Chapter 1


Introduction

1.1        On 28 March 2018, the Senate referred the provisions of the National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018 (the bill) to the Economics Legislation Committee for inquiry and report by 29 May 2018.[1] On 22 May 2018, the committee requested an extension of time to report to 5 June 2018 to allow it to consider the evidence received and to conclude its deliberations.[2]

1.2        The bill implements the government's commitment announced in the 2017–18 Budget to mandate a comprehensive credit reporting (CCR) regime if credit providers did not meet a threshold of 40 per cent data reporting by the end of 2017.

1.3        The bill seeks to address the information asymmetry that currently characterises Australia's credit reporting system; that is, where a consumer has more information about their credit risk than the credit provider, resulting in the potential for mis-pricing and mis-allocation of credit.[3]

1.4        By correcting this information asymmetry, the bill seeks to allow credit providers to obtain a comprehensive view of a consumer's financial situation, enabling a provider to better meet its responsible lending obligations. The Assistant Minister to the Treasurer, the Hon Michael Sukkar MP, stated that the benefits of a mandatory CCR regime are:

...credit providers will be able to make lending and risk pricing decisions on the basis of comprehensive information, rather than a small fragment of the overall picture.

All lenders who participate in comprehensive credit reporting will have an enhanced capacity to meet their responsible lending obligations. Those obligations are an important part of consumer protection arrangements.

Small credit providers, including innovative fintech firms and new entrants, will be better able to serve customers and assess the lending capacity of potential borrowers.

Placing smaller lenders on a more level playing field with the major banks, in respect of access to credit information, will drive competition in the consumer lending market.[4]

1.5        The mandatory CCR regime also seeks to benefit consumers and small business as the lending market becomes more competitive and more effective at delivering loans. The Assistant Minister to the Treasurer stated:

Greater competition in the lending market should benefit consumers, by being offered greater access to finance and better pricing.

Those customers who are currently disadvantaged by the existing negative system—by having a thin credit file, or by having a single default marked against them—will have a better chance to build and repair their credit history prior to applying for a major loan.

Small-business owners, entrepreneurs, and sole traders will be empowered to borrow to build their businesses on the basis of strong consumer credit histories.[5]

Conduct of the inquiry

1.6        The committee advertised the inquiry on its website. It also wrote to relevant stakeholders and interested parties inviting written submissions by 20 April 2018. The committee received 13 submissions, which are listed at Appendix 1.

1.7        The committee held a public hearing in Melbourne on 15 May 2018 for this inquiry. A list of witnesses who appeared at the hearing can be found at Appendix 2.

1.8        References to the Committee Hansard are to the Proof Hansard and page numbers may vary between Proof and Official Hansard transcripts.

1.9        The committee would like to thank all the individuals and organisations that made written submissions and participated in the public hearing.

Context of amendments

Credit reporting—negative, positive and comprehensive credit information

1.10      Credit reporting involves credit reporting bodies collecting consumer and business credit information from a range of public and private sources, including from credit providers. This information is then used by credit reporting bodies to provide reports about an individual's or business' credit worthiness to credit providers.

1.11      A credit report usually includes a 'credit score' which is designed to give the credit provider an indication of the individual or business' ability to repay a line of credit. Consumers are also able to apply to access their credit report.[6]

1.12      The major credit reporting bodies in Australia are Equifax (formerly Veda), illion (formerly Dun & Bradstreet), and Experian.

1.13      Consumer credit information is often categorised as 'negative' or 'positive'. Negative consumer credit information includes credit application enquiries, payment defaults, bankruptcies and court judgements.

1.14      Positive consumer credit information can be categorised as 'Consumer Credit Liability Information' (CCLI) and 'Repayment History Information' (RHI).

  • CCLI includes: the type of credit account, how the consumer's credit is to be paid, whether the term of the credit is fixed or revolving, the length of the term, whether the credit is secured or unsecured.
  • RHI includes information about whether or not an individual has met an obligation to make a periodic payment that is due and payable in relation to consumer credit.[7]

2014 Privacy Act amendments

1.15      The Australian consumer credit reporting system is regulated by Part 3 of the Privacy Act 1988 (Privacy Act). Historically, in Australia, the information permitted to be shared between credit providers and credit reporting bodies was limited to negative consumer credit information.

1.16      In 2006, the Australian Law Reform Commission (ALRC) commenced an inquiry to address matters relating to the extent to which the Privacy Act and related laws continue to provide an effective framework for the protection of privacy in Australia. The ALRC tabled its inquiry report in 2008, in which it recommended that Australia adopt a system of comprehensive credit reporting to encourage more responsible lending.[8]

1.17      The Privacy Act was amended in 2012[9] to allow for the collection and disclosure of positive consumer credit information (CCLI and RHI) in addition to negative information, with the amendments coming into effect in March 2014. By allowing more diverse and positive information to be shared, these 2014 credit reporting reforms opened the door to comprehensive credit reporting and brought Australia more in line with credit reporting systems in other developed economies.

Financial System Inquiry

1.18      In December 2013, the then Treasurer, the Hon Joe Hockey MP, appointed an independent committee to examine how the financial system could be positioned to best meet Australia's evolving needs and support Australia's economic growth (the Financial System Inquiry (FSI)). The final report of the FSI was released in
December 2014.

1.19      The FSI recognised that:

More comprehensive sharing of credit data would reduce information imbalances between lenders and borrowers. It would also facilitate borrowers switching between lenders and greater competition among lenders. Overall, more comprehensive credit reporting would likely improve credit conditions for borrowers, including SMEs[10].  

1.20      The FSI also acknowledged industry efforts being undertaken at the time to implement a voluntary CCR regime through development of a data-sharing agreement—later formalised through the Principles of Reciprocity and Data Exchange (PRDE)—based on reciprocity between credit providers.[11]

1.21      The final report of the FSI noted that as participation in the CCR regime is voluntary, 'the pace and extent of eventual participation in the regime is not yet clear'.[12] The report recommended that if, over time, participation under the new voluntary CCR regime is inadequate, government should consider legislating mandatory participation.[13]

1.22      In its response to the FSI, the government agreed to support industry efforts to implement the CCR regime, but indicated it would not legislate for mandatory participation at this stage. The response noted that 'the CCR regime has been in place for a little over a year and authorised deposit-taking institutions are still in the process of working to participate in the regime'.[14]

Productivity Commission Inquiry—Data Availability and Use

1.23      In response to a recommendation of the FSI[15], in March 2016, the Treasurer tasked the Productivity Commission (the Commission) to undertake an inquiry into the benefits and costs of options for increasing availability and improving the use of public and private sector data by individuals and organisations.

1.24      The Commission reported that 'to date, none of the major banks has begun sharing comprehensive credit data publicly'.[16]  The Commission recognised that:

The incentives for an institution to participate in comprehensive credit reporting can be mixed and quite complex. Participation depends on the perceived net benefits, which will differ between different classes of credit provider.

For a major institution with a relatively large customer base, early and full participation may provide, at least initially, relatively small benefits than to other participants—thus diluting their competitive advantage.[17]

1.25      In light of the above, the Commission recommended that:

The Australian Government should adopt a minimum target for voluntary participation in Comprehensive Credit Reporting of 40% of all active credit accounts, provided by Australian Securities and Investments Commission (ASIC)-licensed credit providers, for which comprehensive data is supplied to the credit bureaux in public mode.

If this target is not achieved by 30 June 2017, the Government should circulate draft legislation by 31 December 2017, to impose mandatory participation in Comprehensive Credit Reporting (including the reporting of repayment history) by ASIC-licensed credit providers in 2018.[18]

1.26      The government agreed with this recommendation, giving the industry a further six months, to the end of 2017, to meet the 40 per cent target.[19]

Announcement to introduce mandatory regime

1.27      On 2 November 2017, the Treasurer, the Hon Scott Morrison MP, announced that the government would introduce legislation for a mandatory regime as it was clear the 40 per cent target would not be met. At the time of the Treasurer's announcement, participation was at less than one per cent.[20]

Draft bill released for consultation

1.28      On 8 February 2018, the government released exposure draft legislation: the National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018, and accompanying explanatory material, which proposed to legislate a mandatory CCR regime, for consultation. The closing date for submissions on the draft legislation was 23 February 2018, and the submissions are publicly available.[21]

Overview of the bill

1.29      The bill amends the National Consumer Credit Protection Act 2009 (Credit Act) and the Privacy Act to:

  • establish a mandatory CCR regime to apply from 1 July 2018;
  • expand the Australian Securities and Investments Commission's (ASIC) powers so it can monitor compliance with the mandatory regime; and
  • impose additional requirements as to where and how data held by a credit reporting body must be stored.

1.30      As noted in the Explanatory Memorandum, the mandatory CCR regime 'recognises that industry stakeholders have already taken steps to support sharing comprehensive credit information' (including the PRDE and Australian Credit Reporting Data Standard)[22] and that, to the extent possible, the mandatory regime 'operates within the established industry framework but also provides scope for future technological developments'.[23]

Application

1.31      The mandatory CCR regime will apply to 'eligible licensees' and their subsidiaries. An eligible licensee is a credit provider who holds an Australian credit license, and who is a 'large' Authorised Deposit-taking Institution (ADI) on
1 July 2018.  An ADI is considered large when its total resident assets are greater than $100 billion (i.e. the big four banks).[24]

1.32      Other credit providers will be subject to the regime if they are prescribed in regulations.[25] The government expects that regulations would be made after the mandatory regime has been in operation for a period of time and other credit providers are not voluntarily supplying data.[26]

Implementation

1.33      Those credit providers who are eligible licensees as at 1 July 2018 will be required under the mandatory CCR regime to undertake an initial bulk supply of credit information. This initial bulk supply of credit information is split across two years:

  • By 28 September 2018 (within 90 days of the mandatory regime's commencement), large ADIs must supply credit information on 50 per cent of the consumer credit accounts within the banking group to all credit reporting bodies the large ADI had a contract with on 2 November 2017.
  • By 28 September 2019, large ADIs must supply credit information on the remaining accounts, including those that open after 1 July 2018 and those held by subsidiaries of the large ADI to the same credit reporting bodies as the first bulk supply.[27]

1.34      Large ADIs that have supplied credit information under the mandatory CCR regime will also be subject to an ongoing requirement to keep information accurate, complete and up-to-date, including by providing information on subsequently opened accounts.[28]

Meeting obligations under the mandatory regime

1.35      To meet its obligations under the mandatory CCR regime, a credit provider must supply 'mandatory credit information' on its 'eligible credit accounts' to all 'eligible credit reporting bodies'.[29]

1.36      'Mandatory credit information' is 'credit information' as defined by the Privacy Act. It includes:

  • identification information;
  • consumer credit liability information;
  • repayment history information;
  • default information;
  • payment information; and
  • new arrangement information.[30]

1.37      An 'eligible credit account' is defined in the bill as an account on which 'consumer credit' is or can be taken that is held by a natural person. Consumer credit is defined in the Privacy Act, and includes credit for personal, family or household purposes or to purchase or renovate a house (i.e. mortgage accounts, credit cards, overdraft facilities and personal loans).[31]

1.38      The regulation making power in the bill enables the prescription of a type of credit account which is not an eligible credit account. The government expects that this regulation making power could be used where the supply of information of some accounts is not necessary to ensure transparency within the mandatory CCR regime and may impose a disproportionate regulatory burden on a credit provider. [32]

1.39      An 'eligible credit reporting body' for an eligible licensee that must meet the bulk supply requirements on 1 July 2018 is defined as 'a body that had a contract with the licensee under paragraph 20Q(2)(a) of the Privacy Act on 2 November 2017'.[33]

Monitoring and compliance

1.40      ASIC is responsible for administering the Credit Act. The bill extends ASICs monitoring and compliance powers—including enforcement, information gathering and investigative powers—to cover eligible licensees and credit reporting bodies in the mandatory CCR regime.[34]

1.41      Credit reporting bodies are currently regulated by the Privacy Act and Privacy Code and the Office of the Australian Information Commissioner (OAIC). As a result of amendments in the bill, credit reporting bodies who receive mandatory credit information will be regulated by ASIC for the purposes of the mandatory CCR regime.

1.42      The amendments proposed in the bill provide ASIC with the ability to:

  • seek information from an eligible licensee and credit reporting body;
  • seek assistance from an eligible licensee and credit reporting body; and
  • inspect books or seek information from a third party.[35]

1.43      The bill proposes that new civil and criminal penalties and offence provisions be included in the Credit Act where a licensee or a credit reporting body does not meet their obligations under the mandatory CCR regime. These include the following:

  • ASIC may seek a civil penalty where an eligible licensee fails to supply credit information as required under the mandatory regime.
  • ASIC may seek a civil penalty where a credit reporting body does not disclose, or where it discloses when it should not, information that it has received under the mandatory regime.
  • ASIC may also seek a criminal sanction if either a licensee or credit reporting body has breached a requirement under the mandatory regime.[36]

1.44      Circumstances in which ASIC may seek a criminal sanction include:

...failing to make the initial bulk supplies or ongoing supply of credit information when the eligible licensee reasonably believes the credit reporting body is meeting its security requirements in the Privacy Act, failing to supply statements to the Treasurer or failing to notify the credit reporting body, ASIC and the Information Commissioner when the licensee subsequently believes the credit reporting body is meeting the security requirements.[37]

1.45      The penalty regime applied as part of the mandatory CCR regime is consistent with that already existing under the Credit Act. Civil penalties sought by ASIC must be imposed by a court. The maximum penalty that could be applied under the mandatory CCR regime is 2000 penalty units for an individual (currently $420,000) and 10,000 penalty units for a body corporate (currently $2.1 million). The maximum criminal penalty that can be applied is 100 penalty units ($21,000) for an individual.[38]

1.46      The explanatory memorandum notes that the government intends make a regulation under the existing powers of the Credit Act for the purposes of the mandatory CCR regime to provide ASIC with the ability to issue infringement notices as an alternative to pursuing civil proceedings in court.[39] To date, an exposure draft of this regulation has not been released.

1.47      In addition to the monitoring and compliance measures outlined, credit providers and eligible credit reporting bodies will be required to provide statements to the Treasurer relating to their compliance with the initial bulk supply of credit information under the mandatory regime. Statements must be provided to the Treasurer within 6 months of both the first and second bulk supply.[40]

Privacy and security of data

1.48      The amendments proposed in the bill 'do not require or allow disclosure, use or collection of credit information beyond what is already permitted under the Privacy Act and Privacy Code'.[41] The bill is reliant on the existing protections under the Privacy Act and Privacy Code, as well as the oversight of the OAIC,[42] to preserve the security and privacy of consumers’ credit information.[43]

1.49      However, the bill amends the Privacy Act such that credit reporting bodies will have a new obligation as to where credit reporting information is stored. Specifically, credit reporting bodies will be required to store credit reporting information in Australia, with a service that is a certified Cloud Service listed by the Australian Signals Directorate (ASD), or that meets the conditions of the Privacy Code.[44]

1.50      Section 20Q of the Privacy Act requires a credit reporting body to take reasonable steps to protect the information it receives, including from misuse, interference and unauthorised access.

1.51      The bill enables a licensee to withhold the supply of mandatory credit information where a licensee does not believe the credit reporting body is meeting its information security obligations under the Privacy Act. In such circumstances, a licensee is required to notify the credit reporting body, ASIC and the Australian Information Commissioner.[45] The bill sets out the process and timeframes relating to these notification obligations.[46]

1.52      The intent of these provisions of the bill is to ensure that 'a licensee's ability to have its own security requirements for the information it discloses is not weakened'.[47]

Statutory review

1.53      The bill contains a statutory review provision, whereby the Treasurer must cause an independent review of the mandatory CCR regime to be completed by
1 January 2022.[48] The Assistant Minister to the Treasurer outlined the government's expectations of the review:

We expect that this review will provide an opportunity for the government to confirm that the system is operating as intended; and to consider the impacts of the system on consumers and industry, whether the scope of the system should be expanded, and whether alternate frameworks for credit reporting would be more appropriate given technological changes or, again, changes in the security environment.[49]

Legislative scrutiny

1.54      In its Scrutiny Digest 5 of 2018, the Senate Standing Committee for the Scrutiny of Bills noted that the bill leaves significant elements of the proposed mandatory CCR regime to delegated legislation, and is seeking advice from the Treasurer as to the appropriateness of leaving matters that may have significant impacts on individuals' privacy to delegated legislation.[50]

1.55      In its Scrutiny Report 4 of 2018, the Parliamentary Joint Committee on Human Rights raised questions as to the compatibility of the mandatory CCR scheme with the right to privacy and is seeking advice from the Treasurer as to: whether there is reasoning or evidence that establishes that the stated objective addresses a pressing or substantial concern or whether the proposed changes are otherwise aimed at achieving a legitimate objective;  how the measure is effective to achieve (that is, rationally connected to) that objective; and whether the limitation is a proportionate limitation on the right to privacy (including whether the requirement to provide comprehensive credit information is sufficiently circumscribed, and information as to the adequacy and effectiveness of safeguards).[51]

Review of financial hardship arrangements and OAIC guidance

1.56      Financial hardship arrangements are currently regulated under the National Credit Code in the National Consumer Credit Protection Act 2009 (NCCP Act). However, under the Privacy Act, a person who has entered into a hardship arrangement with a credit provider does not have that arrangement reflected in their RHI or, consequently, in their consumer credit report. Stakeholders in the government's consultation on the draft legislation, as well as to this inquiry, highlighted this as a significant issue to be resolved as a priority.

1.57      On 28 March 2018, the Attorney-General, the Hon Christian Porter MP, announced that the government will conduct a review of financial hardship arrangements, including looking into the intersection between hardship arrangements and the credit reporting framework.[52]

1.58      As noted in the Attorney-General's announcement:

The review will respond to concerns raised by industry and consumer-advocacy groups around how hardship arrangements are treated and will make recommendations on whether reforms are required.[53]

1.59      The review is expected to be completed by late 2018.

1.60      In an effort to enhance clarity in regards to the way credit providers report information about an individual's RHI to credit reporting bodies, the OAIC has published guidance about the reporting of RHI and default information in circumstances of financial hardship. The OAIC has also published guidance about the meaning of 'repayment history information' where a consumer credit contract is varied or an arrangement, known to the industry as an indulgence, is in place.[54]

Compatibility with Human Rights

1.61      As required under the Human Rights (Parliamentary Scrutiny) Act 2011, the government has assessed the bill's compatibility with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of that Act. The government considers that the bill is compatible.[55]

Navigation: Previous Page | Contents | Next Page