I welcome our guests. I draw their attention to the fact that while members of the joint committee have absolute privilege, the same privilege does not apply to witnesses appearing before the committee. Members are reminded of the parliamentary practice to the effect that they should not comment on, criticise or make charges against a person outside the Houses or an official, either by name or in such a way as to make him or her identifiable. We will hear a short presentation by Mr. Séamus Ó Tighearnaigh of the Irish Credit Bureau, which will be followed by a question and answer session.
Credit Agreements: Discussion with Irish Credit Bureau.
Mr. Séamus Ó Tighearnaigh
I am the secretary general of Irish Finance Houses Association, a member of the complaints committee of the Institute of Chartered Accountants in Ireland and an expert adviser to the European Commission's expert group on credit histories. I mention these positions in case they are relevant during the course of the meeting.
The Irish Credit Bureau was formed in 1965. It is owned by its members, which are mainly financial institutions. Its objectives, which have the support of regulatory authorities and consumer groups, are to assist in reducing the cost of credit, to enable faster decisions on providing credit to be made, to aid the avoidance of over-indebtedness and to assist in fraud prevention. The bureau complies fully with the Council of Europe Convention on Data Protection and the Data Protection Acts of 1988 and 2003. Therefore, private individuals may inspect their personal Irish Credit Bureau records.
The Irish Credit Bureau considers itself to be an electronic library which contains information on the performance of credit agreements between financial institutions and borrowers. Credit agreements are registered with the bureau by its members, with the consent of the borrower, which is crucial. Credit agreements include mortgages and car loans, etc. Overdraft agreements that are the subject of legal proceedings are also included. The account holder data stored include the person's surname, forename, date of birth and address. The loan data stored include the account opening date, the coded member details to identify the lending institution in question, the amount of the loan, the currency code, the loan term in months and the loan type, such as those I have mentioned. The account association code which indicates whether it is a credit agreement, a joint credit agreement or a guaranteed agreement is also retained. The date for which we have the latest balance and the balance amount on that date are also stored. The data on repayment frequency indicate whether repayments are made monthly, fortnightly or quarterly. We also store information used to indicate the person's repayment history. We will see examples of this later. That is the crucial information. A "0" code indicates that there were no arrears on the account in the last month for which information is available. A "1" code indicates that the account is one month in arrears, in the case of a monthly agreement. Such information is stored for 24 months. An example of this will also be given later.
The Irish Credit Bureau's database has over 80 members. Almost 40 of its members are the traditional financial institutions. A further 48 of its active members are credit unions which have become involved in the database in recent times. A further 30 credit unions have applied for membership and are gearing up for it. The bureau holds approximately 5.5 million account records. It holds positive and negative information. We do not interpret the information in any way. For the purposes of measuring indebtedness, we have information on accounts that are fully up to date and paid, as well as accounts that are not. We were processing approximately 11,000 inquiries each day, but that figure has decreased to approximately 8,500 for obvious reasons. Approximately 35,000 people check their records each year. That is the litmus test of accuracy. I can answer questions on this aspect of our work. The service is entirely automated. Electronic data go in and electronic data are fed back out. There are no documents. Data are retained for five years from the date a loan is closed, regardless of the repayment performance on the loan. It does not matter if the loan was repaid perfectly every month, or if there were troubles and the loan was eventually closed, written off or settled. The information is held for five years from that date on. It is important to emphasise that the bureau does not make lending decisions. We are electronic librarians. Our aim is to hold data in an efficient and accurate manner and to provide it in legitimate circumstances, where consents are provided, on a timely basis.
I do not propose to go through the sample credit report I have furnished to the committee. I will refer to the document, if necessary, when questions arise. There is probably far too much detail in the report, in any case. The sample report is also available on the Irish Credit Bureau's website. It explains the credit bureau scoring service provided for certain members. I thank the committee for its attention.
I welcome the representatives of the Irish Credit Bureau. I propose to concentrate on people who have problems. I refer to subprime lenders which are defaulting. Will Mr. Ó Tighearnaigh explain the process by which the bureau is notified in such circumstances? A couple of my constituents have defaulted on their mortgages. The amount of money involved is quite small. They believe their details were referred to the bureau quite quickly and, as a result, they cannot go to any other lender. I appreciate that many finance companies are registered with the bureau. They set the regulations themselves. I accept that the bureau does not involve itself with the frequency of the defaults referred to it, or the speed with which that process happens. Does it have any information in that regard?
Mr. Séamus Ó Tighearnaigh
We have a technical manual for dealing with such cases. I have a copy with me. Essentially, a single template is used for all members. Members do not have a choice when it comes to frequency. If the payment frequency is monthly, our members have a contractual obligation to update their records each month. The terms of the calculation used to ensure there is objectivity and consistency are outlined in the technical manual. If somebody pays half of an instalment each month——
Could it be from any lender such as a sub-prime lender?
Mr. Séamus Ó Tighearnaigh
No, there are no money lenders in the Irish Credit Bureau, for reasons I can amplify. The position on money lenders may change. The initial criteria for becoming a member included being regulated by the Financial Regulator. For a period of time the lenders referred to by the Deputy were regulated by the Office of the Director of Consumer Affairs. Perhaps a change will be made in this respect. The membership of the bureau does not include any money lenders.
I wish to speak about what happens if somebody pays half of an instalment in a particular month. Every member should process this consistently in the same way, by reference to the standard contract. It is actually rounded down. If that were the only level of arrears, a "0" code would be applied to the database. For these purposes, it does not matter whether an institution is a clearing bank, a credit card company or a sub-prime lender — a "0" or "1" code will be applied on the same timely basis.
I am trying to understand this. I am concerned about what happens when somebody borrows money from a subprime lender. That information is passed on to the Irish Credit Bureau quickly, which means the person cannot go to any other lender. The person in question might be paying 8.9% interest on his or her mortgage to the subprime lender. The process I have mentioned means that a person who defaults on one payment loses the opportunity to pay a lower rate such as 5% to another lender. Depending on which of the various rules is applied in such a case, other lenders might not deal with that person until there is a six-month period during which there is no liability, as reported to the bureau, after clearing the debt.
Mr. Séamus Ó Tighearnaigh
I do not want to become too technical. The sample report I have furnished to the committee contains a window of 24 characters. The character on the left is the most recent piece of information and typically relates to October 2008. If the October 2008 character were a zero, the character behind it would be the second most recent, which would be September 2008. For example, the character 1 could represent September, the character 2 could represent August and so on across the 24 characters. A lender will look at this window and decide that although the person was two months in arrears, all arrears have been paid off. As a further 24 months elapse, the window falls away to the right.
It takes two years for that to occur. While I do not wish to labour the point, it appears that those who borrow more money than they are capable of repaying and are given more money than they should receive quickly default. This results in cases such as one reported today involving an application by Start Mortgages for possession of a house during which a judge stated that reckless lending as well as reckless borrowing is taking place. Does the Irish Credit Bureau have a role in examining or commenting on this issue?
Mr. Séamus Ó Tighearnaigh
The role of the Irish Credit Bureau is one of electronic librarian whose function is to ensure its data is as complete, up-to-date and timely as possible. Therefore, when an individual approaches a financial institution, gives it consent to check with the Irish Credit Bureau and applies for credit, we will provide the best possible information to the lender. However, we have no part——
The problem is that the bureau is effectively the credit rater for all the financial institutions and has no role other than that which the financial institutions have allocated to it.
Mr. Séamus Ó Tighearnaigh
No, we do not have any other role. We must be cautious as a misconception has arisen. Credit rating agencies and credit reference agencies are two totally different types of entities. The former include Moody's, Standard & Poor's and Fitch's, which are in some opprobrium for failing to foresee the calibre and quality of debt and the problems which recently manifested as a result. The Irish Credit Bureau is not a credit rating agency. It is purely a credit reference agency.
If a person has borrowed too much and been given too much——
Mr. Séamus Ó Tighearnaigh
That will be shown in our records.
While I understand that, such a person cannot get out of the trap in which he finds himself. That is not a reflection on the Irish Credit Bureau but it shows the system does not help that person.
Mr. Séamus Ó Tighearnaigh
There are two real time cycles. The first is the 24-month time cycle on the window. At the point at which the final code comes in indicating that the balance is zero and the debt is complete or written off or whatever, there is a five-year period during which information is retained. However, only the final 24 characters are retained. There was a period when the markets were fluid and particular lenders would target particular types of lending opportunity. Obviously, sub-prime lenders did not have difficulty lending to people with less than perfect credit histories. In fact, they risk-priced or so they said, whereas I know anecdotally of other entities whose attitude is that they do not want to deal with people who have experienced arrears, full stop. One also has everything in between.
I welcome Mr. Ó Tighearnaigh's clarification of the position vis-à-vis credit rating versus credit referencing. The objectives set out by the Irish Credit Bureau are clear and a distinction has been made in that sense. An issue arises regarding the objective of aiding avoidance of over-indebtedness. If my mode of putting questions is wrong, Mr. Ó Tighearnaigh may correct me. If somebody who is not part of the group of 80 members seeks information on a particular person, is a facility available whereby the ICB will provide information on a particular individual to third parties? Is information on the credit histories of individuals freely available to the 80 members of the ICB?
Mr. Séamus Ó Tighearnaigh
The Deputy asked two questions. As to whether we give information to non-members or non-members, the answer is "absolutely not" and that applies right across the board. To do so would be in breach of data protection law. The only circumstances in which information is provided to third parties relates to the work we do with the Garda Bureau of Fraud Investigation and the drugs squad. To keep those good people and ourselves honest; when either body requires information as part of a criminal investigation, it applies to the courts under section 63 for an order. The Irish Credit Bureau obviously complies with court orders and the Data Protection Commissioner, having examined the issue, has given his imprimatur to that.
As to whether we make information freely available to members, the answer is "No". I am not being facetious in this regard. Consent must be given and a form requiring four separate consents is standard across the industry. I can amplify further if the Deputy wishes but one of the consents is to permit an institution to make an inquiry, while a second consent is to permit, in the event that an inquiry is made and a loan is granted, the registration of the details of the loan in the Irish Credit Bureau.
To clarify, is it correct that the Irish Credit Bureau does not make lending decisions, as such, and is, as has been stated, a librarian or facility for storing data?
Mr. Séamus Ó Tighearnaigh
The bureau is a data storage facility with the proviso that it also provides what is known as a credit bureau score. Information on this is available in the pack circulated. This score is not provided in all circumstances and is given only to certain financial institutions, namely, Fair Isaac, the oldest credit scoring company in the world which was established, I understand, in the 1950s, and a company called CRIF. What they try to do is translate all the information in the database into an indicative score which they pass on, in some instances, with the pure electronic librarian data.
There is, in effect, an element of rating involved in the activity of the Irish Credit Bureau.
Mr. Séamus Ó Tighearnaigh
No, it is not a rating but a predictability indicator. Based on the entire database of 5.5 million entries, it will conclude that a person of a specific profile borrowing would fit on a score of, let us say, between 300 and 600, although these are not exact numbers. We go on to say that this Fair Isaac or CRIF score has to be interpreted correctly. A high score will not guarantee that a person secures a loan and a low score will not disadvantage a person seeking a loan. The reasons for this are set out in the pack.
I beg Mr. Ó Tighearnaigh's indulgence on this issue. I am trying to enhance my understanding of the issue and ask him to forgive me if my questioning appears persistent. Is there scope for the Irish Credit Bureau to develop as a credit rating agency?
Mr. Séamus Ó Tighearnaigh
No.
Arising from that question, could the Irish Credit Bureau pull out of its database a list of people who have defaulted perhaps twice in a six-month period? If so, would it make such data available to an institution which requested it?
Mr. Séamus Ó Tighearnaigh
In a nutshell, we would not and it would be contrary to data protection to do so. In each instance, the bureau requires a consent and a report. We put up a footprint by stamping the record to indicate that on a specific date an inquiry was made against a specific individual by a specific institution and the following specific information was sent back.
It is a very precise function.
Mr. Séamus Ó Tighearnaigh
Yes, and the data subject, of whom 35,000 have come to us, see not only what the information is but who inquired and what was sent back to the inquirer.
Does the Irish Credit Bureau not provide general statistical data?
Mr. Séamus Ó Tighearnaigh
We have provided such data since May 2008. Following a meeting with the Financial Regulator, it was agreed that we would produce generic data for loan types, terms and sizes. This information is purely generic and consists of global statistics which do not allow for any institution or individual to be identified.
It would have a certain "canary in the coal mine" function.
Mr. Séamus Ó Tighearnaigh
Yes.
I shared my colleagues' view that the Irish Credit Bureau engaged in credit rating. Is it correct that the information the bureau provides enables each lender to carry out its own credit scoring?
Mr. Séamus Ó Tighearnaigh
Yes.
Mr. Ó Tighearnaigh may have given half an answer to my next question. In the case of a person who decides he is in serious trouble and attempts to obtain four loans in a single month, would he slip through the Irish Credit Bureau's net, given that its data is updated only once per month or thereabouts? If such a person had four loans sanctioned within a one or two month period, would the Irish Credit Bureau cop him? Can that person slip through the net by going to four different places to obtain four loans within a month or two, or would that person be picked up by the system?
Mr. Séamus Ó Tighearnaigh
We would know because as soon as an inquiry is made we get an instantaneous footprint of the history of inquiries. That is stamped. If lender No. 4 gets the consent and makes an inquiry he or she will see that within the previous 24 hours the individual——
That is very clear.
Mr. Séamus Ó Tighearnaigh
Yes. The details of any loans from the first three visits might not have hit the system but the inquiries will be instantaneously shown.
Approximately 48 credit unions are members but another 453 credit unions are not members. Does Mr. Ó Tighearnaigh think they should be members or would he like them to be?
Mr. Séamus Ó Tighearnaigh
It is probably no harm to explain the journey we have travelled. Five years ago we went to Dungannon, Bantry and other places North and South, to GAA clubhouses and other such places, at the request of the Irish League of Credit Unions to explain what we do. In certain quarters there was a philosophical difficulty to working with banks because some people saw the ethos of the credit union as community based, therefore rubbing shoulders with banks was not perceived to be good. When the other merits were explained such as over-indebtedness, speeding up access to credit and preventing fraud, it became clear that the hearts and minds were won over.
None of us foresaw what was around the corner. We thought the bulk of the work was done in terms of the contractual deals and the credit unions changing their forms to get the right data protection consent clauses. What we did not anticipate was that the IT side would present a great big speed-bump. There were 14 different IT suppliers and when they looked at the complexity of the technical specification some said it would involve four years of man work. The problem was that individual credit unions said "Yes" but asked how much it would cost to change their IT systems. The suppliers initially said that depended on how many credit unions signed up as they could do the work once and distribute it over time. That process took approximately three years. The bulk of those IT suppliers have made their systems IT compliant, so it is only a matter of time.
While it would be wrong to mention any part of the country, in a part of west Clare the credit union opens for only two days a week and there are 600 members. There will probably have to be a process of amalgamation or consolidation for credit unions like that to have the IT capability to gear up on a realistic cost basis to something like this.
Does Mr. Ó Tighearnaigh think there should be a national database? The issue has been raised with other groups also. Does he think it is possible to do that?
Mr. Séamus Ó Tighearnaigh
I have just attended two meetings in Brussels as I have been appointed as an expert adviser to the European Commission. The Commission has the objective, as one of its missions, to facilitate cross-border lending and greater consumer choice. The first two meetings were spent dealing with all the obstacles, which are many, but better people than I see that completeness would better assist the objectives I set out initially.
Does the ICB have a way of checking the information given by its members? Does one have to assume they are giving the correct information? They are in competition with each other. I assume the ICB has to trust the information it receives and that it is not its job to check the information.
Mr. Séamus Ó Tighearnaigh
There are approximately seven safety checks in place. Reference was made to the canary in the mine — the 35,000 people who check their records well serve that purpose. We were fully audited by the Data Protection Commissioner in 2005 and his annual report was laid before the Oireachtas detailing satisfactory findings in that regard. In certain years the Data Protection Commissioner has also chosen to fully audit financial institutions and the ICB is a key component of those audits. There are other checks and balances in our system as I have described it. We have self-auditing capability. If somebody tells us that in December a customer was one month in arrears he or she can hardly turn around in October and say that the customer is now eight months in arrears. Were that to happen we would block that information, revert and notify.
Can an individual apply to get his or her record?
Mr. Séamus Ó Tighearnaigh
Yes, 35,000 people do that every year.
It is open to everybody. What does a person do if he or she is unhappy with the record?
Mr. Séamus Ó Tighearnaigh
A person can go through approximately four processes. The first obvious process is to contact the bank and say "That is wrong."From my experience, because of the litigious environment, it is in the bank’s interest, if it knows it is in the wrong, tosort out the matter very quickly. A person can also go to the Irish Credit Bureau and make a complaint of 200 words telling his or her side of the story and disputing the accuracy of the bank’s case. We advise in those circumstances that individuals go to level 3, which is to make a formal complaint to the Data Protection Commissioner. The fourth level is the courts.
In regard to the job of the members of this committee dealing with economic and regulatory affairs, given that a potential national or European database is probably a long way off, is there anything we should do to tighten up the area of lending to protect people who are vulnerable to multiple borrowing?
Mr. Séamus Ó Tighearnaigh
Yes, I suspect the answer lies in data protection law. In preparation for the meeting, my colleague, Mr. Gerard O'Neill, and I had a chat. We said we were not worried about data timeliness. We believe our timeliness is as good as it gets but we have issues on data completeness. The two obvious issues were that at one point we never registered credit cards or overdrafts unless they were in legal difficulty because credit cards were rightly or wrongly traditionally seen to be payment instruments that one used to pay off debt at the end of the month and one probably only had a balance of approximately €1,000. As we now know, some people have five or six credit cards with balance limits of €20,000 and they do not pay them off every month. A credit card must now be seen as a lending instrument. The good news is that credit card information is coming in. The problem is that under data protection law unless a financial institution had captured the consent retrospectively when it decided to change course and put all the credit card information in positively, it found it could not do that because it did not have data protection consents so that it can only capture the consents in the future.
I do not wish to be critical but at times I wonder whether it suits the credit unions that they do not have a legal obligation to register retrospectively because they can use the absence of a consent as a reason. Different credit institutions would take a view. I know of one credit card company that took the lead and wrote to its customers stating that it thought it would be a good idea and encouraged people to give consent retrospectively. That is another way around the problem but that is a large logistical exercise. That company's philosophy is that if it is going to lend €15,000 to an individual on a credit card, it wants the ICB to put all the other credit card companies on notice that an individual is at a certain level of indebtedness and throwing more money at him or her would put it and other companies in trouble.
To follow from Deputy English's question on what a person can do if he or she is unhappy about his or her rating, how many individuals among the 35,000 have expressed dissatisfaction and how many reported the ICB to the Data Protection Commissioner or went to court?
Mr. Séamus Ó Tighearnaigh
Less than one case per annum goes to court. Between 25 and 50 cases were reported to the Data Protection Commissioner. That information is contained in the Data Protection Commissioner's annual report. I must confess I do not have the exact information. I am chief executive and the troubled cases come to me. In some instances it is not what one would anticipate.
The cases with which I have most difficulty are the marriage breakdown cases one would not anticipate, in which a husband might forge his wife's signature on a joint application following the breakdown. She, in turn, so many months later, might apply for a loan and discover the other loan. One can anticipate her anger. In such circumstances, we would very much appreciate the intervention of the Data Protection Commissioner to keep matters on a professional basis.
To use the example of Joe Bloggs, I presume the only people entitled to access the information on Joe Bloggs would be Joe Bloggs himself and the 80 or so members of the Irish Credit Bureau.
Mr. Séamus Ó Tighearnaigh
Where they have consent.
What security mechanisms are in place to prevent A. N. Other from accessing Joe Bloggs's details?
Mr. Séamus Ó Tighearnaigh
The empirical evidence of 24 years demonstrates the system has never been breached. We would like to believe we have best-in-class security encryption standards. We have been audited on those standards three times so far this year by international firms such as KPMG. It is always a worry and we are never complacent about it. There is a risk and it requires commensurate professional attention, which I believe it receives.
Mr. Ó Tighearnaigh should correct me if I am wrong in saying that, if Joe Bloggs wants to access information on himself, the details he needs to provide to do so include his name, address, telephone number and occupation. These details would surely be known to many people, including his parents, children and wife.
Mr. Séamus Ó Tighearnaigh
We allow an on-line inquiry to generate the report but we never give the report on-line. We will only send the Joe Bloggs report to an address we independently corroborate as being his. Many journalists made attempts many times to gain access to the records of a former Taoiseach who is sadly no longer with us and who had something to do with the renovation of the building we are in, but none succeeded.
Did Mr. Ó Tighearnaigh see them?
Mr. Séamus Ó Tighearnaigh
I have not been allowed look at the records since an audit in 1998.
I am intrigued. Quite a number of people would know the address, phone numbers and occupation of Joe Bloggs. No other details are requested in the sample given to us.
Mr. Séamus Ó Tighearnaigh
Let us say Joe Bloggs has three records in the Irish Credit Bureau. If somebody other than Joe Bloggs sends in a form with the details the Senator describes and forges Mr. Bloggs's signature, he will obviously claim he has changed address. We will not release the information until we have confirmed Joe Bloggs has changed address. The forger may cause Mr. Bloggs to receive a report he did not ask for but at least it will be Mr. Bloggs who will receive it. We have had a few such incidents but the integrity of the system and confidentiality have not been breached.
Speaking of former Taoisigh who are no longer with us, I would not mind seeing the records of former Taoisigh who are still with us. They would also be interesting.
The Deputy should stick to his own party.
Consider the consequences if one comes from overseas. If I were Australian and living in Ireland for two years and intended to buy a house, to what extent could I carry my records or credit rating with me?
Mr. Séamus Ó Tighearnaigh
Very poorly. That is why the EU Commission set up the expert group, of which I am a member, and which will report on 1 May.
Paradoxically, we have a phenomenon that I call the Polish factor. Ten or 15 years ago, letters of complaint that came to my desk were usually to ask why the bureau held information on the sender. I used to write back stating consent was given, that the information was accurate and that, if the sender did not like this, he should contact the Data Protection Commissioner. Today people are writing in to complain that the bureau does not have information on them. They may have taken a loan from a certain institution, such as a local credit union, three years previously, saved a great deal of money and intend to return to Poland to get married and buy a house but the credit institution may not yet be a member. That is frequently the case. The Deputy is correct in stating people want to use their credit rating so they can move across borders without facing the types of difficulties he mentioned. There is much work to be done to achieve that goal.
Friends of mine who have left Ireland over the years and gone to the United States have contacted me about this matter. The chicken-and-egg problem arises in that if one does not have a credit record in the United States, one will not get credit. Individuals make arrangements to have their Irish Credit Bureau records sent to the United States before they can set up businesses.
The 20 experts in the EU Commission's group are from a wide variety of organisations, including data protection bodies and EU consumer protection groups. The latter highlight the fact that a German going to work in Portugal has considerable difficulty opening up a bank account and accessing credit for a certain period.
It is a shame there is not some kind of credit passport. There is not really an EU banking system as such.
Mr. Séamus Ó Tighearnaigh
I would favour that but I am in a minority of approximately one——
There are two now.
Mr. Séamus Ó Tighearnaigh
——because of the possibility of fraud.
From certain countries.
Mr. Séamus Ó Tighearnaigh
A paternal company that makes a certain beverage in Dublin set up a trust fund for its employees who fell on hard times. One day a very nice gentleman who worked for the trust voluntarily asked me why I use so much Tipp-Ex. I did not know what he was talking about and he said his organisation gets its people to check the records. We do not know the reason an individual comes in to check his or her record. The man stated the applicant attaches his or her ICB record to the application for funds and that most of the applications have Tipp-Ex. Therein lies the answer as to why the credit rating passport might be a problem. It would be a great idea if it could be achieved securely but, in believing this, I am in a minority of one. It would also be the cheapest way of implementing the system.
What about reciprocity of membership involving the Irish Credit Bureau and all the other bureaux around Europe?
Mr. Séamus Ó Tighearnaigh
That day will come. There is some reciprocity at present. There are eight member states, including Belgium and France, whose financial regulators have set up mandatory credit reference agencies, operated by the central banks, but only on a negative basis. They have reciprocity because there are Walloons in the French-speaking part of Belgium who borrow in France, and so on. The procedure operates only on a negative basis and applies only if somebody has gone wrong for 90 days. I saw the figures and noted that Belgium made 228 inquiries against France in 2007 and that France made 460 inquiries against Belgium. These are inexact figures. Similar arrangements apply between parts of Holland and Belgium and between German-speaking southern Holland and Germany. However, the numbers are infinitesimally small and certainly would not warrant the setting up of a data network.
Since we have two jurisdictions on the island of Ireland, I would have believed we were prime candidates for the introduction of cross-Border lending and reciprocity. In practice, it simply does not happen, unless one is involved in quarrying and other activities.
How safe are the bureau's data? Is there no chance of a memory chip being left behind? How secure is the system physically?
Mr. Séamus Ó Tighearnaigh
No. Where the issue has arisen recently, certain financial institutions have, with the agreement of the Data Protection Commissioner, included in our records an alert to state an individual's data may have been compromised by the loss of a memory chip. They are obliged to advise the individual that it is in his interest to take action such that, if somebody obtains his data and attempts to use them to obtain credit in his name, the bureau can erect a higher barrier.
How secure are the bureau's data? I presume they are on a mainframe.
Mr. Séamus Ó Tighearnaigh
Our data are on the mainframe system and are highly encrypted.
Mr. Gerard O’Neill
The data is on our main computer systems in our Clonskeagh offices. Any time it is accessed, it is through a highly secure system with full encryption. The only way members can get at the data is from their computer rooms to our computer room.
Mr. Ó Tighearnaigh said he cannot access the data. A winner of the euro millions lottery had her records accessed 35 times in the Department of Social and Family Affairs. What safeguards are in place that bureau staff will not access the data to find out information on, say, their next door neighbour?
Mr. Séamus Ó Tighearnaigh
Our standards are excellent. That was one reason I was knocked off the authorised list to look at data. There are only three people in the company entitled to look at the data.
We had a bad episode in the mid 1990s. A female employee — fortunately she has gone to a better place — had a substance abuse problem and borrowed money from various banks. She had the ability to delete the records of her borrowings and repeat loan applications. It sadly came to a bad end. Eight banks sent in letters because of her status and position.
In 1998, as a result of this, we introduced an Oracle-based system. Fundamental to this system is that any change to data must be logged, the purpose of that change logged and authorised. It is on a "need-to" basis. For the three people in the bureau who have access, everything is logged and it is password and encryption controlled. Our new systems have not let us down in that regard.
What is the staff complement of the Irish Credit Bureau?
Mr. Séamus Ó Tighearnaigh
It is 19 staff, five of which have Masters degrees. They tend to be highly educated.
Up to 8,500 inquires are processed every day. With only three people authorised to access data, that seems to be a very large workload.
Mr. Séamus Ó Tighearnaigh
The inquiries are totally automated over secure systems. The three staff members are the only ones allowed to look at the actual data. The scope of the problem in the Department of Social and Family Affairs is restricted to three people in our operation. Their purposes for examining data are logged and they cannot access those logs.
Is all the other work automated?
Mr. Séamus Ó Tighearnaigh
Yes, there are point-to-point computer links over highly secure networks for our members.
How does the bureau ensure staff in one of the bank members is not inputting false information, say?
Mr. Séamus Ó Tighearnaigh
That happened in the early 1990s. The solution is to come down like a ton of bricks and call in the Data Protection Commissioner.
How does one detect that?
Mr. Séamus Ó Tighearnaigh
I do not want to go into specific cases but a gentleman, an actuary, who worked for a financial institution was instructed to set up a pension subsidiary. Over a pint with a fellow actuary one night, he told him his gripe was that he was expected to set up a greenfield pension company and give six crucial management people responsibility for managing an awful lot of money when he did not really know them. All he could base his judgment on was an interview and a CV. His fellow actuary said his wife worked in so-and-so and had access to the Irish Credit Bureau database. She checked it obliquely by asking a colleague to do it for her.
She sounds like a politician.
Mr. Séamus Ó Tighearnaigh
She then passed on the information to the actuary. He had the audacity to put the credit report before the individuals setting up the company. Needless to say, that pension subsidiary never went ahead. The actuary lost his job and so too did his friend's wife who provided the information
We have never had a problem in the Irish Credit Bureau, other than the lady with the substance abuse problem. She did not hurt any individuals but herself and the financial institutions that lent to her. We have had some external problems — not many — like that of the pension subsidiary. The lady in that case broke the law. If people are prepared to break the law, it is in remedy stage rather than prevention.
I had a constituent whose husband had a serious mental health problem. He borrowed recklessly without her knowledge and eventually she was forced to sell the family home. When she wanted to buy another house, she could not because of her husband's credit rating. It was up to her lender to accept her evidence.
Mr. Séamus Ó Tighearnaigh
The only role we can play in such cases is a compassionate one, offering advice and guidance to the individual. We have specially trained staff fulfilling that role. Sad cases emerge, such as the one described, and our staff will advise the individual affected to write, outlining the case, to the financial institutions. I would have thought in the Deputy's case that the financial institution would have taken the facts into account. If the institution accepts this case, it can then instruct us to remove the data held on the individual's rating.
On behalf of the committee I thank the Irish Credit Bureau for attending the meeting.
The joint committee adjourned at 3 p.m. until 4 p.m. on Tuesday, 25 November 2008.