[TO BE PUBLISHED IN THE GAZETTE OF INDIA,

14 · th December , 2006 23 Agrahayana; 1928

2 · Definitions_ (1) In these rules, unless the context otherwise requires, (a) "access" with its grammatical variations and cognate variations means gaining entry into, instructing or communicating with logical, arithmetical or memory function resources of a computer, computer system or computer network including approach or communication or making use of data information or credit information through any means, physical or otherwise. (b) Act" means the Credit Information Companies (Regulation) Act; 2005 (30 of 2005); (c) "agent" means a person duly authorised by a company or a credit information company, as the case may be, to present an appeal or a written reply on its behalf;, before the appellate authority;

3 · Appellate authority:- The Central Government; or such other Authority or Tribunal as may be designated subsequently by the Central Government as per sub-section (1) of section 7 of the Act shall be the Appellate Authority for the purpose of sub-section (1) of section 7 of the Act.

4 · Form and procedure of appeal - (1) An appeal as per the provisions of sub-section (1) of section 7 of the Act; shall be presented in Form 1 in duplicate by an aggrieved credit information company, or its agent or by a duly authorised legal practitioner; before the appellate authority or shall be sent by registered post addressed to such authority with acknowledgement duly addressed to the appellate authority or any other officer authorised in writing by the appellate authority to receive the same:

6 · Language of appellate authority: The proceedings of the appellate authority shall be conducted in English or Hindi and the appeal, application, or any other document submitted before the appellate authority, shall be in such language and in case any of such documents is in a different language, the translation thereof in English or Hindi shall be required to be produced:

7 · . Appeal to be in writing: (1) Every appeal, application, reply, representation or any other document filed before the appellate authority shall be typewritten, cyclostyled or printed neatly and legibly on one side of the good quality paper in double space and separate sheets consecutively numbered shall be stitched together and filed in the manner as provided in sub-rule (2). (2) The appeal under sub-rule (1) shall be presented in duplicate duly signed by the agent of the aggrieved company or the credit information company, as the case may be:

9 · Documents to accompany memorandum of appeal: (1) Every memorandum of appeal shall be accompanied with copies of the order against which the appeal is filed and the documents relied upon by the appellant: (2) Where the appellant is represented by an agent; or any of its officers before the appellate authority, the document authorising him to act in such capacity shall also be appended to the memorandum of appeal:

10 · Presentation and scrutiny of memorandum of appeal. (1) If, on scrutiny of the appeal received, it is found to be in order, the same shall be duly registered by the secretariat of the appellate authority and given a serial number. (2) If on scrutiny, an appeal is found to be defective and the defect is such that it could be allowed to be rectified, the appellate authority may grant time not exceeding thirty days for such rectification and direct its secretariat to communicate to the appellant the defect and the time granted for its rectification. (3) If the appellant fails to rectify the defect within the time as allowed for the purpose as per sub-rule (2), the secretariat shall submit the report of such failure of the appellant for consideration of the appellate authority, who may by an order and for reasons to be recorded in writing, decline to register the appeal and direct the secretariat to communicate such order to the appellant within seven days from the date of the order. (4) If the appellant submits any representation within a period of fifteen days from the date of receipt of communication as per sub-rule (3), with sufficient explanation in respect of its failure to rectify the defect within the time granted for the purpose as per sub-rule (2), the secretariat shall submit such representation for consideration of the appellate authority. (5) The appellate authority may, subject to its satisfaction about the sufficiency of the explanation furnished as per sub-rule (4), by an

11 · Notice of appeal to the respondent: copy of the memorandum of appeal along with the copy of the documents submitted therewith, shall be served by the secretariat of the appellate authority on the respondent as soon as the appeal is registered as per sub-rule (1) of rule 10, by hand delivery, or by registered post or speed post:

12 · Filing of reply to the appeal and other documents: (1) The respondent may file reply in duplicate to the appeal along with documents, in the secretariat of the appellate authority, within one month of the service of the notice on him of the filing of the memorandum of appeal: (2) The respondent shall also endorse one copy of the reply to the appeal along with documents filed as per sub-rule (1) to the appellant: (3) The appellate authority may, in its discretion on an application by the respondent; allow the filing of the reply after the expiry of period referred to in sub-rule (1).

13 · Date of hearing to be communicated: (1) The appellate authority shall fix the date and place of hearing of the appeal and direct its secretariat to communicate the same to the appellant and the respondent in the manner as the appellate authority may by general or special order direct. (2) The appellate authority may subject to its satisfaction adjourn the hearing of the appeal, if so requested by any of the parties to the appeal:

14 · Hearing of appeal- (1) On the date fixed for hearing or the next date in case of adjournment; the appellant and the respondent shall be given due opportunity for putting forth their submissions in support of their plea. (2) The appellate authority may allow the parties to submit their written arguments in addition to their oral arguments. (3) In case of non-appearance of the appellant on the date fixed for hearing or the next date in case of adjournment; the appellate authority may, in its discretion adjourn the hearing or may dispose of the appeal on merits.

15 · Order to be signed and dated - (1) Every order of the appellate authority shall be in writing and shall be signed and dated by the appellate authority passing the order. (2) During the pendency of the appeal, the appellate authority shall have powers to pass such interim order as it may deem fit including one of an injunction, subject to reasons to be recorded in writing, which it considers necessary in the interest of justice.

16 · Communication of order - Every order passed on an appeal shall be communicated to the appellant and to the respondent concerned either in person or by registered post within a period of seven days from the date of the order.

17 · . Orders and directions in certain cases_ The appellate authority may make such orders or give such directions, as may be necessary or expedient to give effect to its orders or to prevent abuse of its process:

18 · Steps for security and safeguards to be taken by credit institution: Every credit institution, in existence in India on the commencement of these rules, before the expiry of three months from such commencement; and every other credit institution before the expiry of three months of commencing their business in India, shall formulate appropriate policy and procedure, duly approved by its

19 · Collection of data and maintaining credit information. (1) A credit institution shall (a) collect all such relevant data in respect of its borrower or client; as it may deem necessary and appropriate for maintaining an accurate and complete data, information and credit information in respect of such borrower or client; and (b) use such data, information and credit information subject to the provisions of the Act: (2) Without prejudice to the generality of the policy and procedure to be adopted as per rule 18 and sub-rule (1) with respect to collection and maintaining of data_ information and credit information in relation to its borrower and client, a credit institution shall also collect all relevant and authentic available data and information as per Form-II for preparing_ maintaining credit information in relation to them and for establishing their identity:

20 · Accuracy of data provided by a credit institution - (1) Every credit institution before furnishing data or an information or credit information to a credit information company or making disclosure thereof to anyone else in accordance with the provisions of the Act shall ensure that the credit information is accurate and complete with reference to the date on which such information is furnished or disclosed and adopt appropriate procedure in this behalf with the approval of their Board.

21 · Disclosure of disputed data by a credit institution - If, in the opinion of a credit institution, correction of any inaccuracy, error or discrepancy as referred to in rule 20, is likely to take further time on account of any dispute raised by a borrower in respect thereof; with the credit institution or before a court of law; or any forum; or tribunal

22 · Updating of the credit information by credit Institution: Without prejudice to the provisions of rule 21, if there is any change in the data, information or credit information, already furnished to a credit information company due to change in the liability of the borrower or his guarantor; on account of write off in full or in part of the amount of outstanding dues of the credit institution or the repayment thereof by the borrower or his guarantor; or release of the guarantor, or any scheme of arrangement entered into between the credit institution and the borrower, or the final settlement of the amount payable by the borrower pursuant to any scheme of arrangement with the credit institution, as the case may be, or on account of any such other reason, the credit institution shall, (a) continue to update such data, information or credit information promptly or in any event; by the end of each reporting period not exceeding thirty days until the

23 · Data security and system integrity safeguards. Every credit institution shall adopt such procedure and measures in relation to their daily operations as may be necessary to safeguard and protect the data, information and the credit information maintained by them; against any unauthorised access to or misuse of the same including the following safeguards, namely: (a) adopting the minimum standards for physical and operational security including site design, fire protection, environmental protection; b) keeping the round the clock physical security; issuance of instructions for removing, labeling and securing the removable electronic storage media at the end of the session or working day; (d) providing physical access to the critical systems to be on dual control basis; (e) making comprehensive succession plan for the key personnel so as to ensure that non-availability of a person does not disrupt the system; keeping of paper based records, documentation and backup data containing all confidential information in secured and locked containers or filing system, separately from all other records; (g) adopting adequate procedure to ensure that the records could be accessed only by authorized persons on need to know basis; (h) providing details of creation of firewalls and stress testing of systems through ethical hacking to evaluate and ensure its robustness; protecting systems against obsolescence; adopting procedure for change of software and hardware 8 providing for disaster recovery and management plan; and taking necessary steps while handing over systems for maintenance to prevent unauthorized access or loss of data, information and credit information maintained by them:

24 · Formulation and adoption of the procedure by credit information companies. (1) Every credit information company, in existence on the commencement of these rules within three months of the commencement of these rules; and every credit information company to whom a certificate of registration has been granted, after the commencement of these rules within three months of such grant; shall take such requisite steps, as it may deem necessary, in relation to their operations and accordingly formulate policy and procedure duly approved by their Board of Directors and adopt the same with respect to the following operations, namely:: (a) collection, processing and collating of data, information and credit information relating to their borrower, or client; obtained and received by them from a member credit institution or credit information company, as the case may be; 'b) steps to be taken for ensuring security and protection of such data, information and the credit information maintained by them; (c) appropriate and necessary steps for maintaining an accurate, complete and updated data, information and credit information; in respect of their borrower, or client; and to ensure the accuracy and completeness thereof while furnishing the same to a specified user or making disclosure thereof to anyone else, in accordance with the provisions of the Act; and (d) transmitting data, information and credit information through secured medium: (2) Without prejudice to the generality of the policy as formulated and procedure as adopted under sub-rule (1), every credit information company shall include in its such policy and procedure, the following; namely (a) it would have tested and documented internal system for evidencing robust matching levels which may in case of need be used also to provide requisite evidence and necessary examples to the Reserve Bank; (b) the procedure and parameters for verifying and providing certificate to the effect that the entire data; information and

25 · Accuracy of data provided by a credit information company: (1) Every credit information company shall adopt appropriate procedure with the approval of the Reserve Bank- (a) for verifying the data; information or credit information maintained by them on the basis of the information obtained by them from credit institution or credit information company, as the case may be; and (b) to ensure, before furnishing data, information or credit information to a specified user or making disclosure thereof to anyone else in accordance with the Act, that such data, information or credit information maintained by them is accurate, complete and updated with reference to the date mentioned therein by the respective credit institution or credit information company, as the case may be.

26 · Disclosure of disputed data by a credit information company: If;, in the opinion of a credit information company, correction of any inaccuracy , error or discrepancy referred to in rule 20, is likely to take further time on account of any dispute raised by a borrower in respect thereof with the credit institution or before a court of law; or any forum, or tribunal or any other authority, in such cases the credit information company shall adopt the following course of action, namely: - (a) if the disputed data, information or credit information has not been furnished, in such event while furnishing such data, information or credit information to a specified user or making disclosure thereof to anyone else, in accordance with the Act, the credit information company shall include an appropriate remark to reflect the nature of the inaccuracy, error or discrepancy found therein and pendency of the dispute in respect thereof and in any subsequent disclosure of such disputed data, information or

27 · . Formulation and adoption of the procedure by specified user:- (1) Every specified user, in existence on the commencement of these rules within three months of such commencement; and every specified user, coming into existence after the commencement of these rules within three months of its becoming member of a credit information company, shall take such requisite steps as it may deem necessary for ensuring and verifying the accuracy and completeness of data, information or credit information received from a credit information company before using the same in relation to a borrower, or a client; in relation to their operations and to ensure protection thereof from unauthorised access, or use and formulate and adopt an appropriate policy and procedure in this behalf with the approval of their Board of Directors. (2) Without prejudice to the generality of the policy as formulated and procedure as adopted under sub-rule (1), every specified user shall include in such policy and procedure, the provisions relating to the following, namely: - (a) the level of officers to be authorised to access the data, information and credit information received from a credit information company; (b) the parameters to be adopted for satisfying itself about the identity of the respective borrower, or the client whose credit report is to be taken into account by the specified user; (c) the appropriate measures so as to ensure that they do not fail to take note of any remark included by a credit information company in respect of any credit information; and (d) procedure relating to receiving data, information and credit information through secured medium:

28 · Prohibition from unauthorized access or use or disclosure.- (1) Every credit institution, credit information company, and specified user; existing before the commencement of these rules within three months of such commencement and every credit institution, credit information company or specified user coming into existence after the commencement of these rules within three months of commencement of their business, shall take such steps as they may deem necessary to ensure that the data, information and the credit information maintained by them is duly protected against any unauthorized access or use and formulate and adopt an appropriate policy and procedure in this behalf with the approval of their Board of Directors. (2) Without prejudice to the generality of the policy and procedure, as formulated and adopted under sub-rule (1), every credit institution, credit information company, and specified user shall include such other aspects in such policy and procedure so as to (i) secure the confidentiality of the data, information and credit Information maintained by them; (ii) ensure that access to the data, information and credit Information maintained by them is permitted only to such of their managers or employees or designated officers, who are duly authorised for the purpose on a need to know basis; (iii) ensure and control, access to the data, information and credit Information; terminals; and networks, maintained by them, by means of physical barriers including biometric access control and logical barriers by way of passwords and to ensure that the passwords used in this behalf are not shared by anyone else than who is authorised in this behalf and the passwords are changed frequently on irregular intervals; (iv) ensure that the best practices in relation to the deletion and disposal of data, especially where records or discs are to be disposed of off-site or by external contractors are followed;

29 · Obligation for fidelity and secrecy - (1) Every credit information company or credit institution or specified user, in possession or control of data, information and credit information shall adopt all

9 · Matter not pending with any other court, etc. The appellant further declares that the matter regarding which this appeal has been made is not pending before any court of law or any other authority or has not been rejected by any court of law or other authority.

10 ·

11 ·

1 · Name of the borrower: a Last Name/Surname

2 · If the borrower has been known by any other name in past ? Yes/No If yes, his Last Name/Surname First Name Middle Name 3. Occupation of the borrower- 4 Address of the borrower: (a) Residential Address Flat/Door/Block No. Name of Premises/ Building/ Village Road/Street/Lane/Post Office Area/ Locality/Taluka/Sub- Division_ Town/ City/District State/Union Territory Pin Telephone No. Fax Mobile Phone No.

5 · Address for Communication column No.4_

6 · Borrowers Father's Name Last Namelsurname Middle Name

7 · _ Sex of the borrower Tick { } as applicable: Male/Female 8. Date of birth of the borrower: (dd/mmlyyyy F 9 Nationality of the borrower

12 · E-mail address of the borrower

13 · Web URL address (if any) of the borrower

14 · Documents submitted by the borrower as proof of his address (any of the following) (i) Passport details (a) Passport No. (b) Passport issuing authority

15 · For Company/ Firm/ Body of Individuals/ Association of Persons, Local Authority;

17 · 18. 19 20_

22 ·

23 · Particulars of Insurance Policy Insurer company

24 · Names, Addresses etc. of partners/Members/Directors

26 · Name of the authorired representative

27 · Bank account Details; Name of the bank Bank account No. Type of bank account

28 · Any other information

30 · Information relating to the guarantor o the person who has given Or proposes to give guarantee or security for a borrower of a credit institution including; a) Name, full address including State and Pin Code, telephone number; date of birth date of incorporation, PAN of the guarantor; father' s name the amount guaranteed or to be guaranteed; and the amount of guarantee invoked in respect whereof default has been committed by the guarantor, if any.