Establishment of the Australian Financial Complaints Authority — submission to the Treasury

1 November 2017

Our reference: D2017/009189

Head of Secretariat
AFCA Transition Team,
Financial Services Unit
The Treasury
Langton Crescent, Parkes, ACT 2600

By email:

Dear Secretariat

Establishment of the Australian Financial Complaints Authority

I welcome the opportunity to provide comments on the Establishment of the Australian Financial Complaints Authority (AFCA) Consultation Paper (the Consultation Paper).[1] I understand that the purpose of this consultation is to inform the advice that will be provided by Dr Edey, as Chairman of the AFCA transition team, to the Minister for Revenue and Financial Services on key elements relating to the Minister’s authorisation of AFCA, including AFCA’s terms of reference, governance and funding arrangements.

My comments build on previous comments made in June 2017, in response to Treasury’s External Dispute Resolution and Complaints Framework consultation paper.[2] I also appreciate the transition team’s subsequent engagement with my Office.

As noted in the Consultation Paper, the handling of privacy-related complaints by recognised EDR schemes is an important aspect of the privacy regulatory framework.[3] In particular, section 35A of the Privacy Act 1988 (Cth) permits me, as Australian Information Commissioner, to recognise external dispute resolution schemes to handle certain privacy-related complaints. Any credit provider or credit reporting body participating in the credit reporting system covered by Part IIIA of the Privacy Act is required to be a member of a recognised EDR scheme.[4]

While I understand privacy is one of several issues still being considered by the transition team, this submission addresses three questions in the Consultation Paper relevant to the recognition requirements in s 35A of the Privacy Act. My comments are intended to assist the transition team in ensuring that AFCA’s operations are consistent with the recognition requirements. Given privacy is still being actively considered, I would also welcome further engagement with the transition team and the AFCA Board, which I understand will ultimately be responsible for developing the terms of reference, funding and governance arrangements.

Question 11—independent reviews

Issue 4 of the Consultation Paper considers independent reviews, and question 11 asks whether other aspects of AFCA’s operations, other than a review of the impact of the higher compensation cap, should be subject to an independent review within the first three years of AFCA’s commencement.

My Office’s Guidelines for recognising external dispute resolution schemes (the EDR Guidelines) require an EDR scheme to commission an independent review of the EDR scheme’s privacy-related complaint handling, operations and procedures at least once every five years. This review can be conducted as part of a broader independent review of the EDR scheme.[5]

I suggest that this requirement should be taken into account in developing any program of reviews for AFCA. As a complaint handling body, I would also expect AFCA to have in place mechanisms for recording data about the complaints it receives and its performance in responding to complaints.

Question 22—accessibility

Question 22 of the Consultation Paper asks what requirements relating to accessibility should be included in AFCA’s terms of reference.

Under s 35A(2)(a) of the Privacy Act, one of the matters which the Commissioner must take into account when considering whether to recognise an EDR scheme is the accessibility of that scheme. This is consistent with the ‘general considerations’ under the proposed s 1051A of the Corporations Act 2001 in the Treasury Laws Amendment (Putting Consumers First—Establishment of the Australian Financial Complaints Authority) Bill 2017.

The EDR Guidelines set out examples of the mechanisms that an EDR scheme could use to demonstrate its accessibility for the purposes of s 35A recognition. These include:

  • actively promoting its services to individuals
  • ensuring access to and ease of use of its services
  • generally providing its services to individuals free of charge
  • training its staff to handle complaints and to be able to explain the functions and powers of the EDR scheme in simple and clear terms
  • encouraging informal and alternative methods of dispute resolution
  • encouraging parties to only involve legal representatives if special circumstances require this expertise.

Including these mechanisms in the AFCA terms of reference may support AFCA’s recognition under s 35A of the Privacy Act.

Question 39—key stakeholders and accountability

Question 39 of the Consultation Paper asks which stakeholders AFCA is accountable to, and what the key objective and measure of importance to each stakeholder is.

As you are likely aware, my Office is a key stakeholder given the need for recognition under s 35A of the Privacy Act and the important role that recognised EDR schemes have in the privacy-complaints framework.

The objectives of recognition are set out in the EDR Guidelines, and include to:

  • simplify the resolution of privacy-related complaints for individuals
  • ensure credit providers can become members of schemes (a prerequisite for credit providers to disclose credit information to a credit reporting body)
  • implement Parliament’s decision to formally create a tiered complaint process in relation to privacy complaints
  • increase consistency and best practice in privacy-related complaint-handling across industries
  • maximise the use of specialist industry knowledge
  • avoid fragmenting among multiple dispute resolution bodies of an individual’s complaint, which may include a privacy and service-delivery aspect
  • align the requirements for recognition as much as possible with relevant existing regulatory schemes for EDR recognition.[6]

These objectives are generally aligned with ASIC’s Regulatory Guides RG 139 and RG 165, and could be referenced in AFCA’s Constitution or terms of reference.

My Office looks forward to engaging with you in the coming months as privacy issues are considered further.

To discuss these matters further, please contact Sophie Higgins, Director, Regulation and Strategy Branch, on [contact details removed].

Yours sincerely

Timothy Pilgrim PSM
Australian Information Commissioner

November 2017


[1] <>

[2] <>

[3] Consultation paper, p 31.

[4] Privacy Act 1988 (Cth), s 21D; Privacy (Credit Reporting) Code 2014, para 21.2.

[5] EDR Guidelines, para 4.7.

[6] EDR Guidelines, para 1.15.
