Credit Bureau Licensing and Supervision: A Primer June 2020 0 Official Use © 2020 The World Bank Group 1818 H Street NW Washington, DC 20433 Telephone: 202-473-1000 Internet: www.worldbank.org All rights reserved. This work is a product of the staff and external authors of the World Bank Group. The World Bank Group refers to the member institutions of the World Bank Group: The World Bank (International Bank for Reconstruction and Development); International Finance Corporation (IFC); and Multilateral Investment Guarantee Agency (MIGA), which are separate and distinct legal entities each organized under its respective Articles of Agreement. We encourage use for educational and non-commercial purposes. The findings, interpretations, and conclusions expressed in this work do not necessarily reflect the views of the Directors or Executive Directors of the respective institutions of the World Bank Group or the governments they represent. The World Bank Group does not guarantee the accuracy of the data included in this work. Rights and Permissions The material in this publication is copyrighted. Copying and/or transmitting portions or all of this work without permission may be a violation of applicable law. The World Bank encourages dissemination of its work and will normally grant permission to reproduce portions of the work promptly. All queries on rights and licenses, including subsidiary rights, should be addressed to the Office of the Publisher, The World Bank Group, 1818 H Street NW, Washington, DC 20433, USA; fax: 202-522-2422; e-mail: pubrights@worldbank.org. Credit Bureau Licensing and Supervision: A Primer 1 Table of Contents Acknowledgements ....................................................................................................................................... 3 Preface .......................................................................................................................................................... 4 Glossary of Terms ......................................................................................................................................... 5 1 Introduction ........................................................................................................................................... 6 2 Licensing of Credit Bureaus ................................................................................................................. 8 2.1 Roles.............................................................................................................................................. 8 2.2 Process .......................................................................................................................................... 8 2.3 License types ............................................................................................................................... 10 3 Supervision of Credit Bureaus ............................................................................................................ 11 3.1 Roles and tools for conducting credit reporting supervision ...................................................... 11 3.2 Reporting requirements............................................................................................................... 12 3.3 Off-site review ............................................................................................................................. 13 3.3.1 Off-site review process and key tasks.................................................................................. 13 3.4 On-site supervision ..................................................................................................................... 17 3.4.1 On-site supervision process and key tasks .......................................................................... 17 3.5 Supervision of other entities: data providers and users.............................................................. 18 3.6 Enforcement and penalties .......................................................................................................... 19 4 How Credit Bureau Supervision Supports Bank Supervision ............................................................. 20 5 Conclusion .......................................................................................................................................... 21 Credit Bureau Licensing and Supervision: A Primer 2 Acknowledgements The publication of this Primer was made possible through the generous support of the Swiss State Secretariat for Economic Affairs (SECO). The Primer was prepared under the general direction of Mahesh Uttamchandani and was written by Shalini Sankaranarayan with key inputs provided by Gabriel Davel and Lina Sun Kee. This publication benefitted immensely from the review, participation, guidance, and insights of the following experts from the Credit Information Systems Team, including Luz Maria Salamina, Fabrizio Fraboni, Oscar Madeddu, and Colin Raymond. The team also received excellent editorial review and assistance from Hilary Johnson, and Oleksandra Svyryba. Credit Bureau Licensing and Supervision: A Primer 3 p Preface The Finance, Competitiveness and Innovation Global Practice (FCI GP) of the World Bank Group supports regional clients and the global community in addressing their most pressing financial- sector challenges by delivering a tailored package of Bank Group finance, knowledge and advisory services, and convening services. The goal of this practice is to contribute to the building of deep, diversified, efficient, and stable financial systems, which are critical to achieving the Bank Group’s goals of eliminating extreme poverty and promoting shared prosperity. The Credit Infrastructure Global Solutions Group (GSG) of FCI GP assists client governments and the global community in improving access to credit through the establishment and strengthening of credit reporting, secured transactions, and insolvency and debtor/creditor rights (ICR) systems. Under the Credit Infrastructure GSG, the practice promotes and facilitates the development of efficient credit reporting systems (CRS) to expand responsible access to credit to a significant number of individuals and firms. The practice also supports financial regulators and supervisors in order to ensure that these systems remain safe and sound, minimizing systemic risk. The CRS team uses international standards and best practices to assist governments and other stakeholders in establishing or reforming their CRS to enable the flow of reliable credit-related information in a safe and efficient manner. This is accomplished with a view to two broad policy objectives: fostering responsible access to finance and contributing to financial stability. The team works with government institutions, financial institutions, and the private sector to advance credit reporting systems. In recent years, as more and more regulators have begun to assume the role of supervision and oversight over credit bureau(s), the World Bank Group has supported supervisors in understanding and carrying out their duties as it relates to this role. The WBG has supported the development of the credit bureau supervisory framework and the capacity to supervise these systems in several countries, including Morocco, the West African Monetary Union, Jordan, Bhutan, and the Bahamas. In addition, the WBG has provided light touch assistance on the supervision of credit bureaus in several Caribbean countries including Jamaica, Belize, the OECS, Guyana and Suriname. The WBG has facilitated study tours for regulators to markets where credit bureau supervision processes are established, thereby enabling the exchange of experiences and information between regulators. Such study tours include mock audits of the credit bureau in the host country, where possible. The mock audits provide the visiting regulators with an opportunity to mimic the processes that would be followed in case of an audit. This primer draws upon the WBG’s experience across various markets and intended to provide regulators, policymakers, practitioners and financial sector specialists with a general overview of what the licensing and supervision of a credit bureau entails. Credit Bureau Licensing and Supervision: A Primer 4 Glossary of Terms Terminology referring to relevant parties in a credit reporting system along with their respective roles as used in this document are as below: a) Credit reporting service providers operate the actual credit reporting databases. They are responsible for ensuring that data processing is secure and are tasked with providing high quality and efficient services. All users having either a lending function or a supervisory role should be able to access these services under equitable conditions. A credit bureau is one type of credit reporting service provider. b) Data providers (credit information providers) are responsible for reporting accurate, timely and complete data to credit reporting service providers, on an equitable basis. c) Other data sources include data sources that are not credit providers but provide valuable data that is relevant for credit reporting. One such source is public record agencies, which should provide credit reporting service providers with access to their databases in order to expand information sharing, support data validation and increase the capacity of financial service providers to comply with KYC requirements. d) Data users are those that use the information from the credit bureau. They should only apply the information available from the credit bureau for permissible purposes and should ensure that high standards of security and confidentiality are maintained. e) Data subjects are the ultimate borrowers or consumers whose information is collected and shared. They should provide truthful and accurate information to data providers and other data sources. f) Authorities are those bodies that are responsible for licensing, regulation, supervision and oversight of the credit reporting system as a whole. Their objective is to promote a credit reporting system that is efficient and effective in satisfying the needs of the various participants and supportive of consumer rights and of the development of a fair and competitive credit market. Credit Bureau Licensing and Supervision: A Primer 5 1 Introduction Credit bureaus emerged in response to a market need to identify borrowers with negative repayment behaviour, in an effort to minimize the risk of exposure to these types of borrowers by financial institutions and other creditors. A credit reporting system is a critical component of a modern financial system. It comprises all the institutions, technologies, data and information that enable credit information sharing. Credit information sharing entails sharing of information on the credit status of individual consumers and business entities between credit information providers (or data providers) and users, for various purposes. There are different types of entities, or “credit reporting service providers” that undertake the function of credit information sharing and these are generally categorized by their primary function as follows: credit bureaus, credit registries and commercial credit reporting companies. Credit information providers are generally institutions that provide credit and generally include financial and non-financial institutions like banks, insurance companies, microfinance institutions, utility providers amongst others. The primary purpose of a credit bureau is to support credit information sharing on the credit status of individual consumers and business entities, thereby supporting financial and non-financial institutions that provide credit to improve their credit approval decision-making and credit risk management. Credit bureaus provide credit reports, credit scores and other value-added services that enable their users to make informed lending decisions. A credit report is an important factor in all phases of the credit cycle, from client selection and credit assessment to portfolio risk management, including debt collection and loan loss provisioning. The information provided by a credit bureau enables credit markets to function more efficiently, improve financial inclusion, lower the cost of credit and improve credit risk management. Why is it important to supervise credit bureaus? The first credit bureaus evolved organically to address a market need by lenders to better understand the extent of indebtedness or over-indebtedness of their borrowers. Over time, however, credit bureaus have gradually expanded in terms of the types of data collected, scope of information collected, and the purposes for which this information is being used. This has generated valid concerns about several issues: the security of (what is often) very personal data; who gets to access to this data and for what purpose; whether the underlying consumers whose data is being collected, assimilated and shared are aware of the same; what rights these consumers possess; and how they would go about exercising their rights. Appropriate legislation, regulation, oversight and governance are all crucial elements for ensuring that data providers, other data sources and credit reporting service providers are able to manage the risks related to credit information sharing. Credit reporting systems in general and credit bureaus in particular are therefore increasingly subject to rigorous consumer protection and data privacy standards, to ensure that consumer consent is obtained, that high standards of data accuracy and data security are maintained, and that consumer complaints are dealt with effectively and fairly. It is a fundamental requirement that consumers be informed of the nature of credit information sharing, their rights to obtain credit reports, and their rights in respect to complaints on data accuracy or inappropriate data sharing. If credit bureaus weren’t regulated, it could result in poor data quality, loss of data and ultimately poor lending decisions, all of which could have significant impact on a country and its citizens. Credit Bureau Licensing and Supervision: A Primer 6 Given the complexities of credit information sharing, the increasing number of participants in the system and the nature of the data held, several jurisdictions are seeking to introduce some form of entry and exit requirements for credit reporting service providers. Licensing of credit bureaus is one such mechanism for implementing entry and exit requirements, thereby establishing control over which entities are allowed to provide of credit reporting services. Regulation of credit bureaus helps to provide oversight over the various participants in the credit reporting system, as the regulator of a credit reporting system is responsible for regulating all credit reporting activities. This is not limited to the application of existing legislation only, but also includes coordination with stakeholders to promote the development of a credit reporting system in a consistent and coordinated manner. As credit reporting systems grow in complexity and the industry evolves, regulators around the world are increasingly assuming responsibility for licensing, supervision and oversight of credit reporting systems. Taking a holistic approach to regulation helps to ensure that appropriate credit information is transmitted using a safe, secure and efficient system, operating under fair conditions for all stakeholders and upholding consumer rights throughout. The supervision of credit bureaus is structured in order to monitor compliance with the applicable laws and regulations as well as with industry norms, including codes of conduct and user agreements. In view of the increasing interest globally in supervision and oversight of credit reporting systems, this primer has been developed to provide regulators, policymakers, practitioners and financial sector specialists with a general overview of what the licensing and supervision of a credit bureau 1 entails. As the legal and regulatory frameworks and market conditions vary considerably from one jurisdiction to another, this primer should be viewed as a general blueprint for developing the licensing and supervision functions of a credit bureau supervisor. Each jurisdiction will need to further adapt the information provided herein to meet their specific requirements . Accordingly:  Section Two of the report covers the general process for licensing of credit bureaux.  Section Three discusses supervision of credit bureaus and the different processes that supervisors may adopt, along with relevant tools to aid them in the process; while credit bureau supervisors may use similar tools and approaches to those used by bank and non- bank financial institution supervisors, credit bureaus are distinct from financial institutions and the this should be adequately reflected in the supervision approach.  Section Four touches upon the complementarity of credit bureau supervision statistics with bank supervision statistics, and how credit bureau supervision can support bank supervision and vice versa.  Section Five concludes and reinforces the importance of credit bureau supervision. 1As this note focuses on the licensing and supervision of credit bureaus, the term “credit bureau” is used throughout the document, though there are also other types of institutions that perform some of the functions of a credit bureau and which may also be licensed and supervised. Credit Bureau Licensing and Supervision: A Primer 7 2 Licensing of Credit Bureaus The objective of applying a licensing regime to credit bureaus is to provide a means of assessing whether credit bureau providers are suitable and eligible to operate within a jurisdiction before they begin operating. Through the licensing process the regulator assesses whether the operator of the credit bureau has the necessary expertise, management experience, and technical infrastructure to operate the credit bureau. The process requires credit bureaus to show that they can and will comply with the relevant legal and regulatory frameworks. The authority to license is usually conferred upon the central bank or other financial markets regulator through legislation. 2.1 Roles Generally, in cases where the central bank of a country is the regulator for the credit reporting system, its licensing team is given the function of licensing credit bureaus. While the structure can vary from country to country, normally a core licensing team is responsible for reviewing license applications, ensuring eligibility requirements and licensing requirements are met and then submitting a recommendation report to a licensing committee for consideration. The licensing committee reviews the recommendation, approves or rejects it, and shares it with the head or other key decision-making authority of the central bank, for consideration and approval. In some markets, the licensing team and the licensing committee may be one and the same, given small team sizes, and depending upon the number of license applications received. 2.2 Process Call for applications: Once the central bank or other regulator has determined that it will apply a licensing regime to credit bureaus, the regulator assigns a core licensing team to be responsible for undertaking all the tasks associated with the licensing process. The licensing team issues a call to eligible credit bureaus for license applications. The invitation to apply for a license can be shared in the public domain on the regulator’s website as well as through official gazettes. Depending on the complexity of licensing requirements, license application windows are open for 45 to 60 days. Initial review: Once the window for submitting license applications is closed, the core licensing team conducts a preliminary administrative check to ensure that all required documentation has been submitted. It prepares a register recording all the documentation received and making note of any missing documentation. The team can reach out to credit bureau applicants if there is any missing or incomplete information/documentation; the credit bureau applicant should be informed that processing of its application is halted until any additional information requested has been received. The team records receipt of any license application fees and ensures that any relevant required declarations are duly signed off by the management team of the credit bureau applicants. Evaluation: Credit Bureau Licensing and Supervision: A Primer 8 Applications are evaluated in the context of relevant legislation and regulations. Once all documentation is received and in order, the licensing team can review the applications. Generally, regulators take 60 to 90 days to review license applications and provide a decision. This timeframe can be affected by a number of factors, including incomplete information or requests for clarification during the evaluation process, as well as other constraints on the part of the regulator that may require additional time for the review and decision process. The team conducts due diligence on senior management of the credit bureau(s), interviewing candidates as needed, and ensures that any capital or guarantee requirements have been met. Specifically, for each application the licensing team evaluates: (a) The proposal and its alignment with the existing legal and regulatory framework. (b) The business plan of the credit bureau and whether the underlying assumptions are feasible, including projections for inquiries and growth, proposed pricing schedule and break-even estimates. (c) The financial capacity of the credit bureau to successfully undertake the proposed activity. (d) The proposed timeline for implementation and achievement of key milestones, including but not limited to: finalizing standard data formats, data testing, user testing and acceptance; proposed prioritization in loading of consumer, commercial and public data; target date for operationalization; and target data for addition of value-added services, such as scores. (e) Fit and Propriety tests for the members of the Board and senior management of the credit bureau. (f) Experience of proposed management team in setting up and running a credit bureau. (g) Relevance and quality of policies and procedures pertaining to receipt, validation and accuracy of data, data and systems security, receipt and processing of consumer complaints, release of credit reports, business continuity and disaster recovery. (h) Sample agreements with data providers and users that ensure that data is provided in a timely fashion, in pre-determined formats. Comprehensiveness of policies regarding conditions for access to data, minimum security requirements of data providers and users, obligation to respond in a timely fashion to requests to correct erroneous data, and options that the credit bureau can enforce in case of non-compliance. (i) Policies on enforcing agreements with data providers that are not regulated by the regulator, and approach to ensuring that these entities are subject to conditions that are similar or equivalent to those of regulated entities. (j) Sample credit reports or other products and value-added services provided by the credit bureau applicant. Recommendations: Based upon the evaluations and the completeness of applications, the licensing team may find that an application is either: (a) Complete and to be recommended for a license; (b) Mostly complete, but requiring that some additional conditions be met prior to licensing, or be addressed through conditional/provisional licensing; or Credit Bureau Licensing and Supervision: A Primer 9 (c) Incomplete and containing material weaknesses that result in non-compliance with the legal and regulatory framework. For applications that are likely to be rejected, the team should make every effort to seek out all additional information possible to address the weaknesses before making the recommendation to reject the application. The team prepares a recommendation report containing analysis of why each applicant should or should not be considered for a license, and under what conditions, if any. The report, along with a cover letter, is shared with the licensing committee (if there is one), or with the head or other decision-making authority of the regulatory body for review and action. Decision: In some instances, regulators may follow a two-step approach to the submission of recommendations, whereby the recommendations report is submitted to a deputy head (a Deputy Governor, for example), who then provides feedback and recommendations to the head/key decision-making authority (a Governor, for example), who then makes the final decision about whether to award a license. The head/key decision-making authority communicates the decision (approval or rejection) to each applicant. Once a license has been approved, the regulator may also choose to publicly announce the decision through the media and its websites. 2.3 License types Provisional license: In certain cases, a license may be granted on a provisional basis, and can then be converted to a full license when certain conditions have been met. For instance, in some jurisdictions the credit bureau may be required to become operational (i.e., selling credit reports) within a certain number of months, determined by the regulator. The licensor may grant a six-month conditional license that will convert into a full license when the bureau becomes operational. In cases where a conditional or provisional license is issued, the conditions for obtaining a full license must be clearly specified. The provisional license must state the period of validity, the permissible activities that can be undertaken during the provisional licensing period, and the conditions that must be met to obtain a full license. Some degree of flexibility should be built into the licensing process, as the ability to meet the necessary conditions can depend in part upon the market and the willingness and ability of data providers to share data with the credit bureau. Full license: Full licenses may be granted for a set period, such as a year, with an annual license renewal fee. This gives the supervisor the ability to assess the performance of the credit bureau over the year, request changes if necessary, and in cases of gross negligence, non-compliance with legislation, or other behavior that is detrimental to the general public, refuse to renew the license. The regulator may always revoke a license at any point if it believes that the credit bureau is non- compliant with the legal and regulatory framework. Credit Bureau Licensing and Supervision: A Primer 10 3 Supervision of Credit Bureaus Credit bureau supervision entails overseeing the functioning of the overall system, with the primary focus being to supervise the credit reporting service provider or credit bureau itself, as well as other participants in the system, including data providers and users. Practices in credit bureau supervision closely mimic processes for bank and non-bank supervision. However, it is important to point out that credit bureaus themselves are not deposit-taking institutions and do not have fiduciary responsibilities, and should not, therefore, be treated exactly like banks or other financial institutions. Instead, credit bureaus should be regulated using a different set of criteria that are relevant from the perspective of the existing legal and regulatory frameworks and best practices in credit reporting. This includes oversight to ensure the following:  Information being collected is permitted under the respective legislation and regulations;  Sources of information are permitted under the legislation and regulations;  Data is accurate and measures are taken to ensure adequacy of the data collected;  System has adequate security measures in place;  Information is being disseminated and used for permissible purposes; and  Rights of consumers are being observed, including any requirement to obtain consent. Supervision of credit bureaus is critical in ensuring that credit bureaus and participating data providers and users are upholding the rights of consumers. Consumer rights include the right to know what information is being captured and shared, to access one’s own data, to request corrections, and to dispute erroneous data. At the credit bureau level, the supervisor needs to ensure that the credit bureau has the necessary security in the architecture of its system (organizational, physical, and logical) to ensure that consumer data is handled with extreme care and that the risks of loss, misuse or destruction are as low as possible. 3.1 Roles and tools for conducting credit reporting supervision Roles: Generally, the credit bureau supervision team is a small unit within a central bank or other regulatory body that has the explicit mandate to undertake supervision of the credit bureau(s) as well as data providers and users that participate in the system. The credit bureau supervision team works closely with bank and non-bank financial institution (NBFI) supervision teams in carrying out is functions, and assists bank and non-bank supervision teams in: (a) Identifying regulated financial institutions which may potentially be non-compliant, (b) Providing relevant information which would support the bank and non-bank supervision staff in addressing areas of non-compliance, and (c) Attending subsequent resulting bank on-site investigations. Based on reports received from the credit bureau(s), the credit bureau supervision team is responsible for identifying areas of increased credit risk to financial institutions and bringing it to the attention of the bank supervision department and any other department within the regulatory body as appropriate. The bank supervision department has the primary (lead) responsibility for the Credit Bureau Licensing and Supervision: A Primer 11 review of compliance by regulated financial institutions with the relevant legal and regulatory frameworks. Tools: Not unlike bank supervision or other financial institution supervision practices, credit bureau supervision generally entails some combination of reporting and off-site and on-site supervision processes. Credit bureau supervisors use a number of tools to support the supervision function, and guidance around the objectives of supervision and how to undertake off-site and on-site reviews are generally captured in a Credit Bureau Supervision Manual. The Manual includes checklists for undertaking both off-site and on-site supervision; such checklists lay out the key areas to be assessed in accordance with legislation and regulations and any other codes of conduct, as well as the key documents and information that must be reviewed. The Manual also provides templates for the reporting requirements that credit bureau(s) have to meet, with guidance around each data element, including frequency of reporting required. 3.2 Reporting requirements As part of the licensing process, regulators will generally require credit bureaus to provide reporting on a periodic basis regarding the operations of the bureau in the form of an annual report. The degree of reporting required by a credit bureau can depend on the size and maturity of the credit bureau, as well as the supervisor’s needs. For instance, in the initial stages when a bureau is being set up and just beginning to roll out operations, the requirement to report may be lighter to allow the bureau to focus on operations. As the bureau matures, however, a variety of different reports can be required by the supervisor. The regulator may request the following types of reports:  Annual audited financial statements;  Annual signed compliance reports (if required by legislation and regulations);  Quarterly compliance statistics that report monthly statistics on records submitted, including inquiries made by users, applicable rejected records, and hit rate percentages, all on an aggregate and per data provider or user;  Statistics on consumer usage of the credit bureau(s), such as number of self-inquiries by consumers, disputes filed, resolved, outstanding, number of disputes not resolved within the legally established time limits, disputes rejected, average time taken to resolve a dispute, analysis of complaints by category, and a list of data providers most complained about with nature of complaints; and  Quarterly credit market report, which contains the data on credit growth and credit quality, by product, by user-group and by geographical area; the credit market report contains relevant credit market variables, including at least: (i) number and value of active loans; (ii) number and value of new loans approved; (iii) number and value of active and new loans per primary product; (iv) number and value of new loans in standard loan size categories; (v) number and value of new loans in standard loan term categories; and (vi) number and value of arrears in standard categories, all broken out by data provider and user as well as on an aggregated basis. Credit Bureau Licensing and Supervision: A Primer 12 Legislation may stipulate the timeframes for submitting each of these reports. The credit bureau supervision team must: maintain a record of all reports received; identify outstanding reports and notify the credit bureau of the late reports; review and analyze the reports; digitize the reports if they are not already submitted electronically; and compare the reports against previously submitted reports. 3.3 Off-site review During the off-site review, the credit bureau supervision team reviews the reports and documentation submitted by the credit bureau(s). The objective of the off-site review is to ensure that the bureau(s) are operating in compliance with the relevant legal and regulatory framework and that the data hosted is complete, up to date, accurate, being used for proper purposes, and being kept secure. The review also aims to ensure that consumer rights are being upheld, and that there is an adequate management and governance structure in place. In addition to monitoring the credit bureau(s), the off-site supervision process also looks at compliance by data providers with the relevant legal and regulatory frameworks. 3.3.1 Off-site review process and key tasks During the off-site review process, the credit bureau supervision team reviews all the reports provided by the credit bureau(s) to ensure compliance with the law and regulations. This can be complemented with a review of media and other reports regarding the credit bureau(s). The team compares the reports submitted by the credit bureau(s) with information submitted by banks and other regulated financial institutions to understand if there is any under reporting or weaknesses in data quality, and to ensure that inquiries are performed for permissible purposes and with consumer consent as appropriate. The team can issue ad-hoc requests for information from the credit bureau(s), and from regulated financial institutions if additional information is required. Based on the findings from the off-site review, the supervisors may: (a) Identify areas that require special investigation in on-site inspections; (b) Propose a specific on-site inspection in order to investigate areas of serious weakness; (c) Make recommendations to bank, non-bank financial institution supervisors or other industry regulators (e.g., telco regulators or data privacy regulators) for follow-up action in respect to data providers or users; or (d) Take other appropriate action as necessary. The following is a summary of the supervisory tasks that form part of the off-site compliance program. These tasks should generally be performed annually, over the course of the off-site compliance cycle. General compliance monitoring: General compliance monitoring covers the general compliance functions, including the maintenance of records for the regulatory reports submitted by the credit bureau(s), and the review and reporting of compliance by the bureau(s). Credit Bureau Licensing and Supervision: A Primer 13 Monitoring of compliance statistics: This consists of analysis of statistical and compliance reports submitted by credit bureau(s), and identification of areas of non-compliance. Analysis of activity of individual institutions as reported to the credit bureau(s): Credit bureau reports include statistics on data submission and inquiries by individual banks as well as statistics on credit trends in individual banks' credit portfolios, together with the number of consumer disputes and the time to resolve them. This part of off-site compliance deals with the analysis of data on regulated banks and other regulated financial institutions, in order to: (a) ensure that data submission by regulated entities is complete and accurate and that inquiries are performed on all loans issued according to permissible purpose and with customer consent (as per the requirements contained in legislation and regulations); (b) identify areas of risk with respect to trends observed in the credit activity of regulated banks and financial institutions; and (c) identify institutions and practices that give rise to a disproportionate number of consumer disputes. The analysis entails periodic meetings with the bank supervision department to identify and discuss areas of non-compliance with respect to the behavior of regulated banks and financial institutions. Analysis of credit market trends: The statistical returns that are submitted by credit bureaus provide quantitative indicators on credit market trends, which are valuable in assessing credit quality, institutional risk and trends in different segments of the credit market. The off-site review team processes and analyzes the returns to gain insights into market trends and risks. Monitoring of consumer complaints and adherence to consumer protection standards: Over the course of a year the credit bureau(s) and data providers are likely to receive consumer complaints that would need to be addressed. The aggregated complaint statistics should be reported to the credit bureau supervision team in order to monitor consumer complaint resolution and identify areas of concern. The credit bureau supervision team can also monitor reporting by consumer journalists, social media and other public sources to detect any consumer protection concerns. If there are serious areas of concern, the team can direct an inquiry to the credit bureau(s) or to the data providers, as the case may be. Activities and findings with respect to consumer complaints and consumer protection standards should be summarized and included in the periodic briefs prepared by the credit reporting supervision team and summarized in the annual report on credit reporting supervision activities prepared by the credit bureau supervision team. In some jurisdictions, supervision activities related to the credit reporting system are included in the annual report on overall banking supervision activities. Areas of non-compliance in respect to specific banks and data providers must be brought to the attention of the relevant supervisors. Thematic reviews: Credit Bureau Licensing and Supervision: A Primer 14 Periodic thematic reviews may be conducted in respect of areas of priority or specific concerns. Thematic reviews may cover specific areas of compliance and business practices of both credit bureaus and regulated data providers, from the perspective of legal compliance, consumer protection or sound business practices. Examples of thematic reviews can include a review on the policies and procedures for handling consumer disputes across data providers and credit bureau(s), a review of security processes and procedures across data providers, credit bureau(s) and users, or any other topic that is of relevance to all or a number of data providers, credit bureau(s), or users. Thematic reviews can be resource intensive and are generally more appropriate when the credit reporting industry has matured and achieved critical mass as represented by the volume of data submitted, data providers integrated, or coverage of borrowers in the market. Thematic reviews may also be more appropriate in markets where multiple bureaus operate, and the review addresses common areas of concern that emerge from the collective experience of the industry. Annual tri-lateral meeting with credit bureau and independent auditor: Licensed credit bureau(s) should be subject to an annual audit by independent external auditors. The supervisors meet with the bureau management and its external auditors after the completion of the external audit. The purpose of the meeting is to discuss the findings of the auditors and to identify any issues that may have a bearing on the bureau’s compliance with legal and regulatory requirements, and to discuss any business risks that may impact the operational sustainability of the bureau. The supervisors may also identify areas of concern which require special attention immediately or in the following external audit. Governance and board oversight: It is the responsibility of the boards of directors of licensed credit bureau(s), data providers and users to ensure that the institutions comply with the applicable laws and regulations. Off-site supervision should include measures to ensure that these boards perform their functions effectively. This may involve reviewing board meeting minutes, ensuring all meetings and decisions are documented, following up on the actions of the board pursuant to recommendations made by the auditors or by the supervision team following on-site visits, monitoring the status of board action items, following up with the board on recommendations made by the external auditor, etc. The supervisor may elect to meet with credit bureau board biennially or more frequently if required. Off-site supervision also includes measures to ensure that external auditors, internal auditors and compliance officers understand the regulatory requirements and perform their duties effectively. These may entail reviewing the duties and roles of auditors and compliance officers, reviewing audit and compliance reports and arranging for meetings once a year with the internal audit and compliance team. General and specific compliance letters and circulars: Problems in credit information exchange can occur amongst various data providers and users and often require corrective action by various parties. The credit bureau(s) should have a code of conduct that applies to all data providers and users, which generally lays out different actions that the bureau(s) can take in case of non-compliance. For instance, the bureau(s) my initially warn or reprimand a data provider for not submitting data in the agreed format or timeframe. In case the Credit Bureau Licensing and Supervision: A Primer 15 data provider repeatedly fails to submit data correctly, the bureau may impose fines on the data provider or in an extreme situation may choose to terminate the agreement with the data provider. If these measures do not result in corrective action, the regulator may choose to intervene, by issuing general compliance letters or notices to all relevant parties, or more specific compliance letters aimed at specific data providers or users depending on the issue at hand. If such letters or notices are sent to regulated financial institutions, it should be done in cooperation with the bank supervision department. Workshops with credit bureau(s), data providers and users: When there are common industry or sector-wide priorities or compliance concerns, there may be value in arranging a broad workshop to which all bureau(s), data providers and users are invited. This provides the opportunity for discussion of common challenges and identification of common solutions. In certain circumstances it may be appropriate to limit the workshop to the representatives of the credit bureau(s) or of the different industry associations that represent data providers and users (including the banking association, MFI association and others). Compliance assessment of unregulated data providers and users: Data providers and users include many categories of institutions which are not under the regulatory mandate of the credit bureau supervisor. Examples of unregulated data providers and users could be: telcos, public utilities, retail credit providers, fintech lenders, and any other data providers and users that do not fall within the supervision mandate of the financial sector regulator. These institutions are still subject to the legal and regulatory requirements applicable to data providers and users under the relevant credit reporting legislation and regulations, as well as any industry code of conduct, service agreements with the credit bureau(s). However, it would not be appropriate for the credit bureau supervision team to perform on-site inspections of such entities or take enforcement action against such institutions. Compliance supervision over unregulated data providers and users therefore takes place off-site. Annual Report on activities of credit reporting supervision unit: The credit bureau supervision team produces an annual report on all the supervisory activities of each year. This is an internal report that is submitted to the head of the regulatory body and the board of directors or senior management of the regulator. It includes a list of specific supervisory activities, primary observations, areas of concern, interventions and penalties. Relevant extracts from the report may also be included in the annual report of the regulatory body. Preparation of compliance reports: A general compliance report on each credit bureau should be prepared once a year and should include information on the following aspects:  The financial performance of the credit bureau(s) operation and financial sustainability;  All specific compliance requirements as defined in the legislation, regulations, code of conduct or guidelines; Credit Bureau Licensing and Supervision: A Primer 16  Confirmation that all reports and submissions had been submitted on time and that copies thereof are filed on the relevant credit bureau’s compliance file;  Confirmation that the standard service provider contract utilized by the credit bureau(s) contains all appropriate requirements;  Review of key service and outsource contracts such as software license agreements, maintenance and support agreements, hosting agreements and other key service provider agreements; and  Confirmation that up to date copies of key policies and procedures are on file and include all appropriate requirements. Key policies include: (a) policy on data and systems security; (b) policy on receipt and processing of credit information from data providers [including validity and reasonability tests]; (c) policy on receipt and processing of consumer complaints; (d) policy on data security and release of consumer credit reports. 3.4 On-site supervision The objective of on-site supervision is to supplement off-site supervision with a particular focus on problematic areas that were uncovered during the off-site supervision process. Problematic areas or issues may surface initially through off-site reviews, through reports received from bank supervisors, consumer complaints, or media reports. The team members involved in on-site supervision must have knowledge of bank supervision processes and should have received training to this effect, as the process closely emulates the bank supervision process. In some countries, bank supervisors may also be on the credit bureau supervision team. The team must be well versed in the following topics: information technology, consumer protection, credit information and credit risk management. The on-site inspection can be carried out on annual basis, or a biennial basis if there are no major issues with the performance of the credit bureau(s). The costs of an on-site inspection may be borne by the credit bureau(s), depending on the legal and regulatory framework. The key areas of focus for the on-site inspection are:  Compliance with the relevant legislation, regulations and guidelines;  Data completeness and data accuracy;  Security, data recovery systems and continuity of service;  All aspects of consumer protection and consumer complaints resolution;  Adequate corporate governance practices;  Financial statements and budgets;  Policies and procedures;  Disaster recovery and continuity of service;  Complaint management and dispute resolution; and  Submission of reports and statistical returns to the regulator. 3.4.1 On-site supervision process and key tasks The credit bureau supervision team can plan the on-site visit in coordination with the credit bureau. Generally, a plan for the upcoming twelve months is created, with date(s) for the on-site and the areas of focus for the on-site. A month prior to the on-site, the credit bureau supervision team meets to plan out the scope of the on-site and the requirements of the team that will perform the on-site. Subsequent to the planning meeting, the credit bureau supervision team will notify the Credit Bureau Licensing and Supervision: A Primer 17 credit bureau at least two weeks prior to the on-site and make any requests for documentation or additional preparation on the part of the credit bureau. Such documentation may include copies of minutes, internal and external audit reports, policies and other relevant documentation, depending on the areas that will be addressed during the on-site inspection. The on-site is carried out by members of the credit bureau supervision team, and the team size is a function of the scope of the on-site, but generally not more than three members. During the on- site, the team will hold meetings with the credit bureau(s) management, compliance officers, internal audit teams and other relevant staff, as well as review existing files on record keeping, policies and procedures, etc. In some instances, the team may contract an external specialist to undertake certain areas of the inspection that require specialized expertise, such as an inspection of IT infrastructure and disaster recovery systems, or credit bureau functionality to ensure data integrity. For instance, specialized experts may perform ethical hacking to test the vulnerabilities of the credit bureau’s technical platform and database. The following are the key tasks that result from the on-site:  Analysis of findings and report compilation: The credit bureau supervision team prepares an inspection report with all of its findings, including areas of non-compliance and proposed recommendations for follow up or enforcement. The report will be shared with the credit bureau for its review, before being submitted for approval to the head of the credit bureau supervision team. Any meetings that take place prior to, during or after the off-site are recorded with minutes. The team should maintain two sets of files for each credit bureau: one set containing permanent documentation that is valid for several years (including for instance, governance documents, policy documentation, etc.), and a second set containing documents relevant to the current inspection (including current year minutes of board meetings, current year financial statements, and current year statistics).  Meeting with credit bureau management: Following the actual on-site, the credit bureau supervision team arranges a formal meeting with the credit bureau management to discuss findings of the inspection and areas of non- compliance, and to agree on an action plan to address these areas. 3.5 Supervision of other entities: data providers and users In addition to supervising the actual credit reporting service provider, the supervisor is also responsible for supervising the data providers and users of the credit reporting system. These entities may be directly regulated credit providers, but they can also include non-regulated providers of credit information or other users that are either unregulated or regulated by other regulators, such as telecoms or utility sector entities. The following aspects of the interaction of participants with the credit reporting system should be covered by supervision: Credit Bureau Licensing and Supervision: A Primer 18  Data collection from consumers (KYC): Financial institutions and other regulated lenders are generally required to collect adequate identification information from their customers as part of regular Know Your Client processes. This information is critical from the perspective of the credit reporting system, and the information should be reported to the credit bureau(s) on a regular basis as part of the trade files. The supervisor needs to ensure that the information is being collected as required, the data is accurate and up-to-date, and is regularly shared with the credit bureau.  Data reporting to the credit bureau: Financial institutions may or may not be mandated to share credit information with a credit bureau, depending on the existing legal and regulatory framework. Regardless of whether or not information sharing is mandatory, if a financial institution participates in the credit reporting system and provides data to the credit bureau, the supervisor is responsible for ensuring that the FI does so on a regular basis and that the data submitted is of adequate quality for the purpose of credit reporting.  Querying the credit bureau/using the information: Financial institutions may or may not be mandated to inquire with the credit bureau prior to making an assessment on granting credit. In some jurisdictions, creditors must make inquiries prior to granting credit, including consulting with the credit bureau, as a means to mitigate the risk to the portfolio as well as to practice responsible lending practices. In these instances, the supervisor of the credit reporting system needs to monitor the usage of the credit bureau by financial institutions and other users of the system.  Data correction: Data providers are responsible for correcting erroneous information on consumer credit files. These errors may be detected by the bureau during its upload and validation process or may be reported by the consumer. The credit bureau cannot make any changes to the data, but instead must follow up with the reporting data provider to make necessary changes within the timeframes stipulated under the legislation. The supervisor plays an important role in ensuring that these timeframes and roles are respected by all parties.  Consumer protection: Data providers may be required to notify consumers or collect consent prior to sharing data with the credit bureau (as per the law and regulations). Similarly, users may be required to notify consumers or collect their consent prior to inquiring with the credit bureau. Data providers and users should have relevant policies and procedures in place to meet these requirements and should provide relevant training to their employees that deal with consumer credit histories. Further they may have to preserve evidence that consumers were notified or that their consent was collected. The supervisor will have to ensure that data providers and users are playing their part in notifying consumers and collecting consent as appropriate. 3.6 Enforcement and penalties  The off-site review and on-site inspection may result in specific enforcement action and/or administrative and financial penalties as defined by the legal and regulatory framework. The regulator should pursue a variety of enforcement actions before applying any Credit Bureau Licensing and Supervision: A Primer 19 administrative penalties. An enforcement action could include a letter to the credit bureau recording findings, identifying areas of non-compliance with a general statement that these should be rectified, specifying actions required, specific timelines for achieving various actions and requiring the bureau to provide written confirmation of implementation of corrective action in cases of non-compliance. Administrative penalties may be applied when a credit bureau fails to comply with the enforcement actions undertaken. These can range from simple fines for delayed filing of required reports to more severe financial penalties for serious infractions, such as a lapse in security policies resulting in a data breach that exposes sensitive consumer information. 4 How Credit Bureau Supervision Supports Bank Supervision As part of the reporting requirements established by the regulator, each credit bureau may be asked to submit quarterly reports on credit market activity statistics covering data on credit growth and credit quality, by product, by user-group and by geographical area (see section 3.2) broken down at the data supplier level and presented in aggregate. In addition, the credit bureau supervision team receives useful information from the credit bureau(s) regarding the performance of financial institutions in terms of: (a) Total number of credit accounts; (b) Statistics on arrears and NPLs; (c) Number of inquiries; (d) Number of new credit facilities approved by credit institutions, and (e) Number of reports pulled. The credit bureau supervision team should compare the different statistics received from credit bureau(s) with statistics submitted by regulated data providers to the banking and non-banking institutions supervisor on a quarterly basis. The review of statistics will enable the supervision team to: (a) identify any inconsistencies and potential errors in statistics submitted by the credit bureau(s) or data providers; (b) identify potential credit risk in respect to specific licensed data providers or high risk business practices; and (c) identify areas of potential credit market risk which may affect all financial institutions or any sub-segment of the licensed data providers, and take appropriate action in each case. Examples include the following: - If data provider A reports only on 1,000 credit clients to the credit bureau each month, but the bank supervision team’s reports show that the same data provider has 10,000 active credit clients, then this discrepancy can be flagged to the bank supervision team to follow up with the relevant data provider and inquire as to why the data provider is not submitting data on all of its credit accounts. Incomplete data submission can affect the integrity of the credit bureau database as it will not hold complete information on the underlying borrower. Moreover, when a data provider does not submit all of its files to the bureau, it can create general distrust of the credit bureau amongst other data providers and affect the effectiveness of the credit bureau as a whole. - Another example of how credit bureau statistics and bank supervision statistics can complement each other occurs in some jurisdictions where regulated users (like banks) may be mandated to inquire with the credit bureau prior to granting any credit to ensure the stability Credit Bureau Licensing and Supervision: A Primer 20 of their portfolios. Statistics from the credit bureau may show that user A only had 5,000 inquiries with the bureau in a month, but bank supervision statistics may show that user A actually granted 10,000 new loans in the same month. This indicates that the user is not inquiring on every new credit granted, which presents a credit risk and compliance risk for the relevant (bank) supervisor to then handle. The results of the review and analysis are generally summarized by the credit bureau supervision team, with detailed statistical tables and graphs depicting trends in the credit markets and a brief commentary. The resulting analysis should be circulated, preferably on a quarterly basis, to internal users including bank and non-bank supervision departments, statistics and research, senior management of the regulatory body and any other relevant department. The commentary in the report can highlight significant changes in credit market risk, areas needing specific attention, matters impacting financial stability in the market, increased debt stress, potential asset bubbles, etc. The report should also be an input into discussions between the credit bureau supervision team and the bank supervision teams. Bank supervisors can follow up with “problem” data providers to understand discrepancies in numbers reported via the credit bureau and directly to the supervision team, as well as to address data reporting or other challenges. 5 Conclusion Credit bureaus play a critical role in supporting credit markets and ensuring that retail, micro, small and medium sized consumers can access credit to support various needs, such as buying a home or a vehicle. The information that credit bureaus hold and disseminate are critical to determining consumer eligibility for credit and the prices that they pay for accessing different credit products. While credit bureaus were not always regulated in prior years, with the increasing scrutiny around data, its collection, treatment and use, more and more jurisdictions are choosing to regulate the activity of credit bureaus. This primer broadly provides regulators and supervisors with a general blueprint for how to go about setting up a credit reporting supervision function. Ultimately, the design of the credit bureau supervision team, and of the relevant policies and procedures have to be tailored to each jurisdiction’s needs, respective legal and regulatory frameworks and market size. The supervision process ensures that credit bureaus are in compliance with legislation, regulations, and codes of conduct. The objective of supervision, in addition to assessing compliance is to ensure that they are fair to all participants that share data with the bureaus and that the information disseminated does not unfairly discriminate against borrowers. Another key objective is to ensure that bureaus uphold safe practices in information sharing and protecting the rights of consumers. While the process for supervision closely follows the approach undertaken for bank or non-bank FI supervision, regulators should remember that the objectives for credit bureau supervision are a bit different. Credit bureaus should not be compared with deposit-taking institutions or lenders and should not be treated like banks or other financial institutions. Bureaus should be assessed on a different set of criteria that are relevant from the perspective of the existing legal and regulatory frameworks and best practices in credit reporting. The information gained from supervising credit bureaus, however, can be complementary to the supervision of banks and non-bank FIs, and credit bureau supervisors and bank supervisors should work closely to effectively use the information coming from the supervision of credit bureaus as well as financial institutions. Credit Bureau Licensing and Supervision: A Primer 21