Regulation relating to Credit Reporting System

Citation
Regulation 27 of 2019
Date
14 October 2019
Language
English
Type
Legislation
Rwanda

Regulation relating to Credit Reporting System

Regulation 27 of 2019

Pursuant to Law N° 48/2017 of 23/09/2017 governing the Central Bank of Rwanda, especially in Articles 6, 8, 9, 10 and 15;Pursuant to Law N° 73/2018 of 31/08/2018 governing credit reporting system, especially in articles 6, 8, 9, 18, 24, 30, 31, 36 and 38;The National Bank of Rwanda, hereinafter referred to as “Central Bank”, decrees:

Chapter One
General provisions

Article One – Purpose of this regulation

This regulation aims at:implementing the law governing credit reporting system;setting standards for the effectiveness of credit reporting system and;enhancing consumers’ right.

Article 2 – Definitions of terms

In this regulation, unless the context requires otherwise, the following terms shall mean:Accurate data: data which is free of errors, truthful, complete and up-to-date;Capital: permanent shareholder’s equity in form of issued and fully paid-up shares of common stock plus all disclosed reserves, less goodwill and any other intangible assets computer software excluded;Central Bank: the National Bank of Rwanda;Credit information: information concerning a data subject’s identification and credit history, as defined under this regulation;Credit report: service provided through credit reporting systems and including relevant information about credit payment history by individuals or legal entities;Credit reporting service provider: a legal entity that administers a credit reporting system as a credit registry or credit bureau;Data delivered timely: data available to users through the credit bureau in a prompt manner to enable users to carry out their functions without unnecessary delays;Data provider: creditors and other entity that, in a structured fashion, supplies information to the credit reporting service providers;Data subject: an individual or a legal entity whose data may be collected, processed, and disclosed to third parties in a credit reporting system;10°Free credit report: a credit report got from the operator of credit bureau without any cost;11°Manager: a person who has an executive authority and a member of the executive committee of an operator of credit bureau;12°Sufficient data: relevant data comprises both negative and positive data;13°Significant shareholder: Shareholder who owns or acquires in an operator of credit bureau, directly or indirectly, alone or in conjunction with others, represents at least five percent (5%) of the equity capital or voting rights, or that makes it possible to exercise a significant influence over the management of that operator of credit bureau;14°Operator of credit bureau: a legal entity that is licensed by the Central Bank to operate credit bureau business;15°Participants: both mandatory and voluntary participants including both data providers and users;16°User: an individual or a legal entity that requests credit reports, files or other related services from credit reporting service providers, under predefined conditions and rules in accordance with this regulation.

Chapter II
Licensing of the operator of credit bureau

Article 3 – Required minimum paid up capital

A person applying to conduct credit bureau activities shall have a minimum paid up capital of not less than One Hundred Million Rwandan francs (FRW 100,000,000).

Article 4 – Application for license

A registered company wishing to conduct business as an operator of credit bureau shall submit an application letter to the Central Bank for a license and submit it either as hard copy or electronically.The application letter shall be addressed to the Governor of the Central Bank and shall be accompanied by documents and information stated in article 5 of this regulation.

Article 5 – Required documents and information accompanying the application

An application shall be accompanied by the following documents and information:A duly filled application form set out in appendix 1;A copy of the applicant’s certificate of incorporation;Memorandum and Articles of Association;Proof of a minimum paid up capital evidenced by certificate of investment in short-term instrument such as T-bills or short term deposit.A non-refundable application fee of One Million Rwandan francs (FRW 1,000,000) paid to the Central Bank account;A non-objection letter from the home regulator for a foreign operator of credit bureau intending to operate in Rwanda;A feasibility study by an applicant that shows the business plan, organizational structure and internal monitoring procedures of the company and data on:i.Mission statement and goals;ii.Market analysis;iii.Ownership structure;iv.Governance structure;v.Management structure;A description of projected investments;Financial projections for at least three coming years;10°A business continuity plan;11°Details of the applicant’s significant shareholders, directors and managers, as stated in the personal information sheet set out in appendix 2;12°A description of the applicant’s premises and suitability for credit bureaus activities;13°The overview of operations including a description of systems, designs of the data collection and dissemination and management processes including:i.The development schedule of the computer software required for the operations;ii.Characteristics of products and services to be provided to users;iii.Policy on service provision;iv.Proposed security and control measures to prevent improper access to data;v.Operational manuals designed to ensure accuracy of data contained in the database and its update, andvi.The proposed fees and costs structure of service to be delivered.

Article 6 – Letter of acknowledgement

Upon receipt of an application form together with the requisite supporting documents as provided under article 5 of this regulation, the Central Bank shall, within ten (10) working days send to the applicant a letter of acknowledgement informing that the file submitted for license is complete or incomplete.When there is incomplete information and/or a material error found in the application file, the Central Bank shall notify the applicant to complete and/or rectify the situation within thirty (30) calendar days after receipt of the notification.If the application file submitted for license is found to be complete, a thorough assessment or evaluation of the file will commence.

Article 7 – Criteria for assessing the application

The Central Bank assesses the application based on information provided by the applicant and/or information gathered from other reliable sources.The Central Bank shall further assess whether the applicant fulfils the following:to be a company incorporated in Rwanda according to the Law relating to companies;where a shareholder is a bank, a microfinance institution, any other financial institution or any other user, such a shareholder should not have more than fifteen per cent (15%) of shares or the voting rights in the proposed credit bureau;whether the business plan includes the long-term investments for the credit bureau operations;to have sufficient transparency in the ownership structure and governance arrangements of the company;to have human and operational resources that are adequate to perform its function efficiently and safely;to have premises, networks, data governance and supporting infrastructure which are suitable for the intended business;to have adequate security systems in place to avoid loss, corruption, destruction or unauthorized access to data and network;assess the fitness and propriety of shareholders, directors and managers as well as the source of funds;

Article 8 – The Central Bank decision to the applicant

The Central Bank shall, within three (3) months after receipt of a complete application, respond to the application and communicate the final decision to the applicant.The Central Bank decision shall:grant the license, if it is convinced that the application satisfies the requirements for licensing;grant the license subject to the fulfilment of certain conditions that it may deem necessary;grant the applicant with a limited license covering only part of the credit bureau business for which the applicant meets the requirements;or refuse to grant the license for reasons stated in the letter of refusal.The Central Bank shall notify in writing the applicant of its decision to grant or refuse license and reasons for the refusal.

Article 9 – Additional requirements

Where the Central Bank decides to grant a license, it shall in the notice, communicating the decision to grant a license, require the applicant to submit the following:the IT audit report done by a recognized audit firm approved by the Central Bank.information related to material outsourcing services together with information on service providers;pay the license fee prescribed under this regulation;provide any other documents or information that may be deemed necessary by the Central Bank.

Article 10 – Onsite visit of the applicant premises

Notwithstanding the granting of a license, no operator of credit bureau shall start credit bureau business without prior clearance from the Central Bank, which shall conduct a pre-opening inspection of the proposed premises.The pre-opening inspection is to confirm among other requirements operational tools, the adequacy of the premises for the proposed business, effectiveness of IT tools and infrastructure, security and data protection system.

Article 11 – Issuance of license to the applicant and license fee

Upon satisfaction of licensing requirements, the Central Bank shall issue the certificate of license to the applicant.Any newly licensed operator of credit bureau shall pay to the Central Bank a license fee of two million Rwandan francs (FRW 2,000,000).

Article 12 – Validity of license

The delivered license is perpetual unless revoked in accordance with provisions of this regulation.The license is the property of the credit bureau, it shall not be transferable, assignable or encumbered in any way.

Article 13 – Annual supervision fee

After each financial year, operator of credit bureau shall pay to the Central Bank a supervision fee of 0.5% of the operator of credit bureau’s gross income generated in the previous financial year. This amount shall be paid within four (4) months after the end of the foregoing financial year.The annual supervision fee may be modified by the Central Bank whenever deemed necessary. The modification shall be notified to the operator of credit bureau at least one month before the beginning of the following financial year.

Article 14 – Revocation or suspension of operator of credit bureau license

The Central Bank may revoke or suspend a license granted to an operator of credit bureau at any time if the operator of credit bureau:has not commenced business within twelve (12) months from the date on which the license was issued;has ceased operating for a period of more than one month;has obtained the license through incorrect statements or fraudulent means;no longer meets the applicable licensing criteria;is found to be in violation of provisions of the law governing credit reporting system or in material breach of this regulation, which affects its solvency, the effectiveness of its operations or the public trust.In case of suspension, the suspension period shall not exceed twelve (12) months.The Central Bank may immediately notify the operator of credit bureau of any decision including revocation of license.

Article 15 – Conditions for the existing operator of credit bureau

Existing operators of credit bureau shall comply with provisions of chapter II on licensing, within six (6) months from the date of publication of this regulation in the Official Gazette

Chapter III
Shareholding and governance of the operator of credit bureau

Article 16 – Shareholding

No person shall become a significant shareholder, acquire or transfer directly or indirectly a significant holding or controlling interest unless such a person is deemed fit and proper and approved by the Central Bank.An operator of credit bureau shall submit to the Central Bank a duly completed form annexed to this regulation in appendix 3, for the prospective new significant shareholder of an operator of credit bureau.A participant shall not hold more than fifteen per cent (15%) of shares or voting rights in the credit bureau.A participant shall not invest in more than one credit bureau.

Article 17 – Board of Directors

An operator of a credit bureau must have a Board of Directors consisting of members who must have an overall understanding of the operations and information technology systems of the credit bureau.Every operator of credit bureau shall have a Board of Directors consisting of not less than five (5) members of which 3/5 shall be independent.The Board of directors shall elect an independent chairperson from amongst its members.Members of the Board of Directors shall;meet at least once quarterly in any manner, including teleconferencing;ensure that the activities conducted in all offices of the operator of credit bureau are in full conformity with this regulation;appoint a competent Chief Executive Officer and Chief data technology officer;ensure that the operator of credit bureau maintains, at all times, an effective system of internal controls;ensure that the operator of credit bureau maintains a data subject’s claims and inquiries service to assist data subjects who may be affected by the data contained in the database and who allege that the data is illegal, inaccurate, erroneous or outdated.ensure that the operator of credit bureau has adequate staff to undertake the functions of the operator of credit bureau and to sufficiently meet the demands of data subjects;promote fair conditions for all participants in the credit data system;promote transparency regarding pricing policies;Strengthen security measures, policy on the overall service, and other policies and procedures necessary for the sound operation of the credit bureau.

Article 18 – Board of Directors Committees

To increase efficiency and allow deeper focus, the Board of Directors of an operator of credit bureau must have at least the following two (2) board committees:Board audit committee; andBoard IT and Operations Committee.

Article 19 – Board of Directors audit committee

The Board of Directors is required to establish an audit committee to review the financial conditions of the institution, its internal controls, the performance and findings of the internal audit function and of the external auditors, and to recommend appropriate corrective measures regularly, at least quarterly.The audit committee, which must be distinct from other committees, shall be made up of independents and non-executive directors who must have experience in audit practices, financial reporting and accounting.The Board audit committee shall be chaired by an independent board member.The primary responsibilities of the audit committee shall include, but not limited to the following:Framing policy on internal audit and financial reporting, among other things;Overseeing the financial reporting;Process and review the financial statement; including the explanatory notes, the management report and the external auditor report;recommend to the board or shareholders, for their approval, the appointment, remuneration and dismissal of external auditors;review and approve the audit scope and frequency;Receiving key audit reports and ensuring that senior management is taking necessary corrective measures in a timely manner to address control, weaknesses, non-compliance with policies, laws and regulations, and other problems identified by auditors and other control functions.

Article 20 – Board IT & Operations Committee

IT Committee members should be technically competent. At least one member must have substantial IT expertise in managing technology.The Board IT Committee shall be chaired by an independent board member.The primary responsibilities of the IT Committee shall include, but not limited to the following:perform oversight functions over the IT system;ensure that relevant aspects related to data integrity, security, accessibility, business continuity, product development, data governance and privacy are adequately addressed;Ensure that the primary data of the operator of credit bureau are hosted in Rwanda.

Article 21 – Management

The Operator of credit bureau shall be managed by a managing director who is skilled in credit bureau business, financial sector business or related field.The Board of Directors shall determine the Managing Director’s responsibilities and other requirements.The Managing Director shall develop the code of conduct policy that shall be approved by the Board of Directors.

Article 22 – Prior approval by the Central Bank

No person shall become a member of the Board of Directors of an operator of credit bureau unless such a person is approved by the Central Bank.An operator of credit bureau shall submit to the Central Bank a duly completed form annexed to this regulation in appendix 3, for the prospective member of the Board of Directors or a senior manager of a credit bureau.

Article 23 – Multiple functions

No person shall combine duties of chairperson of the Board of Directors and duties of the Managing Director of an operator of credit bureau.A Managing Director of an operator of credit bureau is not allowed to hold any other permanent position or being a Managing Director in any another company.No shareholder with a significant holding shall be appointed as a chairperson or deputy chairperson of the Board of Directors.

Article 24 – Conflict of interest

Board of Directors and senior managers shall not engage directly or indirectly in any business activity that competes or conflicts with the credit bureau’s interest. Whenever possible, they must avoid situations that would give rise to a conflict of interest.If a transaction with the credit bureau cannot be avoided, it is done in the regular course of business and upon terms not less favorable to the credit bureau than those offered to others.A director, senior manager or a staff shall not use his/her position to make profit or to acquire benefit or advantage for him/herself or his/her related interests.Where a director, senior manager or a staff has a financial interest in a transaction undertaken by the operator of credit bureau, such an interest must be disclosed immediately. Following such disclosure, the affected director or the staff shall not be directly involved in any decision affecting that particular transaction as long as the interest continues to exist.The code of conduct developed by the Management may provide for a board-level review of key transactions, including intra­-group transactions, as well as require public disclosure of reported conflicts of interest in order to manage and control potential conflicts of interest.

Chapter IV
The operator of credit bureau business

Article 25 – Permissible activities of the operator of credit bureau

The operator of credit bureau may engage in the following activities:the collection, collation, inspection, storage, management, evaluation, updating and dissemination of data subject information as provided by this regulation;the provision of other services including, but not limited to:a)credit scoring;b)credit application processing;c)default notice or “watch services;d)statistical research;e)debtor tracking services with respect to credits lawfully granted;the sale of specialized literature, software and other material related to its activities;the assessment of business debtors at the time of the sale of the business and other transactions;fraud detection;dissemination of information for strategic risk information for market expansion or contraction purposes;training and advisory services;such other activities as may be approved by the Central Bank in writing.

Article 26 – Management and hosting of data

The operator of credit bureau shall collect, collage, process and store the credit data from the data subject.The operator of credit bureau shall maintain data on the territory of the Republic of Rwanda with all systems and computer software required for credit bureau business.The Board of Directors shall be responsible for the implementation of strict quality control procedures in order to ensure the quality, accuracy and security of data and reliability of its database.

Article 27 – Outsourcing requirements

An operator of credit bureau cannot outsource the following core management functions:planning;organisational structure;management and audit;data management;decision making functions like determination of compliance with applicable laws and regulations;An operator of credit bureau that intends to outsource any other activity shall get approval from the Central Bank.

Chapter V
Data standards and privacy note

Article 28 – Data Standards

The operator of credit bureau shall get the information provided for by the law from the data providers.Data shall be collected using standard data format determined by the Central Bank.The Central Bank may determine additional data that must be collected by data providers and submitted to the credit reporting service providers.

Article 29 – Privacy note

Data providers must, using a standard privacy note prescribed in appendix 4, inform data subjects about their data transmission to the operator of credit bureau or to credit registry.The privacy note specified in Paragraph One of this article includes the following:information related to the type of data processing that is going to take place using data subjects’ information;categories of users that can access the processed information;names of the operator of credit bureau;specific procedures for data subjects to exercise their rights.

Chapter VI
Reporting requirements

Article 30 – General principles for credit reporting

The credit data shall be accurate, timely and sufficient.

Article 31 – Required data to be submitted to the operator of credit bureau by data providers

Data provider shall provide with the operator of credit bureau the following information:sufficient data to confirm the identity of the data subject;data on credits, collaterals and on guarantees from third parties;data on bounced cheques issued;Data subject’s internal credit facility number;Data on insurance policy and related claims;Other data as may be reasonably required by the operator of credit bureau and approved by the Central Bank.The report shall be submitted only in soft copy. The deadline is set not later than 10th day of the following month.

Chapter VII
Data subject’s rights

Article 32 – Right to consent on data usage

The data user obtains consent from the data subject prior to using its information.Data user and credit reporting service providers must prove that no information has been used without data subject’s consent.Failure to present such a proof, data subject, data user and credit reporting services providers are subject to sanctions as provided in appendix 5 of this regulation.However, this requirement does not apply to the Central Bank or any other State organ in the exercise of its responsibilities and to the data subject on its own data.The standard template of the consent clause is attached in appendix 6 of this regulation.

Article 33 – Data subject’s right to access own data

The Data subject has the right to receive a copy of the operator of credit bureau report relating to him/her without charge, in the following cases:when an application for credit is rejected by a subscriber or for other authorized purpose;once per six (6) months, after making a request to have inaccurate data corrected in the database;once a year;The Data subject also has the right to receive a copy of the operator of credit bureau report at any time, upon payment of the fees determined by the credit bureau.

Article 34 – Modalities to be followed by data subjects to review their own data

Where a data subject believes that the data contained in the operator of credit bureau report is inaccurate, erroneous, insufficient and/or incomplete or outdated, the data subject may notify the operator of credit bureau in writing of the data disputed.Within five (5) working days of being informed that data in its report is disputed, the operator of credit bureau shall:1 °attach a note to the report warning that the disputed data is under investigation, and that notice shall remain in the file until resolution of the dispute;give the data provider a notice of dispute requesting for confirmation of the accuracy of the disputed data.Within twenty (20) working days, the operator of credit bureau shall conduct a reasonable investigation, based on all relevant data provided by the data subject, and contact the data provider if necessary.Where the investigation reveals an error, the operator of credit bureau shall promptly remedy it.If the operator of credit bureau does not complete its investigation within twenty (20) working days, the complaint shall be referred to the Central Bank or corrected as requested by the data subject. If the operator of credit bureau later completes its investigation, it may complete or correct disputed data based on the results of such investigation.After dispute resolution or an amendment notice from a data provider, the operator of credit bureau shall immediately update its system accordingly and within five (5) working days send a notice of change to any subscriber that has in the previous six (6) months obtained a credit report from the operator of credit bureau containing the incorrect data, indicating the correction of the disputed data.Should the data subject disagree with the resolution of the disputed data, the data subject may request the operator of credit bureau to attach its report, a short statement setting out the data subject’s claim that the data is not accurate and the operator of credit bureau shall take reasonable steps to comply with the data subject’s request.When the investigation is completed, the operator of credit bureau shall communicate to the data subject the results of investigation in writing and provide to the data subject a free copy of credit report if the disputed data has been changed.The above stated free copy of credit report shall not be considered as an annual free credit report.

Article 35 – Data subject’s request for Central Bank to review the investigation decision of the operator of credit bureau

A data subject who is not satisfied with the result of the investigation by the operator of credit bureau may submit the request to the Central Bank for review.After receiving the request, the Central Bank shall investigate and respond within thirty (30) calendar days from the date of receipt of the data subject request.The Central Bank decision on the data subject’s request shall be final.Exhaustion of the above dispute resolution process shall be a condition precedent for exercising any judicial remedies (court process) available to the complainant.

Chapter VIII
Administrative and pecuniary sanctions

Article 36 – Administrative sanctions to directors, managers or other staff of the operator of credit bureau

The Central Bank may warn, suspend or dismiss a director, manager or a staff of the operator of credit bureau who:fails to comply with the provisions of the law governing credit reporting system and this regulation or any other legal instrument issued by the Central Bank;fails to meet vetting requirements on an on-going basis;has non-performing credit in any financial institution;has issued bounced cheques and;Commits any other act that may demoralize his/her fit and proper standards

Article 37 – Administrative sanctions to the operator of credit bureau

If an operator of credit bureau violates or fails to comply with provisions of the law governing the Credit Reporting System and its implementing regulation or any other regulation, directive and decision issued by the Central Bank, the Central Bank may impose one or more of the following correctives measures against the operator of credit bureau depending on the gravity of the fault:written warning;prohibition on declaring or paying dividends;prohibition from declaring any types of bonuses, severance packages, or other discretionary compensation to Board of Directors;prohibition from declaring any types of salary incentives or other discretionary compensation to senior managers and staff;prohibitions of payment of management and technical fees to parent companies and related parties;Any other administrative sanction provided in any other Central Bank regulation and directive.

Article 38 – Pecuniary sanctions applied to the operator of credit bureau or data providers

Without prejudice to other provisions of this regulation, where an operator of credit bureau or a data provider fails to comply with the provisions of the law governing credit reporting system or other relevant legal instruments, relevant sanctions specified in the appendix 6 shall apply.

Article 39 – Mode of payment of penalty fee

The Central Bank shall notify in writing an operator of credit bureau or a data provider of the violation made and the related pecuniary sanction.The amount of the fine shall be paid to the Central Bank account within ten (10) calendar days upon reception of the notification.Failure to pay within the determined deadline, the delay fee of 2% per day of the due amount of the fine is registered.

Chapter IX
Miscelllaneous and final provisions

Article 40 – Financial reporting

An operator of credit bureau shall maintain its accounts in accordance with acceptable accounting principles or as directed by the Central Bank.The financial statements of an operator of credit bureau shall comply with the International Financial Reporting Standards (IFRS).An operator of credit bureau shall submit, to the Central bank, annual audited financial statements not later than 31st March of the following year.

Article 41 – Drafting and consideration of this Regulation

This regulation was drafted, considered and approved in English.

Article 42 – Repealing provision

All prior regulatory provisions inconsistent with this regulation are hereby repealed.

Article 43 – Commencement

This Regulation shall come into force on the date of its publication in the Official Gazette of the Republic of Rwanda.

Appendices 1 - 5

Forms

[Editorial note: The forms have not been reproduced.]

Appendix 6

Pecuniary sanctions

I. Nature of violation by the Operator of Credit BureauSanction (FRW)
1.If an operator of credit bureau fails to:
request for approval of the appointment of members of the Board of Directors and Management, the sanction shall be;Five hundred thousand Rwandan Francs (FRW 500,000) per member.
pay supervision fee within the determined deadline;Fifty thousand Rwandan Francs (FRW 50,000) per day of delay;
notify the Central Bank about any material changes in licensing’s initial conditions;One million Rwandan Francs (FRW 1, 000,000) per each case of material change;
submit accurate report or information to the Central bank;Three hundred thousand Rwandan Francs (FRW 300,000) per inaccurate report or information
update data subject information;Three hundred thousand Rwandan Francs (FRW 300,000) per case;
comply with any other provisions of the law governing Credit Reporting System, this regulation, Central Bank directives and decisions;Three hundred thousand Rwandan Francs (FRW 300,000) per violation;
comply with restrictions on payment of dividends;20% of dividend distributedAlternatively or in addition, the Central Bank may:direct recall of all the dividends, payments or distribution made.order removal or suspension of directors and officers who authorized the payments.
implement on-site examination recommendations as per the action plan deadline;One hundred thousand FRW 100,000 per each recommendation
implement prudential meeting resolutions within the set deadlines.One hundred thousand FRW 100,000 per each resolution
2.Where an operator of credit bureau engages in activities other than those specified in the license;One million Rwanda Francs 1, 000,000 FRW for each activity
II. Nature of violation by the Data ProviderSanction (FRW)
1.If the data provider does not submit to the operator of the credit bureau the required reports within the deadline, submitting an incomplete report, erroneous or outdated reports,If the data provider is:
i.Banks or Insurance companies;Five hundred thousand Rwandan Francs (FRW 500,000) per report;
ii.Telecommunication company/public service utilities;Two hundred thousand Rwanda Francs (FRW 200,000) per report;
iii.Micro-finance institution;One hundred thousand Rwanda Francs (FRW 100,000) per report;
iv.Umurenge SACCOs;Fifty thousand Rwandan Francs (FRW 50,000) per report;
2.If the data provider does not submit to the operator of the credit bureau a bounced cheque, the later shall be liable with a fine of;Five hundred thousand Rwandan Franc (FRW 500,000) per bounced cheque;
▲ To the top

History of this document

14 October 2019 this version
Commenced
09 September 2019
Assented to