Order No. 4 [2021] of the People’s Bank of China
The Measuresfor the Administration of Credit Reporting Services, adopted on September 17, 2021 at the ninth executive meeting of the People’s Bank of China in 2021, is hereby issued and shall come into force as of January 1, 2022.
Yi Gang, Governor of the People’s Bank of China
September 27, 2021
Measures for the Administration of Credit Reporting Services
Chapter I General Provisions
Article 1 This Measures is formulated in accordance with the Law of the People Republic of China on the People Bank of China, the Personal Information Protection Law of the People Republic of China, the Regulation on the Administration of Credit Reporting Industry, and other applicable laws and regulations to regulate credit reporting services and related activities, protect the legitimate rights and interests of information subjects, promote the healthy development of the credit reporting industry, and strengthen the social credit system.
Article 2 This Measures applies to the credit reporting services and related activities conducted within the mainland of the People’s Republic of China in relation to corporations and unincorporated organizations (hereinafter referred to as “enterprises”) and individuals.
Article 3 For the purpose of this Measures, credit reporting services refer to the collection, organization, preservation, and processing of the credit information of enterprises and individuals and the provision of such credit information to information users.
For the purpose of this Measures, credit information refers to the basic information, lending information, and other relevant information lawfully collected to identify and assess the credit status of enterprises and individuals to facilitate financial and other activities, as well as the analyses and evaluations made based on the forgoing information.
Article 4 Businesses that engage in credit reporting services for individuals shall lawfully obtain the consumer credit reporting agency license from the People’s Bank of China (“PBC”); businesses that engage in credit reporting services for enterprises shall lawfully complete the filing process for commercial credit reporting agencies; businesses that engage in credit rating services shall lawfully complete the filing process for credit rating agencies.
Article 5 Financial institutions shall not enter a business relationship with any market entity for its credit services if the market entity is not legally qualified to provide credit reporting services.
For the purpose of this Measures, financial institution refers to any institution that engages in financial business under the regulation and supervision of the financial regulatory authority under the State Council.
Local financial organizations regulated and supervised by local financial regulatory authorities are subject to the provisions of this Measures on financial institutions.
Article 6 Any businesses that engage in credit reporting services and related activities shall protect the lawful rights and interests of the information subjects, ensure the safety and security of information, and prevent the leakage, loss, destruction, or misuse of credit information, and shall not undermine state secrets, invade personal privacy, or commit breach of confidential business information.
Credit reporting services and related activities shall be conducted on an independent, objective, and impartial basis and shall not violate relevant laws and regulations or offend public order or good morals.
Chapter II Collection of Credit Information
Article 7 Consumer credit information shall be collected in a lawful and proper manner, in accordance with the principles of data minimization, and strictly on an “as needed” basis.
Article 8 A credit reporting agency shall not collect credit information:
(1) through deception, coercion, or inducement;
(2) by charging a fee from the information subjects;
(3) through illegitimate channels; or
(4) through any other method that harms the legitimate rights and interests of the information subjects.
Article 9 Where a credit reporting agency obtains credit information from an information provider, the credit reporting agency shall establish relevant rules to conduct the necessary checks on such matters as the source, quality, and safety and security of such information and the authorization from the information subjects.
Article 10 Credit reporting agencies and information providers, in conducting business and collaborations, shall comply with laws and regulations including the Personal Information Protection Law of the People Republic of China and specify, through an agreement or other means, the principles governing information collection and their respective rights, obligations, and responsibilities in relation to such matters as the obtainment of customer consent; the collection, processing, and correction of information; dispute resolution; and information safety and security.
Article 11 Any credit reporting agency that engages in consumer credit reporting services shall develop an information collection plan and report to the PBC such matters as the data items to be collected, source of information, methods of collection, and rules governing the protection of information subjects as well as any changes to the foregoing.
Article 12 Any credit reporting agency that collects consumer credit information shall obtain consent from the information subjects and expressly inform them of the purpose of collection, except for information that is made publicly available according to laws and regulations.
Article 13 Where a credit reporting agency obtains personal consent through an information provider, the information provider shall fulfil the informing obligation to relevant information subjects.
Article 14 Each consumer credit reporting agency shall report to the PBC its partnering information providers that collect, organize, process, and analyze consumer credit information.
A consumer credit reporting agency shall standardize its collaboration agreements with information providers. An information provider shall accept the risk assessments conducted by consumer credit reporting agencies and the fact checks by the PBC with respect to its handling of consumer credit information.
Article 15 Enterprise credit information shall be collected for lawful purposes and not in a manner that constitutes a breach of confidential business information.
Chapter III Organization, Preservation, and Processing of Credit Information
Article 16 A credit reporting agency shall observe the principles of objectivity in organizing, preserving, and processing credit information and shall not tamper with the original information.
Article 17 A credit reporting agency shall take Measures to improve the accuracy of information in its credit reporting system and ensure the quality of information.
Article 18 Where a credit reporting agency identifies any error in credit information during information organization, preservation, or processing, it shall promptly notify the relevant information provider to make corrections if the error is transmitted from the information provider, or promptly correct the error and optimize its internal processing procedures for credit information if the error originates from its internal processing.
Article 19 A credit reporting agency shall cross-check the information obtained from different information providers and verify and resolve inconsistencies in a timely manner.
Article 20 Each credit reporting agency shall retain an individual’s negative entry for five years from the day when the negative behavior or event ceases to exist.
Upon the expiration of this retention period, the negative entry shall be removed by the credit reporting agency from its external services and applications, or, if it is to be used as sample data, be anonymized.
Chapter IV Provision and Use of Credit Information
Article 21 In providing credit reporting products and services to external parties, a credit reporting agency shall observe the principle of fairness by not establishing any unreasonable commercial terms and conditions that restrict the use of information by different information users or by taking advantage of its position to provide discriminatory or exclusive products and services.
Article 22 Credit reporting agencies shall take appropriate Measures to check the identity, business qualifications, purpose of use of information, and other pertinent aspects of information users.
Credit reporting agencies shall assess the security and compliance management Measures of the networks and systems used by information users to access the credit reporting system, and shall monitor their queries. A credit reporting agency shall promptly verify any security risk or abnormal behavior and, upon discovering any illegal activity or misconduct, terminate its service.
Article 23 Each information user shall take the necessary Measures to ensure that it has obtained the consent of the relevant information subjects when querying consumer credit information and that it is using such information for the purposes agreed upon.
Article 24 An information user shall use the credit information provided by a credit reporting agency for lawful and legitimate purposes and shall not misuse it.
Article 25 Each individual information subject is entitled to his own credit report twice a year without charge. Credit reporting agencies may provide such credit report services over the internet, at places of business, or by other means.
Article 26 An information subject believing that there is any error or omission in its credit information may file a dispute with the relevant credit reporting agency or information provider. An information subject believing that its legitimate rights and interests are violated may file a complaint with the relevant branch of the PBC. Such disputes and complaints shall be handled in accordance the Regulation on the Administration of Credit Investigation Industry and other relevant provisions.
Article 27 No credit reporting agency may charge information subjects a fee for removing or not collecting negative entries.
Article 28 A credit reporting agency that provides credit reports and other credit information products and services shall present the requested credit information in an objective manner and provide explanations on the contents and specialized terms therein.
An information subject has the right to require a credit reporting agency to include a note of dispute or a consumer statement in its credit report.
Article 29 Any credit reporting agency that provides credit assessment products and services, such as credit profiling, scoring, or rating, shall establish the assessment criteria, which may not contain any element that is irrelevant to the credit status of the information subjects.
Before officially providing credit assessment products or services to external parties, a credit reporting agency shall perform the necessary internal tests and assessment and verification procedures to ensure its evaluation rules can be explained and the information is traceable.
Credit reporting agencies that provide credit rating products and services for economic entities or debt financing instruments shall conduct such businesses in accordance with the Interim Measures for the Administration of Credit Rating Industry (Order No. 5 [2019] of the People’s Bank of China, the National Development and Reform Commission, the Ministry of Finance, and the China Securities Regulatory Commission) and other relevant provisions.
Article 30 A credit reporting agency that offers anti-credit fraud products and services shall establish the criteria for determining fraudulent credit information.
Article 31 A credit reporting agency that offers credit information query, credit evaluation, and anti-credit fraud products and services shall submit the following to the PBC or one of its branches at or above the level of central sub-branch of the capital city of a province or autonomous region:
(1) the template and contents of its credit report;
(2) the assessment methodology, models, and major analytical dimensions and elements of its credit assessment products and services; and
(3) for anti-fraud products and services, the sources of data and determination criteria for fraudulent credit information.
Article 32 No credit reporting agency may:
(1) make promises on the results of credit assessment;
(2) advertise products and services using implicit languages in regard to the credit assessment results;
(3) market its products or services in the name of government agencies or trade associations without their consent;
(4) provide credit reporting products or services to information subjects or information users through coercion, deception, or inducement;
(5) engage in false advertising for its credit reporting products or services; or
(6) offer any other credit reporting products or services that would undermine the objectivity and impartiality of credit reporting services.
Chapter V Safety and Security of Credit Information
Article 33 Credit reporting agencies shall implement the cybersecurity multi-level protection scheme; establish security protocols for relevant business activities, equipment, and facilities; and take effective safeguards to ensure the safety and security of the credit reporting system.
Article 34 Each consumer credit reporting company and each commercial credit reporting company that preserves or processes the credit information of 1,000,000 or more enterprises shall meet the following requirements:
(1) the core business information system has attained Level 3 in the cybersecurity multi-level protection scheme or above;
(2) the positions of head of information security and head of personal information protection have been established and are assumed by the officers designated in the corporate articles of association; and
(3) a specialized department is set up which is responsible for information security and protection of personal information and for periodically reviewing the enforcement of rules and regulations on credit reporting services, system safety and security, and protection of personal information.
Article 35 A credit reporting agency shall ensure the safety and security of the operational facilities and equipment, security control facilities and equipment, and internet application programs of its credit reporting system; properly manage the system’s day-to-day operation and maintenance; and ensure the safety and security of the physical system, communication networks, zone boundaries, computing environment, and administration center, to protect the credit reporting system from unauthorized access and sabotage.
Article 36 A credit reporting agency shall properly manage the personnel-related safety and security issues in relation to recruitment, termination, evaluation, safety and security education, training, and visitor management.
Article 37 A credit reporting agency shall strictly limit the authority and scope of its staff members who can query and access credit information through internal systems.
A credit reporting agency shall retain the activity log of its staff members ’ query and access of credit information, which should clearly record the time, method, contents, and purpose of such queries and access.
Article 38 A credit reporting agency shall have in place an emergency response framework such that, at the occurrence or likely occurrence of a leak of credit information or a similar event, it can take immediate and necessary actions to mitigate the damage and promptly report the situation to the PBC and one of its branches at or above the level of central sub-branch of the capital city of a province or autonomous region.
Article 39 With respect to the credit reporting services and related activities provided or conducted within the mainland of the People’s Republic of China by a credit reporting agency, the enterprise and consumer credit information so collected shall be stored within the mainland of the People’s Republic of China.
Article 40 A credit reporting agency shall comply with applicable laws and regulations when providing consumer credit information to overseas parties.
Any credit reporting agency that offers enterprise-credit-information query products and services to overseas information users shall conduct the necessary checks on the identity of the information users and their purposes of use, so as to ensure that such information is used for cross-border trades, investment and financing, or other reasonable purposes and will not harm national security.
Article 41 Any credit reporting agency that collaborates with an overseas credit reporting agency shall file the collaboration agreement with the PBC after executing it and before commencing the collaboration program.
Chapter VI Supervision
Article 42 A credit reporting agency shall disclose the following information to the public and accept public supervision:
(1) the types of credit information collected;
(2) the basic format and contents of the credit report;
(3) the dispute handling process; and
(4) other items whose disclosure is deemed necessary by the PBC.
Article 43 A consumer credit reporting company shall conduct annual audits of the compliance of its consumer credit reporting services with the Personal Information Protection Law of the People Republic of China and the Regulation on the Administration of Credit Investigation Industry, and submit the compliance audit reports to the PBC in a timely manner.
Article 44 The PBC and its branches at or above the level of central sub-branch of the capital city of a province or autonomous region shall supervise and inspect the following aspects of a credit reporting agency:
(1) its internal controls for credit reporting services, including the completeness, compliance, and viability of various rules and procedures;
(2) the state of compliance of its credit reporting services, covering the compliance of its collection of credit information, provision and use of credit information, handling of disputes and complaints, user management, and other relevant matters;
(3) the safety and security of its credit reporting system, covering IT rules, security management, and system development; and
(4) other aspects related to its credit reporting activities.
Article 45 The PBC and its branches at or above the level of central sub-branch of the capital city of a province or autonomous region shall inspect and penalize any information provider or information user that violates the provisions of the Regulation on the Administration of Credit Investigation Industry by harming the legitimate rights and interests of information subjects.
Chapter VII Legal Liabilities
Article 46 Any businesses that violate Article 4 of this Measures by engaging in consumer credit reporting services without approval will be penalized by the PBC in accordance with Article 36 of the Regulation on the Administration of Credit Investigation Industry. Any businesses that engage in enterprise credit reporting services without approval will be penalized by the relevant PBC branches at or above the level of central sub-branch of the capital city of a province or autonomous region in accordance with Article 37 of the Regulation on the Administration of Credit Investigation Industry.
Where a financial institution violates Article 5 of this Measures by entering a business relationship with a market entity for credit reporting services even though the market entity is not legally qualified to provide such services, the PBC shall order the financial institution to make corrections and impose a fine of not more than RMB30,000 on the financial institution and a fine of not more than RMB1,000 on the person-in-charge with direct responsibilities.
Article 47 A credit reporting agency that violates Article 8, Article 16, Article 20, Article 27, or Article 32 of this Measures will be penalized by the PBC or the relevant branches at or above the level of central sub-branch of the capital city of a province or autonomous region in accordance with Article 38 of the Regulation on the Administration of Credit Investigation Industry.
Article 48 A credit reporting agency that violates Article 14, Article 21, Article 31, Article 34, Article 39, or Article 42 of this Measures will be ordered to make corrections by the PBC or the relevant PBC branches at or above the level of central sub-branch of the capital city of a province or autonomous region, have its illegal gains confiscated, and be imposed a fine of not more than RMB30,000 on the credit reporting agency itself and a fine of not more than RMB1,000 on the person-in-charge with direct responsibilities. Where laws and administrative regulations provide otherwise, those provisions shall prevail.
Chapter VIII Ancillary Provisions
Article 49 This Measures applies mutatis mutandis to the submission and query of credit information at the Financial Credit Information Basic Database by institutions connected to the database and engaged in credit reporting services or lending activities.
Article 50 This Measures applies to institutions that substantively provide credit reporting services to external parties in the name of “credit information service,” “credit service,” “credit scoring,” “credit rating,” or “credit repair.”
Article 51 Institutions that substantively engage in credit reporting services but have not obtained license for consumer credit reporting services or completed filing for commercial credit reporting companies before the effectiveness of this Measures, shall achieve compliance within 18 months from the effectiveness of this Measures.
Article 52 The PBC reserves the right to interpret this Measures.
Article 53 This Measures takes effect on January 1, 2022.