INSOLVENCY AND BANKRUPTCY BOARD OF INDIA (INFORMATION UTILITIES) REGULATIONS, 2017 – PART II

[Mr. M. GOVINDARAJAN]

Shareholding and Governance

The information utility is to have its shareholding and governance for the purpose of registration.   In respect of shareholding it is provided that no person shall at any time, directly or indirectly, either by itself or together with persons acting in concert, acquire or hold more than 10% of the paid up equity share capital or total voting power of an information utility.  The following persons may, directly or indirectly, either by themselves or together in concert, acquire or holdup to 25% of the paid up equity share capital or total voting power of an information utility-

• Government company;
• Stock exchange;
• Depository;
• Bank;
• Insurance company; and
• Public financial institution.

A person resident in India may, directly or indirectly, either by itself or together with persons acting in concert, hold up to 51% of the paid up equity share capital or total voting power of the information utility till the expiry of 3 years from the date of its registration, or such period as may be extended by the Board.  This will not be applicable to the holding of shares of voting power by the Central Government or a State Government.

More than half of the directors shall be independent directors at the time of their appointment and at all times during the tenure as directors.  No meeting of the Governing Board shall be held without the presence of at least one independent director.  The directors shall elect an independent director as the Chairperson of the Governing Board.

Bye laws

Framing bye-laws is also another criterion for registration.  An information utility for the conduct of its operations shall have bye-laws consistent with the Code.  The bye-laws shall be consistent with and provide for all matters contained in the Technical Standards, if any.  The bye-laws shall provide for-

• the manner and process of providing core services and other services under these regulations;
• risk management;
• rights of users; and
• grievance redressal.

The bye-laws of the information utility, as amended from time to time shall be published on its website.

The Governing Board may amend the bye-laws of the information utility by a resolution passed by votes in favor being not less than 3 times the number of votes, if any, cast against the resolution, by the directors.  A resolution passed shall be filed with the Board within 7 days from the date of its passing, for its approval.  The amendments to the bye-laws shall come into effect on the 7^th day of the receipt of the approval, unless otherwise directed by the Board.  The information utility shall file a printed copy of the amended bye-laws with the Board within 15 days from the date when such amendment is made effective.  The Board  may direct an information utility to amend any provision in its bye-laws.

Core services

An information utility shall provide code services and other services and also services incidental to the services with the permission of the Board.  An information utility shall comply with the applicable technical standards, while providing services. 

Technical standards

The Board shall lay down the technical standards based on the recommendations of a Technical Committee constituted by it.  The Technical Committee shall comprise of at least 3 members who have special knowledge and experience in the field of law, finance, economics, information technology or data management.  The Board may invite the Chief Executive Officers or Managing Directors of the information utilities to attend the meetings of the Technical Committee.

The Board may lay down Technical Standards for all or any of the following matters-

• the Application Programming Interface;
• standard terms of service;
• registration of users;
• unique identifier for each record and each user;
• submission of information;
• identification and verification of persons;
• authentication of information;
• verification of information;
• data integrity;
• consent framework for providing access to information to third party;
• security of the system;
• security of information;
• risk management framework;
• porting of information;
• exchange of transfer of information between information utilities;
• inter-operability among information utilities;
• preservation of information; and
• purging of information.

Registration of users

A person shall register itself with an information utility for submitting information to or accessing information stored with any of the information utilities.  The information utility shall verify the identity of the person and grant registration.  Upon registration the information utility shall intimate of its unique identifier.  A person registered once with an information utility shall not register itself with any information utility again.  An information utility shall provide a registered user a functionality to enable its authorized representatives to carry on the activities on its behalf.  An information utility shall maintain a list of registered users, the unique identifiers of the registered users and the unique identifiers assigned to the debts and make the list available to all information utilities and the Board.

Using different information utilities

A registered user may submit information to any information utility.  Different parties to the same transaction may use different information utilities to submit, or access information in respect of the same transaction.  A user may access information stored with an information utility through any information utility.

Acceptance and receipt of information

An information utility shall accept information submitted by a user in Form C.  On receipt of the same the information utility shall-

• assign a unique identifier to the information, including records of debt;
• acknowledge its receipt and notify the user of-

• the unique identifier of the information;
• the terms and conditions of authentication and verification of the information; and
• the manner in which the information may be accessed by other parties.

Information in default

On receipt of information of default, an information utility shall expeditiously undertake the processes of authentication and verification of the information.   On completion of the same the information utility shall communicate the information of default and the status of authentication to registered users who are-

• creditors of the debtor who has defaulted;
• parties and sureties, if any, to the debt in respect of which the information of default has been received.

Storage and access of information

An information utility shall store all information in a facility located in India, which shall be governed by the laws of India.  An information utility shall allow the following persons to access information stored with it-

• the user which has submitted the information;
• all the parties to the debt and the host bank, if any, if the information is of the following-

• records of the debt of the person;
• records of assets of person over which security interest has been created;
• records, if any, of instances of default by the person against any debt.

• the corporate person and its auditor, if the information is of the following categories-

• records of liabilities when the person is solvent;
• records of the balance sheet and cash flow statements of the person

• the insolvency professional, to the extent provided in the Code;
• the Adjudicating Authority;
• the Board;
• any person authorized to access the information under any other law; and
• any other person who the persons – the user, the bank, the corporate person – have consented to share the information with.

An information utility shall in all cases enable the user to view the date the information was last updated, the status of authentication and the status of verification while providing access to the information.  An information utility shall provide information to the Adjudicating Authority and Board free of charge.

An information utility shall provide a functionality to enable users to access information stored with any information utility, which they are entitled to access.  The functionality shall enable other information utilities to provide access to information to the user directly.  The functionality shall ensure privacy and confidentiality of information.

Annual Statement

An information utility shall provide every user an annual statement of all information pertaining to the user, free of charge.

Porting information from registries

An information utility may import information from such registries as may be notified by the Board from time to time.  An information utility shall render the core services for the information imported.

Duties of the user

A user shall expeditiously update the information submitted by it to an information utility.  A user shall expeditiously correct information as soon as it finds it erroneous, stating the reasons, if any.

Duties of information utilities

An information utility shall provide services with due and reasonable care, skill and diligence.  An information utility shall hold the information as a custodian.  It shall provide services without discrimination in any manner.   An information utility shall-

• provide services to a user based on its explicit consent;
• guarantee protection of the rights of users;
• establish adequate procedures and facilities to ensure that its records are protected against loss or destruction;
• adopt secure systems for information flows;
• protect itsdata processing systems against unauthorized access, alteration, destruction, disclosure or dissemination of information; and
• transfer all the information submitted by a user, and stored with it to another information utility on the request of the user.

It shall not-

• outsource the provision of core services to a third party service provider;
• use the information stored with it for any purpose other than providing services under these Regulations, without the prior approval of the Board;
• seek data or details of users except as required for the provision of the services under these regulations.

Insurance

An information utility shall make adequate arrangements including insurance for indemnifying the users for losses that may be caused to them by any wrongful act, negligence or default of the information utility, its employees or any other person whose services are used for the provision of services.

Fee

The information utility shall charge uniform fee for providing the same service to different users.  The fee structure is to be disclosed on its website.  Any proposed increase in the fees also to be uploaded on its website at least three months before the increase in fees is effected.

The fee charged for providing services shall be a reasonable reflection of the service provided and providing access information shall not exceed the fee charged for submission of information to the information utility.

Risk management

An information utility shall establish an appropriate risk management framework in accordance with the Technical standards, if any, which provides matters, including-

• reliable, recoverable and secure systems;
• provision of core services during disasters and emergencies; and
• business continuity plans which shall include disaster recovery sites.

Audit of technology framework

An information utility shall appoint one external auditor having relevant qualification to audit the information technology framework, interface and data processing systems every year.  The auditor shall submit a report to the Governing Board.  The information utility shall submit the report received along with the comments of the Governing Board, if any, to the Board within one month from the receipt of the report from the external auditor.

Preservation policy

An information utility shall have a Preservation Policy providing for the form, manner and duration of preservation of information stored with it and details of the transactions of the information utility with each user in respect of the information stored with it.  The Policy shall be consistent with the Technical Standards, if any.

Compliance Officer

An information utility shall designate or appoint a compliance officer who shall be responsible for ensuring compliance with the provisions of the Code applicable to the information utility, in letter and spirit.  The said compliance officer shall report to the Board any non compliance of any provision of the Code observed by him.  He shall submit a compliance certificate to the Board annually, verifying that the information utility has complied with the requirements of the Code and has redressed customer grievances.  The Government shall appoint or remove a compliance officer only by means of a resolution passed at its meeting.

Regulatory Committee

An information utility may constitute a Regulatory Committee from amongst the independent directors.  The Committee shall oversee the information utility’s compliance with the Code.  The Compliance Officer shall report to the Regulatory Committee, wherever constituted.

Grievance redressal policy

An information utility shall have a Grievance Redressal Policy to deal with any grievance from any user or any other person or class of persons as may be provided by the Governing Board in respect of its services.  The Grievance policy shall provide for-

• the constitution of a Grievance Redressal Committee;
• the functions of the Committee;
• the format and manner for filing grievances;
• maximum time and format for acknowledging receipt of a grievance;
• maximum time for the disposal of the grievance by way of dismissal, resolution or the initiation or mediation;
• details of the mediation mechanism;
• provision of a report of the grievance and mediation proceedings to the parties to the grievance upon dismissal or resolution of the grievance;
• action to be taken in case of malicious or false complaints;
• maintenance of a register of grievances received and resolutions arrived at;
• disclosure of receipt and disposal of grievances to the public in the form and manner directed by the Board;
• periodic reporting of the receipt and disposal of grievances to the Governing Board; and
• periodic review of the Grievance Redressal Mechanism by the Governing Board.

Information to Board

An information utility shall provide such information as required by the Board.  It shall provide a report to the Board annually stating the-

• number and types of records collected;
• number and types of users registered;
• number and types of unique debts recorded;
• number and types of security interests recorded;
• volume of debts recorded;
• volume of secured debts recorded;
• number of instances and types of defaults recorded;
• number and types of disputes recorded;
• number of times information was accessedby the Adjudicating Authority and Board; and
• any other information as may be directed by the Board.

Storing information

An insolvency professional may submit reports, registers and minutes in respect of any insolvency resolution, liquidation or bankruptcy proceedings to an information utility for storage.  It shall not provide access to the reports, registers and minutes submitted to any person other than the concerned insolvency professionals, the Board or the Adjudicating Authority.

Inspection

The Board shall inspect an information utility with such periodicity as may be considered necessary.  The information utility shall extend all assistance and co-operation to the Board to carry out an inspection.

Disciplinary proceedings

The Board on the findings of an inspection or investigation or on material otherwise available on record, is of the prima facie opinion that sufficient cause exists to take actions shall issue a show cause notice to the information utility.  The show cause notice shall state-

• the provisions of the Code under which it has been issued;
• the details of the alleged facts;
• the details of evidence in support of the alleged facts;
• the provisions of the Code allegedly violated or the manner in which the public interest has allegedly been affected;
• the actions or directions that the Board proposes to take or issue if the allegations are established;
• the manner in which the information utility is required to respond to the show cause notice;
• consequences of failure to respond to the show cause notice within the given time; and
• procedure to be followed for disposal of the show cause notice.

The show cause notice shall enclose copies of relevant documents and extracts of relevant portions from the report of investigation or inspection or other records. 

The show cause notice shall be served on the information utility in the following way-

• by sending it to the information utility as its registered office, by registered post with acknowledgement due; and
• by an appropriate electronic means to the email address provided by the information utility to the Board.

The Disciplinary Committee shall dispose of the notice by a reasoned order after giving the opportunity of being heard.  The Committee shall endeavor to dispose the notice within a period of six months of the issue of show cause notice.  The order may provide for no action, warning, or any action as under section 220(2) to (4) of the Act.

The order shall be effective only on expiry of 30 days from the date of issue of the order unless otherwise it is stated in the order along with the reasons for the same. 
The order shall be communicated to the information utility and also to be uploaded on the website of the Board.  If the order suspends of cancels the registration the information utility is to discharge the pending obligations and to continue its functions till such time as may be directed, only to enable users to transfer information stored with it to another information utility and to comply with any other directions.

An appeal may be filed within  a period of 30 days of the receipt of the order to the National Company Law Tribunal.

Exit Management plan

An information utility at all times shall have an exit management plan that shall include-

• mechanisms to enable users to transfer information to other information utilities expeditiously;
• mechanism for preservation and transfer of information; and
• timelines and cost estimates of implementing the exit management plan.

The exit management plan shall not be amended without the prior approval of the Board.

Surrender of registration

An information utility may submit an application for surrender of its certificate of registration to the Board, providing-

• the reasons for such surrender;
• details of its pending and on-going activities; and
• details of how the exit management plan shall be implemented.

The Board shall within seven days of receipt of the application, publish a notice of receipt of such application on its website and invite objections to the surrender of registration to be submitted within 14 days of the publication of notice.

The Board after considering the application and the objections received, if any, may approve the application for surrender of registration subject to such conditions as it deems fit.  The approval may require the information utility to discharge any pending obligations or continue such functions till such time as may be directed.  The Board after being satisfied that the requirements have been complied with, shall publish a notice on its website stating that the surrender of registration by the information utility has taken effect.