Mandatory Comprehensive Credit Reporting — submission to the Treasury

23 February 2018

Our reference: D2018/001788

The Manager
Financial Services Unit
Financial System Division
The Treasury
Langton Crescent
Parkes ACT 2600

Dear Manager

Mandatory Comprehensive Credit Reporting consultation

I welcome the opportunity to comment on the exposure draft of the National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018 (the draft Bill), the exposure draft Explanatory Memorandum (the draft EM), and the Ready Reckoner.[1]

The draft Bill would give effect to the Government’s announcement on 2 November 2017 that it would legislate for mandatory comprehensive credit reporting (CCR) to come into effect by 1 July 2018. I understand that the measures set out in the draft Bill are intended to allow credit providers (CPs)[2] to obtain a comprehensive view of a consumer’s financial situation, assisting a CP to meet its responsible lending obligations and price credit according to a consumer’s credit history.[3] They are also intended to provide consumers with better access to consumer credit and to demonstrate their credit worthiness.[4]

In my view, robust information handling practices will be essential to ensure the success and sustainability of this initiative, given it will result in a significant increase in the volume of information in the consumer credit reporting system. The protections contained in the Privacy Act 1988 (Cth) (the Privacy Act) and the Privacy (Credit Reporting) Code 2014 (the CR Code), regulated by the Office of the Australian Information Commissioner (OAIC), provide an important framework for ensuring that risks to personal information are appropriately mitigated. An increased volume of credit information in the system will require proactive oversight and accountability for participants in the scheme. To enhance consumer trust in the scheme, it will be important to ensure the OAIC is resourced to exercise its functions to effectively oversee the handling of credit information in the system.

I note that the existing privacy protections in the Privacy Act and the CR Code, will apply to exchanges of credit information required under the draft Bill.[5] I also note the amendment to s 20Q(3) of the Privacy Act, which would require CRBs to store credit reporting information in Australia, or use a service listed by the Australian Signals Directorate,[6] or in accordance with any CR Code requirements.

While I am confident that the existing privacy framework will help facilitate public trust in this initiative, it will be particularly important to ensure that the mandatory CCR regime in the National Consumer Credit Protection Act 2009 (Cth) (the NCCP Act) and the requirements of the Privacy Act interoperate effectively in practice. For example, a number of proposed amendments to the NCCP Act and the Privacy Act, to be implemented through the draft Bill, will intersect, including:

  • a CP’s supply of information to a CRB must be in accordance with the ‘supply requirements’,[7] which include that the supply is in accordance with the CR Code[8]

  • if there were any inconsistency between the CR Code, a determination made by ASIC under s 133CQ(2) or a technical standard approved by ASIC under s 133CQ(4) as to the requirements for supplying mandatory credit information, the CR Code would prevail to the extent of the inconsistency[9]

  • a CP would not be required to supply eligible credit information to a CRB if the CP reasonably believed that the CRB was not complying with s 20Q of the Privacy Act (including the proposed s 20Q(3)),[10] and provided notice of this belief to the CRB, ASIC, and my Office.[11]

To manage this interoperation, I anticipate that my Office would continue to engage with ASIC where areas of regulatory oversight coincide. Additionally, the draft Bill includes a number of provisions allowing for matters to be prescribed by regulation,[12] and I recommend that the draft Bill include a requirement to consult the Australian Information Commissioner before making any such regulations. This may assist in ensuring that regulations are consistent with the requirements of the Privacy Act and the CR Code. For a similar reason, I recommend including a requirement for ASIC to consult the Australian Information Commissioner before making a determination or approving technical standards under ss 133CQ(2) or 133CQ(4).

I appreciate the early engagement by Treasury staff with my Office, about the implications of mandatory CCR on privacy and the consumer credit reporting system in the development of the draft Bill. My Office looks forward to the continued opportunity to provide input and assistance to Treasury following this public consultation, to ensure that any privacy concerns are addressed and that the credit and privacy frameworks underpinning this initiative will function effectively.

To discuss these matters further, please contact Sophie Higgins, Director, Regulation and Strategy Branch, on [contact details removed].

Yours sincerely

Timothy Pilgrim PSM
Australian Information Commissioner
Australian Privacy Commissioner

23 February 2018

Footnotes

[1] <https://treasury.gov.au/consultation/c2018-t256276/>

[2] Under the draft Bill, the relevant obligations apply to ‘eligible licensees’. Under the definition in the draft Bill, an eligible licensee must be a credit provider as defined in the Privacy Act 1988 (Cth): ss 5(1) and 133CN of the draft Bill.

[3] Draft EM, para 1.12.

[4] Draft EM, para 1.13.

[5] For example, ss 133CP(2), 133CR(1)(d), 133CR(3)(d), 133CQ(1) and 133CQ(5) of the draft Bill. See also draft EM, para 1.19.

[6] <https://www.asd.gov.au/infosec/irap/certified_clouds.htm>

[7] Sections 133CR(1)(c) and 133CR(3)(c) of the draft Bill.

[8] Section 133CQ(1)(a) of the draft Bill.

[9] Section 133CQ(5) of the draft Bill.

[10] The draft Bill would insert a new s 20Q(3) into the Privacy Act 1988 (Cth) requiring CRBs to store credit reporting information either within Australia or an external Territory, or using a service that is listed by the Australian Signals Directorate as a Certified Cloud Service,[10] or in accordance with any requirements set out in the CR Code.

[11] Section 133CS of the draft Bill.

[12] For example, ss 133CN(1)(a) and 133CP(1)(b) of the draft Bill.

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at websitefeedback@oaic.gov.au