Skip to main content
Skip to secondary navigation
Menu
Australian Government - Office of the Australian Information Commissioner - Home

Review of Code of Banking Practice; Submission to the Review of the Australian Bankers'' Association Code of Banking Practice (August 2008)

August 2008 Office of the Privacy Commissioner 1. The Office of the Privacy Commissioner (the Office) is an independent statutory body whose purpose is to promote and protect privacy in Australia. The Office, established under the Privacy Act 1988 (Cth) (the Privacy Act), has responsibilities for the protection of individuals person...

pdfReview of Code of Banking Practice; Submission to the Review of the Australian Bankers’ Association Code of Banking Practice (August 2008)

August 2008

Office of the Privacy Commissioner

1. The Office of the Privacy Commissioner ('the Office') is an independent statutory body whose purpose is to promote and protect privacy in Australia. The Office, established under the Privacy Act 1988 (Cth) ('the Privacy Act'), has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT Government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses. The Office also has responsibilities under the Privacy Act in relation to credit worthiness information held by credit reporting agencies and credit providers, and personal tax file numbers used by individuals and organisations.

About this submission

2. The Office welcomes the opportunity to comment on the Review of Code of Banking Practice - Issues Paper[1] (' the Issues Paper').The Issues Paper reviews the Code of Banking Practice ('the Code') published by the Australian Bankers' Association.[2]

3. In addition to addressing matters raised in the Issues Paper, this submission draws on the Office's submission to the Australian Law Reform Commission's (ALRC) review of privacy.

4. In particular, the Office commented on two of the credit assessment matters raised in the Issues Paper in its response to the ALRC's Review of Australian Privacy Law Discussion Paper 72 (DP72).[3] These issues were:

  • the use of credit reporting information to pre-screen customers for unsolicited credit; and
  • the calls for the expansion of the credit reporting system to allow 'positive' data to be included, a system known as 'comprehensive credit reporting'.

5. These issues, as relevant to the matters raised in the Issues Paper, are discussed below.

Comments on the Issues Paper

8.1 Credit Assessment - clause 25.1

6. As discussed in the Issues Paper, the Office understands that consumer groups and financial counsellors have called for tighter controls on the credit assessment requirements for unsolicited credit offers. However, the Office would be concerned if this was to be achieved through using credit information to 'pre-screen' customers before making unsolicited credit offers.

7. The Issues Paper discusses submissions made by a range of stakeholders relating to clause 25 of the Code, and particularly credit assessment practices for unsolicited credit offers. Clause 25.1 of the Code states that:

25.1 Before we offer or give you a credit facility (or increase an existing credit facility), we will exercise the care and skill of a diligent and prudent banker in selecting and applying our credit assessment methods and in forming our opinion about your ability to repay it.

8. The Issues Paper goes on to state that:

'Consumer groups and financial counsellors advocated tighter checks on sending out unsolicited offers of personal loans, credit cards and credit card limit increases.  At the very least, credit cards or credit card limit increases should not be offered to customers who might have difficulty in meeting repayments ...'[4]

9. In DP72, the ALRC explained pre-screening 'as the ability of credit providers to use credit reports to "exclude" individuals from direct marketing offers to increase limits or refinance loans'.[5]

10. In practice, the Office understands that the process of pre-screening will usually involve:

  • a credit provider creating a list of individuals to whom they wish to make a credit offer, for example, a new loan or a credit limit increase;
  • the credit provider discloses the potential marketing list of individuals to a credit reporting agency so that it can be 'washed' according to specified criteria against information held by the credit reporting agency; and
  • once the marketing list has been 'washed' according to the defined criteria, the credit reporting agency provides a list of individuals who meet the criteria back to the credit provider for direct marketing of unsolicited credit offers.

11. Under Part IIIA of the Privacy Act, credit reporting information cannot be used or disclosed unless that use or disclosure is specifically listed in sections 18K or 18L, respectively.

12. Further, if any of the information on the marketing list is information derived from credit information reports in the possession or control of the credit provider, it will be subject to the provisions of section18N in Part IIIA.

13. In the Office's view, sections 18K, 18L and 18N do not include provisions that allow for the use or disclosure of credit reporting information and information relating to credit worthiness for the purpose of pre-screening individuals to assess their eligibility for unsolicited credit offers.

14. In addition to being inconsistent with these regulator obligations, this process of pre-screening may reduce transparency for individuals as to how their personal information may be handled. The Office's own community attitude research has revealed the heightened sensitivity that many individuals feel toward their financial information. Accordingly, ensuring that individuals retain appropriate control over such information, including by being transparent in how it may be handled, is important to maintaining community trust and confidence.

15. The Office's response in relation to pre-screening of credit offers is discussed more fully in its submission to the ALRC.[6]

8.1.5 Credit Assessment Methodologies

16. In discussing credit assessment, the Issues Paper states that:

'A further limitation of the above [credit assessment] methodology is that, for privacy reasons, banks are not able to access information on customers or potential customers which might be held by other banks or financial institutions and which might identify for example the existence of multiple credit cards or facilities.'[7]

The Issues Paper goes on to state:

'In the United States, major credit reporting agencies hold and report detailed information about individuals' credit accounts, including current balances.'

17. The Office has commented previously on ways in which credit providers currently have access to confirm a borrower's liabilities with other credit providers via existing provisions in the Privacy Act. The Office's response to the ALRC's Review of Privacy-Credit Reporting Provisions Issues Paper 32 stated that a number of existing provisions in Part IIIA of the Privacy Act allow for more effective credit assessment to occur although they do not appear to be widely utilised.[8]

18. The Office noted that there are current provisions that allow for the handling of information which is not 'negative', that is, does not relate to the fact that an individual may have defaulted on a loan.

19. Specifically, section 18E(1)(b)(v) of the Privacy Act allows a credit provider to list themselves on an individual's credit information file held by a credit reporting agency as being a current credit provider. Additionally, sections 18N(1)(b) and 18N(1)(be)[9] permit the disclosure of information relating to current loans between, respectively, current and prospective credit providers, with the individual's consent. This enables an assessment to be made about the extent of the individual's liability and whether they have the ability to meet their current or prospective financial commitments.

20. The Office notes the reference in the Issues Paper to the additional credit reporting data (comprehensive credit reporting) that is available to credit providers in the United States.[10] The Office recommends caution when making direct comparisons. Regulatory obligations, consumer markets and community attitudes may differ between economies, making direct comparisons problematic.

21. In its response to the ALRC's DP 72, the Office recommended that independent research into comprehensive credit reporting should be conducted to inform any decision regarding changes to credit reporting regulation.

22. Such independent research could assess the impact that comprehensive credit reporting would have on the Australian financial system and Australian consumers. It should particularly focus on the potential privacy implications of establishing large databases of personal financial information. The Office's response in relation to comprehensive credit reporting is discussed more fully in its submission to the ALRC.[11]

8.1.7 Regulatory Framework (p.27)

23. The Issues Paper lists a number of laws which impact on banks in relation to the assessment and provision of credit. The Privacy Act is not listed as one of them. Part IIIA of the Privacy Act has a significant impact on a credit provider's obligations and as such it should be included in the list at 8.1.7.

8.4.4 Privacy Issues in Relation to Guarantees (p. 42)

24. The Issues Paper refers to the Office's previous comments (24 July 2007) regarding the extent to which Clause 28 of the Code is consistent with elements of section 18N of the Privacy Act. Section 18N regulates disclosures by credit providers of personal information in reports relating to credit worthiness. Sections 18N(1)(ba), (bg) and (bh) relate specifically to disclosures by guarantors.

25. Clause 28 of the Code similarly relates to guarantors. This clause lists the circumstances when information relating to the loan may be furnished to the guarantor. The Issues Paper makes an interim recommendation that:

'Clause 28.4 be amended to include a new provision (f) relating to privacy requirements in relation to the disclosure of information under clauses 24.4(b), (c), (d) and (e).'

26. The Office supports such an amendment being made to Clause 28 to clarify that disclosures of debtors' personal information to guarantors should only be made if they are permitted by Part IIIA of the Privacy Act.

8.14.2 Copies of documents - Clause 11 (p.74)

27. The Code states that:

'...you may have rights in respect of that request [for access] under the Uniform Consumer Credit Code or Chapter 7 of the Corporations Act 2001 which are greater than those which apply under this Code. We will comply with that law when it applies. Otherwise Clause 11 applies.'

28. NPP 6 and section 18H(2) of the Privacy Act (and the Credit Reporting Code of Conduct in clauses 2.20-2.22) establish obligations on credit providers to provide individuals with access to personal information. In some cases, these rights may be greater than those in the Code. Accordingly, it is suggested that this clause be amended to include reference to the Privacy Act.

8.14.6 Privacy and Confidentiality - Clause 22 (p.76)

29. The Issues Paper refers to the Office's previous comments on 24 July 2007 regarding the consistency of the privacy and confidentiality provisions in Clause 22 of the Code with section18N and NPP 2.1 in the Privacy Act. The Review proposes in an interim recommendation:

'That any changes to Clause 22 be considered in the context of the report by the Australian Law Reform Commission into privacy legislation.'

30. The Office notes that legislative changes (if any) in response to the ALRC's final recommendations may be unlikely to be enacted in the short term.  Accordingly, the Office suggests that consideration be given to making changes to Clause 22 as part of this Review.  However, if this decision is to be deferred, the Office would welcome the opportunity to make further comment about any changes proposed to clause 22 of the Code.

[1]http://www.reviewbankcode2.com.au/default.aspx?FolderID=212&ArticleID=1175

[2]http://www.bankers.asn.au/default.aspx?FolderID=102

[3]http://www.austlii.edu.au/au/other/alrc/publications/dp/72/

[4] Issues Paper, page 21.

[5] ALRC DP 72 paragraph 53.57 at p. 1488 located at http://www.austlii.edu.au/au/other/alrc/publications/dp/72/

[6] Submission to the Australian Law Reform Commission's Review of Privacy-Discussion Paper 72, pp. 600-604  located at  http://www.privacy.gov.au/materials/types/download/9111/6748

[7] Issues Paper, page 26.

[8] Submission to the Australian Law Reform Commission's Review of Privacy - Issues Paper 32 Credit Reporting Provisions (April 2007) p.77, located at http://www.privacy.gov.au/materials#S

[9] These provisions are supplemented by clauses 2.12 -2.16 of the Credit Reporting Code of Conduct issued by the Privacy Commissioner under s.18A of the Privacy Act.

[10] Issues Paper, page 26.

[11]http://www.privacy.gov.au/publications/submissions/alrc_72/PartG.html#apr22