House of Representatives

National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Bill 2019

Explanatory Memorandum

(Circulated by authority of the Treasurer, the Hon Josh Frydenberg MP)

Glossary

The following abbreviations and acronyms are used throughout this Explanatory Memorandum.

Abbreviation - Definition
ADI - Authorised Deposit-taking Institution
ASIC - Australian Securities and Investments Commission
Bill - National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Bill 2019
Credit Act - National Consumer Credit Protection Act 2009
OAIC - Office of the Australian Information Commissioner

General outline and financial impact

Mandatory comprehensive credit reporting

Schedule 1 to the Bill amends the Credit Act to mandate a comprehensive credit reporting regime (the mandatory regime). Under the regime eligible licensees, who on 1 April 2020 are large ADIs, must provide credit information on consumer credit accounts to credit reporting bodies.

Schedule 2 to the Bill amends the Privacy Act 1988 to permit reporting of financial hardship information within the credit reporting framework. Schedule 2 to the Bill also makes other minor changes to improve the overall administration of credit reporting.

Date of effect: The day after Royal Assent.

Proposal announced: In the 2017-18 Budget, the Government undertook to mandate a comprehensive credit reporting regime if credit providers did not meet a threshold of 40 per cent data reporting by the end of 2017.

On 2 November 2017 the then Treasurer, the Hon Scott Morrison MP, announced that the Government would mandate comprehensive credit reporting.

On 2 August 2019, following a review into the operation of financial hardship arrangements, the Attorney-General, the Hon Christian Porter MP, announced that the Government would make amendments to the Privacy Act 1988 to introduce a new type of credit information - financial hardship information - to be reported with repayment history information.

Financial impact: Nil

Human rights implications: This Bill does not raise any human rights issues. See Statement of Compatibility with Human Rights - in Chapter 3, at paragraphs 3.1 to 3.67.

Compliance cost impact: The estimated average annual regulatory cost associated with the mandatory credit reporting requirements is $8.2 million.

Summary of regulatory impact statement

Impact: The reforms to mandate the supply of comprehensive credit information will have a regulatory impact on certain credit providers and credit reporting bodies.

Main points:

The Treasury has certified the Productivity Commission's Inquiry into Data Availability and Use as meeting the requirements of a regulation impact statement, as well as through extensive consultation with industry stakeholders.
The Productivity Commission's Inquiry into Data Availability and Use can be found on the Productivity Commission's website:
https://www.pc.gov.au/inquiries/completed/data-access/report
The Productivity Commission's Inquiry into Data Availability and Use noted that the effective and efficient operation of credit markets relies upon credit providers being able to access sufficient and reliable information about borrowers as a basis for making lending decisions, and that comprehensive credit reporting would be a desirable reform in this respect.
The Productivity Commission's Inquiry into Data Availability and Use found that government action may be necessary as a 'circuit breaker' if no progress towards a critical mass of comprehensive credit information was made by mid-2017, due to the existence of a first-mover problem. Credit providers will only invest in the systems and procedures necessary for comprehensive credit reporting if there is a benefit to be gained, which will only be the case if other credit providers are participating in the system.

Chapter 1 Mandatory comprehensive credit reporting

Outline of chapter

1.1 Schedule 1 to this Bill amends the Credit Act to mandate a comprehensive credit reporting regime. Under this mandatory regime, large ADIs must provide comprehensive credit information on consumer credit accounts to certain credit reporting bodies.

1.2 Schedule 1 to this Bill expands ASIC's powers so it can monitor compliance with the mandatory regime. Schedule 1 to the Bill also imposes additional requirements on where data held by a credit reporting body must be stored.

Context of amendments

1.3 Since March 2014, the Privacy Act 1988 has allowed credit providers and credit reporting bodies to use and disclose 'comprehensive credit information' about a consumer. This includes information about the maximum amount of credit available to a person and how well the person is meeting their repayment obligations.

1.4 Prior to March 2014, the information that could be shared was limited to 'negative information'. This includes details of a person's overdue payments, defaults, bankruptcy or court judgments against that person.

1.5 The Privacy Act 1988 does not mandate the disclosure of comprehensive credit information by credit providers to credit reporting bodies.

1.6 The 2014 Financial System Inquiry and the Productivity Commission Inquiry into Data Availability and Use recommended that the Government mandate comprehensive credit reporting in the absence of voluntary participation. Comprehensive credit reporting is expected to let credit providers better establish a consumer's credit worthiness and lead to a more competitive and efficient credit market.

1.7 In the 2017-18 Budget, the Government committed to mandating a comprehensive credit reporting regime if credit providers did not meet a threshold of 40 per cent of data reporting by the end of 2017.

1.8 On 2 November 2017, the then Treasurer, the Hon Scott Morrison MP, announced that the Government would introduce legislation for a mandatory regime as it was clear the 40 per cent target would not be met.

Summary of new law

1.9 Schedule 1 to the Bill amends the Credit Act to establish a mandatory comprehensive credit reporting regime which applies from 1 April 2020. The amendments do not require or allow disclosure, use or collection of credit information beyond what is permitted under the Privacy Act 1988 and the Privacy (Credit Reporting) Code 2014 (Version 2).

1.10 Australia's credit reporting system is characterised by an information asymmetry. A consumer has more information about his or her credit risk than the credit provider. This can result in mis-pricing and mis-allocation of credit.

1.11 Schedule 1 to the Bill seeks to correct this information asymmetry. It lets credit providers obtain a comprehensive view of a consumer's financial situation, enabling a provider to better meet its responsible lending obligations.

1.12 The Government expects that the mandatory regime will also benefit consumers in other ways. Consumers will have better access to consumer credit, with more reliable individuals able to seek more competitive rates when purchasing credit. Consumers that are looking to enter the housing market can better show their credit worthiness.

1.13 Consumers that possess a poor credit rating will also be able to demonstrate their credit worthiness through future consistency and reliability.

1.14 The mandatory regime applies to 'eligible licensees' which initially are large ADIs that hold an Australian Credit Licence. An ADI is considered large when its total resident assets are greater than $100 billion. Other credit providers will be subject to the regime if they are prescribed in regulations.

1.15 In June 2019, large ADIs accounted for more than 80 per cent of household lending. The critical mass of information supplied by these large ADIs and their subsidiaries is expected to encourage other credit providers to also share comprehensive credit information.

1.16 The supply of information under the mandatory regime includes an initial bulk supply of credit information and an ongoing requirement to keep information up-to-date and accurate.

1.17 The initial bulk supply is split across two years:

By 29 June 2020, large ADIs must supply credit information on 50 per cent of the consumer credit accounts within the banking group to all credit reporting bodies the large ADI had a contract with on 2 November 2017.
By 29 June 2021, large ADIs must supply credit information on the remaining accounts, including those that opened after 1 April 2020 and those held by subsidiaries of the large ADI, to the same credit reporting bodies as the first bulk supply.

1.18 Supplying the initial bulk supply to credit reporting bodies the large ADI had a contract with on 2 November 2017 recognises the established relationship the licensee has with that credit reporting body including an agreement on the handling of data to ensure it remains confidential and secure.

1.19 Following the bulk supply of information, large ADIs must keep the information supplied accurate, complete and up-to-date, including by supplying information on subsequently opened accounts. This information must be supplied to credit reporting bodies that received the initial bulk supply and with whom the licensee continues to have a contract under the Privacy Act 1988.

1.20 The security and privacy of a consumer's credit information will be preserved and protected. Schedule 1 to the Bill relies on the existing protections established by the Privacy Act 1988 and Privacy (Credit Reporting) Code 2014 (Version 2) and the oversight of the Australian Information Commissioner.

1.21 ASIC will be responsible for monitoring compliance with the mandatory regime. It has new powers to collect information and require audits to confirm the supply requirements are being met. ASIC can also prescribe the technical standards for the reported credit information.

1.22 The Treasurer will receive statements from large ADIs and credit reporting bodies to show that the initial bulk supply requirements have been met.

1.23 The mandatory comprehensive credit regime recognises that industry stakeholders have already taken steps to support sharing comprehensive credit information. This includes the Principles of Reciprocity and Data Exchange and supporting Australian Credit Data Reporting - Industry Requirements & Technical Standards.

1.24 To the extent possible, the mandatory comprehensive credit reporting regime operates within the established industry framework but also provides scope for future technological developments.

1.25 The Treasurer must cause an independent review of the mandatory regime to be completed and a written report provided to the Treasurer by 1 October 2023. The Treasurer must table the report in each House of Parliament within 15 sitting days of receiving the report.

Comparison of key features of new law and current law

New law: Eligible licensees must supply credit information on:

50 per cent of their eligible credit accounts within 90 days of the first 1 April after becoming an eligible licensee.
All remaining eligible credit accounts, including those held by subsidiaries, within 90 days of the following 1 April.

Current law: No equivalent.

New law: A credit provider that has supplied credit information under the mandatory regime must keep the information up to date, complete and accurate, including by supplying information on eligible accounts that are subsequently opened.
Current law: No equivalent.

New law: Regulations will set out the circumstances when a credit reporting body can share the credit information supplied through the mandatory regime.
Current law: No equivalent.

Detailed explanation of new law

1.26 Before 2014, the credit reporting system, which is regulated by the Privacy Act 1988, limited the information that could be collected, used and disclosed by credit providers and credit reporting bodies to 'negative information' about an individual. Negative information includes identification information such as a person's name and address, default history and bankruptcy information about that person.

1.27 The Privacy Amendment (Enhancing Privacy Protection) Act 2012 amended the Privacy Act 1988 to let credit providers and credit reporting bodies collect, use and disclose comprehensive credit information. Comprehensive credit information includes repayment history information, the type of credit a person has and the maximum amount of credit available to a person.

1.28 The explanatory memorandum to the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 stated:

'Comprehensive credit reporting will give credit providers access to additional personal information to assist them in establishing an individual's credit worthiness. The additional personal information will allow credit providers to make a more robust assessment of credit risk and assist credit providers to meet their responsible lending obligations. It is expected that this will lead to decreased levels of over-indebtedness and lower credit default rates. More comprehensive credit reporting is also expected to improve competition and efficiency in the credit market, which may result in reductions to the cost of credit for individuals.'

1.29 These amendments aligned Australia's credit reporting system with comparable international systems, including in the United States, United Kingdom and New Zealand, which also allow for the disclosure and sharing of more comprehensive credit information.

1.30 Sharing comprehensive credit information under the Privacy Act 1988 is voluntary. A credit provider is not required to share comprehensive credit information with a credit reporting body.

1.31 The mandatory regime does not alter the existing provisions set out in the Privacy Act 1988 and the Privacy (Credit Reporting) Code 2014 (Version 2) governing the use and disclosure of credit information. However, Schedule 1 to the Bill does place a new obligation on credit reporting bodies as to where data is stored.

1.32 The Privacy Act 1988 and Privacy (Credit Reporting) Code 2014 will continue to:

set out the permitted uses and disclosure of an individual's personal and credit information by credit providers and credit reporting bodies;
impose a requirement on credit providers and credit reporting bodies to ensure the accuracy and currency of information in the credit reporting system;
impose a requirement on a credit reporting body to protect the information it collects from misuse and unauthorised access;
impose a requirement on a credit reporting body to have a publicly available policy on how it collects, holds, uses and discloses credit information as well as procedures in place to ensure that the obligations under the Privacy Act 1988 and Privacy (Credit Reporting) Code 2014 are met; and
impose timeframes on both credit providers and credit reporting bodies on how long credit information can be kept before it must be destroyed.

1.33 Within the framework established by the Privacy Act 1988, Schedule 1 to the Bill provides that eligible licensees must supply certain credit information to eligible credit reporting bodies on consumer credit accounts the eligible licensee holds. The eligible licensee must supply updated information to these bodies on an ongoing basis.

1.34 Schedule 1 to the Bill requires the Treasurer to cause an independent review of the mandatory regime which must be completed and a report given to the Treasurer before 1 October 2023. The Treasurer must table the report in Parliament within 15 sitting days of receiving the report. [Schedule 1, item 4, section 133CZL]

1.35 The report will not be a legislative instrument because of the exemption in table item 12 in subregulation 6(1) of the Legislation (Exemptions and Other Matters) Regulation 2015.

1.36 Schedule 1 to the Bill is not specific on the scope of the review so as not to limit the review when it is established. However, the Government expects that the review could consider:

how the specific objectives of the mandatory regime have been met, including whether sufficient participation by credit providers in the voluntary regime has been achieved;
the benefits for consumers and small businesses from the mandatory regime;
options for broadening the scope of the mandatory regime (including access by non-Australian credit licence holders to information supplied under the regime); and
whether further measures are required to maintain the security of comprehensive credit information (including to facilitate new technological solutions for data exchange).

Mandating the supply of credit information

Which credit providers must supply credit information?

1.37 The mandatory regime applies to eligible licensees. An eligible licensee is a credit provider who holds an Australian Credit Licence, and who, on 1 April 2020 or a later date, is:

A large ADI; or
A body corporate of a kind prescribed in the regulations.
[Schedule 1, item 4, subsection 133CN(1) of the Credit Act]

1.38 Identifying which credit providers are subject to the mandatory regime relies on a number of existing definitions in the Credit Act and Privacy Act 1988 and some new definitions.

Existing subsection 35(1) of the Credit Act defines Australian Credit Licence as a licence that allows the holder to engage in particular credit activities.
The concept of a 'large' ADI relies on the legislative instrument made under the Banking Act 1959 as amended by the Treasury Laws Amendment (Banking Executive Accountability Regime) Act 2018. Broadly, an ADI meets the definition of large where its total resident assets exceed $100 billion. [Schedule 1, item 3, subsection 5(1) of the Credit Act]
The Part of the Credit Act inserted by this Bill relies on the definition of credit provider in sections 6G to 6K of the Privacy Act 1988. This definition includes a bank or an organisation for which a substantial part of the organisation's business is the provision of credit. [Schedule 1, item 2, subsection 5(1) of the Credit Act]

1.39 The Government expects that regulations would be made if the mandatory regime had been in operation for a period of time and other credit providers were not voluntarily supplying data.

1.40 Where a credit provider is a large ADI on 1 April 2020, it will have 90 days from that date to supply the required information for 50 per cent of its eligible credit accounts. In certain circumstances the large ADI may have longer than 90 days to supply the credit information. This is explained at paragraph 1.76. [Schedule 1, item 4, subparagraph 133CR(1)(a)(i) and subsection 133CR(2) of the Credit Act]

1.41 A large ADI can meet the requirement to supply credit information for 50 per cent of its eligible accounts from eligible accounts across the banking group for which it is the head company. [Schedule 1, item 4, subsection 133CR(2) of the Credit Act]

1.42 For example, if the large ADI is the head company across a banking group that has multiple subsidiaries each of which individually or collectively hold an Australian credit licence, the large ADI can supply information for 50 per cent of accounts across the banking group in order to meet its obligations on 1 April 2020.

1.43 How the ADI chooses to make up 50 per cent of accounts is a decision for the ADI. The information may be sourced from the head company or from within the group (its subsidiaries) or both. The information may relate to a particular type of credit while systems are put in place to supply information for more complex accounts in the second tranche. [Schedule 1, item 4, subsection 133CR(2) of the Credit Act]

1.44 On 1 April 2021, a large ADI has 90 days to supply the required information for all of the remaining eligible credit accounts that have either opened after 1 April 2020 or were not reported in the first tranche. This includes those eligible credit accounts held by other members of the banking group for which the ADI is the head company. [Schedule 1, item 4, subsections 133CR(3) and 133CR(4) of the Credit Act]

1.45 Generally, the large ADI has 90 days to supply the remaining information. There are circumstances when a longer period may apply which is explained at paragraphs 1.83 to 1.85. [Schedule 1, item 4, paragraph 133CR(3)(a) of the Credit Act]

1.46 Where a licensee becomes an eligible licensee after 1 April 2020 and is subject to the mandatory regime, the credit provider must supply information about 50 per cent of its eligible credit accounts within 90 days of the first 1 April it became an eligible licensee.

1.47 As explained at paragraph 1.41, if an eligible licensee is part of a banking group, it can meet the requirement to supply credit information for 50 per cent of its eligible accounts from across the banking group for which it is the head company. [Schedule 1, item 4, subsection 133CR(2) of the Credit Act]

1.48 In respect of its remaining eligible credit accounts, the credit provider must supply the information about those eligible credit accounts within 90 days of the 1 April that falls 12 months later.

1.49 There are circumstances when a longer period to supply the information may apply. This is explained at paragraphs 1.83 to 1.85.

Example 1.1

On 1 April 2020, an ADI has total resident assets less than $100 billion and as a result is a medium ADI and not subject to the mandatory comprehensive credit reporting regime.
However, on 25 June 2020 the ADI becomes a large ADI.
The ADI must supply mandatory credit information for 50 per cent of its eligible credit accounts within 90 days of 1 April 2021.
Information about the remaining accounts and accounts opened after 1 April 2021 must be supplied within 90 days of 1 April 2022.

How does the mandatory regime operate when a credit reporting body is not complying with the security requirements in the Privacy Act 1988?

1.50 The Australian Information Commissioner administers the Privacy Act 1988 and has oversight of the handling of information, including information disclosed as part of Australia's credit reporting regime. This does not change under Schedule 1 to the Bill.

1.51 The existing protections in the Privacy Act 1988 reflect that the community expects that the information shared in the credit reporting regime is given a high level of protection.

1.52 These protections include requiring credit reporting bodies to take reasonable steps to protect the information received, including from misuse, interference and unauthorised access (section 20Q of the Privacy Act 1988) and having contracts which place similar obligations on a licensee.

1.53 Publications produced by the OAIC such as the Guide to securing personal information - 'Reasonable steps' to protect personal information set out the steps that could be taken and how the reasonableness test adjusts based on the amount of information held.

1.54 While the Privacy Act 1988 places obligations on a credit reporting body, a licensee also typically places its own obligations on a credit reporting body to ensure the security of its customers' information.

1.55 These obligations are set out in the contract between the licensee and credit reporting body and could include requiring audits, reviewing the results of stress tests or requiring that certain procedures are put in place to train staff.

1.56 It is important, in the context of the mandatory regime, that a licensee's ability to have its own security requirements for the information it discloses is not weakened. A licensee is well placed to consider emerging risks and adjust requirements as the threat environment changes.

1.57 Schedule 1 to the Bill recognises this existing relationship between a licensee and credit reporting body by enabling a licensee to withhold the supply of mandatory credit information where a licensee does not reasonably believe that the credit reporting body is meeting its information security obligations under the Privacy Act 1988.

1.58 Paragraphs 1.70 to 1.74 explain what an eligible licensee needs to do if, when making the initial bulk supplies, the eligible licensee does not believe the credit reporting body is meeting its information security obligations. This includes notifying the credit reporting body, ASIC and the Australian Information Commissioner.

1.59 The notification obligations give the credit reporting body an opportunity to engage with the eligible licensee and take steps to meet its obligations in section 20Q of the Privacy Act 1988. Giving the notices to ASIC and the Australian Information Commissioner gives the regulators of the mandatory regime and the Privacy Act 1988 visibility about broader compliance with those two frameworks.

1.60 If an eligible licensee has an ongoing concern with a credit reporting body's approach to information security, there may be a role for the Australian Information Commissioner to intervene including by providing additional guidance.

1.61 The eligible licensee should have sound justification when it does not supply the mandatory information on the basis that the credit reporting body is not meeting its obligations in section 20Q of the Privacy Act 1988.

1.62 The eligible licensee bears an evidential burden where ASIC applies to a court to declare that the supply obligations have not been met (existing section 166) and order a pecuniary penalty to be paid (existing section 167).

1.63 The evidential burden is placed on the eligible licensee because the information that the eligible licensee would use to form its reasonable belief would be peculiarly within the knowledge of the licensee.

1.64 For example, an eligible licensee may hold this belief on the basis of a stress test carried out under the terms of a contract between the eligible licensee and credit reporting body. The results of such a test would only be shared with the eligible licensee.

1.65 It would be significantly more costly and difficult for the prosecution to disprove the reason for the licensee believing the credit reporting body is not meeting its information security obligations under section 20Q of the Privacy Act 1988 than for the licensee to prove.

1.66 Placing an evidential burden on the licensee also highlights the significance of the exception and the need for the licensee to have sound justification when not supplying the mandatory credit information.

1.67 A definition of 'declaration of contravention' is inserted into the Credit Act. [Schedule 1, item 3, subsection 5(1) of the Credit Act]

Timeframe to supply data - the first bulk supply

1.68 The requirement to supply information within 90 days of the first 1 April when the obligation applies only operates when the eligible licensee reasonably believes that the eligible credit reporting body meets its obligations under section 20Q of the Privacy Act 1988. [Schedule 1, item 4, subparagraph 133CR(1)(a)(ii) and subsection 133CR(5) of the Credit Act]

1.69 As explained above, section 20Q of the Privacy Act 1988 requires a credit reporting body to take reasonable steps to protect the information it receives, including from misuse, interference and unauthorised access.

1.70 If, on the first 1 April that the eligible licensee must supply data, the eligible licensee does not reasonably believe that the credit reporting body is meeting its obligations in section 20Q of the Privacy Act 1988, and the eligible licensee continues to hold that belief at the end of the 90 day period, the eligible licensee does not need to make the first bulk supply. [Schedule 1, item 4, subsection 133CS(1) of the Credit Act]

1.71 If the eligible licensee believes the credit reporting body is not meeting its obligations in section 20Q of the Privacy Act 1988 on the first 1 April, the eligible licensee must notify the credit reporting body, the Australian Information Commissioner and ASIC within 7 days. [Schedule 1, item 4, paragraphs 133CS(2)(a) and 133CS(2)(b) of the Credit Act]

1.72 If the eligible licensee still believes at the end of the 90 day period when the information should have been supplied that the credit reporting body is not meeting its obligations in section 20Q of the Privacy Act 1988, the eligible licensee must give the credit reporting body, the Australian Information Commissioner and ASIC a notice within 7 days of the end of the 90 day period. [Schedule 1, item 4, paragraphs 133CS(2)(c) and 133CS(2)(d) of the Credit Act]

1.73 Both of these notices must explain why the eligible licensee believes that the credit reporting body is not meeting its obligations in section 20Q of the Privacy Act 1988. [Schedule 1, item 4, subparagraphs 133CS(2)(a)(ii) and 133CS(2)(c)(ii) of the Credit Act]

1.74 The first notice must also explain that the credit reporting body may convince the eligible licensee of how it is meeting its obligation in section 20Q of the Privacy Act 1988. [Schedule 1, item 4, subparagraph 133CS(2)(a)(iii) of the Credit Act]

Example 1.2

On 1 April 2020 (the first 1 April), a large ADI does not reasonably believe a credit reporting body is meeting its section 20Q obligations. It still holds this belief at the end of the 90-day period.

Key: EL - eligible licensee
     CRB - eligible credit reporting body
     OAIC - Information Commissioner

1.75 The notification obligations give the credit reporting body an opportunity to engage with the credit provider and take steps to meet the obligations in section 20Q of the Privacy Act 1988. Giving the notices to ASIC and the Australian Information Commissioner also gives the regulators of the mandatory regime and the Privacy Act 1988 visibility about broader compliance with those two frameworks.

1.76 If, during the 90 day period after the first 1 April, the eligible licensee believes that the credit reporting body has begun to meet its section 20Q obligations, the eligible licensee must supply the mandatory credit information within 14 days of holding this belief, or by the end of the original 90 day period, if this is longer. [Schedule 1, item 4, paragraph 133CR(1)(a) and subsection 133CR(5) of the Credit Act]

1.77 The eligible licensee must also notify the credit reporting body, the Australian Information Commissioner and ASIC within 7 days of the eligible licensee believing that the credit reporting body is meeting its obligations in section 20Q of the Privacy Act 1988. [Schedule 1, item 4, section 133CT of the Credit Act]

Example 1.3

On 1 April 2020 (the first 1 April), a large ADI does not reasonably believe that a credit reporting body is meeting its section 20Q obligations in the Privacy Act 1988. The large ADI stops holding this belief during the 90-day period. The original 90-day period is the longer time to supply the information.

Key: EL - eligible licensee
     CRB - eligible credit reporting body
     OAIC - Information Commissioner

Example 1.4

The longer period to supply the information is 14 days from the day the large ADI believed the credit reporting body was meeting its section 20Q obligations.

Key: EL - eligible licensee
     CRB - eligible credit reporting body
     OAIC - Information Commissioner

Timeframe to supply data - the second bulk supply

1.78 The obligation to supply information within 90 days of the second 1 April does not apply while the eligible licensee believes that the eligible credit reporting body does not meet its obligations under section 20Q of the Privacy Act 1988. [Schedule 1, item 4, subparagraphs 133CR(3)(a)(ii) and 133CR(3)(a)(iii) of the Credit Act]

1.79 Paragraphs 1.54 and 1.56 summarised the requirements in section 20Q of the Privacy Act 1988 and the steps that an eligible licensee may already be taking in order to be satisfied that the credit reporting body is meeting its obligations regarding the security of information as set out in the Privacy Act 1988.

1.80 Similar to the first 1 April bulk supply obligations, if an eligible licensee wants to rely on the exception to not supply on the basis of a credit reporting body not complying with its information security requirements, the eligible licensee must meet certain notification obligations. [Schedule 1, item 4, paragraph 133CS(1)(c) of the Credit Act]

1.81 If the eligible licensee believes the credit reporting body is not meeting its obligations under section 20Q of the Privacy Act 1988 on the second 1 April, the eligible licensee must notify the credit reporting body, the Australian Information Commissioner and ASIC within 7 days. [Schedule 1, item 4, paragraphs 133CS(2)(a) and 133CS(2)(b) of the Credit Act]

1.82 Once the eligible licensee believes the credit reporting body is meeting its obligations under section 20Q of the Privacy Act 1988 the eligible licensee must notify the credit reporting body, ASIC and the Australian Information Commissioner within 7 days of holding that belief. [Schedule 1, item 4, section 133CT of the Credit Act]

1.83 If the eligible licensee begins to hold this belief during the 90 day period, the eligible licensee must supply the mandatory credit information within 14 days of holding this belief, or by the end of the original 90 day period, if this is longer. [Schedule 1, item 4, paragraph 133CR(3)(a) and subsection 133CR(5) of the Credit Act]

1.84 If the eligible licensee does not believe the credit reporting body meets its obligations under section 20Q of the Privacy Act 1988 during the 90 day period the eligible licensee will need to notify the credit reporting body, ASIC and the Australian Information Commissioner. The eligible licensee must issue the notice within 7 days. [Schedule 1, item 4, paragraphs 133CS(2)(c) and 133CS(2)(d) of the Credit Act]

1.85 However, unlike the initial bulk supply, the eligible licensee will need to supply the mandatory credit information after the 90 day period once it believes the credit reporting body is meeting its obligations under section 20Q of the Privacy Act 1988. The eligible licensee will have 7 days to notify the credit reporting body, ASIC and the Australian Information Commissioner and 14 days to supply the mandatory credit information. [Schedule 1, item 4, subparagraph 133CR(3)(a)(ii) and section 133CT of the Credit Act]

Example 1.5

The eligible licensee does not reasonably believe the credit reporting body is meeting its section 20Q obligations on 1 April 2021 but begins to hold this belief after the 90-day period.


1.86 All the mandated credit information may be supplied when the second bulk supply is required if the eligible licensee was not satisfied the credit reporting body was meeting its obligations under section 20Q of the Privacy Act 1988 before the end of the 90 day period for the first 1 April.

Ongoing supply obligations

1.87 The usefulness and efficiency of Australia's credit reporting system relies on credit information disclosed to a credit reporting body being complete, accurate, up-to-date, relevant and not misleading.

Section 20N of the Privacy Act 1988 requires credit reporting bodies to enter into agreements with credit providers to ensure that information provided is accurate, up-to-date and complete.
Section 21U of the Privacy Act 1988 requires a credit provider who holds credit information which has previously been disclosed to a credit reporting body, to notify the credit reporting body of a correction when the credit provider has taken steps to make the information it holds, accurate, up-to-date, complete, relevant and not misleading.

1.88 No amendments to the Privacy Act 1988 or Privacy (Credit Reporting) Code 2014 (Version 2) are required for these obligations (to keep credit information complete, up-to-date and accurate) to apply to the credit information supplied under the mandatory regime.

1.89 However, where an obligation under the Privacy Act 1988 and the Privacy (Credit Reporting) Code 2014 (Version 2) requires a credit provider who has supplied information to a credit reporting body to update that information and no timeframe is specified in the Privacy Act 1988 or Privacy (Credit Reporting) Code 2014, the amendments in Schedule 1 to this Bill provide that the information must generally be supplied within 45 days of the change or update. [Schedule 1, item 4, subsection 133CU(1) of the Credit Act]

1.90 The table inserted by Schedule 1 to the Bill includes a number of 'events', already captured by the broad obligations in the Privacy Act 1988 and Privacy (Credit Reporting) Code 2014, as well as requiring mandatory credit information for new accounts that open.

1.91 The following table lists when a licensee must supply information to a credit reporting body, including where the change occurred to an account held by a subsidiary of the licensee.

Table 1.1

Event: Corrections required to the information supplied to a credit reporting body necessary to keep the information accurate, up-to-date, complete, relevant and not misleading. [Schedule 1, item 4, item 1 in the table in subsection 133CU(1) of the Credit Act]
Description: This includes where named account holders change, for example a person ceases to be an account holder, there are corrections or changes in consumer credit liability information or where an account goes into default.

Event: A payment has been made where default information has previously been supplied to a credit reporting body. [Schedule 1, item 4, item 2 in the table in subsection 133CU(1) of the Credit Act]
Description: Section 21E of the Privacy Act 1988 requires a credit provider that has provided default information to a credit reporting body to update that information once payment has been made. The Privacy Act 1988 and Privacy (Credit Reporting) Code 2014 (Version 2) set out how to establish when an overdue payment has been made and the day when it has been taken to have been made.

Event: New accounts opened with either the licensee or a member of the banking group after the second 1 April on which the licensee is an eligible licensee. If the account is opened before the licensee has made the second bulk supply, the licensee has 90 days to supply the mandatory credit information. [Schedule 1, item 4, subparagraph 133CU(1)(c)(iv) and item 3 in the table in subsection 133CU(1) of the Credit Act]
Description: Mandatory credit information is required for an account opened with the licensee that has not previously been submitted to the credit reporting body. There is no requirement in the Privacy Act 1988 or Privacy (Credit Reporting) Code 2014 to supply information in this circumstance.

Event: Default information exists for an account where mandatory credit information has already been supplied to a credit reporting body. [Schedule 1, item 4, item 5 in the table in subsection 133CU(1) of the Credit Act]
Description: Default information is defined in section 6Q of the Privacy Act 1988 and section 9 of the Privacy (Credit Reporting) Code 2014. A credit provider remains subject to the restrictions on disclosing this information under the Privacy Act 1988, including the requirement to give a notice under paragraph 21D(3)(d) of the Privacy Act 1988.

Event: Financial hardship information that comes into existence on or after 1 April 2021 or the first day after mandatory credit information is supplied, if that is a later date. [Schedule 2, item 18, item 4 in the table in subsection 133CU(1) of the Credit Act]
Description: Financial hardship information is a new term which will be inserted in the Privacy Act 1988 by Schedule 2 to this Bill.

1.92 A regulation making power also allows regulations to prescribe other circumstances for an eligible credit account or the consumer which would require the supply of mandatory credit information, or related information. [Schedule 1, item 4, item 6 in the table in subsection 133CU(1) of the Credit Act]

1.93 A licensee may supply information in bulk and is not required to separately supply credit information for each event. [Schedule 1, item 4, subsection 133CU(3) of the Credit Act]

1.94 Where a licensee and credit reporting body do not meet conditions prescribed in regulations (if any), the licensee must supply information for the events listed in the table. [Schedule 1, item 4, paragraph 133CU(1)(b) of the Credit Act]

1.95 The Government expects that the conditions prescribed in the regulations would recognise alternative IT solutions. For example, an approach under which a credit reporting body could request information from a licensee and receive that information in real-time.

1.96 However, before prescribing an alternative arrangement in the regulations the Government would consider the operability of such an approach and whether it could be reasonably supported by both credit reporting bodies and licensees.

1.97 The Government would also consider the implications of an alternative approach and its impact on the competitiveness and efficiency of the credit market.

1.98 The regulations made under this provision may refer to a published document such as an industry developed standard. Where this is the case, the document would be referred to as in force from time to time. It is important the regulations are dynamic and can automatically capture the changes in a document. This would allow industry to readily respond to changes, such as technological developments, without the need for the Government to remake the regulations. [Schedule 1, item 4, subsections 133CU(5) and 133CU(6) of the Credit Act]

1.99 In deciding whether to refer to a document, the Government would consider whether the document is publicly available and easily accessible for licensees and those that need to use the documents.

1.100 The table does not narrow the range of events that require updates under the Privacy Act 1988.

1.101 The Privacy Act 1988 and Privacy (Credit Reporting) Code 2014 include some specific timeframes in which a credit provider or credit reporting body must update or correct information. These are generally not disrupted by the amendments in this Bill. [Schedule 1, item 4, section 133CZK of the Credit Act]

1.102 For example, sections 20T and 21V of the Privacy Act 1988 provide an individual with the right to have certain information corrected. The Privacy (Credit Reporting) Code 2014 sets out how a credit reporting body or credit provider must respond to such a request. Once a request has been made, and the credit reporting body or a credit provider is satisfied that credit-related personal information is inaccurate, out-of-date, incomplete, irrelevant or misleading, the credit reporting body or credit provider must take reasonable steps to correct the information within 30 days of the request.

1.103 Similarly, where a credit reporting body has received information on a credit account that is subsequently transferred between credit providers, subsection 13.1 of the Privacy (Credit Reporting) Code 2014 requires the credit provider (and the receiving credit provider) to notify the credit reporting body of the transfer within 45 days of it occurring.

1.104 Subsection 6.4 of the Privacy (Credit Reporting) Code 2014 requires a credit provider to notify a credit reporting body within 45 days where credit is terminated or ceases to be in force and the credit provider has previously disclosed consumer credit liability information.

Exception to the obligation to supply information

1.105 The obligation to supply information and keep it up-to-date, accurate and complete does not apply while the eligible licensee believes that the eligible credit reporting body does not meet its obligations under section 20Q of the Privacy Act 1988. This does not apply where the correction is to an error in information previously supplied and the information was incorrect at the time it was supplied. [Schedule 1, item 4, subsections 133CV(1) and 133CV(4) of the Credit Act]

1.106 To rely on this exception the credit provider must meet a number of notification obligations. [Schedule 1, item 4, paragraph 133CV(1)(c) and subsection 133CV(2) of the Credit Act]

1.107 If the eligible licensee believes the credit reporting body is not meeting its obligations under section 20Q of the Privacy Act 1988 on the day the event occurs, the eligible licensee must notify the credit reporting body, the Australian Information Commissioner and ASIC within 7 days of that day. [Schedule 1, item 4, paragraphs 133CV(2)(a) and 133CV(2)(b) of the Credit Act]

1.108 If the eligible licensee continues to hold this belief at the end of the 45 day period in which the information should have been supplied, the eligible licensee must give the credit reporting body, the Australian Information Commissioner and ASIC a notice within 7 days of that day. [Schedule 1, item 4, paragraphs 133CV(2)(c) and 133CV(2)(d) of the Credit Act]

1.109 Both of these notices must explain why the eligible licensee believes that the credit reporting body is not meeting its obligations under section 20Q of the Privacy Act 1988. [Schedule 1, item 4, subparagraphs 133CV(2)(a)(ii) and 133CV(2)(c)(ii) of the Credit Act]

1.110 The first notice must also tell the credit reporting body that it may convince the eligible licensee as to how it is meeting its obligations under section 20Q of the Privacy Act 1988. [Schedule 1, item 4, subparagraph 133CV(2)(a)(iii) of the Credit Act]

1.111 Once the eligible licensee believes the credit reporting body is meeting its obligations in section 20Q of the Privacy Act 1988, the eligible licensee has 7 days to notify the credit reporting body, ASIC and the Australian Information Commissioner. [Schedule 1, item 4, section 133CW of the Credit Act]

1.112 The eligible licensee has the longer of the remaining 45 days since the 'trigger event' or 14 days since the eligible licensee believed the credit provider was meeting its obligations under the Privacy Act 1988 to supply the required information. [Schedule 1, item 4, paragraph 133CU(1)(c) and subsection 133CU(2) of the Credit Act]

1.113 An eligible licensee has an evidential burden where the licensee withholds credit information on the basis of the credit reporting body not meeting its section 20Q obligations in the Privacy Act 1988. Paragraphs 1.62 to 1.66 explain why the evidential burden is being placed on the licensee. [Schedule 1, item 3, subsection 5(1) and item 4, subsection 133CV(3) of the Credit Act]

Which information must be supplied?

1.114 To meet its obligation under the mandatory regime, a credit provider must supply 'mandatory credit information' on its 'eligible credit accounts' to all 'eligible credit reporting bodies'. [Schedule 1, item 4, section 133CR and section 133CU of the Credit Act]

1.115 The definition of 'eligible credit account' is included in paragraphs 1.132 to 1.139. The definition of 'eligible credit reporting body' is included in paragraphs 1.142 and 1.149.

1.116 'Mandatory credit information' is 'credit information' as defined in section 6N of the Privacy Act 1988 and for a natural person is personal information (other than sensitive information), that includes:

identification information;
consumer credit liability information;
repayment history information;
default information;
payment information; and
new arrangement information
[Schedule 1, item 1, subsection 5(1) and item 4, subsection 133CP(1) of the Credit Act]

1.117 From 1 April 2021, mandatory credit information will also include financial hardship information. [Schedule 2, item 15, subsection 5(1) and item 16, paragraph 133CP(1)(c) of the Credit Act]

1.118 This term is defined in the Privacy Act 1988.

1.119 The Privacy (Credit Reporting) Code 2014 supplements and provides further guidance on terms used in the definition of 'credit information'. For example, the Privacy (Credit Reporting) Code 2014 requires credit reporting bodies to develop and maintain in conjunction with credit providers, common descriptors for 'types of consumer credit'.

1.120 The Privacy (Credit Reporting) Code 2014 also explains how to establish the date when credit was entered into or was terminated. This guidance also applies under the mandatory regime implemented by Schedule 1 to this Bill.

1.121 There may be restrictions on the use and disclosure of credit information under the Privacy Act 1988 and Privacy (Credit Reporting) Code 2014.

1.122 For example, default information can only be disclosed to a credit reporting body where the credit provider has notified the consumer that the information will be shared with a credit reporting body (see section 21D of the Privacy Act 1988).

1.123 These restrictions remain under the mandatory comprehensive credit reporting regime. That is, a licensee is only mandated to share information to the extent that it is allowed under the Privacy Act 1988 and Privacy (Credit Reporting) Code 2014. [Schedule 1, item 4, paragraphs 133CR(1)(c), 133CR(3)(c) and 133CU(1)(e) of the Credit Act]

1.124 Where these obligations have been met, and the default information can be shared, a credit provider is only required to supply default information that relates to the period from when the eligible licensee is subject to the mandatory regime. For a subsidiary within a banking group, it is the point in time from when the head company became an eligible licensee. [Schedule 1, item 4, subsection 133CP(4) of the Credit Act]

1.125 Schedule 1 to this Bill also sets out how many months of repayment history must be provided. A person may have many years of repayment history information depending on when a credit account was first opened. A credit provider is able to store repayment history information for up to two years.

1.126 However, under the mandatory credit reporting regime, a licensee will meet its obligation to supply repayment history information where it supplies repayment history information for an account for the three months preceding the 1 April from when the obligation to supply data was first triggered. [Schedule 1, item 4, subsection 133CP(2) of the Credit Act]

1.127 For example, if a licensee makes its initial bulk supply of data on 2 April 2020, the licensee would include repayment history information for 50 per cent of its eligible credit accounts for the months of January 2020, February 2020 and March 2020.

1.128 Similarly, if the provider did not make its initial bulk supply until May 2020, the first bulk supply would include repayment history information for 50 per cent of its eligible credit accounts for the months of January 2020, February 2020, March 2020 and April 2020.

1.129 For accounts included in the second bulk supply, the licensee would meet its obligations under the mandatory regime by supplying repayment history information:

For accounts open on 1 April 2020 not included in the initial supply: January 2020, February 2020, March 2020 and the period between 1 April 2020 and when the bulk supply is made; and
For accounts opened after 1 April 2020: all repayment history available at the date of the supply.

1.130 In this way, all accounts that are part of the bulk supply of data will include up to 15 months of repayment history information once both bulk supplies have been made.

1.131 A licensee will meet its obligation to supply financial hardship information where it supplies financial hardship information for an account for the three months preceding the 1 April from when the obligation to supply data is first triggered. However, if the first 1 April is 1 April 2021, financial hardship information will only be supplied from that date onwards. [Schedule 2, item 17, subsection 133CP(3) of the Credit Act]

What is an 'eligible credit account'?

1.132 An 'eligible credit account' is defined as an account on which consumer credit is or can be taken that is held by a natural person. [Schedule 1, item 4, section 133CO]

1.133 Consumer credit is defined in section 6 of the Privacy Act 1988. It includes credit for personal, family or household purposes or to purchase or renovate a house including an investment property. It includes mortgage accounts, credit cards, overdraft facilities and personal loans.

1.134 ASIC also has the power to determine by legislative instrument one or more types of account which is not an eligible credit account. [Schedule 1, item 4, paragraph 133CO(c) and subsection 133CO(2)]

1.135 Giving ASIC the power to determine a type of account which is not an eligible credit account is appropriate as it gives ASIC flexibility to respond to new and emerging products and offerings. As a determination by ASIC must be made by legislative instrument it will be scrutinised by Parliament. This includes being subject to potential disallowance under section 42 of the Legislation Act 2003. ASIC's decision will not be of an administrative nature.

1.136 The Government expects that ASIC would use this power where the supply of information of some accounts is not necessary to ensure transparency within the mandatory regime and may impose a disproportionate regulatory burden on a credit provider.

1.137 For example, the Principles of Reciprocity and Data Exchange do not require the supply of information for accounts where that type of credit can no longer be issued, the number of accounts is less than 10,000 and the total number of accounts is less than 3 per cent of the total consumer credit accounts held by that credit provider.

1.138 The Principles of Reciprocity and Data Exchange also lists margin loans, novated leases, flexible payment option accounts and overdrawn accounts that are not formal overdrafts as accounts for which credit information does not need to be supplied.

1.139 As part of its business model a credit provider may store data outside of Australia. However, irrespective of where the data is stored, a credit provider subject to the mandatory regime must supply credit information to an eligible credit reporting body. [Schedule 1, item 4, subsections 133CR(6) and 133CU(4) of the Credit Act]

Who must the information be supplied to?

1.140 An eligible licensee will meet its obligations under the initial bulk supply requirements if it supplies 'mandatory credit information' for all its 'eligible credit accounts' to all 'eligible credit reporting bodies'. [Schedule 1, item 4, subsections 133CR(1) and 133CR(3) of the Credit Act]

1.141 Paragraphs 1.116 to 1.131 explain 'mandatory credit information' and paragraphs 1.132 to 1.139 explain 'eligible credit account'.

1.142 An eligible credit reporting body for an eligible licensee that must meet the bulk supply requirements on 1 April 2020 is a body that had a contract with the licensee under paragraph 20Q(2)(a) of the Privacy Act 1988 on 2 November 2017. [Schedule 1, item 3, subsection 5(1) and item 4, paragraph 133CN(2)(a) of the Credit Act]

1.143 This means that the credit provider will have an established relationship with the credit reporting body and will have an agreement in place on the handling of data to ensure it remains confidential and secure.

1.144 The requirement that the credit information must be supplied to all credit reporting bodies the licensee had a contract with is intended to reflect the 'consistency principle' in the Principles of Reciprocity and Data Exchange.

1.145 The 'consistency principle' is important. It ensures that all credit reporting bodies have the same information and no credit reporting body has a competitive advantage on the basis of the information it holds. It provides an environment which encourages product innovation and supports competitive pricing of credit reporting information.

1.146 The mandatory regime gives effect to the 'consistency principle' by requiring mandatory credit information be supplied to those credit reporting bodies an eligible licensee had a contract with on 2 November 2017. [Schedule 1, item 4, subsections 133CR(1) and 133CR(3) of the Credit Act]

1.147 Referring to contracts in place on 2 November 2017 does not prevent new entrants to the credit reporting sector. A new credit reporting body can still receive comprehensive credit reporting information from a credit provider subject to the mandatory regime. However, the body will negotiate the receipt of this data outside the mandatory comprehensive credit reporting regime.

1.148 Once the bulk supply of data has been made, a licensee is only required to provide ongoing updates, corrections and information on new accounts to those credit reporting bodies it had a contract with on 2 November 2017 and with whom the licensee continues to have a contract. [Schedule 1, item 4, paragraph 133CU(1)(a) and subparagraph 133CU(1)(b)(iv) of the Credit Act]

Example 1.6

On 1 April 2020, an eligible licensee must make its initial bulk supply to three eligible credit reporting bodies: CRB-Ich Pty Ltd; CRB-Ni Pty Ltd; and CRB-San Pty Ltd.
A period of time passes and the eligible licensee does not renew its contract with CRB-Ich Pty Ltd but it keeps its contracts with CRB-Ni Pty Ltd and CRB-San Pty Ltd.
Separately a new credit reporting body enters the market (CRB-Shi Pty Ltd) and the eligible licensee enters into a contract with it to supply data.
Under the mandatory regime, the eligible licensee would be required to supply data on new accounts and provide updates on information supplied under the initial bulk supply within 45 days of the event, to CRB-Ni Pty Ltd and CRB-San Pty Ltd.
There may be other obligations in the Privacy Act 1988 which would require certain updates to CRB-Ich Pty Ltd.
All data supplied to CRB-Shi Pty Ltd would be subject to the contract it has with the eligible licensee.

1.149 A licensee that becomes an eligible licensee after 1 April 2020 must make its initial bulk supply of data to a credit reporting body that meets conditions prescribed in regulations and on an ongoing basis, to a credit reporting body that it has a current contract with under section 20Q of the Privacy Act 1988. [Schedule 1, item 4, paragraph 133CN(2)(b), paragraph 133CU(1)(a) and subparagraph 133CU(1)(b)(iv) of the Credit Act]

How must the data be supplied?

1.150 To meet its obligations under the mandatory comprehensive credit reporting regime a licensee must supply data in accordance with the 'credit information supply requirements'. [Schedule 1, item 4, section 133CQ of the Credit Act]

1.151 These requirements include supplying data in accordance with the Privacy (Credit Reporting) Code 2014. Paragraphs 1.119 and 1.120 provide examples of when the Privacy (Credit Reporting) Code 2014 clarified the definitions and terms used in the Privacy Act 1988. [Schedule 1, item 4, subsection 133CQ(1) of the Credit Act]

1.152 The requirements also include supplying content or particulars of information in accordance with a determination made by ASIC. [Schedule 1, item 4, subsection 133CQ(2) of the Credit Act]

1.153 A determination made by ASIC for this purpose is not subject to subsection 14(2) of the Legislation Act 2003. [Schedule 1, item 4, subsection 133CQ(3) of the Credit Act]

1.154 In its determination ASIC may incorporate another administrative document. The Government expects that a determination made by ASIC will refer to the industry developed Principles of Reciprocity and Data Exchange which is publicly available on the Australian Retail Credit Association website.

1.155 It is necessary to apply the document as in force from time to time as the Principles of Reciprocity and Data Exchange may change and take into account new developments. The approach taken in the Bill will reduce compliance costs and ensure it is not necessary to amend the instrument each time a change is made to the Principles of Reciprocity and Data Exchange.

1.156 Finally, under the supply requirements a licensee must supply the data under a technical standard approved by ASIC. [Schedule 1, item 4, subsection 133CQ(4) of the Credit Act]

1.157 Technical standards ensure simple implementation of the mandatory regime and interoperability between credit providers and credit reporting bodies. Technical standards specify how data is to be described and recorded and enable uniform transfer methods.

1.158 While ASIC has the power to approve technical standards, the Government notes that the sector has already developed a technical standard - the ARCA Technical Standard.

1.159 The ARCA Technical Standard was developed by industry, including those ADIs and credit reporting bodies that will be subject to the mandatory regime. However, its use is only mandatory for those ADIs and credit reporting bodies who are signatories to the Principles of Reciprocity and Data Exchange.

1.160 Nonetheless, the Government does not expect to need to intervene and prescribe a technical standard even where an ADI or credit reporting body is not a signatory to the Principles of Reciprocity and Data Exchange. The Government expects ASIC would only exercise its power and prescribe a technical standard if it became apparent that the approach adopted by some in the sector was creating inefficiencies or meant that the mandatory regime was inoperable.

1.161 ASIC's power allows it to approve an existing document, or parts of an existing document, including one developed by industry such as the ARCA Technical Standard.

1.162 If there is an inconsistency between a determination made by ASIC or a technical standard and the Privacy (Credit Reporting) Code 2014, the Privacy (Credit Reporting) Code 2014 prevails. [Schedule 1, item 4, subsection 133CQ(5) of the Credit Act]

Obligations on credit reporting bodies

1.163 The Privacy Act 1988 and Privacy (Credit Reporting) Code 2014 and the Australian Information Commissioner currently regulate credit reporting bodies. As a result of amendments contained in Schedule 1 to this Bill, credit reporting bodies who receive mandatory credit information will also be regulated by ASIC for the purposes of the mandatory regime.

1.164 A definition of credit reporting body is inserted into the Credit Act which references the Privacy Act 1988. [Schedule 1, item 3, subsection 5(1) of the Credit Act]

1.165 This ensures there is no difference between the definitions in these two Acts. This is because the mandatory regime is intended to work within the framework established by the Privacy Act 1988.

1.166 Schedule 1 to this Bill limits how and when a credit reporting body that has received information under the mandatory regime may disclose that information. These restrictions apply both to the information received from the licensee and information derived by the credit reporting body. [Schedule 1, item 4, subsection 133CZA(1) of the Credit Act]

1.167 A credit reporting body who has received credit information under the mandatory regime may be restricted in disclosing that information to a credit provider when conditions in the regulations are met. [Schedule 1, item 4, subsections 133CZA(2) and 133CZA(7) of the Credit Act]

1.168 The regulations may also include circumstances when a credit reporting body must disclose the information it has received under the mandatory regime. [Schedule 1, item 4, subsections 133CZA(3) and 133CZA(7) of the Credit Act]

1.169 Where a credit reporting body is required to disclose information it has received under the mandatory regime, the disclosure must be made within the timeframe and in accordance with the requirements included in regulations. [Schedule 1, item 4, subsection 133CZA(4) of the Credit Act]

1.170 The Government expects that regulations would be made which reflect 'principles of reciprocity'. The mandated regime will only apply to large ADIs and their subsidiaries on the expectation that the critical mass of information supplied by these ADIs will encourage other credit providers to supply comprehensive credit information. However, this relies on the 'principle of reciprocity' - a credit provider must contribute information to receive information.

1.171 Industry stakeholders have reflected the principles of reciprocity in the Principles of Reciprocity and Data Exchange. The regulations can set conditions with reference to the Principles of Reciprocity and Data Exchange. Despite subsection 14(2) of the Legislation Act 2003, where the regulations reference any other document, such as the Principles of Reciprocity and Data Exchange or another industry developed standard, the regulations are able to refer to such a document as in force from time to time. [Schedule 1, item 4, subsections 133CZA(5) and 133CZA(6) of the Credit Act]

1.172 The ability to refer to a document as it exists from time to time is important as it allows industry to respond to changes in the market, including technological changes, without there being a need to amend the regulations.

1.173 In developing the regulations, and deciding whether to refer to an industry developed agreement or standard, the Government would consider whether the document was publicly available. The Principles of Reciprocity and Data Exchange is publicly available on the ARCA website.

Statements to the Treasurer

1.174 Schedule 1 to the Bill requires eligible licensees and eligible credit reporting bodies to give the Treasurer statements about the mandatory comprehensive credit regime. [Schedule 1, item 4, section 133CZC of the Credit Act]

1.175 Statements that relate to the initial bulk supply need to be provided to the Treasurer within six months after the 1 April to which the supply relates. [Schedule 1, item 4, paragraphs 133CZC(1)(c) and 133CZC(2)(c) of the Credit Act]

1.176 Regulations will specify the information which needs to be included in the statements. The Government expects the regulations would require information that enables the Treasurer to determine that the mandatory supply requirements have been met. [Schedule 1, item 4, paragraphs 133CZC(1)(a) and 133CZC(2)(a) of the Credit Act]

1.177 For example, the number of consumer credit accounts held by an eligible licensee, the proportion of those accounts supplied to a credit reporting body, the date the data transmission was made and the type of credit accounts included in each supply. For a credit reporting body, the statements may require the number of accounts for which data has been received and the type of credit accounts included in the supply.

1.178 The statements given to the Treasurer must be audited. ASIC may appoint in writing a suitably qualified person, or class of persons to be auditors. An auditor may charge a reasonable fee to produce the report on the statement. [Schedule 1, item 4, paragraphs 133CZC(1)(b) and 133CZC(2)(b), and section 133CZD of the Credit Act]

1.179 Appointments made under this provision are not legislative instruments because of the exemption in table item 8 in subsection 6(1) of the Legislation (Exemptions and other matters) Regulation 2015.

Monitoring and Compliance

1.180 ASIC is responsible for administering the Credit Act. The Credit Act includes a number of powers to assist ASIC in its role, including enforcement, information gathering and investigative powers. These powers will be extended to cover eligible licensees and credit reporting bodies in the mandatory regime.

1.181 It is expected that ASIC will take a sensible approach to ensuring that eligible licensees and credit reporting bodies are complying with the mandatory regime. ASIC can pursue one or several enforcement or non-enforcement remedies.

1.182 ASIC's broad approach to using its powers (and enforcement more generally) is set out in ASIC's approach to enforcement - Information Sheet 151, available on the ASIC website.

1.183 In deciding which tools to use, ASIC considers all the relevant facts and circumstances of each matter on a case-by-case basis, with a focus on the seriousness of the alleged contravention and the extent of the consumer harm.

1.184 In line with its broad approach to enforcement, ASIC may take into account factors such as whether the entity has taken reasonable steps to comply with the regime, the compliance record of the subject, and the effect of the misconduct on the market. In the past ASIC has also considered whether a facilitative approach to compliance is required shortly after commencement of new obligations.

1.185 The OAIC is responsible for ensuring compliance with the Privacy Act 1988. Schedule 1 to this Bill does not alter its existing functions.

Penalties under the mandatory regime

1.186 Civil penalties and offence provisions are included in the Credit Act where an eligible licensee or a credit reporting body does not meet the obligations imposed by the mandatory regime. The new provisions reflect the existing penalty framework in the Credit Act as amended by the Treasury Laws Amendment (Strengthening Corporate and Financial Sector Penalties) Act 2019.

1.187 ASIC may seek a civil penalty where an eligible licensee:

fails to supply credit information as required under the mandatory regime. [Schedule 1, item 4, section 133CR and section 133CU];
fails to notify the credit reporting body, ASIC and the Information Commissioner once the eligible licensee believes a credit reporting body is meeting its section 20Q obligations in the Privacy Act 1988, where the eligible licensee previously believed the credit reporting body was not meeting its obligations. [Schedule 1, item 4, sections 133CT and 133CW]; and
fails to submit audited statements to the Treasurer following the initial bulk supplies. [Schedule 1, item 4, subsection 133CZC(1)]

1.188 Similarly, ASIC may seek a civil penalty where a credit reporting body:

discloses information that it has received under the mandatory regime that it should not disclose. [Schedule 1, item 4, subsection 133CZA(2)];
fails to disclose information it has received under the mandatory regime, including not in the required timeframe or inconsistent with requirements included in the regulations. [Schedule 1, item 4, subsections 133CZA(3) and 133CZA(4)]; and
fails to submit audited statements to the Treasurer following the initial bulk supplies. [Schedule 1, item 4, subsection 133CZC(2)]

1.189 A civil penalty must be imposed by a court. The maximum penalty that can be applied under the mandatory regime in the circumstances listed above is the greater of 5,000 penalty units if the person is a natural person (currently $1,050,000), or if the court can determine the benefit gained, three times the benefit gained.

1.190 If the person is a body corporate the maximum penalty is the greater of:

ten times the pecuniary penalty;
if the court can determine the benefit gained or detriment derived - three times that amount; and
the lesser of ten per cent of the annual turnover of the body corporate or 2.5 million penalty units.

1.191 ASIC may also seek a criminal sanction if either a licensee or credit reporting body has breached a requirement under the mandatory credit reporting regime. [Schedule 1, item 4, sections 133CX, 133CY, 133CZ, 133CZB and 133CZE of the Credit Act]

1.192 The circumstances include failing to make the initial bulk supplies or ongoing supply of credit information when the eligible licensee reasonably believes the credit reporting body is meeting its security requirements in the Privacy Act 1988, failing to supply statements to the Treasurer or failing to notify the credit reporting body, ASIC and the Australian Information Commissioner when the licensee subsequently believes the credit reporting body is meeting the security requirements.

1.193 The maximum criminal penalty that can be applied is 100 penalty units for an individual (currently $21,000) or 500 penalty units if the person is a body corporate (currently $105,000).

1.194 The criminal penalty is a 'continuing offence'. That is, the person is guilty of a separate offence for each day of non-compliance. For example, for each day that an eligible licensee fails to supply the initial bulk supply of information, the penalty amount will apply. The continuing offence provides a strong incentive to comply.

1.195 The standard geographical jurisdiction set out in section 14.1 of the Criminal Code does not apply to an offence for failing to supply information. [Schedule 1, item 4, subsections 133CX(2) and 133CY(2)]

1.196 This is because an eligible licensee may store or hold credit information outside Australia. However, irrespective of where the information is stored or held, it must be included in the supplies made by the eligible licensee. If section 14.1 of the Criminal Code applied, an eligible licensee would not be subject to a penalty for failing to supply information held outside Australia.

1.197 Existing subsection 288K(1) of the Credit Act allows regulations to be made which prescribe offences and civil penalty provisions for which infringement notices can be given. Regulations will be made to enable infringement notices to be issued for the mandatory credit reporting regime.

Information gathering powers

1.198 ASIC's existing powers in the Credit Act are extended to the mandatory comprehensive credit reporting regime requirement so that ASIC can monitor and ensure compliance with the supply requirements and on-disclosure restrictions. [Schedule 1, item 4, sections 133CZF, 133CZG, 133CZH, 133CZI and 133CZJ of the Credit Act]

1.199 For drafting simplicity a new term, 'Part 3-2CA body', is inserted into the Credit Act. It means an eligible licensee or an eligible credit reporting body for a licensee. [Schedule 1, item 4, section 133CZF of the Credit Act]

1.200 Schedule 1 to the Bill amends the Credit Act to provide ASIC with the ability to:

seek information from an eligible licensee and credit reporting body;
seek assistance from an eligible licensee and credit reporting body; and
inspect books or seek information from a third party.

1.201 The penalties that ASIC may seek to apply include civil penalties and criminal penalties (including imprisonment). The penalty regime applied as part of the mandatory regime is consistent with the existing regime in the Credit Act. It is consistent with the penalties that apply for existing offences of a similar kind and of a similar seriousness.

Obligation to provide ASIC with a statement or an audit report

1.202 ASIC may issue a written notice directing an eligible licensee or a credit reporting body to give it a statement that contains certain information about whether the licensee or body is complying with its obligations under the mandatory comprehensive credit reporting regime. [Schedule 1, item 4, subsection 133CZG(1) of the Credit Act]

1.203 ASIC can also seek a statement from either a licensee or body to assist it in determining whether another licensee or credit reporting body subject to the mandatory regime is complying with its obligations. [Schedule 1, item 4, subsection 133CZG(1)]

1.204 The notice which directs the licensee or credit reporting body can be given at any time and can be given to a licensee or credit reporting body or a class of either. The information which is required may be the same or different and could be required on a periodic basis or when certain events occur. [Schedule 1, item 4, subsection 133CZG(2)]

1.205 A written notice from ASIC is not a legislative instrument because of the exemption in table item 17 in subsection 6(1) of the Legislation (Exemptions and Other Matters) Regulation 2015.

1.206 ASIC may also issue a written notice directing an eligible licensee or an eligible credit reporting body to obtain an audit on the statement. [Schedule 1, item 4, subsection 133CZG(3)]

1.207 Schedule 1 to the Bill clarifies that a notice directing an eligible licensee or eligible credit reporting body to obtain an audit of a statement is not a legislative instrument. This is because the notice is not a legislative instrument within the meaning of subsection 8(1) of the Legislation Act 2003. [Schedule 1, item 4, subsection 133CZG(4)]

1.208 The audit report given on the statement is subject to the existing requirements in sections 102, 103, 104, 105 and 106 of the Credit Act including that the auditor:

has a right to access the records and information that he or she needs for the purpose of conducting the audit;
may charge reasonable fees; and
must advise ASIC if it becomes aware that the eligible licensee or eligible credit reporting body is unable to meet its obligations under the mandatory comprehensive credit regime.
[Schedule 1, item 4, section 133CZJ]

1.209 An eligible licensee or eligible credit reporting body may be subject to a maximum civil penalty of 5,000 penalty units if it fails to comply with a direction from ASIC to supply a statement or audit report within the timeframe included in the written notice. [Schedule 1, item 4, subsection 133CZG(6)]

1.210 ASIC may extend the day the audit report or statement is due and, where it does, the written notice giving the extension will not be a legislative instrument because of the exemption in table item 29 in subsection 6(1) of the Legislation (Exemptions and Other Matters) Regulation 2015. [Schedule 1, item 4, subsection 133CZG(5)]

1.211 A civil penalty must be imposed by a court. The maximum penalty that can be applied under the mandatory regime in the circumstances listed above is the greater of 5,000 penalty units if the person is a natural person (currently $1,050,000), or if the court can determine the benefit gained, three times the benefit gained.

1.212 If the person is a body corporate the maximum penalty is the greater of:

ten times the pecuniary penalty;
if the court can determine the benefit gained or detriment derived - three times that amount; and
the lesser of ten per cent of the annual turnover of the body corporate or 2.5 million penalty units.

1.213 An eligible licensee or eligible credit reporting body can also be subject to a criminal offence if the person fails to comply with a direction from ASIC to supply a statement or audit report. The maximum criminal penalty that could apply is six months imprisonment for a person who is a natural person or 125 penalty units for a body corporate. [Schedule 1, item 4, subsection 133CZG(7)]

Obligation to give ASIC information required by the regulations

1.214 Regulations may prescribe information that must be given to ASIC by an eligible credit provider or eligible credit reporting body, or a class of licensees or bodies. [Schedule 1, item 4, subsection 133CZH(1)]

1.215 An eligible licensee or credit reporting body may be subject to a civil penalty if it fails to give ASIC this information. [Schedule 1, item 4, subsection 133CZH(2)]

1.216 A civil penalty must be imposed by a court. The maximum penalty that can be applied under the mandatory regime in the circumstances listed above is the greater of 5,000 penalty units if the person is a natural person (currently $1,050,000), or if the court can determine the benefit gained, three times the benefit gained.

1.217 If the person is a body corporate the maximum penalty is the greater of:

ten times the pecuniary penalty;
if the court can determine the benefit gained or detriment derived - three times that amount; and
the lesser of ten per cent of the annual turnover of the body corporate or 2.5 million penalty units.

1.218 An eligible licensee or credit reporting body can also be subject to a criminal offence if the person fails to give ASIC the prescribed information. The maximum criminal penalty that could apply is six months imprisonment for a natural person or 125 penalty units for a body corporate. [Schedule 1, item 4, subsection 133CZH(3)]

Obligation to provide ASIC with assistance

1.219 ASIC can request that an eligible licensee or a credit reporting body give it assistance to determine whether the licensee or body, or another licensee or body is complying with its obligations under the mandatory comprehensive credit regime. [Schedule 1, item 4, subsection 133CZI(1)]

1.220 The request for assistance may be in writing and, where it is, the request will not be a legislative instrument within the meaning of subsection 8(1) of the Legislation Act 2003. The Bill makes clear that a request in writing is not a legislative instrument to assist the reader. [Schedule 1, item 4, subsection 133CZI(2)]

1.221 An eligible licensee or eligible credit reporting body may be subject to a civil penalty if it fails to provide ASIC with assistance. [Schedule 1, item 4, subsection 133CZI(1)]

1.222 A civil penalty must be imposed by a court. The maximum penalty that can be applied under the mandatory regime in the circumstances listed above is the greater of 5,000 penalty units if the person is a natural person (currently $1,050,000), or if the court can determine the benefit gained, three times the benefit gained.

1.223 If the person is a body corporate the maximum penalty is the greater of:

ten times the pecuniary penalty;
if the court can determine the benefit gained or detriment derived - three times that amount; and
the lesser of ten per cent of the annual turnover of the body corporate or 2.5 million penalty units.

1.224 An eligible licensee or eligible credit reporting body may also be subject to a criminal offence if it fails to assist ASIC. The maximum criminal penalty that could apply would be six months imprisonment if the person is a natural person or 125 penalty units if the person is a body corporate. [Schedule 1, item 4, subsection 133CZI(3)]

Inspection of books and audit-information gathering powers

1.225 ASIC's existing powers in Chapter 6 of the Credit Act are extended to the enforcement of the mandatory comprehensive credit regime. This includes being able to:

ask an auditor for information or books; [Schedule 1, item 5, paragraph 265(2)(c)]
ask an eligible licensee or an eligible credit reporting body or a representative, banker, lawyer or auditor of the licensee or body to provide information or statements about the mandatory comprehensive credit regime; [Schedule 1, items 6, 7 and 8, section 266]
ask a person for information in their possession relating to the activities of an eligible licensee or eligible credit reporting body and the mandatory comprehensive credit regime; and [Schedule 1, item 9, paragraph 267(1)(b)]
admit as evidence information collected about the eligible licensee or eligible credit reporting body's compliance with the mandatory comprehensive credit regime. [Schedule 1, item 10, paragraph 307(1)(b)]

Consequential amendments

Using 'financial hardship information'

1.226 Schedule 2 to the Bill amends the Credit Act to ensure that certain decisions are not made solely on the basis that financial hardship information exists.

1.227 A credit provider cannot refuse to provide further credit or reduce a customer's credit limit merely because financial hardship information exists. Where a contract allows for this, the provisions of the contract are invalid. [Schedule 2, item 17A, subsection 67(1) of the National Credit Code]

1.228 By imposing these limitations, the Government intends that financial hardship information prompts a credit provider to make further enquiries in order to make a holistic assessment of a consumer's financial situation.

1.229 To assist readability two consequential amendments are made to insert subheadings into section 67 of the National Credit Code. [Schedule 2, items 17B and 17C, subsections 67(2) and 67(4) of the National Credit Code]

Miscellaneous amendments

1.230 Without limiting its effect, Schedule 1 to this Bill makes clear that the amendments also have effect as if references to an eligible licensee or eligible credit reporting body are to a corporation in paragraph 51(xx) of the Constitution. [Schedule 1, item 4, section 133CZM of the Credit Act]

Application and transitional provisions

1.231 The amendments in Schedule 1 to this Bill commence the day after the Bill receives the Royal Assent. The first day from which an eligible licensee is required to supply mandatory credit information is 1 April 2020.

1.232 Financial hardship information can only be reported from the later of the Bill receiving Royal Assent or 1 April 2021. The limitations on decisions that can be made solely on the existence of financial hardship information apply from the same date.

1.233 The reporting and use of financial hardship information applies to credit contracts entered into before, on or after the commencement of these provisions.

Chapter 2 Reporting financial hardship in credit reporting

Outline of chapter

2.1 Schedule 2 to this Bill amends the Privacy Act 1988 to permit reporting of financial hardship information within the credit reporting system and to make other minor changes to improve the overall administration of credit reporting.

Context of amendments

2.2 On 28 March 2018, the Attorney-General, the Hon Christian Porter MP, announced that the Attorney-General's Department would lead a review into the operation of financial hardship arrangements. The review considered how hardship arrangements (including hardship arrangements regulated under the Credit Act) intersect with the credit reporting system. A range of key stakeholders participated in this review, including consumer advocacy groups, regulatory agencies, major banks and credit providers, credit reporting bodies and peak industry bodies.

2.3 Following this review, the Government agreed to the reform model in Schedule 2 to this Bill for reporting hardship arrangements in the credit reporting system that would improve the comprehensiveness of credit reporting and appropriately balance the interests of consumers, credit providers and credit reporting bodies. These reforms build on amendments to the Privacy Act 1988 that commenced in 2014 to introduce a more comprehensive credit reporting system that included both 'positive information' such as a consumer's ability to make repayments on time, as well as 'negative information' such as defaults on repayments.

2.4 Although hardship arrangements between consumers and their credit providers can be entered into under the Credit Act, the Privacy Act 1988 does not currently permit these arrangements to be reported as part of a consumer's credit report. This situation can reduce the efficacy of the credit reporting system by restricting the visibility of hardship information about a consumer that is relevant to their creditworthiness. This information asymmetry in turn affects the ability of credit providers to meet their responsible lending obligations.

2.5 Under the Credit Act, if a consumer considers he or she will be unable to meet their obligations under their credit contract, the consumer may give their credit provider notice (a 'hardship notice') of their inability to meet the obligations and seek relief.

2.6 The credit provider may respond to the consumer's request by not agreeing to provide relief or agreeing to permanently vary the contract. In practice, credit providers who refuse a hardship request may alternatively offer another form of relief such as a moratorium on repayments, waiver, 'forbearance' or 'indulgence'.

2.7 The measures in Schedule 2 to this Bill recognise an agreement to permanently vary the contract and the other forms of relief as a 'financial hardship arrangement'.

2.8 Under the credit reporting system, credit providers report 'repayment history information' to credit reporting bodies. Repayment history information reflects whether a consumer has been meeting their repayment obligations on a credit product each month. Repayment history information covers the previous 24 months, is reported on a monthly basis and is expressed as a code reflecting the age of the oldest outstanding payment: '0' is no overdue payments (including the 14 day grace period), '1' is a payment 15-29 days late, '2' is a payment 30-59 days overdue, etc. Under the credit reporting system, repayment history information allows consumers to demonstrate good credit behaviour through timely repayments.

2.9 In the absence of specific hardship arrangement information, there has been inconsistent industry practice in how repayment history information is reported - leading to potential distortions in credit assessments. Some credit providers may report a consumer's repayment history information against the original credit contract, others do not report repayment history information when a hardship arrangement is in place and other credit providers report repayment history information against the hardship arrangements that are in place. Consequently, consumers in otherwise similar financial circumstances can have markedly different repayment history information on their credit reports depending on their credit provider.

2.10 Schedule 2 to the Bill establishes a rule for reporting repayment history information in the month that a repayment is affected by a financial hardship arrangement. This will ensure that credit reporting is consistent and interpretable, and consumers in similar financial situations will have correspondingly similar information in their credit reports.

Summary of new law

2.11 Schedule 2 to this Bill amends the Privacy Act 1988 to permit reporting of financial hardship information within the credit reporting system. It also makes minor changes to improve the overall administration of credit reporting, including reducing regulation for businesses that do not participate in credit reporting.

2.12 Reporting hardship information gives credit providers an indication that a consumer is experiencing hardship (or has recently experienced hardship). This reporting facilitates better and informed lending decisions. The existence of hardship information should prompt prospective lenders to make further inquiries in order to assess a consumer's situation holistically and potentially offer them a more suitable product.

2.13 Schedule 2 to the Bill establishes a new category of credit information to accompany repayment history information known as 'financial hardship information'.

2.14 This new category will be distinguished by the fact that a monthly payment has been affected either by a permanent variation to the terms of the consumer credit or by an arrangement which provides temporary relief from, or deferral of, the individual's obligations concerning the consumer credit.

2.15 When a monthly payment is affected by a financial hardship arrangement, repayment history information will reflect a consumer's ability to meet their obligations under that arrangement rather than their original contract. When a consumer exits a hardship arrangement (either through completion of the arrangement, or where the credit provider terminates the arrangement because the consumer does not meet their obligations), repayment history information will reflect the consumer's position against the original credit contract.

2.16 Financial hardship information will attract the same protections as repayment history information, which can only be accessed in more limited circumstances than other forms of information about a consumer. Credit reporting bodies will be restricted from incorporating hardship into a consumer's credit score and will only be able to retain financial hardship information for 12 months.

2.17 Reporting financial hardship information in the credit reporting system is not otherwise intended to affect the legal rights of any party to a hardship arrangement, particularly in relation to their original credit contract.

2.18 Following passage of the Bill, variations to the Privacy (Credit Reporting) Code 2014 will be progressed with the OAIC and industry to provide detailed guidance on the implementation of new credit reporting obligations in Schedule 2 to this Bill.

2.19 Schedule 2 to this Bill also requires the Attorney-General to cause an independent review of the credit reporting system as set out in Part IIIA of the Privacy Act 1988. The report must be completed and given to the Attorney-General before 1 October 2023, who must then table the report in Parliament within 15 sitting days.

Comparison of key features of new law and current law

| New law | Current law |
| --- | --- |
| Credit reporting bodies are permitted to collect, use, disclose and retain financial hardship information. | Credit reporting bodies are not permitted to collect, use, disclose and retain hardship information. |
| Credit providers are permitted to disclose financial hardship information to credit reporting bodies. | Credit providers are not permitted to disclose hardship information to credit reporting bodies. |

Detailed explanation of new law

2.20 Schedule 2 of the Bill amends the credit reporting system under the Privacy Act 1988 to permit reporting of financial hardship information and to make other minor amendments to improve the overall administration of the credit reporting system.

New framework for representing hardship information in the credit reporting system

2.21 Schedule 2 to the Bill introduces a new category of credit information called 'financial hardship information', permitting this kind of information to be reported within the credit reporting system for the first time. [Schedule 2, items 1 and 2, subsection 6(1) and paragraph 6N(c) of the Privacy Act 1988]

2.22 If a credit provider is disclosing repayment history information to a credit reporting body and financial hardship information is available, the provider is also required to disclose the financial hardship information corresponding to the same month's repayment history information. Failure to comply with this requirement is subject to a civil penalty of 500 penalty units. [Schedule 2, item 12, section 21EA of the Privacy Act 1988]

2.23 The purpose of this provision is to ensure that the credit reporting body and other credit providers relying on the repayment history information will have a more accurate picture of a consumer's repayment obligations and whether they are meeting those obligations. This allows credit providers to make better decisions in respect of their responsible lending obligations under the Credit Act.

2.24 Financial hardship information is either:

Information about the first monthly payment affected by a financial hardship arrangement that is a permanent variation to the terms of the consumer credit; or
Information about each monthly payment affected by a financial hardship arrangement which is providing temporary relief or deferral of the individual's obligation in relation to the consumer credit.
[Schedule 2, item 4, subsection 6QA(4) of the Privacy Act 1988]

2.25 Permanent variation: consistent with the requirements which will be set out in a variation to the Privacy (Credit Reporting) Code 2014, an indicator would appear on a consumer's credit report in the month that they make the first repayment under a permanently varied contract. This indicator would only appear once - in the month that the varied contract takes effect. In conjunction with the permanent variation indicator, the repayment history information would reflect a consumer's ability to make repayments under their permanently varied contract, rather than the original contract.

2.26 Temporary relief from or deferral of payment obligations: consistent with the requirements which will be set out in a variation to the Privacy (Credit Reporting) Code 2014, this indicator would appear on a consumer's credit report from the first month that a hardship arrangement is in place. The indicator would then recur every month a hardship arrangement is in place.

2.27 A financial hardship arrangement may arise as a result of an individual providing a notice to the credit provider (a hardship notice), orally or in writing, of the individual's inability to meet the obligations under section 72 of the National Credit Code.

2.28 Within the credit reporting system, a 'financial hardship arrangement' is any kind of agreement, arrangement or understanding that defers or reduces the obligations of a debtor for a temporary period, such as 'simple arrangements' within the meaning of ASIC Order CO 14/41, indulgences, forbearances and waivers. This broad definition is intended to recognise the diversity of arrangements that may exist between consumers and their credit providers which take into account individual circumstances. [Schedule 2, item 4, subsection 6QA(3) of the Privacy Act 1988]

2.29 However, a financial hardship arrangement must reflect a mutual understanding between the consumer and their credit provider reflecting the nature of the credit relationship. The definition of financial hardship arrangement is not intended to capture 'promises to pay' and other forms of unilateral notifications by the consumer to their credit provider. For example, where, due to a mismanagement of funds in the short term, the consumer will not make a payment (or will make a late payment) for an amount that is due and payable. In such circumstances, the credit provider has simply acknowledged that the consumer will be late with their payment without agreeing to an arrangement affecting the monthly payment obligations.

2.30 Financial hardship information would not be disclosed in a month where a consumer makes a payment of an amount equal to or greater than the amount due and payable under the original credit contract. This includes, for example, a period of 'catch up payments' where the consumer agrees with their credit provider to pay more than the amount due and payable under the original contract in order to reduce the arrears that accumulated during the months of the financial hardship arrangement. If a consumer can meet their original contracted payment obligations in a month they should not be reported as being in hardship in that month. [Schedule 2, item 4, subsection 6QA(5) of the Privacy Act 1988]

Reporting repayment history information when a hardship arrangement is on foot

2.31 In conjunction with financial hardship information, repayment history information will reflect a consumer's ability to meet their obligations against a financial hardship arrangement that is in place at that time rather than the original credit contract. [Schedule 2, item 5, subsection 6V(1A) of the Privacy Act 1988]

2.32 For example, if a consumer is not required to make a monthly payment under the financial hardship arrangement, the repayment history information for that month will be expressed as '0'.

2.33 When a consumer exits a hardship arrangement (either through completion of the arrangement, or where it is terminated by the credit provider through the consumer's inability to meet their hardship arrangement obligations), the repayment history information for the subsequent month would revert to show the consumer's position against the original credit contract.

2.34 The insertion of a discrete definition of repayment history information in the month that a payment is affected by a financial hardship arrangement is necessary to clarify the general rule for reporting such information.

2.35 An effective credit reporting system requires that like contracts and arrangements be treated alike and reported in a consistent and accurate manner. These amendments will ensure that industry practice is consistent and interpretable, and consumers in similar financial situations will have correspondingly similar information in their credit reports.

Example 2.1 - Consumer and credit provider permanently vary contract

Under the Privacy (Credit Reporting) Code 2014, repayment history information is expressed on a consumer's credit report as a code signifying the age of the oldest outstanding payment:
0: Current up to and including the 14 day grace period
1: 15-29 days overdue
2: 30-59 days overdue
3: 60-89 days overdue
4: 90-119 days overdue
5: 120-149 days overdue
6: 150-179 days overdue
7: 180+ days overdue.
Ash has a loan with Oak Bank making payments of $100 per month. In February, Ash loses his job and subsequently falls behind on his payments and is unable to make payments in February, March and April. This is reported in Ash's repayment history information (RHI) as an increasing RHI code, as the full payment is not being made. In April, Ash contacts Oak Bank and asks for hardship relief.
Oak Bank agrees to permanently vary Ash's loan to extend the length of the loan and allow Ash to make lower payments. Ash is able to make these payments each month. As May is the first month that Ash is required to make a payment according to the varied contract, a financial hardship information (FHI) permanent variation indicator is reported for the month (indicated with a 'V' below).
Month  J  F  M  A  M  J  J  A  S  O  N  D
RHI    0  1  2  3  0  0  0  0  0  0  0  0
FHI    -  -  -  -  V  -  -  -  -  -  -  -

Example 2.2 - Consumer enters into hardship arrangement then reverts to original contract

The circumstances are the same as in Example 2.1. However, instead of varying the contract, Oak Bank allows Ash to make payments of $50 for three months (May, June and July) as a financial hardship arrangement. Ash is able to make these payments and therefore has RHI of '0' reported for each month because Ash is meeting his obligations under the financial hardship arrangement on foot (even though Ash is actually falling $50 per month behind the original payment schedule).
Other credit providers viewing Ash's credit report are aware that Ash is not making full payments under his credit contract with Oak Bank because FHI (indicated with an 'H' below) is reported in each month that Ash makes a reduced payment under the financial hardship arrangement. Other credit providers are able to make further inquiries in order to understand the true state of Ash's financial affairs, but also know that Ash is still able to make timely repayments in accordance with the hardship arrangement on foot.
At the end of July, Ash finds another job and is able to make the original payments plus an additional amount to catch up to the original contract. For August, Ash's RHI is reported as '5' as Ash is $450 (or the equivalent of five late payments, as credit reporting requires a full payment to be made for the payment to be considered made) behind the original payment schedule, being the three missed payments from February to April, then half a payment for each of May, June and July.
For the remainder of the year, Ash is able to make payments of $150 per month, meaning he gradually returns to the original payment schedule, and the RHI code reported reduces accordingly.
Month  J  F  M  A  M  J  J  A  S  O  N  D
RHI    0  1  2  3  0  0  0  5  5  4  4  3
FHI    -  -  -  -  H  H  H  -  -  -  -  -

Example 2.3 - Consumer enters into financial hardship arrangement then permanently varies contract

The circumstances are the same as in Example 2.2. However, at the end of July, rather than reverting to the original contract, Ash and Oak Bank agree to vary Ash's credit contract and extend it by five months to allow Ash to repay the full amount owing (accrued from February to July) without having to make additional 'catch up' repayments. Ash is able to make his monthly repayments.
The first month where Ash makes a payment according to the varied contract is in August. Subsequently, a FHI permanent variation indicator is reported once during that month to show that the contract was permanently varied. Each month thereafter shows Ash's ability to make repayments according to the varied contract.
Month  J  F  M  A  M  J  J  A  S  O  N  D
RHI    0  1  2  3  0  0  0  0  0  0  0  0
FHI    -  -  -  -  H  H  H  V  -  -  -  -

Protections for hardship information in the credit reporting system

2.36 Financial hardship information has generally the same protections under the Privacy Act 1988 as repayment history information, which can only be accessed in more limited circumstances than other forms of information about a consumer. [Schedule 2, items 6, 7, 9, 11 and 13, paragraph 20C(4)(e), subsection 20E(4), paragraph 20G(2)(c), paragraph 21D(3)(c) and subsection 21G(4) of the Privacy Act 1988]

2.37 However, unlike repayment history information, which has a retention period of two years, financial hardship information will be subject to a retention period of 1 year that starts on the day on which the monthly payment to which the information relates is due and payable.

2.38 This means, for example, that financial hardship information indicators will disappear from a consumer's credit report one at a time as each indicator expires on its 1 year anniversary. A shorter retention period than repayment history information appropriately balances the interests of consumers in financial hardship. [Schedule 2, item 10, section 20W (after table item 2) of the Privacy Act 1988]

Example 2.4 - Retention periods for financial hardship information

The circumstances are the same as in Example 2.3. FHI would remain on Ash's credit report for 12 months, while RHI would remain for 24 months.
When the FHI retention period comes to an end (in this example, September of Year 3), a credit provider viewing Ash's credit report would see the RHI for the hardship arrangement period (May to August of Year 2), but not the associated FHI (highlighted grey below).
Credit providers would have 24 months of RHI (September of Year 1 to August of Year 3) and 12 months of FHI (September of Year 2 to August of Year 3) to assess Ash's ability to meet their repayments (or potential lack of ability) when making a credit product suitability assessment.
Year 1  J  F  M  A  M  J  J  A  S  O  N  D
RHI     -  -  -  -  -  -  -  -  0  0  0  0
FHI     -  -  -  -  -  -  -  -  -  -  -  -

Year 2  J  F  M  A  M  J  J  A  S  O  N  D
RHI     0  1  2  3  0  0  0  0  0  0  0  0
FHI     -  -  -  -  H  H  H  V  -  -  -  -

Year 3  J  F  M  A  M  J  J  A  S  O  N  D
RHI     0  0  0  0  0  0  0  0  -  -  -  -
FHI     -  -  -  -  -  -  -  -  -  -  -  -

2.39 Credit reporting bodies will be restricted from incorporating financial hardship information into a consumer's credit score. [Schedule 2, item 8, section 20E of the Privacy Act 1988]

2.40 A credit score is a rating of an individual's credit worthiness based on an analysis of a credit report at a particular point, and is usually expressed alphanumerically. This restriction is intended to reinforce understanding in the community that suitability for credit is focussed on the information in a consumer's credit report as well as further relevant information that is sought by a credit provider. Although a credit score obtained from a credit reporting body may give preliminary guidance on a consumer's financial position, it is only one factor in a suite of considerations in the credit assessment process.

2.41 The purpose of financial hardship information is to communicate to a credit provider that there is an alternative arrangement in place from the original credit contract. Reporting financial hardship information alongside repayment history information (as opposed to simply reflecting it in a credit score) prompts prospective credit providers to make further inquiries to ensure that a credit product is suitable for an applicant.

2.42 ASIC, the national regulator of consumer credit, considers that these further enquiries may include:

details of the consumer's changed circumstances that led to the hardship arrangement;
whether those circumstances have been addressed or are continuing;
how long the revised repayment obligations will continue; and
the likelihood that the circumstances which led to the arrangement will occur again.

2.43 By only permitting financial hardship information to be viewed together with repayment history information in its full context, prospective credit providers have greater information to make a proper assessment of a consumer's financial suitability for a credit product, assisting the credit provider to meet their responsible lending obligations.

2.44 Credit reporting bodies do not currently incorporate financial hardship information in the calculation of consumers' credit scores. The restriction on incorporating financial hardship information in the calculation of these scores ensures there is no change to the current position.

2.45 Recognising community concern about credit scores, and uncertainty about how certain information (such as financial hardship information) may be weighed up in the calculation of credit scores, consumers' interests are best served by excluding financial hardship information in credit score calculations by credit reporting bodies. This position maintains incentives for consumers to seek assistance when they are or will be struggling to meet their repayment obligations under a credit contract - that is, experiencing financial hardship.

Reducing the regulatory burden for non-participating businesses

2.46 Under section 6G of the Privacy Act 1988, a business that provides goods or services where payment is deferred by seven days or more is a 'credit provider'. A business is captured by this definition irrespective of whether or not that business actively participates in the credit reporting system. Such businesses must then comply with Division 3 of Part IIIA of the Privacy Act 1988, which at a minimum requires credit providers to have a policy on the management of credit information and to comply with certain notification and correction requirements.

2.47 Schedule 2 to this Bill excludes businesses from these requirements that have not and are not likely to disclose credit reporting information or credit eligibility information to a credit reporting body or other credit provider, and who have not collected such information from a credit reporting body or other credit provider. This would remove the unnecessary regulatory burden on businesses that do not, and have not, actively participated in the credit reporting system but are captured by the definition of 'credit provider'. The Australian Privacy Principles will continue to apply to non-participating credit providers who are 'APP entities' under section 6 of the Privacy Act 1988. [Schedule 2, items 24, 26, 30 and 31, subsection 6(1), subsection 21B(8), subsection 21U(5) and subsection 21V(7) of the Privacy Act 1988]

2.48 If at a future point a business decides to participate in the credit reporting system, the exception would cease to apply to that business, and the business would have to comply with all the requirements of the credit reporting provisions.

Expanding the options for credit providers to participate in the credit reporting system

2.49 In order to participate in the credit reporting system, subparagraph 21D(2)(a)(i) of the Privacy Act 1988 provides that a credit provider (including for example an energy or water utility) must be a member of an external dispute resolution scheme recognised by the Australian Information Commissioner or a scheme prescribed by the regulations.

2.50 The policy intention of the credit reporting external dispute resolution scheme requirement and the Commissioner external dispute resolution scheme recognition process was to allow external dispute resolution schemes already in place to be recognised for the purposes of credit reporting. In the Australian energy and water utility sector, states and territories either had existing external dispute resolution schemes that were recognised by the Commissioner for the purposes of credit reporting, or the energy and water utilities in a jurisdiction have joined other external dispute resolution schemes that had been recognised by the Commissioner.

2.51 External dispute resolution in relation to the Australian Capital Territory energy and water utilities is provided through the Australian Capital Territory Civil and Administrative Tribunal. The Australian Capital Territory Civil and Administrative Tribunal is not an organisation to which credit providers can become 'members'. As such, it is not possible for the Commissioner to recognise the Australian Capital Territory Civil and Administrative Tribunal as an external dispute resolution scheme under section 35A of the Privacy Act 1988, since subparagraph 21D(2)(a)(i) requires that a credit provider be a 'member' of the external dispute resolution scheme.

2.52 Schedule 2 to this Bill recognises that being subject to the jurisdiction of a recognised external dispute resolution scheme is sufficient and enables providers who are subject to (but not 'members' of) such external dispute resolution schemes to participate in the credit reporting system on this basis. This reduces the compliance burden on credit providers such as state and territory energy and water utilities providers that are subject to the jurisdiction of a tribunal by preventing them from being required to join multiple dispute resolution mechanisms. [Schedule 2, items 25 and 27, subparagraphs 20E(3)(c)(ii) and 21D(2)(a)(i) of the Privacy Act 1988]

2.53 To facilitate the resolution of the issues by the tribunal, Schedule 2 to this Bill allows credit providers to disclose 'credit eligibility information' to that tribunal. An explicit permission to disclose this information is necessary because of subsection 21G(1) of the Privacy Act 1988 which creates a civil penalty for disclosure of such information by a credit provider if not otherwise permitted. [Schedule 2, item 28, subparagraph 21G(3)(e)(ii) of the Privacy Act 1988]

2.54 If external dispute resolution is available in a tribunal, Schedule 2 to this Bill requires that the credit provider state this when notifying the individual of a decision to refuse to correct or access credit information, or a provider's decision following an investigation of a complaint about an act or practice engaged in by the provider. [Schedule 2, items 29, 32 and 33, subparagraph 21T(7)(b)(i), subparagraph 21W(3)(c)(i), subparagraph 23B(4)(b)(i) of the Privacy Act 1988]

Security requirements for credit reporting bodies storing data

2.55 Schedule 1 to the Bill amends the Privacy Act 1988 to require that a credit reporting body store credit reporting information in Australia or consistently with security requirements prescribed in regulations. The regulations may provide that data may be stored outside of Australia. [Schedule 1, item 11, section 20Q of the Privacy Act 1988]

2.56 The term 'store' is not defined but would take its ordinary meaning being to deposit in a storehouse, warehouse or other place for keeping.

2.57 Credit reporting bodies will not be in breach of section 20Q by undertaking routine business or operations such as sending and receiving correspondence (for example, email) containing credit reporting information or using an application to view and edit the information.

Independent Review of the Credit Reporting System

2.58 Schedule 2 to the Bill requires the Attorney-General to cause an independent review of the credit reporting system as set out in Part IIIA of the Privacy Act 1988. The report must be completed and given to the Attorney-General before 1 October 2023, who must then table the report in Parliament within 15 sitting days of receiving it. [Schedule 2, item 34, section 25B of the Privacy Act 1988]

2.59 The report will not be a legislative instrument because of the exemption in table item 12 in subsection 6(1) of the Legislation (Exemptions and Other Matters) Regulation 2015.

2.60 Schedule 2 to the Bill is not specific on the scope of the review so as not to limit the review when it is established. However, the Government expects the review would, having regard to contemporary community expectations of privacy and the consumer credit industry, consider and make recommendations about:

whether the provisions continue to meet the relevant objects of the Privacy Act 1988, including facilitating an efficient credit reporting system while ensuring that the privacy of individuals is respected;
the roles, responsibilities and obligations of credit providers, credit reporting bodies, consumers and other relevant participants within the credit reporting system; and
the efficacy of the operation of the credit reporting system, including comprehensive credit reporting and financial hardship information.

Application and transitional provisions

2.61 The amendments which establish the reporting of financial hardship information and repayment history information commence on the later of the day after Royal Assent or 1 April 2021 and apply in relation to hardship arrangements entered into on or after commencement. [Schedule 2, item 14, Application of Part 1 of Schedule 2]

2.62 Once the amendments commence, a credit provider must include financial hardship information if it exists and the credit provider is disclosing repayment history information.

2.63 The amendments which cause an independent review to be undertaken, place additional security requirements on the storage of credit information, reduce regulatory burden on business and allow more credit providers to participate in the credit reporting system, commence the day after Royal Assent.

2.64 Apart from the independent review, these amendments apply in relation to consumer credit applied for or provided after the commencement of the amendments. [Schedule 2, item 35, Application of Part 2 of Schedule 2]

Chapter 3 Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Bill 2019

3.1 This Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview

Mandatory comprehensive credit reporting regime

3.2 This Bill amends the Credit Act to establish a mandatory comprehensive credit reporting regime.

3.3 Under the regime eligible licensees, who on 1 April 2020 are large ADIs, must provide credit information on consumer credit accounts to certain credit reporting bodies.

3.4 Credit information is defined in the Privacy Act 1988 and includes information about the maximum amount of credit available to a person, how well the person is meeting their repayments, and details of the person's overdue payments and defaults.

3.5 Amendments to the Privacy Act 1988 which took effect in 2014 have permitted credit providers to disclose this information to credit reporting bodies but this is a voluntary scheme.

3.6 The Bill operates within the framework established by the Privacy Act but mandates the supply of credit information.

3.7 It is expected that, by applying the measure to large ADIs and other credit providers within that banking group, other credit providers will voluntarily share comprehensive credit information. In June 2019 large ADIs accounted for more than 80 per cent of household lending.

3.8 Regulations will set out conditions that must be met before a credit reporting body can share the information disclosed under the regime. Regulations will also set out circumstances when the credit reporting body must share credit information.

Reporting financial hardship information

3.9 This Bill amends the Privacy Act 1988 to create a new category of credit information called 'financial hardship information' and to permit this information to be reported within the credit reporting system.

3.10 This Bill also makes minor changes to the Privacy Act 1988 to improve the overall administration of credit reporting, including reducing regulation for businesses that do not participate in credit reporting.

3.11 Under these changes, financial hardship information about a consumer may be reported on their credit report: credit providers may report this information to credit reporting bodies, who can subsequently make this information available to other credit providers when a consumer applies for credit.

3.12 Financial hardship information will indicate that a monthly payment has been affected by either a permanent variation to the terms of the consumer credit or a hardship arrangement which provides temporary relief from or deferral of the individual's obligations in relation to the consumer credit. A hardship arrangement is broadly defined in order to recognise the diversity of arrangements that may exist between consumers and their credit providers which take into account individual circumstances.

3.13 Variations to the Privacy (Credit Reporting) Code 2014 will provide detailed guidance on the implementation of new credit reporting obligations in this Bill.

Human rights implications

3.14 The Bill engages the following human rights and freedoms:

the right to protection from arbitrary or unlawful interference with privacy under article 17 of the International Covenant on Civil and Political Rights (ICCPR);
the right against self-incrimination under article 14(3)(g) of the ICCPR;
the right to be presumed innocent until proved guilty according to law; and
the right to a fair and public hearing.

Right to protection from unlawful or arbitrary interference with an individual's privacy

3.15 Article 17 of the ICCPR prohibits unlawful or arbitrary interferences with a person's privacy, family, home, or correspondence. It also provides that everyone has a right to the protection of the law against such interference or attacks.

3.16 The right to privacy encompasses respect for informational privacy, including the right to respect for private information and private life, particularly the storing, use and sharing of personal and confidential information.

3.17 Division 2 of Schedule 3 of the Bill engages the right to privacy by requiring certain eligible licensees, initially large ADIs, to supply credit information to certain credit reporting bodies. Credit information is the personal information about individual bank customers.

3.18 The mandatory comprehensive credit reporting regime implemented by this Bill makes participation in the credit reporting system mandatory, but does not itself authorise the disclosure of an individual's credit information. The handling of personal information in the credit reporting system is regulated by Part IIIA of the Privacy Act 1988. That Part clearly defines and limits the uses and permitted disclosures of credit information.

3.19 At the time of the amendments to the Privacy Act 1988 that enabled more comprehensive credit reporting, the Government of the day expected that credit providers would voluntarily share credit information. This was the case in comparable jurisdictions.

3.20 A more comprehensive credit reporting regime allows credit providers to better establish a consumer's credit worthiness and leads to a more competitive and efficient credit market. A more comprehensive regime benefits consumers by enabling individuals with good credit histories to seek more competitive rates when purchasing credit and enabling those with a historically poor credit rating to demonstrate their credit worthiness through future consistency and reliability.

3.21 The explanatory memorandum to the Privacy Amendment (Enhancing Privacy Protection) Bill 2012, which enabled comprehensive credit reporting, explains the safeguards that were put in place to protect an individual's credit information.

3.22 Greater responsibility was placed on credit reporting bodies and credit providers to assist individuals to access, correct and resolve complaints about their personal information. Those amendments included specific rules to deal with pre-screening of credit offers and the freezing of access to an individual's personal information in cases of suspected fraud or identity theft.

3.23 The amendments also restricted access to repayment history information to those credit providers who hold an Australian Credit Licence and are therefore subject to responsible lending obligations.

3.24 Any effect on privacy rights was considered proportionate and limited by the introduction of specific safeguards, including:

only de-identified information can be used for the purpose of research, and the research must be reasonably connected to the credit reporting system, and
the use of credit reporting information for the purposes of pre-screening is expressly limited to the purpose of excluding adverse credit risks from marketing lists.

3.25 In considering the impact on a person's right to privacy, the explanatory memorandum to the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 noted:

'In the consumer credit environment it is important to achieve a balance between privacy protection and the efficient operation of the credit market. Access to narrowly defined categories of credit information to ensure a more balanced picture of an individual's credit situation, taking into account positive action such as payment, and not just negative information like defaults, and to allow for more effective risk assessment by credit providers is balanced with the enhanced privacy protections set out above.
Any limitations on the prohibition against arbitrary interference with privacy in the Bill are clearly and narrowly defined, for the legitimate purpose of improving the management of personal and credit reporting information, and accompanied by sufficient safeguards to maintain reasonable privacy protections. The measures are reasonable, necessary and proportionate as they ensure the smallest possible set of data is used for the narrowest purposes to achieve the objective of providing a functional consumer credit market.'

3.26 The mandatory comprehensive credit reporting regime does not alter the existing protections set out by the Privacy Act 1988 governing the use and disclosure of credit information. The Bill clearly states the requirement to supply credit information only applies to the extent that the disclosure is permitted under the Privacy Act 1988.

3.27 Division 3 of Schedule 1 to the Bill also engages the right to privacy by providing that regulations may set out the circumstances when a credit reporting body must share credit information received under the mandatory comprehensive credit regime. These circumstances will be limited and not extend beyond those circumstances in the Privacy Act 1988. Primarily this will be when a credit provider is seeking information about a customer's credit worthiness when considering a request for consumer credit.

3.28 The Bill extends the protections in the Privacy Act 1988 by amending the existing requirements to protect credit reporting information from misuse, interference and loss, and from unauthorised access, modification or disclosure. The Bill more clearly sets out where information held by a credit reporting body must be stored. A credit reporting body must store credit reporting information in Australia or in accordance with any security requirements prescribed by Regulations for storage outside Australia.

3.29 Schedule 2 of the Bill further engages the right to privacy by creating a new category of credit information called 'financial hardship information' and permitting the collection, use, storage and disclosure of this information in the credit reporting system. This engages the right to privacy by permitting the disclosure of personal information.

3.30 However, when applying for credit it is legitimate for a credit provider to access personal information that is directly relevant to an assessment of an individual's credit worthiness. This process facilitates the efficient allocation of credit in the community and may promote other rights, including the right to an adequate standard of living. In the context of mandatory consumer credit reporting, it is legitimate for financial hardship information about a consumer to be reported within the credit reporting system.

3.31 The potential limitation on the right to privacy is reasonable, necessary and proportionate because it balances the need for consumers to provide relevant information to a prospective credit provider in an efficient way with a number of safeguards.

3.32 The Bill sets out clearly defined and limited uses of financial hardship information in the credit reporting system. Like the existing protections for repayment history information, hardship information can only be disclosed to mortgage insurers and licensed credit providers who are subject to the responsible lending obligations. Additionally, financial hardship information will only be retained for one year (rather than two years in the case of repayment history information) and credit reporting bodies will be prohibited from using the information to calculate a credit score. Further, there will be restrictions on the use of hardship information as the sole reason for a credit provider to reduce or freeze a consumer's existing credit.

3.33 In the context of the existing protections and additional protections added by this Bill, the mandatory comprehensive credit regime is reasonable, necessary and proportionate to deliver a credit reporting system which is efficient and effective.

The right against self-incrimination under article 14(3)(g) of the ICCPR

3.34 Paragraph 3(g) of Article 14 of the ICCPR guarantees the right of an individual not to be compelled to testify against oneself or to confess guilt. The privilege against self-incrimination is recognised by the common law and applies unless it is expressly abrogated.

3.35 The right is engaged for the purposes of the new mandatory comprehensive credit reporting regime as existing Chapter 6 of the Credit Act is amended by the Bill to expand ASIC's existing compliance and enforcement powers, such as its power to conduct investigations, examine a person, gather information, and conduct hearings, to the new mandatory comprehensive credit regime.

3.36 Existing section 295 of the Credit Act expressly provides that it is not a reasonable excuse for a person to refuse or fail to produce a book in accordance with a requirement that the production of the book might tend to incriminate the person or make the person liable to a penalty.

3.37 However, existing subsection 295(3) of the Credit Act operates to provide that the information or documents cannot be used as evidence in criminal proceedings except to the extent that the proceedings relate to compliance with a disclosure notice or the provision of false or misleading information in response to a disclosure notice.

3.38 It is considered necessary to override the privilege against self-incrimination to allow ASIC to acquire all relevant information to administer the Credit Act.

3.39 The provision of derivative use immunity with respect to self-incriminating information would impair ASIC's ability to effectively perform its regulatory functions.

3.40 It is relatively straightforward to prove compliance with use immunity in that all of the evidence obtained under compulsion from the person concerned is easily identifiable and can be excluded from any subsequent criminal or civil penalty proceedings against that person.

3.41 In most cases, establishing compliance with derivative use immunity would be substantially more difficult. It would require persuading the court to the required standard that no part of the original information was taken into account, directly or indirectly, when obtaining the information upon which the prosecution is based.

3.42 This may require the introduction of Chinese walls in the agency that received the original information in order to avoid contagion of other employees of that agency who may be involved in obtaining the information upon which the prosecution is based. The effectiveness of these Chinese walls would also have to be proven.

3.43 In its submission to the Australian Law Reform Commission Inquiry into Traditional Rights and Freedoms: Issues Paper 46 (March 2015) ASIC notes: 'Any grant of derivative use immunity has the potential to render a person conviction-proof for an unforeseeable range of offences'.

3.44 The application of use immunity to only those who claim self-incrimination prior to the examination is consistent with other legislative provisions and the process is clearly explained to an examinee prior to the examination being conducted so it is up to the examinee to assert that right.

3.45 Existing section 296 of the Credit Act provides that if a requirement to produce books is made to a person who is a lawyer, and the book contains a privileged communication made by or on behalf of the lawyer in his or her capacity as a lawyer, the lawyer is entitled to refuse to comply.

3.46 The lawyer may not refuse to comply if the person, on behalf of whom the communication was made, or, if this person is a body corporate that is being wound up, the liquidator of the body, consents to the lawyer complying with the requirement but allows the person to maintain protection from the information being used against them in criminal proceedings or proceedings for the imposition of a penalty.

The right to be presumed innocent until proved guilty according to law

Assessment of civil penalties

3.47 Practice Note 2: Offence provisions, civil penalties and human rights observes that civil penalty provisions may engage criminal process rights under Articles 14 and 15 of the ICCPR, regardless of the distinction between criminal and civil penalties in domestic law. This is because the word 'criminal' has an autonomous meaning in international human rights law. When a provision imposes a civil penalty, an assessment is therefore required as to whether it amounts to a 'criminal' penalty for the purposes of Articles 14 and 15 of the ICCPR.

3.48 The Bill includes new civil penalty provisions where:

an eligible licensee:

- fails to supply credit information as required under the mandatory regime;
- fails to notify the credit reporting body, ASIC and the Information Commissioner once the eligible licensee believes a credit reporting body is meeting its section 20Q obligations in the Privacy Act 1988, where the eligible licensee previously believed the credit reporting body was not meeting its obligations; and
- fails to submit audited statements to the Treasurer following the initial bulk supplies.

a credit reporting body:

- discloses information that it has received under the mandatory regime that it should not disclose;
- fails to disclose information it has received under the mandatory regime, including not in the required timeframe or inconsistent with requirements included in the regulations;
- fails to submit audited statements to the Treasurer following the initial bulk supplies.

3.49 While the provisions impose significant civil penalties it is considered appropriate to encourage compliance with the supply obligations. The approach is consistent with other civil penalties in the Credit Act.

3.50 The civil penalty provisions in the Bill should not be considered 'criminal' for the purposes of international human rights law.

3.51 While the civil penalty provisions included in the Bill are intended to deter people from non-compliance with the mandatory comprehensive credit reporting regime, none of the civil penalty provisions carry a penalty of imprisonment and there is no sanction of imprisonment for non-payment of penalty. The statement of compatibility therefore proceeds on the basis that the civil penalty provisions in the Bill do not create criminal offences for the purpose of Articles 14 and 15 of the ICCPR.

Criminal penalty provisions

3.52 The Bill engages Article 14 of the ICCPR, which guarantees a person be afforded, in the determination of any criminal charge against them, the right to a fair trial.

3.53 The Bill includes criminal penalty provisions of up to 100 penalty units where an eligible licensee has failed to supply credit information, provide a statement to the Treasurer or notify a credit reporting body, ASIC and the Information Commissioner when the credit provider no longer holds the belief that the credit reporting body is not .

3.54 For some offences, which mirror existing provisions in the Credit Act give ASIC information penalties, the penalty provisions are consistent with the existing penalties for the existing offences and are set at 25 penalty units or up to 6 months imprisonment, or both.

3.55 Paragraph 2 of Article 14 of the ICCPR protects the right of a person charged with a criminal offence to be presumed innocent until proven guilty according to law. The presumption of innocence is also a fundamental principle of the common law. As the Human Rights Committee has observed, the presumption of innocence 'imposes on the prosecution the burden of proving the charge, guarantees that no guilt can be presumed until the charge has been proved beyond reasonable doubt, ensures that the accused has the benefit of doubt, and requires that persons accused of a criminal act must be treated in accordance with this principle'.[1]

3.56 The presumption of innocence generally requires the prosecution to prove each element of a criminal offence beyond reasonable doubt. This is the case for the criminal offence provisions included in this Bill.

3.57 However, the Bill does place an evidential burden on a credit provider where a credit provider does not supply mandatory credit information to a credit reporting body within the required timeframe on the basis that it is the belief of the credit provider that the credit reporting body is not meeting its obligations in section 20Q of the Privacy Act 1988.

3.58 The imposition of an evidential burden is justified because the reason why a credit provider held the belief that the credit reporting body was not meeting its obligations under 20Q in the Privacy Act 1988 will be a matter that is peculiarly within the credit provider's knowledge.

3.59 Moreover, the effect is that the credit provider must merely adduce or point to evidence that explains why the credit provider holds this 'reasonable belief'. The belief could be held as a result of a stress test or audit that was conducted at the behest of the credit provider. This 'evidence' would be peculiarly within the credit provider's knowledge as such an audit or stress test would be carried out as a result of the contractual arrangement that existed between the credit provider and credit reporting body.

3.60 Once the credit provider has demonstrated why it holds this belief the prosecution must refute this beyond reasonable doubt to obtain a conviction (see section 13.3 of the Criminal Code).

3.61 As a result, the risk that a credit provider may be found guilty of an offence for not supplying credit information while the credit provider held the reasonable belief that the credit reporting body was not meeting its obligations under section 20Q of the Privacy Act 1988 is low. Accordingly, to the extent this provision might be considered to limit the presumption of innocence, the limitation is reasonable in all the circumstances.

The right to a fair and public hearing

3.62 Article 14 of the ICCPR ensures that everyone shall be entitled to a fair and public hearing by a competent, independent and impartial tribunal established by law.

3.63 The amendments included in the Bill can leverage the existing regulation making power in section 331 of the Credit Act that allows regulations to be made that would allow ASIC to issue an infringement notice rather than pursue a civil penalty through a court.

3.64 The explanatory memorandum to the Bill indicates that the Government intends to make a regulation under this power for the purpose of issuing infringement notices for breaches of the Credit Act rather than seeking a civil penalty.

3.65 The ability to issue an infringement notice could be considered to engage the right to a fair and public hearing. However, the right of a person to a fair and public hearing by a competent, independent and impartial tribunal is not limited by the Bill because the existing regulation making power in section 331 of the Credit Act allows a person to elect to have the matter heard by a court rather than pay the amount specified in the infringement notice.

3.66 Moreover, the Regulatory Powers (Standard Provisions) Act 2014 requires that this right must be stated in any infringement notice given to the person. For these reasons the Bill is not considered to limit the right to a fair and public hearing.

3.67 The application of use immunity to only those who claim self-incrimination prior to the examination is consistent with other legislative provisions and the process is clearly explained to an examinee prior to the examination being conducted so it is up to the examinee to assert that right.

[1] Human Rights Committee, General Comment No 43 Article 14: Right to equality before courts and tribunals and to a fair trial, CCPR/C/GC/32, 23 August 2007, [30].

