Personal Finance

Credit Reference Agencies – Their Regulation

A man is paying for a car using his credit card

The UK Credit Score Guide 2018
Chapter Four

Story Highlights:

Like any other financial institution, CRAs are both licensed and regulated. In this article, we look at how far consumers are protected in their interaction with credit reference agencies and whether the system is open to abuse. You can read about:

  • The regulation of credit reference agencies
  • The terms of the Data Protection Act of 1998 for CRAs
  • How to access your credit report
  • Changes to data protection because of the GDPR
  • The use of your financial data for marketing purposes

We start this article by examining the key roles played by the FCA (Financial Conduct Authority) and the Information Commissioner’s Office (ICO) in the regulation and supervision of credit reference agencies. We look at what circumstances they’re permitted to collect data about us and what rights we have. Finally, are these agencies allowed to sell the data which they possess about us?

Regulation of credit reference agencies

Anything that concerns consumer credit, including the activities of credit reference agencies, comes under the terms of the Consumer Credit Act of 1974. This sector of the finance industry is now regulated by the FCA. This means that all agencies must be licensed by the FCA before they can operate. Although the FCA regulate them, they have no control nor are they entitled to scrutinise how credit scores and ratings are compiled.

The data collected by credit reference agencies is often accessed by the FCA

The data collected by credit reference agencies is often accessed by the FCA when they wish to carry out regulatory and market investigations. This helps the regulatory body to make changes to credit for the benefit of consumers.

The terms of the Data Protection Act of 1998 for credit reference agencies

The ICO (Information Commissioner’s Office) is responsible for how your personal data is compiled and used by CRAs. It might come as a surprise to learn that details of your spending habits and credit history aren’t considered to be sensitive data in the same way that details of your medical history are, for example.

A group of friends are walking on a shopping street

Credit reference agencies don’t need your consent to process information about you as long as they have a legitimate reason for doing so. You may be surprised to hear that you have given your permission for such data to be shared. Every time that you sign a credit agreement with a lender, this consent is hidden in all the pages of terms and conditions which you sign. How many times have you read all these pages through to the end?

However, the terms of the Data Protection Act make it clear that data relating to identifiable living individuals must be relevant, accurate, held for a proper purpose and must be kept up-to-date. Consumers also have a legal right to access their credit report. How can you do this?

How to access your credit report

All credit reference agencies offer consumers the opportunity to read their credit file and recommend that consumers do so regularly. If you don’t wish to sign up for a free trial or subscription to one of the agencies, you can receive a statutory copy of your credit file by applying online or by post at a cost of £2.

All credit reference agencies offer consumers the opportunity to read their credit file and recommend that consumers do so regularly.

To prevent mistakes, agencies recommend that you supply them with the following information:

  • Your full name
  • Other names used in the past 6 years (such as your maiden name)
  • Your full address (including the postcode)
  • Other addresses used in the past 6 years
  • Your date-of-birth

They may need proof of your name and address and if so, will ask for a utility bill or bank statement to ensure that no one gets a copy of your credit file by mistake or fraudulently. Once they have all the information they need, you should receive a copy within 7 working days.

Changes to Data Protection because of the GDPR

The GDPR (General Data Protection Regulation) comes into effect from 25th May 2018. These new rules will require credit reference agencies to follow certain guidelines on handling the data of both individuals and businesses. From this date, consumers will have more say about what companies can do with their personal data. Also, there will be tougher fines for non-compliance.

A phone salesman is using marketing data to succeed with a phone sale

The use of your financial data for marketing

One of the worries that consumers have is that data held about them might be used for marketing purposes. They’re concerned that they might be bombarded with offers for financial products which they have no interest in because of data supplied by credit reference agencies.

Although credit reference agencies also operate as lead generators, the data that they sell for direct marketing purposes are collected by other means. This information is bought from local authorities especially from individuals who haven’t opted out of the full (or open) electoral roll. Other data comes from lifestyle questionnaires, consumer surveys and competition entries when you haven’t ticked the box to say you don’t want your information to be passed onto third parties.

All credit reference agencies keep their credit referencing data completely separate from their marketing data. After all, their role of compiling a report about your credit history is from data supplied by the lenders themselves who use this shared data to make a decision about whether to approve a credit agreement. As a data processor, the information CRAs hold for credit referencing doesn’t strictly belong to them.

Conclusions about the regulation of CRAs

Like any company which offers consumer credit, credit reference agencies are both licensed and regulated. There are also guidelines in place to prevent them from using information held about you for their own commercial gain.

The best way to protect yourself from unwanted marketing materials is to always tick the box so your personal details aren’t shared. The GDPR will make it easier for consumers to do so.

Interested In This Article?

Continue to Chapter 5

Go to article introduction and table of contents

About the author

Thomas Henderson

Thomas worked as a consultant in personal finance in the UK for 18 years. He has found a passion in sharing his experience on

Thomas also takes pleasure in woodworking, reading and observing stock market trends.

Jump To A Category

Quick Read: Money Magazine