CHAPTER 3
Credit reporting definitions
3.1
Schedule 2 of the Bill reforms the regulation of credit reporting in an
attempt to more accurately reflect the information flows within the credit
reporting system and the general obligations set out in the Australian Privacy
Principles.[1]
A brief overview of the credit reporting system is provided in this chapter to
provide context,[2]
followed by a discussion of some of the proposed credit reporting definitions in
Schedule 2 of the Bill and the related definition of 'Australian link' in
Schedule 4 of the Bill.
Overview of the credit reporting system
3.2
New Part IIIA of the Privacy Act 1988 (Privacy Act) sets out
provisions in relation to the privacy of information related to credit
reporting (credit reporting provisions).[3]
The credit reporting provisions will apply to three main categories of
participants in the credit reporting system: 'credit reporting bodies'; 'credit
providers'; and 'affected information recipients'.[4]
These terms are defined in the Bill and have specific meanings.[5]
3.3
The credit reporting system deals with categories of credit-related
personal information. The Explanatory Memorandum (EM) states that it is
necessary to use a number of specific terms to accurately describe the
information flows within the credit reporting system:
Because credit reporting bodies and credit providers may use
personal information in the credit reporting system to derive and add new
personal information to the system, it is important to accurately describe this
process through the use of specific and defined terms. The key terms are:
credit information; credit reporting information; credit eligibility
information; and regulated information.[6]
3.4
The definition of 'credit information' is discussed later in this
chapter;[7]
and 'credit reporting information' is defined as 'credit information' that
has been disclosed to the 'credit reporting body' by the 'credit provider', as
well as 'CRB derived information'.[8]
'Credit eligibility information' will mean 'credit reporting information' that
was disclosed to the 'credit provider' by a 'credit reporting body' and 'CP derived information'.[9]
'Regulated information' will be 'credit eligibility information' or 'credit
reporting information' that has been disclosed to 'affected information
recipients'.[10]
3.5
The EM explains that there are two main features of the credit reporting
system: first, the input side, where 'credit providers' put information into
the system by disclosing the categories of personal information to 'credit
reporting bodies'; and second, the output side, where 'credit reporting bodies'
disclose certain personal information to 'credit providers', consistent with
the permitted disclosures:[11]
Generally, information only comes out of the system following
requests from credit providers to credit reporting bodies for disclosure for
specified purposes (or where disclosures are permitted to certain recipients
for certain purposes by operation of the provisions, such as to an affected
information recipient, or where disclosure is permitted by operation of an
exception, such as where a disclosure is required or authorised by or under an
Australian law or court or tribunal order).[12]
3.6
The use and disclosure of the relevant types of personal information are
regulated by the credit reporting provisions, which provide different requirements
for the participants based on whether they are taking part in the input side or
the output side of the credit reporting system:
This means, for example, that there can't be a single
disclosure rule for credit providers, both because they have different roles in
the system and because the personal information changes as it goes through the
system. For this reason, there are provisions relating to the disclosure by
credit providers to credit reporting bodies of credit information into the
credit reporting system (and a related rule for credit reporting bodies dealing
with collection of credit information). However, there are separate provisions
relating to the disclosure by credit reporting bodies to credit providers,
since the personal information disclosed will be credit reporting information...There
is not one single category of personal information that can be regulated by a
single rule that will apply in every case.[13]
Definitions
3.7
Schedule 2 of the Bill sets out amendments relating to general
definitions in subsection 6(1) of the Privacy Act[14]
and key definitions relating to credit reporting.[15]
Many submitters commented on these proposed amendments, with commentary ranging
from general to very specific issues.
General matters of interpretation
3.8
For some submitters, the number of definitions and their location within
the Privacy Act was a concern. For example, the Australasian Retail Credit
Association (ARCA) submitted that the Bill identifies 17 different classes of
personal information, which leads to unnecessary complication and duplication.[16]
The Australian Privacy Foundation similarly commented that the number of new,
revised or defined credit reporting definitions:
...hardly constitutes the 'simplification' desired by all
parties and promised in the EM, and we submit that the scheme is now effectively
too complex to be readily explicable, posing a serious risk of non-compliance
and/or inability of consumers to effectively exercise their rights.[17]
3.9
The Law Council of Australia agreed that 'the use of multiple different
named categories of credit-related information...may over-complicate the
drafting'.[18]
Its submission expressed further concern about:
...certain structural elements of the Bill...One such concern is
the structure whereby key concepts are defined in several places within the
Bill, but distant from the Part IIIA context in which they are used. [19]
3.10
ARCA suggested as a solution the inclusion of a single definitions
directory within the Bill.[20]
However, the Office of the Australian Information Commissioner (OAIC) had an
alternative recommendation for improving the interpretation of Schedule 2 of
the Bill. Rather than restructure the proposed credit reporting definitions,
the OAIC suggested including the credit reporting provisions as a schedule in the
Privacy Act:
The Explanatory Memorandum clarifies that the insertion of
the APPs in a Schedule to the Privacy Act is intended to facilitate ease of
reference to the APPs. The OAIC suggests that this consideration is equally
relevant to the credit reporting provisions. Placing the credit reporting
provisions in a Schedule to the Privacy Act will also ensure that provisions
relevant only to specific industry sectors do not add complexity and length to
the body of the Privacy Act.[21]
3.11
In May 2012, the Australian Government responded to the Senate Finance
and Public Administration Legislation Committee's (F&PA committee) inquiry
into the Exposure Draft of the Bill (F&PA inquiry). Consistent with the
OAIC's suggestion to the current inquiry and the F&PA inquiry, the F&PA
committee recommended that consideration should be given to locating the credit
reporting provisions in a schedule to the Privacy Act.[22]
The Australian Government, however, did not accept that recommendation:
The Government considered the location of the credit
reporting provisions and determined they are best located in the same place as
the existing provisions.[23]
Departmental response
3.12
The Attorney-General's Department (Department) informed the committee
that it has implemented ALRC Recommendation 5-2, which supported redrafting the
Privacy Act to achieve greater logical consistency, simplicity and
clarity.[24]
The Department advised further that it considers that the drafting style
adopted in the Bill reflects current best drafting practice and effectively
balances competing interests.[25]
3.13
Specifically in relation to the credit reporting provisions, the
Department provided the following comprehensive explanation for the way in
which the provisions are presented in the Bill:
Consistent with modern drafting practices and the approach
adopted throughout the Bill, each division in Part IIIA that deals with
substantive rights and obligations commences with a guide to assist the reader [to]
understand the content of the Division. In addition, clause 19 sets out a guide
to Part IIIA as a whole. Guides were not inserted for Division 6 (which
contains certain offences) or Division 7 (which deals with certain court
orders) as these divisions are short and self-explanatory.
In relation to the structure of the Bill, these privacy law
reforms proceed by amending the existing Act, rather than by replacing the Act
with an entirely new Act. This means that the structure of the final
consolidated Act will remain consistent with the existing structure of the Act.
Credit reporting definitions will be located in Part II – Interpretation, which
currently contains all definitions and other provisions relevant to
interpreting the Act.
At present the credit reporting related provisions are in a
number of different places in Part II of the Act. The Bill reorganises the
definitions in Part II into a logical sequence and groups similar specific
definitions together. Part II will be divided into two divisions – Division 1
will contain all the general definitions for the Act, while Division 2 will
contain key definitions relating to credit reporting. Division 1 will include
all the credit reporting definitions in subsection 6(1). Where terms require a
more comprehensive definition, the reference in subsection 6(1) will point to
the specific definition in Division 2. In this way, Division 1 will be the
starting point for identifying and locating all defined terms in the amended
Act. The Department considers that this approach to structuring the credit
reporting provisions is consistent with the existing structure of the Act and,
once amended, will be logical, straightforward and clear.[26]
'Australian link'
3.14
Items 2 to 65 in Schedule 2 of the Bill amend general definitions in
subsection 6(1) of the Privacy Act. The general definition which most
concerned submitters and witnesses is the term 'Australian link' in section 5B
of the Privacy Act.
3.15
The EM states:
The credit reporting system is restricted to information
about consumer credit in Australia and access to the credit reporting system is
only available to credit providers in Australia. The credit reporting system
will not contain foreign credit information or information from foreign credit
providers (even if they have provided credit to an individual who is in
Australia), nor will information from the credit reporting system be available
to foreign credit reporting bodies or foreign credit providers.[27]
3.16
To effect this policy proposal, the Australian Government considered a
number of general provisions stating these limitations but:
[I]t was considered that a simpler, clearer and more
effective approach was to ensure appropriate limitations were in place in
relation to each relevant provision dealing with the collection, use and
disclosure of information by credit reporting bodies and credit providers in
Part IIIA.[28]
General comment regarding the
definition
3.17
Items 4 to 7 of Schedule 4 of the Bill will amend the definition of 'Australian link'
in subsections 5B(2) and 5B(3) of the Privacy Act. The new definition will outline
the circumstances in which an organisation or small business operator will have
an 'Australian link'. For example, under proposed new paragraph 5B(3)(c) an 'Australian
link' will exist where 'personal information was collected or held by the
organisation or operator in Australia or an external Territory', and the other
requirements of the section are satisfied.[29]
3.18
The EM states:
The collection of personal information 'in Australia' under [proposed]
paragraph 5B(3)(c) includes the collection of personal information from an
individual who is physically within the borders of Australia or an external
territory, by an overseas entity.
For example, a collection is taken to have occurred 'in
Australia' where an individual is physically located in Australia or an
external Territory, and information is collected from that individual via a
website, and the website is hosted outside of Australia, and owned by a foreign
company that is based outside of Australia and that is not incorporated in
Australia. It is intended that...entities...who have an online presence (but no
physical presence in Australia) and collect personal information from people
who are physically in Australia, carry on a 'business in Australia or an external
Territory'.[30]
3.19
The OAIC questioned whether the government's objective will be achieved
with the use of the 'Australian link' term, contending that the intention
stated in the EM is not reflected in the Bill. Its submission argued that the phrase
'in Australia' is not clear, particularly in the online context, and should be
made explicit, for example, by amending 'in Australia' to read 'from
Australia'.[31]
At the first public hearing, the Australian Privacy Commissioner, Mr Timothy
Pilgrim, specifically stated:
[T]he use of the terminology 'in Australia' in the credit
provisions may leave open to interpretation whether or not foreign credit
reporting entities can get access to the information.[32]
3.20
For many other submitters, it was not the definition of the term
'Australian link', but the manner in which the term is to be applied throughout
the credit reporting provisions, that raises concerns.
Extra-territorial operation
3.21
Several submitters and witnesses questioned the use of the term
'Australian link' in relation to proposed new paragraph 21G(3)(b) of the
Privacy Act.[33]
This provision will prevent a 'credit provider' who holds 'credit eligibility
information' about an individual from using or disclosing that information to a
related body corporate which does not have an 'Australian link'.
3.22
Industry submitters and witnesses argued that this use of the
'Australian link' requirement is excessive and inconsistent, and will significantly
affect business operations.[34]
In evidence, for example, Mrs Sue Jeffrey from ANZ Banking Group Limited (ANZ) argued:
[T]he Australian link requirement will have a major effect on
the way ANZ structures its businesses. For example, ANZ from time to time use[s]
credit assessment teams in New Zealand to assist with processing home loan
applications during periods of high volume. We would like to retain this
ability to move work across our geographies in order to best meet the needs of
our customers. [The Bill] would represent a much more significant impact than
we expect was intended. It would be a backward step in ANZ's ability to
structure its operations in a way that supports our regional footprint and
delivers our customers efficient, high quality service. At the same time it
would offer no additional privacy protection to our customers.[35]
3.23
The Law Council of Australia noted:
[S]ome authorised deposit taking institutions have
established outsourcing operations with entities based in foreign countries as
a means of providing financial services more economically and contributing to
lower overall prices...The offshore entities may be wholly-owned but foreign
incorporated subsidiaries, or may be unrelated bodies subject to strict service
agreements which require information to be used and dealt with solely for the
purposes of the principal with high levels of security.[36]
Contrast with approach in APP 8
3.24
The Australian Bankers' Association (ABA) contrasted proposed new section 21G,
which contains the general prohibition against the use or disclosure of 'credit
eligibility information' by a 'credit provider', with cross-border disclosures
of personal information (other than 'credit eligibility information') to
overseas recipients under proposed Australian Privacy Principle 8 (APP 8):
APP 8 together with proposed section 16C means a bank will
remain liable if the overseas recipient of the personal information engages in
conduct that would be a breach of an APP (other than APP 1) as if the conduct
had occurred in Australia unless certain limited exceptions in APP 8.2 apply.[37]
3.25
The ABA submitted further:
[T]here seems to be no logical reason why it is necessary for
two different regimes to apply according to the type of personal information
involved –the one, under the credit reporting provisions that imposes a
complete prohibition on the disclosure of credit eligibility information to an
overseas recipient where the recipient has no Australian link and the other,
where the cross border disclosure of personal information other than credit
eligibility information is subject to an accountability rule (section 16C) or
specific exceptions.[38]
3.26
The Australian Finance Conference, ANZ and Optus made similar comments,
noting that the disclosure of equally sensitive personal information to overseas
recipients is permitted under APP 8. For example, ANZ stated:
The Bill allows the cross-border disclosure of other forms of
sensitive information, such as health information and the customer's credit
card transactions, provided the disclosing organisation complies with APP 8...It
is not clear why the disclosure of ['credit eligibility information'] for
legitimate business purposes should be treated more restrictively than
information that is likely to be as sensitive.[39]
3.27
Several submitters recommended that the Bill should allow for the disclosure
of 'credit eligibility information' (CEI) to overseas recipients under APP 8.[40]
As ANZ argued:
[T]he Australia link requirement [should] be removed for
disclosure of CEI for legitimate business purposes to an offshore entity that
is an agent or related body corporate of the disclosing entity. ANZ also
recommends that APP 8 [should apply] to offshore disclosure of credit
information in the same way it applies to other forms of personal information.
These recommendations are predicated on the disclosing entity remaining responsible
in the event of a privacy breach.[41]
Departmental response
3.28
In evidence, a representative from the Department confirmed that the
Bill introduces for the first time a specific rule to deal with the
cross-border disclosure of credit reporting information.[42]
Departmental officers recognised that the implementation of this rule – using
the 'Australian link' requirement – is problematic for some stakeholders due to
the way in which they have structured their business operations:
We are certainly not looking to get into a situation where we
are trying to break business models that banks have established, but we are
looking to reach a more targeted policy outcome.[43]
3.29
The officers also noted APP 8, which deals with the cross border
disclosure of personal information (excluding 'credit eligibility information')
and which has a related accountability mechanism in proposed new section 16C of
the Privacy Act (item 82 of Schedule 1 of the Bill). They explained that it
would not be appropriate to extend this regime to the credit reporting
provisions:
The structure of the credit reporting provisions is to
prohibit all collection, use and disclosure of personal information in the
credit reporting system and then provide targeted exceptions for permitted acts
and practices...[T]he Department considers that simply applying APP 8 without any
modification may undermine the policy of not disclosing Australian credit
information to foreign credit providers. The Department's preferred approach
is to identify options to provide specifically for a targeted disclosure (and
associated use) to deal with off-shore processing. Such a targeted provision
could then impose obligations based on APP 8.1 and proposed section 16C of the
Privacy Amendment Bill to ensure that the Australian credit provider remains
accountable for the personal information in the hands of the overseas processor
recipient. Initial discussions with credit provider stakeholders indicate that
this approach may be acceptable to them. We will continue to work with
stakeholders to refine an approach that can be put to the Attorney-General for
consideration.[44]
'Credit provider'
3.30
Submitters and witnesses were also concerned with certain key
definitions relating to credit reporting in proposed new Division 2 of Part II
of the Privacy Act,[45]
including the definitions of: 'credit provider'; 'credit information'; 'default
information'; 'serious credit infringement'; 'new arrangement information'; and
'repayment history information'.
3.31
Proposed new section 6G (item 69 of Schedule 2) inserts a definition of
the key term 'credit provider' into the Privacy Act. The definition will
include a 'bank' and will allow for certain inclusions and exclusions, such as a
class of organisations or small business operators prescribed by the
regulations (proposed new subsection 6G(6)).
3.32
In relation to 'credit provider', submitters directed their comments
toward the breadth or, conversely, the lack of breadth in the new definition.[46]
For example, Min‑it Software argued that proposed new paragraph
6G(2)(b) of the Privacy Act[47]
widens the current definition of 'credit provider' 'solely for the benefit of
the credit reporting businesses':
Australian Credit Licence ("ACL") holders already
have to hold and retain far more personal information than is really necessary due
to [the National Consumer Credit Protection] Act, the [credit reporting] Code
and [the Australian Securities and Investments Commission's] requirements but
rather than further limiting who has access to personal information, this Bill
will allow additional credit providers to seek, hold and collect personal
information they currently cannot access. Consequently, if many others have
access to an individual's personal information through their work, an
individual's right to privacy has been considerably and directly diminished by
this legislation.[48]
3.33
On the other hand, the Communications Alliance queried whether
telecommunications providers are captured by the definition and noted that proposed
new subsection 6G(6) of the Privacy Act could result in its members being
excluded from the new definition of 'credit provider'.[49]
3.34
However, the Communications Alliance stated that one of its biggest
concerns with the Bill is that it does not allow for the existence of different
kinds of 'credit provider', the different sectors and industries involved,
and the way in which each of these stakeholders uses 'credit information':
We would suggest that the bill be reviewed with the objective
of determining whether each of the credit provider rules is relevant across all
industries and, if not, perhaps removing them from the bill and allowing that
to be dealt with in the credit reporting code.[50]
'Credit information'
3.35
Proposed new section 6N (item 69 of Schedule 2) inserts a definition of
the key term 'credit information' into the Privacy Act. This new definition comprises
certain categories of personal information about an individual (other than
sensitive information). Some of these categories will be further defined in
subsection 6(1) of the Privacy Act, and some categories will be further defined
in other proposed new sections contained in item 69 of Schedule 2 (Key
definitions relating to credit reporting).
3.36
Submitters and witnesses commented on a variety of proposed definitions
for categories of personal information comprising 'credit information'.[51]
For example, Veda contended that the definition of 'identification information'
(item 34 of Schedule 2) will affect the accuracy of approximately 2.4
million credit files and the ability of 'credit reporting bodies' to accurately
match a credit inquiry to a file.[52]
That new definition refers to an individual's current or last known
address, and two previous addresses (if any).
3.37
At the first public hearing, a representative from Veda informed the
committee:
Veda is calling for credit-reporting bureaus to be able to
hold the greater of current address plus two previous addresses or current
address plus all previous addresses over the past five years. The reason why
this is important is that there is a high-risk segment, generally younger
people, who move address very frequently. Under the proposed legislation, we
would lose all of the information that attaches to them once they have moved address
more than twice, so we would very much like that to be remedied in the bill.[53]
3.38
The Department did not agree that 'credit reporting bodies' would 'lose all
information about an individual if the individual moves more than twice in [a] five
year period':
[T]he proposed definition of 'identification information'
includes a range of other types of personal information...The Department
considers that the various types of personal information included in the
definition of 'identification information', in conjunction with the permitted
address information, should be sufficient to identify individuals.[54]
'Default information'
3.39
Proposed new subsection 6Q(1) (item 64 of Schedule 2) inserts a
definition of the key term 'default information' into the Privacy Act in relation
to consumer credit defaults. 'Default information' about an individual is
information about an overdue payment (including one which is wholly or
partially comprised of interest) in relation to consumer credit provided by a 'credit
provider' to the individual if:
- the payment is at least 60 days overdue;
- the 'credit provider' has given the individual written notice
informing the individual of the overdue payment and requesting that the
individual pay the overdue amount;
- the 'credit provider' is not prevented by a statute of
limitations from recovering the overdue amount; and
- the overdue amount is equal to or more than:
- $100; or
- such higher amount as is prescribed by the regulations.
3.40
Submitters raised a number of issues in relation to proposed new subsection 6Q(1)
of the Privacy Act. For example, submitters expressed concerns regarding the
interaction between the notification and listing processes, the threshold
amount, when a default can be listed and for how long, and the interaction
between the hardship provisions in the National Consumer Credit Protection
Act 2009 (National Consumer Credit Protection Act) and the default
provisions in privacy legislation.
Notification and listing processes
3.41
The Consumer Credit Legal Centre (NSW) (CCLCNSW) submitted that the
proposed provision is problematic for consumers 'as it allows credit providers
to subvert the process to disadvantage consumers'. CCLCNSW's submission argued
that a 'credit provider' could list a default immediately after issuing written
notice to an individual:
This is procedurally unfair as it is the notice that is
important in notifying the consumer that there actually is a default! It is
more than possible to be unaware of the default simply because there was a bank
error in direct debits for example.[55]
3.42
CCLCNSW recommended that proposed new paragraph 6Q(1)(b) should be
amended to require 30 days to have elapsed from the date of the written notice
before listing can occur.[56]
In the same vein, the Australian Communications Consumer Action Network (ACCAN)
called for a mechanism whereby consumers can challenge listings when they have
had no opportunity to be notified about an imminent listing:
ACCAN recommends that there be a specific notification requirement
related to the intention to credit list and that this requirement be such that
all reasonable attempts to contact the customer with a specific warning should
be a prerequisite to credit listing.[57]
Threshold amount
3.43
In relation to the threshold amount stipulated in proposed new
subparagraph 6Q(1)(d)(i), the Energy & Water Ombudsman NSW (EWON) supported
prescribing a minimum amount but suggested that a more realistic definition of
the overdue amount would be in the order of $300: 'This would exclude small
utility bills from the adverse consequences of credit listing'.[58]
ACCAN and CCLCNSW concurred,[59]
whereas the Hunter Community Legal Centre submitted that the minimum amount should
be $500 (excluding interest).[60]
Mr Pilgrim agreed that 'there is some merit in looking at that [$300] level'.[61]
Default listings
3.44
Both EWON and the Financial Ombudsman Service (FOS) noted that the Bill
does not specify when 'default information' can be listed.[62]
EWON advised that, in its experience:
[S]ome customers are credit default listed but there is a
delay in the listing, sometimes up to several years after the subject debt
arose. This means that the negative impact on a customer's credit report will
continue well beyond the usual five year period of a credit default listing. It
may also run over the standard period of time a provider has to take legal
action to recover a debt. It seems unreasonable and unfair for the effects of a
debt to be prolonged in this way.[63]
3.45
EWON submitted that it would be useful if the Bill were to provide
clarification on this issue,[64]
whereas the FOS submitted:
[M]andating in legislation a 12 month 'limitation period' is
not sufficiently flexible to deal with the broad range of financial
circumstances that give rise to default listings...A likely response from many
Financial Services Providers will be to no longer act with discretion and
default list all overdue customers within 12 months of the account falling more
than 60 days overdue.[65]
3.46
In its inquiry, the F&PA committee received similar evidence regarding
the timeframe for the disclosure of 'default information'. That committee
recommended that greater clarity should be provided by either the OAIC or in
the credit reporting code,[66]
a recommendation which was accepted by the Australian Government.[67]
3.47
EWON also noted that a listing is for a period of five years (item 4 in the
table to proposed new section 20W of the Privacy Act, contained in item 72 of
Schedule 2 of the Bill) regardless of whether the default amount is $300 or
$30,000. EWON suggested:
[A]nother option could be a 'sliding scale' where the credit
default listing is for a period relative to the amount of the debt, e.g. $1000
or less = 1 year listing; $1001 to $5000 = 2 years listing; $5001 to $10,000 =
3 years listing etc.[68]
3.48
ACCAN agreed that listings should be proportionate to the default amount
and, in any event, two years for telecommunications products.[69]
CCLCNSW endorsed this view with respect to listings related to credit which is
not regulated by the National Consumer Credit Protection Act:
[I]t is unreasonable and excessive to hold default
information on utilities and other debts (that are not credit as defined under
the National Consumer Credit Protection Act) for [five years]...[T]he retention
period for default information on a consumer's credit report for utilities should
be two years.[70]
National Consumer Credit Protection
Act 2009
3.49
Some submitters drew attention to the interaction between the hardship
provisions in the National Consumer Credit Protection Act[71]
and the default provisions in the Bill.[72]
The FOS, for example, advised that a common and increasing basis for complaints
is that an individual is listed while negotiating a hardship arrangement. The
FOS suggested that the Bill address the interrelationship between the two regimes:[73]
[E]ither the [Bill] or the Code of Conduct should set some
parameters as to a Financial Services Provider's obligation to properly
consider any application by a borrower for financial difficulty assistance
before default listing that borrower.[74]
3.50
ARCA similarly suggested alignment of the two legislative regimes by
using the proposed credit reporting code (to be created under Schedule 3 of the
Bill) to achieve that objective:
[This] will allow better alignment between the Privacy Act
and the National Consumer Credit Protection Act arrangements.[75]
'Serious credit infringement'
3.51
Item 63 of Schedule 2 of the Bill repeals and replaces the definition of
'serious credit infringement' in current subsection 6(1) of the Privacy
Act. 'Serious credit infringement' will mean:
(a) an act done by an individual that involves fraudulently
obtaining consumer credit, or attempting fraudulently to obtain consumer
credit; or
(b) an act done by an individual that involves fraudulently evading
the individual's obligations in relation to consumer credit, or attempting
fraudulently to evade those obligations; or
(c) an act done by an individual if:
(i) a reasonable person would
consider that the act indicates an intention, on the part of the individual, to
no longer comply with the individual's obligations in relation to consumer
credit provided by a credit provider; and
(ii) the provider has, after
taking such steps as are reasonable in the circumstances, been unable to
contact the individual about the act; and
(iii) at least 6 months have
passed since the provider last had contact with the individual.
3.52
The CCLCNSW and the Consumer Action Law Centre (CALC) submitted that the
proposed new definition of 'serious credit infringement' (SCI) is one of the
most critical consumer issues in the Bill. The CALC argued:
It is difficult to understate the significance of a credit
provider listing an SCI on a consumer's credit report. An SCI is the most
serious type of listing that can be made apart from bankruptcy, and yet it is
the only listing that can be made based purely on the opinion of a credit
provider at a particular point in time.
Once made, an SCI will ordinarily remain on a credit report
for seven years. They can be very difficult to remove earlier – even if the
consumer can demonstrate that, had the credit provider known all the
circumstances, they would not have made the listing. Further, it is often the
case that SCIs are listed merely because of an error, misunderstanding or
breakdown in communications.[76]
Six-month waiting period
3.53
The CALC expressed concerns in relation to the six-month waiting period
in proposed subparagraph (c)(iii), which it submitted does not require a
'credit provider' to attempt to contact a customer or review the appropriateness
of the listing after six months.[77]
The FOS, which supported the proposed provision, submitted:
[I]t is appropriate that the...Bill include a requirement that
the Financial Services Provider must have taken reasonable steps to contact an
individual and that at least 6 months should have passed without contact prior
to entering a serious credit infringement listing.[78]
Evidence to the F&PA
committee's inquiry and government response
3.54
The CALC referred to the F&PA inquiry where Veda Advantage (now
Veda) and a number of consumer advocates suggested that the definition of 'serious
credit infringement' should be replaced with two new definitions: 'un‑contactable
default' and 'never paid' flag.[79]
In its submission to the current inquiry, the CALC supported this proposal as more
effective and proportionate:
[I]t requires a 'never paid' flag to be automatically removed
after six months (although a default would remain) and for 'un-contactable
defaults' to be removed if contact is re-established at any point with the
consumer.[80]
3.55
In its 2008 report, the Australian Law Reform Commission did not
consider that 'serious credit infringements' should necessarily be limited to
conduct that is fraudulent:
Credit providers have a legitimate interest in sharing
information about the conduct of individuals that falls short of fraud – for
example, where an individual deliberately avoids contact with a credit provider
in order to evade his or her financial responsibilities.[81]
3.56
Further, the Department of the Prime Minister and Cabinet (which then
had portfolio responsibility for privacy matters) noted in its evidence to the
F&PA inquiry that the proposal by Veda and consumer advocates:
...appears to remove any element of fraudulent activity from
consideration, apparently reclassifying serious credit infringements into a default
that occurs when a person cannot be contacted.[82]
3.57
The F&PA committee accepted this evidence and noted its concern that
the stakeholder proposal 'does not reflect the serious nature of intentional
credit fraud as is provided for in the credit reporting system'.[83]
That committee recommended:
...that consideration be given to a change of approach in
dealing with serious credit infringements to allow for those listings, not
relating to intentional fraud, to be dealt with in a different manner.[84]
3.58
The Australian Government accepted this recommendation[85]
and in response has inserted proposed subparagraph (c)(iii) into the new
definition of 'serious credit infringement' in the current Bill.[86]
According to the EM to the Bill, this is intended to provide 'a practical
timeframe in which the individual may be able to pay the debt before a serious
credit infringement is listed'.[87]
In addition, the Department noted that the credit reporting code will:
...provide further requirements and guidance in relation to the
reasonable steps that a credit provider must take to contact an individual.
This may include requirements relating to the number of attempts to contact the
individual and other related matters.[88]
'New arrangement information'
3.59
Proposed new section 6S (item 69 of Schedule 2 of the Bill) inserts a
definition of the term 'new arrangement information' into the Privacy Act.
While similar to a hardship arrangement under the National Consumer Credit
Protection Act, 'new arrangement information' is distinguishable by the point
in time at which a 'credit provider' has disclosed the existence of 'default
information' or a 'serious credit infringement':
Where an individual is overdue in making payments in relation
to consumer credit a credit provider may choose to enter into a new arrangement
with the individual. Such a new arrangement only satisfies the definition of 'new
arrangement information' if the credit provider has previously disclosed 'default
information' or a 'serious credit infringement' in relation to the individual's
overdue payments [that is, a listing has occurred]...In some circumstances prior
to a default, the credit provider and the individual may agree on a hardship
arrangement, as provided for in the [National Consumer Credit Protection] Act.
Hardship arrangements that satisfy the requirements of the [National Consumer
Credit Protection] Act are not included within the meaning of 'new arrangement
information'.[89]
3.60
Two submitters – ARCA and ANZ – commented on the Bill addressing only
situations involving post-default hardship. Both noted that pre-default
hardship arrangements would not come to the attention of other participants in
the credit reporting system, potentially leading to consumer detriment due to
the reporting of adverse repayment history. As ANZ explained:
Where a temporary arrangement is in place, and even though an
individual is meeting the terms of that arrangement, credit providers will be
required to report that the individual did not make their required monthly
payment. The consequence is that an individual who is complying with a
temporary arrangement will be treated in the same way as an individual who has
simply failed to make required payments.[90]
3.61
ANZ argued that 'credit providers' should be able to accurately report
the status of a customer experiencing temporary hardship but who is making
agreed payments:
[T]he Bill should provide a mechanism to indicate that an
individual is subject to a hardship arrangement, such as a temporary hardship
flag. The flag would only be visible when the individual was in a hardship
arrangement and would be removed once the hardship arrangement ended. Such an
approach would reduce the chance of a consumer in hardship being
inappropriately provided additional credit but would not adversely impact the
ability of the consumer to obtain credit in the future.[91]
3.62
Mr David Niven from the Financial Ombudsman Service told the committee
that the difficulty is that 'the ground rules as to how [financial hardship]
ought [to] be treated by a credit provider acting in good practice are unclear':
[A consumer] will be making a payment arrangement but [they]
will nonetheless be behind on [their] contractual repayments. There will then
be an issue as to whether or not that is a variation: is that a binding
variation so that I am no longer a consumer in default, or is it, as the
upmarket lawyers call it, simply an indulgence so that they are prepared to
accept that without prejudice to their rights and I could still be listed?[92]
3.63
Ms Katherine Lane from CCLCNSW thought it better that the Bill remain
silent on these issues:
[I]t is essential that consumers are encouraged to request
financial hardship when needed. If there is a negative consequence of doing
that, that would be very unfortunate. I support the bill being silent on this
issue. I think it is something that could be worked out perhaps in the [regulations]
or the code.[93]
Departmental response
3.64
The Department recognised that the credit reporting industry has called
for a 'hardship flag' to be included in the 'credit information' of an
individual who has been provided with a hardship variation under section 72 of
the National Consumer Credit Protection Act. However, this argument has been
rejected by the Australian Government:
Hardship variations cannot be listed as part of an individual's
credit reporting information. The Government is concerned that permitting the
listing of hardship variations may act as a deterrent to individuals seeking
hardship variations in appropriate circumstances (including following a natural
disaster) and this would be contrary to the intention of providing the right to
request a hardship variation.[94]
'Repayment history information'
3.65
The introduction of more comprehensive, or positive, credit reporting to
provide additional information about an individual's ongoing credit
arrangements is one of the five major reforms contained in Schedule 2 of the
Bill.[95]
This reform will introduce five new data sets into the credit reporting system,
one of which will be 'repayment history information'.
3.66
Proposed new subsection 6V(1) (item 69 of Schedule 2) inserts a
definition of the term 'repayment history information' into the Privacy Act. 'Repayment
history information', in relation to consumer credit given to an individual by
a 'credit provider', will mean:
-
whether or not the individual has met an obligation to make a
monthly payment that is due and payable;
- the day on which the monthly payment is due and payable; and
-
if the individual makes the monthly payment after the day on which
the payment is due and payable – the day on which the individual makes that
payment.
3.67
Most submitters and witnesses commented on the application of the term
'repayment history information' within proposed new Part IIIA of the Privacy
Act (item 72 of Schedule 2).[96]
However, ARCA argued that the new definition of 'repayment history information'
is inconsistent with how 'credit providers' and 'credit reporting bodies'
(CRBs) determine missed repayments:
[R]ather than requiring Credit Providers and CRBs to have to
devise an alternative means of calculating missed payments (delinquency)...the
definition [should] allow the inclusion of an indicator for whether the
individual is up to date with their payments, and if not, an indicator of how
long their oldest overdue payment has been outstanding.[97]
Navigation: Previous Page | Contents | Next Page