Credit Bureau Act 2016

Statute Details

• Title: Credit Bureau Act 2016
• Act Code: CBA2016
• Type: Act of Parliament
• Status: Current version (as at 26 Mar 2026)
• Long Title (summary): Regulates credit bureaus, the credit reporting business, and certain members who receive/provide customer information.
• Revised Edition: 2020 RevEd (in operation from 31 Dec 2021)
• Legislative History (selected): Amended by Acts including Act 2 of 2019, Act 40 of 2019, Act 25 of 2021, Act 18 of 2022, Act 5 of 2025
• Commencement Date: Not specified in the provided extract (note: the 2020 Revised Edition indicates operation from 31 Dec 2021)
• Key Parts: Licensing; duties of licensed credit bureaus; audit; approval of “approved members”; control of substantial shareholders/controllers/officers; inspections/investigations; offences; appeals; miscellaneous
• Notable Provision (from extract): Section 5 (Appointment of assistants) – Authority may appoint officers to exercise its functions (subject to subsection (2)).

What Is This Legislation About?

The Credit Bureau Act 2016 (“CBA”) is Singapore’s core statute governing credit bureaus and the credit reporting ecosystem. In practical terms, it creates a licensing and oversight framework for entities that collect, manage, and disclose credit-related information—so that credit reporting is conducted in a regulated, accountable, and secure manner.

The Act is designed to balance two competing interests. On one hand, credit reporting supports responsible lending and helps financial institutions assess credit risk. On the other hand, credit information is highly sensitive: it can affect consumers’ access to credit and may be used in high-stakes decisions. The CBA therefore imposes strict duties on licensed credit bureaus and their “approved members” to ensure data integrity, confidentiality, and accuracy, and to provide mechanisms for access and correction.

Beyond duties, the CBA establishes strong supervisory powers for the relevant authority (the “Authority”), including inspection and investigation powers, control measures where a licensed credit bureau is unable to meet its obligations, and enforcement through offences and penalties. It also regulates governance and control—particularly around substantial shareholding, controllers, and key officers—to reduce the risk of improper influence over credit reporting operations.

What Are the Key Provisions?

Licensing of credit bureaus (Part 2). The Act makes licensing central. A credit bureau must be licensed to carry on the regulated credit reporting business. The statute provides for: (i) licensing requirements and the process for applying for a licence (Sections 6–8); (ii) rules on “holding out” as a licensed credit bureau (Section 9); (iii) annual fees (Section 10); and (iv) consequences where licences lapse, are revoked, or are suspended (Section 11). There is also a right of appeal (Section 12), which is important for due process where licensing decisions are adverse.

Duties relating to customer information and data governance (Part 3). Once licensed, a credit bureau must comply with detailed operational duties. These include duties relating to customer information (Section 13), maintaining security and integrity of data (Section 14), and safeguarding integrity through contractual arrangements with data providers (Section 15). This is a key compliance point for practitioners: the Act does not merely require internal controls; it expects the bureau to manage the integrity of incoming data via contracts with those who supply it.

The Act also addresses consumer rights and data quality. It provides for disclosure of a credit report to the data subject or with the data subject’s written consent (Section 16), a duty to provide access to data (Section 17), and correction of data on request (Section 18). Importantly, it also requires correction on the bureau’s initiative (Section 19), which elevates accuracy obligations beyond a purely reactive model.

Further, licensed credit bureaus must notify the Authority of certain events (Section 20), provide information to the Authority (Section 21), and submit periodic reports (Section 22). These provisions support ongoing supervision and enable the Authority to monitor compliance trends, incidents, and operational risks.

Audit and record integrity (Part 4). The CBA requires auditing (Section 23). The Authority can appoint an auditor and grant the auditor powers (Section 24). There are also restrictions on the auditor’s and employees’ right to communicate certain matters (Section 25), reflecting the confidentiality and sensitivity of credit reporting data and supervisory findings. The Act creates an offence for destroying, concealing, altering, or similar conduct involving records (Section 26). For compliance teams, this is a strong deterrent against “record management” practices that could be construed as obstructive.

Approved members and their approval regime (Parts 5 and 6). The Act distinguishes between the licensed credit bureau and certain members to whom the bureau provides customer information. Part 5 sets out the approval framework for “approved members,” including rights of an approved member (Section 27), rules on holding out as an approved member (Section 28), and mechanisms for deemed approval and actual approval (Section 29). It also provides for cancellation or revocation of approval (Sections 30–31) and a right of appeal (Section 32).

Part 6 then imposes parallel duties on approved members: confidentiality of customer information (Section 33), security and integrity of data (Section 34), correction of data (Section 35), submission of data to the licensed credit bureau (Section 36), and provision of information to the Authority (Section 37). Approved members also have duties to provide information in credit facility documents (Section 38). This is particularly relevant for lenders and credit providers: disclosure and documentation obligations can affect how consumers are informed and how consent or notices are handled in practice.

Control of substantial shareholders, controllers, and officers (Part 7). Part 7 addresses governance risk. It applies to the control of shareholding in a licensed credit bureau (Section 40) and provides for objection to existing control (Section 41). The Authority may make directions (Section 42) and obtain information (Section 43), and it can grant exemptions (Section 44). The Act also includes offences, penalties, and defences relating to these control provisions (Section 45).

Crucially, Part 7 also regulates key leadership appointments. The Authority must approve the chief executive officer and directors of a licensed credit bureau and can remove them (Section 46). Appeals are available (Section 47). For corporate counsel, this means that changes in board composition and senior management are not purely internal corporate matters; they are subject to regulatory scrutiny.

Inspections, investigations, and confidentiality (Part 8). The Authority may inspect (Section 48) and investigate (Section 49) licensed credit bureaus. Reports of inspections and investigations are subject to confidentiality rules (Section 50). The Act includes a self-incrimination provision (Section 51) and a saving for advocates and solicitors (Section 52). These provisions are important for legal strategy during regulatory engagement: they shape how information may be compelled and how privilege or professional protections may be preserved.

Authority’s control measures (Part 9). Part 9 provides a structured response where a licensed credit bureau is unable to meet obligations. The Authority can take action (Section 54), assume control (Section 55), and apply other provisions concerning control (Section 56). It also sets out responsibilities of directors and officers (Section 57) and addresses remuneration and expenses in certain cases (Section 58). Certain matters require Authority approval (Section 59). Practically, this part is the “regulatory backstop” that can move beyond compliance notices to operational control.

Offences and enforcement (Part 10). The Act contains offences by corporations (Section 60), unincorporated associations or partnerships (Section 61), and officers (Section 62). It also criminalises falsification of records by officers (Section 63) and imposes a duty to use reasonable care not to provide false information to the Authority (Section 64). There is a general penalty provision (Section 65) and a mechanism for composition of offences (Section 66). For practitioners, these provisions highlight that compliance failures can carry personal and corporate exposure, not just administrative consequences.

Appeals and procedural safeguards (Part 11). Appeals to the Minister are provided (Section 67), along with an Appeal Advisory Committee (Section 68). The Act addresses disclosure of information (Section 69) and regulations for the purposes of this Part (Section 70). This framework supports review of adverse decisions while maintaining regulatory confidentiality.

Miscellaneous provisions (Part 12). The Act includes jurisdiction of the District Court (Section 71), opportunity to be heard (Section 72), and the court’s power to make certain orders (Section 73). There is a general exemption (Section 74), power for the Authority to issue written notices (Section 75), and authority to issue codes and guidelines (Section 76). It also covers regulations (Section 77), service of documents (Section 78), electronic service (Section 79), amendment of schedules (Section 80), and saving/transitional provisions (Section 81).

How Is This Legislation Structured?

The CBA is organised into 12 Parts plus schedules. Part 1 sets out preliminary matters (short title, interpretation, purpose, application, and appointment of assistants). Part 2 establishes the licensing regime for credit bureaus. Part 3 sets out duties of licensed credit bureaus, particularly around data security, integrity, access, and correction. Part 4 provides for auditing and record integrity. Parts 5 and 6 regulate “approved members” and impose confidentiality and data duties on them. Part 7 focuses on governance and control of substantial shareholders/controllers/officers, including approval and removal of key leadership. Part 8 provides inspection and investigation powers and confidentiality protections. Part 9 sets out the Authority’s control measures when obligations are not met. Part 10 creates offences and enforcement mechanisms. Part 11 provides for appeals. Part 12 contains miscellaneous procedural and regulatory provisions, including court jurisdiction and service rules. Two schedules supplement the Act: one deems certain members as approved members, and the other lists specified provisions.

Who Does This Legislation Apply To?

The CBA applies primarily to (i) credit bureaus that carry on regulated credit reporting activities, and (ii) certain members of those credit bureaus to whom the bureau provides customer information—regulated as “approved members.” It also applies to substantial shareholders, controllers, and officers of licensed credit bureaus, because Part 7 subjects them to control and approval requirements.

In addition, the Act affects data providers and lenders indirectly through contractual and documentation duties. For example, licensed credit bureaus must safeguard data integrity through contracts with data providers (Section 15), and approved members must provide information in credit facility documents (Section 38). Accordingly, compliance obligations may extend beyond the bureau itself to the broader credit ecosystem.

Why Is This Legislation Important?

The CBA is important because it operationalises trust in credit reporting. By requiring licences, imposing security and integrity duties, and mandating access and correction mechanisms, it reduces the risk of inaccurate or insecure credit information being used to make lending decisions. This is particularly significant in a consumer context, where credit reports can influence eligibility, pricing, and access to financial products.

From an enforcement perspective, the Act provides the Authority with robust oversight tools: auditing, inspections, investigations, confidentiality protections, and—most importantly—control measures including assumption of control. The offence provisions further ensure deterrence, including offences relating to record falsification and obstructive conduct.

For practitioners advising credit bureaus, lenders, or corporate governance teams, the CBA’s practical impact is substantial. Compliance is not limited to data handling; it includes licensing and renewal, governance approvals for directors and chief executive officers, contractual arrangements with data providers, and consumer-facing processes for access and correction. Legal teams should therefore treat the CBA as a whole-system compliance statute rather than a narrow data protection measure.

Related Legislation

• Banking Act 1970
• Companies Act 1967
• Credit Bureau Act 2016 (as amended by subsequent Acts)

Source Documents

• Official Text — Singapore Statutes Online
• Archived Copy — Litt Law CDN

This article provides an overview of the Credit Bureau Act 2016 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the official text for authoritative provisions.