Chapter 7

Chapter 7

Credit provider provisions


7.1        Division 3 sets out the rules for credit providers. The rules mainly apply to the handling of credit information or credit eligibility information as well as rules in relation to specific types of personal information. The rules apply to credit providers that are subject to the Australian Privacy Principles (APPs) in addition to, or instead of the APPs. The following discussion focuses on the major matters raised in relation to Division 3. Other issues raised in relation to specific provisions are listed in appendix 3.

Subdivision B – Dealing with credit information

7.2        Subdivision B provides for the collection of personal information and the disclosure of credit information to credit reporting agencies. Disclosure to a credit reporting agency is prohibited unless certain obligations are met including that the credit provider is a member of a recognised external dispute resolution (EDR) scheme and that the information relates to someone aged at least 18 years. This subdivision, at section 134, also provides for a limitation on the disclosure of credit information during a ban period. This matter was raised during the committee's hearings and discussed during the consultations between Veda Advantage and stakeholders. The issues in relation to ban periods are canvassed in chapter 4 of this report.

Section 131 – Additional notification requirements for the collection of personal information

7.3        Section 131 provides that a credit provider, at or before the time of collecting personal information about an individual, which is likely to be disclosed to a credit reporting agency, must notify the individual of the details of the credit reporting agency as well as notifying the individual of any matters specified in the Credit Reporting Code or ensure the individual is aware of those matters. These requirements are in addition to APP 5 for APP entities.

7.4        The Australian Finance Conference (AFC) commented that the notification requirement was a 'challenge' for credit providers, while Westpac added that it would result in high compliance costs for credit providers.[1] Westpac stated that at the time of collection, credit providers may not know which credit reporting agency or agencies will be used. Credit providers would have to include all credit reporting agencies which, Westpac argued, would involve significant costs 'when compared to the limited benefit to the individual (insofar as CRAs are permitted to share this information)'. Westpac recommended that the requirement be removed.[2]

7.5        The National Australia Bank (NAB) noted that ALRC's recommendation on notification included a 'reasonableness' test in relation to the provision of notification by a credit provider to an individual. However, this has not been included in section 131. The NAB commented that a reasonableness test is required for phone applications to ensure that full notification disclosure can be provided as reasonably practicable after the verbal application is received.[3] The AFC also raised this point and stated that a reasonableness test would minimise compliance risk. The AFC submitted that a better approach may be to continue the current practice of requiring a customer to be informed at, or before, the time of collection in a general way about information exchanges between the credit provider and credit reporting agencies. The requirement for the provision of more specific details could then be at a later, more relevant point, for example, when a query is raised about accuracy of data following an access request.[4]

7.6        The Australian Privacy Foundation (APF) commented that the section leaves the detail of content of the required notice to the proposed Credit Reporting Code. The APF submitted that the detailed content requirements, as well as more specific requirements as to the timing of notice, should be included in the Act.[5]

Committee comment

7.7        The committee notes that the ALRC commented that it is important that there is a requirement that credit providers inform individuals about information handling by credit reporting agencies. Recommendation 56–10 included that 'a credit provider must take such steps as are reasonable, if any, to ensure the individual is aware of' certain matters.[6] The Government in accepting this recommendation stated that:

The Government agrees that more specific 'notification' requirements should be placed on credit providers to provide notice to individuals about not only the credit providers own information handling practices but also about specific practices of a credit reporting agency. The Government considers it is appropriate that this notification should occur at or before the time of the collection of the personal information to be disclosed to the credit reporting agency (ie at the time of applying for credit) rather than at any other time.

These 'notification' requirements will ensure that individuals are fully aware of how their information will be utilised in the credit reporting system. Notice of credit reporting agencies' practices is important given that individuals will most often not receive this information directly from credit reporting agencies.[7]

7.8        The committee notes comments about the lack of a 'reasonable test'. Informing individuals about information handling practices is an important aspect of the credit reporting regime. The committee considers that the notification provisions of section 131 reflect this importance and it is appropriate that credit providers have a clear obligation to inform individuals. Thus a provision in relation to 'reasonableness' is not warranted. In addition, credit providers have a direct relationship with individuals accessing credit and therefore should ensure that their customers are fully informed of all aspects of obtaining credit and doing business with the credit provider.

Section 132 – Disclosure of credit information to a credit reporting agency

7.9        Section 132 prohibits the disclosure by a credit provider of credit information about an individual to a credit reporting agency except where certain obligations are met:

7.10      A number of substantial matters were raised in relation to the EDR scheme requirements. These matters are canvassed in the discussion on complaints handling in chapter 5 of the report. Comments regarding the requirement that the credit information does not relate to an act, omission, matter or thing that occurred or existed before the person turned 18 were also raised in relation to section 106. These matters are discussed in chapter 6.

7.11      The Office of the Australian Information Commissioner (OAIC) raised concern about the 'gap' in regulation of credit providers' disclosure of 'credit information' collected from sources other than a credit reporting agency, for example, collected from an individual in a credit application. The OAIC commented:

'Credit information' is a central concept in the revised credit reporting system. It includes information about an individual's current and applied for credit accounts, their personal solvency, and certain court judgments against them. The circumstances in which 'credit information' may be disclosed is very significant to an individual. Serious consequences may arise if it is disclosed to some third parties, such as insurers, employers or real estate agents. Accordingly, it is important that a credit provider's disclosure of all 'credit information' be subject to the same limitations, regardless of source.[8]

7.12      The OAIC recommended that credit providers' disclosure obligations apply, at a minimum, to all 'credit information' in addition to 'credit eligibility information' (which only includes 'credit information' collected from a credit reporting agency). The OAIC argued that this may also better reflect the protection proposed in the Government Response.[9]

Requirement for credit provider to be a licensee

7.13      A credit provider must be a licensee under the National Credit and Consumer Protection Act 2009 (NCCP Act) for credit information to be disclosed to a credit reporting agency. Dun & Bradstreet submitted that this has the effect of excluding a large number of organisations, such as telecommunication companies and energy utilities, from fully participating in the credit reporting system. Dun & Bradstreet argued that non-bank data is extremely valuable in the credit assessment process so that the unavailability of this data limits the capacity of the credit reporting system to meet the Government's aim of improving lending decisions. Dun & Bradstreet also pointed out that non-bank data has been included in the credit reporting regimes of overseas jurisdictions as it:

7.14      While there are arguments that the inclusion of non-bank repayment data will prevent some people from accessing mainstream banking products, Dun & Bradstreet commented that there are greater benefits from better identification of consumers experiencing financial difficulties and allowing other consumers to access mainstream credit. In addition, Dun & Bradstreet pointed to research which showed that entities that are able to report repayment information acquire a distinct advantage when consumers prioritise their bills. Consumers will pay the bills of those credit providers who report default and repayment history to a credit reporting agency first. Those organisations that are prohibited from reporting this data will be at a significant disadvantage when seeking payment for services.

7.15      Dun & Bradstreet concluded that reporting of repayment information by all credit providers should be permitted. It stated that, while permitting non-bank credit providers to report repayment information to credit reporting agencies presents challenges for the Government:

...research clearly demonstrates that non-bank data is highly predictive of financial services credit performance and provides important insight in the credit assessment process. As with bank data, the reporting of repayment non-bank data provides even deeper insight. Accordingly, permitting the reporting of this data can ensure the spirit, and not just the letter, of responsible lending obligations are met while also improving access to mainstream credit for currently under-served consumers. The reporting of this data would also ensure non-bank credit providers are not disadvantaged in the payment cycle.[11]

7.16      ARCA also supported making full comprehensive credit reporting available to all credit providers, not just licensees as this would provide a fuller picture of an individual's financial obligations.[12]

Disclosure of default information

7.17      Paragraph 132(2)(e) permits the disclosure of default information if the credit provider has given the individual a written notice of the intended disclosure and a reasonable period has passed since the giving of the notice. Both the Telecommunications Industry Ombudsman (TIO) and the APF commented on the lack of a specific timeframe in the section.

7.18      The TIO noted that many of the complaints received from consumers related to not receiving information about a default or that their credit information was to be provided to a credit reporting agency. The TIO submitted that it would perhaps be preferable for a credit provider to give a defined period of notice to the individual as this would allow any potential grievances to be identified and resolved early. In addition, the TIO supported a specific timeframe after which a credit provider can disclose information to a credit reporting agency. The TIO went on to state:

The provision that credit providers must wait 'a reasonable period' after having notified the individual could cause confusion for providers, individuals and EDR schemes tasked with assessing complaints. Also, given that credit defaults are noted against a person's credit file for a fixed period, it would seem fair that the listing be placed within a short period of time so as not to disadvantage that person for a longer period of time.[13]

7.19      Similarly, the APF stated that a 'reasonable period' is too subjective and leaves the judgement to the credit provider. The APF suggested that a minimum time period, such as 14 days, be specified. In addition, the APF commented that there should be a fairness provision that requires credit providers to consider any special hardship circumstances, such as hospitalisation, natural disaster, bank error, etc. that they are aware of, before listing defaults or adverse repayment history.[14]

7.20      In relation to notification, the APF commented that 'there appears to be a major gap in the scheme in terms of notification of individuals close to the time that a CP lists default or SCI information with a CRA – the legislation appears to allow a CP to rely on the initial notice given at the time the loan was taken out, to warn borrowers of the risk of listing'. The APF stated that the Act should require that consumers are notified at the time their personal information is collected (at the time they apply for credit) as well as within a reasonably short time period before any listing is made, irrespective of what notice has been provided earlier.[15]

7.21      Experian stated a different view. It noted that by the time the written notice is provided to the individual, the payment will already be at least 60 days overdue and payment would already have been sought by the credit provider. Experian submitted that credit providers should be able to provide the default information to a credit reporting agency promptly after having notified the individual of its intention to do so. In addition, a specific timeframe for provision of the information should be prescribed under the Credit Reporting Code of Conduct. Experian argued that a prescribed timeframe will achieve greater certainty both for credit reporting agencies for receiving default information, and for consumers in understanding when default information will be passed to a credit reporting agency for the purpose of the individual making any access and correction application. Experian also saw a timeframe prescribed by the Code as being consistent with the overarching data quality obligations imposed on credit reporting agencies and, in particular, ensuring that the credit reporting information used and disclosed by the credit reporting agency is accurate, up-to-date, complete and relevant.[16]

Committee comment

7.22      The OAIC's submission highlighted concerns with credit providers' disclosure obligations in relation to 'credit information' collected from sources other than a credit reporting agency. The committee has noted these concerns and considers that section 132 should be reviewed to ensure that there is no 'gap' in the regulation of credit providers' disclosure of credit information to a credit reporting agency.

Recommendation 19

7.23      The committee recommends that section 132 be reviewed to ensure that the disclosure obligations on credit providers in relation to 'credit information' protect all credit information collected by credit providers.

7.24      The committee has noted the arguments for allowing credit providers which are not licensees under the NCCP Act to fully participate in the credit reporting system. The committee was provided with information by Dun & Bradstreet pointing to the benefits of non-bank data being disclosed to a credit reporting agency. However, the committee notes that the Government's position is clear in this regard. Moreover, the committee understands that it was never envisaged that a fully 'positive' reporting system would be implemented, rather a more comprehensive regime.

7.25      In relation to the timeframes for notification to an individual of the disclosure of default information, the committee supports the need for greater certainty. Individuals also need to be aware of the timeframe in which the default information will be provided to a credit reporting agency.

Recommendation 20

7.26      The committee recommends that greater clarity be provided as to the timeframes for disclosure of default information pursuant to paragraph 132(2)(e) either in the Credit Reporting Code or in guidance from the Office of the Australian Information Commissioner.

Subdivision C – Dealing with credit eligibility information etc

7.27      Subdivision C provides for the permitted uses and disclosures of credit eligibility information. The subdivision also provides, in part:

Section 135 – Use or disclosure of credit eligibility information

7.28      Section 135 prohibits the disclosure and use of credit eligibility information except in the circumstances provided. Westpac noted that section 135 does not contain an equivalent to section 18N(1)(gb) of Part IIIA of the current Privacy Act which permits disclosure of the credit report or information to 'another person who is authorised by the individual to operate the account'. Westpac recommended that such a permitted disclosure be included.[17]

7.29      The AFC and ANZ Bank noted that subsection 135(4) prohibits disclosure if the credit eligibility information is, or was derived from, repayment history information. The AFC stated that as there is a broad interpretation of repayment history, the provision may result in limiting the information that can be exchanged between credit providers under current credit reference exchanges. The AFC suggested that this would be avoided if the repayment history information in subsection 135(4) is limited to CRA derived information.[18]

7.30      The ANZ Bank also stated that there are inconsistencies in permitted disclosures provisions. It noted that the disclosure of credit eligibility information, which includes repayment history information, to mortgage insurers is permitted for 'any purpose arising under a contract for mortgage insurance that has been entered into between the provider and the insurer'. However, subsection 135(4) prohibits the disclosure of repayment history information. The ANZ Bank went on to state that the removal of repayment history information from credit eligibility information would be 'problematic due to repayment history information being embedded in credit reporting information and credit eligibility information'. In addition, access to repayment history information is required by mortgage insurers, debt collectors and assignees so that they can manage their portfolios and have accurate conversations with the consumer about the debt due. The ANZ Bank recommended that section 135 be amended so that repayment history information can be disclosed to entities such as mortgage insurers, debt collectors and assignees as a permitted credit provider disclosure.[19]

7.31      The APF commented on paragraph 135(3)(b) which permits disclosure to a related body corporate of the credit provider. The APF commented that ownership should not override the purpose limitations. Rather, uses and disclosures by, and to, 'related bodies corporate' should be subject to the same rules as for other third parties. While section 153 (use or disclosure by a related body) places some limits on related bodies corporate, the APF submitted that it does not adequately address this concern. The APF concluded that 'this is a more general criticism of the Privacy Act but has particular significance in the context of credit reporting'.[20]

Committee comment

7.32      The committee does not consider that section 135 requires amendment to allow for the disclosure of credit eligibility information derived from repayment history information. The Government was clear in its intention to limit access to repayment history. As to problems with embedded data, the committee considers this to be a data management issue and not one which should impact on the credit reporting system. Similarly, the committee does not consider that management of their portfolios by mortgage insurers or debt collectors is a matter for the credit reporting system.

Section 136 – Permitted CP uses in relation to individuals

7.33      Section 136 provides the permitted credit provider uses in relation to individuals. Two of the permitted uses are for 'the internal management purposes of the provider that are directly related to the provision or management of consumer credit by the provider' and 'the purpose of assisting the individual to avoid defaulting on his or her obligations'.

7.34      Consumer Action Law Centre (Consumer Action) commented that while 'internal management purposes of the provider that are directly related to the provision or management of any credit by the provider' reflects the current legislation, it is unclear what the 'internal management' purposes are. The current Privacy Code provides the example of the building of scorecards. However, Consumer Action noted that more information will be provided to credit providers which 'would be of significant value to them in relation to marketing to current customers' and the lack of clarity in defining 'internal management purposes' could enable credit providers to use credit information to market credit to individuals.

7.35      Consumer Action recommended that 'internal management purposes' be more closely defined in the Credit Reporting Code. At the very least, Consumer Action stated that the Act should state that as well as excluding debt collection, the term 'internal management purposes' excluding adding information to customer relationship databases and offering or suggesting to the customer an increase in credit limit or other credit products.[21]

7.36      Consumer Action commented that the provisions relating to assisting individuals to avoid defaults should be more tightly defined as it appeared that the provision allowed the credit provider on-going access to a consumer's credit report and it could allow inappropriate marketing of additional credit. While Consumer Action acknowledged the benefits of this provision, for example, allowing the credit provider to reduce a credit limit, it could also be used in ways to exacerbate hardship such as offering a credit limit increase, a different type of credit card or debt consolidation. Consumer Action recommended that item 5 be amended to specify that offers of further credit or additional credit products, including debt consolidation, as it is not considered to be 'assisting the individual to avoid defaulting'.[22]

Committee comment

7.37      The committee considers that the Credit Reporting Code of Conduct should provide guidance in relation to the meaning of 'the internal management purposes of the provider that are directly related to the provision or management of consumer credit by the provider' and 'the purpose of assisting the individual to avoid defaulting on his or her obligations'.

Section 137 – Permitted CP disclosures between credit providers

7.38      Section 137 provides for permitted disclosures of credit eligibility information between credit providers including:

7.39      Westpac commented that the reference to 'credit eligibility information' in section 137 does not reflect business practices. Westpac stated that lenders currently operate a 'Banker's Opinion'/reference service, based on consent obtained from applicants, completely outside of the credit reporting environment. This service discloses information sourced directly from internal systems and does not rely on interaction with a credit reporting agencies. Westpac stated that, 'as such, it is important to clarify that this service would not be limited to "credit eligibility information" which brings in a requirement to source information from a CRA'. If this was the case, Westpac considered that it would introduce additional cost and complexity to what is a relatively straight-forward and transparent process in the current operating environment.[23]

7.40      The APF commented that the use of 'a' particular purpose in paragraph 137(1)(a) is 'too loose/permissive, as it could be read, in conjunction with (b), as "any" particular purpose to which the individual has consented'. The APF further stated that given the common practice of requiring consent as a condition of financial transactions, this provision 'opens the door for disclosures to other credit providers which are wholly unrelated to either the particular transaction the individual has entered or the limited exchange of credit reporting information allowed under this regime'.

7.41      The APF also commented that paragraph 137(2)(a)(i) appears to mean that no consent is required for credit assessments. The APF viewed this as having very significant implications and noted that under the current Act (Part IIIA), consent is required. The APF commented:

We have been critical of this as consent is effectively mandatory as a condition of a loan application – it is not freely given and cannot be revoked. In such circumstances we have argued for 'notice and acknowledgement' in place of consent, as a more accurate reflection of what is actually happening. If the effect of s137(2)(a)(i) is to remove the requirement for written consent then we submit that it needs to substitute an express requirement for notice and acknowledgement.[24]

Committee comment

7.42      In relation to the matters raised by Westpac, the committee notes that consent is obtained for the Banker's Opinion/reference service. Further, if this disclosure is outside the credit reporting system, it would appear that the APPs would apply. The committee considers that this matter, and the matter raised by the APF in the wording of paragraph 137(1)(a), should be further addressed in either the Explanatory Memorandum or the Credit Reporting Code of Conduct.

7.43      The committee also considers that the section should be reviewed to ensure that the consent provisions are clear and that there has been no lessening of the consent requirements for credit assessments as submitted by the APF.

Section 142 –Notification of a refusal of an application for consumer credit

7.44      Pursuant to section 142, a consumer must be given written notification, within a reasonable period, that an application for consumer credit has been refused. The ABA questioned the provision of notification in relation to applications where there is more than one individual. The ABA suggested that this matter needs to be clarified and noted that subsection 18M(2) of the current Privacy Act makes a clear distinction between the positions of an individual applicant and joint applicants, and to whom, in the case of joint applicants, such a notice is given. Alternatively, the use of 'individual' throughout could include the other applicants. The ABA also commented that clarity is required regarding whether the notice is given only to the individual (or individuals) whose information resulted in the application being declined or to the other applicants whose information would not have resulted in the application being declined. The ABA commented that there would seem to be a privacy protection issue if this is not made clear.[25]

7.45      The TIO also considered that a notification under section 142 should, where applicable, include details of relevant credit default listing(s), including the name and contact details for the credit provider that requested the listing(s). The TIO commented that this may be relevant where the individual subsequently seeks to dispute the information upon which their application has been refused, particularly as section 121 currently specifies that it may take a credit reporting agency up to 30 days to correct an inaccurate listing.[26]

Committee comment

7.46      In relation to joint applications, the committee considers that this is a matter for the Credit Reporting Code of Conduct or guidance from the OAIC.

Subdivision E–Access to, and correction of, information

7.47      Subdivision E provides for access to, and correction of, eligibility information. The access provisions provide for exceptions to access, dealing with requests, access charges and notification when access is refused. The correction of credit information and credit eligibility information go to notices of correction to recipients of the information, requests for corrections and notices of corrections to individuals.

Section 146 – Access to credit eligibility information

7.48      Submitters noted that section 146 requires credit providers to provide credit eligibility information to access seekers on request. The ANZ Bank, ARCA and the NAB argued that given the definition of credit eligibility information, credit providers may be required to disclose commercially sensitive credit assessment methodologies such as internal assessment scorecards and other evaluative information that may be derived from credit reporting information as there appear to be very limited circumstances in which access can be refused.[27]

7.49      The ANZ Bank went on to note that the current credit reporting regime does not require access to personal information where that access would reveal evaluative information that was disclosed by a credit reporting agency. Further, the ANZ Bank pointed to both the draft APPs and the NCCP Act and ASIC Regulatory Guide 209 (RG 290) which provide for a limit to the disclosure of commercially sensitive information. APP 12 provides that in the case of commercially sensitive information, the entity may give an explanation for the commercially sensitive decision rather than direct access to the information. RG 209 requires a credit provider to ensure that the assessment given to a consumer is 'concise and easy to understand' and includes reference to the relevant factual information. However, ASIC has stated that is does not expect the credit provider to disclose commercially sensitive information on which the provider has based its decision.[28]

7.50      The ANZ Bank and ARCA concluded that credit providers should not be required to disclose commercially sensitive information as this may allow individuals to 'artificially structure applications for credit to enhance their chances of fraudulently obtaining credit' and could severely compromise the intellectual property of the organisation.[29]

Committee comment

7.51      The ALRC considered arguments about access to credit scores or other rankings used by a credit provider, if an individual's application for credit has been refused wholly or partly on credit reporting information. The ALRC noted some practical difficulties, including the range of methodologies used by credit providers, in detailed obligations to provide prescribed information to individuals about the use of credit scoring. The ALRC concluded that in light of these difficulties, it would not be appropriate to mandate the provision of prescribed information about credit scoring. Rather, the provision of information, including about credit scoring, on refusal of credit is an appropriate subject for guidance from the OAIC.[30]

7.52      The committee agrees that these matters should be the subject of guidance from the OAIC.

Section 149 – Individual may request the correction of credit information etc

7.53      An individual may request a credit provider to correct credit information, CRA derived information or CP derived information. The credit provider must take such steps (if any) as are reasonable in the circumstances to correct the information within 30 days from the day on which the request has been made or within a longer period if the individual has agreed in writing. The committee has commented on the timeframe for correction of information as well as evidence to substantiate a disputed listing in chapter 5.

Section 150 – Notice of correction etc must be given

7.54      Pursuant to section 150, credit providers must, within a reasonable period, give the individual, any interested parties or recipients a written notice of the correction. If the credit provider does not correct the information within a reasonable period, the individual must be provided with a written notice as to why the correction has not been made and sets out the complaints provisions. An exception is provided when it is impracticable for the credit provider to give notice to recipients or if the credit provider is required by or under an Australian law, or an order of a court or tribunal, not to give notice.

7.55      Legal Aid Queensland (LAQ) commented that a time limit should apply to disputes referred to external dispute resolution schemes. The LAQ commented that in some instances consumers have to wait many months to have matters addressed through the external dispute resolution scheme and as a result incorrect listings are not removed for considerable periods of time. In such cases, this results in significant harm to the consumer.[31]

7.56      The LAQ went on to suggest that the legislation could incorporate a mechanism for consumers to receive compensation for loss as a result of delays in correcting information on their credit file. The LAQ stated that 'this would ensure that credit providers are more careful before they list, the credit reporting agency is more careful in identifying the right party when recording default listing and the external dispute resolution scheme prioritises those cases where time is of the essence'.[32]

Committee comment

7.57      The committee has made comments in relation to the notification requirements when a correction is made in chapter 5 of this report.

Navigation: Previous Page | Contents | Next Page