A Credit Reference Bureau (CRB) is an entity that gathers past and current credit information on customers of financial institutions such as banks, microfinance institutions, saving and co-operative societies, analyses the information and generates reports on the credit standing of those individuals.

The Cabinet Secretary for the National Treasury and Planning promulgated the CRB Regulations on 8th April 2020 (the new Regulations), pursuant to section 31(3) of the Banking Act (Cap. 488) Laws of Kenya. The new Regulations repealed previous Regulations published in 2013. The new Regulations provide a framework for sharing customers’ credit information and seek to enhance the protection of borrowers.

The Central Bank of Kenya (CBK) advised that the new Regulations were developed through a consultative process that lasted about two (2) years, with one of the key objectives being to strengthen Kenya’s Credit Information Sharing System (CIS) which has been operational since 2010.

Registering a CRB Business
In order to operate a CRB business in Kenya, the company must obtain a licence from the CBK. The application should be submitted in the prescribed form together with supporting documents. These documents include the company registration documents, sworn declarations of the proposed officials, the company’s audited financial statements for the last three (3) years and a prototype of the credit report. The application must be accompanied by a non-refundable fee of KES 10,000 (USD 100).

Since CRBs are expected to handle vital financial information, a site inspection of the applicant’s premises may also be conducted. This is intended to enable the CBK to determine the adequacy of the applicant’s safety and security systems. The application for a licence should be determined by the CBK within ninety (90) days from the date of receipt of all the required information.

Once a licence is issued, a CRB is required to submit to the CBK an irrevocable Bank Guarantee for KES 1,000,000 (USD 10,000). The guarantee may be used by the CBK to recover penalties that may be imposed on the CRB from time to time, and which the CRB does not settle as and when required. Whenever such recovery is made from the guarantee, the CBK shall notify the CRB, which is required to furnish the CBK with a new guarantee within thirty (30) days of the notification.

It is important to note that a CRB licence is non-transferable to third-parties. Further, the holder of the licence is required to renew it annually on or before the 31st of December each year.

Information Sharing
Previously, there were complaints by disgruntled members of the public who had been blacklisted for loans they had never taken or had cleared a long ago. With this in mind, CRBs are now obligated to ensure that customer information is obtained from credible and verifiable sources and is accurate. The new Regulations seek to achieve these objectives by several means.

First, a CRB must undertake a due diligence and suitability assessment on any third-party information provider it seeks to engage. This exercise should unravel the nature and character of the third-party’s ownership, business, soundness of the third-party’s information management system and the accuracy and integrity of the third-party’s information records. A CRB should not engage a third-party whose information is based on estimates.

Secondly, a CRB must seek approval of the CBK, in order to obtain or disseminate information obtained from a third-party or is publicly available. Such information includes information from government registries, licensing authorities, county governments or the Kenya Revenue Authority (KRA). This approval is necessary given that some information in public offices may not be up to date or the records may be missing or misplaced.

Where public information is obtained, the CRB is required to undertake measures to confirm the information’s accuracy and authenticity from an independent source with direct knowledge of the information, prior to including it in a report. Similarly, where information relates to Court proceedings, the CRB is required to verify the accuracy of the information not more than twenty-one (21) days before the information is included in the report. This is to ensure that such information is both accurate and current.

Thirdly, all customer information shall be submitted to CRBs with such identification details as would enable them link a customer to all transactions with another person or persons. Where incomplete or inaccurate information is submitted to a CRB, the CBK may impose a penalty on the financial institution or third-party, as it may consider appropriate.

Lastly, the officials of CRBs, financial institutions or third-party credit information providers are under a perpetual duty of confidentiality as regards information that may be exchanged between the parties pursuant to the Regulations. The duty is indeterminate as it extends beyond the persons’ tenure of employment or association of any of the parties. Moreover, any unauthorized disclosure of information amounts to a criminal offence.

Reporting Requirements
The new Regulations also impose strict reporting requirements on CRBs, in terms of which information may or may not be held or disclosed. In this regard, a CRB should not include in its database or credit report, information concerning a customer’s race, belief, colour, ethnic origin, religion, political affiliation, sexual orientation, physical and mental handicaps, state of health or medical information. This is to prevent the CRB’s clients from developing any bias when processing loan applications from their customers. However, noting that Shar’iah compliant products usually infuse the Islamic religion to commerce, the above restriction does not apply to them.

A credit score may be computed in such a manner as the CBK may specify. Every report is required to contain the credit score of the person to whom the information relates and a customer’s credit score should not solely be used to deny the customer a facility. However, it is one of factors to be considered in arriving at the decision. A credit appraisal by an institution integrating the customer’s credit score is required to be in writing and to be provided to the customer as part of its notification to the customer.

Customer Safeguards
The new Regulations have included some progressive provisions, to safeguard a customer’s interest in the exchange of information between concerned parties. For example, a third-party must obtain its customer’s written consent before furnishing a CRB with the customer’s credit information.

Moreover, where an institution intends to submit negative credit information to a CRB, it should furnish the customer with thirty (30) days’ written notice or such a shorter notice as the contract between
the institution and the customer may provide.

A CRB should not charge for any first application by a customer for a clearance certificate. Further, a customer has a right to access his/her credit report free of charge from a CRB in any of the following cases:

• Once a year
• Within thirty (30) days of receiving an adverse action notice
• Once every six (6) months after requesting the CRB to correct inaccurate information

Finally, a minimum threshold has been introduced in the regulations, to the effect that a CRB shall not receive from any third-party a report on any negative credit information involving a customer where the value of the subject matter is less than KES 1,000 (USD 10). This is an important safeguard for customers, as it will ensure only relevant information is exchanged and considered in the credit evaluation.

Offences
As is often said, “with great power comes great responsibility”. Since CRBs are at the epicenter of a network handling sensitive customer information, the law has established some offences related to the mishandling of such information.

Such offences include the unauthorised disclosure of information by a director, member, officer or other employee of a CRB or subscriber, where the penalty upon conviction is a fine of KES 500,000 (USD 5,000) or two (2) years imprisonment or both.

Failure by a CRB to comply with any of its responsibilities under the new Regulations is also punishable upon conviction through a fine of KES 500,000 (USD 5,000) or such other sanction as might be issued by the CBK.

The denial of a customer of a credit facility or other financial service solely on the basis of a credit score is also proscribed at the penal consequence upon conviction of a fine of KES 2,000,000 (USD 20,000) or such other sanctions as might be prescribed by law.

Failure to comply with the requirements governing the cross-border sharing of information attracts a potentially heavy penalty, upon conviction, of a fine of up to KES 10,000,000 (USD 100,000) together with such other sanction as the CBK might prescribe.

Conclusion
CRBs have been previously accused of misusing sensitive or confidential information of Kenyans. They include the questionable blacklisting of persons as uncreditworthy, even where loans have been long paid, thereby denying such persons financing. Other complaints have centered around the materiality of debt, as some people with minimal loan balances have also found themselves listed by these organizations.

The new Regulations have clearly demonstrated the government’s attempt to sanitize the industry, whether in terms of heavily regulating information circulation, relevance or materiality of information in CRB reports or the creation of offences in the event of a CRB’s non-compliance. Apart from penal sanctions, CRBs also run the risk of losing their licences in the event of contravention of the new Regulations. This will hopefully tilt the balance of power in favour of customers, as the dissemination of their sensitive information will going forward be undertaken by CRBs under strict protocols.

It is also important to note that all information held by a CRB is the property of the CBK. Upon the CRB’s winding up or cessation of operations, the information shall revert to the CBK. This guarantees the safety of customer information, so that it is at all times safeguarded from access by unauthorized persons.