A critical analysis of credit information sharing under Nigeria’s Credit Reporting Act 2017
December 2017 | EXPERT BRIEFING | BANKING & FINANCE
Credit is the lifeblood of business and difficulty accessing credit has been the bane of many businesses in Nigeria. One of the primary reasons for the unwillingness of financial institutions to extend credit to businesses is a lack of reliable credit information. Ironically, this has also been the reason for some bad lending decisions resulting in non-performing loans. An efficient credit reporting system is therefore essential to the functioning of a strong financial system.
A primary objective of a credit reporting system is the facilitation of accurate and reliable credit information sharing. Credit information sharing enables lenders to properly assess a borrowers’ performance or non-performance record in credit transactions before making decisions. This enhances responsible lending and borrowing, improves access to credit and reduces operational costs and the risk of default and fraud.
On 30 May 2017, Nigeria’s acting president, Yemi Osinbajo, signed into law the Credit Reporting Act 2017 (CRA). Some of the objectives of the CRA, set out in section one, include promoting access to accurate, fair and reliable credit information, while protecting the privacy of the information, promoting a fair and competitive credit reporting system and facilitating credit information sharing.
Prior to the CRA, the Central Bank of Nigeria (CBN), on 14 November 2013, issued Guidelines for the Licensing, Operations and Regulations of Credit Bureaux and Credit Bureaus Related Transactions, pursuant to section 57 of the CBN Act 2007. The 2013 Guidelines replaced the earlier guidelines issued in October 2008. Prior to the Guidelines, the Credit Reporting Management System (CRMS), a public registry for financial institutions to register or check up on credits above N1m, was established pursuant to sections 28 and 52 of the CBN Act 1991.
Comedy of errors?
A comprehensive review of the CRA is beyond the scope of this piece. However, the CRA is characterised by inelegant drafting and is riddled with errors. For instance: the phrase “Central of Nigeria” is used in section 2(2). Even if Central Bank of Nigeria was intended, “Bank” which is defined in section 27 as “Central Bank of Nigeria” ought to have been used. “CRMS” is used for the first time in section 4(2) without any explanation of its meaning. Interestingly, Credit Reporting Management System is mentioned in section 4(1) without any indication that it is the same as “CRMS”. The disjunctive “or” has been misplaced thus altering the construction of section 9(2)(b) and causing it to be in conflict with sections 3(3)(e) and 12(e). Section 12(f) references “paragraphs (viii) and (ix) of the definition of Credit Information Providers”. However, lowercase letters (h) and (i) are used in listing the paragraphs. Section 13(5) requires a credit information provider to forward a rectified credit report to the “credit information provider” and the data subject. Section 27 says permissible purposes are listed in section 9 of the CRA, whereas they are set out in section 7(2). There is inconsistency in capitalising the first letters of key terms.
“Data Subject”, a key term, is used 32 times in the CRA but is not defined in section 27. In contrast, it is defined in section 2.16 of the 2013 Guidelines.
Sharing credit information with credit bureaux
Information sharing in credit reporting systems are initiated with credit information providers disclosing information to the credit bureaux. Credit information providers may disclose credit information of data subjects to credit bureaux without the data subjects’ prior consent, according to section 9(2)(a) of the CRA. Requiring consent would potentially, and unnecessarily, impede information sharing. Section 5.3.1 of the 2013 Guidelines requires notice be given to data subjects before their credit information can be disclosed to credit bureaux. This does not substantially deviate from section 9(2)(a) of CRA. A data subject’s non-concurrence will not prevent information sharing.
The absence of consent requirement may be rationalised on the ground that credit bureaux are not end-users of credit information. Credit bureaux do not rely on the information in making any transaction decisions in relation to data subjects. Furthermore, credit information is confidential and cannot be disclosed to credit information users without data exchange agreements or the data subjects’ consent. Limited exceptions, where disclosure may be made without the data subjects’ consent, include disclosures to CBN, in compliance with court orders or laws, according to section 9(3). These exceptions arguably underpin a case for notifying data subjects before the sharing of their credit information with credit bureaux.
Section 4(2) permits credit bureaux to request and obtain credit information from the CRMS and other public registries. The information may be shared with credit information users.
Sharing credit information with credit information users
Credit bureaux are required to receive, collate and compile credit information and issue credit reports, according to section 3(1). These responsibilities are in addition to the receipt of credit information from credit information providers. A credit bureau may disclose a data subject’s credit information to a credit information user where the conditions in sections 9(2)(b)(i) and 9(2)(b)(ii) are satisfied. Section 9(2)(b)(i) requires the credit information user to have a data exchange agreement with the credit bureau, and the disclosure to be for a permissible purpose. Section 9(2)(b)(ii) requires the credit information user to obtain the data subject’s written consent. In the absence of the disjunctive “or”, the logical conclusion is that both conditions must be satisfied.
Curiously, “or” is placed after section 9(2)(b)(ii) and before section 9(c). Section 9(c) deals with information sharing by credit information users to third parties – a completely different issue.
Pursuant to section 3(3)(e), credit bureaux are not permitted to provide credit information to credit information users with which they do not have data exchange agreements, unless the data subjects consent in writing. Further, section 12(e) imposes an obligation on credit information users to enter into data exchange agreements with credit bureaux to enable receipt of credit information. Section 12(e) also provides that where there is no data exchange agreement, credit information may be accessed upon a data subject’s written consent. Both sections 3(3)(e) and 12(e) would be in conflict with a conjunctive reading of the conditions in section 9(2)(b) given that sections 3(3)(e) and 12(e) make a data subject’s consent an alternative to a data exchange agreement. This conflict may be resolved by placing the disjunctive “or” between sections 9(2)(b)(i) and 9(2)(b)(ii).
Instructively, section 5.4.1 of the 2013 Guidelines makes it mandatory for all banks and other financial institutions to have data exchange agreements with at least two licensed credit bureaux. This appears to be in conflict with sections 3(3)(e), 9(2)(b) and 12(e) of the CRA, which indicate that a credit information user may access credit information if the data subject consents, notwithstanding the absence of a data exchange agreement with a credit bureau. Further, while section 12(f) of the CRA requires credit information users to obtain credit reports from at least one credit bureau before granting credit, section 5.4.2 of the 2013 Guidelines requires all banks and other financial institutions to obtain credit reports from at least two licensed credit bureaux before granting any facility.
These seeming conflicts may be resolved when it is considered that the 2013 Guidelines apply only to banks and other financial institutions. In contrast, section 27 of the CRA defines credit information users to include electricity companies, telecoms firms, leasing companies, cooperative societies and suppliers of goods or services on credit. The 2013 Guidelines provide a higher threshold for banks and other financial institutions under CBN’s regulatory purview, given their higher prudential needs. Moreover, section 12(g) of the CRA requires credit information users to fulfil any other obligations in accordance with any other law, and CBN regulations and guidelines.
Section 6(1)(b) directs credit bureaux to use credit information solely for permissible purposes. Further, section 7(1) requires credit information users to seek credit information from credit bureaux only for permissible purposes. The word “includes” is used in introducing the permissible purposes in section 7(2). This means that the list of permissible purposes is not exhaustive. Further, the permissible purpose under 7(2)(m) is stated as “such other purposes as the Bank may specify or direct”. This reinforces the view that the list of permissible purposes is open-ended. Instructively, the permissible purpose in section 5.1(b)(xii) of the 2013 Guidelines (not included in the CRA) is stated as “other purposes with the written consent from the individual or entity”. This does not conflict with the CRA’s provisions given that section 5.1(b)(xii) of the 2013 Guidelines was issued by the CBN as contemplated by section 7(2)(m) of the CRA.
Credit bureaux are not permitted to share or include information relating to data subjects’ race, ethnicity, colour, religion or political affiliation, under section 3(3)(d). This is plainly justifiable considering that these are irrelevant to data subjects’ credit history. Where the licence of a credit bureau is revoked or the firm is put in liquidation or dissolved, section 26 requires the credit bureau to immediately hand over its entire database to the CBN.
Sharing credit information with third parties
On receipt of a data subjects’ credit information from a credit bureaux, section 9(2)(c) of the CRA requires credit information users not to disclose the information to any person, and to not use the information for any purpose other than a permissible purpose. Section 12(a) and (b) reinforce section 9(2)(c) by imposing an obligation on credit information users to protect the integrity and confidentiality of information obtained on data subjects, and use credit reports from credit bureaux only for permissible purposes. Credit information users may disclose credit information to third parties or use the same for purposes outside the permissible purposes if data subjects consent in writing: section 9(2)(c).
Efficient credit information sharing is essential to the success of any credit reporting regime. To maximise the potential benefits of the CRA, all stakeholders must be fully committed to religiously performing their information sharing obligations.
Dr Kubi Udofia is a senior associate at Fidelis Oditah & Co. He can be contacted on +234 81 0289 1800 or by email: firstname.lastname@example.org.
© Financier Worldwide
Dr Kubi Udofia
Fidelis Oditah & Co.