Credit Information System Regulation

Unofficial English Translation CREDIT INFORMATION SYSTEM REGULATION Regulation number: 2022/R-120 (Effective 25th July 2022)

2 CREDIT INFORMATION SYSTEM REGULATION CHAPTER ONE PRELIMINARY Introduction and title

1. (a) This regulation prescribes persons required to participate in the Credit Information System established by the Authority, the measures to ensure confidentiality of the information submitted to the System, and other matters in relation to the operation of the System. (b) This regulation is issued pursuant to Section 24-1 of Law No.: 6/81 (Maldives Monetary Authority Act 1981), paragraph (b) of Section 37 and paragraph (c) subparagraph (5) of Section 66 of Law No.: 24/2010 (Maldives Banking Act). (c) This regulation shall be cited as the “Credit Information System Regulation.” Commencement 2. This regulation shall come into force from the date on which it is published in the Government Gazette. Definitions 3. In this regulation, unless the context requires otherwise: (a) “Authority” means the Maldives Monetary Authority established pursuant to Law No.: 6/81 (Maldives Monetary Authority Act 1981). (b) “Credit” means loan, deferred payment of money, and any other form of credit facilities. This does not include the following credit. (1) Credit provided by one Financial Institution to another Financial Institution; (2) credit provided to the Government of the Republic of Maldives, any authority of the Government of the Republic of Maldives, the government of any other country or any international organisation;

3 (3) credit provided by a company to any subsidiary or holding company of that company; (4) credit provided to the person’s employees, by a person that does not provide Credit to any person except that person’s employees; (5) any other credit determined by the Authority. (c) “Credit Agreement” means, an agreement entered into by a Credit Information Provider and another person for the provision of Credit to that person. (d) “Credit Application” means an application for the provision of Credit, submitted to a Credit Information Provider. (e) “Credit Information Provider” means any person specified in paragraph (b) of Section 4, and any person who has been granted participation in the System under paragraph (f) of Section 4 of this Regulation. (f) “Credit Information Report” means a report obtained from the System, based on the information submitted to the System by the Credit Information Providers. (g) “Council” means the Atoll Council, the Island Council, or the City Council as specified in Law No.: 7/2010 (Maldives Decentralization Act). (h) “Data Subject” means the following persons and shall also include any potential Data Subjects. (1) Any person that has submitted a Credit Application; (2) any person that has entered into a Credit Agreement; or (3) any person that is a Guarantor of a Credit Agreement. (i) “Financial Institution” has the meaning provided in the Law No.: 6/81 (Maldives Monetary Authority Act 1981).

4 (j) “Guarantor” means any person who, in relation to a Credit Agreement, gives, proposes to give or has given a guarantee or a security, or is or proposes to become or has become a surety. (k) “person” includes natural and legal persons. (l) “Self-Inquiry Report” means a report generated by the System and issued upon request of a person, which contains personal and Credit information of that person. (m) “System” means the Credit Information System specified in paragraph (a) of Section 4 of this Regulation. CHAPTER TWO CREDIT INFORMATION SYSTEM Credit Information System 4. (a) The Credit Information System operated by the Authority at the time this Regulation comes into force, shall be deemed as the system established and operated by the Authority under paragraph (a) of Section 24-1 of the Law No.: 6/81 (Maldives Monetary Authority Act 1981), and paragraph (b) of Section 37 of Law No.: 24/2010 (Maldives Banking Act). (b) The following institutions shall participate in the System. (1) Banks operated under the licence issued by the Authority; and (2) financing companies operated under the licence issued by the Authority. (c) All banks and financing companies that have participated in the System prior to this Regulation coming into force, shall be deemed as persons that have participated in the System pursuant to paragraph (b) of this Section. (d) Institutions specified in paragraph (b) of this Section which are established after this Regulation comes into force, shall participate in the System, within 3 (three) months from the date of commencement of their business or within such period as extended by the Authority.

5 (e) Any of the following persons that wish to participate in the System, may submit an application in writing to the Authority. The application shall be submitted through the designated application form available on the Authority’s website, together with all the documents specified in the application form. (1) Insurance companies licensed by the Authority, that provide Credit; (2) companies that provide telecommunication services on Credit; (3) companies that provide utility services on Credit; (4) government ministries and authorities, and the Councils that provide Credit to the public or part of the public; (5) entities that sell land or apartments or buildings on credit basis; and (6) other legal persons that provide goods and services to the public on credit. (f) Once an application is received to participate in the System under paragraph (e) of this Section, the Authority may decide to grant participation with or without conditions or not to grant participation, based on the application. (g) Participation in the System will not be granted if the application to participate in the System does not meet the following requirements. (1) The applicant satisfies operational requirements and other requirements as set by the Authority, in a manner or to the standard acceptable to the Authority; and (2) the Authority is satisfied that allowing the applicant to participate in the System will be beneficial to the public.

6 (h) The Authority will declare the information to which persons who participate in the System under paragraph (b) of this Section shall have access, and provide access to that information to such persons. (i) The Authority may decide to either provide or not to provide access to the information in the System, or may decide to provide access to particular information in the System, to the persons who are granted participation in the System under paragraph (f) of this Section. In deciding so, the Authority may provide different entities with access to different information. (j) All existing personal and Credit information submitted to the System by the existing participants up until the effective date of this Regulation, shall be deemed as information submitted to the System under this Regulation. (k) The Credit Information Providers shall comply with the operating rules of the System, code of conduct or any instructions issued by the Authority. (l) The Authority shall not be responsible for any acts or omissions by the Credit Information Providers, which result in inaccurate, incomplete or not up to date information regarding any Data Subject in the System. Personal information 5. (a) The following are personal information, in relation to a Data Subject who is a natural person. (1) The person’s full name and any former names (including any alias); (2) the person’s date of birth; (3) the person’s permanent address and current address; (4) the person’s contact number; (5) the person’s national identification number and any other identification information, such as the reference number allocated for the purposes of tax;

7 (6) the person’s employment status and, if employed or carrying on other activities, the person’s occupation and the sector of the economy in which the person is occupied; and (7) such other information specified by the Authority. (b) The following are personal information in relation to a Data Subject who is not a natural person. (1) Name of the Data Subject, the nature of the entity it is and any registration number issued to it by the relevant authority; (2) the address of the place where the activities of the Data Subject are carried on, or, where such activities are carried on in more than one place, the principal place and if it is a legal person, the registered address; (3) the contact number, email address and fax number of the Data Subject; (4) reference numbers allocated to the Data Subject for the purposes of tax, by the relevant authority of the Maldives or any other country; (5) the sector of the economy in which the Data Subject carries on its activities; and (6) such other information specified by the Authority. Credit information 6. The following constitute Credit information in relation to a Credit Application submitted or Credit Agreement entered into by a Data Subject or a Credit Agreement in which a Data Subject is a Guarantor. (a) The nature and term of the Credit applied for or agreed, including the amount or maximum amount of Credit, the currency in which it is denominated and the conditions in relation to disbursement or repayment.

8 (b) The nature, term and extent of any guarantee, suretyship or any security given or arranged to be given and details of any associated valuation. (c) The interest rate, service charge or finance charge payable or to be payable. (d) Any identification number allocated to the Credit Application, Credit Agreement or to the Data Subject, by the Credit Information Provider. (e) Details of any securitisation of the Credit agreed. (f) Any changes to the nature or term of the Credit agreed, or changes to any guarantee, security or suretyship given in connection with the Credit Agreement. (g) Any proposal or arrangement with respect to debts under the Credit Agreement or any guarantee, security or suretyship given in connection with the Credit Agreement. (h) Any other information relating to the performance of obligations under or relating to the Credit Agreement or any guarantee, security or suretyship given in connection with the Credit Agreement. (i) Such other information specified by the Authority. CHAPTER THREE SUBMITTING INFORMATION TO THE SYSTEM AND PROVIDING ACCESS Submitting information to the System 7. (a) Each Credit Information Provider shall submit to the System such personal information and Credit information prescribed by the Authority relating to any Data Subjects, Credit Applications and Credit Agreements, in such formats and in such frequency as specified in the operating rules of the System or as specified by the Authority. (b) Each Credit Information Provider must ensure that the information which it enters into the System is in all respects accurate, complete and up to date and is in accordance with the standards set out in the operating

9 rules, at the time the information is entered into the System and thereafter. (c) Each Credit Information Provider shall update the information submitted to the System at a frequency specified by the Authority. (d) Credit Information Providers shall rectify such information once they become aware that the information submitted to the System is inaccurate, incomplete or erroneous. (e) Where the Authority believes or has reasons to believe that the information submitted by a Credit Information Provider to the System is inaccurate, incomplete, erroneous, not up to date or not in accordance with the operating rules or instruction issued by the Authority, the Authority may take an action specified in Section 16 of this Regulation against the Credit Information Provider. Duty to keep the Data Subjects informed 8. Credit Information Providers must inform its Data Subjects that Credit Information Providers are required to submit Data Subjects’ information relating to Credit Applications and Credit Agreements to the System. Requirement to obtain Credit Information Report 9. Each Financial Institution that is a Credit Information Provider, shall obtain a Credit Information Report from the System, before providing, restructuring, renewing, or extending Credit. Access to information in the System 10. Credit Information Providers which have access to the information in the System may access the following information in the System. (a) Information in the System relating to a Data Subject who has submitted a Credit Application to the Credit Information Provider. (b) Information in the System relating to a person who proposes to give a guarantee, security or suretyship in connection with a Credit Application submitted to the Credit Information Provider. (c) Information in the System relating to a Data Subject in relation to a Credit Agreement with the Credit Information Provider, in any of the following circumstances.

10 (1) A Data Subject requests the Credit Information Provider to change the nature or term of the Credit Agreement or the guarantee, security or suretyship given in connection with that Credit Agreement or requests any other Credit Information Provider to change the nature or term of another Credit Agreement or a guarantee, security or suretyship given in connection with that Credit Agreement; or (2) a Data Subject fails to comply with any obligation under a Credit Agreement or any other Credit Agreement entered with another Credit Information Provider or any guarantee, security or suretyship given in connection with that Credit Agreement or any other Credit Agreement and has not rectified such failure. (d) Information relating to Credit Agreements entered into by that person. Permissible uses of the information in the System 11. (a) Credit Information Providers may use the Credit Information Reports and any other information obtained from the System for the following purposes only. (1) To verify the accuracy of the information provided in a Credit Application or in connection with a Credit Application; (2) to evaluate risk associated with providing Credit to, or obtaining a guarantee, security or suretyship from a Data Subject; (3) to evaluate any risk arising from any changes to the nature or term of a Credit Agreement or a guarantee, security or suretyship given in connection with a Credit Agreement; (4) to monitor any failure to comply with any obligation under a Credit Agreement or the terms of a guarantee, security or suretyship given in connection with a Credit Agreement, that has not been rectified; (5) to evaluate whether to make any proposal or arrangement with respect to the debt of a Data

11 Subject, where a Data Subject has submitted a request for such an evaluation to be made; and (6) to analyse the Credit portfolio of the Credit Information Provider. (b) Credit Information Providers may not access, collect or use any information in the System, for any purpose other than those specified in paragraph (a) of this Section. CHAPTER FOUR CONFIDENTIALITY AND DATA SECURITY Confidentiality 12. (a) Each Credit Information Provider shall maintain confidentiality of the Credit Information Reports and any other information obtained from the System. Credit Information Providers shall not provide information regarding Credit Information Reports or any other information obtained from the System, directly or indirectly, to any person, without the written consent of the Data Subject to whom such information or report belongs. (b) Any current or former member of the board of directors, employee, consultant or agent of a Credit Information Provider or any person that has or had access to any information obtained from the System shall not disclose such information or Credit Information Report to any person. (c) The non-disclosure requirement under paragraphs (a) and (b) of this Section shall not apply, where the information was previously publicly available from other sources. (d) Disclosure of information in the following manner shall be exempt from the requirements in paragraphs (a) and (b) of this Section. (1) Disclosure with the consent of the Data Subject the information belongs to; (2) disclosure of information to court, for the purpose of a civil or criminal judicial proceeding;

12 (3) disclosure of information required by a court of law. (e) Each Credit Information Provider shall establish and enforce clear procedures, to ensure that the Credit Information Report and other information obtained from the System is only disclosed to its relevant employees and employees who need to be aware of such information. Measures to be taken in respect of reports obtained from the System 13. Each Credit Information Provider shall maintain records of the Credit Information Reports and any other information obtained from the System, and establish and implement appropriate internal controls to achieve the following, relating to credit reports and other information. (a) To prevent loss and unauthorised access; (b) to protect against use for purposes not permitted in this Regulation; (c) to prevent disclosure, save in the circumstances permitted in this Regulation; and (d) to prevent modification. CHAPTER FIVE MISCELLANEOUS Complaints resolution mechanism 14. (a) Each Credit Information Provider shall establish a fair and prompt mechanism to receive and resolve complaints by Data Subjects, about the information relating to them, submitted to the System by Credit Information Providers. (b) Where the Authority believes that the mechanism established by a Credit Information Provider under paragraph (a) of this Section cannot resolve complaints in a fair and prompt manner, the Authority may instruct to rectify such mechanism. The Credit Information Provider shall comply with such instructions of the Authority. (c) Credit Information Providers shall provide the following information to Data Subjects when establishing a relationship with them and at any time a Data Subject requests for it.

13 (1) Information relating to the Data Subject’s right to seek resolution of complaints; and (2) information relating to the complaint resolution mechanism implemented by the Credit Information Provider and the deadline set for resolution of such complaint. Fees and charges 15. Credit Information Providers shall pay fees and charges as provided in the operating rules, for reports and information obtained from the System. Corrective measures 16. (a) Where a Credit Information Provider or a member of its board of directors, its employee or consultant does any of the following, an action specified in paragraph (b) of this Section may be taken against such person. (1) Fails to submit any information to the System in the manner specified in this Regulation, the operating rules or any instruction issued by the Authority; (2) uses information obtained from the System for a purpose other than the purposes stated in Section 11 of this Regulation; or (3) contravenes any provision of this Regulation or fails to comply with the operating rules of the System or any instruction of the Authority. (b) Action may be taken in accordance with Section 55 of Law No.: 24/2010 (Maldives Banking Act) where a bank commits an act specified in paragraph (a) of this Section. Action may be taken in accordance with Sections 39 and 40 of Law No.: 6/81 (Maldives Monetary Authority Act 1981), where such act is committed by any entity other than a bank. In addition to this, the Authority may suspend such person’s access to the System or terminate its participation in the System. Self-Inquiry Report 17. (a) Subjected to terms and conditions prescribed by the Authority, any person may request from the Authority, a Self-Inquiry Report of that person through the designated website, the “Credit Information Bureau Website”, or through the designated application form.

14 (b) Each person will be issued a Self-Inquiry Report relating to that person pursuant to a request submitted under paragraph (a) of this Section free of charge, once every calendar year. More than one Self-Inquiry Report in one calendar year can only be issued upon payment of the fee set by the Authority. Repealed regulation 18. Regulation number 2011/R-29 “Credit Information Regulation 2011” shall be repealed with effect from the date of publication of this Regulation in the Government Gazette.