Information sharing under Credit Reporting Act 2017

Credit is the lifeblood of business and difficulty in accessing credit has been the bane of many businesses in Nigeria. One of the primary reasons for the unwillingness of financial institutions to extend credit to businesses is lack of reliable credit information of the businesses. Ironically, this has also been the reason for some bad lending decisions resulting to non-performing loans. An efficient credit reporting system is therefore essential to the functioning of a strong financial system.

A primary objective of a credit reporting system is the facilitation of accurate and reliable credit information sharing. Credit information sharing enables lenders to properly assess borrowers’ performance/nonperformance record in credit transactions before making decisions. This enhances responsible lending and borrowing, improves access to credit, and reduces operational costs and the risk of default and fraud.

On 30 May 2017 Acting President Yemi Osinbajo SAN signed into law the Credit Reporting Act 2017 (CRA). Some of the objectives of the CRA, set out in section 1, include promoting access to accurate, fair and reliable credit information whilst protecting the privacy of the information; promoting fair and competitive credit reporting system, and facilitating credit information sharing.

Prior to the CRA, the Central Bank of Nigeria (CBN) had on 14 November 2013 issued Guidelines for the Licensing, Operations and Regulations of Credit Bureaux and Credit Bureaus Related Transactions (2013 Guidelines) pursuant to section 57 of the CBN Act 2007. The 2013 Guidelines replaced the earlier guidelines issued in October 2008. Prior to the guidelines, the Credit Reporting Management System (CRMS), a public registry for financial institutions to register/check-up credits above N1 million, was established pursuant to sections 28 and 52 of the CBN Act 1991.

Comedy of errors?
A comprehensive review of the CRA is beyond the scope of this piece. However, the CRA is characterized by inelegant drafting and riddled with errors, which are worth pointing out. For instance:

“Central of Nigeria” is used in section 2(2). Even if Central Bank of Nigeria was intended, “Bank” which is defined in section 27 as “Central Bank of Nigeria” ought to have been used.

“CRMS” is used for the first time in section 4(2) without any explanation of its meaning. Interestingly, Credit Reporting Management System is mentioned in section 4(1) without any indication that it is the same was “CRMS”.

The disjunctive “or” has been misplaced thus altering the construction of section 9(2)(b) and causing it to be in conflict with sections 3(3)(e) and 12(e).

Section 12(f) references “paragraphs (viii) and (ix) of the definition of Credit Information Providers”. However, lowercase letters (h) and (i) are used in listing the paragraphs.

Section 13(5) requires a credit information provider to forward a rectified credit report to the “credit information provider” and the data subject.

Section 27 says permissible purposes are listed in section 9 of the CRA, whereas they are set out in section 7(2).
There is inconsistency in capitalising the first letters of key terms.

“Data Subject”, a key term, is used 32 times in the CRA but is not defined in section 27. In contrast, it is defined in section 2.16 of the 2013 Guidelines.

Sharing credit information with credit bureaux
Information sharing in credit reporting systems are initiated with credit information providers disclosing information to credit bureaux. Credit information providers may disclose credit information of data subjects to credit bureaux without the data subjects’ prior consent: section 9(2)(a) of CRA. Requiring consent would potentially and unnecessarily impede information sharing. Section 5.3.1 of the 2013 Guidelines requires notice to be given to data subjects before their credit information can be disclosed to credit bureaux.

This does not substantially deviate from section 9(2)(a) of CRA. A data subject’s non-concurrence will not prevent information sharing.

The absence of consent requirement may be rationalized on the ground that credit bureaux are not end-users of credit information. Credit bureaux do not rely on the information in making any transaction decisions in relation to data subjects. Further, the credit information are confidential and cannot be disclosed to credit information users without data exchange agreements or data subjects’ consent. Limited exceptions where disclosure may be made without data subjects’ consent include disclosures to CBN, in compliance with court orders or laws: section 9(3). These exceptions arguably underpin a case for notifying data subjects before the sharing of their credit information with credit bureaux.

Section 4(2) permits credit bureaux to request and obtain credit information from the CRMS and other public registries. The information may be shared with credit information users.

Sharing credit information with credit information users
Credit bureaux are required to receive, collate and compile credit information and issue credit reports: section 3(1). These responsibilities are sequel to the receipt of credit information from credit information providers. A credit bureau may disclose a data subject’s credit information to a credit information user where the conditions in sections 9(2)(b)(i) and 9(2)(b)(ii) are satisfied. Section 9(2)(b)(i) requires the credit information user to have a data exchange agreement with the credit bureau, and the disclosure to be for a permissible purpose. Section 9(2)(b)(ii) requires the credit information user to obtain the data subject’s written consent. In the absence of the disjunctive “or”, the logical conclusion is that both conditions must be satisfied.

Curiously, “or” is placed after section 9(2)(b)(ii) and before section 9(c). Section 9(c) deals with information sharing by credit information users to third parties; a completely different issue. The disjunctive “or” has been placed after section 9(2)(b)(ii) in error.

Pursuant to section 3(3)(e), credit bureaux are not permitted to provide credit information to credit information users with which they do not have data exchange agreements unless the data subjects consent in writing. Further, section 12(e) imposes an obligation on credit information users to enter into data exchange agreements with credit bureaux to enable receipt of credit information. Section 12(e) also provides that where there is no data exchange agreement, credit information may be accessed upon a data subject’s written consent. Both sections 3(3)(e) and 12(e) would be in conflict with a conjunctive reading of the conditions in section 9(2)(b) given that sections 3(3)(e) and 12(e) make a data subject’s consent an alternative to a data exchange agreement. This conflict may be resolved by placing the disjunctive “or” (misplaced after section 9(2)(b)(ii)) between sections 9(2)(b)(i) and 9(2)(b)(ii).

Instructively, section 5.4.1 of the 2013 Guidelines makes it mandatory for all banks and other financial institutions to have data exchange agreements with at least two licensed credit bureaux. This appears to be in conflict with sections 3(3)(e), 9(2)(b) and 12(e) of CRA which indicate that a credit information user may access credit information if the data subject consents, notwithstanding the absence of a data exchange agreement with a credit bureau. Further, while section 12(f) of CRA requires credit information users to obtain credit report from at least one credit bureau before granting credit, section 5.4.2 of the 2013 Guidelines requires all banks and other financial institutions to obtain credit reports from at least two licensed credit bureaux before granting any facility.

These seeming conflicts may be resolved when it is considered that the 2013 Guidelines apply only to banks and other financial institutions. In contrast, section 27 of CRA defines credit information users to include electricity companies, telecoms firms, leasing companies, cooperative societies and suppliers of goods/services on credit. The 2013 Guidelines provides a higher threshold for banks and other financial institutions under CBN’s regulatory purview given their higher prudential needs. Moreover, section 12(g) of CRA requires credit information users to fulfill any other obligations in accordance with any other law, and CBN regulations and guidelines.

Section 6(1)(b) directs credit bureaux to use credit information solely for permissible purposes. Further, section 7(1) requires credit information users to seek credit information from credit bureaux only for permissible purposes. The word “includes” is used in introducing the permissible purposes in section 7(2). This means that the list of permissible purposes is not exhaustive. Further, the permissible purpose under 7(2)(m) is stated as “such other purposes as the Bank may specify or direct”. This re-enforces the view that the list of permissible purposes is open-ended. Instructively, the permissible purpose in section 5.1(b)(xii) of the 2013 Guidelines (not included in CRA) is stated as “other purposes with the written consent from the individual or entity”. This does not conflict with CRA’s provisions given that section 5.1(b)(xii) of the 2013 Guidelines was issued by the CBN as contemplated by section 7(2)(m) of CRA.

Credit bureaux are not permitted to share/include information relating to data subjects’ race, ethnicity, colour, religion or political affiliation: section 3(3)(d). This is plainly justifiable considering that these are irrelevant to data subjects’ credit history. Where the licence of a credit bureau is revoked or the firm is put in liquidation or dissolved, section 26 requires the credit bureau to immediately hand over its entire database to the CBN.

Sharing credit information with third parties.
On receipt of data subjects’ credit information from credit bureaux, section 9(2)(c) of CRA requires credit information users not to (i) disclose the information to any person, or (ii) use the information for any purpose other than a permissible purpose. Section 12(a) and (b) re-enforce section 9(2)(c) by imposing an obligation on credit information users to (i) protect the integrity and confidentiality of information obtained on data subjects, and (ii) use credit reports from credit bureaux only for permissible purpose(s). Credit information users may disclose credit information to third parties or use same for purposes outside the permissible purposes if data subjects consent in writing: section 9(2)(c).

Conclusion
Efficient credit information sharing is essential to the success of any credit-reporting regime. To maximize the potential benefits of the CRA, all stakeholders therein must be fully committed to religiously performing their information sharing obligations.

Dr Udofia is an insolvency law expert and a Senior Associate at Fidelis Oditah & Co. Lagos.