CREDIT REFERENCE AGENCY INFORMATION NOTICE (CRAIN)
Adopted: 23rd October 2017
All information as detailed herein will be referred to as CRAIN Notice, effective from the Adopted Date as specified above, except for information as detailed in in Sections 9 (data portability right), 11 and 12. These Sections provide information that came into effect from 25th May 2018, as per the effective date of the General Data Protection Regulation (or the GDPR).
This CRAIN Notice explains how the three main credit reference agencies that are also called also called “credit reference agencies” or “CRAs” in this document use and share personal data (also called ‘bureau data’) that they receive about you and/or your business that is part of or derived from or used in credit activity.
The three main CRA’s are Callcredit, Equifax and Experian.
This CRAIN Notice is not a complete record of all the personal data each CRA may hold and process, as each has a number of different business functions operating throughout it. To find out more about each CRA’s other businesses, services and personal data processing, please visit the websites directly via the links provided in Section 14.
This CRAIN Notice document answers the following questions as laid out in the corresponding Q & A’s detailed below.
CREDIT REFERENCE AGENCY INFORMATION NOTICE (CRAIN) QUESTIONS AND ANSWERS
Q1. Who are the credit reference agencies and how can I contact them?
A1. There are three main credit reference agencies in the UK who deal with people’s personal data. Each is regulated by the Financial Conduct Authority (“FCA”) and authorised to conduct business as a credit reference agency.
Equifax Ltd, Customer Service Centre, PO Box 10036, Leicester, LE3 4FS.
Q2. What do credit reference agencies use personal data for?
(a) CREDIT REFERENCE AGENCY PROCESSING
Credit reporting and affordability checks
Credit reference agencies receive personal data about you that’s part of, derived from or used in credit activity. Each CRA uses the data it gathers to provide credit reporting services to its clients.
Organisations use credit reporting services to assess and understand the financial position of people and businesses. For example, a lender or creditor may check with a credit reference agency when an individual or business applies for credit to make a credit decision considering that person or business’s credit history.
Affordability checks also help organisations understand whether persons applying for credit or financial products are likely to be able to afford the repayments.
These activities help promote responsible lending, prevent people and businesses from getting into more debt than they can afford, and reduce the amount of unrecoverable debt and insolvencies.
Verifying data like identity, age and residence, helps to prevent and detect criminal activity, fraud and money laundering. In addition, CRAs use bureau data to provide verification, crime prevention and detection services to their clients, as well as fraud and anti-money-laundering services. Listed below are some examples.
CRAs provide information including personal data to their clients for account management, which is the ongoing maintenance of the client organisation’s relationship with its customers. This could include activities designed to support the following:
Tracing and debt recovery
CRAs provide services that allow organisations to use bureau data to trace people who’ve moved. Each CRA also offers a service that allows people to be reunited with assets (like an old dormant savings account they’ve lost contact with).
CRAs may use personal data to support debt recovery and debtor tracing. An example of a tracing activity could be when a person owes money and moves address without telling the creditor where they’ve gone. The creditor may need help finding that person to claim back what they’re owed. CRAs help find missing debtors by providing creditors with updated addresses and contact details.
CRAs can use some personal data to screen people out of marketing lists.
For example, where a person’s financial history suggests they’re unlikely to be accepted for and/or afford a particular product, the relevant organisation can use that data to opt out of sending them information about that product. This helps stop people receiving irrelevant marketing and saves organisations associated costs.
This data is not used to identify, select and send marketing materials to potential new customers.
Statistical analysis, analytics and profiling
CRAs can use and allow the use of personal data for statistical analysis and analytics purposes. This can include creating scorecards, models and variables in connection with the assessment of credit, fraud, risk or to verify identities in order to monitor and predict market trends. This allows lenders to refine lending and fraud strategies and analyse activities such as loss forecasting.
CRAs carry out certain processing activities internally which support databases effectiveness and efficiencies. For example:
Each CRA has its own processes and standards for data loading, data matching and other database processing activities.
Other uses with your permission
From time to time, CRAs may use the personal data they hold or receive about you for other purposes where you’ve given your consent.
Uses as required by or permitted by law
Your personal data may also be used for other purposes where required or permitted by law.
Each credit reference agency has other lines of business not detailed in this CRAIN Notice. For example, each offers its own marketing services and direct-to-consumer services. Each CRA will provide separate information as is appropriate for services that fall outside of scope of this document.
(b) WHAT IS A FRAUD PREVENTION AGENCY?
A Fraud Prevention Agency (referred to herein as FPA) collects, maintains and shares data on known and suspected fraudulent activity. All three credit reference agencies also act as FPAs.
(c) FRAUD PREVENTION AGENCY PROCESSING
Data may be used by fraud prevention agencies. FPAs may supply the data received from lenders and creditors about you, your financial associates and your business (if you have one) to other organisations (please see Section 5 for more information on these organisations).
This may be used by them and the CRAs to prevent crime, fraud and money laundering by, for example:
Q3. What are the credit reference agencies’ legal grounds for handling personal data?
Legitimate Interests and Responsible lending
The UK’s data protection law allows the use of personal data where its purpose is legitimate and isn’t outweighed by the interests, fundamental rights or freedoms of data subjects. The law calls this the Legitimate Interests condition for personal data processing.
The Legitimate Interests being pursued here are Interest Explanation and promoting responsible lending and helping to prevent over-indebtedness.
Responsible lending means that lenders only sell products that are affordable and suitable for the borrowers’ circumstances. CRAs help ensure this by sharing personal data about potential borrowers, their financial associates (where applicable) and their financial history. A comprehensive range of measures exists in the UK to reinforce the balance so that the legitimate interests aren’t outweighed by the interests, fundamental rights and freedoms of data subjects. Further information about this balance is set out below.
Helping to prevent and detect crime, fraud, anti-money laundering and verifying identity
CRAs provide identity, fraud and anti-money laundering services to help clients meet legal and regulatory obligations. This also benefits individuals to support identity verification and support of detection/ prevention of fraud and money-laundering.
Supporting tracing and collections
CRAs provide services that support tracing and collections where there is a legitimate interest in the client conducting activity to find its customer and to recover the debt, or to reunite or confirm that an asset is connected with, the right person.
Complying with and supporting compliance with legal and regulatory requirements
CRAs must comply with various legal and regulatory requirements. CRA services also help other organisations comply with their own legal and regulatory obligations.
For example, many kinds of financial services are regulated by the Financial Conduct Authority (“FCA”) or the Prudential Regulation Authority, who impose obligations to check that financial products are suitable for the people they are being sold to. The credit reference agencies provide data to help with those checks.
The CRAs use of this personal data is subject to a wide framework of safeguards that help make sure people’s rights are protected. These include the information given to people about how their personal data will be used and how they can exercise their rights to obtain their personal data, have it corrected or restricted, object to it being processed, and complain if they’re dissatisfied.
These protections help sustain a fair and appropriate balance so the CRAs’ activities don’t override the interests, fundamental rights and freedoms of data subjects.
Q4. What kinds of personal data do credit reference agencies use, and where do they get it?
A4. Each credit reference agency gathers and uses information from different sources, so they often hold different information and personal data from each other. However, most of the personal data they hold falls into the categories as detailed below from the sources described (see Information type).
Information type – Identifiers
Information type – Lender provided and creditor provided data
Information type – Court judgments, decrees and administration orders
Information type – Bankruptcies, Individual Voluntary Arrangement (IVAs), debt relief orders and similar events
Information type – Fraud prevention indicators
Information type – Gone Away Information Network indicators
Information type – Search footprints
Information type – Scores and ratings
o Organisations that obtain data from CRAs may use it together with other data to provide their own scores and ratings.
o Credit scores and credit ratings are produced from data like the person’s credit commitments, whether they have made repayments on time, whether they’ve any history of insolvencies or court judgments, and how long they’ve lived at their current address. Each CRA has its own way of calculating credit scores, and most lenders have their own scoring systems too.
Information type – Other supplied data
Information type – Other derived data
o Address links: when a CRA detects that a person seems to have moved to a new house, it may create and store a link between the old and new address.
o Aliases: when a CRA believes that a person has changed their name, it may record the old name alongside the new one.
o Financial associations and linked people: when a CRA believes two or more people are financially linked with each other (for example, because they have a joint account), it may record that fact.
o Flags and triggers: through analysis of other data, CRAs can add indicators to credit files. These aim to summarise particular aspects of a person’s financial situation. For example, a Cifas flag protects those who’ve been flagged as subject to fraud and invites additional checks as a defence against further fraud risk.
Information type – Data provided by the relevant people
Q5. Who do credit reference agencies share personal data with?
A5. This Q&A section details about the types of recipient each credit reference agency can share data with. Each CRA has its own access control processes in place. Before it shares data with any another organisation, it must check that organisation’s identity and, where applicable, confirm where it is registered with regulators.
In many cases where an organisation uses CRA services, there will be information accessible, for example, from website or at point of application or service, to explain that an organisation may check your data with a credit reference agency (for things like identity authentication and fraud checking). In some cases, some organisations can compel CRAs by law to disclose data for certain purposes.
Members of the credit reference agency data sharing arrangements
Each organisation that shares financial data with CRAs is entitled to receive similar kinds of financial data contributed by other organisations. These organisations are typically banks, building societies, and other lenders, as well as other credit providers like utilities companies and mobile phone networks.
Fraud Prevention Agencies
If a CRA believes that fraud has been or might be committed, it may share data with fraud prevention agencies (FPAs). These FPAs collect, maintain and share data on known and suspected fraudulent activity. Some CRAs also act as FPAs.
Resellers, distributors and agents
CRAs may and do use other organisations to help provide their services to clients and may provide personal data to them in connection with that purpose.
Some data, where permitted in accordance with industry rules or where it’s public information, can be shared with other organisations that have a legitimate use for it - ID verification services, for example.
Public bodies, law enforcement and regulators
The police and other law enforcement agencies, including public bodies like local and central authorities and the CRAs’ regulators, sometimes ask the credit reference agencies to supply them with personal data.
This can be for a range of purposes such as preventing or detecting crime, fraud, apprehending or prosecuting offenders, assessing or collecting tax, investigating complaints or assessing how well a particular industry sector is working.
The CRAs may use other organisations to perform tasks on their own behalf (for example, IT service providers and call centre providers).
People are entitled to obtain copies of the personal data the CRAs hold about them. You can find out how to do this in Section 9 below.
Q6. Where is personal data stored and sent?
A6. The three CRAs are based in the UK and their main databases are kept there. They may also have operations elsewhere inside and outside the European Economic Area and personal data may be accessed from those locations as well. In both instances, the personal data use in those locations is protected by European data protection standards.
From time to time, the CRAs will need to send or allow access to personal data from elsewhere in the world, for example, when a processor or client of the CRA is based in and/or uses data centres overseas.
Although countries in the European Economic Area do all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection when it comes to personal data.
For this reason, when a CRA sends personal data overseas it makes sure suitable safeguards are in place in accordance with European data protection requirements to protect the data. These safeguards might include:
If your data has been sent overseas, you can find out more about the safeguards used from the CRAs directly, whose contact details are set out in Section 1 above.
Q7. How long is personal data kept for?
A7. Personal is kept for a duration of time by CRAs that differs according to what type information it is. These terms are outlined below.
Identification data like names and addresses are kept while there’s a continuing need to keep it. This need is assessed regularly and data that is no longer needed for any purpose will be disposed of.
Financial accounts and repayment data
Data on live and settled accounts is kept on credit files for six years from the date they are settled or closed. If the account has defaulted, the data is kept for six years from the date of the default.
Court judgments, decrees and administration orders
Court judgments and other decrees and orders are kept on credit files for six years from the date of the judgment, decree or order. However, they can be removed if the debt is repaid within one calendar month of the original date or if the judgment is set aside or recalled by the courts.
Bankruptcies, IVAs, debt relief orders and similar events
Data regarding bankruptcies, IVAs and other insolvency-related events and arrangements are usually kept on credit files for six years from the date they begin.
This period is further extended if they last longer than this period. Some data, like a bankruptcy restrictions order, can also remain on the credit file for longer than six years.
The start of these events is automatically reported to the CRAs, but the end (such as a discharge from bankruptcy or completion of an IVA) might not be. People are advised to contact the CRAs when this happens to make sure their credit files are updated accordingly.
The CRAs keep search footprints for different lengths of time. Experian and Equifax keep most search footprints for one year from the date of the search, although they keep debt collection searches for up to two years. Callcredit keeps search footprints for two years from the date of the search.
Scores and ratings
CRAs may keep credit scores and credit ratings for as long as they keep a credit file about the relevant person.
Derived or created data
CRAs create data, links and matches between data. For example, CRAs keep address links and aliases for as long as they’re considered to be relevant for credit referencing purposes.
Links between people are kept on credit files for as long as the CRA believes those individuals continue to be financially connected. When two people stop being financially connected, either party can write to the CRA and ask for the link to be removed. The CRA will then follow a process to check the people are no longer associated with each other.
Other third party supplied data such as politically exposed persons (PEPs), sanctions data and mortality data will be stored for a period as determined by criteria such as the agreed contractual terms.
CRAs may hold data in an archive form for longer than the periods as detailed above for purposes like research and development, analytics and analysis, (including refining lending and fraud strategies, scorecard development and other analysis such as loss forecasting), audit purposes and as appropriate for establishment, exercise or defence or legal claims.
The criteria used to determine the storage period will include the legal limitation of liability period, agreed contractual provisions, applicable regulatory requirements and industry standards.
Q8. Do the credit reference agencies make decisions about me or profile me? How are lending decisions made?
A8. CRAs don’t tell a lender if it should offer you credit – this is for the lender to decide. Credit reference agencies provide data and analytics that help lenders make decisions about lending.
The scoring tools and data CRAs provide may profile you and are a valuable tool in the lender’s overall processes and with the criteria they use to make their decisions. A lender’s own data, knowledge, processes and practices will also generally play a significant role in that lender’s business decisions and lender decisions will always remain for lenders to make.
The same analytics from a CRA may lead to different decisions from different lenders, as they can place differing importance on some factors than others. That’s why you may receive a “yes” from one lender but a “no” from another.
The data CRAs provide is just one of the things that a lender might consider when they make a lending decision. The lender might also consider data provided by the person applying for credit, as well as any other data available to the lender from other sources. Each lender will have its own criteria for deciding whether they will lend.
Scores and ratings
When requested, CRAs use data that they obtain to produce credit, risk, fraud, identity, affordability, screening, collection and/or insolvency scores and credit ratings; these are explained in Section 4 above. As covered above, CRAs do not tell a lender if it should offer you credit as this is for the lender to decide. Each credit reference agency, and each lender, will have its own criteria for how to calculate a credit score, but the following factors will usually have an effect:
The CRAs may provide or make available further information on profiling where necessary from time to time.
Q9. What can I do if I want to see the personal data held about me? Do I have a ‘data portability’ right in connection with my bureau data?
A9. You have a right to find out what personal data the credit reference agencies hold about you.
Data access right
Each CRA provides more information about access rights on their websites. You can request details online via the information provided in Section 1 above or make a request by post to:
Data portability right
Data protection legislation contains a right to data portability that may give consumers a right in some data processing contexts, to receive their personal data in a portable format when it’s processed on certain grounds, such as consent.
This is not a right that will apply to bureau data as this data is processed on the grounds of legitimate interests. To find out more about legitimate interests please go to Section 3 above.
Q10. What can I do if my personal data is wrong?
A10. When the CRAs receive personal data, they perform many checks to try and detect any defects or mistakes. However, ultimately, the credit reference agencies do rely on their suppliers to provide accurate data.
If you think any personal data a CRA holds about you is wrong or incomplete, you have the right to challenge it. It’s worth knowing that the CRA won’t have the right to change the data without permission from the organisation that supplied it, so the credit reference agency will need to take reasonable steps to check the data first, like asking the organisation that supplied it to check and confirm its accuracy.
If the data turns out to be wrong, the CRA will update its records accordingly. If the CRA still believes the data is correct after completing their checks, they will continue to hold and keep it, although you can ask them to add a note to your file indicating that you disagree or providing an explanation of the circumstances.
If you would like to do this, you should contact the relevant CRA using their contact details in section 1 above.
Q11. Can I object to the use of my personal data and have it deleted?
A11. You have the right to lodge an objection about the processing of your personal data to a CRA. If you want to do this, you should contact the relevant CRA using the contact details set out in section 1 above.
Although you have freedom to contact a CRA with your objection at any time, under the General Data Protection Regulation, your right to object doesn’t automatically lead to a requirement for processing to stop or for personal data to be deleted, in all cases.
Please note that, because of the importance of the credit referencing industry to the UK’s financial system, and the important purposes the personal data is needed for (like supporting responsible lending, and preventing over indebtedness, fraud and money laundering) it will be very rare that the CRAs do not have compelling, overriding grounds to carry on using the personal data following an objection.
In many cases, it won’t be appropriate for the CRAs to restrict or to stop processing or delete bureau data, for example, where the result would be to hide a poor credit history that could enable a person or organisation to get credit that they otherwise wouldn’t be eligible for.
This section helps you understand how to use your data protection rights to object to your personal data being used and how to ask for it to be deleted, in connection with bureau data. To understand these rights and how they apply to the processing of bureau data, it’s important to know that the CRAs hold and process personal information in bureau data under the Legitimate Interests ground for processing (see section 3 above for more information about this), and don’t rely on consent for this processing.
Q12. Can I restrict what the credit reference agencies do with my personal data?
A12. In some cases, you can ask credit reference agencies to restrict how they use your personal data. Your rights are set out at Article 18 of the GDPR.
You can find the contact details for each CRA in Section 1.
This is not an absolute right, and your personal data may still be processed where certain grounds exist. This is:
Only one of these grounds needs to be demonstrated to continue data processing. The CRAs will consider and respond to requests they receive including assessing the applicability of these exemptions.
Please note that given the importance of maintaining complete and accurate credit records for purposes including for responsible lending, it will usually be appropriate to continue processing credit report data, in particular, to protect the rights of another natural or legal person, or because it’s an important public interest of the union or member state.
Q13. Who can I complain to if I’m unhappy about the use of my personal data?
A13. Each CRA tries to ensure that they deliver the best customer service levels. However, if you’re not happy, you should contact them so they can investigate your concerns.
Post: Callcredit Information Group, One Park Lane, Leeds, West Yorkshire LS3 1EP.
Phone: 0330 024 7574
Post: Equifax Ltd, PO Box 10036, Leicester LE3 4FS
Phone: 0333 321 4043 or 0800 014 2955
Post: Experian, PO BOX 8000, Nottingham, NG80 7WF
Phone: 0344 481 0800 or 0800 013 8888
Financial Ombudsman Service
If you’re not happy with how the CRA has investigated your complaint, you have the right to refer it to the Financial Ombudsman Service (Ombudsman) free of charge. The Ombudsman is an independent public body that aims to resolve disputes between consumers and businesses like CRAs.
Post: Financial Ombudsman Service, Exchange Tower London E14 9SR
Phone: 0300 123 9 123 (or from outside the UK on +44 20 7964 1000)
Information Commissioner’s Office (or ICO)
You can also refer your concerns to the Information Commissioner’s Office (or ICO), the body that regulates the handling of personal data in the UK.
Phone: 0303 123 1113
Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
Q14. Where can I find out more?
You have the right to object to credit reference agencies using your personal data. Please see Section 11 to find out more.
The work credit reference agencies do is complex, and this document is intended to provide only a concise overview of the key points. More information about each CRA and what it does with personal data is available directly from the CRAs as detailed in Section 1.
The Information Commissioner’s Office also publishes advice and information for consumers in its Credit Explained leaflet, available at https://ico.org.uk/media/for-the-public/documents/1282/credit-explained-dp-guidance.pdf