Credit Reporting Act, 2023

Act 20 of 2023


Seychelles

Credit Reporting Act, 2023

Act 20 of 2023

An Act to provide for the establishment, operation, regulation and oversight of the credit information system with the objective of ensuring the safe, reliable and efficient processing of information, to provide for the functions and duties of the central bank in relation to its responsibilities under this act, to provide for the rights and responsibilities of data providers, data users and data subjects, and for other connected or incidental matters.ENACTED by the President and the National Assembly.

Part I – Preliminary

1. Short title and commencement

(1)This Act may be cited as the Credit Reporting Act, 2023.
(2)This Act shall come into operation on such date as the Minister may, by notice in the Gazette appoint.

2. Interpretation

In this Act, unless the context otherwise requires—Central Bank” means the Central Bank of Seychelles established under section 3 of the Central Bank of Seychelles Act (Cap.26);CIS” means the Credit Information System established under section 4;CIS Operator” means a person designated and permitted by the Central Bank to access the CIS to conduct operational activities;consent” means a data subject's freely informed and specific written agreement to the collection, processing and disclosure of the subject's data;credit history” means the record of a data subject's payment behaviour over a period of time made in accordance with section 29;credit report” means a report issued by the CIS containing the recorded credit history of a data subject;credit scoring” means a method of evaluating the probability of a prospective borrower fulfilling its financial obligations associated with a facility, by considering both positive and negative data;customer credit portal” means an online platform accessible to a data subject to access the data subject's information contained within the CIS, and lodge any dispute in accordance with section 31;data provider” means an entity that is required to supply information to the CIS in a structured manner;data subject” means a natural or legal person who—(a)applies for credit;(b)is a guarantor; or(c)signs a service or product agreement that involves a payment,and whose data is collected, processed and disclosed to data users in the CIS;data user” means an entity having authorised access and use in respect of information contained in the CIS;facility” means an arrangement or means by which a debt is incurred by a data subject, including a declaration of bankruptcy by a court;guarantor” means a person who gives his or her immovable property or offers his or her guarantee as security for the repayment of a credit facility by a borrower;interbank market participants” comprises the Central Bank, banks licensed under the Financial Institutions Act, 2004 and credit unions established under the Credit Union Act, 2009;Minister” means the Minister responsible for finance;negative data” means adverse information relating to a data subject including defaults, arrears, bankruptcies and other non-compliance with contractual or legal obligations;personal data” means any information that can be used to identify a person, including name, identification number and address;positive data” means favourable information relating to a data subject on contractual or legally compliant behaviour;regulatory authority” means an authority or a public body which exercises any functions of prudential, technical or economic regulation on the basis of statutory powers;Seychelles Revenue Commission” means the Seychelles Revenue Commission established under section 3 of the Seychelles Revenue Commission Act, 2009; andsignature” means a written, and often stylized depiction of someone's name, or other mark that a person writes on documents as a proof of identity and intent.

3. Exemption from application

This Act doeps not apply to—
(a)any funds provided by the Central Bank in its capacity as lender of last resort, for resolution or financial stability purposes made in line with written law;
(b)instruments issued by the Central Bank for liquidity management;
(c)borrowing between interbank market participants, the Development Bank of Seychelles established under the Development Bank of Seychelles Decree (Cap 63), and the Housing Finance Company Limited; or
(d)Government financing.

Part II – Administration of the Act

4. Establishment of CIS

The Central Bank shall establish and operate the CIS to collect, store and process facility information on data subjects from data providers.

5. Operation of CIS

(1)No person shall establish or operate a credit information system.
(2)A person who contravenes subsection (1) commits an offence and shall be liable on conviction to a fine not exceeding level 5 on the standard scale or to imprisonment not exceeding 2 years or both.

6. Functions of the Central Bank

(1)The Central Bank shall administer and enforce this Act.
(2)Without prejudice to subsection (1), the Central Bank shall—
(a)operate the CIS for the purposes of collection, processing and dissemination of facility information of data subjects in the form of credit reports and other services including statistical reports;
(b)have oversight of the CIS for the purpose of ensuring its safety, security, efficient and effective operation;
(c)regulate the data users and data providers in respect of CIS related activities;
(d)manage disputes and complaints in accordance with this Act;
(e)provide information to data subjects in respect of their rights, and the responsibilities of data users and data providers under this Act;
(f)consult any person, organisation or institution with regard to any matter under this Act;
(g)perform such other functions as may be necessary to ensure the effective implementation and administration of this Act.

7. Powers of the Central Bank

(1)The Central Bank shall have powers to do things necessary or expedient for, or in connection with, the performance of its functions under this Act.
(2)Without prejudice to the generality of subsection (1), the powers of the Central Bank shall include the power to—
(a)access and process data in the CIS;
(b)grant access to the CIS to qualified persons for the purpose of maintenance, support and other technical work as may be required for the proper functioning of the CIS;
(c)appoint such agents, experts or consultants and procure goods or services as may be necessary for the performance of its functions;
(d)amend data within the CIS to rectify system issues;
(e)impose and collect such fees as may be prescribed under this Act;
(f)manage access to the CIS and establish procedures and rules for persons accessing the CIS;
(g)establish operating procedures and data validation processes in relation to the CIS;
(h)perform onsite and offsite examination of data providers and data users to determine and assess their compliance with this Act;
(i)coordinate and cooperate with other authorities within the scope of this Act;
(j)conduct education and advocacy programmes in relation to the functions of the CIS;
(k)issue regulations, directions and guidelines as may be necessary for the implementation of this Act;
(l)do all such other things as the Central Bank deems fit to allow for the performance of its functions under this Act or which may be incidental to or consequential upon the performance of those functions.

8. Cooperation with authorities in Seychelles

The Central Bank may share or disclose information resulting from inspections or through its supervision of the CIS with a relevant local regulatory authority or law enforcement agency if the Central Bank has the reasonable belief that such sharing or disclosure is necessary for the prevention or detection of criminal offences.

Part III – Data providers

9. Categories of data providers

(1)The categories of data providers which are required to submit data to the CIS shall be as specified in the First Schedule.
(2)Data providers shall submit data as required under the relevant category following the issuance of regulations, except data under Category 1 which shall be provided upon the coming into operation of this Act.
(3)The Central Bank may issue regulations, guidelines and rules to provide for the requirements on data submission, quality, usage and any other related matters for each category of data provider.

10. Submission of data by a data provider

(1)Data submitted by a data provider to the CIS shall only include such information as is necessary to—
(a)obtain a complete and valid identification of a data subject;
(b)evaluate the creditworthiness of a data subject; and
(c)build the credit history of a data subject.
(2)A data provider shall submit information to the CIS in respect of a data subject in accordance with the Second Schedule.
(3)A data provider shall submit information to the CIS at intervals specified by the Central Bank.
(4)A data provider which fails to provide information to the CIS as required under subsections (1), (2) and (3) shall be liable to an administrative penalty not exceeding SCR25,000 and an additional penalty of SCR1,000 for each day or part of the day during which the contravention continues.
(5)Data submitted by a data provider relating to the gender, age and nationality of a data subject shall not be processed for the sole purpose of determining a person’s creditworthiness and shall be used for statistical purposes by the Central Bank.

11. Duty to inform data subjects

(1)A data provider shall provide the following information verbally and in writing to a data subject prior to submission of the subject's data to the CIS
(a)the manner in which its information may be used and processed;
(b)the data users which may access their information;
(c)the name of the institution operating the CIS; and
(d)the procedures which allow the data subject to exercise its rights of access and verification in relation to its own data.
(2)A data provider which fails to provide information to a data subject under subsection (1) is liable to an administrative penalty not exceeding SCR 100,000.
(3)Subsection (1) shall not apply to—
(a)the Judiciary of Seychelles prior to the submission of a data subject's declaration of bankruptcy by the Court; and
(b)the Seychelles Revenue Commission prior to the submission of information pertaining to a data subject's failure to pay taxes.

12. Duty to obtain consent

(1)Subject to subsection (2), prior to accessing a data subject's information from the CIS, a data provider shall—
(a)conduct and record appropriate identity verification of the data subject; and
(b)record the data subject's consent in accordance with the form specified in the Third Schedule.
(2)A data provider shall not require the consent of the data subject to access information which a data provider had submitted to the CIS under Regulation 6 of the Central Bank of Seychelles (Credit Information System) Regulations, 2012 (S.I. 10 of 2012) as a participating institution.
(3)Upon request by the Central Bank, a data provider shall provide evidence of consent made by a data subject to submit its data to the CIS.
(4)A data provider who fails to obtain and record the consent of a data subject in accordance with subsection (1), commits an offence and is liable upon conviction to a fine of Level 5 on the Standard Scale.
(5)A data provider who fails to provide evidence of a data subject's consent to the Central Bank commits an offence and is liable upon conviction to or a fine of Level 5 on the Standard Scale.
(6)Section 12 shall not apply to the Seychelles Revenue Commission when accessing a data subject's information from the CIS to assess the suitability of a compromise agreement with the data subject, in line with section 22 of the Revenue Administration Act (Cap 308).

Part IV – Data subjects

13. Right to access own information

A data subject has the right to access and verify his, her or its information stored in the CIS through the CIS customer credit portal, or by request to a data user, in accordance with section 14.

14. Access to credit reports

(1)A data subject may, once registered by the Central Bank in the required form and manner, access the CIS customer credit portal and have unlimited and free access to the data subject's credit report.
(2)A data user shall, within two working days, upon request by its data subject, provide the data subject's credit report
(a)at no fee for credit reports which are requested twice in a calendar year; and
(b)at a fee as specified in the Fourth Schedule for any additional reports requested during the calendar year.
(3)A data user who contravenes subsection (2) is liable to an administrative penalty not exceeding SCR25,000 and an additional penalty of SCRl,000 for each day or part of a day during which the contravention continues.

15. Access reports

The CIS Operator shall provide within two working days, upon request by a data subject, an access report of the names of data users who have accessed their information and the report shall be provided—
(a)at no fee for a report requested once in a calendar year; and
(b)at a fee as specified in the Fourth Schedule, for any additional reports requested during the calendar year.

16. Data access

The Central Bank may prescribe the procedures and rules for access to the CIS by data providers, data users, data subjects and other persons provided for under this Act.

17. Restriction of access

Access to the information contained in the CIS shall be restricted to the entities and conditions specified under section 26.

18. Purpose of access

(1)A data user shall have access to the information contained in the CIS for the following purposes—
(a)to assess the creditworthiness of a data subject;
(b)to enable the data user to make informed decisions regarding the provision of credit, goods or services; and
(c)as authorised by the data subject in writing.
(2)A person who knowingly or willfully accesses or obtains information from the CIS without lawful authority or under false pretence commits an offence and is liable upon conviction to imprisonment not exceeding 2 years or to a fine of Level 6 on the Standard Scale.

19. Data quality

(1)The Central Bank shall safeguard the accuracy of data stored in the CIS by—
(a)acquiring and implementing the necessary technology, protocols and procedures for the operations and functioning of the CIS;
(b)developing validation rules and tools ensuring adequate data quality in the CIS; and
(c)conducting periodic audits of the CIS by officers of the Central Bank or by a qualified third party.

20. Validity of information

Information contained within the CIS shall be considered valid unless it has been flagged as a result of the information being—
(a)disputed in accordance with section 31;
(b)the subject of mediation or arbitration; or
(c)the subject of proceedings before a Court.

21. Accuracy of information

(1)A data provider shall submit to the CIS accurate and up to date information in accordance with the provisions of this Act.
(2)A data provider shall take reasonable measures to verify the accuracy of a data subject's information and identity prior to submission to the CIS.
(3)A data provider which furnishes inaccurate information to the CIS is liable to an administrative penalty not exceeding SCR100,000 and an additional penalty of SCR2,500 for each day or part of a day during which the contravention continues.
(4)A person who knowingly submits inaccurate information to the CIS commits an offence and is liable on conviction to a fine of Level 6 on the Standard Scale or to imprisonment not exceeding 2 years or both.

22. Data security

(1)The Central Bank shall take reasonable measures to maintain the integrity of the CIS database, network technology and infrastructure.
(2)The Central Bank may issue regulations, instructions or guidelines related to specific security measures in the CIS to data providers and data users.

23. Data protection

(1)A data provider shall ensure that its data subjects' information is protected from unauthorised access, use, modification or disclosure.
(2)A data provider shall implement data recovery and disaster plans, which shall be submitted to the Central Bank upon request.
(3)A data provider who fails to implement or submit data recovery and disaster plans to the Central Bank in accordance with subsection (2) is liable to an administrative penalty not exceeding SCR25,000 and an additional penalty of SCR 1,000 for each day or part of a day during which the contravention continues.

24. System downtime or outage

(1)The Central Bank shall not be liable for any loss or damage resulting from downtime or system outage of the CIS.
(2)The Central Bank shall, through the local media as soon as is practicable, advise stakeholders and the public of any downtime or system outage of the CIS.

25. Data processing and usage

(1)Data processed by the CIS shall be limited to the following activities—
(a)evaluating the creditworthiness of a data subject by a data user;
(b)allowing a data user to make an informed decision regarding the provision of credit, goods and services subject to deferred payment to a data subject; and
(c)monitoring and analysis of credit trends by the Central Bank which are relevant to the Central Bank's mandate, including those pertaining to price and financial stability.
(2)A person who receives, uses, compiles and processes information from the CIS for a purpose other than that which has been provided for under this Act commits an offence and is liable on conviction to a fine of Level 5 on the Standard Scale or to imprisonment not exceeding 2 years or both.

26. Data confidentiality

(1)Information contained within the CIS is confidential and may only be disclosed—
(a)to a data subject in relation to the data subject's own data;
(b)to the Central Bank in accordance with the provisions of this Act;
(c)to a third party as authorised by a power of attorney by the data subject concerned;
(d)to a legal heir or legatee of a deceased data subject;
(e)to the executor of a data subject's estate;
(f)to a local regulatory authority or law enforcement agency in accordance with written law;
(g)in accordance with a Court order; or
(h)to a data user in accordance with the First Schedule.
(2)A person who fails to comply with subsection (1), commits an offence and is liable on conviction to a fine of level 5 on the standard scale or imprisonment not exceeding 2 years or both.
(3)A person selling or offering to sell data from the CIS commits an offence and is liable on conviction to a fine of level 6 on the standard scale or imprisonment not exceeding 3 years or both.

27. Data submission

(1)A data provider shall submit identification and facility information to the CIS in respect of a data subject in accordance with the Second Schedule to this Act.
(2)A data provider who fails to provide the requisite information in the CIS in accordance with subsection (1) is liable to an administrative penalty not exceeding SCR25,000 and an additional penalty of SCR1,000 for each day or part of a day during which the contravention continues.
(3)A person who, with intent to deceive, makes false entries or fails to enter required information in the CIS, commits an offence and is liable on conviction to a fine of Level 6 on the Standard Scale or to imprisonment not exceeding 3 years or both.

28. Data validation

(1)Data submitted to the CIS by a data provider shall be validated by the CIS prior to the data upload to the CIS database.
(2)A data provider shall be informed of errors identified by the CIS following the data validation process provided for under subsection (1), and the data provider shall, within the timeframe directed by the Central Bank, correct and submit the correct data to the CIS.
(3)A data provider who fails, refuses or delays to correct and submit information in accordance with subsection (2) shall be liable to an administrative penalty not exceeding SCR25,000 and an additional penalty of SCRl,000 for each day or part of a day during which the contravention continues.

29. Data retention

(1)Information reflecting the last 24 months of repayment or non-repayment of active facilities shall be available to data subjects and data users.
(2)Positive data collected in the CIS shall be available to data users for a period of 5 years from the date of full repayment of a facility.
(3)Negative data collected in the CIS shall be available to data users for a period of 5 years as from—
(a)the date of a data subject's full repayment of outstanding balances;
(b)the date the debt is written off, settled whether by compromise or through a decision of a court releasing the data subject from liability, or otherwise liquidated; or
(c)the date of a data subject's discharge from bankruptcy.

30. Archive

(1)The Central Bank shall maintain an archive to store all data collected in the CIS for a period of 25 years from the date at which the data is no longer available to data users, and after which the data shall be erased from the archive.
(2)A request to access information stored within the archive shall be managed by the Central Bank.
(3)Access to information in the archive shall be limited—
(a)to a data subject in relation to the data subject's own information;
(b)to the CBS and data provider if relevant to a dispute submitted under section 31;
(c)as provided for by a Court order; and
(d)to a local regulatory authority or law enforcement agency in accordance with written law.
(4)The Central Bank may access and process information, in statistical format, contained within the archive to assist the Central Bank in the formulation of its policies to support financial stability, financial inclusion and monetary policy objectives.

31. Disputes and complaints

(1)Where a data subject believes that the data subject's information contained within the CIS is inaccurate, the data subject shall either submit a dispute directly to the data provider or lodge a dispute through the CIS customer credit portal.
(2)A data provider shall, within five working days of receipt of a dispute,—
(a)amend the information contained within the CIS where it is found that the information contested is erroneous, and inform the data subject and the CIS operator of the amendment in writing; or
(b)inform the data subject and the CIS operator in writing where the information contested is correct according to its records.
(3)A data provider who fails to respond to a dispute in accordance with subsection (2) is liable to an administrative penalty not exceeding SCR25,000 and an additional penalty of SCRl,000 for each day or part of a day during which the contravention continues.
(4)A data subject, being dissatisfied with the outcome of the data subject's dispute in accordance with subsection 2, may submit a complaint to the Central Bank.
(5)A data provider who is the subject of, or has information relevant to a complaint shall promptly cooperate with the Central Bank in its efforts to resolve the complaint by providing all relevant documents, information and communication to the Central Bank.
(6)A data provider who fails to comply with subsection (5) is liable to an administrative penalty not exceeding SCR25,000 and an additional penalty of SCRl,000 for each day or part of a day during which the contravention continues.

32. Examination

(1)The Central Bank may carry out an examination of a data provider or data user where the Central Bank determines it is necessary or desirable to ascertain whether they are complying with the provisions of this Act.
(2)In conducting an examination under subsection (1), the Central Bank shall have the powers to—
(a)access any premises reasonably believed to be premises at which a data provider or data user is carrying on its business;
(b)inspect relevant documents or information, and examine those documents or information where they are located or where data is processed;
(c)obtain a copy of any documents or information in a form that can be removed and is visible and legible; and
(d)inspect equipment, systems or premises used to store or process data, documents or information, and request the running, processing or managing of any such systems.
(3)An examination under subsection (1) shall be conducted during business hours by officers of the Central Bank or persons authorised by the Central Bank.
(4)The Central Bank and any person authorised under this section to examine a data provider or data user shall be subject to the confidentiality provisions of this Act and section 11 of the Central Bank of Seychelles Act in respect of information acquired in the course of performing functions under this section and may require—
(a)a director, officer, employee or agent of a data provider to furnish such information as deemed necessary for the purpose of the examination; or
(b)any such director, officer, employee or agent to produce for inspection any books, records or other documents in their possession containing or likely to contain any such information.
(5)A director, officer, employee or agent of a data provider or data user who impedes, prevents or obstructs an examination under this section commits an offence and is liable upon conviction to imprisonment not exceeding 2 years or to a fine of Level 5 on the Standard Scale.

Part V – Infringements, remedial measures and penalties

33. Offences

(1)The Central Bank may impose penalties on data providers and data users if they—
(a)contravene provisions relating to the supply of accurate, timely and up-to-date data;
(b)fail to collaborate with the Central Bank during an examination;
(c)fail to obtain or prove a data subject's consent prior to accessing the CIS;
(d)fail to disclose information as lawfully requested by a data subject; or
(e)do not adopt adequate security or consumer protection measures.

34. Enforcement action

(1)Where a data provider or data user fails to comply with any of the provisions of this Act or any regulations, directives, rules, or guidelines made under this Act, the Central Bank may, in addition to a penalty under this Act, take one or more of the following enforcement actions against the data provider or data user
(a)issue a written warning;
(b)issue written orders to cease and desist from such non-compliance and to undertake remedial action;
(c)issue written orders to perform such acts as are necessary to comply with the Act, regulations, directions or guidelines;
(d)impose administrative penalties, not exceeding SCRl,000 per day for each day or part of a day that the act constituting the non-compliance continues; or
(e)restrict, suspend or revoke access to the CIS temporarily or permanently.
(2)The enforcement actions specified under this section shall be determined in particular cases by the Central Bank and shall be applied following consideration of—
(a)the nature, duration, gravity and extent of the contravention;
(b)any loss or damage suffered as a result of the contravention;
(c)the monetary gain derived from the contravention;
(d)whether the person has previously been found in contravention of similar or different provisions of this Act; and
(e)the impact of the contravention on the functioning of the CIS.

35. Right to submit written representation and oral submissions

(1)The Central Bank shall before imposing a penalty or taking any enforcement action under section 34, give an opportunity to a data provider or data user to submit a written representation and oral submissions on a matter before the Central Bank within the timeframe specified in writing.
(2)Notwithstanding subsection (1), the Central Bank may immediately restrict or suspend a data provider or data user's access to the CIS where the Central Bank is of the reasonable belief that such action is necessary to safeguard the integrity of the CIS.
(3)Where a data provider or data subject's access to the CIS has been restricted or suspended in accordance with subsection (2), the Central Bank shall give an opportunity to the data provider or data subject to submit a written representation and oral submissions within the timeframe specified in writing as to why their access should be restored.

36. Publication and sharing of information

The Central Bank may publish in a daily newspaper or other media or share with local regulatory authorities, law enforcement agencies or international bodies the following—
(a)all general or individual measures adopted under this Act, including enforcement measures, imposition of penalties and its redress decisions; and
(b)information extracted from the CIS in a statistical format for educational or information purposes.

Part VI – Miscellaneous

37. Protection of action taken in good faith

An employee or agent of the Central Bank shall not be liable for damages for anything done or omitted to be done in good faith in the discharge or purported discharge of their functions under this Act.

38. Regulations

(1)The Central Bank may, for the purpose of granting effect to the principles and provisions in this Act, make regulations with regard to any matter required by this Act.
(2)Without prejudice to the generality of subsection (1), regulations may provide for—
(a)fees and services relating to the CIS;
(b)credit scoring;
(c)categorisation of data providers;
(d)access and submission of data to the CIS;
(e)technological security measures for use or access of the CIS;
(f)amendment of Schedules; and
(g)the efficient implementation, administration and enforcement of this Act.

39. Consequential amendment of (Cap 26) and savings

(1)The Central Bank of Seychelles Act (Cap 26) is amended—
(a)in section 2 by repealing the definition of “Credit Information System”; and
(b)by repealing section 32A.
(2)Notwithstanding the repeal under subsection (1) (b), any statutory instrument made under the repealed section shall remain in operation as if made under this Act until it is repealed in accordance with this Act.
(3)The Central Bank may amend, vary or repeal such statutory instruments.

First Schedule (sections 9(1) and 26(1)(g))

Category of data providersDataData users
Category 1Commercial banks, Development Bank of Seychelles, credit unions, Housing Finance Company LtdCredit facilities including consumer loan, credit card, overdraft and employee loansCategories 1, 2, 3, 4, 5, 6 and 8 upon their designation as a data provider.
Category 2Government, public enterprises and the Central BankEmployee loans
Category 3Entities providing hire purchase, credit sales or financial leasing facilitiesHire purchase, credit sales, financial leasing facilities
Category 4Insurance CompaniesCredit facilities 
Category 5Telecommunication and utility companiesTelecommunication and Utility bills
Category 6Seychelles Revenue CommissionTax Payments
Category 7JudiciaryBankruptcy
Category 8Private EnterprisesEmployee loans

Second Schedule (section 10(2))

Forms

[Editorial note: The forms have not been reproduced.]

Fourth Schedule (sections 14(2)(b) and 15(h))

Report fees

[Please note: numbering as in original.]
1.Any additional credit report requested by a data subject from a data user during the calendar yearSCR25.00
2.Any additional access report requested by a data subject from the CIS Operator during the calendar yearSCR50.00
3.Credit report requested by a data user from the CISSCR25.00
▲ To the top

History of this document

11 September 2024
20 November 2023 this version
Published in Official Gazette 66
06 November 2023
Assented to