The Reserve Bank of India (RBI) recently shortened the timelines within which credit information needs to be reported and updated by credit institutions and Credit Information Companies (CICs), respectively through a notification on 8 August 2024 (Notification). Noting the pace at which short term credit is growing and digital credit underwriting is being undertaken, the RBI highlighted that Credit Information Reports (CIRs) must reflect information that is as close as possible to the current date. Prior to the Notification, credit institutions were reporting credit information to CICs on a monthly basis, resulting in outdated data which was 30-60 days old. Credit institutions are now required to report credit information to CICs within seven calendar days following the 15th and last day of each month. Correspondingly, the CICs are required to update the information on a fortnightly basis. Moreover, CICs are to ingest received credit information within five calendar days from the date of its receipt instead of seven days. To ensure compliance, CICs will be required to submit a list of credit institutions which fail to comply with the Notification to the Department of Supervision, RBI on a biannual basis. Noting the changes required to existing operations, credit institutions and CICs have been given time till 1 January 2025 to implement the Notification. 

The Digital Personal Data Protection Act 2023 (Act) places the primary obligation on ‘data fiduciaries’ to protect digital personal data of individuals and implement consent artifacts, including for any outsourcing arrangements for processing. Entities who merely process such data at the behest of another entity, called ‘data processors’ have been excluded from the statutory compliance obligations under the Act. The Act defines ‘data fiduciary’ as any entity determining the means and purpose of processing personal data. Entities handling data are required to undertake this classification exercise as the first step, i.e., whether they are merely data processors or can be classified as data fiduciaries.