Central Bank apologises for error which could impact borrowers' credit ratings

An investigation has been launched to establish whether any borrowers were impacted

Mon, 21 Aug, 2023 - 18:13

Ronan Smyth

The Central Bank of Ireland has apologised after an error in its systems resulted in borrower information being stored on its Central Credit Register (CCR) for longer than it should have potentially impacting over 20,000 people's credit rating.

The Central Bank said borrowers’ data has not been compromised or accessed by any unauthorised third parties as a consequence of this error but it does constitute a data breach and as a result, it has reported itself to the Data Protection Commissioner.

Borrower information is retained on the CCR for a maximum period of five years after which it is deleted automatically. However, due a technical error, borrower information from May, June, and July 2018, was not deleted and was subsequently included in credit reports.

The Central Bank said that the records of around 20,500 borrowers contained performance data pointing to repayment difficulties in May, June or July 2018 which could have impacted their ability to borrow money in recent months.

However, the bank said it is not in a position to determine the extent to which credit applications were adversely affected by this incident. It said one of the reasons for this is because a significant proportion of the 20,500 borrowers continued to have payment performance difficulties in the months following July 2018.

The bank said it became aware that historical payment performance data for the three months in question had not been deleted as scheduled following an enquiry by a member of the public on August 3 this year.

Due to these records being retained longer than they should have, they were included in credit reports issued to borrowers and lenders in the period June 1 to August 7.

There were approximately 476,000 total enquiries made by lenders or borrowers for information held on the CCR over the period between June 1 and August 7, 2023.

“While this information was accurate, the additional three months of information should not have been made available, and constitutes a data breach under data protection legislation,” the bank said.

“The Central Bank sincerely apologises for this error and can confirm that immediate action was taken to fix it. Remediation began on August 4 and the error was fully resolved on August 7.

“The CCR is now functioning normally and credit reports being provided since this date do not reflect any additional information. We have also commenced an investigation to establish a full account of the issue and intend to conduct a wider review of the CCR’s relevant processes and procedures.”

An investigation has been launched to establish whether any borrowers were impacted by this incident.

The Central Bank said the main way through which borrowers could have been impacted is if the information contained in these three months “may have adversely affected decisions by lenders to extend new credit or decisions by borrowers to seek new credit”.

The CCR is the register of all loans exceeding €500 in value and ensures lenders can access customer’s credit history through a central database while they are deciding whether to grant a loan.

Every month, lenders submit payment performance data on borrowers to the CCR, which includes information on whether payments on credit agreements, such as loans, overdrafts, credit cards and mortgages, were made or not.