This article originally appeared in the April 2018 edition of Lexis Nexis' Financial Services Newsletter.
Comprehensive credit reporting is planned to commence on 1 July 2018.
An exposure draft has been released, proposing to amend the National Consumer Credit Protection Act 2009 (Cth) to mandate comprehensive credit reporting.
Mandatory comprehensive credit reporting will only apply to large authorised- deposit taking institutions.
Other credit providers can volunteer to participate in comprehensive credit reporting. Credit providers that want to receive comprehensive credit information will need to comply with the requirements under the proposed regime.
The Australian Retail Credit Association is promoting the Principles of Reciprocity and Data Exchange to work in conjunction with the proposed regime. The Principles of Reciprocity and Data Exchange promote reciprocity, namely, a credit provider cannot get comprehensive credit information unless it supplies comprehensive credit information and are a signatory to the Principles of Reciprocity and Data Exchange.
The proposed regime does not reflect the need to be a signatory to the Principles of Reciprocity and Data Exchange. Credit providers will only be required to comply with the requirements under the proposed regime to access comprehensive credit information.
The Australian government has become the first to actively mandate comprehensive credit reporting. In its 2017 Budget, the Government committed to mandating comprehensive credit reporting if credit providers did not meet a threshold of 40 per cent data reporting by the end of 2017.
Treasurer Scott Morrison, in a media release on 2 November 2017, reported that the uptake of comprehensive reporting had been less than1 per cent.1 Subsequently, Treasury released an exposure draft on 8 February 2018, proposing to amend the National Consumer Credit Protection Act 2009 (Cth) (NCCP Act) to mandate comprehensive credit reporting.2
This response will outline the main features of the exposure draft, shortcomings and issues with the exposure draft, and how comprehensive credit reporting will fit into the current comprehensive credit reporting system, namely the Principles of Reciprocity and Data Exchange (PRDE).
1. Comprehensive Credit Reporting exposure draft – summary and comments
The National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018 (Exposure Draft) proposes to amend the NCCP Act to mandate comprehensive credit reporting. This is unusual, as the regulation of credit reporting is dealt with in Part IIIA of the Privacy Act 1988 (Cth) (Privacy Act).
1.1 Key definitions
The exposure draft introduces several new concepts.
1.1.1 Eligible licensees
The first concept is “eligible licensee”. The mandatory reporting obligation applies to eligible licensees. An eligible licensee is defined as a large authorised-deposit taking institution (ADI), a subsidiary of a large ADI, or a person of a kind prescribed by the regulations, and a credit provider.3 The exposure draft intends to adopt the definition of large ADI in the Banking Act 1959 (Cth) (Banking Act).4 However, there is no definition of large ADI in the most recent version of the Banking Act. The Treasury Laws Amendment (Banking Executive Accountability and Related Measures) Bill 2017 (Banking Act Amendment Bill), which intends to amend the Banking Act, defines large ADI. However, this definition does not provide much clarification. It simply provides that the Minister, by legislative instrument, is able to determine the kinds of ADIs that are large ADIs.5 Despite this ambiguity, it is evident that mandatory comprehensive credit reporting will not apply to all credit providers. At the very least, it will include the big four banks (i.e. National Australia Bank, Commonwealth Bank, Australia and New Zealand Banking Group and Westpac).
1.1.2 Eligible credit reporting body
The second concept is “eligible credit reporting body”. Eligible licensees are required to disclose mandatory credit information to eligible credit reporting bodies. An eligible credit reporting body for a licensee is defined as a credit reporting body that has entered into a section 20Q(2)(a) agreement6 with an eligible licensee that was in force on 2 November 2017 and the licensee is an eligible licensee on 1 July 2018.7 This means that an eligible licensee does not need to report mandatory credit reporting information to all credit reporting bodies, but only those credit reporting bodies that satisfy the aforementioned requirements. This definition, however, is limited. For example, it does not capture credit reporting bodies that an eligible licensee has entered into a section 20Q(2)(a) agreement after 2 November 2017.
1.1.3 Eligible account
The third concept is “eligible account”. An eligible licensee is only required to provide mandatory credit information on eligible accounts. An eligible account is an account that relates to the provision, or possible provision of consumer credit (within with meaning of the Privacy Act 1988), held by one or more natural persons with a credit provider and not excluded under the regulations.8 This means that eligible licensees do not need to report comprehensive credit information on commercial accounts.
1.1.4 Mandatory credit information
The fourth concept is “mandatory credit information”. Mandatory credit information is the information that an eligible licensee is required to disclose to an eligible credit reporting body. Mandatory credit information is defined as credit information of a natural person or information of a kind prescribed by the regulations, collected by or for the credit provider for eligible accounts held by natural persons with a credit provider.9 The exposure draft adopts the definition of credit information in the Privacy Act.
Credit information is defined in section 6N of the Privacy Act to mean personal information (other than sensitive information) that is:10
(a) identification information about the individual, or
(b) consumer credit liability information about the individual, or
(c) repayment history information about the individual, or
(d) a statement that an information request has been made in relation to the individual by a credit provider, mortgage insurer or trade insurer, or
(e) the types of consumer credit or commercial credit, and the amount of credit sought in an application that has been made by the individual to a credit provider, and in connection with which the provider has made an information request in relation to the information, or
(f) default information about the individual, or
(g) payment information about the individual, or
(h) new arrangement information about the individual, or
(i) court proceedings information about the individual, or
(j) personal insolvency information about the individual, or
(k) publicly available information about the individual that relates to the individual’s activities in Australia or the external Territories and the individual’s credit worthiness, and that is not court proceedings information about the individual or information about the individual that is entered or recorded on the National Personal Insolvency Index, or
(l) the opinion of a credit provider that the individual has committed, in circumstances specified by the provider, a serious credit infringement in relation to consumer credit provided by the provider to the individual.
The disclosure of this information to all eligible credit reporting bodies will have a positive impact, as it will add detail and depth to consumer credit profiles. This will allow credit providers to better assess a consumer’s credit worthiness, and promote better consumer outcomes through informed lending.
1.1.5 Supply requirements
The fifth concept is “supply requirements”. Information supplied under the regime will need to be supplied in accordance with the supply requirements. Information is supplied in accordance with the supply requirements, if the supply is in accordance with the registered credit reporting code, and any determination or technical standards from ASIC.11 There are a couple of shortcomings with this definition. First, it does not reference to the Australian Credit Reporting Data Standards, which are the technical standards and specifications used for exchanging credit information and credit reporting information under the PRDE. Furthermore, it is unusual that ASIC has been prescribed as the regulator responsible for determining the technical standards and specified used for exchanging credit information and credit reporting information, when the Information Commissioner will be responsible for managing the comprehensive credit reporting scheme.
1.2 The mandatory reporting obligation
Under the exposure draft, an eligible licensee must supply in accordance with the supply requirements, to each eligible credit reporting body for the licensee, mandatory credit information for at least 50% of the eligible credit accounts held with the licensee on the first 1 July that the licensee becomes an eligible licensee.12 The eligible licensee must supply in accordance with the supply requirements, to each eligible credit reporting body for the licensee, mandatory credit information for the remainder of eligible accounts with the eligible licensee on the second 1 July after the eligible licensee becomes an eligible licensee.13 The initial supply and the bulk supply of the remaining information must be provided within 90 days of the relevant 1 July.14
These bulk supply requirements could cause system issues for both eligible licenses and eligible credit reporting bodies. They require the reporting of mass data. Eligible licensees will need to ensure that their systems are able to report all the data that needs to be reported in an accurate manner, and eligible credit reporting bodies will need to ensure that their systems will be able to handle the significant influx of credit information.
In addition to the bulk supply requirements, an eligible licensee that remains an eligible licensee, must comply with the ongoing supply requirements subject to the conditions in the exposure draft being satisfied. These ongoing supply requirements include providing:15
(a) details of changed information to ensure that information is accurate, up-to-date and complete
(b) payment information relating to payment of an overdue payment about which default information has been supplied
(c) mandatory credit information for all eligible credit accounts that are opened or re- opened
(d) details pertaining to the closing of an eligible credit account, and
(e) mandatory credit information of the kind prescribed in the regulations for any events prescribed in the regulations.
1.3 The exemption
The bulk supply requirements do not need to be complied with, if an eligible licensee reasonably believes that an eligible credit reporting body is not complying with the requirements under section 20Q of the Privacy Act.16 This provision pertains to the security of credit reporting information and requires credit reporting bodies to take reasonable steps to protect credit reporting information from misuse, inference and loss, and from unauthorised access, modification or disclosure.17 A licensee that intends to rely on this exemption will need to prepare a written notice stating that it believes the credit reporting body is not complying with section 20Q, setting out reasons for the belief and stating that the credit reporting body has 90 days to convince the licensee otherwise.18 This notice needs to be given to the credit reporting body, the Information Commissioner and ASIC within 7 days after the relevant 1 July.19 If, after the 90-day period following 1 July, the eligible licensee continues to hold this suspicion, it will need to issue a final notice within 7 days that it believes that the credit reporting body is not complying with section 20Q.20
If an eligible licensee has a suspicion that an eligible credit reporting body is not complying with the requirements under section 20Q, but it ceases to hold that suspicion within the 90-day period after the relevant 1 July, it has 14 days starting on the day that it ceases to hold that belief to comply with the supply requirements.21 It will also be required to prepare a written notice to be provided to the credit reporting body, the Information Commissioner and ASIC within 7 days, stating that the it has ceased to too hold that belief, and setting out its reasons for ceasing to hold that belief.22
This exemption to disclosing mandatory credit information to an eligible credit reporting body is limited and will impose an administrative burden on an eligible licensee. Furthermore, even if this exemption applies to an eligible credit reporting body, an eligible licensee will still be required to provide mandatory credit information to all other eligible credit reporting bodies that are not subject to the exemption.
1.4 Conditions on credit reporting bodies on-disclosing credit information
The exposure draft imposes conditions regarding the on-supply of comprehensive credit information to credit providers.
(a) Condition 1: If a credit provider has not disclosed credit information for at least 50% of eligible credit accounts, then a credit reporting body is prohibited from on- supplying comprehensive credit information to that credit provider.23
(b) Condition 2: If a credit provider has disclosed comprehensive credit information for at least 50% of eligible credit accounts, but less than 100% of eligible credit accounts, and less than 12 months have elapsed since credit information for at least 50% of eligible credit accounts has been disclosed, the credit reporting body is required to comply with information requests from the credit provider within 10 business days of receipt of a request.24
(c) Condition 3: If a credit provider has disclosed comprehensive credit information for 100% of eligible accounts, the credit reporting body is required to comply with information requests from the credit provider within 10 business days of receipt of a request.25
If a credit provider and credit reporting body are signatories to the PRDE, and a service agreement is in force between the credit reporting body and credit provider, the conditions outlined above are met.26
These conditions seem to replicate the conditions under the PRDE regarding the supply of information. For example, condition 2 regarding the supply of comprehensive credit information for at least 50% of eligible credit accounts, but less than 100% of eligible credit accounts, reflects the transitional requirement in paragraph 54 of the PRDE.27
However, there are some limitations to the conditions in their current form. For one, the conditions do not consider the situation where a credit provider has supplied comprehensive credit information for at least 50% of eligible accounts, but has failed to provide comprehensive credit information for at least 100% of accounts within 12 months. There are three options available in this circumstance:
the credit reporting body ceases to provide comprehensive credit information to the credit provider
the credit reporting body continues to provide comprehensive credit information to the credit provider, or
the credit reporting body provides partial credit information to the credit provider.
Option (c) would be the most reasonable if there is a reasonable explanation for why the credit provider has failed to comply the second bulk supply of credit information. However, option (a) or option (b) would be more appropriate if there is no reasonable explanation. The legislator should provide further guidance on how credit reporting bodies should respond in this circumstance.
The exception relating to signatories under the PRDE is unclear. This exception provides that if a credit provider and credit reporting body are signatories to the PRDE scheme, and have entered into a service agreement, conditions 1 to 3 set out above are met. However, the impact of this on supply is not clear. This provision should clarify the supply requirements when a credit provider and credit reporting body are signatories to the PRDE and reliant on the exception. For example, the exception could provide that supply requirements in this circumstance should correspond with the applicable supply requirements under the PRDE. Therefore, if a credit provider that is a signatory to the PRDE has selected the partial information tier, and is providing only partial information to a credit reporting body that is a signatory under the regime, then the credit reporting body should only be able to provide partial information to the credit provider in response to any information request.
In addition, although the exposure draft deals with the supply of comprehensive credit information from credit reporting bodies, it does not address the on-supply of this credit information by recipients of the information. The PRDE adequately deals with the issue of on-supply to other credit providers or designated entities, namely related entities of the credit provider that has received the credit information.
1.5 Additional reporting requirements
An eligible licensee must prepare a written statement after their first initial bulk supply. This written statement must contain information relating to the mandatory credit information, or the eligible credit accounts to which the mandatory credit information relates.28 The licensee must also arrange for an appropriate person to audit that statement and prepare a written report of the audit.29 The written statement and the audit report are to be provided to the Minister within 6 months of the first 1 July supply.30 A written statement must also be prepared and audited for ongoing supplies of credit information.31
Credit reporting bodies who are required to disclose information during a financial year must prepare a written statement containing the information prescribed by the regulations and arrange for an appropriate person to audit that statement. This statement and the audit report are to be provided to the Minister within 3 months after that financial year.32
These requirements will impose an administrative and financial burden on eligible licensees and credit reporting bodies.
1.6 Assisting ASIC
ASIC can provide an eligible licensee or credit reporting body a notice directing them to lodge with ASIC a written statement containing information about whether the body is complying with the comprehensive credit reporting requirements.33 These notices may be given at any time and must specify a day by which the licensee or credit reporting body must comply.
It is interesting that this power has been provided to ASIC. The Information Commissioner is responsible for managing the comprehensive credit reporting scheme, credit reporting generally and will receive reports from credit providers and credit reporting bodies about the supply of credit information. It appears that under the exposure draft, the Information Commissioner has been assigned an administrative role, whilst ASIC has been assigned an enforcement role. This regulator cross-over is arguably attributable to the fact that the exposure draft proposes to amend the NCCP Act. ASIC has regulatory oversight over the NCCP Act, whereas the Information Commissioner has regulatory oversight over the Privacy Act, where the current regulation of credit reporting can be found. Even if the Information Commissioner is assigned a purely administrative role under this regime, one would expect that all statements or reports that ASIC has directed a body to provide, must also be provided to the Information Commissioner. If there is going to be regulator cross-over, there needs to be clear direction in terms of the role and purpose of each regulator.
1.7 What happens when it goes wrong?
If an eligible licensee or eligible credit reporting body fail to comply with their obligations under the proposed regime, they could be subject to substantial fines. For example, the bulk supply requirements (see 1.2 above) are civil penalty units with a maximum penalty of 2000 penalty units.
Section 4B of the Crimes Act 1914 (Cth) (Crimes Act) provides that where a body corporate is convicted of an offence, a court may impose a monetary penalty on the body corporate of up to five times the monetary penalty applicable to that offence.36 Similarly, section 167(3) of the NCCP Act and section 80W(5) of the Privacy Act provide that for contravention of a civil penalty provision by a body corporate, a court may impose a monetary penalty on the body corporate of up to five times the monetary civil penalty applicable to that provision.
Therefore, the maximum penalty for body corporates for breaching the bulk supply requirements is in fact $2,1000,000 AUD.
2. Comprehensive Credit Reporting exposure draft and the PRDE
The PRDE is a set of industry-developed data exchange rules promoting comprehensive credit reporting. The PRDE is voluntary regime and is premised on reciprocity.37 Signatories are required to select one of three reporting tiers: negative information, partial information or comprehensive information.38 A credit provider signatory is only able to receive information that corresponds with their respective reporting tier. Therefore, a credit provider is only able to receive comprehensive credit information under the PRDE, if the credit provider is a signatory to the PRDE and has provided or is in the process of providing comprehensive credit information on all eligible accounts to eligible credit reporting bodies.
Treasury appears to have considered the PRDE in its preparation of the exposure draft. For example, the bulk supply requirements under the exposure draft mirror those in the PRDE. Furthermore, the exposure draft seems to propose a ‘dual system’, where the mandatory comprehensive credit reporting regime will co-exist with the voluntary PRDE regime. It achieves this through providing an exemption to the credit reporting body supply conditions for PRDE signatories. However, the exposure draft does not protect the fundamental principles underpinning the PRDE. One of these fundamental principles is that that only signatories to the PRDE will be able to obtain comprehensive information under the regime. The exposure draft allows credit providers to obtain comprehensive credit information of a PRDE signatory without being a signatory to the PRDE. This is concerning, as the exposure draft in its current form is not as holistic as the PRDE. For example, it does not adequately address the handling and supply obligations of a credit provider that is not an eligible licensee. It also poses a threat to the integrity of the PRDE.
There are two options available:
(a) the mandatory credit reporting legislation can be amended to complement the PRDE and protect its integrity, or
(b) the mandatory credit reporting legislation can be amended to supplement the PRDE.
The first option seems the most favourable, as it allows industry to continue to have a role in the management of credit reporting. Treasury and industry representatives will need to meet to discuss how the exposure draft can be amended to protect the integrity of the PRDE and to allow for the ‘dual system’ of regulation.
Australia is on the dawn of a new era of credit reporting. The exposure draft reveals that it only a matter of time before comprehensive credit reporting is mandated in Australia.
However, the exposure draft in its current form is flawed and does require substantial amendments before it can achieve its objective. Most importantly, careful consideration will need to be had as to how the mandatory comprehensive credit reporting will fit into the current comprehensive credit reporting regime, if at all. Regardless, comprehensive credit reporting will transform the credit industry. It has the potential to provide better consumer outcomes by allowing credit providers to make more informed lending decisions.
Andrea Beatty, Consulting Principal
Daniel Taha, Lawyer
3 Exposure Draft, s 133CN(1)
4 Exposure Draft, s 5(1)
5 Banking Act Amendment Bill, 37G(3)(a)
6 A section 20Q(2)(a) agreement is an agreement of the kind entered under section 20Q(2)(a) of the Privacy Act 1988 (Cth). This provision requires credit reporting bodies to enter into agreements with credit providers that require the providers to protect credit reporting information that has been disclosed them
7 Exposure Draft, s 133CN(2)
8 Exposure Draft, s 133CO
9 Exposure Draft, s 133CP
10 Privacy Act, s 6N
11 Exposure Draft, s 133CQ
12 Exposure Draft, s 133CR(1)
13 Exposure Draft, s 133CR(3)
14 Exposure Draft, s 133CR(1) and s 133CR(3)
15 Exposure Draft, s 133CT(1)(b
16 Exposure Draft, s 133CS
17 Privacy Act, s 20Q
18 Exposure Draft, s 133CS(2)(a)
19 Exposure Draft, s 133CS(2)(b)
20 Exposure Draft, s 133CS(2)(c)
21 Exposure Draft, s 133CS (3)
22 Exposure Draft, s 133CS(3)
23 Exposure Draft, s 133CV(1)
24 Exposure Draft, s 133CV(2)
25 Exposure Draft, s 133CV(3)
26 Exposure Draft, s 133CV(4)
27 PRDE, para 54.
28 Exposure Draft, s 133CX(1)(a)
29 Exposure Draft, s 133CX(1)(b)
30 Exposure Draft, s 133CX(1)(c)
31 Exposure Draft, s 133CY
32 Exposure Draft, s 133CZ
33 Exposure Draft, division 5
34 Exposure Draft, s 133CQ
35 Crimes Act, s 4AA
36 Crimes Act, s 4B
38 PRDE, definition