Key Principles for Effective Regulation and Supervision of Credit Reporting Service Providers

© 2022 International Bank for Reconstruction and Development / The World Bank
1818 H Street NW
Washington DC 20433
Telephone: 202-473-1000
Internet: www.worldbank.org

This work is a product of the staff of The World Bank with external contributions. The findings, interpretations, and conclusions expressed in this work do not necessarily reflect the views of The World Bank, its Board of Executive Directors, or the governments they represent. The World Bank does not guarantee the accuracy of the data included in this work. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judgment on the part of The World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries.

Rights and Permissions

The material in this work is subject to copyright. Because The World Bank encourages dissemination of its knowledge, this work may be reproduced, in whole or in part, for noncommercial purposes as long as full attribution to this work is given. Any queries on rights and licenses, including subsidiary rights, should be addressed to World Bank Publications, The World Bank Group, 1818 H Street NW, Washington, DC 20433, USA; fax: 202-522-2625; e-mail: pubrights@worldbank.org.

TABLE OF CONTENTS

Abbreviations
Acknowledgements
EXECUTIVE SUMMARY
1. INTRODUCTION
2. CREDIT REPORTING SYSTEMS IN THE FINANCIAL INFRASTRUCTURE
3. GENERAL PRINCIPLES RELATED TO REGULATION AND SUPERVISION
   3.1. The Five Principles
   3.2. Recommendations for Effective Oversight
4. KEY RISKS IN CREDIT REPORTING
   4.1. Strategic Risk
   4.2. Operational Risk
   4.3. Cyber Risk
   4.4. Model Risk
   4.5. Reputation Risk
   4.6. Legal and Compliance Risk
5. KEY CONSIDERATIONS FOR A REGULATORY AND SUPERVISORY FRAMEWORK
   5.1. Preconditions for Regulation and Supervision
   5.2. Scope of Application of the Key Principles
   5.3. Scope of the Responsibilities of Authorities
6. KEY PRINCIPLES FOR REGULATION AND SUPERVISION OF CRSPS
   Principle 1: Regulatory Framework
   Principle 2: The Authority
   Principle 3: Supervisory Approach
   Principle 4: Cooperation and Collaboration
   Principle 5: Permissible Activities
   Principle 6: Access and Transparency
   Principle 7: Governance
   Principle 8: Risk Management
   Principle 9: Data Security
   Principle 10: Data Collection
   Principle 11: Personal Data
   Principle 12: Consumer Rights
7. SUGGESTED APPROACH FOR REGULATORY AND SUPERVISORY AUTHORITIES
   7.1. Risk-Based Supervision
   7.2. Supervisory Program
      7.2.1. Off-Site Review
      7.2.2. On-Site Supervision
   7.3. Considerations in Adopting the Principles
      7.3.1. Scope
      7.3.2. Credit Registries
      7.3.3. Business Information Providers
      7.3.4. Alternative Credit Reporting Service Providers
      7.3.5. Oversight of Credit Scoring Models
      7.3.6. Promoting Comprehensive Information Sharing
      7.3.7. Collaboration with Industry Associations
8. ASSESSMENT METHODOLOGY
   8.1. Assessment Framework
APPENDIX: GENERAL PRINCIPLES ON CREDIT REPORTING
BIBLIOGRAPHY
GLOSSARY

BOXES, FIGURES, and TABLES

Box 1 Overview of Credit Reporting Regulations
Box 2 Regulatory Examples of GP1
Box 3 Regulatory Examples of GP2
Box 5 Regulatory Examples of GP4
Box 7 Regulatory Examples of GPCR Oversight Recommendations
Box 8 Implications of COVID-19 for Credit Reporting
Box 9 Major Cybersecurity Incidents
Box 10 Key Principles for Effective Regulation and Supervision of Credit Reporting Systems
Box 11 Supervisory Approach
Figure 1 Risk Assessment
Figure 2 Supervisory Program
Table 1 Assessment Rating System

ABBREVIATIONS

ACCIS    Association of Consumer Credit Information Suppliers
AI       Artificial intelligence
AISP     Account information service provider
API      Application program interface
BCBS     Basel Committee on Banking Supervision
BIS      Bank for International Settlements
BoR      Bank of Russia
CFPB     Consumer Financial Protection Bureau
CRSP     Credit reporting service provider
DLT      Distributed ledger technology
EBA      European Banking Authority
ECB      European Central Bank
EDPB     European Data Protection Board
FCA      Financial Conduct Authority
FCRA     Fair Credit Reporting Act
Fintech  Technology-enabled financial services
FSAP     Financial Sector Assessment Program
FSB      Financial Stability Board
GDPR     General Data Protection Regulation
GPCR     General Principles for Credit Reporting
ICCR     International Committee on Credit Reporting
IFC      International Finance Corporation
IMF      International Monetary Fund
LEI      Legal Entity Identifier
MAS      Monetary Authority of Singapore
MSME     Micro, small, and medium enterprise
ML       Machine learning
NPL      Nonperforming loan
OCC      Office of the Comptroller of the Currency
PBOC     People’s Bank of China
P2P      Peer to peer
SME      Small and medium enterprise
UEMOA    West African Monetary and Economic Union

ACKNOWLEDGMENTS

This report is a product of the International Committee on Credit Reporting (ICCR) and the World Bank Group. The report was prepared by Dr.
Talha Ocal (independent consultant) under the leadership and guidance of Collen Masunda, Secretariat of the ICCR and the ICCR Regulatory Oversight Framework Working Group, co-chaired by Neil Munroe (BIIA) and Jorge Laguna (Banco de México). The document benefited from a consultation process and the contributions of plenary members, representative organizations, and peer reviewers. The committee gratefully acknowledges valuable inputs and comments from peer reviewers Hung Hoang Ngovandan (Lead Financial Sector Specialist, World Bank Group) and Nan Jiang (Senior Economist, World Bank Group).

The ICCR would also like to thank the Chairman of the ICCR, Mahesh Uttamchandani and Secretariat members Luz Maria Salamina and Collen Masunda for guiding the process. Susan Boulanger provided editorial services. The layout and design of the report was prepared by Naylor Design, Inc.

EXECUTIVE SUMMARY

Credit reporting systems have emerged to be a key part of the financial infrastructure, playing multiple supportive roles in areas such as sustainable access to credit, financial inclusion, prudential supervision, and financial stability. Credit reporting systems effectively support the sound and fair extension of credit in an economy as the foundation for robust and competitive credit markets. Hence, failure of the credit reporting infrastructure can significantly impact the effective functioning of credit markets and as a result impact domestic and global financial stability. Like any other activity, credit information sharing as facilitated by credit reporting service providers (CRSPs) has inherent risks and vulnerabilities. CRSPs face operational, cyber, reputation, model, regulatory, and compliance risks, among others. The adoption of innovative technologies and the use of alternative data sources also increase the level of inherent risks. Further, the high levels of interconnectedness of the financial sector emphasize the importance of effectively managing risks in credit reporting systems to avoid potential impact on the financial infrastructure.

Against this background, supervisory and regulatory authorities as well as other stakeholders in the credit reporting industry have renewed their attention to the regulation and supervision of credit reporting activities. There are vast differences in the existing frameworks across jurisdictions around the globe, however, and no global standard setting body (SSB) has as yet issued comprehensive guidance on regulating and supervising CRSPs. The General Principles on Credit Reporting (GPCR), published by the ICCR, provide guidance on risk management and legal and regulatory frameworks, as well as high-level recommendations for the effective oversight of credit reporting systems, but the need remains for comprehensive, granular guidance that builds on existing principles and other relevant guidance documents, taking into account the changes in the credit reporting environment resulting from technological innovations that bring in new risks and opportunities for regulatory arbitrage.

The first section of this report briefly introduces the topic and explains the role of credit reporting systems in the financial infrastructure. The second section briefly discusses the role of the different types of CRSPs and recognizes alternative credit reporting service providers as emerging players in the industry. It also sheds light on the use of new technologies in credit reporting and their potential implications.

The third section discusses GPCR as published by the ICCR in 2011. GPCR represents the only universal set of standards for credit reporting as included under the Financial Stability Board (FSB) noncore compendium of standards for the financial sector. GPCR’s five principles describe the respective roles of key stakeholders, accompanying guidance, and recommendations for effective oversight. The section elaborates on the relevance of GPCR for developing key principles for the effective regulation and supervision of CRSPs. In doing so, it provides numerous examples of how GPCR applies in the regulatory frameworks of different jurisdictions around the globe.

The fourth section discusses the major types of risks related to credit reporting systems. These risks are not necessarily mutually exclusive and interrelate in many ways, but they can be termed strategic risk, operational risk, cyber risk, model risk, reputation risk, and legal and compliance risk, among others. The section focuses on the evolving role of credit reporting with a forward-looking approach to identify risks and vulnerabilities.

The fifth section discusses the key considerations for regulatory and supervisory principles. The section outlines the preconditions for developing and implementing an effective regulatory and supervisory framework and explains the scope of application of the key principles and the responsibilities of regulatory and supervisory authorities.

The sixth section then introduces twelve principles for safe and efficient credit reporting along with the roles and responsibilities of the supervisory authority. The objective of the key principles is to ensure the effective functioning of the credit reporting systems. The authority is expected to oversee the credit reporting system as a whole to accomplish the objective of the key principles. This can be achieved through a risk-based supervisory approach that makes proportionate use of the authority’s powers, tools, and resources. The principles are as follows:

PRINCIPLE 1: Regulatory Framework. Credit reporting activities should be subject to regulation and supervision by authorities with clearly defined responsibilities and objectives. An appropriate regulatory framework should be in place for each authority responsible for supervision to provide the necessary legal powers to oversee credit reporting activities.

PRINCIPLE 2: The Authority. The authority should be granted, by an appropriate legal framework, operational independence, effective organizational structure, and adequate human capital and financial resources to discharge its duties. The authority should define, disclose, and review its objectives and be accountable for executing its duties and for the use of its resources.

PRINCIPLE 3: Supervisory Approach. The authority should adopt a risk-based supervisory approach to identify and assess risks related to credit reporting activities, evaluate these risks by on-site and off-site supervision tools as appropriate, and employ proportionate enforcement actions (with their corresponding dispute resolution mechanisms) to address these risks and ensure compliance.

PRINCIPLE 4: Cooperation and Collaboration. The authorities should coordinate and cooperate with each other, at both the jurisdictional and the international level, to promote the development, safety, and efficiency of credit reporting systems, as well as the cross-border exchange of credit information.

PRINCIPLE 5: Permissible Activities. The regulatory framework should define and cover permissible activities in credit reporting. Appropriate permission mechanisms, including market entry requirements, should be governed by the authority.

PRINCIPLE 6: Access and Transparency. Credit reporting systems should allow fair and open access to their services, on the basis of reciprocity, by data providers, data users, data subjects, and other relevant stakeholders. Credit reporting systems should be subject to a clearly defined disclosure framework to enable participants to have an accurate understanding of credit reporting activities.

PRINCIPLE 7: Governance. Credit reporting systems should be administered using a governance framework commensurate with the risks and the scope of the activities. The framework should establish policies and procedures, a proper internal control environment, and an appropriate organizational structure with clearly defined duties and responsibilities that ensures system efficiency and effectiveness in serving the markets.

PRINCIPLE 8: Risk Management. Credit reporting systems should be monitored within a comprehensive risk management framework and culture to identify, assess, evaluate, manage, and mitigate all risks related to credit reporting activities on an ongoing basis.

PRINCIPLE 9: Data Security. An appropriate information security framework should govern credit reporting activities to protect the confidentiality, integrity, and availability of information and ensure business continuity and operational resilience.

PRINCIPLE 10: Data Collection. Data providers should provide relevant, accurate, timely, and sufficient information on data subjects, including positive data, to CRSPs to enable a comprehensive credit information sharing mechanism. CRSPs can collect data from all legal, reliable, appropriate, and available sources and retain this information for a sufficient time for credit reporting.

PRINCIPLE 11: Personal Data. Personal data collection, processing, and distribution should be undertaken only for the purposes for which the data was collected, including creditworthiness assessment, credit risk analysis, indebtedness and repayment capacity, ID confirmation, fraud prevention, and prudential supervision.

PRINCIPLE 12: Consumer Rights. Consumers should have clear rights regarding the use of their personal data for credit reporting. These rights should include consent, dispute, notification, and access rights; right to restrict data use; and right to request transfer of data, as appropriate. Effective dispute resolution mechanisms should be established for handling consumer disputes related to credit reporting activities. Credit reporting products should be explainable, transparent, and fair.

The seventh section of the report discusses the suggested approach authorities should adopt in applying the principles. This discussion emphasizes the importance of maintaining holistic oversight of how the credit reporting system functions to ensure that the players in credit reporting activities are able to manage the risks related to credit information sharing. The section provides further guidance on the risk-based supervision approach followed by supervisory programs to be implemented by authorities. The section also provides additional considerations with respect to different types of CRSPs, the oversight of artificial intelligence-based scoring models, and the role of industry associations.

Finally, the eighth section presents the methodology for assessing the regulatory and supervisory frameworks at the jurisdictional level. The assessment methodology is primarily intended for international financial institutions (IFIs), but it is also helpful for national authorities and other internal and external assessors. Assessment responsibility for observing adherence to the key principles primarily lies with individual countries’ regulatory and supervisory authorities.

1 INTRODUCTION

Credit reporting systems, as facilitated by credit reporting service providers (CRSPs), represent one of the key pillars in global economies’ financial infrastructures. Robust credit reporting systems promote access to credit, financial inclusion, prudential supervision, and financial stability. As the financial infrastructure is highly interconnected, failure of credit reporting systems could significantly hamper the effective functioning of credit markets, which in turn can impact financial stability.

CRSP activities present inherent risks and vulnerabilities. CRSPs face a number of risks, including operational, cybersecurity, reputational, legal, regulatory, compliance, and model risks. CRSPs are commonly technology-intensive operators dealing with multiple parties that provide and use very large amounts of data. Potential losses from operational and cybersecurity risks can thus be significant and can also lead to legal and reputational risks. Continuous innovations in technology, new business models, and emerging new players also increase the level of risk in CRSP activities.

Effective regulation and supervision are vital to ensuring that CRSPs can manage the risks related to credit reporting. Considering the importance of CRSPs, the need is growing for regulatory and supervisory oversight of credit reporting activities. Vast differences in existing frameworks across jurisdictions interfere with this process. Many countries have no specific regulations. In those cases, CRSPs are governed by general provisions and treated as regular businesses, subject mainly to personal data protection or data privacy regulations. Some countries do have CRSP regulations in place, but they focus more on licensing and less on supervising their activities. CRSPs in many jurisdictions operate under a voluntary code of conduct that aims to replicate regulatory requirements, but by their nature such codes lack oversight functions. Only in a handful of countries does a comprehensive approach to regulating and supervising CRSPs exist.

The International Committee on Credit Reporting (ICCR) issued its General Principles on Credit Reporting (GPCR) to address the need to ensure sound and effective credit reporting systems (see the Appendix). General Principle 3 on Governance and Risk Management identifies risks inherent in credit reporting activities. At the same time, General Principle 4 on Legal and Regulatory Frameworks provides high-level guidance on what such frameworks should cover. GPCR also includes high-level recommendations for the effective oversight of credit reporting systems. Since the introduction of the GPCR, the ICCR has published additional detailed guidance on various topics to complement the general principles (ICCR 2018, 2019a, 2019b).

Despite the growing recognition of the need for them, a coherent framework and comprehensive guidance on the regulation and supervision of CRSPs do not currently exist. Building on the existing principles and guidance documents developed by the ICCR, it is believed that a globally applicable, principles-based framework for effective regulation and supervision of CRSPs would help develop the credit reporting system. These principles should define the critical elements needed for a regulatory and supervisory framework that can support a sound, efficient, and effective credit reporting system. The framework should also take into account the ongoing innovations occurring in the credit reporting environment and the risks and opportunities that could result from these changes.

2 CREDIT REPORTING SYSTEMS IN THE FINANCIAL INFRASTRUCTURE

Credit reporting is facilitated by credit reporting service providers (CRSPs), which are entities that manage a credit information sharing system. CRSPs collect and compile permissible information on individuals and/or firms and provide this data to third-party users, as well as offering value-added products based on such data. Defined broadly, CRSPs encompass private credit bureaus, public credit registries, business information providers, and alternative credit reporting service providers.1 While they all serve the common purpose of supporting credit risk management through credit reporting, their core focus can differ. They are categorized mainly based on these differences.

A private credit bureau is a credit information exchange with the primary objective of improving the quality and availability of data for creditors so they can make better-informed decisions. Private credit bureaus collect credit data from banks, nonbank financial institutions (NBFIs), and other financial or nonfinancial creditors. They generally focus on retail and MSME lending markets. A public credit registry is a model of credit information exchange the primary objective of which is to support prudential supervision and enable access to credit data by financial institutions to improve the quality of credit portfolios. Credit registries are typically owned and operated by central banks or other financial supervisors and mainly collect credit information from regulated financial institutions. Business information providers are entities that collect information on businesses, including sole proprietorships, partnerships, and corporations for credit risk assessment, credit scoring, or other business purposes, such as the extension of trade credit (World Bank 2011). While there are distinctions in the role of these entities, in many cases it is also possible to combine multiple functions within a single CRSP.

Alternative credit reporting service providers are emerging as a new type of CRSP. These entities use innovative methodologies and nontraditional data, such as digital footprints, social media data, phone data, and browser histories, to assess credit risk and produce credit scores. They often focus on developing credit reporting products in niche markets that traditional credit reporting systems do not cover. From a regulatory perspective, these entities do not generally fall under existing regulatory frameworks, and their activities have increasingly begun to attract the attention of regulatory authorities.

Credit reporting systems comprise the institutions, individuals, rules, procedures, standards, and technology that enable the information flows that support decision-making processes regarding extension of credit (World Bank 2011). They are a vital part of the financial infrastructure, playing multiple supportive roles in sustainable access to credit, financial inclusion, micro-prudential supervision, and financial stability. Developing an effective credit reporting system requires commitment from various stakeholders. The credit information-sharing cycle involves CRSPs, individuals, businesses, data providers, data users, regulators, and supervisors.

Over the years, advances in technology and growing market needs have enabled CRSPs to move beyond credit reports. As a result, CRSPs developed capabilities to process, analyze, and transform data to produce ready-to-use tools to support users and data subjects. In essence, value-added products apply to all differentiated credit reporting services. The range of such products is extensive and evolving, but they include tools such as consumer and commercial credit scores, ID verification and fraud detection, credit portfolio monitoring, behavioral scoring, debt collection services, business insights, marketing services, and personal financial management tools.

1. Credit bureaus can also be termed credit reference agencies, credit reference bureaus, consumer reporting agencies, or credit reporting agencies; business information providers can also be known as commercial credit reporting providers or business credit reporting agencies.
Technology is at the core of credit reporting systems. From the era of paper-based credit reports to automated lending systems, CRSPs have adopted technological advances and updated the way credit reports are created and delivered. In parallel to the innovations, the role of credit reporting has evolved, and CRSPs are transforming into technology-intensive entities that provide a wide range of data analytics solutions. Several new technologies have recently emerged in the credit reporting industry to improve capabilities for CRSPs. These include those listed below (World Bank 2019d), but there are many more.

i. Cloud computing technologies that allow CRSPs to facilitate efficient storing, processing, and transferring data, to lower costs, and to improve service delivery.
ii. Biometrics, national identity, and digital identity systems that improve the ability to authenticate identities of data subjects properly.
iii. Open data platforms that offer available “big data” for use.
iv. Distributed ledger technologies (blockchain) that allow transactions and data to be securely processed across a distributed network.
v. Electronic payment systems that create transactional data for payers and payment acceptors.
vi. Artificial intelligence (AI) techniques that make processing vast amounts of data easier, faster, and more cost-effective.

By adopting new technologies and business models, the credit reporting ecosystem has evolved significantly over the past decade. The accuracy, depth, and breadth of credit data have improved, and delivery of credit reports is much faster, if not instant. Where new technologies enabled CRSPs to enhance their services, alternative credit reporting service providers emerged as competitors. Despite their benefits, improved technologies present a source of risk for credit reporting systems, adding to the risks traditionally associated with credit reporting activities. Key risks associated with the emergence of financial technologies include strategic risk, operational risk, cyber risk, and compliance risk (BCBS 2019).

3 GENERAL PRINCIPLES RELATED TO REGULATION AND SUPERVISION

Since its publication in 2011 by the ICCR, GPCR has been the only set of universal standards for credit reporting included in the Financial Stability Board (FSB) noncore compendium of standards for the financial sector. GPCR has five principles (see the Appendix) describing key stakeholders’ respective roles, accompanying guidelines, and recommendations for effective oversight. ICCR has also published guidelines to complement the general principles on topics such as cybersecurity, credit scoring approaches, and the use of alternative data. GPCR lists the following as key attributes of an effective credit reporting system:

i. Supports financial and nonfinancial creditors in accurately assessing creditworthiness, sound management of credit risk, and well-performing credit portfolios.
ii. Facilitates inclusive, sustainable, efficient access to finance in the economy on competitive terms.
iii. Supports authorities in supervising financial institutions to ensure the safety and soundness of the financial system and oversight of systemic risk.
iv. Encourages individuals and businesses to manage their finances responsibly by rewarding responsible behavior, avoiding overindebtedness, and contributing to financial literacy.

GPCR is extensively used by regulators, supervisors, and policy makers in decision-making processes regarding credit reporting systems and CRSPs. Box 1 provides an overview of the two main credit reporting regulatory approaches.

BOX 1 Overview of Credit Reporting Regulations

In general, two main approaches to regulating credit reporting systems are in use around the globe. Many countries regulate credit reporting activities using broad data protection laws, while others enact specific credit reporting laws or regulations.

The first group includes the European Union (EU), which enacted the General Data Protection Regulation (GDPR). GDPR covers credit reporting activities and any other business activities involving personal data management and data exchange. Specific legislation like the Consumer Credit Directive also covers credit reporting activities in the EU. Other countries following this data protection framework approach include Argentina, Chile, and Uruguay. In countries without specific credit reporting regulations, credit reporting systems may operate under self-regulatory mechanisms. In these countries, CRSPs usually have codes of conduct for good governance (for example, the Czech Republic and New Zealand).

The second group enacted specific credit reporting laws, mainly covering consumer credit reporting activities and credit bureaus. The US was a pioneer in this approach, passing the Fair Credit Reporting Act (FCRA) in 1971, amended in 2011 with the Dodd-Frank Wall Street Reform and Consumer Protection Act creating the Consumer Financial Protection Bureau (CFPB) as an oversight authority. Other countries with specific credit reporting laws include Russia, India, and the Bahamas; countries with credit reporting regulations include Vietnam, Egypt, and Morocco. Such specific laws or regulations generally focus on the entry and exit requirements for credit bureaus; data collection, retention, and security provisions; access, confidentiality, and permissible purposes rules; corporate governance rules; consumer rights and dispute resolution mechanisms; and oversight and enforcement.
3.1 The Five Principles

General Principle (GP) 1 on data outlines the following attributes of what constitutes properly collected and distributed data for credit reporting systems:

i. Accurate, to the extent possible, free of error, truthful, complete, and up to date.
ii. Systematically collected from all data providers using consistently applied, appropriate rules and procedures.
iii. Updated on a predefined schedule or at specific triggers, including prompt adjustment of errors and upon significant events like credit exposures, arrears, defaults, and fraud.
iv. Promptly accessible by data users to support their functions without delays.
v. Comprehensive, covering all relevant information, including negative and positive data, and any nontraditional information.
vi. Available to data users for defined purposes within a specified period of time.

Countries apply the attributes of GP1 in a variety of regulatory rules. From a broader viewpoint, natural tension exists between the rules that require systematic collection of personal data to provide effective financial services to the people and the rules that protect the privacy of personal data of the very same people. In this sense, credit reporting activities are under the scope of data protection laws in many countries. It is worth noting that consent and permissible purposes requirements of personal data protection are mainly applicable to consumer credit bureaus. In the case of credit registries, it is typically required by the relevant financial supervisor for all regulated creditors to share data with the registry. Also, for business information providers, the information related to business entities is generally not subject to data protection regulations, except for the data of business owners. Box 2 provides selected examples of jurisdictional approaches related to GP1.

BOX 2 Regulatory Examples of GP1

Most countries facilitate the reporting of both positive and negative information in credit reports. A few, however, have regulations allowing reporting negative credit information only (Spain, Costa Rica) and prohibit collecting and sharing positive information.

Regulations often require that CRSPs and data providers take all reasonable steps to ensure data are accurate, up-to-date, and valid. To avoid errors in data, regulations can determine the specific minimum inputs for consumer credit reports (Rwanda).

Many countries require the consent of individual data subjects for data collection and/or access to credit reports. In countries such as Australia and Panama, explicit borrower consent is required for a data provider to share information with a CRSP. Countries like the US do not require explicit borrower consent for information sharing in general but require explicit consent if the information is used for specific purposes, like employment.

Countries generally specify the length of time for which information can be stored and shared. Different types of data may have different retention periods. The majority of credit bureaus and credit registries share information for a period of five years or less (World Bank 2019a).

Countries generally allow CRSPs to collect all data relevant for creditworthiness assessment, including data in public records. To protect against discrimination, however, jurisdictions can prohibit collecting certain data types. Most regulations protect to some degree against discriminatory practices in credit scoring (US, EU). However, the use of artificial intelligence (AI) is a particular area of concern, because proprietary AI algorithms are black boxes with unclear decision-making methods, creating the potential for discrimination. As such, countries are considering the risks of AI from many perspectives and exploring ways to regulate it. The EU recently proposed a regulation to introduce harmonized rules on AI. In the US, AI models must address the adverse action notice requirements in the FCRA, which requires the CRSP to disclose key factors that adversely affect a credit score.2 As a guideline, the Monetary Authority of Singapore (MAS) published principles to promote fairness, ethics, accountability, and transparency (FEAT) in the use of AI and data analytics for the financial sector.

2. A draft bill before the US Congress (the Algorithmic Accountability Act) requires entities to conduct impact assessments of high-risk automated decision systems to evaluate the impact of the system’s design process and training data on accuracy, fairness, bias, discrimination, privacy, and security.

GP2, addressing data processing: security and efficiency, stipulates the following as attributes of credit reporting systems that should be ensured:

i. Data is protected against any loss, corruption, destruction, misuse, or undue access.
ii. Precautions are taken to ensure business continuity and avoid disruptions in users’ access to data.
iii. Efficient operations are maintained to provide cost-effective services that meet high standards.

Data security is at the core of safe credit reporting systems, and authorities take an interest in the accuracy, confidentiality, and integrity of credit information databases. Countries apply the attributes of GP2 in a variety of regulatory rules. Box 3 provides selected examples of the jurisdictional approaches related to GP2.

GP3 on governance and risk management outlines the importance of proper governance to ensure risks associated with credit reporting systems are effectively managed. As such, CRSPs and their data providers should be subject to the following mechanisms:

i. Proper accountability with clearly defined management and board responsibilities as well as independent external audits.
ii. Procedures to ensure disclosure of relevant matters relating to the entity and/or its activities in a timely fashion to the respective authority.
iii. Appropriate risk management guidelines for effective governance of activities related to credit reporting activity.
iv. Assessment of all relevant risks by the entity management and reporting the assessment outcomes to the respective authority.
v. Sound internal control and risk management functions related to credit reporting activity within the entity.
vi. Procedures to ensure fair access to data by all users under proper conditions.

Sound governance is key to managing risks associated with credit reporting activities. Thus regulations in many countries include a broad range of governance rules for CRSPs. Box 4 provides selected examples on the jurisdictional approaches as related to GP3.

BOX 3 Regulatory Examples of GP2

Countries can introduce rules to avoid disruptions in credit reporting services. In Russia, qualified credit bureaus are expected to establish IT systems with the highest level of redundancy and reliability to ensure business continuity.

The majority of countries have regulations to deal with cybersecurity and information security (ICCR 2019b). For example, the New York State Department of Financial Services (NYSDFS) introduced a cybersecurity regulation in
The 2018 that requires CRSPs to adopt the core requirements of UK issued guidelines on operational resilience that require a cybersecurity program and risk assessments, establish a identifying critical business services; assessing impact toler- cybersecurity policy to protect consumer and business data, ances; identifying key employees, processes, and technol- install effective access privileges like multifactor authenti- ogy to ensure uninterrupted operations; and conducting cation and encryption, conduct training and monitoring for scenario analysis to plan communication strategies. authorized personnel, appoint a chief information security Countries can also regulate the use of cloud-based ser- officer, and report known cyber breaches to the department vices by CRSPs. For example, regulations can include data within 72 hours. localization rules for cloud services for the transfer of per- sonal data outside the country (Australia) or prohibit per- sonal data transfers abroad (Rwanda). BOX 4 Regulatory Examples of GP3 Countries may regulate the shareholding requirements to Countries can require that CRSPs establish effective restrict commercial banks’ shares in a credit bureau (Nigeria). internal controls and audit and risk management functions. The board of directors and senior management may While these governance functions may be mentioned be subject to minimum qualifications and/or fit and proper explicitly in credit reporting regulations (Korea), most CRSPs requirements, with their responsibilities stipulated in the are governed by general corporate laws and codes of con- regulations (India). Failure of employees, officers, and major duct that cover the policies of these functions. shareholders to be “fit and proper” can be a condition for To complement the internal control and audit functions, revoking a credit bureau’s license (Singapore). regulators can also impose mandatory external audits to ensure the CRSPs’ accountability and transparency (Rwanda). 
GP4 on the legal and regulatory environment states that credit reporting systems should be subject to a legal and regulatory framework that is clear, predictable, nondiscriminatory, proportionate, and supportive of data subject and consumer rights, including effective judicial or extrajudicial dispute resolution mechanisms. In addition, the framework should have the following attributes:

i. Clear rules with consistent terminology and predictable consequences for CRSPs, data providers, data users, and data subjects for actions related to credit reporting activities.
ii. Nondiscriminatory rules that are applied equally and fairly regardless of the nature of the participants.
iii. Proportionate and practical rules that support an effective credit reporting system, ensure a high degree of compliance, avoid overly restrictive obligations, and include commensurate corrective actions.
iv. Protection of the rights of data subjects and consumers, including, at a minimum, the right to object to collection or use of their information for specific purposes and/or use, the right to be informed on the conditions of collection, processing, and distribution of data held about them, the right to access data held about them periodically at little or no cost, and the right to challenge the accuracy of information about them.
v. The data subjects’ and consumers’ privacy issues are addressed and/or subjects and consumers are referred to the relevant data protection regulations.
vi. Effective judicial and extrajudicial dispute resolution structures aim for expeditious solutions to disputes and provide appropriate enforcement and redress tools.

While attention to the need for a regulatory framework and supervisory oversight of credit reporting systems is growing, vast differences remain in the existing regulatory frameworks across jurisdictions. Countries apply a combination of credit reporting laws, banking laws, data protection laws, commercial laws, and consumer protection laws to credit reporting activities. These laws may be complemented with fair credit granting and consumer credit regulations and with corporate secrecy and bank secrecy provisions. In general, regulatory requirements that apply to consumer credit bureaus do not apply to business information providers that mainly deal with business-related information. Box 5 provides selected examples of jurisdictional approaches related to GP4.

BOX 5 Regulatory Examples of GP4

Market Entry

Several jurisdictions enacted provisions for entry and exit requirements, mainly for credit bureaus, in the form of licensing (Singapore) by or registration (South Africa) with the relevant regulator. Licensing regulations generally stipulate minimum paid-in capital, governance requirements, and operational and business standards for CRSPs. In countries with licensing requirements, conditions for revoking licenses can be stipulated in the regulation (Namibia). In the EU, approximately half of the CRSPs are subject to a specific regulatory procedure for entering the market, and a significant minority of the CRSPs are further subject to specific regulatory provisions. More than one-third of the CRSPs are subject to direct supervision by a national supervisory authority (ACCIS 2020).

Whereas multiple credit bureaus operate in many countries, most countries have a single credit registry founded by and operating under a specific law (Spain). Also, business information providers are not generally subject to entry requirements and are not within the scope of credit reporting regulations. They can, however, be subject to some degree of oversight by data protection agencies or commerce ministries.

Countries can also impose licensing requirements for specific activities related to credit reporting instead of licensing CRSPs. One notable example of the activity-based licensing approach is the account information service provider (AISP) licensing procedure in the EU. CRSPs with an AISP license in the EU can retrieve, process, and aggregate consumers’ bank account and payment data seamlessly.

Alternative Credit Reporting Service Providers

From a regulatory perspective, these innovative entities do not generally fall under existing regulatory frameworks. Regulating new technologies necessitates a balanced approach that promotes innovation while overseeing their risk implications. Countries adopt varying approaches to regulating fintechs and new technologies, such as (i) observing and monitoring the implications of innovation before intervening where and when necessary; (ii) following a light-touch supervisory approach, with a “no objection letter” to allow entities to operate in a live environment, followed by a more stringent framework if deemed necessary; (iii) promoting innovation facilitators, such as innovation hubs or regulatory sandboxes; and (iv) introducing new laws, regulations, or licensing frameworks to cover either a broad range of fintech activities or specific activities (World Bank 2020c).

As an example, the People’s Bank of China (PBOC) has issued the Measures for the Administration of Credit Reporting Services. The new measures clearly define the boundaries and scope of credit information, taking alternative data into regulation. (Source: PBOC).

Consumer Rights

Most countries enact consumer protection regulations that include requirements governing the lawful grounds or permissible purposes for data processing and for disclosing consumer data.

Most regulations also give consumers the right to dispute any inaccurate information in their files. Consumer complaints generally consist of claims for correcting factual inaccuracies, such as data entry or process errors, and claims on legal status and liability, such as mixed files, proof of transactions, and fraud or identity theft (World Bank 2019a).

Dispute Resolution

Many regulations establish dispute resolution mechanisms for consumers. The structures of these mechanisms can differ with regard to the type of dispute and the applicable legal framework. Examples of dispute resolution mechanisms include (i) internal complaints handling services of CRSPs, (ii) credit ombudsmen (South Africa), (iii) credit reporting review commissions (Bahamas), and (iv) alternative dispute resolution service providers (Singapore).

GP5 on cross-border data flows outlines the facilitation of cross-border data transfers, where appropriate, provided the following requirements are in place:

i. Transfers are feasible based on a cost-benefit analysis that considers the conditions of the credit markets, the level of economic and financial integration between the countries, the respective laws and regulations, and the CRSPs’ needs for the data.
ii. Procedures are clearly identified, including standard data formats and transfer protocols.
iii. Potential sources of risk are adequately assessed and appropriately managed.
iv. A mutual agreement exists for cooperation and coordination between the relevant authorities.

Cross-border data sharing enables a data subject’s credit history to be leveraged in multiple countries. It helps borrowers access credit in countries where they have no credit history despite having one in their country of origin. Globalization leads to the extensive migration of consumers and businesses from one country to another, whether digitally or in person, spurring the need for regionalized or globalized credit reporting. Box 6 provides selected examples of jurisdictional approaches related to GP5.

BOX 6 Regulatory Examples of GP5

Notwithstanding its technical difficulties, cross-border credit reporting is only possible where legal frameworks allow credit information to be shared across borders. In this respect, many countries impose data localization rules that require personal data be stored and processed in the country (India, Malaysia). Other than data sovereignty restrictions, practical challenges exist for cross-border credit reports, such as lack of unique identifiers for individuals and companies and absence of standard data formats.3

A legal framework that enables shared regional credit reporting only exists in the West African Monetary and Economic Union (UEMOA), which covers eight countries. Also, the AnaCredit Project aims to enable a credit information-sharing mechanism between national banks through the European Central Bank (ECB) in the EU. AnaCredit allows national central banks and financial supervisors to collect and share harmonized and standardized loan information at a granular level.

3. For more discussion on the legal and technical challenges for cross-border credit reporting and for policy recommendations for potential solutions, see ICCR 2021, “Cross-border Credit Reporting.”

3.2 Recommendations for Effective Oversight

GPCR also includes high-level recommendations for the effective oversight of credit reporting systems and suggests that credit reporting systems should be subject to appropriate and effective regulation and oversight by a central bank, a financial supervisory authority, or other relevant authorities. In cases where the relevant regulations in a jurisdiction relate to more than one authority, one of these authorities should undertake the primary role in the oversight function. The central banks, financial supervisory authority, and other relevant authorities should have the necessary powers and resources to carry out their responsibilities to credit reporting systems effectively. The authorities should have clearly defined and disclosed regulatory and oversight objectives, rules, and policies. GPCR should be adopted in the rules and guidelines, where relevant, and applied consistently throughout credit reporting systems. The authorities should cooperate with each other on both the jurisdictional and the international level to promote the development, safety, and efficiency of credit reporting systems.

Regulatory and supervisory authorities for credit reporting systems can comprise central banks, financial supervisors, data protection agencies, consumer protection agencies, or finance ministries. Supervisory oversight can be exercised over CRSPs, data providers, and data users. Box 7 provides selected examples of jurisdictional approaches related to the oversight recommendations of the GPCR.

BOX 7 Regulatory Examples of GPCR Oversight Recommendations

Most countries with specific credit reporting regulations have on-site supervision and inspection provisions for supervisory authorities. Having assigned central banks as authorities, the supervision processes of CRSPs closely mimic bank supervision in many countries (World Bank 2020a). Like regulated financial institutions, CRSPs are obligated to regularly submit a set of off-site reports to the authority. Also, while not as often as at banks, the supervision teams can conduct on-site supervision at CRSP facilities. It is not uncommon for on-site examinations to be accompanied by IT examinations that assess supervised entities’ information security governance.

Effective oversight is only possible with appropriate enforcement mechanisms. As such, most countries established enforcement provisions in their credit reporting regulations. These provisions can include various tools for authorities, such as issuing notices and warnings, requests for corrective actions, and penalties and fines imposed to ensure compliance. Noncompliance cases on specific rules, as opposed to processes, usually cannot be corrected through notice; instead, an appropriate penalty must be imposed.

Most regulations include monetary fines for noncompliance. For example, GDPR has provisions for fines that can be high, depending on the severity of the infringement, and are administered by data protection regulators in member countries. In this case, stringent enforcement of detailed regulatory rules can hamper the effective functioning of credit reporting activities.

Some countries follow a closer approach to oversight on credit reporting activities. In Nigeria and Uganda, central banks require regulatory evaluation and approval of credit reporting products before the CRSPs can introduce them to the market. In the case of specific offenses, some countries have credit reporting laws that lead to imprisonment of the responsible officer (Singapore).

4 KEY RISKS IN CREDIT REPORTING

Major types of risks related to credit reporting systems include strategic risk, operational risk, cyber risk, model risk, reputation risk, compliance risk, and legal risk. CRSPs are technology-intensive operations and deal with multiple parties that provide and use large amounts of data. The potential loss from operational errors is therefore significant. Operational risk can be related to failures in information technology and infrastructure, human errors, or attempted fraud. Such risks can also lead to legal risks, stemming from failure to comply with applicable laws and regulations. Reputational risk is particularly relevant to CRSPs due to the extensive amounts of personal data processing. Continuous innovations in technology, new business models, and emerging new players also increase the level of risks in CRSP activities. Cybersecurity risks have been on the rise, as evidenced by the number of CRSPs that have been subject to cyber incidents in the last few years. The incidents have caused severe financial, operational, and reputational loss for the targeted entities and the industry in general. It cannot be ruled out that realized risks in CRSP activities can result in wide-scale failures in lending markets. The risks in credit reporting activities are not necessarily mutually exclusive; they are interrelated and overlap in many ways. Also, a given CRSP activity or function will in most cases be associated with more than a single risk type.

4.1 Strategic Risk

Strategic risk is the risk to current or projected financial resilience arising from adverse business decisions, poor implementation of business decisions, or lack of responsiveness to changes in the business environment (OCC 2019). Strategic risk covers all risks that affect a CRSP’s business strategy and strategic objectives and includes any risks that can decrease a CRSP’s profitability and viability, such as any unexpected declines in revenues or increases in costs.

Strategic risk is primarily a concern for the CRSP’s board of directors and senior management. It is management’s responsibility to develop and implement robust strategic and business planning processes. In a fast-changing industry, business models must be reviewed and updated if necessary to satisfy data users’ needs. For example, management’s failure to follow advances in technology can result in obsolescence of IT systems.

Strategic risk emphasizes the importance of sound governance. Failures in CRSP governance can result from lack of oversight by the board of directors, inefficient administration by senior management, insufficient monitoring and control, and lack of business resilience. Negative consequences may arise if management and staff do not have the necessary knowledge, skills, and qualifications to assess the risks of new technologies and innovative business models. Cyber incidents or noncompliance with data privacy regulations can be attributed to a failure in good governance in most cases.

Adverse business decisions can result in inaccurate credit reports. Errors in credit reports can cause loss of market share, a decrease in profits and enterprise value, a decline in customer confidence, and potential regulatory enforcement actions. Inaccurate credit reports and flawed credit scores can also cause consumers to be excluded from access to credit. Due to the inherent operational and technical details, credit reports can be prone to error even in established markets. A study of the US credit reporting industry found that five percent of consumers had errors on one of their three major credit reports (FTC 2021). While these errors are attributable to the data providers in many cases, the management of CRSPs should have proper governance strategies to ensure the accuracy of credit reports.

Governance strategies should assess, evaluate, and manage the risks of innovative credit reporting products. CRSPs must take into account the potential risks of adopted technologies and possible regulatory interventions. In the absence of sound new product approval and change management processes, innovative products can implicate risks for credit reporting systems if their reliability, consistency, and integrity are not ensured.

Competition risk is evident as most CRSPs operate in a competitive environment. Management should be able to develop strategies and respond to changing conditions, especially in challenging cases of regulatory arbitrage and unfair competition. For example, alternative credit reporting service providers can emerge in any credit reporting market. Where credit bureaus are licensed and regulated, but new players in the same market operate without a license, a regulatory arbitrage case can arise for the unlicensed players. Unscrupulous practices, such as predatory lending by new players, may also lead to regulatory arbitrage and become sources of potential instability. In addition, credit registries may sell credit reports, in competition with credit bureaus. This is expected in a free market, but operating conditions should be the same for all the competitors. Credit registries with privileges in data collection can create conditions of unfair competition for other CRSPs in the same market. Finally, the credit reporting industry is increasingly internationalized in the sense that globally recognized players compete with local CRSPs in numerous markets. CRSPs that operate in multiple countries can benefit from operational cost efficiencies, an advantage against local competitors that could lead to consolidation of CRSPs.

4.2 Operational Risk

Operational risk is the probability of loss resulting from inadequate or failed internal processes, people, systems, or external events (BCBS 2011). Any event that disrupts the normal flow of business and generates loss or damage to a CRSP can put operations at risk. Operational risk is inherent in all products, activities, processes, and systems of credit reporting.

Above all, deficiencies in the control environment, such as lack of adequate management oversight, can form a basis for many risks. A sound governance framework covers an internal control environment throughout the CRSP organization. Any gaps in internal control points or weaknesses in control practices can give rise to fraud losses, product errors, system outages, or security breaches.

Lack of human capital capacity can affect CRSPs, as to operate they must employ staff with necessary technical qualifications to carry out credit reporting activities. The absence of adequate training and competency policies has implications. Employees’ errors or omissions and the misbehavior of employees can be a major source of operational, legal, and reputational risks. For example, social engineering techniques can target the employees allowed access to the credit reporting network. With respect to the commercial value of credit reporting data, rogue staff members who aim to steal data are also a potential source of vulnerability.

Failures in operational resilience can damage the credit reporting systems in the event of unexpected incidents. Given their intermediation role, CRSPs should make every effort to continue their activities in the event of severe incidents. Failure to establish effective business continuity and disaster management plans can disrupt credit reporting services, which can also interrupt access to credit. A recent example of the importance of business continuity is the COVID-19 pandemic, which affected most businesses globally. It was vital during the pandemic for CRSPs to continue credit reporting services even though most employees had to work remotely. Box 8 briefly discusses the implications of COVID-19 for the credit reporting industry.

Security vulnerabilities, also a component of cyber risk, can be a significant threat for CRSPs that lack adequate information security protocols. Increased connectivity to the internet improves operational efficiency significantly. Yet it can give rise to security vulnerabilities to cyberattacks. Failures in adequate cybersecurity investments could cause obsolescence in systems and make CRSPs vulnerable to cyber threats. In particular, CRSPs that operate in developing countries with limited financial resources can be impeded by the high cost of the most recent technologies.

Contagion risk is another concern, as leading CRSPs have global operations in which many functions are managed from a central or regional headquarters. Global operations provide cost-effective management and reduce infrastructure overhead at the country level. It is possible, however, for a service interruption in a globally active CRSP to affect operations in multiple countries across its network. Also, CRSPs with global operations can be victims of fraud schemes tailored to the regions where they operate.

Outsourcing risk is also a major issue. Most CRSPs outsource to third parties at least some of their services, including IT infrastructure, software, and data platforms. Where data centers are commonly outsourced in Africa and Europe, professional services such as websites and call centers are outsourced in the Americas (ICCR 2019b). Third-party vendors provide many benefits to CRSPs, such as improved business focus, cost efficiencies, and greater flexibility, scalability, and connectivity. Despite its certain benefits, the reliance on outsourcing is a source of risk for CRSPs in cases where third-party contractors or fourth-party subcontractors do not comply with cybersecurity, information security, and data privacy standards. That said, a cyber-attack at a contractor or subcontractor can also affect the CRSP’s systems. For example, the Equifax breach in 2017 was due to a bug on an outsourced enterprise system.

BOX 8 Implications of COVID-19 for Credit Reporting

The COVID-19 pandemic has significantly impacted credit reporting systems, financial institutions, and countries’ economies in general. In many jurisdictions, access to complete, up-to-date public data was severely affected because company/business registries or courts were either closed or had moratoriums imposed. From an operational risk perspective, a severe but plausible scenario had become a reality. The pandemic has the following key implications for CRSPs:

i. The high degree of interconnectedness of the financial sector and interdependencies across firms and markets underlines the importance of ensuring business continuity at the financial system level to avoid systemic impacts resulting from operational incidents at the CRSP level.
ii. Increasing dependence of CRSPs on third-party service providers, especially outsourcing agreements with cloud service providers, raises risks of disruption in credit reporting services if the third-party providers’ services are disrupted due to lockdowns in distant locations.
iii. CRSP employees moved to remote working on a mass scale, increasing risks to data protection and from professional conduct and lack of managerial oversight. Also, contingency plans for key staff were needed that could help maintain continuity of services if that staff could not work.

The pandemic has had a potential impact on the integrity of credit reporting systems. In particular, inadequate and untimely data provided by CRSPs undermines the key role of the credit reporting systems. Other potential impacts include possible credit rationing, increased cost of credit, and exclusion of borrowers. ICCR (2020) provides policy recommendations for CRSPs facing the operational implications of the pandemic.

4.3 Cyber Risk

Cyber risk is the risk of financial loss, operational disruption, or damage from the failure of the digital technologies used for operational functions via electronic means due to unauthorized access, use, disclosure, disruption, modification, or destruction of the credit reporting system (NIST 2017). The definition of cyber risk encompasses multiple aspects of risk, and effectively managing cyber risk, as opposed to a technical risk overseen by IT staff, requires organization-wide governance. The general categories of cyber risk can be summarized as follows (World Bank 2018a):

i. Continuity risk that the performance and availability of systems and data are impacted and information systems are disrupted.
ii. Data integrity risks that data collected, stored, and processed are incomplete, inaccurate, and inconsistent across different systems.
iii. Change risk as failure in proper management of system changes and updates in a timely and controlled manner.
iv. Outsourcing risk that problems at third-party providers adversely impact the CRSP.
v. Security risk of unauthorized access to information systems from within or outside the CRSP.

In a digital world, the potential impacts of a cyber incident can be disastrous. In this sense, cybersecurity often goes beyond a business concern and becomes a concern of national security. Credit reporting systems use digital technologies extensively, which expands the potential sources of vulnerabilities. As controllers of valuable data, CRSPs and other participants in the credit reporting ecosystem are potential targets for cybercrime actors. Box 9 provides examples of recent major cybercrime incidents. Common types of cybercrime incidents that can affect credit reporting systems include (ICCR 2019b):

i. Breaches of data belonging to data subjects or the CRSP, in the form of unauthorized access, transmission, reproduction, dissemination, or sale of data.
ii. Deletion or corruption of data by a type of malware.
iii. Unauthorized encryption of data by ransomware that prevents access to data.
iv. Malfunction of the system because of manipulation by a third party.
v. Malfunction of network communication because of an attack such as a distributed denial-of-service.
vi. Disruption at the outsourced systems, such as the cloud servers.
vii. Illegitimate financial transactions as a result of a system intrusion.
Cybercrime incidents can result in severe consequences for the credit reporting systems in the form of economic, financial, legal, and reputational costs. Risk implications for cybercrime incidents include, but are not limited to, the following:

i. Economic costs such as fraudulent loans and credit cards granted in the name of data subjects can ultimately result in defaults and incurred losses for creditors.
ii. Financial costs such as declines in market value, redress payments to data subjects, increased insurance premiums, and additional IT infrastructure costs.
iii. Legal and compliance costs, including fines and penalties imposed by authorities, communication costs from negotiation with authorities and affected parties, and forensic investigation costs.
iv. Reputational costs, including loss of confidence in the CRSP among data subjects, providers, and users and public relations, communication, and other costs to rebuild trust.
v. Disruption in access to credit as a result of failures in services where data users and subjects cannot access credit reports.
vi. Adverse outcomes on the general economy caused by creditors adopting a cautious approach to lending and lacking faith in credit reporting systems.

New technologies can be a source of vulnerability for CRSPs. Innovations in credit reporting such as DLT/blockchain, APIs, cloud computing, and AI/ML have risk implications for the industry. While there are many potential benefits for CRSPs from new technologies, these can also expose the credit reporting system to new sources of cyber risk.

CRSPs’ high degree of interconnectedness can affect public data networks, banks, and other financial and nonfinancial institutions within the credit reporting system. New participants, such as alternative data sources, fintechs, alternative lenders, and new data users, join the credit reporting systems daily. The interconnectedness of the credit reporting systems can lead to contagion effects if a CRSP’s systems are compromised. Also, a cyber breach in a player of the system can harm the CRSP as well.

BOX 9 Major Cybersecurity Incidents

SolarWinds Cyber Attack in the US
In December 2020, IT products and services company SolarWinds was hacked, and its IT monitoring and management product was corrupted by sophisticated malware. This malware then spread through software updates to several customers, including financial services institutions. NYSDFS in its investigative report on the incident recommended that entities should (i) fully assess and address third party risk; (ii) adopt a “zero trust” approach and implement multiple layers of security; (iii) address vulnerabilities without delay through patch deployment, testing, and validation; and (iv) address supply chain compromise in cybercrime incident response plans (NYSDFS 2021).

Experian South Africa
In May 2020, Experian South Africa experienced a data breach that exposed to a suspected fraudster some personal information belonging to roughly 25 million individuals and 800,000 entities. The perpetrator impersonated a director of a known client and proceeded to procure services from Experian as a client. The data was shared with the perpetrator using Experian’s secure data transfer protocols. Experian reported the incident to local authorities, after which the fraudster’s hardware was impounded and the misappropriated data was secured. The breach incident continued when an unknown individual posted the data files on a restricted file-sharing website; that file too was later deleted (Experian 2021).

Irish Credit Bureau
Between June and August of 2018, a personal data breach occurred at the Irish Credit Bureau (ICB) database when the ICB implemented a code change to its database that contained a technical error. The ICB inaccurately updated the records of 15,120 closed accounts, and before it had fixed the issue the ICB had disclosed these inaccurate account records to financial institutions or data subjects (DPC 2021).

Equifax Data Breach in the US
During the period from May to July in 2017, cybercriminals exploited a US website application vulnerability to access Equifax files. The data breach exposed records containing the Social Security numbers, birth dates, addresses, and, in some cases, driver’s license numbers of more than 143 million consumers.

4.4 Model Risk

Model risk is the potential for adverse consequences from decisions based on incorrect or misused financial or statistical model outputs (FDIC 2017). Credit scores as analytical credit risk management models are at the very center of the value-added products that CRSPs offer to users. While traditional logistic regression models are still common for credit scores, AI-based models are increasingly used to leverage alternative data. AI facilitates innovative statistical approaches in credit scoring. They are better equipped to process data with nonlinear interrelationships, as is often the case with big data. However, the AI algorithms used for alternative credit scores lack transparency in how data is collected and used and how output is generated. Among other risks, the black box attribute of AI brings a discriminative bias risk for consumers. Therefore, credit scores as an output of AI models bear risks of not being explainable, transparent, and fair.

Explainability implies that an adverse decision regarding a credit application is based on clear reasons. Due to the complex algorithmic decision mechanisms of AI-based scoring models, the ability to understand, explain, and justify the decisions made using such models is challenging. In particular, AI scoring models that use deep neural networks, random forests, and gradient boosting machines are considered black-box models (ICCR 2019a). These models employ complex transformations between the data inputs and the results.

Transparency suggests that the decision-making methods and the scope of data used in an AI-based scoring model must be assessable by an independent party, usually an oversight authority. The model should be traceable and auditable to track all the steps, criteria, and choices throughout the process for enabling the repetition of the process to understand the decisions made by the model (EBA 2020). Due to the lack of transparency in AI algorithms’ decision-making methods, authorities can find it difficult to assess (i) how data is collected and used, (ii) which types of data affect scores, and (iii) whether consumers are subject to discriminatory biases.

Fairness requires inclusive scoring models, that is, the absence of any discriminatory or biased practices. AI models can use discriminatory factors in alternative data sources either directly or by approximating them indirectly. The design of an AI algorithm can be applied in a manner that uses information as a proxy for sensitive attributes. Or the input data can be incomplete, unrepresentative, or poorly weighted to reflect bias against protected attributes (World Bank 2021). The risk of unfair practices increases with the extensive use of alternative data, depending on the type of data used in the AI model.

CRSPs may also use AI algorithms developed by third-party providers. Notwithstanding other risks, such as the risks of vendor lock-in and lack of third-party knowledge, these providers can operate outside the scope of any data protection or other relevant regulations. In this case, these AI models can learn discriminatory biases if they are trained using data sources without a legitimate ethical basis. In this case, CRSPs must ensure the explainability, transparency, and fairness of credit products developed by third parties.

4.5 Reputation Risk

Reputation risk arising from negative perceptions by consumers, data providers, data users, shareholders, investors, or regulators can adversely affect a CRSP’s ability to maintain existing or establish new business relationships (BCBS 2019). The negative perception regarding a CRSP’s business practices, whether true or not, can have multiple consequences, including (i) damage to business relationships, (ii) loss of confidence of consumers and businesses, (iii) loss of existing and future customers and decline in revenue, (iv) exit of key personnel and management and inability to recruit a qualified workforce, (v) decline in market capitalization, and (vi) fines, penalties, and litigation costs where applicable.

A strong business reputation is key to the success of credit reporting activities. If an incident damages a CRSP’s reputation, it can require an extended effort to rebuild and recover. Critical threats to a CRSP’s reputation include, but are not limited to, the following:

i. Data security and data privacy breaches.
ii. Enforcement actions or penalties due to noncompliance.
iii. Negative news on traditional or social media.
iv. A high number of customer complaints.
v. Ineffective crisis management of significant events related to the CRSP.

4.6 Legal and Compliance Risk

Compliance risk is the risk of penalties, sanctions, financial loss, or loss to reputation a CRSP can suffer. It can result from a failure to comply with laws, regulations, rules, self-regulatory industry standards, or codes of conduct applicable to their activities (BCBS 2005). Similarly, legal risk is the risk of financial or reputational loss resulting from any type of legal obligation. It includes a lack of awareness, misinterpretation, or misunderstanding of how laws and regulations apply to credit reporting activities. Legal risk covers, but is not limited to, litigation settlements and fines or penalties resulting from supervisory actions. Legal and compliance risks overlap to some extent, and both also fall under the definition of operational risk. Critical considerations for legal and compliance risk include the following:

i. Financial risks in the form of litigation. In regulations with no caps on class-action lawsuit settlements (for example, in the US), CRSPs can be required to make high payments to data subjects. For example, Equifax has agreed to a settlement that includes up to US$425 million to compensate affected people (Equifax 2021).
ii. Noncompliant innovations. The credit reporting industry evolves rapidly, and innovations may not fit within the applicable regulatory framework. In particular, CRSPs must carefully assess compliance issues regarding the use of alternative data and innovative technologies.
iii. Inappropriate resolution of consumer complaints. CRSPs have regulatory responsibilities to deal with consumer disputes, such as specific deadlines for responding to the filings. Failures to effectively manage consumer complaints can lead to customer distress, reputational loss, and potential fines imposed by the authorities.
5 KEY CONSIDERATIONS FOR A REGULATORY AND SUPERVISORY FRAMEWORK

5.1 Preconditions for Regulation and Supervision

An effective regulatory and supervisory framework should provide the authorities necessary tools to develop, implement, monitor, and enforce policies under both normal and stressed conditions. From a broader perspective, an effective regulatory and supervisory framework should be supported by sound and sustainable macroeconomic policies; a well-formulated financial stability policy framework; an established public infrastructure; a crisis management, recovery, and resolution framework; an appropriate level of systemic protection; and effective market discipline (BCBS 2012).

A sound credit reporting infrastructure is an essential building block for the safety and soundness of credit markets and the financial system in general. The main components of a sound credit reporting infrastructure include, but are not limited to, the following (BIS 2012):

i. A well-founded, clear, transparent, and enforceable legal basis that covers each aspect of credit reporting activities.
ii. An appropriate governance structure to promote the safety and efficiency of the credit reporting infrastructure and support the stability of the broader financial system.
iii. A comprehensive risk management framework that covers the risks and vulnerabilities inherent in credit reporting activities.
iv. Objective, risk-based, publicly disclosed criteria that allow participants fair and open access.
v. Efficient and effective satisfaction of evolving needs of participants and credit markets.
vi. Transparent rules and procedures that enable sufficient disclosure of information to participants on credit reporting activities.
vii. Consistently enforced laws and regulations that include fair dispute resolution mechanisms for participants.
viii. Appropriate and effective regulation, supervision, and oversight by a relevant authority.

5.2 Scope of Application of the Key Principles

The scope of application of the key principles for effective regulation and supervision covers both credit reporting activities and the systems used to carry them out. As facilitated by traditional CRSPs as well as alternative CRSPs, credit reporting activities cover collecting and compiling information on individuals and businesses, processing this information to produce structured data, developing value-added products based on this data, and disclosing or selling this data to users. In addition, credit reporting activity aids in creditworthiness assessment and supports the credit-granting decisions of financial or nonfinancial creditors and prudential oversight. In this sense, the key principles are applicable to credit bureaus, credit registries, business information providers, and alternative credit reporting service providers. They can be applied on a risk-based approach and a proportionate basis, as necessary. They are not intended to apply to credit rating agencies that typically provide debt or securities rating services for businesses or to companies that provide proprietary scoring services, including audit firms.

The key principles were developed to be applicable universally; however, they do not aim to provide detailed action plans at the jurisdictional level. Instead, authorities can use the principles as a guide to (i) evaluate the status quo of the credit reporting systems, (ii) identify, review, or update regulatory and supervisory objectives, and (iii) develop regulations, strategies, and policies for achieving these objectives. In addition, international financial institutions (IFIs) such as the World Bank Group, the International Monetary Fund, regional development banks, and others can use these key principles when assessing credit reporting systems and providing technical assistance to countries. Also, the principles may be reviewed in light of significant changes in credit reporting systems due to the evolving nature of credit reporting activities.

5.3 Scope of the Responsibilities of Authorities

Credit reporting activities should be subject to appropriate and effective regulation, supervision, and oversight by an authority. Regulatory and supervisory authorities have a vital role in ensuring that CRSPs are able to manage their risks effectively and that their function in the financial system is not disrupted. This role cannot be fulfilled if any of the essential functions of regulation, supervision, or oversight are not working.[4] This report considers an “authority” to be the agency in charge of regulating and supervising credit reporting systems. The supervisory authority[5] varies across countries. Often a banking supervisory authority, either the central bank or an independent agency, is a data protection agency that oversees the activities of CRSPs to the extent they process personal data. If more than one authority is responsible for regulating and supervising CRSPs, one of them should function as the primary overseer (World Bank 2011).

To best ensure the safety and efficiency of credit reporting systems, a regulatory framework should be comprehensive. Regulation of CRSPs should protect data subjects’ rights, identify the responsibilities of data providers, and ensure fair access to credit reporting services and unbiased application of specific standards to the participants in the credit reporting system. While regulations define the rules of the playing field, their practical implementation is driven by, among other factors, effective supervision. The success of a regulatory framework is therefore contingent on the supervisory role of a competent authority. In addition to its crucial role in enforcing rules, the supervisor can have a role in interpreting the rules and suggesting changes if necessary. This role is of particular relevance for the challenge of dealing with the inherent complexity, innovations, and continuous change in credit reporting activities. Also, effective supervision can support good business practices in the industry and promote trust in the credit reporting system. The supervisory authority should have the necessary legal powers and financial and human resources to effectively carry out its responsibilities in regulating, supervising, and overseeing CRSPs. The authority should cooperate with other relevant authorities, both domestically and internationally, as appropriate, to promote the safety and soundness of CRSPs.

The authority should adopt the GPCR along with the key principles for effective regulation and supervision of CRSPs and make its best effort to apply them consistently. Consistent application of principles in a jurisdiction and across different jurisdictions is critical as credit reporting systems can depend on each other, compete with each other, or both. The authority should promote consistency and transparency by disclosing the policies applicable to the credit reporting systems it owns or operates. Also, the authority should apply an appropriate level of separation between the oversight and operational functions.

[4] Where “regulation” refers to the whole set of laws and rules applicable to credit reporting activities, “supervision” is defined as the monitoring of credit reporting activities and the enforcement of relevant regulations by the authorities. “Oversight” is a function of the authority whereby regulatory and supervisory objectives are promoted by monitoring ongoing activities, assessing them against the objectives, and, where necessary, enforcing change.
[5] For simplicity, this document refers to a single “authority” as a supervisory authority, unless stated otherwise, assuming that a single supervisory authority is also responsible for regulation, although this is not the case for all jurisdictions.

6 KEY PRINCIPLES FOR REGULATION AND SUPERVISION OF CRSPs

The objective of the key principles is to ensure the effective functioning of the credit reporting systems. Credit reporting systems should effectively support the sound and fair extension of credit in an economy as the foundation for robust and competitive credit markets. In doing so, credit reporting systems should be safe and efficient and should fully support data subjects’ and consumers’ rights.

To ensure this objective is met, the key principles framework covers all credit reporting activities instead of referring to specific types of CRSPs. This is of particular importance given the evolving nature of credit reporting systems. Credit reporting, as facilitated by credit reporting service providers, is the credit information sharing mechanism that covers collecting and compiling information on individuals or businesses, processing this information to produce structured data, and disclosing or selling this data to or creating value-added products with this data for third-party users to assess creditworthiness and manage credit risk.

The framework includes twelve principles for safe and efficient credit reporting activities, along with the roles and responsibilities of the supervisory authority (Box 10). The authority is expected to oversee the credit reporting system as a whole to accomplish the objective of the key principles. This is achieved through a risk-based supervision approach by using supervisory powers, tools, and resources on a proportionate basis.

BOX 10 Key Principles for Effective Regulation and Supervision of Credit Reporting Systems

PRINCIPLE 1: Regulatory Framework
Credit reporting activities should be subject to regulation and supervision by authorities with clearly defined responsibilities and objectives. An appropriate regulatory framework should be in place for each authority responsible for supervision to provide the necessary legal powers to oversee credit reporting activities.

PRINCIPLE 2: The Authority
The authority should be granted, by an appropriate legal framework, operational independence, effective organizational structure, and adequate human capital and financial resources to discharge its duties. The authority should define, disclose, and review its objectives and be accountable for executing its duties and for the use of its resources.

PRINCIPLE 3: Supervisory Approach
The authority should adopt a risk-based supervisory approach to identify and assess risks related to credit reporting activities, evaluate these risks by on-site and off-site supervision tools as appropriate, and employ proportionate enforcement actions (with their corresponding dispute resolution mechanisms) to address these risks and ensure compliance.

PRINCIPLE 4: Cooperation and Collaboration
The authorities should coordinate and cooperate with each other, at both the jurisdictional and the international level, to promote the development, safety, and efficiency of credit reporting systems, as well as the cross-border exchange of credit information.

PRINCIPLE 5: Permissible Activities
The regulatory framework should define and cover permissible activities in credit reporting. Appropriate permission mechanisms, including market entry requirements, should be governed by the authority.

PRINCIPLE 6: Access and Transparency
Credit reporting systems should allow fair and open access to their services, on the basis of reciprocity, by data providers, data users, data subjects, and other relevant stakeholders. Credit reporting systems should be subject to a clearly defined disclosure framework to enable participants to have an accurate understanding of credit reporting activities.

PRINCIPLE 7: Governance
Credit reporting systems should be administered using a governance framework commensurate with the risks and the scope of the activities. The framework should establish policies and procedures, a proper internal control environment, and an appropriate organizational structure with clearly defined duties and responsibilities that ensures system efficiency and effectiveness in serving the markets.

PRINCIPLE 8: Risk Management
Credit reporting systems should be monitored within a comprehensive risk management framework and culture to identify, assess, evaluate, manage, and mitigate all risks related to credit reporting activities on an ongoing basis.

PRINCIPLE 9: Data Security
An appropriate information security framework should govern credit reporting activities to protect the confidentiality, integrity, and availability of information and ensure business continuity and operational resilience.

PRINCIPLE 10: Data Collection
Data providers should provide relevant, accurate, timely, and sufficient information on data subjects, including positive data, to CRSPs to enable a comprehensive credit information sharing mechanism. CRSPs can collect data from all legal, reliable, appropriate, and available sources and retain this information for a sufficient time for credit reporting.

PRINCIPLE 11: Personal Data
Personal data collection, processing, and distribution should be undertaken only for the purposes for which the data was collected, including creditworthiness assessment, credit risk analysis, indebtedness and repayment capacity, ID confirmation, fraud prevention, and prudential supervision.

PRINCIPLE 12: Consumer Rights
Consumers should have clear rights regarding the use of their personal data for credit reporting. These rights should include consent, dispute, notification, and access rights; right to restrict data use; and right to request transfer of data, as appropriate. Effective dispute resolution mechanisms should be established for handling consumer disputes related to credit reporting activities. Credit reporting products should be explainable, transparent, and fair.

PRINCIPLE 1: Regulatory Framework

Credit reporting activities should be subject to regulation and supervision by authorities with clearly defined responsibilities and objectives. An appropriate regulatory framework should be in place for each authority responsible for supervision to provide the necessary legal powers to oversee credit reporting activities.

Credit reporting activities should be subject to oversight by an appropriate regulatory framework to ensure that a type of credit reporting activity is regulated by the same rules for any type of CRSP that undertakes such activity. The same set of rules for the same kind of credit reporting activities enables all CRSPs, whether a credit bureau, credit registry, business information provider, or alternative credit reporting service provider, to be governed by regulations that promote fair competition and block regulatory arbitrage. If the regulatory authority is also the owner or operator of the credit registry, the management and oversight functions of the credit registry should be separated by a clear mandate.

The responsibilities and objectives of the authorities involved in oversight of credit reporting activities should be clearly defined in laws or regulations. The primary objective of oversight is to ensure that the credit reporting systems effectively support the sound and fair extension of credit in the economy as the foundation for robust and competitive credit markets. To this end, credit reporting systems should be safe and efficient and should fully support the rights of data subjects and consumers.

The authority should have the legal power to reasonably and confidentially access the board of directors, senior management, staff, policies and procedures, functions, and any relevant records of CRSPs. In particular, the authority should have access to the essential sources of information to undertake the following: (i) understand the functions, activities, and overall condition of CRSPs; (ii) assess the risks inherent in credit reporting systems, the financial system, and the broader economy; and (iii) evaluate the CRSP’s compliance with relevant regulations and policies. The power to access includes gathering information through regular or ad hoc reports, on-site visits, inspections, and dialogues with stakeholders in the credit reporting systems. In addition, the authority should be able to access relevant confidential information from CRSPs and confidentially share it with other relevant authorities to minimize gaps in regulation or oversight. The authority should have the legal power to oversee all the activities within the scope of credit reporting, including the power to supervise foreign-owned credit reporting activities operating in its jurisdiction.

The authority can encourage CRSPs to form industry associations to facilitate communication and collaboration among stakeholders and develop codes of conduct. While codes of conduct constitute a type of self-regulation and can be beneficial in establishing consensus for acceptable practices in the industry, they cannot substitute for a regulatory framework. Codes of conduct for credit reporting activities support the regulatory framework by outlining the norms, rules, responsibilities, and common good practices for the industry.

PRINCIPLE 2: The Authority

The authority should be granted, by an appropriate legal framework, operational independence, effective organizational structure, and adequate human capital and financial resources to discharge its duties. The authority should define, disclose, and review its objectives and be accountable for executing its duties and for the use of its resources.

The authority should be granted, by appropriate provisions, operational independence to ensure no third-party interference occurs that compromises the decision-making processes for discharging the oversight duties of credit reporting activities. Where the authority has broader oversight responsibilities, the independence of the oversight function should not be undermined by the authority’s other supervisory functions and objectives.

The authority should have a transparent governing body for the oversight function of credit reporting activities. Its organization should be designed to avoid conflicts of interest and enable effective oversight with timely decisions and enforcement actions when necessary. The staff should have essential credibility in their professional conduct and integrity, appropriate knowledge and skills, and accountability under appropriate legal provisions.

The authority should have adequate financial resources and qualified human resources to perform its regulatory and oversight responsibilities. The organizational structure of the authority should be appropriate for the effective use of these resources. The financial resources of the authority should be sufficient to (i) employ and retain qualified staff with necessary skills, (ii) allocate adequate staff for the sole purpose of oversight, (iii) provide function-focused training programs regularly, (iv) invest in necessary physical and technological infrastructure, and (v) engage with external resources, such as technical experts, when and where needed. The duties for the regulatory oversight functions within the organization should be clearly defined, with proper delegation of tasks. Staff should have the necessary tools to perform their daily operations, monitor credit reporting activities, conduct on-site inspections, and take enforcement actions when necessary.

The authority should clearly define and disclose its regulatory and supervisory objectives, roles, and policies concerning credit reporting activities. A clear framework for oversight objectives creates a basis for policy-making decisions and provides a benchmark by which the effectiveness of achieving the objectives can be evaluated. Public disclosure promotes transparency, accountability, and consistency in policy implementation by the authority. Consistent with the regulatory framework, the objectives should be supported by specific policy documents, guidelines, notices, circulars, standards, and supervisory letters that are regularly reviewed. The authority should support accountability for its responsibilities and objectives by publishing information on its oversight activities in annual or ad hoc activity reports. The disclosure of regulations, rules, objectives, policies, and functions should be in plain-language documents to ensure they are available to and understandable by credit reporting system participants. While public disclosures facilitate compliance with applicable requirements and standards, the primary responsibility for complying with regulatory and oversight principles rests with the CRSPs.

PRINCIPLE 3: Supervisory Approach

The authority should adopt a risk-based supervisory approach to identify and assess risks related to credit reporting activities, evaluate these risks by on-site and off-site supervision tools as appropriate, and employ proportionate enforcement actions (with their corresponding dispute resolution mechanisms) to address these risks and ensure compliance.

The authority should adopt a risk-based approach for determining and assessing the nature, impact, and scope of the risks related to credit reporting activities. The authority should establish a forward-looking risk assessment framework with a well-defined methodology to address the risk profile, scope of activities, governance, risk management, and internal control environment of CRSPs against the oversight objectives. The risk assessment should include the following elements:

i. Occurs regularly to determine the priority and scope of supervision of CRSPs.
ii. Identifies the emerging risks, trends, and innovations in the credit reporting system as a whole.
iii. Takes into account the overall environment and developments in related sectors, such as the banking system.
iv. Recognizes the supervisory inputs, feedback, and concerns from the other relevant authorities.
v. Complements an assessment of compliance with relevant regulations as necessary.

The authority should employ the appropriate range of tools to supervise credit reporting activities based on the risk assessment outcomes. The scope of activities undertaken by different types of CRSPs can vary greatly. Therefore, a one-size-fits-all CRSP supervisory treatment may not be appropriate. This is the fundamental reason why the authority should adopt a risk-based approach. Supervisory tools should include appropriate on-site and off-site supervision, and allocation of supervisory resources should be based on the results of the risk assessment.

The on-site and off-site supervision tools should be used within a coherent supervisory planning process. The authority should ensure that on-site and off-site functions are deployed with clear responsibilities, objectives, and outputs with an effective coordination and information-sharing mechanism between both functions.

The off-site reporting framework should include an appropriate variety of information to regularly assess compliance with relevant regulations, determine the safety and efficiency of credit reporting activities, evaluate the inherent and emerging risks, and identify areas of supervisory concern. Off-site reports should cover all relevant information, submitted ad hoc or regularly, such as audit reports, statistics on data subjects, data inquiries, and consumer complaints.

On a proportionate basis, on-site supervision should be conducted based on the results of the risk assessment, the evaluation of the off-site reports, and the availability of resources. The on-site supervision team should consist of the authority’s supervisors; however, the authority can use external auditors for inspections that require technical expertise. The on-site supervision function should include, among others, the following objectives:

i. Evaluate the adequacy of governance structures and control environment.
ii. Develop a better understanding of the strategy, business model, activities, and products of the CRSP.

The findings of both off-site and on-site supervision functions should be communicated to the CRSPs by appropriate letters, notices, and reports.

The authority should be granted, by an appropriate legal framework, an adequate range of supervisory tools to impose enforcement actions. These actions include written warnings, penalties, fines, corrective actions, restrictive orders, interventions, and other means deemed necessary and proportionate. The authority should have the tools needed for corrective actions when the CRSP is not compliant with the regulations, engages in unsafe credit reporting activities, and fails to establish sound governance and control practices and proper risk management. The relevant regulations should clearly define the supervisory tools for enforcement.

The enforcement tools should be applied, without undue delay, on a proportionate basis according to the nature of the supervisory concern at the CRSP. The authority should prioritize the objectives of the safety and efficiency of the CRSP and of the credit reporting system in deciding the appropriate enforcement actions. The enforcement actions should be subject to an appropriate judicial dispute resolution mechanism for solving disputes regarding the enforcement action. The range of enforcement tools can include the following:

i. Supervisory letters that identify areas of concern and require improvement.
ii. Administrative penalties and fines.
iii. Notices that require prompt corrective actions or requests for specific action plans.
iv. Restrictions and prohibitions on specific types of activities, applying stringent limits and requirements, and requesting changes in organization and management.
v. License revocation or exclusion from the official (state) register, if appropriate.

PRINCIPLE 4: Cooperation and Collaboration

The authorities should coordinate and cooperate with each other, at both the jurisdictional and the international level, to promote the development, safety, and efficiency of credit reporting systems, as well as the cross-border exchange of credit information.

Consistent with the relevant legal powers and regulatory frameworks, cooperation arrangements should be designed to support authorities’ mutual objectives of maintaining safe and efficient

iii.
Validate and confirm the accuracy and reliability of the off-site credit reporting systems. The ideal arrangements will be formal, reports provided by the CRSP. as appropriate, and will include mechanisms to fulfill oversight roles efficiently and in a manner that minimizes duplication of iv. Inspect areas of supervisory concern and follow up with previ- efforts and inconsistent policy decisions. ous supervisory findings. KEY PRINCIPLES FOR EFFECTIVE REGULATION AND SUPERVISION OF CREDIT REPORTING SERVICE PROVIDERS • 25 Formal arrangements backed by relevant regulations are nec- Cooperation arrangements, either domestic or international, essary for cooperation with regulation and supervision of credit should include crisis management plans as appropriate. Where reporting systems with significant cross-border linkages or oper- an authority identifies any activities or functions as unsafe or ations in multiple jurisdictions. CRSPs that operate across bor- unsound, the relevant authorities should immediately be notified ders and serve more than one jurisdiction should be subject to to ensure corrective actions are carried out without delay. oversight by a designated authority with primary responsibility, supplemented by a committee of competent regulators and Authorities of respective countries should coordinate to develop supervisors of the relevant jurisdictions. The authority primarily policies to facilitate cross-border credit reporting. Provided that responsible should formulate effective cooperation and consulta- individuals benefit from transferring their credit reports over tion mechanisms with relevant authorities to develop policies on national borders with their consent, authorities should permit and/ common issues and stay abreast of developments related to the or encourage cross-border exchange of data, including fostering credit reporting systems. regulatory changes to allow for it. 
Credit reporting industry asso- ciations should support the authorities in developing efficient and At the jurisdictional level, if more than one authority exercises secure systems to enable cross-border flow of credit reports. the oversight function of credit reporting activities, one of them should be identified as having primary responsibility. Cooperation arrangements should ensure consistent regulatory and supervi- PRINCIPLE 5: Permissible Activities sory policies and minimize duplication of efforts and the regulatory burden on CRSPs. Also, relevant authorities in a jurisdiction should The regulatory framework should define and cover permissible address any existing gaps in regulation or supervision of CRSPs activities in credit reporting. Appropriate permission mecha- through changes in rules, where possible, or by other means. nisms, including market entry requirements should be governed by the authority. It is the responsibility of the primary authority to carry out com- prehensive assessments of the credit reporting ecosystem and The authority can impose reasonable market entry requirements related activities and systems as a whole. A comprehensive for CRSPs to ensure effective oversight of the credit reporting assessment can only be facilitated by the following: activities. Entry requirements should also provide for the cancella- tion of licenses and appropriate mechanisms for ongoing custody i. Efficient communication channels among authorities and rel- or disposal of the credit information database. Entry requirements evant stakeholders. can include one or more of the following frameworks: ii. Adequate inputs of analysis and information by the relevant i. Licensing regime as a requisite for entry that allows the authorities, as shared on a regular or ad hoc basis. authority to assess whether a CRSP is suitable and eligible iii. Consultation processes to exchange interests and concerns to operate within the jurisdiction before starting activities. 
regarding policy decisions. Licensing regimes should be accompanied by clear eligibility conditions, such as necessary expertise, technical infrastruc- iv. Consensus on issues of common interest related to risks in ture, and management experience. Licensing regimes can be credit reporting activities. limited to a specific type of CRSP, such as a credit bureau. The authority should cooperate with relevant regulators of alter- ii. Registration regime that requires CRSPs to be recorded on a native data, such as telecommunications or insurance regulators, directory at the authority. While registration does not involve to facilitate the lawful sharing of such data with CRSPs. a process for granting approval, it allows the authority to have proper oversight of the entities dealing with credit reporting The authorities should adopt best practices on international activities. Registration regimes should be accompanied by an cooperative agreements. Cooperation arrangements with non- appropriate regulatory framework for operational rules. The domestic authorities should be designed to fulfill the oversight list of registered CRSPs can be published by the authority to responsibility of CRSPs that operate in multiple jurisdictions. For support the transparency of the industry. internationally active CRSPs, the primarily responsible author- iii. Activity-based licensing that requires a specific type of credit ity can be the authority in the location of its headquarters or as reporting activity subject to a licensing regime. The activ- determined cooperatively by all authorities in relevant countries. ity-based approach enables a closer oversight role for the International cooperation arrangements should ideally be con- authority for credit reporting activities with more relative tained in a formal agreement to exchange supervisory concerns, importance. Priority assessment of activities uses a risk-based insights, and policy discussions. 
To increase the efficiency of approach, updated regularly and when necessary. cooperation, authorities can leverage regulatory roundtables, supervisory colleges, joint research initiatives, and mutual con- iv. Custom licensing that adopts a sequenced or phased sultations in addition to formal exchanges of information. approach. The custom licensing approach allows new CRSPs 26 • KEY PRINCIPLES FOR EFFECTIVE REGULATION AND SUPERVISION OF CREDIT REPORTING SERVICE PROVIDERS to begin operations in a testing environment, like innovation subjects should be able to access their data through user-friendly hubs, or a live setting with limited activities. Activity-based channels. The authority can establish rules that allow consumers and custom licensing regimes are particularly relevant for to request their credit reports at little or no cost. The authority alternative credit reporting service providers seeking to lever- should promote consumers’ financial literacy, enabling them to age innovative technologies or alternative data. benefit to the greatest extent from credit reporting systems. In line with the market entry requirements, the regulation should CRSPs should disclose information to the public on the scope of restrict use of “credit bureau” or similar names subject to licens- their credit reporting activities, governance policies, and codes ing frameworks. The authority should disclose the list of licensed of conduct. CRSPs should share financial statements, prepared or registered CRSPs to the public and monitor whether any other using internationally accepted standards, that fairly reflect their entities deal with permissible activities in the market. financial condition, along with a qualified independent external auditor’s opinion. 
The authority should closely monitor credit reporting activities with respect to the applicable permission requirements and The CRSPs should be subject to external audit annually and to should prevent regulatory arbitrage in the credit reporting mar- information security audit as deemed necessary by the authority. ket and ensure fair competition by enforcing permission rules for The annual external audit should cover assessing and assuring all players equitably. the accuracy and reliability of the financial statements following internationally accepted financial reporting standards. The exter- nal audit reports should include any identified weaknesses in the PRINCIPLE 6: Access and Transparency governance and control process of the CRSP and any discovered cases of noncompliance. The information security audit provides Credit reporting systems should allow fair and open access to a technical assessment to evaluate the adequacy of the CRSP’s their services, on the basis of reciprocity, by data providers, data information security framework, identify vulnerabilities, if any, users, data subjects, and other relevant stakeholders. Credit and provide recommendations on mitigation of risks. reporting systems should be subject to a clearly defined dis- closure framework to enable participants to have an accurate understanding of credit reporting activities. PRINCIPLE 7: Governance CRSPs should identify, assess, and manage all potential risks aris- Credit reporting systems should be administered using a sound ing from a new participant, whether a data provider or a data user, governance framework commensurate with the risks and the to the credit reporting system. Participation in the credit reporting scope of the activities. The framework should establish sound system should have a well-founded basis to ensure the informa- policies and procedures, a proper internal control environment, tion-sharing mechanism complies with relevant regulations. 
and an appropriate organizational structure with clearly defined duties and responsibilities to ensure system efficiency and effec- Participants in the credit reporting system should comply with tiveness in serving the markets. the established principles, such as reciprocity, rules, regulations, and codes of conduct, on an ongoing basis. The authority should CRSPs should establish sound governance policies, processes, monitor data providers’ and data users’ compliance, as well as and procedures to undertake safe and efficient activities and that of CRSPs, to the relevant rules. Appropriate enforcement manage the inherent and emerging risks of credit reporting. To tools should be applied to participants to ensure the safety and this end, the regulations can impose appropriate fit-and-proper integrity of the overall credit reporting system. requirements for the board of directors and senior management. Credit reporting systems should establish appropriate precau- In line with their fitness and probity criteria, regulatory authorities tions to ensure uninterrupted access by the participants. CRSPs should ensure that the shareholding and governance structures should set up necessary procedures for business continuity and of CRSPs minimizes potential for conflict of interest and anticom- operational resilience of their services to avoid disruptions. Such petitive behavior. procedures should determine critical business services, assess impact tolerances, and identify key processes for ensuring con- The board of directors should be appropriately qualified to exer- tinuous services in severe conditions. The authority should con- cise its duties of care and loyalty. The board should approve and sider the continuity of access to the credit information sharing oversee the CRSP’s business strategies; establish sound policies, mechanism in exceptional circumstances. 
procedures, and control environment; and create a corporate code of conduct that is communicated throughout the organi- Credit reporting systems should facilitate fair and unbiased access zation. Such policies should be reviewed on a regular basis to to credit reporting products on competitive terms. Individual data confirm they are still fit for purpose. CRSPs are encouraged to KEY PRINCIPLES FOR EFFECTIVE REGULATION AND SUPERVISION OF CREDIT REPORTING SERVICE PROVIDERS • 27 cooperate with each other to develop codes of conduct to estab- PRINCIPLE 5: Risk Management lish industry best practices, set operating standards, and promote the safety and efficiency of the overall credit reporting system. Credit reporting systems should be monitored within a compre- hensive risk management framework and sound risk manage- Senior management should have the necessary qualifications to ment culture to identify, assess, evaluate, manage, and mitigate fulfill their administrative duties and assess, control, manage, and all risks related to credit reporting activities on an ongoing basis. mitigate the risks related to credit reporting activities. Manage- ment should establish a proper organizational structure with ade- CRSPs should develop a risk management framework and estab- quate and qualified staff, implement sound business practices in lish it throughout the organization. The framework should take a line with established policies and procedures, maintain a control forward-looking approach, facilitating in-depth understanding of environment with appropriate segregation of duties, and ensure future risks and their potential impact on credit reporting activ- proper oversight of day-to-day activities. ities. The framework should be adequately documented, regu- larly reviewed, and appropriately adjusted to reflect changes in A robust internal control framework should be established within the business environment. 
Policies and procedures should be the organization for a sound operating environment covering consistent with risk management strategies and should cover all credit reporting activities. It should be reviewed on a regular clearly defined management responsibilities to monitor and con- basis to confirm it remains fit for purpose. The internal control trol risk. Management should ensure that a sound risk manage- framework should address, at a minimum, the following consid- ment culture is communicated throughout the organization. A erations: proper risk management function with the necessary resources, independence, and authority should be established to cover all i. Clear definitions of duties and responsibilities. material risks. This function is complemented by a sound internal ii. Delegation of authorities and segregation of duties through- control environment and an independent internal audit function. out the organization. CRSPs should have an adequate operational risk management iii. Decision-making processes and separation of critical func- framework commensurate with the scope of credit report- tions. ing activities. Operational risk management relates closely to iv. Access privileges and physical safeguarding ofassets. sound governance policies, processes and procedures, and the internal control environment throughout the organization. CRSPs should have an independent, permanent, and effective The framework should include effective disaster recovery and internal audit function responsible for assessing the effective- business continuity plans, including scenario analysis, to ensure ness, sufficiency, and compliance of policies, processes, and continuity of services under severe conditions that could disrupt internal controls within the organization. The internal audit func- credit reporting activities. 
tion should have sufficient powers, including a direct reporting line to the board, and adequate resources and staff with the nec- CRSPs should establish policies and processes to assess, man- essary qualifications and experience to understand and evaluate age, and monitor outsourced activities. Outsourcing arrange- the credit reporting activities. ments should cover conducting appropriate due diligence for selecting service providers, managing risks associated with the Credit reporting systems should efficiently and effectively meet outsourcing agreement, ensuring an effective control environ- the needs of their participants and the markets they serve. The ment, and maintaining viable contingency plans. authority should encourage CRSP to form industry associations that establish a collaborative environment for reviewing the effi- The authority should require CRSPs to establish a model gov- ciency and effectiveness of credit reporting activities. Industry ernance framework for credit scoring models to ensure that the associations can also develop and promote good practices for credit score is explainable, transparent, and fair. The model gov- the industry to ensure efficient and effective services. ernance framework should meet the following standards: i. The models use lawfully obtained, clear, understandable, and Competition is an effective tool to promote the efficiency of credit disclosable data. reporting systems. In coordination with the relevant authority, the authority should promote competitiveness in the credit reporting ii. The methods and techniques employed are independently industry. The authority should promote comprehensive informa- assessable and auditable. tion-sharing mechanisms and evaluate the roles of all CRSPs in iii. The score is free of any discriminatory practices. the market to determine whether unfair access privileges hamper competition. 
Also, CRSPs should avoid anticompetitive prac- CRSPs are responsible for ensuring these standards are devel- tices, such as price fixing, setting restrictive terms of use, and oped and used by third parties. unfair price differentiation. 28 • KEY PRINCIPLES FOR EFFECTIVE REGULATION AND SUPERVISION OF CREDIT REPORTING SERVICE PROVIDERS CRSPs should have an effective compliance function with an viii. Outsourcing policies for third-party providers that include adequate number of staff with the necessary qualifications and appropriate and proportionate information-security policy with experience managing the legal and compliance risks. The requirements, such as minimum cybersecurity standards, data compliance function should ensure ongoing compliance assess- retention periods, data encryption requirements, network ments in credit reporting activities. The function should be com- security processes, and cybercrime incident handling plans. plemented with a sound evaluation process for all new sources of data, products, activities, and data users to assess legal, compli- The authority should develop and enforce information-sharing ance, and other potential risks. mechanisms that facilitate cybersecurity-focused collaboration in the credit reporting industry. These mechanisms should promote sharing of timely, actionable, and relevant unclassified infor- PRINCIPLE 9: Data Security mation related to cyber threats, vulnerabilities, and emerging risks to collectively protect the integrity of the credit reporting An appropriate information security framework should govern systems. Information-sharing mechanisms can be encouraged credit reporting activities to protect the confidentiality, integrity, through industry associations. and availability of information and ensure business continuity and operational resilience. 
PRINCIPLE 10: Data Collection The authority should develop an appropriate information security framework with cybersecurity strategies for credit reporting sys- Data providers should provide relevant, accurate, timely, and tems covering all stakeholders such as data providers, data users, sufficient information on data subjects, including positive data, and third-party service providers. This framework can either be to CRSPs to enable a comprehensive credit information-shar- part of the national cyber strategy framework or the financial sec- ing mechanism. CRSPs can collect data from all legal, reliable, tor information security framework or be developed for the credit appropriate, and available sources and retain this information for reporting industry. The information security framework should a sufficient time for credit reporting. enable interagency cooperation for monitoring cybersecurity threats and vulnerabilities. The authority should encourage a comprehensive information- sharing system. Data providers should send CRSPs positive and The information security framework should include the following: negative information with the most depth and breadth possible, and as appropriate. To the extent possible, the information sub- i. A cyber governance framework with effective board oversight, mitted should be free of error, truthful, complete, and up to date. clearly defined and documented roles and responsibilities for information security functions, and allocation of adequate Data providers should include, at a minimum, banks and NBFIs staff with necessary qualifications and appropriate budgets to operating within the jurisdiction’s borders. To the extent possi- ensure the sound management of information security and ble, alternative lenders, if any, and nonfinancial creditors such cyber risks. as utilities, rental companies, phone companies, retailers, and e-commerce companies should be recognized as data providers. ii. 
Information security policies and procedures that identify, assess, monitor, and manage all risks related to the use of Data should be collected systematically by consistently applying information and communication technologies. appropriate rules and procedures for all data providers. Data iii. Information security strategies, as part of overall business should be collected at regular intervals and as frequently as pos- strategies, which are reviewed and updated as necessary. sible and appropriate. The frequency can be predefined or can depend on specific triggers like defaults, arrears, or fraud. Rules iv. Control and risk mitigation tools, such as minimum access, and procedures for data submission can be defined by a com- access recertification, user accountability, activity logs, or mon code of conduct developed by the relevant stakeholders authentication measures. and approved by the authority. v. Regular cyber audits to assess and assure, with a risk-based approach, the organization’s compliance with the information CRSPs are encouraged to collect nontraditional data from alter- security framework. native sources. To the extent possible, the authority should pro- mote access to alternative data. It is the responsibility of the vi. Cybercrime incident, disaster recovery, and business continu- CRSP to ensure that alternative data is lawfully shared, relevant, ity plans, to ensure continuity of services under severe condi- accurate, complete, and up to date. tions, such as cyberattacks. vii. Cyberattack simulations to assess the effectiveness of cyber The regulation should also enable CRSPs access to public incident response plans and update information security poli- records, to the extent possible, as appropriate and relevant for cies in line with simulation results. credit reporting. 
CRSPs should only retain data for a specific period sufficient for the purpose of credit reporting. If deemed appropriate, the regulations can determine different periods for negative and positive information. Data should be deleted or restricted for statistical or modeling purposes after the end of the retention periods as specified in the regulation.

PRINCIPLE 11: Personal Data

Personal data collection, processing, and distribution should be undertaken only for the purposes for which the data was collected, including creditworthiness assessment, credit risk analysis, indebtedness and repayment capacity, ID confirmation, fraud prevention, and prudential supervision.

Data collected and processed for credit reporting purposes can only be disclosed, sold, or distributed to data users for the same purposes, in the form of credit reports, scores, ID verification, fraud prevention, or similar products, by any means of communication.

CRSPs should ensure the following conditions regarding collecting, processing, and disclosing personal data of individual data subjects:

i. Types of personal data collected are relevant to credit reporting purposes and include only as much data as necessary for credit reporting purposes.
ii. As appropriate, individuals are informed of the processing of their personal data and the distribution of their credit reports to data users.
iii. Personal data is kept accurate and up to date and retained for only as long as necessary for the credit reporting purposes.
iv. Credit reports should not include any type of personal data irrelevant to credit reporting or any type of personal data or creditworthiness assessment that can lead to discrimination against the individual.
v. Data users cannot use the credit reports for any purpose other than the purpose specified for the distribution.

CRSPs should ensure that data users can promptly, without delay, access credit reports used to support their credit-granting decisions. Credit reports should cover all the negative and positive information, including relevant nontraditional information, as appropriate for the creditworthiness assessment. Data subjects should be able to access their data at CRSPs under conditions similar to those under which data users access the data.

PRINCIPLE 12: Consumer Rights

Consumers should have clear rights regarding the use of their personal data for credit reporting. These rights should include consent, dispute, notification, and access rights; the right to restrict data use; and the right to request transfer of data, as appropriate. Effective dispute resolution mechanisms should be established for handling consumer disputes related to credit reporting activities. Credit reporting products should be explainable, transparent, and fair.

Individual data subjects, as consumers, should have clear rights regarding the use of their personal data. Depending on the applicable data protection framework, these rights can include provisions on the following topics:

i. Dispute incomplete or inaccurate personal data and request correction within a reasonable time.
ii. Be informed about the purpose of processing and time of retention of personal data and the third parties with whom personal data is shared.
iii. Have access and receive a copy of personal data.
iv. Ask for a consumer credit score.
v. Request the erasure, as appropriate, of personal data.
vi. Request restrictions on the use of personal data.
vii. Request the move, copy, or transfer of personal data.
viii. Suspend access in case of ID theft or fraudulent activity.
ix. File for compensation for violation of rights.

If required by relevant laws and/or regulations, data providers should obtain consent for collecting, storing, and distributing the personal data of data subjects.

Effective dispute resolution mechanisms should include internal complaint handling functions at the CRSPs as well as other extrajudicial mechanisms. CRSPs should establish easily accessible in-house dispute resolution functions to address in a timely manner any disputes raised by data subjects. These functions, including the websites of CRSPs, should include communication of consumer rights in clear, plain language. The CRSP’s website should ideally have online tools to file disputes.

CRSPs should establish policies and procedures for the proper handling and resolution of data subjects’ complaints. These policies should have the following key considerations:

i. Establishing appropriate channels for submission of complaints.
ii. Convenient, affordable, and prompt resolution of disputes.
iii. Internal procedures covering the steps of the dispute resolution process, including specific communication channels with data providers.
iv. Adequate training and independence of the staff responsible for handling complaints.
v. Clear communication of the consumers’ rights, including the right to apply to the extrajudicial mechanism.
vi. Keeping appropriate dispute records to ensure accountability.

The extrajudicial mechanisms can include appeals to a credit ombudsman as established by the regulation or appeals to an alternative dispute resolution service provider offering tools such as arbitration, mediation, or online dispute resolution. An appropriate regulatory framework should support these mechanisms. This framework should cover the rights, responsibilities, and objectives of the mechanism and provide proper resources to fulfill these objectives. The authority should assess and ensure the effectiveness of the dispute resolution tools in terms of their convenience, diligence, and promptness.

CRSPs should ensure the fairness of the models, techniques, and technologies employed in developing products. In particular, credit reporting products should protect the fundamental rights of individuals and not entail any discriminatory biases. Credit reporting products, including credit scores, should be explainable, transparent, and fair, that is:

i. The types of data that provide the basis of the products are legitimate, clear, understandable, and disclosable to the data subjects.
ii. The methods and techniques employed and the scope of data used in the model are assessable and auditable by an independent third party.
iii. The model is inclusive in the sense that it is free of any discriminatory biases.

7 SUGGESTED APPROACH FOR REGULATORY AND SUPERVISORY AUTHORITIES

An effective regulatory framework for credit reporting systems is possible with a properly functioning supervisory framework. Holistic oversight of the functioning of the credit reporting system is vital to ensure that the players in credit reporting activities are able to manage the risks related to credit information sharing. While the primary focus of supervision has traditionally been on credit bureaus, the authority should now make other types of CRSPs, data providers, and data users part of the supervisory framework. Considering the differences in the nature of CRSP credit reporting activities and their varying risk implications for the credit reporting system, the supervisory framework should adopt a risk-based, proportionately applied approach for effective oversight.

Supervision of credit reporting activities should be undertaken with a risk-based approach to ensure that (i) supervisory resources are deployed effectively, and (ii) the most relevant risks and areas of concern in credit reporting activities are adequately identified and addressed. The risk-based approach enables the application of key principles on a proportionate basis. A proportionate approach is particularly important as (i) the scope of activities of CRSPs varies to a great extent, (ii) credit reporting systems are evolving, and (iii) innovations facilitate new business models. Therefore, attempting to apply a one-size-fits-all approach is not productive.

In many countries’ existing regulatory frameworks, central banks, or financial sector supervisors are responsible for supervising CRSPs. This, in practice, makes the authority’s approach to CRSP supervision similar to financial institution supervision. While the

i. The types and sources of collected data are permitted.
ii. The data are accurate, adequate, and to the extent possible, updated.
iii. The security of data is ensured by adequate technical, physical, and governance measures.
iv. The data are distributed to and used by data users for permissible purposes.
v. Consumer rights are protected, and consumer complaints are appropriately handled.
vi. Services are provided to data users on an ongoing basis using a sound risk management framework with disaster recovery and business continuity plans.

7.1 Risk-Based Supervision

The risk-based approach differs from compliance-based supervision, which conducts mainly backward-looking oversight of entities’ adherence to regulatory requirements. Risk-based supervision focuses on assessing the most significant risks for the entities and how effectively these risks are managed, allowing for better allocation of supervisory resources.

The key characteristics of risk-based supervision for authorities responsible for oversight of credit reporting systems can be summarized as follows:

i.
The supervisory focus is on the most important risks, that is, primary function of CRSPs is to support the creditworthiness those that have the potential to cause maximum damage for assessments of financial institutions, they are not financial enti- the CRSP, the credit reporting system, and the financial sys- ties that deal with lending activities and should not be treated as tem in general. In determining the importance of a risk, con- such. The core activity of a CRSP is to collect, store, process, pro- sideration is given to both impact (the extent of losses if the duce, distribute, and use data to support lenders’ credit-granting risk were to materialize) and likelihood (the possibility of the decisions. In essence, CRSPs deal with data management. There- risk to materialize). However, the overall risk depends on how fore, the objective of oversight with regard to the applicable reg- the identified risks are controlled and managed by the CRSP ulatory framework should be whether: (see Figure 1). 31 32 • KEY PRINCIPLES FOR EFFECTIVE REGULATION AND SUPERVISION OF CREDIT REPORTING SERVICE PROVIDERS FIGURE 1: Risk Assessment Risk Factor Governance Net Supervisory Impact × Likelihood and controls risk program ii. Risks can originate from a broad range of sources, which must be taken into consid- eration. Risks can be entity-specific, credit BOX 11 reporting industry-related, or arise from Supervisory Approach external factors on a broader, macroeco- NET RISK SUPERVISORY FOCUS SUPERVISORY ACTIONS nomic level. While CRSPs may not be able to control risks from external sources, the Low Normal oversight potential implications for such risks should Low to medium Normal oversight Address minor deficiencies be managed. Medium to high Increased oversight Address deficiencies iii. 
The risks of CRSPs are assessed and graded, Corrective action plans often using a risk matrix, to provide a struc- High Increased oversight Immediate corrective actions tured way of thinking about them and to Restrictive orders form a basis for comparing, evaluating, and Changes in management prioritizing the risk types and their effects on CRSPs and the credit reporting sector. iv. Risk assessment criteria and their evalua- tions are documented and updated as necessary. The assess- i. Loss or misuse of personal data, causing identity theft or ments can be entity-specific (focused on individual CRSPs) or financial loss. thematic (focused on activities, such as credit scores, or risk ii. Consumers excluded from credit products or borrowed inap- types, such as cybersecurity risk). Thematic assessment covers propriately based on poorly designed credit reporting prod- the selected theme in all credit reporting industry entities. ucts, ineffective product governance, and poor data quality. The risk-based approach is dynamic and forward-looking iii. Disruption in services, with creditors and consumers unable to (Toronto Center 2018). It aims to identify and address emerging access credit reporting services or credit data. areas of risk and to evaluate the effectiveness of the CRSPs’ risk iv. Inappropriate resolution of complaints, causing consumer management. Risk assessments are performed consistently to loss or distress. form a foundation for annual or biennial supervisory programs. Also, outcomes of previous supervisory actions are evaluated as part of the assessment. 7.2 Supervisory Program The risk-based approach facilitates, in most cases, allocating The authorities carry out their supervisory activities through scarce supervisory resources to the most effective areas by priori- annual or biennial supervisory programs, which mandate supervi- tizing entities, sectors, activities, or risk types. 
Supervisory actions sion of entities as part of the authority’s responsibility. In line with should focus on identified risks and proportionate in resource the key principles, credit reporting systems should also be part of allocation (see Box 11). supervisory programs. To develop and maintain effective communication with regulated Applying a risk-based approach, the authority assesses the entities, authorities can share their risk assessments with the potential impacts and probabilities for the key risks in CRSP CRSPs to express concerns and expectations and get feedback activities. Following the assessment of key risks, the adequacy on the assessments. For example, the Financial Conduct Author- and effectiveness of risk governance is evaluated to develop ity (FCA) shares with CRSPs (credit reference agencies) its view of an understanding of the net risks (see Figure 1). Outcomes of the key risks of harm, as summarized here (FCA 2020): risk assessments form the basis for developing the supervisory program. The supervisory program includes risk assessment, supervisory planning, off-site reviews, on-site supervision, and supervisory action components (see Figure 2). KEY PRINCIPLES FOR EFFECTIVE REGULATION AND SUPERVISION OF CREDIT REPORTING SERVICE PROVIDERS • 33 FIGURE 2: Supervisory Program The off-site review process covers (i) general compliance monitor- ing based on the regular reports, (ii) analysis of credit reporting Supervisory activities to identify potential risks, (iii) analysis of credit market actions trends, (iv) assessment of the scope and scale of consumer com- plaints, and (v) reviews focused on specific themes such as infor- mation security. Based on the findings from the off-site review, the team can identify particular areas of focus for on-site super- vision; prepare recommendations of policy actions for the CRSP, data providers, or users; or propose enforcement actions in cases Ongoing of noncompliance. 
supervision From the supervisory authority’s perspective, it is essential that the information sent by CRSPs is properly reviewed, assessed, and analyzed and any identified vulnerabilities or areas of concern Supervisory Risk or noncompliance are reported as appropriate. Off-site reviews planning assessment provide an effective tool for the authorities, especially to assess compliance. However, the effectiveness of such reviews depends on the adequacy of the reports’ analyses. Off-site reports provide The authority should assign a dedicated team or department with little value without adequate review by the authority. This is a clearly established roles and responsibilities for the oversight of particular concern for authorities in developing countries, which credit reporting activities. The team responsible for oversight of may have limited staff resources available to dedicate to off-site CRSPs should have the necessary knowledge and qualifications review of credit reporting systems. to analyze the nature and scope of credit reporting. An effec- tive oversight function consists of both off-site review and on-site Authorities with limited supervisory resources can leverage super- supervision. visory technology (SupTech) tools for off-site reviews. SupTechs use technology to facilitate and enhance authorities’ supervisory processes. SupTechs can help authorities process information 7.2.1 Off-Site Review quickly and in large quantities, automate and streamline pro- The main objective of the off-site review is to ensure that CRSPs cesses, identify trends, and analyze key risks for CRSPs (World and data providers operate in compliance with the relevant reg- Bank 2020d). Examples of SupTech tools for specific use cases ulations. Supervisors should establish an off-site reporting frame- include the following: work to fulfill this objective. This framework should be automated i. 
Automated reporting: Used with efficient staff allocation, auto- to the possible extent and should allow data extraction by super- mated reporting requires less manual work and more judg- visors from the CRSPs’ information systems and/or a regular ment-based analytical work. reporting mechanism prepared and sent by CRSPs. Supervisors can require CRSPs to submit various types of information, as ii. Early warning indicators: Indicators are useful for analyzing appropriate, such as: the trends of credit exposures, monitoring overindebtedness, and providing systemic oversight. i. Annual audited financial statements and external audit reports. iii. Validation: Validation ensures integrity and consistency of data through cross-checking algorithms. ii. Data quality statements, statistics on credit reports, data sub- jects, data inquiries, and consumer complaints. iv. Text-mining and natural language processing (NLP): NLP pro- ductively evaluates licensing applications and improves pro- iii. Credit market reports on credit growth, quality, borrower seg- cesses. mentation, and arrears. As part of the off-site review, the team responsible for the CRSP 7.2.2. On-Site Supervision should evaluate the adequacy, accuracy, consistency, and time- The main objective of on-site supervision is to complement off- liness of its reports to ensure the CSRP is complying with reg- site reviews, with a focus on high-risk areas identified during the ulations. Regular off-site reports can be supplemented by ad off-site review process. The team responsible for on-site super- hoc requests for information from the CRSP and other available vision should understand CRSP operations fully and be able sources of information. Statistical data from CRSPs can also be to identify governance, risk management, and internal control compared to data regularly submitted by regulated financial weaknesses during the on-site supervision process. To this end, institutions to confirm compliance. 
the team should receive the necessary training before being 34 • KEY PRINCIPLES FOR EFFECTIVE REGULATION AND SUPERVISION OF CREDIT REPORTING SERVICE PROVIDERS assigned to a CRSP and should possess the essential background 7.3.1 Scope in information technology, credit information and reporting, Traditionally, credit bureaus are the most regulated and super- consumer protection, and risk management. The team should vised entities among the different types of CRSP. This is because include, where necessary, specialist IT supervisors to perform IT (i) the types of data collected by credit bureaus are treated as consistency checks focused on fraud prevention and maintaining confidential under banking laws or personal data protection laws; data integrity. (ii) CSRPs often operate under a licensing regime to provide, or sometimes force, structured data flows from banks, as historical The on-site supervision task focuses on areas of concern identi- experience shows voluntary data collection is ineffective; and (iii) fied in the off-site review process: business strategy, compliance credit scores provided by credit bureaus are a key tool for pro- checks, data accuracy and security, cyber resilience, resolution of moting access to finance. IFIs and national authorities therefore consumer complaints, governance policies and procedures, inter- promote the incorporation of credit bureaus and regulate and nal controls and risk management, and financial performance. The oversee the safety and efficiency of their operations. team should have the legal rights and the means to request and access any information from the CRSP, including trade secrets, as On the other hand, the key principles suggest different types of long as the information is relevant to the scope of the supervi- CRSPs should be covered by a regulatory and supervisory frame- sion. The findings of the on-site supervisory team and any areas of work. 
In essence, the key principles provide a framework for concern should be drafted in a report and discussed in a meeting credit reporting activities rather than pinpointing specific CRSPs with the senior management and the CRSP board. in most cases. This is particularly important as the definitions of different types of CRSPs are not as clear as they were in the past. The root causes of issues revealed during the on-site supervision The competitive environment in the credit reporting system is should be identified, as they may indicate potential problems evolving, making the following considerations important for eval- with the data providers or users. Examples include inaccurate uating the status of different types of CRSP against the principles. data submission by providers, improper access or use of the data by users, and handling of consumer disputes or a dispro- portionate number of disputes. These issues can also indicate 7.3.2 Credit Registries increased credit risk to the financial institutions or potential Where public credit registries are known to support prudential areas of noncompliance. If the findings concern regulated finan- supervision as a primary objective, many credit registries collect cial institutions or other regulated data providers, the authority and process personal data and, in some cases, operate as compet- should bring the findings to the attention of the bank supervision itors to the private credit bureaus. Therefore, as the key principles department or other relevant authority. suggest, credit registries should be subject to the same rules to the extent that their credit reporting activities involve serving the The off-site review and on-site supervision can result in enforce- market. A key challenge in applying the key principles to a credit ment actions, penalties, or fines as defined by the regulation. 
registry is that the supervisory authority is also the credit registry Such actions include, but are not limited to, (i) official letters to the operator. In this case, the functions of supervising the CRSPs and CRSP regarding identified areas of concern requiring improve- operating the registry should be clearly separated under different ment, (ii) noncompliance cases that demand corrective actions, departments, or, ideally, under different directorships. and (iii) administrative penalties and financial fines as defined in the regulation. For cases that necessitate extended action plans, The authority should ensure that the credit registry and other CRSPs should be required submit board- or senior-manage- CRSPs operate on a level playing field while they are serving the ment-approved plans with specific actions required to be com- market. For example, credit registries can have access to public pleted within a defined timeline. records databases that other CRSPs cannot. It is also not uncom- mon for credit registries to collect data directly from credit bureaus. This is expected, considering the systemic oversight role of credit 7.3 Considerations in Adopting the Principles registries. In this case, the authority should fulfill the objective of promoting comprehensive information-sharing mechanisms but The key principles provide regulatory and supervisory guidance also evaluate the roles of all CRSPs in the market to determine to ensure the effective functioning of credit reporting systems. In whether unfair access privileges hamper competition. essence, these principles build on existing guidance such as the GPCR, guidance documents of the ICCR and IFIs, common reg- Credit registries play an essential role in supporting the pruden- ulatory rules in jurisdictions, and industry best practices. The key tial supervision of the financial system and provide a key tool for principles also provide a risk-based approach to the authority for systemic oversight. 
Credit registries play a growing role for policy proportionate application. In applying the principles to address makers overseeing financial stability. To this end, applying the the evolving risks of credit reporting systems, the authority can key principles to the credit registries, as appropriate, can provide benefit from the following considerations. certain benefits such as: KEY PRINCIPLES FOR EFFECTIVE REGULATION AND SUPERVISION OF CREDIT REPORTING SERVICE PROVIDERS • 35 i. Improved comprehensiveness of data sources enables the 7.3.4 Alternative Credit Reporting Service Providers credit registry to provide an accurate overview of credit expo- The key principles also set forth the regulatory oversight of alter- sures, emerging risks of overindebtedness, and early warning native credit reporting service providers as a type of CRSP. As an indicators on credit concentrations. emerging type, correctly identifying these entities is important, ii. Enhanced governance, control, and risk management policies as no widely accepted definition for alternative credit reporting ensure the safety of operations. service providers exists. Broadly speaking, two types of innova- tive entities are involved with credit reporting activities. The first iii. Oversight of activities provides a line of defense against the group focuses on developing innovative solutions by leverag- risks inherent in credit registry activities. ing scores from credit bureaus. The second group focuses on developing credit scores by leveraging alternative data sources, 7.3.3 Business Information Providers innovative technologies, or both. While the difference between the two groups may not be clear, alternative credit reporting ser- Business information providers play an essential role in extend- vice providers fall into the second category. 
From an authority’s ing trade credit by producing business intelligence for credit risk perspective, the key consideration is to identify the nature of the assessment. The business credit reports produced by these enti- entity’s activities and decide whether it is a CRSP. ties are generally based on public databases or retrieved directly from businesses (for example, trade receivables information). His- The authority should determine whether the innovative entity, torically, activities of business information providers often did not or fintech, is an alternative credit reporting service provider. This fall under the scope of credit reporting regulations. In general, decision requires evaluating whether its business model actually they did not collect personal data, and they were not granted falls under the definition of credit reporting. Credit reporting access privileges by a credit information-sharing mechanism. involves a credit information sharing mechanism that covers col- However, this may not be the case today for a few reasons. lecting and compiling information on individuals or businesses, processing this information to produce structured data, and dis- First, business information providers must collect personal data, closing or selling this data or creating value-added products on mainly the personal data of business owners, shareholders, or this data to third-party users to assess creditworthiness and man- sole entrepreneurs. This is primarily because regulations such as age credit risk. The decision process for evaluating the status of GDPR do not differentiate between the personal data of an indi- an innovative entity can require the following steps for proper vidual and a sole entrepreneur or between private personal data consideration: and the publicly available personal data found in public business registers. Second, business information providers can collect per- i. 
Assessing the entity by its business model and/or its innova- sonal data because they provide a range of value-added prod- tion by focusing on the function rather than the entity itself. ucts that deal with personal information and so can compete ii. Applying relevant regulatory frameworks to the function and with credit bureaus for credit reporting services in some markets, determining whether this function falls under the scope of and vice versa. Therefore, as the key principles suggest, business credit reporting regulation and/or other applicable regula- information providers should follow the same rules to the extent tions such as alternative lenders, AISPs, or similar entities. that they are involved in credit reporting activities and collect and process personal data. iii. Consulting and collaborating with other relevant authorities, especially if the oversight of fintechs falls under the responsi- Business information providers have an important role to play in bility of another authority. managing the risks of trade credit. To this end, applying the key iv. Deciding whether the entity is an alternative credit reporting principles to business information providers, as appropriate, can service provider. provide benefits such as: v. Applying the relevant regulatory framework, including custom i. Improved mechanisms for comprehensive information shar- licensing rules if appropriate. ing to facilitate services and products. ii. Enhanced governance, control, and risk management policies 7.3.5 Oversight of Credit Scoring Models to ensure the safety of operations. The authority should oversee the credit scoring models of CRSPs iii. A clearly defined and consistently applied set of regulatory to ensure that the credit scores are explainable, transparent, and rules to improve the competitive environment. fair. This is particularly relevant when using AI models, which usu- iv. 
Oversight of activities to support and improve the efficiency ally involve complex algorithms. Notwithstanding the technical of the overall credit reporting sector. complexity of these models, the authority must take ethical con- siderations into account. The mitigation of bias risk in algorithmic models is not only a technical problem: it requires policy con- 36 • KEY PRINCIPLES FOR EFFECTIVE REGULATION AND SUPERVISION OF CREDIT REPORTING SERVICE PROVIDERS siderations at a broad level to define and promote ethical and 7.3.6 Promoting Comprehensive Information Sharing responsible innovation (CDEI 2020). The authority should promote the use of alternative data sources to support comprehensive information-sharing mechanisms and The authority should ensure that CRSPs establish and document advocate for the inclusion of individuals and MSMEs into the an appropriate governance and accountability framework to credit markets. Despite its potential benefits, the use of alterna- assure the reliability, fairness, accuracy, auditability, and rele- tive data sources has inherent risks and challenges. The authority vance of the AI models, the data used, and the outputs. To guide can use a range of policy tools to mitigate these risks while pro- the CRSPs in establishing effective model governance frame- moting alternative data and ensuring the accuracy, quality, and works, the authority should consider the following (ICCR 2019a): completeness of credit reports. i. Governance policies to assess unintended consequences, disregard protected types of data, perform regular reviews, The authority can introduce regulations, circulars, or guidelines and back-test and validate model performance. for collecting and processing alternative data while ensuring its lawful collection. Often separate regulators of alternative data, ii. 
A rights-based ethical policy framework that upholds funda- such as telecommunications or insurance regulators, must be mental human rights and ethical principles as part of model consulted to facilitate sharing their data with CRSPs. In this sense, governance. This ethical framework can be established with the authority can prioritize regulating and enforcing the collec- the active involvement of industry associations and CRSPs to tion of data from sources that provide the most benefit. Sources support the responsible use of AI. of alternative data with the most potential benefits include finan- iii. A data accountability framework that covers policies to ensure cial data that is widely used, structured, accurate, and up to date, data security, privacy of personal data, accuracy of data, and such as digital loans, utility payments, rental payments, tax pay- legitimacy of data sources. ments, P2P transactions, e-commerce transactions, mobile trans- actions, and registries of assets. These sources can vary at the iv. Collaborative initiatives with stakeholders to exchange knowl- jurisdictional level. edge, support financial literacy, and foster innovative models while mitigating risks. Alternative lenders play a growing role in the financial inclusion v. Building capacity and/or engaging with independent quali- of unserved or underserved consumers. Activities of alterna- fied experts to develop skills at the authority to understand tive lenders do not usually fall within the scope of regulations. and oversee innovations in the credit scoring models. In addition to potential benefits in building an inclusive credit system, alternative data is important to avoid the risk of con- In particular, CRSPs should include the following practices to sumer overindebtedness, a significant bottleneck to financial establish sound model governance frameworks (World Bank inclusion (AFI 2016). To support a comprehensive informa- 2021). 
tion-sharing mechanism, the authority should emphasize that alternative lenders’ credit information be included in the credit i. Assess potential limitations of the composition of the training reporting system. data. ii. Review the representativeness and reliability of the training The authority should consider introducing regulations aimed at data. improving the availability, quality, and accuracy of alternative data. Depending on the varying needs of jurisdictions, these reg- iii. Identify groups of most concern for data errors and unequal ulations can include tools such as (ICCR 2018): treatment to test for potential biased use. i. Standard IDs for individuals and businesses. iv. Ensure that an appropriate definition of fairness is applied when designing AI systems and that the applied definition of ii. Access to public databases for ID validation purposes. fairness is measured and tested. iii. Digitized government services and an open data approach v. Identify thresholds for detecting, measuring, and correcting facilitating for CRSP access. for potentially biased outputs. iv. Digital footprints, such as incentivizing the use of digital pay- ments. The authority can require regular external audits of AI models as appropriate. Audits should assess input data, training data, v. An expanded list of data providers in the credit reporting sys- design and testing processes, decision factors, and outputs for tem to cover the most creditors possible. potential negative impacts. Assessments can involve testing AI vi. Lowered or, if possible, eliminated minimum thresholds for models using hypothetical scenarios to identify potential nega- data collection. tive impacts and recommend appropriate risk mitigation mea- sures. 
While the authority can introduce regulations to promote collection of alternative data, often technical impediments arise associated with collecting data from new sources. As such, the authority can benefit from collaborating with industry associations and relevant agencies to develop and introduce these regulations. The risks, challenges, costs, and potential benefits of leveraging new data sources should be discussed with the credit reporting industry to develop policies that will benefit stakeholders to the greatest possible extent.

7.3.7 Collaboration with Industry Associations

The credit reporting industry has a long history of self-regulation in many ways. Considering the technical details and associated risks of dealing with massive numbers of individuals, businesses, data, and intelligence, many jurisdictions introduced general legislation for credit reporting systems, while CRSPs developed their own codes of conduct.6 In this sense, self-regulatory mechanisms developed in credit reporting industry associations in many jurisdictions. Industry associations exist throughout the world at both the national and the regional levels.7 Considering the highly technical nature of credit reporting activities, the authority can benefit from collaborations with industry associations, which can develop guidelines, under the oversight of the authority, on the following topics:
i. Standards for harmonizing data attributes and improving the depth and breadth of data shared by data providers (for example, Consumer Data Industry Association developed the Metro2 system for data providers).
ii. A code of business ethics covering areas of concern, such as the use of AI-based scoring models.8
iii. Principles of responsible innovation to guide handling of potential risks, like predatory lending.
iv. Cyber threat information-sharing mechanisms to protect the overall credit reporting system against cyber risks.
v. Financial literacy programs to increase consumer awareness on topics like data privacy and credit scores.

Codes of conduct have multiple potential benefits for the credit reporting industry. For example, they can promote greater industry transparency, enhance stakeholder or investor confidence, ensure compliance with regulations to minimize breaches, establish quality control and minimum service levels, and help create cost-effective complaint handling mechanisms (ACCC 2011).

6. In jurisdictions such as the Pacific Islands, voluntary codes of conduct, in lieu of formal regulations, have been used to govern behavior.
7. ICCR has industry associations among its members. They include ACCIS, the Association of Credit Information Sharing Africa (ACISA), Asociación Latinoamericana de Crédito (ALACRED), US Consumer Data Industry Association (CDIA), Federation of Business Information Service Europe (FEBIS), and Business Information Industry Association (BIIA).
8. For a broad overview of the existing ethics guidelines on AI, see Hagendorff (2020). A guidance document on responsible use of technology in credit reporting is also forthcoming from the ICCR.

8 ASSESSMENT METHODOLOGY

The key principles outlined in this report are intended to help countries assess the quality of their CRSP regulatory and supervisory frameworks and to provide guidance for identifying areas for improvement. An assessment of a country’s current regulatory and supervisory framework against the principles should identify weaknesses in the existing framework and assist government authorities and supervisors to develop a reform agenda. A country’s regulatory and supervisory authorities bear primary responsibility for conducting reviews against the key principles.

This section provides a methodology for assessing the regulatory and supervisory frameworks at the national level.9 The assessment methodology is primarily intended for IFIs, but it is also helpful for national authorities and other internal and external assessors. A complete and accurate assessment requires the cooperation of the relevant regulatory and supervisory authorities. Assessors should have the necessary access to all public information and all relevant parties for their study. Also, relevant nonpublic information, such as internal policies and procedures, supervisory manuals, and statistical data, should be disclosed for the purposes of conducting the assessment. Nonpublic information provided to the assessors should be treated confidentially and not disclosed to or shared with third parties.

ers in the credit reporting system, including regulators, CRSPs, data providers, data users, and bodies representing consumers.

The team of assessors should have the necessary set of skills, relevant experience, and strong ethics to ensure a quality assessment. The set of skills includes the expertise to evaluate regulatory and supervisory frameworks, knowledge of the policy issues regarding regulations and oversight, thorough understanding of the credit reporting activities, and knowledge of CRSP products and the underlying technologies.

8.1 Assessment Framework

Assessment of the observance of the key principles and recommendations for improving regulation and supervision should be done at the country or jurisdictional level. Although some principles can require that assessors review regulators or CRSPs at the individual level, conclusions and, if any, ratings to reflect the degree of observance should be drawn at the country level. The scope of the assessment should be clearly determined and agreed with the relevant regulatory and supervisory authorities and communicated in advance to the relevant stakeholders. As
If assessors can- part of their conclusions, assessors are also expected to provide not access key information or staff, or other challenges impair the insights on ways to improve the framework. assessment’s quality, the report should reflect that. Assessors should gather the facts necessary to develop conclu- The relevant regulatory and supervisory framework of a country, sions on each of the key principles. The existing situation should as documented in the applicable laws, regulations, and circulars, be analyzed on the basis of the principles and key considerations forms the basis of the assessment. In some cases, the actual appli- associated with them, as provided in Section 7. Assessors can cation of the framework can differ from that called for in the formal use the following questions to gain general understanding of the framework, so assessors should observe the actual interpretation framework during the assessment: of the framework in practice. This in-practice assessment requires i. Which laws and regulations apply to the country’s credit formal meetings and/or other communication with the stakehold- reporting activities? This can include credit reporting laws, 9. This section follows the methodology for assessment of the GPCR as outlined in ICCR (2013). 38 KEY PRINCIPLES FOR EFFECTIVE REGULATION AND SUPERVISION OF CREDIT REPORTING SERVICE PROVIDERS • 39 data protection laws, consumer protection laws, commercial For each of the principles, assessors should summarize the coun- laws, banking laws, cybersecurity regulations, or any other rel- try’s current framework and practices. For any areas of concern, evant legislative framework. assessors should describe the issue, the underlying reasons for it, and its potential implications for the regulatory and supervisory ii. What are the national regulatory and supervisory authorities framework and the credit reporting system as a whole. 
In describ- responsible for overseeing the observance of the applicable ing these concerns, assessors should review the materiality and laws and regulations? The credit reporting activities can be relative importance of the concern and how it interrelates with subject to the oversight by more than one authority. the other principles. Recommendations should build on the facts iii. Which types of CRSPs operate in the country, and to what as described regarding the concern and be accompanied by one extent are they covered within the applicable laws and regula- or more potential solutions to guide the responsible authorities. tions? All types of entities that deal with credit reporting activ- ities in the country should be identified, which may include Assessors can use ratings as part of their conclusions on the unregulated data providers. observance of the key principles. Country ratings support a bet- ter understanding of the assessment result and promote consis- iv. What is the authorities’ approach to observing the key princi- tent assessments over time. It should be noted, however, that ples? Do the relevant authorities conduct self-assessments of ratings are not country rankings of regulatory and supervisory their observance of the country’s regulatory and supervisory frameworks. Table1 presents a rating system based on the rating framework against the key principles? scale used in assessments by the Financial Sector Assessment v. Have the relevant authorities developed a roadmap for Program (FSAP) of the IMF and the World Bank. The rating is built strengthening the regulatory and supervisory framework in on the assessment’s conclusions and reflects assessors’ judg- response to the results of any self-assessment? Authorities ment regarding the materiality and importance of the associated can identify areas of reform and establish ongoing projects to areas of concerns and the potential risk implications. To guide improve observance of the framework. 
the authorities in establishing timeframes for action, assessors should establish priorities based on the level of materiality of any vi. Does any other evidence support the assessment of the areas of concern. If observance of a particular principle could not observance of the key principles? Stakeholders such as be assessed adequately, the assessors should explain and docu- CRSP associations can conduct their own assessment studies ment those instances. regarding the framework. TABLE 1: Assessment Rating System RATING DESCRIPTION Observed The principle is observed. Identified gaps, if any, are not areas of concern and could be considered in the normal course of business. Broadly Observed There are one or more areas of concern that the authority is encouraged to address within a defined timeline. Such areas require attention, but that is not critical for the whole credit reporting system. Partly Observed There are one or more areas of concern that require the attention of the authorities and should be addressed in a timely manner. Not Observed The principle is not observed. There are one or more critical areas of concern that require the immediate attention of the authorities and are addressed accordingly. Not Applicable The principle is not applicable due to the particular legal, structural, or institutional characteristics of the country’s credit reporting system. APPENDIX GENERAL PRINCIPLES ON CREDIT REPORTING The General Principles are aimed at meeting the following public Roles of Key Players policy objectives for credit reporting systems: Credit reporting ROLE A: Data providers should report accurate, timely and com- systems should effectively support the sound and fair extension plete data to credit reporting service providers on an equitable of credit in an economy as the foundation for robust and compet- basis. itive credit markets. 
To this end, credit reporting systems should ROLE B: Other data sources, in particular public records agencies, be safe and efficient and fully supportive of data subject and con- sumer rights. should facilitate access to their databases to credit reporting ser- vice providers. Data ROLE C: Credit reporting service providers should ensure that GENERAL PRINCIPLE 1: Credit reporting systems should have rel- data processing is secure and should provide high quality and evant, accurate, timely, and sufficient data, including positive efficient services. All users having either a lending function or a data, collected on a systematic basis from all reliable, appropri- supervisory role should be able to access these services under ate, and available sources and should retain this information for a equitable conditions. sufficient amount of time. ROLE D: Users should make proper use of the information avail- Data Processing: Security and Efficiency able from credit reporting service providers. GENERAL PRINCIPLE 2: Credit reporting systems should have rig- ROLE E: Data subjects should provide truthful and accurate infor- orous standards of security and reliability and should be efficient. mation to data providers and other data sources. Governance and Risk Management ROLE F: Authorities should promote a credit reporting system that GENERAL PRINCIPLE 3: The governance arrangements of credit is efficient and effective in satisfying the needs of the various par- reporting service providers and data providers should ensure ticipants and supportive of data subject/consumer rights and of accountability, transparency, and effectiveness in managing the the development of a fair and competitive credit market. risks associated with the business and provide users with fair access to the information. 
Recommendations for Effective Oversight Legal and Regulatory Environment RECOMMENDATION A: Credit reporting systems should be sub- GENERAL PRINCIPLE 4: The overall legal and regulatory framework ject to appropriate and effective regulation and oversight by a for credit reporting should be clear, predictable, nondiscrimina- central bank, a financial supervisor, or other relevant authorities. tory, proportionate, and supportive of data subject and con- It is important that one or more authorities exercise the function sumer rights. The legal and regulatory framework should include as primary overseer. effective judicial or extrajudicial dispute resolution mechanisms. RECOMMENDATION B: Central banks, financial supervisors, and Cross-Border Data Flows other relevant authorities should have the powers and resources GENERAL PRINCIPLE 5: Cross-border credit data transfers should needed to carry out effectively their responsibilities in regulating be facilitated, where appropriate, provided adequate require- and overseeing credit reporting systems. ments are in place. 40 KEY PRINCIPLES FOR EFFECTIVE REGULATION AND SUPERVISION OF CREDIT REPORTING SERVICE PROVIDERS • 41 RECOMMENDATION C: Central banks, financial supervisors, and RECOMMENDATION E: Central banks, financial supervisors, and other relevant authorities should clearly define and disclose their other relevant authorities, both domestic and international, regulatory and oversight objectives, roles, and major regulations should cooperate with each other, as appropriate, to promote and policies with respect to credit reporting systems. the safety and efficiency of credit reporting systems. RECOMMENDATION D: Central banks, financial supervisors, and other relevant authorities should adopt, where relevant, the Gen- eral Principles for credit reporting systems and related roles and apply them consistently. 
GLOSSARY

TERM | DEFINITION | SOURCE
Code of conduct | A self-regulatory framework for credit reporting service providers that governs their relationship to data providers, users, borrowers, other bureaus, and the supervisory authority. | World Bank (2018a)
Consumer | See data subject. |
Consumer consent | A data subject’s freely informed and specific agreement, written or verbal, to the collection, processing, and disclosure of personal data. | World Bank (2011)
Credit bureau | Model of credit information exchange with the primary objective of improving the quality and availability of data for creditors to make better-informed decisions. | World Bank (2011)
Credit registry | Model of credit information exchange whose main objectives are to assist prudential supervision and enable data access to regulated financial institutions to improve the quality of their credit portfolios. | World Bank (2011)
Credit risk | The risk that a counterparty will not settle the full value of an obligation – neither when it becomes due, nor at any time thereafter. | ECB (2022)
Credit score | Form of statistical analysis that provides an estimate of the probability that a loan applicant, existing borrower, or counterparty will default or become delinquent. | ICCR (2019a)
Creditworthiness | The ability of a borrower to repay current and prospective financial obligations in a timely manner. It is used as an assessment of a borrower’s past credit behavior to assist a potential lender to decide whether to extend new credit. | World Bank (2011)
Data provider | Creditors and other entities that proactively and in a structured fashion supply information to the credit reporting service providers. | World Bank (2011)
Data subject | An individual or a business whose data could be collected, processed, and disclosed to third parties in a credit reporting system. | World Bank (2011)
Data user | An individual or business that requests credit reports, files, or other related services from credit reporting service providers, typically under predefined conditions and rules. | World Bank (2011)
Default | Failure to complete a payment obligation under a credit or loan agreement. | World Bank (2011)
Negative information | Statements about defaults or arrears and bankruptcies. It may also include statements about lawsuits, liens, and judgments obtained from courts or other official sources. | World Bank (2011)
Personal data | Information relating to an identified or identifiable natural person (“data subject”). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an ID number or one or more factors specific to the person’s physical, physiological, mental, economic, cultural, or social identity. | ICCR (2021)
Positive information | Information that covers facts of contractually compliant behavior. It includes detailed statements about outstanding credit, amount of loans, repayment patterns, assets, and liabilities, as well as guarantees and/or collateral. | World Bank (2011)
Structured data | Any data that reside in a fixed field within a record or file. Typically, the data reside in the form of relational databases and spreadsheets. The formal structure allows one to easily enter, store, query, and analyze the data. | ICCR (2019b)
Unstructured data | Data that do not have a predefined data model or are not organized in a predefined manner. They exist typically in the form of text files, images, social media data, and sensor data. | ICCR (2019b)

BIBLIOGRAPHY

ACCC (Australian Competition & Consumer Commission). 2011. “Guidelines for Developing Effective Voluntary Industry Codes of Conduct.” https://www.accc.gov.au/system/files/Guidelines%20for%20developing%20effective%20voluntary%20industry%20codes%20of%20conduct.pdf.

ACCIS. 2020. “ACCIS Membership Survey 2020.” https://accis.eu/facts-and-figures/.

AFI (Alliance for Financial Inclusion). 2016. “The Policy Framework on Responsible Digital Credit.” https://www.afi-global.org/sites/default/files/publications/2020-04/EN_Policy_Framework_for_Responsible_Digital_Credit.pdf.

Barci, G., G. Andreeva, and S. Bouyon. 2019. “Data Sharing in Credit Markets: Does Comprehensiveness Matter?” European Credit Research Institute Research Report No. 23. http://www.ecri.eu/sites/default/files/accis_ecri-ceps-ue_data_sharing_in_credit_markets-web_0.pdf.

BCBS (Basel Committee for Banking Supervision). 2005. “Compliance and the Compliance Function in Banks.” Bank for International Settlements, Basel. https://www.bis.org/publ/bcbs113.pdf.

BCBS (Basel Committee for Banking Supervision). 2011. “Principles for the Sound Management of Operational Risk.” Bank for International Settlements, Basel. https://www.bis.org/publ/bcbs195.pdf.

BCBS (Basel Committee for Banking Supervision). 2012. “Core Principles for Effective Banking Supervision.” Bank for International Settlements, Basel. https://www.bis.org/publ/bcbs230.htm.

BCBS (Basel Committee for Banking Supervision). 2019. “Supervisory Review Process: Risk Management.” Bank for International Settlements, Basel. https://www.bis.org/basel_framework/chapter/SRP/30.htm.

Berg, T., V. Burg, A. Gombović, and M. Puri. 2019. “On the Rise of FinTechs — Credit Scoring Using Digital Footprints.” Michael J. Brennan Irish Finance Working Paper Series Research Paper No.18-12. http://dx.doi.org/10.2139/ssrn.3163781.

BIS (Bank for International Settlements). 2012. “Principles for Financial Market Infrastructures.” Bank for International Settlements, Basel. https://www.bis.org/cpmi/publ/d101a.pdf.

CDEI (Centre for Data Ethics and Innovation). 2020. “Review into Bias in Algorithmic Decision-making.” Centre for Data Ethics and Innovation, London. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/957259/Review_into_bias_in_algorithmic_decision-making.pdf.

Consumer Financial Protection Bureau (CFPB). 2020a. “Supervision and Examination Manual.” https://files.consumerfinance.gov/f/documents/cfpb_supervision-and-examination-manual.pdf.

Consumer Financial Protection Bureau (CFPB). 2020b. “Supervisory Highlights on Consumer Reporting.” https://www.consumerfinance.gov/compliance/supervisory-highlights/.

Credit Information Sharing Association of Kenya (CIS). 2021. “Code of Conduct for Third-Party Credit Information Providers.” https://ciskenya.co.ke/wp-content/files/2021/05/Code-of-Conduct-2021-Final-as-Approved.pdf.

Creditinfo. 2020. “Global Lending Industry Trends.” Creditinfo, Reykjavík. https://creditinfo.com/wp-content/uploads/2017/08/creditinfo_trends_2020.pdf.

DPC (Data Protection Commission of Ireland). 2021. “Inquiry to the Irish Credit Bureau.” Data Protection Commission of Ireland, Dublin. https://www.dataprotection.ie/sites/default/files/uploads/2021-05/Summary%20of%20Decision%20Irish%20Credit%20Bureau.pdf.

EBA (European Banking Authority). 2019. “EBA Guidelines on ICT and Security Risk Management.” European Banking Authority, Paris. https://www.eba.europa.eu/sites/default/documents/files/document_library/Publications/Guidelines/2020/GLs%20on%20ICT%20and%20security%20risk%20management/872936/Final%20draft%20Guidelines%20on%20ICT%20and%20security%20risk%20management.pdf.

EBA (European Banking Authority). 2020. “EBA Report on Big Data and Advanced Analytics.” European Banking Authority, Paris. https://www.eba.europa.eu/sites/default/documents/files/document_library/Final%20Report%20on%20Big%20Data%20and%20Advanced%20Analytics.pdf.

ECB (European Central Bank). 2018. Anacredit. European Central Bank, Frankfurt Am Main. https://www.ecb.europa.eu/stats/money_credit_banking/anacredit/html/index.en.html.

ECB (European Central Bank). 2022. Glossary. European Central Bank, Frankfurt Am Main. https://www.ecb.europa.eu/services/glossary/html/glossc.en.html.

Equifax. 2021. “Equifax Data Breach Settlement.” Equifax, Atlanta. https://www.equifaxbreachsettlement.com/. Last accessed June 24, 2021.

European Union (EU). 2016. “General Data Protection Regulation.” European Union, Brussels. https://gdpr-info.eu/.

European Union (EU). 2021. “Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonized Rules on Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts.” European Union, Brussels. https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1623335154975&uri=CELEX%3A52021PC0206.

Experian South Africa Data Incident. 2021. Experian, Dublin. https://www.experian.co.za/fraudulent-data-incident. Last accessed June 24, 2021.

FCA (Financial Conduct Authority). 2020. “Credit Reference Agencies Portfolio Letter.” Financial Conduct Authority, London. https://www.fca.org.uk/publication/correspondence/cra-cisp-portfolio-letter.pdf.

Federal Deposit Insurance Corporation (FDIC). 2017. “Supervisory Guidance on Model Risk Management.” Federal Deposit Insurance Corporation, Washington, DC. https://www.fdic.gov/news/financial-institution-letters/2017/fil17022a.pdf.

Federal Trade Commission (FTC). 2021. “Five Percent of Consumers Had Errors on Their Credit Reports That Could Result in Less Favorable Terms for Loans.” Federal Trade Commission, Washington, DC. https://www.ftc.gov/news-events/press-releases/2013/02/ftc-study-five-percent-consumers-had-errors-their-credit-reports.

Financial Conduct Authority (FCA). 2021. “Building Operational Resilience.” https://www.fca.org.uk/publications/policy-statements/ps21-3-building-operational-resilience.

Financial Stability Board (FSB). 2021. “The Compendium of Key Standards.” Financial Conduct Authority, Basel. https://www.fsb.org/work-of-the-fsb/about-the-compendium-of-standards/wssb/.

Frost, J., L. Gambacorta, Y. Huang, H. S. Shin, P. Zbinden. 2019. “BigTech and the Changing Structure of Financial Intermediation.” BIS Working Papers No. 779. Bank for International Settlements, Basel. https://www.bis.org/publ/work779.pdf.

Gambacorta, L., Y. Huang, and J. Wang. 2019. “How Do ML and Non-Traditional Data Affect Credit Scoring? New Evidence from a Chinese Fintech Firm.” BIS Working Papers No: 834. Bank for International Settlements, Basel. https://www.bis.org/publ/work834.pdf.

Ghosh, S. 2019. “Loan Delinquency in Banking Systems: How Effective Are Credit Reporting Systems?” Research in International Business and Finance, Elsevier, 47(C): 220–36. https://ideas.repec.org/a/eee/riibaf/v47y2019icp220-236.html.

Girault, M. G., and J. Hwang. 2010. “Public Credit Registries as a Tool for Bank Regulation and Supervision.” Policy Research Working Paper No. WPS 5489. World Bank, Washington, DC. http://hdl.handle.net/10986/3972.

Hagendorff, T. 2020. “The Ethics of AI Ethics: An Evaluation of Guidelines.” Minds and Machines 30: 99–120. https://doi.org/10.1007/s11023-020-09517-8.

Hengel, E. 2010. “Discussion Paper on Credit Information Sharing.” Facilitating Access to Finance Discussion Paper Series. OECD, Paris. https://www.oecd.org/global-relations/45370071.pdf.

ICCR (International Committee on Credit Reporting). 2013. “Assessment Methodology for the General Principles for Credit Reporting.” World Bank, Washington, DC. http://hdl.handle.net/10986/21813.

ICCR (International Committee on Credit Reporting). 2014. “Facilitating SME Financing through Improved Credit Reporting.” World Bank, Washington, DC. http://hdl.handle.net/10986/21810.

ICCR (International Committee on Credit Reporting). 2016. “The Role of Credit Reporting in Supporting Financial Sector Regulation and Supervision.” World Bank, Washington, DC. https://consultations.worldbank.org/consultation/role-credit-reporting-supporting-financial-sector-regulation-and-supervision.

ICCR (International Committee on Credit Reporting). 2018. “Use of Alternative Data to Enhance Credit Reporting to Enable Access to Digital Financial Services by Individuals and SMEs Operating in the Informal Economy.” Global Partnership for Financial Inclusion Guidance Note. World Bank, Washington, DC. https://www.gpfi.org/sites/gpfi/files/documents/Use_of_Alternative_Data_to_Enhance_Credit_Reporting_to_Enable_Access_to_Digital_Financial_Services_ICCR.pdf.

ICCR (International Committee on Credit Reporting). 2019a. “Credit Scoring Approaches Guidelines.” World Bank, Washington, DC. https://thedocs.worldbank.org/en/doc/935891585869698451-0130022020/original/CREDITSCORINGAPPROACHESGUIDELINESFINALWEB.pdf.

ICCR (International Committee on Credit Reporting). 2019b. “Cybersecurity in Credit Reporting Guidelines.” World Bank, Washington, DC. https://thedocs.worldbank.org/en/doc/735641585870130697-0130022020/original/Cybersecurityincreditreportingguidelinefinal.pdf.

ICCR (International Committee on Credit Reporting). 2020. “Treatment of Credit Data in Credit Information Systems in the Context of the COVID-19 Pandemic.” World Bank, Washington, DC. https://thedocs.worldbank.org/en/doc/972911586271609158-0130022020/original/COVID19ICCRCreditReportingPolicyRecommendationsfordistribution6346.pdf.

ICCR (International Committee on Credit Reporting). 2021. “Cross-border Credit Reporting.” World Bank, Washington, DC. https://www.biia.com/wp-content/uploads/2021/08/ICCR-Cross-Border-Report-final-July-2021.pdf.

International Finance Corporation, Arab Monetary Fund. 2015. “Arab Credit Reporting Guide.” International Finance Corporation, Washington, DC. http://hdl.handle.net/10986/25979.

International Monetary Fund (IMF) and World Bank. 2018. “The Bali Fintech Agenda.” International Monetary Fund (IMF), Washington, DC; World Bank, Washington, DC. https://www.imf.org/en/Publications/Policy-Papers/Issues/2018/10/11/pp101118-bali-fintech-agenda.

International Monetary Fund (IMF) and World Bank. n.d. “Financial Sector Assessment Program (FSAP).” International Monetary Fund (IMF), Washington, DC; World Bank, Washington, DC. https://www.worldbank.org/en/programs/financial-sector-assessment-program.

Liu, C., and C. Hou. 2021. “Challenges of Credit Reference Based on Big Data Technology in China.” Mobile Networks and Applications 27 (2022): 47–57. https://doi.org/10.1007/s11036-020-01708-y.

Martinez, P., S. Maria, and S. Singh. 2014. “The Impact of Credit Information Sharing Reforms on Firm Financing.” Policy Research Working Paper, No. 7013. World Bank Group, Washington, DC. http://hdl.handle.net/10986/20348.

Monetary Authority of Singapore (MAS). 2018. “Principles to Promote Fairness, Ethics, Accountability and Transparency (FEAT) in the Use of Artificial Intelligence and Data Analytics in Singapore’s Financial Sector.” https://www.mas.gov.sg/~/media/MAS/News%20and%20Publications/Monographs%20and%20Information%20Papers/FEAT%20Principles%20Final.pdf.

National Credit Bureau of Thailand (NCB). 2016. “Internal Audit Charter.” National Credit Bureau of Thailand, Bangkok. https://www.ncb.co.th/about-us/internal-audit-charter-en.

NIST (National Institute of Standards and Technology). 2017. “Cybersecurity Framework.” National Institute of Standards and Technology, Gaithersburg, MD. https://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8183.pdf.

NYSDFS (New York State Department of Financial Services). 2018. “Cybersecurity Requirements for Financial Services Companies.” https://govt.westlaw.com/nycrr/Browse/Home/NewYork/NewYorkCodesRulesandRegulations?guid=I5be30d2007f811e79d43a037eefd0011&originationContext=documenttoc&transitionType=Default&contextData=(sc.Default).

NYSDFS (New York State Department of Financial Services). 2021. “Report on the SolarWinds Cyber Espionage Attack and Institutions Response.” https://www.dfs.ny.gov/system/files/documents/2021/04/solarwinds_report_2021.pdf.

OCC (Office of the Comptroller of the Currency). 2019. “Comptroller’s Handbook: Corporate and Risk Governance.” Office of the Comptroller of the Currency, Washington, DC. https://www.occ.treas.gov/publications-and-resources/publications/comptrollers-handbook/files/corporate-risk-governance/pub-ch-corporate-risk.pdf.

Owens, John, Wilhelm, Lisa. 2017. “Alternative Data Transforming SME Finance.” Washington, DC: World Bank Group. http://documents.worldbank.org/curated/en/701331497329509915/Alternative-data-transforming-SME-finance.

Steering Committee on Reciprocity (SCOR). 2018. “Information Sharing: Principles of Reciprocity.” https://scoronline.co.uk/principles/.

Sutherland, A. 2018. “Does Credit Reporting Lead to a Decline in Relationship Lending? Evidence from Information Sharing Technology.” Journal of Accounting and Economics, Elsevier, 66 (1): 123–41. https://ideas.repec.org/a/eee/jaecon/v66y2018i1p123-141.html.

Toronto Center. 2018. “Risk-based Supervision.” TC Notes. https://res.torontocentre.org/guidedocs/Risk-Based%20Supervision%20FINAL.pdf.

Toronto Center. 2020. “Cloud Computing: Issues for Supervisors.” TC Notes. https://res.torontocentre.org/guidedocs/Risk-Based%20Supervision%20FINAL.pdf.

U.S. Congress. 2019. Algorithmic Accountability Act, H.R. 2231, 116th Congress. https://www.congress.gov/bill/116th-congress/house-bill/2231/all-info. Last accessed September 19, 2021.

World Bank. 2011. “General Principles for Credit Reporting.” World Bank, Washington, DC. http://hdl.handle.net/10986/12792.

World Bank. 2017. “How Credit Reporting Systems Contribution to Financial Inclusion.” International Committee on Credit Reporting Policy Brief, World Bank, Washington, DC. https://consultations.worldbank.org/consultation/how-credit-reporting-contributes-financial-inclusion.

World Bank Group. 2018a. “Financial Consumer Protection and New Forms of Data Processing Beyond Credit Reporting.” World Bank, Washington, DC. http://hdl.handle.net/10986/31009.

World Bank Group. 2018b. “Financial Sector’s Cybersecurity: Regulations and Supervision.” Finance, Competitiveness & Innovation Insight Series. World Bank, Washington, DC. https://openknowledge.worldbank.org/handle/10986/29378.

World Bank. 2018c. “Improving Access to Finance for SMEs Through Credit Reporting: Opportunities through Credit Reporting, Secured Lending, and Insolvency Practices.” World Bank, Washington, DC. https://documents1.worldbank.org/curated/en/316871533711048308/pdf/129283-WP-PUBLIC-improving-access-to-finance-for-SMEs.pdf.

World Bank Group. 2019a. “Credit Reporting Knowledge Guide 2019.” World Bank, Washington, DC. http://hdl.handle.net/10986/31806.

World Bank. 2019b. “Credit Reporting Without Borders: A Regional Credit Reporting Project.” Washington, DC: World Bank Group. http://documents.worldbank.org/curated/en/482141547662326461/Credit-Reporting-Without-Borders-A-Regional-Credit-Reporting-Project.

World Bank Group. 2019c. “Developing a Strong Credit Reporting System: A Toolkit for Practitioners.” International Finance Corporation, Washington, DC. http://hdl.handle.net/10986/31362.

World Bank Group. 2019d. “Disruptive Technologies in the Credit Information Sharing Industry: Developments and Implications.” Fintech Note, No.3. World Bank, Washington, DC. http://hdl.handle.net/10986/31714.

World Bank. 2020a. “Credit Bureau Licensing and Supervision: A Primer.” World Bank, Washington, DC. http://hdl.handle.net/10986/34760.

World Bank. 2020b. “Doing Business 2020: Comparing Business Regulation in 190 Economies.” World Bank, Washington, DC. http://hdl.handle.net/10986/32436.

World Bank. 2020c. “How Regulators Respond to FinTech: Evaluating the Different Approaches — Sandboxes and Beyond.” Fintech Note No. 4. World Bank, Washington, DC. http://hdl.handle.net/10986/33698.

World Bank. 2020d. “A Roadmap to SupTech Solutions for Low Income (IDA) Countries.” Fintech Note No. 7. World Bank, Washington, DC. http://hdl.handle.net/10986/34662.

World Bank. 2021. “Consumer Risks in Fintech: New Manifestations of Consumer Risks and Emerging Regulatory Approaches.” World Bank, Washington, DC. http://hdl.handle.net/10986/35699.

World Bank and Cambridge Centre for Alternative Finance (CCAF). 2019. “Regulating Alternative Finance: Results from a Global Regulator Survey.” World Bank, Washington, DC; Cambridge Centre for Alternative Finance, Cambridge, UK. http://hdl.handle.net/10986/32592.

World Bank and Consultative Group to Assist the Poor (CGAP). 2018. “Data Protection and Privacy for Alternative Data.” Global Partnership for Financial Inclusion Discussion Paper. World Bank, Washington, DC; Consultative Group to Assist the Poor, Washington, DC. https://www.gpfi.org/sites/gpfi/files/documents/Data_Protection_and_Privacy_for_Alternative_Data_WBG.pdf.

Yong, J., and J. Prenio. 2021. “Humans Keeping AI in Check: Emerging Regulatory Expectations in the Financial Sector.” FSI Insights on Policy Implementation No. 35. Bank for International Settlements, Basel. https://www.bis.org/fsi/publ/insights35.pdf.