Credit Reporting Regulations 2020

L.I. 2394

CREDIT REPORTING REGULATIONS, 2020

ARRANGEMENT OF REGULATIONS

Regulation

Preliminary Provisions

1. Purpose
2. Application

Standards for Data Submission 3. Policies and procedures 4. Submission of data to credit bureaus 5. Data quality requirements

Standards for Privacy and Data Security for Credit Bureaus 6. Credit bureau to ensure integrity and protection of data 7. Confidentiality of credit information 8. Controls and security measures to be taken by credit bureaus 9. Processing of data submitted by data providers 10. Outsourcing 11. Access to data by the Bank 12. Submission of returns to the Bank

Additional Data Sources for Credit Bureaus 13. Designation of other sources as data providers 14. Responsibilities of a designated data provider

Credit Information Subjects Access to Credit Reports 15. Access to credit report by credit information subject

Corporate Governance Standards for Credit Bureaus 16. Overall responsibility of the Board 17. Oversight responsibility 18. Qualification of members of the Board 19. Composition of the Board 20. Meetings of the Board 21. Requirements for appointments or change in membership

Usage of Credit Reports 22. Access to credit reports

---

L.I. 2394 2

CREDIT REPORTING REGULATIONS, 2020

Dispute Resolution Process 23. General provisions on dispute resolution 24. Responsibilities of credit bureau 25. Responsibilities of data providers and credit report recipients 26. Responsibilities of credit information subjects

Miscellaneous Provisions 27. Guidelines, rules or directives 28. Failure to submit data 29. Breach of privacy and secrecy principles 30. Failure to conduct a credit search 31. Failure to provide information to the Bank 32. Failure of director or officer to ensure compliance 33. Other breaches 34. Interpretation

---

3 L.I. 2394

CREDIT REPORTING REGULATIONS, 2020

In exercise of the power conferred on the Minister responsible for Finance and Economic Planning by section 60 of the Credit Reporting Act, 2007 (Act 726) and on the advice of the Bank of Ghana, these Regulations are made this 10th day of December, 2019.

Preliminary Provisions

Purpose

1. The purpose of these Regulations is to (a) set standards for the safety and security of credit information; (b) designate additional sources of data for credit bureaus as data providers, and (c) provide for rules and guidelines for credit reporting activities in line with international best practices.

Application 2. These Regulations apply to (a) credit bureaus; (b) financial institutions; and (c) a person that is permitted to provide data or have access to credit information by (i) credit bureaus, (ii) data providers, or (iii) authorised users subject to these Regulations.

Standards for Data Submission

Policies and procedures 3. (1) A data provider shall develop and implement written policies and procedures to ensure accuracy and integrity of customer information submitted to credit bureaus. (2) The policies and procedures referred to in subregulation (1) shall be appropriate to the (a) nature, (b) size, (c) complexity, and (d) scope of the activities of each data provider.

---

L.I. 2394 4

CREDIT REPORTING REGULATIONS, 2020

Submission of data to credit bureaus 4. Subject to the requirements specified in sections 24 and 25 of the Act, a data provider shall submit data to credit bureaus in accordance with the following principles: (a) a data provider shall ensure that data submitted conforms to the prescribed Credit Reporting Data Format of the Bank; (b) a data provider shall provide updates of credit information on a monthly basis in accordance with subsections (1) and (3) of section 24 of the Act and in the case of a final settlement of a loan or at the request of a customer for a repayment update, within seventy-two hours of the payment; (c) a data provider shall ensure that credit information supplied is accurate, complete and up-to-date, in accordance with the relevant update cycle; (d) a data provider ensure that an update is made in accordance with directives issued by the Bank and in the case of a monthly update, the data shall be submitted not later than the 15th day of each month or as may be specified by the Bank; (e) a data provider is accountable for any incorrect information transmitted to a licensed credit bureau; and (f) a data provider is liable for any claim from consumers regarding gross negligence or reckless behaviour that results in the submission of erroneous information resulting in an unfavourable consequence against the consumer.

Data quality requirements 5. (1) A data provider shall ensure that the data submitted to a credit bureau about a credit information subject (a) reflects the terms of and the liability of the account or other relationship; (b) reflects credit facility performance and other conduct with respect to the account of the credit information subject; (c) uniquely identifies each record of data submitted to credit bureaus; and (d) is accurate, comprehensive and up-to-date.

---

5 L.I. 2394

CREDIT REPORTING REGULATIONS, 2020

(2) Where a data provider submits erroneous data under subregulation (1), the data provider shall ensure that the erroneous data submitted under subregulation (1) is corrected and updated within seventy-two hours after the identification of the error.

Standards for Privacy and Data Security for Credit Bureaus

Credit bureau to ensure integrity and protection of data 6. (1) A credit bureau shall ensure the integrity of the database of the credit bureau. (2) A credit bureau shall take steps to prevent (a) misuse or unauthorised access to the database, and (b) data loss or data corruption. (3) For purposes of subregulation (2), a credit bureau shall, in addition to any cyber security directives issued by the Bank, (a) maintain systems, processes and procedures to ensure data recovery and disaster plans in order to prevent data loss or data corruption; (b) restrict access of authorised users to the database of the credit bureau; (c) establish adequate mechanisms to ensure that data is used only for permissible credit bureau activities or other lawful purposes; (d) establish controls and procedures to be applied when data providersor authorised users seek access to credit reports; (e) maintain logs of accesses, amendments and audit trails; (f) review, on a regular basis, (i) patterns of usage of the information systems of credit bureaus, and (ii) password controls of relevant personnel of credit bureaus, data providers and other authorised users with a view to detecting and investigating any unusual or irregular patterns of access or use; (g) organise workshops on good security practices for authorised representatives of data providers and other authorised users; and

---

L.I. 2394 6

CREDIT REPORTING REGULATIONS, 2020

(h) develop operational guidelines, disciplinary and contractual procedures in relation to (i) the improper use of access, (ii) unauthorised entry to the credit bureau database, or (iii) the interception of communications made to and from the credit bureau database for use by personnel of credit bureaus, data providers or other authorised users. (4) A credit bureau shall, within seventy-two hours after the detection of an error in data, correct the error and establish adequate mechanisms to ensure that authorised users that have accessed the information in the last three months preceding the detection of the error are informed of the update or correction. (5) Where a credit bureau is responsible for an inaccuracy in a credit information report or any other report, the credit bureau is liable for any loss suffered by the credit information subject.

Confidentiality of credit information 7. (1) A credit bureau shall protect the confidentiality of customer information received in accordance with these Regulations and any other relevant law and shall only report or release the customer information in accordance with the Act and these Regulations. (2) Except as otherwise provided for in the Act, a director, member, officer or any other employee or agent employed in the business of a credit bureau or a data provider or an authorised user shall not disclose any credit information unless the disclosure is permitted by law. (3) The obligation not to disclose credit information shall continue to apply even after the termination of tenure, employment or relationship with the credit bureau, data provider or authorised user. (4) A director, member, officer or other employee or agent of a credit bureau or an authorised user who unlawfully or without the authority of the credit bureau discloses credit information to an unauthorised person is liable to pay an administrative penalty of not more than five thousand penalty units and in the case of a continuing breach, to an additional penalty of not more than five hundred penalty units for each day on which the breach continues.

---

7 L.I. 2394

CREDIT REPORTING REGULATIONS, 2020

(5) A credit bureau shall not (a) transfer a database, directly or indirectly, physically or otherwise, or (b) give access to a database that contains credit information to any person or entity other than the Bank or an authorised user. (6) Where a credit bureau is required to give access to the database of the credit bureau to a consultant or a technical partner for purposes specified in the Act, the consultant and technical partner (a) are contractually bound to observe the duties of confidentiality imposed on the credit bureau under these Regulations; and (b) shall enter into agreements to enforce the duties of confidentiality.

Controls and security measures to be taken by credit bureaus 8. (1) A credit bureau shall manage a system that restricts access to (a) the operational resources and information, and (b) the premises of the credit bureau. (2) A person who has authorised access to a credit bureau shall restrict the access of an employee to system information and resources based on assigned roles and on a need-to-know basis. (3) A credit bureau shall not allow a person who has authorised access to the credit bureau system to use shared user accounts. (4) A credit bureau shall ensure that each system user is uniquely and actively identifiable in the active directory of the credit bureau. (5) A credit bureau shall protect the website of the credit bureau from application-based hacking attempts by (a) securing the application code, and (b) utilising an application security system that monitors and controls incoming and outgoing traffic based on predetermined security rules in the nature of a web application firewall. (6) A credit bureau shall encrypt network traffic that includes identification details in the nature of a username and password. (7) The process of authenticating a web-based system shall entail the use of a secured web protocol to encrypt the medium between the user and the credit bureau server.

---

L.I. 2394 8

CREDIT REPORTING REGULATIONS, 2020

(8) Encryption algorithms shall be standard and of proven reliability in a manner that they do not enable key extraction or keyless encryption. (9) A credit bureau shall implement a solution to ensure the availability of the systems of the credit bureau and prevent connectivity interruptions. (10) A credit bureau shall protect the system of a credit bureau against attacks and shall implement the following minimum security measures: (a) prevent Structured Query Language injection attacks; (b) check the inputs received and process them only after validation; (c) prohibit password saving in system code; (d) ensure session management; (e) enforce authentication between users and system components; (f) implement a mechanism for temporary access lockout in case of consecutive failed login attempts within a brief duration; (g) ensure permission management; (h) ensure system management; (i) secure database access; (j) prevent the saving of sensitive information at the end-station; and (k) handle errors. (11) A credit bureau shall ensure that activities executed in a credit bureau system, including security activities, are logged and kept securely.

Processing of data submitted by data providers 9. (1) A credit bureau shall ensure that the credit bureau maintains reasonable security and control measures in order to avoid unauthorised access or improper use or mismanagement of information. (2) A credit bureau shall take necessary precautions to ensure that credit information received or collected is properly and accurately (a) recorded, (b) maintained, (c) collated, (d) synthesized, or (e) processed within the period specified by the Bank.

---

9 L.I. 2394

CREDIT REPORTING REGULATIONS, 2020

(3) A credit bureau shall adopt reasonable procedures to ensure that data is updated at least once every calendar month or as may be determined by the Bank.

Outsourcing 10. (1) A credit bureau that proposes to enter into a technical and management service agreement or arrangement shall (a) formalise the agreement or arrangement in writing, and (b) submit a copy of the agreement or arrangement to the Bank for prior approval. (2) Where a credit bureau makes a renewal or an amendment to an existing technical and management service agreement or arrangement, the credit bureau shall submit the renewal or amendment to the Bank for review. (3) Unless a proposed credit agent has been approved by the Bank, a credit bureau shall not contract an agent for any of the following functions: (a) delivery of credit reports to requesting persons authorised under these Regulations and the Act; (b) public sensitisation of customers, credit information subjects, institutions and other credit information providers; (c) hosting or managing the data centre of a credit bureau including Disaster Recovery Services, and (d) other purposes approved by the Bank on application by a credit bureau. (4) A credit bureau shall ensure that an agent does not have unlimited access to the credit information in the database of the credit bureau. (5) A credit bureau shall update the Bank on the exit or termination of the contract of a credit bureau agent within fourteen days of the exit or termination of the contract of the credit bureau agent.

Access to data by the Bank 11. A credit bureau, data provider and credit report recipient shall, for the purpose of supervision and investigation, provide unrestricted access to the Bank for credit information managed by the credit bureau, data provider and credit report recipient either through access to the systems of the credit bureau, data provider and credit report recipient or in a manner stipulated by the Bank.

---

L.I. 2394 10

CREDIT REPORTING REGULATIONS, 2020

Submission of returns to the Bank 12. A credit bureau, data provider and a credit report recipient shall submit returns to the Bank in the format and period specified by the Bank.

Additional Data Sources for Credit Bureaus

Designation of other sources as data providers 13. (1) A credit bureau may, in addition to sources specified in section 28 of the Act, consult other private or public databases as sources of relevant information. (2) For the purposes of subregulation (1), a credit bureau shall maintain the confidentiality of the credit information subject in accordance with permissible purposes as specified by the Act. (3) The other sources referred to in subregulation (1) include (a) utility companies; (b) telecommunication companies; (c) mobile money operators; (d) financial technology companies; (e) Government institutions that offer credit to individuals, small, medium and micro enterprises; (f) institutions that provide identification documents; (g) entities that supply goods and provide services on a post-paid or instalment payment basis; (h) the Student Loan Trust or any student loan scheme provided by the Government or private entity; and (i) other entities that have relevant data and information that complies with permissible purposes and serves the purposes of the credit bureaus. (4) The Bank shall, in consultation with credit bureaus and the designated data provider, determine the modalities of data submission to credit bureaus. (5) The Bank may, if the Bank considers necessary, prohibit a credit bureau from receiving credit information or disseminating credit information from a third party credit information provider or a public source.

---

11 L.I. 2394

CREDIT REPORTING REGULATIONS, 2020

Responsibilities of a designated data provider 14. (1) A designated data provider which (a) is regulated, or (b) not regulated by the Bank of Ghana (2) A designated data provider shall not furnish credit information of a (a) customer, or (b) credit information subject to a credit bureau or an agent of the credit bureau unless the designated data provider obtains the prior consent of the customer or credit information subject. (3) Without limiting subregulation (2), where the credit information relates to a person who has defaulted in the payment of the obligation of that person for more than ninety days, the designated data provider may submit the credit information of the person to the credit bureau without the prior consent of the person but shall notify the person of the intention of the designated data provider to submit the credit information to the credit bureau.

Credit Information Subjects Access to Credit Reports

Access to credit report by credit information subject 15. (1) A person who establishes the identity of that person to the satisfaction of a credit bureau may request the disclosure of any credit information that the credit bureau has on that person, and the credit bureau shall provide a credit report which contains the prescribed information on the person at no cost to the person once a year. (2) Where the person referred to in subregulation (1) requests for an additional credit report within the same year, that person shall pay a fee for the provision of the additional report. (3) A credit bureau shall provide the person who requests for credit information with a copy of the credit information including (a) the name of the data provider, and (b) the list of data providers or credit information recipients that have accessed the credit information within the year preceding the date of the request. (4) A credit report shall be provided within two working days after the receipt of a request to provide the report.

---

L.I. 2394 12

CREDIT REPORTING REGULATIONS, 2020

Corporate Governance Standards for Credit Bureaus

Overall responsibility of the Board 16. The Board of a credit bureau shall oversee the implementation of the (a) strategic objectives, (b) data security, and (c) corporate governance and compliance.

Oversight responsibility 17. (1) The Board shall have oversight responsibility of the senior management of a credit bureau. (2) A credit bureau shall, as part of the system of checks and balances, (a) monitor and ensure that the actions of senior management are consistent with the strategy and policies approved by the Board, (b) hold meetings at regular intervals with senior management, (c) question and review explanations and information provided by senior management, and (d) ensure that the knowledge and expertise of senior management remains appropriate to the nature of the business of the credit bureau.

Qualification of members of the Board 18. (1) A member of the Board shall possess professional competence, experience and integrity. (2) The competencies of the members of the Board shall be diverse to facilitate effective oversight of the management of the credit bureau by the Board and shall cover a blend of the following fields: (a) Information Technology and Data Security; (b) Banking, (c) Law, (d) Finance, (e) Accounting, (f) Marketing and Business Development, and (g) any other area that the Bank considers appropriate.

---

13 L.I. 2394

CREDIT REPORTING REGULATIONS, 2020

(3) A member of the Board shall demonstrate (a) a clear understanding of the role of that member in corporate governance, and (b) the ability to exercise a sound and objective judgment about the affairs of a credit bureau. (4) A current member of the Board is qualified for the position that the person occupies on the Board and remains qualified if that person undergoes the necessary training to meet the requirements specified in these Regulations.

Composition of the Board 19. (1) The Board of a credit bureau shall consist of a minimum of five members including the chairperson or a maximum of nine members. (2) The majority of the members of the Board shall be independent non-executive directors who are ordinarily resident in the country. (3) The Board shall have appropriate balance of power and authority between the executive and non-executive directors to ensure that an individual or a group of individuals does not dominate the decision-making process of the Board.

Meetings of the Board 20. (1) The Board shall meet at least once every quarter for the despatch of business at the time and place determined by the chairperson. (2) A director of the Board shall attend meetings of the Board and participate in the conduct of the business of the Board. (3) A member of the Board who, without sufficient reason, fails to attend at least fifty percent of the meetings of the Board of the credit bureau in a financial year ceases to be a member of the Board. (4) A non-resident director is considered to have attended a meeting of the Board if that director participates in the meeting by teleconference for the entire duration of the meeting. (5) The Board shall discuss the business affairs of the credit bureau including reports submitted by the management of the credit bureau.

---

L.I. 2394 14

CREDIT REPORTING REGULATIONS, 2020

(6) The reports referred to in subregulation (5) shall include (a) a summary of financial statements and performance review as against the approved budget and business plan of the credit bureau; (b) a statement on the extent to which the credit bureau is exposed to (i) solvency risk, (ii) data security risk, (iii) legal risk, (iv) operational risk, and (v) any other related risks; (c) a statement on the effectiveness of internal control systems and human resource issues; and (d) a statement on the compliance with the Act, these Regulations, the Data Protection Act, 2012 (Act 843) and any other relevant enactment. (7) The Board shall carry out an evaluation or self-assessment of the performance of (a) the Board, (b) a committee of the Board, and (c) each member of the Board in order to review the effectiveness of the governance practices and procedures every year.

Requirements for appointments or change in membership 21. (1) Pursuant to subsection (2) of section 14 of the Act, and to ensure that a person employed by a credit bureau is qualified for the position, the credit bureau shall (a) seek approval in writing from the Bank prior to the appointment of a Chief Executive Officer, a Deputy Chief Executive Officer or a Director of the credit bureau, and (b) notify the Bank of a change in the membership of the Board and key management personnel of the credit bureau. (2) A person shall not be appointed or re-appointed as a Chief Executive Officer or a member of key management personnel of a credit bureau unless (a) that person is ordinarily resident in the country, and

---

15 L.I. 2394

CREDIT REPORTING REGULATIONS, 2020

(b) the appointment or re-appointment takes into account guidelines issued by the Bank in relation to fit and proper persons.

Usage of Credit Reports

Access to credit reports 22. (1) An authorised user shall have access to a credit report only with the consent of the credit information subject. (2) An authorised user shall provide evidence of the consent received from the credit information subject to the credit bureau, prior to the release of the credit report to the authorised user. (3) A person who receives a credit report about a credit information subject (a) shall keep the credit report confidential, and (b) shall not disclose the information contained in the report to a third party. (4) The Bank may upon justification that an authorised user has breached a provision of these Regulations, restrain the authorised user from accessing information from the credit bureau.

Dispute Resolution Process

General provisions on dispute resolution 23. (1) A credit bureau shall establish and maintain a complaint handling and redress mechanism that is (a) easily accessible, (b) independent, (c) fair, (d) accountable, (e) timely, and (f) efficient. (2) A credit bureau, data provider and a credit report recipient shall establish appropriate and effective procedures for the (a) receipt, (b) consideration, (c) resolution of complaints, and (d) reporting of complaints in relation to data to the Bank.

---

L.I. 2394 16

CREDIT REPORTING REGULATIONS, 2020

(3) A credit bureau or a data provider shall not treat unfairly or discriminate against (a) a credit information subject, (b) staff, or (c) any other economic actor who submits a complaint to the credit bureau, data provider, credit report recipient or the Bank. (4) A complaint or notice of dispute shall be submitted to a data provider, credit report recipient or credit bureau in the manner provided by the data provider, credit report recipient or credit bureau. (5) A person may also submit a complaint or report a dispute to the Bank in writing. (6) The Bank shall, in accordance with section 43 of the Act, investigate the matter.

Responsibilities of credit bureau 24. (1) Where a credit bureau receives a complaint or notice of a dispute on grounds of (a) an illegal disclosure of credit information, or (b) an error or inaccuracy of information in a credit report issued by the credit bureau, the credit bureau shall investigate the matter and correct the error within five working days of receipt of the complaint or notice of dispute where applicable. (2) The credit bureau shall, in consultation with the data provider or a third party which provided the information that is in dispute, investigate the completeness or accuracy of the information not later than five working days of receipt of the complaint. (3) Where the complaint or notice of dispute relates to information provided by a data provider or a third party, the credit bureau shall, within twenty-four hours of receipt of the complaint, notify the data provider or third party of the complaint. (4) The credit report generated in respect of the affected person during the investigative period, shall contain a cautionary note which indicates that the particular credit information is under investigation and is disputed.

---

17 L.I. 2394

CREDIT REPORTING REGULATIONS, 2020

(5) Where a data provider notifies a credit bureau of a complaint with respect to the information that is in dispute, the credit bureau shall, within twenty-four hours of receipt of the notification, place a cautionary note on the credit report of the complainant until the complaint is resolved. (6) Credit information which is in dispute shall remain part of the credit report on the affected person (a) until the completion and determination of the investigation, or (b) unless the Bank otherwise directs.

Responsibilities of data providers and credit report recipients 25. (1) Where a data provider receives a complaint or notice of dispute, the data provider shall notify the credit bureau of the information in dispute within twenty-four hours of receipt of the complaint. (2) The data provider shall, either independently or jointly with the credit bureau, investigate the complaint or dispute within five working days of receipt of the complaint. (3) The data provider which co-ordinates the investigation shall notify other credit bureaus of the outcome of the investigation to enable the credit bureaus amend their records within two working days of receipt of the outcome of the investigation, where applicable. (4) The data provider shall notify the complainant of the outcome of the investigation and where the outcome requires changes in the credit information of the complainant, the data provider shall (a) update the credit information; and (b) make available a copy of the updated credit report to the complainant.

Responsibilities of credit information subjects 26. (1) A credit information subject may submit a complaint to a credit bureau, data provider or credit report recipient through the following channels: (a) in writing personally; (b) in writing through the post, or (c) any other additional communication channel prescribed by the credit bureau, data provider or credit report recipient.

---

L.I. 2394 18

CREDIT REPORTING REGULATIONS, 2020

(2) The communication channels referred to under paragraph (c) of subregulation (1) may include (a) a website, (b) an electronic mail, and (c) the location of an agent. (3) A person who is dissatisfied with the outcome of the dispute resolution process of a credit bureau, data provider or credit report recipient may seek further redress from the Bank in accordance with section 43 of the Act. (4) The Bank shall investigate the complaint and communicate the findings of the Bank to the parties concerned within twenty days after receipt of the complaint.

Miscellaneous Provisions

Guidelines, rules or directives 27. For the purposes of performing the obligations and carrying out the activities under these Regulations (a) a credit bureau, (b) a credit report recipient, (c) an agent, or (d) any other person subject to these Regulations, shall comply with the guidelines, rules or directives issued by the Bank.

Failure to submit data 28. (1) A data provider that fails to submit data (a) to a credit bureau is liable to an administrative penalty of not more than one thousand penalty units; (b) at the time specified by the Bank is liable to an administrative penalty of not more than five hundred penalty units; and (c) in the secured medium specified by the Bank is liable to an administrative penalty of not more than five hundred penalty units. (2) A data provider that fails to submit (a) complete data, or (b) accurate data in the form specified by the Bank is liable to an administrative penalty of not more than two thousand penalty units.

---

19 L.I. 2394

CREDIT REPORTING REGULATIONS, 2020

Breach of privacy and secrecy principles 29. A credit bureau which fails to observe the principles on privacy and secrecy specified in the Act is liable to an administrative penalty of not more than two thousand penalty units.

Failure to conduct a credit search 30. A financial institution which fails to conduct a credit search in respect of an applicant for a loan in contravention of subsection (4) of section 26 of the Act is liable to an administrative penalty of not more than five hundred penalty units.

Failure to provide information to the Bank 31. A credit bureau which fails to provide information to the Bank is liable to an administrative penalty of not more than one thousand penalty units.

Failure of director or officer to ensure compliance 32. A director and an officer of a credit bureau who by an act or omission fails to ensure compliance with the provisions of the Act and these Regulations shall, in the absence of exculpatory circumstances, be held personally liable for the breach.

Other breaches 33. The Bank may impose an administrative penalty of not more than one thousand penalty units for a breach of these Regulations where a penalty is not provided.

Interpretation 34. In these Regulations, unless the context otherwise requires, "authorised user" means a credit report recipient, a credit provider, a person who requires a credit report to facilitate a transaction or process and any other institution authorised by regulation or the Bank to obtain a credit report from credit bureaus; "adverse action" means a denial of credit, change in terms and conditions or terms of a contract based on credit information in a credit report; "Board" means the Board of Directors of a credit bureau; "cautionary note" means a note, an alert or an indication on a credit report suggesting possible conditions attached to the credit report;

---

L.I. 2394 20

CREDIT REPORTING REGULATIONS, 2020

"consent" means a written and voluntary authorisation signed by the borrower allowing a data provider to submit credit information held on the borrower to a credit bureau for storage, processing and dissemination and also for an authorised user to access the credit information for specific purposes within the limits of the Act and these Regulations; "consumer" means a person whose data has been or might have been included in the database of a licensed credit bureau as a consequence of a contractual relationship with a lender, or a lending application signed by that person for any other legitimate purposes; "credit bureau agent" means a person authorised by a credit bureau to undertake an activity on behalf of the credit bureau; "Credit Reporting Data Format" means a reporting template prescribed by the Bank and used by data providers to submit data to credit bureaus; "customer" means a person who purchases products or service from a data provider or designated data provider; "designated data provider" means a person who is authorised to submit data to credit bureaus under these Regulations; "economic actor" means a person who has influence on the economy by virtue of the contributions or actions of that person; and "user" means a person authorised by the credit bureau to have access to the computer system of the credit bureau for a specific purpose.

KEN OFORI-ATTA Minister responsible for Finance

Date of Gazette notification: 29th January, 2020.

Entry into force: 5th March, 2020.

GPCL/ASSEMBLY PRESS, ACCRA. GPCL/A318/1,250/04/2020 Website: www.ghanapublishing.com E-mail: info@ghanapublishing.com