Wednesday, 13 November 2019

Questions (64)

Joan Burton


64. Deputy Joan Burton asked the Minister for Finance if his attention has been drawn to a breach of the Central Credit Register by a bank (details supplied) that resulted in customers being the subject of multiple credit inquiry requests to the registry and a representative body resulting in potential adverse effect on their credit reports by the register and the body and other future lending applications and a digital footprint which cannot be removed for five years; his plans to address same; and if he will make a statement on the matter. [46550/19]

View answer

Written answers (Question to Finance)

The Central Bank has established the Central Credit Register (CCR) under the Credit Reporting Act 2013 (the Act).

The Act obliges lenders to:

- submit personal and credit information to the CCR every month on loans of €500 or more;

- access the CCR for an applicant’s credit report, when considering loan applications of €2,000 or more.

Lenders may also, if they wish, access the CCR for an applicant’s credit report when considering loan applications for less than €2,000. Borrowers may request their credit report at any time free of charge at

A sample CCR credit report and explanation is available in the Central Bank’s factsheet at This indicates that a credit report has four parts:-

Part one shows the personal information submitted to the CCR in respect of a credit information subject.

Part two shows a summary of the active and closed credit agreements entered into by the borrower, and also information on credit applications made by the borrower. In respect of credit applications, the information in this part will include the type of loan product sought and the amount involved. (However, it should be noted that information on credit reports simply records the fact that a credit application has been made and that it does not record whether or not a credit application was approved by a lender or not taken up by the borrower; furthermore, in respect of credit applications, the name of the lending institution to which a credit application was made will be displayed only on the credit report requested by the borrower). Pursuant to section 8 of the Act, information on credit applications is retained for a period of six months (and is available for inclusion in part two only if a credit report is requested during that period).

Part three provides detailed information on outstanding credit agreements.

Part four, which is called the ‘footprint’, is a record of all the dates that a credit report has been seen, by whom and the purpose of the enquiry, and such data is kept pursuant to section 17 of the Act. (On the credit report that is produced for lenders, this ‘footprint’ is visible only for two years but the name of the lender is not published. On the credit report that is produced for borrowers, the footprint is visible for five years, and the name of the lender is published).

In respect of the specific incidence raised by the Deputy, the Central Bank has advised that the lender in question had a valid reason for accessing each applicant’s credit report once. However, searches were duplicated in error due to a technical issue experienced by the lender. This error has since been corrected and the “credit application summary” in part 2 of the relevant credit reports now correctly contains one credit application.

However, as a separate issue and as indicated above, each time a borrower’s credit report is accessed, a digital footprint is created on the credit report. In this case, in the interests of transparency, the digital footprint remains as it properly reflects that more than one enquiry was made. The Central Bank advises that there is no information to suggest that any individual borrower has been disadvantaged as a result of this incident. A borrower who believes that they may have been disadvantaged should contact the lender in question to discuss the matter. As already stated, borrowers can also request their credit report free of charge at Borrowers have a right to request an amendment to any information that they believe is incomplete, inaccurate or not up to date.

It is important to note that the CCR does not determine if a credit application is approved or not. That decision is solely made by the lender, and aside from the content of the credit report, the decision will also include consideration of other matters such as borrower’s income and assets etc.

More generally, under the Act, lenders are required to ensure that personal data is accurate, complete and up to date. The Central Bank expects that lenders have robust systems and controls in place to ensure the integrity of the data that they submit to the CCR. In the event of an error in reporting, the Central Bank expects the lender to take immediate steps to correct the data and separately to identify the root cause and ensure that the appropriate solution is applied to avoid any recurrence of the error.

The Central Bank also expects lenders to be aware of their own obligations under data protection law, in particular whether a data breach should be reported to the Data Protection Commission. Lenders may under data protection provisions also be required to write to customers explaining what has happened and what action they have taken to correct the errors. This may also require a report being made to the Data Protection Commission by the lender. Private credit bureau operators, which do not fall within the statutory or regulatory remit of the Minister or Central Bank, are nevertheless also subject to these general data protection legislation and requirements.