The Central Bank of Ireland issued a public statement on 21 August 2023 in relation to an archiving error that affected the retention period of some information on borrowers’ credit reports held on the Central Credit Register (CCR). Today (13 October 2023) the Central Bank is providing an update on the matter.
As previously outlined, certain borrower information was retained on the CCR for up to an additional three months, and was available for inclusion in credit reports between 1 June and 7 August 2023. While the information was an accurate representation of what was previously reported by lenders, the additional three months of information should not have been held or made available in credit reports during this period. This constitutes a breach under data protection legislation.
The error was first brought to the Central Bank’s attention by a member of the public on 3 August. It was fully resolved by 7 August 2023, with the database reflecting the correct five-year retention period. Credit reports provided from 7 August 2023 do not reflect any additional information.
Once the error was rectified, the Central Bank focused on establishing any impact of this incident on borrowers. The main mechanism through which borrowers could be impacted is where the CCR contained information around loan performance over these additional three months, which may have adversely affected decisions by lenders to extend new credit or decisions by borrowers to seek new credit.
As the information held on the CCR is one of many factors that lenders use when making credit decisions, assessing the impact of this error has been a complex process. The CCR does not decide if a loan is approved or not, lenders make that decision. The CCR also does not calculate a credit score. Our assessment of the impact has required extensive engagement with 270 lenders to determine whether, and if so how, the additional credit information influenced their credit decisions.
To date, the Central Bank’s investigation has established that:
- The records of 20,872 borrowers who had performance data pointing to repayment difficulties in May, June or July 2018 (the three additional months that should have been deleted as planned) were accessed by either lenders or borrowers.
- These borrowers were associated with 31,013 enquiries by lenders (as borrowers may have made more than one credit application). Within that:
- For 30,963 credit enquiries, lenders have confirmed that their credit decisions were not impacted by the excess data. There are a range of reasons for not being impacted, including lenders’ own lending policy and the timeframe that it considers.
- For 9 credit enquiries, lenders have confirmed that the excess data was one of the factors which influenced their credit decisions. These enquiries related to personal loans and credit card products.
- For 41 credit enquiries, lenders have not yet been able to confirm if there was any impact. The Central Bank continues to engage with lenders in relation to this cohort.
- There were 820 borrowers who accessed their own report, which included information that pointed to repayment difficulties during the additional three months. The records of some of these borrowers were also accessed by lenders, as above.
A phased communication process is underway and the Central Bank has written to those identified as being at highest risk of being impacted by the error. All borrowers associated with applications where lenders have confirmed that the excess data influenced their credit decisions have been contacted. The Central Bank has engaged with the lenders to ensure that there is a contact point in place for impacted borrowers should they wish to discuss their previous application or re-apply for credit. The lenders have also confirmed the excess information previously received will not impact on any new applications.
In light of this incident and to strengthen controls in this area, the Central Bank is also initiating a broader external review of the data management and data protection controls in place with respect to the operation of the CCR.
The Central Bank has engaged with the Data Protection Commission (DPC) throughout this incident. We have received notification from the DPC of the commencement of an Inquiry into this breach. The Central Bank takes our data protection obligations seriously and will continue to engage fully with the DPC on these matters.
Vasileios Madouros, Deputy Governor for Monetary and Financial Stability, said: “The Central Bank of Ireland sincerely regrets, and apologises for, this error. While we have a range of controls in place in the operation of the CCR, it is clear they were insufficient to prevent this specific incident. This falls short of our own standards and we have implemented immediate measures to prevent this error from reoccurring. We are also commissioning a broader external review of data management and data protection controls in place when operating the CCR. The CCR is an essential service to enable better credit decisions by borrowers and lenders, and it is crucial that we hold ourselves to the highest standards in operating it. We will continue to engage fully with the Data Protection Commission.”
Further information on how the Central Credit Register processes data can be viewed at http://www.centralcreditregister.ie/. Our public contacts helpline can be reached on 0818 681 681. Borrowers can request a copy of their credit report through the CCR website.
Further information
Media Relations: media@centralbank.ie
Ewan Kelly: ewan.kelly@centralbank.ie / 086 158 7094