Chapter 5

Complaints handling

Introduction

5.1        A major area of concern with submitters was the proposed complaints handling process. Submitters noted that effective complaints handling allowed individuals to enforce their rights, regulators to access valuable data to identify breaches or systemic issues and the public to have trust in the system. However, there was concern that the process contained in the Exposure Draft would not assist consumers and would impose onerous conditions on credit reporting agencies and credit providers. In addition, the prescriptiveness of the operational processes contained in the Exposure Draft was seen as removing the focus on the outcomes being sought, resulting in a complex process.[1]

5.2        The following discussion canvasses the general concerns with the complaints handling provisions contained in the Exposure Draft as well the outcome of the consultation process undertaken between industry stakeholders and consumer advocates.

The proposed complaints handling process

5.3        The Exposure Draft provides for an individual to request access to, or correction of, certain information. Access must be granted within a reasonable period, but not longer than 10 days, while a correction must be made within 30 days (or a longer period as agreed by the individual in writing). If the credit reporting agency or the credit provider refuses access to, or correction of, the information, they must within a reasonable period, provide the individual with a written notice giving reasons for that decision, and setting out the complaints provisions. Individuals may also complain about an act or practice engaged in by a credit reporting agency or credit provider that may be a 'credit reporting infringement'. A credit reporting infringement involves a contravention of Part A (which contains all the key provisions except definitions) or of the Credit Reporting Code.

5.4        Division 5 of the Exposure Draft contains detailed provisions about how a credit reporting agency or credit provider (the respondent) must respond to the complaint, including:

• the respondent for the complaint must provide a written notice to the individual making the complaint within seven days after the complaint is made and must investigate the complaint;
• the respondent may consult with other credit reporting agencies or credit providers in the investigation of the complaint; and
• a determination about the complaint must be made within 30 days and the respondent must provide the individual with a written notice setting out the determination and explaining to the individual that, if they are not satisfied, they may make a complaint to the Information Commissioner or access the respondent's external dispute resolution (EDR) scheme.

5.5        Division 5 also contains notification requirements in relation to complaints concerning corrections of information or a credit reporting infringement. Notification requirements include notification of recipients of disclosed information. Exceptions to the notification requirements are provided for in two circumstances:

• if it is impracticable for the credit reporting agency or credit provider to give notification; or
• where an Australian law, or an order of a court or tribunal, requires that notification not be given.

5.6        If a complaint cannot be resolved to the satisfaction of the individual, the matter may be referred to an external dispute resolution (EDR) scheme or the Australian Information Commissioner.

Issues raised in submissions

Complexity, lack of flexibility and timing issues

Complexity

5.7        Submitters noted that the consumer must first apply to have information corrected, then lodge a written complaint if the information is not corrected and wait for an outcome to this process and then lodge in an external dispute resolution (EDR) scheme. While ARCA supported separate procedures for complaint handling and correction, other submitters did not.[2] The Office of the Australian Information Commissioner (OAIC), Consumer Action Law Centre (Consumer Action) and Consumer Credit Legal Centre NSW (CCLC) voiced concern that the two stop approach resulted in a complex complaints handling process.[3]

5.8        The OAIC commented that the current regime in the Privacy Act requires only a single step for a correction request, followed by refusal before an individual may complain to the Information Commissioner. The OAIC stated that the additional step 'may create complexity and delay for individuals' while CCLC argued that the process provided for in the Exposure Draft 'is needlessly cumbersome and set up to fail'.[4]

5.9        CCLC and Consumer Action argued that a request to correct information should be considered to be a complaint.[5] Consumer Action commented that most consumers were likely to believe that, in requesting that information be changed, they are lodging a complaint. Ms Carolyn Bond, Consumer Action, stated:

It is actually an additional step if you compare it to complaints that people currently make under the legislation that relates to complaints about insurance companies, banks and everything else. I think that will be a real problem for consumers, who will not understand why they have to lodge a complaint twice. The simple way to deal with that is to regard the consumer saying, 'I think there is an error in my credit report,' as a complaint for the purposes of them being able to go to external dispute resolution if it is not fixed.[6]

5.10      Consumer Action and the Australian Privacy Foundation (APF) also commented that the meaning of complaint may be inconsistent with Australian Standard ISO 10002–2006 and therefore the meaning adopted by the Australian Securities and Investment Commission (ASIC), ASIC licensees, financial services licensees and others.[7] Consumer Action noted that according to the Australian Complaint Handling Standard, a complaint is an 'expression of dissatisfaction made to an organisation, related to its products, or the complaints handling process itself, where a response or resolution is explicitly or implicitly expected'. It was argued that 'under this definition, once someone has requested a correction, they had made a complaint and they should not be required to make a further complaint before they are advised about their option to take the matter to an industry dispute resolution scheme'.[8]

5.11      Consumer Action concluded that the mechanism as envisaged leads to a high proportion of consumers 'dropping out' of the process:

In practice, our experience shows that the effect of this would be that many consumers who are unsuccessful in seeking a change in their credit information would take no further action – in part because they will be unaware they can complain further, or that there are independent bodies that can deal with their complaint.[9]

5.12      Consumer Action and the CCLC supported amending the provisions in the Exposure Draft so that a request for a correction to information is taken as a complaint.[10]

5.13      The Energy & Water Ombudsman NSW (EWON) also raised concerns that the complaints handling process may result in a matter relating to the accuracy of credit information not being referred to an EDR or the Information Commissioner for 60 days. EWON suggested that this is an unreasonable length of time given the potential detrimental impact on a consumer.[11]

5.14      In addition, EWON, Consumer Action and the CCLC supported an amendment requiring the respondent to provide information to the complainant on the EDR schemes and the Australian Information Commissioner when the respondent first writes to the complainant and not after the complaint is determined.[12]

Lack of flexibility

5.15      The National Australia Bank (NAB), Australian Bankers' Association (ABA) and the APF noted that complaints had to be in writing.[13] Submitters commented that many consumers do not always lodge written complaints; rather, they interact with providers through shopfronts, or by telephone, mail, email, website, SMS, Twitter or Facebook. Optus stated that 'it is therefore disappointing to see obligations in the Exposure Draft that require providers to give written notice to their customers on several occasions during a complaint investigation'. Optus concluded that 'this lack of flexibility does not provide a good customer experience and generally adds to lengthen and complicate the complaint handling process' and recommended that the Exposure Draft be reviewed to more thoroughly consider the impacts on credit providers outside the banking and financial services sector.[14] The Communications Alliance voiced similar concerns and added that 'it would appear that a reliance on such a formal process actually makes it more difficult for consumers to receive a prompt response to their complaints'.[15]

5.16      The APF commented that 'the law should not prevent consumers from taking advantage of more accessible processes' while the ABA commented that this did not provide flexibility for technological advances.[16]

5.17      The NAB and ARCA also voiced concern about the obligation on the respondent to provide a written notice to the complainant within seven days which acknowledges the complaint and sets out how the respondent will deal with the complaint. As a reasonable number of complaints are resolved within 48 hours of receipt, this requirement was seen as unnecessary, wasteful and potentially irritating for the consumer. The NAB supported an approach whereby the notification requirement is dependent on whether a complaint has already been resolved.[17]

5.18      The Telecommunications Industry Ombudsman (TIO) also queried the need for a written acknowledgment for a complaint that has been made informally over the telephone, particularly when the matter is simple and can be dealt with quickly. The TIO commented that the requirement to go through a formal process of acknowledgment may present an obstacle to speedy and effective dispute resolution.[18] The EWON was of a similar view and stated that such a requirement 'may be an unnecessary burden for those credit providers who are able to resolve a consumer's complaint in less than 7 days'.[19]

Timeframes

5.19      Both the TIO and EWON commented on the timeframes for dealing with complaints (section 158). The EWON submitted that when a customer makes a complaint of inaccuracy about any aspect of the utility debt listed with a credit reporting agency, 'we consider it is fair and reasonable to the customer who has been adversely affected by this that their complaint is investigated as soon as possible'. In most circumstances, it would be expected that any such investigation take no more than 10 business days, and that a 30 day limit should be an absolute maximum for a complex case.[20] The TIO also commented that where the complaint outcome is unfavourable to the consumer, the notification should be made as soon as possible in order that the individual may consider approaching alternative dispute resolution forums.[21]

5.20      ARCA suggested that the 30 day timeframe for providing the consumer with a determination should not start until the relevant party has received the complaint. ARCA noted that recent industry discussions with EDR schemes (including the Financial Ombudsman Service (FOS), the TIO, and the EWON) supported this position.[22]

5.21      In exceptional circumstances such as in a complex complaint involving multiple parties, it may be necessary to extend the period for resolving such a complaint (paragraph 158(5)(b)). The CCLC commented that it was concerned that this requirement was contrary to the ALRC's recommendation to produce evidence to substantiate a complaint within 30 days. The CCLC argued that individual complainants may feel pressured into accepting a longer dispute resolution period without any knowledge of their rights under the Privacy Act. In addition, 'the spirit of the recommendation is that listing should not remain without substantiation' and concluded that 'this provision creates a loop-hole which potentially defeats this requirement'.[23]

5.22      The committee also received comments, that the timeframes included in the Exposure Draft are at variance with the timeframes in other regulatory regimes such as ASIC Regulatory Guide 165 (RG165), Australian Standard ISO 10002-2006 and telecommunications sector obligations. In particular, it was noted that:

• subsection 158(5) provides for a maximum timeframe of 30 days for resolution, or longer if the complainant agrees in writing, while RG165.9 provides for a maximum timeframe of 45 days with no possibility of extension;
• RG165.100 provides for 21 days to respond to a complaint concerning a default notice; and
• the 30 days in the Exposure Draft begins from the date a complaint is made, rather than when the complaint is received as provided for in RG165.[24]

Inconsistency with other standards and obligations

5.23      A further matter raised in relation to complexity was that the obligations in the complaints handling process differ from existing industry standards. A number of submitters commented that financial service providers and others, such as those which provide lenders' mortgage insurance, already comply with ASIC RG165.[25] RG165 applies to all credit licensees and contains specific timelines and procedures for complaints processes. The ANZ Bank submitted that the complaints handling requirements in the Exposure Draft differ from the requirements of Australian Credit Licence (ACL) holders under RG165. The ANZ Bank went on to state that:

Given that a complaint under section 157 is likely to also be a complaint for the purposes of RG 165 it will be difficult for credit providers who are licensees to comply with both sets of requirements.[26]

5.24      The ANZ Bank recommended that the provisions be amended so that credit providers, who are licensees under the National Consumer Credit Protection Act, are under the same obligations for handling customer complaints as they are under their ACLs.[27] The Insurance Council of Australia added that it was not aware of any policy reasons for such differences and suggested that the timeframes in the Exposure Draft to acknowledge and respond to complaints be removed.[28]

5.25      ARCA also commented that Australian Standard ISO 10002-2006 is 'widely recognised as best practice for managing consumer complaints, and it is widely applied across sectors and scalable to suit a range of organisations'. ARCA recommended aligning the timeframes in the Exposure Draft with existing obligations for complaints handling. For example, the consultation Draft of the Electronic Funds Transfer (EFT) Code of Conduct directs subscribers to comply with AS ISO 10002‑2006 and RG165 instead of establishing its own timeframes and standards.[29]

5.26      Both the Communications Alliance and Optus commented that the proposed provisions do not appear to take into account existing legislative and regulatory obligations in the telecommunications sector.[30] It was argued that if the proposed complaints handling regime applied to the telecommunications industry, different obligations would be imposed depending the type of complaint received: credit reporting matters under the Privacy Act; and other types of telecommunications complaints in accordance with the timeframes and requirements under the Telecommunications Consumer Protections (TCP) Code and obligations under the TIO Scheme. Optus concluded that:

This will lead to difficulties for providers having to follow different processes for different types of complaints, and confusion for telecommunications customers, who should be able to have a consistent experience with their telecommunications provider regardless of the nature of their complaint.[31]

5.27      The Communications Alliance added that the rules in the TCP Code are more far-reaching than those proposed in the Exposure Draft including how telecommunications providers must handle complaints and how they must interact with the TIO.[32] Mr John Stanton, Communications Alliance, commented:

One concern is that, if the credit related complaints that telcos receive need to be dealt with differently to all other complaints, then there is an additional burden on the industry, of course, but there may in fact be no consumer benefit to doing it that way or, potentially, consumer detriment. That is an area of major concern for us.[33]

5.28      The Communications Alliance concluded that the Exposure Draft 'seeks to impose new obligations which conflict with standard practice in those industries and will lead to consumer confusion and inconsistent approaches'.[34] The Communications Alliance recommended that:

• matters already dealt with under pre-existing schemes should be removed from the legislation and instead be dealt with under the Credit Code, which will allow flexibility for different sectors, in keeping with their existing obligations; or
• exemptions should be included in the credit reporting legislation for those classes of credit providers who already have pre-existing industry requirements.[35]

5.29      The Communications Alliance argued that the implementation of these recommendations would allow different industries to manage complaints within their existing regulatory frameworks and in a manner that is more realistic and reflective of how customers communicate with their providers.[36]

5.30      In response to the Communications Alliance concerns, Mr Timothy Pilgrim, OAIC, commented:

One of the main aims that we would want to see out of the entire process to reform the Privacy Act is to reduce complexity. We have been talking about that in terms of the actual provisions, but that complexity also extends to how an individual can seek to enforce their rights if they do have an issue. What we want to see is that, to the greatest extent possible, there is one place in which both the individual and organisations that need to comply with the act will go to understand what their obligations are. Our starting point would be that, under the provisions, the provisions themselves set out the basic complaint handling requirements and then those can be extrapolated on within the credit code that will be developed by industry. I can understand that there are some issues that might come up in the telecommunications area; however, I think there are more similarities than differences in the processes we are talking about in resolving complaints. For everyone working within the sector itself, it would probably be preferable to see those requirements all located in the one place—the provisions and the code that sits under them.[37]

Committee comment

5.31      The complaints handling process is an important element of the credit reporting system. Consumers must be provided with a clear process for seeking a correction to credit information held and for complaining when a correction is not made. Submitters commented that the complaints handling process contained in the Exposure Draft is complex, lacks flexibility and will result in an increased burden on those entities which must comply with other complaints handling obligations, particular in the telecommunications and utilities sector.

5.32      The committee sought advice from the Department of the Prime Minister and Cabinet (the department) in relation to concerns about the '2 step' process. The department did not support an approach which combined the correction and complaints process as it did not satisfactorily address all the elements of the Government's existing policy on correction and complaints as set out in the Exposure Draft. The department went on to state that the proposal put forward appears to eliminate the '2 step' approach in the Exposure Draft and to combine the correction provisions and the complaint provisions. As a consequence, there is no longer a process for correction; rather an individual will be required to lodge a complaint to seek a correction of their personal information.

5.33      The department stated that the Government:

...clearly intended that individuals should, consistent with the current credit reporting provisions in the Privacy Act, have the opportunity to seek a correction to their personal information without lodging a complaint. In addition, the proposed definition of complaint is limited to complaints about an organisation's products. Section 156 of the Exposure Draft provides a guide to the complaints provisions and makes clear they apply to both failures to provide access to, or to correct, personal information, as well as to complaints about acts or practices that may be a credit reporting infringement. The Department does not consider that a narrow definition of complaint which focuses on the products of an organisation is useful in the context of the credit reporting provisions.[38]

5.34      The committee also supports the approach taken in the Exposure Draft as it provides a correction mechanism and then, if a correction is not made, the consumer may make a complaint. The advantage of this model is that it places obligations on industry to take action before a consumer lodges a complaint. The committee believes that this is an effective process and also places the obligation appropriately on industry which will gain great advantage from the new credit reporting regime.

5.35      A further benefit of the proposed complaints handling system is that it addresses the issue raised by the NAB and ARCA concerning the large number of 'complaints' which are resolved within 48 hours of receipt and the notification requirements for complaints. The committee considers that these would generally not be complaints, rather they would be requests for correction. As such, there is no requirement for written notice to be provided to the individual.

5.36      In relation to comments regarding timeframes, the committee notes that the timeframe of 30 days for a credit reporting agency or credit provider to correct information reflects the timeframe in APP 13 and the existing Privacy Act and credit reporting code of conduct. Although many credit providers will be subject to other regulatory requirements, this will not always be the case. While the inclusion of a 30 day timeframe for both correction request and complaint determination provides for consistent timeframes across the Privacy Act, the committee has noted the concerns of consumer advocates about delay in the finalisation of a complaint arising after a correction request. When a correction request proceeds to a complaint, the timeframe for determination may be up to 60 days (and longer if the individual agrees to an extension). The committee considers that, if the complaints handling regime as provided for in the Exposure Draft is maintained, then consideration should be given to a shorter time period for a correction to be made.

Recommendation 12

5.37      The committee recommends that the time period for the correction of credit information be amended to 15 days.

5.38      In relation to extensions of time to respond to a request to correct records, the committee is mindful of consumer advocate concerns that individuals may be pressured to agree to an extension. The committee notes that any extension requires the consent of the individual. However, the committee considers that any pressuring of consumers is not acceptable and that the Credit Reporting Code of Conduct should address these matters, for example, obtaining consent, industry practice etc.

Recommendation 13

5.39      The committee recommends that that issue of extensions of time to respond to requests for correction of records be addressed in the Credit Reporting Code of Conduct.

5.40      The committee notes the comments concerning the lack of flexibility in responding to consumers. There were two issues raised. First, that 'written' notification is required. The committee notes that under the Acts Interpretation Act and the Electronic Transactions Act the 'writing' requirement would permit electronic communications.

5.41      The second issue raised related to the need for a written notice when a 'complaint' can be handled quickly. As noted above, these comments appear to combine both the correction and complaint provisions. If an individual contacts a credit provider or credit reporting agency requesting a correction, there is no requirement for a written notification to the individual. The written notification requirements, when the complaint process is instigated, reflects the seriousness of the matter. In addition, the requirement for a complaint to be in writing is consistent with the existing obligation set out in subsection 36(3) of the current Privacy Act.

5.42      The committee therefore does not consider that any amendment of these provisions is required.

Notification requirements relating to certain complaints

5.43      Section 159 requires notification of the complaint and the determination about the complaint. Notification must also be provided to recipients of the information. Exceptions are provided if it is impracticable for the credit reporting agency or the credit provider to give the notification or if they are required by or under Australian law, or an order of a court or tribunal, not to give notification.

5.44      ARCA commented that 'what seems to be a simple requirement under the Exposure Draft provisions becomes complex because of the degree of prescription of how an operational process must work rather than the outcome that it seeks to deliver'.[39]

5.45      The ANZ Bank also commented that these requirements 'will be practically difficult to comply with for both credit providers and credit reporting agencies'. For example, a credit provider (recipient) who receives a complaint regarding incorrect credit information is required to notify all credit reporting agencies and other credit providers who hold the credit information of both the complaint and the outcome. The ANZ Bank commented that the recipient will not be able to identify all holders of the information. Rather, the recipient will only be able to identify the credit reporting agency from whom they obtained the information and the credit provider who initially disclosed the information. The ANZ Bank also argued that the situation was similar for a credit provider which discloses incorrect information: the credit provider will not be able to identify every recipient, only those to which it disclosed the information directly. However, as currently drafted, the credit provider may be required to notify any indirect recipients.[40]

5.46      The ANZ Bank went on to draw a comparison with the current Credit Reporting Code of Conduct which requires the correction of credit information to be provided to entities that received the incorrect information within the previous three months and are nominated by the individual to receive the correction notification. The ANZ Bank concluded:

This paragraph of the Code ensures the costs associated with maintaining correct information are minimised whilst also ensuring the adverse impact to affected individuals is minimised. Providing the correction to entities who received the initial information more than three months ago and who are not nominated by the individual, is unlikely to alter the credit decisions made in relation to the individual and therefore unlikely to benefit the individual.[41]

5.47      The ANZ Bank recommended that:

• subsection 159(3) be amended so that the receiving credit provider is only required to notify the credit reporting agency from which it received the information and the credit provider who initially disclosed the information;
• subsections 147(2), 150(2) and 159(5) be amended to clarify that a credit provider is only required to inform direct recipients of the incorrect credit information and that these entities are then required to disclose the correction to any entities they provided the information to; and
• the Exposure Draft be amended so that entities only have to be notified of a correction to credit information if they received the information within the last three months (or other suitable period) or are nominated by the individual to receive the correction.[42]

Committee comment

5.48      The committee notes concerns about the burden placed on credit providers in responding to a correction or complaint to also have to notify other parties if the correction is made. The ALRC considered the notification principle in relation to correction of credit reporting information. The ALRC commented that it saw no reason why the general notification requirement contained in the 'Access and Correction' principle should not apply to credit reporting information 'where it is generally practicable for a credit reporting agency to send correcting information to credit providers to whom inaccurate information previously has been sent'.[43]

5.49      The Government Response makes it clear that, where it is decided that a correction is necessary, the credit reporting agency or credit provider should be required to take steps to advise others of the correction. The Government Response stated:

The Government notes that where a credit reporting agency or credit provider determines that corrections need to be made to the individual's credit reporting information, they should take steps to advise the other party, along with other relevant credit reporting agencies who may have listed the information, of the corrections. This will be in accordance with the general 'access and correction' principle.[44]

5.50      The correction and complaints handling provisions reflect APP 13. However, the notification requirement of APP 13 is limited to notifying other entities to which the information has previously been disclosed only where the individual requests notification of the other entity. In the credit reporting system the notification requirement is broader and the committee considers that this appropriately reflects the nature of the information used in the credit reporting system and the use of the information in determining an individual's credit worthiness.

5.51      The committee also notes that exceptions are provided for in the complaints handling provisions (subsection 159(6)) and the corrections notification provisions (subsection 122(4) and subsection 147(3)) so that notification need not be given if it is 'impracticable to do so'. The committee considers that this provides considerable flexibility to credit reporting agencies and credit providers. The committee anticipates that guidance will be provided in relation to the exemption either by the OAIC or in the Credit Reporting Code of Conduct.

First point of contact

5.52      The ALRC recommended (Recommendation 59–5) that 'a credit reporting agency should refer to a credit provider for resolution complaints about the content of credit reporting information provided to the agency by that credit provider'. The Government responded that the ALRC had 'reversed the obligation for resolving disputes and placed the onus on the relevant credit provider who is likely to have sufficient access to information in order to deal with the dispute'. The Government commented that there should be clear requirements about who should take responsibility to attempt to resolve the dispute. The Government was concerned that the approach adopted by the ALRC would result in an individual having to take several steps before ownership of the dispute settles with the credit provider. The Government stated that:

..a more balanced approach is that the obligation for attempting to resolve the dispute should lie with whichever party the individual first makes a complaint (whether it be the credit provider to which the listing relates or the credit reporting agency).[45]

5.53      The Exposure Draft provides for the respondent to the complaint to investigate the complaint and make a determination about it. 'Respondent' is defined as the credit reporting agency or credit provider to which the complaint is made (section 180).

5.54      The Government's approach was supported by EWON, however, it suggested that section 156 should include the wording in the Government Response ('the obligation for attempting to resolve the dispute should lie with whichever party the individual first makes a complaint (whether it be the credit provider to which the listing relates or the credit reporting agency)'). EWON commented that this would ensure that it is clear who should accept, and attempt to resolve, the complaint and avoid the consumer having to liaise between the parties.[46]

5.55      Other submitters, however, did not support this approach. It was argued that the first point of contact may not be the most appropriate entity to deal with the complaint.[47] Westpac, for example, commented that 'the provision that the first party contracted must investigate the complaint could result in an adverse customer outcome in instances where the complaint is unrelated to the first party'.[48]

5.56      Submitters provided examples of where the first point of contact would not be the most appropriate. The NAB, for example, stated:

...a consumer may complain to a credit provider who is not responsible for the credit reporting information that is in dispute. Operational complexities would make it difficult for the first point of contact to effectively manage the complaint and this would adversely impact the consumer.[49]

5.57      ARCA provided the following example:

If a consumer walks into the NAB to get a credit card and the NAB does a credit check they may find—having received the report from the bureau—that there is, for example, a default listed by Telstra, and the consumer then complains to the NAB: 'I have never had a Telstra relationship. I work with Optus. I think this is incorrect.' There is no way that the NAB can check that and manage that complaint. It needs to go to the relevant party, which would either be the credit reference agency that supplied the information or Telstra, which had listed the default.[50]

5.58      Both the NAB and ARCA suggested that industry should take responsibility for an effective referral process for complaints. This would, it was argued, ensure that the complaint is acknowledged, managed and resolved by the relevant supplier of the disputed credit reporting information.[51] The ABA took the view that the Credit Reporting Code of Conduct could develop an effective referral process to manage and resolve the complaint with the respondent to be the responsible party.[52]

5.59      ARCA also commented that the first party contacted must undertake to notify 'everyone' who has received the incorrect information, collate the necessary information to respond to the complaint, and then respond on behalf of all relevant parties. ARCA submitted that 'what seems to be a simple requirement under the Exposure Draft provisions becomes complex because of the degree of prescription of how an operational process must work rather than the outcome that it seeks to deliver'.[53]

Committee comment

5.60      The committee notes that the Government Response to the ALRC's recommendation makes it clear that responsibility for dispute resolution should lie with whichever credit reporting agency or credit provider to whom the individual first complains. The committee supports this approach as consumers will only have to contact one entity to instigate the complaints process. The committee further considers that there is a benefit to good consumer relations for entities to ensure disputes raised by their customers are dealt with efficiently.

External dispute resolution

5.61      If a complainant is not satisfied with the outcome of a complaint they may seek access to an EDR scheme. Recognised EDR schemes, within the meaning of the Privacy Act, are those to which credit providers and credit reporting agencies are members and are one or more EDR schemes that is, or are, recognised by the Information Commissioner (section 195).

5.62      The ALRC noted that many credit providers are members of EDR schemes, including financial services providers which are required by the Corporations Act 2001 to belong to EDR schemes approved by ASIC. The ALRC went on to comment that:

In the resolution of credit reporting complaints, it is appropriate that EDR schemes provide the first line of dispute resolution beyond the credit provider or credit reporting agency. Such schemes are funded by industry and have expertise in the commercial environment in which their members operate.[54]

5.63      The ALRC commented that, as the privacy regulator, it is appropriate for the Privacy Commissioner to have oversight of EDR schemes that handle credit reporting complaints. However, the ALRC did not envisage that the Privacy Commissioner would implement an approval system for EDR schemes; rather, the Privacy Commissioner would recognise EDR schemes already approved by ASIC under the Corporations Act and those with another statutory basis such as the TIO.[55] The Government accepted this approach.[56]

Membership of EDR schemes

5.64      Some submitters argued that a failure of the Exposure Draft is the lack of an explicit requirement for credit providers or credit reporting agencies to belong to an EDR scheme.[57] Veda Advantage, Consumer Action, CCLC and Legal Aid Queensland recommended that credit reporting agencies be required to belong to an EDR scheme.[58] The CCLC commented that 'access to EDR is one of the key consumer protections introduced by this legislation and it should not be left to implication'.[59]

5.65      A further matter raised was the requirement for all credit providers and credit agencies to be members of an EDR scheme. The ALRC considered whether membership of an EDR scheme should be a pre-condition to any participation in the credit reporting system, rather than only when credit providers list overdue payments. The ALRC commented that:

Dispute resolution is needed most in relation to credit reporting information that is adverse to, and may have serious consequences for, the individuals concerned. Membership of an EDR scheme can be expensive. The compliance burden may not justify imposing EDR obligations on credit providers who may, for example, wish to provide goods or services on credit, but do not list defaults.[60]

5.66      The ALRC recommended that 'credit providers only may list overdue payment or repayment performance history where the credit provider is a member of an external dispute resolution scheme recognised by the Privacy Commissioner' (Recommendation 59–7).[61] The Government accepted this recommendation with amendment and stated that 'there is significant justification to extend the requirement to be a member of a recognised external dispute resolution (EDR) scheme to all credit reporting agencies and credit providers that list any information about an individual in credit reporting information'.[62]

5.67      The Tasmanian Collection Service commented that it had 'serious objections' to the requirement that participating credit providers need to be a member of a recognised EDR scheme. The Service submitted that this requirement is of limited use, costly, and overly bureaucratic and will 'effectively provide a significant barrier to many thousands of smaller credit providers to their continued participation in the credit reporting industry'. The Service recommended that this requirement is removed.[63]

5.68      The Australian Finance Conference (AFC) commented that the extension of the requirement of membership of a recognised EDR scheme to all credit providers and credit reporting agencies may affect commercial financiers adversely. Currently, a commercial financier is able to access the consumer component of a commercial customer's file. They do not list information on the file and access is merely required to facilitate a credit assessment of the commercial customer. The AFC argued that commercial financiers should not be required to be a member of an EDR scheme to access the consumer component of a file. In addition, the AFC commented that mandatory membership of EDR schemes for providers of small business credit remains a matter of policy consideration under the Council of Australian Governments (COAG) Phase 2 national credit reforms. The AFC concluded:

The outcome of section 132 would appear to be at odds with the Government's commitment to that consultative process and commitment to best practice regulation (eg targeted regulation to address an evidence-based market failure or consumer protection risk).[64]

Recognition of EDR schemes

5.69      The Insurance Council of Australia stated that it strongly supported recognition by the Information Commissioner of EDR schemes approved by ASIC, particularly where those schemes are already adequately equipped to deal with complaints relating to privacy in the context of credit reporting. The Insurance Council commented that 'this will provide a clear process for potential complainants, especially where a credit reporting complaint may be connected to other aspects of a dispute such as debt recovery'. In addition, the Insurance Council stated that it will ensure that the compliance obligations for lenders' mortgage insurance providers, which are only credit providers by virtue of acquiring a debt, are commensurate with the level the credit reporting activity being undertaken.[65]

5.70      EWON commented that electricity and gas retailers are required by their licence conditions to be a member of an approved ombudsman scheme, and they are bound by, and must comply with, any decision of the electricity or gas industry ombudsman relating to a dispute or complaint involving the licence holder and a small retail customer. EWON sought confirmation that it will be recognised by the Information Commissioner as the Exposure Draft does not set out how EDR schemes will be recognised.[66]

Committee comment

5.71      Some submitters called for a more explicit requirement regarding membership of an EDR scheme. The committee notes that section 132 provides that a credit provider may not disclose credit information about an individual to a credit reporting agency unless, amongst other matters, the credit provider is a member of a recognised EDR scheme (paragraph 132(2)(a)). The same conditions apply for the disclosure of credit eligibility information (paragraph 135(3)(e)). Section 108 prohibits credit reporting agencies from disclosing credit reporting information unless, amongst other things, the disclosure is permitted for the purpose of a recognised EDR scheme and both the credit reporting agency and credit provider are members of the scheme (paragraph 108(3(c)).

5.72      The committee also sought advice from the department which noted that the Government has decided that external dispute resolution should only be compulsory for those credit providers that wish to access repayment history information. The department noted that this implements the Government's response to ALRC Recommendation 55–3 but does not preclude other credit providers and credit reporting agencies from taking part in external dispute resolution schemes, even if they do not wish to access repayment history information. The department added:

The Veda proposal for compulsory participation of credit providers in external dispute resolution appears to be intended to facilitate the handling of all complaint resolution under external dispute resolution schemes or mechanisms under other existing industry codes or statutory schemes. The Department notes that this would create a situation where the handling of complaints is dealt with under a wide variety of other mechanisms that may not be consistent in either the timing that is applied, the rights given to individuals, or the remedies that can be obtained. The Department notes that the complaints handling provisions in the exposure draft establish common timeframes and procedures.[67]

5.73      The committee does not consider more explicit provisions regarding EDR scheme membership are required.

Substantiation

5.74      The ALRC recommended (Recommendation 59–8) that, within 30 days, if evidence to substantiate a disputed credit listing cannot be provided, or the complaint is not referred to a recognised EDR scheme, then the credit reporting agency must delete or correct the information. The Government accepted this recommendation and stated that:

This recommendation will ensure that the onus of proving the accuracy or appropriateness of a listing in an individual's credit reporting information lies with credit providers and credit reporting agencies. It is also likely to assist in encouraging the credit reporting industry to resolve disputes as quickly and efficiently as possible.[68]

5.75      While noting that this recommendation was accepted by the Government, the OIAC, CCLC and the EWON commented that at present, the Exposure Draft omits the substantiation requirement.[69] The OAIC commented that it supported the position in the Government Response that credit reporting agencies and credit providers should bear the onus of proving the accuracy of credit-related information they hold. It was noted that this is consistent with those entities' obligation to take reasonable steps to ensure that the information is accurate, up-to-date and complete. In addition, such an obligation may assist with the quick and efficient resolution of disputes.[70]

5.76      EWON also stated that 'this important provision should be included to strengthen consumer protections and encourage efficient resolution of complaints'.[71] CCLC commented that 'this recommendation is inextricably related to the complaints process and the individual's right to request a correction to their credit reporting information'.[72] Ms Karen Cox, CCLC, added:

We are not sure that has been well reflected in the legislation and we think that is a hugely important thing. Again, a default or some sort of adverse listing on a credit report has serious consequences for people. The very least that credit providers should have to do is be able to keep and produce adequate evidence if they are going to make a move to mar someone's credit rating.[73]

5.77      Consumer Action noted that the provisions of section 149, rather than requiring the provision of substantiating evidence, 'merely requires that credit providers consider whether or not they are satisfied that the information is incorrect, without any effort to investigate or substantiate their decision'. If the credit provider is satisfied the information is correct, they need not provide any evidence to substantiate that position. In relation to the second part of the recommendation, Consumer Action stated that this does not seem to have been addressed at all. The Consumer Action concluded that the provisions, if enacted will result in poor outcomes for consumers and stated:

Individuals often challenge inaccurate listings when they are informed as part of an application for credit that their application was rejected on the basis of information contained in a credit report. An inaccurate listing can prevent, or delay, the individual obtaining credit, for example, a housing loan to complete the purchase of a home. In those circumstances it is critical that evidence substantiating the listing is provided in a timely manner or the listing is corrected as there is often some urgency.[74]

5.78      The OAIC recommended that to reflect the ALRC's recommendation:

• the Exposure Draft set out credit reporting agencies' and credit providers' obligations, and individuals' rights, relevant to the onus to prove the accuracy of information; and
• the new Credit Reporting Code deal with practical compliance matters relevant to those requirements.[75]

5.79      The CCLC also noted that the Government response had indicated that, where a listing is in dispute has been referred to an EDR scheme, a note to that effect was to be associated with the disputed listing. This has also not been included in the Exposure Draft.[76]

Committee comment

5.80      The Government accepted ALRC Recommendation 59–8 in relation to substantiation of evidence of disputed credit reporting information.[77] The committee notes that this obligation is not expressly provided for in the Exposure Draft. However, both credit reporting agencies (section 116) and credit providers (section 143) are under a positive obligation to take reasonable steps to ensure that credit information they collect, use or disclose is accurate, up-to-date and complete. Subsection 116(3) provides for additional obligations on credit reporting agencies to enter agreements with credit providers to ensure the information they obtain from credit providers is accurate, up-to-date and complete as well as to conduct regular audits and identify and deal with any suspected breaches of the agreements. Credit providers are required to take such steps, if any, as are reasonable.

5.81      The department noted that there are general rules to ensure the integrity of credit reporting information. In addition, the department indicated to the committee that to insert a substantiation requirement could make matters more confusing, potentially leading to a situation where someone could argue that they were not required to correct inaccurate information (under the general quality requirement) until it was challenged by an individual. It would also be difficult to reconcile with the obligations on credit reporting agencies to have agreements in place to ensure accurate information enters the system. Further, if a person disputes a listing, either through the correction process or as a complaint, and the credit reporting agency has no evidence to substantiate the listing, then the general quality obligation to ensure accuracy of the information would require the information to be corrected.

5.82      The committee however, notes the concerns of the Office of the Australian Information Commissioner that substantiation was part of the privacy-enhancing regulation of the credit reporting system. The committee agrees with the OAIC's view but is mindful of the difficulties that may be faced in including such a requirement in the Exposure Draft.

Recommendation 14

5.83      The committee recommends that consideration be given to implementing the recommendations of the Office of the Australian Information Commissioner in relation to the substantiation issue.

Outcome of consultations

5.84      The committee was provided with the following outcomes from the industry stakeholder and consumer advocates consultations:

• Definition of complaint:
  • the statute should contain a single definition of 'complaint' based on the ISO 10002:2004 and RG165:
    • Expression of dissatisfaction made to an organisation, related to its products, or the complaints-handling process itself, where a response or resolution is explicitly or implicitly expected.
  • this should eliminate the '2 step' approach in the Exposure Draft Bill, and lead to a common approach to IDR and EDR that meets international standards across credit reporting in Australia.
• EDR should be clearly made compulsory for all credit reporting participants;
• Codes and timing:
  • the basic principle should be that where a credit reporting participant is already subject to a complaints-handling requirement in a sectoral Code and EDR, or a statutory scheme, those requirements should apply in credit reporting.
    • the Privacy Commissioner should maintain a list of recognised industry codes and standards for complaints handling purposes;
    • for those with a sectoral Code or other complaints-handling requirement, a breach of that requirement would be an interference with privacy under the Privacy Act;
    • for CRAs and others without a sectoral scheme, the statute should provide for a 30 day requirement for the handling of a non-data correction complaint; and
    • a data correction complaint would have a 45 day time limit for resolution; should the credit provider not provide substantiation, the disputed information is resolved in the consumer's favour;
• Evidence requirements:
  • detail to be included in Code of Conduct
    • onus of proof lies with the party that listed the information – standard is reasonable proof
    • reasonable proof explained in Code to include concrete examples eg a copy of a default notice, proof that the debt owed was 60 days past due, and evidence of notice to consumer listing (specific material evidence–including record of date sent, and or that the system performed as intended to provide notice in the specific instance)
    • the development of the Code will draw upon other Code guidelines on evidence, such as FOS guidelines, as well as seeking input from the Privacy Commissioner
    • reasons for decision to be provided to the consumer
    • statutory obligation on parties to respond appropriately to a complaint;
• Credit providers in liquidation:
  • include in the Code a provision requiring EDR schemes to deal with consumer complaints even when a Credit Provider is in liquidation and no longer a member of an EDR scheme, if necessary charging the costs to the CRA(s) who are also party to the dispute;
• Notification of other parties:
  • Code to provide that when a CRA makes a correction to a consumer's information, they:
  • give notice of the correction to other CRAs; and
  • advise the consumer that they may ask the CRA to inform any credit provider who has accessed their file since the erroneous inclusion of the correction;
  • if the consumer requests, advise those credit providers;
• EDR Scheme co-ordination:
  • achieving some consistency in credit reporting dispute outcomes across EDR schemes is important. To that end, ARCA should hold a regular forum of EDR schemes and consumer advocates to report trends, and agree on guidelines for resolving complaints.

Response from the Department of the Prime Minister and Cabinet

5.85      The department responded to the outcome of the consultation and noted that the Veda submission proposes a complete reformulation of the complaint handling provisions in the Exposure Draft which also appears to encompass the correction provisions. Concerns with the '2 step' approach to complaints handling is discussed at paragraph 5.53–5.55 and matters relating to the EDR are discussed at paragraph 5.72.

5.86      In relation to matters to be dealt with in the Code of Conduct, the department indicated that Veda could propose matters it wished to be included in the Code of Conduct during the process for the development of the code.

Committee comment

5.87      The proposal provided by Veda following consultations with consumer advocates provides for an alternative approach to complaints handling. A number of these issues have been addressed by the committee in the discussion above.

5.88      In addition, the committee notes the proposal concerning codes and timing. The committee does not agree that where a credit reporting participant is already subject to a sectoral code dealing with complaint handling, that code should continue to apply instead of the requirements of the credit reporting regime. The committee does not consider that this would be a beneficial outcome for consumers as this would result in a range of complaint handling models, depending on what other regulatory regime applies to credit providers. The committee considers that this would add complexity to complaints handling. However, there may be some issues which could be addressed in the Credit Reporting Code of Conduct thus providing clear guidance in relation to application of complaint handling under different sectoral codes.

5.89      It was also proposed to make EDR compulsory for all credit reporting participants. The committee notes the comments of the Department of the Prime Minister and Cabinet in this regard and does not support this approach.

5.90      The committee has addressed the issue of substantiation of evidence in the discussion above.

5.91      The proposal for notification of other parties following a correction by a credit reporting agency includes that the credit reporting agency will advise the consumer that they may ask the agency to inform any credit provider who has accessed their file since the erroneous inclusion of the correction; and if requested by the consumer, advise those credit providers of the correction. The committee does not support this approach. Subsection 120(2) does not provide for a requirement that the individual must request that credit providers be informed of the correction. The committee considers that this is a lessening of the obligations on credit reporting agencies. Given the significance of credit reporting information to an individual, the committee believes that the notification provisions contained in the Exposure Draft are appropriate. The committee further notes that the provisions of subsection 120(3) provide for an exception if it is impracticable for the credit reporting agency to give the notice. The committee considers that this provides a credit reporting agency with sufficient flexibility in this matter.

5.92      The final point of the proposal relates to EDR scheme coordination. The committee notes that the OAIC can approve EDR schemes. The committee considers that this is the appropriate mechanism for approval of EDR schemes. It also allows credit providers to use the EDR scheme that they already belong to for other purposes, for example, responsible lending purposes. The committee considers that this is a simple approach and detailed obligations in relation to EDR schemes for the credit reporting scheme will not be required.

Navigation: Previous Page | Contents | Next Page