Circulation of credit information: RBI notification paves the way for “Specified Users”
– Team Finserv | finserv@vinodkothari.com
Background
One of the important elements of the lending process is credit evaluation of customers, which involves referring to the credit information of such customers. Credit information is the information relating to credit performance or credit worthiness of the customer. Procurement, storage and distribution of such credit information is regulated by the Credit Information Companies (Regulation) Act, 2005 (‘Act’)[1] and the regulations made thereunder.
The ecosystem of the Act consists of credit information companies (‘CICs’)- who store and manage the credit information; credit institutions and specified users- who are the users who can access such credit information in a regulated manner, under the provisions of the Act.
The prevalent model in the financial industry is that financial institutions have technology companies as partners (group companies or independent entities), which assist them in processing customer related information. These entities, till now, were not recognised as specified users and hence, could not have access to credit information of customers. In this regard, the RBI had also issued a letter to several fintech companies in September 2019, directing financial institutions to discontinue the sharing of credit information with their technology partners.
The Reserve Bank of India removed this roadblock by issuing an amendment to include entities processing data for providing support to the credit institutions within the definition of Specified User vide notification issued on November 29, 2021 and the press release dated January 5, 2022[2] laid down the eligibility criteria for such Specified Users.
The following write-up discusses the implication of such inclusion of information processing companies and breaks down the eligibility criteria and gives an overview of actionables for eligible entities.
Genesis of the change
Section 2 of the Act defines specified user as (l) “specified user” means any credit institution, credit information company being a member under sub-section (3) of section 15, and includes such other person or institution as may be specified by regulations made, from time to time, by the Reserve Bank for the purpose of obtaining credit information from a credit information company.
As per the Credit Information Companies Regulations, 2006 (‘Regulations’)[3], a specified user can be insurance companies, IRDAI, cellular service providers, rating agencies and brokers registered with SEBI, SEBI itself and trading members registered with Commodity Exchange.
Further, as per section 17(4) of the Act, only specified users can have access to credit information of customers. Any sharing of information to other than specified users is an unauthorised use of credit information and strictly barred by the Act.
Furthermore, the RBI issued a letter to several fintech companies on September 16, 2019, reiterating the aforementioned bar and directing financial institutions to stop sharing credit information with their technology partners for processing.
The amendment is, however, contrary to the view taken by the RBI which made emphasis on non-disclosure of credit information by credit institutions to any person, as imposed under Section 17 of the Act. The letter was particularly in context of disclosure of credit information to the fintech lending partners of the credit institutions[4].
This resulted in disruption of several fintech models, which were based on the credit information sharing model.
Considering the ever increasing growth of fintechs in the country and the need for having specialised customer information processing, the RBI recognised the need for allowing access of credit information to tech companies and accordingly, vide a notification issued on 29th November, 2021[5], amended regulation 3 of the Regulations. The amendment widened the ambit of the term “specified user” to include an entity engaged in the processing of information, for the support or benefit of credit institutions and satisfying the criteria laid down by the Reserve Bank from time to time.
The RBI vide press release dated January 5, 2022[6] notified the eligibility criteria for such institutions, which is discussed in the forthcoming paragraphs.
Understanding role of Specified User
A specified user obtains credit information from CIC and uses the same for the permitted uses specified under regulation 9 of the Regulations, which includes making effective credit decisions, deterring concurrent borrowers and serial defaulters, reviewing and evaluating risk of its customers, judging credit worthiness of a borrower, and taking credit decisions and providing a person with his own credit information.
The role of specified user, essentially, is to obtain credit information and process the same in order to facilitate credit institutions in taking credit decisions.
The Act and the Regulations also lay down certain obligations on them:
- Ensuring accuracy of credit information- section 19;
- Adopting principles for maintaining privacy of credit information and protecting the information from unauthorised use- section 20 and 22.
Similar obligations are imposed on credit institutions as well.
Are specified users different from credit institutions?
As discussed above, the role of specified user is that of a ‘user’ of the information, while on the contrary, the role of credit institutions (which are a type of specified user) is not limited to using the credit information but also ‘providing’ the same to CICs for collating the same in Credit Information Reports (CIRs).
While the primary distinction lies in the nature of the two entities, the Act also lays down different roles and powers to be exercised by them.
The differences have been tabulated below:
| Point of Difference | Credit Institution | Specified User |
| Mandatory Registration | Para 100 of Master Directions read with section 15 (1) of the Act requires every credit institution to register itself with all the CICs.
Hence, membership with each of the CICs is a mandatory requirement. |
Section 15 (8) of the Act stipulates that every specified user shall be eligible to receive credit information only from CICs of which it is a member.
Registration is not mandatory, although, in order to access information, membership of the CIC is to be obtained. However, unlike credit institutions, a specified user has the option to become a member of any one of the CICs from which it intends to access information. |
| Furnishing of Credit Information to CICs | Section 17(2) of the Act provides for mandatory furnishing of information by the credit institutions to the CICs based on their agreement with the CIC. | No such requirement. |
| Requirements for data preservation | Regulation 11 (4) prescribes that the credit institutions are required to maintain data obtained from CICs for a minimum period of 7 years. | No such requirement has been imposed on specified users. |
Impact of Change in Definition
The Act bars CICs or credit institutions from sharing information with anyone other than specified users. With the inclusion of tech companies in the definition, these entities shall be able to access credit information, process the same and provide credit evaluation reports to the credit institutions for taking credit decisions.
With this, the unregulated access of credit information by non-regulated entities comes within regulatory ambit.
Examining the eligibility criteria
The amendment in the definition and prescription of the eligibility criteria seem to be specifically directed to technology companies engaged in information processing for facilitating credit institutions. The eligibility criteria has been specified as follows:
| Requirement | Our comments |
| The entity should be in the form of a company incorporated in India. Alternatively, a statutory corporation established in India may also act as a specified user. | This seems to reinforce the data localisation norms, as had been proposed in the report of the Joint Committee on the Data Protection Bill,2019.[7]
|
| Should have a minimum net-worth of Rs. 2 crores. Further, the net worth is to be maintained at all times. | The networth requirement has been kept at par with that of NBFC-ICCs. The intention of the regulator is to create an entry barrier.
Currently, several fintechs or tech companies which are engaged in data processing may not have the networth and hence, this may become a challenge. |
| Should be owned or controlled by resident Indian citizens/Indian company owned and controlled by resident Indian citizens
|
The same shall include indirect control as well. Hence, Foreign Ownedand/ or Controlled Companies (FOCCs) as well as entities having downstream investments from FOCCs shall not be eligible.
Several fintechs engaged in information processing are owned or controlled by foreign companies. They may not be able to fit in the eligibility criteria. |
| The company should have well-diversified ownership. | The criteria remains silent on what constitutes well-diversified ownership.
Our view is that such specified user shall be an independent entity and shall not be a subsidiary, associate or a part of a group of companies.
The intention of the regulator here seems to bar entities from obtaining credit information through companies that merely act as conduits on behalf of an entity which itself cannot access credit information. Several fintechs engaged in information processing are holding companies or wholly owned subsidiaries of credit institutions. Such tech companies or fintechs may not be able to satisfy the eligibility criteria. |
| The company should be seasoned in information processing, having minimum 3 years of experience in the relevant field. | Since the entity would be dealing with the credit information of the customer which is both confidential and personal, adequate experience becomes essential. |
| The company should have certification from a CISA certified auditor stating that it has a robust and secure Information Technology system in place for preserving and protecting the data relating to the credit information. | The entire processing of credit information would depend on the IT infrastructure of the entity and hence, the same must be secured and safe. |
Conclusion
Technology companies will now be able to obtain credit information upon fulfilling the eligibility criteria and becoming members of CICs. The mandatory registration requirement with the CICs, for companies intending to operate as specified users, brings a highly unregulated segment within the regulatory purview.
With the function of credit information processing and evaluation being carried out by specified users, the credit institutions shall be better placed to focus on the core lending activity. This, however, does not release the credit institutions from their responsibility of carrying out credit evaluation as a lender. Further, the onus of taking the lending decisions based on the credit information would also rest with the credit institution.
[1] https://www.indiacode.nic.in/handle/123456789/2057?view_type=browse&sam_handle=123456789/1362
[2] https://www.rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=53055
[3] https://upload.indiacode.nic.in/showfile?actid=AC_CEN_2_11_00003_200530_1517807317795&type=regulation&filename=the_credit_information_companies_(regulation)_2005_-_regulations.pdf
[4] Our detailed analysis of the issue may be read here- https://vinodkothari.com/2019/09/sharing-of-credit-information-to-fintech-companies-implications-of-rbi-bar/
[5] https://egazette.nic.in/WriteReadData/2021/231472.pdf
[6] https://www.rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=53055
[7] http://164.100.47.193/lsscommittee/Joint%20Committee%20on%20the%20Personal%20Data%20Protection%20Bill,%202019/17_Joint_Committee_on_the_Personal_Data_Protection_Bill_2019_1.pdf
Does Credit Information Company has right to perform audit of Specified User Company?