Published: 3 May 2024

Dear Treasury,

The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to make a submission in relation to Treasury’s draft Buy Now, Pay Later regulatory reforms.[1]

The OAIC is an independent Commonwealth regulator, established to bring together three functions: privacy functions (protecting the privacy of individuals under the Privacy Act 1988 (Cth) (Privacy Act) and other legislation), freedom of information (FOI) functions (access to information held by the Commonwealth Government in accordance with the Freedom of Information Act 1982 (Cth) (FOI Act)), and information management functions (as set out in the Australian Information Commissioner Act 2010 (Cth)).

Under Part IIIA of the Privacy Act, the OAIC has regulatory responsibility for the privacy protections relating to credit reporting in Australia, including the use and disclosure of credit reporting information. Part IIIA of the Privacy Act is supported by the Privacy (Credit Reporting) Code 2014 (CR Code), which provides further particularisation to regulated entities as to how they should comply with their obligations under Part IIIA of the Privacy Act.[2]

We understand that the proposed reforms will amend the National Consumer Credit Protection Act 2009 (National Credit Act) and the corresponding Regulations to bring BNPL providers under the existing regulatory framework for other credit products. This will mean that the regulatory obligations for these providers are similar to those of existing credit providers.

Credit reporting information can profoundly affect the lives of everyday Australians and can have a significant impact on an individual’s ability to receive a loan. In particular, individuals applying for low-cost credit contracts are often in particularly vulnerable circumstances. Given this, it is important that the impact of BNPL providers on the current landscape be considered holistically, including in the privacy context, to ensure Australians are protected.

In light of the above, consideration may need to be given to whether corresponding amendments would be required to be made to the Privacy Act. The OAIC intends to also raise these matters as a part of the Review of Australia’s Credit Reporting Framework, currently being undertaken (2024 Review of Australia’s CR Framework).[3]

BNPL and the Privacy Act

In 2021, the OAIC commenced its second independent review (the 2021 Review) of the CR Code.[4] Given the proliferation and maturity of BNPL providers and products in the credit reporting landscape, the OAIC called for stakeholder input as part of the 2021 Review regarding potential regulatory changes around BNPL providers and products.[5]

The OAIC’s 2021 Review saw numerous stakeholders raise broad concerns about the regulation of BNPL providers and similar products, and concluded that these concerns should be considered holistically within the context of the broader credit reporting framework.

The report noted that BNPL providers are generally exempt from the Privacy Act where they meet the definition of a ‘non-participating credit provider’ in s 6 of the Privacy Act. This can have various implications, including that such providers are exempt from requirements to manage credit information in an open and transparent manner[6] and correct credit information in accordance with the requirements of Part IIIA of the Privacy Act.[7] Further, notification requirements regarding the collection of credit reporting information would not apply.

The OAIC 2021 Review also found that BNPL providers, and similar products, have the potential to disrupt the credit reporting industry, for example, by causing an inconsistency in reporting on individuals who are in similar financial situations based on the type of product that they are accessing.[8] The OAIC is supportive of the proposed LCC Regulations in this regard that require licensees to obtain credit information from a credit reporting body (CRB) as part of their suitability assessment before providing credit.[9]

The OAIC also heard from stakeholders during its 2021 Review that the existing regime is not well-suited to new and emerging credit products, such as BNPL.[10] Consumer advocates and other stakeholders raised concerns around BNPL entities not being subject to responsible lending obligations and the requirement to hold an Australian Credit Licence (ACL).[11]

As such, we are broadly supportive of the reforms contained in the BNPL Bill requiring low-cost credit contract providers to be regulated by the National Credit Act and National Credit Code, to hold an ACL and be subject to scalable responsible lending obligations, to address stakeholder feedback. We agree with the outcome of Treasury’s review that the current lack of regulation has the potential to result in poor consumer outcomes for individuals.[12] The protection of credit reporting information is an important step in ensuring that Australia’s credit system includes adequate privacy protections for each individual.

Review of Australia’s Credit Reporting Framework

The OAIC is engaging with the independent reviewer in relation to the review of the overall efficiency and effectiveness of Australia’s Credit Reporting Framework, which will consider Part IIIA of the Privacy Act and Part 3-2CA of the National Credit Act.[13]

The OAIC 2021 Review found that a number of issues raised were better placed to be considered as part of the broader review of Part IIIA of the Privacy Act. The Information Commissioner wrote to the Treasurer and Assistant Treasurer about the findings from the 2021 Review in December 2022, and specifically raised matters regarding the regulation of emerging finance products such as BNPL.[14]

We are broadly supportive of the regulation of BNPL providers and products, and of the approach taken in the BNPL Bill and LCC Regulations. However, we note that currently the credit reporting framework in Australia is supported by the National Credit Act and Part IIIA of the Privacy Act. In light of this, consideration should be given to whether corresponding amendments are required to be made to Part IIIA of the Privacy Act, including the definition of a ‘non-participating credit provider’. This will ensure alignment between the two regulatory frameworks and that Australians’ privacy is adequately protected. We appreciate that these changes would need to be considered by Government as a part of the 2024 Review of Australia’s CR Framework, and intend to also raise these matters as a part of that process.

If we are able to be of further assistance to the Department, please contact Assistant Commissioner, Regulation and Strategy Branch.

Yours sincerely

Angelene Falk
Australian Information Commissioner

Carly Kind
Australian Privacy Commissioner

[1] Including the draft Treasury Laws Amendment Bill 2024: Buy Now, Pay Later (BNPL Bill) and the draft National Consumer Credit Protection Amendment (Low-Cost Credit) Regulations 2024 (LCC Regulations).

[2] The CR Code is a legislative instrument made by the Information Commissioner under s 26S of the Privacy Act.

[3] Attorney-General’s Department, Review of Australia's Credit Reporting Framework.

[4] The CR Code includes an important governance mechanism, which requires the OAIC to commence an independent review of the practical operation of the CR Code every 4 years (see CR Code, paragraph 24.3). See final report, OAIC, 2021 Independent review of the Privacy (Credit Reporting) Code, September 2022.

[5] OAIC, 2021 Independent review of the Privacy (Credit Reporting) Code, September 2022, section 2.3.

[6] Privacy Act 1988, s 21B(8).

[7] Privacy Act 1988, ss 21U(5) and 21V(7).

[8] OAIC, 2021 Independent review of the Privacy (Credit Reporting) Code, September 2022, p 39.

[9] Draft National Consumer Credit Protection Amendment (Low Cost Credit) Regulations 2024, s 28HAD.

[10] OAIC (n 1) proposal 8.

[11] OAIC, 2021 Independent review of the Privacy (Credit Reporting) Code, September 2022, section 2.3.

[12] Department of Treasury, Draft Explanatory Memorandum, Treasury Laws Amendment Bill 2024: Buy now, pay later, clause 1.16-1.17.

[13] Attorney-General’s Department, Review of Australia’s Credit Reporting Framework, 27 February 2024.

[14] OAIC, 2021 Independent review of the Privacy (Credit Reporting) Code, September 2022, proposal 8, p 39.