CENTRAL BANK OF MALTA

DIRECTIVE NO 14

in terms of the

CENTRAL BANK OF MALTA ACT

(CAP. 204)

CENTRAL CREDIT REGISTER

Ref: CBM/14

Issued on: 15th February 2016

Amended on: 1st March 2018 and [..]

INTRODUCTION

1. In terms of article 24(2) of the Central Bank of Malta Act (Cap. 204 of the Laws of Malta) ("the Act"), the Central Bank of Malta ("the Bank") has been empowered to make directives in respect of, inter alia, the organisation and functioning of a Central Credit Register (hereinafter "the Register") B.

SCOPE AND APPLICATION

2. This Directive lays down rules concerning the obligations of credit institutions to provide information in relation to the Register and the right of access to the information held on the Register by credit institutions, the Malta Development Bank, credit reference agencies and other institutions.

3. This Directive shall apply without prejudice to the Data Protection Act (Cap. 586 of the Laws of Malta) and other local and EU data protection legislation in force at the time of processing, including the GDPR.

4. Notwithstanding paragraph 3, credit institutions shall inform existing counterparties that the information on exposures, including personal data, in relation to any credit facility granted, will be made available on the said Register for the purposes of this Directive and may be shared with a credit reference agency for the issuance of a credit score in accordance with Directive No 15.

DEFINITIONS

5. In this Directive, unless the context otherwise requires;

C ;

"Counterparty" means a physical or legal person who has an exposure with a credit institution in Malta, excluding a credit institution, whether licensed in Malta or abroad, and the Bank;

"Credit institutions" means those credit institutions licensed in accordance with the Banking Act (Cap. 371 of the Laws of Malta) including those exercising the freedom of establishment in accordance with European Passport Rights for Credit Institutions Regulations (S.L. 371.1);

C T L U in

March [] 2018 2

terms of regulation 47A of the Trading Licences Regulations, the main business of which is to prepare, assemble and evaluate credit information and related credit and risk management services on legal and natural persons for the purpose of issuing credit scores to be furnished to third parties, provided that a credit reference agency is not precluded from carrying out other related tasks;

"Credit score" means a measure of creditworthiness derived from credit information and which must under pain of nullity include data derived from the Central Credit Register;

Directive N 15 C B M D N15 d S C R A;

"Existing counterparty" means a natural or a legal person already having an exposure reported by a credit institution accessing the Register;

E , , , , credit facility in any currency as stipulated in Annex I, which, considered individually, exceed five thousand (5,000) or the equivalent in a foreign currency calculated on the basis of exchange rates published on the website of the ;

"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

I dit institution to its customer , certain banking services over the internet, by virtue of an authenticated and secure method of access;

L son as defined by article 1A of Book One of Civil Code (Cap. 16 of the Laws of Malta);

"Malta Development Bank" has the same meaning as assigned to it by article 2 of the Malta Development Act (Cap. 574 of the Laws of Malta);

N 1A B O Civil Code (Cap. 16 of the Laws of Malta);

"Other institutions" means those institutions listed under article 24(4) of the Act;

"Prospective counterparty" means a natural or legal person who seeks an exposure with a credit institution with which it has no existing exposures;

Unless otherwise defined in this Directive, terms used in this Directive shall have the same meaning assigned to them under the Act.

REPORTING REQUIREMENTS

6. Credit institutions shall provide the information to be held on the Register as specified in Annex I of this Directive.

Provided that credit institutions shall report to the Bank, the end-of-month balances of exposures related to the credit operations as listed in Annex I, by the twentieth calendar day of the month following the reference month to which the exposures relate. If the submission date falls on a weekend or a public holiday the credit information must be submitted on the following working day. The first reference month shall be the first month following the date of issuance of this Directive.

7. Unless otherwise provided in this Directive, only the information submitted in relation to the previous twenty-four months up to the latest reference period shall be available on the Register. Information related to exposures that were designated as at least one of (i) arrears past due for more than ninety days, (ii) forborne or (iii) written-off shall be available on the Register for a period of five years.

8. Credit institutions shall be fully responsible for the correctness and completeness of the information held in the Register. They are exclusively responsible for amending or rectifying the information submitted in the Register, either on their own initiative or at the request of their existing counterparties, or the Bank, whenever errors or omissions occur.

RIGHT TO ACCESS INFORMATION

9. The Bank may provide the information held on the Register to credit institutions, the Malta Development Bank, credit reference agencies, and other institutions.

Provided that the information shall not, in full or in part, be transmitted to third parties.

10. The information provided by the Bank to credit institutions, the Malta Development Bank, credit reference agencies, and other institutions, shall not include any reference to the credit institution submitting the information held on the Register.

11. nstitutions granted access to the Register shall only use the information accessed for the assessment of credit risk and

ACCESS TO INFORMATION BY A CREDIT INSTITUTION

11. A credit institution may only request access to the information held on the Register solely for the purpose of assessing credit risk. as indicated in Annex I.

12. (Prospective Counterparty)

(1) A credit institution making a request to access information held on the Register on a prospective counterparty, shall submit the Information Request Notification Form found in Annex II of this Directive. The consent of the prospective counterparty on the Information Request Notification Form shall be executed in writing or electronically through internet banking.

(2) A I R N F B prospective counterparty gives consent in writing or electronically through internet banking.

Provided that, a credit institution shall be given access to the information held on the Register for a period of two months, unless the prospective counterparty withdraws consent.

Provided further that if a prospective counterparty withdraws consent, the credit institution shall inform the Bank without undue delay.

(3) Without prejudice to the preceding sub-paragraph, a credit institution shall inform the prospective counterparty that information held on the Register concerning such prospective counterparty may be shared with a credit reference agency for the issuance of a credit score.

Provided that the request for the issuance of a credit score on a prospective counterparty by a credit reference agency shall be made by the credit institution.

13. (Existing Counterparty)

(1) A credit institution may request the Bank for access to information held on the Register on an existing counterparty whenever required, and will not necessitate the submission of a fresh Information Request Notification Form.

(2) Without prejudice to the preceding sub-paragraph, a credit institution shall inform the existing counterparty that information held on the Register concerning such existing counterparty may be shared with a credit reference agency, for the issuance of a credit score.

Provided that the request for the issuance of a credit score on an existing counterparty by a credit reference agency shall be made by the credit institution.

ACCESS TO INFORMATION BY THE MALTA DEVELOPMENT BANK

14. The Malta Development Bank may request access to the information held on the Register solely for the purposes of fulfilling its functions under the Malta Development Bank Act.

15. (1) The provisions of paragraphs 12 and 13 shall, mutatis mutandis, apply to the Malta Development Bank to access the information held in the Register.

(2) Notwithstanding the provisions of paragraphs 12 and 13, the Malta Development Bank shall not require the consent of a natural or legal person when the request to access information from the Register relates to an exposure issued by a credit institution and such exposure is guaranteed by the Malta Development Bank.

Provided that, the credit institution shall have had to electronically submit, through B , the Information Request Notification Form in Annex II of this Directive, signed in writing or electronically through internet banking.

ACCESS TO INFORMATION BY A CREDIT REFERENCE AGENCY

16. Credit reference agencies licensed in accordance with regulation 47A of the Trading Licences Regulations may request access to the information held on the Register solely for the issuance of credit scores.

17.(1) A credit reference agency making a request to access information held in the Register on a natural or legal person, shall submit the Information Request Notification Form found in Annex III of this Directive. The consent of a natural or a legal person on the Information Request Notification Form shall be executed in writing or electronically through an online application.

(2) The credit reference agency shall electronically submit I R N F B a natural or legal person gives consent.

(3) Upon submission of the Information Request Notification Form, the Bank shall only grant access to the information held on the Register for a period of twenty-four hours.

18.(1) Notwithstanding the provisions of the preceding paragraph, a credit reference agency shall not require the consent of a natural or a legal person when the request to issue a credit score is made by the credit institution.

Provided that, the credit institution shall have had to electronically submit, through B , the Information Request Notification Form in Annex II, signed in writing or electronically through internet banking.

(2) Any communication between a credit institution and a credit reference agency, which shall make reference to information on natural or legal persons held in the Register, shall be made between authorised representatives. Such authorised representatives shall correspond through a secured channel.

ACCESS TO INFORMATION BY OTHER INSTITUTIONS

19. (1) In accordance with article 24(4) of the Act, the Bank may provide access to information held in the Register:

(a) on the basis of reciprocity arrangements to central banks, to other institutions of Member States of the , and to other institutions of the European Union, that create databases comparable to the Register;

(b) to the Listing Authority for the purposes of performing the functions set out in Part III of the Financial Markets Act (Cap. 345 of the Laws of Malta);

(c) to the for the purposes of fulfilling its objects; and

(d) to any other institution as the Bank may consider necessary.

(2) Unless otherwise provided under paragraphs 22 and 23 hereunder, a written request for access to information held on the Register shall in all cases include the Information Request Notification Form found in Annex IV, and in the event that the request for access relates to information on a legal person a legal entity identifier shall also be required. The consent of a natural or legal person on the Information Request Notification Form found in Annex IV shall be executed in writing.

(3) The Information Request Notification Form referred to in the preceding sub-paragraph shall be uploaded on the Bank an official of the Bank.

REQUEST OF INFORMATION BY A NATURAL OR LEGAL PERSON

20. (1) A natural or a legal person, or their lawful representatives, requesting to exercise the right to have an extract of the information held on the Register under article 24(3) of the Act shall first make such request in writing and subsequently call at the Bank for an appointment.

(2) When collecting the extract of the information from the Bank, a natural person shall present an official means of identification. The authorisation form under Annex VI of this Directive shall also be presented by a lawful representative of a natural person authorised to collect the extract of the information. A lawful representative of a legal person shall present a copy of the Memorandum and Articles of Association or the Statute of the legal person, or otherwise a board resolution empowering such lawful representative to collect the extract of the information.

(2) The Bank shall verify the identity of the natural or legal person, or their lawful representative.

Counterparties, or their lawful representatives, requesting to exercise the right to have an extract of the information kept on them on the Register under article 24(3) of the Act shall first make such request in writing and subsequently call at the Bank by appointment, presenting an identity card or passport in case of an individual or the relevant certificates of incorporation in case of a legal person. The lawful representative should also present his identity card and proof, to the satisfaction of the Bank, of a power of attorney or other . T said extract of information shall comprise the details indicated in Annex I of this Directive.

EXPOSURES ON GUARANTORS AND CONNECTED PARTIES

21. (1) A credit institution and a credit reference agency may also request access to the information held in the Register on the following:

(a) natural or legal persons who are proposed to act as guarantors in relation to an exposure of an existing or prospective counterparty; and

(b) on connected parties of an existing or prospective counterparty.

Provided that the guarantors or connected parties of an existing or prospective counterparty shall give their consent, where applicable, in writing, or electronically through online application or internet banking on the Information Request Notification Form found in Annex II of this Directive.

(2) For the avoidance of doubt, the Register does not store information on guarantees granted by natural or legal persons in relation to an exposure of an existing or prospective counterparty.

This requirement is satisfied by submission of an information request notification form drawn in accordance with Annex II. A credit institution may also access information on any exposures of persons who are proposed to act as guarantors in relation to an exposure, provided that the credit institution provides evidence by electronic means of an Information Request Notification Form signed by the guarantor. For the avoidance of doubt, the Register shall not store information on the guarantees being offered by persons in relation to an exposure. A credit institution may further access information held on the Register on connected parties of a counterparty where the connected parties have given their consent by signing the Information Request Notification Form. Access shall only be granted to information on the Register relating to those of the connected parties which have signed the form. The signed form is to be submitted to the Bank in electronic format prior to obtaining access to the Register to information on connected.

AUTHORISED REPRESENTATIVE

22. (1) Credit institutions, the Malta Development Bank, and credit reference agencies shall designate a number of their officials as authorised representatives who may be granted access to the information held on the Register by the Bank. The Bank shall be notified in writing with the names of such authorised representatives. The information will be accessible by means of a two-way factor authentication method. The Bank may limit the number of officials who could be granted access to the Register.

(2) Any changes to such authorised representatives shall be reported to the Bank without undue delay.

AUTHENTICATION OF SIGNATORIES

23. Credit institutions, the Malta Development Bank, and credit reference agencies shall instruct their internal auditors to carry out an annual verification audit report to confirm the authenticity I R N Form.

MISCELLANEOUS

24. The Schedule of Fees in Annex V of this Directive shall be applicable in respect of credit institutions, the Malta Development Bank and the credit reference agencies requesting access to the information held on the Register and to any natural or legal persons requesting an extract of information held on the Register.

25. In case of breach of this Directive, the Bank shall have the right to impose sanctions in accordance with article 56 of the Act and the provisions of Central Bank of Malta Directive No 12 on Administrative Measures and Penalties for Infringements under the Act.

ANNEX I - DATA ATTRIBUTES

(Paragraphs 6 and 9)

Section 1: Definition of the attributes to be reported in the credit register granular exposure template, including the feedback to lenders and counterparties and means of data transmission

The following is a list of data attributes which shall be held on the Register. All non-core attributes will become mandatory within one year from the first reference date. However, in the case of collateral: market value (by type), specifically (a) of residential property and (b) of commercial property, these non-core attributes will become mandatory within six months from the first reference date.

Non-core attributes are to be reported meanwhile on a best effort basis.

Table 1: Data attributes and variables to be reported and attributes included in feedback to lenders and counterparties

Columns: Data attributes | Definition | Feedback to credit institutions/credit reference agencies/Malta Development Bank/other institutions | Feedback to counterparty | Non-core attributes

General (non-granular data)

General attributes

Reporting date: Return for month ending. ✓ ✓

Name of Bank: Name of reporting institution. ✓

Lender Legal Entity Identifier; Contact Person, Contact Number, Contact Email: LEI Code, and contact details of the reporting institution. ✓ (LEI code)

Date: Date when template is submitted.

Total Number of Exposures Reported: Total number of exposures as reported in the template.

Granular data

Counterparty attributes

Counterparty identifier (MT Individuals - ID Card number; Foreigners - at least one from non-MT issued ID Card number, Passport number, Social Security number or Tax number) (MT Companies/Legal Entities - C number, VAT Number or Other legal entity identifier; Foreign Companies/Legal Entities - Foreign Registration Number). ✓ ✓ Non-core attributes: VAT Numbers - Core Field in case of Legal persons.

Households and sole traders: Report the ID card numbers and Date of Birth in the case of Maltese individuals, while in the case of foreigners report at least one from non-Malta issued ID card number, passport number, Social Security number or Tax number (in that order of preference).

Legal entities: For MT companies provide the C numbers for registered companies. In the case of those exceptions which do not have a C number, the VAT Registration number is to be reported. In the case of foreign companies report the registration number provided by the respective jurisdiction. To include also all other legal entities unique identifiers.

In the case of joint exposures, report as separate exposures for each counterparty.

Counterparty attributes (continued)

Counterparty country of residence: 2 letter ISO code of country of residence of counterparty. ✓ ✓

Counterparty institutional sector: Institutional sector (or sub-sector) of the counterparty, in accordance with ESA 2010 classification.

Counterparty sector of economic activity: Classification of (financial and non-financial) counterparties according to the main sector of economic activity using broad NACE statistical classification. Refer to Section II. Non-core attributes: Core field in case of Households/Sole proprietors - Non-Core field otherwise.

Enterprise size (Legal person): Classification of enterprises by size (into Non-SME and SME). Not applicable to sole proprietors and households and government entities. Non-core.

Credit data variables

Exposure identifier: IBAN number code or account number whenever an IBAN is not relevant. Bank reference code if sanctioned but not signed.

Currency denomination: ISO code of currency in which the exposure is denominated. ✓ ✓

Type of exposure: Type of facility granted, such as loans, overdrafts and credit cards. Kindly refer to list in section II. ✓ ✓

Inception date: Date when the sanction letter is issued. ✓ ✓

Original maturity date: Original maturity date of the exposure as stipulated in the initial sanction letter. ✓ ✓

Legal final maturity date: Contractual date of maturity taking into account any agreements amending initial pacts. ✓ ✓

Default status of the counterparty: Categories describing the motives for which the counterparty can be at default as regards Regulation (EU) No 575/2013 on prudential requirements for credit institutions and investment firms (the Capital Requirements Regulations or CRR), as follows: Non-impaired; Impaired but not in default; Default because of both, unlikely to pay and past due more than 90 days; Default because of unlikely to pay; and Default because of past due more than 90 days. Refer to Section II.

Credit lines (Limit): Amount outstanding plus any additional unutilised credit limit that the customer can draw upon. In the case of a joint exposure, the amount to be reported as explained above is to be reported for each counterparty. ✓ ✓

Credit data variables (continued)

Utilised balance: Amount availed of from the authorised amount (in actual figures). In the case of a joint exposure, report the whole value of the exposure for each counterparty. ✓ ✓

Outstanding balance: Amount outstanding on the utilised balance at the end of the reference date, excluding accrued interest (in actual figures). In the case of a joint exposure, report the whole value of the exposure for each counterparty. ✓ ✓

Group of connected counterparties: If the counterparty belongs to a group of connected counterparties, all the identifiers of related companies or individuals, as recognised by the credit institution given they have an exposure (even if the exposure falls under the threshold), have to be reported. The counterparty identifiers have to be separated by a ",". Non-core.

Number of counterparties jointly liable: Report the number of counterparties involved in a joint/split exposure. In the case of single counterparty, this value is set to 1. ✓ ✓

Credit data measures

Amount in arrears: Aggregate amount of principal, interest and any fee payment outstanding at the reference date, which is contractually due and has not been paid (past due). ✓ ✓

Collateral: Market value (by type): Reflects the market value of the respective type of asset which backs the exposure as per latest valuation. Non-core attributes: Non-Core (6 months) for market value of residential and commercial property

Collateral: Extendible value (by type): Amount of collateral for the respective type of asset that can be considered for credit risk mitigation at the reporting date.

Specific credit risk adjustment: The amount of provisioning against credit risk.

Risk weighted assets: Risk-weighted exposure amounts in accordance with the CRR.

Interest rate is calculated on the basis of the Annualised Agreed Rate (AAR).

Interest rate type: Indicate whether fixed, variable, mixed interest rate applies.

Days past due: Total Number of days past due as from day 1. ✓ ✓

Indicator of Distress: 0 indicates no distress, 1 indicates past due more than 90 days, 2 indicates forborne, and 3 indicates written off. Refer to Section II. ✓ ✓

Additional information provided to lenders

With respect to the indicator of distress, credit institutions, the Malta Development Bank, credit reference agencies, other institutions and existing counterparties will be provided with a system generated variable which indicates whether the exposure is in distress (1) or otherwise (0). Granular be available for a period of five two years.

The format of the data transmission will be communicated by the Bank.

Section II: Entries associated with data attributes

Counterparty Country of Residence

AD Andorra AE United Arab Emirates AF Afghanistan AG Antigua and Barbuda AI Anguilla AL Albania AM Armenia AO Angola AQ Antarctica AR Argentina AS American Samoa AT Austria AU Australia AW Aruba AX Aland Islands AZ Azerbaijan BA Bosnia and Herzegovina BB Barbados BD Bangladesh BE Belgium BF Burkina Faso BG Bulgaria BH Bahrain BI Burundi BJ Benin BL Saint Barthelemy BM Bermuda BN Brunei Darussalam BO Bolivia, Plurinational State of BQ Bonaire, Saint Eustatius and Saba BR Brazil BS Bahamas BT Bhutan BV Bouvet Island BW Botswana BY Belarus BZ Belize CA Canada CC Cocos (Keeling) Islands CD Congo, the Democratic Republic of the

CF Central African Republic CG Congo CH Switzerland CI Cote d'Ivoire CK Cook Islands CL Chile CM Cameroon CN China CO Colombia CR Costa Rica CU Cuba CV Cabo Verde CW Curaçao CX Christmas Island CY Cyprus CZ Czech Republic DE Germany DJ Djibouti DK Denmark DM Dominica DO Dominican Republic DZ Algeria EC Ecuador E$ European International Organisations EE Estonia EG Egypt EH Western Sahara ER Eritrea ES Spain ET Ethiopia FI Finland FJ Fiji FK Falkland Islands (Malvinas) FM Micronesia, Federated States of FO Faroe Islands FR France GA Gabon GB United Kingdom of Great Britain and Northern Ireland GD Grenada GE Georgia GF French Guiana GG Guernsey

GH Ghana GI Gibraltar GL Greenland GM Gambia GN Guinea GP Guadeloupe GQ Equatorial Guinea GR Greece GS South Georgia and the South Sandwich Islands GT Guatemala GU Guam GW Guinea-Bissau GY Guyana HK Hong Kong HM Heard Island and McDonald Islands HN Honduras HR Croatia HT Haiti HU Hungary ID Indonesia IE Ireland IL Israel IM Isle of Man IN India IO British Indian Ocean Territory IQ Iraq IR Iran, Islamic Republic of IS Iceland IT Italy JE Jersey JM Jamaica JO Jordan JP Japan KE Kenya KG Kyrgyzstan KH Cambodia KI Kiribati KM Comoros KN Saint Kitts and Nevis KP Korea, Democratic People's Republic of KR Korea, Republic of KW Kuwait

KY Cayman Islands KZ Kazakhstan LA Lao People's Democratic Republic LB Lebanon LC Saint Lucia LI Liechtenstein LK Sri Lanka LR Liberia LS Lesotho LT Lithuania LU Luxembourg LV Latvia LY Libya MA Morocco MC Monaco MD Moldova, Republic of ME Montenegro MF Saint Martin (French part) MG Madagascar MH Marshall Islands MK Macedonia, the former Yugoslav Republic of ML Mali MM Myanmar MN Mongolia MO Macao MP Northern Mariana Islands MQ Martinique MR Mauritania MS Montserrat MT Malta MU Mauritius MV Maldives MW Malawi MX Mexico MY Malaysia MZ Mozambique N$ Non-European International Organisations NA Namibia NC New Caledonia NE Niger NF Norfolk Island NG Nigeria

NI Nicaragua NL Netherlands NO Norway NP Nepal NR Nauru NU Niue NZ New Zealand OM Oman PA Panama PE Peru PF French Polynesia PG Papua New Guinea PH Philippines PK Pakistan PL Poland PM Saint Pierre and Miquelon PN Pitcairn PR Puerto Rico PS Palestine, State of PT Portugal PW Palau PY Paraguay QA Qatar RE Reunion RO Romania RS Serbia RU Russian Federation RW Rwanda SA Saudi Arabia SB Solomon Islands SC Seychelles SD Sudan SE Sweden SG Singapore SH Saint Helena, Ascension and Tristan da Cunha SI Slovenia SJ Svalbard and Jan Mayen SK Slovakia SL Sierra Leone SM San Marino SN Senegal SO Somalia

SR Suriname SS South Sudan ST Sao Tome and Principe SV El Salvador SX Sint Maarten (Dutch part) SY Syrian Arab Republic SZ Swaziland TC Turks and Caicos Islands TD Chad TF French Southern Territories TG Togo TH Thailand TJ Tajikistan TK Tokelau TL Timor-Leste TM Turkmenistan TN Tunisia TO Tonga TR Turkey TT Trinidad and Tobago TV Tuvalu TW Taiwan, Province of China TZ Tanzania, United Republic of UA Ukraine UG Uganda UM United States Minor Outlying Islands US United States of America UY Uruguay UZ Uzbekistan VA Holy See VC Saint Vincent and the Grenadines VE Venezuela, Bolivarian Republic of VG Virgin Islands, British VI Virgin Islands, U.S. VN Viet Nam VU Vanuatu WF Wallis and Futuna WS Samoa YE Yemen YT Mayotte ZA South Africa ZM Zambia

ZW Zimbabwe

Counterparty Institutional Sector

S11 Non-financial corporations
S123 Money market funds
S124 Non-MMF investment funds
S125 Other financial intermediaries, except insurance corporations and pension funds (OFIs)
S126 Financial auxiliaries
S127 Captive financial institutions and money lenders
S128 Insurance corporations
S129 Pension funds
S1311 Central government (excluding social security funds)
S1312 State government (excluding social security funds)
S1313 Local government (excluding social security funds)
S1314 Social security funds
S14 Households
S15 Non-profit institutions serving households

Counterparty Sector of Economic Activity

N/A N/A
A Agriculture, forestry and fishing
B Mining and quarrying
C Manufacturing
D Electricity, gas, steam and air conditioning supply
E Water supply; sewerage waste management and remediation activities
F Construction
G Wholesale and retail trade; repair of motor vehicles and motor cycles
H Transportation and storage
I Accommodation and food service activities
J Information and communication
K Financial and insurance activities
L Real estate activities
M Professional, scientific and technical activities
N Administrative and support service activities
O Public administration and defence; compulsory social security
P Education
Q Human health and social work activities
R Arts, entertainment and recreation
S Other service activities
U Activities of extraterritorial organisations and bodies
H1 Households - Acquisition of land/dwelling for own use
H2 Households - Construction, extension and completion of self-owned dwellings
H3 Households - Other loans
H4 Households - Purchase of goods and services

Enterprise Sizes

N/A Non-SME SME

Currency Denomination

AED United Arab Emirates Dirham AFN Afghanistan Afghani ALL Albania Lek AMD Armenia Dram ANG Netherlands Antilles Guilder AOA Angola Kwanza ARS Argentina Peso AUD Australia Dollar AWG Aruba Guilder AZN Azerbaijan New Manat BAM Bosnia and Herzegovina Convertible Marka BBD Barbados Dollar BDT Bangladesh Taka BGN Bulgaria Lev BHD Bahrain Dinar BIF Burundi Franc BMD Bermuda Dollar BND Brunei Darussalam Dollar BOB Bolivia Boliviano BRL Brazil Real BSD Bahamas Dollar BTN Bhutan Ngultrum BWP Botswana Pula BYR Belarus Ruble BZD Belize Dollar CAD Canada Dollar CDF Congo/Kinshasa Franc CHF Switzerland Franc CLP Chile Peso CNY China Yuan Renminbi COP Colombia Peso CRC Costa Rica Colon CUC Cuba Convertible Peso CUP Cuba Peso CVE Cape Verde Escudo CZK Czech Republic Koruna DJF Djibouti Franc DKK Denmark Krone DOP Dominican Republic Peso DZD Algeria Dinar

EGP Egypt Pound ERN Eritrea Nakfa ETB Ethiopia Birr EUR Member Countries FJD Fiji Dollar FKP Falkland Islands (Malvinas) Pound GBP United Kingdom Pound GEL Georgia Lari GGP Guernsey Pound GHS Ghana Cedi GIP Gibraltar Pound GMD Gambia Dalasi GNF Guinea Franc GTQ Guatemala Quetzal GYD Guyana Dollar HKD Hong Kong Dollar HNL Honduras Lempira HRK Croatia Kuna HTG Haiti Gourde HUF Hungary Forint IDR Indonesia Rupiah ILS Israel Shekel IMP Isle of Man Pound INR India Rupee IQD Iraq Dinar IRR Iran Rial ISK Iceland Krona JEP Jersey Pound JMD Jamaica Dollar JOD Jordan Dinar JPY Japan Yen KES Kenya Shilling KGS Kyrgyzstan Som KHR Cambodia Riel KMF Comoros Franc KPW Korea (North) Won KRW Korea (South) Won KWD Kuwait Dinar KYD Cayman Islands Dollar KZT Kazakhstan Tenge LAK Laos Kip LBP Lebanon Pound LKR Sri Lanka Rupee LRD Liberia Dollar LSL Lesotho Loti LYD Libya Dinar MAD Morocco Dirham MDL Moldova Leu MGA Madagascar Ariary

MKD Macedonia Denar
MMK Myanmar (Burma) Kyat
MNT Mongolia Tughrik
MOP Macau Pataca
MRO Mauritania Ouguiya
MUR Mauritius Rupee
MVR Maldives (Maldive Islands) Rufiyaa
MWK Malawi Kwacha
MXN Mexico Peso
MYR Malaysia Ringgit
MZN Mozambique Metical
NAD Namibia Dollar
NGN Nigeria Naira
NIO Nicaragua Cordoba
NOK Norway Krone
NPR Nepal Rupee
NZD New Zealand Dollar
OMR Oman Rial
PAB Panama Balboa
PEN Peru Nuevo Sol
PGK Papua New Guinea Kina
PHP Philippines Peso
PKR Pakistan Rupee
PLN Poland Zloty
PYG Paraguay Guarani
QAR Qatar Riyal
RON Romania New Leu
RSD Serbia Dinar
RUB Russia Ruble
RWF Rwanda Franc
SAR Saudi Arabia Riyal
SBD Solomon Islands Dollar
SCR Seychelles Rupee
SDG Sudan Pound
SEK Sweden Krona
SGD Singapore Dollar
SHP Saint Helena Pound
SLL Sierra Leone Leone
SOS Somalia Shilling
SPL Seborga Luigino
SRD Suriname Dollar
STD Sao Tome and Principe Dobra
SVC El Salvador Colon
SYP Syria Pound
SZL Swaziland Lilangeni
THB Thailand Baht
TJS Tajikistan Somoni
TMT Turkmenistan Manat
TND Tunisia Dinar

TOP Tonga Pa'anga
TRY Turkey Lira
TTD Trinidad and Tobago Dollar
TVD Tuvalu Dollar
TWD Taiwan New Dollar
TZS Tanzania Shilling
UAH Ukraine Hryvnia
UGX Uganda Shilling
USD United States Dollar
UYU Uruguay Peso
UZS Uzbekistan Som
VEF Venezuela Bolivar
VND Viet Nam Dong
VUV Vanuatu Vatu
WST Samoa Tala
XAF Communaute Financiere Africaine (BEAC) CFA Franc BEAC
XCD East Caribbean Dollar
XDR International Monetary Fund (IMF) Special Drawing Rights
XOF Communaute Financiere Africaine (BCEAO) Franc
XPF Comptoirs Français du Pacifique (CFP) Franc
YER Yemen Rial
ZAR South Africa Rand
ZMW Zambia Kwacha
ZWD Zimbabwe Dollar

Type of Exposure

A Overdrafts on current accounts
B Credit Cards
C Overdrafts and Revolving Loans
D Credit lines other than revolving credit
E Trade Receivables
F Financial Leases
G Loans
H Syndicated Loans
I Loan Commitments
J Financial Guarantees
K Other Commitments

Default status of the counterparty

IMP1 Default because of both unlikely to pay and past due more than 90 days
IMP2 Default because of past due more than 90 days
IMP3 Default because of unlikely to pay
IMP4 Impaired but not in default
IMP5 Non-impaired

Indicator of distress

0 No distress
1 Past due more than 90 days
2 Forborne
3 Written off

Interest rate type

Fixed
Variable
Mixed
N/A

ANNEX II - INFORMATION REQUEST NOTIFICATION FORM

(Credit Institutions/Malta Development Bank)

(Paragraph 10)

[Date]

Re. Access to Information on Exposures held on the Central Credit Register by a Credit Institution/Malta Development Bank

N.B. The term “exposure” is defined in the Central Bank of Malta Directive No 14 entitled “Central Credit Register”.

Pursuant to Central Bank of Malta Directive No. 14 issued under the Central Bank of Malta Act (Cap. 204) which provides for the establishment of a Central Credit Register for the purposes of registering information about exposures, the undersigned declares to have received notification by [name of credit institution] that prior to the issue of any credit facility, it will verify information on any previous exposures in my regard held on the Central Credit Register.

I, [name] with (fill where applicable)

Local Natural Person
Malta Issued ID Card No.: [specify];

Foreign Natural Person
Non-Malta Issued ID Card: [specify];
Passport Number: [specify];
Social Security Number: [specify];
Tax Number: [specify];

Local Legal Person
MFSA Company Registration Number: [specify];
Malta Assigned VAT Number: [specify];

Foreign Legal Person
Non-Malta Issued Company Identification: [specify];

hereby acknowledge that in view of my request for the granting of an exposure credit facility from [name of credit institution/Malta Development Bank], the latter may request information concerning [myself/name of the legal person] on any previous exposures found in Central Credit Register set up in terms of the Central Bank of Malta Act (Cap. 204 of the Laws of Malta).

Furthermore, I declare acknowledge that to have received notification by [name of credit institution] that information concerning myself/ the legal person from the Central Credit Register may be shared with credit reference agencies for the issuance of a credit score in terms of paragraph in accordance with of the Central Bank of Malta Directive No 15 “Supervision of Credit Reference Agencies”.

[signature of counterparty*]

Data is being collected in terms of the Central Bank of Malta Act (Cap. 204 of the Laws of Malta) for the Central Credit Register, established at the Central Bank of Malta, to be used for the following purposes: (a) centralisation of information on credit exposures; (b) analysis of the stability of the financial system; (c) implementation of ; (d) compilation of statistics; and (e) facilitating the assessment of credit risk. It is important to note that the data submitted in relation to the previous twenty-four months up to the latest reference period shall be available on the Register. Data related to exposures that were designated as at least one of past due more than 90 days, forborne or written-off shall be available on the Register for a period of five years. Failure to provide such data may result in the refusal of a credit facility by the credit institution. Personal data shall be processed in accordance with the requirements of local and EU legislation in force at the time of the data processing, including the General Data Protection Regulation - GDPR (Regulation (EU) 2016/679). Physical persons may exercise the right to access, rectify, erase, port their personal data and/or withdraw consent or object to processing in terms of the GDPR. Further information on the Central Credit Register may be obtained by sending an email on [email protected]. Complaints may be forwarded to the Office of the Information and Data Protection Commissioner via www.idpc.org.mt.

Disclaimer: Whilst every effort has been made to present the data above as accurately as possible, the Central Bank of Malta does not assume any responsibility for incorrect data submitted by reporting credit institutions. In accordance with CBM Directive No 14, credit institutions are exclusively responsible for amending or rectifying the data they provide in relation to the Central Credit Register, on their own initiative or at the request of their counterparties or the Central Bank of Malta, whenever errors or omissions occur.

* The signature of the counterparty shall be executed in writing or through internet banking.

ANNEX III - INFORMATION REQUEST NOTIFICATION FORM

(Credit Reference Agencies)

[Date]

Access to Information on Exposures held on the Central Credit Register by a Credit Reference Agency

N.B. The term “exposure” is defined in the Central Bank of Malta Directive No 14 entitled “Central Credit Register”.

I, [name] with (fill where applicable)

Local Natural Person
Malta Issued ID Card No.: [specify];

Foreign Natural Person
Non-Malta Issued ID Card: [specify];
Passport Number: [specify];
Social Security Number: [specify];
Tax Number: [specify];

Local Legal Person
MFSA Company Registration Number: [specify];
Malta Assigned VAT Number: [specify];

Foreign Legal Person
Non-Malta Issued Company Identification: [specify];

hereby acknowledge, that [name of credit reference agency] may request information concerning myself/ the legal person, from the Central Credit Register set up in terms of the Central Bank of Malta Act (Cap. 204 of the Laws of Malta) for the issuance of credit scores in accordance with the Central Bank of Malta Directive No 15 entitled “Supervision of Credit Reference Agencies”.

[signature of counterparty*1]

Data is being collected in terms of the Central Bank of Malta Act (Cap. 204 of the Laws of Malta) for the Central Credit Register, established at the Central Bank of Malta, to be used for the following purposes: (a) centralisation of information on credit exposures; (b) analysis of the stability of the financial system; (c) implementation of monetary policy; (d) compilation of statistics; and (e) facilitating the assessment of credit risk. It is important to note that the data submitted in relation to the previous twenty-four months up to the latest reference period shall be available on the Register. Data related to exposures that were designated as at least one of past due more than 90 days, forborne or written-off shall be available on the Register for a period of five years. Failure to provide such data may result in the refusal of a credit facility by the credit institution. Personal data shall be processed in accordance with the requirements of local and EU legislation in force at the time of the data processing, including the General Data Protection Regulation - GDPR (Regulation (EU) 2016/679). Physical persons may exercise the right to access, rectify, erase, port their personal data and/or withdraw consent or object to processing in terms of the GDPR. Further information on the Central Credit Register may be obtained by sending an email on [email protected]. Complaints may be forwarded to the Office of the Information and Data Protection Commissioner via www.idpc.org.mt.

* The signature of the counterparty shall be executed in writing or by an electronic signature or through online application.

Disclaimer: Whilst every effort has been made to present the data above as accurately as possible, the Central Bank of Malta does not assume any responsibility for incorrect data submitted by reporting credit institutions. In accordance with CBM Directive 14, credit institutions are exclusively responsible for amending or rectifying the data they provide in relation to the Central Credit Register, on their own initiative or at the request of their counterparties or the Central Bank of Malta, whenever errors or omissions occur.

ANNEX IV - INFORMATION REQUEST NOTIFICATION FORM

(Other institutions as defined in article 24(4) of the Central Bank of Malta Act (Cap. 204 of the Laws of Malta))

[Date]

Re. Access to Information on Exposures held on the Central Credit Register by other institutions

N.B. The term “exposure” is defined in the Central Bank of Malta Directive No 14 entitled “Central Credit Register”.

I, [name] with (fill where applicable)

Local Natural Person
Malta Issued ID Card No.: [specify];

Foreign Natural Person
Non-Malta Issued ID Card: [specify];
Passport Number: [specify];
Social Security Number: [specify];
Tax Number: [specify];

Local Legal Person
MFSA Company Registration Number: [specify];
Malta Assigned VAT Number: [specify];

Foreign Legal Person
Non-Malta Issued Company Identification: [specify];

hereby acknowledge, that [other institutions] shall request information concerning myself/ the legal person for the [reason of accessing the information on the Register], from the Central Credit Register set up in terms of the Central Bank of Malta Act (Cap. 204 of the Laws of Malta);

[signature of counterparty*2]

Data is being collected in terms of the Central Bank of Malta Act (Cap. 204 of the Laws of Malta) for the Central Credit Register, established at the Central Bank of Malta, to be used for the following purposes: (a) centralisation of information on credit exposures; (b) analysis of the stability of the financial system; (c) implementation of monetary policy; (d) compilation of statistics; and (e) facilitating the assessment of credit risk. It is important to note that the data submitted in relation to the previous twenty-four months up to the latest reference period shall be available on the Register. Data related to exposures that were designated as at least one of past due more than 90 days, forborne or written-off shall be available on the Register for a period of five years. Failure to provide such data may result in the refusal of a credit facility by the credit institution. Personal data shall be processed in accordance with the requirements of local and EU legislation in force at the time of the data processing, including the General Data Protection Regulation - GDPR (Regulation (EU) 2016/679). Physical persons may exercise the right to access, rectify, erase, port their personal data and/or withdraw consent or object to processing in terms of the GDPR. Further information on the Central Credit Register may be obtained by sending an email on [email protected]. Complaints may be forwarded to the Office of the Information and Data Protection Commissioner via www.idpc.org.mt.

Disclaimer: Whilst every effort has been made to present the data above as accurately as possible, the Central Bank of Malta does not assume any responsibility for incorrect data submitted by reporting credit institutions. In accordance with CBM Directive 14, credit institutions are exclusively responsible for amending or rectifying the data they provide in relation to the Central Credit Register, on their own initiative or at the request of their counterparties or the Central Bank of Malta, whenever errors or omissions occur.

* The signature of the counterparty shall be executed in writing or by an electronic signature or through online application.

ANNEX V - SCHEDULE OF FEES

(Paragraph 13)

The following fees shall apply in relation to the access of information held on the Register:

(1) For every authorised representative having access to the information held on the Register, credit institutions, the Malta Development Bank and credit reference agencies shall be charged an annual fee, as the Bank may decide from time to time.

(2) A natural or legal person, requesting to exercise the right to have an extract of the information held on the Register, shall be charged a fee of twenty-five euros.

Provided that a natural person shall be entitled, free of charge, to two requests to have an extract of the information held on the Register.

A credit institution a yshall be charged an annual fee in respect of each official of the credit institution as authorised by the Bank to access the Register calculated on a cost recovery basis and which is communicated bilaterally to respective credit institutions; and A counterparty, who is a legal person, shall be charged a fee of 25 in relation to each request made for an extract of the information kept on the Register in relation to that counterparty.

ANNEX VI - AUTHORISATION FORM

[Date]

Authorisation form to be filled up by a natural person appointing a lawful representative to collect information concerning him or herself from the Central Credit Register.

In accordance with Paragraph 20 of the Central Bank of Malta Directive No 14 “Central Credit Register”, I the undersigned, [insert name and surname of the undersigned], bearing I.D. Card Number [insert I.D number], do hereby appoint as my lawful representative [insert the name of the person appointed as a lawful representative] to collect an extract of information concerning myself held on the Central Credit Register.

Signature: ______

I.D Number: ______

Name and Surname: ______

------

I the undersigned, [insert name and surname of the undersigned], bearing I.D. Card Number [insert I.D number], accept to act as a lawful representative and collect the information concerning [insert the name of person appointing the lawful representative] held on the Central Credit Register.

Signature: ______

I.D Number: ______

Name and Surname: ______

The I.D Card (or other official means of identification) of the natural person who requested to be provided with an extract of the information concerning him or herself held on the Central Credit Register must be produced with this Authorisation Form together with the I.D Card (or other official means of identification) of the lawful representative collecting same.

The Central Bank of Malta guarantees that any personal data processed within this Authorisation shall be in accordance with the requirements of local and EU legislation on data protection in force at the time of the data processing, including the General Data Protection Regulation - GDPR (Regulation (EU) 2016/679). Personal data in this form will be processed for the collection of information from the Central Credit Register. Furthermore, personal data collected in this form will be available to the Central Credit Register Section with the Central Bank of Malta. Personal data collected in this form will be retained by the Central Bank of Malta for [insert retention period]. Persons have the right to access and port their personal data, rectify, erase and restrict their personal data and to object to processing in terms of the GDPR. Failure to provide personal data as required in Authorisation Form will prohibit the Central Bank of Malta from issuing an extract of information from the Central Credit Register. Complaints on data protection may also be addressed to the Office of the Information and Data Protection Commissioner via www.idpc.org.mt.

CENTRAL BANK OF MALTA

DIRECTIVE No 15

in terms of the

CENTRAL BANK OF MALTA ACT (CAP. 204)

SUPERVISION OF CREDIT REFERENCE AGENCIES

Ref: CBM 02/2018

DIRECTIVE NO 15 SUPERVISION OF CREDIT REFERENCE AGENCIES Issued on[]

INTRODUCTION

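1. In terms of article 24A of the Central Bank of Malta Act (Cap. 204 of the Laws of Malta) (hereinafter referred to as “the Act”), the Central Bank of Malta (hereinafter referred to as “the Bank”) has been empowered to make directives in respect of, inter alia, supervision of credit reference agencies.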

SCOPE AND APPLICATION

2. This Directive lays down the rules concerning the supervision of credit reference agencies licenced in accordance with regulation 47A of the Trading Licences Regulations (S.L 441.07). Furthermore, the Directive lists a number of obligations imposed by the Bank, as the supervisory authority, on the credit reference agencies that access central credit register data (hereinafter referred to as “CCR data”) for the issuance of credit scores.

DEFINITIONS

3. In this Directive, unless the context otherwise requires:

C as the same meaning as assigned to it by paragraph 5 of Directive No 14;

“Credit information” means a collection of public and non-public information and other related information, including Central Credit Register data, which when assessed, assembled and evaluated indicates the creditworthiness of a legal or natural person;

“Credit reference agency” means any undertaking licenced by the Trade Licensing Unit in terms of regulation 47A of the Trading Licences Regulations, the main business of which is to prepare, assemble and evaluate credit information and related credit and risk management services on legal and natural persons for the purpose of issuing credit scores to be furnished to third parties, provided that a credit reference agency is not precluded from carrying out other related tasks;

“Credit score” means a measure of creditworthiness derived from credit information and which must under pain of nullity include data derived from the Central Credit Register;

“Directive No 14” means the Central Bank of Malta Directive No 14 entitled “Central Credit Register”;

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

O-site inspection a a credit reference agency through the analysis of statutory information periodically submitted in terms of their legal obligations;

O-site c means supervision of a credit reference agency through inspection on the operations of the credit reference agency at its business premises;

“Register” has the same meaning assigned to it by paragraph 5 of Directive No.14;

La a a a a b Ac 1A B O Civil Code (Cap. 16 of the Laws of Malta);

Naa a a aa a b Ac 1A B O Civil Code (Cap. 16 of the Laws of Malta);

“Person/s who effectively direct the business and the operations of a credit reference agency” shall mean chairpersons, directors (executive and non-executive), board members, council members, and any other persons who hold similar positions, and shall unless specified otherwise hereunder include a qualifying shareholder;

“Prospective counterparty” has the same meaning assigned to it by paragraph 5 of Directive No.14;

“Qualifying shareholder” has the same meaning assigned to it by Article 2 of the Financial Institutions Act (Cap. 376 of the Laws of Malta);

“Scored person” means a natural or legal person that has been assigned a credit score;

Unless otherwise defined in this Directive, terms used in this Directive shall have the same meaning as are assigned to them under the Act.

OBLIGATIONS ON CREDIT REFERENCE AGENCIES

PART I

4. Using Central Credit Register data

(1) Pursuant to Directive No 14, the CCR data to which the Bank is the holder, can only be accessible by the credit reference agency for the issuance of a credit score.

Provided that the Bank shall provide to the credit reference agency the specific data attributes and variables found in the Register in accordance with Annex 1 of Directive No 14.

Provided further and pursuant to paragraph 7 of Directive No 14, the Bank will not be held responsible for the integrity and correctness of CCR data that a credit institution provides to the Register.

(2) The credit reference agency shall be fully responsible for the public and non-public credit information that it possesses, other than CCR data. The CCR data cannot be modified by a credit reference agency.

5. Issuance of a credit score

(1) Upon the request for the issuance of a credit score by a natural or legal person or a credit institution, a credit reference agency shall issue such credit score within two working days.

Provided that the date of access to the CCR data and the date of issuance of the relative credit score must coincide.

(2) The credit reference agency shall ensure that the credit scoring methodology used for the issuance of a credit score is based on both positive and negative credit information and that such credit scores are issued at the current point in time.

(3) The credit reference agency shall provide a printed copy of the credit score referred to in sub-paragraph (1), and the scored person or a lawful representative shall physically collect it upon verification of identity in accordance with paragraph [to be confirmed] of Directive No 14. The credit score shall be collected by the scored person or a lawful representative within five working days from when the credit score is issued. Should the credit score not be collected within the stipulated timeframe, such copy of the credit score shall be destroyed.

(3) Upon a request for the issuance of a credit score, a natural person shall be entitled to one printed copy per calendar year of the credit score referred to in sub-paragraph (2) free of charge.

(4) When a request for the issuance of a credit score is made by a credit institution, the credit reference agency shall submit a copy of the credit score to the credit institution through a secure electronic channel and which can be accessed by the authorised representatives designated in terms of paragraph [to be confirmed] of Directive No 14.

(5) A credit reference agency shall remain fully responsible for the integrity and correctness of the credit scores that it issues to its scored persons.

(6) The Bank may require a credit reference agency to provide the Bank with such credit scores and other information as the Bank may consider necessary to carry out its functions or fulfil its obligations under this Directive, the Act or any other law which may be applicable from time to time.

6. Obtaining consent for the issuance of a credit score

(1) A credit score may not be issued by a credit reference agency unless it obtains the specific consent of the natural or legal person concerned.

(2) When a request for a credit score is made by a credit institution on a prospective counterparty, the credit institution shall obtain the consent of the prospective counterparty in writing or electronically, through internet banking, in accordance with paragraph [to be confirmed] of Directive No 14.

7. Notification requirements

A credit reference agency shall notify the Bank in writing, within forty-eight hours after having become aware of the occurrence of the following events:

(i) an event that can affect the confidentiality, security or integrity of a credit score;

(ii) the credit reference agency is initiating insolvency proceedings or is unable to meet its statutory, contractual or other obligations;

(iii) any civil or criminal proceedings are initiated against any person who effectively directs the business and the operations of the credit reference agency, whether in Malta or elsewhere;

(iv) any changes in the persons who effectively direct the business and the operations of the credit reference agency;

(v) any event or irregularity that disrupts the operations of the credit reference agency;

(vi) any other event that the Bank may specify from time to time.

8. Complaints Resolution Unit

(1) A credit reference agency shall set up a Complaints Resolution Unit, and shall have policies and procedures in place for dealing with complaints submitted by a scored person, arising out of, or in connection with, the correctness of a credit score.

(2) A complaint for the correction of a credit score shall be made in writing.

Provided that when submitting a complaint, the complainant shall clearly state the reason or reasons for requesting a correction of a credit score. Documents in support of the complaint shall be attached to the written complaint.

(3) Subject to the provisions of paragraph 5(2), the complaint shall be filed within thirty days from when the credit score is collected from the credit reference agency by a person authorised in terms of paragraph 5(2).

(4) The credit reference agency shall submit to the Bank, on a bi-annual basis, the following:

(i) the number of complaints received by the credit reference agency;

(ii) the number of complaints resolved through the credit reference agency's Complaints Resolution Unit;

(iii) the reason/s behind the complaints submitted by a complainant;

(iv) any other information the Bank may require to conduct analysis of the complaints submitted by the scored person.

(5) Where a complaint is made to the credit reference agency under sub-paragraph (1), the credit reference agency shall, within five working days from receiving such complaint, initiate an investigation to ascertain the correctness of the disputed credit score.

(6) The credit reference agency shall, within five working days from having initiated the investigation, verify whether the information included in the compilation of the credit score conforms to the credit information available. The investigation shall be concluded within ten working days from the receipt of the complaint.

(7) Should the credit reference agency establish that incorrect credit information had been used in issuing the disputed credit score, the credit reference agency shall inform the complainant without undue delay and proceed to issue a new credit score, by not later than two working days from the conclusion of the investigation.

Provided that where the credit reference agency establishes that the incorrect information included in the credit score concerns CCR data, the credit reference agency shall inform the complainant to collect the CCR data from the Bank.

(8) Pursuant to paragraph 7 of Directive No 14, credit institutions are exclusively responsible for amending or rectifying CCR data, either on their own initiative or at the request of their counterparties or the Bank, whenever errors or omissions occur.

9. Deletion of Central Credit Register data and credit score

(1) The credit reference agency shall keep the CCR data used for the issuance of a credit score, and the credit score, for a period of not more than one year from the date indicated on the credit score.

(2) A credit reference agency shall seek to obtain authorisation from the Bank to keep the CCR data used for the issuance of a credit score, and the relative credit score, for a longer period than the one stipulated in the preceding sub-paragraph, in the event that proceedings are initiated before a competent court in Malta on any matter which could concern the credit score.

10. Conflict of Interest and Confidentiality

(1) It shall not be lawful for a credit reference agency to issue a credit score on a person who effectively directs its business and operations.

(2) A person who effectively directs the business and the operations of a credit reference agency shall not exercise any undue influence on the officers or agents responsible for the issuance of a credit score.

(3) No person shall disclose any information relating to the affairs of a credit reference agency or of a scored person, which was acquired in the performance of his or her duties or the exercise of his or her functions under this Directive except:

(i) when authorised to do so under the provisions of the Act and this Directive;

(ii) for the purpose of the performance of his or her duties or the exercise of his or her functions;

(iii) when lawfully required to do so by any court or under a provision of any law;

(iv) when the scored person expressly consents, in writing, to the disclosure of information relating to his affairs.

(4) Notwithstanding the preceding sub-paragraph, officers of the Bank, as well as auditors or experts acting on behalf of the Bank, shall be governed by the obligation of professional secrecy and shall not disclose information obtained from a credit reference agency in the course of carrying out supervisory duties, unless such disclosure of information is done in summary or collective form, so as not to enable the identity of the credit reference agency, and of the scored person to whom such information relates, to be ascertained.

(5) Notwithstanding the provisions of the Professional Secrecy Act (Cap. 377 of the Laws of Malta) and of article 257 of the Criminal Code (Cap. 6 of the Laws of Malta), a credit reference agency may, where necessary for the proper carrying out of its activities or for the fulfilment of its obligations, communicate any CCR data which is in its possession and which is related to the affairs of a customer or of a connected person to:

(i) any auditor or expert engaged by the credit reference agency to carry out a compliance assessment, monitoring, auditing or a similar review in relation to any of the activities of the credit reference agency;

(ii) an outsourcing service provider in whose favour a credit reference agency has outsourced any of its activities.

Provided that, for the purposes of this sub-paragraph, any such communication of information shall be made subject to all proper controls and safeguards, so that it shall be the responsibility of the credit reference agency to ensure that the auditor or expert, or the outsourcing service provider, as the case may be, is subject to equivalent obligations of data protection, confidentiality and care as required under Maltese law and any European Union law, including the GDPR.

Provided further, that information communicated in terms of sub-paragraph 3 and 4 shall be without prejudice to any provision of the Prevention of Money Laundering and Funding of Terrorism Regulations (S.L. 373.01).

COMPETENCE OF THE SUPERVISORY AUTHORITY

PART II

11. Annual Supervision fee

A credit reference agency shall pay the Bank an annual supervisory fee of five thousand euro (€5,000) on the date when its licence is granted in terms of regulation 47A of the Trading Licences Regulations, and thereafter, annually upon the anniversary of the date of licencing.

12. Public Register

(1) The Bank shall keep and publish on its official website a register of all credit reference agencies. The public register shall include the following information:

(i) the name, website and contact details of the credit reference agency;

(ii) the date of the granting of a licence to the credit reference agency;

(iii) the license number of the credit reference agency issued by the Trading Licenses Regulation;

(iv) the head office and the principal place of business, if applicable, of the credit reference agency;

(v) the date of the suspension or cancellation of the licence of the credit reference agency, if applicable.

(2) The credit reference agency shall inform the Bank of any change of information in sub-paragraph (1) (i) to (iv), within three working days from when the changes take effect. The Bank shall, within five working days from receipt of such notification, update the information on its Register.

13. On-site supervision

(1) The Bank may carry out on-site inspections at any premises of the credit reference agency, as it may deem necessary.

(2) On-site inspections may be carried out by appointed Bank officials from time to time as the Bank may deem it necessary, after a notice in writing is sent to the credit reference agency.

(3) Prior to the carrying out of an on-site inspection, the Bank shall inform the credit reference agency of the objectives of the inspection and any other related requirements.

(4) On-site inspections shall be conducted through interviews, examination of specific documentation, and other relevant information as the Bank may deem necessary.

(5) The issues upon which the Bank may conduct an on-site inspection include the following:

(i) The credit scoring model and the validation methods used in the process of the issuance of a credit score;

Provided that the Bank shall take the necessary measures in order to ascertain that the credit scoring methodology used for the issuance of a credit score is based on both positive and negative credit information and that such credit scores are issued at the current point in time.

(ii) The technological infrastructure and capacity in place, including but not limited to:

(a) the information system strategies and arrangements in place, including but not limited to technological solution assessments, test strategies, risk assessment;

(b) the arrangements in place for credit information to be stored in another jurisdiction or under cloud computing arrangements.

(iii) The management of risk including incident, operational threats and security breaches handling procedures to which the credit reference agency might be exposed;

(iv) The disposal procedure in place for the deletion of CCR data and credit score;

(v) The governance framework of the credit reference agency;

(vi) Other critical operations of the credit reference agency which are directly or indirectly linked to the issuance of credit scores, including but not limited to data security, confidentiality arrangements, policies and procedures, business continuity and disaster recovery provisions.

Provided that during an on-site inspection, adherence to licence conditions in the Trading Licences Regulations and other statutory and regulatory obligations may also be analysed.

14. Off-site supervision

(1) The Bank may also carry out off-site supervision through the analysis of information and documentation submitted by a credit reference agency. The information and documentation upon which the Bank may conduct off-site supervision include the following:

(i) An updated list of reciprocity agreements that a credit reference agency has in place with other data providers, whenever new reciprocity agreements are entered into by a credit reference agency;

(ii) Amendments to the Memorandum and Articles of Association or the Statute, as the case may be;

(iii) Changes to the capital and reserves of a credit reference agency;

(iv) Audit reports and other reports on the operations of a credit reference agency, including but not limited to the annual report, where applicable;

(v) Changes to the type of methodology used for the issuance of a credit score;

(vi) Amendments to the policies and procedures of the operations of a credit reference agency;

(vii) Complaints received by a credit reference agency, as specified in paragraph 8(4).

15. Documentation and information

(1) Without prejudice to paragraphs 13 and 14, the Bank, by notice in writing, may require a credit reference agency or any of its officers to do all, or any, of the following:

(i) to provide the Bank with information showing that the date of access to the CCR data and the date of issuance of the relative credit score coincide;

(ii) to provide the Bank, at such time and place and in such form as it may specify, such information and documentation as it may require and of such description as may be so specified in the notice;

(iii) to provide the Bank any information or documentation in such manner as it may specify, as required to supervise the conformity of the operations of the credit reference agency with the requirements of this Directive and the Act, or any other law which may be applicable from time to time;

(iv) to appear before a Bank official, or before a person appointed by it, at such time and place as the Bank may specify, to provide information and documentation as the Bank may reasonably require for the performance of its functions under the Act or directives issued thereunder.

(2) If any documentation or information mentioned in paragraphs 14 and 15 is not submitted to the Bank within a stipulated timeframe, the Bank reserves the right to recommend the Trading Licencing Unit to suspend or terminate the licence of the credit reference agency.

(3) Upon the written request of the credit reference agency, the Bank may provide a minimum of twelve months of anonymised granular data in order for the credit reference agency to calibrate its scoring engine model.

16. Communication and reporting

(1) After an on-site inspection, the Bank or any of its appointed officials will draw up a report on the findings, including the appropriate and effective instructions and recommendations to be applied by the credit reference agency, within a stipulated timeframe as the Bank may reasonably require.

(2) The report is to be discussed with the credit reference agency under examination.

17. Governance

(1) Subject to regulation 47E of the Trading Licences Regulations, a credit reference agency shall require the approval of the Bank:

(i) before a decision of any person to acquire, directly or indirectly, ten per centum of the share capital of a credit reference agency or an acquisition as a result of which the proportion of voting rights or of the share capital held would reach at least ten per centum; and

(ii) within one month after any person is appointed as a person who effectively directs the business and the operations of a credit reference agency. For the purposes of this and the forthcoming sub-paragraphs a person who effectively directs the business and the operations of a credit reference agency a include a qualifying shareholder.

(2) The Bank shall have the discretion to consider whether or not the person is fit and proper of having ten per centum or more of the share capital and voting rights of a credit reference agency and/or to be appointed as a person who effectively directs the business and the operations of a credit reference agency.

(3) If, in any action mentioned in sub-article (1), the approval of the Bank is not obtained or, alternatively, if having obtained such approval, it subsequently appears to the Bank that the person is no longer fit and proper, the Bank shall have the power to make an order:

(i) To prohibit or restrain the person from continuing or taking the position of a person who effectively directs the business and the operations of the credit reference agency;

(ii) To restrain the person from exercising any right, if lawful, conferred upon him, including the right to receive payment or to exercise any voting rights attached to the shares acquired.

Provided further that persons who effectively direct the business and the operations of a credit reference agency shall in the execution of their duties and the exercise of their powers and discretions act with prudence, diligence and in utmost good faith, and comply with this Directive or under any other law which may be applicable from time to time.

(4) Where a person intends to take any action as set out in sub-paragraph (1), such person shall notify the Bank in writing of any such decision, indicating the size of the intended shareholding or the intended position to be taken within the credit reference agency, in the manner as the Bank may require.

Provided that the Bank shall, within three months of receiving such notification, give its approval or otherwise and if such period elapses without the Bank having notified its decision, such decision shall be deemed to be an approval.

(5) A credit reference agency shall inform the Bank and Trading Licencing Unit if it takes or intends to take an action to sell or dispose of its business or any significant part thereof, merge with another credit reference agency, or undergo any reconstruction and vary its nominal or issued share capital.

(6) Any person who is aggrieved by a decision of the Bank under sub-paragraph (3) may appeal to the Financial Services Tribunal in accordance with article 35 of the Act.

(7) The Bank shall have the power:

(i) to recommend the Trading Licencing Unit to suspend or cancel a licence of a credit reference agency pursuant to regulation 47E of the Trading Licences Regulations;

(ii) to disqualify an officer of a credit reference agency if such person is adjudged bankrupt or is interdicted, incapacitated, or involved in money laundering activities or in other criminal activities including theft, fraud and extortion, and affecting public trust;

(iii) to vary the scope of the audit to be carried out by the statutory auditors or audit firms, if necessary;

(iv) not to share the CCR data with a credit reference agency which fails to abide by the instructions and recommendations issued by the Bank in its reports.

(8) No credit reference agency shall:

(i) outsource any of its activities for the issuance of a credit score unless the outsourced service provider is granted recognition by the Bank.

Provided that the Bank may issue requirements for the recognition of the outsourced service provider and the provision of such outsourced services.

Provided further that the outsourced service provider shall take all reasonable steps as may be necessary to ensure that the requirements of this Directive or other applicable law are abided with. The credit reference agency shall remain fully liable for any acts committed by the outsourced service provider.

(ii) Store credit information or credit scores in another jurisdiction or under cloud computing arrangements without the prior approval of the Bank.

Provided that a credit reference agency shall supply all information and documentation required by the Bank to demonstrate that risk attached to such storage has been managed and mitigated.

18. Miscellaneous

In case of breach of this Directive, the Bank shall have the right to impose sanctions in accordance with article 56 of the Act and the provisions of the Central Bank of Malta Directive No 12 on Administrative Measures and Penalties for Infringements under the Act.
