The credit reporting regime that has been in operation for over 20 years is long overdue for reform. The new regime that comes into operation on 12 March 2014 should facilitate improved credit assessment decision making, but has complex features that could increase the compliance burden for industry.
The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (the Act), which implements long-foreshadowed reforms to the Privacy Act 1988 (Cth) (the Act), received Royal Assent on 12 December 2012. The reforms will have a significant impact on the way companies and government agencies handle various forms of personal information. One of the key elements of the privacy reforms is the long-awaited move towards a more comprehensive credit reporting system. The main provisions of the new regime will come into effect on 12 March 2014. The 15-month gap between enactment and commencement is to give industry time to prepare for the changes and also to provide further time for the Office of the Australian Information Commissioner (OAIC) to develop guidance material and for a Credit Reporting Code of Conduct to be developed, approved and registered.
The Explanatory Memorandum explains that:
"… the purpose of the credit reporting system is to balance an individual’s interests in protecting their personal information with the need to ensure sufficient personal information is available to assist a credit provider to determine an individual’s eligibility for credit following an application for credit by an individual."
Consequently, the reforms are a move to a “more comprehensive” system, not the implementation of a positive credit reporting system. It will not be a system that covers every piece of credit-related personal information about an individual, but it will include some important new data sets that should assist in the credit assessments carried out by credit providers.
The Act uses a number of core definitions to better identify information flows within the credit reporting system, rather than basing the regulatory framework on a single definition of “credit reporting information”. The intention of the amendments was to simplify the regime, but it is arguable whether this has been achieved — particularly given the increased number of definitions under the new provisions (from 7-40 or more). Many of these definitions build on each other, and different rules apply to different types of credit-related information in the hands of different participants.
Who will the changes apply to?
As with the old Pt IIIA of the Act, the new regime will regulate the collection, use and disclosure of personal information by credit providers and credit reporting bodies (previously referred to as “credit reporting agencies”). The definition of “credit provider” has been broadened to include an agency, organisation or small business that is prescribed by the regulations, as well as those that carry on a business or undertaking that involves providing credit, while a “credit providing agency” includes an organisation or prescribed agency that carries on a credit reporting business.
New categories of credit information
The current credit reporting regime has been described as a “negative” system that mainly regulates the handling of personal information that could be adverse to an individual’s creditworthiness (such as being listed for a default). One of the key amendments that is generally viewed by the credit industry as a favourable amendment (as it increases the amount of information that can be included as credit information) is a move to a more “comprehensive” consumer credit reporting regime. The Australian Law Reform Commission uses the term “comprehensive” credit reporting to describe the inclusion of additional information that would feature in a “positive” credit reporting system—that is, information that demonstrates an individual’s credit account activity.
The amendments will allow credit reporting system participants to handle five new categories of “positive” credit information, in addition to the information currently permitted in credit information files under the Act. The first new category of “positive” credit information is “repayment history information”. The other four new categories of “positive” credit information fall within the new definition of “consumer credit liability information”. Each of these definitions is considered below.
Repayment history information
This is probably the most significant new data set. “Repayment history information” is information about whether the individual has met an obligation to make a monthly payment that is due and payable in relation to consumer credit, the day on which the monthly payment is due and payable, and (if paid after the due date) the day on which the individual makes the payment.
It appears that the listing of repayment history will be standardised to a monthly cycle, irrespective of the actual repayment cycle for an individual.
The credit reporting regulations may make provision in relation to whether or not an individual has met an obligation to make a monthly payment that is due and payable in relation to consumer credit, and whether or not a payment is a monthly payment. As at the date of this article, no draft regulations have been released.
Access to repayment history information is limited to credit providers who hold Australian credit licences (ACLs) and who are subject to responsible lending obligations under Ch 3 of the National Consumer Credit Protection Act 2009 (Cth) (and to mortgage insurers in certain defined circumstances). The corollary of this restriction is that only credit providers who hold ACLs can disclose repayment history information to credit reporting bodies. There was a push by industry in submissions on the Exposure Draft of the Act to expand the category of persons who can report repayment history information to persons who do not hold an ACL. However, the Senate Finance and Public Administration Committee noted that the government’s position was very clear that non-bank data was not intended to be used and that it was never envisaged that the regime would be a “fully positive” regime.
Consumer credit liability information
“Consumer credit liability information” is defined to include the type of credit account opened by the individual, the name of the provider and whether they are a licensee, the date on which the consumer credit was entered into and terminated, and the current limit of the credit account.
Regulations and the registered credit reporting code
The regulations and the registered credit reporting code (CR Code) are expected to provide additional details on the information that can be handled by credit reporting participants as part of the five new categories of credit information.
There can be only one registered CR Code. The proposed amendments to the Act include a mechanism for the Information Commissioner to invite a CR code developer to develop a CR code and apply to the Commissioner for the code to be registered. The Australian Retail Credit Association (ARCA) is taking a lead role in facilitating industry and community feedback on the formulation of the CR Code. A draft CR Code is currently being developed by industry through the Code Industry Council, established by ARCA. The revisions to the CR Code mark the first time that the CR Code has been reviewed, and the changes are paramount in overseeing a stronger and more transparent credit reporting process. It is expected that the CR Code will impact extensively on systems used by credit reporting bodies and credit providers to handle information about credit.
The following three-pillar approach is proposed by ARCA.
- Single data standard: Ensuring that a consistent data standard underpins the integrity of the credit reporting system. A single data standard will allow for data to be transparently and efficiently viewed and exchanged. The data standard will support each of the three tiers of data (negative, partial and comprehensive) and better ensure that data in the credit reporting system is accurate, complete and up-to-date.
- Reciprocity: Applying the principal of reciprocity, which asserts that credit providers must contribute all of their chosen level of data (negative, full or partial comprehensive) in order to receive the same level back in return. ARCA believes that reciprocated information exchanges between providers and bodies is a far more effective means to maintain accurate, complete and up-to-date data than exchanges contracted individually or on a case-by-case basis.
- Compliance: Oversight by an independent regulator. ARCA recognises the need to build a framework that supports a scalable approach to CR Code compliance, and to promote an environment where compliance standards to the CR Code are achievable, realistic and address the critical needs of industry and consumers.
Complexity and additional responsibilities
While the existing credit reporting regime is complex and long-overdue for reform, the new regime is possibly even more complex. As noted above, the proposed provisions involve numerous new definitions, many of which build on each other, and different rules apply to different types of credit-related information in the hands of different participants. In particular, credit providers disclose “credit information” to credit reporting bodies, and credit reporting bodies disclose “credit reporting information” to credit providers. Further, credit providers can disclose “credit eligibility information” to other credit providers, “affected information recipients” and other parties specified in the Act.
The expansion of the categories of information that may be handled comes with increased responsibilities in a number of areas, including in terms of ensuring the quality of the data being transferred and informing participants in the system of any corrections to credit information previously disclosed.
This is coupled with prescribed dispute resolution procedures that aim to give consumers an accessible avenue for redress with respect to any perceived issues with their credit information.
- Additionally, the amendments will introduce specific rules about:
- the “pre-screening” of credit offers, in particular:
- the circumstances in which an assessment about an individual may be made by a credit reporting body on behalf of a credit provider using credit information about the individual with regard to whether or not the individual is eligible to receive the direct marketing communications of the credit provider;
- the manner in which that assessment may be used for the purposes of direct marketing by or on behalf of the credit provider; and
- when pre-screening assessments must be destroyed;
- the freezing of access by participants to an individual’s personal information in cases of suspected identity theft or fraud;
- system participants’ retention obligations for different categories of personal information; and
- the handling by credit reporting bodies of credit reporting information that is de-identified — personal information is de-identified information if it is no longer about an identifiable individual or an individual who is reasonably identifiable (currently, there are no restrictions on the use or disclosure of such information).
Statutory requirement for practices, procedures and systems
New sections 20B and 21B included in the Act are based on the obligations set out in Australian Privacy Principle (APP) 1, which has been modified to apply specifically to credit reporting bodies and their handling of credit reporting information, and credit providers and their handling of credit information and credit eligibility information. Sections 20B(2) and 21B(2) impose a general requirement on credit reporting bodies and credit providers to take “reasonable steps” to implement practices, procedures and systems relating to the credit reporting business of the body and the provider’s functions or activities as a credit provider.
The Explanatory Memorandum for these clauses provides that it is anticipated that credit reporting bodies and credit providers:
"… will demonstrate their compliance with this obligation by, for example, developing and maintaining training programs, staff manuals, standard procedures and any other relevant documents that demonstrate awareness of, and compliance with, their obligations under the Division and the registered CR code."
In addition, it is expected that credit reporting bodies and credit providers demonstrate that their business systems, such as their data management systems, comply with the requirements of the Division or the registered CR code.
Under the new section 20B(3), a credit reporting body must have a clearly expressed and up-to-date policy about the management of credit reporting information by the body that will ensure compliance with the requirements of the Division and the registered CR Code and will enable them to deal with inquiries or complaints about their compliance. Similarly, under section 21B(3), the credit provider must have a clearly expressed and up-to-date policy about the management of credit information and credit eligibility information by the credit provider.
The statutory requirement to have practices, procedures and systems in place is new to the privacy regime and clearly is intended to raise the standard of compliance expected in this area. Organisations receiving credit reports or otherwise involved in credit reporting will need to review existing policies and systems to ensure that they are sufficiently robust to meet the enhanced requirements under the new reforms.
New powers and penalties
One of the most critical elements of the new regime is that it comes with significant teeth to back up its requirements. This includes significant additional powers for the Information Commissioner, such as:
- a power to conduct an assessment of whether personal information held by an entity is being maintained according to the APPs, credit reporting provisions and other specified rules or codes (section 33C of the amended Act);
- a power to direct a Commonwealth agency to conduct a privacy assessment on any proposed activity that could have an impact on privacy;
- the ability to recognise external dispute resolution schemes that are capable of dealing with privacy related complaints — the amendments will also allow the Information Commissioner to decline to investigate a complaint if it is already being, or would be more effectively or appropriately, dealt with by a recognised external dispute resolution scheme; and
- a power to accept enforceable undertakings by entities that they will take specified action or refrain from taking specified action or take specified action directed towards ensuring that that the entity does not in future interfere with the privacy of an individual (section 33E of the amended Act)—the undertakings are enforceable by the Information Commissioner upon application to the Federal Court or the Federal Magistrates Court (section 33F of the amended Act).
The Information Commissioner’s powers to initiate own motion investigations continue in a slightly expanded form (section 40(2) of the amended Act). Actions that are available to the Information Commissioner after an investigation into an act or practice that could be an interference with an individual’s privacy include:
- making a declaration that an interference of privacy has occurred; and
- ordering an entity to take specific action to prevent further repeats of the acts or practices investigated.
Additionally, the Information Commissioner’s powers to make various determinations, including a declaration that a person is entitled to compensation, which may include injury to feelings or for humiliation suffered, remain with respect to investigations of complaints and now also apply after an own motion investigation (section 52(1A) of the proposed amended Act).
Finally, and possibly most importantly, the Act contains a significant new civil penalty regime. Certain provisions of the Act, which include many of the credit reporting obligations, are designated as civil penalty provisions. Where there is a contravention of those provisions, the Information Commissioner is able to apply to the Federal Court or the Federal Magistrates Court for a civil penalty order (section 80W(1) of the amended Act). Contraventions includes certain standard ancillary contraventions specified in section 80V of the amended Act, such as if a person aids, abets, counsels, procures or induces a contravention. Civil penalties of up to 2000 penalty units ($340,000) apply for an individual for contraventions of the credit reporting requirements, and10,000 penalty units ($1,700,000) apply for corporations.
Entities should be aware of these significant new penalties, together with the associated press attention and reputational risk potentially created by Federal Court proceedings. A further key concern here is that many of the penalties and offences are strict liability offences. As a result, under section 6.1 of the Commonwealth Criminal Code, the offences will not require the penalised party to have intent, knowledge, recklessness or negligence. For example, there is a prohibition on a credit provider disclosing credit information to a credit reporting body under section 21D if the information is false or misleading in a material particular (section 21R). This has a 2000 penalty unit civil penalty attached to it, and there is no requirement for intent.
On a personal note — the Information Commissioner’s warning
In light of the above changes, the Information Commissioner has released a warning to individuals to be aware that if they don’t pay their credit card bills and loans on time, it may impact their ability to get credit in future. Credit reporting agencies will soon be able to collect all kinds of credit-related personal information, including repayment history information. While credit providers cannot pass this information on to credit reporting agencies until the commencement of the reforms from March 2014, the information can relate to payments made or missed from December 2012.
The reforms to the Act represent major change in the manner in which personal information is collected and used by credit providers in a credit-reporting context (and more widely under the APPs). Credit providers will need to review current processes and procedures to ensure that these changes are actioned appropriately within their organisation. The Credit Reporting Code is a key component of the reforms and it will be critical for credit providers to consider the Code in detail, when it is ultimately finalised by industry and ARCA.
This article was first published in the Australian Banking and Finance Law Bulletin, March 2013
 The Act was agreed to by the House of Representatives on 17 September 2012 and the Senate on 27 November 2012. It was then passed back to the House of Representatives for consideration of amendments suggested by the Senate. The text of the Act passed both Houses on 29 November 2012. Back to article
 House of Representatives, Privacy Amendment (Enhancing Privacy Protection) Bill 2012, Explanatory Memorandum, p 90. Back to article
 See new s 6G of the Act. Back to article
 See s 6(1) of the Act. Back to article
 See new s 6V of the Act. Back to article
 See the issues paper developed by the Australasian Retail Credit Association (ARCA): Updating the 1996 Credit Reporting Code of Conduct March 2012 pp 16–20, available at http://www.creditcodeindependentreview.com.au/. Back to article
 See new s 6V(2) of the Act. Back to article
 See new s 20E(4) of the Act. Back to article
 See new s 21D(3)(c)(i) of the Act. Back to article
 See the Explanatory Memorandum, above, n 2, p 92. Back to article
 See new s 26S(4) of the Act. Back to article
 See the new Pt IIIB Div 3 Subdiv B (ss 26P–26S) of the Act. Back to article
 See the Credit Reporting Code of Conduct Independent Review webpage at http://www.creditcodeindependentreview.com.au/. Back to article
 See the Australasian Retail Credit Association “Credit Reporting Code of Conduct” available at http://www.arca.asn.au/. Back to article
 “Credit reporting information” about an individual is comprised of “credit information” and “CRB defined information” about the individual: see the proposed new definition of “credit reporting information” in s 6 of the Act. Back to article
 For example, see the new s 22A of the Act (regulating affected information recipients). Back to article
 See the new s 20N of the Act in relation to credit reporting bodies. Back to article
 See the new s 20S of the Act in relation to credit reporting bodies. Back to article
 See the new Pt IIIA Div 5 of the Act (ss 23–23B). Back to article
 See the new ss 20G, 20H and 20J of the Act. Back to article
 See the new ss 20K (restrictions on credit reporting bodies) and 21F (restrictions on credit providers) of the Act. Back to article
 See the new ss 20W (retention periods for credit information), 20X (retention periods for credit information — personal insolvency information) and 20V (credit reporting bodies’ obligations upon the expiration of the retention period in respect of credit information) of the Act. Back to article
 See the new s 20M of the Act. Back to article
 See s 6(1) of the Act, as amended to take effect from 12 March 2014. Back to article
 See the Explanatory Memorandum, above, n 2, pp 131 and 159. Back to article
 See the Explanatory Memorandum, above, n 2, pp 131 and 159. Back to article
 See the Explanatory Memorandum, above, n 2, pp 131 and 159. Back to article
 See Privacy Commissioner “Pay your bills to avoid new year credit defaults” media release 13 December 2012, available at http://www.oaic.gov.au/. Back to article