RBI tells Supreme Court that credit rating firms can access your banking data without consent
The Reserve Bank of India (RBI) has defended the practice of credit rating companies collecting financial data of banking users to prepare credit scores, stating that it is essential for assessing creditworthiness and is permitted under the Credit Information Companies (Regulation) Act, 2005. The RBI made this submission before the Supreme Court in response to a petition challenging the collection of financial data without borrowers’ consent.
What is the Case About?
The petition was filed by Surya Prakash, a Bengaluru-based entrepreneur, who accused Credit Information Companies (CICs) of illegally collecting financial data through “forced consent” and selling it to their members. Prakash alleged that this practice violates the right to privacy and accused the Centre and RBI of having an “unholy alliance” with CICs to undermine citizens’ rights.
The Supreme Court, hearing the plea, issued a notice on May 6, 2024, and appointed Senior Advocate K. Parameswar as amicus curiae (an impartial advisor to the court). The case is set to be heard next on February 17 by a bench led by Justice Surya Kant.
RBI’s Stand on Data Collection
In its affidavit filed on December 23, 2024, the RBI dismissed the petitioner’s claims as “baseless, unfounded, and speculative.” It clarified that the Credit Information Companies (Regulation) Act, 2005, was enacted to mitigate risks in the banking sector and reduce non-performing assets (NPAs). The law allows CICs to collect, process, and share credit information of borrowers to help banks and financial institutions make informed lending decisions.
The RBI emphasized that the Act explicitly empowers CICs to collect and maintain credit information, making borrower consent unnecessary. It also highlighted that the RBI has registered four CICs—TransUnion CIBIL Ltd, Experian Credit Information Company of India Private Ltd, Equifax Credit Information Services Pvt Ltd, and CRIF High Mark Credit Information Services Pvt Ltd—to operate under strict regulatory guidelines.
Data Security and Privacy Concerns
Addressing concerns about data misuse, the RBI assured that the Act mandates CICs to implement robust security measures to protect credit information from unauthorized access, loss, or disclosure. Violations of these guidelines can attract fines of up to ₹1 crore.
The petitioner also raised concerns about CICs retaining data beyond the seven-year minimum period prescribed by the Act, arguing that this violates privacy rights. The RBI countered that while the Act mandates a minimum retention period of seven years, it does not specify an upper limit, allowing CICs to retain data for longer periods if necessary.
Allegations of Financial Discrimination
The petitioner alleged that CICs, by generating credit scores and credit histories, unfairly label citizens as “creditworthy” or “not creditworthy,” leading to financial discrimination. The RBI dismissed these allegations as “frivolous” and based on a misunderstanding of the Act. It clarified that the RBI does not set any minimum credit score requirements for loan approvals and that CICs merely provide data to assist lenders in decision-making.
Government’s Response
In a separate affidavit, the Indian Cyber Crime Coordination Centre (I4C), under the Ministry of Home Affairs (MHA), stated that it had sought information from state and union territory cybercrime units regarding any cases filed against CICs and fintech companies for data theft. However, no responses have been received so far.
Conclusion
The RBI’s defense underscores the importance of credit information systems in maintaining the stability of the banking sector. While the petitioner’s concerns about privacy and data misuse are being examined, the RBI has reaffirmed its commitment to ensuring that CICs operate within the legal framework and safeguard borrowers’ data.
The Supreme Court’s upcoming hearing on February 17 will likely provide further clarity on the balance between financial transparency and individual privacy rights.
