Our Ref. : B9/32C

20 September 2001

The Chief Executive
All authorized institutions

Dear Sir/Madam,

Sharing of Consumer Credit Data through a Credit Reference Agency

This letter provides further guidance to AIs on the sharing of consumer credit data through a credit reference agency ("CRA").

In its letter of 9 March 1998 to all AIs, the HKMA set out its recommendations on the sharing of consumer credit data through a CRA. Essentially, the HKMA supported the development of a fully-fledged CRA in Hong Kong, but given the privacy implications of sharing such data, it advised AIs that sharing of customer data must be done within the limits laid down by the Code of Practice on Consumer Credit Data issued by the Privacy Commissioner for Personal Data. Specifically, the HKMA recommended that AIs which provide consumer credit should be prepared to share the following information which is permitted under the Privacy Commissioner's Code¹:

a. data relating to account defaults;

b. credit application data reported by a credit provider including the type and amount of credit sought and the date of the credit application; and

c. credit card loss data relating to the financial loss arising from unauthorized transactions through the use of lost cards.

The recent trend of growing consumer defaults, including the large increase in bankruptcies, is a matter of supervisory concern. The HKMA believes that a number of measures can be taken to address this problem, including review by individual AIs of their lending procedures, enhanced monitoring of bankruptcy cases and greater use of debt counselling and relief as an alternative to bankruptcy. Another important step would be to extend the scope for sharing of information on consumer credit in Hong Kong. In this connection, you may be aware that the Privacy Commissioner is currently considering relaxation of some of the restrictions on sharing of information under the Code to provide a broader basis for credit assessment by credit providers. These include, inter alia, extending the permissible retention period of credit application data and file activity data by a CRA from 90 days to 5 years. While the HKMA welcomes these proposals in general, it has also suggested to the Privacy Commissioner that there is a pressing need to reconsider the case for sharing of positive data especially in view of the recent trend of rising personal bankruptcies. Specifically, as an initial step, it has proposed that AIs should be able to share information about the number of credit cards held by an individual and the amount of his outstanding borrowings on credit cards.

The HKMA believes that the discussions with the Privacy Commissioner on the general scope of collectible data for a CRA will continue for some time. In the meantime, it is important that AIs are making their best efforts to share credit data to the extent that is already permitted under the Privacy Commissioner's Code. It will be more difficult to make the case for changes to the Code to enable more comprehensive credit data to be shared while AIs are not making the best use of the current regime. In this connection, the HKMA has recently noted that there are a number of gaps in the reporting of credit data by AIs even under the existing framework. These include -

a. some AIs do not make full use of the enquiry facilities of a CRA for credit assessment;

b. AIs do not presently share information on new applications for credit and lost credit cards although sharing of such information is permitted under the Privacy Commissioner's Code;

c. the value of account default data is reduced by the fact that AIs are only reporting defaults that are already more than 90 days or in some cases 120 days overdue; and

d. the range of account types that is reported is quite limited. Some AIs are only reporting data relating to credit cards. There is a case for extending this to other types of consumer debt, including residential mortgages.

In view of recent market developments, it would seem sensible and timely for AIs to begin to make fuller use of CRAs within the limits laid down by the Privacy Commissioner's Code. Specifically, the following steps are recommended²:

a. AIs should make the fullest possible use of the enquiry facilities of a CRA for the purposes of credit assessment.
Even if an AI can make use of its own internal database for the purposes of evaluating new applications for credit or monitoring or reviewing existing credits, enquiry of a CRA can provide useful supplementary information as well as helping to build up the CRA database.

b. In the course of making enquiries with a CRA in relation to a new application for credit, AIs should indicate that the enquiry does relate to a new application and report the date of application, the account type and, where appropriate, the amount of credit sought.
The above data would help to improve AIs' ability to detect multiple applications for credit and possible over-borrowing. As noted above, the Privacy Commissioner is presently considering whether to extend the retention period for application data from the present 90 days to 5 years, which would improve its usefulness. Credit Information Services Ltd ("CIS") has undertaken to enhance its system to enable reporting of application data. AIs are therefore recommended to begin reporting this data when the system changes have been implemented, which should be before the end of this year.

c. AIs should begin to report account default data in relation to accounts that are 60 days or more past due.
This would help to increase the value of default data as a warning signal of repayment difficulties, particularly in the light of the apparent increased tendency for borrowers with early delinquency to go into bankruptcy.

In the event that the amount in default is subsequently repaid in full within 90 days from the date the default occurred³, AIs should notify CIS of such fact no later than the next monthly reporting⁴.

d. AIs should extend their scope of data sharing with a CRA to cover all types of consumer credit, including, in particular, residential mortgage loans.
This would help to obtain a full picture of the borrower's repayment record on various types of indebtedness. In particular, arrears on a mortgage loan may be an indicator of potential distressed borrowing on other forms of indebtedness, including credit cards.

The HKMA urges the management of all relevant AIs to adopt the above recommendations as soon as possible. In assessing the effectiveness of AIs' credit evaluation systems, the HKMA will continue to take into account the extent to which they make full use of collectible data obtained from a CRA.

Yours faithfully,

( D T R Carse )
Deputy Chief Executive

1. In the letter of 9 March 1998, the HKMA stated that its preference was that all relevant AIs should be prepared to share the three types of information. However, for those institutions which were reluctant to do so (e.g. because of competitive reasons), the HKMA would be prepared to accept that such institutions should participate, initially at least, only in respect of credit card data.

2. Sharing of credit card loss data is not included in the current recommendations. Such data can help prevent abuses of the limitation on the cardholders' maximum liability for unauthorized transactions on lost cards. However, the number of such cases is minimal at present and therefore this does not appear to be a specific problem at this stage. If card losses were to increase in the future, the HKMA may make relevant recommendations in this respect.

3. Clause 2.2 of the Code requires that a CRA should delete from its records any account default data if the amount in default has been settled in full within 90 days from the date the default occurred.

4. Clause 3.3 and 3.4 of the Code currently require credit providers to notify a CRA promptly of such fact. However, the Privacy Commissioner recognizes the practical difficulty of credit providers in giving prompt notification and has proposed to amend the "prompt" notification requirement to one that is "as soon as reasonably practicable". The HKMA believes that reporting of such fact no later than the next monthly report to the CRA is reasonable. The Privacy Commissioner has been consulted on this issue.