FINANCIAL INFRASTRUCTURE SERIES Credit Reporting Policy and Research General Principles for Credit Reporting September 2011 General Principles for Credit Reporting September, 2011 1818 H Street NW Washington DC 20433 Telephone: 202-473-1000 Internet: www.worldbank.org E-mail: feedback@worldbank.org All rights reserved. This volume is a product of the staff of the International Bank for Reconstruction and Development/ The World Bank. The findings, interpretations, and conclusions expressed in this volume do not necessarily re- flect the views of the Executive Directors of The World Bank or the governments they represent. The World Bank does not guarantee the accuracy of the data included in this work. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judgment on the part of The World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries. Rights and Permissions The material in this publication is copyrighted. Copying and/or transmitting portions or all of this work without permission may be a violation of applicable law. The International Bank for Reconstruction and Development / The World Bank encourages dissemination of its work and will normally grant permission to reproduce portions of the work promptly. For permission to photocopy or reprint any part of this work, please send a request with complete informa- tion to the Copyright Clearance Center Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; telephone: 978-750-8400; fax: 978-750-4470; Internet: www.copyright.com. All other queries on rights and licenses, including subsidiary rights, should be addressed to the Office of the Publisher, The World Bank, 1818 H Street NW, Washington, DC 20433, USA; fax: 202-522-2422; e-mail: pubrights@worldbank.org. Book cover and interior design by Michele de la Menardiere. Foreword Financial Infrastructure broadly defined comprises the underlying foundation for a country’s financial system. It includes all institutions, information, technologies, rules and standards that enable financial intermediation. Poor financial infrastructure in many developing countries poses a considerable constraint upon financial institutions to expand their offering of financial services to underserved segments of the population and the economy. It also creates risks which can threaten the stability of the financial system as a whole. The World Bank Group is a leader in financial infrastructure development in emerging markets, including payment systems and remittances, credit reporting and secured lending. Moreover, the World Bank Group is intensifying its commitment to promote and disseminate the policy and research debate on these and other topics within the scope of financial infrastructure and also plays the role of international standard setter in this space. Credit reporting systems are very important in today’s financial system. Creditors consider information held by these systems a primary factor when they evaluate the creditworthiness of data subjects and monitor the credit circum- stances of consumers. This information flow enables credit markets to function more efficiently and at lower cost than would otherwise be possible. This report describes the nature of credit reporting elements which are crucial for understanding credit reporting and to ensuring that credit reporting systems are safe, efficient and reliable. It intends to provide an international agreed framework in the form of international standards for credit reporting systems’ policy and oversight. The Principles for credit reporting are deliberately expressed in a general way to ensure that they can be useful in all countries and that they will be durable. These Principles are not intended for use as a blueprint for the design or operation of any specific system, but rather suggest the key characteristics that should be satisfied by different systems and the infrastructure used to support them to achieve a stated common purpose, namely Expanded Access and Coverage, Fair Conditions, and Safe and Efficient Service for borrowers and lenders. Against this background, the standards are expected to inform the action of authorities in this field, for example central banks and banking supervisors in the context of their supervisory function. It is further envisaged that the standards would be useful to service providers and system operators when designing or modifying their product of- ferings, to financial intermediaries when choosing to be a participant in any specific system, and to end users when agreeing to use a specific system. The report has been prepared by a Task Force coordinated by the World Bank, with support from the Bank for International Settlements. The Task Force comprises representatives from central banks and other financial and pri- vacy regulators, from multilateral organizations involved in credit reporting and from international credit reporting service providers. The Task Force also benefited from the significant experience of the Credit Bureau Team of the International Finance Corporation. Some institutions (“Tier 2” Group), although not considered formally members of the Task Force, have been actively consulted to provide inputs during the process of preparation of the Principles. They include other industry associations, private sector operators, scholars and practitioners. The report was also released for public consultation. The World Bank thanks the members of the task force, the reviewers, the Secretariat and its Chairman Massimo Cirasino, for their excellent work in preparing this report. Janamitra Devan, Vice President World Bank Group Acknowledgments The members of the Task Force would also like to thank the following colleagues that contributed to the work of the Secretariat and the Task Force itself: Nagavalli Annamalai, Corina Arteche, Margaret Miller (all World Bank), Jose Antonio Garcia (former World Bank), Matías Gutiérrez Girault (Banco Central de la República Argentina) and Peer Stein (International Finance Corporation). We would also like to thank the following reviewers for providing comments on the report: Bruce Bargon (inde- pendent consultant), Joel Heft (Equifax), Jean-Marc Israel (Bank of France), Professor Tullio Jappelli (University of Naples), Chris Jarrard (Innovis Data Solutions), Nicola Jentzcsh (the Center for European Policy Studies), Gillian Key-Vice (Experian), David Medine (Wilmer Hale), Professor Marco Pagano (University of Naples), Professor Andrea Cesare Resti (Bocconi University), Oscar Rodriguez (Febraban), Robert Ryan (TransUnion), Jesus Saurina (Bank of Spain), Blair Stewart (The Office of the Privacy Commissioner, New Zealand), Michael Turner (PERC), Sharon Villafana (Central Bank of Trinidad & Tobago), members of ACCIS, members of BIIA, and the IFC Global Credit Bureau Program. TABLE OF CONTENTS I. Introduction and Executive Summary 1 Key Considerations Concerning Credit: Reporting and the General Principles,2 Scope and Use of the General Principles, 5 Structure of the Report, 6 II. Credit reporting systems: brief overview and key considerations 7 2.1. The importance of Credit Reporting Systems, 7 2.2. Key Participants in a Credit Reporting System, 8 2.3. Key Considerations Concerning Credit Reporting,13 2.3.1 Data, 13 2.3.2 Data Processing: Security and Efficiency, 18 2.3.3 Governance Arrangements for Credit Reporting Service Providers and Data Providers and Risk Management, 18 2.3.4 Legal and Regulatory Framework, 19 2.3.5 Cross-border Data Flows, 23 III. The General Principles 25 3.1. Public Policy Objectives, 25 3.2. The General Principles, 25 Data, 25 Data Processing: Security and Efficiency, 30 Governance and Risk Management, 31 Legal and regulatory environment, 34 Cross-border data flows, 39 3.3. The Roles of Credit Reporting System Participants, 41 iii IV. Recommendations for Effective Oversight of Credit Reporting Systems 45 Oversight Recommendation A: Regulation and oversight of credit reporting systems, 45 Oversight Recommendation B: Regulatory and oversight powers and resources, 46 Oversight Recommendation C: Disclosures of objectives and policies with respect to credit reporting systems, 47 Oversight Recommendation D: Application of the General Principles for credit reporting systems, 50 Oversight Recommendation E: Cooperation among authorities, 50 ANNEX 1: Information Cycle for the Creation of a Credit Report 52 ANNEX 2: Basic Existing Models of Credit Reporting Services 55 ANNEX 3: Privacy, Data Protection and Consumer Protection 59 ANNEX 4: Select Bibliography 62 ANNEX 5: Glossary 66 ANNEX 6: Members of the Task Force 70 SECTION I Introduction and Executive Summary 1. Well functioning financial markets contribute to 3. In competitive markets, the benefits of credit report- sustainable growth and economic development, be- ing activities are passed on to borrowers in the form cause they typically provide an efficient mechanism of a lower cost of capital, which has a positive influ- for evaluating risk and return to investment, and then ence on productive investment spending.3 Improved managing and allocating risk. Financial infrastructure information flows also provide the basis for fact-based (FI) is a core part of all financial systems. The quality and quick credit assessments, thus facilitating access to of financial infrastructure determines the efficiency of credit and other financial products to a larger number intermediation, the ability of lenders to evaluate risk of borrowers with a good credit history (i.e. good re- and of consumers to obtain credit, insurance and other payment prospects). financial products at competitive terms. Credit report- ing is a vital part of a country’s financial infrastructure1 4. While credit reporting systems are developing rap- and is an activity of public interest. idly across the world, there are no principles to sys- tematically guide the various stakeholders in dealing 2. Credit reporting addresses a fundamental problem with the challenges associated with the development of credit markets: asymmetric information between and day-to-day operation and improvement of these borrowers and lenders, which may lead to adverse systems. The Credit Reporting Standards Setting Task selection, credit rationing, and moral hazard prob- Force was launched by the World Bank, with the sup- lems.2 Regulators and financial market participants are port of the Bank for International Settlements, to fill therefore increasingly recognizing the value of credit this critical gap, aiming to provide a core set of gen- reporting systems for improved credit risk and overall eral principles to guide these efforts in any given credit portfolio management, to enhance financial su- jurisdiction. pervision and financial sector stability, and as a tool to enhance access to credit. 3 For more information on how credit reporting can lower the cost of capital, see Marco Pagano and Tullio Jappelli, “Information Sharing in Credit Markets,” The Journal of Finance, 43 (1993): 1693-1718; A. Jorge Padilla and Marco Pagano, “Endogenous Communication Among Lenders and Entrepreneurial Incentives,” The Review of Financial Studies, 10 (Spring 1997): 205-236; and Tullio Jappelli 1 The World Bank, “Financial Infrastructure: Building Access Through and Marco Pagano, “Information Sharing in Credit Markets: The European Transparent and Stable Financial Systems”, Financial Infrastructure Policy and Experience,” Centre for Studies in Economics and Finance, Working Paper No. Research Series, Washington D.C., 2009. 35 (March 2000). 2 Some of these issues are analyzed in further detail in Section 2 of this report. 1 2 GENERAL PRINCIPLES 5. The general principles are intended for policymak- Accord)6, the work developed by the European Central ers, regulators, financial supervisors, credit reporting Bank (ECB) through the Working Group on Credit data providers, credit reporting service providers, the Registers, the work of the International Conference users of such services, and individuals and business- of Data Protection and Privacy Commissioners which es whose credit histories and identification data are has debated the role of privacy and data protection stored in these systems (the latter two are referred to from a broad perspective including credit reporting, as “data subjects” throughout the report). In addition the privacy frameworks developed by The European to the principles, the Task Force has also developed a Union, APEC and OECD,7 and the work conducted set of specific roles, one for each of the stakeholders in by the European Commission Directorate General credit reporting systems, as well as recommendations on Internal Markets and Services regarding the chal- for effective oversight of credit reporting systems. lenges of cross-border credit data flows in the context of credit reporting.8 6. The principles and related roles define the minimum elements underlying a sound, efficient and effective credit reporting system. Different markets around the Key Considerations world are at different stages in terms of the develop- concerning Credit Reporting ment of their own credit reporting systems, and the and the General Principles Task Force recognizes that while credit reporting sys- tems in some jurisdictions will already fulfill some or 8. The key considerations concerning credit reporting probably even most of the principles, in others obser- systems can be broadly grouped around the following vance of the principles will need medium to long-term topics: i) data; ii) data processing; iii) governance ar- efforts. rangements and risk management; iv) legal and regu- latory environment; and, v) cross-border data flows. 7. The report builds on previous work in the area of The General Principles are organized around these five credit reporting and related fields such as data protec- topics. These five General Principles aim at the follow- tion and credit risk management.4 The World Bank ing public policy objectives for credit reporting sys- Group, through the Global Credit Bureau Program and tems: Credit reporting systems should effectively support the Western Hemisphere Credit Reporting Initiative,5 the sound and fair extension of credit in an economy as has analyzed issues affecting the creation and overall the foundation for robust and competitive credit mar- functioning of domestic credit reporting systems, and kets. To this end, credit reporting systems should be safe their continuous development through reforms. Other relevant work includes that of the Basel Committee 6 For further information visit the website of the Bank for International on Banking Supervision (mainly the Basel Capital Settlements at www.bis.org. 7 Information on these efforts can be found on the websites of, APEC (www. apec.org), OECD (www.oecd.org) and the Spanish Data Protection Agency (www. 4 The list of relevant references presented in this paragraph is not intended to agpd.es). For the European Union Privacy framework please see The Convention be exhaustive. of the Council of Europe for the Protection of Individuals with regard to 5 The Global Credit Bureau Program was created by the IFC in 2001, to improve Automatic Processing of Personal Data (ETS Nº 108) and its Additional Protocol credit bureaus worldwide through promoting the role of the private sector in their regarding supervisory authorities and trans-border data flows (ETS Nº 181); development. The Western Hemisphere Credit Reporting Initiative is a program Directive 95/46/EC of the European Parliament and of the Council of 24 October created in 2004 following a request from the central banks of Latin America and 1995 on the protection of individuals with regard to the processing of personal the Caribbean. The objective of the program is to assess and describe credit and data and on the free movement of such data. loan reporting systems in the Western Hemisphere, and provide recommenda- 8 The full report from the Expert Group on Credit Histories is available at tions for their improvement. The latter program is led by the World Bank in http://ec.europa.eu/internal_market/consultations/docs/2009/credit_histories/ association with CEMLA, and with financial support from the FIRST Initiative. egch_report_en.pdf GENERAL PRINCIPLES 3 Box 1: The General Principles The General Principles aim at the following public policy objectives for credit reporting systems: Credit reporting systems should ef- fectively support the sound and fair extension of credit in an economy as the foundation for robust and competitive credit markets. To this end, credit reporting systems should be safe and efficient, and fully supportive of data subject and consumer rights. Data General Principle 1: Credit reporting systems should have relevant, accurate, timely and sufficient data - including positive - col- lected on a systematic basis from all reliable, appropriate and available sources, and should retain this information for a sufficient amount of time. Data Processing: Security and Efficiency General Principle 2: Credit reporting systems should have rigorous standards of security and reliability, and be efficient. Governance and Risk Management General Principle 3: The governance arrangements of credit reporting service providers and data providers should ensure account- ability, transparency and effectiveness in managing the risks associated with the business and fair access to the information by users. Legal and Regulatory Environment General Principle 4: The overall legal and regulatory framework for credit reporting should be clear, predictable, non-discriminatory, proportionate and supportive of data subject and consumer rights. The legal and regulatory framework should include effective judicial or extrajudicial dispute resolution mechanisms. Cross-Border Data Flows General Principle 5: Cross-border credit data transfers should be facilitated, where appropriate, provided that adequate require- ments are in place. Roles of Key Players Role A: Data providers should report accurate, timely and complete data to credit reporting service providers, on an equitable basis. Role B: Other data sources, in particular public records agencies, should facilitate access to their databases to credit reporting service providers. Role C: Credit reporting service providers should ensure that data processing is secure and provide high quality and efficient services. All users having either a lending function or a supervisory role should be able to access these services under equitable conditions. Role D: Users should make proper use of the information available from credit reporting service providers. Role E: Data subjects should provide truthful and accurate information to data providers and other data sources. Role F: Authorities should promote a credit reporting system that is efficient and effective in satisfying the needs of the various partici- pants, and supportive of data subject/consumer rights and of the development of a fair and competitive credit market. Section I. Introduction and Executive Summary 4 GENERAL PRINCIPLES Box 1 (continued): Recommendations for Effective Oversight Recommendation A: Credit reporting systems should be subject to appropriate and effective regulation and oversight by a central bank, a financial supervisor, or other relevant authorities. It is important that one or more authorities exercise the function as primary overseer. Recommendation B: Central banks, financial supervisors, and other relevant authorities should have the powers and resources to carry out effectively their responsibilities in regulating and overseeing credit reporting systems. Recommendation C: Central banks, financial supervisors, and other relevant authorities should clearly define and disclose their regulatory and oversight objectives, roles, and major regulations and policies with respect to credit reporting systems. Recommendation D: Central banks, financial supervisors, and other relevant authorities should adopt, where relevant, the General Principles for credit reporting systems and related roles, and apply them consistently. Recommendation E: Central banks, financial supervisors, and other relevant authorities, both domestic and international, should cooper- ate with each other, as appropriate, in promoting the safety and efficiency of credit reporting systems. and efficient, and fully supportive of data subject/con- all reliable, appropriate and available sources, and should sumer rights (see Box 1 for a list of the five General retain this information for a sufficient amount of time. Principles, the related roles, and the recommendations for the effective oversight of credit reporting systems). 10. Credit data reside in databases and other types of data-holding methods that are subject to security and 9. Information quality is the basic building block of safety concerns, including loss, destruction, corrup- an effective credit reporting environment. Accuracy tion, theft and misuse. Moreover, as credit reporting of data implies that such data is free of error, truthful, services are increasingly important for financial mar- complete and up to date. Inaccurate data may lead to ket development, the reliability of credit reporting data numerous problems, including unjustified loan denials providers and credit reporting service providers is a or higher borrowing costs. Quality also means that data crucial element of an effective credit reporting sys- is sufficient and adequate, implying that: i) relevant de- tem. At the same time, users of credit reporting ser- tailed information is captured, including negative as vices expect affordable services that meet their needs well as positive data; ii) information from as many rel- on a continuous basis. General Principle 2 is, there- evant sources is gathered, within the limits established fore, that credit reporting systems should have rigorous by law; iii) information is sufficient in terms of the standards of security and reliability, and be efficient. period over which observations are available. General Principle 1 is, therefore, that credit reporting systems 11. The growing importance of credit reporting and the should have relevant, accurate, timely and sufficient data potentially sensitive nature of the activities it entails re- - including positive - collected on a systematic basis from quire that proper governance arrangements for credit GENERAL PRINCIPLES 5 reporting service providers and credit reporting data 13. As financial markets are increasingly globalized, providers be in place in order to ensure appropriate cross-border data transfers can become a useful in- levels of management accountability and transparency strument to monitor the credit exposures of important in their activities. Good governance arrangements are borrowers outside a financial institution’s home mar- also crucial for ensuring that the organization will be kets, or to facilitate the provision of credit and other fi- able to cope successfully with the risks underlying the nancial services across borders (e.g. to individuals that information sharing and credit reporting businesses, do not have a credit history in the country where they including mainly operational risks, legal risks, and are applying for credit). In addition, a single mecha- reputational risks. Governance arrangements should nism serving more than one country can be the only also ensure that fair competition in the market place cost-effective option for credit reporting activities to and the robustness of the credit reporting system are develop in some small markets. While in principle not compromised because of the particular ownership cross-border data flows raise similar concerns as pure- structure of the credit reporting service provider or ly domestic credit reporting activities, cross-border ac- data provider. General Principle 3 is, therefore, that the tivities typically face a more complex environment due governance arrangements of credit reporting service pro- to the multiplicity of applicable laws, consumer pro- viders and credit reporting data providers should ensure tection frameworks, credit cultures, market practices, accountability, transparency and effectiveness in manag- and institutional structures, among others. General ing the risks associated with the business and fair access Principle 5 is, therefore, that cross-border credit data to the information by users. transfers should be facilitated, where appropriate, pro- vided that adequate requirements are in place. 12. A robust legal and regulatory framework cover- ing all relevant aspects involving credit reporting is critical for the sound functioning of credit reporting Scope and use of the General systems. In particular the legal and regulatory frame- Principles works should provide a balanced solution to the natu- ral tension between the objectives of having access to 14. The scope of the principles includes those credit broader sources of information for enhanced credit reporting mechanisms whose primary objective is to reporting and the interest in preserving individual pri- improve the quality of data for creditors to make bet- vacy. There is no clear consensus on what constitutes ter-informed decisions, as well as those mechanisms an optimal legal and regulatory framework for credit intended to assist banking and overall financial super- reporting. In addition to contractual agreements, a vision. These principles are not intended to apply to clear trend worldwide is that laws be enacted to help credit rating agencies.9 At the same time, not all of the protect privacy and provide data subjects with the principles may be applicable to commercial credit re- ability to access and correct information about them. porting companies or registries that provide informa- General Principle 4 is, therefore, that the overall legal tion and ratings to businesses for the purpose of evalu- and regulatory framework for credit reporting should ating trade credit. be clear, predictable, non-discriminatory, proportionate and supportive of data subject and consumer rights. The legal and regulatory framework should include effective 9 Credit rating agencies typically provide debt or securities rating services for judicial or extrajudicial dispute resolution mechanisms. businesses. In some countries, credit rating agencies are starting to provide other types of services, including credit reporting services. In such a case, the principles would apply over this particular line of business. Section I. Introduction and Executive Summary 6 GENERAL PRINCIPLES 15. While the principles are intended to have univer- sal applicability, they are non-binding and do not aim at detailed prescriptions for action at national level. Rather, they seek to identify objectives and suggest various means for achieving them. They can be used by policy makers and other stakeholders as a refer- ence point when examining the status quo of credit reporting in their jurisdictions and the need for re- forms. International financial institutions such as the World Bank Group, the International Monetary Fund, regional development banks, and others may also use these principles when carrying out assessment pro- grams and in providing technical assistance to coun- tries. Moreover, the principles and related roles are evolutionary in nature and might be reviewed in light of significant changes in the environment surrounding credit reporting. Structure of the Report 16. Section 2 provides a brief overview of the market for credit information sharing and credit reporting ac- tivities and then analyzes in some detail the key con- siderations underlying credit reporting. Section 3 out- lines the General Principles and related Roles. Section 4 proposes a framework for the effective oversight of credit reporting systems. SECTION II Credit reporting systems: brief overview and key considerations 2.1. The importance of Credit is evaluating whether to extend credit to the debtors. Reporting Systems Creditors, therefore, are often limited in their ability to assess the credit risk associated with lending money or 17. Credit reporting systems comprise the institutions, providing goods and services on credit. Such informa- individuals, rules, procedures, standards and technol- tion asymmetries can result in the following less than ogy that enable information flows relevant to making optimal outcomes: (i) potential debtors who are the decisions related to credit and loan agreements. At most likely to produce undesirable outcomes being the their core, credit reporting systems consist of databas- ones that most actively seek out a loan, and are likely es of information on debtors, together with the insti- to be selected since good debtors are less willing to pay tutional, technological and legal framework supporting a risk premium and hence tend to withdraw their loan the efficient functioning of such databases. The infor- applications (so-called “adverse selection problem”);12 mation stored in these systems can relate to individuals (ii) debtors being able to borrow more money (or and/or businesses.10 goods or services) than they are able to repay under normal circumstances, or creditors willing to lend only 18. A fundamental challenge affecting the relationship a fraction of the money that the debtor can steadily re- between creditors and debtors is that of asymmetric pay; (iii) as debtors have more information than credi- information.11 Debtors are more informed about their tors, they may enter into a contract with no intention financial situation or standing than the creditor who of honoring it (the so-called “moral hazard” problem). 19. Credit reporting systems reduce information asym- See also the definition of National credit reporting system in the Glossary. metries by making a debtor’s credit history available to 10 One of the objectives of this report is to provide a consistent and standard set of definitions of key concepts in credit reporting. potential creditors, and are therefore an effective tool 11 The problem of asymmetric information is well described in several aca- in mitigating issues of adverse selection and moral demic papers including George A. Akerlof, “The market of Lemons: Quality, Uncertainty and the Market Mechanism”, The Quarterly Journal of Economics hazard. Through credit reporting information and the 84 (August 1970) using the credit market in India in the 1960s for one of his tools derived from it (e.g. credit scores), creditors can examples; Michael Spence, “Job Market Signaling,” The Quarterly Journal of better predict future repayment prospects based on a Economics 87 (August 1973); Michael Rothschild and Joseph Stiglitz “Equilibrium in Competitive Insurance Markets: An Essay on the Economics of Imperfect Information,” The Quarterly Journal of Economics 90 (November 1976); and finally also Joseph Stiglitz and Andrew Weiss, “Credit rationing in markets with imper- 12 For example, see Frederic S. Mishkin, The Economics of Money, Banking and fect information,” The American Economic Review 71 (June 1981). Financial Markets (Addison-Wesley, 2004) 7th edition, p 32. 7 8 GENERAL PRINCIPLES debtor’s past and current payment behavior and level 2.2. Key Participants in a Credit of indebtedness, among other factors. Reporting System 20. Historically, credit would be granted on the basis 23. While different models of credit reporting exist of a credit officer’s personal knowledge of the debtor. throughout the world, each of them involves a num- Robust credit reporting systems capture most of this ber of actors that intervene at one or more points information and sometimes even facts that might not throughout the cycle of producing/collecting, storing, be disclosed to credit officers. Moreover, creditors are processing, distributing and, finally, using information generally able to access credit reporting information to support credit-granting decisions and financial su- at a fraction of the cost and time of traditional lend- pervision.16 Figure 1 illustrates this cycle and identifies ing mechanisms.13 Credit reporting systems aim to the key participants involved in each step. provide objective data, which favors segments of the population that may have been denied credit in the 24. A large variety of private and public entities gather past due to some form of prejudice (e.g. assuming that information on individuals and businesses. Many pri- a low-income individual is always a bad debtor). vate organizations collect such information as an an- cillary activity derived from their ordinary commer- 21. Credit reporting systems also serve to discipline cial activities involving the sale of goods or services. debtor behavior. A good credit history facilitates access Other private entities specialize in the collection of to credit and can often obviate the need for debtors to information per se, with the intention of selling it to put up tangible collateral for loans.14 Debtors who un- interested parties. Some public sector agencies col- derstand this are motivated to make payments on time lect information to build public records for a variety so as to continue to have access to credit products un- of public interests (e.g. to better inform public policy der favorable conditions. decisions, administration of justice, or creating and updating vehicle inventories, etc.). 22. Financial supervisory authorities use credit report- ing data for macro and micro prudential supervision 25. The individuals and businesses whose information and monitoring of systemic risk levels and producing and data are collected, shared or distributed through- macro statistics of financial system performance. The out the credit reporting system are referred to as data analysis of credit risk management, provisions and subjects in this report. In some jurisdictions, a data capital adequacy, for example, benefits from the avail- subject does not need to have an actual contractual ability of credit information held by credit reporting relationship with a creditor for its information to be service providers.15 included in the credit reporting system.17 In others, in- formation on data subjects can be collected and treated 13 It should be noted that credit reporting is normally only one of the inputs only with the consent from the data subject and only that goes into the decision of whether to extend a loan. for some specific purposes. In yet other cases, although Jappelli and Pagano (2000) show that better information may lead banks to data can be collected with no data subject consent for 14 shift from collateral-based lending credit underwriting policies to more infor- mation-based policies. Margaret Miller, ed., Credit Reporting Systems and the International Economy (Cambridge: The MIT Press, 2003), shows how credit 16 Annex 2 provides a detailed description of the main existing models of bureaus can provide borrowers with “reputation collateral”, frequently viewed as credit reporting. more valuable than physical collateral by surveyed lenders. 17 In the United Kingdom, identification information is captured directly from 15 For an analysis of the usefulness of credit reporting data in relation to Basel the voters roll and included in the credit reporting system. Also, in the United II, see, for example, the following papers: Carlos Trucharte Artigas, “A Review of States credit reporting service providers collect information from sources that do Credit Registers and their Use for Basel II”, Financial Stability Institute (September not grant credit as is normally understood, like utility companies. 2004); Jesús Saurina Salas and Carlos Trucharte, “An Assessment of Basel II Procyclicality in Mortgage Portfolios, Journal of Financial Services Research 32 (2007); pp. 81-101; Rafael Repullo, Jesús Saurina and Carlos Trucharte, “Mitigating the pro-cyclicality of Basel II,” Economic Policy 25 (2010). GENERAL PRINCIPLES 9 Figure 1: Key Participants in a Credit Reporting System specific purposes, explicit consent might be required entities are referred to as “other private databases” in for distributing or disclosing information when the the report. Other entities collect information for pur- purpose of such distribution or disclosure and the pur- poses different than credit granting decision-making pose for which the data was collected differ. or financial supervision. Those sources that do not pro- actively provide the information they collect to credit 26. All the private and public entities that collect infor- reporting service providers but rather can be consulted mation on data subjects are potential sources of infor- upon request, are referred to throughout this report as mation for other parties interested in such information. “other data sources.” These other sources may include Those entities that pro-actively provide information to databases on bounced cheques, promissory notes and other parties, either because of commercial reasons, protested bills of exchange, collateral registries, vehicle agreements or a legal obligation to do so, are referred registries, real estate registries, personal identity re- to as “data providers.” Some of the most common data cords, company registries, tax authority databases and providers include commercial banks, other non-bank some court records. It is worth noting that in some ju- financial institutions, credit card issuers, and in some risdictions some of these databases may actually meet cases non-financial creditors such as retailers and util- the definition of data providers rather than the one ity providers. Some entities collect information (for used herewith for “other data sources”. instance court judgment data), compile it and sell it to credit reporting service providers,18 to complement the 27. Credit information collected is of interest to a vari- data collected under reciprocity arrangements. These ety of other parties, which are referred to as the “users” of this information. A typical user would be a creditor 18 See paragraph 29 for a definition of credit reporting service provider. who has been approached by a potential borrower or a Section II. Credit Reporting Systems 10 GENERAL PRINCIPLES Figure 2: Main Users of Credit Reporting Source: Other creditors include: retailers, utility providers, telecom providers, deferred payment providers, to name a few. The term “merchant traders” refers to suppliers of trade credit, or trade creditors. debtor for a loan and who orders a credit report on the provider will have its own methodology for collecting applicant to evaluate the loan request. However, credit or producing it. On the other hand, providing credit information might be of interest to other users, which information to third parties is not a core business of range from financial supervisors and other units with- many of the entities that collect such information. in a central bank, to users in other sectors of the econ- omy, like employers, insurers or landlords. In some ju- 29. As a result of the above, specialized intermediaries risdictions the system might be open to individuals or have emerged in order to fill the gap between the needs businesses showing a legitimate interest for accessing a of users and those of the entities that gather credit in- particular credit report. Figure 2 depicts the main us- formation from individuals and businesses. These spe- ers of credit reporting services and products. cialized intermediaries are denominated here as “credit reporting service providers” (CRSPs). 28. Actual practices, however, do not frequently in- volve a direct relationship between the users and the 30. Credit reporting service providers perform many data providers or other data sources. On the one hand, important functions. For instance, information re- users may find it difficult and/or costly to utilize in- ceived from data providers, or that collected from oth- formation that was collected or produced based on er data sources, is cleaned, validated (i.e. checked for different methodologies – in the extreme, each data consistency) and stored in a standardized data format. GENERAL PRINCIPLES 11 FIgure 3: Credit Reporting Service rpoviders Credit reporting service providers then supply orga- mally referred to as a public credit registry. This taxon- nized information to users in a certain format that can omy is not necessarily appropriate. First, as previously be used more efficiently for credit assessment purpos- discussed, some “private” credit bureaus do support es. The data provided refers both to consumer lending public functions like financial supervision, and sev- and to commercial lending. eral “public” credit registries provide services that are of interest for private sector activities. Moreover, there 31. Broadly speaking, two main types of credit report- are cases where credit bureaus are partially or wholly- ing service providers can be identified based on the owned by the public sector. Other scenarios that are primary objective each of them fulfills: i) those service inconsistent with the private credit bureau and pub- providers aiming primarily at improving the quality lic credit registry taxonomy are illustrated in Figure and availability of data for financial and non-financial 3. Because of such inconsistencies, the terms “private/ creditors to make better-informed decisions; and, ii) public” will not be associated with either credit bureaus those service providers whose primary purpose is to or credit registries in the remainder of this report. assist banking supervision while at the same time im- proving the quality and availability of data for super- 33. Credit bureaus are typically characterized by com- vised financial intermediaries. In practice, while not plex information flows. Data is collected from various their primary objective many service providers of the sources and distributed to different users, which may first type support banking and overall financial super- include both to those that contribute data as well as vision activities. The same is true for several service others that do not. Credit bureaus generally enter into providers of the second type with regard to improving agreements with different parties to exchange data in a data for creditors in the market place. systematic manner, based on agreed conditions such as the frequency of data updates, the use of standardized 32. In many international reports and academic papers formats including common line items, the frequency the first type of service provider is typically referred to of data access and the price. as a private credit bureau, while the second type is nor- Section II. Credit Reporting Systems 12 GENERAL PRINCIPLES 34. Credit bureaus generally target retail credit and for dynamic and countercyclical provisioning against small business lending markets, where average loan loan losses.19 volumes are small and mass screening techniques us- ing statistical analyses enable the processing of a large 37. Credit registries also aim at maximizing synergies number of standard loan applications cost-effectively. of collecting credit data relevant for supervisory pur- Indeed, the data collected from various data provid- poses by distributing back those data to the original ers is used to develop specialized products and services providers to assist them in improving the quality of such as credit reports, credit scores and portfolio mon- their portfolios. Notwithstanding the latter, some key itoring applications, which enable better informed differences persist. A credit registry would normally and quicker credit granting decisions, enhanced credit distribute back data only to the financial institutions portfolio monitoring and improved overall credit risk that fall within the regulatory purview of the financial management. These products and services are typically supervisory authority. Also, this information would offered for a fee. normally be provided on a consolidated or aggregated basis and only for debtors whose current level of debt 35. Credit bureaus can be formed when creditors, or borrowings exceed a specified threshold. In few driven by the common interest of improving the per- other countries, the credit registry may act as the ag- formance of their loan portfolios, associate in order to gregator of credit-related information at the domestic share data in a structured and systematic manner. In level and then share this information with all credit other cases, an independent party such as a specialized bureaus. The range of possibilities and combinations technical firm is the single or majority shareholder. A will depend on the idiosyncrasy of the local credit significant difference between these two models is that markets, the institutional and legal arrangements un- credit bureaus owned by third parties aim at maximiz- derlying credit markets and, if available, credit infor- ing profits; hence, in addition to exchanging informa- mation sharing, and the level of development of the tion they produce value-added products such as credit credit reporting industry. scores. Such bureaus also have incentives to give access to as many users as possible, and to attract information 38. With very few exceptions, credit registries are from a larger variety of data providers and other data owned and operated by central banks or other finan- sources. cial supervisors. There are nevertheless cases where the central bank or financial supervisor has deferred 36. Credit registries, on the other hand, provide su- the task of operating the credit registry database to a pervisors with an additional offsite tool for systemic private sector party. risk concentration monitoring and assessing overall portfolio quality, or in order to identify discrepancies 39. Commercial credit reporting companies provide in borrower ratings among banks or to identify trends credit information on (mainly small to medium-sized) in lending. Therefore, most credit registries collect and businesses and can therefore be considered as part of process information associated with credit and loans granted by regulated financial intermediaries. In more sophisticated markets, this information is further used to ascertain capital requirements and provide guidance 19 For further reference see: Basel Committee on Banking Supervision, International Convergence of Capital Measurement and Capital Standards: a Revised Framework, Basel, Switzerland, 2006. GENERAL PRINCIPLES 13 the credit reporting system.20 Users of their services ness of a particular data subject – usually larger com- include financial institutions and other creditors look- panies - as of a given date. Investors, creditors and even ing to assess the creditworthiness of a business for the some regulators often rely upon these opinions. While purpose of extending business loans or trade credit. this report intends to cover credit reporting systems Commercial credit reporting companies collect infor- as broadly as possible, given the specific function and mation from the company itself (through interviews), nature of credit ratings agencies, these will not be dis- from public records and courts (for information on cussed in the remainder of the report.22 company registration, lawsuits, tax liens, judgments and business bankruptcies), and from other entities that do business with the company such as lenders or 2.3. Key Consideration suppliers. Services provided include assessments of Concerning Credit credit risk and information on management’s ability to Reporting manage their working capital.21. 42. The key considerations concerning credit reporting 40. Commercial credit reporting is different from systems can be broadly grouped around the following consumer credit reporting, in the following ways: (a) topics: i) data; ii) data processing: security and efficien- commercial credit reporting companies focus on the cy; iii) governance arrangements of credit reporting creditworthiness of the business itself rather than the data providers and credit reporting service providers, creditworthiness of the individuals who run the busi- and risk management concerns; iv) legal and regula- ness (except where the business is a sole proprietorship tory environment; and, v) cross-border data flows. and the creditworthiness of the business and the cred- itworthiness of the individual(s) who run the busi- 2.3.1 Data ness are the same); (b) commercial transactions are significantly larger and more complex, and risks are 43. Credit information results from processing two inherently different; (c) information needed to assess broad categories of data: identity data and credit data. the risk of commercial transactions generally includes Identity data is collected to enable the correct identi- significantly more payment performance and financial fication of the borrower; credit data is collected to de- data (e.g., full financial statements). scribe the borrower’s indebtedness. In the case of indi- viduals, the information usually shared throughout the 41. From a broad perspective, credit rating agencies system includes, among others, the name and address can also be considered part of the overall credit report- of the data subject, amount of loan, type of loan, ma- ing system, as they issue opinions on the creditworthi- turity of loan, guarantees and collateral value, default information and payments in arrears. Credit reporting service providers usually supply this information to 20 As noted in Section 1, this report and the principles it outlines target primar- ily consumer credit reporting systems rather than commercial credit reporting creditors in a standardized manner, and some service mechanisms. Information on commercial credit registries is provided here to providers also include other system-wide or consoli- enable the reader to understand better the distinction between consumer and commercial credit reporting. 21 The following information on businesses is usually provided as part of the 22 As noted in Section 1, the principles are not intended for credit rating agen- service: chief executive officer, company status, parent company, trading styles, cies in their traditional role. However, some credit rating agencies have expanded name changes, sales, credit ratings, start date, control date, history synopsis, into the credit reporting business (e.g. as credit reporting service providers, data public record filings, line of business, suits, liens or registered charges, number providers and/or other data sources), in which case the general principles would of employees business address, tax code, import/exports/flag, delinquency score become applicable to that specific line or lines of business. For further information synopsis and failure of default synopsis. on credit rating please visit the official website of IOSCO. Section II. Credit Reporting Systems 14 GENERAL PRINCIPLES dated information such as credit inquiries from other creditors and credit scores (see Box 2).23 Box 2: Credit Scores Credit scoring is a statistical method of evaluating the 44. Other types of data that are valuable for credit re- probability of a prospective borrower to fulfill its finan- porting but that are not provided by traditional data cial obligations associated with a loan. The practice of providers include identity data that can be matched credit scoring began in the 1960s, when the credit card and cross-checked to validate a data subject’s identity,24 business automated its decision-making processes. Over companies’ registry data, judicial court rulings that time, the use of credit scoring techniques has been ex- provide additional information regarding unpaid tended to other classes of customers including small and debts, utility records and telephone files. This informa- medium enterprises. tion could be useful to detect and prevent fraudulent credit applications. Frequently, the owners of these The predictive value of credit scores is generally higher data sources are public agencies that are not users of than that of assessments derived from credit histories the credit reporting system. Moreover, in some coun- alone. However, a credit score’s relevance, and thus its tries certain data elements are deemed “sensitive” and predictive value, is higher when applied to an identified are prohibited by law from being provided to others, and homogeneous population of borrowers with regard to a specific product. For example, different scoring tables such as geo- and ethno-demographic data (e.g., race, and weights are used for mortgage loans than for per- religion, gender). sonal loans. Broad-based scores from credit reporting systems are often used in conjunction with internal or ex- 45. Some of the typical data elements supplied by credit ternal product specific scores. Moreover, to sharpen the registries include name and address of borrower, type predictive value of the various credit scores there is an of loan, outstanding amount of loan, late payments, de- increasing trend to collect more data from a wider range faults/cancelled debts, and on-time payments. Credit of data providers and other data sources. registries also develop debtor/borrower classifications which is based on elements such as past due loan pay- Scores are often provided by private credit bureaus and ments (e.g. on-time payment would be classified as 1; some commercial credit registries, but creditors also tend 30-days past due would be classified as 2; 60-days past to develop their own scoring models. Where credit report- due would be classified as 3, and so on). ing systems do not provide scores it is normally because the data needed to develop a predictive score is not avail- able. 46. Credit reporting service providers add value to the data they receive by consolidating the various in- formation pieces and introducing a series of param- eters, identifiers, measures or other tools to assist users in identifying the risk features of data subjects. Additionally, service providers may offer predictive 23 The latter two are produced by the service provider itself. 24 Being able to positively identify a data subject in a database (usually referred to as a successful “hit”) is one of the critical challenges of a credit reporting service provider. In this case refers to other data sources that can be cross referenced to validate identity data provided by data providers (i.e. collected through applica- tion forms). GENERAL PRINCIPLES 15 scoring models for risk or fraud, and historical perfor- 50. Another possible source of inconsistency in data mance information. relates to different definitions being used by the various data providers and other data sources with regard to 47. Information quality is the basic building block of what constitutes a delinquency or other credit events. an effective credit reporting environment. Accuracy For example, most creditors will report a delinquency of data implies that such data is free of error, truth- when a loan is 30-days past due. However, some will ful, complete and up to date. Inaccurate data may lead do so only after 60 days or more. Still others might re- to unjustified loan denials or higher borrowing costs. port delinquencies immediately after the deadline for Thus, problems related to data accuracy are the sub- a scheduled loan payment is not met. ject of numerous complaints and litigation around the world and, as a result, have a significant impact on the 51. In addition to being free of error, data needs to development of credit reporting systems. be updated and made available in a timely manner. This implies first that data providers and other data 48. Incorrect data may result from human error or oth- sources need to update their respective databases quite er causes. For example, incorrect data provided by the frequently (i.e. a given number of days after the oc- data subject or human error from creditors or other currence of a given relevant event). Second, updated sources when inputting data will result in incorrect data needs to be provided to a credit reporting service data being transmitted to the credit reporting system, provider on a frequent basis. This will usually take subsequently affecting the quality of reports. In addi- the form of a pre-defined schedule –, although many tion, data pertaining to a certain data subject may er- credit reporting service providers have also defined a roneously be associated to another data subject due to set of variables that, in the event of a change, are to be inadequate identification mechanisms (e.g. improper reported within the pre-defined interval (i.e. so-called matching of names, lack of identification keys for in- “trigger events”). Thirdly, updated data needs to be dividuals and/or businesses, the inability of such keys made available to users as soon as practical. to provide a unique identifier or the impossibility to use such keys given legal and regulatory restrictions). 52. Data providers may fail to meet the updating Identity matching problems are likely to be exacerbat- schedule of credit reporting service providers. This ed in the context of cross-border data transfers. may be due to several factors, including lack of human or financial resources or inefficient technology that is 49. Errors can also originate at the level of credit re- incapable of meeting reporting requirements. It could porting service providers. A potential source of errors also be the case that the data provider willingly fails to in this case is associated with one of the core functions observe the reporting schedule. For example, data pro- of credit reporting service providers, which consists of viders may lack the necessary motivation to provide consolidating and matching the data that is received data in a timely manner if they believe that the data from a variety of credit reporting data providers and they receive from the credit reporting service provider other data sources. If no proper definitions, tools and is not useful enough. A data provider may also come controls are in place, execution of such processes may to the conclusion that other data providers are not result in duplicate or missing records, which would providing timely information, for instance, to keep to then lead to incorrect inferences about the data subject themselves information they deem strategic, in which due to, for example, underestimation or overestima- case it may decide to do the same. Situations like these tion of the data subject´s outstanding liabilities. tend to be more frequent in the absence of a clear set of Section II. Credit Reporting Systems 16 GENERAL PRINCIPLES rules and/or incentives that foster compliance with the 56. Positive credit reporting, also known as positive updating schedule. data, integrates the data captured by negative-only files with other types of data which may include, but not 53. The final step in ensuring timeliness of data is that limited to, account balances, number of inquiries, debt the updated information actually flows to users from ratios, on-time payments, credit limits, account type, credit reporting service providers without any signifi- loan type, lending institution, and public record data, cant lag. As discussed earlier, credit reporting service detailed reports on the prospective borrower’s assets providers convert raw data into information that is and liabilities, guarantees, debt maturity structure, and more readily usable by users. Therefore, it is important pattern of repayments, among others.26 Positive data is that the time period to execute this process be as short therefore more comprehensive and its use is empiri- as possible. Service providers can also help ensure cally associated with lower incidences of extension of timely delivery of information by offering a range of credit to bad debtors, and at the same time successful secure delivery modes that enhance the ability of users extension of credit to debtors with little previous credit to access and use data. experience.27 54. Another characteristic of accurate data is its suf- 57. In countries where positive credit reporting is pro- ficiency and adequacy. Three features are critical for hibited by the legal and regulatory framework or sim- sufficiency: i) being able to capture relevant detailed ply not performed for other reasons, a debtor’s abil- information, including negative as well as positive ity to access new financing following an adverse event data on a given data subject; ii) gathering information may be severely impaired. This is because the negative from as many data providers and other data sources as data stemming from the adverse event is usually stored possible, within the limits established by law; iii) hav- for a number of years, normally ranging from three to ing sufficient information in terms of the period over seven. On the other hand, in a positive credit report- which observations are available. ing environment a debtor’s economic recovery and im- proved repayment behavior after the adverse event are 55. So-called “negative credit reports” or “negative captured, and the debtor’s credit score would be pro- data” are normally limited to reporting unfulfilled fi- gressively adjusted. nancial obligations, such as late payments, defaults, bankruptcies and court judgments. Negative data is 58. In addition to credit reporting being of a “positive” “event-based”, i.e. is only registered upon the occur- or “negative” type, it can also be classified as compre- rence of an adverse event. For most debtors, how- hensive in the sense that information silos are avoid- ever, such adverse events are rare or do not occur at ed.28 Non-comprehensive (which is also known as all. Therefore, in an environment where only negative “segmented”) credit reporting is based on the collec- credit reports are provided, debtors that meet their fi- tion and distribution of information from/to a limited nancial obligations regularly and without any adverse events will only have a partial credit history in the eyes 26 The variables outlined refer to data that is collected though not necessarily disclosed. of third parties, since no data on them is shared or 27 See John M. Barron and Michael Staten, “The Value of Comprehensive Credit reported.25 Reports: Lessons from the U.S. Experience,” 2000. 28 See Michael A. Turner et. al., “Give Credit Where Credit is Due: Increasing Access to Affordable Mainstream Credit Using Alternative Data.” PERC 25 As will be discussed later on, in such a scenario debtors that duly fulfill their (December 2006). This paper builds on the benefits that the inclusion of utility financial obligations will not be able to benefit from that good performance by and telecom payment data on a credit reporting system could bring to low income building a good credit history. households, young people and immigrants, as observed in the US market. GENERAL PRINCIPLES 17 number of sources.29 Comprehensive credit reporting irrelevant but also harmful to collect or distribute as it on the other hand is based on the collection of infor- could deter the appetite of data providers to share data, mation from a wide variety of sources and sectors, or could lead to undesirable biases in the decision- including retail, small business, microfinance, credit making process for loans and other credit extensions. cards, insurance, telecoms, utilities, and others. As a The continued collection of irrelevant data is an exces- result, comprehensive credit reporting increases the sive burden on any credit reporting system. ability of creditors to assess and monitor credit risk, creditworthiness, and credit capacity.30 61. Irrelevance of data can also occur when certain pieces of data, typically negative data, are retained for a 59. Ensuring a wide range of data providers and other longer-than-needed period of time and become obso- data sources is not always possible, however. The scope lete, thus losing their predictive capacity. For example, of data and/or the scope of data providers and other “bad debtors” may turn around their repayment be- data sources may be limited by legal or regulatory re- havior and become good borrowers over time. strictions. For example, regulators of non-traditional data providers like telecoms may find it unacceptable 62. Retention periods are established for storing data for their supervised entities to share detailed informa- and disclosing data. The length of the retention period tion on their customers outside the sector. Moreover, for each of these functions will depend on whether the access to public sources of information is often lim- data is personalized or depersonalized and if there is a ited or prohibitively expensive, for instance due to the need for retaining and/or disclosing such data. On the low levels of automation of public records in some one hand, data should be kept and/or disclosed for the countries.31 sufficient time serving the purpose of collection. On the other hand, retaining that same data for a period 60. At the same time it should be recognized that not of time that is too short may lead to insufficient time- all information that can be potentially collected on a frame sampling or inadequate information on a data given data subject will be relevant for the purposes as- subject. Indeed, in some countries once a bad debt is sociated with credit reporting. Indeed, some data are paid off, all negative data related to it is deleted from irrelevant in that they add little or no value in deter- databases right away, either because it is mandated mining the probability of repayment.32 For example, by law or simply because it is common practice in the it is not evident that demographic details such as race market place. This reduces the ability of creditors to and ethnic origin add any value to credit underwriting make informed decisions due to the lack of a sufficient decisions. Moreover, some data pieces may not only be number of years of relevant data. For banking super- visory purposes, granular credit data should be kept for at least one economic cycle enabling predictable A typical example would be information that is collected from banks and is borrowers’ behavior detection over time, and serving 29 distributed only to such banks. 30 It should be noted that credit registries normally have a narrower scope or le- also as a valuable tool to make assessments on capital gal mandate (i.e. regulated financial institutions). The term “non-comprehensive”, requirements and rules on provisions for banks and as used herewith, would not be applicable to such credit registries. 31 In some countries, laws ensuring access to public information have been credit institutions. Finally, the lack of sufficient years enacted. Examples include Chile (2009), Guatemala (2008), Hungary (2005), of relevant data impacts the predictive power of scor- Dominican Republic (2004), Ecuador (2004), Croatia (2003), Mexico (2002), ing models built using such data. Current practices for Japan (2001), Bulgaria (2000), and Directive 2003/98EC of the European Council of 17 November 2003 on the re-use of public sector information. 32 It might also be necessary to determine whether data is relevant enough con- sidering the costs associated with its acquisition, updating, processing and storage. Section II. Credit Reporting Systems 18 GENERAL PRINCIPLES scoring models require a period that ranges between nificant capital investments and undertake a series of three to seven years of data.33 other measures related to the organization of work and responsibilities under different emergency scenarios. 2.3.2 Data Processing: Security and Efficiency All these can present major challenges. 63. Credit reporting data resides in databases and oth- 67. Significant capital investments are also required er types of data-holding methods that are subject to se- to meet a growing demand for high quality products curity and safety concerns, including loss, destruction, and services that meet the needs of a rapidly evolving corruption, theft and misuse. These concerns become credit culture. Credit reporting service providers are greater as the interconnectivity of databases and data therefore faced with the additional challenge of meet- networks increases. If such threats were to material- ing these demands while at the same time trying to ize, they could have serious or even irreversible con- maintain the affordability of the services for the vari- sequences on credit reporting system activities such as ous categories of users. widespread distrust regarding data sharing. 68. It should be noted that the likelihood of service 64. The major issue related to security and confiden- providers making the necessary investments will de- tiality lies in identifying sources of risk, addressing pend to a large extent on the size and sophistication those risks and assigning appropriate responsibilities of the market they serve. From another perspective, in for correcting situations in which such risks actually markets lacking sufficient critical mass, investments of materialize. The more complex a system is, the more this magnitude might not be viable. difficult it becomes to identify the potential liabilities and pro-actively assign appropriate responsibilities. 2.3.3 Governance Arrangements for Credit Reporting Service Providers and Data Providers 65. Services rendered by the credit reporting service and Risk Management providers are becoming increasingly critical. In coun- tries where credit granting decision-making is highly 69. To a large extent the services provided by the credit automated, a disruption in credit reporting services reporting industry are deemed to be of public interest, may cause upheavals in consumer credit markets.34 and therefore might become the object of public pol- The reliability of credit reporting services (i.e. being icy. However, situations exist where the actual objec- able to access the service when needed) is therefore a tives that the credit reporting service provider seeks in crucial element of an effective credit reporting system. practice diverge from the public policy goals underly- ing a service of this kind. A major determinant of such 66. Ensuring the provision of continuous service with- divergences can be traced back to the ownership struc- in the accepted service level standards will most likely ture of the credit reporting service provider. While require credit reporting service providers to make sig- there are no “good” or “bad” ownership structures, certain structures may lead to more issues than others. 33 Major credit reporting systems around the world tend to retain information for distribution among the users for anywhere between 5 to 7 years. 70. Ownership by a particular group of large lenders, It should be noted that credit reporting is normally only one of the inputs typically banks, can lead to anti-competitive behavior 34 that goes into the decision of whether to extend a loan. At the same time, most creditors involved in consumer lending use credit reports as a mandatory input, in the information sharing market. For example, ma- meaning that the flow of the transaction would stop in case such reports were jority shareholders can restrict or prevent access to not available. GENERAL PRINCIPLES 19 the service by smaller lenders. In another scenario, a porting service providers and data providers need to credit reporting service provider may wish to expand recognize these risks and hence need to manage them. access to all types of users in order to maximize prof- its. Large lenders may not be willing to share informa- 73. Given the relevance of credit reporting activities tion in such a scenario as they may consider that they for credit and other financial markets, coupled with will be contributing quality data and disclosing their the sensitivity of the data that is handled in these activ- good customers, while it is unlikely that this will be ities, it appears desirable that credit reporting service compensated with the data they will be able to obtain providers and data providers be scrutinized in order to from the service provider. Situations like these may promote an appropriate level of accountability on the lead to the creation of service providers that serve spe- side of such providers. This would generally be done cific sectors of the credit market, thus leading to silos through some form of independent check by a quali- of information. As earlier discussed, such fragmented fied third-party such as an auditing firm or a govern- information sharing markets undermine the benefits ment agency. of comprehensive credit reporting systems. Problems like these can be mitigated through proper governance 74. Peculiarities in governance arrangements of pub- arrangements. licly-owned credit reporting service providers should not preclude the achievement of the business and pub- 71. Appropriate governance is also crucial for ensur- lic policy objectives and appropriate risk management. ing that data providers, other data sources and credit reporting service providers will be able to cope suc- 2.3.4 Legal and Regulatory Framework cessfully with the risks underlying the information sharing and credit reporting businesses. These entities 75. Although credit reporting systems have existed at are mainly exposed to operational risks, legal risks, least since the 1800s, specific regulation of credit re- and reputational risks. Therefore, probably more than porting systems coincided with the technological de- in most other businesses, the materialization of any of velopment of 1960s and rising concerns over transpar- these risks can severely impair the long-term viability ency and individual rights. The growing recognition of the credit reporting organization. of credit reporting activities as a core function in any modern financial market has also become a catalyst for 72. As with all technology-intensive organizations the regulation of these activities. dealing with multiple parties, the potential for opera- tional errors and unauthorized access to the informa- 76. Over the last decade a large number of countries tion, either from inside the credit reporting service have devoted efforts to regulate the credit reporting providers or from outside, is significant. Legal risk market, particularly when private sector credit report- stems from the inadequate or erroneous observance ing service providers are present. Regulation of credit or interpretation of the applicable legal and regulatory reporting activities usually focuses on registering or framework. Reputational risk is particularly relevant licensing of credit reporting service providers, impos- due to the nature of credit reporting: personal data be- ing responsibility for data accuracy, collection and ing used in sensitive activities like lending and finan- disclosure, consumers having access to their informa- cial supervision. As it is practically impossible to avoid tion and being able to have erroneous information all risks while maintaining a viable business, credit re- corrected, compliance monitoring, and enforcement. There is however no consensus on what constitutes Section II. Credit Reporting Systems 20 GENERAL PRINCIPLES an adequate legal and regulatory framework for credit to collect data on them, which, apart from being costly reporting as there is a natural tension between the ob- would be overly cumbersome and undermine the use- jectives of having access to broader sources of informa- fulness of the data. tion for enhanced credit reporting, and the interest in preserving individual privacy.35 79. On the other hand, regulation can be the only means through which certain problems can be addressed in 77. In some countries, laws or regulations are enacted an effective manner. One important example is that of to deal with specific issues of concern, some of which ensuring competitors’ fair access to credit reporting might not be exclusive to credit reporting like privacy services, especially when ownership structure of credit issues and data protection. In others, a special legal reporting service providers do not provide incentives framework for credit reporting activities exists, usu- for the latter to do so. Regulation can also be necessary ally in an attempt to typify these activities and regu- to ensure that certain standards (e.g. data quality) be late them in an integral manner. It is also possible for equally applicable to all participants in the system. the two models to co-exist. According to experience in several countries,36 legal risks are generally greater 80. Since credit reporting systems are based on the where there is an absence of laws and regulations cov- flow of data through an existing network of stakehold- ering credit reporting systems and the related activities. ers, laws and regulation should carefully consider is- These risks include confidentiality breaches regarding sues related to property rights regarding data and da- financial data, credit reporting service provider em- tabases, assigning realistic responsibilities and rights ployees’ liability for data processing, and risks related over the data processed and the format used for such to automated decision making, to name just a few. processing. A relevant matter is that of format owner- ship, especially if this might represent a barrier of en- 78. As with other economic activities, there is the risk try for other service providers. that the legal framework be too restrictive, thus hin- dering the development of an efficient credit report- 81. One of the biggest challenges of the legal frame- ing system. For example, the legal framework, if not work is that its provisions be enforceable. On the one properly designed, can create unjustified barriers to hand, laws and regulations should be practical and ef- entry to potential new market players. Also, in an at- fective to ensure a high degree of compliance. In other tempt to protect privacy rights, the legal framework words, rules that cannot be enforced are not likely to might require data providers and service providers to be effective. On the other hand, authorities should be obtain consent from data subjects each time they wish capable of enforcing legal provisions administratively, which requires a combination of sufficient powers and 35 Privacy is a fundamental right recognized in numerous international agree- adequate human and financial resources. In the case ments including The Universal Declaration of Human Rights (U.N., 1948); The of credit reporting activities, one additional difficulty Convention of the Council of Europe for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS Nº 108) and its Additional is that cross-cutting issues might fall under the juris- Protocol regarding supervisory authorities and trans-border data flows (ETS Nº diction of several government agencies, which then 181); Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of leads to the need for effective cooperation between personal data and on the free movement of such data. See also annual reports of regulators. national data protection authorities of the EU. 36 Several examples on this were identified in Latin American and Caribbean countries through the WCHRI. For additional references, see the WCHRI’s 82. The public agencies that are normally charged with Orange Books at www.whcri.org. the responsibility of regulating credit reporting activi- GENERAL PRINCIPLES 21 ties include central banks and bank supervisors, and specific conditions for data collection and specific con- in some cases ministries of finance, data protection ditions for data disclosure. authorities, consumer protection authorities and com- petition and antitrust authorities. In recent years, it is • Collection: In several countries there is an recognized that the role of the authorities is not lim- underlying legal basis for data collection. In ited to applying the existing legal framework; authori- countries where this is not the case, a pre- ties also play a leading role in developing a vision for condition for data collection is that consent be the systems, in coordinating with all stakeholders - and obtained from data subjects. other authorities as well - and in carrying out a reform plan, if necessary. In some cases, one of the authori- • Disclosure: Similarly, different frameworks set ties is designated as the system overseer and is charged conditions for data disclosure. One such condition with the responsibility of promoting the appropriate is the limited use of data. The legal and regulatory development of the credit reporting system as a whole, framework establishes a finite set of permissible making sure that the efforts of the various regulatory purposes for which the data subject’s data may be authorities are coordinated and are consistent.37 used. Permissible or legitimate purposes are usually associated with matters that are of general interest 83. There are many different approaches to the regula- to a society, and generally include verification for tion of consumer protection and data subject rights as the extension of credit or the collection of debts, as it relates to credit reporting systems. European coun- well as to enforce the fulfillment of legal and other tries, for example, have developed a data protection contractual obligations (see Table 1). However, directive that establishes broad protection for data even though it might be clear that permissible subjects with regard to their information38 and with purposes are being sought after, consumers/data a scope that goes beyond credit reporting systems. subjects may have the choice to limit some of the Alternatively, the United States has adopted a sector- uses for which data is collected (e.g. employment). specific law which focuses narrowly on the flows and uses of consumer data associated with credit reporting 85. Notification. As data subjects have in principle a systems.39 Regardless of the approach taken, ensuring decisional role over the collection and further process- that consumers trust credit reporting systems is im- ing of data about them, in some countries, when data is perative. Below is a short discussion of the most rele- not obtained directly from the data subject or with his/ vant data subject and consumer rights, and approaches her consent, data subjects are notified (informed) of taken to codify these rights into laws and regulations. the collection and sharing of such data. The need and modalities for notification are generally linked to the 84. Consumer protection and privacy considerations purpose of collection and sharing. are closely linked to the purposes of data collection and data disclosure. The legal and regulatory frame- 86. To protect consumers from the negative conse- work surrounding credit reporting typically sets out quences of inaccurate data or unlawful collection, as mentioned earlier, it is common practice to provide 37 See the Recommendations for Effective Credit Reporting Oversight under consumers with rights to access and challenge data Section 4 of this report. held on them. 38 Directive 95/46 European Parliament and of the Council of October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. 39 The Fair Credit Reporting Act (15 U.S.C 1681 et seq.). Section II. Credit Reporting Systems 22 GENERAL PRINCIPLES Table 1: Permissible Purposes for Personal Data Disclosure in Select Legal Frameworks FCRA (United States) PIPEDA (Canada) Directive 95/46/EC (European Union) Court Order Legal Obligation Consumer Consumer Court Order Extension of credit Consumer consent Credit/insurance/rental transaction Insurance/rental Legitimate purpose (with notification) Purpose consistent with purpose for Business transaction data collection Employment Employment Account review Licensing Child support Collection of debt Collection of debt • Access. Provisions are frequently established and data subjects may claim compensation allowing data subjects to access the information for damages incurred. Ideally, the rectification held on them. Such access could be provided at process will be straightforward and inexpensive little or no cost to data contained in the files of for the data subject. This right to dispute and seek credit service providers.40 In some countries, data rectification of inaccuracies in data is not meant subjects are allowed to have free access to their to impede the lawful processing of data or allow credit reports once per year upon request. The for misuse by data subjects. A detailed example benefits of giving consumers access is that it builds of dispute resolution mechanisms for credit trust and ensures transparency. reporting is provided in Annex 3. • Dispute and Correction. Data subjects are 87. The various conditions and rights listed above serve normally able to challenge inaccurate data held to protect the rights of consumers and data subjects. on them and to receive a report on the results of While there is little question on the need for having an the subsequent investigation. Inaccuracies in data adequate set of laws and regulations that duly protect are to be rectified or deleted when appropriate, and enforce consumer rights, other important needs such as fostering the development of an effective and efficient credit reporting system should also be part of 40 It should be noted that there are credit registries that do not provide regulated the equation. A balanced approach to individual pri- institutions credit information at the level of account but on an aggregated man- ner showing the overall behavior of the bank as regards to the rest of the banking vacy interests, data subject rights and a robust credit sector. In these cases, data subjects’ rights would not apply because the data is not reporting system is therefore necessary. linked to a particular data subject. GENERAL PRINCIPLES 23 Box 3: Single Market and Cross-border Credit: the Case of the EU The European Directive on Consumer Credit (Directive 2008/48/EC) aiming at the integration of consumer markets in Europe, contains provisions facilitating the exchange of information regarding credit payment history of borrowers/consumers between different countries in the European Union. The Directive stresses the importance of assessing creditworthiness on the basis of sufficient information and, where appropriate, on the basis of a consultation of the relevant databases. Access to the relevant databases shall be in a non-discrim- inatory way and in compliance with data-protection legislation.1 The Expert Group on Credit Histories (EGCH)2 led by the European Commission devoted significant efforts to outlining the major issues impeding the use of credit reporting systems across borders in the European Union context. These findings are consistent with previ- ous studies.3 In addition, the EGCH recognizes the relevance of operational factors such as differences in data content, terminology and registration criteria as obstacles for the broad use of credit reports produced in other jurisdictions. There are examples of arrangements for the exchange of credit information between certain credit reporting service providers. For example, against the background of free flow of financial services within the EU and in particular the use of the Euro as single currency in many member states of the EU, the need to gain a picture as complete as possible of the total indebtedness of their borrowers drove several public credit registries in Europe (Austria, Belgium, Czech Republic, France, Germany, Italy, Portugal, Romania and Spain) to sign a Memorandum of Understanding providing for the exchange of credit information on a regular, monthly basis. In addition, institutions are allowed by electronic means to make cross-border inquiries about the indebtedness of their clients on a case by case basis.4 Similar arrangements are observed between some private credit bureaus, which agree to exchange information on the basis of reciproc- ity and bilateral agreements. Information exchange takes places between BKR (Netherlands) and National Bank of Belgium and between BKR (Netherlands) and CRIF (Italy). Similar arrangements are provided by SCHUFA (Germany) and Credit Info (Iceland).5 1 See Article 9.4 of the Consumer Credit Directive 2008/48/EC of the European Parliament and of the Council of 23 April 2008 on credit agreements for consumers and repealing Council Directive 87/102/EEC. 2 For further study see Expert Group on Credit Histories report, 2009. 3 Nicola Jentzsch and Amparo San José Rientra, “Information Sharing and its Implication for Consumer Credit Markets: United States vs. Europe,” (paper prepared for the European University Institute Workshop “The Economics of Consumer Credit: European Experience and Lessons from the U.S.,” Florence, May 13-14, 2003). The paper compares the US and Western Europe credit reporting systems. 4 The Memorandum of Understanding on the Exchange of Information among National Central Credit Registers for the Purpose of Passing it on to Reporting Institutions (2003, amended in 2010) is available at the European Central Bank’s website (www.ecb.int). 5 The binding contract used for these arrangements has been facilitated by ACCIS. 2.3.5 Cross-border Data Flows have changed their country of residence will most like- ly need to establish a relationship with a local financial 88. Financial liberalization has significantly reduced entity. New challenges have thus emerged in recent restrictions on the operations of financial institutions years, including the need to monitor credit exposures in foreign markets. At the same time, businesses initi- of important borrowers outside a financial institution’s ating activities in a new country and individuals that home markets, or providing credit and other financial Section II. Credit Reporting Systems 24 GENERAL PRINCIPLES services on a sound basis to businesses and individuals 92. Differences between countries in terms of data re- that do not have a credit history in the country where tention periods, update frequency, amount of thresh- they are applying for credit. Box 3 describes some olds, loan or credit types being reported, among oth- of the measures and arrangements in the case of the ers, could also represent barriers when implementing European Union. cross-border credit reporting. 89. These examples reflect the fact that, under some cir- 93. It is also worth mentioning that not all cross-bor- cumstances, cross-border data transfers can be consid- der ventures of this kind might be economically or ered a necessary instrument to facilitate the provision legally viable despite the potential benefits they may of credit and other financial services in a globalized entail. Engaging in such a venture without previously world, as well as for financial supervisory purposes. conducting a cost-benefit analysis exercise that is suf- ficiently objective and detailed can lead to numerous 90. In addition, small markets raise the issue of econ- financial and reputational problems for the parties omies of scale for credit reporting service providers. involved. As credit reporting services need to be commercially feasible and cost effective, in small markets this might only be possible through the creation of a single mech- anism serving more than one market. Such an arrange- ment will most likely involve setting up an information network that centralizes credit data and which is ac- cessed by creditors from different jurisdictions. 91. In principle cross-border data flows raise concerns similar to those raised by purely domestic information sharing and credit reporting activities. However, cross- border activities are associated with a more complex environment due to the multiplicity of applicable laws, consumer protection frameworks, credit cultures, market practices, and institutional structures, among others. For example, sharing the data of a given data subject across borders can elevate concerns about pri- vacy and appropriate data safeguarding. It can also be the case that the data protection or data access laws that apply in a certain foreign jurisdiction are in con- flict with a service provider’s internal or domestic ob- ligations. Also, in case of a dispute by the data subject, the source of inaccuracy might be harder to identify, which could be coupled with unclear guidance on what the applicable laws or remedial procedures are. SECTION III The General Principles 3.1. Public Policy Objectives • Educate and provide incentives to individuals and businesses to manage their finances responsibly, 94. For this report, the following public policy objec- rewarding responsible behaviors and curbing tives for credit reporting systems have been defined: over-indebtedness issues. credit reporting systems should effectively support the sound and fair extension of credit in an economy as the • Take into account consumer interests. foundation for robust and competitive credit markets. In doing so, credit reporting systems should be safe and effi- cient, and fully supportive of data subject and consumer 3.2. The General Principles rights. Each General Principle described below should be More specifically, an effective credit reporting system read in conjunction with the accompanying guidelines should be able to: and explanatory text. • Support financial institutions and other grantors Data of credit to accurately assess the risks involved in credit granting decisions and maintain well- General Principle 1: Credit reporting systems performing credit portfolios. should have relevant, accurate, timely and suf- ficient data - including positive - collected on a • Facilitate sustainable expansion of credit in the systematic basis from all reliable, appropriate economy in a responsible and efficient manner. and available sources, and should retain this in- formation for a sufficient amount of time • Support financial regulators in supervising regulated institutions in order to ensure that the latter remain safe and sound, minimizing systemic Guidelines on accuracy of data risk. Data collected and distributed should be, to the • Facilitate fair and unbiased access to various types extent possible, free of error, truthful, complete and of credit products on competitive terms. up to date. 25 26 GENERAL PRINCIPLES 95. Information is at the core of credit reporting ac- information that is useful for the service being ren- tivities. Therefore, high data quality is the basic build- dered. ing block of an effective credit reporting environment. Inaccuracies in data contained in credit reporting systems can result in unjustified loan denials, higher To ensure that data accuracy is achieved on a borrowing costs, and other unwanted consequences continuous basis, credit reporting system participants for debtors, data providers and credit reporting service should consistently apply appropriate data-supplying providers. rules and procedures to all data providers with similar characteristics. 96. It is of utmost importance that data be unambigu- ously linked to the data subject. If data is erroneously associated with another data subject (e.g. due to name- 99. Appropriate rules or other enforcement tools sakes or inconsistencies in commonly used identifica- should be in place to promote compliance with the ap- tion keys such as national identification numbers for plicable standards on data collection and distribution, individuals or businesses), this will render the rest of especially with regard to incorrect, incomplete or inac- the data collection and distribution process useless curate data. While a broad range of enforcement tools and potentially even harmful. can be considered (e.g. from warnings to some form of monetary sanction for non-compliance), it is impor- 97. The accuracy of data which is made available to us- tant that the choice does not compromise the integrity ers relies on a series of steps, all of which are crucial. of the database. The chain starts with the information that is gathered on data subjects, normally through loan applications 100. Caution should be exerted over granting excep- and contracts, which is then stored by credit reporting tions, as there is a high cost and risk in managing a data providers and other data sources. The other part variety of data collection schemes. Exceptions regard- of the equation is the set of processes that is executed ing data supply should consider implications on data by the credit reporting service provider to convert the accuracy and database integrity.. raw data into the final product or products that are accessed by users. This includes data validation, nor- 101. It is equally important that rules and procedures malization and other technical processes, as well as ap- be disseminated extensively throughout the system, plying algorithms to transform the data into a series of using as many means as possible (e.g. newsletters, value -added products and services. seminars, face-to-face consultations), especially when planning changes to the data collection scheme. 98. One way to ensure that the data provided are accu- rate is that the latter are actually used on a continuous basis. Data on which no continuous quality controls Guidelines on timeliness of data and routine processes are applied have the risk of be- coming either imprecise or misleading once such data Credit reporting service providers and data providers are accessed at a later stage. Therefore, credit report- should apply clear and detailed rules for the ing systems should balance the need for collecting as updating of information. Such rules should ensure much information as possible with that of collecting that updates be performed on the basis of pre- defined schedules and/or specific trigger events. GENERAL PRINCIPLES 27 At a minimum, this should include prompt action in Guidelines on sufficient data –including the event of error adjustments and ideally in case of positive relevant changes in credit exposures, arrears, fraud, defaults and bankruptcies. ❖ Credit reporting service providers should be able to collect and process all the relevant information needed to fulfill their lawful purposes. Relevant 102. Data should be updated immediately upon the information comprises both negative and positive identification of an error. In an ideal scenario, upon data, as well as any other information deemed occurrence of one or more of the trigger events de- appropriate by the credit reporting system, scribed above, the relevant information on the data consistent with the considerations described in the subject would be updated quite promptly. In contrast, other General Principles. for those data subjects for whom there are no relevant changes, data would be updated less frequently, though not less often than on a monthly basis. 106. Data collected should include all relevant infor- mation to enable any given user to adequately evalu- 103. Appropriate rules should be in place to pro- ate and manage credit risks on a continuous basis. mote compliance with the agreed standards on data This includes information that is necessary to make an updating. unequivocal identification of the data subject, as well as information related to the creditworthiness of the debtor and/or the repayment prospects of a new loan Data should be available for users of the credit (e.g. current credit exposures, maturities, guarantees reporting system in a prompt manner to enable them and/or collateral, default information, etc.) to carry out their functions without unnecessary delays. 107. Negative credit reporting data refers to late pay- ments, loan defaults and other unfulfilled economic obligations, as well as bankruptcies and other judicial 104. Credit reporting service providers should strive to processes. Positive credit reporting also includes sever- minimize the lag between the time they receive the up- al other pieces of information about the debtor, such as dated data and the time the new data are made avail- account balances, number of inquiries, debt ratios, on- able to final users. In this regard, credit reporting ser- time payments, credit limits, account type, loan type, vice providers should set up service levels that match lending institution, interest rates and public registries’ users’ and data subjects’ needs for timely and accurate data, detailed reports on assets and liabilities, guaran- data. tees and collateral, debt maturity structure, pattern of repayments, employment records, etc. 105. Automation and standardization of rules and pro- cesses are usually the most effective means to improve 108. There is a limit on the information that can be service levels (i.e. in this particular case, to reduce the shared, which is usually associated with the permis- “conversion period” of raw data into the information sible purposes underlying information sharing, or pri- that is actually made available to users) without the vacy considerations when dealing with sensitive issues risk of negatively affecting data accuracy. such as ethno-demographic data. In other cases, while sharing such potentially sensitive data per se is not Section III. The General Principles 28 GENERAL PRINCIPLES prohibited, there are legal or regulatory restrictions on Guidelines on collection of data on a systematic using that information for credit reporting purposes, basis from all relevant and available sources for example if the data is considered out of proportion when compared to the intended use, or to reduce the Credit reporting service providers should be able to possibility of introducing a bias in creditors’ decisions. gather information from all relevant data providers, within the limits established by the law. Credit reporting service providers should set up clear rules on minimum data inputs and optional 111. Data subjects benefit from having their data pro- data inputs. Data elements to be collected should vided to all credit reporting service providers in a include, at a minimum: identification information, given market. Therefore, data providers should refrain information on the credit including original amount, from entering into exclusivity agreements with a par- date of origination, maturity, outstanding amount, ticular credit reporting service provider - or a subset of type of loan, default information, arrears data and these - and share data widely and equitably across the transfer of the credit when applicable. Ideally this system because it is beneficial for the credit reporting would also include credit risk mitigation instruments system as a whole. such as guarantees, collateral and an estimate of their value. Credit reporting service providers should be able to access other data sources of relevance, within the 109. Credit reporting service providers should provide limits established by the law. clear definitions and detailed explanations on the data being sought. In agreement with data providers, and eventually with other data sources, credit reporting 112. Other data sources deemed relevant for credit re- service providers should establish a list of mandatory porting include private and public sources or records. data inputs to be provided on a systematic and contin- In the case of private sources, the same considerations uous basis. Minimum data inputs should be consistent described under the previous guideline would apply. with the previous Guideline on “sufficient data”. 113. Public records are generally available to the pub- 110. Credit reporting service providers should also lic, and credit reporting service providers should be specify the form(s) through which the data is to be able to access these records at least under the same provided (e.g. specific templates or layouts). From a conditions as those applicable to the general public. service provider’s standpoint, using a standard format facilitates automation and data consistency, which in 114. Some public records might not be available to the turn may result in greater efficiency. From the perspec- general public. This may include identity registries for tive of data providers and other data sources, using a individuals and businesses. As such information might standard format with all credit reporting service pro- be crucial for validating a data subject’s identity, credit viders would enable them to process and send the re- reporting service providers could be allowed to access quired data with little or no additional costs. such information under specific or limited conditions. GENERAL PRINCIPLES 29 115. Services associated with public records are often Moreover, to build a model per se, data may not need quite basic, like consultations of physical records or to be personalized. Insofar as this information remains consultation of basic computerized data that cannot stored in such a way that is not possible to reverse en- be enriched with further data exploitation techniques gineer the depersonalization process, data in a credit (e.g. under a data warehouse environment). Credit re- reporting service provider should be usable for as long porting service providers should seek to negotiate spe- as necessary. cial agreements with public records agencies to ensure a smooth and systematic flow of information. In some 118. Therefore, any rules or regulations on the maxi- cases this may involve defining a cost recovery scheme mum time length that credit data can be stored, used in order for a public record to be able to provide en- for modeling purposes, or explicitly distributed to us- hanced services. ers should be clear and specify over which of these ac- tivities the limitation(s) would apply. At the same time, these sorts of limitations should carefully balance the Guidelines on retention of data objectives of fairness on one hand, and information in- tegrity and accuracy on the other. Data collected by credit reporting systems should be available to users for a period of time that is consistent with the purpose for which the data is Clear rules should be in place regarding the method used. to determine the specific date or event when distribution of data should be discontinued. 116. The credit-related performance of debtors can change over time. For example, a default or another 119. Rules that restrict the period of time in which that negative performance in the past could have been the data can be distributed to users should also be clear result of a generalized economic downturn or even a and specific on how exactly that period of time is to natural catastrophe, and should not affect the long- be calculated. Any ambiguities or lack of specificity on term creditworthiness of an otherwise creditworthy this issue can become a source of disputes, for example debtor. For reasons like this, authorities may set limits between data subjects and credit reporting service pro- on the length of time that the negative data can remain viders or between the latter and their regulators. in the file of data subjects. 120. For example, the rules should state whether the 117. There is, however, a difference between limiting maximum length of time, typically expressed as a the length of time for the processing of personal iden- number of years, would be calculated starting when tifiable data, and limiting the length of time for the the relevant event (e.g. a default) took place, or when storage of such data in depersonalized manner. Data the latter was first reported to the credit reporting ser- collected by credit reporting service providers is fre- vice provider, or when an event first led to the denial of quently used to build credit scoring models and other a loan to a data subject. The definition of what consti- analytical decision-enabling tools that are useful for tutes the “event” itself is also important. creditors. These tools generally require long time se- ries of data in order to produce a reasonable degree of predictability (see Guidelines on Accuracy of Data). Section III. The General Principles 30 GENERAL PRINCIPLES Data Processing: Security and 123. As services rendered by credit reporting service Efficiency providers are increasingly becoming critical, the reli- ability of credit reporting services (i.e. users being able General Principle 2: Credit reporting sys- to access the service when needed) is a crucial element tems should have rigorous standards of security of an effective credit reporting system. and reliability, and be efficient 124. For several years, business continuity has been an important subject of discussion and action by inter- Guideline on security measures national financial institutions and the financial indus- try. As a result, extensive literature now exists on this Credit reporting system participants should protect subject and will not be discussed in further detail in data against any loss, corruption, destruction, this report. Two aspects are worth mentioning, how- misuse or undue access. ever. First, a comprehensive business continuity plan goes beyond the availability of redundant hardware or other pieces of infrastructure, and needs to consider 121. Some common threats to data security include cy- human factors as well (e.g. avoiding situations whereby ber attacks from outsiders, improper data use by em- a severe interruption of the service materializes due to ployees of service providers and/or from the users, ac- people not being able to react promptly or effectively, cidental disclosure of data, accidental loss of data, and even when the necessary equipment to operate under natural disasters, among others. All participants in a a contingency is available). Second, the criticality of credit reporting system should undertake best efforts credit reporting systems varies from jurisdiction to to implement commercially reasonable data security jurisdiction; hence, a “one-size fits all” approach with safeguards to protect data against these and other po- regard to business continuity should be avoided. tential threats. 125. The reliability of credit reporting services is a 122. Specific measures and safeguards should be adopt- matter that concerns not only credit reporting service ed to cope with the logical, physical and organizational providers but other stakeholders as well, including aspects of data security (i.e. so-called “tridimensional credit reporting data providers, users and authorities. approach to data security”). The objective of these safe- Therefore, an “optimal” reliability level for a given cred- guards should be to contain, limit and respond to data it reporting system should be the result of discussions security breaches. Measures and safeguards should be and negotiations balancing service levels (from credit reviewed on a regular basis to ensure that they are up reporting service providers to users as well as from us- to date and effective against newly emerging threats. ers to their clients), costs, available infrastructure, and regulatory aspects, among other considerations. Guideline on reliability Guideline on efficiency Credit Reporting Service providers should implement appropriate business continuity measures to ensure Credit reporting service providers should strive to that their services will be available to users without be efficient both from an operational as well as from any significant disruptions. a cost perspective, while continuing to meet users’ needs and high standards for service levels. GENERAL PRINCIPLES 31 126. Creditors and supervisors alike demand not only market failures exist, regulators and overseers could high-quality data but also increasingly faster response consider developing a mechanism to review periodi- times from credit reporting service providers. In this cally costs and pricing from an efficiency perspective. particular regard, real-time data transmission follow- This review would need to take into consideration the ing a query is becoming the standard worldwide. nature of the services being offered, as well as market size and structure. When competitive conditions ex- 127. To meet such a standard while offering cost- ist, regulators and overseers may need to monitor the efficient services, credit reporting service providers market to ensure that excessive competition on pricing will require appropriate infrastructure, including ad- does not compromise security standards, introduce equate processing capacity and reliable telecommuni- unnecessary data fragmentation, efficiency losses or cation infrastructure. Proper infrastructure planning jeopardize the sustainability of the credit reporting should enable the credit reporting service provider system. to cope with an increasing number of users and data volumes without compromising service levels. Also, as discussed under the Guideline on reliability, com- Governance and Risk prehensive business continuity measures are essential Management to ensure the availability of a service without major disruptions. General Principle 3: The governance ar- rangements of credit reporting service providers 128. It should be noted that significant investments are and data providers should ensure accountability, necessary in order to meet these service level standards. transparency and effectiveness in managing the In markets lacking the sufficient critical mass (in terms risks associated with the business and fair ac- of data and users), an investment of this magnitude cess to the information by users might not be viable. This does not necessarily mean that users in smaller countries are to be constrained to lower service levels. A single credit reporting service Guideline on accountability of governance provider serving multiple countries can be an alterna- arrangements tive to achieve the necessary economies of scale that will enable the investments required for the deploy- Credit reporting service providers and credit ment of top level services to its users.41 reporting data providers should be subject to mechanisms that ensure proper accountability 129. The provision of integrated services may help of management and, where applicable, of board lower unitary costs to users. Users, however, may pre- members. This should include independent audits or fer having the service provider offer a series of value- reviews. added services at an incremental cost compared to the cost of accessing just the basic data. 131. Good governance arrangements provide incen- 130. In case a given credit reporting service provider is tives for an organization’s top management to pursue a monopoly or a clear dominant player or when other the long-term interests of the organization, such as continued growth, increased coverage, profitability (where applicable), and overall viability. 41 For further discussions on this specific issue see General Principle V. Section III. The General Principles 32 GENERAL PRINCIPLES 132. Given the sensitive nature of credit reporting ac- ii) Legal and regulatory framework that supports its tivities, credit reporting service providers as well as activities; iii) Key financial results as required by law; credit reporting data providers must be held account- iv) Codes of conducts; v) The types of entities that able to the various system participants, including the may become users of the service, and the conditions data subjects on whom they hold information. Credit they must fulfill in order to do so; vi) Rules and pro- reporting service and data providers should therefore cedures for collecting and processing data, including be subject to mechanisms of accountability and inde- scope of data collection efforts; vii) Uses of data; viii) pendent oversight, including independent audits, and, Mechanisms for identifying and mitigating risks; ix) where applicable, supervision by a public authority. Share distribution, main shareholders and related par- In some cases some form of self-regulation (e.g. code ties; x) Dispute resolution mechanism applied by the of conduct) could be promoted for example through service provider. industry associations. Observance of self-regulatory mechanisms should be monitored, as appropriate, by 135. Similar standards would apply to those data pro- the relevant authorities. viders whose core business consists in the collection and distribution of data for credit-related decision- making. It is likely that banks and other financial and Guideline on transparency of governance non-financial institutions that collect and distribute arrangements data as an ancillary activity will already be subject to transparency standards associated with their core Governance arrangements for credit reporting business. service providers and credit reporting data providers should ensure timely and accurate disclosure of relevant matters related to the entity and its activities. Guidelines on the effectiveness of governance arrangements in ensuring appropriate manage- ment of the risks associated with the business 133. Disclosure helps improve public understanding of the structure and activities of credit reporting service The management of credit reporting service providers providers, their corporate policies and performance and data providers should identify all relevant risks with respect to existing standards, and their relation- faced by the organization. The outcomes of this ships with the communities in which they operate. risk analysis should be reported periodically to the Credit reporting service providers are expected to dis- organization’s top governing body. close information deemed material, i.e. information whose omission or misstatement could influence the economic decisions taken by users of information. 136. Major risks faced in credit reporting activities in- clude, but are not limited to, operational risk, legal risk 134. Management of credit reporting service provid- and reputational risk. ers and credit reporting data providers should ensure timely and accurate disclosure of all relevant matters 137. Credit reporting service providers are technology- relating to the business. In the case of credit reporting intensive and deal with multiple parties that provide service providers, relevant information to be disclosed and use data. The potential for operational errors, may include: i) The objective of the service provider; either within the credit reporting service provider or GENERAL PRINCIPLES 33 from outside is therefore significant. Operational risk establish internal controls to mitigate the risks it de- is not only related to the proper operation of informa- cides to accept. Some of the basic elements of a sound tion technology equipment or other pieces of infra- system of internal controls include: i) having clear lines structure; unintentional human errors, or unlawful of responsibility with the organization; ii) having clear activities like the unauthorized access to data by the levels of responsibility for proper escalation of prob- service provider staff or others are also a key source lems and proposed solutions; iii) policy-setting areas of operational risk. Operational risks can also lead to within the organization that are independent from legal problems (e.g. data being distributed to parties business-oriented areas; iv) policies and procedures that are not allowed to have access to it). providing clear guidance on how to manage the identi- fied risks; v) an independent audit function with a di- 138. Legal risk stems from the inadequate or errone- rect reporting line to the organization’s top governing ous compliance of the applicable legal and regulatory body (e.g. Board of Directors); and vi) other periodical framework. Legal risks are generally greater where external reviews. there is an absence of laws and regulations dealing ex- plicitly with credit reporting systems and the related 141. Management also needs to analyze whether the activities, or when such laws do exist but are unclear system of internal controls will have an impact over and subject to multiple interpretations, or simply when the services being provided in the market place, and the legal framework is ineffective in dealing with the the extent to which that impact will be transferred to major issues identified in this report. the users in the form of either higher costs or lower quality. This is clearly another source of risk that needs 139. Reputational risk is particularly relevant due to to be mitigated and balanced with other risk manage- the nature of credit reporting: personal data being ment objectives. In any case, it should be noted that used in sensitive activities like lending and financial in competitive markets, the extra costs generated by supervision. A credit reporting service provider with a sound system of internal controls that are actually a history of frequent operational problems or that is transferred to users are usually minimal. constantly involved in legal disputes will be exposed to greater reputational risks. So will those service pro- viders that lack transparency in the information they Guideline on effective governance provide to the market (see Guideline on transparency). arrangements ensuring that all users have fair access to information To properly address and mitigate risks, credit Governance arrangements of credit reporting service reporting service providers and credit reporting data providers should promote all users having access providers should establish sound internal controls to information under equitable conditions. This and risk management mechanisms. objective should not be affected by the ownership structure of the service provider. 140. All economic activities face a variety of risks, and it is the role of management to determine whether the 142. Decision-making in economic organizations re- identified risks should be avoided, accepted, shared or flects the balance of power of its stakeholders. In credit transferred to third parties. Management will need to reporting this might be reflected in large shareholders Section III. The General Principles 34 GENERAL PRINCIPLES – that in many cases are also major users of the ser- 145. Predictability requires that rules be prospective, vice – imposing conditions that are disadvantageous to publicly available, clear, non-contradictory and rela- other independent users. For example, the latter might tively stable. While striving to be clear and precise with not be able to access some of the information available regard to key concepts, functions, or responsibilities, in the service providers, or may be able to do so only at laws and regulation should be written to accommodate an unreasonable price. evolving trends related to credit reporting without re- quiring frequent amendments. 143. Governance arrangements of the service provid- ers should mitigate such possibilities. One common formula consists of smaller shareholders or smaller The terminology used throughout the legal and service users having appropriate representation in the regulatory framework, including the rules and other decision-making bodies of the service provider. norms, should be consistent at the domestic level. Legal and regulatory 146. Key terms used in the credit reporting industry environment should have a unique meaning allowing participants and regulators minimum space for interpretation. Key General Principle 4: The overall legal and regu- terms such as “positive information” or “consent” are latory framework for credit reporting should be frequently misinterpreted by the various participants clear, predictable, non-discriminatory, propor- leading to inconsistencies and in general an inadequate tionate and supportive of data subject/consum- functioning of the legal framework.42 er rights. The legal and regulatory framework should include effective judicial or extrajudicial 147. Definitions should reflect the full scope of the is- dispute resolution mechanisms sue they intend to cover as in some cases very narrow definitions may be harmful. For example, when defin- ing the entities that are entitled to access credit report- Guidelines on clarity and predictability ing databases, using a narrow definition for “credit provider” could prevent some legitimate participants The legal and regulatory framework should be from accessing such databases. sufficiently precise to allow service providers, data providers, users and data subjects to foresee the consequences that their actions may entail. Public awareness of the laws and rules of credit reporting operations contributes to the clarity and predictability of the legal and regulatory framework. 144. Laws, regulations and the more specific rules de- rived from them should be specific and clear on all key issues, such as the types of data that can be and cannot 148. Dissemination of the legal and regulatory frame- be collected, what type of users can access the credit work is essential in order for credit reporting systems’ reporting databases and under what conditions, or the participants to be fully aware of their rights and ob- rules to deal with non-compliant behaviors, among others. 42 A glossary of key relevant terms is provided in the Annex 5 of this document for reference. GENERAL PRINCIPLES 35 Guidelines on non-discrimination Box 4: Summary of Reciprocity Data supplying and data access should be Principles in the UK established in a fair manner, responding to impartial rules regardless of the nature of the participants. Data shared only for the prevention of over-commitment, bad debt, fraud and money laundering and to support debt recoveryand debtor tracing, with the aim of promot- ing responsible lending. 150. Non-discriminatory refers to the legal and regula- tory framework being equally applicable to the vari- 1. Data provided for sharing purposes must meet legal, ous participants in credit reporting insofar as they are regulatory and voluntary code of practice require- providing equivalent services. This helps to promote ments before provision and in use. a level playing field that encourages competition on a fair and equitable basis. 2. Subscribers must use data only for purposes for which the required form of consent has been given. 151. In principle, all active users of data for lending purposes should be allowed to access credit report- 3. Data will be shared on the principle that subscribers ing databases. A possible exception to this general receive the same credit performance level data that they contribute, and should contribute all such data rule could be the case of some credit registries whose available. basic purpose is to support banking supervision and improve the availability and quality of credit data for 4. Data may be used or made available by the Credit supervised intermediaries - and that as a consequence Reporting Agencies (CRAs) only in ways permitted require data from, and provide access to regulated fi- by these Principles. nancial institutions only. 5. Subscribers must never use shared data to target 152. In many cases, access to the credit reporting data- any customers of other specific subscribers. bases is based on some degree of reciprocity between the data providers/users and the credit reporting ser- vice provider(s). The principles issued by the Steering Committee on Reciprocity43 (see Box 4) may serve as a reference in determining the extent to which reciproc- ligations and shape their conduct accordingly. Apart ity should be used as the guiding principle with regard from the laws and key regulations, the specific rules to granting access to the credit reporting databases. and internal norms that do not compromise intellec- tual property and trade secrets should also be available Obligations on data quality, security measures and to the general public as pertinent. consumer rights should be equally applicable to all credit reporting service providers, data providers 149. Proactive efforts should also be undertaken to dis- and users. seminate how certain rules and norms have been ap- plied or enforced in varying circumstances. 43 The Steering Committee on Reciprocity (SCOR) is a cross industry forum made up of representatives from credit industry trade associations and credit reference agencies in United Kingdom. Section III. The General Principles 36 GENERAL PRINCIPLES 153. To ensure consistent service levels throughout the the need that any penalties that are established be pro- credit reporting system, rules, regulations and pro- portional to the related offense. The industry should be cedures covering data quality, security measures and consulted to help ensure the proposed new regulations consumer rights should apply equally to all data pro- are proportionate and effective. viders, credit reporting service providers and users. 158. It is important to realize that public policy objec- 154. At the same time, the principles that support the tives being sought through new laws or regulations various participants having equal rights with regard may not always point in the same direction. Regulation to credit reporting (i.e. fair access) should correspond can be a significant barrier because of the costs of com- with principles setting equal obligations for each of pliance. However, to encourage competition among them. credit reporting service providers barriers to entering the market should not be excessively high. On the oth- 155. Nevertheless, the legal framework may be such er hand, other public policy objectives such as safety that some of these obligations are more closely related and efficiency require potentially burdensome regula- to one specific category of credit reporting system par- tion. Proportionality in this case would mean that any ticipants (e.g. data providers) than others (e.g. credit such inconsistencies are recognized and resolved in a reporting service providers or users). In such cases, way that, in the light of a country’s overall priorities, this might justify some differentiation of the obliga- achieves an appropriate balance. tions across categories of participants. Laws and regulations should be practical and Guidelines on proportionality effective as to ensure a high degree of compliance. The legal and regulatory framework should not be overly restrictive and burdensome relative to the 159. The legal framework should be designed to bal- possible issues it is designed to tackle. ance interests of the consumers/data subjects on one hand, and the objective of promoting credit infor- mation flows and innovation in the credit reporting 156. Proportionality of laws and regulations responds system. to three main characteristics: a) adequacy; b) necessi- ty; and c) non-excessiveness. In credit reporting, these 160. Introducing obligations that require extraordi- three aspects should be reflected in the legal and regu- nary efforts from credit reporting service providers or latory framework supporting the collection of credit other credit reporting participants may undermine the and related data from businesses and individuals, and efficient provision of the service and might negatively the use of such data. affect the development of comprehensive credit re- porting systems. Therefore, it is important that any law 157. When designing new laws or regulations, or or regulation balances the benefits of increased safety amendments to the existing ones, regulators should or consumer protection against the potential costs in carefully weigh the intended benefits with the poten- terms of lost efficiency, competition and innovation. tial negative consequences such new rules may have on the credit reporting system as a whole. This includes GENERAL PRINCIPLES 37 161. Proportionate regulation is likely to be more effec- 163. Data subjects should be informed of the condi- tive in the sense that all types of participants in a credit tions of collection, processing and distribution of reporting system are more likely to observe it. Setting data. They should be provided with sufficient and costly and/or overly sophisticated requirements to all understandable information to enable potential data participants regardless of their size or nature (e.g. re- access and data challenge under user-friendly mecha- quiring a minimum number of staff or departments in nisms and reasonable costs. Additionally, data subjects the organization, or minimum size of premises) may should be cognizant of the various credit reporting result in participants simulating compliance when this service providers that operate in their country. is clearly not the case. iii) the right to access data held about them periodically at little or no cost: Guidelines on consumer rights and data protection 164. Data subjects should be able to access data held about them periodically at little or no cost. Extended Rules regarding the protection of data subjects/ practice is to provide data subjects, at their request, consumers should be clearly defined. At the with a copy of reports about them at no cost once a minimum these rules should include: (i) the right to year or in the event of an adverse action. object to their information being collected for certain purposes and/or used for certain purposes, (ii) the iv) the right to challenge the accuracy of information right to be informed on the conditions of collection, about them: processing and distribution of data held about them, (iii) the right to access data held about them 165. The legal framework should ensure that credit periodically at little or no cost, and (iv) the right to reporting service providers and data providers adopt challenge accuracy of information about them. clear, effective and streamlined procedures and tools to support data subjects that wish to challenge errors in the databases. A common approach to this matter i) the right to object to their information being collected by all service providers and data providers in a given for certain purposes and/or used for certain purposes: jurisdiction is highly desirable. 162. Credit reporting systems should serve banking supervision and credit decision purposes. There are The legal and regulatory framework for credit other potential uses of personalized data in the system reporting should address all relevant issues related (e.g. employers using the data to decide whether or not to data subjects’ privacy, especially if such issues to hire an individual) which could require consent by are not covered by a personal data protection law or data subjects, though such need for consent should be other similar law. analyzed together with other variables such as suitabil- ity, necessity and non-excessiveness. 166. Because data subjects are not parties to the con- ii) the right to be informed on the conditions of col- tract between credit reporting service providers and lection, processing and distribution of data held about data providers, domestic laws should ensure that data them: subjects’ rights are adequately safeguarded. In the ab- Section III. The General Principles 38 GENERAL PRINCIPLES sence of a general privacy or data protection law, or 169. Other alternative (i.e. extra-judicial) dispute res- other specific provisions related to credit reporting, olution mechanisms such as arbitration, mediation credit reporting service providers and data providers or the existence of a supervisory authority playing a may not be legally bound to observe the minimum neutral role between the parties involved in a dispute set of rights as described in the previous guideline. should also be encouraged. These mechanisms should Therefore the legal framework covering credit report- ensure impartiality, effectiveness (i.e. designated me- ing activities should consider these needs and address diators should be adequately skilled), and should keep them effectively. procedural requirements to the minimum. 170. When the legal framework provides for a specific Guidelines on dispute resolution judicial mechanism for solving disputes involving data in credit reporting systems, it is important that this The process for solving disputes should be mechanism operates efficiently and fairly in practice. established in the law(s) governing credit reporting activities or in substantive regulations when such laws do not exist. Credit reporting service providers and data providers should flag to all users cases where data subjects are involved in a dispute with the data provider in 167. Judicial systems are frequently costly and exces- connection with the subject’s data. sively burdensome for consumers/data subjects when dealing with disputes concerning data held on them. Therefore, the legal framework should provide for al- 171. The flag can consist of a simple mark indicating ternative mechanisms to solve such disputes in an ex- the existence of the dispute. This flagging should be peditious and less costly manner. available to all users accessing the data subjects’ report. 168. As a first instance, in many jurisdictions the legal 172. In general terms, a flagged report should not be framework requires credit reporting service providers perceived per se as a negative sign of consumer behav- to create an in-house dispute resolution mechanism – ior. However, it should be noted that some disputes sometimes referred to as an in-house consumer satis- might not be based on legitimate claims. faction system. This mechanism has proved useful to expedite the dispute resolution process as the data pro- 173. Sometimes data might not be incorrect per se (e.g. vider is closest to the data subject and, hence, is cogni- there is in fact a non-payment). There might be ongo- zant of the issue underlying the dispute. To be effective, ing disputes on a related service (e.g. the merchandise the in-house mechanism should be transparent, ad- related to a loan was not delivered), which once solved here to specific deadlines, easily accessible and should could change the content of the report. describe with precision the different actions that a data subject should take to dispute an error related to its records (e.g. where and how to present the claim, po- Credit reporting service and data providers should tential costs, timelines and expected outcome). cooperate in reaching an expeditious solution to disputes. GENERAL PRINCIPLES 39 174. Data providers in particular should duly inves- Guidelines on pre-conditions for cross-border tigate potential errors in data and correct them as credit data transfers quickly as possible before informing back to the credit reporting service provider/s about the result of the in- The feasibility or desirability of cross-border vestigation. Credit reporting service providers should data transfers should be based on a cost-benefit act promptly and inform recipients of the relevant re- analysis that considers market conditions, the level ports that an error has been corrected. of economic and financial integration, legal and regulatory barriers, and participant needs. ❖The legal framework should provide suitable enforcement mechanisms, including redress for data 177. As a result of cross-border businesses, migration subjects harmed. and other factors, businesses entering a new country and individuals that have changed their country of res- idence will most likely need to establish a relationship 175. Consumers/data subjects should be entitled to with a local financial entity. It is also possible that some redress based on the harm suffered from the error. It businesses and individuals in the above-mentioned should be noted, however, that quantifying the dam- scenario will continue to use financial services from ages and the corresponding compensation is difficult entities based in their home country. to do in practice. 178. In regions or economic blocks characterized by a 176. Errors can occur at different stages of the data strong financial and economic integration, authorities chain. Liability should be assigned based on the source may even wish to establish as a policy objective that of the error. For example, users of data should not be businesses and nationals of the block receive financial liable for errors that originated with the data provider services under similar conditions within the block, re- or the credit reporting service provider. Therefore, it gardless of the specific country they reside in at any is very relevant to investigate the specific step where given moment in time. This may require, for instance, the error occurred so that liabilities can be properly that credit reports become available and portable assigned. across countries. 179. In yet some other cases, a credit reporting system Cross-border data flows may only be viable when used by two or more coun- tries, which, due to market size limitations, would not General Principle 5: Cross-border credit be able to support such a system on an individual basis. data transfers should be facilitated, where ap- 180. Examples like these reflect the fact that cross- propriate, provided that adequate requirements border data transfers may be a useful, or even neces- are in place sary, instrument to facilitate the provision of credit and other financial services, as well as for banking super- visory purposes. However, given the complexity of any cross-border activity, including but not limited to legal and regulatory aspects, differences in consumer pro- tection frameworks, infrastructure, the diverse nature Section III. The General Principles 40 GENERAL PRINCIPLES of the institutions involved and thus the potential for Guidelines on requirements for cross-border conflicting interests, the uncertainty about the scale of credit data transfers future data flows and others, it is important that there is a careful analysis of whether the likely benefits will ❖When cross border credit data transfers occur, the justify the costs. potential sources of risks that can arise should be identified and appropriately managed. 181. Sometimes such initiatives may be undertaken by the market itself, while in other cases supervisory authorities might be the key promoters to properly 184. When there is a direct link between credit report- discharge their supervisory obligations in connection ing service providers in different jurisdictions, the with cross-border banking and lending activities. cross-border mechanism is subject to practically the same risks as the domestic ones (i.e. operational, legal, and reputational risks). Hence, the parties involved Standardization of data formats and procedures should adopt governance and control measures equiv- should be fostered to facilitate cross-border credit alent to those that are applicable to any given domestic data transfers. credit reporting service provider, as described under General Principle III. 182. Even without direct cross-border links between 185. Even when there is no direct cross-border link credit reporting service providers, standardized for- between systems, cross-border data transfers or ex- mats can do much for creditors and supervisors alike. changes will still entail several operational, legal and As discussed under General Principle 1, the use of reputational risks. The difficulty in identifying, un- standardized formats is probably as important for data derstanding and managing the new risks might even accuracy purposes as having standard procedures for be greater given the inherent complexity in trying to the collection and updating of data. comply with an expanded, or possibly even conflicting, set of laws, regulations and other rules. 183. The standardization of data content and data 186. When a single credit reporting service provider formats, at least with respect to what are considered services two or more countries, it is likely that the data mandatory inputs, among credit reporting systems in collected from multiple countries will be stored in a different jurisdictions is a necessary element to ensure single repository located in a specific country. Likewise, consistency in cross-border credit or supervisory as- the information stored in the repository would be sent sessments. Standardization can also reduce expensive across several jurisdictions. Such a model might entail manual intervention necessary to “translate” a format specific operational and legal risks. used in a given jurisdiction into the one that can be used by creditors and supervisors in other jurisdictions. There should be a framework for cooperation and coordination between the relevant regulators and overseers. GENERAL PRINCIPLES 41 187. In general, cross-border activities and initiatives should collect consent for collecting, storing and dis- require a high level of bilateral (or possibly multilater- tributing data from data subjects. al) cooperation on technical, regulatory and oversight matters. Regulators and overseers will naturally be in- 190. Once they have the data, data providers should terested in credit reporting service providers and users take all the necessary provisions to safeguard it, as ex- observing all applicable laws, regulations and rules in plained under General Principle II. the relevant jurisdictions. But, as mentioned earlier, it could also be the case that regulators themselves will 191. Data providers must abide by the credit report- be the users and/or providers of cross-border credit ing system’s rules on data updating. Notwithstanding data transfers (e.g. for banking supervision purposes). the minimum standards on this matter, data provid- ers should aim at reporting any new data immediately 188. A framework for cooperation and coordination upon receipt of the same. is therefore a useful tool to ensure a common under- standing of the relevant issues and problems, as well 192. With regard to the error correction process, it as to discuss, propose and eventually develop solu- should be noted that data providers are closest to data tions. An initial framework for cooperation typically subjects than any other participant in a credit report- consists of periodic (e.g. annual or semi-annual) meet- ing system. In most cases, data providers would also ings between the parties. In many cases, the latter be aware of the issue(s) involving allegedly errone- evolves into more formal forms of cooperation, like a ous data. Data providers are therefore expected to act Memorandum of Understanding (MoU) between two diligently in addressing disputes (including a timely or more parties in order to, for example, secure regular reporting of the dispute to credit reporting service exchanges of information, or joint task forces to ad- providers), and, if applicable, in correcting the infor- dress specific issues. mation as required. 193. Data providers should not discriminate among 3.3. The Roles of Credit credit reporting service providers as established by Reporting System General Principle I. Participants 194. If a data provider is also a user of the informa- Role A: Data providers should report accurate, tion in a credit reporting system, it should also observe timely and sufficient data to credit reporting Role D. service providers, on an equitable basis. 189. The first responsibility of data providers is to en- sure that the information they collect from their cus- Role B: Other data sources, in particular public tomers (e.g. as part of the loan-underwriting process) records agencies, should facilitate access to is accurate and complete. They should also ensure that their databases to credit reporting service data subjects are duly aware of their responsibility to providers. provide accurate information and that the information they have provided can be distributed to third parties. 195. Public records agencies can make a significant If required by law and/or regulation, data providers contribution to a credit reporting system by system- Section III. The General Principles 42 GENERAL PRINCIPLES atizing their records, transforming them into full-scale set of policies and rules dealing with information col- databases that can be efficiently accessed with modern lection, consultation and distribution, and safe and re- tools and technologies. liable IT systems, among other elements. The General Principles, particularly GP1, GP2 and GP3, provide a 196. Since proper identity matching is crucial in credit broad road map for credit reporting service providers reporting, public agencies in charge of identity reg- aiming at providing levels of service that are consistent istries (individuals and businesses) should facilitate with the needs of users. access to such registries to credit reporting service providers. 201. User needs evolve over time. Because of competi- tive pressures, users are increasingly demanding new 197. In their role as information repositories, public products and solutions to enable them to better as- records agencies should also observe the guidelines sess risks in a consistent, systematic and cost-effective for information security described under General manner. Credit reporting service providers must be Principle II, regardless of the level of automation of prepared to meet those needs by making available a their processes. menu of value added services beyond standard credit 198. As it is the case with data providers, public re- reports. cords agencies are usually the first link in the chain for addressing data disputes. Therefore, relevant public 202. Credit reporting service providers should con- records agencies, especially those that gather informa- tribute to a level playing field in the credit and other tion directly from the public, should cooperate in the financial markets. All users of credit reporting services data dispute resolution process on similar terms to (e.g. those involved in supervisory activities or with a those established for data providers under Role A. lending function) should be able to access the related services under equitable conditions.44 In that sense, 199. Some public records agencies are active suppli- credit reporting service providers should avoid using ers of data to the credit reporting system, rather than pricing policies or any other method that favors a par- passive information repositories. Public records agen- ticular group of users over others with no reasonable cies falling in this sub-category are also expected to basis. observe the other aspects described for data providers under Role A. Role D: Users should make proper use of the information available from credit reporting ser- Role C: Credit reporting service providers vice providers. should ensure that data processing is secure and provide high quality and efficient services. 203. If and when required by law or regulation, users All users having either a lending function or a should get consent from data subjects to access infor- supervisory role should be able to access these mation stored in credit reporting databases. Users are services under equitable conditions 44 In the case of credit registries there are some possible exceptions. Many credit registries would only provide access to regulated financial institutions. 200. To a large extent, high quality and efficient ser- Other databanks operated by central banks or other financial supervisors might vices will be the result of good governance, adequate be intended solely for banking supervision purposes rather than to support lend- risk management and internal controls, an appropriate ing or other related decisions, and therefore might not provide access at all to any outside party. GENERAL PRINCIPLES 43 also responsible for maintaining required confidential- parties, such as the erroneous association of data with ity over any data accessed by them. At the same time, an unrelated data subject. users should not use the data for purposes other than those specified by the law. 208. Data subjects should take advantage of the mech- anisms provided by the credit reporting system to ver- 204. Users should adopt and enforce proper security ify the information stored in the latter. No other party measures to safeguard the data/information. should be more interested in that the data is accurate and updated than the data subject itself. 205. With regard to the actual use of the information and data available from credit reporting services, while different users will have different credit underwriting Role F: Authorities should promote a credit policies it should be recognized that credit reporting reporting system that is efficient and effective in information is typically only one of the inputs to be satisfying the needs of the various participants, used as part of a credit assessment. Therefore, credit and supportive of data subject and consumer decisions, either approvals or denials, should not be rights and of the development of a fair and based solely on the past credit history of applicants as competitive credit market. reflected in a typical credit report, a credit score or oth- er similar credit reporting products. Users should train 209. Where implementation of the General Principles their personnel on the adequate use of these tools. and related roles involves multiple domestic authori- ties, public policymakers should ensure that domestic 206. In case an adverse action against a particular debt- policies are coordinated and that the authorities coop- or is taken (e.g. loan denial, a higher interest rate is erate at the policy and implementation levels. A system charged), users must inform the debtor in case such overseer charged with the responsibility of promoting an action was motivated by information contained in the appropriate development of the credit reporting a credit report or other credit reporting value-added system as a whole, for which purpose it would act as products. the coordinator of the various authorities, has proved to be an effective solution in other elements of finan- cial infrastructure. Role E: Data subjects should provide truthful and accurate information to data providers and 210. Authorities should avoid distortions in the credit other data sources. reporting system, which may translate into an unlev- el playing field or result in inefficiencies in the credit 207. Data subjects should be conscious that the infor- market. mation they provide as part of loan applications can be distributed to other parties, and that providing wrong- 211. To accomplish their policy goals, authorities will ful, incomplete or inaccurate data (e.g. wrong identifi- typically have at their disposal a variety of policy tools, cation number) might eventually become an element depending on the specific powers vested in them. The for credit denial. Moreover, careless completion of ap- tools range from dialogue and moral suasion, to more plication forms leading to the provision of inaccurate interventionist ones like regulations and sanctions. data might have unintended consequences on other Section III. The General Principles 212. To ensure the accomplishment of policy goals, authorities might also consider participating in the de- cision-making body of a credit reporting service pro- vider. This could be especially relevant in cases where that credit reporting service provider is the only real alternative in the market place and this situation can- not be offset otherwise. 213. In cases where a given authority operates a cred- it bureau or credit registry, then that same authority should not be charged with regulatory responsibility over the credit reporting system, unless the operation- al and regulatory functions within the given authority are clearly separated. 214. In cases where cross-border credit reporting ac- tivities are relevant or are expected to become relevant in the foreseeable future, the authorities of the corre- sponding jurisdictions should cooperate in order toen- sure that such cross-border activities will also observe the General Principles. 215. Section 4 of this Report provides recommenda- tions for the implementation of an effective oversight framework for credit reporting systems. SECTION IV Recommendations for Effective Oversight of Credit Reporting Systems 51 45 216. The following are some recommendations for • Appropriate authorities such as a central bank, establishing a proper oversight framework for credit financial regulator, or other relevant body should reporting systems.46 oversee credit reporting systems that are identified using such criteria. Oversight Recommendation A: Regulation and • One or more authorities should be appointed oversight of credit reporting systems as primary overseer. Such authority(ies) should coordinate its/their oversight actions with other Credit reporting systems should be subject to relevant authorities. appropriate and effective regulation and oversight by a central bank, a financial supervisor, or other 217. Credit reporting systems should be regulated and relevant authorities. It is important that one or more overseen by a central bank, financial supervision, or authorities exercise the function as primary overseer. other authority. The division of responsibilities among authorities for regulating and overseeing credit report- ing systems varies depending on a country’s legal and Key considerations institutional framework. Sources of authority and ap- proaches to regulation and oversight may take differ- • Authorities at the national level should identify ent forms. For example, an authority may have regula- credit reporting systems that should be subject to tory and oversight responsibility for a credit reporting regulation and oversight using publicly disclosed system provider registered, chartered, or licensed as an criteria. entity that falls within a specific legislative mandate. Credit reporting systems also may be overseen by an authority that exercises customary or other forms of responsibility for oversight that does not derive from 45 The oversight section benefited from a number of documents developed in the payment system space, in particular, Committee on Payment and Settlement a specific legislative mandate. Relevant authorities Systems (CPSS), 2001, Core Principles for Systemically Important Payment should address any existing gaps in regulation or over- Systems, BIS; CPSS, 2005, Central Bank Oversight on Payment and Settlement Systems, BIS; and the discussions surrounding the revision of the CPSS-IOSCO sight of credit reporting systems through coordination standards on Financial Market Infrastructure, to be released in mid-2011. with relevant legislative body to implement statutory 46 This framework is based on the framework defined in other areas of financial infrastructure, namely the payment and settlement systems. 45 46 GENERAL PRINCIPLES changes, where possible, or through other capabilities, ence to relevant regulations and policies, including the including moral suasion. rules, procedures, and risk-management controls; iii) various functions, activities, and overall financial con- dition; iv) the impact of any given credit reporting sys- Oversight Recommendation B: Regulatory and tem participant in the financial system and the broader oversight powers and resources economy. Such information can be obtained through regular or ad hoc reports, on-site visits, inspections, Central banks, financial supervisors, and other dialogue with board members, management, inter- relevant authorities should have the powers and nal auditors or other system participants. Authorities resources to carry out effectively their responsibilities should have appropriate legal safeguards to protect all in regulating and overseeing credit reporting non-public confidential information obtained from systems. credit reporting service providers and data providers. Authorities, however, should be able to share relevant confidential, non-public information with other rel- Key considerations evant authorities, as appropriate, to minimize gaps in regulation or oversight. • Authorities should have powers or other capacity consistent with their relevant oversight 220. Authorities also should have appropriate powers responsibilities, including the ability to obtain and tools to induce change in a credit reporting system information and induce change. that is not complying with relevant regulations or poli- cies. Tools that could be used to effect change vary sig- • Authorities should have sufficient resources to fulfill nificantly, from dialogue and moral suasion to explicit their regulatory and oversight responsibilities. statutory powers that enable the authority to enforce regulatory and oversight decisions. Discussions with 218. Central banks, financial supervisors, and in some credit reporting system participants play an impor- cases other authorities (e.g. Ministry of Finance) gen- tant part in achieving regulatory and oversight objec- erally share the common objective of ensuring the tives. In many cases, an authority may be able to rely safety and efficiency of credit reporting systems. The on moral suasion in discussing public policy interests primary responsibility for ensuring a credit report- with credit reporting system participants and in car- ing system’s safety and efficiency, however, lies with rying out its regulatory and oversight responsibilities. the system’s owner, designer, and operator. Regulators Moral suasion, however, works best when there are and overseers should have the appropriate powers and credible regulatory or other legal remedies available to resources in order to administer their regulatory and the relevant authorities. Where appropriate, authori- oversight responsibilities effectively. ties may want to consider publicly disclosing their as- sessments of certain credit reporting systems. 219. Authorities should have appropriate powers or other capacity to obtain timely information necessary 221. In promoting effective regulation and oversight, for effective regulation and oversight. In particular, rel- authorities should have sufficient resources to carry evant authorities should have access to: i) information out their regulatory and oversight functions, includ- that enables them to understand and assess the risks ing adequate funding, qualified and experienced staff, borne or created by credit reporting systems; ii) adher- and appropriate and ongoing training. In addition, au- GENERAL PRINCIPLES 47 thorities should adopt an organizational structure that authority’s objectives, roles, regulations, and poli- allows these resources to be used effectively. It should cies provide a basis for consistent policymaking and be clear where the responsibility for regulatory and a benchmark by which the authority can evaluate its oversight functions lies within a relevant authority. effectiveness in achieving its objectives. Typically, the Regulatory and oversight functions may include gath- primary objectives of an authority with respect to ering information on credit reporting systems, assess- credit reporting systems are to promote their safety ing their operation and design, taking action to pro- and efficiency. The objectives of an authority are usu- mote observance of relevant policies and standards, ally implemented through specific policies, such as and conducting on-site visits or inspections when nec- minimum standards or expectations. The objectives, essary. Where relevant, staff should have appropriate roles, and policies of an authority should be consis- legal protections in carrying out their responsibilities. tent with the legislative framework for the authority. In many countries, authorities may find it beneficial to consult with key stakeholders and/or the broader Oversight Recommendation C: Disclosures of public regarding their objectives and policies. In many objectives and policies with respect to credit countries, such consultations may be required by law. reporting systems 223. Authorities should publicly disclose their regu- Central banks, financial supervisors, and other latory and oversight objectives, roles, regulations, relevant authorities should clearly define and and policies with respect to credit reporting systems. disclose their regulatory and oversight objectives, Public disclosure promotes a transparent policy envi- roles, and major regulations and policies with ronment and consistency in regulation and oversight. respect to credit reporting systems. Such disclosures typically communicate an authority’s regulatory and oversight principles, which facilitates compliance with applicable policy requirements and Key considerations standards. Furthermore, public disclosures communi- cate the roles and responsibilities of authorities to the • Authorities should clearly define their regulatory wider public and promote the accountability of rel- and oversight objectives, roles, regulations, evant authorities. These disclosures, however, do not and policies to set clear expectations for credit shift the burden of responsibility from credit report- reporting systems and facilitate compliance with ing system participants to authorities in ensuring the applicable policy requirements and standards. safety and efficiency of the system. Authorities should emphasize that primary responsibility for comply- • Authorities should publicly disclose their ing with the regulatory and oversight principles rests objectives, roles, regulations, and policies to with the specific credit reporting system participants provide accountability in the exercise of regulation themselves. and oversight of credit reporting systems. 224. Authorities can publicly disclose their objectives, 222. Central banks, financial supervisors, and other roles, regulations, and policies in a variety of forms. relevant authorities should clearly define their regula- These forms include plain-language documents, pol- tory and oversight objectives, roles, regulations, and icy statements, and relevant supporting material. The policies with respect to credit reporting systems. An mechanism for disclosing these documents or state- Section IV. Recommendations for Effective Oversight for Credit Reporting Systems 48 GENERAL PRINCIPLES Box 5: Principles for International Cooperative Oversight The principles below in no way prejudice the statutory or other responsibilities of authorities participating in a cooperative arrange- ment. Rather, they are intended to provide a mechanism for mutual assistance among authorities in carrying out their individual responsibilities in pursuit of their shared public policy objectives for the efficiency and stability of credit reporting arrangements. Cooperative oversight principle 1: Notification The primary overseer(s) of a jurisdiction that has identified the actual or proposed operation of a cross-border credit reporting system should inform other countries’ authorities that may have an interest in the prudent design and management of the system. For the purposes of deciding whether or not to set up a cooperative oversight arrangement, the authorities to be informed of the existence of the system, or the proposal to create the system, will normally include those where the main operations of the system are located. These authorities should, in turn, seek to inform any other domestic authorities that may have an interest in the pru- dent design and management of the system. In the case of a major system that is already in existence and which serves multiple jurisdictions, this principle could be met by requiring the system itself to inform the relevant authorities or to publicly disclose its cross-border activities in a way that meant they were transparent to the relevant central authorities. Financial supervisors and Central banks which have the relevant powers may also find it useful to require financial institutions to report their provision of or participation in any cross-border system. Cooperative oversight principle 2: Primary responsibility Cross-border credit reporting systems should be subject to oversight by authorities which accept primary responsibility for such oversight, and there should be a presumption that the primary overseer where the system is located will have this primary respon- sibility. One of the authorities in the cooperative arrangement should, by mutual agreement, have primary responsibility for oversight of the system (“the authority with primary responsibility”). The acceptance by a central bank of primary responsibility means that it agrees to carry out the role set out in Cooperative oversight principle 3. It does not prejudice the ability of other authorities to fulfill their individual responsibilities and does not represent any delegation of responsibility to the authorities with primary responsibility from the other authorities. The authority with primary responsibility needs to be able and willing to carry out the agreed role. Determination of which author- ity is best placed to carry out the role involves consideration of a range of factors including the oversight powers available to that authority, the relevance of the overseen system to local financial markets and the authority’s capacity to carry out effective oversight. These criteria are often fulfilled best by the primary overseer where the system is located (in terms of incorporation, management and operations) and thus there is a presumption that this authority bank will have primary responsibility. However, it could be agreed that another authority will have the primary responsibility. This flexibility enables an effective oversight framework to be created in many circumstances, for example if the system has little importance in the country where it is located or if it is located in more than one country. GENERAL PRINCIPLES 49 Box 5: Principles for International Cooperative Oversight (continued) Cooperative oversight principle 3: Assessment of the system as a whole In its oversight of credit reporting systems, the authorities with primary responsibility should periodically assess the design and operation of the system as a whole. In doing so it should consult with other relevant authorities. A key element of the role of the authority with primary responsibility is to carry out periodic comprehensive assessments of the design and operation of the system as a whole on the basis of agreed policies and standards, including the General Principles for credit report- ing systems. In carrying out the assessments, the authority with primary responsibility should actively solicit the opinions of the other authorities in the cooperative arrangement, recognize their interests and concerns through a process of consultation, and draw on their expertise where relevant. The authority with primary responsibility has several other functions relating to the cooperative oversight arrangement, including (1) organizing an effective, efficient and clear process for cooperation, (2) facilitating the distribution of the information needed to satisfy the respective responsibilities of the central banks and other authorities in the arrangement, (3) seeking agreement on the policies and standards to apply in carrying out the assessments, (4) seeking consensus on issues of common interest related to risks and risk management of the system, (5) providing effective communication and coordination in both routine and stressful situations involving the system, and (6) when appropriate, using its powers and influence over the system to induce necessary change. To avoid duplication, inconsistencies or gaps in oversight, all authorities in the cooperative arrangement should agree on their respon- sibilities and expectations, for example in a memorandum of understanding (MoU) or similar document. It is particularly important to be clear about the objectives of the cooperative oversight, the policy requirements and standards against which the system will be assessed, the scope and frequency of the information to be shared, and the procedures for assessing the system. Cooperative oversight principle 4: Unsound systems In the absence of confidence in the soundness of the design or management of any cross-border credit reporting system, authorities should, if necessary, discourage use of the system or the provision of services to the system, for example by identifying these activities as unsafe and unsound practices In the course of their consultations, relevant authorities should endeavor to ensure the prudent operation of the cross-border systems on terms acceptable to them. However, if this is not possible in some cases, it is clear that authorities must maintain its discretion to discour- age the use of a system or the provision of services to a system, if, in their judgment, the system is not prudently designed or managed. Section IV. Recommendations for Effective Oversight for Credit Reporting Systems 50 GENERAL PRINCIPLES ments should ensure they are readily available, for ex- systems. Consistent application of standards is impor- ample, by posting them to a public website. tant because different systems may be dependent on each other, or in direct competition with each other, or both. Where central banks or other authorities them- Oversight Recommendation D: Application selves own or operate key components of credit report- of the General Principles for credit reporting ing systems, they should apply the same international systems standards. Central banks or other authorities can fur- ther promote consistency, as well as transparency, by Central banks, financial supervisors, and other disclosing the policies applicable to the systems they relevant authorities should adopt, where relevant, own or operate. Further, clarification of the central the General Principles for credit reporting systems bank’s or other authorities’ oversight and operational and apply them consistently. functions including an appropriate level of separation between them, where appropriate, helps ensure consis- tent application of the principles. Key considerations • To establish key minimum standards, authorities Oversight Recommendation E: Cooperation should adopt the General Principles for credit among authorities reporting systems, providing a consistent regulatory and oversight framework within and Central banks, financial supervisors, and other across national and regional jurisdictions relevant authorities, both domestic and international, should cooperate with each other, as appropriate, in • Authorities should ensure that the General promoting the development, safety and efficiency of Principles and related roles are applied consistently credit reporting systems. to all credit reporting system participants. 225. Central banks, financial supervisors, and other Key considerations relevant authorities can enhance their regulation and oversight of credit reporting through the adoption of • Authorities should cooperate with each other, as the principles, guidelines and roles presented in this appropriate, to support more efficient and effective report. These standards draw on the collective experi- regulation and oversight of credit reporting ence of many authorities and industry representatives systems. and have been subject to public consultation. They also represent common interests which make it easier • Authorities should adopt current and evolving for different authorities to work cooperatively and en- best practices on international cooperative hance the effectiveness and consistency of regulation arrangements. and oversight. 227. Central banks, financial supervisors, and other 226. Authorities should strive to apply these prin- relevant authorities should cooperate with each other, ciples consistently across jurisdictions (including as appropriate, to support the mutual objectives of across borders) and similar types of credit reporting safe and efficient credit reporting systems, particu- GENERAL PRINCIPLES 51 larly those conducting business in multiple jurisdic- tions. Cooperative arrangements provide a mechanism whereby the individual responsibilities of the authori- ties of credit reporting systems can be fulfilled more efficiently and effectively through mutual assistance. Cooperative arrangements should be addressed in a way that delivers regulation and oversight consistent with each relevant authority’s responsibilities and minimizes the duplication of effort and the burden on credit reporting system participants. Cooperation should also help avoid inconsistency in policy ap- proaches and reduce the probability of gaps in regula- tion and oversight that could arise if authorities acted independently of each other. Cooperative arrange- ments, however, should be consistent with an author- ity’s statutory powers and other legal frameworks. 228. Cooperative regulatory and oversight arrange- ments for systems that have important cross-border links or serve multiple jurisdictions will need to in- volve a formal arrangement because of the involve- ment of non-domestic authorities. The case of cross- border data transfers is covered in the discussion under General Principle 5. A credit reporting system that operates across borders and serves more than one jurisdiction should be subject to day-to-day regulation and oversight by an authority that accepts primary re- sponsibility, although that could potentially be supple- mented by a committee of regulators and overseers. In most cases, the primary regulator or overseer is the relevant authority where the credit reporting system is located, as it has the authority to provide effective reg- ulation and oversight and the relevant local market ex- perience. Where necessary, the primary regulatory or overseer should organize an effective process for coop- erating and consulting with other relevant authorities to seek consensus on common issues and keep each other informed of developments related to the credit reporting system. The following box presents some principles for international cooperative oversight. Section IV. Recommendations for Effective Oversight for Credit Reporting Systems 52 GENERAL PRINCIPLES Annex 1: Information Cycle for the Creation of a Credit Report Credit reports and related value added services and products are the result of a combination of data pieces which, when put together in structured manner, become useful information for creditors in order to make lending decisions. This annex explains in detail the main elements and steps necessary for the creation of a credit report. First Step: Data Collection Information is collected from each data provider according to a specific template or form containing all the relevant fields necessary for the elaboration of a credit report. At the minimum, this form would contain identification data, including those that would be helpful to uniquely identify data subjects; variables of interest regarding credit account information and the history of enquiries related to that account. Too often a poor form design interferes with proper capturing of data. As an example of a bad design, the word “NAME” followed by a line leaves sufficient room for very different responses: nicknames, formal names, no initials, titles, and so on. The data format is frequently designed jointly by users and service providers. In the United States, the “credit reporting agencies” (CRAs) developed a specific format, called METRO 2, and encourage all parties contribut- ing data to the CRAs in the country to use this format for consistent reporting. Since each piece of information should be placed in the adequate field to make the resulting information meaningful across organizations, it is particularly relevant that all participating organizations have harmonized rules for completing the fields Ensuring a timely and systematic data contribution/updating is also crucial. Data providers generally supply data on a monthly basis as the frequency tends to be related to the billing cycles or installment payments due. In most devel- oped markets, some data providers do provide/update data on a weekly basis and even on a daily basis.47 Data can be provided through different methods, including on–line electronic data transfers through the Internet or a dedicated connection, or the physical delivery of tapes and magnetic disks. Many data providers commonly consider more than one way to provide the information in case the primary method is not available. Data security is a crucial part of this step as there are several risks associated with data handling and transferring which may end up in data mishandling, misplacement or unauthorized access. Data providers and credit reporting service providers frequently agree on terms to mitigate these risks (e.g. data encryption). Many credit reporting service providers also collect information from other data sources, mainly public records, as referred to throughout this report. In these cases it is typically the credit reporting service provider who proactively collects the data from the public sector agency or agencies holding those records. 47 In the U.S. credit reporting agencies collect data every month, and they typically update their credit records within one to seven days after receiving new information (Avery et al. 2004, 298). GENERAL PRINCIPLES 53 Figure 4: Data Sources for Credit Reporting A credit report is built on data provided by different sources, the figure below shows the sources of each of the type of data of a credit report. Data subjects and creditors both contribute data related to the credit account. Data on enqui- ries is generated by the credit reporting service provider based on enquiries made by users on a specific data subject. Data on collections is mostly provided by either collection agencies or creditors themselves. Finally there is a group of other sources which contribute data and do not necessarily use the system (e.g. most government agencies). Second Step: Data validation In order to validate the authenticity, completeness, consistency and accuracy of data received from data providers and other data sources, credit reporting service providers apply a number of techniques and processes conducive to pre- venting errors and enhancing data quality at data gathering. Techniques may include digit checking, data monitoring, double keying, checking allowable ranges of values for a field and hash totals. All these processes are typically run by the credit reporting service provider, with no intervention from the data provider unless the file is rejected for incon- sistencies found, large number of errors or other similar reasons. In such cases, it is common for service providers to Annex 1 54 GENERAL PRINCIPLES send back to each data provider an error file with a description of the errors found in their respective files, prompting them to review the files and send back a corrected one. Third Step: Data dissemination Once data is cleaned and organized in a structured manner, it is presented to users according to their interests. The most common form of showing the data is on the form of a credit report that includes a summary of the data subjects’ account, detailed information of each line and a history of the payment performance for the past 24 months. Users can also sign up for additional services (see discussion on value added services below). The most frequent means of accessing credit reports is through on-line electronic data transfers. Frequently, credit reporting service providers offer users a 24/7/365 access to the credit reporting databases. This capability depends very much on the type of connectivity between the service provider and the final users, as well as on the technologi- cal capacity of the service provider to process concurrent requests from a large number of users, including multiple sub-users from the same user. Value-added services The quality and quantity of historical data available are the most important factors to determining what type of value added services can be developed by the credit reporting service provider. In the absence of positive data only a limited number of value added services can be developed. Although value-added services continue evolving as needs grow in different areas, the most common services available include the following: (i) credit scoring; (ii) anti-fraud tools; (iii) portfolio monitoring services; (iv) debt collection services; and (v) marketing services. Value-added services such as scoring models built with sufficient data including negative and positive tend to be more predictive than those built only with negative data. Anti-fraud products are developed using data from applications and other data sources in addition to credit account data. Debt collection and marketing oriented products and services rely extensively on geo-demographical data such as a compilation of addresses of the debtor or applicant and recent enquiries regarding specific financial products among types of data. It is current practice that credit registries do not develop value-added services. GENERAL GUIDELINES 55 Annex 2: Basic Existing Models of Credit Reporting Services 1. Credit Registry In this model, banks and other regulated financial institutions act as data providers, sending data to the credit reg- istry, generating a database where information from all creditors is centralized. Most likely the database will be ad- ministered by the central bank, or in some cases another financial sector supervisory authority, that also sets data requirements to be fulfilled by regulated institutions. Once the data is cleaned and organized -including in some cases a classification of debt according to pre-defined rules-, this is made available to regulated financial institutions, which then become also the users of the service. This information is used by regulated financial institutions and also by other units within the central bank or financial supervisory authority, including mainly the banking supervision and statistics units. Data subjects may also access the information and request the correction of erroneous personal data. It should be noted that data subjects are not able to access and dispute errors regarding information collected exclusively for supervision. Figure 5: Typical Model of a Credit Registry Banks/ Other Regulated Financial Institutions Annex 2 56 GENERAL PRINCIPLES Figure 6: Typical model of a credit bureau In a credit registry, users are usually only able to access consolidated information concerning prospective custom- ers (i.e. information reflecting financial obligations undertaken with all other creditors reporting to the registry). Frequently the credit registry collects historic data although such data is not always distributed back to users. Users therefore might only be able to access a report covering a portion of the credit account or so–called “snapshot”. In this type of model, value-added services for users are very seldom developed. When detailed information at account level is provided back to the regulated financial institutions, consumers/data subjects are frequently granted the same rights as in credit bureau models. However, when information is provided back to regulated financial institutions in a consolidated manner or de-personalized those rights do not necessary apply. GENERAL GUIDELINES 57 Figure 7a: Example of a Model involving both a Credit Registry and Credit Bureau(s) 2. Credit Bureau A credit bureau network is usually more complex than that of a credit registry, mostly because it involves various types of data sources as well as a greater variety of users. Apart from banks and other financial institutions, sources of information in this case include other non-financial credit card companies, retailers and suppliers extending trade credit. In addition, non-traditional sources of information to bolster information on “thin-file” clients (i.e. those who lack relevant information from traditional sources) are also included, like data on payments associated with utilities or telecom services. On the side of the users, entities other than banks and financial institutions are usually able to access the service. This frequently includes the data subjects, which can access their reports and other products and services based on data held on them as regular users. Data subjects are also able to access data held on them free-of- charge one or more times per year, and request correction of errors. In the case of a credit bureau it is also worth noting that some of the users will not be contributing with data. This could be the case, for example, of landlords or employers. The reciprocity principle is therefore more difficult to ap- ply in some cases. Finally, a variety of value-added services is frequently available given greater data availability and broader coverage. Annex 2 58 GENERAL PRINCIPLES 3. Example of a model involving both a Credit Registry and one or more Credit Bureaus In some countries, a credit registry and one or more credit bureaus can co-exist without any type of formal interaction between the different service providers (see Figure 7a). The credit registry collects data from banks and other regu- lated financial institutions and provides back data to those institutions, as well as uses the information for supervisory purposes. The credit bureau(s) may collect data from a variety of sources besides the banking/regulated financial institutions and provide several products and services to a wider range of users. In a hybrid type of arrangement, data is collected from a variety of sources and housed in a central database, typically operated by the relevant financial supervisory authority in the country. Information held in this database is provided by the latter to one or more credit reporting service providers operating in the country. These networks further aug- ment the basic data obtained from the central database with other pieces of information from other non- regulated creditors as well as other data sources. In terms of users, this set up frequently provides information to a large number of users including the bank supervi- sor and other units within the central bank, banks and financial institutions, micro-finance institutions, telecoms and utilities, insurers, and when permitted even landlords and employers. In this model, value-added services are frequently developed by the credit bureaus and offered to final users together with the reports. Figure 7b: Example of a Model involving both a Credit Registry and Credit Bureau(s) GENERAL GUIDELINES 59 Annex 3: Privacy, Data Protection and Consumer Protection 1. Consumer Protection and Preserving Privacy Consumer protection in the context of credit reporting can be summarized as the right of any data subject to be aware that his/her information is being collected, shared or consulted (information/notice and access), to challenge data (petition to correct or delete information), and claim compensation for damages suffered as a result of the misuse of personal data held on them in credit reporting systems. There are two main paradigms for safeguarding privacy rights or interests, with some overlap between them. As a broad generalization, the paradigm followed by the European Union views privacy as a fundamental right and relies on a prescriptive and static set of rules. Under that paradigm, privacy of any given individual is protected via requirement of individual’s consent, i.e. the individual’s decisional role to determine the manner and extent to which his/her data are collected and processed by others.48 The commercial privacy paradigm favored by the United States and APEC focuses on flexible application of high level principles depending on context, such as the nature of the transaction. Table 2 shows a comparison between key features of each privacy framework, highlighting commonalities among them. 49 The European Union framework relies on five principles followed by Directive 95/46/EC which should be transposed into EU Member States’ legislation. The OECD, APEC and International Standards set a framework al- lowing for more flexible implementation than that contained in the European framework. In all existing frameworks, the role of the data subject as an active participant is highlighted. So is the concern for data quality accountability and transparency. Some disparities between the frameworks are also evident (e.g. proportionality vs. collection limitation, international transfers). 2. Dispute Resolution One of the key elements of consumer/privacy protection in credit reporting is the existence of a mechanism for solv- ing disputes regarding the information contained in the system. Redress mechanisms enable the identification and correction of errors. These mechanisms are frequently built into laws and regulations, which among other things al- low data subjects to access and correct errors in personal data held on them in credit reporting systems. Figure 8 illustrates a type of consensual data dispute mechanism. The data subject initiates a dispute. The relevant credit reporting service provider(s) then initiates the review process, which is likely to involve the data provider or data source. In this example it is assumed that the process takes between 15 and 30 days. The resolution of the dispute is notified not only to the data subject itself, but also to other interested parties, namely users showing recent enqui- ries on that particular data subject. In this last regard, it is particularly relevant that data subjects be provided with a 48 Consent is frequently analyzed together with the principle of proportionality based on: (i) suitability, (ii) necessity, and (iii) non-excessiveness. 49 More recently, an international effort led by fifty National Data Protection Authorities resulted in the issuing of the so-called Madrid Resolution, containing international standards on privacy and data protect protection This Resolution was adopted in Madrid on November 6, 2009. An English version of the Madrid Resolution can be obtained at https://www.agpd.es. Annex 3 60 GENERAL PRINCIPLES Table 2: A Comparison of Key Data Protection Frameworks OECD (1980) European Union (1995) APEC (2004) Madrid Resolution (2009) Protecting rights; Protecting rights Preventing Harm; (a)Remedies for (a)Proactive measures to prevent and (a)Administrative and Judicial rem- Preventing Harm: (a)from wrong- privacy infringements, (b) design for detect breaches (b) Data Protection edies, (b) compensation to the data ful collection, (b) from misuse preventing harm Officers (c) Privacy Impact Assessments subject (d) audits and codes of practice Notice: (a) when data is collected from Notice Openness (a) data collected from the the data subject, (b) data collected Notice (a) for individuals to Unless it is already in the public do- data subject (b) data collected from from a third party unless involves a know(b) purpose specification main third party disproportionate effort Data Quality: (a)Fair and Lawful (b) col- Collection Limitation (a) lawful Collection Limitation(Relevant informa- lection limitation (c) adequate, relevant (a)Lawfulness and fairness (b) data and fair(b) purpose specification tion according to specific purposes) and non-excessive (d) accurate and quality in reference to the collection kept up to date(e) data retention Uses of PI (a) in reference to the See accountability and legitimate data purposes of collection (b) con- Uses of PI (Specific purposes) Purpose specification processing sent (c) interest of the individual (d) legal obligation Legitimate Data processing (a) Choice (a) where appropriate Legitimacy (a) consent (b) legitimate Choice(b) contract(c) legal obligation(d) Choice (b) accessible and affordable interest (c) legal contract (c) legal obli- interest of the data subject(e) public mechanisms to provide choice gation (d) exceptions interest Integrity (a)accuracy and com- Integrity (Accuracy and completeness) (see data quality) pleteness (b) up to date (c) for (see data quality) the purpose of the use Security Safeguards (a) propor- (a)Security (a)Security Measures Security Safeguards tional to likelihood of harm (b) (b)Confidentiality (b) Confidentiality proportional to severity of harm Access and Correction (a) conditions on timing, fees and Access and rectification Access, rectification and deletion Access and Correction process (b) sufficient proof of Notification to third parties Notification to third parties identity (c) explanation of codes included Right to Object (a) justified by personal Right to object: (a) legitimate reason, circumstances(b) when a decision is (b) when a decision is based Solely on based SOLELY on automated process- automated processing of data with ex- ing of data to evaluate his creditwor- ceptions related to legal relations. thiness Accountability (a) single purpose or Accountability :(i) ensure compliance, Accountability: (a) ensure com- related purposes (b)register open to (ii) mechanisms to show compliance to Accountability (Data Controllers) pliance with the principles, (b) consultation (c) prior checking by data subjects and supervisory authori- subject to conditions authorities ties Transfer to third parties subject to International transfer subject to ad- See accountability adequate level of protection equate level of protection GENERAL GUIDELINES 61 Figure 8: Example of a Data Dispute Mechanism list of users who accessed their data lately in order to ensure that such users have been notified of any corrections in data, if applicable. It should be noted that the outcome of the resolution process does not preclude the data subject from seeking redress of grievances in a court of law. However, compensation for damages must be alleged only when appropriate (e. g damage is the result of a wrongful act by any of the credit reporting system participants or when the damage has had a significant impact on the data subject). On some occasions the data is not corrected retrospectively in the relevant database up to the moment where the er- ror was initially generated. This has the potential to cause adverse impacts for consumers, especially in those credit reporting products and services where historical data comprising longer periods of time is used. Annex 3 62 GENERAL PRINCIPLES Annex 4: Select Bibliography 1. Basic publications and select relevant legal texts and references Asian-Pacific Economic Co-operation (APEC), Privacy Framework, November, 2004. Basel Committee on Banking Supervision, (1) Basel Accord I (several documents); (2) Basel II Framework and Basel II Implementation (several documents); (3) Credit Risk Assessment and Valuation for Loans, BIS 2006. (4) Credit Risk Modeling Practices and Application, BIS 1999. (5) Principles for the Management of Credit Risk, BIS 2000. Centre for Latin American Monetary Studies, (1) Credit and Loan Reporting Systems in Argentina, 2010; (2) Credit and Loan Reporting Systems in Brazil, 2005; (3) Credit and Loan Reporting Systems in Chile, 2008; (4) Credit and Loan Reporting Systems in Colombia, 2005; (5) Credit and Loan Reporting Systems in Costa Rica, 2006; (6) Credit and Loan Reporting Systems in Guatemala (forthcoming); (7) Credit and Loan Reporting Systems in Mexico, 2005; (8) Credit and Loan Reporting Systems in Panama (forthcoming); (9) Credit and Loan Reporting Systems in Paraguay (forthcoming); (10) Credit and Loan Reporting Systems in Peru, 2006; (11) Credit and Loan Reporting Systems in Trinidad and Tobago (forthcoming); (12) Credit and Loan Reporting Systems in Uruguay, 2006. Committee on Payment and Settlement Systems (CPSS), (1) Core Principles for Systemically Important Payment Systems, BIS, 2001; (2) CPSS, Central Bank Oversight on Payment and Settlement Systems, BIS, 2005; and (3) discussions surrounding the revision of the CPSS-IOSCO standards on Financial Market Infrastructure, to be released in mid-2011. Directives for Harmonisation of Data Protection in the Ibero-American Community, adopted by the Ibero-American Data Protection Network, November 2007. European Commission, Report of Expert Group on Credit Histories, DG Internal Markets and Services, May 2009. European Parliament and the Council, (1) Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, October 1995; (2) Directive 2003/98/EC of the European Parliament and of the Council on the re-use of public sector information, November 2003; (3) Convention of the Council of Europe for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS Nº 108) and its Additional Protocol regarding Supervisory Authorities and Trans-border Data Flows (ETS Nº 181). International Conference on Data Protection and Privacy Commissioners, Madrid Resolution, a joint proposal for international standards on data protection, Madrid 2009. Memorandum of Understanding on the Exchange of Information among National Central Credit Registers for the Purpose of Passing it to Reporting Institutions, February 2003. GENERAL PRINCIPLES 63 Organization for Economic Co-operation and Development, (1) Guidelines on the Protection of Privacy and Trans- border Flows of Personal Data, September 1980; (2) Principles of Corporate Governance, 1999 (r. 2004). Principles on Privacy and Personal Data Protection for Law Enforcement Purposes, agreed by the United States and the European Union, May 2008. Steering Committee on Reciprocity (U.K.), Voluntary principles for credit reporting systems on reciprocity, 2010. United Nations, Resolution 45/95 “Guidelines concerning computerized personal data files”. December 1990. U.S. Department of Commerce, Safe harbor privacy principles and related frequently asked questions. World Bank Group, (1) Credit Reporting Systems Around the Globe: The State of the Art in Public Credit Registries and Private Credit Reporting Firms, Margaret Miller 2006; (2) Credit Bureau Knowledge Guide, International Finance Corporation, 2006. 2. Select academic and empirical research on credit reporting and related matters Akerlof, George A. “The Market for “Lemons”: Quality Uncertainty and the Market Mechanism.” The Quarterly Journal of Economics 84 (August 1970): 488-500. Published by The Oxford Press. Avery, Robert B., Paul S. Calem, and Glenn B. Canner. “Credit Report Accuracy and Access to Credit.” Federal Reserve Board 2004. Ayyagari, Meghna, Thorsten Beck, and Asli Demirguc-Kunt, “Small and Medium Enterprises across the Globe.” Small Business Economics 29 (December 2007): 415-434. Barron, John, and Michael Staten. “The Value of Comprehensive Credit Reports: Lessons from the U.S. Experience.” 2000. Basel Committee on Banking Supervision, International Convergence of Capital Measurement and Capital Standards: a Revised Framework, Basel, Switzerland, 2006. Bostic, R.W. and P.S. Calem. “Privacy Restrictions and the Use of Data at Credit Registries.” In Credit Reporting Systems and the International Economy, edited by Margaret Miller. Cambridge: MIT Press, 2003. Brown, M. and C. Zehnder. “Credit Reporting, Relationship Banking and Loan Repayment.” Journal of Money, Credit and Banking 39 (December 2007): 1883-1918. Annex 4 64 GENERAL PRINCIPLES Cowan, K, and Jose de Gregorio. “Credit Information and Market Performance: The Case of Chile.” In Credit Reporting Systems and the International Economy, edited by Margaret Miller. Cambridge: MIT Press, 2003. De Janvry, A. Craig McIntosh and Elisabeth Sadoulet. “The Supply- and Demand-Side Impacts of Credit Market Information.” Forthcoming in the Journal of Development Economics. September 2009. Djankov, S., C. McLiesh and A. Shleifer. “Private Credit in 129 Countries.” 2007. Doing Business. Getting Credit. www.doingbusiness.org Falkenheim, M. and Anthony Powell. “The Use of Public Credit Registry Information in the Estimation of Appropriate Capital and Provisioning Requirements.” In Credit Reporting Systems and the International Economy, edited by Margaret Miller. Cambridge: MIT Press, 2003. Galindo, Arturo and Margaret Miller, “Can Credit Registries Reduce Credit Constraints? Empirical Evidence on the Role of Credit Registries in Firm Investment Decisions”, IDB-IIC 42nd Annual Meeting, Santiago, Chile, 2001. Gehrig, T. and R. Stenbacka. “Information sharing and lending market competition with switching costs and poach- ing.” European Economic Review 51 (January 2007):77-99. He, Xuehui and Yiming Wang. “Bank Loan Behavior and Credit Information Sharing: An Insight from Measurement Costs.” Journal of Economic Policy Reform 10 (2007): 325-333. Jappelli Tullio and Marco Pagano. “Information Sharing in Credit Markets: The European Experience.” Centre for Studies in Economics and Finance, Working Paper No. 35 (March 2000). Jentzsch, Nicola and Amparo San José Riestra, “Information Sharing and its Implication for Consumer Credit Markets: United States vs. Europe.” Paper prepared for the European University Institute Workshop “The Economics of Consumer Credit: European Experience and Lessons from the U.S.,” Florence, May 13-14, 2003. Joseph E. Stiglitz and Andrew Weiss. “Credit Rationing in Markets with Imperfect Information.” The American Economic Review 71 (June 1981): 393-410. Klapper, Leora. “The Role of Factoring for Financing Small and Medium Enterprises.”Journal of Banking and Finance 30 (2006). Love, Inessa and Nataliya Mylenko. “Credit Reporting and Financing Constraints.” World Bank Policy Research Working Paper 3142, October 2003. Luoto, Jill, Craig McIntosh, and Bruce Wydick. “Credit Information Systems in Less-Developed Countries: Recent History and a Test.” 2004. GENERAL PRINCIPLES 65 Medine, David, Margaret Miller, and Nataliya Mylenko, “Principles and Guidelines for Credit Reporting Systems”, 2004. Mishkin, Frederic S. The Economics of Money, Banking and Financial Markets. Addison-Wesley, 2004, 7th edition. Olegario, Rowena. A Culture of Credit: Embedding Trust and Transparency in American Business. Harvard University Press 2006. Repullo, R., Jesus Saurina, and Carlos Trucharte, “Mitigating the pro-cyclicality of Basel II.” Economic Policy 25 (201): 659–702. doi: 10.1111/j.1468-0327.2010.00252.x Padilla, A. Jorge and Marco Pagano. “Endogenous Communication Among Lenders and Entrepreneurial Incentives.” The Review of Financial Studies, 10 (Spring 1997): 205-236. Pagano, Marco and Tullio Jappelli. “Information Sharing in Credit Markets.” The Journal of Finance, 43 (1993): 1693-1718. Rothschild, Michael and Joseph Stiglitz. “Equilibrium in Competitive Insurance Markets: An Essay on the Economics of Imperfect.” The Quarterly Journal of Economics 90 (November 1976): 629-649. Published by: The MIT Press. Spence, Michael. “Job Market Signaling.” The Quarterly Journal of Economics 87 (August 1973): 355-374. Published by The Oxford Press. Saurina, Jesus, and Carlos Trucharte. “The impact on Lending to Small-and-Medium-Sized Firms. A Regulatory Policy Assessment Base on Spanish Credit Register Data.” Journal of Financial Services Research 26 2004:121-144. Salas, Jesus Saurina and Carlos Trucharte. “An Assessment of Basel II Procyclicality in Mortgage Portfolios.” Journal of Financial Services Research 32 (2007): pp. 81-101. Semenova, Maria. “Information sharing in credit markets: incentives for incorrect information reporting.” Comparative Economic Studies 50 (September 2008): 381-415. Sorge M., and C. Zhang. “Credit information quality and corporate debt maturity: theory and evidence.” The World Bank Policy Research Working Paper, Series 4239, 2007. Trucharte, Carlos. “A Review of Credit Registers and their Use for Basel II.” Financial Stability Institute (September 2004). Turner, Michael A., Patrick Walker, and Katrina Dusek. “New to Credit from Alternative Data.” PERC, March 2009. Turner, Michael A., R. Varghese, P. Walker and Dusek, K. “Optimal Consumer Credit Bureau Market Structure in Singapore: Theory and Evidence.” PERC, May 2009. Annex 4 66 GENERAL PRINCIPLES Annex 5: Glossary Below is a short glossary of some key terms relating to credit reporting as used in this report. Account Type: Refers to the use and payment method of credit selected by the consumer (e.g. revolving, installments). Arrears: Failure to pay an obligation when due. Borrower: see Debtor. Commercial Credit Reporting Companies: Entities that collect information on businesses, including sole propri- etorships, partnerships and corporations for the purpose of credit risk assessment, credit scoring or for other business purposes such as the extension of trade credit. Collection agencies: businesses specialized in collecting delinquent accounts. Consent: A data subject’s freely informed and specific agreement, written or verbal, to the collection, processing and disclosure of personal data. Consumer: (see data subject) Credit Bureau: Model of credit information exchange whose primary objective is to improve the quality and avail- ability of data for creditors to make better-informed decisions. Credit Rating Agency: An entity that typically assigns a credit grade or rating to issuers of certain types of debt obligations. More recently credit rating agencies assign a credit rating to some financial institutions, despite whether the latter are issuing securities in the marketplace or not, and have even entered into new business lines, including in some cases credit reporting. Credit Registries: Model of credit information exchange whose main objectives are assisting bank supervision and enabling data access to regulated financial institutions to improve the quality of their credit portfolios. Credit Reporting Service Provider: An entity that administers a networked credit information exchange. Credit Reporting System: Credit reporting systems comprise the institutions, individuals, rules, procedures, stan- dards and technology that enable information flows relevant to making decisions related to credit and loan agreements. Credit Reporting System Participant: Any individual or business that intervenes at one or more points throughout the cycle of collecting, storing, processing, distributing and, finally, using information to support credit-granting deci- sions and financial supervision. GENERAL PRINCIPLES 67 Credit Scoring: A statistical method for evaluating the probability of a prospective borrower fulfilling its financial obligations associated with a loan. Credit Type: Refers to the purpose of the credit (e.g. mortgage, credit card, consumer credit). Creditor: One to whom a financial obligation is owed. Also, an individual or legal person who is engaged in the busi- ness of lending money or selling items for which immediate payment is not demanded but an obligation of repayment exists as of a future date. Creditworthiness: The ability of a borrower to repay current and prospective financial obligations on a timely man- ner. It is used as an assessment of a borrower’s past credit behavior to assist a potential lender to decide whether or not to extend new credit. Data Privacy: Ability to control one’s personal information. See also Data Protection. Data Protection: Discipline that aims at creating adequate safeguards to prevent misuse of individual data subjects’ information. Comparable to consumer protection in other areas. Data Providers: Creditors and other entities that pro-actively and in a structured fashion supply information to the credit reporting service providers. Data Subject: An individual or a business whose data could be collected, processed and disclosed to third parties in a credit reporting system. Debtor: An individual or a business that owes a financial obligation to a creditor. Default: Failure to complete a payment obligation under a credit or loan agreement (see delinquency). Delinquency: Situation where the borrower fails to meet his/her financial obligations as and when due. Financial Infrastructure: The underlying foundation for a country’s financial system. It includes all institutions, information, technologies, rules and standards that enable financial intermediation. Hit: A positive match from an inquiry on a data subject is made by a creditor or other party and the data stored in a credit reporting service provider. Late Payment: Any payment posted after the due date (see arrears). In the credit report is represented by the number of days after the due date. Lender: See Creditor. Annex 5 68 GENERAL PRINCIPLES Moral Hazard: The risk that a party to a transaction has not entered into the contract in good faith. For example, this may include that party providing misleading information about its assets, liabilities or credit capacity. National Credit Reporting System: Describes the broader institutional framework for credit reporting in an econo- my, including the following: (1) the public credit registry, if one exists; (2) private credit reporting firms, if they exist, including those run by chambers of commerce, bank associations, and any other organized database on borrower per- formance available in the economy; (3) the legal framework for credit reporting; (4) the legal framework for privacy, as it relates to credit reporting activities; (5) the regulatory framework for credit reporting, including the institutional capacity in government to enforce laws and regulations; (6) the characteristics of other pertinent borrower data avail- able in the economy, such as data from court records, utility payments, employment status; (7) the use of credit data in the economy by financial intermediaries and others, for example, the use of credit scoring or use of credit data in creating digital signatures; and (8) the cultural context for credit reporting, including, for example, the society’s view on privacy and the importance accorded to reputation collateral. (See credit reporting system). Negative data: It consists of statements about defaults or arrears and bankruptcies. It may also include statements about lawsuits, liens and judgments that are obtained from courts or other official sources. Networked Credit Information Exchange: Mechanism enabling credit information collection, processing and fur- ther disclosure to users of data as well as value added services based on such data. Other Data Sources: Entities that collect information for purposes different than credit granting decision-making and/or financial supervision. These entities typically do not pro-actively provide the information they collect to credit reporting service providers but rather can be consulted upon request. Payment history: A detailed compilation of past and current payment behavior. Positive Data: Information that covers facts of contractually compliant behavior. It includes detailed statements about outstanding credit, amount of loans, repayment patterns, assets and liabilities, as well as guarantees and/or collateral. The extent to which positive information is collected typically depends on national legislation, including the data protection regime. Public Records: Information filed or recorded by government agencies that is made available to the public under existing laws. Typical public records include corporate and property records, court judgments, and identification information, among others. These records are subject to be made available to the public. Reciprocity: Mutual exchange of information. Sensitive Data: Personal data that affect the individual’s most intimate sphere or that could lead a party that gets hold of such data to discriminate against, or create a serious risk to, certain individuals. Sensitive data typically includes GENERAL PRINCIPLES 69 gender, health status, marital status, national origin, political affiliation, race, sexual orientation, or union member- ship, among others. User: An individual or business that requests credit reports, files or other related services from credit reporting ser- vice providers, typically under pre-defined conditions and rules. Annex 5 70 GENERAL PRINCIPLES Annex 6: Members of the Task Force Chairman Massimo Cirasino, The World Bank Members Agencia Española de Protección de Datos José Leandro Nuñez Arab Monetary Fund Nabil Al-Mubarak Asociación Latinoamericana de Crédito Luz Maria Salamina Association of Consumer Credit Information Suppliers Neil Munroe Banco Central do Brasil Sidnei Marques Ramón Santillán Banco de España Nuria Armas (alternate) Banca D’Italia Maria Pia Ascenzo Bank for International Settlements Marc Hollanders Business Information Industry Association Joachim Bartels Kenneth Coates (until March, 2010) Center for Latin American Monetary Studies Javier Guzmán Calafell Ayse Dagistan (until September, 2010) Central Bank of the Republic of Turkey Derya Karaburçak Consultative Group to Assist the Poor Nataliya Mylenko Stuart Pratt Consumer Data Industry Association Eric Ellman (alternate) Deutsche Bundesbank Michael Ritter Frederique Dahan European Bank for Reconstruction and Development Alexander Plekhanov (alternate) GENERAL PRINCIPLES 71 European Commission Maria Dolores Montesinos Federal Reserve Bank of New York Kevin Coffey Rebecca Kuehn Federal Trade Commission Hugh Stevenson (alternate) Inter-American Development Bank Morgan Doyle International Finance Corporation Tony Lythgoe International Monetary Fund S. Rajcoomar Xiaolei Wang People’s Bank of China Fujun Shao Vinay Baijal Reserve Bank of India Shirish Chandra Murmu (alternate) Guillermo Zamarripa (until December, 2010) Secretaría de Hacienda y Crédito Público de México German Saldivar Gabriel Davel (until September, 2010) South Africa’s National Credit Regulator Darrel Beghin The World Bank Mario Guadamillas Secretariat Fredesvinda Montes The World Bank Shalini Sankaranarayanan Annex 6