Bills Digest No. 83, 2019–20

National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Bill 2019

Treasury

Author

Jonathan Mills and Paula Pyburne

Go to a section

Introductory Info Date introduced: 5 December 2019
House: House of Representatives
Portfolio: Treasury
Commencement: Schedule 1 and Schedule 2, Part 3 commence the day after Royal Assent. Schedule 2, Part 1 commences on the later of the day after Royal Assent or 1 April 2021. Schedule 2, Part 2 commences immediately after Schedule 2, Part 1.

The Bills Digest at a glance

The National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Bill 2019 (the Bill) amends the National Consumer Credit Protection Act 2009 (Consumer Credit Act) to establish a comprehensive credit reporting regime. The mandatory regime will require large Authorised Deposit-taking Institutions (ADIs) to provide comprehensive credit information on consumer credit accounts to certain credit reporting bodies.

Schedule 1 achieves this purpose through provisions that substantially repeat the provisions of the lapsed National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018 (the 2018 Bill)[1] amending the Consumer Credit Act, as well as making consequential amendments to the Privacy Act 1988 . The 2018 Bill lapsed at the end of the 45th Parliament, on 1 July 2019.

The Bill requires large ADIs and certain other credit providers to supply comprehensive credit information to eligible credit reporting bodies—of which there are currently three.

The information that must be provided includes:

  • identification information, including name, date of birth and address
  • consumer credit liability information, including the name of the credit provider, type of consumer credit, and maximum amount of credit available
  • repayment history information, including whether or not an individual is obliged to make monthly payments in relation to a consumer credit agreement, and when those payments are due and payable
  • default information, including information about payments that are overdue, and steps taken to recover the overdue amounts
  • payment information including information about payments of overdue amounts that have been made by an individual and
  • new arrangement information, including information about variations to a consumer credit agreement.

The information is initially to be provided in two tranches commencing on 1 April 2020 and 1 April 2021 respectively.

Schedule 2 of the Bill contains new amendments to the Privacy Act establishing a financial hardship information scheme under that Act, as well as other matters. Schedule 2 also contains related amendments to the Consumer Credit Act. The proposed amendments will have the effect of permitting credit reporting bodies to collect, use, disclose and retain financial hardship information. This is not currently permitted.

The amendments will also permit credit providers to disclose financial hardship information to credit reporting bodies.

The proposed changes include certain safeguards for the financial hardship information scheme, such as a one year retention period, security requirements and an independent review of the system to be completed by 1 October 2023.

Purpose of the Bill

The primary purpose of the National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Bill 2019 (the Bill) is to amend the National Consumer Credit Protection Act 2009 (Consumer Credit Act) to establish a comprehensive credit reporting regime. The mandatory regime will require large Authorised Deposit-taking Institutions (ADIs) to provide comprehensive credit information on consumer credit accounts to certain credit reporting bodies.

Schedule 1 achieves this purpose through provisions that substantially repeat the provisions of the lapsed National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018 (the 2018 Bill)[2] amending the Consumer Credit Act, as well as making consequential amendments to the Privacy Act 1988. The 2018 Bill lapsed at the end of the 45th Parliament, on 1 July 2019.

Schedule 2 contains new amendments to the Privacy Act dealing with how financial hardship arrangements and information are to be dealt with under that Act, as well as other matters. Schedule 2 also contains related amendments to the Consumer Credit Act.

Accordingly, this Bills Digest substantially reproduces the Bills Digest prepared for the 2018 Bill by Paula Pyburne, with updated and additional commentary where required by new material that has been introduced in the Bill.

Background

Licensing arrangements

The Consumer Credit Act, which contains the National Credit Code, applies to credit contracts entered into, on, or after 1 July 2010[3] where:

  • the lender is in the business of providing credit
  • a charge is made for providing the credit
  • the debtor is a natural person or strata corporation
  • the credit is provided:
    • for personal, domestic or household purposes or
    • to purchase, renovate or improve residential property for investment purposes, or to refinance credit previously provided for this purpose.[4]

Under the Consumer Credit Act a person cannot engage in a credit activity if the person does not hold an Australian credit licence (AC licence).[5]

Establishing the credit reporting framework

The collection, use and disclosure of personal information in Australia is regulated by the Privacy Act.

In 1991, Part IIIA was inserted into the Privacy Act to extend its operation to consumer credit reporting.[6] It provides a framework for the collection, disclosure and use of credit-related information. The credit reporting provisions in Part IIIA facilitate the sharing of credit-related information between credit providers and credit reporting bodies. At present there are three credit reporting bodies in Australia—Equifax, Experian and Illion (formerly Dun and Bradstreet).[7]

Initially, the information that was shared related to ‘negative’ credit events.[8]

Negative reporting limits the collection of personal information to that which relates to an individual’s credit delinquency, such as defaults on payments or dishonoured cheques, and inquiries on the credit record. Positive credit reporting permits the collection of personal information which demonstrates an individual’s credit account activity, such as the timeliness of payments, account type, the credit limit and the amounts of credit liabilities.[9]

However the enactment of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (2012 Amending Act), (in response to a report by the Australian Law Reform Commission)[10] amongst other things:

  • set out five new kinds of personal information which would be reported and
  • did away with the concepts of ‘negative’ and ‘positive’ reporting, and instead introduced the concept of ‘comprehensive’ reporting.

Comprehensive credit reporting will give credit providers access to additional personal information to assist them in establishing an individual’s credit worthiness. The additional personal information will allow credit providers to make a more robust assessment of credit risk and assist credit providers to meet their responsible lending obligations. It is expected that this will lead to decreased levels of over-indebtedness and lower credit default rates. More comprehensive credit reporting is also expected to improve competition and efficiency in the credit market, which may result in reductions to the cost of credit for individuals.[11]

Those amendments did not commence until 12 March 2014.

Regulatory code

An industry-developed regulatory code for Australia’s credit reporting system was approved by the Office of the Australian Information Commissioner in 2014.[12] Participation in the expanded system was voluntary, with information being shared on a reciprocal basis (participants have access only to the types of information that they themselves have shared). The Australian Retail Credit Association formalised this arrangement through the Principles of Reciprocity and Data Exchange, which were approved by the Australian Competition and Consumer Commission (ACCC) in December 2015.[13] Notably, principle three:

... ensures that data meets a certain standard before it is exchanged, by requiring that shared data adheres to the Australian Credit Reporting Data Standard (ACRDS). The standardised system means that data is communicated in a way that it can be universally understood by other signatories to the PRDE [Principles of Reciprocity and Data Exchange].[14]

Current information shared

In the current voluntary credit reporting regime, credit providers (such as financial services firms and utility providers) and credit reporting bodies are permitted to share information related to:

  • a credit provider having sought a credit report (from a credit bureau) in relation to an application for credit by an individual, and the amount of the credit sought
  • an individual’s current credit providers
  • any credit defaults (which is the failure to meet legal repayment obligations) in the previous five years
  • a credit provider’s opinion that an individual had committed a serious credit infringement (such as credit fraud)
  • the type of credit account opened
  • the date the account was opened
  • the current limit of the account
  • the date on which the account was closed.[15]

In addition, ASIC-licensed credit providers are permitted to share information related to payment history, including:

  • whether the individual was meeting their payment obligations and
  • the number of repayment cycles the individual was in arrears.[16]

From voluntary to mandatory

Responsible lending obligations

All holders of a credit licence must comply with the responsible lending obligations.[17] The responsible lending obligations are aimed at better informing consumers and preventing them from being in unsuitable credit contracts. In particular:

  • before providing credit assistance to a consumer, a licensee must make a preliminary assessment about whether the contract will be unsuitable for the consumer. To do this, the licensee must make inquiries and verifications about the consumer’s requirements, objectives and financial situation[18] and
  • a licensee is prohibited from providing credit assistance to a consumer in relation to a credit contract if the contract will be unsuitable for the consumer.[19]

Lenders are not able to fulfil the responsible lending obligations where they have incomplete or inaccurate information about the creditworthiness of a potential borrower.

Recommendations for change

Financial System Inquiry

In December 2014, the Treasurer released the final report of Financial System Inquiry 2014 (known as the Murray Inquiry after the chair of the review, former CEO of the Commonwealth Bank David Murray AO) which examined the Australian financial system.[21]

Amongst other things, the Murray Inquiry acknowledged that, as the legislation which underpinned comprehensive credit reporting had come into effect in March 2014, the regime had not, at that time, been fully implemented. Nevertheless it noted:

Participation in [comprehensive credit reporting] is voluntary, so the pace and extent of eventual participation in the regime is not yet clear.

For credit providers, participation will depend on the perceived net benefits, which will differ between different classes of credit provider. For a major institution with a relatively large customer base, early and full participation may provide, at least initially, relatively larger benefits to other, smaller participants than for the institution itself.

As participation and system-wide data grow, net benefits increase for all CCR participants. Further credit providers that do not participate are at risk of adverse selection with respect to potential new borrowers; a risk that becomes more acute as industry participation increases.[22]

Accordingly, the Murray Inquiry recommended that the Government ‘support industry efforts to expand credit data sharing’ and if ‘participation is inadequate, Government should consider legislating mandatory participation’.[23]

Productivity Commission inquiry

The Productivity Commission released its final report of its inquiry into data availability and use in March 2017.[24]

For the purposes of that report, the Productivity Commission characterised financial data as information that is created in the provision and consumption of financial products and services, as well as data generated in the course of government regulation and supervision of the financial system.[25]

The Productivity Commission considered whether comprehensive credit reporting should be made mandatory or should remain voluntary. It considered that there were ‘compelling reasons to mandate participation in CCR’.[26]

Amongst other things, the perceived benefits of comprehensive credit reporting are:

  • additional availability of credit-related information would improve credit allocation and pricing so that at least some consumers would be able to access cheaper loans
  • allowing smaller financial businesses and potential new entrants to have access to a large pool of customer data may help to facilitate their entry into the market, which could boost competition and innovation in the finance sector[27]
  • if data collected and stored by credit providers is viewed as jointly owned with the customer then the customer should be allowed to share the data with third parties, including for the purposes of a credit assessment, regardless of whether their credit provider wishes to participate in CCR.[28]

On the other hand, compulsory comprehensive credit reporting ‘would impose costs on all finance sector businesses legally obliged to participate in the scheme’.[29] In addition, the much greater volumes of data could give rise to ‘data quality issues’.[30]

The Productivity Commission recommended:

The Australian Government should adopt a minimum target for voluntary participation in Comprehensive Credit Reporting of 40% of all active credit accounts, provided by Australian Securities and Investments Commission (ASIC)-licensed credit providers, for which comprehensive data is supplied to the credit bureaux in public mode. If this target is not achieved by 30 June 2017, the Government should circulate draft legislation by 31 December 2017, to impose mandatory participation in Comprehensive Credit Reporting (including the reporting of repayment history) by ASIC-licensed credit providers in 2018.[31] [emphasis added]

Move to a mandatory system

As stated above, the legislation to facilitate a voluntary system of comprehensive credit reporting commenced in March 2014. However, in September 2017, it was reported that ‘the figure for voluntary participation in a CCR framework is less than one per cent, and the dial has barely shifted for years’.[32]

The Government committed to implementing the recommendation of the Productivity Commission in the 2017–18 Budget.[33] In November 2017, the Government announced that it would legislate for a mandatory comprehensive credit reporting regime to come into effect by 1 July 2018, on the grounds that the 40 per cent target would not be met. According to then Treasurer, Scott Morrison:

The four major banks will be the first to face the mandated reporting, given they account for approximately 80 per cent of the volume of lending to households.[34]

The 2018 Bill

The 2018 Bill[35] contained provisions amending the Privacy Act and the Consumer Credit Act to mandate a comprehensive consumer credit reporting scheme. The 2018 Bill lapsed at the end of the 45th Parliament, on 1 July 2019, and its provisions are now reintroduced with slight alterations in Schedule 1 of the present Bill.

Financial hardship arrangements scheme

In addition to the provisions in Schedule 1 that reproduce the provisions of the 2018 Bill, Schedule 2 of the Bill introduces amendments to the Privacy Act and the Consumer Credit Act to establish a scheme for reporting of financial hardship information in the credit reporting system.

The amendments to implement the financial hardship reporting arrangements were developed following concerns raised in submissions made in response to the 2018 Bill and a review conducted by the Attorney-General’s Department over 2018–19.[36]

Most submitters to the Economics Committee inquiry into the 2018 Bill expressed concern about the interaction between the mandatory credit information and the hardship provisions which are contained in Part 4 of the National Credit Code.

There was a difference of opinion between submitters about the extent of reporting obligations when a debtor is in hardship. That issue lies with the requirement to provide the repayment history information which includes information about the day on which a monthly payment is due and payable and the meaning of that term.

There was a view that unless a credit default has already been listed on a consumer’s credit report, entering into a financial hardship arrangement should not affect a credit report because the consumer has come to a mutually acceptable arrangement to pay their debt.[37] To assist debtors guidelines have been published by the Office of the Australian Information Commissioner.[38]

Following the review of financial hardship arrangements undertaken by the Attorney-General’s Department, the Attorney-General issued a media release on 2 August 2019, outlining details of the Government’s proposed amendments:

New credit reporting arrangements will improve transparency for credit providers of customers who have entered into financial hardship arrangements and enable people experiencing financial difficulty to demonstrate good credit behaviour by complying with the hardship arrangement...

Currently, due to provisions in the Privacy Act, when a person is engaged in a hardship arrangement with one credit provider, this arrangement cannot be disclosed to other credit providers. This has seen circumstances arise where people who are struggling to repay one credit provider, are provided with another line of credit from a different provider. The changes announced today aim to address this situation and provide these people with more confidence to apply for hardship.

“Proposed changes to the Privacy Act will make sensible changes to allow for transparent and responsible lending practices where people are subject to hardship arrangements,” Attorney-General, Christian Porter said.

...

“Draft legislation will be released shortly to enable public consultation on the proposed changes which will introduce a new category of information within credit reporting, enabling hardship information to be reported alongside repayment history information.

“Under the proposed changes, hardship indicators will identify where a hardship arrangement is in place and whether a consumer is making payments in accordance with that arrangement.

“A separate indicator will show where there has been an agreed permanent variation to a credit contract. Hardship information will be subject to the same protections as repayment history information concerning collection, use and disclosure under the Privacy Act, but will be subject to a shorter retention period.

...

“Importantly, while hardship information will appear on a consumer’s credit report, credit reporting bodies will be prohibited from using hardship information to calculate a consumer’s credit score.”[39]

Treasury then conducted a consultation process on an exposure draft of the proposed amendments between August and September 2019.[40] Submissions to that process have not been made public.

Committee consideration

The Selection of Bills Committee recommended that the Bill not be referred to Committee for inquiry and report.[41] The Senate Standing Committee for the Scrutiny of Bills (Scrutiny of Bills Committee) made no comment on the Bill.[42]

However, the following Committees commented on the 2018 Bill.

Senate Standing Committee on Economics

The 2018 Bill was referred to the Senate Standing Committee on Economics (Economics Committee) for inquiry and report by 29 May 2018.[43]

The Economics Committee recommended that the 2018 Bill be passed and that the Government ‘consider expediting its review of financial hardship arrangements’.[44] Labor Senators on the Committee made additional comments, advising that they were ‘cautiously supportive’ of the measures in the Bill, but would:

... take a very careful look at both the government's approach to regulating the use of consumer financial data and whether any benefits of mandatory comprehensive credit reporting will flow through to consumers.[45]

Labor Senators recommended that the 2018 Bill be amended to delay the first stage requirement by 12 months to 1 July 2019 ‘in order to allow the Attorney-General's Department to complete its review of financial hardship arrangements and for the government to provide a response to this review’.[46]

The comments by submitters to the Economics Committee are canvassed below.

Senate Standing Committee for the Scrutiny of Bills

The Scrutiny of Bills Committee commented on the 2018 Bill in its report of 9 May 2018.[47]

The Scrutiny of Bills Committee acknowledged the importance of improving the administration of Australia's credit reporting regime. However, it expressed concern that requiring the disclosure of mandatory credit information has the potential to unduly trespass on the privacy of individuals—particularly the customers of the large ADIs contemplated by the Bill, as the information required to be disclosed includes a substantial amount of personal and financial information about individuals.[48] Additional comments made by the Scrutiny of Bills Committee are canvassed below under the heading ‘Key issues and provisions’.

Policy position of non-government parties/independents

In addition to the comments relating to the 2018 Bill by Labor senators on the Economics Committee, discussed above, the following comments have been made by non-government parties or independents in relation to the Bill.

Labor members indicated support for the Bill in the House of Representatives. However an intention was indicated to possibly introduce amendments in the Senate to allow individuals to access credit information more readily.[49]

Centre Alliance supports the Bill, but has expressed concerns regarding the financial hardship arrangements scheme in Schedule 2, echoing the concerns of various consumer groups as discussed below:

... we are concerned that the hardship arrangement indicators scheme, as outlined in schedule 2, may lead to unfair outcomes for people who are financially vulnerable. However, it has been noted by both the Financial Rights Legal Centre and the Consumer Action Law Centre that the retention of hardship information for a period of 12 months may ultimately mean people are less likely to reach out to credit providers to help for fear of having a hardship flag placed on their file. As noted by the Financial Rights Legal Centre, this may have a perverse impact on those families and businesses that are coming to terms with the financial consequences of the bushfires.[50]

Position of major interest groups

Arguments for compulsory credit reporting

A 2015 report by KPMG to the Australian Retail Credit Association outlines, amongst other things, the reasons for improved credit data exchange in the following terms:

The exchange of credit data between financial institutions is important to the ability of financial institutions to manage their credit risk—that is, the risk of loss arising from the default by a borrower in respect of money lent by the financial institution. Credit risk is the single largest financial risk faced by most banks and other lenders. Reflecting this, most episodes of bank distress or failure globally have arisen primarily because of inadequate management of credit risk. The management of credit risk is the single biggest factor that influences the prudential soundness of individual financial institutions and the stability of the financial system. [51]

Generally, submitters to the Economics Committee inquiry accepted that there are sound reasons for mandatory comprehensive credit reporting on economic grounds—although there were some qualifications.

The Australian Banking Association welcomed the removal of the existing information asymmetry between credit providers and credit applicants. Citing the New Zealand (NZ) model of comprehensive credit reporting, it noted that benefits identified in the NZ regime included:

  • giving credit providers a more accurate and complete picture of individuals’ credit worthiness, allowing them to make better assessments of risk and facilitate a more responsible lending decision
  • increasing competition in the credit industry by enabling access to better information and
  • opening mainstream credit to a wider pool of individuals who may otherwise be excluded due to a lack of verifiable information about them.[52]

Similarly, Dr Andrew Grant of the University of Sydney Business School stated that the ‘introduction of credit sharing should improve the amount of loans funded and the cost of loan funding for good borrowers’.[53]

Arguments against compulsory credit reporting

Problems for lower income applicants

The other side of that coin is addressed in the submission by the Queensland Law Society (QLS) to the Economics Committee. QLS acknowledged that the measures in the Bill enhance the ability of consumer credit providers to lend responsibly. However, the submission expressed concern that comprehensive credit reporting ‘may result in lower income applicants being charged more for credit due to greater differential pricing based on more available information’.[54]

The Financial Rights Legal Centre agreed, stating:

... some lenders are likely to use this increased information not to deny people credit where it appears their finances are already stretched, but to charge those customers more for credit. We may see a significant increase in price discrimination including an influx of expensive, priced-for-risk products, such as credit cards charging up to 48 per cent per annum for those deemed risky.[55]

Security of data

Of concern to some submitters was the need for enhanced privacy protections relating to notification, data quality, access and correction, and complaints.[56] According to the Office of the Australian Information Commissioner, ‘robust information handling practices will be essential to ensure the success and sustainability of this initiative’ ... ‘the Bill envisages active oversight by the OAIC, particularly of security issues arising in the mandatory comprehensive credit reporting system’.[57]

According to one commentator, requiring the banks to release loan data to third parties increases the risk of data breaches.[58] For example in 2017 US credit bureau Equifax was subjected to a cyber-attack affecting over 143 million Americans.[59] The data breach has led to increased risks of identity fraud and targeted scams.

Financial hardship arrangements scheme

In a joint submission led by the Financial Rights Legal Centre to the Attorney-General’s Department review of financial hardship arrangements discussed above, various consumer groups recommended against the recording of financial hardship information on consumer credit reports.[60] In particular, the submission notes ‘that any additional information permitted to be shared or held as part of the credit reporting system is inherently a further privacy intrusion and must be clearly justified in the public interest’ and that this presents the risk of discouraging consumers from seeking hardship assistance.[61] The submission states that if hardship is to be included in credit reports then regulatory controls should also be introduced to appropriately limit the uses of the information, for example to assessing new credit applications and not for pricing credit.[62]

Financial implications

The Explanatory Memorandum states that the Bill will have nil financial impact for the Government.[63]

However it is estimated that the ‘average regulatory cost associated with the mandatory credit reporting requirements is $8.2 million’.[64]

Statement of Compatibility with Human Rights

As required under Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011 (Cth), the Government has assessed the Bill’s compatibility with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of that Act. The Government considers that the Bill is compatible.[65]

Parliamentary Joint Committee on Human Rights

In consideration of the present Bill, the Parliamentary Joint Committee on Human Rights (Human Rights Committee) had no comment.[66]

The Human Rights Committee commented on the 2018 Bill in its report of 8 May 2018.[67]

The starting point for its consideration was Article 17 of the International Covenant on Civil and Political Rights (ICCPR) which prohibits arbitrary or unlawful interferences with an individual's privacy.[68] The right to privacy includes respect for informational privacy, including the right to respect for private and confidential information, particularly the collection, storing, use and sharing of such information. The Human Rights Committee noted that the introduction of a mandatory comprehensive credit reporting scheme engages the right to privacy by requiring large ADIs to supply comprehensive credit information to certain credit reporting bodies.[69]

The Human Rights Committee acknowledged:

Limitations on the right to privacy will be permissible where they are prescribed by law and are not arbitrary, they pursue a legitimate objective, are rationally connected to (that is, effective to achieve) that objective and are a proportionate means of achieving that objective.[70]

The Human Rights Committee noted, amongst other things, the safeguards that were in place to protect individuals' credit information in the 2012 Amending Act but was not satisfied that the Privacy Act would ‘constitute an effective safeguard for the purposes of the right to privacy in the context of this particular measure’.[71]

The Committee asked the Minister for additional information about the Bill. In particular, it sought information about whether the requirement to provide comprehensive credit information is sufficiently circumscribed, and information as to the adequacy and effectiveness of safeguards.[72]

The Minister responded to explain the objective of the measures and the safeguards limiting both the amount of data to be collected and the purposes to which it could be used, and the Human Rights Committee responded that ‘having regard to the information provided by the minister as to the safeguards in place to protect the right to privacy, the committee considers that the measure is likely to be a proportionate limitation on the right to privacy’.[73]

Key issues and provisions: Schedule 1—main amendments

Entities supplying credit information

Item 4 of Schedule 1 of the Bill inserts proposed Part 3‑2CA—Licensees supplying credit information to credit reporting bodies into the Consumer Credit Act. Part 3-2CA applies to:

  • an eligible licensee and
  • an eligible credit reporting body.

The holder of an AC license is an eligible licensee on 1 April 2020 or a later day provided that the licensee is a large ADI, or is a body corporate of a kind prescribed by the regulations and is a credit provider.[74]

The definition of large ADI is imported from the Banking Act 1959. Essentially, the Minister may, by legislative instrument, determine the kinds of ADIs that are large ADIs. The current legislative instrument provides:

  • a small ADI has less than or equal to $10 billion on a three year average of total resident assets
  • a medium ADI has between $10 billion and $100 billion on a three year average of total resident assets and
  • a large ADI is any ADI with greater than or equal to $100 billion on a three year average of total resident assets.[75]

Key issue—other credit providers

Some submitters to the Economics Committee expressed concern that the Bill restricts the compulsory credit reporting scheme to the major banks. For instance, Westpac has stated that it holds a firm belief that it should apply to all credit providers.[76] Westpac expressed its concern that whilst ‘the Government is open to including other [credit providers] at a later date, there appears to be no mechanism to monitor when other credit providers come on board and the speed at which that occurs’.[77]

On the other hand, the Customer Owned Banking Association (COBA) which is the industry association for Australia’s customer owned banking institutions such as mutual banks, credit unions and building societies, supported the Government’s decision to confine the measures in the Bill to large ADIs, for the time being, as it ‘avoids imposing unnecessary costs on smaller ADIs while creating a critical mass of CCR data to encourage all credit providers to undertake the investment needed to participate’.[78]

Entities receiving credit information

There are two instances in which a credit reporting body is an eligible credit reporting body (CRB) for a licensee.

The first is if, on 2 November 2017, there was in force an agreement between the credit reporting body and credit providers that required the credit providers to protect credit reporting information that is disclosed to them from misuse, interference and loss; and from unauthorised access, modification or disclosure—as required by subsection 20Q(2) of the Privacy Act.[79]

The second instance is where the conditions (if any) prescribed by the regulations are met.[80]

Application of Part 3-2CA

New Part 3‑2CA of the Consumer Credit Act applies in addition to the Privacy Act. That is, nothing in Part IIIA of the Privacy Act which contains the framework for the collection, disclosure and use of credit-related information, is changed by this Bill.

Scrutiny of Bills Committee comments

The Scrutiny of Bills Committee expressed its concern that ‘the [2018] Bill appears to leave a number of relatively substantial elements of the mandatory credit reporting scheme—which may have significant privacy implications—to delegated legislation’.[81] The Committee singled out the definitions of eligible licensee and eligible credit reporting body, which as discussed above, rely on elements to be prescribed in regulations. The Committee was concerned that this approach could weaken the protections conferred by the Privacy Act, in particular because:

a licensee that becomes an 'eligible licensee' after 1 July 2018 must make its initial bulk supply of mandatory credit information to a credit reporting body that meets conditions prescribed by the regulations—rather than to a reporting body with which the licensee has an agreement under paragraph 20Q(2)(a) of the Privacy Act.[82]

Information to be supplied

Proposed subsection 133CR(1) of the Consumer Credit Act requires an eligible licensee to supply mandatory credit information to each CRB for the licensee.[83] Under proposed section 133CP of the Consumer Credit Act, mandatory credit information for eligible credit accounts[84] held by natural persons is personal information for those accounts that is:

  • identification information about a natural person—being the individual’s full name; any alias or previous name; the individual’s date of birth; the individual’s sex; the individual’s current or last known address, and two previous addresses (if any); the name of the individual’s current or last known employer; and the individual’s driver’s licence number (if any)[85]
  • consumer credit liability information about a natural person is the name of the consumer credit provider; whether the provider is a licensee; the type of consumer credit; the day on which the consumer credit is entered into; the terms or conditions of the consumer credit that relate to the repayment of the amount of credit and that are prescribed by the regulations; the maximum amount of credit available under the consumer credit; and the day on which the consumer credit is terminated or otherwise ceases to be in force[86]
  • repayment history information—includes the day on which a monthly payment is due and payable; and if the individual makes the monthly payment after the day on which the payment is due and payable—the day on which the individual makes that payment[87]
  • default information—is information in relation to payments that are at least 60 days overdue and where the provider has given a written notice to the individual informing him, or her, of the overdue payment and requesting payment of that amount; the provider is not prevented by a statute of limitations from recovering the amount of the overdue payment; and the amount of the overdue payment is equal to or more than $150; or a higher amount as is prescribed by the regulations[88]
  • payment information—if a credit provider has disclosed default information about an individual to a credit reporting body; and on a day after the default information was disclosed, the amount of the overdue payment to which the information relates is paid; then payment information about the individual is a statement that the amount of the overdue payment has been paid on that day[89]
  • new arrangement information—if a credit provider has disclosed default information about an individual to a credit reporting body and because the individual is so overdue: the terms or conditions of the original consumer credit that relate to the repayment of the amount of credit are varied; or the individual is provided with other consumer credit; then new arrangement information about the individual is a statement that those terms or conditions of the original consumer credit have been varied, or that the individual has been provided with the new consumer credit.[90]

Timing for supply of information

First bulk supply

Under the Bill, an eligible licensee must supply mandatory credit information for at least 50 per cent of all of the eligible credit accounts held with the licensee (or with a member of a banking group of which the licensee is the head company[91]) on the first 1 April on which the licensee is an eligible licensee.[92] It will be up to the licensee to choose which eligible accounts make up the 50 per cent.

The general rule is that the first bulk supply of mandatory credit information to each eligible CRB for the licensee must occur before the end of the 90‑day period starting on the first 1 April on which the licensee is an eligible licensee.[93] This means that the first bulk supply of information must be completed by 29 June 2020.

There is an exception to this rule if the licensee reasonably believes that the CRB is not complying with section 20Q of the Privacy Act on 1 April. In that case, proposed section 133CS of the Consumer Credit Act sets out the procedures to be followed by the licensee as follows:

  • Step 1: the licensee prepares a written notice setting out the licensee’s reasons for its belief that the body is not complying with section 20Q of the Privacy Act on that 1 April and stating that the body may try to convince the licensee otherwise before the end of the 90‑day period starting on that 1 April[94]
  • Step 2: the licensee gives that notice to the credit reporting body, and a copy to the Information Commissioner and ASIC, within seven days after that 1 April[95]
  • Step 3: the licensee prepares a written notice (the final notice) reiterating the reasons for its belief that the body is not complying with section 20Q of the Privacy Act on the last day of that 90‑day period[96] and
  • Step 4: the licensee gives the final notice to the body, and a copy to the Information Commissioner and ASIC, within seven days after the last day of that 90‑day period.[97]

If, following steps 1 and 2, the licensee ceases to hold the belief that the CRB is not complying with section 20Q of the Privacy Act before the end of the 90-day period (called the cessation day)[98] the first bulk supply of mandatory credit information in respect of that CRB for the licensee must occur before the end of the 14-day period starting on the cessation day, or at the end of the 90 day period beginning on 1 April—whichever is later.[99]

Subsequent bulk supply

Under the Bill, an eligible licensee must supply mandatory credit information for all those eligible credit accounts held with the licensee (or with a member of a banking group of which the licensee is the head company) that were not supplied in the first bulk supply.[100]

The general rule is that the mandatory credit information is to be supplied before the end of the 90‑day period starting on the second 1 April on which the licensee is an eligible licensee.[101] The exception to the rule for the first bulk supply also operates for the subsequent bulk supply.[102]

Reporting to the Minister

The Bill sets out requirements for both licensees and eligible credit reporting bodies to give the Minister audited statements (in the form prescribed by regulation) about the mandatory comprehensive credit reporting regime following each of the initial bulk supply and the subsequent bulk supply. A failure to comply with the reporting requirement gives rise to a civil penalty[103] and is also an offence. The maximum criminal penalty is 100 penalty units for an individual and 500 penalty units for a body corporate.[104]

In its submission on the 2018 Bill, the Australian Banking Association (ABA) questioned the necessity of providing a statement of compliance to the Minister—given that it is ‘a regulatory impost which would duplicate the role of the regulator, ASIC’. The ABA stated its view that ‘only the one process of audited compliance reporting should be made to ASIC. These statements can then be provided by ASIC to the Treasurer’.[105] The Explanatory Memorandum to the Bill does not provide a rationale for the requirement.

How the supply is made

Under proposed section 133CQ of the Consumer Credit Act information must be supplied in accordance with the supply requirements which will be satisfied if the supply complies with:

  • the registered CR code—currently the Privacy (Credit Reporting) Code 2014 (Version 2)
  • an ASIC determination setting out the information that must be included in the supply
  • a technical standard that has been approved by ASIC in writing in relation to the supply of one or more kinds of information.[106]

Ongoing requirement to supply

The ongoing supply requirement in proposed section 133CU of the Consumer Credit Act complements those provisions. The section applies to a licensee which has supplied a CRB with mandatory credit information. If on a later day (called the trigger day) the licensee (or a member of a banking group of which the licensee is the head company), would reasonably be expected to have become aware that any of the events that are set out in the table in proposed subsection 133CU(1) have happened then the licensee must supply the CRB with the corresponding updated information referred to in the table. Those events are:

  • corrections to the information supplied to a credit reporting body which are necessary to keep the information accurate, up-to-date, complete, relevant and not misleading [107]
  • a payment has been made where default information has previously been supplied to the credit reporting body[108]
  • new accounts opened after the two initial bulk supplies of information have been supplied to credit reporting bodies[109]
  • default information comes into existence for an eligible account[110]
  • an event prescribed by the regulations, related to an eligible account or account holder.[111]

The general rule is that the supply of updated information must take must take place before the end of  the 45‑day period starting on the trigger day.[112] An exception to the rule operates in circumstances where the credit provider reasonably believes that the CRB is not complying with section 20Q of the Privacy Act, in an equivalent manner to that for the first and subsequent bulk supplies.[113]

Offences

The Bill creates a number of new offences, including:

  • a person commits an offence if the person is subject to a requirement to supply mandatory credit information for the first bulk supply (under proposed subsection 133CR(1)) or the subsequent bulk supply (under proposed subsection 133CR(3)) and the person engages in conduct which contravenes the requirement[114]
  • a person commits an offence if the person is subject to an ongoing requirement to supply mandatory credit information (under proposed subsection 133CU(1)) and the person engages in conduct which contravenes the requirement[115] and
  • a person commits an offence if the person must give a notice if a CRB later complies with information security requirements (under proposed sections 133CT or 133CW) and the person engages in conduct which contravenes the requirement.[116]

In each case the maximum penalty is 100 penalty units for an individual, being equivalent to $21,000 and 500 penalty units ($105,000) for a body corporate.[117]

Evidential burden

Item 3 of Schedule 1 of the Bill inserts the definition of the term evidential burden into subsection 5(1) of the Consumer Credit Act being, in relation to a matter, the burden of adducing or pointing to evidence that suggests a reasonable possibility that the matter exists or does not exist. The defendant bears the evidential burden in respect of elements of some of the offences in the Bill.

In comments on the 2018 Bill, the Queensland Law Society (QLS) was critical of the definition of evidential burden on the grounds that it ‘adopts a standard of proof contrary to that developed by the law over time’ and that its drafting will ‘create confusion rather than clarification’. QLS recommended that the definition should be changed to delete the reference to ‘a reasonable possibility’ and insert ‘in the case of a civil proceeding, on the balance of probabilities and, in the case of criminal proceedings, beyond a reasonable doubt’.[118]

On‑disclosing credit information

Proposed section 133CZA of the Consumer Credit Act applies to a credit reporting body in relation to protected information being:

  • any information that is supplied to the credit reporting body under Division 2 of new Part 3-2CA and
  • any CRB derived information that is derived from information that has been supplied under Division 2 of new Part 3-2CA.[119]

Regulations may prescribe:

  • the conditions in which a credit reporting body must disclose, or must not disclose, protected information to a credit provider
  • the kind or kinds of protected information which must be, or must not be, disclosed and
  • the time within which any disclosure must take place.[120]

Civil penalties apply to any breach of the requirements contained in the regulations relating to protected information.[121] In addition, a person commits an offence if the person engages in conduct which contravenes a requirement set out in proposed section 133CZA for the disclosure of protected information.[122] In that case, the maximum criminal penalty is 100 penalty units for an individual and 500 penalty units for a body corporate.[123]

ASIC’s role

ASIC may, by writing, appoint one or more suitably qualified persons or the members of one or more classes of suitably qualified persons as auditors.[124]

In addition, the Bill empowers ASIC to give a written notice to a Part 3-2CA body to provide a statement containing specified information about its compliance with that Part.[125] For the purposes of this obligation a Part 3‑2CA body is a person that is or has been an eligible licensee or an eligible credit reporting body for a licensee.[126] The written notice may be given at any time.[127]

ASIC may also require, in writing, the body to obtain an audit report prepared by a suitably qualified person before the statement is given to ASIC.[128]

A failure to comply with such a notice in the time stipulated in the notice gives rise to a civil penalty[129] and a criminal offence.[130]

Further, the Bill imposes obligations for a Part 3-2CA body to give ASIC certain information which is specified in the Regulations;[131] and to provide ASIC with assistance if it is reasonably requested.[132]

Review of the Part 3-2CA

The Bill requires the Minister to instigate an independent review of the operation of new Part 3‑2CA. The review is to be completed and a written report given to the Minister before 1 October 2023. The Minister is to table copies of the report in each House of the Parliament within 15 sitting days of that House after the report is given to the Minister.[133]

Schedule 1—other provisions

Item 11 of Schedule 1 of the Bill amends the Privacy Act by inserting proposed subsection 20Q(3) which requires a credit reporting body which holds credit reporting information to store that information in Australia or an external Territory or in accordance with any security requirements prescribed by the regulations for storing the information outside of Australia and the external Territories, and in accordance with any security requirements prescribed by the regulations.

Key issues and provisions: Schedule 2—financial hardship amendments

The proposed amendments in Schedule 2 will have the effect of permitting credit reporting bodies to collect, use, disclose and retain financial hardship information. This is not currently permitted.

The amendments will also permit credit providers to disclose financial hardship information to credit reporting bodies.

The proposed changes include certain safeguards for the financial hardship information scheme, such as a one year retention period, security requirements and an independent review of the system.

Financial hardship amendments to the Privacy Act

Items 1–13 of Schedule 2, Part 1, amend the Privacy Act to introduce a scheme for dealing with financial hardship information.

Relevant terms

Item 4 introduces the definitions of financial hardship arrangement and financial hardship information.

Proposed subsections 6QA(1)–(3) of the Privacy Act provide that a financial hardship arrangement is an arrangement where a credit provider provides consumer credit to person and:

  • the National Credit Code applies to the provision of the credit
  • the person is or will be unable to meet their credit obligations
  • as a result of the inability, an arrangement is made which is either a permanent variation to the terms of the consumer credit or a temporary relief from or deferral of the individual’s obligations.

It does not matter whether the person or credit provider initiated the arrangement.[134]

The arrangement may be ‘any kind of agreement, arrangement or understanding, whether formal or informal, whether express or implied and whether or not enforceable, or intended to be enforceable, by legal proceedings’.[135]

Item 5 inserts proposed subsections 6V(1A) and (1B) into the Privacy Act to provide that obligations to make repayments and related repayment history information is to be determined in light of obligations as affected by any financial hardship arrangement that is in place. In particular, if, under a financial hardship arrangement a person is not required to make a monthly payment for a month, then a monthly payment is taken to have been due and payable on the day on which it would have been due and payable apart from the arrangement and the person is taken to have met the obligation to make the monthly payment.

Proposed subsections 6QA(4) and (5) provide that financial hardship information is information used in determining repayment history information under financial hardship arrangements. In particular, proposed subsection 6QA(4) sets out the following information as financial hardship information:

  • where an arrangement is made under proposed subsection 6QA(1) for a permanent variation to the credit terms, information relating only to the first monthly payment affected by the arrangement, that indicates that it is the first monthly payment affected by the arrangement, and
  • where an arrangement is made under proposed subsection 6QA(1) for temporary relief or deferral of obligations, information relating to each monthly payment affected by the arrangement, that indicates that the monthly payment was affected by the arrangement.

Safeguards

Proposed subsection 6QA(5) of the Privacy Act provides that the above discussed information relating to a temporary relief or deferral of obligations does not fall within the scope of financial hardship information if the person met the obligation to make the monthly payment under the arrangement and the amount paid was equal to, or greater than, the amount that would have been due without the arrangement being in place.

Item 6 amends paragraph 20C(4)(e) to add financial hardship information as a class of information that is able to be collected by credit reporting bodies in the same circumstances and under the same conditions as already exist for repayment history information in section 20C of the Privacy Act. Similarly, item 7 adds financial hardship information alongside repayment history information as a source of credit reporting information that is protected through restrictions being imposed on the disclosure of the resulting credit reporting information under existing subsection 20E(4).

Item 8 further amends section 20E by adding proposed subsection 20E(7) to clarify that the existing exemptions allowing permitted disclosures of credit reporting information under subsection 20E(3) (for instance, disclosure permitted for credit reporting, dispute resolution and law enforcement purposes) do not apply to information from credit reporting bodies containing a credit score where the credit information from which the credit score is derived includes financial hardship information.

Item 9 adds financial hardship information to the list of credit information in paragraph 20G(2)(c) of the Privacy Act that credit reporting bodies are not permitted to use for purposes of direct marketing.

Item 10 adds an item to the table in section 20W to set the retention period for financial hardship information as one year, starting on the day on which the monthly payment to which the information relates is due and payable.

Existing section 21D of the Privacy Act provides that a credit provider must not disclose credit information about an individual to a credit reporting body unless certain conditions are met. For example, the information to be disclosed must not relate to something that occurred before a person turned 18, the credit must have been provided or applied for in Australia and the individual must have been given notice of 14 days if default information is to be disclosed. Additionally, if the information is repayment history information:

  • the credit provider must be a licensee or prescribed by the regulations
  • the consumer credit to which the information relates must be consumer credit in relation to which the provider also discloses, or a credit provider has previously disclosed, consumer credit liability information about the individual to the credit reporting body; and
  • the provider must comply with any disclosure requirements that are prescribed by the regulations.[136]

Item 11 adds financial hardship information to ‘repayment history information’ as information to which the above conditions must apply before a disclosure is permitted under section 21D.

Item 12 inserts proposed section 21EA to provide that financial hardship information must be disclosed to a credit reporting body if repayment history information is disclosed about an individual in relation to a monthly payment under section 21D and financial hardship information related to that monthly payment exists. There is a civil penalty of 500 penalty units if a credit provider fails to disclose the relevant financial hardship information under this section.

Item 13 adds financial hardship information to ‘repayment history information’ as information to which existing subsection 21G(4) applies. This has the effect of excluding credit eligibility information derived from repayment history information or financial hardship information from the information that may be otherwise disclosed in certain circumstances under section 21G. Note that existing subsection 21G(5) provides that disclosure of such information may still be made if the disclosure is:

  • to another credit provider who is a licensee
  • a permitted credit provider disclosure within the meaning of section 21L (to an Australian mortgage insurer for a relevant purpose)
  • to a related body corporate of the credit provider, for processing a credit application or managing credit, for recognised dispute resolution, or authorised under law, or
  • related to a serious credit infringement and made to an enforcement body.

Item 14 provides that the above amendments to the Privacy Act apply to arrangements made on or after their commencement, regardless of when the consumer credit was applied for.

Financial hardship amendments to the Consumer Credit Act

Items 15–21 of Schedule 2 introduce related amendments to the Consumer Credit Act.

These amendments introduce a definition of financial hardship information as having the same meaning as in the Privacy Act,[137] and ensure that financial hardship information is dealt with appropriately in the Consumer Credit Act.

Item 16 adds financial hardship information to the list of information that is considered to be mandatory credit information in proposed subsection 133CP(1).[138]

Item 17 inserts proposed subsection 133CP(3) into the Consumer Credit Act to clarify that mandatory credit information does not include financial hardship information that comes into existence before 1 April 2021 or more than three months before the first 1 April on which the credit provider (or head company) is an eligible licensee.

Item 18 inserts a proposed table item 4 into the table at proposed subsection 133CU(1), which sets out information to be supplied by a licensee to a credit reporting body on an ongoing basis, where certain events occur.[139] Proposed table item 4 requires financial hardship information to be supplied where it comes into existence on or after the later of 1 April 2021 or the day after the first day mandatory credit information for the account is supplied.

Item 19 inserts proposed subclause 67(1A) into the National Credit Code to ensure that a provision of a continuing credit contract has no effect where a provider seeks to rely on the provision to refuse further credit or reduce a credit limit merely because of financial hardship information about the debtor.

Schedule 2—other provisions

Items 24 to 33 introduce other amendments to the Privacy Act relating to a new category of non-participating credit provider.

Item 24 of Schedule 2 inserts a definition of non-participating credit provider into subsection 6(1), being a provider that has not and is not likely to disclose credit reporting information or credit eligibility information about an individual to a credit reporting body or another credit provider, and has not collected such information from a credit reporting body or another credit provider. Items 26, 30 and 31 add exemptions for such non-participating credit providers from relevant regulatory requirements.

Item 34 of Schedule 2 inserts proposed section 25B to require the Minister to cause an independent review to be conducted of the operation of the credit reporting system set out in Part IIIA of the Privacy Act. The review must be completed and presented to the Minister before 1 October 2023, and must be tabled in each House of Parliament within 15 sitting days.

Concluding comments

The most compelling problem highlighted by the submitters to the Economics Committee regarding the 2018 Bill was that of whether and/or how to comply with reporting obligations whilst at the same time preserving the privacy of those debtors who have entered into hardship arrangements. The amendments in Schedule 2 represent a response to these concerns following the review conducted by the Attorney-General’s Department and the subsequent consultation process carried out by Treasury.[140]