Credit Information System Regulation

MALDIVES MONETARY AUTHORITY Malé, Maldives CREDIT INFORMATION SYSTEM REGULATION

FIRST CHAPTER INTRODUCTION

These are regulations to determine the entities required to participate in the Credit Information System established by the Authority, the measures to be taken to maintain the confidentiality of the information entered into that system, and other matters related to the operation of the system.

1. Title and Commencement (1) These are regulations drafted under the authority granted by Article 24(1)(a) of Law No. 6/81 (Maldives Monetary Authority Act 1981) and Article 37(1)(b) and Article 66(1)(d)(5) of Law No. 24/2010 (Banking Act of the Maldives). (2) These regulations shall be known as the "Credit Information System Regulation". (3) These regulations shall come into effect from the date of publication in the Government Gazette.

2. Commencement of Application Where no other meaning is explicitly defined by a phrase or word used in these regulations, the phrases and words below shall be interpreted as defined below.

3. Interpretation "Authority" refers to the Maldives Monetary Authority established under Law No. 6/81 (Maldives Monetary Authority Act 1981). (1) "Credit" refers to loans and other forms of debt where money must be repaid at a later date. The following types of credit are excluded: (1) Credit issued by one financial institution to another financial institution; (2) Credit issued to the Government of Maldives, a department of the Government of Maldives, a foreign government, or an international organization; (3) Credit issued by a company to its subsidiary or holding company; (4) Credit issued to employees of an entity by that entity, excluding credit issued to non-employees; (5) Other credit determined by the Authority. (2) "Credit Agreement" refers to an agreement between a party providing credit information and another party for the purpose of issuing credit. (3) "Credit Application" refers to a submission made to a party providing credit information in request of obtaining credit. (4) "Party Providing Credit Information" refers to any party specified in Article 4(1) and any party included in the system under Article 4(5). (5) "Credit Information Report" refers to a report generated by the system based on information entered into the system by parties providing credit information. (6) "Council" refers to an Atoll Council, Island Council, or City Council as specified in Law No. 7/2010 (Local Government Act of the Maldives). (7) "Data Subject" refers to the following parties, and includes close relatives who may become such parties in the future: (1) A party who has submitted a credit application; (2) A party to a credit agreement; or (3) A guarantor of a credit agreement. (8) "Financial Institution" refers to the definition given to Financial Institution in Law No. 6/81 (Maldives Monetary Authority Act 1981). (9) "Guarantor" refers to a party who has given or offered to give a guarantee, security, or assurance of obligation related to a credit agreement. (10) "Party" includes natural persons and legal persons. (11) "Self-Inquiry Report" refers to a report containing personal information and credit information of a party, generated by the system without request from any other party. (12) "System" refers to the Credit Information System specified in Article 4(1) of these regulations.

SECOND CHAPTER CREDIT INFORMATION SYSTEM

4. Credit Information System (1) The Credit Information System operated by the Authority at the time these regulations come into effect is considered a system established and operated under Article 24(1)(a) of Law No. 6/81 (Maldives Monetary Authority Act 1981) and Article 37(1)(b) of Law No. 24/2010 (Banking Act of the Maldives). (2) The following institutions must participate in the system: (1) Banks operating with a license issued by the Authority; and (2) Financing companies operating with a license issued by the Authority. (3) Banks and financing companies participating in the system at the time these regulations come into effect are considered parties participating in the system under Article 4(2). (4) Institutions established after these regulations come into effect, as specified in Article 4(2), must participate in the system within 3 (three) months from the date they commence business, or within an extended period if granted by the Authority. (5) Any party wishing to participate in the system may submit a written application to the Authority. Such applications must be submitted using the form specified on the Authority's website, along with the documents specified in that form. (6) The following parties may apply to participate in the system: (1) Insurance companies issuing credit among those licensed by the Authority; (2) Companies providing telecommunications services for credit; (3) Companies providing utility services for credit; (4) Government ministries, departments, and councils that issue credit to the public or a segment of the public; (5) Departments selling land, apartments, or buildings on credit terms; and (6) Other legal persons providing goods and services to the public on credit. (7) Upon receiving an application to participate in the system under Article 4(6), the Authority may decide to include the applicant in the system with or without specific conditions, or reject the application. (8) An applicant shall not be included in the system if the requirements specified below are not met: (1) The Authority must determine that the applicant's operations meet the standards set by the Authority and other additional criteria; and (2) The Authority must be satisfied that including the applicant in the system serves the public interest. (9) The Authority shall determine the specific information that parties participating in the system under Article 4(2) may access from the information in the system. (10) The Authority may determine whether to grant access to information in the system for parties participating under Article 4(6), or to grant access to specific information. Different institutions may be granted access to different information. (11) Personal and credit information entered into the system by parties participating in the system at the time these regulations come into effect is considered information entered into the system under these regulations. (12) Parties providing credit information must comply with the System's Operating Rules, Code of Conduct, and other directives issued by the Authority. (13) The Authority shall not be liable for any information in the system regarding any data subject if the information is incorrect, incomplete, or not up-to-date due to the actions or omissions of the party providing credit information.

5. Personal Information The following information is considered personal information regarding an individual data subject: (1) The person's full name and any previous names (including other names by which they are addressed); (2) The person's date of birth; (3) The person's permanent address and current residential address; (4) Phone numbers associated with the person; (5) The person's National Identity Card number and other identification numbers issued for tax purposes; (6) The person's employment status, occupation, and economic sector if employed or engaged in other activities; and (7) Other information determined by the Authority.

The following information is considered personal information regarding a data subject that is not an individual: (1) The name of the data subject, the type of institution it is, and its registration number assigned by the relevant institution; (2) The location where the data subject conducts activities, the main location if conducting activities in multiple places, and the registered address if it is a legal person; (3) Phone numbers, email addresses, and fax numbers associated with the data subject; (4) Numbers issued by the Maldives or other countries' relevant institutions for tax purposes to the data subject; (5) The economic sector in which the data subject is active; and (6) Other information determined by the Authority.

6. Credit Information The following is considered credit information regarding a credit application, existing credit agreement, or a data subject acting as a guarantor: (1) The amount of credit, the maximum credit amount that can be drawn, the currency in which this amount is determined, and the conditions set for issuing or repaying the credit, including the type and duration of the credit application or agreement; (2) The type, duration, amount, and valuation details of any guarantee, security, or assurance of obligation given or promised; (3) Interest rates, service charges, or finance charges payable; (4) A specific number assigned by the party providing credit information to the credit application, credit agreement, or data subject; (5) Details of the securitization of the agreed credit; (6) Changes to the type, duration, or guarantees/security/assurance of obligation related to the credit agreement; (7) Submissions or arrangements made regarding debts payable under the credit agreement or related guarantees/security/assurance; (8) Other information regarding the fulfillment of obligations under the credit agreement or related guarantees/security/assurance; and (9) Other information determined by the Authority.

THIRD CHAPTER SUBMISSION OF INFORMATION TO THE SYSTEM AND ACCESS

7. Submission of Information to the System Every party providing credit information must submit personal and credit information regarding credit applications submitted to them, credit agreements entered into, and data subjects, in the format and within the timeframes specified by the Authority or in the System's Operating Rules. (1) Every party providing credit information must ensure that all information submitted to the system is accurate, complete, and up-to-date, in accordance with the guidelines specified in the Operating Rules, at the time of submission and continuously thereafter. (2) Every party providing credit information must update the information submitted to the system promptly as directed by the Authority. (3) If parties providing credit information become aware that information submitted to the system is incorrect, incomplete, contains errors, or is not up-to-date, they must correct and rectify such information. (4) If the Authority determines or finds that there are reasons to believe that information submitted by parties providing credit information is incorrect, incomplete, not up-to-date, contains errors, or was not submitted in accordance with the Operating Rules or Authority directives, measures specified in Article 16 may be taken against such parties.

8. Obligation to Inform Data Subjects Parties providing credit information must inform data subjects that their credit applications and credit agreements will be submitted to the system.

9. Mandatory Extraction of Credit Information Report Every financial institution among the parties providing credit information must extract a Credit Information Report from the system before issuing, restructuring, renewing, or increasing credit.

10. Access to Information in the System Parties among the parties providing credit information who have access to information in the system may access the following information in the system: (1) Information regarding the party who submitted a credit application to that party; (2) Information regarding a party offering to provide a guarantee, security, or assurance of obligation related to a credit application submitted to that party; (3) Information regarding a party who is a data subject to a credit agreement entered into with that party, under the circumstances specified below: (1) If the data subject requests a change to the type or duration of a guarantee, security, or assurance of obligation related to the credit agreement, or from another party providing credit information; or (2) If the data subject has not fulfilled any obligations under the credit agreement or related guarantees/security/assurance, and the breach has not been rectified. (4) Information in the system regarding credit agreements entered into by that party.

11. Permissible Uses of Information in the System Credit reports or other information extracted from the system by parties providing credit information may only be used for the following purposes: (1) Verifying the accuracy of information included in or provided with a credit application; (2) Evaluating risks in issuing credit to a data subject or obtaining a guarantee, security, or assurance of obligation from them; (3) Evaluating risks in changing the type or duration of a guarantee, security, or assurance of obligation related to a credit agreement; (4) Monitoring breaches of conditions in a credit agreement or related guarantees/security/assurance and ensuring rectification; (5) Evaluating submissions or arrangements regarding debts of a data subject who has requested such action; and (6) Analyzing the credit portfolio of the party providing credit information. (2) Parties providing credit information shall not access, extract, or use information from the system for any purpose other than those specified in Article 11(1).

FOURTH CHAPTER CONFIDENTIALITY AND SECURITY OF INFORMATION

12. Confidentiality Every party providing credit information must maintain the confidentiality of Credit Information Reports and other information extracted from the system. Such reports or information shall not be disclosed directly or indirectly to any other party without the written permission of the data subject to whom the report or information relates. (1) Credit Information Reports or other information extracted from the system shall not be disclosed by any director, employee, consultant, agent, or any other person with access to such information, or any person holding such positions at any time, to any party. (2) No exemption shall apply to the non-disclosure of information specified in Article 12(1) and (2) regarding information that was previously generally available. (3) The provisions of Article 12(1) and (2) shall be exempted if information is disclosed as follows: (1) With the permission of the data subject; (2) Disclosure to the court for criminal or civil proceedings; or (3) Disclosure as ordered by the court. (4) Every party providing credit information must take appropriate measures to ensure that Credit Information Reports and other information extracted from the system are disclosed only to relevant employees and those who must know, and must implement necessary internal controls.

13. Measures to be Taken Regarding Reports Extracted from the System Every party providing credit information must maintain records of Credit Information Reports and other information extracted from the system. Appropriate internal controls must be established and implemented to secure Credit Reports and other information against the following: (1) Loss or unauthorized access; (2) Use for purposes other than those permitted by these regulations; (3) Disclosure except in circumstances permitted by these regulations; and (4) Alteration.

FIFTH CHAPTER OTHER MATTERS

14. Dispute Resolution System Every party providing credit information must establish a system to fairly and promptly review and resolve complaints submitted by data subjects regarding information submitted to the system. (1) If the Authority considers that the system established under Article 14(1) by a party providing credit information is not fair or prompt in reviewing and resolving complaints, the Authority may direct that system to be rectified. The party providing credit information must act in accordance with the Authority's direction. (2) When contact is established with the data subject, and at any time requested by the data subject, the party providing credit information must provide the data subject with the following information: (1) Information regarding the data subject's rights to seek resolution for complaints; and (2) Information regarding the process of reviewing and resolving complaints by the party providing credit information. (3)