To complement its enhanced credit exposure reporting and credit management system, the Bangko Sentral ng Pilipinas (BSP) is expanding access to credit information, allowing individual and corporate borrowers to view their own credit data upon identity verification.

This initiative is part of a newly drafted Open Access Framework (OAFw) under a draft circular issued last week, which outlines how the central bank will share data stored in its Credit Information Management System (CRIMS).

According to the draft rule, “the BSP is expanding access to credit information for authorized external users, subject to applicable data privacy laws, rules, and regulations.” This move builds upon the BSP’s existing collection of granular borrower-level data through the Comprehensive Credit and Equity Exposures Report (COCREE).

The framework, the BSP said, aims to foster a more inclusive financial environment. BSP-supervised financial institutions (BSFIs) have until June 24 to submit their feedback on the proposal.

By opening up the registry, the BSP believes that “enabling access to comprehensive borrower data allows credit-granting entities to better serve consumers, empowering them to build reputational collateral and improve access to formal credit.”

Under the framework, authorized users are categorized into three groups: individual or corporate borrowers, BSFIs designated as accessing entities (AEs), and credit bureaus designated as special accessing entities (SAEs).

For banks and other lending institutions, access is not a one-way street. “Access granted under this agreement is anchored on the principle of reciprocity, whereby the AE, in its capacity as a contributor, submits credit information to the BSP in exchange for access to credit information through CRIMS,” the draft clarified.

To ensure the security of this sensitive financial data, the BSP is implementing rigorous accreditation standards and oversight. Accredited entities must maintain robust cybersecurity programs and are subject to a strict reporting window in the event of a breach.

Specifically, the draft mandates that “notice shall be submitted to the BSP within two hours after such an incident is discovered” if an entity suffers a major cyberattack involving data obtained from the central bank.

Furthermore, the BSP is adopting a cautious approach to the initial rollout, particularly with regard to third-party credit bureaus.

The draft rule also includes a transitory provision stating that a “maximum of three SAEs shall be accredited and allowed to access the CRIMS as a calibrated transition measure to ensure controlled and secured implementation.”

This cap allows the BSP to monitor the impact on the credit ecosystem before a full-scale expansion.

Overall, the framework is being proposed to transform credit information into a public utility that supports both borrowers and lenders while maintaining the overall stability of the local financial system.