07 Jun 2012
Credit reporting privacy reforms: Comprehensive complexity?
While the existing credit reporting regime is complex and long overdue for reform, the new regime is possibly even more complex, but might be a reasonable trade-off for improved credit assessment decision-making.
The Privacy Amendment (Enhancing Privacy Protection) Bill introduced in the Commonwealth Parliament on 23 May 2012 implements long foreshadowed reforms to the Privacy Act. A key element of the privacy reforms is the long-awaited move towards a more positive credit reporting system.
The Explanatory Memorandum explains that "(T)he purpose of the credit reporting system is to balance an individual's interests in protecting their personal information with the need to ensure sufficient personal information is available to assist a credit provider to determine an individual's eligibility for credit following an application for credit by an individual".
Consequently, the reforms are a move to a "more comprehensive" system, not the implementation of a positive credit reporting system. It will not be a system that covers every piece of credit related personal information about an individual, but will include some important new data sets that should assist in the credit assessments carried out by credit providers.
New categories of credit information
Front and centre of the amended regime are five new categories of credit-related personal information that will be permitted in the credit reporting system.
The current credit reporting regime has been described as a "negative" system that mainly regulates the handling of personal information that could be adverse to an individual's creditworthiness (such as being listed for a default).
In contrast, the amendments will allow credit reporting system participants to handle a number of more "positive" categories of credit information. They include:
"repayment history information" – this is probably seen as the most significant new data set. Repayment history information is information about whether the individual has met an obligation to make a monthly payment that is due and payable in relation to the consumer credit, the day on which the monthly payment is due and payable, and (if paid after the due date) the day on which the individual makes the payment.
Repayment history information is only available to credit providers who hold Australian credit licensees and who are subject to responsible lending obligations under Chapter 3 of the National Consumer Credit Protection Act 2009 (Cth) (and to mortgage insurers in certain defined circumstances);
"consumer credit liability information" – this includes the type of credit account opened by the individual, the date on which the consumer credit was entered into and terminated and the current limit of the credit account.
Complexity and additional responsibilities
While the existing credit reporting regime is complex and long overdue for reform, the new regime is possibly even more complex. The proposed provisions involve numerous new definitions, many of which build on each other. Different rules apply to different types of credit-related information in the hands of different participants and, similarly to the current regime, there is still a registered credit reporting code to be developed that will supplement the provisions in the Privacy Act.
The expansion of the categories of information that may be handled comes with increased responsibilities in a number of areas, including in terms of ensuring the quality of the data being transferred and informing participants in the system of any corrections to credit information previously disclosed.
This is coupled with prescribed dispute resolution procedures that aim to give consumers an accessible avenue for redress with respect to any perceived issues with their credit information.
Additionally, the amendments will introduce specific rules about:
- the pre-screening of credit offers;
- the freezing of participants' access to an individual's personal information in cases of suspected identity theft or fraud;
- system participants' retention obligations for different categories of personal information; and
- the handling by credit reporting bodies of credit reporting information that is de-identified.
Statutory requirement for practices, procedures and systems
Also included in the new reforms are enhanced obligations dealing with a requirement to have a credit reporting policy in place as well as to take "reasonable steps" to implement practices, procedures and systems for credit reporting obligations.
The statutory requirement to have practices, procedures and systems in place is also new to the privacy regime more generally and arguably evokes a higher standard of compliance in this area. Organisations receiving credit reports or otherwise involved in credit reporting may need to review existing policies and systems to ensure they are sufficiently robust to meet the enhanced requirements under the new reforms.
Perhaps one of the most critical elements of the new regime is that it comes with significant teeth to back up its requirements. The Bill contains a civil penalty regime that can result in penalties of up to 2,000 penalty units for contraventions of the credit reporting requirements, which translates to $1,100,000 for corporations, as well as criminal offences.
Regardless of any increased complexity or possible preference for a full, positive credit reporting system, generally the amendments have been supported by participants in the credit industry and credit reporting industry.
Some participants have flagged the potential for more competition in credit markets, possibly making more innovative credit offerings available to consumers at a lower cost.
While participants may need to revise existing documents, policies and procedures to ensure compliance with the new regime, it is hoped this will be a reasonable trade-off for improved credit assessment decision-making arising from utilisation of the additional information now available.
You might also be interested in...