While revising its master directions for regulated entities (REs) on credit information reporting, the Reserve Bank of India (RBI) has asked credit information companies (CICs) to send alert to customers when their credit information report (CIR) is accessed by the specified users (SUs). Lenders have to inform customers the reasons for the rejection (of credit or loan) and pay compensation for not resolving consumer complaints within 30 working days.
The master direction consolidates the existing instructions on credit information reporting and dissemination, issued to REs of RBI. These directions aim to establish a standardised framework for the reporting and dissemination of credit information; safeguard the confidentiality and security of sensitive credit data; provide mechanisms for consumers to access their credit information and redress grievances on matters related to credit information reporting.
According to the master direction, CICs have to send alerts through SMS or email to customers when their CIR is accessed by the SUs. The master direction Reserve Bank of India (Credit Information Reporting) Directions, 2025 says, “The alerts shall be sent by CICs only when the CIR enquiry reflects in the CIR of the customer.”
Credit institutions (CIs), which include non-banking financial companies (NBFCs), will have to inform customers the reasons for the rejection of their request for data correction, if any, to enable such customers to better understand the issues in the CIR.
Further, RBI says, “Complainants shall be entitled to a compensation of Rs100 per calendar day in case their complaint is not resolved within 30 calendar days from the date of the initial filing of the complaint by the complainant with a CI or CIC.”
Regarding the sharing of credit information with third party entities based on consent of individuals, RBI says, “It is observed that the CICs are sharing credit information based on consent of an individual, with entities which are not SUs, by entering into an agreement with such entities. Given the sensitivity and possible misuse while sharing such credit information, the CICs shall put in place a suitable mechanism for the purpose.”
It says CICs shall put in place a robust due diligence and control mechanism while sharing credit information of an individual based on his/her consent with entities which are not specified users, by entering into agreement with such entities. “This shall involve an evaluation of all the available information about the entity, including the general character of management should not be prejudicial to public interest; business reputation, ownership structure, compliance/ governance standards, grievance redressal mechanism and outstanding litigation; financial soundness and ability to service commitments even under adverse conditions; necessary technological, entrepreneurial and managerial resources to support the proposed activity of the customers over the contracted period; information security and internal control, audit coverage, monitoring and reporting environment and business continuity management,” the directive says.
Further, CICs, while sharing credit information of an individual with an entity based on consent, shall ensure from the entity that the entity, in its capacity as an authorised representative of the individual, shall use the CIR solely for the limited end use as agreed between them and shall not use or sell or resell or pass on information to any other person or engage itself in obtaining CIR other than for the consented purpose. 'Individual Consent' means the prior written consent of the individual by any documented means, stored as an electronic or physical record verifiable from time to time and permanent in nature.
Regarding the reporting of credit information by CIs, RBI asked all CIs to submit data on credit information of its borrowers (including historical data) to all CICs. “CICs and CIs shall keep the credit information collected/ maintained by them, updated regularly on a fortnightly basis (i.e., as on 15th and last day of the respective month) or at shorter intervals as mutually agreed upon between the CI and CIC. The fortnightly submission of credit information by CIs to CICs shall be ensured within seven calendar days of the relevant reporting fortnight. CICs shall provide a list of CIs which are not adhering to the fortnightly data submission timelines to RBI’s department of supervision at half yearly intervals (as on 31st March and 30th September each year) for information and monitoring purposes,” the central bank says.
CIs should ensure that the records submitted to CICs are updated regularly and that no instances of repayment, including that of the last instalment, are left unreported, RBI added.
In order to address the challenges in updating credit information of borrowers of CI whose certification of registration (CoR) or licence has been cancelled, CICs and CIs are asked to implement, before 10 April 2025, a credit information reporting mechanism subsequent to cancellation of licence or CoR of banks and NBFCs.
RBI also directed that the credit information shared by CICs with these entities is stored only for a limited time period of six months, or till such time the credit information is required to be retained to satisfy the purpose for which it was intended, or the individual withdraws his/her consent to store such credit information, whichever is earlier and thereafter, the stored credit information shall be deleted. If the purpose for which such credit information so obtained by the entities is not fulfilled, then these entities would be required to seek a fresh consent from the concerned individual for retaining credit information beyond a period of six months as stated above. “The information system auditor appointed for the purpose shall examine compliance to the above,” says RBI.
It also directs that there is no unauthorised use by any other third party including but not limited to any of its group companies, subsidiaries, affiliates or associates in violation of the provisions of CICRA, 2005 and other applicable laws.
Such information can be shared with its employees or agents on a ‘need to know basis’ only, while ensuring that such employees or agents with access to the said information are subjected to obligation of confidentiality.
The credit information received is to be duly protected both online and offline against any unauthorised access or use, to ensure the confidentiality and security of all transactions except for disclosures made as agreed to between the entity and the individual.
Also, the credit information received shall be processed and stored in India and not transferred outside India.