RBI Issues Master Direction on Credit Information Reporting

In a move aimed at streamlining credit information reporting and ensuring greater transparency, the Reserve Bank of India (RBI) has issued the “Master Direction – Reserve Bank of India (Credit Information Reporting) Directions, 2025” dated January 6, 2025. The master directions consolidate existing guidelines under Section 11 of the Credit Information Companies (Regulation) Act, 2005 and lays down uniform standards for credit reporting by regulated entities, including banks, financial institutions, and non-banking financial companies (NBFCs).

The key objectives of these directions are to establish a standardized framework for the dissemination of credit information, safeguard the confidentiality and security of sensitive data, and ensure that consumers have access to their credit information while providing avenues for grievance redressal.

Key Provisions of the Master Direction

• Data Format: The credit information reporting by Credit Information Companies (CICs) adhere to standardized data formats. This includes separate formats for consumer, commercial, and microfinance segments. By enforcing a uniform approach, the RBI aims to ensure clarity and consistency in the data reported by banks and financial institutions.
• Membership: All Credit Institutions (CIs), such as banks and NBFCs, must now become members of all Credit Information Companies (CICs). This provision will make it easier for CICs to collect comprehensive credit data and enhance the accuracy of credit reports across the financial ecosystem.
• Confidentiality: To protect sensitive credit information, the RBI has outlined stringent guidelines for data confidentiality and security. Credit information must be processed and stored within India, ensuring it is not transferred outside the country. Moreover, the information must be safeguarded against unauthorized access both online and offline.
• Alerts: A significant feature of the directions is the requirement for CICs to send alerts to consumers via SMS or email whenever their Credit Information Report (CIR) is accessed by specified users (SUs). This ensures that customers are informed in real-time whenever their credit data is reviewed, enhancing transparency.
• Data Correction Requests: Credit Institutions are now required to inform consumers about the reasons for rejecting data correction requests. This helps individuals better understand any discrepancies in their credit reports.
• Compensation: If a complaint is not resolved within 30 calendar days of filing, complainants are entitled to a compensation of ₹100 per calendar day. This provision aims to enhance the grievance redressal process and ensure that consumers are adequately compensated for delays.
• Third Party Sharing: The RBI has set clear guidelines for sharing credit information with third-party entities based on the consent of the individual. Credit Information Companies must implement a robust mechanism to ensure that sensitive credit data is shared only with authorized parties. They must also assess the reputation, financial stability, and legal compliance of the third-party entities before sharing data. Any third-party receiving credit information must use it solely for the agreed purpose and cannot resell or share the data with others without the explicit consent of the individual.
• Credit Data: The RBI has mandated that Credit Institutions must submit credit data to CICs on a regular basis, ideally fortnightly, with updates provided by the 7th calendar day of the subsequent reporting period. This ensures that consumer credit reports remain current and reflect the latest financial information.
• Supervision: The RBI has instructed CICs to monitor the submission timelines and report any delays to the RBI’s Department of Supervision every six months.
• Data Storage: CICs and CIs must ensure that credit information obtained from individuals is stored for no more than six months unless the individual has provided written consent for an extended period. If the purpose for retaining the information is not fulfilled within this timeframe, entities must seek fresh consent to continue storing the data.
• Unauthorized Use: Strict provisions have been put in place to prevent the unauthorized use of credit information by third parties, including subsidiaries and affiliates of the entity holding the data. Any use of credit information must be on a ‘need to know’ basis, with all employees or agents who have access to such information bound by confidentiality agreements.

With an emphasis on transparency, consumer protection, and data security, the RBI is setting the stage for a more organized and reliable credit reporting ecosystem. As India’s financial sector continues to grow, these guidelines will help ensure that credit information is handled efficiently, securely, and in a way that benefits all stakeholders, from consumers to financial institutions.