CREDIT INFORMATION BUREAUS

Banks and Insurances Examiner Office of Ecuador Dr. Camilo Valdivieso Cueva National Legal Commissioner

CREDIT INFORMATION BUREAUS ACT Law 13 Official Register 127 October 18, 2005

CODIFICATION OF RESOLUTIONS - BANKS & INSURANCES EXAMINER OFFICE AND THE BANKING BOARD

Background Article 81 of Ecuador’s Political Constitution establishes that the State shall guarantee the right of having access to data sources. Need of issuing a law that allows financial institutions, private insurance companies, the national social security system, and the corporate sector to obtain complete information as to make adequate risk decisions, in order to safeguard the interests of depositors and the general public.

Objective The regulations on this issue seek to standardize the creation, set up, operation and extinction of credit information bureaus, whose only task is to provide credit reference services.

Definitions Credit Information Bureaus (Credit Bureaus).- Stock companies whose unique corporate purpose is to provide credit references on credit holders. Credit Holder.- Individual or company to which the credit risk information refers. Data Sources.- Individuals that, due to the activities they perform, have information available regarding credit risks.

Definitions Client.- Any person authorized by law, who hires the services of a credit bureau. Prohibited Information.- Data that credit bureaus are not allowed to include in a credit risk report, since it would violate the right to individual or family privacy, as set forth in the Political Constitution. Database.- Set of credit risk information, managed by a credit bureau.

Definitions Credit Risk Information.- Data on liabilities or financial standing regarding commercial, contractual, private insurance and social security activities of an individual or company, whether public or private, and which will help establish the corresponding credit risk levels.

Credit Reference Services Credit reference services shall include actual and contingent operations to properly identifying debtors of the financial system, private insurance companies, social security and corporate sector, in order to know their debt level and credit risk level. The creation, control, management and supervision of credit bureaus shall be subject to the Credit Information Bureaus Act, the Financial Institutions Law, the Corporations Law, and the Codification of Resolutions by the Banks and Insurances Examiner Office and the Banking Board.

Credit Bureaus Stock companies whose unique corporate purpose is to provide credit reference services. The Banks and Insurances Examiner Office authorizes the operation of credit bureaus. Such entity controls and supervises all credit bureau operations. The name shall always include the term “Credit Information Bureau”. The minimum capital stock required to create a credit bureau is US$ Such capital shall be fully paid-up at the time of incorporation.

Credit Bureaus The Banks and Insurance Examiner Office assesses the stockholders qualifications, reliability and solvency, using for such purpose the same criteria applied to stockholders of financial institutions. Neither the clients of a credit bureau nor the financial institutions under the Banks and Insurances Examiner Office supervision may directly or indirectly, under no circumstances, be stockholders, partners or members of a credit information bureau.

Minimum technological and operational requirements Credit bureaus shall have installed adequate technology, in order to ensure: Top safety in data storage and handling. Powerful, flexible and highly expandable systems, in order to meet user or client needs. High speed processing and publication of files received from its clients.

Minimum technological and operational requirements 24-hour continuous and uninterrupted service, seven days a week, all year round. Contingency plan that ensures uninterrupted service if operational / communications breakdowns occur, including natural disasters and willful damages.

Minimum technological and operational requirements Equipment and applications shall be installed taking into account the operation of “front offices” and “back offices”. Such equipment and applications shall be powerful enough as to work with operational strength and completely separate one from the other. Front office: equipment and applications directly involved with customer service, such as Web servers, query applications, user interfaces, among others. Back office: equipment and applications used for database activities, its maintenance, operation and consistency.

Credit Information Includes all current and contingent liabilities recorded at the Banking Risks Office of the Banks and Insurances Examiner Office, as well as debts undertaken with the business sector or any other type of clients, whose holder authorized in advance furnishing to the credit bureau. This will allow carrying out a complete assessment of the actual borrowing capacity, as well as the borrowers’ credit and payment standing record. Excludes information on checking account, savings account or term deposits, nor any form of deposit taking or information that violates individual and family privacy rights, as well as any other information prohibited by Law.

Credit Information Credit bureaus shall not handle any information: 1.That violates individual or family privacy rights and breaches the guarantees set forth in the Political Constitution, as well as any other data that violates the guarantees set forth in international legislation, treaties and agreements; and, 2.That, as established in the Financial Institutions Law, is protected by bank secrecy. Disclosure of such information shall only take place by express court order.

Data Collection Database information is obtained from the following sources: The Banking Risks Office of the Banks and Insurances Examiner Office. Data is only furnished by the Examiner Office with information from the supervised system; Public access sources; Other sources, upon prior authorization by the corresponding credit holder; and, Credit holders.

Data Collection Credit bureaus may obtain and keep on file new credit information other than that furnished by the Banking Risks Office, only upon prior consent and knowledge by the credit holder, on a case-by-case basis. Data furnished by the Banking Risks Office does not require authorization. Credit bureaus cannot officially change the data furnished by the Banking Risks Office.

Data Collection Credit bureaus are required to process all data amendment requests that comply with the provisions of the Credit Information Bureaus Act. In such event, the bureau shall deliver the amended data to the Banks and Insurances Examiner Office, within 24 hours of such amendment, in order that this entity sends said data to the other credit information bureaus, within a 24 hour-term. Credit bureaus may exchange information with other bureaus. The exchange terms shall be negotiated between the interested parties, through agreements.

Credit Information Management All data collected by credit bureaus, other than that furnished by the Banking Risks Office or obtained from public sources, shall include the issuance date and hour. It requires prior consent and knowledge by the credit holder, and shall be duly issued by a legal source. The risk information obtained and handled by credit bureaus has the sole purpose of providing credit reference services and shall remain in the country. Credit records on individuals and companies shall not exceed six years.

Credit Information Management Credit bureau clients shall inform credit holders as follows: 1.Existence of databases being handled, its purpose and the potential users of such data; 2.Name and address of credit bureaus receiving such information; 3.Potential impact of using such information; and, 4.The rights they are entitled to.

Credit Information Management The credit bureau that obtains and stores data not furnished by the Banking Risks Office of the Banks and Insurances Examiner Office shall, upon the credit holder’s request and with no additional procedure, deliver such information, as many times as required, with no restrictions and free of charge. Credit information shall be legitimate, accurate and true. It shall reflect the actual situation of the individual involved at a given time. Credit bureaus shall specify the period covered by each report.

Credit Information Management Credit bureaus may only collect, store, update, save, organize, systematize, prepare, select, compare, interconnect in their databases credit-risks-related data. Credit bureaus may not collect, process or disclose information expressly prohibited by law, even if authorized by the credit holder. The individual/company who deems that its rights are been violated may initiate civil or criminal actions, as established by Law.

Credit Information Management Credit bureaus may only provide credit reference services to duly identified clients. Credit information bureau clients only include: 1.Entities supervised by the Banks and Insurances Examiner Office; 2.Corporations, companies, foundations and other duly authorized partnerships, which operate as lenders; and, 3.Individuals involved in lending activities.

Credit Information Management Credit bureaus may establish fees to provide credit reference services. Such fees shall be known by the public, and shall be reported to the Banks and Insurances Examiner Office. In order to remedy market flaws, the Banking Board, may limit such service fees. Credit bureaus are not allowed to commercialize their databases at general level, nor deliver all the credit information contained in their databases, or disclose such information through the mass media (radio, press, television or other means).

Credit holders protection Credit bureau clients and individuals that for any reason have access to reports been issued by the bureaus are required to keep confidential all information contained in such reports. Use of such information for other purposes than to assess credit risks is forbidden.

Credit holders protection Credit bureaus shall provide the Banks and Insurances Examiner Office unlimited access to the information contained in their databases, in order that such entity may carry out its supervision and control tasks. When collecting, processing and distributing credit risk information, bureaus shall apply the highest standards of professional ethics, using the data collected only for the purposes established by the Law and its regulations. This protects the constitutional rights of credit holders.

Credit Holders Rights Credit holders shall have the right to: 1.Know whether a credit bureau’s database includes data about him/her. Credit holders must have access to such information without limitation whatsoever; and, 2.Urge credit data sources to amend any illegal, inaccurate or erroneous data, and notify the bureau, in order that it amends the corresponding record, if applicable.

Credit Holders Rights Credit data sources shall reply in writing and with due explanation, within 15 days, all data amendment requests. Updates, changes or deletions of information deemed illegal, false, inaccurate, erroneous, incomplete or outdated should be made available to the credit holder in a new and updated credit report. The entities under control by the Examiner Office shall admit in the credit analysis performed, the “Amendment or Data Update Certificate in the Banking Risks Office”, issued by the corresponding financial entity.

Credit Holders Rights Credit bureaus shall notify every month the Banks and Insurances Examiner Office the number of claims received to update, amend or delete information contained in their databases, including the corresponding results. Credit bureaus shall create credit holder service departments. They are also required to establish adequate internal procedures, in order to effectively, efficiently and timely process all requests for data updates, amendments or deletions. They shall also establish adequate communications and coordination mechanisms with the sources from which they collect information.

Liability Bureaus and credit data sources shall be legally liable for damages to credit holders, arising from an illegal, inaccurate or erroneous data transfer. Any individual that misuses or illegally discloses information contained in a credit report or distorts the information provided by a source shall be subject to criminal actions, without prejudice of the actions and civil liabilities applicable by Law. The damaged party may claim indemnification when bureaus fail to amend erroneous information.

Liability Data sources shall provide bureaus with accurate and lawful information. Bureaus are bound to report the data without changes. In the proceedings against credit bureaus, the bureaus may request to summon the sources from which they obtained the credit data. Individuals that fraudulently or negligently use information or reports furnished by the bureaus shall also be liable for damages to the credit holder.

Violations and Penalties The Banks and Insurances Examiner Office shall impose administrative penalties and arrange for the implementation of corrective measures by bureaus that infringed the Law provisions and the Banking Board regulations. Administrative infringements are: 1.Any violation to the prohibitions set forth in the Law; and, 2.Denial of any credit holder rights, as set forth in the Law.

Violations and Penalties In the event that a bureau infringes the provisions of the Law or the Banking Board regulations or fails to proceed as instructed by the Banks and Insurances Examiner Office, the following penalties shall apply: 1.Fines ranging between US$ and US$ per infringement; 2.In the event of second offense, suspension of the operating permit up to six months; and 3.In the event of repeated offense, annulment of the operating permit, which includes the order to dissolve and extinguish the corresponding credit bureau.

Violations and Penalties If the Banking Board decides to extinguish a bureau, the liquidator shall deliver the Banking Risks Office database to the Banks and Insurances Examiner Office. The relevant corporate sector data shall be negotiated and transferred by purchase, to the bureau that submitted the highest bid at the bidding process called by the Banks and Insurances Examiner. If there is no qualified buyer, all data will be destroyed, within six months from extinction of the bureau.

Violations and Penalties When the Banks and Insurances Examiner Office receives notice that individuals or companies other than the bureaus performed or are performing operations specifically assigned to credit bureaus, it shall carry out the necessary investigations, as set forth in the Financial Institutions Law, and, if necessary, will demand immediate interruption of said operations, even with help from the police force. The Banks and Insurances Examiner shall notify the Government Attorney regarding the issue.