A major area of concern with submitters was the proposed complaints
handling process. Submitters noted that effective complaints handling allowed
individuals to enforce their rights, regulators to access valuable data to
identify breaches or systemic issues and the public to have trust in the
system. However, there was concern that the process contained in the Exposure
Draft would not assist consumers and would impose onerous conditions on credit
reporting agencies and credit providers. In addition, the prescriptiveness of
the operational processes contained in the Exposure Draft was seen as removing
the focus on the outcomes being sought, resulting in a complex process.
The following discussion canvasses the general concerns with the
complaints handling provisions contained in the Exposure Draft as well the
outcome of the consultation process undertaken between industry stakeholders
and consumer advocates.
The proposed complaints handling process
The Exposure Draft provides for an individual to request access to, or
correction of, certain information. Access must be granted within a reasonable
period, but not longer than 10 days, while a correction must be made within 30
days (or a longer period as agreed by the individual in writing). If the credit
reporting agency or the credit provider refuses access to, or correction of, the
information, they must within a reasonable period, provide the individual with
a written notice giving reasons for that decision, and setting out the
complaints provisions. Individuals may also complain about an act or practice
engaged in by a credit reporting agency or credit provider that may be a
'credit reporting infringement'. A credit reporting infringement involves a
contravention of Part A (which contains all the key provisions except
definitions) or of the Credit Reporting Code.
Division 5 of the Exposure Draft contains detailed provisions about how
a credit reporting agency or credit provider (the respondent) must respond to
the complaint, including:
- the respondent for the complaint must provide a written notice to
the individual making the complaint within seven days after the complaint is
made and must investigate the complaint;
- the respondent may consult with other credit reporting agencies
or credit providers in the investigation of the complaint; and
- a determination about the complaint must be made within 30 days
and the respondent must provide the individual with a written notice setting
out the determination and explaining to the individual that, if they are not
satisfied, they may make a complaint to the Information Commissioner or access
the respondent's external dispute resolution (EDR) scheme.
Division 5 also contains notification requirements in relation to
complaints concerning corrections of information or a credit reporting
infringement. Notification requirements include notification of recipients of
disclosed information. Exceptions to the notification requirements are provided
for in two circumstances:
- if it is impracticable for the credit reporting agency or credit
provider to give notification; or
- where an Australian law, or an order of a court or tribunal,
requires that notification not be given.
If a complaint cannot be resolved to the satisfaction of the individual,
the matter may be referred to an external dispute resolution (EDR) scheme or
the Australian Information Commissioner.
Issues raised in submissions
Complexity, lack of flexibility and
Submitters noted that the consumer must first apply to have information
corrected, then lodge a written complaint if the information is not corrected
and wait for an outcome to this process and then lodge in an external dispute
resolution (EDR) scheme. While ARCA supported separate procedures for complaint
handling and correction, other submitters did not.
The Office of the Australian Information Commissioner (OAIC), Consumer Action
Law Centre (Consumer Action) and Consumer Credit Legal Centre NSW (CCLC) voiced
concern that the two stop approach resulted in a complex complaints handling
The OAIC commented that the current regime in the Privacy Act requires
only a single step for a correction request, followed by refusal before an
individual may complain to the Information Commissioner. The OAIC stated that
the additional step 'may create complexity and delay for individuals' while
CCLC argued that the process provided for in the Exposure Draft 'is needlessly
cumbersome and set up to fail'.
CCLC and Consumer Action argued that a request to correct information
should be considered to be a complaint.
Consumer Action commented that most consumers were likely to believe that, in
requesting that information be changed, they are lodging a complaint. Ms Carolyn
Bond, Consumer Action, stated:
It is actually an additional step if you compare it to
complaints that people currently make under the legislation that relates to
complaints about insurance companies, banks and everything else. I think that
will be a real problem for consumers, who will not understand why they have to
lodge a complaint twice. The simple way to deal with that is to regard the
consumer saying, 'I think there is an error in my credit report,' as a
complaint for the purposes of them being able to go to external dispute
resolution if it is not fixed.
Consumer Action and the Australian Privacy Foundation (APF) also
commented that the meaning of complaint may be inconsistent with Australian Standard
ISO 10002–2006 and therefore the meaning adopted by the Australian Securities
and Investment Commission (ASIC), ASIC licensees, financial services licensees and
Consumer Action noted that according to the Australian Complaint Handling
Standard, a complaint is an 'expression of dissatisfaction made to an
organisation, related to its products, or the complaints handling process
itself, where a response or resolution is explicitly or implicitly expected'. It
was argued that 'under this definition, once someone has requested a
correction, they had made a complaint and they should not be required to make a
further complaint before they are advised about their option to take the matter
to an industry dispute resolution scheme'.
Consumer Action concluded that the mechanism as envisaged leads to a
high proportion of consumers 'dropping out' of the process:
In practice, our experience shows that the effect of this
would be that many consumers who are unsuccessful in seeking a change in their
credit information would take no further action – in part because they will be
unaware they can complain further, or that there are independent bodies that
can deal with their complaint.
Consumer Action and the CCLC supported amending the provisions in the
Exposure Draft so that a request for a correction to information is taken as a
The Energy & Water Ombudsman NSW (EWON) also raised concerns that
the complaints handling process may result in a matter relating to the accuracy
of credit information not being referred to an EDR or the Information
Commissioner for 60 days. EWON suggested that this is an unreasonable length of
time given the potential detrimental impact on a consumer.
In addition, EWON, Consumer Action and the CCLC supported an amendment
requiring the respondent to provide information to the complainant on the EDR
schemes and the Australian Information Commissioner when the respondent first
writes to the complainant and not after the complaint is determined.
Lack of flexibility
The National Australia Bank (NAB), Australian Bankers' Association (ABA)
and the APF noted that complaints had to be in writing.
Submitters commented that many consumers do not always lodge written complaints;
rather, they interact with providers through shopfronts, or by telephone, mail,
email, website, SMS, Twitter or Facebook. Optus stated that 'it is therefore disappointing
to see obligations in the Exposure Draft that require providers to give written
notice to their customers on several occasions during a complaint investigation'.
Optus concluded that 'this lack of flexibility does not provide a good customer
experience and generally adds to lengthen and complicate the complaint handling
process' and recommended that the Exposure Draft be reviewed to more thoroughly
consider the impacts on credit providers outside the banking and financial
The Communications Alliance voiced similar concerns and added that 'it would
appear that a reliance on such a formal process actually makes it more
difficult for consumers to receive a prompt response to their complaints'.
The APF commented that 'the law should not prevent consumers from taking
advantage of more accessible processes' while the ABA commented that this did
not provide flexibility for technological advances.
The NAB and ARCA also voiced concern about the obligation on the
respondent to provide a written notice to the complainant within seven days
which acknowledges the complaint and sets out how the respondent will deal with
the complaint. As a reasonable number of complaints are resolved within
48 hours of receipt, this requirement was seen as unnecessary, wasteful and
potentially irritating for the consumer. The NAB supported an approach whereby
the notification requirement is dependent on whether a complaint has already
The Telecommunications Industry Ombudsman (TIO) also queried the need
for a written acknowledgment for a complaint that has been made informally over
the telephone, particularly when the matter is simple and can be dealt with
quickly. The TIO commented that the requirement to go through a formal process
of acknowledgment may present an obstacle to speedy and effective dispute
The EWON was of a similar view and stated that such a requirement 'may be an unnecessary
burden for those credit providers who are able to resolve a consumer's
complaint in less than 7 days'.
Both the TIO and EWON commented on the timeframes for dealing with
complaints (section 158). The EWON submitted that when a customer makes a
complaint of inaccuracy about any aspect of the utility debt listed with a
credit reporting agency, 'we consider it is fair and reasonable to the customer
who has been adversely affected by this that their complaint is investigated as
soon as possible'. In most circumstances, it would be expected that any such
investigation take no more than 10 business days, and that a 30 day limit
should be an absolute maximum for a complex case.
The TIO also commented that where the complaint outcome is unfavourable to the
consumer, the notification should be made as soon as possible in order that the
individual may consider approaching alternative dispute resolution forums.
ARCA suggested that the 30 day timeframe for providing the consumer with
a determination should not start until the relevant party has received the
complaint. ARCA noted that recent industry discussions with EDR schemes
(including the Financial Ombudsman Service (FOS), the TIO, and the EWON)
supported this position.
In exceptional circumstances such as in a complex complaint involving
multiple parties, it may be necessary to extend the period for resolving such a
complaint (paragraph 158(5)(b)). The CCLC commented that it was concerned that
this requirement was contrary to the ALRC's recommendation to produce evidence
to substantiate a complaint within 30 days. The CCLC argued that individual
complainants may feel pressured into accepting a longer dispute resolution
period without any knowledge of their rights under the Privacy Act. In
addition, 'the spirit of the recommendation is that listing should not remain
without substantiation' and concluded that 'this provision creates a loop-hole
which potentially defeats this requirement'.
The committee also received comments, that the timeframes included in
the Exposure Draft are at variance with the timeframes in other regulatory
regimes such as ASIC Regulatory Guide 165 (RG165), Australian Standard ISO
10002-2006 and telecommunications sector obligations. In particular, it was
- subsection 158(5) provides for a maximum timeframe of 30 days for
resolution, or longer if the complainant agrees in writing, while RG165.9
provides for a maximum timeframe of 45 days with no possibility of extension;
- RG165.100 provides for 21 days to respond to a complaint
concerning a default notice; and
- the 30 days in the Exposure Draft begins from the date a
complaint is made, rather than when the complaint is received as provided for
Inconsistency with other standards
A further matter raised in relation to complexity was that the
obligations in the complaints handling process differ from existing industry
standards. A number of submitters commented that financial service providers
and others, such as those which provide lenders' mortgage insurance, already
comply with ASIC RG165.
RG165 applies to all credit licensees and contains specific timelines and
procedures for complaints processes. The ANZ Bank submitted that the complaints
handling requirements in the Exposure Draft differ from the requirements of
Australian Credit Licence (ACL) holders under RG165. The ANZ Bank went on to
Given that a complaint under section 157 is likely to also be
a complaint for the purposes of RG 165 it will be difficult for credit providers
who are licensees to comply with both sets of requirements.
The ANZ Bank recommended that the provisions be amended so that credit
providers, who are licensees under the National Consumer Credit Protection Act,
are under the same obligations for handling customer complaints as they are
under their ACLs.
The Insurance Council of Australia added that it was not aware of any policy
reasons for such differences and suggested that the timeframes in the Exposure
Draft to acknowledge and respond to complaints be removed.
ARCA also commented that Australian Standard ISO 10002-2006 is 'widely
recognised as best practice for managing consumer complaints, and it is widely
applied across sectors and scalable to suit a range of organisations'. ARCA
recommended aligning the timeframes in the Exposure Draft with existing
obligations for complaints handling. For example, the consultation Draft of the
Electronic Funds Transfer (EFT) Code of Conduct directs subscribers to comply
with AS ISO 10002‑2006 and RG165 instead of establishing its own
timeframes and standards.
Both the Communications Alliance and Optus commented that the proposed
provisions do not appear to take into account existing legislative and
regulatory obligations in the telecommunications sector.
It was argued that if the proposed complaints handling regime applied to the
telecommunications industry, different obligations would be imposed depending
the type of complaint received: credit reporting matters under the Privacy Act;
and other types of telecommunications complaints in accordance with the
timeframes and requirements under the Telecommunications Consumer Protections (TCP)
Code and obligations under the TIO Scheme. Optus concluded that:
This will lead to difficulties for providers having to follow
different processes for different types of complaints, and confusion for telecommunications
customers, who should be able to have a consistent experience with their
telecommunications provider regardless of the nature of their complaint.
The Communications Alliance added that the rules in the TCP Code are
more far-reaching than those proposed in the Exposure Draft including how
telecommunications providers must handle complaints and how they must interact
with the TIO.
Mr John Stanton, Communications Alliance, commented:
One concern is that, if the credit related complaints that
telcos receive need to be dealt with differently to all other complaints, then
there is an additional burden on the industry, of course, but there may in fact
be no consumer benefit to doing it that way or, potentially, consumer
detriment. That is an area of major concern for us.
The Communications Alliance concluded that the Exposure Draft 'seeks to
impose new obligations which conflict with standard practice in those
industries and will lead to consumer confusion and inconsistent approaches'.
The Communications Alliance recommended that:
- matters already dealt with under pre-existing schemes should be
removed from the legislation and instead be dealt with under the Credit Code,
which will allow flexibility for different sectors, in keeping with their
existing obligations; or
- exemptions should be included in the credit reporting legislation
for those classes of credit providers who already have pre-existing industry
The Communications Alliance argued that the implementation of these
recommendations would allow different industries to manage complaints within
their existing regulatory frameworks and in a manner that is more realistic and
reflective of how customers communicate with their providers.
In response to the Communications Alliance concerns, Mr Timothy Pilgrim,
One of the main aims that we would want to see out of the
entire process to reform the Privacy Act is to reduce complexity. We have been
talking about that in terms of the actual provisions, but that complexity also
extends to how an individual can seek to enforce their rights if they do have
an issue. What we want to see is that, to the greatest extent possible, there
is one place in which both the individual and organisations that need to comply
with the act will go to understand what their obligations are. Our starting
point would be that, under the provisions, the provisions themselves set out
the basic complaint handling requirements and then those can be extrapolated on
within the credit code that will be developed by industry. I can understand
that there are some issues that might come up in the telecommunications area;
however, I think there are more similarities than differences in the processes
we are talking about in resolving complaints. For everyone working within the
sector itself, it would probably be preferable to see those requirements all
located in the one place—the provisions and the code that sits under them.
The complaints handling process is an important element of the credit
reporting system. Consumers must be provided with a clear process for seeking a
correction to credit information held and for complaining when a correction is
not made. Submitters commented that the complaints handling process contained
in the Exposure Draft is complex, lacks flexibility and will result in an
increased burden on those entities which must comply with other complaints
handling obligations, particular in the telecommunications and utilities
The committee sought advice from the Department of the Prime Minister
and Cabinet (the department) in relation to concerns about the '2 step'
process. The department did not support an approach which combined the
correction and complaints process as it did not satisfactorily address all the
elements of the Government's existing policy on correction and complaints as
set out in the Exposure Draft. The department went on to state that the proposal
put forward appears to eliminate the '2 step' approach in the Exposure Draft
and to combine the correction provisions and the complaint provisions. As a
consequence, there is no longer a process for correction; rather an individual
will be required to lodge a complaint to seek a correction of their personal
The department stated that the Government:
...clearly intended that individuals should, consistent with
the current credit reporting provisions in the Privacy Act, have the opportunity
to seek a correction to their personal information without lodging a complaint.
In addition, the proposed definition of complaint is limited to complaints
about an organisation's products. Section 156 of the Exposure Draft provides a
guide to the complaints provisions and makes clear they apply to both failures
to provide access to, or to correct, personal information, as well as to
complaints about acts or practices that may be a credit reporting infringement.
The Department does not consider that a narrow definition of complaint which
focuses on the products of an organisation is useful in the context of the
credit reporting provisions.
The committee also supports the approach taken in the Exposure Draft as
it provides a correction mechanism and then, if a correction is not made, the
consumer may make a complaint. The advantage of this model is that it places
obligations on industry to take action before a consumer lodges a
complaint. The committee believes that this is an effective process and also
places the obligation appropriately on industry which will gain great advantage
from the new credit reporting regime.
A further benefit of the proposed complaints handling system is that it
addresses the issue raised by the NAB and ARCA concerning the large number of
'complaints' which are resolved within 48 hours of receipt and the notification
requirements for complaints. The committee considers that these would generally
not be complaints, rather they would be requests for correction. As such, there
is no requirement for written notice to be provided to the individual.
In relation to comments regarding timeframes, the committee notes that
the timeframe of 30 days for a credit reporting agency or credit provider to
correct information reflects the timeframe in APP 13 and the existing
Privacy Act and credit reporting code of conduct. Although many credit providers
will be subject to other regulatory requirements, this will not always be the
case. While the inclusion of a 30 day timeframe for both correction request
and complaint determination provides for consistent timeframes across the
Privacy Act, the committee has noted the concerns of consumer advocates about
delay in the finalisation of a complaint arising after a correction request. When
a correction request proceeds to a complaint, the timeframe for determination
may be up to 60 days (and longer if the individual agrees to an extension). The
committee considers that, if the complaints handling regime as provided for in
the Exposure Draft is maintained, then consideration should be given to a
shorter time period for a correction to be made.
5.37 The committee recommends that the time period for the correction of
credit information be amended to 15 days.
In relation to extensions of time to respond to a request to correct
records, the committee is mindful of consumer advocate concerns that
individuals may be pressured to agree to an extension. The committee notes that
any extension requires the consent of the individual. However, the committee
considers that any pressuring of consumers is not acceptable and that the
Credit Reporting Code of Conduct should address these matters, for example,
obtaining consent, industry practice etc.
5.39 The committee recommends that that issue of extensions of time to respond
to requests for correction of records be addressed in the Credit Reporting Code
The committee notes the comments concerning the lack of flexibility in
responding to consumers. There were two issues raised. First, that 'written'
notification is required. The committee notes that under the Acts
Interpretation Act and the Electronic Transactions Act the 'writing'
requirement would permit electronic communications.
The second issue raised related to the need for a written notice when a
'complaint' can be handled quickly. As noted above, these comments appear to
combine both the correction and complaint provisions. If an individual contacts
a credit provider or credit reporting agency requesting a correction, there is
no requirement for a written notification to the individual. The written
notification requirements, when the complaint process is instigated, reflects
the seriousness of the matter. In addition, the requirement for a complaint to
be in writing is consistent with the existing obligation set out in subsection
36(3) of the current Privacy Act.
The committee therefore does not consider that any amendment of these
provisions is required.
Notification requirements relating
to certain complaints
Section 159 requires notification of the complaint and the determination
about the complaint. Notification must also be provided to recipients of the
information. Exceptions are provided if it is impracticable for the credit
reporting agency or the credit provider to give the notification or if they are
required by or under Australian law, or an order of a court or tribunal, not to
ARCA commented that 'what seems to be a simple requirement under the
Exposure Draft provisions becomes complex because of the degree of prescription
of how an operational process must work rather than the outcome that it seeks
The ANZ Bank also commented that these requirements 'will be practically
difficult to comply with for both credit providers and credit reporting
agencies'. For example, a credit provider (recipient) who receives a complaint
regarding incorrect credit information is required to notify all credit
reporting agencies and other credit providers who hold the credit information
of both the complaint and the outcome. The ANZ Bank commented that the recipient
will not be able to identify all holders of the information. Rather, the
recipient will only be able to identify the credit reporting agency from whom
they obtained the information and the credit provider who initially disclosed
the information. The ANZ Bank also argued that the situation was similar for a
credit provider which discloses incorrect information: the credit provider will
not be able to identify every recipient, only those to which it disclosed the
information directly. However, as currently drafted, the credit provider may be
required to notify any indirect recipients.
The ANZ Bank went on to draw a comparison with the current Credit
Reporting Code of Conduct which requires the correction of credit information
to be provided to entities that received the incorrect information within the
previous three months and are nominated by the individual to receive the
correction notification. The ANZ Bank concluded:
This paragraph of the Code ensures the costs associated with
maintaining correct information are minimised whilst also ensuring the adverse
impact to affected individuals is minimised. Providing the correction to
entities who received the initial information more than three months ago and
who are not nominated by the individual, is unlikely to alter the credit
decisions made in relation to the individual and therefore unlikely to benefit
The ANZ Bank recommended that:
- subsection 159(3) be amended so that the receiving credit
provider is only required to notify the credit reporting agency from which it
received the information and the credit provider who initially disclosed the
- subsections 147(2), 150(2) and 159(5) be amended to clarify that
a credit provider is only required to inform direct recipients of the incorrect
credit information and that these entities are then required to disclose the
correction to any entities they provided the information to; and
- the Exposure Draft be amended so that entities only have to be
notified of a correction to credit information if they received the information
within the last three months (or other suitable period) or are nominated by the
individual to receive the correction.
The committee notes concerns about the burden placed on credit providers
in responding to a correction or complaint to also have to notify other parties
if the correction is made. The ALRC considered the notification principle in
relation to correction of credit reporting information. The ALRC commented that
it saw no reason why the general notification requirement contained in the
'Access and Correction' principle should not apply to credit reporting
information 'where it is generally practicable for a credit reporting agency to
send correcting information to credit providers to whom inaccurate information
previously has been sent'.
The Government Response makes it clear that, where it is decided that a correction
is necessary, the credit reporting agency or credit provider should be required
to take steps to advise others of the correction. The Government Response
The Government notes that where a credit reporting agency or
credit provider determines that corrections need to be made to the individual's
credit reporting information, they should take steps to advise the other party,
along with other relevant credit reporting agencies who may have listed the
information, of the corrections. This will be in accordance with the general 'access
and correction' principle.
The correction and complaints handling provisions reflect APP 13.
However, the notification requirement of APP 13 is limited to notifying
other entities to which the information has previously been disclosed only
where the individual requests notification of the other entity. In the credit
reporting system the notification requirement is broader and the committee
considers that this appropriately reflects the nature of the information used
in the credit reporting system and the use of the information in determining an
individual's credit worthiness.
The committee also notes that exceptions are provided for in the
complaints handling provisions (subsection 159(6)) and the corrections
notification provisions (subsection 122(4) and subsection 147(3)) so that
notification need not be given if it is 'impracticable to do so'. The committee
considers that this provides considerable flexibility to credit reporting
agencies and credit providers. The committee anticipates that guidance will be
provided in relation to the exemption either by the OAIC or in the Credit
Reporting Code of Conduct.
First point of contact
The ALRC recommended (Recommendation 59–5) that 'a credit reporting
agency should refer to a credit provider for resolution complaints about the
content of credit reporting information provided to the agency by that credit
provider'. The Government responded that the ALRC had 'reversed the obligation
for resolving disputes and placed the onus on the relevant credit provider who
is likely to have sufficient access to information in order to deal with the
dispute'. The Government commented that there should be clear requirements
about who should take responsibility to attempt to resolve the dispute. The
Government was concerned that the approach adopted by the ALRC would result in
an individual having to take several steps before ownership of the dispute
settles with the credit provider. The Government stated that:
..a more balanced approach is that the obligation for
attempting to resolve the dispute should lie with whichever party the
individual first makes a complaint (whether it be the credit provider to which
the listing relates or the credit reporting agency).
The Exposure Draft provides for the respondent to the complaint to
investigate the complaint and make a determination about it. 'Respondent' is
defined as the credit reporting agency or credit provider to which the
complaint is made (section 180).
The Government's approach was supported by EWON, however, it suggested that
section 156 should include the wording in the Government Response ('the
obligation for attempting to resolve the dispute should lie with whichever
party the individual first makes a complaint (whether it be the credit provider
to which the listing relates or the credit reporting agency)'). EWON commented
that this would ensure that it is clear who should accept, and attempt to
resolve, the complaint and avoid the consumer having to liaise between the
Other submitters, however, did not support this approach. It was argued
that the first point of contact may not be the most appropriate entity to deal
with the complaint.
Westpac, for example, commented that 'the provision that the first party
contracted must investigate the complaint could result in an adverse customer
outcome in instances where the complaint is unrelated to the first party'.
Submitters provided examples of where the first point of contact would
not be the most appropriate. The NAB, for example, stated:
...a consumer may complain to a credit provider who is not
responsible for the credit reporting information that is in dispute.
Operational complexities would make it difficult for the first point of contact
to effectively manage the complaint and this would adversely impact the consumer.
ARCA provided the following example:
If a consumer walks into the NAB to get a credit card and the
NAB does a credit check they may find—having received the report from the
bureau—that there is, for example, a default listed by Telstra, and the consumer
then complains to the NAB: 'I have never had a Telstra relationship. I work
with Optus. I think this is incorrect.' There is no way that the NAB can check
that and manage that complaint. It needs to go to the relevant party, which
would either be the credit reference agency that supplied the information or
Telstra, which had listed the default.
Both the NAB and ARCA suggested that industry should take responsibility
for an effective referral process for complaints. This would, it was argued, ensure
that the complaint is acknowledged, managed and resolved by the relevant
supplier of the disputed credit reporting information.
The ABA took the view that the Credit Reporting Code of Conduct could develop
an effective referral process to manage and resolve the complaint with the respondent
to be the responsible party.
ARCA also commented that the first party contacted must undertake to
notify 'everyone' who has received the incorrect information, collate the
necessary information to respond to the complaint, and then respond on behalf
of all relevant parties. ARCA submitted that 'what seems to be a simple
requirement under the Exposure Draft provisions becomes complex because of the
degree of prescription of how an operational process must work rather than the
outcome that it seeks to deliver'.
The committee notes that the Government Response to the ALRC's
recommendation makes it clear that responsibility for dispute resolution should
lie with whichever credit reporting agency or credit provider to whom the
individual first complains. The committee supports this approach as consumers
will only have to contact one entity to instigate the complaints process. The
committee further considers that there is a benefit to good consumer relations
for entities to ensure disputes raised by their customers are dealt with
External dispute resolution
If a complainant is not satisfied with the outcome of a complaint they
may seek access to an EDR scheme. Recognised EDR schemes, within the meaning of
the Privacy Act, are those to which credit providers and credit reporting
agencies are members and are one or more EDR schemes that is, or are,
recognised by the Information Commissioner (section 195).
The ALRC noted that many credit providers are members of EDR schemes,
including financial services providers which are required by the Corporations
Act 2001 to belong to EDR schemes approved by ASIC. The ALRC went on to
In the resolution of credit reporting complaints, it is appropriate
that EDR schemes provide the first line of dispute resolution beyond the credit
provider or credit reporting agency. Such schemes are funded by industry and
have expertise in the commercial environment in which their members operate.
The ALRC commented that, as the privacy regulator, it is appropriate for
the Privacy Commissioner to have oversight of EDR schemes that handle credit
reporting complaints. However, the ALRC did not envisage that the Privacy
Commissioner would implement an approval system for EDR schemes; rather, the
Privacy Commissioner would recognise EDR schemes already approved by ASIC under
the Corporations Act and those with another statutory basis such as the TIO.
The Government accepted this approach.
Membership of EDR schemes
Some submitters argued that a failure of the Exposure Draft is the lack
of an explicit requirement for credit providers or credit reporting agencies to
belong to an EDR scheme.
Veda Advantage, Consumer Action, CCLC and Legal Aid Queensland recommended that
credit reporting agencies be required to belong to an EDR scheme.
The CCLC commented that 'access to EDR is one of the key consumer protections
introduced by this legislation and it should not be left to implication'.
A further matter raised was the requirement for all credit providers and
credit agencies to be members of an EDR scheme. The ALRC considered whether
membership of an EDR scheme should be a pre-condition to any participation in
the credit reporting system, rather than only when credit providers list
overdue payments. The ALRC commented that:
Dispute resolution is needed most in relation to credit
reporting information that is adverse to, and may have serious consequences
for, the individuals concerned. Membership of an EDR scheme can be expensive.
The compliance burden may not justify imposing EDR obligations on credit
providers who may, for example, wish to provide goods or services on credit,
but do not list defaults.
The ALRC recommended that 'credit providers only may list overdue payment
or repayment performance history where the credit provider is a member of an
external dispute resolution scheme recognised by the Privacy Commissioner'
The Government accepted this recommendation with amendment and stated that
'there is significant justification to extend the requirement to be a member of
a recognised external dispute resolution (EDR) scheme to all credit reporting
agencies and credit providers that list any information about an individual in
credit reporting information'.
The Tasmanian Collection Service commented that it had 'serious
objections' to the requirement that participating credit providers need to be a
member of a recognised EDR scheme. The Service submitted that this requirement
is of limited use, costly, and overly bureaucratic and will 'effectively
provide a significant barrier to many thousands of smaller credit providers to
their continued participation in the credit reporting industry'. The Service
recommended that this requirement is removed.
The Australian Finance Conference (AFC) commented that the extension of
the requirement of membership of a recognised EDR scheme to all credit
providers and credit reporting agencies may affect commercial financiers
adversely. Currently, a commercial financier is able to access the consumer
component of a commercial customer's file. They do not list information on the file
and access is merely required to facilitate a credit assessment of the commercial
customer. The AFC argued that commercial financiers should not be required to
be a member of an EDR scheme to access the consumer component of a file. In
addition, the AFC commented that mandatory membership of EDR schemes for
providers of small business credit remains a matter of policy consideration under
the Council of Australian Governments (COAG) Phase 2 national credit reforms.
The AFC concluded:
The outcome of section 132 would appear to be at odds with
the Government's commitment to that consultative process and commitment to best
practice regulation (eg targeted regulation to address an evidence-based market
failure or consumer protection risk).
Recognition of EDR schemes
The Insurance Council of Australia stated that it strongly supported recognition
by the Information Commissioner of EDR schemes approved by ASIC, particularly
where those schemes are already adequately equipped to deal with complaints
relating to privacy in the context of credit reporting. The Insurance Council
commented that 'this will provide a clear process for potential complainants,
especially where a credit reporting complaint may be connected to other aspects
of a dispute such as debt recovery'. In addition, the Insurance Council stated
that it will ensure that the compliance obligations for lenders' mortgage
insurance providers, which are only credit providers by virtue of acquiring a
debt, are commensurate with the level the credit reporting activity being
EWON commented that electricity and gas retailers are required by their
licence conditions to be a member of an approved ombudsman scheme, and they are
bound by, and must comply with, any decision of the electricity or gas industry
ombudsman relating to a dispute or complaint involving the licence holder and a
small retail customer. EWON sought confirmation that it will be recognised by
the Information Commissioner as the Exposure Draft does not set out how EDR
schemes will be recognised.
Some submitters called for a more explicit requirement regarding
membership of an EDR scheme. The committee notes that section 132 provides that
a credit provider may not disclose credit information about an individual to a
credit reporting agency unless, amongst other matters, the credit provider is a
member of a recognised EDR scheme (paragraph 132(2)(a)). The same conditions
apply for the disclosure of credit eligibility information (paragraph
135(3)(e)). Section 108 prohibits credit reporting agencies from disclosing
credit reporting information unless, amongst other things, the disclosure is
permitted for the purpose of a recognised EDR scheme and both the credit
reporting agency and credit provider are members of the scheme (paragraph 108(3(c)).
The committee also sought advice from the department which noted that
the Government has decided that external dispute resolution should only be
compulsory for those credit providers that wish to access repayment history
information. The department noted that this implements the Government's response
to ALRC Recommendation 55–3 but does not preclude other credit providers and
credit reporting agencies from taking part in external dispute resolution
schemes, even if they do not wish to access repayment history information. The
The Veda proposal for compulsory participation of credit
providers in external dispute resolution appears to be intended to facilitate
the handling of all complaint resolution under external dispute resolution
schemes or mechanisms under other existing industry codes or statutory schemes.
The Department notes that this would create a situation where the handling of
complaints is dealt with under a wide variety of other mechanisms that may not
be consistent in either the timing that is applied, the rights given to
individuals, or the remedies that can be obtained. The Department notes that
the complaints handling provisions in the exposure draft establish common
timeframes and procedures.
The committee does not consider more explicit provisions regarding EDR
scheme membership are required.
The ALRC recommended (Recommendation 59–8) that, within 30 days, if
evidence to substantiate a disputed credit listing cannot be provided, or the
complaint is not referred to a recognised EDR scheme, then the credit reporting
agency must delete or correct the information. The Government accepted this
recommendation and stated that:
This recommendation will ensure that the onus of proving the
accuracy or appropriateness of a listing in an individual's credit reporting
information lies with credit providers and credit reporting agencies. It is
also likely to assist in encouraging the credit reporting industry to resolve
disputes as quickly and efficiently as possible.
While noting that this recommendation was accepted by the Government,
the OIAC, CCLC and the EWON commented that at present, the Exposure Draft omits
the substantiation requirement.
The OAIC commented that it supported the position in the Government Response
that credit reporting agencies and credit providers should bear the onus of
proving the accuracy of credit-related information they hold. It was noted that
this is consistent with those entities' obligation to take reasonable steps to
ensure that the information is accurate, up-to-date and complete. In addition,
such an obligation may assist with the quick and efficient resolution of
EWON also stated that 'this important provision should be included to
strengthen consumer protections and encourage efficient resolution of
CCLC commented that 'this recommendation is inextricably related to the
complaints process and the individual's right to request a correction to their
credit reporting information'.
Ms Karen Cox, CCLC, added:
We are not sure that has been well reflected in the
legislation and we think that is a hugely important thing. Again, a default or
some sort of adverse listing on a credit report has serious consequences for
people. The very least that credit providers should have to do is be able to
keep and produce adequate evidence if they are going to make a move to mar
someone's credit rating.
Consumer Action noted that the provisions of section 149, rather than
requiring the provision of substantiating evidence, 'merely requires that
credit providers consider whether or not they are satisfied that the information
is incorrect, without any effort to investigate or substantiate their
decision'. If the credit provider is satisfied the information is correct, they
need not provide any evidence to substantiate that position. In relation to the
second part of the recommendation, Consumer Action stated that this does not
seem to have been addressed at all. The Consumer Action concluded that the
provisions, if enacted will result in poor outcomes for consumers and stated:
Individuals often challenge inaccurate listings when they are
informed as part of an application for credit that their application was
rejected on the basis of information contained in a credit report. An
inaccurate listing can prevent, or delay, the individual obtaining credit, for
example, a housing loan to complete the purchase of a home. In those
circumstances it is critical that evidence substantiating the listing is
provided in a timely manner or the listing is corrected as there is often some
The OAIC recommended that to reflect the ALRC's recommendation:
- the Exposure Draft set out credit reporting agencies' and credit
providers' obligations, and individuals' rights, relevant to the onus to prove
the accuracy of information; and
- the new Credit Reporting Code deal with practical compliance
matters relevant to those requirements.
The CCLC also noted that the Government response had indicated that,
where a listing is in dispute has been referred to an EDR scheme, a note to
that effect was to be associated with the disputed listing. This has also not
been included in the Exposure Draft.
The Government accepted ALRC Recommendation 59–8 in relation to
substantiation of evidence of disputed credit reporting information.
The committee notes that this obligation is not expressly provided for in the
Exposure Draft. However, both credit reporting agencies (section 116) and
credit providers (section 143) are under a positive obligation to take
reasonable steps to ensure that credit information they collect, use or
disclose is accurate, up-to-date and complete. Subsection 116(3) provides for additional
obligations on credit reporting agencies to enter agreements with credit
providers to ensure the information they obtain from credit providers is accurate,
up-to-date and complete as well as to conduct regular audits and identify and
deal with any suspected breaches of the agreements. Credit providers are
required to take such steps, if any, as are reasonable.
The department noted that there are general rules to ensure the
integrity of credit reporting information. In addition, the department indicated
to the committee that to insert a substantiation requirement could make matters
more confusing, potentially leading to a situation where someone could argue
that they were not required to correct inaccurate information (under the
general quality requirement) until it was challenged by an individual. It would
also be difficult to reconcile with the obligations on credit reporting
agencies to have agreements in place to ensure accurate information enters the
system. Further, if a person disputes a listing, either through the correction
process or as a complaint, and the credit reporting agency has no evidence to
substantiate the listing, then the general quality obligation to ensure
accuracy of the information would require the information to be corrected.
The committee however, notes the concerns of the Office of the
Australian Information Commissioner that substantiation was part of the
privacy-enhancing regulation of the credit reporting system. The committee
agrees with the OAIC's view but is mindful of the difficulties that may be
faced in including such a requirement in the Exposure Draft.
5.83 The committee recommends that consideration be given to implementing the
recommendations of the Office of the Australian Information Commissioner in
relation to the substantiation issue.
Outcome of consultations
The committee was provided with the following outcomes from the industry
stakeholder and consumer advocates consultations:
- Definition of complaint:
- the statute should contain a single definition of 'complaint'
based on the ISO 10002:2004 and RG165:
- Expression of dissatisfaction made to an organisation, related
to its products, or the complaints-handling process itself, where a response or
resolution is explicitly or implicitly expected.
- this should eliminate the '2 step' approach in the Exposure Draft
Bill, and lead to a common approach to IDR and EDR that meets international
standards across credit reporting in Australia.
- EDR should be clearly made compulsory for all credit reporting
- Codes and timing:
- the basic principle should be that where a credit reporting
participant is already subject to a complaints-handling requirement in a
sectoral Code and EDR, or a statutory scheme, those requirements should apply
in credit reporting.
- the Privacy Commissioner should maintain a list of recognised
industry codes and standards for complaints handling purposes;
- for those with a sectoral Code or other complaints-handling
requirement, a breach of that requirement would be an interference with privacy
under the Privacy Act;
- for CRAs and others without a sectoral scheme, the statute should
provide for a 30 day requirement for the handling of a non-data correction
- a data correction complaint would have a 45 day time limit for
resolution; should the credit provider not provide substantiation, the disputed
information is resolved in the consumer's favour;
- Evidence requirements:
- detail to be included in Code of Conduct
- onus of proof lies with the party that listed the information – standard is reasonable proof
- reasonable proof explained in Code to include concrete examples
eg a copy of a default notice, proof that the debt owed was 60 days past due,
and evidence of notice to consumer listing (specific material evidence–including
record of date sent, and or that the system performed as intended to provide
notice in the specific instance)
- the development of the Code will draw upon other Code guidelines
on evidence, such as FOS guidelines, as well as seeking input from the Privacy
- reasons for decision to be provided to the consumer
- statutory obligation on parties to respond appropriately to a
- Credit providers in liquidation:
- include in the Code a provision requiring EDR schemes to deal
with consumer complaints even when a Credit Provider is in liquidation and no
longer a member of an EDR scheme, if necessary charging the costs to the CRA(s)
who are also party to the dispute;
- Notification of other parties:
- Code to provide that when a CRA makes a correction to a consumer's
- give notice of the correction to other CRAs; and
- advise the consumer that they may ask the CRA to inform any
credit provider who has accessed their file since the erroneous inclusion of
- if the consumer requests, advise those credit providers;
- EDR Scheme co-ordination:
- achieving some consistency in credit reporting dispute outcomes
across EDR schemes is important. To that end, ARCA should hold a regular forum
of EDR schemes and consumer advocates to report trends, and agree on guidelines
for resolving complaints.
Response from the Department of the
Prime Minister and Cabinet
The department responded to the outcome of the consultation and noted
that the Veda submission proposes a complete reformulation of the complaint
handling provisions in the Exposure Draft which also appears to encompass the
correction provisions. Concerns with the '2 step' approach to complaints
handling is discussed at paragraph 5.53–5.55 and matters relating to the EDR
are discussed at paragraph 5.72.
In relation to matters to be dealt with in the Code of Conduct, the department
indicated that Veda could propose matters it wished to be included in the Code
of Conduct during the process for the development of the code.
The proposal provided by Veda following consultations with consumer
advocates provides for an alternative approach to complaints handling. A number
of these issues have been addressed by the committee in the discussion above.
In addition, the committee notes the proposal concerning codes and
timing. The committee does not agree that where a credit reporting participant
is already subject to a sectoral code dealing with complaint handling, that
code should continue to apply instead of the requirements of the credit
reporting regime. The committee does not consider that this would be a
beneficial outcome for consumers as this would result in a range of complaint
handling models, depending on what other regulatory regime applies to credit
providers. The committee considers that this would add complexity to complaints
handling. However, there may be some issues which could be addressed in the Credit
Reporting Code of Conduct thus providing clear guidance in relation to application
of complaint handling under different sectoral codes.
It was also proposed to make EDR compulsory for all credit reporting
participants. The committee notes the comments of the Department of the Prime
Minister and Cabinet in this regard and does not support this approach.
The committee has addressed the issue of substantiation of evidence in
the discussion above.
The proposal for notification of other parties following a correction by
a credit reporting agency includes that the credit reporting agency will advise
the consumer that they may ask the agency to inform any credit provider who has
accessed their file since the erroneous inclusion of the correction; and if requested
by the consumer, advise those credit providers of the correction. The committee
does not support this approach. Subsection 120(2) does not provide for a
requirement that the individual must request that credit providers be informed
of the correction. The committee considers that this is a lessening of the
obligations on credit reporting agencies. Given the significance of credit
reporting information to an individual, the committee believes that the
notification provisions contained in the Exposure Draft are appropriate. The
committee further notes that the provisions of subsection 120(3) provide for an
exception if it is impracticable for the credit reporting agency to give the
notice. The committee considers that this provides a credit reporting agency
with sufficient flexibility in this matter.
The final point of the proposal relates to EDR scheme coordination. The
committee notes that the OAIC can approve EDR schemes. The committee considers
that this is the appropriate mechanism for approval of EDR schemes. It also
allows credit providers to use the EDR scheme that they already belong to for
other purposes, for example, responsible lending purposes. The committee considers
that this is a simple approach and detailed obligations in relation to EDR
schemes for the credit reporting scheme will not be required.
Navigation: Previous Page | Contents | Next Page