RBI Credit Information Companies (CIC) Directions, 2025

Dec 2, 2025 Banking

The Reserve Bank of India (RBI) has issued the Credit Information Companies Directions, 2025, creating a unified, modern framework for how credit information is collected, processed, shared, corrected, and governed across India’s financial system. These Directions came into effect immediately on November 28, 2025 and replace all earlier guidelines and circulars on CICs. This post explains the key points, practical impacts, and compliance actions.

Source: Reserve Bank of India (Credit Information Companies) Directions, 2025 dated 28/11/2025

1. Who the Directions Apply To

These Directions apply to all four Credit Information Companies (CICs) registered with the RBI:

  • CRIF High Mark
  • Equifax
  • Experian
  • TransUnion CIBIL

Their registration dates are noted in paragraph 4 of the Directions.

The Directions also apply to Credit Institutions (CIs) such as:

  • Banks (Commercial, Small Finance, RRBs, Urban/State/Central Cooperative Banks)
  • All-India Financial Institutions (EXIM Bank, NABARD, SIDBI, NHB, NaBFID)
  • NBFCs and Housing Finance Companies
  • Asset Reconstruction Companies

These institutions are responsible for reporting borrower-level data to CICs.

Further, the Directions impact Specified Users (SUs), entities allowed to access credit data under CICRA. CICs must also monitor SU eligibility and track ownership changes.

2. Governance Requirements for CIC Boards

RBI places strong emphasis on CIC-level governance. Boards must approve policies on:

  • Offering Free Full Credit Reports (FFCRs) to individuals
  • Reviewing the Search & Match algorithm used to assemble credit information (at least every six months)
  • Sharing SHG-related information in aggregated form
  • Customer grievance redressal, as described in paragraph 45

Boards must also conduct quarterly reviews, including:

  • Information Security (IS) audit reports for entities receiving consent-based data
  • Root Cause Analyses (RCAs) from complaints and updates to search/match logic
  • All complaints received and resolved

These requirements ensure CICs remain transparent and accountable.

3. Updated Investment and Ownership Framework

The Directions introduce a detailed investment structure:

  • General rule: No individual or entity may hold more than 10% equity in a CIC, directly or indirectly.
  • Exceptions:
    RBI may allow higher foreign investment only for entities with a proven track record of running credit bureaus in well-regulated environments.

    • Up to 49% if ownership is not well-diversified
    • Up to 100% if ownership is diversified or if specific board composition and residency criteria are met

Additionally, when the investor is part of an operating group providing technical know-how, that operating entity must satisfy all investment conditions.

FPIs and FIIs must stay below 10%, report acquisitions above 1%, and cannot seek board representation.

4. Data Reporting Requirements and the Data Quality Index (DQI)

CIs must update credit information fortnightly, i.e., as of the 15th and last day of each month. CICs must submit lists of non-compliant CIs to the RBI’s Department of Supervision every six months.

A major addition is the Data Quality Index (DQI):

  • CICs must compute DQI every month for Consumer, Commercial, and Microfinance segments.
  • DQI must be provided at both institution level and file level.
  • CICs must compute industry benchmarks based on six-month rolling averages.
  • If a CI’s DQI declines or falls below the benchmark, the CIC must explain the reason.
  • CICs must submit DQI data to RBI on a half-yearly basis.

This DQI system ensures consistent improvement in credit reporting quality.

5. Uniform Credit Reporting Format (UCRF): Forms 1, 2, and 3

The Directions mandate the use of non-proprietary, standardized formats for all credit data submissions. These are:

  • Form 1 (Consumer)
  • Form 2 (Commercial)
  • Form 3 (Microfinance)

These forms appear in Annex I and include detailed identity fields, account-level fields, collateral structures, repayment data, income data, and loan statuses. New catalogue values, such as additional account types, newer ID types, and collateral categories, have been added. (See page 39 of the PDF for Form 1 fields.)

Two additional reporting requirements apply:

Commercial Papers (CPs): Issuing and Payment Agents must report CP issuance details and defaults fortnightly, as described in Annex II. When multiple IPAs exist, each reports the portion under its responsibility.

Unhedged Foreign Currency Exposure (UFCE): The lending CI (or consortium leader/largest lender) must report borrower UFCE data fortnightly.

6. SHG (Self-Help Group) Member-Level Reporting: Threshold Clarification

SHG reporting requirements include two clear thresholds:

  1. Credit data reporting: SHG member-level credit information must be reported when the group loan exceeds ₹1,00,000.
  2. Detailed member information: If the loan amount attributed to a specific member exceeds ₹30,000, further detailed data must be collected (Annex IV Tables 1–3).

All SHG members must provide non-credit information whenever the SHG applies for a loan. CICs may share only aggregate SHG data for research, ensuring privacy.

7. Credit Information Reports (CIR) and the Free Full Credit Report (FFCR)

CICs must provide a single, unified CIR for each borrower, even if multiple addresses exist. The matching prioritizes unique identifiers such as PAN, Voter ID, Passport, or Driving License. Each CIR must show:

  • Borrower, co-borrower, and guarantor details
  • Open accounts first, followed by closed accounts
  • NPA classifications, wilful default status, and suit-filed information
  • Disputed information with borrower comments
  • Loan rejections must not be reported

CICs may also offer a Comprehensive CIR (CCIR) combining Consumer, Commercial, and MFI modules.

Every individual must receive one Free Full Credit Report (FFCR) per calendar year, including credit score calibrated from 300 to 900. Links to access FFCR must be prominently displayed on CIC websites.

8. Disclosure of Large Defaulters and Wilful Defaulters

The Directions require CICs to increase transparency by:

  • Providing non-suit filed large defaulters lists to all credit institutions
  • Displaying suit-filed large defaulters publicly on CIC websites
  • Displaying all wilful defaulters (suit-filed and non-suit filed) publicly

This helps institutions identify high-risk borrowers more effectively.

9. Sharing Credit Information With Third Parties (Non-SUs)

CICs may share data with non-SU entities only with explicit consent from the individual and only after rigorous due diligence. The due diligence covers management character, governance, data security, litigation, financial soundness, and business continuity.

Strict protections apply:

  • Data must be used only for the consented purpose.
  • The entity must not resell, share, or repurpose the data.
  • Access must be on a strict need-to-know basis.
  • Storage must be only in India.
  • Credit data must be deleted within six months, unless renewed consent is obtained.
  • CISA-certified IS audit is mandatory annually.
  • CICs must terminate agreements if violations occur.

These safeguards ensure borrower privacy and prevent misuse.

10. Customer Service, Grievance Redress, and Compensation

Consumer protection sees major strengthening:

Alerts and Data Processing

CICs must send SMS/email alerts whenever a customer’s CIR is accessed. They must ingest CI-submitted data within five calendar days and communicate data rejections within seven days.

30-Day Resolution Timeline

Under CICRA Section 21(3) and Rule 20(3)(c), complaints must be resolved within 30 days.

  • CIs have up to 21 days to correct and furnish updated data.
  • CICs have the remaining days (up to 9) to complete the correction.
    (This is a maximum split, not a fixed allocation.)

₹100-per-day Compensation

If the complaint is not resolved within 30 days, the complainant must be paid ₹100 per day until resolution. Liability is divided proportionately among CIs and CICs according to who caused the delay.

The Notification provides detailed illustrations (pages from 27–32) showing how delays are apportioned.

Post-Correction Rights

Consumers must receive a free corrected credit report when a correction affects any CIR issued in the previous six months. Complaints must include clear reasons for rejection, and status-tracking transparency is mandatory. Escalation may be made to the RBI Ombudsman.

11. Best Practices for CICs

The Directions provide a set of best-practice recommendations, including:

  • Structured, well-defined grievance redressal processes
  • Appointment of a nodal officer for complaints
  • Training programs for CIs on accurate data reporting
  • Alerts when multiple CIC enquiries occur on a borrower within one month
  • Tracking behavioural patterns and offering value-added services
  • ISO 27001 certification for information security
  • Creating a Board-level Consumer Protection Committee

These best practices complement (but do not replace) mandatory requirements.

12. Final Thoughts

The RBI Credit Information Companies Directions, 2025 bring much-needed modernization and standardization to India’s credit ecosystem. By tightening reporting formats, improving data accuracy through DQIs, strengthening customer rights, defining SHG reporting, regulating third-party access, and enhancing governance, the Directions help build a more transparent and resilient credit infrastructure.

Tags:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.