1.1
Labor Senators are cautiously supportive of the measures set out in this
bill but will take a very careful look at both the government's approach to
regulating the use of consumer financial data and whether any benefits of
mandatory comprehensive credit reporting will flow through to consumers.
Repayment history information and the handling of hardship
1.2
Stakeholders from across the industry spectrum expressed concern that
consumers could be left worse off if repayment history information was supplied
to credit reporting bodies before the Attorney-General's Department completed
its review of how hardship should be managed within the credit reporting
framework.
1.3
The joint submission from the Financial Rights Legal Centre, the
Consumer Action Law Centre, Financial Counselling Australia, the Australian
Privacy Foundation and the Australian Communications Consumer Action Network
made it clear that the government has to date not addressed problems with the
current treatment of financial hardship within repayment history information:
The current legislative silence on the interaction of
hardship and RHI is unhelpful to all stakeholders. The law, the Credit
Reporting Privacy Code or regulatory guidance should make it clear that where
there is a change to the payment arrangement with a consumer, and the consumer
is meeting their payment obligations under this arrangement, then RHI should
reset to zero.
Consumer Representatives strongly disagree with the Office of
the Australian Information Commissioner's (OAIC's) interpretation of when an
amount is 'due and payable' under the Privacy Act as per its guidance that was
recently published on its website. The OAIC has limited its interpretation of 'due
and payable' to the legal entitlement to maintain an action for recovery, but
has not considered the requirements under the Credit Act which impact directly
on when an action for recovery can be maintained.[1]
1.4
In short, the determination from the OAIC is based only on its
responsibilities for regulating under the Privacy Act 1988. Consumer advocates
argue that any policy position on the treatment of financial hardship must look
at the Privacy Act 1988 in conjunction with the National
Consumer Credit Protection Act 2009.
1.5
If there were any doubts as to the need to clarify the treatment of financial
hardship, the government, by initiating its own review of financial hardship
arrangements, has confirmed that this problem needs to be resolved.[2]
1.6
This legislation would require major authorised deposit-taking
institutions (ADIs) to supply customer repayment history information to credit
reporting bodies in addition to other data sets[3] by 1 July 2018, before the Attorney-General's review will be complete.
1.7
The Australian Banking Association (ABA) confirmed this problem of
reporting repayment history information before an agreed position on the
reporting of financial hardship had been set:
Without an agreed resolution and legislative change, the
credit standing of those customers who are unable to meet their repayment
obligations due to financial hardship are likely to be detrimentally affected.
They are likely to be lumped together with those customers who simply don't
comply with their repayment obligations.
Ideally, if the completion of the Attorney-General's
Department's review can be brought forward, this increases the probability of a
fairer and more favourable outcome for consumers, banks and other credit
providers in the credit reporting system, and with the transition of RHI within
the mandatory CCR legislation to be preceded by a settlement.[4]
1.8
ANZ went even further and requested:
...that the Attorney-General's Department (AGD) finalise its
review before major banks are required to report repayment history information
(RHI).[5]
1.9
The Australian Retail Credit Association also acknowledged there would
be problems if the current legislative timetable were adhered to and advocated
that the review be brought forward:
ARCA believes that the Government review is an ideal
opportunity to ensure that consumers experiencing financial difficulty are
protected, and the tools available to lenders to lend responsibly are
strengthened. We note, however, that the review is due to report its
recommendations in late 2018. As noted below, in the absence of a means in
credit reports to identify consumers who have experienced hardship, the
repayment history information reported for those consumers could be misleading.
Given this issue will become more significant as the number of credit providers
supplying comprehensive credit data increases, we strongly urge that this
review be brought forward.[6]
1.10
When concerns about the handover of data before the completion of the
review were raised at the hearing, the OAIC responded with:
Senator KETTER: Can you see any concerns with data
being handed over before the hardship review is complete?
Ms Falk: I agree that there are complex issues raised
by this, and that there are differing views from stakeholders in relation to
how these provisions should operate in practice.[7]
1.11
The Australian Finance Industry Association also stated:
Senator KETTER: Do you agree with the Financial Rights
Legal Centre when they say that the current legislative silence on the
interaction of hardship and repayment history information is unhelpful to all
stakeholders?
Ms Gordon: What is difficult in relation to this
situation is that there are two laws and then there is other stuff that is
relevant.[8]
1.12
The Financial Rights Legal Centre clearly stated that there would be
negative outcomes for consumers if this legislation was passed before the outcome
of the Attorney-General's review and supported a one-year delay to allow the
review to be completed:
Senator KETTER: What do you think, in a practical
sense, are the detriments that consumers might suffer if we don't have the
review done before the legislation commences? How does that impact on
consumers?
Mrs Davis: For consumers currently in financial
hardship, we think that it means that their RHI is just going to be inaccurate
in a lot of cases. As consumer advocates who advise consumers on the National
Debt Helpline—and between our organisations we answer 50 per cent of those
calls across the country—we need to be able to tell people: 'When you ask your
bank for hardship, be aware there's a good chance they're still going to report
your RHI as late. Make sure you get from them, in writing, a commitment that
they won't do that. If they won't give you that commitment, you need to lodge a
complaint with the Financial Ombudsman.' So, in a practical sense, we will be
encouraging most consumers in that situation to immediately lodge a complaint.
Otherwise their RHI is going to be tarnished immediately, which we believe will
affect their credit score—though credit scores are totally unregulated, so who
knows how that's going to work out?
So we think the immediate detriment will be an increase in
consumer complaints, mostly driven by us—and we're glad about that, because we
think it's a systematic breach of the credit act—and damage to people's credit
ratings when really they should have their RHI untarnished if they have made an
arrangement with their bank. We think that, in the long run, it's only going to
disincentivise people from reaching out to their banks about hardship, and it's
just going to give new life to the credit repair universe.
Senator KETTER: In your previous answer, I think you
mentioned that you support a couple of years delay to the requirement for RHI
to be reported. Would you support a one-year delay?
Mrs Davis: We would, because I believe the
Attorney-General's Department is aiming to have its recommendations done in
time to table legislation in time to have it all in place by July 2019.
Obviously, if their review is not completed or new legislation that's required
hasn't actually passed, we're in this problem all over again. But I do think a
one-year delay gets us a lot closer than no delay.[9]
1.13
In terms of responsible lending, consumer advocates made it quite clear
that the passage of this bill is not going to impede financial institutions
from making responsible lending decisions:
CHAIR: Surely, though, the obligation on lenders to
inquire about income and expense information requires an honour system of the
client themselves, which this bill will largely overcome.
Ms Temple: Under the legislation they need to make
inquiries about people's financial situations, needs and objectives. But they
also need to verify that information. The verification is a critical step and
until now has often been where the lenders have fallen down. While credit
reports may provide some extra information they can use to verify people's
situations, they still won't provide a full picture of what's happening in
their lives. The reality is that people tend to prioritise making debt
repayments over other essentials, like rent and food, even in our experience.
So we don't see credit reports as the silver bullet to fix irresponsible
lending.[10]
1.14
In response to this evidence, Labor Senators believe it is quite
reasonable for the contested dataset, repayment history information, to be
supplied only after the Attorney-General's review is complete and the government
has responded to its recommendations.
Concerns raised about cybersecurity risks
1.15
This legislation will lead to a significant increase in the data held on
consumers by credit reporting bodies. This obviously increases risks of
breaches and dramatically escalates the consequences should a breach occur.
1.16
Given the 2017 Equifax data breach in the United States where
approximately 143 million American consumers had personal and financial data
exposed[11], it is important that Australia learns from this experience and
ensures that the comprehensive credit reporting framework provides sufficient
incentives and penalties for entities who handle this information.
1.17
Labor Senators note Treasury comments in the explanatory memorandum
which explain that the bill allows for credit providers to 'withhold the supply
of mandatory credit information where a licensee does not reasonably believe
that the credit reporting body is meeting its information security obligations
under the Privacy Act' and expects that credit providers will 'typically place
their own obligations on a credit reporting body to ensure the security of
their customer's information that is disclosed'.[12]
1.18
When such questions were put to the ABA, the ABA said that the
provisions in the bill were sufficient, assuming that the OAIC would fulfil its
role. However, details were not provided as to the nature of contractual
arrangements that might be agreed to between major ADIs and credit reporting
bodies:
Senator KETTER: Are you satisfied with the data
security requirements of the bill, especially in light of the Equifax data
breach in the US? If you're not satisfied, what should be included in the
legislation?
Mr Gilbert: No, we're satisfied with the uplift in
those requirements and we think that that was a beneficial thing to do.
Senator KETTER: What types of terms do you think might
be included in the banks' contracts with the credit-reporting bodies? For
example, will there be independent third-party auditing of the credit-reporting
bodies' systems?
Mr Gilbert: I have no vision at all about that. I
would expect that banks would be concerned to ensure that whatever data they
contributed to the CRBs—it's their data, about their customers—would be secure
and properly held and managed.
Senator KETTER: The explanatory memorandum says:
... licensees ... typically place their own obligations on a
credit reporting body to ensure the security of their customer's information ...
These obligations are set out in the contract between the licensee and credit
reporting body and could include requiring audits, reviewing the results of
stress tests or requiring that certain procedures are put in place to train
staff.
Are those the sorts of things that you're referring to?
Mr Gilbert: I would imagine that they would be. I have
not seen any of those contracts, for obvious reasons, but I would imagine that
they're the sorts of protective provisions that a bank would generally enter
into with a CRB. Of course, we heard from the Information Commissioner this
morning that she'll be watching this space pretty carefully as well to make
sure that the sorts of security arrangements, collection, use, disclosure and
all those aspects of privacy law are properly looked after.
Senator KETTER: What do you think the banks will do to
satisfy themselves that the credit-reporting bodies will be handling the data
appropriately?
Mr Gilbert: It won't be handing it over and forgetting
about it. They will want to be sure that the credit-reporting bodies are doing
the right thing with their data. As to what those measures are, as I said
earlier, I haven't seen any of the contractual provisions at all, and it's
probably not appropriate for me to see them given that I represent a lot of
other banks as well. I can only say that they are normal provisions that would
apply, similar to what APRA might require in terms of outsourcing arrangements:
strong, resilient, robust requirements.[13]
1.19
With regard to penalties, answers to questions on notice from the Attorney-General's
Department indicate that the maximum civil penalty that applies to Privacy Act
breaches involving serious or repeated non-compliance is $2.1m (without
considering compensation).[14]
1.20
Labor Senators note all of the comments regarding privacy and cybersecurity and
will continue to evaluate whether these current provisions are sufficient to
protect consumer personal and financial data.
Concerns raised that the benefits of comprehensive credit reporting will primarily
accrue to the finance industry itself
1.21
The Financial Rights Legal Centre in its testimony to the committee made
it clear that it believes that credit providers and credit reporting bodies
are likely to accrue most of the efficiencies and profits that are
generated via comprehensive credit reporting:
Thirdly, consumer groups strongly believe the shift to CCR in
Australia is only going to result in increased profits for banks and for the
credit bureau. We do not believe that it is going to bring the promised
benefits for consumers, for the broader community or for the economy.[15]
1.22
In making more information available to credit providers when a consumer
applies for credit, it can be expected that more credit on aggregate might be
loaned out to underserved sections of the community and that non-performing
credit will be reduced as credit providers will be able to more easily reduce
or deny credit to those who they see as too high a risk. In aggregate, this
potential increase of total credit and a reduction in non-performing credit
should reduce the average cost to supply credit to the Australian market.
1.23
It can be reasonably expected that such gains to credit providers will,
in a competitive market, be distributed largely between credit provider
profits, credit reporting body profits and, in aggregate, reduced credit costs
for consumers, even if individual consumers face increased or reduced cost of
credit in their individual circumstances.
1.24
Labor Senators remain cautious that the benefits of comprehensive credit
reporting are likely to accrue primarily to credit providers and credit
reporting bodies given the lack of price competition that is likely to exist in
both of these sectors.
1.25
In fact, the New Zealand Privacy Commissioner recently issued a report
after six years of credit reporting that made a number of remarkable findings
and went as far as considering a return to negative credit reporting if
industry failed to deliver individual and community benefits:
The picture that has emerged in the review shows some
evidence of benefits to participants in the credit reporting system but, so
far, limited evidence of benefits to individuals, the community and the
economy. It is difficult yet to say how much this can be attributed to slow
uptake of positive reporting, unwillingness for reasons of commercial
sensitivity for industry players to share compelling evidence of benefits or
because CCR is unlikely to deliver substantial benefits beyond those accruing
to CCR participants.[16]
...
The intrusion of CCR beyond the negative credit reporting
system that has existed for decades cannot be justified simply by the interests
of lenders. While reverting to the former negative system - which principally
impacted individuals who had failed to meet their credit obligations rather
than all credit active New Zealanders – would be one possible response to a
failure of CCR to deliver individual and community benefits. A much better
outcome would be for the credit industry to act decisively to demonstrate that
it can deliver on such issues as consumer choice, competition, responsible
lending, improved identification practices, quotation enquiries, lending to
under-served communities and public education. A number of the report's
recommendations go to these issues. [17]
1.26
One such community benefit would be a reduced cost of credit in
aggregate for the Australian population.
1.27
The Australian Finance Industry Association supported this proposition:
Ms Gordon: The first question is: is the consumer
going to have an interest rate that is less than what they would currently have
with the fact that there is repayment information? Our understanding is yes.[18]
1.28
Experian supported the idea that savings should flow through to some
degree to consumers:
Mr Konstantinidis: I can't speak on behalf of the
lenders, but I would have thought that there is a greater opportunity, with
some of the advantages—whether it's the lower provision for bad and doubtful
debts because of the more informed credit decisions they are able to make or, I
would have thought, the enhanced customer experience and operational efficiency
that drives—to pass on some of those things. But, again, I cannot speak on
behalf of the lender.[19]
1.29
The ABA was more circumspect and did not support or reject the
proposition that consumers should stand to gain to some degree:
Mr Gilbert: I can't make any predictions about what
the cost of credit is going to be in this country. As a person in an industry
body representing 24 potential credit providers, I really prefer not to make
any observations about what the cost of credit is going to be in this country.
I don't want to be signalling one thing or the other.[20]
1.30
The Australian Retail Credit Association also did not reject the idea of
reduced cost of credit and also said that consumer cost of credit could fall
through competition, by making comprehensive credit reporting information
available to smaller credit providers:
Senator KETTER: The theory is that, with fewer bad
loans out there, there are cost savings to the lenders and that could be passed
on to consumers. It is also a problem that we have lower levels of competition
in the industry. So people rightly could be sceptical about whether the
benefits of those cost savings are going to be passed on to consumers. What do
you say about that?
Mr Laing: People can be sceptical in a marketplace
where the four major banks have 60 per cent of the data—the four major banks effectively
have 60 per cent of the credit accounts in this marketplace.[21]
(prior testimony)
Senator KETTER: I would appreciate that. Other
witnesses today have been fairly circumspect about whether they can guarantee
that the overall cost of credit to consumers would be reduced as a result of
this. Are you prepared to come out with a prediction?
Mr Laing: I can't predict exact pricing and what the
average price would be. We have anecdotal evidence—it is not independently
verifiable—from a fintech that, as a result of CCR going into the system, they
could actually reduce prices. They didn't increase prices for anyone; they only
reduced prices. Competition through CCR enables a bank to treat any customer
they can attract to the door as a current customer; they can treat them as if
they were their own customer. I have seen anecdotal evidence from another
country where, as a result of CCR going into that marketplace, they grew their
overall lending by five to 10 per cent but they grew their new lending by about
30 per cent—because they could suddenly tell the credit profile of these
customers and be confident that it was actually correct.
The recent Productivity Commission inquiry into competition
criticised the market. It said there's actually not strong price competition
within the Australian market. Comprehensive credit reporting is one of the
tools that enables people to compete more on price. Repayment history is a
critical piece of that puzzle that will help people better target pricing to
the risks that they are actually facing.[22]
1.31
Labor Senators remain supportive of the Fintech sector and its ability
to increase competition and consumer satisfaction within the financial sector.
1.32
Notwithstanding this support, given the New Zealand experience and the
current competitive environment in Australia, Labor Senators remain sceptical
that consumers stand to gain much at all.
1.33
While making credit reports available to smaller credit providers should
increase the level of competition, such credit reports can be a double-edged
sword. Credit reports, with their wealth of information, could also be used by
all credit providers to more accurately establish a consumer's "maximum
willingness to pay" for credit products and could enable credit providers
to more easily extract the maximum profit they can from each consumer,
particularly in an industry with low levels of price competition.
1.34
The balance of evidence overall suggests that where possible, most
credit providers and credit reporting bodies will try to use CCR to boost profits
and minimise consumer benefits. Labor Senators will continue to monitor the
evolution of this sector, the level of competition and whether consumer benefit
or detriment materialises.
Concerns raised about privacy risks and use of data
1.35
In the age of "big data" and recent public policy debates
about the use of data by companies such as Facebook[23], it is important
that the Senate grapples with this emerging challenge.
1.36
Given that this bill deals with data that is both consumer data and
financial data, it is vital that there are adequate regulations and protections
to ensure that this data is used for designed purposes.
1.37
This consumer financial data has a value and there are many ways that
this data could be used in an unregulated market. For instance, the data could
be used to enable targeted marketing campaigns or the data could be combined
with other data sets, such as those held by companies like Facebook and Google
to enable companies to have a better understanding of their users and could
present new opportunities for such companies to generate revenue and profit.
1.38
Labor Senators note questions on notice from credit reporting bodies and
other stakeholders which strongly state that Australia's privacy legislation is
very robust and that there are no loopholes which would enable anonymised data
or derived data to be passed on or used for purposes other than credit
reporting.
1.39
Notwithstanding these answers, Labor Senators will continue to monitor
whether current legislation continues to be appropriate, whether regulators are
enforcing the legislation adequately and whether the industry indeed only uses
this data for designed purposes.
1.40
Labor Senators also note the media release put out by the largest credit
reporting body, Equifax, which announced in July 2017 a partnership with Nine
Entertainment[24]. The announcement states that '[t]he commercial arrangement
will allow Nine to
leverage Equifax's rich insights and extensive consumer segments across the
Nine Digital network. Combined with their own data, this is a powerful
combination for marketers, allowing them to extend their offerings to new
audiences'.
1.41
Labor Senators are not accusing Equifax of engaging in illegal or
immoral conduct by citing this media release, but merely point out that the existence
of such partnerships confirms how important it is to continue to properly
regulate this data.
1.42
In raising questions about such concerns, Senator McAllister pointed out
that the FlyBuys program shares data with credit reporting providers:
Senator McALLISTER: I've got one on notice which I'm
not certain you'll be able to answer at this point. I'm just looking at the
privacy policy for flybuys. It says:
We and Wesfarmers group companies may exchange your personal
information with service providers engaged to assist with services—
and there is a long list, but one of them is credit
reporting. I would be interested just to understand a little more about other
sources of information used by your members in compiling credit information on
a commercial basis.[25]
1.43
Labor Senators will continue to monitor whether current and proposed
arrangements are still suitable in addressing these risks.
Government's handling of regulating the financial sector
1.44
Submissions and hearing testimony indicate that the government is not
taking seriously the challenges of consumer financial data protections. Just
like the government was brought kicking and screaming into the establishment of
a Royal Commission into the banking and financial services sector, it seems
that the government has not clearly thought through key risks in this
legislation.
1.45
Given access to credit is almost a necessity in today's society, it is
important that legislation and regulations ensure that people are treated
fairly.
1.46
Labor Senators are concerned that testimony given by Treasury and the OAIC
indicates that there is insufficient coordination between Treasury, AGD, the OAIC
and ASIC to provide a legislative and regulatory environment that the community
would rightly expect if private credit reporting bodies are to hold such
significant amounts of consumer data:
- It appears that Treasury are relying on a decision taken in 2012 to
support the passage of this legislation[26] when, since 2012, there have been
a number of public policy debates around the use and regulation of user data;
- Conversations with Treasury officials also raised concerns that there is
insufficient coordination between the Attorney-General's Department, the
Department of the Treasury, OAIC and ASIC in terms of policy development and
regulation of financial data.[27]
1.47
Legislative protections only hold value if they are enforced properly.
Labor Senators call on the government to demonstrate that there is sufficient
coordination, resourcing and expertise within the OAIC and ASIC to properly
enforce these protections in this industry.
1.48
Labor Senators call on the government to address these concerns of
policy and regulatory fracture. Given the heightened risks and dire
consequences of data breaches, a reactive attitude to improving legislation and
enforcement is not a suitable approach.
Recommendation 1
1.49
To amend the bill so that the requirement for large ADIs to supply
repayment history information be delayed by 12 months to 1 July 2019 in order
to allow the Attorney-General's Department to complete its review of financial
hardship arrangements and for the government to provide a response to this
review.
Senator Chris Ketter
Deputy Chair

Senator Jenny McAllister
Senator for New South Wales