Rwanda
Regulation relating to Credit Reporting System
Regulation 27 of 2019
- Published in Official Gazette 40 on 14 October 2019
- Assented to on 9 September 2019
- Commenced on 14 October 2019
- [This is the version of this document from 14 October 2019.]
Chapter One
General provisions
Article One – Purpose of this regulation
This regulation aims at:1°implementing the law governing credit reporting system;2°setting standards for the effectiveness of credit reporting system and;3°enhancing consumers’ right.Article 2 – Definitions of terms
In this regulation, unless the context requires otherwise, the following terms shall mean:1°Accurate data: data which is free of errors, truthful, complete and up-to-date;2°Capital: permanent shareholder’s equity in form of issued and fully paid-up shares of common stock plus all disclosed reserves, less goodwill and any other intangible assets computer software excluded;3°Central Bank: the National Bank of Rwanda;4°Credit information: information concerning a data subject’s identification and credit history, as defined under this regulation;5°Credit report: service provided through credit reporting systems and including relevant information about credit payment history by individuals or legal entities;6°Credit reporting service provider: a legal entity that administers a credit reporting system as a credit registry or credit bureau;7°Data delivered timely: data available to users through the credit bureau in a prompt manner to enable users to carry out their functions without unnecessary delays;8°Data provider: creditors and other entity that, in a structured fashion, supplies information to the credit reporting service providers;9°Data subject: an individual or a legal entity whose data may be collected, processed, and disclosed to third parties in a credit reporting system;10°Free credit report: a credit report got from the operator of credit bureau without any cost;11°Manager: a person who has an executive authority and a member of the executive committee of an operator of credit bureau;12°Sufficient data: relevant data comprises both negative and positive data;13°Significant shareholder: Shareholder who owns or acquires in an operator of credit bureau, directly or indirectly, alone or in conjunction with others, represents at least five percent (5%) of the equity capital or voting rights, or that makes it possible to exercise a significant influence over the management of that operator of credit bureau;14°Operator of credit bureau: a legal entity that is licensed by the Central Bank to operate credit bureau business;15°Participants: both mandatory and voluntary participants including both data providers and users;16°User: an individual or a legal entity that requests credit reports, files or other related services from credit reporting service providers, under predefined conditions and rules in accordance with this regulation.Chapter II
Licensing of the operator of credit bureau
Article 3 – Required minimum paid up capital
A person applying to conduct credit bureau activities shall have a minimum paid up capital of not less than One Hundred Million Rwandan francs (FRW 100,000,000).Article 4 – Application for license
A registered company wishing to conduct business as an operator of credit bureau shall submit an application letter to the Central Bank for a license and submit it either as hard copy or electronically.The application letter shall be addressed to the Governor of the Central Bank and shall be accompanied by documents and information stated in article 5 of this regulation.Article 5 – Required documents and information accompanying the application
An application shall be accompanied by the following documents and information:1°A duly filled application form set out in appendix 1;2°A copy of the applicant’s certificate of incorporation;3°Memorandum and Articles of Association;4°Proof of a minimum paid up capital evidenced by certificate of investment in short-term instrument such as T-bills or short term deposit.5°A non-refundable application fee of One Million Rwandan francs (FRW 1,000,000) paid to the Central Bank account;6°A non-objection letter from the home regulator for a foreign operator of credit bureau intending to operate in Rwanda;7°A feasibility study by an applicant that shows the business plan, organizational structure and internal monitoring procedures of the company and data on:i.Mission statement and goals;ii.Market analysis;iii.Ownership structure;iv.Governance structure;v.Management structure;8°A description of projected investments;9°Financial projections for at least three coming years;10°A business continuity plan;11°Details of the applicant’s significant shareholders, directors and managers, as stated in the personal information sheet set out in appendix 2;12°A description of the applicant’s premises and suitability for credit bureaus activities;13°The overview of operations including a description of systems, designs of the data collection and dissemination and management processes including:i.The development schedule of the computer software required for the operations;ii.Characteristics of products and services to be provided to users;iii.Policy on service provision;iv.Proposed security and control measures to prevent improper access to data;v.Operational manuals designed to ensure accuracy of data contained in the database and its update, andvi.The proposed fees and costs structure of service to be delivered.Article 6 – Letter of acknowledgement
Upon receipt of an application form together with the requisite supporting documents as provided under article 5 of this regulation, the Central Bank shall, within ten (10) working days send to the applicant a letter of acknowledgement informing that the file submitted for license is complete or incomplete.When there is incomplete information and/or a material error found in the application file, the Central Bank shall notify the applicant to complete and/or rectify the situation within thirty (30) calendar days after receipt of the notification.If the application file submitted for license is found to be complete, a thorough assessment or evaluation of the file will commence.Article 7 – Criteria for assessing the application
The Central Bank assesses the application based on information provided by the applicant and/or information gathered from other reliable sources.The Central Bank shall further assess whether the applicant fulfils the following:1°to be a company incorporated in Rwanda according to the Law relating to companies;2°where a shareholder is a bank, a microfinance institution, any other financial institution or any other user, such a shareholder should not have more than fifteen per cent (15%) of shares or the voting rights in the proposed credit bureau;3°whether the business plan includes the long-term investments for the credit bureau operations;4°to have sufficient transparency in the ownership structure and governance arrangements of the company;5°to have human and operational resources that are adequate to perform its function efficiently and safely;6°to have premises, networks, data governance and supporting infrastructure which are suitable for the intended business;7°to have adequate security systems in place to avoid loss, corruption, destruction or unauthorized access to data and network;8°assess the fitness and propriety of shareholders, directors and managers as well as the source of funds;Article 8 – The Central Bank decision to the applicant
The Central Bank shall, within three (3) months after receipt of a complete application, respond to the application and communicate the final decision to the applicant.The Central Bank decision shall:1°grant the license, if it is convinced that the application satisfies the requirements for licensing;2°grant the license subject to the fulfilment of certain conditions that it may deem necessary;3°grant the applicant with a limited license covering only part of the credit bureau business for which the applicant meets the requirements;4°or refuse to grant the license for reasons stated in the letter of refusal.The Central Bank shall notify in writing the applicant of its decision to grant or refuse license and reasons for the refusal.Article 9 – Additional requirements
Where the Central Bank decides to grant a license, it shall in the notice, communicating the decision to grant a license, require the applicant to submit the following:1°the IT audit report done by a recognized audit firm approved by the Central Bank.2°information related to material outsourcing services together with information on service providers;3°pay the license fee prescribed under this regulation;4°provide any other documents or information that may be deemed necessary by the Central Bank.Article 10 – Onsite visit of the applicant premises
Notwithstanding the granting of a license, no operator of credit bureau shall start credit bureau business without prior clearance from the Central Bank, which shall conduct a pre-opening inspection of the proposed premises.The pre-opening inspection is to confirm among other requirements operational tools, the adequacy of the premises for the proposed business, effectiveness of IT tools and infrastructure, security and data protection system.Article 11 – Issuance of license to the applicant and license fee
Upon satisfaction of licensing requirements, the Central Bank shall issue the certificate of license to the applicant.Any newly licensed operator of credit bureau shall pay to the Central Bank a license fee of two million Rwandan francs (FRW 2,000,000).Article 12 – Validity of license
The delivered license is perpetual unless revoked in accordance with provisions of this regulation.The license is the property of the credit bureau, it shall not be transferable, assignable or encumbered in any way.Article 13 – Annual supervision fee
After each financial year, operator of credit bureau shall pay to the Central Bank a supervision fee of 0.5% of the operator of credit bureau’s gross income generated in the previous financial year. This amount shall be paid within four (4) months after the end of the foregoing financial year.The annual supervision fee may be modified by the Central Bank whenever deemed necessary. The modification shall be notified to the operator of credit bureau at least one month before the beginning of the following financial year.Article 14 – Revocation or suspension of operator of credit bureau license
The Central Bank may revoke or suspend a license granted to an operator of credit bureau at any time if the operator of credit bureau:1°has not commenced business within twelve (12) months from the date on which the license was issued;2°has ceased operating for a period of more than one month;3°has obtained the license through incorrect statements or fraudulent means;4°no longer meets the applicable licensing criteria;5°is found to be in violation of provisions of the law governing credit reporting system or in material breach of this regulation, which affects its solvency, the effectiveness of its operations or the public trust.In case of suspension, the suspension period shall not exceed twelve (12) months.The Central Bank may immediately notify the operator of credit bureau of any decision including revocation of license.Article 15 – Conditions for the existing operator of credit bureau
Existing operators of credit bureau shall comply with provisions of chapter II on licensing, within six (6) months from the date of publication of this regulation in the Official GazetteChapter III
Shareholding and governance of the operator of credit bureau
Article 16 – Shareholding
No person shall become a significant shareholder, acquire or transfer directly or indirectly a significant holding or controlling interest unless such a person is deemed fit and proper and approved by the Central Bank.An operator of credit bureau shall submit to the Central Bank a duly completed form annexed to this regulation in appendix 3, for the prospective new significant shareholder of an operator of credit bureau.A participant shall not hold more than fifteen per cent (15%) of shares or voting rights in the credit bureau.A participant shall not invest in more than one credit bureau.Article 17 – Board of Directors
An operator of a credit bureau must have a Board of Directors consisting of members who must have an overall understanding of the operations and information technology systems of the credit bureau.Every operator of credit bureau shall have a Board of Directors consisting of not less than five (5) members of which 3/5 shall be independent.The Board of directors shall elect an independent chairperson from amongst its members.Members of the Board of Directors shall;1°meet at least once quarterly in any manner, including teleconferencing;2°ensure that the activities conducted in all offices of the operator of credit bureau are in full conformity with this regulation;3°appoint a competent Chief Executive Officer and Chief data technology officer;4°ensure that the operator of credit bureau maintains, at all times, an effective system of internal controls;5°ensure that the operator of credit bureau maintains a data subject’s claims and inquiries service to assist data subjects who may be affected by the data contained in the database and who allege that the data is illegal, inaccurate, erroneous or outdated.6°ensure that the operator of credit bureau has adequate staff to undertake the functions of the operator of credit bureau and to sufficiently meet the demands of data subjects;7°promote fair conditions for all participants in the credit data system;8°promote transparency regarding pricing policies;9°Strengthen security measures, policy on the overall service, and other policies and procedures necessary for the sound operation of the credit bureau.Article 18 – Board of Directors Committees
To increase efficiency and allow deeper focus, the Board of Directors of an operator of credit bureau must have at least the following two (2) board committees:1°Board audit committee; and2°Board IT and Operations Committee.Article 19 – Board of Directors audit committee
The Board of Directors is required to establish an audit committee to review the financial conditions of the institution, its internal controls, the performance and findings of the internal audit function and of the external auditors, and to recommend appropriate corrective measures regularly, at least quarterly.The audit committee, which must be distinct from other committees, shall be made up of independents and non-executive directors who must have experience in audit practices, financial reporting and accounting.The Board audit committee shall be chaired by an independent board member.The primary responsibilities of the audit committee shall include, but not limited to the following:1°Framing policy on internal audit and financial reporting, among other things;2°Overseeing the financial reporting;3°Process and review the financial statement; including the explanatory notes, the management report and the external auditor report;4°recommend to the board or shareholders, for their approval, the appointment, remuneration and dismissal of external auditors;5°review and approve the audit scope and frequency;6°Receiving key audit reports and ensuring that senior management is taking necessary corrective measures in a timely manner to address control, weaknesses, non-compliance with policies, laws and regulations, and other problems identified by auditors and other control functions.Article 20 – Board IT & Operations Committee
IT Committee members should be technically competent. At least one member must have substantial IT expertise in managing technology.The Board IT Committee shall be chaired by an independent board member.The primary responsibilities of the IT Committee shall include, but not limited to the following:1°perform oversight functions over the IT system;2°ensure that relevant aspects related to data integrity, security, accessibility, business continuity, product development, data governance and privacy are adequately addressed;3°Ensure that the primary data of the operator of credit bureau are hosted in Rwanda.Article 21 – Management
The Operator of credit bureau shall be managed by a managing director who is skilled in credit bureau business, financial sector business or related field.The Board of Directors shall determine the Managing Director’s responsibilities and other requirements.The Managing Director shall develop the code of conduct policy that shall be approved by the Board of Directors.Article 22 – Prior approval by the Central Bank
No person shall become a member of the Board of Directors of an operator of credit bureau unless such a person is approved by the Central Bank.An operator of credit bureau shall submit to the Central Bank a duly completed form annexed to this regulation in appendix 3, for the prospective member of the Board of Directors or a senior manager of a credit bureau.Article 23 – Multiple functions
No person shall combine duties of chairperson of the Board of Directors and duties of the Managing Director of an operator of credit bureau.A Managing Director of an operator of credit bureau is not allowed to hold any other permanent position or being a Managing Director in any another company.No shareholder with a significant holding shall be appointed as a chairperson or deputy chairperson of the Board of Directors.Article 24 – Conflict of interest
Board of Directors and senior managers shall not engage directly or indirectly in any business activity that competes or conflicts with the credit bureau’s interest. Whenever possible, they must avoid situations that would give rise to a conflict of interest.If a transaction with the credit bureau cannot be avoided, it is done in the regular course of business and upon terms not less favorable to the credit bureau than those offered to others.A director, senior manager or a staff shall not use his/her position to make profit or to acquire benefit or advantage for him/herself or his/her related interests.Where a director, senior manager or a staff has a financial interest in a transaction undertaken by the operator of credit bureau, such an interest must be disclosed immediately. Following such disclosure, the affected director or the staff shall not be directly involved in any decision affecting that particular transaction as long as the interest continues to exist.The code of conduct developed by the Management may provide for a board-level review of key transactions, including intra-group transactions, as well as require public disclosure of reported conflicts of interest in order to manage and control potential conflicts of interest.Chapter IV
The operator of credit bureau business
Article 25 – Permissible activities of the operator of credit bureau
The operator of credit bureau may engage in the following activities:1°the collection, collation, inspection, storage, management, evaluation, updating and dissemination of data subject information as provided by this regulation;2°the provision of other services including, but not limited to:a)credit scoring;b)credit application processing;c)default notice or “watch services;d)statistical research;e)debtor tracking services with respect to credits lawfully granted;3°the sale of specialized literature, software and other material related to its activities;4°the assessment of business debtors at the time of the sale of the business and other transactions;5°fraud detection;6°dissemination of information for strategic risk information for market expansion or contraction purposes;7°training and advisory services;8°such other activities as may be approved by the Central Bank in writing.Article 26 – Management and hosting of data
The operator of credit bureau shall collect, collage, process and store the credit data from the data subject.The operator of credit bureau shall maintain data on the territory of the Republic of Rwanda with all systems and computer software required for credit bureau business.The Board of Directors shall be responsible for the implementation of strict quality control procedures in order to ensure the quality, accuracy and security of data and reliability of its database.Article 27 – Outsourcing requirements
An operator of credit bureau cannot outsource the following core management functions:1°planning;2°organisational structure;3°management and audit;4°data management;5°decision making functions like determination of compliance with applicable laws and regulations;An operator of credit bureau that intends to outsource any other activity shall get approval from the Central Bank.Chapter V
Data standards and privacy note
Article 28 – Data Standards
The operator of credit bureau shall get the information provided for by the law from the data providers.Data shall be collected using standard data format determined by the Central Bank.The Central Bank may determine additional data that must be collected by data providers and submitted to the credit reporting service providers.Article 29 – Privacy note
Data providers must, using a standard privacy note prescribed in appendix 4, inform data subjects about their data transmission to the operator of credit bureau or to credit registry.The privacy note specified in Paragraph One of this article includes the following:1°information related to the type of data processing that is going to take place using data subjects’ information;2°categories of users that can access the processed information;3°names of the operator of credit bureau;4°specific procedures for data subjects to exercise their rights.Chapter VI
Reporting requirements
Article 30 – General principles for credit reporting
The credit data shall be accurate, timely and sufficient.Article 31 – Required data to be submitted to the operator of credit bureau by data providers
Data provider shall provide with the operator of credit bureau the following information:1°sufficient data to confirm the identity of the data subject;2°data on credits, collaterals and on guarantees from third parties;3°data on bounced cheques issued;4°Data subject’s internal credit facility number;5°Data on insurance policy and related claims;6°Other data as may be reasonably required by the operator of credit bureau and approved by the Central Bank.The report shall be submitted only in soft copy. The deadline is set not later than 10th day of the following month.Chapter VII
Data subject’s rights
Article 32 – Right to consent on data usage
The data user obtains consent from the data subject prior to using its information.Data user and credit reporting service providers must prove that no information has been used without data subject’s consent.Failure to present such a proof, data subject, data user and credit reporting services providers are subject to sanctions as provided in appendix 5 of this regulation.However, this requirement does not apply to the Central Bank or any other State organ in the exercise of its responsibilities and to the data subject on its own data.The standard template of the consent clause is attached in appendix 6 of this regulation.Article 33 – Data subject’s right to access own data
The Data subject has the right to receive a copy of the operator of credit bureau report relating to him/her without charge, in the following cases:1°when an application for credit is rejected by a subscriber or for other authorized purpose;2°once per six (6) months, after making a request to have inaccurate data corrected in the database;3°once a year;4°The Data subject also has the right to receive a copy of the operator of credit bureau report at any time, upon payment of the fees determined by the credit bureau.Article 34 – Modalities to be followed by data subjects to review their own data
Where a data subject believes that the data contained in the operator of credit bureau report is inaccurate, erroneous, insufficient and/or incomplete or outdated, the data subject may notify the operator of credit bureau in writing of the data disputed.Within five (5) working days of being informed that data in its report is disputed, the operator of credit bureau shall:1 °attach a note to the report warning that the disputed data is under investigation, and that notice shall remain in the file until resolution of the dispute;2°give the data provider a notice of dispute requesting for confirmation of the accuracy of the disputed data.Within twenty (20) working days, the operator of credit bureau shall conduct a reasonable investigation, based on all relevant data provided by the data subject, and contact the data provider if necessary.Where the investigation reveals an error, the operator of credit bureau shall promptly remedy it.If the operator of credit bureau does not complete its investigation within twenty (20) working days, the complaint shall be referred to the Central Bank or corrected as requested by the data subject. If the operator of credit bureau later completes its investigation, it may complete or correct disputed data based on the results of such investigation.After dispute resolution or an amendment notice from a data provider, the operator of credit bureau shall immediately update its system accordingly and within five (5) working days send a notice of change to any subscriber that has in the previous six (6) months obtained a credit report from the operator of credit bureau containing the incorrect data, indicating the correction of the disputed data.Should the data subject disagree with the resolution of the disputed data, the data subject may request the operator of credit bureau to attach its report, a short statement setting out the data subject’s claim that the data is not accurate and the operator of credit bureau shall take reasonable steps to comply with the data subject’s request.When the investigation is completed, the operator of credit bureau shall communicate to the data subject the results of investigation in writing and provide to the data subject a free copy of credit report if the disputed data has been changed.The above stated free copy of credit report shall not be considered as an annual free credit report.Article 35 – Data subject’s request for Central Bank to review the investigation decision of the operator of credit bureau
A data subject who is not satisfied with the result of the investigation by the operator of credit bureau may submit the request to the Central Bank for review.After receiving the request, the Central Bank shall investigate and respond within thirty (30) calendar days from the date of receipt of the data subject request.The Central Bank decision on the data subject’s request shall be final.Exhaustion of the above dispute resolution process shall be a condition precedent for exercising any judicial remedies (court process) available to the complainant.Chapter VIII
Administrative and pecuniary sanctions
Article 36 – Administrative sanctions to directors, managers or other staff of the operator of credit bureau
The Central Bank may warn, suspend or dismiss a director, manager or a staff of the operator of credit bureau who:1°fails to comply with the provisions of the law governing credit reporting system and this regulation or any other legal instrument issued by the Central Bank;2°fails to meet vetting requirements on an on-going basis;3°has non-performing credit in any financial institution;4°has issued bounced cheques and;5°Commits any other act that may demoralize his/her fit and proper standardsArticle 37 – Administrative sanctions to the operator of credit bureau
If an operator of credit bureau violates or fails to comply with provisions of the law governing the Credit Reporting System and its implementing regulation or any other regulation, directive and decision issued by the Central Bank, the Central Bank may impose one or more of the following correctives measures against the operator of credit bureau depending on the gravity of the fault:1°written warning;2°prohibition on declaring or paying dividends;3°prohibition from declaring any types of bonuses, severance packages, or other discretionary compensation to Board of Directors;4°prohibition from declaring any types of salary incentives or other discretionary compensation to senior managers and staff;5°prohibitions of payment of management and technical fees to parent companies and related parties;6°Any other administrative sanction provided in any other Central Bank regulation and directive.Article 38 – Pecuniary sanctions applied to the operator of credit bureau or data providers
Without prejudice to other provisions of this regulation, where an operator of credit bureau or a data provider fails to comply with the provisions of the law governing credit reporting system or other relevant legal instruments, relevant sanctions specified in the appendix 6 shall apply.Article 39 – Mode of payment of penalty fee
The Central Bank shall notify in writing an operator of credit bureau or a data provider of the violation made and the related pecuniary sanction.The amount of the fine shall be paid to the Central Bank account within ten (10) calendar days upon reception of the notification.Failure to pay within the determined deadline, the delay fee of 2% per day of the due amount of the fine is registered.Chapter IX
Miscelllaneous and final provisions
Article 40 – Financial reporting
An operator of credit bureau shall maintain its accounts in accordance with acceptable accounting principles or as directed by the Central Bank.The financial statements of an operator of credit bureau shall comply with the International Financial Reporting Standards (IFRS).An operator of credit bureau shall submit, to the Central bank, annual audited financial statements not later than 31st March of the following year.Article 41 – Drafting and consideration of this Regulation
This regulation was drafted, considered and approved in English.Article 42 – Repealing provision
All prior regulatory provisions inconsistent with this regulation are hereby repealed.Article 43 – Commencement
This Regulation shall come into force on the date of its publication in the Official Gazette of the Republic of Rwanda.History of this document
14 October 2019 this version
Commenced
09 September 2019
Assented to