1 June 2017

Our reference: D2017/004529

EDR implementation team
Financial Services Unit
Financial System Division
The Treasury
Langton Crescent
PARKES ACT 2600

By Email: EDR@treasury.gov.au

External Dispute Resolution and Complaints Framework—consultation paper on improving dispute resolution in the financial system

I welcome the opportunity to make this submission to Treasury on the External Dispute Resolution and Complaints Framework consultation paper (the consultation paper), the exposure draft Treasury Laws Amendment (External Dispute Resolution) Bill 2017 (the draft Bill), the exposure draft Explanatory Memorandum (the draft Explanatory Memorandum), and the exposure draft Treasury Laws Amendment (External Dispute Resolution) Regulations 2017 (the draft Regulations).[1]

The draft Bill would amend the Corporations Act 2001 (Cth) and other laws to introduce a new ‘one-stop shop’ external dispute resolution (EDR) scheme for the financial sector, the Australian Financial Complaints Authority (AFCA). The AFCA is intended to replace the Financial Ombudsman Service (FOS), the Credit and Investments Ombudsman (CIO) and the Superannuation Complaints Tribunal.

I understand that the new framework is aimed at ensuring that consumers and small businesses have access to a financial EDR system that ‘is accessible and fast and makes determinations that are fair and binding.’[2] I am supportive of initiatives that increase efficiency in dispute resolution processes and benefit consumers by providing a simplified complaints framework. This submission builds upon my earlier submissions to the Review of the financial system external dispute resolution and complaints framework (Ramsay review) issues paper[3] and interim report.[4]

Introductory comments

The Office of the Information Commissioner (OAIC) plays an important role in the financial system’s dispute resolution and complaint handling framework. This includes having regulatory oversight of the:

  • Australian Privacy Principles (APPs) in Schedule 1 of the Privacy Act 1988 (Cth) (Privacy Act), which covers personal information handling by Australian Government agencies and many private sector and not-for-profit entities
  • Part IIIA of the Privacy Act, which regulates the handling of credit-related personal information by credit reporting participants.

The APPs and Part IIIA apply to a significant number of participants in the finance sector, who handle a large volume of personal information, including credit information. The OAIC’s complaint statistics reflect the high level of privacy regulatory activity in this sector. For example, statistics on the most complained about sectors in the OAIC’s Annual Report 2015–16 ranked the finance sector (including superannuation) first, and the credit reporting bodies sector fifth.[5]

EDR schemes that have been recognised by the Australian Information Commissioner form part of the complaint handling framework in the Privacy Act. All credit providers participating in the credit reporting system under Part IIIA of the Privacy Act must be a member of a recognised EDR scheme.[6] FOS and CIO are recognised EDR schemes under the Privacy Act, as are a number of other sector-specific schemes.[7] An individual who considers that an entity has interfered with their privacy may make a complaint to a recognised EDR scheme of which the entity is a member (if the complaint falls within the scope of the scheme’s recognition), before making a complaint to the OAIC.

Reforms to EDR in the financial system should not adversely impact existing dispute resolution mechanisms available to individuals under the Privacy Act, nor access by credit providers to the credit reporting system under Part IIIA of the Privacy Act.

Information Commissioner recognition of EDR schemes

Section 35A(1) of the Privacy Act gives the Information Commissioner the discretion to recognise EDR schemes to handle privacy-related complaints. ‘Recognition’ has important consequences under the Privacy Act. In particular:

  • credit providers participating in the credit reporting system under Part IIIA of the Privacy Act must be a member of a recognised EDR scheme[8]
  • an individual who considers that an entity has interfered with their privacy may make a complaint to a ‘recognised’ EDR scheme of which the entity is a member (if the complaint falls within the scope of the scheme’s recognition), before making a complaint to me, as Information Commissioner[9]
  • the Privacy Act gives me, as Information Commissioner, the discretion to decide not to investigate, or not to investigate further, an act or practice about which a complaint has been made if I am satisfied that the act or practice:
    • is being dealt with by a recognised EDR scheme[10]
    • would be more effectively or appropriately dealt with by a recognised EDR scheme.[11]

Section 35A(2) of the Privacy Act sets out the matters which must be taken into account when considering whether to recognise an EDR scheme:

  • the accessibility of the scheme
  • the independence of the scheme
  • the fairness of the scheme
  • the accountability of the scheme
  • the efficiency of the scheme
  • the effectiveness of the scheme
  • any other matter the Commissioner considers relevant.

Further detail on the requirements for recognition is provided in the Guidelines for recognising external dispute resolution schemes (the EDR Guidelines).[12]

Recognition of the new EDR scheme

The consultation paper does not consider the interoperation of the new EDR scheme with the framework for recognising EDR schemes under the Privacy Act. It is therefore difficult to assess whether it will be possible for the Information Commissioner to ‘recognise’ AFCA under s 35A(1) of the Privacy Act.

Without this recognition, credit providers subject to the AFCA scheme may be unable to disclose credit information to credit reporting bodies,[13] limiting the ability of those credit providers to participate in the credit reporting system.

The draft Bill includes a number of requirements that appear to go some way to addressing the requirements of recognition. In particular:

  • item 2, draft s 1046(2) of the draft Bill sets out the matters that the Minister must take into account when considering whether to authorise an EDR scheme, and these matters appear to be aligned with those under s 35A(2)
  • item 2, draft s 1047(k) provides that the functions of an EDR scheme include commissioning independent reviews of the scheme’s operations and procedures.

These broadly align with many of the conditions for recognition under ss 35A(2) and (3) of the Privacy Act. However, it is not clear to me whether AFCA’s proposed structure and functions will address the two particular matters in the EDR guidelines that are relevant to recognition of an EDR scheme by me. These matters are the remedies the EDR scheme can provide for privacy-related complaints and the EDR scheme’s commitment to privacy.[14]

Additionally, as a condition of recognition, EDR schemes are required to conduct an independent review of their privacy-related complaint handling and to report to my Office on serious or repeated interferences with privacy and systemic issues and data on privacy-related complaints.[15] Whilst item 2, draft ss 1047(h) and 1065 of the draft Bill require reporting breaches of any law to ASIC and APRA, the draft Bill does not appear to provide a requirement that the EDR scheme would report contraventions of the Privacy Act to the OAIC.

AFCA structure and membership

I understand from the draft Bill and the consultation paper that AFCA will operate on an ombudsman model, established by the industry as a company limited by guarantee,[16] with functions to include (under item 2, draft s 1047(a) of the draft Bill):

to make membership of the scheme open to every entity that is required, under a law of the Commonwealth or under the conditions of a licence or permission issued under such a law, to be a member of an external dispute resolution scheme authorised under this Part[.]

As mentioned above, s 21D(2)(a)(i) requires a credit provider to be a ‘member’ of a recognised EDR scheme in order to disclose credit information about an individual to a credit reporting body. In particular, if AFCA’s structure did not allow for ‘members’ (e.g. if AFCA was set up as a tribunal or arbitrator), credit providers would effectively be unable to participate in the credit reporting system, unless they became members of a recognised EDR scheme in addition to participating in AFCA. This may be inconsistent with the intended policy objective of enhancing dispute resolution efficiencies in the financial system.

In addition, to ensure a smooth transition for the complaint handling framework under the Privacy Act, in my view it will be important to ensure that AFCA membership remains open to all existing members of FOS and CIO. I would appreciate clarification as to whether this is the intended effect of item 2, draft s 1047(a).

Credit representatives

Question 7 of the consultation paper asks whether there are any reasons why credit representatives should be required to be a member of an EDR scheme. The consultation paper notes that credit licensees are generally responsible and liable for the actions of their credit representatives.[17]

Removing the requirement for credit representatives to be AFCA members may impact the credit reporting system under Part IIIA of the Privacy Act.

Under the Privacy Act, an agent of a principal credit provider, performing a task that is reasonably necessary in processing an application for credit made to the principal or in managing credit provided by the principal, is itself a credit provider.[18] As such, it may also need to be a member of an EDR scheme to disclose credit information to a credit reporting body.[19]

If the requirement for credit representatives were removed, it would be important that credit representatives who are agents of credit providers under the Privacy Act were nevertheless able to become members of AFCA if they chose to, allowing these credit representatives to continue to disclose credit information and participate in the consumer credit reporting system.

Future engagement

The handling of privacy-related complaints by recognised EDR schemes is an important aspect of the privacy regulatory framework. I would welcome further clarification about how the proposed structure and functions of AFCA would interoperate with the dispute resolution framework in the Privacy Act.

I would also welcome further engagement with Treasury to ensure that AFCA can be ‘recognised’ by the Australian Information Commissioner under s 35A(1) of the Privacy Act, for example in the process of establishing AFCA’s terms of reference to ensure that these allow for recognition.

To discuss these matters further, please contact Sophie Higgins, Director (A/g), Regulation and Strategy Branch, on [contact details removed].

Yours sincerely

Timothy Pilgrim PSM
Australian Information Commissioner
Australian Privacy Commissioner

June 2017

Footnotes

[1] See External dispute resolution and complaints framework.

[2] Draft Explanatory Memorandum, paragraph 1.4.

[3] See Review of the financial system external dispute resolution framework – Issues Paper — submission to the Treasury.

[4] See Review of the financial system external dispute resolution framework — Interim Report.

[5] OAIC Annual Report 2015–16, p 42.

[6] See s 21D(2)(a)(i) of the Privacy Act.

[7] See Recognised EDR schemes.

[8] See s 21D(2)(a)(i) of the Privacy Act.

[9] OAIC complaints resource, Handling Privacy Complaints.

[10] See s 41(1)(dc) of the Privacy Act.

[11] See s 41(1)(dd) of the Privacy Act.

[12] See Guidelines for recognising external dispute resolution schemes.

[13] See s 21D(2)(a) of the Privacy Act.

[14] EDR guidelines, paragraph 3.2.

[15] EDR guidelines, paragraph 4.5.

[16] Consultation paper, p 2.

[17] Consultation Paper, p 8.

[18] See s 6H of the Privacy Act.

[19] See s 21D(2)(a) of the Privacy Act.