Credit Reporting Regulations, 2013

LESOTHO Government Gazette Vol. 58 Friday – 19th July, 2013 No. 37 CONTENTS No. Page LEGAL NOTICE 68 Credit Reporting Regulations, 2013 . . . . . . . . . . . . . . . . . . . . . . . . . 275 OTHER NOTICES (See Supplement of the Gazette) Published by the Authority of His Majesty the King Price: M31.00

LEGAL NOTICE NO. 68 OF 2013 Credit Reporting Regulations, 2013 Arrangement of Regulations Regulations PART I – PRELIMINARY

1. Citation and commencement
2. Interpretation PART II – REGISTRATION REQUIREMENTS, CRITERIAAND PROCEDURES FOR CREDIT BUREAU
3. Registration requirements
4. Minimum registration requirements
5. Conditions of registration
6. Review of conditions of registration
7. Certificate of registration PART III – REGULATION AND SUPERVISION OF CREDIT BUREAU Chapter A - Annual Compliance Reporting
8. Annual Compliance Report
9. Time-frame for submission of annual compliance report
10. Processing of Annual Compliance Report by the Central Bank Chapter B – Credit Information Reporting Standards
11. Standards for the filing, retention and reporting of credit information PART IV – CREDIT BUREAU REPORTING
12. Quarterly synoptic report by credit bureau
13. Data Supplier Report
14. Processing of Reports submitted in terms of this chapter by the Central 275

Bank PART V – RECORD-KEEPING AND PRESCRIBED FORMS 15. Records of registered activities to be retained by credit bureaux 16. Use of forms 17. Electronic submission of forms Schedule A: PRESCRIBED FORMS Schedule B: PRESCRIBED FEES, GUIDELINES, CREDIT INFORMATION REPORTING STANDARDS 276

LEGAL NOTICE NO. 68 OF 2013 Credit Reporting Regulations, 2013 Pursuant to section 41 of the Credit Reporting Act, 2011 1 , I, DR. RET◊ELISITSOE MATLANYANE Governor of the Central Bank of Lesotho make the following regulations - Citation and commencement

1. These regulations may be cited as the Credit Reporting Regulations, 2013 and shall come into operation on the date of publication in the Gazette PART I – PRELIMINARY Interpretation
2. In these Regulations unless the context otherwise requires - “Act” means the Credit Reporting Act, 2011 “annual financial statements” means the audited annual financial state￾ments as required for each specific registrant; “auditor” means a member of the Lesotho Institute of Accountants cer￾tified to provide, attest or perform auditing functions recognised by the Lesotho Institute of Accountants; “delivered” means sending a document by hand, fax, e-mail, or registered mail to an address chosen in the agreement by the proposed recipient, if no such address is available, the recipient’s registered address; “general management” when referring to juristic persons means the directors of a company registered in terms of the Companies Act, 2011, for all other juristic persons, the individuals who perform a similar func￾tion to the board of directors; 277

“the Central Bank” means the Central Bank of Lesotho continued in existence by the Central Bank of Lesotho Act 2000 2 ; PART II – REGISTRATION REQUIREMENTS CRITERIAAND PROCEDURES FOR A CREDIT BUREAU Registration requirements 3. (1) A person who applies for registration as a credit bureau opera￾tor in terms of section 12 of the Act shall submit, to the Central Bank, the fol￾lowing - (a) a completed application form on Form CB1 as set out in Schedule A; (b) a resolution by the applicant to apply for registration as a credit bureau on Form CB2 as set out in Schedule A; (c) a document detailing the organisational structure of the applicant, and business activity within that structure, to establish that the applicant is not engaging in any busi￾ness activity inconsistent with operating an independent and objective credit bureau; (d) a certified strategic and operational competence report from an auditor on Form CB3 as set out in schedule A, to confirm the capacity of the applicant to promote the objectives of the Act under section 3, and compliance with the registration requirements under section 12 of the Act; (e) any additional documents required in the relevant appli￾cation form; and (f) receipt of the non refundable application fee as set out in Schedule B. (2) A person who applies for registration shall, within 15 business days of receipt of a request, provide any further information required by the Cen￾tral Bank in terms of section 13 of the Act. 278

Minimum registration requirements 4. (1) The Central Bank may only register a person as a credit bureau operator, if the person has - (a) submitted a completed and signed application form; (b) submitted a completed and signed resolution by an authorised person; (c) satisfied the Central Bank that it does not engage in any business activity inconsistent with operating an inde￾pendent and objective credit bureau; (d) submitted proof of registration with relevant taxation authorities; (e) submitted a certified strategic and operational compe￾tence report by an independent auditor on Form CB3, confirming the capacity of the applicant to promote the objectives of the Act set out in section 3, and compli￾ance with the registration requirements set out in section 12 of the Act; (f) submitted credible plans to remedy areas of lack of ca￾pacity or non compliance, if referred to in the report by the independent auditor, within a reasonable time as agreed between the Central Bank and the applicant; (g) submitted a receipt of the non refundable initial regis￾tration fee, as set out in Schedule B. Conditions of registration 5. (1) The Central Bank may, having regard to the objects, and pur￾poses of the Act, the circumstances of the application for registration, and the registration requirements, impose conditions on the registration of an applicant, where the applicant has not satisfied the requirements of registration. (2) The applicant may be notified of the conditions contemplated in 279

subregulation (1) and the reasons for the conditions imposed. (3) An applicant who has received a notification of conditions im￾posed on the applicant, shall respond to the Central Bank within 15 business days after that date on which the applicant first received notification. (4) If the applicant consents, the Central Bank shall register the ap￾plicant subject to the conditions imposed. (5) If the applicant does not respond to the notice or objects, the Central Bank may consider any objection lodged and may finally determine the conditions to be imposed, and register the applicant. (6) The Central Bank shall inform the applicant, in writing, of a de￾cision in terms of subregulation (5). Review of conditions of registration 6. (1) A registrant may on compelling grounds apply to the Central Bank for the review or variation of any condition of registration. (2) On receipt of an application under subregulation (1), the Cen￾tral Bank may determine the application having regard to - (a) the purposes and objectives of the Act; (b) the prescribed registration requirements; and (c) the compelling grounds submitted by the applicant. (3) A determination under subregulation (2), may be referred by an applicant to a competent court for review. Certificate of registration 7. A certificate of registration issued in terms of section 16 of the Act, shall specify - (a) the identity of the registrant; 280

(b) the company registration number and, in the case of a partnership, the words “trading in partnership” shall be specified; (c) the activities that the registration permits the registrant to engage in, conduct or make the activities available to the public; (d) registration number of the registrant issued by the Cen￾tral Bank; (e) signature of a duly authorised representative of the Cen￾tral Bank; (f) certificate number; (g) date on which the certificate was issued. PART III – REGULATION AND SUPERVISION OF CREDIT BUREAU Chapter A – Annual Compliance Reporting The annual compliance report 8. A registrant shall submit to the Central Bank an annual compliance re￾port, compiled by an auditor following special investigations, due diligence and factual findings in accordance with the guidelines stipulated in Guideline CB1 set out in Schedule B, addressing the following matters - (a) adequacy of policies, processes and procedures em￾ployed by it to ensure - (i) the accuracy and integrity of data received, maintained and reported by it; (ii) the confidentiality and security of data received, maintained and reported by it; (iii) data released as permitted by the Act; 281

(iv) the display of data for fixed reasonable periods, as stipulated in the Credit Information Report￾ing Standards stipulated under guideline CB2; (v) rights of a consumer to access their reports and challenge information contained in it; (vi) compliance with the Credit Information Report￾ing Standards stipulated under guideline CB2. (b) Incidence of requests for correction of data in terms of sections 27(2) and 27(3) of the Act, and resolution of such requests, more particularly - (i) total requests for correction of data; (ii) reasons for requests to correct data; (ii) incidence of data corrected at the request of the consumer. Time-frame for submission of annual compliance report 9. A compliance report submitted by a registered credit bureau in terms of regulation 8 above shall be submitted to the Central Bank on or before the 15th March each year for the period starting 1st January and ending on 31st Decem￾ber. Processing of Annual Compliance Report by the Central Bank 10. On receipt of an annual compliance report from a registered credit bu￾reau, the Central Bank shall - (a) in writing, acknowledge receipt of the report; (b) make an assessment of the report and communicate the outcome of the assessment to the registrant credit bureau; (c) If the outcome of the assessment of the report reflects 282

areas of non compliance found, the Central Bank may - (i) provide the registrant with an opportunity to remedy the shortcomings found; (ii) issue a compliance notice in terms of section 35 of the Act; (iii) cancel the registration in terms of section 17 of the Act if the registrant has repeatedly contra￾vened the Act. Chapter B – Credit Information Reporting Standards Standards for the filing, retention and reporting of credit information 11. (1) In terms of section 7(2) of the Act, the Central Bank may pre￾scribe standards for the filing, retention and reporting of credit information in the Credit Information Reporting Standards. (2) The Credit Information Reporting Standards shall, among other things, address matters such as display and retention periods for credit informa￾tion; maintenance, retention and reporting of credit information by credit bu￾reau. (3) The Credit Information Reporting Standards set out in Schedule B may be amended, varied or supplemented by the Central Bank by written no￾tification to all registrants. PART IV – CREDIT BUREAU REPORTING Quarterly synoptic report to be submitted by registered credit bureau 12. (1) A registered credit bureau shall in terms of sections 9(1)(a) and 8 of the Act submit a quarterly synoptic report in accordance with the report template and report Guidelines prescribed in form CB4, and definitions stipu￾lated in Guideline CB2, regarding - (a) the total number of credit active consumers that are natural persons; 283

(b) the total number of credit active consumers that are juristic persons; (c) the credit standing of the consumers that are natural per￾sons, in particular, the number of the consumers that are natural persons in good standing; and the number of the consumers that are natural persons with impaired records; (d) the total number of consumer accounts pertaining to nat￾ural persons, in good standing, and the total number of the consumer accounts pertaining to natural persons with impaired records; (e) the total number of the consumer accounts, pertaining to juristic persons in good standing and with impaired records; (f) credit market activity, with respect to the following credit products, mortgages, vehicle and asset finance, unsecured credit loans, credit facilities, and telecommu￾nication services in respect of which payment is made in arrears; (g) total outstanding book debt per credit product, amount in arrears per credit product and amount in relation to ad￾verse information and civil court judgment information for debt. (2) A report on each credit product in terms of subregulation (1)(f) shall be in the following categories - (a) small credit agreement; (b) medium credit agreement; and (c) large credit agreement. (3) In reporting in terms of subregulation (1), a registered credit bu￾reau shall report on credit extended in Lesotho or credit extended in other coun￾284

try to natural persons that are Lesotho citizens, or juristic persons registered in Lesotho. (4) A registered credit bureau shall submit a quarterly synoptic re￾port referred to in subsection (1), in accordance with the report template on Form CB4 set out in Schedule A, in respect of the quarters and by the following due dates - (a) quarter1 1 January – 31 March 15 May; (b) quarter2 1 April – 30 June 15 August; (c) quarter3 1 July – 30 September 15 November; (d) quarter4 1 October – 31 December 15 February. (5) The Central Bank may, after consultation with a registered credit bureau, vary or amend the content of the quarterly synoptic report. Data supplier report 13. A registered credit bureau shall, in terms of section 9(1)(b) of the Act, submit a data supplier report to the Central Bank on or before the 10th working day of each month, regarding - (a) credit providers, with a place of business in Lesotho, from whom the registrant has accepted and loaded credit information; (b) credit providers, with a place of business in Lesotho, who have supplied credit information which the regis￾trant has rejected, and the reason for the rejection; (c) credit providers with a place of business in Lesotho, who have not supplied credit information; (d) credit providers with a place of business in Lesotho, who have accessed credit information for credit assessment in accordance with section 30 of the Act. 285

(2) A credit bureau data liaison officer shall be appointed by the Central Bank for purposes of regulating the submission of accurate, complete and up-to-date credit information by all credit providers extending credit in Lesotho to a registered credit bureau. Processing of reports submitted in terms of this chapter by the Central Bank 14. On receipt of a quarterly synoptic report or data supplier report from a registered credit bureau, the Central Bank shall - (a) acknowledge receipt of the report in writing; (b) make an assessment of the report within a reasonable period; (c) In the case of a quarterly synoptic report, communicate the outcome of the assessment to all stakeholders within the credit market; (d) In the case of a data supplier report, take reasonable steps based on the outcome of the report to ensure that credit providers with a place of business in Lesotho, submit complete, accurate and up-to-date credit information to a registrant credit bureau; (e) If a credit provider with a place of business in Lesotho fails to submit a complete, accurate and up-to-date credit information to a registrant credit bureau, the Central Bank may, after consulting with the credit provider - (i) require that the credit provider submit within a reasonable period, specified categories of credit information, not previously submitted; or (ii) issue the credit provider with a compliance notice for failing to comply with its obligation in terms of section 19(2) of the Act; (f) If a registered credit bureau fails to submit a report, or 286

submits an incomplete or inaccurate report, the Central Bank may, after consulting with the registrant - (i) provide the registrant with a reasonable oppor￾tunity to remedy the shortcomings found; (ii) issue a compliance notice in terms of section 35 of the Act; or (iii) cancel the registration in terms of section 17 of the Act if the registrant has repeatedly contra￾vened the Act. PART V – RECORD-KEEPING AND PRESCRIBED FORMS Records of registered activities to be retained by credit bureaux 15. A registrant shall maintain records of registered activities, in paper or electronic format, readily accessible for a period of three years from the date on which the registrant created, signed or received the document. Forms and use of forms 16. (1) The forms to be used, for the purposes of these regulations, shall be as set out in Schedule A. (2) If a prescribed form is used with any other information or doc￾ument not prescribed, the prescribed form shall be clearly distinguishable from the information or document not prescribed. (3) If a prescribed form is used in conjunction with another pre￾scribed form, each shall be clearly distinguishable from the other. (4) Where a form or document is prescribed in these regulations - (a) it shall be sufficient if a person required to prepare such a form or document does so in a form that satisfies all the substantive requirements as to content and design of the prescribed form; and 287

(b) any deviation from the prescribed form shall not invali￾date the form, unless the deviation fails to satisfy the requirements set out in paragraph (a), negatively affects the substance of the document or is deceptive or misleading. Electronic submission of forms 17. A form that has to be submitted to the Central Bank may be submitted electronically. DATED: DR. RET◊ELISITSOE MATLANYANE GOVERNOR OF THE CENTRAL BANK OF LESOTHO

1. Act No. 1 of 2012
2. Act No. 12 of 2000 288

SCHEDULE A (regulation 3) FORM CB1 – APPLICATION TO BE REGISTERED AS A CREDIT BUREAU (Application form CBI is obtainable from the Central Bank of Lesotho) FORM CB2 – RESOLUTION BY APPLICANT TO APPLY TO BE REG￾ISTERED AS A CREDIT BUREAU Resolution of the Members/Directors/Trustees/Partners of .......................................................................................................................(the entity) ........................................................................... Registration number (if applicable) taken at ..................... on .................... date ................... of..................... month................... year RESOLVED THAT -

1. The entity ....................................................................... applies to the Central Bank for registration as a credit bureau.
2. ................................................................. (full name of person) be and is hereby authorised by the entity, to sign all such documentation and take all such steps as may be necessary to give effect to the above mentioned decision.
3. The entity understands that it will be liable for any action by any broker or agent who acts on behalf of the entity. FULL NAME(S): ..................................................................................................... SIGNED: ................................................. ........................................ (Properly mandated Date representative of the applicant) 289

FULL NAME(S): ..................................................................................................... SIGNED: ................................................ ........................................ (Properly mandated Date representative of the applicant) • One member/director/trustee/partner to sign who is not nominated as the competent person; • Two members/directors/trustees/partners to sign if the competent person is not a member/director/trustee/partner of the company. FORM CB3 - STRATEGIC AND OPERATIONAL COMPETENCE RE￾PORT TO BE COMPLETED BY THE APPLICANT CREDIT BUREAU AND CERTIFIED BY AN INDEPENDENT AUDITOR The Central Bank of Lesotho Form CB3 – Strategic and Operational Competence Report Part A – Applicant’s Details Name of applicant Company registration number Name of person that completed this Form E- Mail Contact telephone number Date of submission Part B – Strategic Competence

1. Business Plan Please confirm - 290

(1) the existence of business plans; (2) lower-level supporting procedures; (3) remediation plans to address known deficiencies, for purposes of operating a credit bureau to serve the Lesotho market, and (4) provide a brief high level summary of the contents of such busi￾ness plan; (5) The business plan should specifically refer to the strategy to col￾lect, host and report credit information on - (a) all persons that are the recipients of credit in Lesotho; and (b) all natural persons that are Lesotho citizens, or juristic persons registered in Lesotho that are recipients of credit in any other country. 2. Organizational Overview Please indicate - (1) existing personnel holding key positions within the applicants’ organisation as well as (2) the overall organizational structure. More Specifically: (a) Resource Strategy & Planning i. Indicate sufficiency of resources (IT, adminis￾tration or call centre) to manage data to be re￾ceived and administration requests; ii. If no or inadequate resource available, indicate plan to acquire additional resource; 291

iii. Indicate qualifications/experience of adminis￾tration or call centre staff to manage consumer, data supplier and other requests. 3. Site Overview Please describe the applicant’s building and site facilities for purposes of demon￾strating its conduciveness to business operations. 4. Business Integrity The object is to establish the integrity of the juristic person applying for mem￾bership as well as the integrity of the natural persons exercising management and control of the juristic person. More specifically provide background reports on - (a) persons who exercise management and control of the ap￾plicant, including a certification that - (i) such persons are “fit and proper” persons of good standing, and do not have any criminal records; (ii) have not been subject to insolvency proceedings; and (iii) have a good standing with the relevant govern￾ment taxation authorities; (b) the juristic person /company applying for membership; including confirmation of record of registration of com￾pany; and that the company has a good standing with the relevant government taxation authorities. 5. Corporate Finance: Sources of Finance For purposes of financial due diligence, please indicate sources of finance re￾292

lating to the applicant. More specifically - (a) confirm that the applicant has sufficient financial re￾sources to operate a credit bureau to service the Lesotho market; and (b) confirm that the applicant has adequate liability insurance. Part C - Operational Assessment

1. Information Systems (IT) Assessing the current applicant’s computer processing environment to ensure that the key information technology areas are addressed by controls implemented by the applicant. In this regard, please indicate implementation of controls specifically covering the following areas - (a) Information Systems Operations including technological capacity; (b) Information Security around critical servers and fire￾walls; (c) Change Control over application and operating systems, databases, networks and hardware; and (d) Resource and Continuity Planning, including a descrip￾tion of the current procedures and plans in place to acquire and train resources, and indicate whether conti￾nuity planning is in place to ensure the applicants’ busi￾ness and IT operations are a going concern. More Specifically: (a) Information Systems Operations: (i) High level indication of systems; 293

(ii) High level indication of operational process; (b) Information Security - (i) Protection of data collected (couriers, FTP, e-mail etc.); (ii) Protection of data on CD’s, cartridges, disks, e-mail etc. at bureau site (e.g. fireproof cabinets, physical media filing and cataloguing, encryp￾tion, access security etc.); (iii) Protection of data on the database against unau￾thorized access, removal or amendment (e.g. password control, firewalls, intrusion detection etc.); (iv) High level indication of physical security (premises, computer room etc) (c) Change Control (over application and operating systems, databases, networks and hardware); indication of change control process followed when making changes to the above data; (d) Business Continuity Procedures (i) Indication of disaster recovery process (ii) Indication of disaster recovery site (iii) High level indication of business continuity plan. 2. Credit Information Integrity and Accuracy More Specifically: (i) High level indication of key measures of match￾ing credit information to consumers; 294

(ii) High level indication of credit information qual￾ity process followed prior to loading data to the database; (iii) Indication of measures to remove credit infor￾mation from display at the expiration of the pre￾scribed data display period. 3. Processing Credit Information for purposes specified in law More specifically: High level indication of key measures to ensure that credit information will only be reported or released for purposes prescribed in the Act. Part D – Declaration I confirm that: (a) I am duly authorised to sign this report; (b) this report is to the best of my knowledge and belief accurate and complete; (c) appropriate methods have been implemented to ensure that the information in this report is accurate. ............................................................................................................ Name of Duly Authorised Officer of Applicant Credit Bureau ............................................................................................................ Signature of Duly Authorised Officer of Applicant Credit Bureau Form CB4 Quarterly Synoptic Report (Application Form CB4 is obtainable from the Central Bank of Lesotho) 295

SCHEDULE B (regulation 3(1)(f)) FEES Application Fee

1. The prescribed application fee in terms of section 14(1)(a) of the Act is 20 000 Maloti - (a) payable by each applicant upon application for registra￾tion as a credit bureau; (b) must be paid to the Central Bank upon submission of the application for registration or within 20 business days from receipt of notice from the Central Bank for pay￾ment of the application fee for applications already sub￾mitted; and (c) must be paid by cheque made out to the Central Bank or by electronic transfer to the bank account of the Central Bank. Initial Registration Fee
2. The prescribed initial registration fee in terms of section 14(1)(b) of the Act is 10, 000 Maloti - (a) payable by each registrant upon initial registration as a credit bureau; (b) must be paid to the Central Bank upon registration of the applicant as a credit bureau or within 20 business days from receipt of notice from the Central Bank for pay￾ment of the initial registration fee for an applicant already registered; and (c) must be paid by cheque made out to the Central Bank or by electronic transfer to the bank account of the Central 296

Bank. Annual Registration Renewal Fee 3. The prescribed annual registration renewal fee in terms of section 14(1)(c) of the Act is 5, 000 Maloti - (a) payable by each registrant annually for purposes of renewing registration as a credit bureau; (b) must be paid to the Central Bank upon renewal of regis￾tration or within 20 business days from receipt of notice from the Central Bank for payment of the annual regis￾tration fee for registration already renewed; and (c) must be paid by cheque made out to the Central Bank or by electronic transfer to the bank account of the Central Bank. GUIDELINES (regulation 8(1)) Guideline CB1 Guidelines for Annual Compliance Reporting Guideline and Explanatory Notes for the Certification of Annual Compliance Report Guide for Independent Auditors of Credit Bureau 297

SUMMARY Guideline in respect of the Certification of Annual Compliance Report This document constitutes guidelines issued by the Central Bank of Lesotho, in terms of Regulations issued in terms of the Credit Reporting Act, 2011. This guideline is intended for independent auditors of the registered credit bu￾reaus who by regulation are required to submit an annual compliance report which is certified by their independent auditors. This document provides guid￾ance and explanatory notes pertaining to the certification of an annual compli￾ance report, which must be submitted to the Central Bank of Lesotho on an annual basis. CONTENTS 1 Definitions 2 Introduction 3 General 4 Company Details 5 Section 1: Company Profile (only update if applicable) 6 Section 2: Data Integrity 7 Section 3: Dispute resolution 8 Section 4: Non-compliance 9 Section 5: Confidentiality of Information 10 Section 6: Declaration 298

1. Definitions “Act” - Credit Reporting Act, 2011 “CBL” - Central Bank of Lesotho “Credit record” - Any consumer record with one or more account, pay￾ment profile entry, adverse record, judgment, or default. With the ex￾clusion of any enquiries. “Credit report” - (direct to consumer) Report issued to consumer with or without charge which contains credit information. “Data supplier” - Any party who supplies credit information to a credit bureau, irrespective of whether there is a written contractual relation￾ship between the party and the credit bureau. Examples: credit providers, service providers, judgement information providers, information on-sellers etc. “Deemed valid dispute” - Where a change or correction on a credit record is required due to the prescribed investigation period that has lapsed. “Dispute” - Where investigation is required and feedback is expected. “ID fraud” - Identity fraud is a synonym for unlawful identity change. It indicates an unlawful and intentional misrepresentation by using the identity of another person or of a non-existing person as a target or principal tool. Identity fraud can occur without identity theft, as in the case where the fraudster has been given someone's identity information for other reasons but uses it to commit fraud, or when the person whose identity is being used is colluding with the person who is committing the fraud. “Information” - Credit information as defined in the Credit Reporting Act, 2011. “Juristic person” - Includes a partnership, association or other body of persons, corporate or unincorporated, or a trust if (a) there are three or more individual trustees; or (b) the trustee is itself a juristic person. 299

“Regulations” - Credit Bureau Regulations in terms of the Credit Re￾porting Act, 2011. “Service provider” - An entity that provides services to consumers or other entities. Such as a medical practitioner, a telecommunication serv￾ice provider etc. “The Act” - The Credit Reporting Act, 2011. “Valid dispute” - Where a change or correction on a credit record is required after investigation. Where a definition, within these guidelines does not coincide with that of the Act, in all instances the definition in the Act will supersede and take precedence over any definition provided within these guidelines. 2. Introduction This guideline applies to independent auditors of credit bureaus who have registered with the CBL. The guidance and explanatory notes have been com￾piled by the CBL to provide assistance to those responsible for certifying the Annual Compliance Report. This document provides guidelines on the annual compliance report that must be certified by an independent auditor for submission to the CBL. 3. General 3.1. Submission Time The annual compliance report must be submitted by the credit bureau to the CBL by the 15th March each year for the period 1 January to 31 December of the previous year. 3.2. Submission Procedure and Address The signed annual compliance report must be submitted in duplicate, with only one being signed as the original, together with an electronic version of the completed return. The signed copy and duplicate must be sent to: 300

The Central Bank of Lesotho Cnr Moshoeshoe & Airport Roads Maseru 100 Lesotho E-mail:…………………………………… If applicable, a nil return may be submitted in accordance with the above guide￾lines and procedures. 4. Company Details Name of registered entity: registered name. CBL Registration Number: unique registration number that is allocated to each credit bureau at registration by the CBL. Name of contact: is the person who completed/compiled the compliance report. Telephone and e-mail contact: telephone and e-mail contact details of the person who completed/compiled the annual compliance report. Year covered in return: the starting and ending dates pertaining to the relevant reporting period. 5. Company Profile (only update if applicable) 5.1. Material changes to company Any changes in ownership or directors; acquisition or disposal of major assets; relocation of business premises; etc. 6. Data Integrity 6.1. Key measures to verify the data accuracy (a) Obtain copy of policies and procedures in respect of any data received from any party, irrespective of whether there is an existing contractual relationship between the 301

party and credit bureau, implemented by a credit bureau to - (i) validate and verify the data accuracy before loading onto its database and sending off to other parties, such as consumers, subscribers etc.; (ii) validate and verify the data accuracy to avoid re￾loading or overriding previously rejected, removed or amended data; (iii) communicate with the suppliers whose data was rejected due to inaccuracy; or who have not been submitting data; (iv) monitor turnaround time for data correction and reloading previously rejected data etc.; (v) observe and interview the staff members who execute the tasks; and report on such findings. 6.2. Display Periods in terms of the Credit Information Reporting Stan￾dards set out in Schedule B to the Regulations In terms of assessing compliance the auditors are required to - (a) obtain copies of policies and procedures of full process flows and functions in each process, including opera￾tional resources and systems, which have been imple￾mented by the credit bureau to ensure compliance with the prescribed display periods; (b) observe and interview the staff members who execute the tasks; and report on such findings; (c) sample on the basis of 5% of population or 100,000 records of each category of display periods, whichever is the lesser, and automate tests; (d) on the basis of a sample, indicate the extent to which 302

credit information records, held by credit bureau, com￾ply with prescribed display periods; (e) obtain a list of all disputes lodged in the last 3 months of commencing the audit, and report on - (i) the percentage of disputes related to data display periods; (ii) the percentage of valid disputes related to data display periods; and (iii) provide reasons and explanations for non-com￾pliance with data display periods. 6.3. Non-displayable data in terms of the Credit Information Reporting Standards set out in Schedule B to the Regulations In assessing compliance, the auditors are required to - (a) obtain a list of fields displayed on the database; (b) compare the list of fields with that of the fields held on credit bureau databases; and report on the deviations if any. 6.4. Investigation of requests to correct information (a) obtain copies of policies and procedures of full process flows and functions in each process, including opera￾tional resources and systems, which have been imple￾mented by the credit bureau for the investigation of requests for correction of information by natural and juristic persons; (b) observe and interview the staff members who execute the tasks, and report on such findings. 303

6.4.1. Incorrect information is not repeatedly reflected on credit bureau (a) obtain copies of policies and procedures of full process flows and functions in each process, including opera￾tional resources and systems, which are implemented by the credit bureau to ensure that information which was previously rejected, removed or amended is not repeat￾edly reflected on the credit bureau database; (b) observe and interview the staff members who execute the tasks; and (c) report on such findings. 6.5. Combating or preventing ID fraud (a) obtain copies of policies and procedures of full process flows and functions in each process, including opera￾tional resources and systems, which have been imple￾mented by credit bureau to ensure that consumer records and information held on the credit bureau database are not unlawfully accessed by any other consumer or third party for possible fraudulent and/or other illegal activi￾ties; and (b) observe and interview the staff members who execute the tasks; and report on such findings. 6.6. Data security and confidentiality (a) obtain copies of policies and procedures of full process flows and functions in each process, including opera￾tional resources and systems, which have been imple￾mented by the credit bureau for keeping data, in any form and any source, confidential; (b) observe and interview the staff members who execute the tasks; and (c) report on such findings. 304

7. Dispute Resolution 7.1. Disputes in respect of credit records Agree the numbers with relevant supporting documents. 7.2. Valid disputes in respect to judgments Agree the numbers with relevant supporting documents. 7.3. Valid disputes where a particular credit agreement was reflected to the incorrect natural or juristic person Agree the numbers with relevant supporting documents. 7.4. Valid disputes where the credit report was reflected to the incorrect natural or juristic person Agree the numbers with relevant supporting documents. 7.5. Valid disputes where the amount reported in respect to a judgment was incorrect Agree the numbers with relevant supporting documents. 7.6. Valid disputes about information that must be erased Agree the numbers with relevant supporting documents. 7.7. Valid disputes about other instances Agree the numbers with relevant supporting documents.
8. Non- compliance 8.1 Problems and reasons of non-compliance Agree that the problems and reasons of non-compliance are reported accurately. 305

8.2 Resolutions Agree that corrective action plans are in place and have been agreed to at senior management level. 9. Confidentiality of Information 9.1 Enquiries done for prescribed purposes Provide and illustrate full process flows and functions in each process, includ￾ing operational resources and systems, which have been implemented by the credit bureau to ensure that credit information is being used for the prescribed purpose and that consumer consent, where applicable, has been obtained prior to accessing/releasing credit information. 10. Declaration This section confirms that the person who is authorised to sign off the Annual Compliance Report as an accurate reflection and truthful account of the content disclosed to the CBL, is so duly authorised. Guideline 2: Credit Bureau Quarterly Reporting CBL Central Bank of Lesotho 306

GUIDELINE CB2 Guideline and Explanatory Notes for Quarterly Synoptic Reporting Definitions; For the purposes of regulation 12 of these regulations requiring the submission of a quarterly synoptic report by a registered credit bureau, the following words, and phrases shall bear the meanings as set out below: “accounts in good standing” means accounts that are current or 1 to 2 months in arrears; “accounts with impaired record” means accounts that are 3 or more months in arrears, or accounts that have adverse listings, judgments, se￾questration order, liquidation order, rehabilitation order, or administra￾tion orders; “a consumer in good standing” means a consumer who may be a natu￾ral or a juristic person with all accounts in good standing; “a consumer with an impaired records” means a consumer who may be a natural or juristic person, with one or more accounts with an impaired record. “consumer” shall mean a natural or juristic person, who is the recipient of a credit product. “ credit product” shall mean a mortgage; vehicle and asset finance; unsecured credit loans; credit facilities; and telecommunications serv￾ices billed in arrears. “credit facility” shall mean the extension of credit as defined in the Act, and where the credit provider defers the obligation to pay for any part of the goods or services or any part of an amount extended; or bills peri￾odically for any part of goods or services or any part of an amount ex￾tended; and a charge, fee or interest is payable to the credit provider in respect of an amount deferred or billed periodically and not paid within the time provided in the agreement. 307

“juristic person” means a juristic person as defined in the Act with an￾nual turnover less than five million maloti. “mortgage” shall mean a pledge of immovable property that serves as se￾curity for a mortgage agreement. “outstanding book debt per credit product” shall mean the total out￾standing principal debt per credit product. “unsecured credit loan” shall mean the payment of a monetary amount, within the definition of the phrase “extension of credit” in the Act, and the deferment of the repayment of such monetary amount, which debt is not supported by any pledge, or other right in property or suretyship or any other form of security. “vehicle and asset finance” shall mean the extension of credit for pur￾poses of facilitating the purchase of a vehicle or other asset. Credit Information Reporting Standards Standards for the Filing, Maintenance, Retention, Display and Reporting of Credit Information

1. Display periods for credit information Credit information as per the following Table may be displayed and used for the purposes of credit assessment for a maximum period as indicated: Categories of Description Period for which Credit Information Information must be retained from date of commencement of the event
2. Details and results Number and nature 18 months of disputes/requests of complaints lodged lodged by consumers and whether complaint was rejected. No information may be displayed on complaints 308

that were upheld. 2. Enquiries Number of enquiries made 2 years on a consumer's record, including the name of the entity / person who made the enquiry and a contact person if available 3. Payment Profile Factual information 5 years pertaining to the Payment profile of the consumer 4. Adverse Information Qualitative information on 1 years consumer behaviour consumer behaviour 5. Adverse Information Classification related to 2 years enforcement action enforcement action by a credit provider 5. Civil court judgments Civil court judgments for The earlier of debt including default 5 years or until judgments the judgment is rescinded by a court. 7. Administration Orders As per the court order The earlier of 10 years or until order is rescind￾ed by a court 8. Sequestrations As per the court order The earlier of 10 years or until rehabilitation order is granted 9. Liquidations As per the court order Unlimited period 10. Rehabilitation Orders As per the court order 5 years 309

(1) The date of commencement of the event is the date on which the relevant order was given or the date on which the conduct occurred which re￾sulted in the listing; (2) Adverse classifications of consumer behaviour are subjective classifications of consumer behaviour, and include classifications such as “delin￾quent”, “slow payer”, “default”, ”absconded”, “not contactable”; (3) Adverse classifications of enforcement action are classifications related to enforcement action taken by the credit provider, including classifica￾tionssuch as “handed over for collection or legal recovery”, “legal action” or “write off”; (4) Payment profile refers to the consumer’s payment history in re￾spect of a particular transaction. (5) Any information not included in any category above may be dis￾played and used for purposes of credit assessment for a maximum period of two years. (6) Upon receiving a court order rescinding any judgment, a credit bureau must first verify the authenticity of such court order prior to removing the judgment from display in terms. 2. Maintenance of credit information by credit bureaux (1) Records of credit information must be maintained in accordance with the following standards - (a) identified by the consumer’s identity number or passport number, or where no identity number or passport num￾ber is available for a particular person, any other reasonable method to identify the record; (b) collected, processed and distributed in a manner that ensures that the records remain confidential and secure; (c) protected against accidental, unlawful destruction and unlawful intrusion; 310

(d) protected against loss or wrongful alteration, and (e) protected against unauthorised disclosure or access by any unauthorised person. (2) The credit bureau must take all reasonable steps to ensure that all records are kept up to date. (3) Credit information relating to the following subjects may not be contained on the records of the credit bureau: (a) race; (b) political affiliation; (c) medical status or history; (d) religion or thought, belief or opinion; (e) sexual orientation, except to the extent that such infor￾mation is self-evident from the record of the consumer’s marital status and list of family members; and (f) membership of a trade union, except to the extent that such information is self-evident from the record of the consumer’s employment information. 3. Right to access credit reports (1) Registered credit bureau must provide consumers with credit re￾ports on the following basis, one free credit report per annum and thereafter upon payment of the credit bureau’s reasonable fee. (2) The consumer request for a credit report must provide - (i) full names, date of birth and identity number; or passport number and date of birth if no identity number is available; (ii) If it is a personal request, the requestor should 311

provide proof of full names, date of birth and identity number by providing a copy of the national identity document, if the identity docu￾ment is unavailable, a copy of the passport and full birth certificate or a valid driver’s licence; (iii) If a request is made on behalf of another person, there must be proof of the capacity of the re￾questor, and explicit written instructions by the person in respect of whom the request is being made, authorising the requestor to make the re￾quest on his behalf, which instructions must be verifiable. Whenever a request is made on be half of another person, proof must be provided of both the requestor’s identity and the identity of the person on behalf of whom the request is being made. (3) The requestor must be provided with the opportunity to indicate the method of delivery of the credit report from options made available by the credit bureau; and how the requestor would like to be informed of the decision on the request, by written reply, fax or e-mail. (4) When a consumer requests a credit report, the report must dis￾close the same information that will be displayed to other parties when such re￾port is displayed. Printed by the Government Printer, P.O. Box 268, Maseru 100 Lesotho 312