The Credit Reporting Act ("the Act") was enacted on the 30th day of May 2017 with the primary objectives of promoting access to credit information and enhancing risk management in credit transactions. To achieve these, the Act provides for the licensing and regulation of Credit Bureaux on one hand, and stipulates the various processes to facilitate the creation, maintenance and sharing of credit information amongst key players on the other hand.
This article examines the role of the said key players in achieving the objectives of the Act and evaluates the legal and practical issues arising therefrom.
Prior to the passing into law of the Act, the activities of the Credit Bureaux were regulated by the Guidelines for the Licensing, Operations and Regulation of Credit Bureaux and Credit Bureaux Related Transactions in Nigeria 2013 (''the Guidelines''). However, with the enactment of the Act, a statutory framework for the licensing and regulation of the operations of credit bureaux in Nigeria, the promotion of a credit reporting system, and the facilitation of the sharing of credit information has now been provided.
The Act, inter alia, sets out the operations of the Credit Bureaux and the role of the key players, which are germane to the realization of the objectives of the Act. These key players include the Credit Information Providers, who provide credit information; Credit Information Users who seek credit information from Credit Bureaux for a permissible purpose; and Data Subjects comprising individuals or entities whose credit information are collated and administered by the Credit Bureaux.
Considering that the proper execution of the function of each key player is critical to the realization of the objectives of the Act, we have provided below, an overview of the rights and obligations of each key player from a legal cum practical perspective.
A Credit Bureau is an entity duly licenced and regulated by the Central Bank of Nigeria under the Act to perform specialized functions, including the creation and maintenance of a database of credit related information and issuance of credit reports based on such information. Its aim is to promote responsibility in the credit market by encouraging responsible borrowing, avoiding over-indebtedness and generally discouraging reckless granting of credit by credit providers. In other words, by the issuance of a credit report, credit providers who are also Credit Information Users, become well guided and better equipped to assess the credit worthiness or otherwise of a person before extending credit.
However, in creating a database of credit information, the Credit Bureaux receive and collate credit information from the Credit Reporting Management System, public registries and key players all known as Credit Information Providers. The reality is that a Credit Bureau is only as valuable as its database of information; and this is perhaps the reason the Act imposes an obligation on Credit Bureaux to regularly update their database regarding the nature of information stored whenever information is provided by a Credit Information Provider. Credit Bureaux are also charged with the obligation to implement strict quality control procedures to ensure the quality of information supplied and the continuity of their services.
In performing its functions, particularly when handling credit related information, a Credit Bureau must ensure the confidentiality and security of its data. However, it is noteworthy that a Credit Bureau has no obligation to verify the accuracy of credit information received unless such information appears to be inaccurate, incomplete, misleading or contains any manifest error. Conversely, the onus is on the credit information provider to ensure that they provide at all times, accurate and complete information to Credit Bureaux, as the Act makes them culpable otherwise.
Furthermore, whilst the Act imposes an obligation on Credit Bureaux to adopt measures allowing Credit Information Providers to correct data which is found to be inaccurate, invalid, incomplete or out of date, the Guidelines further impose an obligation on the Credit Bureaux to notify all Credit Information Users of specific credit information found to be incorrect, and to forward copies of the corrected credit information at no cost to such User, and the Data Subject.
The Act further authorises a Credit Bureau to issue credit reports to Credit Information Users who have obtained the written consent of a Data Subject in a form and substance satisfactory to the Credit Bureau; or who have entered into a Data Exchange Agreement with the Credit Bureau, and where the disclosure is for a permissible purpose. Accordingly, Credit Bureaux will not issue credit reports without the requisite consent of a Data Subject and/or without the execution of a Data Exchange Agreement with it.
Although it is provided that the consent must be in a form and substance satisfactory to the Credit Bureau, there is no clarity as to what constitutes "satisfactory form of consent". The Guidelines however define consent as a signed written authorization by the Data Subject, or his/her legal representative or authorized agent indicating his/her approval to inquire about his/her data from the Credit Bureaux. Accordingly, it is our view that a written and properly executed consent letter from the data subject shall be valid for this purpose.
The Act stipulates that Credit information must be maintained by a Credit Bureau for at least 6 years from the date it was provided by a Credit Information Provider to a Credit Bureau or by a Credit Bureau to a Credit Information User, whichever is later; after which same must be archived for another 10 years.
Credit Information Providers
These are entities who provide or furnish credit information to a Credit Bureau and typically include banks, microfinance institutions, cooperative societies and insurance companies. In addition, a noteworthy category of Credit Information Providers as provided by the Act are utility companies such as electricity companies, telecommunications companies and water corporations. The implication of having this category of Credit Information Providers, at least from the perspective of a Data Subject, is that a default in payment of electricity bills for instance, may be reported to and received by a Credit Bureau and thus, count towards an assessment of the credit worthiness of such Data Subject.
Due to the role a Credit Information Provider plays with respect to the obtention of credit information by the Credit Bureaux, it is critical for Credit Information Providers to ensure that they always provide accurate and complete information regarding a Data Subject. Accordingly, a Credit Information Provider and/or a Credit Bureau are first points of contact in the event of a dispute regarding the validity, accuracy or completeness of credit information or a credit report. Furthermore, the Act imposes liability on a Credit Information Provider where there are losses arising from the provision of inaccurate data as a result of the illegal activity, gross negligence or misconduct of a Credit Information Provider. Where a Credit Bureau is found culpable for any incorrect or incomplete credit information, such Credit Bureau can bring a claim against the applicable Credit Information Provider.
The Act provides that a Credit Information Provider can disclose credit information relating to a Data Subject to a Credit Bureau without the prior consent of such Data Subject. This position is logical considering the circumstances under which credit information is disclosed by a Credit Information Provider, as no Data Subject will voluntarily give consent to a Credit Information Provider to disclose its credit information to a Credit Bureau.
A Credit Information Provider, when acting in the capacity of a Credit Information User is mandated to obtain a Credit Report from at least one Credit Bureau before granting any form of credit. However, suppliers of goods and providers of services on a post-paid, deferred or instalment payment basis; and other entities who have relevant information that comply with permissible purposes and serve the purposes of a Credit Bureau are not required to obtain a Credit Report before extending credit except they are otherwise restricted under any other applicable law.
For the purpose of performing its role under the Act, any obligation of confidentiality owed to a Data Subject by a Credit Information Provider, such as by a Bank to its customer, is waived or modified to the extent required of the Credit Information Provider to perform its obligations under the Act.
Furthermore, a Credit Information Provider is entitled to receive services from a Credit Bureau if it has a valid Data Exchange Agreement with such Credit Bureau. They are also entitled to the integrity and protection of data submitted to a Credit Bureau.
Credit Information Users
As the name implies, these are users of credit information who obtain information from a Credit Bureau for a permissible purpose. Permissible purposes under the Act include: considering an application for credit or qualification as a guarantor; restructuring credit facilities; underwriting, reviewing or renewing insurance policies or analysing insurance claims; considering applications for credit contracts or other post-paid services; carrying out employment checks on prospective employees; and assessing the credit worthiness of a prospective tenant in any lease or tenancy.
In other words, Credit Information Users would include all Credit Information Providers, employers of labour and even a landlord. Indeed, one may argue against the rationale for an employer of labour as a Credit Information User for the purpose of carrying out employment checks on prospective employees, considering that it is not a credit based transaction, at least from the point of view of the employee. In fact, the reverse should be the case for the obvious reason that an employee may want to satisfy himself/herself as to the creditworthiness or capacity of the employer to pay the salary as and when due. A case may be made for a Landlord as a Credit Information User as landlords would need to make an informed judgment regarding the creditworthiness or capacity of a prospective tenant to pay rent as it becomes due.
Considering that a Credit Bureau will not release credit information to a Credit Information User in the absence of a data exchange agreement with such Credit Information User, or until the consent of the Data Subject is obtained by the Credit Information User, it behoves the Credit Information User to take practical steps to either execute a data exchange agreement with the Credit Bureau or obtain a consent letter from a Data Subject.
Having regard to the volume of Data Subjects that Credit Information Users such as financial institutions deal with, this category of Credit Information Users are encouraged to enter into data exchange agreements with Credit Bureaux which essentially serves to circumvent the need to obtain the consent of every data subject before receiving credit information from Credit Bureaux.
However, for other adhoc Credit Information Users such as landlords and employers, a practical step might be to incorporate a consent clause in an Offer of Employment Letter whereby the prospective employee gives his/her consent to the prospective employer to inquire about his/her creditworthiness from a Credit Bureaux. In that case, It will be expedient for the employer to also subject the employment to satisfactory checks with the Credit Bureau. The same principle also applies in the case of a landlord, who may by an Offer Letter or consent letter, be able to elicit the consent of the prospective tenant to obtain its credit information from a Credit Bureau for the purpose of granting a tenancy/ lease.
A Credit Information User cannot disclose credit information received from a Credit Bureau to any person, or use such information for any purpose other than a permissible purpose, except with the written consent of the Data Subject and unless such disclosure is required by applicable law, court order or by the CBN; and where the Data Subject is involved in financial or credit related malpractice e.g. the issuance of dishonoured cheques. Furthermore, considering that Credit Information Users consist of Credit Information Providers, it follows that an insurance company for instance, may function as a Credit Information Provider and a Credit Information User. Accordingly, in its dealings with the Credit Bureau, it should be borne in mind, that even though consent might not be required when acting in the capacity of a Credit Information Provider, consent is compulsorily required when acting as a Credit Information User.
It should also be noted that where a Credit Information User declines an application by, or a transaction involving a Data Subject on the basis of a Credit Report of the Data Subject, the Credit Information User must inform the Data Subject within 15 working days of the reason(s) for such denial and provide a copy of the Credit Report to the Data Subject at no cost.
A Data Subject is any person or entity, or a guarantor of any person or entity, whose Credit Information is collated and administered by the Credit Bureaux. Having regard to the permissible purposes as provided by the Act, a Data Subject will typically include seekers of credit, persons involved in credit related transactions, persons to whom utility services are provided, prospective employees or employees in whatever form; prospective tenants/ lessees etc. In other words, every/any one is a potential Data Subject.
Being a potential Data Subject, caution must therefore be exercised when entering credit related transactions to avoid credit default under a financial contract.
It is clear from the provisions of the Act that even as a tenant, you stand a chance of tainting your credit records if you default in your tenancy obligations and such information is submitted by your landlord to a Credit Bureau. Indeed, it is in the best interest of the Data Subject to comply with its financial obligations in a credit transaction to avoid having an unfavourable credit report.
The Act provides that all Data Subjects shall have the right to privacy, confidentiality, and protection of their credit information, and where such information needs to be shared, it shall be done with the consent of the Data Subject. However, as earlier stated, Credit Information Providers may disclose credit information of the Data Subject without consent. Similarly, where a Data Subject is involved in the issuance of a dishonored cheque owning to lack of funds or financial and credit related malpractices and disclosure of credit information is required, the consent of the said Data Subject shall not be required.
It is also important to note that where consent is given by a Data Subject, it is only valid for the specific purpose for which it was granted and shall lapse immediately the purpose is satisfied. This therefore means that every single transaction or purpose shall each require the consent of the data subject.
Under the Act, a Data Subject has the right to request and obtain one free credit report from a Credit Bureau; and a further right to contest the accuracy of information provided in such credit report. More importantly, where an application or transaction involving a data subject has been declined on account of information provided to a Credit Information User in a credit report, the Data Subject is entitled to be informed by the Credit Information User about the reason(s) for the denial, and be provided with a copy of the credit report. Consequently, in the scenario of the landlord and tenant as mentioned above, should the landlord choose not to grant the tenancy owing to the credit report provided on the Data Subject, the landlord must within 15 working days, inform the Data Subject of the reason for the denial and provide a copy of the credit report to the Data Subject.
A Data Subject who has any complaint regarding the accuracy of any information provided in a credit report can submit its complaint in writing to a Credit Information Provider or a Credit Bureau, upon which the Credit Bureau shall conduct investigations and reach a decision. The decision must be communicated to the Data Subject within 10 working days of the receipt of the complaint. However, where the complaint is not satisfactorily resolved by the Credit Information Provider or Credit Bureau, it may be referred to the Central Bank of Nigeria (CBN), and ultimately to a court of competent jurisdiction.
Whilst it is the expectation that the Credit Reporting Act will facilitate and promote ease of access to credit as is obtainable in other countries, the Act is a means to an end not an end in itself. Thus, to achieve the desired objectives of the Act, we all have roles to play, whether in our capacity as providers or users of credit information. Only when there is synergy and proper synchronization of credit information by the stakeholders, can the Act yield the intended outcome.
Furthermore, although the provisions of the Act are lofty considering the intended objective, the compliance cost may hinder the achievement of the objectives.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.