Credit score is a measure of credit worthiness on the basis of which various players in the lending ecosystem extend credit to potential borrowers. The Credit Information Companies (Regulation) Act, 2005 ("CICR Act") and the related rules and regulations together form the regulatory framework governing the manner in which the credit information of borrowers is accessed by the various players of the lending ecosystem thereby facilitating the efficient distribution of credit.

Credit Information Companies ("CICs") are companies formed under the Companies Act which are governed and regulated by the RBI and granted a certificate of registration under the CICR Act to undertake the business of a CIC. The business of a CIC, is as follows:

  1. to collect, process and collate information on trade, credit and financial standing of the borrowers of the credit institution which is a member of the credit information company;
  2. to provide credit information to its specified users or to the specified users of any other credit information company or to any other credit information company being its member;
  3. to provide credit scoring to its specified users or specified users of any other credit information company or to other credit information company being its member;
  4. to undertake research projects; and
  5. to undertake any other form of business which the RBI may specify by

Section 2(d) of the CICR Act defines 'Credit Information' as any information relating to-

  1. the amounts and the nature of loans or advances, amounts outstanding under credit cards and other credit facilities granted or to be granted, by a credit institution to any borrower;
  2. the nature of security taken or proposed to be taken by a credit institution from any borrower for credit facilities granted or proposed to be granted to him;
  3. the guarantee furnished or any other non-fund based facility granted or proposed to be granted by a credit institution for any of its borrowers;
  4. the credit worthiness of any borrower of a credit institution;
  5. any other matter which the Reserve Bank may, consider necessary for inclusion in the credit information to be collected and maintained by credit information companies, and, specify, by notification, in this behalf;

According to the CICR Act, only the members of the CICs can have access to the credit scores and credit information of individuals and only 'Specified Users' are permitted to become members of a CIC. Specified Users, as per Section 2(l), are the entities as notified from time to time by the RBI which are permitted to obtain credit information from CICs.

The entities recognised as 'Specified Users' provided under Section 2(l) of the CICR Act read with Regulation 3 of the Credit Information Companies Regulation, 2006 prior to the 2021 amendment were as follows:

  1. Credit Institutions as defined under the CICR Act;
  2. CICs becoming members as per Section 15 of the CICR Act;
  3. an insurance company as defined in the Insurance Act, 1938 and registered with the IRDAI;
  4. a company providing cellular or phone services and registered with TRAI;
  5. a credit rating agency registered with SEBI;
  6. a stock broker as defined in the SEBI (Stock Brokers and Sub-Brokers) Regulations, 1992 and registered under Section 12 of the SEBI Act, 1992;
  7. a trading member registered with a recognized commodity exchange;
  8. the SEBI;
  9. the IRDAI;
  10. an information utility as defined in the IBC, 2016;
  11. a resolution professional appointed under the IBC, 2016, in so far as the credit information of the corporate debtor, in respect of which he has been so


Banks and NBFCs, which fall under the definition of 'Credit Institutions', are one such example of Specified Users permitted to become members of CICs. However, in the past, it had become a prevalent practice for Banks and NBFCs to share the credit information sourced by them from the CICs with third parties.

The RBI sent an admonishing letter, dated 16th September 2019, to several banks and NBFCs to discourage this practice. The letter pointed out that such information sharing was not permitted under the extant regulatory framework governing credit information and the RBI required banks and NBFCs to employ measures to ensure compliance within 15 days of the letter.


However, the RBI in November 2021 introduced an amendment to the Credit Information Companies Regulation, 2006 through a gazette notification. The amendment modified Regulation 3 to add the following to the list of Specified Users:

"an entity engaged in the processing of information, for the support or benefit of credit institutions, and satisfying the criteria laid down by the Reserve Bank from time to time."

The amendment therefore allows for third parties which satisfy the criteria laid down by the RBI to legitimately source credit information directly from CICs.

Vide a press release dated 5th January 2021, the RBI has laid down the following criteria, satisfying which an entity may apply to a CIC to become a member as a 'Specified User':

  • The entity shall be a company incorporated in India or a Statutory Corporation established in
  • The governing statute of the Statutory Corporation or Memorandum of Association of the Company, as the case may be, should allow the business/activity of processing of information for the support or benefit of credit
  • In the case of a company, it should have a net worth of not less than INR 2 crores as per the latest audited balance sheet and shall meet the requirement on a continuing
  • In the case of a company, it shall be owned and controlled by resident Indian citizens/Indian company owned and controlled by resident Indian
  • The ownership of the company shall be well
  • In the case of a company, it shall have not less than three (3) years of experience in running the business/activity of processing information for the support or benefit of credit institutions and shall have a clean track
  • The company, nor its promoter(s), or any director(s) of the company should not have at any time in the past been convicted of any offence involving moral turpitude or any economic
  • The entity should have a certification from CISA certified auditor that it has a robust and secure Information Technology (IT) system in place for preserving and protecting the data relating to the credit information as per the provision of the Credit Information Companies (Regulation) Act, 2005 and Rules and Regulations framed thereunder and any other applicable Regulations, Guidelines in this regard.


The amendment, by democratising access to credit information, will significantly benefit various players across the fintech sector and more particularly in the digital lending process. It shall enable access to formal credit data even by unregulated entities in a regulated manner, thereby enforcing the implementation of data protection and security protocols.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.