By Shriram Subramanian

The fintech and digital revolutions have transformed how Indians transact, transfer money, and access financial products and services. Aadhaar-based KYC (know your customer), centralised credit information databases, Unified Payments Interface and Unified Lending Interface have enabled seamless money transfers and quick credit disbursals. However, as the industry expands, concerns regarding data misuse and identity theft have intensified. Additionally, errors in credit history can often go unnoticed, leading to significant consequences for consumers.

RBI’s direction on credit information reporting

On January 6, the Reserve Bank of India (RBI) issued a master direction on credit information reporting. The RBI observed that credit information companies (CICs) have been sharing credit information based on individual consent with entities that are not specified users, through agreements with such entities. Given the sensitivity of the information and the risk of misuse, CICs must implement appropriate mechanisms to ensure responsible data-sharing. Among other measures, the RBI has mandated that:

CICs must establish robust due diligence and control mechanisms while sharing credit information with non-specified user entities.

The evaluation of such entities must include comprehensive scrutiny of available data to mitigate risks.

Currently, four CICs are registered with the RBI: CRIF High Mark, Equifax, Experian, and TransUnion CIBIL.

Importance of credit information & CICs’ role

Credit information plays a crucial role in individual and institutional credit decisions. Accurate, reliable, and secure credit data is essential for risk assessment, economic planning, and financial stability. CICs aggregate data from diverse sources — including banks, non-banking financial companies, and utility providers — to create detailed credit reports that influence loan approvals, interest rates, and even employment opportunities. However, increased reliance on such data also necessitates stringent data privacy measures. Financial reporting bureaus handle vast amounts of sensitive data, including individuals’ loan histories, repayment behaviours, and credit scores. If compromised, this data can lead to identity theft, financial fraud, and reputational damage.

While India has introduced the Digital Personal Data Protection Act of 2023, its enforcement mechanisms remain unclear compared to global standards like the General Data Protection Regulation. This regulatory gap exposes vulnerabilities in financial data handling, making CICs prime targets for cyberattacks. Data breaches not only compromise sensitive financial details but also erode public trust in the financial system.

Parliamentary concerns and regulatory action

Concerns about the reliability and accountability of credit scores maintained by the CICs have been raised in Parliament. More than 11 crore Indians accessed their credit scores on CIBIL as of August 2024, with a 70% growth in women tracking their scores. The RBI has emphasised the need for CICs to safeguard data privacy and reduce the reliance on a limited number of players in the market. The central bank has previously imposed penalties on CICs for non-compliance. In 2023, it fined TransUnion CIBIL Rs 26 lakh for failing to maintain accurate and complete credit information. Similarly, in 2022, Equifax was fined Rs 20 lakh for not adhering to data accuracy and consumer grievance redressal norms. CRIF High Mark paid a penalty of Rs 15 lakhs in 2021 due to deficiencies in data protection and compliance measures. Such breaches highlight the necessity for stringent regulations to protect consumers from inaccurate credit data.

CICs have very high profit margins, and are held significantly by foreign parent companies. For example, TransUnion CIBIL had revenues of Rs 1,430 crores and a profit after tax of Rs 656 crores in FY23. Consequently, CICs must ensure higher accountability, transparency, and data protection in line with Indian regulations to justify their profitability and social responsibility.

Limited redress mechanisms for consumers

A significant challenge in India’s financial data ecosystem is the lack of an efficient grievance redress mechanism for consumers facing credit report inaccuracies. Errors such as misreported defaults, outdated credit histories, and incorrect loan accounts are not uncommon. However, disputing and correcting such errors remains cumbersome, opaque, and time-consuming. Many individuals are unaware of their rights regarding credit data and the procedures for rectifying discrepancies. Though the RBI has outlined a framework for compensating customers for delayed updating or rectification of credit information to address this issue, more can be done, as suggested below:

The RBI must strengthen its oversight of CICs to ensure strict compliance with grievance redress norms.

Efficient, transparent, and time-bound processes for resolving disputes should be implemented to empower consumers.

Financial literacy initiatives should educate individuals on credit data rights and how to rectify inaccuracies.

Ensuring fair and error-free financial data is fundamental to building trust in India’s financial ecosystem, and more importantly in credit information companies that handle sensitive data. As digital and financial landscapes evolve, prioritising robust data protection, regulatory oversight, and consumer redressal mechanisms will be crucial in safeguarding individual rights and strengthening the economy.

The writer is Founder and MD, InGovern Research Services.

Disclaimer: Views expressed are personal and do not reflect the official position or policy of FinancialExpress.com. Reproducing this content without permission is prohibited.