Instruction No. 2018-01 on the Central Bank of Djibouti Risk Registry

CENTRAL BANK OF DJIBOUTI

INSTRUCTION NO. 2018-01 ON THE CENTRAL BANK OF DJIBOUTI RISK REGISTRY

The Governor of the Central Bank of Djibouti,

Having regard to Law No. 118/AN/11/6th L of January 22, 2011 establishing the Statutes of the Central Bank of Djibouti;

Having regard to Law No. 119/AN/15/7th L of July 16, 2016 establishing a credit information system;

Having regard to Law No. 119/AN/11/6th L of January 22, 2011 on the establishment and supervision of credit institutions and financial auxiliaries;

Having regard to Law No. 110/AN/11/6th L of May 25, 2011 on combating the financing of terrorism.

Having regard to Law No. 116/AN/ 11/6th L of January 22, 2011 on the establishment of Islamic Banks in Djibouti

Having regard to Law No. 112/AN/11 6th L of May 25, 2011 supplementing Law No. 196/AN/02/4th L on money laundering, confiscation, and international cooperation regarding proceeds of crime;

Having regard to Decree No. 94-89/PRE of July 12, 1994 on the prevention of offenses related to checks;

Having regard to Circular No. 01/BCD/2012 on the procedures and deadlines for transmitting documents to the Central Bank of Djibouti;

Having regard to Instruction No. 2011-07 on the accounting and reporting of doubtful debts;

Having regard to Book 3 of the Commercial Code on Corporate Rights;

Page 1 of 10

---

I. General Provisions

Article No. 1: Definitions:

For the purposes of this instruction, the following terms shall mean:

• Participating or reporting institutions: also referred to as reporting institutions, refer to credit institutions, microfinance institutions, and where applicable, public or private entities or companies participating in the credit information system.
• Customer identification: refers to data allowing the identification of a natural or legal person.
• Credit information or information(s): information including personal data concerning, in particular, credit history, payment history of a natural or legal person under private, public, or parastatal law, solvency, borrowing or repayment capacity, all credit risks, loan volume, maturity, terms and conditions, repayments, guarantees, and all other commitments or data of a financial, service, or payment nature not necessarily linked to a loan, which allow assessing at any time the financial situation, exposure to financial risks, and probability of payment performance of any concerned natural or legal person.
• Credit or solvency report: any communication of credit information made by the Risk Registry, in written or electronic form or any other manner allowing identification of a borrower, their detailed history illustrating how they manage credits, any defaults, the list of entities that have requested information on their credit file, interest rates applied to credits granted to them, and various other elements of interest to a lender. The credit report is also usable to define their capacity to repay loans or pay all financial commitments undertaken.
• International financial institutions: Institutions whose activity on the territory is authorized by treaties, agreements, or conventions to which the Republic of Djibouti is a party.
• Foreign public aid or cooperation institutions: Institutions whose activity on the territory is authorized by treaties, agreements, or conventions to which the Republic of Djibouti is a party.
• Central Bank Risk Registry: the set of computerized applications made available to it to manage credit information transmitted by reporters.
• Credit outstanding or financial outstanding: the amount effectively made available to the borrower, net of related repayments and excluding accrued interest. It notably includes disbursed credits, including credits granted from public or private allocated funds, and signature credits.

Page 2 of 10

---

• Residents: agents having their center of economic interest on the territory of the Republic of Djibouti are considered residents. Agents having their center of economic interest outside the national territory are considered non-residents.
• Central Bank: refers to the Central Bank of Djibouti, a public institution with legal personality and administrative and financial autonomy.
• Adverse action: any refusal or cancellation of credit or unfavorable change in the terms and conditions of a transaction concerning a loan or service contract, involving a natural or legal person.
• Public data: data crucial to the quality of the Risk Registry that must eventually be provided to the database thus constituted, such as the balance sheet, the business reference database, commercial registry data, and other similar databases that are very important for its completeness.
• Clients or subjects of information: the consumer or borrower, a natural person or in a business relationship with a reporting institution.
• Sensitive data: data whose communication to users is prohibited.
• User: any natural or legal person using the Risk Registry.
• Consent: any explicit manifestation of free, specific, and informed will by which the concerned person accepts that data concerning them be processed.

Article No. 2: Purpose

This instruction aims to establish the legal framework for the creation, operation, and oversight of the activities of the Central Bank of Djibouti Risk Registry. It also seeks to regulate the sharing of credit information and related operations. It is based on the key principles of reciprocity, confidentiality, and the explicit and prior consent of the concerned natural persons. The instruction places notable emphasis on protecting consumer rights, with particular focus on the principles of access, rectification, and updating of information concerning them.

This instruction applies to entities supervised by the Central Bank, hereinafter referred to as reporting institutions. It defines the procedures for transmitting credit information from their respective clients, as well as its processing and utilization at the Central Bank Risk Registry, abbreviated as the Risk Registry or CdR.

Article No. 3: Delegation of the Risk Registry

The Central Bank of Djibouti is authorized to delegate or entrust all or part of the management or operation of the credit information system to an entity it authorizes, under conditions it shall define by instruction.

Page 3 of 10

---

Article No. 4: Participating or Reporting Institutions

Under Law No. 119/AN11/7th L, all entities supervised by the Central Bank of Djibouti are considered participating or reporting institutions.

2- The reporting institutions are listed as follows:

1- Banks 2- Financial companies 3- Microfinance institutions 4- Specialized financial institutions such as leasing companies, SME/SMI guarantee funds, and the Djibouti Economic Development Fund 5- Other specialized financial companies to be defined by an instruction from the Governor of the Central Bank. 6- The Central Bank also authorizes the participation of international financial institutions and foreign public aid or cooperation institutions whose activity on the territory is authorized by treaties, agreements, and conventions to which the Republic of Djibouti is a party. 7- Or any other entity approved by the Central Bank

II. Conditions and Practical Modalities for Data Communication by Participating Institutions

Article No. 5: Obligation to Report

Participating institutions are required to individually report to the Central Bank Risk Registry, according to the nature of the data, the following identification data:

➢ For enterprises:

• Company name or trade name
• Address and contact details including telephone number
• Commercial registry number
• Tax identification number
• Full name and identification number of shareholders holding a minimum of 10% or more participation in the company
• Other information prescribed by the Central Bank of Djibouti.

➢ For individuals:

• Full name
• Mother's names
• Date of birth
• Address and contact details including telephone number
• Tax identification number
• Identification number for residents
• Passport number for non-residents
• Gender

Page 4 of 10

---

• Professions
• Employer information
• Other information prescribed by the Central Bank of Djibouti

➢ For credit accounts:

• Credit file identification number
• Credit outstanding
• Approved credit limit
• Account type
• Credit maturity
• Client rating
• Credit contract date
• Economic activity code
• Information on guarantees and securities as well as the value of the guarantee
• Country code
• Other information prescribed by the Central Bank of Djibouti

➢ Credit categories used in the Risk Registry

The credits used are grouped according to their initial duration and nature defined by current accounting rules under the following categories:

1- Short-term credits: These are credits with a maximum maturity of one (1) year. They comprise current debit accounts, advances on contracts, and other advances. 2- Medium and long-term credits: These are credits with a maturity exceeding one (1) year. They comprise equipment credits, housing credits, and other credits. 3- Off-Balance Sheet: These are signature commitments such as documentary credit openings, customs guarantees, market guarantees, and other guarantees.

Article No. 6: Obligation to Obtain a Credit Report

All participating institutions that provide information under this instruction (previously cited) are obligated to obtain a credit report from the Risk Registry before granting a new loan, renewing, or refinancing an existing loan.

Article No. 7: Access Codification

Access to the Risk Registry by its users must be subject to rigorous security measures.

The application procedures for security devices concern:

✓ User identification and their access rights ✓ The official request for registration, user replacement, or modification of access rights must be submitted to the Central Bank of Djibouti.

Page 5 of 10

---

✓ Password customization and management by the user.

Any participating institution must have at least two Risk Registry users with different access codes that must be deactivated upon any change of user.

Each reporting institution must take all necessary measures to secure and retain said access codes. It is responsible for any abusive or unauthorized use contrary to the instruction under review.

Article No. 8: Reporting Periodicity

Reports are submitted on a monthly basis. The reported data is finalized on the last business day of each month and must reach the Central Bank, on any electronic transmission medium as provided by Circular No. 01/BCD/2012 on the transmission of periodic statements, no later than the tenth (10) day of the month following the accounting statement cutoff.

Article 9: Responsibilities

The reporter is responsible to the Central Bank, borrowers, and third parties for the accuracy, completeness, and consistency of the information they transmit, as well as for the security of the transmission procedures. The same applies to the protection, retention, and transmission of data they receive from the Risk Registry under applicable legislation.

III. Duration of Reporting and Conditions for Consulting the Risk Registry

Article No. 10:

The Central Bank of Djibouti makes credit or solvency reports available to participating institutions, containing the amounts of assistance registered in the name of each beneficiary who has been reported, as well as other complementary information, notably the existence or non-existence of repayment incidents during the last two years.

The accessibility of subject institutions to the Risk Registry services is conducted via the internet through their internal management system.

Article No. 11: Reason for Consultation

For each individual consultation, the reporting institution must state the reason for the consultation: granting credit to a new client, renewing credit to a client, managing an ongoing credit, or other reason.

Page 6 of 10

---

IV. Procedures for Retention, Reporting, Archiving, and Destruction of Data Transmitted to the Risk Registry

Article No. 12: Credit Data Retention Period

Information collected on credit as well as all data and documents used to produce it must be retained in named form for a period of five (5) years by the Risk Registry, starting from the date they are made available by the reporting institutions.

Article No. 13: Use of Retained Information

Negative information regarding clients of participating institutions cannot be traced in their solvency reports upon expiration of the data retention period.

Article No. 14: Archiving of Credit Data

The information and documents referred to in Article 12 must be archived for an additional period of five (5) years by the Risk Registry upon expiration of the retention period to respond to Central Bank requests or serve as proof.

The Central Bank takes appropriate security measures to prevent any unauthorized access to archived data.

Article No. 15: Destruction of Credit Data

Upon expiration of the retention and archiving periods, the information and documents referred to in Article 14 as well as all data in electronic format used to produce them must be automatically deleted by the Risk Registry from all electronic media on which they were recorded.

Physical documents produced from these data must also be destroyed upon expiration of their retention and archiving periods.

V. Various Obligations and Rights

Article 16: Right to Be Informed

The reporting institution must, in advance, obtain the borrower's written consent authorizing it to communicate to the Risk Registry information concerning them that is accessible and consultable by other credit institutions.

The reporter must inform the borrower of their rights and responsibilities listed below:

• At any time, the borrower, through the reporter, has the right to consult said information and, where applicable, request through them the rectification of information concerning them in accordance with the procedure provided for this purpose,

Page 7 of 10

---

• The borrower remains responsible for the accuracy of the information they provided and may be held civilly and criminally liable for providing false information,
• Information concerning the borrower expressly mentioned or not in this instruction is protected by confidentiality rules and professional secrecy.

Article No. 17: Right of Access to Personal Data

The applicant exercises their right of on-site or remote access free of charge once per year. Their request shall be granted without delay.

A copy of the data concerning them, conforming to the content of the processing, shall be issued to the interested party upon request.

Article No. 18: Abusive Access Requests

The Central Bank may oppose manifestly abusive requests from the public, particularly due to their volume, repetitive, or systematic nature. In case of dispute, the burden of proof regarding the manifestly abusive nature of the requests lies with the responsible party to whom they are addressed.

Article No. 19: Right of Rectification

Any person may demand the rectification of personal data concerning them that they deem inaccurate, incomplete, ambiguous, or outdated within fifteen days following the date of obtaining them. This right of rectification may only be exercised on condition that the person invoking it provides the Central Bank with all necessary supporting documents for this purpose.

When requested by the interested party, the Central Bank must justify, free of charge to the applicant, the necessary rectifications if the data prove to be inaccurate and inform the interested party, communicating this rectification to the Risk Registry.

In case of dispute, the burden of proof lies with the responsible party to whom the right of access is exercised, unless it is established that the contested data were communicated by the interested party or with their consent.

If the Central Bank has transmitted data to a third party, it must notify them without delay of the operations performed on said data.

Article No. 20: Rules and Procedures for Handling Complaints

The borrower may send a written request for correction to the Central Bank. Within five days of receiving the request, the Central Bank is obligated to contact the reporting institution to follow up on the complaint. The reporting institution must comply with the request and respond to the Central Bank within 10 days.

Page 8 of 10

---

If the reporting institution agrees to completely or partially correct the information, a corrected credit report must be sent to the Risk Registry. The Central Bank must then provide this new credit report to the borrower. If the latter is not entirely satisfied, they must justify their disagreement with the Central Bank and have the right to incorporate and alert the Central Bank. If the reporting institution fails to respect the correction procedures within the allotted time, the Central Bank will verify the credit report file until a final solution (private agreement or judgment) is reached.

Article 21: Professional Secrecy

Persons participating in the management, administration, control, and operation of the Risk Registry are bound by professional secrecy.

It is prohibited for suppliers as well as users of information to use confidential information they have acquired in the course of their activity to directly or indirectly carry out operations for their own account or for the benefit of third parties.

VI. Security Measures of the Risk Registry

Article No. 22:

The Central Bank, through its Risk Registry management unit, protects the confidentiality of credit information and only discloses this information:

• to participating institutions for reasons limited by Law No. 119/AN/16/7th L
• to natural or legal persons
• to courts and tribunals in cases authorized by law
• to authorized public authorities or provided for by decree

Article No. 23:

The unit in charge of the Risk Registry is required:

• to have an information security incident management framework to address them appropriately and contain their impact;
• to implement prevention, detection, and correction measures to protect the information system against malicious software;
• to ensure that terminals accessing their systems are secured;
• to ensure that each system administrator, user, and data provider and their personnel have a unique account as well as access rights to information systems according to their duties;
• to have a backup policy that guarantees the integrity of data backups on appropriate media, regular restoration tests, and the offshoring of backup media within national territory.

Page 9 of 10

---

VII. Sanctions

Article No. 24:

Any violation of this Central Bank instruction shall be sanctioned in accordance with Article No. 27 of Law No. 119/AN/16/7th L on the credit information system.

The Central Bank imposes sanctions on participating institutions when they:

➢ fail to adopt necessary security measures to protect data against unauthorized access or misuse; ➢ fail to update declarations to the Risk Registry within the allotted deadlines; ➢ do not respect the confidentiality limits imposed by this regulation; ➢ do not apply and respect borrowers' rights.

Article 25: Entry into Force

This Central Bank instruction takes effect on the date of its signature.

M. AHMED OSMAN

[Stamp: CENTRAL BANK OF DJIBOUTI - The Governor - REPUBLIC OF DJIBOUTI]

Page 10 of 10