I have earlier discussed in these columns matters related to my following RTI application in which I had queried both the RBI and the Ministry of Finance that Trans Union International Inc, a US-based company, increased its shareholding in Credit Information Bureau (India) Limited or CIBIL, from 10% in around 2009 to 92.1% in 2017. In the process it acquired shares earlier held by public sector banks.
This foreign private company is now holding sensitive critical information about Indian borrowers. We do not know whether this company is holding its data in India or abroad and violating the “Data Localization Norms”.
The Company CIBIL came into existence as a result of the recommendations of the N H Siddiqui committee way back in 1999. This working group submitted its report in October 1999. It had recommended, inter alia, that:
(a) a Credit Information Bureau be set up under the Companies Act, 1956 with equity participation from commercial banks, FIs and NBFCs registered with Reserve Bank of India;
(b) a foreign technology partner be included as a collaborator in setting up of a Bureau;
(c) an appropriate legal framework be put in place to provide adequate protection to the Bureau as also the credit institutions sharing information with the Bureau;
(d) pending enactment of a master legislation/legal amendments, a beginning could be made for setting up a Bureau which can operate initially by pooling information on suit-filed accounts as also transactions on which the borrower has given consent, for sharing amongst the user group.
In the Monetary and Credit Policy for the year 2000-2001, the Governor, Reserve Bank of India, announced the setting up of Credit Information Bureau in India.
Credit Information Bureau (India) Ltd., (CIBIL) was set up by State Bank of India in association with HDFC in January 2001, with an authorised capital of Rs.50 crore and a paid up capital of Rs.25 crore, with equity participation of 40 per cent each and two foreign technology partners viz., M/s. Dun & Bradstreet Information Services (India) Pvt. Ltd., and Trans Union International Inc., U.S.A. sharing the remaining 20 per cent equity stake.
With a view to strengthening the legal mechanism and facilitating the Bureau to collect, process and share credit information on the borrowers of banks and financial institutions, a draft legislation covering, inter alia, responsibilities of the Bureau, rights and obligations of the member credit institutions and safeguarding privacy rights, was prepared by Reserve Bank of India and submitted for Government’s approval in May 2001.
A Copy of this report is available here
This report examined the legal issues and recommended that under the (then) existing legal framework, CIBIL or any other CIB may collect, process and disseminate credit information relating to:
- suit-filed accounts regardless of amount claimed in the suit or amount of credit granted by a banking company or a credit institution; and
- such transactions where the constituent has given consent for disclosure for such purpose.
A Code of conduct was also prescribed for CIBIL pending a detailed legislation.
The entire discussion at this stage was under the presumption that CIBIL was an institution owned 80% by SBI and HDFC and had accommodated foreign companies only for their technical expertise. This must be considered the “Constitutional Basis” for CIBIL.
Subsequently, in 2005 the Credit Information Companies (Regulation) Act (CICRA) was enacted and, apart from CIBIL, three other Credit Information Companies (CICs) were also set up.
Subsequently in January 2014, the Aditya Puri Committee of RBI gave its report to recommend data format for furnishing of credit information to credit information companies.
Copy of this report is available here
According to the Act, a Credit Information Company was one which had been granted a certificate of registration by RBI. The condition of registration was to be set by RBI taking into account the public interest.
It is interesting to note that the Act itself prescribed Information Privacy Principles under Chapter VI which required “Consent” as well as maintenance of “Accuracy” and “Security” of Credit information.
“A credit information company or credit institution or specified user, as the case may be, in possession or control of credit information, shall take such steps (including security safeguards) as may be prescribed, to ensure that the data relating to the credit information maintained by them is accurate, complete, duly protected against any loss or unauthorised access or use or unauthorised disclosure thereof.”
It also said
“Every credit information company, credit institution and specified user, shall adopt the following privacy principles in relation to collection, processing, collating, recording, preservation, secrecy, sharing and usage of credit information, namely:—
(a) the principles—
(i) which may be followed by every credit institution for collection of information from its borrowers and clients and by every credit information company, for collection of information from its member credit institutions or credit information companies, for processing, recording, protecting the data relating to credit information furnished by, or obtained from, their member credit institutions or credit information companies, as the case may be, and sharing of such data with specified users;
(ii) which may be adopted by every specified user for processing, recording, preserving and protecting the data relating to credit information furnished, or received, as the case may be, by it;
(iii) which may be adopted by every credit information company for allowing access to records containing credit information of borrowers and clients and alteration of such records in case of need to do so;
(b) the purpose for which the credit information may be used, restriction on such use and disclosure thereof;
(c) the extent of obligation to check accuracy of credit information before furnishing of such information to credit information companies or credit institutions or specified users, as the case may be;
(d) preservation of credit information maintained by every credit information company, credit institution, and specified user as the case may be (including the period for which such information may be maintained, manner of deletion of such information and maintenance of records of credit information);
(e) networking of credit information companies, credit institutions and specified users through electronic mode;
(f) any other principles and procedures relating to credit information”
Since the Act envisaged that a CIC was a company under the Indian Companies Act, other requirements of shareholding of such a company and FDI should come under the general norms of allowing Foreign Direct Investments.
It was in 2016 when TransUnion was allowed to take over 82% of the stake in CIBIL to become Trans Union CIBIL. At this time, the Modi Government was in place and Mr Arun Jaitley was the Finance Minister. It is therefore under this regime that CIBIL’s ownership transformed and all the Public Sector and other Banks transferred their shares to Trans Union. During this time Mr Raghuram Rajan (a nominee of Mr P Chidambaram) was still the RBI Governor and Mr Urjit Patel took over in September 2016.
Each of these Banks is a corporate entity and hence there must have been a debate in their respective organizations and Boards on the pricing of the shares and on why the shares should or should not be sold.
It is possible that the Finance Ministry must have given a direction by way of a circular or an informal instruction to the Chairmen that they should sell their shares in CIBIL to TransUnion at a given price.
RBI, being the custodian of these Banks and also the licensing authority under CICRA, must have been consulted on whether the license given to CIBIL in its earlier ownership model is extendable to the new ownership or whether it has any objections.
In the CICRA regulations issued by RBI, RBI made the rules for implementing the Act. The rules expanded the user base of the information to stock brokers and mobile companies, which must be considered as “ultra vires the Act”.
The regulations failed to recognize the possibility that critical data of Indian citizens could land in foreign hands if the ownership of the Company is not restricted to Indians. (It may be noted that the ITA 2000 rules on Certifying Authorities restrict foreign ownership and hence this need was within the radar of the Government regulators.)
The privacy principles included in this regulation are worth taking a look at and comparing with the current standards of Privacy under the proposed PDPA.
There are also security guidelines to safeguard the information in the form of a separate notification.
In framing these rules, RBI appears to have ignored the need to take a stand on the nationality of the ownership of such companies and the need to protect the value of the information from falling into foreign hands.
Further, it appears that the licensing does not have a fixed term or a need to review it periodically, though the power to cancel the license is available.
Now RBI has issued a Data Localization mandate to Banks, which in principle should also apply to CIBIL. Hence the transfer of ownership from Indian Banks to a foreign technology company is sufficient ground to cancel the license issued to CIBIL.
RBI should take suo motu action in this regard, failing which I request some of my friends to take up a PIL in the Supreme Court to direct the RBI to cancel the license to CIBIL unless it transfers its shareholding to Indian Banks as it was existing before 2016 or, more ideally, the entire shareholding.
In a recent RTI application made in this regard to know how RBI allowed this “Laundering of Sensitive Personal Data of Indian Individuals” from the hands of Indian Banks to foreign hands, RBI has replied that it does not possess this information. Given the fact that the TransUnion acquisition of shares was from other Banks, it is difficult to accept the contention that RBI does not have the information. Obviously, RBI refuses to get into a controversy as it may expose an unsustainable decision of its former Governor and perhaps also expose some irregularities of the Ministry of Finance.
RBI has however hinted that the information on how the FDI was permitted could be obtained from the Foreign Investment Promotion Board (FIPB) which is the organization which has landed Mr P Chidambaram in jail today and CBI is investigating some of the cases related to the approvals.
I request CBI to also consider this FIPB clearance given to various Banks to sell their shares in CIBIL to TransUnion as part of its current investigation.
In the meantime, I am still awaiting a response from the Ministry of Finance under the RTI to understand how FIPB gave this clearance. Shareholders of each of the Banks which held the shares of CIBIL and sold them off to TransUnion should also question their respective Boards to disclose why that decision was taken.
If properly investigated, this could unearth a scam of its own. I request public-spirited advocates to take up a PIL in this regard in Delhi, preferably at the Supreme Court, and bring the details of the takeover deal into the public domain.
This is important for the protection of Privacy of Indian Bank customers. I personally have no objection to Indian Banks exchanging credit data because it is in the interest of our Banking industry, but there is no reason why a US-based technology company should own the critical financial transaction data of Indian citizens.
Is TransUnion-CIBIL guilty of Accessing Critical Personal Data through surreptitious means?