
Breach Notification (12 Credit Unions) Processor Coding Error

The DPC received separate breach reports from 12 credit unions that employed the services of the same processor, which was based in the UK. The breach by the processor arose from a coding error made by the processor when implementing measures introduced in response to the Covid-19 pandemic.

Credit unions are required to report information to the Central Bank of Ireland concerning their borrowers and the performance of their loans. The Central Bank utilises this information to maintain the Central Credit Register (or CCR). Lenders and credit rating agencies in turn use this information to verify borrowers’ debts and credit histories. A large number of lenders, particularly credit unions, use the services of data processing companies to prepare such CCR returns and forward them to the Central Bank.

During 2020, the Irish Government introduced a series of measures to mitigate financial distress caused by the pandemic and resulting lockdowns. These included measures allowing financial institutions to pause loan repayments without adversely affecting borrowers’ credit ratings. Lenders were instructed to use particular codes in the CCR returns to flag paused loans. This was intended to prevent those loans being interpreted as delinquent or otherwise suggesting that the relevant borrowers’ credit-worthiness had deteriorated.

In this incident the processor employed by the 12 credit unions used incorrect codes on CCR returns dealing with paused loans. The incorrect codes indicated that the borrowers affected had undergone a ‘restructuring event’ — a restructuring event typically occurs when a borrower is unable to repay a loan over the agreed period, and the lender agrees to change the loan’s terms to improve the borrower’s ability to repay. This can greatly reduce a borrower’s credit rating, so an inaccurate CCR record of a restructuring event could have serious consequences for the persons affected.

The credit unions in question became aware of the processor’s coding error in relation to their CCR returns several weeks after the processor first sent CCR returns for them using the incorrect codes to the Central Bank.