CHAPTER 3

Credit reporting definitions

3.1 Schedule 2 of the Bill reforms the regulation of credit reporting in an attempt to more accurately reflect the information flows within the credit reporting system and the general obligations set out in the Australian Privacy Principles.[1] A brief overview of the credit reporting system is provided in this chapter to provide context,[2] followed by a discussion of some of the proposed credit reporting definitions in Schedule 2 of the Bill and the related definition of 'Australian link' in Schedule 4 of the Bill.

Overview of the credit reporting system

3.2 New Part IIIA of the Privacy Act 1988 (Privacy Act) sets out provisions in relation to the privacy of information related to credit reporting (credit reporting provisions).[3] The credit reporting provisions will apply to three main categories of participants in the credit reporting system: 'credit reporting bodies'; 'credit providers'; and 'affected information recipients'.[4] These terms are defined in the Bill and have specific meanings.[5]

3.3 The credit reporting system deals with categories of credit-related personal information. The Explanatory Memorandum (EM) states that it is necessary to use a number of specific terms to accurately describe the information flows within the credit reporting system:

Because credit reporting bodies and credit providers may use personal information in the credit reporting system to derive and add new personal information to the system, it is important to accurately describe this process through the use of specific and defined terms. The key terms are: credit information; credit reporting information; credit eligibility information; and regulated information.[6]

3.4 The definition of 'credit information' is discussed later in this chapter;[7] and 'credit reporting information' is defined as 'credit information' that has been disclosed to the 'credit reporting body' by the 'credit provider', as well as 'CRB derived information'.[8] 'Credit eligibility information' will mean 'credit reporting information' that was disclosed to the 'credit provider' by a 'credit reporting body' and 'CP derived information'.[9] 'Regulated information' will be 'credit eligibility information' or 'credit reporting information' that has been disclosed to 'affected information recipients'.[10]

3.5 The EM explains that there are two main features of the credit reporting system: first, the input side, where 'credit providers' put information into the system by disclosing the categories of personal information to 'credit reporting bodies'; and second, the output side, where 'credit reporting bodies' disclose certain personal information to 'credit providers', consistent with the permitted disclosures:[11]

Generally, information only comes out of the system following requests from credit providers to credit reporting bodies for disclosure for specified purposes (or where disclosures are permitted to certain recipients for certain purposes by operation of the provisions, such as to an affected information recipient, or where disclosure is permitted by operation of an exception, such as where a disclosure is required or authorised by or under an Australian law or court or tribunal order).[12]

3.6 The use and disclosure of the relevant types of personal information are regulated by the credit reporting provisions, which provide different requirements for the participants based on whether they are taking part in the input side or the output side of the credit reporting system:

This means, for example, that there can't be a single disclosure rule for credit providers, both because they have different roles in the system and because the personal information changes as it goes through the system. For this reason, there are provisions relating to the disclosure by credit providers to credit reporting bodies of credit information into the credit reporting system (and a related rule for credit reporting bodies dealing with collection of credit information). However, there are separate provisions relating to the disclosure by credit reporting bodies to credit providers, since the personal information disclosed will be credit reporting information...There is not one single category of personal information that can be regulated by a single rule that will apply in every case.[13]

Definitions

3.7 Schedule 2 of the Bill sets out amendments relating to general definitions in subsection 6(1) of the Privacy Act [14] and key definitions relating to credit reporting.[15] Many submitters commented on these proposed amendments, with commentary ranging from general to very specific issues.

General matters of interpretation

3.8 For some submitters, the number of definitions and their location within the Privacy Act was a concern. For example, the Australasian Retail Credit Association (ARCA) submitted that the Bill identifies 17 different classes of personal information, which leads to unnecessary complication and duplication.[16] The Australian Privacy Foundation similarly commented that the number of new, revised or defined credit reporting definitions:

...hardly constitutes the 'simplification' desired by all parties and promised in the EM, and we submit that the scheme is now effectively too complex to be readily explicable, posing a serious risk of non-compliance and/or inability of consumers to effectively exercise their rights.[17]

3.9 The Law Council of Australia agreed that 'the use of multiple different named categories of credit-related information...may over-complicate the drafting'.[18] Its submission expressed further concern about:

...certain structural elements of the Bill...One such concern is the structure whereby key concepts are defined in several places within the Bill, but distant from the Part IIIA context in which they are used. [19]

3.10 ARCA suggested as a solution the inclusion of a single definitions directory within the Bill.[20] However, the Office of the Australian Information Commissioner (OAIC) had an alternative recommendation for improving the interpretation of Schedule 2 of the Bill. Rather than restructure the proposed credit reporting definitions, the OAIC suggested including the credit reporting provisions as a schedule in the Privacy Act:

The Explanatory Memorandum clarifies that the insertion of the APPs in a Schedule to the Privacy Act is intended to facilitate ease of reference to the APPs. The OAIC suggests that this consideration is equally relevant to the credit reporting provisions. Placing the credit reporting provisions in a Schedule to the Privacy Act will also ensure that provisions relevant only to specific industry sectors do not add complexity and length to the body of the Privacy Act.[21]

3.11 In May 2012, the Australian Government responded to the Senate Finance and Public Administration Legislation Committee's (F&PA committee) inquiry into the Exposure Draft of the Bill (F&PA inquiry). Consistent with the OAIC's suggestion to the current inquiry and the F&PA inquiry, the F&PA committee recommended that consideration should be given to locating the credit reporting provisions in a schedule to the Privacy Act.[22] The Australian Government, however, did not accept that recommendation:

The Government considered the location of the credit reporting provisions and determined they are best located in the same place as the existing provisions.[23]

Departmental response

3.12 The Attorney-General's Department (Department) informed the committee that it has implemented ALRC Recommendation 5-2, which supported redrafting the Privacy Act to achieve greater logical consistency, simplicity and clarity.[24] The Department advised further that it considers that the drafting style adopted in the Bill reflects current best drafting practice and effectively balances competing interests.[25]

3.13 Specifically in relation to the credit reporting provisions, the Department provided the following comprehensive explanation for the way in which the provisions are presented in the Bill:

Consistent with modern drafting practices and the approach adopted throughout the Bill, each division in Part IIIA that deals with substantive rights and obligations commences with a guide to assist the reader [to] understand the content of the Division. In addition, clause 19 sets out a guide to Part IIIA as a whole. Guides were not inserted for Division 6 (which contains certain offences) or Division 7 (which deals with certain court orders) as these divisions are short and self-explanatory.

In relation to the structure of the Bill, these privacy law reforms proceed by amending the existing Act, rather than by replacing the Act with an entirely new Act. This means that the structure of the final consolidated Act will remain consistent with the existing structure of the Act. Credit reporting definitions will be located in Part II – Interpretation, which currently contains all definitions and other provisions relevant to interpreting the Act.

At present the credit reporting related provisions are in a number of different places in Part II of the Act. The Bill reorganises the definitions in Part II into a logical sequence and groups similar specific definitions together. Part II will be divided into two divisions – Division 1 will contain all the general definitions for the Act, while Division 2 will contain key definitions relating to credit reporting. Division 1 will include all the credit reporting definitions in subsection 6(1). Where terms require a more comprehensive definition, the reference in subsection 6(1) will point to the specific definition in Division 2. In this way, Division 1 will be the starting point for identifying and locating all defined terms in the amended Act. The Department considers that this approach to structuring the credit reporting provisions is consistent with the existing structure of the Act and, once amended, will be logical, straightforward and clear.[26]

'Australian link'

3.14 Items 2 to 65 in Schedule 2 of the Bill amend general definitions in subsection 6(1) of the Privacy Act. The general definition which most concerned submitters and witnesses is the term 'Australian link' in section 5B of the Privacy Act.

3.15 The EM states:

The credit reporting system is restricted to information about consumer credit in Australia and access to the credit reporting system is only available to credit providers in Australia. The credit reporting system will not contain foreign credit information or information from foreign credit providers (even if they have provided credit to an individual who is in Australia), nor will information from the credit reporting system be available to foreign credit reporting bodies or foreign credit providers.[27]

3.16 To effect this policy proposal, the Australian Government considered a number of general provisions stating these limitations but:

[I]t was considered that a simpler, clearer and more effective approach was to ensure appropriate limitations were in place in relation to each relevant provision dealing with the collection, use and disclosure of information by credit reporting bodies and credit providers in Part IIIA.[28]

General comment regarding the definition

3.17 Items 4 to 7 of Schedule 4 of the Bill will amend the definition of 'Australian link' in subsections 5B(2) and 5B(3) of the Privacy Act. The new definition will outline the circumstances in which an organisation or small business operator will have an 'Australian link'. For example, under proposed new paragraph 5B(3)(c) an 'Australian link' will exist where 'personal information was collected or held by the organisation or operator in Australia or an external Territory', and the other requirements of the section are satisfied.[29]

3.18 The EM states:

The collection of personal information 'in Australia' under [proposed] paragraph 5B(3)(c) includes the collection of personal information from an individual who is physically within the borders of Australia or an external territory, by an overseas entity.

For example, a collection is taken to have occurred 'in Australia' where an individual is physically located in Australia or an external Territory, and information is collected from that individual via a website, and the website is hosted outside of Australia, and owned by a foreign company that is based outside of Australia and that is not incorporated in Australia. It is intended that...entities...who have an online presence (but no physical presence in Australia) and collect personal information from people who are physically in Australia, carry on a 'business in Australia or an external Territory'.[30]

3.19 The OAIC questioned whether the government's objective will be achieved with the use of the 'Australian link' term, contending that the intention stated in the EM is not reflected in the Bill. Its submission argued that the phrase 'in Australia' is not clear, particularly in the online context, and should be made explicit, for example, by amending 'in Australia' to read 'from Australia'.[31] At the first public hearing, the Australian Privacy Commissioner, Mr Timothy Pilgrim, specifically stated:

[T]he use of the terminology 'in Australia' in the credit provisions may leave open to interpretation whether or not foreign credit reporting entities can get access to the information.[32]

3.20 For many other submitters, it was not the definition of the term 'Australian link', but the manner in which the term is to be applied throughout the credit reporting provisions, that raises concerns.

Extra-territorial operation

3.21 Several submitters and witnesses questioned the use of the term 'Australian link' in relation to proposed new paragraph 21G(3)(b) of the Privacy Act.[33] This provision will prevent a 'credit provider' who holds 'credit eligibility information' about an individual from using or disclosing that information to a related body corporate which does not have an 'Australian link'.

3.22 Industry submitters and witnesses argued that this use of the 'Australian link' requirement is excessive and inconsistent, and will significantly affect business operations.[34] In evidence, for example, Mrs Sue Jeffrey from ANZ Banking Group Limited (ANZ) argued:

[T]he Australian link requirement will have a major effect on the way ANZ structures its businesses. For example, ANZ from time to time use[s] credit assessment teams in New Zealand to assist with processing home loan applications during periods of high volume. We would like to retain this ability to move work across our geographies in order to best meet the needs of our customers. [The Bill] would represent a much more significant impact than we expect was intended. It would be a backward step in ANZ's ability to structure its operations in a way that supports our regional footprint and delivers our customers efficient, high quality service. At the same time it would offer no additional privacy protection to our customers.[35]

3.23 The Law Council of Australia noted:

[S]ome authorised deposit taking institutions have established outsourcing operations with entities based in foreign countries as a means of providing financial services more economically and contributing to lower overall prices...The offshore entities may be wholly-owned but foreign incorporated subsidiaries, or may be unrelated bodies subject to strict service agreements which require information to be used and dealt with solely for the purposes of the principal with high levels of security.[36]

Contrast with approach in APP 8

3.24 The Australian Bankers' Association (ABA) contrasted proposed new section 21G, which contains the general prohibition against the use or disclosure of 'credit eligibility information' by a 'credit provider', with cross-border disclosures of personal information (other than 'credit eligibility information') to overseas recipients under proposed Australian Privacy Principle 8 (APP 8):

APP 8 together with proposed section 16C means a bank will remain liable if the overseas recipient of the personal information engages in conduct that would be a breach of an APP (other than APP 1) as if the conduct had occurred in Australia unless certain limited exceptions in APP 8.2 apply.[37]

3.25 The ABA submitted further:

[T]here seems to be no logical reason why it is necessary for two different regimes to apply according to the type of personal information involved –the one, under the credit reporting provisions that imposes a complete prohibition on the disclosure of credit eligibility information to an overseas recipient where the recipient has no Australian link and the other, where the cross border disclosure of personal information other than credit eligibility information is subject to an accountability rule (section 16C) or specific exceptions.[38]

3.26 The Australian Finance Conference, ANZ and Optus made similar comments, noting that the disclosure of equally sensitive personal information to overseas recipients is permitted under APP 8. For example, ANZ stated:

The Bill allows the cross-border disclosure of other forms of sensitive information, such as health information and the customer's credit card transactions, provided the disclosing organisation complies with APP 8...It is not clear why the disclosure of ['credit eligibility information'] for legitimate business purposes should be treated more restrictively than information that is likely to be as sensitive.[39]

3.27 Several submitters recommended that the Bill should allow for the disclosure of 'credit eligibility information' (CEI) to overseas recipients under APP 8.[40] As ANZ argued:

[T]he Australia link requirement [should] be removed for disclosure of CEI for legitimate business purposes to an offshore entity that is an agent or related body corporate of the disclosing entity. ANZ also recommends that APP 8 [should apply] to offshore disclosure of credit information in the same way it applies to other forms of personal information. These recommendations are predicated on the disclosing entity remaining responsible in the event of a privacy breach.[41]

Departmental response

3.28 In evidence, a representative from the Department confirmed that the Bill introduces for the first time a specific rule to deal with the cross-border disclosure of credit reporting information.[42] Departmental officers recognised that the implementation of this rule – using the 'Australian link' requirement – is problematic for some stakeholders due to the way in which they have structured their business operations:

We are certainly not looking to get into a situation where we are trying to break business models that banks have established, but we are looking to reach a more targeted policy outcome.[43]

3.29 The officers also noted APP 8, which deals with the cross border disclosure of personal information (excluding 'credit eligibility information') and which has a related accountability mechanism in proposed new section 16C of the Privacy Act (item 82 of Schedule 1 of the Bill). They explained that it would not be appropriate to extend this regime to the credit reporting provisions:

The structure of the credit reporting provisions is to prohibit all collection, use and disclosure of personal information in the credit reporting system and then provide targeted exceptions for permitted acts and practices...[T]he Department considers that simply applying APP 8 without any modification may undermine the policy of not disclosing Australian credit information to foreign credit providers. The Department's preferred approach is to identify options to provide specifically for a targeted disclosure (and associated use) to deal with off-shore processing. Such a targeted provision could then impose obligations based on APP 8.1 and proposed section 16C of the Privacy Amendment Bill to ensure that the Australian credit provider remains accountable for the personal information in the hands of the overseas processor recipient. Initial discussions with credit provider stakeholders indicate that this approach may be acceptable to them. We will continue to work with stakeholders to refine an approach that can be put to the Attorney-General for consideration.[44]

'Credit provider'

3.30 Submitters and witnesses were also concerned with certain key definitions relating to credit reporting in proposed new Division 2 of Part II of the Privacy Act,[45] including the definitions of: 'credit provider'; 'credit information'; 'default information'; 'serious credit infringement'; 'new arrangement information'; and 'repayment history information'.

3.31 Proposed new section 6G (item 69 of Schedule 2) inserts a definition of the key term 'credit provider' into the Privacy Act. The definition will include a 'bank' and will allow for certain inclusions and exclusions, such as a class of organisations or small business operators prescribed by the regulations (proposed new subsection 6G(6)).

3.32 In relation to 'credit provider', submitters directed their comments toward the breadth or, conversely, the lack of breadth in the new definition.[46] For example, Min‑it Software argued that proposed new paragraph 6G(2)(b) of the Privacy Act [47] widens the current definition of 'credit provider' 'solely for the benefit of the credit reporting businesses':

Australian Credit Licence ("ACL") holders already have to hold and retain far more personal information than is really necessary due to [the National Consumer Credit Protection] Act, the [credit reporting] Code and [the Australian Securities and Investments Commission's] requirements but rather than further limiting who has access to personal information, this Bill will allow additional credit providers to seek, hold and collect personal information they currently cannot access. Consequently, if many others have access to an individual's personal information through their work, an individual's right to privacy has been considerably and directly diminished by this legislation.[48]

3.33 On the other hand, the Communications Alliance queried whether telecommunications providers are captured by the definition and noted that proposed new subsection 6G(6) of the Privacy Act could result in its members being excluded from the new definition of 'credit provider'.[49]

3.34 However, the Communications Alliance stated that one of its biggest concerns with the Bill is that it does not allow for the existence of different kinds of 'credit provider', the different sectors and industries involved, and the way in which each of these stakeholders uses 'credit information':

We would suggest that the bill be reviewed with the objective of determining whether each of the credit provider rules is relevant across all industries and, if not, perhaps removing them from the bill and allowing that to be dealt with in the credit reporting code.[50]

'Credit information'

3.35 Proposed new section 6N (item 69 of Schedule 2) inserts a definition of the key term 'credit information' into the Privacy Act. This new definition comprises certain categories of personal information about an individual (other than sensitive information). Some of these categories will be further defined in subsection 6(1) of the Privacy Act, and some categories will be further defined in other proposed new sections contained in item 69 of Schedule 2 (Key definitions relating to credit reporting).

3.36 Submitters and witnesses commented on a variety of proposed definitions for categories of personal information comprising 'credit information'.[51] For example, Veda contended that the definition of 'identification information' (item 34 of Schedule 2) will affect the accuracy of approximately 2.4 million credit files and the ability of 'credit reporting bodies' to accurately match a credit inquiry to a file.[52] That new definition refers to an individual's current or last known address, and two previous addresses (if any).

3.37 At the first public hearing, a representative from Veda informed the committee:

Veda is calling for credit-reporting bureaus to be able to hold the greater of current address plus two previous addresses or current address plus all previous addresses over the past five years. The reason why this is important is that there is a high-risk segment, generally younger people, who move address very frequently. Under the proposed legislation, we would lose all of the information that attaches to them once they have moved address more than twice, so we would very much like that to be remedied in the bill.[53]

3.38 The Department did not agree that 'credit reporting bodies' would 'lose all information about an individual if the individual moves more than twice in [a] five year period':

[T]he proposed definition of 'identification information' includes a range of other types of personal information...The Department considers that the various types of personal information included in the definition of 'identification information', in conjunction with the permitted address information, should be sufficient to identify individuals.[54]

'Default information'

3.39 Proposed new subsection 6Q(1) (item 64 of Schedule 2) inserts a definition of the key term 'default information' into the Privacy Act in relation to consumer credit defaults. 'Default information' about an individual is information about an overdue payment (including one which is wholly or partially comprised of interest) in relation to consumer credit provided by a 'credit provider' to the individual if:

the payment is at least 60 days overdue;
the 'credit provider' has given the individual written notice informing the individual of the overdue payment and requesting that the individual pay the overdue amount;
the 'credit provider' is not prevented by a statute of limitations from recovering the overdue amount; and
the overdue amount is equal to or more than:
- $100; or
- such higher amount as is prescribed by the regulations.

3.40 Submitters raised a number of issues in relation to proposed new subsection 6Q(1) of the Privacy Act. For example, submitters expressed concerns regarding the interaction between the notification and listing processes, the threshold amount, when a default can be listed and for how long, and the interaction between the hardship provisions in the National Consumer Credit Protection Act 2009 (National Consumer Credit Protection Act) and the default provisions in privacy legislation.

Notification and listing processes

3.41 The Consumer Credit Legal Centre (NSW) (CCLCNSW) submitted that the proposed provision is problematic for consumers 'as it allows credit providers to subvert the process to disadvantage consumers'. CCLCNSW's submission argued that a 'credit provider' could list a default immediately after issuing written notice to an individual:

This is procedurally unfair as it is the notice that is important in notifying the consumer that there actually is a default! It is more than possible to be unaware of the default simply because there was a bank error in direct debits for example.[55]

3.42 CCLCNSW recommended that proposed new paragraph 6Q(1)(b) should be amended to require 30 days to have elapsed from the date of the written notice before listing can occur.[56] In the same vein, the Australian Communications Consumer Action Network (ACCAN) called for a mechanism whereby consumers can challenge listings when they have had no opportunity to be notified about an imminent listing:

ACCAN recommends that there be a specific notification requirement related to the intention to credit list and that this requirement be such that all reasonable attempts to contact the customer with a specific warning should be a prerequisite to credit listing.[57]

Threshold amount

3.43 In relation to the threshold amount stipulated in proposed new subparagraph 6Q(1)(d)(i), the Energy & Water Ombudsman NSW (EWON) supported prescribing a minimum amount but suggested that a more realistic definition of the overdue amount would be in the order of $300: 'This would exclude small utility bills from the adverse consequences of credit listing'.[58] ACCAN and CCLCNSW concurred,[59] whereas the Hunter Community Legal Centre submitted that the minimum amount should be $500 (excluding interest).[60] Mr Pilgrim agreed that 'there is some merit in looking at that [$300] level'.[61]

Default listings

3.44 Both EWON and the Financial Ombudsman Service (FOS) noted that the Bill does not specify when 'default information' can be listed.[62] EWON advised that, in its experience:

[S]ome customers are credit default listed but there is a delay in the listing, sometimes up to several years after the subject debt arose. This means that the negative impact on a customer's credit report will continue well beyond the usual five year period of a credit default listing. It may also run over the standard period of time a provider has to take legal action to recover a debt. It seems unreasonable and unfair for the effects of a debt to be prolonged in this way.[63]

3.45 EWON submitted that it would be useful if the Bill were to provide clarification on this issue,[64] whereas the FOS submitted:

[M]andating in legislation a 12 month 'limitation period' is not sufficiently flexible to deal with the broad range of financial circumstances that give rise to default listings...A likely response from many Financial Services Providers will be to no longer act with discretion and default list all overdue customers within 12 months of the account falling more than 60 days overdue.[65]

3.46 In its inquiry, the F&PA committee received similar evidence regarding the timeframe for the disclosure of 'default information'. That committee recommended that greater clarity should be provided by either the OAIC or in the credit reporting code,[66] a recommendation which was accepted by the Australian Government.[67]

3.47 EWON also noted that a listing is for a period of five years (item 4 in the table to proposed new section 20W of the Privacy Act, contained in item 72 of Schedule 2 of the Bill) regardless of whether the default amount is $300 or $30,000. EWON suggested:

[A]nother option could be a 'sliding scale' where the credit default listing is for a period relative to the amount of the debt, e.g. $1000 or less = 1 year listing; $1001 to $5000 = 2 years listing; $5001 to $10,000 = 3 years listing etc.[68]

3.48 ACCAN agreed that listings should be proportionate to the default amount and, in any event, two years for telecommunications products.[69] CCLCNSW endorsed this view with respect to listings related to credit which is not regulated by the National Consumer Credit Protection Act:

[I]t is unreasonable and excessive to hold default information on utilities and other debts (that are not credit as defined under the National Consumer Credit Protection Act) for [five years]...[T]he retention period for default information on a consumer's credit report for utilities should be two years.[70]

National Consumer Credit Protection Act 2009

3.49 Some submitters drew attention to the interaction between the hardship provisions in the National Consumer Credit Protection Act [71] and the default provisions in the Bill.[72] The FOS, for example, advised that a common and increasing basis for complaints is that an individual is listed while negotiating a hardship arrangement. The FOS suggested that the Bill address the interrelationship between the two regimes:[73]

[E]ither the [Bill] or the Code of Conduct should set some parameters as to a Financial Services Provider's obligation to properly consider any application by a borrower for financial difficulty assistance before default listing that borrower.[74]

3.50 ARCA similarly suggested alignment of the two legislative regimes by using the proposed credit reporting code (to be created under Schedule 3 of the Bill) to achieve that objective:

[This] will allow better alignment between the Privacy Act and the National Consumer Credit Protection Act arrangements.[75]

'Serious credit infringement'

3.51 Item 63 of Schedule 2 of the Bill repeals and replaces the definition of 'serious credit infringement' in current subsection 6(1) of the Privacy Act. 'Serious credit infringement' will mean:

(a) an act done by an individual that involves fraudulently obtaining consumer credit, or attempting fraudulently to obtain consumer credit; or

(b) an act done by an individual that involves fraudulently evading the individual's obligations in relation to consumer credit, or attempting fraudulently to evade those obligations; or

(c) an act done by an individual if:

(i) a reasonable person would consider that the act indicates an intention, on the part of the individual, to no longer comply with the individual's obligations in relation to consumer credit provided by a credit provider; and

(ii) the provider has, after taking such steps as are reasonable in the circumstances, been unable to contact the individual about the act; and

(iii) at least 6 months have passed since the provider last had contact with the individual.

3.52 The CCLCNSW and the Consumer Action Law Centre (CALC) submitted that the proposed new definition of 'serious credit infringement' (SCI) is one of the most critical consumer issues in the Bill. The CALC argued:

It is difficult to understate the significance of a credit provider listing an SCI on a consumer's credit report. An SCI is the most serious type of listing that can be made apart from bankruptcy, and yet it is the only listing that can be made based purely on the opinion of a credit provider at a particular point in time.

Once made, an SCI will ordinarily remain on a credit report for seven years. They can be very difficult to remove earlier – even if the consumer can demonstrate that, had the credit provider known all the circumstances, they would not have made the listing. Further, it is often the case that SCIs are listed merely because of an error, misunderstanding or breakdown in communications.[76]

Six-month waiting period

3.53 The CALC expressed concerns in relation to the six-month waiting period in proposed subparagraph (c)(iii), which it submitted does not require a 'credit provider' to attempt to contact a customer or review the appropriateness of the listing after six months.[77] The FOS, which supported the proposed provision, submitted:

[I]t is appropriate that the...Bill include a requirement that the Financial Services Provider must have taken reasonable steps to contact an individual and that at least 6 months should have passed without contact prior to entering a serious credit infringement listing.[78]

Evidence to the F&PA committee's inquiry and government response

3.54 The CALC referred to the F&PA inquiry where Veda Advantage (now Veda) and a number of consumer advocates suggested that the definition of 'serious credit infringement' should be replaced with two new definitions: 'un‑contactable default' and 'never paid' flag.[79] In its submission to the current inquiry, the CALC supported this proposal as more effective and proportionate:

[I]t requires a 'never paid' flag to be automatically removed after six months (although a default would remain) and for 'un-contactable defaults' to be removed if contact is re-established at any point with the consumer.[80]

3.55 In its 2008 report, the Australian Law Reform Commission did not consider that 'serious credit infringements' should necessarily be limited to conduct that is fraudulent:

Credit providers have a legitimate interest in sharing information about the conduct of individuals that falls short of fraud – for example, where an individual deliberately avoids contact with a credit provider in order to evade his or her financial responsibilities.[81]

3.56 Further, the Department of the Prime Minister and Cabinet (which then had portfolio responsibility for privacy matters) noted in its evidence to the F&PA inquiry that the proposal by Veda and consumer advocates:

...appears to remove any element of fraudulent activity from consideration, apparently reclassifying serious credit infringements into a default that occurs when a person cannot be contacted.[82]

3.57 The F&PA committee accepted this evidence and noted its concern that the stakeholder proposal 'does not reflect the serious nature of intentional credit fraud as is provided for in the credit reporting system'.[83] That committee recommended:

...that consideration be given to a change of approach in dealing with serious credit infringements to allow for those listings, not relating to intentional fraud, to be dealt with in a different manner.[84]

3.58 The Australian Government accepted this recommendation[85] and in response has inserted proposed subparagraph (c)(iii) into the new definition of 'serious credit infringement' in the current Bill.[86] According to the EM to the Bill, this is intended to provide 'a practical timeframe in which the individual may be able to pay the debt before a serious credit infringement is listed'.[87] In addition, the Department noted that the credit reporting code will:

...provide further requirements and guidance in relation to the reasonable steps that a credit provider must take to contact an individual. This may include requirements relating to the number of attempts to contact the individual and other related matters.[88]

'New arrangement information'

3.59 Proposed new section 6S (item 69 of Schedule 2 of the Bill) inserts a definition of the term 'new arrangement information' into the Privacy Act. While similar to a hardship arrangement under the National Consumer Credit Protection Act, 'new arrangement information' is distinguishable by the point in time at which a 'credit provider' has disclosed the existence of 'default information' or a 'serious credit infringement':

Where an individual is overdue in making payments in relation to consumer credit a credit provider may choose to enter into a new arrangement with the individual. Such a new arrangement only satisfies the definition of 'new arrangement information' if the credit provider has previously disclosed 'default information' or a 'serious credit infringement' in relation to the individual's overdue payments [that is, a listing has occurred]...In some circumstances prior to a default, the credit provider and the individual may agree on a hardship arrangement, as provided for in the [National Consumer Credit Protection] Act. Hardship arrangements that satisfy the requirements of the [National Consumer Credit Protection] Act are not included within the meaning of 'new arrangement information'.[89]

3.60 Two submitters – ARCA and ANZ – commented on the Bill addressing only situations involving post-default hardship. Both noted that pre-default hardship arrangements would not come to the attention of other participants in the credit reporting system, potentially leading to consumer detriment due to the reporting of adverse repayment history. As ANZ explained:

Where a temporary arrangement is in place, and even though an individual is meeting the terms of that arrangement, credit providers will be required to report that the individual did not make their required monthly payment. The consequence is that an individual who is complying with a temporary arrangement will be treated in the same way as an individual who has simply failed to make required payments.[90]

3.61 ANZ argued that 'credit providers' should be able to accurately report the status of a customer experiencing temporary hardship but who is making agreed payments:

[T]he Bill should provide a mechanism to indicate that an individual is subject to a hardship arrangement, such as a temporary hardship flag. The flag would only be visible when the individual was in a hardship arrangement and would be removed once the hardship arrangement ended. Such an approach would reduce the chance of a consumer in hardship being inappropriately provided additional credit but would not adversely impact the ability of the consumer to obtain credit in the future.[91]

3.62 Mr David Niven from the Financial Ombudsman Service told the committee that the difficulty is that 'the ground rules as to how [financial hardship] ought [to] be treated by a credit provider acting in good practice are unclear':

[A consumer] will be making a payment arrangement but [they] will nonetheless be behind on [their] contractual repayments. There will then be an issue as to whether or not that is a variation: is that a binding variation so that I am no longer a consumer in default, or is it, as the upmarket lawyers call it, simply an indulgence so that they are prepared to accept that without prejudice to their rights and I could still be listed?[92]

3.63 Ms Katherine Lane from CCLCNSW thought it better that the Bill remain silent on these issues:

[I]t is essential that consumers are encouraged to request financial hardship when needed. If there is a negative consequence of doing that, that would be very unfortunate. I support the bill being silent on this issue. I think it is something that could be worked out perhaps in the [regulations] or the code.[93]

Departmental response

3.64 The Department recognised that the credit reporting industry has called for a 'hardship flag' to be included in the 'credit information' of an individual who has been provided with a hardship variation under section 72 of the National Consumer Credit Protection Act. However, this argument has been rejected by the Australian Government:

Hardship variations cannot be listed as part of an individual's credit reporting information. The Government is concerned that permitting the listing of hardship variations may act as a deterrent to individuals seeking hardship variations in appropriate circumstances (including following a natural disaster) and this would be contrary to the intention of providing the right to request a hardship variation.[94]

'Repayment history information'

3.65 The introduction of more comprehensive, or positive, credit reporting to provide additional information about an individual's ongoing credit arrangements is one of the five major reforms contained in Schedule 2 of the Bill.[95] This reform will introduce five new data sets into the credit reporting system, one of which will be 'repayment history information'.

3.66 Proposed new subsection 6V(1) (item 69 of Schedule 2) inserts a definition of the term 'repayment history information' into the Privacy Act. 'Repayment history information', in relation to consumer credit given to an individual by a 'credit provider', will mean:

whether or not the individual has met an obligation to make a monthly payment that is due and payable;
the day on which the monthly payment is due and payable; and
if the individual makes the monthly payment after the day on which the payment is due and payable – the day on which the individual makes that payment.

3.67 Most submitters and witnesses commented on the application of the term 'repayment history information' within proposed new Part IIIA of the Privacy Act (item 72 of Schedule 2).[96] However, ARCA argued that the new definition of 'repayment history information' is inconsistent with how 'credit providers' and 'credit reporting bodies' (CRBs) determine missed repayments:

[R]ather than requiring Credit Providers and CRBs to have to devise an alternative means of calculating missed payments (delinquency)...the definition [should] allow the inclusion of an indicator for whether the individual is up to date with their payments, and if not, an indicator of how long their oldest overdue payment has been outstanding.[97]

Navigation: Previous Page | Contents | Next Page