentional hu- 134. Management of credit reporting service providers man errors, or unlawful activities like the unauthorized and credit reporting data providers should ensure time- access to data by the service provider staff or others are ly and accurate disclosure of all relevant matters relating also a key source of operational risk. Operational risks can to the business. In the case of credit reporting service also lead to legal problems (e.g. data being distributed to providers, relevant information to be disclosed may in- parties that are not allowed to have access to it). clude: i) The objective of the service provider; ii) Legal and regulatory framework that supports its activities; 138. Legal risk stems from the inadequate or errone- iii) Key financial results as required by law; iv) Codes of ous compliance of the applicable legal and regulatory conducts; v) The types of entities that may become us- framework. Legal risks are generally greater where ers of the service, and the conditions they must fulfill in there is an absence of laws and regulations dealing ex- order to do so; vi) Rules and procedures for collecting plicitly with credit reporting systems and the related ac- and processing data, including scope of data collection tivities, or when such laws do exist but are unclear and efforts; vii) Uses of data; viii) Mechanisms for identify- subject to multiple interpretations, or simply when the ing and mitigating risks; ix) Share distribution, main legal framework is ineffective in dealing with the major shareholders and related parties; x) Dispute resolution issues identified in this report. mechanism applied by the service provider. 139. Reputational risk is particularly relevant due to the 135. Similar standards would apply to those data provid- nature of credit reporting: personal data being used in ers whose core business consists in the collection and sensitive activities like lending and financial supervi- distribution of data for credit-related decision-making. sion. A credit reporting service provider with a history It is likely that banks and other financial and non-finan- of frequent operational problems or that is constantly cial institutions that collect and distribute data as an involved in legal disputes will be exposed to greater ancillary activity will already be subject to transparency reputational risks. So will those service providers that standards associated with their core business. lack transparency in the information they provide to the market (see Guideline on transparency). Guidelines on the effectiveness of governance To properly address and mitigate risks, credit arrangements in ensuring appropriate management of reporting service providers and credit reporting the risks associated with the business data providers should establish sound internal controls and risk management mechanisms� The management of credit reporting service providers and data providers should identify 140. All economic activities face a variety of risks, and all relevant risks faced by the organization� it is the role of management to determine whether the The outcomes of this risk analysis should be identified risks should be avoided, accepted, shared or reported periodically to the organization’s top transferred to third parties. Management will need to es- governing body� tablish internal controls to mitigate the risks it decides to accept. Some of the basic elements of a sound system 136. Major risks faced in credit reporting activities in- of internal controls include: i) having clear lines of re- clude, but are not limited to, operational risk, legal risk sponsibility with the organization; ii) having clear levels and reputational risk. of responsibility for proper escalation of problems and proposed solutions; iii) policy-setting areas within the 137. Credit reporting service providers are technology- organization that are independent from business-ori- intensive and deal with multiple parties that provide and ented areas; iv) policies and procedures providing clear 29 General Principles for Credit Reporting guidance on how to manage the identified risks; v) an er rights. The legal and regulatory framework independent audit function with a direct reporting line should include effective judicial or extrajudicial to the organization’s top governing body (e.g. Board of dispute resolution mechanisms Directors); and vi) other periodical external reviews. 141. Management also needs to analyze whether the sys- Guidelines on clarity and predictability tem of internal controls will have an impact over the ser- vices being provided in the market place, and the extent The legal and regulatory framework should be to which that impact will be transferred to the users in the sufficiently precise to allow service providers, form of either higher costs or lower quality. This is clearly data providers, users and data subjects to another source of risk that needs to be mitigated and bal- foresee the consequences that their actions may anced with other risk management objectives. In any case, entail� it should be noted that in competitive markets, the extra costs generated by a sound system of internal controls 144. Laws, regulations and the more specific rules de- that are actually transferred to users are usually minimal. rived from them should be specific and clear on all key is- sues, such as the types of data that can be and cannot be collected, what type of users can access the credit report- Guideline on effective governance arrangements ing databases and under what conditions, or the rules to ensuring that all users have fair access to information deal with non-compliant behaviors, among others. Governance arrangements of credit reporting 145. Predictability requires that rules be prospective, service providers should promote all users having publicly available, clear, non-contradictory and relatively access to information under equitable conditions� stable. While striving to be clear and precise with regard This objective should not be affected by the to key concepts, functions, or responsibilities, laws and ownership structure of the service provider� regulation should be written to accommodate evolving trends related to credit reporting without requiring fre- 142 Decision-making in economic organizations reflects quent amendments. the balance of power of its stakeholders. In credit report- ing this might be reflected in large shareholders—that in The terminology used throughout the legal many cases are also major users of the service—imposing and regulatory framework, including the rules conditions that are disadvantageous to other independent and other norms, should be consistent at the users. For example, the latter might not be able to access domestic level� some of the information available in the service providers, or may be able to do so only at an unreasonable price. 146. Key terms used in the credit reporting industry should have a unique meaning allowing participants 143. Governance arrangements of the service provid- and regulators minimum space for interpretation. Key ers should mitigate such possibilities. One common terms such as “positive information� or “consent� are formula consists of smaller shareholders or smaller frequently misinterpreted by the various participants service users having appropriate representation in the leading to inconsistencies and in general an inadequate decision-making bodies of the service provider. functioning of the legal framework.42 147. Definitions should reflect the full scope of the is- Legal and Regulatory Environment sue they intend to cover as in some cases very narrow definitions may be harmful. For example, when defining General Principle 4: The overall legal and regu- latory framework for credit reporting should be clear, predictable, non-discriminatory, propor- 42 A glossary of key relevant terms is provided in the Annex 5 of tionate and supportive of data subject/consum- this document for reference. 30 The General Principles the entities that are entitled to access credit reporting databases, using a narrow definition for “credit provid- Box 4: Summary of reciprocity Principles er� could prevent some legitimate participants from ac- in the uK cessing such databases. Data shared only for the prevention of over-commitment, bad Public awareness of the laws and rules of credit debt, fraud and money laundering and to support debt recovery reporting operations contributes to the clarity and debtor tracing, with the aim of promoting responsible lending. and predictability of the legal and regulatory 1. Data provided for sharing purposes must meet legal, regula- framework� tory and voluntary code of practice requirements before pro- vision and in use. 148. Dissemination of the legal and regulatory framework 2. Subscribers must use data only for purposes for which the is essential in order for credit reporting systems’ partici- required form of consent has been given. pants to be fully aware of their rights and obligations and 3. Data will be shared on the principle that subscribers receive shape their conduct accordingly. Apart from the laws and the same credit performance level data that they contribute, key regulations, the specific rules and internal norms that and should contribute all such data available. do not compromise intellectual property and trade secrets 4. Data may be used or made available by the Credit Reporting should also be available to the general public as pertinent. Agencies (CRAs) only in ways permitted by these Principles. 5. Subscribers must never use shared data to target any cus- 149. Proactive efforts should also be undertaken to dis- tomers of other specific subscribers. seminate how certain rules and norms have been ap- plied or enforced in varying circumstances. Guidelines on non-discrimination the data providers/users and the credit reporting ser- vice provider(s). The principles issued by the Steering Data supplying and data access should be Committee on Reciprocity43 (see Box 4) may serve as a established in a fair manner, responding to reference in determining the extent to which reciproc- impartial rules regardless of the nature of the ity should be used as the guiding principle with regard participants� to granting access to the credit reporting databases. 150. Non-discriminatory refers to the legal and regu- Obligations on data quality, security measures latory framework being equally applicable to the vari- and consumer rights should be equally applicable ous participants in credit reporting insofar as they are to all credit reporting service providers, data providing equivalent services. This helps to promote a providers and users� level playing field that encourages competition on a fair and equitable basis. 153. To ensure consistent service levels throughout the credit reporting system, rules, regulations and proce- 151. In principle, all active users of data for lending pur- dures covering data quality, security measures and con- poses should be allowed to access credit reporting data- sumer rights should apply equally to all data providers, bases. A possible exception to this general rule could be credit reporting service providers and users. the case of some credit registries whose basic purpose is to support banking supervision and improve the avail- 154. At the same time, the principles that support the ability and quality of credit data for supervised intermedi- various participants having equal rights with regard to aries—and that as a consequence require data from, and provide access to regulated financial institutions only. 43 The Steering Committee on Reciprocity (SCOR) is a cross industry forum made up of representatives from credit in- 152. In many cases, access to the credit reporting data- dustry trade associations and credit reference agencies in bases is based on some degree of reciprocity between United Kingdom. 31 General Principles for Credit Reporting credit reporting (i.e. fair access) should correspond with Laws and regulations should be practical principles setting equal obligations for each of them. and effective as to ensure a high degree of compliance� 155. Nevertheless, the legal framework may be such that some of these obligations are more closely related 159. The legal framework should be designed to balance to one specific category of credit reporting system par- interests of the consumers/data subjects on one hand, ticipants (e.g. data providers) than others (e.g. credit and the objective of promoting credit information flows reporting service providers or users). In such cases, and innovation in the credit reporting system. this might justify some differentiation of the obligations across categories of participants. 160. Introducing obligations that require extraordi- nary efforts from credit reporting service providers or other credit reporting participants may undermine the Guidelines on proportionality efficient provision of the service and might negatively affect the development of comprehensive credit re- The legal and regulatory framework should not porting systems. Therefore, it is important that any law be overly restrictive and burdensome relative to or regulation balances the benefits of increased safety the possible issues it is designed to tackle� or consumer protection against the potential costs in terms of lost efficiency, competition and innovation. 156. Proportionality of laws and regulations responds to three main characteristics: a) adequacy; b) necessity; and 161. Proportionate regulation is likely to be more effective c) non-excessiveness. In credit reporting, these three as- in the sense that all types of participants in a credit report- pects should be reflected in the legal and regulatory frame- ing system are more likely to observe it. Setting costly and/ work supporting the collection of credit and related data or overly sophisticated requirements to all participants from businesses and individuals, and the use of such data. regardless of their size or nature (e.g. requiring a mini- mum number of staff or departments in the organization, 157. When designing new laws or regulations, or amend- or minimum size of premises) may result in participants ments to the existing ones, regulators should carefully simulating compliance when this is clearly not the case. weigh the intended benefits with the potential negative consequences such new rules may have on the credit reporting system as a whole. This includes the need that Guideline on consumer rights and data protection any penalties that are established be proportional to the related offense. The industry should be consulted to Rules regarding the protection of data subjects/ help ensure the proposed new regulations are propor- consumers should be clearly defined� At the tionate and effective. minimum these rules should include: (i) the right to object to their information being 158. It is important to realize that public policy objec- collected for certain purposes and/or used for tives being sought through new laws or regulations may certain purposes, (ii) the right to be informed not always point in the same direction. Regulation can on the conditions of collection, processing and be a significant barrier because of the costs of com- distribution of data held about them, (iii) the pliance. However, to encourage competition among right to access data held about them periodically credit reporting service providers barriers to entering at little or no cost, and (iv) the right to the market should not be excessively high. On the oth- challenge accuracy of information about them� er hand, other public policy objectives such as safety and efficiency require potentially burdensome regula- i) the right to object to their information being collected tion. Proportionality in this case would mean that any for certain purposes and/or used for certain purposes: such inconsistencies are recognized and resolved in a way that, in the light of a country’s overall priorities, 162. Credit reporting systems should serve banking su- achieves an appropriate balance. pervision and credit decision purposes. There are other 32 The General Principles potential uses of personalized data in the system (e.g. data providers, domestic laws should ensure that data employers using the data to decide whether or not to subjects’ rights are adequately safeguarded. In the ab- hire an individual) which could require consent by data sence of a general privacy or data protection law, or oth- subjects, though such need for consent should be ana- er specific provisions related to credit reporting, credit lyzed together with other variables such as suitability, reporting service providers and data providers may not necessity and non-excessiveness. be legally bound to observe the minimum set of rights as described in the previous guideline. Therefore the legal ii) the right to be informed on the conditions of collec- framework covering credit reporting activities should tion, processing and distribution of data held about consider these needs and address them effectively. them: 163. Data subjects should be informed of the conditions Guidelines on dispute resolution of collection, processing and distribution of data. They should be provided with sufficient and understandable The process for solving disputes should be information to enable potential data access and data established in the law(s) governing credit challenge under user-friendly mechanisms and reason- reporting activities or in substantive regulations able costs. Additionally, data subjects should be cogni- when such laws do not exist� zant of the various credit reporting service providers that operate in their country. 167. Judicial systems are frequently costly and exces- sively burdensome for consumers/data subjects when iii) the right to access data held about them periodi- dealing with disputes concerning data held on them. cally at little or no cost: Therefore, the legal framework should provide for al- ternative mechanisms to solve such disputes in an ex- 164. Data subjects should be able to access data held peditious and less costly manner. about them periodically at little or no cost. Extended practice is to provide data subjects, at their request, 168. As a first instance, in many jurisdictions the legal with a copy of reports about them at no cost once a framework requires credit reporting service providers year or in the event of an adverse action. to create an in-house dispute resolution mechanism— sometimes referred to as an in-house consumer satis- iv) the right to challenge the accuracy of information faction system. This mechanism has proved useful to about them: expedite the dispute resolution process as the data pro- vider is closest to the data subject and, hence, is cogni- 165. The legal framework should ensure that credit zant of the issue underlying the dispute. To be effective, reporting service providers and data providers adopt the in-house mechanism should be transparent, adhere clear, effective and streamlined procedures and tools to to specific deadlines, easily accessible and should de- support data subjects that wish to challenge errors in scribe with precision the different actions that a data the databases. A common approach to this matter by all subject should take to dispute an error related to its re- service providers and data providers in a given jurisdic- cords (e.g. where and how to present the claim, poten- tion is highly desirable. tial costs, timelines and expected outcome). The legal and regulatory framework for credit 169. Other alternative (i.e. extra-judicial) dispute resolu- reporting should address all relevant issues tion mechanisms such as arbitration, mediation or the related to data subjects’ privacy, especially if existence of a supervisory authority playing a neutral such issues are not covered by a personal data role between the parties involved in a dispute should protection law or other similar law� also be encouraged. These mechanisms should ensure impartiality, effectiveness (i.e. designated mediators 166. Because data subjects are not parties to the con- should be adequately skilled), and should keep proce- tract between credit reporting service providers and dural requirements to the minimum. 33 General Principles for Credit Reporting 170. When the legal framework provides for a specific error. For example, users of data should not be liable judicial mechanism for solving disputes involving data for errors that originated with the data provider or the in credit reporting systems, it is important that this credit reporting service provider. Therefore, it is very mechanism operates efficiently and fairly in practice. relevant to investigate the specific step where the error occurred so that liabilities can be properly assigned. Credit reporting service providers and data providers should flag to all users cases where data subjects are involved in a dispute with the data Cross-border Data Flows provider in connection with the subject’s data� General Principle 5: Cross-border credit data 171. The flag can consist of a simple mark indicating the transfers should be facilitated, where appropriate, existence of the dispute. This flagging should be avail- provided that adequate requirements are in place able to all users accessing the data subjects’ report. 172. In general terms, a flagged report should not be Guidelines on pre-conditions for cross-border credit perceived per se as a negative sign of consumer behav- data transfers ior. However, it should be noted that some disputes might not be based on legitimate claims. The feasibility or desirability of cross-border data transfers should be based on a cost-benefit 173. Sometimes data might not be incorrect per se (e.g. analysis that considers market conditions, the there is in fact a non-payment). There might be ongo- level of economic and financial integration, legal ing disputes on a related service (e.g. the merchandise and regulatory barriers, and participant needs� related to a loan was not delivered), which once solved could change the content of the report. 177. As a result of cross-border businesses, migration and other factors, businesses entering a new country Credit reporting service and data providers and individuals that have changed their country of resi- should cooperate in reaching an expeditious dence will most likely need to establish a relationship solution to disputes� with a local financial entity. It is also possible that some businesses and individuals in the above-mentioned sce- 174. Data providers in particular should duly investigate nario will continue to use financial services from entities potential errors in data and correct them as quickly as based in their home country. possible before informing back to the credit reporting service provider/s about the result of the investigation. 178. In regions or economic blocks characterized by a Credit reporting service providers should act promptly strong financial and economic integration, authorities and inform recipients of the relevant reports that an er- may even wish to establish as a policy objective that busi- ror has been corrected. nesses and nationals of the block receive financial servic- es under similar conditions within the block, regardless The legal framework should provide suitable of the specific country they reside in at any given mo- enforcement mechanisms, including redress for ment in time. This may require, for instance, that credit data subjects harmed� reports become available and portable across countries. 175. Consumers/data subjects should be entitled to re- 179. In yet some other cases, a credit reporting system dress based on the harm suffered from the error. It should may only be viable when used by two or more coun- be noted, however, that quantifying the damages and the tries, which, due to market size limitations, would not corresponding compensation is difficult to do in practice. be able to support such a system on an individual basis. 176. Errors can occur at different stages of the data chain. 180. Examples like these reflect the fact that cross- Liability should be assigned based on the source of the border data transfers may be a useful, or even neces- 34 The General Principles sary, instrument to facilitate the provision of credit and 184. When there is a direct link between credit report- other financial services, as well as for banking supervi- ing service providers in different jurisdictions, the cross- sory purposes. However, given the complexity of any border mechanism is subject to practically the same risks cross-border activity, including but not limited to legal as the domestic ones (i.e. operational, legal, and repu- and regulatory aspects, differences in consumer pro- tational risks). Hence, the parties involved should adopt tection frameworks, infrastructure, the diverse nature governance and control measures equivalent to those of the institutions involved and thus the potential for that are applicable to any given domestic credit reporting conflicting interests, the uncertainty about the scale of service provider, as described under General Principle III. future data flows and others, it is important that there is a careful analysis of whether the likely benefits will 185. Even when there is no direct cross-border link be- justify the costs. tween systems, cross-border data transfers or exchanges will still entail several operational, legal and reputational 181. Sometimes such initiatives may be undertaken by risks. The difficulty in identifying, understanding and the market itself, while in other cases supervisory au- managing the new risks might even be greater given thorities might be the key promoters to properly dis- the inherent complexity in trying to comply with an ex- charge their supervisory obligations in connection with panded, or possibly even conflicting, set of laws, regula- cross-border banking and lending activities. tions and other rules. Standardization of data formats and procedures 186. When a single credit reporting service provider ser- should be fostered to facilitate cross-border vices two or more countries, it is likely that the data col- credit data transfers� lected from multiple countries will be stored in a single repository located in a specific country. Likewise, the in- 182. Even without direct cross-border links between formation stored in the repository would be sent across credit reporting service providers, standardized formats several jurisdictions. Such a model might entail specific can do much for creditors and supervisors alike. As dis- operational and legal risks. cussed under General Principle 1, the use of standard- ized formats is probably as important for data accuracy There should be a framework for cooperation purposes as having standard procedures for the collec- and coordination between the relevant tion and updating of data. regulators and overseers� 183. The standardization of data content and data 187. In general, cross-border activities and initiatives formats, at least with respect to what are considered require a high level of bilateral (or possibly multilater- mandatory inputs, among credit reporting systems in al) cooperation on technical, regulatory and oversight different jurisdictions is a necessary element to ensure matters. Regulators and overseers will naturally be in- consistency in cross-border credit or supervisory as- terested in credit reporting service providers and users sessments. Standardization can also reduce expensive observing all applicable laws, regulations and rules in manual intervention necessary to “translate� a format the relevant jurisdictions. But, as mentioned earlier, it used in a given jurisdiction into the one that can be could also be the case that regulators themselves will be used by creditors and supervisors in other jurisdic- the users and/or providers of cross-border credit data tions. transfers (e.g. for banking supervision purposes). 188. A framework for cooperation and coordination Guidelines on requirements for cross-border credit is therefore a useful tool to ensure a common under- data transfers standing of the relevant issues and problems, as well as to discuss, propose and eventually develop solutions. When cross border credit data transfers occur, An initial framework for cooperation typically consists the potential sources of risks that can arise of periodic (e.g. annual or semi-annual) meetings be- should be identified and appropriately managed� tween the parties. In many cases, the latter evolves into 35 General Principles for Credit Reporting more formal forms of cooperation, like a Memorandum 194. If a data provider is also a user of the information in of Understanding (MoU) between two or more parties a credit reporting system, it should also observe Role D. in order to, for example, secure regular exchanges of in- formation, or joint task forces to address specific issues. Role B: Other data sources, in particular public re- cords agencies, should facilitate access to their da- 3.3. The Roles of Credit Reporting System tabases to credit reporting service providers� Participants 195. Public records agencies can make a significant con- tribution to a credit reporting system by systematizing Role A: Data providers should report accurate, their records, transforming them into full-scale databas- timely and sufficient data to credit reporting ser- es that can be efficiently accessed with modern tools vice providers, on an equitable basis� and technologies. 189. The first responsibility of data providers is to ensure 196. Since proper identity matching is crucial in credit that the information they collect from their customers reporting, public agencies in charge of identity reg- (e.g. as part of the loan-underwriting process) is accurate istries (individuals and businesses) should facilitate and complete. They should also ensure that data subjects access to such registries to credit reporting service are duly aware of their responsibility to provide accurate providers. information and that the information they have provided can be distributed to third parties. If required by law and/ 197. In their role as information repositories, public re- or regulation, data providers should collect consent for cords agencies should also observe the guidelines for in- collecting, storing and distributing data from data subjects. formation security described under General Principle II, regardless of the level of automation of their processes. 190. Once they have the data, data providers should take all the necessary provisions to safeguard it, as ex- 198. As it is the case with data providers, public records plained under General Principle II. agencies are usually the first link in the chain for ad- dressing data disputes. Therefore, relevant public re- 191. Data providers must abide by the credit report- cords agencies, especially those that gather information ing system’s rules on data updating. Notwithstanding directly from the public, should cooperate in the data the minimum standards on this matter, data providers dispute resolution process on similar terms to those es- should aim at reporting any new data immediately upon tablished for data providers under Role A. receipt of the same. 199. Some public records agencies are active suppliers 192. With regard to the error correction process, it of data to the credit reporting system, rather than pas- should be noted that data providers are closest to data sive information repositories. Public records agencies subjects than any other participant in a credit report- falling in this sub-category are also expected to observe ing system. In most cases, data providers would also the other aspects described for data providers under be aware of the issue(s) involving allegedly errone- Role A. ous data. Data providers are therefore expected to act diligently in addressing disputes (including a timely reporting of the dispute to credit reporting service Role C: Credit reporting service providers should providers), and, if applicable, in correcting the infor- ensure that data processing is secure and provide mation as required. high quality and efficient services� All users having either a lending function or a supervisory role 193. Data providers should not discriminate among should be able to access these services under credit reporting service providers as established by equitable conditions General Principle I. 36 The General Principles 200. To a large extent, high quality and efficient services different users will have different credit underwriting will be the result of good governance, adequate risk policies it should be recognized that credit reporting management and internal controls, an appropriate set information is typically only one of the inputs to be of policies and rules dealing with information collec- used as part of a credit assessment. Therefore, credit tion, consultation and distribution, and safe and reliable decisions, either approvals or denials, should not be IT systems, among other elements. The General Prin- based solely on the past credit history of applicants ciples, particularly GP1, GP2 and GP3, provide a broad as reflected in a typical credit report, a credit score or road map for credit reporting service providers aiming other similar credit reporting products. Users should at providing levels of service that are consistent with the train their personnel on the adequate use of these needs of users. tools. 201. User needs evolve over time. Because of competi- 206. In case an adverse action against a particular debt- tive pressures, users are increasingly demanding new or is taken (e.g. loan denial, a higher interest rate is products and solutions to enable them to better as- charged), users must inform the debtor in case such sess risks in a consistent, systematic and cost-effective an action was motivated by information contained in manner. Credit reporting service providers must be a credit report or other credit reporting value-added prepared to meet those needs by making available a products. menu of value added services beyond standard credit reports. Role E: Data subjects should provide truthful and 202. Credit reporting service providers should contrib- accurate information to data providers and other ute to a level playing field in the credit and other finan- data sources cial markets. All users of credit reporting services (e.g. those involved in supervisory activities or with a lend- 207. Data subjects should be conscious that the infor- ing function) should be able to access the related ser- mation they provide as part of loan applications can be vices under equitable conditions.44 In that sense, credit distributed to other parties, and that providing wrong- reporting service providers should avoid using pricing ful, incomplete or inaccurate data (e.g. wrong identifi- policies or any other method that favors a particular cation number) might eventually become an element group of users over others with no reasonable basis. for credit denial. Moreover, careless completion of ap- plication forms leading to the provision of inaccurate data might have unintended consequences on other Role D: Users should make proper use of the in- parties, such as the erroneous association of data with formation available from credit reporting service an unrelated data subject. providers 208. Data subjects should take advantage of the mecha- 203. If and when required by law or regulation, users nisms provided by the credit reporting system to veri- should get consent from data subjects to access infor- fy the information stored in the latter. No other party mation stored in credit reporting databases. Users are should be more interested in that the data is accurate also responsible for maintaining required confidential- and updated than the data subject itself. ity over any data accessed by them. At the same time, users should not use the data for purposes other than those specified by the law. 44 In the case of credit registries there are some possible ex- ceptions. Many credit registries would only provide access 204. Users should adopt and enforce proper security to regulated financial institutions. Other databanks operated measures to safeguard the data/information. by central banks or other financial supervisors might be in- tended solely for banking supervision purposes rather than 205. With regard to the actual use of the information to support lending or other related decisions, and therefore and data available from credit reporting services, while might not provide access at all to any outside party. 37 General Principles for Credit Reporting Role F: Authorities should promote a credit report- 212. To ensure the accomplishment of policy goals, au- ing system that is efficient and effective in sat- thorities might also consider participating in the deci- isfying the needs of the various participants, and sion-making body of a credit reporting service provider. supportive of data subject and consumer rights and This could be especially relevant in cases where that of the development of a fair and competitive credit credit reporting service provider is the only real alter- market native in the market place and this situation cannot be offset otherwise. 209. Where implementation of the General Principles and related roles involves multiple domestic authorities, 213. In cases where a given authority operates a cred- public policymakers should ensure that domestic poli- it bureau or credit registry, then that same authority cies are coordinated and that the authorities cooperate should not be charged with regulatory responsibility at the policy and implementation levels. A system over- over the credit reporting system, unless the operational seer charged with the responsibility of promoting the ap- and regulatory functions within the given authority are propriate development of the credit reporting system as clearly separated. a whole, for which purpose it would act as the coordina- tor of the various authorities, has proved to be an effec- 214. In cases where cross-border credit reporting ac- tive solution in other elements of financial infrastructure. tivities are relevant or are expected to become relevant in the foreseeable future, the authorities of the corre- 210. Authorities should avoid distortions in the credit re- sponding jurisdictions should cooperate in order to en- porting system, which may translate into an unlevel play- sure that such cross-border activities will also observe ing field or result in inefficiencies in the credit market. the General Principles. 211. To accomplish their policy goals, authorities will 215. Section 4 of this Report provides recommenda- typically have at their disposal a variety of policy tools, tions for the implementation of an effective oversight depending on the specific powers vested in them. The framework for credit reporting systems. tools range from dialogue and moral suasion, to more interventionist ones like regulations and sanctions. 38 4 Recommendations for Effective Oversight of Credit Reporting Systems 45 T he following are some recommendations for es- other authority. The division of responsibilities among tablishing a proper oversight framework for credit authorities for regulating and overseeing credit report- reporting systems.46 ing systems varies depending on a country’s legal and institutional framework. Sources of authority and ap- proaches to regulation and oversight may take different Oversight Recommendation A: Regulation and forms. For example, an authority may have regulatory oversight of credit reporting systems and oversight responsibility for a credit reporting sys- tem provider registered, chartered, or licensed as an Credit reporting systems should be subject entity that falls within a specific legislative mandate. to appropriate and effective regulation and Credit reporting systems also may be overseen by an oversight by a central bank, a financial authority that exercises customary or other forms of supervisor, or other relevant authorities� It is responsibility for oversight that does not derive from important that one or more authorities exercise a specific legislative mandate. Relevant authorities the function as primary overseer� should address any existing gaps in regulation or over- sight of credit reporting systems through coordination Key considerations with relevant legislative body to implement statutory changes, where possible, or through other capabilities, ◆ Authorities at the national level should identify cred- including moral suasion. it reporting systems that should be subject to regu- lation and oversight using publicly disclosed criteria. ◆ Appropriate authorities such as a central bank, fi- nancial regulator, or other relevant body should 45 The oversight section benefited from a number of docu- ments developed in the payment system space, in particu- oversee credit reporting systems that are identified lar, Committee on Payment and Settlement Systems (CPSS), using such criteria. 2001, Core Principles for Systemically Important Payment ◆ One or more authorities should be appointed as Systems, BIS; CPSS, 2005, Central Bank Oversight on Pay- primary overseer. Such authority(ies) should coor- ment and Settlement Systems, BIS; and the discussions dinate its/their oversight actions with other relevant surrounding the revision of the CPSS-IOSCO standards on authorities. Financial Market Infrastructure, to be released in mid-2011. 46 This framework is based on the framework defined in other 217. Credit reporting systems should be regulated and areas of financial infrastructure, namely the payment and set- overseen by a central bank, financial supervision, or tlement systems. General Principles for Credit Reporting Oversight Recommendation B: Regulatory and public information with other relevant authorities, as oversight powers and resources appropriate, to minimize gaps in regulation or oversight. Central banks, financial supervisors, and other 220. Authorities also should have appropriate powers and relevant authorities should have the powers tools to induce change in a credit reporting system that is and resources to carry out effectively their not complying with relevant regulations or policies. Tools responsibilities in regulating and overseeing that could be used to effect change vary significantly, from credit reporting systems� dialogue and moral suasion to explicit statutory powers that enable the authority to enforce regulatory and over- Key considerations sight decisions. Discussions with credit reporting system participants play an important part in achieving regula- ◆ Authorities should have powers or other capacity tory and oversight objectives. In many cases, an authority consistent with their relevant oversight responsibili- may be able to rely on moral suasion in discussing public ties, including the ability to obtain information and policy interests with credit reporting system participants induce change. and in carrying out its regulatory and oversight responsi- ◆ Authorities should have sufficient resources to fulfill bilities. Moral suasion, however, works best when there their regulatory and oversight responsibilities. are credible regulatory or other legal remedies available to the relevant authorities. Where appropriate, authori- 218. Central banks, financial supervisors, and in some ties may want to consider publicly disclosing their assess- cases other authorities (e.g. Ministry of Finance) gener- ments of certain credit reporting systems. ally share the common objective of ensuring the safety and efficiency of credit reporting systems. The primary 221. In promoting effective regulation and oversight, responsibility for ensuring a credit reporting system’s authorities should have sufficient resources to carry safety and efficiency, however, lies with the system’s out their regulatory and oversight functions, including owner, designer, and operator. Regulators and over- adequate funding, qualified and experienced staff, and seers should have the appropriate powers and resourc- appropriate and ongoing training. In addition, authori- es in order to administer their regulatory and oversight ties should adopt an organizational structure that allows responsibilities effectively. these resources to be used effectively. It should be clear where the responsibility for regulatory and oversight 219. Authorities should have appropriate powers or oth- functions lies within a relevant authority. Regulatory and er capacity to obtain timely information necessary for ef- oversight functions may include gathering information fective regulation and oversight. In particular, relevant on credit reporting systems, assessing their operation authorities should have access to: i) information that and design, taking action to promote observance of enables them to understand and assess the risks borne relevant policies and standards, and conducting on-site or created by credit reporting systems; ii) adherence to visits or inspections when necessary. Where relevant, relevant regulations and policies, including the rules, staff should have appropriate legal protections in carry- procedures, and risk-management controls; iii) vari- ing out their responsibilities. ous functions, activities, and overall financial condition; iv) the impact of any given credit reporting system par- ticipant in the financial system and the broader econo- Oversight Recommendation C: Disclosures of my. Such information can be obtained through regular objectives and policies with respect to credit or ad hoc reports, on-site visits, inspections, dialogue reporting systems with board members, management, internal auditors or other system participants. Authorities should have Central banks, financial supervisors, and other appropriate legal safeguards to protect all non-public relevant authorities should clearly define confidential information obtained from credit reporting and disclose their regulatory and oversight service providers and data providers. Authorities, how- objectives, roles, and major regulations and ever, should be able to share relevant confidential, non- policies with respect to credit reporting systems� 40 Recommendations for Effective Oversight of Credit Reporting Systems Key considerations sight principles rests with the specific credit reporting system participants themselves. ◆ Authorities should clearly define their regulatory and oversight objectives, roles, regulations, and 224. Authorities can publicly disclose their objectives, policies to set clear expectations for credit reporting roles, regulations, and policies in a variety of forms. systems and facilitate compliance with applicable These forms include plain-language documents, pol- policy requirements and standards. icy statements, and relevant supporting material. The ◆ Authorities should publicly disclose their objectives, mechanism for disclosing these documents or state- roles, regulations, and policies to provide account- ments should ensure they are readily available, for ex- ability in the exercise of regulation and oversight of ample, by posting them to a public website. credit reporting systems. 222. Central banks, financial supervisors, and other rel- Oversight Recommendation D: Application of the evant authorities should clearly define their regulatory General Principles for credit reporting systems and oversight objectives, roles, regulations, and policies with respect to credit reporting systems. An author- Central banks, financial supervisors, and other ity’s objectives, roles, regulations, and policies provide relevant authorities should adopt, where a basis for consistent policymaking and a benchmark relevant, the General Principles for credit by which the authority can evaluate its effectiveness in reporting systems and apply them consistently� achieving its objectives. Typically, the primary objectives of an authority with respect to credit reporting systems Key considerations are to promote their safety and efficiency. The objec- tives of an authority are usually implemented through ◆ To establish key minimum standards, authorities specific policies, such as minimum standards or expec- should adopt the General Principles for credit re- tations. The objectives, roles, and policies of an author- porting systems, providing a consistent regulatory ity should be consistent with the legislative framework and oversight framework within and across national for the authority. In many countries, authorities may and regional jurisdictions find it beneficial to consult with key stakeholders and/ ◆ Authorities should ensure that the General Princi- or the broader public regarding their objectives and ples and related roles are applied consistently to all policies. In many countries, such consultations may be credit reporting system participants. required by law. 225. Central banks, financial supervisors, and other rel- 223. Authorities should publicly disclose their regula- evant authorities can enhance their regulation and over- tory and oversight objectives, roles, regulations, and sight of credit reporting through the adoption of the policies with respect to credit reporting systems. Public principles, guidelines and roles presented in this report. disclosure promotes a transparent policy environment These standards draw on the collective experience of and consistency in regulation and oversight. Such dis- many authorities and industry representatives and have closures typically communicate an authority’s regulato- been subject to public consultation. They also represent ry and oversight principles, which facilitates compliance common interests which make it easier for different au- with applicable policy requirements and standards. Fur- thorities to work cooperatively and enhance the effec- thermore, public disclosures communicate the roles tiveness and consistency of regulation and oversight. and responsibilities of authorities to the wider public and promote the accountability of relevant authorities. 226. Authorities should strive to apply these principles These disclosures, however, do not shift the burden of consistently across jurisdictions (including across bor- responsibility from credit reporting system participants ders) and similar types of credit reporting systems. Con- to authorities in ensuring the safety and efficiency of the sistent application of standards is important because system. Authorities should emphasize that primary re- different systems may be dependent on each other, or sponsibility for complying with the regulatory and over- in direct competition with each other, or both. Where 41 General Principles for Credit Reporting central banks or other authorities themselves own or op- reporting systems can be fulfilled more efficiently and erate key components of credit reporting systems, they effectively through mutual assistance. Cooperative ar- should apply the same international standards. Central rangements should be addressed in a way that delivers banks or other authorities can further promote consis- regulation and oversight consistent with each relevant tency, as well as transparency, by disclosing the policies authority’s responsibilities and minimizes the duplica- applicable to the systems they own or operate. Further, tion of effort and the burden on credit reporting system clarification of the central bank’s or other authorities’ participants. Cooperation should also help avoid incon- oversight and operational functions including an appro- sistency in policy approaches and reduce the probabil- priate level of separation between them, where appropri- ity of gaps in regulation and oversight that could arise ate, helps ensure consistent application of the principles. if authorities acted independently of each other. Coop- erative arrangements, however, should be consistent with an authority’s statutory powers and other legal Oversight Recommendation E: Cooperation among frameworks. authorities 228. Cooperative regulatory and oversight arrange- Central banks, financial supervisors, and ments for systems that have important cross-border other relevant authorities, both domestic and links or serve multiple jurisdictions will need to involve international, should cooperate with each other, a formal arrangement because of the involvement of as appropriate, in promoting the development, non-domestic authorities. The case of cross-border safety and efficiency of credit reporting systems� data transfers is covered in the discussion under Gen- eral Principle 5. A credit reporting system that operates Key considerations across borders and serves more than one jurisdiction should be subject to day-to-day regulation and over- ◆ Authorities should cooperate with each other, as sight by an authority that accepts primary responsibil- appropriate, to support more efficient and effective ity, although that could potentially be supplemented regulation and oversight of credit reporting systems. by a committee of regulators and overseers. In most ◆ Authorities should adopt current and evolving best cases, the primary regulator or overseer is the relevant practices on international cooperative arrange- authority where the credit reporting system is located, ments. as it has the authority to provide effective regulation and oversight and the relevant local market experience. 227. Central banks, financial supervisors, and other rel- Where necessary, the primary regulatory or overseer evant authorities should cooperate with each other, as should organize an effective process for cooperating appropriate, to support the mutual objectives of safe and consulting with other relevant authorities to seek and efficient credit reporting systems, particularly those consensus on common issues and keep each other in- conducting business in multiple jurisdictions. Coopera- formed of developments related to the credit reporting tive arrangements provide a mechanism whereby the system. The following box presents some principles for individual responsibilities of the authorities of credit international cooperative oversight. 42 Recommendations for Effective Oversight of Credit Reporting Systems Box 5: Principles for international Cooperative oversight The principles below in no way prejudice the statutory or other responsibilities of authorities participating in a cooperative arrangement. Rather, they are intended to provide a mechanism for mutual assistance among authorities in carrying out their individual responsibilities in pursuit of their shared public policy objectives for the efficiency and stability of credit reporting arrangements. Cooperative oversight principle 1: Notification The primary overseer(s) of a jurisdiction that has identified the actual or proposed operation of a cross-border credit reporting system should inform other countries’ authorities that may have an interest in the prudent design and management of the system. For the purposes of deciding whether or not to set up a cooperative oversight arrangement, the authorities to be informed of the existence of the system, or the proposal to create the system, will normally include those where the main operations of the system are located. These authorities should, in turn, seek to inform any other domestic authorities that may have an interest in the prudent design and management of the system. In the case of a major system that is already in existence and which serves multiple jurisdictions, this principle could be met by requiring the system itself to inform the relevant authorities or to publicly disclose its cross-border activities in a way that meant they were transparent to the relevant central authorities. Financial supervisors and Central banks which have the relevant powers may also find it useful to require financial institutions to report their provision of or participation in any cross-border system. Cooperative oversight principle 2: Primary responsibility Cross-border credit reporting systems should be subject to oversight by authorities which accept primary responsibility for such oversight, and there should be a presumption that the primary overseer where the system is located will have this primary responsibility. One of the authorities in the cooperative arrangement should, by mutual agreement, have primary responsibility for oversight of the system (“the authority with primary responsibility�). The acceptance by a central bank of primary responsibility means that it agrees to carry out the role set out in Cooperative oversight principle 3. It does not prejudice the ability of other authorities to fulfill their individual responsibilities and does not represent any delegation of responsibility to the authorities with primary responsibility from the other authorities. The authority with primary responsibility needs to be able and willing to carry out the agreed role. Determination of which authority is best placed to carry out the role involves consideration of a range of factors including the oversight powers available to that authority, the rel- evance of the overseen system to local financial markets and the authority’s capacity to carry out effective oversight. These criteria are often fulfilled best by the primary overseer where the system is located (in terms of incorporation, management and operations) and thus there is a presumption that this authority bank will have primary responsibility. However, it could be agreed that another authority will have the primary responsibility. This flexibility enables an effective oversight framework to be created in many circumstances, for example if the system has little importance in the country where it is located or if it is located in more than one country. Cooperative oversight principle 3: Assessment of the system as a whole In its oversight of credit reporting systems, the authorities with primary responsibility should periodically assess the design and operation of the system as a whole. In doing so it should consult with other relevant authorities. A key element of the role of the authority with primary responsibility is to carry out periodic comprehensive assessments of the design and operation of the system as a whole on the basis of agreed policies and standards, including the General Principles for credit reporting systems. In carrying out the assessments, the authority with primary responsibility should actively solicit the opinions of the other authorities in the co- operative arrangement, recognize their interests and concerns through a process of consultation, and draw on their expertise where relevant. The authority with primary responsibility has several other functions relating to the cooperative oversight arrangement, including (1) orga- nizing an effective, efficient and clear process for cooperation, (2) facilitating the distribution of the information needed to satisfy the respec- tive responsibilities of the central banks and other authorities in the arrangement, (3) seeking agreement on the policies and standards to (Continued on next page) 43 General Principles for Credit Reporting Box 5: Principles for international Cooperative oversight (Continued) apply in carrying out the assessments, (4) seeking consensus on issues of common interest related to risks and risk management of the system, (5) providing effective communication and coordination in both routine and stressful situations involving the system, and (6) when appropriate, using its powers and influence over the system to induce necessary change. To avoid duplication, inconsistencies or gaps in oversight, all authorities in the cooperative arrangement should agree on their responsibilities and expectations, for example in a memorandum of understanding (MoU) or similar document. It is particularly important to be clear about the objectives of the cooperative oversight, the policy requirements and standards against which the system will be assessed, the scope and frequency of the information to be shared, and the procedures for assessing the system. Cooperative oversight principle 4: Unsound systems In the absence of confidence in the soundness of the design or management of any cross-border credit reporting system, authorities should, if necessary, discourage use of the system or the provision of services to the system, for example by identifying these activities as unsafe and unsound practices In the course of their consultations, relevant authorities should endeavor to ensure the prudent operation of the cross-border systems on terms acceptable to them. However, if this is not possible in some cases, it is clear that authorities must maintain its discretion to discourage the use of a system or the provision of services to a system, if, in their judgment, the system is not prudently designed or managed. 44 Annex 1 Information Cycle for the Creation of a Credit Report Credit reports and related value added services and ingful across organizations, it is particularly relevant products are the result of a combination of data pieces that all participating organizations have harmonized which, when put together in structured manner, be- rules for completing the fields come useful information for creditors in order to make lending decisions. This annex explains in detail the Ensuring a timely and systematic data contribution/ main elements and steps necessary for the creation of updating is also crucial. Data providers generally sup- a credit report. ply data on a monthly basis as the frequency tends to be related to the billing cycles or installment payments due. In most developed markets, some data providers First Step: Data Collection do provide/update data on a weekly basis and even on a daily basis.47 Information is collected from each data provider ac- cording to a specific template or form containing all the Data can be provided through different methods, in- relevant fields necessary for the elaboration of a credit cluding on–line electronic data transfers through the report. At the minimum, this form would contain iden- Internet or a dedicated connection, or the physical de- tification data, including those that would be helpful to livery of tapes and magnetic disks. Many data providers uniquely identify data subjects; variables of interest re- commonly consider more than one way to provide the garding credit account information and the history of information in case the primary method is not available. enquiries related to that account. Data security is a crucial part of this step as there are several risks associated with data handling and transfer- Too often a poor form design interferes with proper ring which may end up in data mishandling, misplace- capturing of data. As an example of a bad design, the ment or unauthorized access. Data providers and credit word “NAME� followed by a line leaves sufficient room reporting service providers frequently agree on terms for very different responses: nicknames, formal names, to mitigate these risks (e.g. data encryption). no initials, titles, and so on. The data format is frequent- ly designed jointly by users and service providers. In the Many credit reporting service providers also collect United States, the “credit reporting agencies� (CRAs) information from other data sources, mainly public re- developed a specific format, called METRO 2, and en- courage all parties contributing data to the CRAs in the 47 In the U.S. credit reporting agencies collect data every country to use this format for consistent reporting. month, and they typically update their credit records within Since each piece of information should be placed in the one to seven days after receiving new information (Avery et adequate field to make the resulting information mean- al. 2004, 298). General Principles for Credit Reporting cords, as referred to throughout this report. In these digit checking, data monitoring, double keying, check- cases it is typically the credit reporting service provider ing allowable ranges of values for a field and hash to- who proactively collects the data from the public sector tals. All these processes are typically run by the credit agency or agencies holding those records. reporting service provider, with no intervention from the data provider unless the file is rejected for inconsis- A credit report is built on data provided by different tencies found, large number of errors or other similar sources, the figure below shows the sources of each of reasons. In such cases, it is common for service pro- the type of data of a credit report. Data subjects and viders to send back to each data provider an error file creditors both contribute data related to the credit ac- with a description of the errors found in their respec- count. Data on enquiries is generated by the credit re- tive files, prompting them to review the files and send porting service provider based on enquiries made by back a corrected one. users on a specific data subject. Data on collections is mostly provided by either collection agencies or credi- tors themselves. Finally there is a group of other sourc- Third Step: Data dissemination es which contribute data and do not necessarily use the system (e.g. most government agencies). Once data is cleaned and organized in a structured man- ner, it is presented to users according to their interests. The most common form of showing the data is on the Second Step: Data validation form of a credit report that includes a summary of the data subjects’ account, detailed information of each line In order to validate the authenticity, completeness, and a history of the payment performance for the past consistency and accuracy of data received from data 24 months. Users can also sign up for additional services providers and other data sources, credit reporting ser- (see discussion on value added services below). vice providers apply a number of techniques and pro- cesses conducive to preventing errors and enhancing The most frequent means of accessing credit reports data quality at data gathering. Techniques may include is through on-line electronic data transfers. Frequent- ly, credit reporting service providers offer users a 24/7/365 access to the credit reporting databases. This Figure 4: Data Sources for Credit Reporting capability depends very much on the type of connec- tivity between the service provider and the final users, as well as on the technological capacity of the service provider to process concurrent requests from a large Credit Data number of users, including multiple sub-users from Account Subjects/Creditors the same user. Non-Credit Data on Data collections Value-added services Utility, Telecom CREDIT The quality and quantity of historical data available are Companies Collection REPORT Agencies the most important factors to determining what type Notaries, Third Parties, Data of value added services can be developed by the credit Subjects Government Agencies reporting service provider. In the absence of positive Third Parties, Lawyers data only a limited number of value added services can be developed. Although value-added services continue Public evolving as needs grow in different areas, the most com- Inquiries records mon services available include the following: (i) credit scoring; (ii) anti-fraud tools; (iii) portfolio monitoring Service Providers/Users services; (iv) debt collection services; and (v) marketing 46 Annex 1 services. Value-added services such as scoring models ing oriented products and services rely extensively on built with sufficient data including negative and positive geo-demographical data such as a compilation of ad- tend to be more predictive than those built only with dresses of the debtor or applicant and recent enquiries negative data. Anti-fraud products are developed using regarding specific financial products among types of data from applications and other data sources in addi- data. It is current practice that credit registries do not tion to credit account data. Debt collection and market- develop value-added services. 47 Annex 2 Basic Existing Models of Credit Reporting Services 1. Credit Registry the central bank or financial supervisory authority, in- cluding mainly the banking supervision and statistics In this model, banks and other regulated financial insti- units. Data subjects may also access the information tutions act as data providers, sending data to the credit and request the correction of erroneous personal data. registry, generating a database where information from It should be noted that data subjects are not able to ac- all creditors is centralized. Most likely the database will cess and dispute errors regarding information collected be administered by the central bank, or in some cases exclusively for supervision. another financial sector supervisory authority, that also sets data requirements to be fulfilled by regulated in- In a credit registry, users are usually only able to access stitutions. Once the data is cleaned and organized—in- consolidated information concerning prospective cus- cluding in some cases a classification of debt according tomers (i.e. information reflecting financial obligations to pre-defined rules—, this is made available to regu- undertaken with all other creditors reporting to the reg- lated financial institutions, which then become also the istry). Frequently the credit registry collects historic data users of the service. This information is used by regu- although such data is not always distributed back to us- lated financial institutions and also by other units within ers. Users therefore might only be able to access a report Figure 5: Typical Model of a Credit Registry Data Providers Service Providers Products Users Other Regulated Financial Institutions Banks/Other Reports Regulated Financial Credit Registry Banks Institutions Databank Debt classification Supervisory Unit Central Bank Consumers Statistics Unit Central Bank General Principles for Credit Reporting covering a portion of the credit account or so–called nancial institutions are usually able to access the service. “snapshot�. In this type of model, value-added services This frequently includes the data subjects, which can ac- for users are very seldom developed. When detailed in- cess their reports and other products and services based formation at account level is provided back to the regu- on data held on them as regular users. Data subjects are lated financial institutions, consumers/data subjects are also able to access data held on them free-of-charge one frequently granted the same rights as in credit bureau or more times per year, and request correction of errors. models. However, when information is provided back to regulated financial institutions in a consolidated manner In the case of a credit bureau it is also worth noting that or de-personalized those rights do not necessary apply. some of the users will not be contributing with data. This could be the case, for example, of landlords or employers. The reciprocity principle is therefore more 2. Credit Bureau difficult to apply in some cases. Finally, a variety of val- ue-added services is frequently available given greater A credit bureau network is usually more complex than data availability and broader coverage. that of a credit registry, mostly because it involves vari- ous types of data sources as well as a greater variety of users. Apart from banks and other financial institutions, 3. Example of a model involving both a sources of information in this case include other non- Credit Registry and one or more Credit financial credit card companies, retailers and suppli- Bureau ers extending trade credit. In addition, non-traditional sources of information to bolster information on “thin- In some countries, a credit registry and one or more file� clients (i.e. those who lack relevant information credit bureau can co-exist without any type of formal from traditional sources) are also included, like data on interaction between the different service providers payments associated with utilities or telecom services. (see Figure 7a). The credit registry collects data from On the side of the users, entities other than banks and fi- banks and other regulated financial institutions and Figure 6: Typical Model of a Credit Bureau Data Providers Service Providers Products Users Regulated Financial Institutions Banks Financial Reports Institutions Telecom companies Utilities Non regulated Financial Institutions Retailers Credit card Credit Bureau issuers Credit Scoring Retailers and credit card issuers Anti fraud Landlords Ju C dg ourt em Other public en Insurance companies ts record repositories Portfolio monitoring Employers Consumers 50 Annex 2 Figure 7a: Example of a Model involving both a Credit Registry and Credit Bureau(s) Data Providers Service Providers Products Users Credit Registry Statistics Unit Banks / Regulated Databank Central Bank Financial Reports Institutions Supervisory Unit Consumers / Credit Applicants Central Bank Non-regulated Debt classification Financial Institutions Credit Banks / Regulated bureau 1 Credit card issuers Financial Institutions Retailers Non-regulated Financial Institutions Credit Reports bureau 2 Telecoms / Utilities Credit card issuers Public records Credit Scoring Retailers Credit Anti Fraud Telecoms / Utilities Court judgments bureau 3 Portfolio Monitoring Central Bank Consumers provides back data to those institutions, as well as uses works further augment the basic data obtained from the information for supervisory purposes. The credit the central database with other pieces of information bureau(s) may collect data from a variety of sources from other non-regulated creditors as well as other data besides the banking/regulated financial institutions sources. and provide several products and services to a wider range of users. In terms of users, this set up frequently provides infor- mation to a large number of users including the bank In a hybrid type of arrangement, data is collected from a supervisor and other units within the central bank, variety of sources and housed in a central database, typi- banks and financial institutions, micro-finance institu- cally operated by the relevant financial supervisory au- tions, telecoms and utilities, insurers, and when per- thority in the country. Information held in this database mitted even landlords and employers. In this model, is provided by the latter to one or more credit reporting value-added services are frequently developed by the service providers operating in the country. These net- credit bureaus and offered to final users together with the reports. 51 General Principles for Credit Reporting Figure 7B: Example of a Model involving both a Credit Registry and Credit Bureau(s) Data Providers Service Providers Products Users Banks /Other Regulated Reports Banks Credit Registry CB 1 Financial Institutions Financial Institutions CB 2 Credit Scoring Non-regulated MFIs Financial Institutions CB 3 Anti fraud Telecoms Other creditors (retailers, Other creditors CB 4 telecoms, Portfolio monitoring utilities, etc.) Central Bank Other data Consumers sources Consumers 52 Annex 3 Privacy, Data Protection and Consumer Protection 1. Consumer Protection and Preserving a framework allowing for more flexible implementation Privacy than that contained in the European framework. In all existing frameworks, the role of the data subject as an ac- Consumer protection in the context of credit report- tive participant is highlighted. So is the concern for data ing can be summarized as the right of any data subject quality accountability and transparency. Some disparities to be aware that his/her information is being collected, between the frameworks are also evident (e.g. propor- shared or consulted (information/notice and access), to tionality vs. collection limitation, international transfers). challenge data (petition to correct or delete informa- tion), and claim compensation for damages suffered as a result of the misuse of personal data held on them in 2. Dispute Resolution credit reporting systems. One of the key elements of consumer/privacy protection There are two main paradigms for safeguarding privacy in credit reporting is the existence of a mechanism for rights or interests, with some overlap between them. solving disputes regarding the information contained in As a broad generalization, the paradigm followed by the the system. Redress mechanisms enable the identifica- European Union views privacy as a fundamental right tion and correction of errors. These mechanisms are and relies on a prescriptive and static set of rules. Un- frequently built into laws and regulations, which among der that paradigm, privacy of any given individual is pro- other things allow data subjects to access and correct tected via requirement of individual’s consent, i.e. the errors in personal data held on them in credit reporting individual’s decisional role to determine the manner systems. and extent to which his/her data are collected and pro- cessed by others.48 The commercial privacy paradigm favored by the United States and APEC focuses on flex- 48 Consent is frequently analyzed together with the principle ible application of high level principles depending on of proportionality based on: (i) suitability, (ii) necessity, and context, such as the nature of the transaction. (iii) non-excessiveness. 49 More recently, an international effort led by fifty National Table 2 shows a comparison between key features of Data Protection Authorities resulted in the issuing of the so- each privacy framework, highlighting commonalities called Madrid Resolution, containing international standards among them. 49 The European Union framework relies on privacy and data protect protection This Resolution was on five principles followed by Directive 95/46/EC which adopted in Madrid on November 6, 2009. An English version should be transposed into EU Member States’ legisla- of the Madrid Resolution can be obtained at https://www. tion. The OECD, APEC and International Standards set agpd.es. 54 TaBle 2: A Comparison of Key Data Protection Frameworks OECD (1980) European Union (1995) APEC (2004) Madrid Resolution (2009) Preventing Harm; (a) Remedies Protecting rights (a) Administrative and Judicial Preventing Harm: (a) from wrongful collec- Protecting rights; (a) Proactive measures to prevent and for privacy infringements, (b) remedies, (b) compensation to the data subject tion, (b) from misuse detect breaches (b) Data Protection Officers (c) Privacy design for preventing harm Impact Assessments (d) audits and codes of practice Notice Notice: (a) when data is collected from the data Notice (a) for individuals to know (b) pur- Openness (a) data collected from the data subject (b) Unless it is already in the public subject, (b) data collected from a third party pose specification data collected from third party domain unless involves a disproportionate effort Collection Limitation(Relevant Data Quality: (a) Fair and Lawful (b) collection Collection Limitation (a) lawful and fair (b) (a) Lawfulness and fairness (b) data quality information according to specific limitation (c) adequate, relevant and non-exces- purpose specification in reference to the General Principles for Credit Reporting purposes) sive (d) accurate and kept up to date collection (e) data retention Uses of PI (Specific purposes) See accountability and legitimate data pro- Uses of PI (a) in reference to the purposes Purpose specification cessing of collection (b) consent (c) interest of the individual (d) legal obligation Choice Legitimate Data processing (a) Choice b) con- Choice (a) where appropriate (b) accessible Legitimacy (a) consent (b) legitimate interest (c) legal tract (c) legal obligation (d) interest of the data and affordable mechanisms to provide contract (c) legal obligation (d) exceptions subject (e) public interest choice Integrity (Accuracy and com- (see data quality) Integrity (a)accuracy and completeness (b) (see data quality) pleteness) up to date (c) for the purpose of the use Security Safeguards (a) Security (b) Confidentiality Security Safeguards (a) proportional to (a) Security Measures (b) Confidentiality likelihood of harm (b) proportional to sever- ity of harm Access and Correction Access and rectification Notification to third Access and Correction (a) conditions on Access, rectification and deletion Notification to third parties timing, fees and process (b) sufficient proof parties of identity (c) explanation of codes included Right to Object (a) justified by personal circum- Right to object: (a) legitimate reason, (b) when a deci- stances (b) when a decision is based SOLELY sion is based Solely on automated processing of data on automated processing of data to evaluate with exceptions related to legal relations. his creditworthiness Accountability (Data Controllers) Accountability (a) single purpose or related Accountability: (a) ensure compliance with Accountability: (i) ensure compliance, (ii) mechanisms purposes (b) register open to consultation the principles, (b) subject to conditions to show compliance to data subjects and supervisory (c) prior checking by authorities authorities Transfer to third parties subject to adequate See accountability International transfer subject to adequate level of level of protection protection Annex 3 Figure 8 illustrates a type of consensual data dispute of the resolution process does not preclude the data mechanism. The data subject initiates a dispute. The subject from seeking redress of grievances in a court of relevant credit reporting service provider(s) then initi- law. However, compensation for damages must be al- ates the review process, which is likely to involve the leged only when appropriate (e. g damage is the result data provider or data source. In this example it is as- of a wrongful act by any of the credit reporting system sumed that the process takes between 15 and 30 days. participants or when the damage has had a significant The resolution of the dispute is notified not only to the impact on the data subject). data subject itself, but also to other interested parties, namely users showing recent enquiries on that particu- On some occasions the data is not corrected retrospec- lar data subject. In this last regard, it is particularly rel- tively in the relevant database up to the moment where evant that data subjects be provided with a list of users the error was initially generated. This has the potential who accessed their data lately in order to ensure that to cause adverse impacts for consumers, especially in such users have been notified of any corrections in those credit reporting products and services where his- data, if applicable. It should be noted that the outcome torical data comprising longer periods of time is used. Figure 8: Example of a Data Dispute Mechanism Between 15–30 days Consumer Open file Search in the CRS No Hit CRS Investigate with Hit Source confirms data source Notify the consumer Source corrects data Notify the consumer OK Consumer Close File Notify users Close File Consumer not OK Mediation Alternative Judicial system Dispute Resolution Conciliation 55 Annex 4 Select Bibliography 1. Basic publications and select relevant 2005; and (3) discussions surrounding the revision of legal texts and references the CPSS-IOSCO standards on Financial Market Infra- structure, to be released in mid-2011. Asian-Pacific Economic Co-operation (APEC), Pri- vacy Framework, November, 2004. Directives for Harmonisation of Data Protection in the Ibero-American Community, adopted by the Ibero- Basel Committee on Banking Supervision, (1) American Data Protection Network, November 2007. Basel Accord I (several documents); (2) Basel II Framework and Basel II Implementation (several European Commission, Report of Expert Group on documents); (3) Credit Risk Assessment and Valuation Credit Histories, DG Internal Markets and Services, May for Loans, BIS 2006. (4) Credit Risk Modeling Practices 2009. and Application, BIS 1999. (5) Principles for the Man- agement of Credit Risk, BIS 2000. European Parliament and the Council, (1) Direc- tive 95/46/EC of the European Parliament and of the Centre for Latin American Monetary Studies, (1) Council on the protection of individuals with regard to Credit and Loan Reporting Systems in Argentina, 2010; the processing of personal data and on the free move- (2) Credit and Loan Reporting Systems in Brazil, 2005; ment of such data, October 1995; (2) Directive 2003/98/ (3) Credit and Loan Reporting Systems in Chile, 2008; EC of the European Parliament and of the Council (4) Credit and Loan Reporting Systems in Colombia, on the re-use of public sector information, November 2005; (5) Credit and Loan Reporting Systems in Costa 2003; (3) Convention of the Council of Europe for the Rica, 2006; (6) Credit and Loan Reporting Systems in Protection of Individuals with regard to Automatic Guatemala (forthcoming); (7) Credit and Loan Re- Processing of Personal Data (ETS Nº 108) and its Addi- porting Systems in Mexico, 2005; (8) Credit and Loan tional Protocol regarding Supervisory Authorities and Reporting Systems in Panama (forthcoming); (9) Cred- Trans-border Data Flows (ETS Nº 181). it and Loan Reporting Systems in Paraguay (forthcom- ing); (10) Credit and Loan Reporting Systems in Peru, International Conference on Data Protection and 2006; (11) Credit and Loan Reporting Systems in Trini- Privacy Commissioners, Madrid Resolution, a joint dad and Tobago (forthcoming); (12) Credit and Loan proposal for international standards on data protection, Reporting Systems in Uruguay, 2006. Madrid 2009. Committee on Payment and Settlement Systems Memorandum of Understanding on the Exchange of (CPSS), (1) Core Principles for Systemically Important Information among National Central Credit Registers Payment Systems, BIS, 2001; (2) CPSS, Central Bank for the Purpose of Passing it to Reporting Institutions, Oversight on Payment and Settlement Systems, BIS, February 2003. General Principles for Credit Reporting Organization for Economic Co-operation and Basel Committee on Banking Supervision, Interna- Development, (1) Guidelines on the Protection of tional Convergence of Capital Measurement and Privacy and Trans-border Flows of Personal Data, Sep- Capital Standards: a Revised Framework, Basel, tember 1980; (2) Principles of Corporate Governance, Switzerland, 2006. 1999 (r. 2004). . .S. Bostic, R.W and P Calem. “Privacy Restrictions and the Principles on Privacy and Personal Data Protection Use of Data at Credit Registries.� In Credit Reporting for Law Enforcement Purposes, agreed by the United Systems and the International Economy, edited by States and the European Union, May 2008. Margaret Miller. Cambridge: MIT Press, 2003. Steering Committee on Reciprocity (U.K.), Vol- Brown, M. and C. Zehnder. “Credit Reporting, Rela- untary principles for credit reporting systems on reci- tionship Banking and Loan Repayment.� Journal of procity, 2010. Money, Credit and Banking 39 (December 2007): 1883–1918. United Nations, Resolution 45/95 “Guidelines con- cerning computerized personal data files�. December Cowan, K, and Jose de Gregorio. “Credit Information 1990. and Market Performance: The Case of Chile.� In Credit Reporting Systems and the International U.S. Department of Commerce, Safe harbor priva- Economy, edited by Margaret Miller. Cambridge: cy principles and related frequently asked questions. MIT Press, 2003. World Bank Group, (1) Credit Reporting Systems De Janvry, A. Craig McIntosh and Elisabeth Sadoulet. Around the Globe: The State of the Art in Public Credit “The Supply- and Demand-Side Impacts of Credit Registries and Private Credit Reporting Firms, Margaret Market Information.� Forthcoming in the Journal of Miller 2006; (2) Credit Bureau Knowledge Guide, Inter- Development Economics. September 2009. national Finance Corporation, 2006. Djankov, S., C. McLiesh and A. Shleifer. “Private Credit in 129 Countries.� 2007. 2. Select academic and empirical research on credit reporting and related matters Doing Business. Getting Credit. www.doingbusiness.org Akerlof, George A. “The Market for “Lemons�: Quality Falkenheim, M. and Anthony Powell. “The Use of Public Uncertainty and the Market Mechanism.� The Quar- Credit Registry Information in the Estimation of Ap- terly Journal of Economics 84 (August 1970): 488– propriate Capital and Provisioning Requirements.� 500. Published by The Oxford Press. In Credit Reporting Systems and the International Economy, edited by Margaret Miller. Cambridge: Avery, Robert B., Paul S. Calem, and Glenn B. Canner. MIT Press, 2003. “Credit Report Accuracy and Access to Credit.� Fed- eral Reserve Board 2004. Galindo, Arturo and Margaret Miller, “Can Credit Registries Reduce Credit Constraints? Empirical Ayyagari, Meghna, Thorsten Beck, and Asli Demirguc- Evidence on the Role of Credit Registries in Firm In- Kunt, “Small and Medium Enterprises across the vestment Decisions�, IDB-IIC 42nd Annual Meeting, Globe.� Small Business Economics 29 (December Santiago, Chile, 2001. 2007): 415–434. Gehrig, T. and R. Stenbacka. “Information sharing and Barron, John, and Michael Staten. “The Value of Com- lending market competition with switching costs prehensive Credit Reports: Lessons from the U.S. and poaching.� European Economic Review 51 Experience.� 2000. (January 2007):77–99. 58 Annex 4 He, Xuehui and Yiming Wang. “Bank Loan Behavior and nomic Policy 25 (201): 659–702. doi: 10.1111/j.1468- Credit Information Sharing: An Insight from Mea- 0327.2010.00252.x surement Costs.� Journal of Economic Policy Re- form 10 (2007): 325–333. Padilla, A. Jorge and Marco Pagano. “Endogenous Com- munication Among Lenders and Entrepreneurial Jappelli Tullio and Marco Pagano. “Information Sharing Incentives.� The Review of Financial Studies, 10 in Credit Markets: The European Experience.� Cen- (Spring 1997): 205–236. tre for Studies in Economics and Finance, Working Paper No. 35 (March 2000). Pagano, Marco and Tullio Jappelli. “Information Shar- ing in Credit Markets.� The Journal of Finance, 43 Jentzsch, Nicola and Amparo San José Riestra, “Informa- (1993): 1693–1718. tion Sharing and its Implication for Consumer Credit Markets: United States vs. Europe.� Paper prepared Rothschild, Michael and Joseph Stiglitz. “Equilibrium for the European University Institute Workshop in Competitive Insurance Markets: An Essay on the “The Economics of Consumer Credit: European Ex- Economics of Imperfect.� The Quarterly Journal perience and Lessons from the U.S.,� Florence, May of Economics 90 (November 1976): 629–649. Pub- 13–14, 2003. lished by: The MIT Press. Joseph E. Stiglitz and Andrew Weiss. “Credit Rationing Spence, Michael. “Job Market Signaling.� The Quarterly in Markets with Imperfect Information.� The Ameri- Journal of Economics 87 (August 1973): 355–374. can Economic Review 71 (June 1981): 393–410. Published by The Oxford Press. Klapper, Leora. “The Role of Factoring for Financing Saurina, Jesus, and Carlos Trucharte. “The impact on Small and Medium Enterprises.�Journal of Banking Lending to Small-and-Medium-Sized Firms. A Regu- and Finance 30 (2006). latory Policy Assessment Base on Spanish Credit Reg- ister Data.� Journal of Financial Services Research Love, Inessa and Nataliya Mylenko. “Credit Reporting 26 2004:121–144. and Financing Constraints.� World Bank Policy Re- search Working Paper 3142, October 2003. Salas, Jesus Saurina and Carlos Trucharte. “An Assess- ment of Basel II Procyclicality in Mortgage Portfo- Luoto, Jill, Craig McIntosh, and Bruce Wydick. “Credit lios.� Journal of Financial Services Research 32 Information Systems in Less-Developed Countries: (2007): pp. 81–101. Recent History and a Test.� 2004. Semenova, Maria. “Information sharing in credit mar- Medine, David, Margaret Miller, and Nataliya Mylenko, kets: incentives for incorrect information reporting.� “Principles and Guidelines for Credit Reporting Sys- Comparative Economic Studies 50 (September tems�, 2004. 2008): 381–415. Mishkin, Frederic S. The Economics of Money, Banking Sorge M., and C. Zhang. “Credit information quality and and Financial Markets. Addison-Wesley, 2004, 7th corporate debt maturity: theory and evidence.� The edition. World Bank Policy Research Working Paper, Series 4239, 2007. Olegario, Rowena. A Culture of Credit: Embedding Trust and Transparency in American Business. Trucharte, Carlos. “A Review of Credit Registers and Harvard University Press 2006. their Use for Basel II.� Financial Stability Institute (September 2004). Repullo, R., Jesus Saurina, and Carlos Trucharte, “Mitigating the pro-cyclicality of Basel II.� Eco- 59 General Principles for Credit Reporting Turner, Michael A., Patrick Walker, and Katrina Dusek. . Turner, Michael A., R. Varghese, P Walker and Dusek, “New to Credit from Alternative Data.� PERC, March K. “Optimal Consumer Credit Bureau Market Struc- 2009. ture in Singapore: Theory and Evidence.� PERC, May 2009. 60 Annex 5 Glossary Below is a short glossary of some key terms relating to a credit rating to some financial institutions, despite credit reporting as used in this report. whether the latter are issuing securities in the market- place or not, and have even entered into new business Account Type: Refers to the use and payment method lines, including in some cases credit reporting. of credit selected by the consumer (e.g. revolving, in- stallments). Credit Registries: Model of credit information exchange whose main objectives are assisting bank supervision and Arrears: Failure to pay an obligation when due. enabling data access to regulated financial institutions to improve the quality of their credit portfolios. Borrower: see Debtor. Credit Reporting Service Provider: An entity that Commercial Credit Reporting Companies: Entities administers a networked credit information exchange. that collect information on businesses, including sole proprietorships, partnerships and corporations for the Credit Reporting System: Credit reporting systems purpose of credit risk assessment, credit scoring or for comprise the institutions, individuals, rules, proce- other business purposes such as the extension of trade dures, standards and technology that enable informa- credit. tion flows relevant to making decisions related to credit and loan agreements. Collection agencies: businesses specialized in collect- ing delinquent accounts. Credit Reporting System Participant: Any individ- ual or business that intervenes at one or more points Consent: A data subject’s freely informed and specific throughout the cycle of collecting, storing, processing, agreement, written or verbal, to the collection, process- distributing and, finally, using information to support ing and disclosure of personal data. credit-granting decisions and financial supervision. Consumer: (see data subject) Credit Scoring: A statistical method for evaluating the probability of a prospective borrower fulfilling its finan- Credit Bureau: Model of credit information exchange cial obligations associated with a loan. whose primary objective is to improve the quality and availability of data for creditors to make better-informed Credit Type: Refers to the purpose of the credit (e.g. decisions. mortgage, credit card, consumer credit). Credit Rating Agency: An entity that typically assigns Creditor: One to whom a financial obligation is owed. a credit grade or rating to issuers of certain types of debt Also, an individual or legal person who is engaged in the obligations. More recently credit rating agencies assign business of lending money or selling items for which General Principles for Credit Reporting immediate payment is not demanded but an obligation Moral Hazard: The risk that a party to a transaction of repayment exists as of a future date. has not entered into the contract in good faith. For ex- ample, this may include that party providing mislead- Creditworthiness: The ability of a borrower to repay ing information about its assets, liabilities or credit current and prospective financial obligations on a time- capacity. ly manner. It is used as an assessment of a borrower’s past credit behavior to assist a potential lender to de- National Credit Reporting System: Describes the cide whether or not to extend new credit. broader institutional framework for credit reporting in an economy, including the following: (1) the public Data Privacy: Ability to control one’s personal infor- credit registry, if one exists; (2) private credit reporting mation. See also Data Protection. firms, if they exist, including those run by chambers of commerce, bank associations, and any other orga- Data Protection: Discipline that aims at creating ad- nized database on borrower performance available in equate safeguards to prevent misuse of individual data the economy; (3) the legal framework for credit report- subjects’ information. Comparable to consumer protec- ing; (4) the legal framework for privacy, as it relates to tion in other areas. credit reporting activities; (5) the regulatory framework for credit reporting, including the institutional capacity Data Providers: Creditors and other entities that pro- in government to enforce laws and regulations; (6) the actively and in a structured fashion supply information characteristics of other pertinent borrower data avail- to the credit reporting service providers. able in the economy, such as data from court records, utility payments, employment status; (7) the use of Data Subject: An individual or a business whose data credit data in the economy by financial intermediaries could be collected, processed and disclosed to third and others, for example, the use of credit scoring or use parties in a credit reporting system. of credit data in creating digital signatures; and (8) the cultural context for credit reporting, including, for ex- Debtor: An individual or a business that owes a finan- ample, the society’s view on privacy and the importance cial obligation to a creditor. accorded to reputation collateral. (See credit reporting system). Default: Failure to complete a payment obligation un- der a credit or loan agreement (see delinquency). Negative data: It consists of statements about defaults or arrears and bankruptcies. It may also include state- Delinquency: Situation where the borrower fails to ments about lawsuits, liens and judgments that are ob- meet his/her financial obligations as and when due. tained from courts or other official sources. Financial Infrastructure: The underlying foundation Networked Credit Information Exchange: Mecha- for a country’s financial system. It includes all institu- nism enabling credit information collection, processing tions, information, technologies, rules and standards and further disclosure to users of data as well as value that enable financial intermediation. added services based on such data. Hit: A positive match from an inquiry on a data subject Other Data Sources: Entities that collect information is made by a creditor or other party and the data stored for purposes different than credit granting decision- in a credit reporting service provider. making and/or financial supervision. These entities typi- cally do not pro-actively provide the information they Late Payment: Any payment posted after the due date collect to credit reporting service providers but rather (see arrears). In the credit report is represented by the can be consulted upon request. number of days after the due date. Payment history: A detailed compilation of past and Lender: See Creditor. current payment behavior. 62 Annex 5 Positive Data: Information that covers facts of con- Reciprocity: Mutual exchange of information. tractually compliant behavior. It includes detailed statements about outstanding credit, amount of loans, Sensitive Data: Personal data that affect the individu- repayment patterns, assets and liabilities, as well as al’s most intimate sphere or that could lead a party that guarantees and/or collateral. The extent to which posi- gets hold of such data to discriminate against, or cre- tive information is collected typically depends on na- ate a serious risk to, certain individuals. Sensitive data tional legislation, including the data protection regime. typically includes gender, health status, marital status, national origin, political affiliation, race, sexual orienta- Public Records: Information filed or recorded by tion, or union membership, among others. government agencies that is made available to the pub- lic under existing laws. Typical public records include User: An individual or business that requests credit corporate and property records, court judgments, and reports, files or other related services from credit re- identification information, among others. These re- porting service providers, typically under pre-defined cords are subject to be made available to the public. conditions and rules. 63 Annex 6 Members of the Task Force Chairman Massimo Cirasino, The World Bank Members Agencia Española de Protección de Datos José Leandro Nuñez Arab Monetary Fund Nabil Al-Mubarak Asociación Latinoamericana de Crédito Luz Maria Salamina Association of Consumer Credit Information Suppliers Neil Munroe Banco Central do Brasil Sidnei Marques Banco de España Ramón Santillán Nuria Armas (alternate) Banca D’Italia Maria Pia Ascenzo Bank for International Settlements Marc Hollanders Business Information Industry Association Joachim Bartels Center for Latin American Monetary Studies Kenneth Coates (until March, 2010) Javier Guzmán Calafell Central Bank of the Republic of Turkey Ayse Dagistan (until September, 2010) Derya Karaburçak Consultative Group to Assist the Poor Nataliya Mylenko Consumer Data Industry Association Stuart Pratt Eric Ellman (alternate) Deutsche Bundesbank Michael Ritter European Bank for Reconstruction and Development Frederique Dahan Alexander Plekhanov (alternate) European Commission Maria Dolores Montesinos Federal Reserve Bank of New York Kevin Coffey Federal Trade Commission Rebecca Kuehn Hugh Stevenson (alternate) General Principles for Credit Reporting Inter-American Development Bank Morgan Doyle International Finance Corporation Tony Lythgoe International Monetary Fund B. Rajcoomar People’s Bank of China Xiaolei Wang Fujun Shao Reserve Bank of India Vinay Baijal Shirish Chandra Murmu (alternate) Secretaría de Hacienda y Crédito Público de México Guillermo Zamarripa (until December, 2010) German Saldivar South Africa’s National Credit Regulator Gabriel Davel (until September, 2010) Darrel Beghin The World Bank Mario Guadamillas Secretariat The World Bank Fredesvinda Montes Shalini Sankaranarayanan Acknowledgments Marc Israel (Bank of France), Professor Tullio Jappelli The members of the Task Force would also like to (University of Naples), Chris Jarrard (Innovis Data thank the following colleagues that contributed to Solutions), Nicola Jentzcsh (the Center for European the work of the Secretariat and the Task Force itself: Policy Studies), Gillian Key-Vice (Experian), David Me- Nagavalli Annamalai, Corina Arteche, Margaret Miller dine (Wilmer Hale), Professor Marco Pagano (Univer- (all World Bank), Jose Antonio Garcia (former World sity of Naples), Professor Andrea Cesare Resti (Bocconi Bank), Matías Gutiérrez Girault (Western Hemisphere University), Oscar Rodriguez (Febraban), Robert Ryan Credit Reporting Initiative) and Peer Stein (Internation- (TransUnion), Jesus Saurina (Bank of Spain), Blair al Finance Corporation). Stewart (The Office of the Privacy Commissioner, New Zealand), Michael Turner (PERC), Sharon Villafana We would also like to thank the following reviewers (Central Bank of Trinidad & Tobago), members of AC- for providing comments on the report: Bruce Bargon CIS, members of BIIA, and the IFC Global Credit Bu- (independent consultant), Joel Heft (Equifax), Jean- reau Program. 66 THE WORLD BANK 1818 H Street, N.W. Washington, DC 20433