RBI Guidelines for Credit Information Reports

TransUnion CIBIL, Equifax, CRIF High Mark, and Experian are some of the top credit rating providers in India. These four giants hold highly sensitive credit-related information, and the Reserve Bank of India (RBI) monitors the sourcing, compilation, and usage of this information. This ensures that you are safeguarded from any possible occurrences of fraud and identity theft. Learn more about the guidelines established by the RBI to ensure that your data remains protected.

In 2019, it came to the RBI’s attention that lending institutions were sharing sensitive credit information about their customers with FinTech’s. This activity was conducted to expand their business base with the help of such digital platforms. The RBI issued a notice on 16th September 2018, condemning such acts and declaring them unlawful under the RBI circular on CIBIL reporting. This was done to maintain the privacy of customers associated with lending institutions.

 

However, the Credit Information Companies (Regulation) Act, 2005 (CICRA) was amended in November 2021. The amendment states that “an entity engaged in the processing of information, for the support or benefit of credit institutions, and satisfying the criteria laid down by the Reserve Bank from time to time” may now access the credit histories of Indian citizens. This change has allowed certain entities, including FinTech’s, to access this information and issue pre-approved offers to customers.

Under the Credit Information Companies (Regulation) Act, 2005, the RBI regulates credit information companies and ensures that credit data is treated responsibly and with the utmost care. These principles govern the usage of credit information in accordance with RBI guidelines on CIBIL reporting:

• Confidentiality

Credit information can only be accessed by authorised institutions. Sharing sensitive information with unauthorised entities, such as FinTech companies, is strictly prohibited without proper amendments or legal standing.

• Accuracy

Financial institutions are mandated to keep their customers' credit information up to date and on a monthly basis to reflect accurate credit behaviour, as required by RBI guidelines on CIBIL score.

• Transparency

The guidelines require credit bureaus to be transparent about how they collect, store, and share data. This helps build trust and allows customers to raise a dispute if they find any discrepancies in their credit report.

• Fair Access

As per the guidelines issued by the RBI in 2016, every citizen has the right to access one free credit report per year from the four credit bureaus operating in India. This ensures that individuals can monitor their financial health without monetary barriers.

While the Fair Credit Reporting Act (FCRA) is a concept used in the U.S., it serves as a reference for fair practices in managing credit information. Although India does not have a direct counterpart, similar principles have been implemented within CICRA. Key considerations include:

• Consumer Rights

Borrowers can request access to their credit data and dispute any discrepancies. As per RBI guidelines, credit bureaus must resolve these complaints within 30 days. In case of delayed responses, there is a compensation mechanism in place that levies penalties for unresolved disputes. 

• Data Usage

The FCRA emphasises that consumer information must be used responsibly and only for permissible purposes. This principle is embedded in Indian regulations. For instance, FinTech companies and other entities cannot access credit data unless they comply with the stringent RBI guidelines on CIBIL reporting. 

As per the guidelines issued by the RBI on 1st September 2016, all citizens are entitled to access their credit reports for free. All four credit bureaus must provide one free credit report annually to anyone who requests it. This helps individuals monitor their credit report, score, and assess their financial health. Additionally, any changes made to their credit accounts must be accurately reflected in their credit report. Individuals who find any discrepancies in their credit score can raise a complaint and file grievances with the relevant credit authorities. These complaints are typically resolved within 30 days of filing. This ensures that your credit profile remains up to date and helps maintain your financial standing and creditworthiness.

 

The Free Full Credit Report (FFCR) comprises five sections:

• Personal information such as name, date of birth, address, and bank account details

• Account information such as credit limit, type of loan, etc.

• Days past due (DPD) information

• Any enquiry information

• Overall credit score information

The RBI guidelines on credit information companies have had a significant impact on FinTech companies. These companies relied on accessing consumer credit data to offer personalised financial products to potential customers. The changes in regulations brought about by the Credit Information Companies (Regulation) Act, 2005 have had several implications:

• Restricted Access to Credit Data

The initial RBI guidelines limited the access of FinTech companies to sensitive credit information since they were not considered authorised users under CICRA. However, since the amendment made to the Act in 2021, FinTech’s that meet specific eligibility criteria can now access credit histories, provided they benefit credit institutions. This access enables some FinTech companies to offer pre-approved loans and personalised credit products to consumers. However, they must follow strict guidelines to ensure data security and customer privacy, as the RBI circular on CIBIL reporting reiterates that unauthorised sharing of customer credit data is illegal.

• Impact on Business Models

Most FinTech’s rely on credit data to assess a borrower’s risk potential and offer customised financial products, including instant loans or Buy-Now-Pay-Later (BNPL) services. With the updated guidelines, only FinTech companies that comply with RBI regulations on CIBIL score may continue to offer such services. Non-compliant firms risk losing access to vital customer data, which could hamper their ability to offer personalised financial products.

 

Moreover, increased regulatory oversight compels FinTech’s to integrate robust data governance frameworks and obtain Non-banking Financial Company (NBFC) licenses to operate independently. Companies that have pivoted to this model ensure they can offer lending services without breaching any regulations.

• Consumer Trust and Data Security

The RBI guidelines are designed to enhance consumer trust by ensuring that sensitive credit information is only shared with authorised entities in a secure manner. FinTech’s must now notify customers when their credit data is accessed, making the process more transparent. This not only protects consumers but also ensures that FinTech’s handle customer data responsibly. Failure to comply with these guidelines can result in penalties, loss of consumer trust, and damage to the FinTech’s reputation in the market.

The RBI wants to ensure that borrowers’ sensitive credit information remains safe, so these guidelines continue to evolve to accommodate the changing needs of citizens. Some recent developments include:

• Hard Inquiry Intimation

Credit bureaus will now have to inform individuals when lenders access their credit reports. This is as per a notification issued by the Central Bank on 26th October 2023. This is part of a larger effort to increase transparency as outlined in the RBI circular on CIBIL reporting. These alerts will be sent either via SMS or email to customers. The RBI has further clarified that these messages will only be sent if the inquiry reflects in the Credit Information Report (CIR). Additionally, financial institutions must inform their customers when they forward data regarding defaults or Days Past Due (DPD) to relevant credit bureaus. These directives will take effect from 26th April 2024, six months after the notification was issued.

• Grievance Redressal

If you find any discrepancies with your credit report, you can raise a formal complaint with your credit bureau. They will contact the relevant lender and ask for an update regarding the complaint that you have raised. Upon doing so, the credit bureau is required to make the relevant changes to your credit report. This process should ideally be completed within 30 days of filing the complaint. The RBI has further proposed a compensation mechanism for delays in updating or rectifying credit information. In case the credit bureau fails to resolve such complaints within 30 days, they will be liable to pay a penalty of ₹100 per day, as per the guidelines.

 

These are some of the guidelines that affect the way credit reports are created and shared while safeguarding your sensitive credit-related information. This also protects you from any possible fraud and other malicious activities. Follow these guidelines thoroughly to ensure you stay legally compliant and have a better grasp of your credit and financial health.

The Reserve Bank of India has set clear guidelines regarding the sharing of credit information to ensure consumer privacy and data security. Under the Credit Information Companies (Regulation) Act, 2005 (CICRA), credit institutions such as banks and Non-banking Financial Companies (NBFCs) are allowed to share your credit information only with authorised entities. This includes regulated financial institutions, insurance companies, and credit rating agencies. Some of the key guidelines include:

• Access Restrictions

Only entities that have been authorised by RBI guidelines can access consumers' credit history. This excludes unauthorised FinTech’s unless they comply with specific RBI regulations.

• Transparency

Credit bureaus must ensure that consumers are informed about how their data is used, with mechanisms in place for consumers to dispute inaccuracies in their credit reports.

• Usage Limitations

Credit data can only be used within permissible limits, such as for assessments of creditworthiness, and cannot be shared for unrelated business purposes.

• Regular Updates

Credit institutions must update consumers' credit data on a frequent basis, typically monthly, to maintain data accuracy.

• Service Providers

There are four primary credit bureaus in India: Equifax, TransUnion CIBIL, CRIF High Mark, and Experian. These are responsible for managing and sharing credit information in compliance with RBI regulations.