Risk and compliance when reporting data

With the recent publication by SCOR of the revised Data Reporting Principles in January, to replace the existing Guidance Notes on Defaults, it was thought appropriate to provide a reminder of the legal issues which arise from data reporting, particularly in relation to data which is inaccurate and/or perceived to be misleading.


Obligations imposed by the Irresponsible Lending Guidance 2010, as well as fraud prevention and anti money laundering requirements, require lenders to play their part to avoid the consequences of overindebtedness, fraud and money laundering. This requires the sharing of data about an individual’s credit application and performance history. The sharing, and publication, of data gives rise to many different risk and compliance issues, in particular relating to:-

  1. The Data Protection Act;
The Consumer Credit Act; 

  3. The FCA Hand Book;

  4. Potential liabilities for publication of inaccurate and misleading data, including; 
    • The extent of any duty of care;
    • Liability for defamation

Data Protection Act (DPA)

As lenders will be aware, the DPA in particular requires an individual’s personal data to be processed fairly and lawfully. It also requires data to be kept accurate and up to date. The DPA gives a data subject a right to compensation for damage caused by a breach of these provisions. Usually, evidence of financial loss must be proved as well as the amount of such loss. Compensation can only be awarded for distress if damage is also caused.

Whilst clear consent should always be obtained from customers for the disclosure of credit data about the individual at or before entering into the agreement, the DPA provides exception for disclosure which is required “for the protection or detection of crime” or where disclosure is legally required, is in connection with legal proceedings or is required to enable legal rights to be enforced. Publication of credit data to a credit reference agency is not inconsistent with these data protection principles and its provision for this purpose has received judicial endorsement.

Consumer Credit Act (CCA)

Whilst the CCA imposes requirements on lenders to provide information in certain circumstances about its use of credit agencies and for customers to obtain copies of, and obtain corrections to, their credit files from credit reference agencies, none of these requirements impose any direct liabilities on the lender in relation to the publication of data. It is possible that the publication of inaccurate or misleading data could lead to a finding that there has been an unfair relationship under the CCA’s Unfair Relationship provisions.

The FCA Hand Book

From April 2014, all consumer credit will be subject to FCA regulation. Compliance with the FCA’s Principles for Business require an FCA regulated business to act with due skill, care and diligence and also to treat customers fairly. The proposed Source Book for consumer credit regulated activity (CONC) requires data to be processed fairly and lawfully. Inaccurate and misleading data could engage these principles in particular. In some circumstances, action may be brought under section 138D of the Financial Services and Markets Act 2002 for damages for a breach of any specific rule made by the FCA.

Other potential liabilities

Where there is a specific statutory provision giving a person a right of action, it would not usually be expected that a separate common law liability would exist in relation to the matter concerned*. So where any claim is based on a breach of the DPA or an FCA rule, a Claimant would usually have to rely only on the statutory right to sue. However, the recent case of Durkin v DSG Retail[2010] CSIH 49 suggests that where reliance is not placed on a specific right of action given by statute or an FCA rule breach, other duties of care may exist. It is also believed (although the legal position is not fully established), that any claim based on defamation will be subject to the defence of qualified privilege. Such a defence does not apply if publication has been malicious, but this is unlikely to be the case as far as lenders are concerned.


In general, where the customer has a claim, he or she must prove that data is inaccurate. There can be different perceptions of what is “accurate”. There may be legitimate reasons for a customer to default and this may be due to a genuine dispute but the fact of default may not be in doubt. However, care should be taken, where genuine dispute exists, to ensure that the data is reported in a way which is fair, as otherwise a breach of the FCA Handbook may occur, or a court could regard the relationship as unfair, under the Unfair Relationship provisions. Where a liability does arise, then usually the customer should prove that any loss suffered was a direct and reasonably foreseeable consequence of the inaccurate data. However, under the DPA the court can make an additional award, once financial loss is proved, for distress.


*see John Green and Paul Rowley v The Royal Bank of Scotland plc [2013] EWCA Civ 1197

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.

David Wood


I advise clients in all sectors on asset and consumer finance documentation and procedures and FCA consumer and mortgage credit regulation.