Changes introduced to the Good Payers’ Registry Act entered into force on July 9, 2019. Law No. 12,414/2011 now allows the automatic inclusion of individuals in the Good Payers’ Registry. On July 25, 2019, Presidential Decree No. 9,936/2019 was enacted, regulating important aspects of the Good Payers’ Registry Act, and on July 29, 2019, the Brazilian National Monetary Council issued Resolution No. 4,737/2019, which establishes specific registration requirements for registry database managers with the Brazilian Central Bank.
The Good Payers’ Registry is a database that collects information on an individual’s financial and payment history across different types of obligations with financial institutions and service providers. The registry was originally created in 2011, but consumers had to consent before they could be included in the database. Under the revision, consumers are now added to the database automatically and will be notified within 30 days when their profile has been created.
According to the estimates of Serasa Experian, the number of participants in the Good Payers’ Registry may increase from 11 million to 137 million profiles, reducing informational asymmetries and promoting the use of adequate interest rates for each consumer profile. The registry is also expected to become a tool to help ease over-indebtedness. With financial information consolidated in one database, consumers can now consult their information and check payment obligations in a centralized way, allowing better control of personal finances and conscious use of credit.
Despite automatic registration, individuals keep the right to opt out of participating in the registry. According to the Presidential Decree, opt-out requests may be made at any time and by electronic means, and database managers must cancel or suspend access by consultants (third parties that consult the database) to the consumer’s credit score within two business days. Database managers must also transmit the request to other database managers, who must comply with the request within two business days of receiving the notification.
To safeguard participant privacy, database managers should provide consultants with only the individual’s credit score, which is based on the stored financial information. In the former registry system, there was no clear limitation on what type of information could be accessed by third parties, allowing for the possible disclosure of the consumer’s entire credit and financial history. In this new system, access to the full payment and financial history will be possible only with the prior and specific consent of the participant. Individual consent may be granted for each access or for a fixed term of up to three months. The financial data processed under the Good Payers’ Registry includes information regarding the credit concession and other financial operations, including date, amount, number of installments, payment dates, and installments paid (in full or in part) or in default/delayed, among others.
The new Act expressly prohibits the use of information considered excessive (i.e., information that is not linked to the analysis of consumer credit risk) or sensitive data (i.e., information revealing social and ethnic origin, health, genetic information, sexual orientation, and political, religious and philosophical beliefs) to form the financial history and/or credit score.
Any entity that intends to manage the Good Payers’ Registry (and multiple entities may do so at the same time) needs to register with the Brazilian Central Bank. The CMN Resolution established specific requirements for this purpose.
Information handled under the Good Payers’ Registry shall be kept confidential among the database managers, and unauthorized disclosure shall imply a violation of banking secrecy. The Presidential Decree introduced specific security requirements that will be observed by database managers, such as obtaining a certification issued by an independent entity to attest the integrity and confidentiality of the data being processed, and the use of best security practices from time to time.
Data breaches and security incidents involving the Good Payers’ Registry may need to be reported to the National Data Protection Authority, the Brazilian Central Bank and the Consumer National Secretariat linked to the Ministry of Justice. The notification should occur within two business days of becoming aware of the data breach or security incident.
Because the registry deals with personal data, the principles and obligations set forth in the Brazilian Data Protection Act shall also be observed.