National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Act 2021 (5 of 2021)

Schedule 1   Main amendments

National Consumer Credit Protection Act 2009

4   After Part 3-2C

Insert:

Part 3-2CA - Licensees supplying credit information to credit reporting bodies etc.

Division 1 - Introduction

133CM Guide to this Part

This Part has rules that apply to licensees that are large ADIs or are of a prescribed kind.

Each licensee must supply certain information to eligible credit reporting bodies about all of the open credit accounts held with the licensee or with other members of the licensee's corporate group.

Each licensee must then supply updated information to those credit reporting bodies on an ongoing basis.

Conditions may need to be met before the credit reporting bodies who are supplied with this information can further disclose this information to credit providers.

This Part applies in addition to the Privacy Act 1988.

133CN Meanings of eligible licensee and eligible credit reporting body

(1) A licensee is an eligible licensee , on 1 July 2021 or a later day, if on that day the licensee:

(a) is a large ADI, or is a body corporate of a kind prescribed by the regulations; and

(b) is a credit provider.

(2) A credit reporting body is an eligible credit reporting body for a licensee if:

(a) the following conditions are met:

(i) an agreement of the kind referred to in paragraph 20Q(2)(a) of the Privacy Act 1988 between the body and the licensee was in force on 2 November 2017;

(ii) the licensee is an eligible licensee on 1 July 2021; or

(b) the conditions (if any) prescribed by the regulations are met.

133CO Meaning of eligible credit account

(1) An eligible credit account is an account that:

(a) relates to the provision, or possible provision, of consumer credit (within the meaning of the Privacy Act 1988); and

(b) is held by one or more natural persons with a credit provider; and

(c) is not of a kind determined under subsection (2).

(2) ASIC may, by legislative instrument, determine one or more kinds of account for the purposes of paragraph (1)(c).

133CP Meaning of mandatory credit information

(1) Mandatory credit information , for eligible credit accounts held by natural persons with a credit provider, is personal information (other than sensitive information) for those accounts that is:

(a) identification information (within the meaning of the Privacy Act 1988) about the natural persons; or

(b) consumer credit liability information (within the meaning of the Privacy Act 1988) about the natural persons; or

(c) repayment history information (within the meaning of the Privacy Act 1988) about the natural persons; or

(e) default information (within the meaning of the Privacy Act 1988) about the natural persons; or

(f) payment information (within the meaning of the Privacy Act 1988) about the natural persons; or

(g) new arrangement information (within the meaning of the Privacy Act 1988) about the natural persons.

(2) Despite paragraph (1)(c), mandatory credit information does not include repayment history information (within the meaning of the Privacy Act 1988) that comes into existence more than 3 months before the first 1 July on which:

(a) if the credit provider is a member of a banking group - the head company of the group is an eligible licensee; or

(b) otherwise - the credit provider is an eligible licensee.

(4) Despite paragraph (1)(e), mandatory credit information does not include default information (within the meaning of the Privacy Act 1988) that comes into existence before the first 1 July on which:

(a) if the credit provider is a member of a banking group - the head company of the group is an eligible licensee; or

(b) otherwise - the credit provider is an eligible licensee.

133CQ Meaning of supply requirements

(1) Information is supplied in accordance with the supply requirements if the supply is in accordance with:

(a) the registered CR code (within the meaning of the Privacy Act 1988); and

(b) any determination under subsection (2); and

(c) any technical standards approved under subsection (4).

(2) For one or more kinds of information to be supplied under this Part, ASIC may, by legislative instrument, determine particulars of the information that must be included in the supply.

(3) Despite subsection 14(2) of the Legislation Act 2003, a determination under subsection (2) may make provision in relation to a matter by applying, adopting or incorporating, with or without modification, any matter contained in any other instrument or writing as in force or existing from time to time.

(4) ASIC may, in writing, approve technical standards for supplying one or more kinds of information under this Part.

(5) If there is an inconsistency between:

(a) the registered CR code (within the meaning of the Privacy Act 1988); and

(b) a determination under subsection (2) or a technical standard approved under subsection (4);

the registered CR code prevails to the extent of the inconsistency.

Division 2 - Supplying credit information to credit reporting bodies etc.

Subdivision A - Initial bulk supplies of credit information

133CR Requirement to supply

First bulk supply for at least 50% of total eligible credit accounts

(1) An eligible licensee must supply mandatory credit information for the accounts referred to in subsection (2) to each eligible credit reporting body ( CRB ) for the licensee:

(a) before the end of the later of the following periods:

(i) the 90-day period starting on the first 1 July on which the licensee is an eligible licensee;

(ii) if subsection (5) applies - the 14-day period starting on the cessation day referred to in that subsection; and

(b) in accordance with the supply requirements; and

(c) to the extent that the licensee is not prevented by the Privacy Act 1988 from doing so.

Civil penalty: 5,000 penalty units.

(2) For the purposes of subsection (1), the accounts are at least 50% of all of the eligible credit accounts held:

(a) on the first 1 July on which the licensee is an eligible licensee; and

(b) with the licensee, or with a member of a banking group of which the licensee is the head company.

The licensee may choose which eligible credit accounts make up this 50%.

Bulk supply for remaining eligible credit accounts

(3) An eligible licensee must supply mandatory credit information for the accounts referred to in subsection (4) to each eligible credit reporting body ( CRB ) for the licensee:

(a) before the end of the latest of the following periods:

(i) the 90-day period starting on the second 1 July on which the licensee is an eligible licensee;

(ii) if subsection (5) applies - the 14-day period starting on the cessation day referred to in that subsection;

(iii) if, because paragraph 133CS(1)(b) is no longer satisfied, subsection 133CS(1) ceases to provide the licensee with an exception to this subsection for the CRB - the 14-day period starting on the day that exception ceases to apply; and

(b) in accordance with the supply requirements; and

(c) to the extent that the licensee is not prevented by the Privacy Act 1988 from doing so.

Civil penalty: 5,000 penalty units.

(4) For the purposes of subsection (3), the accounts are all of the eligible credit accounts held:

(a) on the second 1 July on which the licensee is an eligible licensee; and

(b) with the licensee, or with a member of a banking group of which the licensee is the head company;

for which mandatory credit information was not supplied under subsection (1) to the CRB.

Possible extension of time if credit reporting body later complies with information security requirements before end of 90-day period

(5) For the purposes of subsection (1) or (3), this subsection applies if:

(a) the licensee reasonably believes that the CRB is not complying with section 20Q of the Privacy Act 1988 on the 1 July referred to in that subsection; and

(b) the licensee complies with paragraphs 133CS(2)(a) and (b) in relation to that belief; and

(c) the licensee ceases to hold that belief on a day (the cessation day ) before the end of the 90-day period starting on that 1 July.

Requirements apply whether the information is kept in or outside this jurisdiction

(6) Subsection (1) or (3) applies whether the mandatory credit information is kept in or outside this jurisdiction.

133CS Exception if credit reporting body not complying with information security requirements

(1) Subsection 133CR(1) or (3) does not apply, and is taken never to have applied, to a licensee for a credit reporting body if:

(a) the licensee reasonably believes that the body is not complying with section 20Q of the Privacy Act 1988:

(i) on the 1 July referred to in that subsection; and

(ii) on the last day of the 90-day period starting on that 1 July; and

(b) in the case of subsection 133CR(3) - the licensee continues to hold that belief after that 90-day period; and

(c) the licensee satisfies subsection (2) of this section.

Note 1: Paragraph (b) means that, if the licensee ceases to hold that belief after the 90-day period starting on the 1 July in subsection 133CR(3), this exception will cease to apply and the supply requirement in subsection 133CR(3) will apply.

Note 2: A person who wishes to rely on this subsection bears an evidential burden in relation to the matters in this subsection (see subsection (3) of this section and subsection 13.3(3) of the Criminal Code).

(2) The licensee satisfies this subsection if:

(a) the licensee prepares a written notice:

(i) stating that the licensee reasonably believes that the credit reporting body is not complying with section 20Q of the Privacy Act 1988 on that 1 July; and

(ii) setting out the licensee's reasons for that belief; and

(iii) stating that the body may try to convince the licensee otherwise, but that in the case of subsection 133CR(1) the body will need to do so before the end of the 90-day period starting on that 1 July; and

(b) the licensee gives that notice to the body, and a copy to the Information Commissioner and ASIC, within 7 days after that 1 July; and

(c) the licensee prepares a written notice (the final notice ):

(i) stating that the licensee reasonably believes that the body is not complying with section 20Q of the Privacy Act 1988 on the last day of that 90-day period; and

(ii) setting out the licensee's reasons for that belief; and

(d) the licensee gives the final notice to the body, and a copy to the Information Commissioner and ASIC, within 7 days after the last day of that 90-day period.

(3) A licensee who wishes to rely on subsection (1) in proceedings for a declaration of contravention or a pecuniary penalty order bears an evidential burden in relation to the matters in that subsection.

133CT Licensee must give notice if credit reporting body later complies with information security requirements

If:

(a) an eligible licensee reasonably believes that an eligible credit reporting body for the licensee is not complying with section 20Q of the Privacy Act 1988 on the first or second 1 July on which the licensee is an eligible licensee; and

(b) the licensee complies with paragraphs 133CS(2)(a) and (b) in relation to that belief; and

(c) the licensee ceases to hold that belief:

(i) in the case of subsection 133CR(1) - on a day during the 90-day period starting on that first 1 July; or

(ii) in the case of subsection 133CR(3) - on any day after that second 1 July;

the licensee must:

(d) prepare a written notice:

(i) stating that the licensee has ceased to hold that belief; and

(ii) setting out the licensee's reasons for ceasing to hold that belief; and

(e) give that notice to the body, and a copy to the Information Commissioner and ASIC, within 7 days after the day the licensee ceases to hold that belief.

Civil penalty: 5,000 penalty units.

Subdivision B - Ongoing supplies of credit information

133CU Requirement to supply

(1) If:

(a) a licensee has supplied a credit reporting body (the CRB ) with mandatory credit information under this Division; and

(b) on a later day (the trigger day ):

(i) the conditions (if any) prescribed by the regulations are not met for the licensee and the CRB; and

(ii) the licensee, or a member of a banking group of which the licensee is the head company, would reasonably be expected to have become aware that an event in an item of the following table has happened; and

(iii) the licensee is still an eligible licensee; and

(iv) an agreement of the kind referred to in paragraph 20Q(2)(a) of the Privacy Act 1988 is in force between the CRB and a body referred to in subparagraph (ii) of this paragraph;

the licensee must supply to the CRB the information referred to in that table item:

(c) before the end of the latest of the following periods:

(i) the 45-day period starting on the trigger day;

(ii) if subsection (2) applies - the 14-day period starting on the cessation day referred to in that subsection;

(iii) if, because paragraph 133CV(1)(b) is no longer satisfied, subsection 133CV(1) ceases to provide the licensee with an exception to this subsection for the CRB - the 14-day period starting on the day that exception ceases to apply;

(iv) if the trigger day happens because of table item 3 and is before the licensee supplies the CRB with mandatory credit information under subsection 133CR(3) - the 90-day period starting on the trigger day; and

(d) in accordance with the supply requirements; and

(e) to the extent that the licensee is not prevented by the Privacy Act 1988 from doing so.

O ngoing supplies of mandatory credit information

Item

If this event happens:

This information must be supplied:

1

the need to correct any mandatory credit information the licensee has supplied under this Division to ensure that, having regard to a purpose for which the information is held by:

(a) the licensee; or

(b) a member of a banking group of which the licensee is the head company;

the information is accurate, up-to-date, complete, relevant and not misleading

details of the corrected information

2

the payment of an overdue payment about which default information (within the meaning of the Privacy Act 1988) has been supplied under this Division

payment information (within the meaning of the Privacy Act 1988) relating to the payment

3

the opening of an eligible credit account with:

(a) the licensee; or

(b) a member of a banking group of which the licensee is the head company;

provided this happens after the second 1 July on which the licensee is an eligible licensee

mandatory credit information for that account

5

default information (within the meaning of the Privacy Act 1988) comes into existence for an eligible credit account for which mandatory credit information has previously been supplied by the licensee to the CRB under this Division

the default information

6

an event:

(a) of a kind prescribed by the regulations; and

(b) that relates to eligible credit accounts or to the natural persons who hold those accounts

information that:

(a) is, or relates to, mandatory credit information; and

(b) is of a kind prescribed by the regulations for that kind of event

Civil penalty: 5,000 penalty units.

(2) For the purposes of subparagraph (1)(c)(ii), this subsection applies if:

(a) the licensee reasonably believes that the CRB is not complying with section 20Q of the Privacy Act 1988 on the trigger day; and

(b) the licensee complies with paragraphs 133CV(2)(a) and (b) in relation to that belief; and

(c) the licensee ceases to hold that belief on a day (the cessation day ) before the end of the 45-day period starting on the trigger day.

(3) Supplies under subsection (1) of information relating to multiple events, or multiple trigger days, may be made together.

(4) Subsection (1) applies whether the information referred to in the table is kept in or outside this jurisdiction.

(5) Regulations made for the purposes of subparagraph (1)(b)(i) may make provision in relation to a matter by applying, adopting or incorporating, with or without modification, any matter contained in any other instrument or writing as in force or existing from time to time.

(6) Subsection (5) has effect despite subsection 14(2) of the Legislation Act 2003.

133CV Exception if credit reporting body not complying with information security requirements

(1) Subsection 133CU(1) does not apply, and is taken never to have applied, to a licensee for a credit reporting body if:

(a) the licensee reasonably believes that the body is not complying with section 20Q of the Privacy Act 1988:

(i) on the trigger day referred to in that subsection; and

(ii) on the last day of the 45-day period starting on the trigger day; and

(b) the licensee continues to hold that belief after that 45-day period; and

(c) the licensee satisfies subsection (2) of this section.

Note 1: Paragraph (b) means that, if the licensee ceases to hold that belief after that 45-day period, this exception will cease to apply and the supply requirement in subsection 133CU(1) will apply.

Note 2: A person who wishes to rely on this subsection bears an evidential burden in relation to the matters in this subsection (see subsection (3) of this section and subsection 13.3(3) of the Criminal Code).

(2) The licensee satisfies this subsection if:

(a) the licensee prepares a written notice:

(i) stating that the licensee reasonably believes that the body is not complying with section 20Q of the Privacy Act 1988 on the trigger day; and

(ii) setting out the licensee's reasons for that belief; and

(iii) stating that the body may try to convince the licensee otherwise; and

(b) the licensee gives that notice to the body, and a copy to the Information Commissioner and ASIC, within 7 days after the trigger day; and

(c) the licensee prepares a written notice (the final notice ):

(i) stating that the licensee reasonably believes that the body is not complying with section 20Q of the Privacy Act 1988 on the last day of that 45-day period; and

(ii) setting out the licensee's reasons for that belief; and

(d) the licensee gives the final notice to the body, and a copy to the Information Commissioner and ASIC, within 7 days after the last day of that 45-day period.

(3) A licensee who wishes to rely on subsection (1) in proceedings for a declaration of contravention or a pecuniary penalty order bears an evidential burden in relation to the matters in that subsection.

(4) Subsection 21U(2) of the Privacy Act 1988 does not require a licensee to give a credit reporting body notice of a correction of certain information if:

(a) subsection (1) of this section is providing the licensee with an exception from a requirement under subsection 133CU(1) of this Act; and

(b) that requirement is to supply the corrected information to the body;

unless the reason under subsection 21U(1) of the Privacy Act 1988 for the correction is that the information is inaccurate, and it was inaccurate when earlier supplied to the body under this Division.

133CW Licensee must give notice if credit reporting body later complies with information security requirements

If:

(a) an eligible licensee reasonably believes that an eligible credit reporting body for the licensee is not complying with section 20Q of the Privacy Act 1988 on the trigger day referred to in subsection 133CU(1); and

(b) the licensee complies with paragraphs 133CV(2)(a) and (b) in relation to that belief; and

(c) the licensee ceases to hold that belief on any day after the trigger day;

the licensee must:

(d) prepare a written notice:

(i) stating that the licensee has ceased to hold that belief; and

(ii) setting out the licensee's reasons for ceasing to hold that belief; and

(e) give that notice to the body, and a copy to the Information Commissioner and ASIC, within 7 days after the day the licensee ceased to hold that belief.

Civil penalty: 5,000 penalty units.

Subdivision C - Offences

133CX Offence relating to initial bulk supplies

(1) A person commits an offence if:

(a) the person is subject to a requirement under subsection 133CR(1) or (3); and

(b) the person engages in conduct; and

(c) the conduct contravenes the requirement.

Criminal penalty: 100 penalty units.

(2) Section 14.1 of the Criminal Code does not apply to an offence against subsection (1).

Note: For an exception to an offence against subsection (1), see subsection 133CS(1). A defendant bears an evidential burden in relation to the matters in subsection 133CS(1) (see subsection 13.3(3) of the Criminal Code).

133CY Offence relating to ongoing supplies

(1) A person commits an offence if:

(a) the person is subject to a requirement under subsection 133CU(1); and

(b) the person engages in conduct; and

(c) the conduct contravenes the requirement.

Criminal penalty: 100 penalty units.

(2) Section 14.1 of the Criminal Code does not apply to an offence against subsection (1).

Note: For an exception to an offence against subsection (1), see subsection 133CV(1). A defendant bears an evidential burden in relation to the matters in subsection 133CV(1) (see subsection 13.3(3) of the Criminal Code).

133CZ Offence relating to giving notice if credit reporting body later complies with information security requirements

A person commits an offence if:

(a) the person is subject to a requirement under section 133CT or 133CW; and

(b) the person engages in conduct; and

(c) the conduct contravenes the requirement.

Criminal penalty: 100 penalty units.

Division 3 - Conditions on credit reporting bodies on-disclosing credit information

133CZA On-disclosing information supplied under Division 2 etc.

(1) This section applies to a credit reporting body in relation to the following information (the protected information ):

(a) any information that the credit reporting body is supplied under Division 2;

(b) any CRB derived information (within the meaning of the Privacy Act 1988) that is derived from information that the credit reporting body is supplied under Division 2.

When protected information must not be disclosed

(2) If the conditions prescribed by the regulations are met for the credit reporting body and a credit provider, the credit reporting body must not disclose to the credit provider so much of the protected information as:

(a) is prescribed by the regulations; or

(b) is of a kind or kinds prescribed by the regulations.

Civil penalty: 5,000 penalty units.

When protected information must be disclosed

(3) If the conditions prescribed by the regulations are met for the credit reporting body and a credit provider, the credit reporting body must disclose to the credit provider so much of the protected information as:

(a) the regulations require to be disclosed; or

(b) is of a kind or kinds prescribed by the regulations;

and which the Privacy Act 1988 does not prevent the credit reporting body from disclosing.

Civil penalty: 5,000 penalty units.

(4) If the credit reporting body is required under subsection (3) to disclose information, the credit reporting body must make the disclosure by the time, and in accordance with the requirements, prescribed by the regulations.

Civil penalty: 5,000 penalty units.

Incorporation of other instruments

(5) Regulations made for the purposes of subsection (2), (3) or (4) may make provision in relation to a matter by applying, adopting or incorporating, with or without modification, any matter contained in any other instrument or writing as in force or existing from time to time.

(6) Subsection (5) has effect despite subsection 14(2) of the Legislation Act 2003.

Matters regulations may deal with

(7) Without limiting subsection (2), (3) or (4), a matter prescribed for the purposes of that subsection may depend on a person or body being satisfied of one or more specified matters.

133CZB Offence

A person commits an offence if:

(a) the person is subject to a requirement under subsection 133CZA(2), (3) or (4); and

(b) the person engages in conduct; and

(c) the conduct contravenes the requirement.

Criminal penalty: 100 penalty units.

Division 4 - Reporting to the Minister

133CZC Reports about initial bulk supplies of credit information

(1) A licensee who is required under subsection 133CR(1) or (3) to supply mandatory credit information must arrange:

(a) for the preparation of a written statement containing information of the kinds prescribed by the regulations relating to:

(i) the mandatory credit information; or

(ii) the eligible credit accounts to which the mandatory credit information relates; and

(b) for a person appointed under section 133CZD to audit that statement and prepare a written report of the audit; and

(c) for that statement and audit report to be given to the Minister within 6 months after the 1 July referred to in that subsection.

Civil penalty: 5,000 penalty units.

(2) A credit reporting body to whom mandatory credit information is required under subsection 133CR(1) or (3) to be supplied must arrange:

(a) for the preparation of a written statement containing information of the kinds prescribed by the regulations relating to:

(i) the mandatory credit information; or

(ii) the eligible credit accounts to which the mandatory credit information relates; and

(b) for a person appointed under section 133CZD to audit that statement and prepare a written report of the audit; and

(c) for that statement and audit report to be given to the Minister within 6 months after the 1 July referred to in that subsection.

Civil penalty: 5,000 penalty units.

(3) For the purposes of subsection (1) or (2), disregard section 133CS when working out whether a person is required under subsection 133CR(1) or (3) to supply mandatory credit information to another person.

133CZD Auditors

(1) ASIC may, in writing, appoint as auditors for the purposes of this Division:

(a) one or more suitably qualified persons; or

(b) the members of one or more classes of suitably qualified persons.

(2) The reasonable fees and expenses of an auditor for preparing an audit report under this Division are payable by the person required to arrange for the preparation of the statement to which the audit report relates.

(3) The auditor may recover those fees by action against that person.

133CZE Offence

A person commits an offence if:

(a) the person is subject to a requirement under subsection 133CZC(1) or (2); and

(b) the person engages in conduct; and

(c) the conduct contravenes the requirement.

Criminal penalty: 100 penalty units.

Division 5 - Assisting ASIC

133CZF Meaning of Part 3-2CA body

A Part 3-2CA body is a person that is or has been:

(a) an eligible licensee; or

(b) an eligible credit reporting body for a licensee.

133CZG Obligation to provide a statement or obtain an audit report if directed by ASIC

Notice to Part 3-2CA body to provide a statement

(1) ASIC may give a Part 3-2CA body a written notice directing the body to lodge with ASIC a written statement containing specified information about whether the body, or another Part 3-2CA body, is complying with this Part (other than Division 4).

(2) Notices under subsection (1):

(a) may be given at any time; and

(b) may be given to one or more particular Part 3-2CA bodies, or to each Part 3-2CA body in one or more classes of Part 3-2CA bodies, or to all Part 3-2CA bodies; and

(c) may require all the same information, or may contain differences as to the information they require; and

(d) may require a statement containing information to be given on a periodic basis, or each time a particular event or circumstance occurs, without ASIC having to give a further written notice.

Notice to Part 3-2CA body to obtain an audit report

(3) ASIC may also give a Part 3-2CA body a written notice directing the body to obtain an audit report prepared:

(a) by a suitably qualified person specified in the notice; and

(b) on a statement, or on each statement in a class of statements, under subsection (1); and

(c) before the statement is given to ASIC.

(4) A notice under subsection (3) is not a legislative instrument.

Notice must specify day by which Part 3-2CA body must comply

(5) A notice given under this section must specify the day by which the Part 3-2CA body must comply with the notice (which must be a reasonable period after the notice is given). ASIC may extend the day by giving a written notice to the Part 3-2CA body.

Requirement to comply with notice

(6) The Part 3-2CA body must comply with a notice given under this section within the time specified in the notice.

Civil penalty: 5,000 penalty units.

Offence

(7) A person commits an offence if:

(a) the person is subject to a requirement under subsection (6); and

(b) the person engages in conduct; and

(c) the conduct contravenes the requirement.

Criminal penalty: 6 months imprisonment.

133CZH Obligation to give ASIC information required by the regulations

Regulations may require Part 3-2CA body to give information

(1) The regulations may require:

(a) a Part 3-2CA body; or

(b) each Part 3-2CA body in a class of Part 3-2CA bodies;

to give ASIC specified information about whether the body, or another Part 3-2CA body, is complying with this Part (other than Division 4).

Requirement to comply with regulations

(2) If regulations under subsection (1) require a Part 3-2CA body to give ASIC information, the body must give ASIC that information.

Civil penalty: 5,000 penalty units.

Offence

(3) A person commits an offence if:

(a) the person is subject to a requirement to give ASIC information under subsection (2); and

(b) the person engages in conduct; and

(c) the conduct contravenes the requirement.

Criminal penalty: 6 months imprisonment.

133CZI Obligation to provide ASIC with assistance if reasonably requested

Requirement to provide assistance

(1) If ASIC, or a person authorised by ASIC, reasonably requests assistance from a Part 3-2CA body (the assisting body ) about whether:

(a) the assisting body; or

(b) another Part 3-2CA body;

is complying with this Part (other than Division 4), the assisting body must give ASIC or the authorised person the requested assistance.

Civil penalty: 5,000 penalty units.

(2) If the request is in writing, it is not a legislative instrument.

Offence

(3) A person commits an offence if:

(a) the person is subject to a requirement to give ASIC or an authorised person assistance under subsection (1); and

(b) the person engages in conduct; and

(c) the conduct contravenes the requirement.

Criminal penalty: 6 months imprisonment.

133CZJ Extended application of Division 4 of Part 2-5

(1) Division 4 of Part 2-5 also applies in relation to an audit report required under subsection 133CZG(3) as if the substitutions in the following table, and the modification in subsection (2) of this section, were made.

Substitutions to be made

Item

For a reference in Division 4 of Part 2-5 to:

substitute a reference to:

1

licensee

Part 3-2CA body

2

subsection 49(3)

subsection 133CZG(3)

3

financial records or other credit books

records

(2) For the purposes of subsection (1), assume that paragraphs 104(2)(a) and (b) were replaced with the following:

"(a) constitutes or may constitute a contravention of Part 3-2CA (other than Division 4); or".

Division 6 - Miscellaneous

133CZK This Part does not limit the Privacy Act 1988

Subject to subsection 133CV(4), this Part does not limit the operation of the Privacy Act 1988.

133CZL Review of the operation of this Part

(1) The Minister must cause an independent review to be conducted of the operation of this Part.

(2) The persons who conduct the review must complete it, and give the Minister a written report of the review, before 1 October 2024.

(3) The Minister must cause copies of the report to be tabled in each House of the Parliament within 15 sitting days of that House after the report is given to the Minister.

133CZM Main constitutional basis

The main constitutional basis for this Part is set out in Part 1-3.

133CZN Other constitutional bases

(1) Independently of section 133CZM, this Part also has effect as provided by subsections (2), (3), (4) and (5).

Other constitutional bases - eligible licensees

(2) This Part also has the effect it would have if a reference in it to an eligible licensee were expressly confined to an eligible licensee that is a corporation to which paragraph 51(xx) of the Constitution applies.

(3) This Part also has the effect it would have if a reference in it to an eligible licensee were expressly confined to an eligible licensee acting:

(a) in the course of; or

(b) in relation to;

the carrying on of the business of banking, other than State banking (within the meaning of paragraph 51(xiii) of the Constitution) not extending beyond the limits of the State concerned.

Other constitutional bases - credit reporting bodies

(4) Division 3, subsection 133CZC(2) and Division 5 also have the effect they would have if a reference in them to a credit reporting body were expressly confined to a credit reporting body that is a corporation to which paragraph 51(xx) of the Constitution applies.

(5) Division 3, subsection 133CZC(2) and Division 5 also have the effect they would have if a reference in them to a credit reporting body were expressly confined to a credit reporting body acting:

(a) in the course of; or

(b) in relation to;

the carrying on of the business of banking, other than State banking (within the meaning of paragraph 51(xiii) of the Constitution) not extending beyond the limits of the State concerned.