2021-05-28
Added
The Monetary Authority of Singapore issued this notice to establish governance, operational, and data integrity requirements for licensed credit bureaus and approved members under the Credit Bureau Act 2016. It mandates specific Code of Conduct standards, the formation of Dispute Resolution and Approved Members Committees, and strict timelines for investigating and correcting disputed data. Additionally, the notice outlines obligations for identity verification, business continuity planning, periodic reporting to the Authority, and prior approval for hosting data outside Singapore.
MAS Notice No.: CBN01 Issue Date: 28 May 2021 NOTICE TO LICENSED CREDIT BUREAUS AND APPROVED MEMBERS CREDIT BUREAU ACT 2016, CAP. [Act 27 of 2016]
1 INTRODUCTION 1.1 This Notice is issued pursuant to section 75(1) of the Credit Bureau Act 2016 (Act 27 of 2016) (“the Act”) and applies to all licensed credit bureaus and approved members. 2 DEFINITIONS 2.1 For the purposes of this Notice — “AMC” means an Approved Members Committee referred to in paragraph 3.5; “Code of Conduct” means the Code of Conduct referred to in paragraph 3.1; “DRC” means a Dispute Resolution Committee referred to in paragraph 3.3; “identity card” has the same meaning as in section 2(1) of the National Registration Act (Cap. 201); “legal person” means an entity other than a natural person that can own property; “work pass” has the same meaning as section 2 of the Employment of Foreign Manpower Act (Cap. 91A). 2.2 The expressions used in this Notice shall, except where defined in this Notice or where the context otherwise requires, have the same meanings as in section 2 of the Act.
3 REQUIREMENTS FOR LICENSED CREDIT BUREAU Governance Requirements for Licensed Credit Bureau Code of Conduct 3.1 A licensed credit bureau must have a Code of Conduct for the licensed credit bureau and its approved members. The Code of Conduct must cover, at the very minimum, standards of conduct in respect of the following: (a) the manner in which the licensed credit bureau and its approved members protect the integrity of any data and mitigate the operational risks relating to credit reporting processes; (b) the manner in which an approved member reports data and the scope, definitions, classification and retention period of any data collected, used or disclosed by the licensed credit bureau; (c) the process and the frequency for an approved member to provide, receive or request data; (d) the process for investigating and correcting any error or omission in any data or information in a credit report; (e) the process for resolving matters referred to in paragraph 3.3, apart from the matter mentioned in paragraph 3.1(d); (f) the action that would be taken against any approved member that fails to comply with the Code of Conduct; and (g) the process for processing a data subject’s purchase of a copy of a credit report. 3.2 The Code of Conduct must be reviewed by the licensed credit bureau at least once a year, or when there is a change in the terms of the contract or arrangement between the licensed credit bureau and its approved members. Dispute Resolution Committee (“DRC”) 3.3 A licensed credit bureau must establish a DRC, or an equivalent body, to be responsible for resolution of matters that remain unresolved after an investigation has been conducted by the licensed credit bureau or its approved members, or both, as the case may be. This includes the following: (a) a complaint made by a data subject in respect of any error or omission in any data in the data subject’s credit report;
(b) a complaint made by a natural person or legal person who is appointed by the data subject to act on the data subject’s behalf in respect of any error or omission in any data in the data subject’s credit report; (c) a dispute between a data subject and the licensed credit bureau in respect of any error or omission in any data in the data subject’s credit report; and (d) a dispute between a data subject and an approved member in respect of any error or omission in any data in the data subject’s credit report. 3.4 The licensed credit bureau must provide for the DRC to – (a) report directly to the Board of Directors of the licensed credit bureau; and (b) be a standing committee of at least 5 persons (“DRC members”), with at least onefifth of the DRC members being independent of the licensed credit bureau and its approved members. Approved Members Committee (“AMC”) 3.5 A licensed credit bureau must establish an AMC, or an equivalent body, to be responsible for reviewing and making recommendations on the policies concerning the credit reporting processes between the approved members and the licensed credit bureau. 3.6 The licensed credit bureau must provide for the AMC to – (a) adhere to the licensed credit bureau’s terms of reference in the AMC’s review and coordination of the matters mentioned in paragraph 3.5; and (b) be a standing committee of at least 5 persons (“AMC members”), with at least – (i) one officer from each class of approved members specified in the First Schedule to the Act; and (ii) one-fifth of the AMC members being independent of the licensed credit bureau and its approved members. For the purpose of paragraph 3.6(b)(i), where the licensed credit bureau does not have any member or is unable to appoint any officer from a class of approved members specified in the First Schedule to the Act, the licensed credit bureau must appoint an officer from another class of approved members specified in the First Schedule where it has members. 3.7 The licensed credit bureau must notify the Authority of any change in the composition of AMC or DRC members not more than 7 calendar days after the occurrence of the change.
3.8 The licensed credit bureau must have terms of reference that set out the duties and responsibilities of the AMC and DRC. Business Continuity Management 3.9 A licensed credit bureau must maintain at all times a plan of action (referred to in this Notice as a business continuity plan) that allows it to continue to fulfill its duties in the event of a disruption. The business continuity plan must set out the procedures and establish the systems necessary to restore safe and efficient operations of the licensed credit bureau in the event of any disruption to the licensed credit bureau’s operations. 3.10 The licensed credit bureau must review and test the procedures and systems referred to in paragraph 3.9 on a regular basis. The frequency of review must be specified in the business continuity plan. 3.11 The licensed credit bureau must immediately notify the Authority of any activation of its business continuity plan. 3.12 The licensed credit bureau must, within 14 calendar days or such longer period as may be permitted by the Authority, inform the Authority of any material change to the business continuity plan and must submit a copy of the new plan to the Authority. Verification of Identity of a Data Subject and Persons Appointed to Act on the Behalf of the Data Subject 3.13 Where a data subject (who is an individual) requests his credit report in person, a licensed credit bureau must, before releasing a copy of the credit report to the data subject, verify the identity of the data subject. 3.14 Where a data subject appoints a legal person or a natural person to act on his or its behalf in requesting his or its credit report in person, the licensed credit bureau must, before releasing a copy of the credit report, verify – (a) the identity of the legal person or natural person who acts on behalf of the data subject; and (b) the due authority of the legal person or natural person appointed to act on behalf of the data subject by obtaining the appropriate documentary evidence authorising the appointment of such natural or legal person by the data subject to act on his or its behalf, including the written consent from the data subject.
3.15 For the purposes of paragraphs 3.13 and 3.14, a licensed credit bureau must obtain and verify at least the following information, which is based on reliable, independent source data, documents or information provided by a competent government authority (such as the Immigration and Checkpoints Authority (or an equivalent foreign public authority), the Ministry of Manpower, or the Accounting and Corporate Regulatory Authority): (a) full name, including any aliases; (b) unique identification number (such as an identity card number, work pass number, birth certificate number or passport number, incorporation number or business registration number, as may be appropriate); (c) photograph, where the data subject or person acting on behalf of the data subject is a natural person; (d) date of birth, establishment, incorporation or registration (as may be appropriate); and (e) nationality, place of incorporation or place of registration (as may be appropriate). 3.16 The licensed credit bureau must be able to provide evidence that the identity of the data subject or the legal person or natural person appointed to act on behalf of the data subject has been verified, upon request by the Authority. 3.17 For the avoidance of doubt, if the licensed credit bureau is unable to implement the verification measures described in paragraphs 3.13 to 3.16, it must not disclose the credit report to the data subject or the natural or legal person appointed to act on behalf of the data subject. 3.18 The licensed credit bureau must take reasonable care to ensure that any third party that it appoints to act on its behalf complies with paragraphs 3.13 to 3.17, as if the third party is the licensed credit bureau. Validation of Approved Members’ Requests for Credit Reports and Other Customer Information 3.19 Where an approved member or the approved member’s officer requests access to any customer information (including a credit report) in the possession or under the control of the licensed credit bureau, the licensed credit bureau must take reasonable steps to ensure that the request made by the approved member or any of the approved member’s officers is made for the purpose mentioned in section 33(2) of the Act.
Investigation and Correction of Disputed Data by a Licensed Credit Bureau 3.20 Where a data subject or a data provider makes a request under section 18 of the Act to correct an error or omission in any data that is in the possession or under the control of a licensed credit bureau (referred to in this paragraph and paragraphs 3.21 to 3.23 as “disputed data”), the licensed credit bureau must conduct and complete an investigation to ascertain the accuracy and completeness of the disputed data within 10 business days from – (a) the date when the request was received by the approved member, if the data subject had made the request with an approved member; (b) the date when the request was received by the licensed credit bureau, if the request is made by the data subject directly with the licensed credit bureau; or (c) the date when the request was received by the licensed credit bureau, if the request is made by the data provider with the licensed credit bureau. 3.21 Notwithstanding paragraph 3.20, where the licensed credit bureau requires more time to conduct and complete the investigation of the disputed data and the need for extension is due to factors beyond the licensed credit bureau’s control, such as – (a) the time taken by an approved member to inform the licensed credit bureau of the request by the data subject (in a case where the data subject had made the request with the approved member); or (b) the time taken by the data subject or data provider to respond to the licensed credit bureau’s investigation, it must notify the data subject or data provider (as the case may be) and the Authority about the anticipated delay in the investigation and the period of extension that it will require. Upon the Authority’s request, the licensed credit bureau must submit information on the cases where an extension of time was required. 3.22 In relation to paragraph 3.21, the period of time taken to conduct and complete the investigation must not be more than 20 business days from the dates mentioned in paragraph 3.20 (a), (b) or (c) (as the case may be), or such other period approved by the Authority. 3.23 Where any disputed data has to be corrected, the licensed credit bureau must correct the data and send the corrected data to every approved member (to which the licensed credit bureau disclosed the data within a year before the date the correction was made), within 10 business days from the dates mentioned in paragraph 3.20 (a), (b) or (c), or the extended period referred to in paragraph 3.21, as the case may be. The licensed credit
bureau must also inform the data subject or data provider of the outcome of the investigation and follow up action taken, if any, in writing. Maintaining Data Integrity 3.24 Where a data subject has raised a dispute in respect of any error or omission in any data in the data subject’s credit report, the licensed credit bureau must indicate clearly in the credit report that the data is being disputed if the dispute has not been resolved. Regular Validation of Credit Scoring Model 3.25 A licensed credit bureau must ensure that its credit scoring methodology is robust and sufficiently predictive of credit risk. 3.26 The licensed credit bureau must validate its credit scoring models using sanitised historical data from approved members at least once every 2 years. The sanitised historical data must not contain personal identifiable information. 4 REQUIREMENTS FOR APPROVED MEMBERS Maintenance of Records for Periodic Audits or Investigation 4.1 An approved member must maintain a record of the evidence used to support its request for access to customer information (which is made pursuant to section 33(1) of the Act) for a period of at least 5 years from the date of its request. Such evidence must be made available to the licensed credit bureau for audit or investigation purposes. Duty to Maintain Confidentiality of Customer Information 4.2 Where an approved member or the approved member’s officer requests access to any customer information (including credit report) in the possession or under the control of the licensed credit bureau, for the purpose of assessing the creditworthiness of a customer of the approved member, the approved member or the approved member’s officer must ensure that the request for access is supported by the following documents: (a) if the request for access is made for the purpose of a credit application, a valid, time-stamped consent by the data subject; or
(b) if the request for access is made for the purpose of a periodic credit review, documentary evidence to prove that the data subject is an existing customer of the approved member at the time of the request. 4.3 For the purpose of the licensed credit bureau’s periodic audit or investigation of the approved member’s requests for access to any customer information, an approved member must make available the documents mentioned in paragraph 4.2 to the licensed credit bureau. Investigation and Correction of Disputed Data by Approved Member 4.4 Where a data subject makes a request under section 35(1) of the Act to an approved member to correct an error or omission in any data of the data subject that has been processed by the licensed credit bureau and is in the possession or under the control of the approved member (referred to in this paragraph and paragraphs 4.5 to 4.6 as “disputed data”), the approved member must conduct and complete an investigation to ascertain the accuracy and completeness of the disputed data within 10 business days from – (a) the date when the request was received by the licensed credit bureau, if the data subject had made the request with a licensed credit bureau; or (b) the date when the request was received by the approved member, if the data subject had made the request directly with the approved member. 4.5 Notwithstanding paragraph 4.4, where the approved member requires more time to conduct and complete the investigation of the disputed data and the need for extension is due to factors beyond the approved member’s control, such as – (a) the time taken by the licensed credit bureau to inform the approved member of the request by the data subject (in a case where the data subject had made the request with the licensed credit bureau); or (b) the time taken by the data subject to respond to the approved member’s investigation, it must notify the licensed credit bureau about the anticipated delay in the investigation and the period of extension that it will require from the licensed credit bureau. Upon the Authority’s request, the licensed credit bureau must submit information on the cases where an extension of time was required.
4.6 In relation to paragraph 4.5, the period of time taken by the approved member to conduct and complete the investigation must not be more than 20 business days from the dates mentioned in paragraph 4.4 (a) or (b) (as the case may be), or such other period approved by the Authority. 4.7 Where any disputed data has to be corrected, the approved member must correct the data and inform the licensed credit bureau in writing of its assessment that a correction to the data should be made, within 10 business days from the dates mentioned in paragraph 4.4(a) or (b), or the extended period referred to in paragraph 4.5, as the case may be. The approved member must inform the data subject of the outcome of the investigation and follow up action taken, if any, in writing. Notwithstanding the above, the approved member must also inform the licensed credit bureau where it has assessed that the correction to the disputed data should not be made. Timely Submission of Data to Licensed Credit Bureau 4.8 An approved member must submit any data that it is obliged to provide to a licensed credit bureau for the purposes of the licensed credit bureau’s credit reporting business by the 15th day of each month. 5 PROVISION OF INFORMATION TO THE AUTHORITY AND FOREIGN ENTITIES Submission of Data by Licensed Credit Bureau to the Authority 5.1 A licensed credit bureau must furnish, or must ensure that any person acting on its behalf furnishes, to the Authority, on or before 21st day of each month, the following information: (a) the number of enquiries received for the previous calendar month from each approved member; (b) the number of resolved and unresolved disputes raised by data subjects in relation to the confidentiality, security or integrity of the data processed by the licensed credit bureau for the previous calendar month; (c) the number of errors in relation to the completeness and accuracy of data submitted by each approved member in the previous calendar month that was discovered by the licensed credit bureau; (d) the number of late submissions of data by each approved member for the previous calendar month; and (e) such other information as the Authority may require for the purposes of the Act.
5.2 The information must be submitted to the Authority in a form and in a manner specified by the Authority. Submission of Periodic Reports by Licensed Credit Bureau to the Authority 5.3 A licensed credit bureau must submit to the Authority the following reports: (a) within 3 months after the end of its financial year or such longer period as the Authority may permit, copies of the following documents: (i) financial statements (including consolidated financial statements) and directors’ report prepared in accordance with the provisions of the Companies Act (Cap. 50); (ii) auditors’ long form report; and (b) a report relating to the business of operating the licensed credit bureau, at such time or on such periodic basis as may be specified by the Authority. 5.4 The auditors’ long form report referred to in paragraph 5.3(a)(ii) must include the following findings and recommendations of the auditors, if any, on: (a) the internal controls of the licensed credit bureau; and (b) the non-compliance with any of the following: (i) provision of the Act; (ii) direction issued by the Authority under the Act; and (iii) other relevant laws or regulations. 6 TRANSMISSION OR STORAGE OF DATA OUTSIDE SINGAPORE 6.1 A licensed credit bureau must seek the prior approval of the Authority in writing before entering into any arrangement to host or process data outside Singapore. 6.2 The licensed credit bureau applying for approval to host or process data outside Singapore must submit to the Authority the following documents: (a) a written application that addresses the following: (i) states its intention to host or process data outside Singapore; (ii) explains the background for its intention to host or process data outside Singapore; (iii) discusses and explains the impact on the licensed credit bureau, approved members and data subjects; and (iv) provides an assessment of the associated risks (e.g. confidentiality, integrity, security, correction, retention and disposal of data) and the
mitigating measures. (b) a consumer education and public awareness plan and corresponding timelines; (c) a dispute resolution plan; and (d) a written statement by each approved member’s officer on the licensed credit bureau’s AMC – (i) stating their support of the licensed credit bureau to host or process the data outside Singapore; and (ii) their agreement with (a)(i) to (iv). Effective Date 7 This Notice shall take effect on 31 May 2021. Transitional Provisions 8 Despite paragraph 7, paragraphs 3.3 to 3.8 will take effect on 30 November 2021.