National EGovernance Services Limited (NeSL) has been registered by the Insolvency and Bankruptcy Board of India (IBBI) as an Information Utility (IU) as per the IBBI (Information Utilities) Regulations, 2017. NeSL had received in-principle approval in June this year, which has now been finalised. The registration will remain valid for a period of five years. NeSL is expected to become functional in a year’s time.

As an IU, NeSL will be the repository of all lending and borrowing transactions of financial institutions in the country and will be accessible to registered users, which will be a big help for the National Company Law Tribunal (NCLT) to make decisions in cases under the Insolvency and Bankruptcy Code, 2016.

IU stores financial information that helps to establish defaults as well as verify claims expeditiously and thereby facilitates completion of transactions under the Insolvency and Bankruptcy Code, 2016 in a time bound manner. It constitutes a key pillar of the insolvency and bankruptcy ecosystem, the other three being the Adjudicating Authority (National Company Law Tribunal and Debt Recovery Tribunal), the IBBI and Insolvency Professionals.

NeSL is owned by a group of 17 well-known public institutions, including Life Insurance Corporation of India, State Bank of India, Canara Bank, Bank of Baroda, ICICI Bank Ltd., Axis Bank Ltd., Karnataka Bank Ltd., HDFC, Indian Bank, Punjab National Bank, New India Assurance Company Ltd., Union Bank of India, Central Depository Services (India) Ltd., Dena Bank, NABARD, United India Insurance, and SIDBI.

Once NeSl has set up the IU, users will be able register in order to submit and access their financial information:

Registration of users

(1) A person shall register itself with an information utility for- (a) submitting information to; or (b) accessing information stored with any of the information utilities.

(2) The information utility shall verify the identity of the person under sub-regulation (1) and grant registration.

(3) Upon registration of a person under sub-regulation (2), the information utility shall intimate it of its unique identifier.

(4) A person registered once with an information utility shall not register itself with any information utility again.

(5) An information utility shall provide a registered user a functionality to enable its authorised representatives to carry on the activities in sub-regulation (1) on its behalf.

(6) An information utility shall- (a) maintain a list of the (i) registered users; (ii) the unique identifiers of the registered users; and (iii) the unique identifiers assigned to the debts under Regulation 20. (b) make the list under clause (a) available to all information utilities and the Board.

It’s worth noting here that when other IUs are set up, users will be able to ” access information stored with an information utility through any information utility,” i.e., they won’t have to register with more than one IU.

In regards to accessing information stored with an IU:

Access to information

(1) An information utility shall allow the following persons to access information stored with it- (a) the user which has submitted the information; (b) all the parties to the debt and the host bank, if any, if the information is of the categories in section 3 (13) (a), (c) and (d); (c) the corporate person and its auditor, if the information is of the categories in section 3 (13) (b) and (e); (d) the insolvency professional, to the extent provided in the Code; (e) the Adjudicating Authority; (f) the Board; (g) any person authorised to access the information under any other law; and (h) any other person who the persons referred to in (a), (b) or (c) have consented to share the information with.

(2) An information utility shall in all cases enable the user to view- (a) the date the information was last updated; (b) the status of authentication; and (c) the status of verification while providing access to the information.

(3) An information utility shall provide information to the Adjudicating Authority and Board free of charge.

On the users part, they need to ensure that:

Duties of the user

(1) A user shall expeditiously update the information submitted by it to an information utility.

(2) A user shall expeditiously correct information as soon as it finds it erroneous, stating the reasons, if any.


This month we learnt that two financial institutions in the United States – one private, and one public – suffered massive data breaches, which they weren’t even able to detect till months later. Then we have our very own UIDAI and the government of India, and their misadventures with the personal data of Indian citizens. In this scenario, the news of NeSL being registered as an IU isn’t the most comforting. The IBBI (Information Utilities) Regulations, 2017 mentions that IU’s need to set up a Grievance Redressal Committee, should appoint a Compliance Officer, and even has provisions for Risk Management, but in regards to data storage this is all that’s mentioned:

Storage of information

(1) An information utility shall store all information in a facility located in India.

(2) The facility under sub-regulation (1) shall be governed by the laws of India.

RBI’s Public Credit Registry

Earlier this year, RBI’s Deputy Governor Viral Acharya had made the case for a Public Credit Registry (PCR), which incorporates unique identifiers for borrowers: Aadhaar for individuals, and Corporate Identification Number for companies.

“Such registers help in enhancing efficiency of the credit market, increase financial inclusion, improve ease of doing business, and help control delinquencies. Incorporating unique identifiers for the borrowers (Aadhaar for individuals and CIN for companies), Reserve Bank’s BSR1 and CRILC datasets can quickly be converted into a useful PCR [Public Credit Registry] covering customers of SCBs [Scheduled Commercial Banks] to start with. It can then be expanded to cover other financial institutions in India. A comprehensive PCR down the road will be even more effective,” Acharya had said.

Also Read: The era of public databases of personal data