Lesotho’s Credit Reporting Act 2011 establishes a supervised, registration based framework that governs how credit information is collected, stored, used, and shared. The Act empowers the Central Bank of Lesotho, acting through the Governor, to register and oversee credit bureaus, to enforce standards of accuracy and confidentiality, and to protect consumers through access rights, correction procedures, security safeguards, and defined periods for retention and public display of information. The law applies to processing by local and foreign bureaus, as well as suppliers and users of credit data, and it excludes only information that has been deidentified in a manner that cannot be reversed.
Operating a credit bureau is a licensed activity. No person may collect, record, collate, store, or disseminate consumer credit information as a business unless registered as a credit bureau. Applicants must demonstrate qualified personnel, adequate financial and operational capacity, and client service systems that resolve queries promptly and with courtesy. The Governor may request additional information, refuse an application that does not meet statutory requirements, publish registrations and cancellations in the Gazette and other media, and cancel a registration for contraventions. Natural persons may not be registered as credit bureaus, and each registered entity must use its allocated registration number.
Only defined sources may lawfully supply information to a credit bureau. These sources include organs of state, courts, credit providers, insurers, educational institutions, employers, and debt collectors. Before or at the time of supplying data, the contributor must notify the consumer of the information being furnished, the identity of the receiving bureau, the lawful purpose for the disclosure, and the bureau’s address. Contributors must provide information that is relevant, accurate, complete, and not misleading, and they must keep it updated. Bureaus and contributors must implement technical and organisational measures to prevent loss, damage, unauthorised destruction, or unlawful access, and information that has been removed following a dispute may not be resubmitted without a proper basis.
Use of credit information is limited to lawful purposes set out in the Act. These purposes include assessing creditworthiness and affordability before granting credit, prescreening of prospective clients, investigations by law enforcement and statutory bodies, detection of economic crime and identity theft, insurance underwriting and claims assessment, verification of qualifications and employment, assessment of applicants for roles where good credit standing is inherent to the position, tracing of debtors, and analysis of debtor books for legitimate business decisions. Any other use is prohibited.
Consumers have the right, upon adequate proof of identity, to obtain their credit information from a registered bureau within sixty days. At least one report per year must be provided without charge, and additional reports may be provided for a reasonable fee. Consumers may request the correction or removal of information that is incorrect, incomplete, misleading, or out of date, and the bureau must investigate and respond within the prescribed period. A bureau may not display information that it is not authorised to display and may not report a disputed entry while an investigation is underway. The Governor determines retention and display periods in line with international norms, and limited internal retention for research and scoring may be permitted within those standards.
Credit providers must take reasonable steps before extending credit to assess the consumer’s likelihood of paying on time and the consumer’s ability to meet the terms of the agreement. Providers may use data from registered bureaus for this purpose, and failure to conduct a proper assessment is an offence.
Cross border processing of credit information is allowed only where the destination offers adequate protection that is consistent with the Act and with international principles for personal information, or where an approved code of conduct applies, or where the consumer has given express consent. If none of these conditions is present, transfers outside Lesotho are restricted.
Complaints may be directed to accredited alternative dispute resolution, to the Governor, or to the Data Protection Commission in matters that concern information protection. The Governor may investigate complaints and issue a compliance notice that identifies the breach and the remedial steps required. A recipient of a compliance notice may object to the Ombudsman within the statutory time frame. Hindering administration of the Act or failing to comply with a compliance notice is an offence, and penalties include a fine of up to M250,000. The Governor may also make regulations after a process of public consultation.
For lenders, credit bureaus, and consumers, the practical outcome is straightforward. Register before carrying out bureau activities. Notify consumers when supplying data. Keep records accurate, secure, and confidential. Limit use of credit information to the lawful purposes in the Act. Honour access and correction requests within the timelines. Manage cross border transfers only under the permitted grounds. Be ready to evidence compliance to the Central Bank of Lesotho on request.