Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Economics Legislation Committee—Senate Standing—National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018 [Provisions]—Report, dated June 2018


Download PDF Download PDF

The Senate

Economics

Legislation Committee

National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018 [Provisions]

June 2018

ii

© Commonwealth of Australia 2018

ISBN 978-1-76010-775-8

This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Australia License.

The details of this licence are available on the Creative Commons website: http://creativecommons.org/licenses/by-nc-nd/3.0/au/

Printed by the Senate Printing Unit, Parliament House, Canberra.

iii

Senate Economics Legislation Committee

Committee members Senator Jane Hume (Chair) Victoria, LP

Senator Chris Ketter (Deputy Chair) Queensland, ALP

Senator David Bushby Tasmania, LP

Senator Jenny McAllister New South Wales, ALP

Senator Peter Whish-Wilson Tasmania, AG

Senator Amanda Stoker Queensland, LP

Secretariat Mr Mark Fitt, Secretary Ms Ashlee Hill, Senior Research Officer Ms Hannah Dunn, Administrative Officer

PO Box 6100 Ph: 02 6277 3540

Parliament House Fax: 02 6277 5719

Canberra ACT 2600 E-mail: economics.sen@aph.gov.au

v

Table of Contents

Membership of the Committee ........................................................................ iii

Chapter 1.............................................................................................................. 1

Introduction .............................................................................................................. 1

Conduct of the inquiry ............................................................................................ 2

Context of amendments .......................................................................................... 2

Overview of the bill ................................................................................................ 5

Review of financial hardship arrangements and OAIC guidance ........................ 11

Compatibility with Human Rights ....................................................................... 11

Chapter 2............................................................................................................ 13

Views on the bill ...................................................................................................... 13

General support for the bill................................................................................... 13

Benefits of CCR ................................................................................................... 14

Interaction with the hardship provisions .............................................................. 18

Scope of mandatory CCR ..................................................................................... 26

Data privacy and security ..................................................................................... 28

Vulnerable and lower income consumers ............................................................ 33

Other matters raised .............................................................................................. 36

Committee view .................................................................................................... 37

Additional Comments from Labor Senators .................................................. 41

Repayment history information and the handling of hardship ............................. 41

Concerns raised about cybersecurity risks ........................................................... 44

Concerns raised that the benefits of comprehensive credit reporting will primarily accrue to the finance industry itself ...................................................................... 46

Concerns raised about privacy risks and use of data ............................................ 49

Government's handling of regulating the financial sector .................................... 50

Appendix 1: Submissions, additional information, answers to questions on notice and tabled documents ............................................................................ 53

Appendix 2: Public hearings ............................................................................ 55

Chapter 1 Introduction

1.1 On 28 March 2018, the Senate referred the provisions of the National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018 (the bill) to the Economics Legislation Committee for inquiry and report by 29 May 2018.1 On 22 May 2018, the committee requested an extension of time to report to 5 June 2018 to allow it to consider the evidence received and to conclude its deliberations.2

1.2 The bill implements the government's commitment announced in the 2017-18 Budget to mandate a comprehensive credit reporting (CCR) regime if credit providers did not meet a threshold of 40 per cent data reporting by the end of 2017.

1.3 The bill seeks to address the information asymmetry that currently characterises Australia's credit reporting system; that is, where a consumer has more information about their credit risk than the credit provider, resulting in the potential for mis-pricing and mis-allocation of credit.3

1.4 By correcting this information asymmetry, the bill seeks to allow credit providers to obtain a comprehensive view of a consumer's financial situation, enabling a provider to better meet its responsible lending obligations. The Assistant Minister to the Treasurer, the Hon Michael Sukkar MP, stated that the benefits of a mandatory CCR regime are:

…credit providers will be able to make lending and risk pricing decisions on the basis of comprehensive information, rather than a small fragment of the overall picture.

All lenders who participate in comprehensive credit reporting will have an enhanced capacity to meet their responsible lending obligations. Those obligations are an important part of consumer protection arrangements.

Small credit providers, including innovative fintech firms and new entrants, will be better able to serve customers and assess the lending capacity of potential borrowers.

Placing smaller lenders on a more level playing field with the major banks, in respect of access to credit information, will drive competition in the consumer lending market.4

1 Journals of the Senate, No. 94, 28 March 2018, p. 2978.

2 Senate Economics Legislation Committee, Progress Report, Inquiry into the National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018 [Provisions], 22 May 2018.

3 Explanatory Memorandum, p. 6.

4 The Hon Michael Sukkar MP, Assistant Minister to the Treasurer, House of Representatives Hansard, 28 March 2018, pp. 3016-3017.

2

1.5 The mandatory CCR regime also seeks to benefit consumers and small business as the lending market becomes more competitive and more effective at delivering loans. The Assistant Minister to the Treasurer stated:

Greater competition in the lending market should benefit consumers, by being offered greater access to finance and better pricing.

Those customers who are currently disadvantaged by the existing negative system—by having a thin credit file, or by having a single default marked against them—will have a better chance to build and repair their credit history prior to applying for a major loan.

Small-business owners, entrepreneurs, and sole traders will be empowered to borrow to build their businesses on the basis of strong consumer credit histories.5

Conduct of the inquiry 1.6 The committee advertised the inquiry on its website. It also wrote to relevant stakeholders and interested parties inviting written submissions by 20 April 2018. The committee received 13 submissions, which are listed at Appendix 1.

1.7 The committee held a public hearing in Melbourne on 15 May 2018 for this inquiry. A list of witnesses who appeared at the hearing can be found at Appendix 2.

1.8 References to the Committee Hansard are to the Proof Hansard and page numbers may vary between Proof and Official Hansard transcripts.

1.9 The committee would like to thank all the individuals and organisations that made written submissions and participated in the public hearing.

Context of amendments

Credit reporting—negative, positive and comprehensive credit information

1.10 Credit reporting involves credit reporting bodies collecting consumer and business credit information from a range of public and private sources, including from credit providers. This information is then used by credit reporting bodies to provide reports about an individual's or business' credit worthiness to credit providers.

1.11 A credit report usually includes a 'credit score' which is designed to give the credit provider an indication of the individual or business' ability to repay a line of credit. Consumers are also able to apply to access their credit report.6

1.12 The major credit reporting bodies in Australia are Equifax (formerly Veda), illion (formerly Dun & Bradstreet), and Experian.

5 The Hon Michael Sukkar MP, Assistant Minister to the Treasurer, House of Representatives Hansard, 28 March 2018, pp. 3017.

6 ACCC, Final Determination—Australian Retail Credit Association—A91482, 3 December 2015, p. 7.

3

1.13 Consumer credit information is often categorised as 'negative' or 'positive'. Negative consumer credit information includes credit application enquiries, payment defaults, bankruptcies and court judgements.

1.14 Positive consumer credit information can be categorised as 'Consumer Credit Liability Information' (CCLI) and 'Repayment History Information' (RHI).

• CCLI includes: the type of credit account, how the consumer's credit is to be

paid, whether the term of the credit is fixed or revolving, the length of the term, whether the credit is secured or unsecured.

• RHI includes information about whether or not an individual has met an

obligation to make a periodic payment that is due and payable in relation to consumer credit.7

2014 Privacy Act amendments

1.15 The Australian consumer credit reporting system is regulated by Part 3 of the Privacy Act 1988 (Privacy Act). Historically, in Australia, the information permitted to be shared between credit providers and credit reporting bodies was limited to negative consumer credit information.

1.16 In 2006, the Australian Law Reform Commission (ALRC) commenced an inquiry to address matters relating to the extent to which the Privacy Act and related laws continue to provide an effective framework for the protection of privacy in Australia. The ALRC tabled its inquiry report in 2008, in which it recommended that Australia adopt a system of comprehensive credit reporting to encourage more responsible lending.8

1.17 The Privacy Act was amended in 20129 to allow for the collection and disclosure of positive consumer credit information (CCLI and RHI) in addition to negative information, with the amendments coming into effect in March 2014. By allowing more diverse and positive information to be shared, these 2014 credit reporting reforms opened the door to comprehensive credit reporting and brought Australia more in line with credit reporting systems in other developed economies.

Financial System Inquiry

1.18 In December 2013, the then Treasurer, the Hon Joe Hockey MP, appointed an independent committee to examine how the financial system could be positioned to best meet Australia's evolving needs and support Australia's economic growth (the Financial System Inquiry (FSI)). The final report of the FSI was released in December 2014.

7 ACCC, Final Determination—Australian Retail Credit Association—A91482, 3 December 2015, p. 8.

8 Australian Law Reform Commission, Australian Privacy Law and Practice (ALRC Report 108), 12 August 2008, https://www.alrc.gov.au/publications/report-108 (accessed 5 June 2018).

9 See Privacy Amendment (Enhancing Privacy Protection) Act 2012.

4

1.19 The FSI recognised that:

More comprehensive sharing of credit data would reduce information imbalances between lenders and borrowers. It would also facilitate borrowers switching between lenders and greater competition among lenders. Overall, more comprehensive credit reporting would likely improve credit conditions for borrowers, including SMEs10.

1.20 The FSI also acknowledged industry efforts being undertaken at the time to implement a voluntary CCR regime through development of a data-sharing agreement—later formalised through the Principles of Reciprocity and Data Exchange (PRDE)—based on reciprocity between credit providers.11

1.21 The final report of the FSI noted that as participation in the CCR regime is voluntary, 'the pace and extent of eventual participation in the regime is not yet clear'.12 The report recommended that if, over time, participation under the new voluntary CCR regime is inadequate, government should consider legislating mandatory participation.13

1.22 In its response to the FSI, the government agreed to support industry efforts to implement the CCR regime, but indicated it would not legislate for mandatory participation at this stage. The response noted that 'the CCR regime has been in place for a little over a year and authorised deposit-taking institutions are still in the process of working to participate in the regime'.14

Productivity Commission Inquiry—Data Availability and Use

1.23 In response to a recommendation of the FSI15, in March 2016, the Treasurer tasked the Productivity Commission (the Commission) to undertake an inquiry into the benefits and costs of options for increasing availability and improving the use of public and private sector data by individuals and organisations.

1.24 The Commission reported that 'to date, none of the major banks has begun sharing comprehensive credit data publicly'. 16 The Commission recognised that:

The incentives for an institution to participate in comprehensive credit reporting can be mixed and quite complex. Participation depends on the perceived net benefits, which will differ between different classes of credit provider.

10 Financial System Inquiry, Final Report, December 2014, p. 191.

11 Financial System Inquiry, Final Report, December 2014, p. 191.

12 Financial System Inquiry, Final Report, December 2014, p. 191.

13 Financial System Inquiry, Final Report, December 2014, p. 190.

14 Australian Government, Improving Australia's financial system—Government response to the Financial System Inquiry, October 2015, p. 17.

15 The 2014 Financial System Inquiry recommended that the government task the Productivity Commission to review the benefits and costs of increasing the availability and improving the use of data.

16 Productivity Commission, Data Availability and Use—Inquiry Report, March 2017, p. 555.

5

For a major institution with a relatively large customer base, early and full participation may provide, at least initially, relatively small benefits than to other participants—thus diluting their competitive advantage.17

1.25 In light of the above, the Commission recommended that:

The Australian Government should adopt a minimum target for voluntary participation in Comprehensive Credit Reporting of 40% of all active credit accounts, provided by Australian Securities and Investments Commission (ASIC)-licensed credit providers, for which comprehensive data is supplied to the credit bureaux in public mode.

If this target is not achieved by 30 June 2017, the Government should circulate draft legislation by 31 December 2017, to impose mandatory participation in Comprehensive Credit Reporting (including the reporting of repayment history) by ASIC-licensed credit providers in 2018.18

1.26 The government agreed with this recommendation, giving the industry a further six months, to the end of 2017, to meet the 40 per cent target.19

Announcement to introduce mandatory regime

1.27 On 2 November 2017, the Treasurer, the Hon Scott Morrison MP, announced that the government would introduce legislation for a mandatory regime as it was clear the 40 per cent target would not be met. At the time of the Treasurer's announcement, participation was at less than one per cent.20

Draft bill released for consultation

1.28 On 8 February 2018, the government released exposure draft legislation: the National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018, and accompanying explanatory material, which proposed to legislate a mandatory CCR regime, for consultation. The closing date for submissions on the draft legislation was 23 February 2018, and the submissions are publicly available.21

Overview of the bill 1.29 The bill amends the National Consumer Credit Protection Act 2009 (Credit Act) and the Privacy Act to:

• establish a mandatory CCR regime to apply from 1 July 2018;

17 Productivity Commission, Data Availability and Use—Inquiry Report, March 2017, p. 556.

18 Productivity Commission, Data Availability and Use—Inquiry Report, March 2017, p. 235.

19 The Hon Michael Sukkar MP, Assistant Minister to the Treasurer, House of Representatives Hansard, 28 March 2018, p. 3015.

20 The Hon Scott Morrison MP, Treasurer, 'Mandating comprehensive credit reporting', Media Release, 2 November 2017.

21 Treasury, Mandatory Comprehensive Credit Reporting, https://treasury.gov.au/consultation/c2018-t256276/ (accessed 5 June 2018).

6

• expand the Australian Securities and Investments Commission's (ASIC)

powers so it can monitor compliance with the mandatory regime; and

• impose additional requirements as to where and how data held by a credit reporting body must be stored.

1.30 As noted in the Explanatory Memorandum, the mandatory CCR regime 'recognises that industry stakeholders have already taken steps to support sharing comprehensive credit information' (including the PRDE and Australian Credit Reporting Data Standard)22 and that, to the extent possible, the mandatory regime 'operates within the established industry framework but also provides scope for future technological developments'.23

Application

1.31 The mandatory CCR regime will apply to 'eligible licensees' and their subsidiaries. An eligible licensee is a credit provider who holds an Australian credit license, and who is a 'large' Authorised Deposit-taking Institution (ADI) on 1 July 2018. An ADI is considered large when its total resident assets are greater than $100 billion (i.e. the big four banks).24

1.32 Other credit providers will be subject to the regime if they are prescribed in regulations.25 The government expects that regulations would be made after the mandatory regime has been in operation for a period of time and other credit providers are not voluntarily supplying data.26

Implementation

1.33 Those credit providers who are eligible licensees as at 1 July 2018 will be required under the mandatory CCR regime to undertake an initial bulk supply of credit information. This initial bulk supply of credit information is split across two years:

• By 28 September 2018 (within 90 days of the mandatory regime's

commencement), large ADIs must supply credit information on 50 per cent of the consumer credit accounts within the banking group to all credit reporting bodies the large ADI had a contract with on 2 November 2017.

• By 28 September 2019, large ADIs must supply credit information on the

remaining accounts, including those that open after 1 July 2018 and those held by subsidiaries of the large ADI to the same credit reporting bodies as the first bulk supply.27

22 The Australian Credit Reporting Data Standard (ACRDS) has been developed by ARCA Members to define the requirements for reporting of credit accounts, and events relating to those accounts, between credit providers and credit reporting bodies in Australia.

23 Explanatory Memorandum, p. 7.

24 Explanatory Memorandum, p. 6.

25 Explanatory Memorandum, p. 6.

26 Explanatory Memorandum, p. 11.

27 Explanatory Memorandum, pp. 6-7.

7

1.34 Large ADIs that have supplied credit information under the mandatory CCR regime will also be subject to an ongoing requirement to keep information accurate, complete and up-to-date, including by providing information on subsequently opened accounts.28

Meeting obligations under the mandatory regime

1.35 To meet its obligations under the mandatory CCR regime, a credit provider must supply 'mandatory credit information' on its 'eligible credit accounts' to all 'eligible credit reporting bodies'.29

1.36 'Mandatory credit information' is 'credit information' as defined by the Privacy Act. It includes:

• identification information;

• consumer credit liability information;

• repayment history information;

• default information;

• payment information; and

• new arrangement information. 30

1.37 An 'eligible credit account' is defined in the bill as an account on which 'consumer credit' is or can be taken that is held by a natural person. Consumer credit is defined in the Privacy Act, and includes credit for personal, family or household purposes or to purchase or renovate a house (i.e. mortgage accounts, credit cards, overdraft facilities and personal loans).31

1.38 The regulation making power in the bill enables the prescription of a type of credit account which is not an eligible credit account. The government expects that this regulation making power could be used where the supply of information of some accounts is not necessary to ensure transparency within the mandatory CCR regime and may impose a disproportionate regulatory burden on a credit provider. 32

1.39 An 'eligible credit reporting body' for an eligible licensee that must meet the bulk supply requirements on 1 July 2018 is defined as 'a body that had a contract with the licensee under paragraph 20Q(2)(a) of the Privacy Act on 2 November 2017'.33

28 Explanatory Memorandum, pp. 6 and 7.

29 Explanatory Memorandum, p. 25.

30 Explanatory Memorandum, p. 25. Note each of these terms is defined in the Privacy Act.

31 Explanatory Memorandum, p. 27.

32 Explanatory Memorandum, p. 27.

33 Explanatory Memorandum, p. 28.

8

Monitoring and compliance

1.40 ASIC is responsible for administering the Credit Act. The bill extends ASICs monitoring and compliance powers—including enforcement, information gathering and investigative powers—to cover eligible licensees and credit reporting bodies in the mandatory CCR regime.34

1.41 Credit reporting bodies are currently regulated by the Privacy Act and Privacy Code and the Office of the Australian Information Commissioner (OAIC). As a result of amendments in the bill, credit reporting bodies who receive mandatory credit information will be regulated by ASIC for the purposes of the mandatory CCR regime.

1.42 The amendments proposed in the bill provide ASIC with the ability to:

• seek information from an eligible licensee and credit reporting body;

• seek assistance from an eligible licensee and credit reporting body; and

• inspect books or seek information from a third party. 35

1.43 The bill proposes that new civil and criminal penalties and offence provisions be included in the Credit Act where a licensee or a credit reporting body does not meet their obligations under the mandatory CCR regime. These include the following:

• ASIC may seek a civil penalty where an eligible licensee fails to supply credit

information as required under the mandatory regime.

• ASIC may seek a civil penalty where a credit reporting body does not

disclose, or where it discloses when it should not, information that it has received under the mandatory regime.

• ASIC may also seek a criminal sanction if either a licensee or credit reporting

body has breached a requirement under the mandatory regime.36

1.44 Circumstances in which ASIC may seek a criminal sanction include:

…failing to make the initial bulk supplies or ongoing supply of credit information when the eligible licensee reasonably believes the credit reporting body is meeting its security requirements in the Privacy Act, failing to supply statements to the Treasurer or failing to notify the credit reporting body, ASIC and the Information Commissioner when the licensee subsequently believes the credit reporting body is meeting the security requirements.37

1.45 The penalty regime applied as part of the mandatory CCR regime is consistent with that already existing under the Credit Act. Civil penalties sought by ASIC must be imposed by a court. The maximum penalty that could be applied under the

34 Explanatory Memorandum, pp. 7, 32 and 35.

35 Explanatory Memorandum, p. 35.

36 Explanatory Memorandum, pp. 33-34.

37 Explanatory Memorandum, p. 34.

9

mandatory CCR regime is 2000 penalty units for an individual (currently $420,000) and 10,000 penalty units for a body corporate (currently $2.1 million). The maximum criminal penalty that can be applied is 100 penalty units ($21,000) for an individual.38

1.46 The explanatory memorandum notes that the government intends make a regulation under the existing powers of the Credit Act for the purposes of the mandatory CCR regime to provide ASIC with the ability to issue infringement notices as an alternative to pursuing civil proceedings in court.39 To date, an exposure draft of this regulation has not been released.

1.47 In addition to the monitoring and compliance measures outlined, credit providers and eligible credit reporting bodies will be required to provide statements to the Treasurer relating to their compliance with the initial bulk supply of credit information under the mandatory regime. Statements must be provided to the Treasurer within 6 months of both the first and second bulk supply.40

Privacy and security of data

1.48 The amendments proposed in the bill 'do not require or allow disclosure, use or collection of credit information beyond what is already permitted under the Privacy Act and Privacy Code'.41 The bill is reliant on the existing protections under the Privacy Act and Privacy Code, as well as the oversight of the OAIC,42 to preserve the security and privacy of consumers’ credit information.43

1.49 However, the bill amends the Privacy Act such that credit reporting bodies will have a new obligation as to where credit reporting information is stored. Specifically, credit reporting bodies will be required to store credit reporting information in Australia, with a service that is a certified Cloud Service listed by the Australian Signals Directorate (ASD), or that meets the conditions of the Privacy Code.44

1.50 Section 20Q of the Privacy Act requires a credit reporting body to take reasonable steps to protect the information it receives, including from misuse, interference and unauthorised access.

38 Explanatory Memorandum, pp. 34 and 35

39 Explanatory Memorandum, pp. 34-35.

40 Explanatory Memorandum, pp. 31-32.

41 Explanatory Memorandum, p. 6.

42 The Privacy Act confers on the Australian Information Commissioner a range of privacy regulatory powers. These include powers that allow the Office of the Australian Information Commissioner to work with entities to facilitate legal compliance and best privacy practice, as well as investigative and enforcement powers to use in cases where a privacy breach has occurred.

43 Explanatory Memorandum, pp. 7 and 9.

44 Explanatory Memorandum, p. 38.

10

1.51 The bill enables a licensee to withhold the supply of mandatory credit information where a licensee does not believe the credit reporting body is meeting its information security obligations under the Privacy Act. In such circumstances, a licensee is required to notify the credit reporting body, ASIC and the Australian Information Commissioner.45 The bill sets out the process and timeframes relating to these notification obligations.46

1.52 The intent of these provisions of the bill is to ensure that 'a licensee's ability to have its own security requirements for the information it discloses is not weakened'.47

Statutory review

1.53 The bill contains a statutory review provision, whereby the Treasurer must cause an independent review of the mandatory CCR regime to be completed by 1 January 2022.48 The Assistant Minister to the Treasurer outlined the government's expectations of the review:

We expect that this review will provide an opportunity for the government to confirm that the system is operating as intended; and to consider the impacts of the system on consumers and industry, whether the scope of the system should be expanded, and whether alternate frameworks for credit reporting would be more appropriate given technological changes or, again, changes in the security environment.49

Legislative scrutiny

1.54 In its Scrutiny Digest 5 of 2018, the Senate Standing Committee for the Scrutiny of Bills noted that the bill leaves significant elements of the proposed mandatory CCR regime to delegated legislation, and is seeking advice from the Treasurer as to the appropriateness of leaving matters that may have significant impacts on individuals' privacy to delegated legislation.50

1.55 In its Scrutiny Report 4 of 2018, the Parliamentary Joint Committee on Human Rights raised questions as to the compatibility of the mandatory CCR scheme with the right to privacy and is seeking advice from the Treasurer as to: whether there is reasoning or evidence that establishes that the stated objective addresses a pressing or substantial concern or whether the proposed changes are otherwise aimed at achieving a legitimate objective; how the measure is effective to achieve (that is, rationally connected to) that objective; and whether the limitation is a proportionate limitation on the right to privacy (including whether the requirement to provide

45 Explanatory Memorandum, p. 13.

46 See Explanatory Memorandum, pp. 14-21.

47 Explanatory Memorandum, p. 13.

48 Explanatory Memorandum, p. 8.

49 The Hon Michael Sukkar MP, Assistant Minister to the Treasurer, House of Representatives Hansard, 28 March 2018, pp. 3018.

50 Senate Standing Committee for the Scrutiny of Bills, Scrutiny Digest 5 of 2018, 9 May 2018, pp. 34-39.

11

comprehensive credit information is sufficiently circumscribed, and information as to the adequacy and effectiveness of safeguards).51

Review of financial hardship arrangements and OAIC guidance 1.56 Financial hardship arrangements are currently regulated under the National Credit Code in the National Consumer Credit Protection Act 2009 (NCCP Act). However, under the Privacy Act, a person who has entered into a hardship arrangement with a credit provider does not have that arrangement reflected in their RHI or, consequently, in their consumer credit report. Stakeholders in the government's consultation on the draft legislation, as well as to this inquiry, highlighted this as a significant issue to be resolved as a priority.

1.57 On 28 March 2018, the Attorney-General, the Hon Christian Porter MP, announced that the government will conduct a review of financial hardship arrangements, including looking into the intersection between hardship arrangements and the credit reporting framework.52

1.58 As noted in the Attorney-General's announcement:

The review will respond to concerns raised by industry and consumer-advocacy groups around how hardship arrangements are treated and will make recommendations on whether reforms are required.53

1.59 The review is expected to be completed by late 2018.

1.60 In an effort to enhance clarity in regards to the way credit providers report information about an individual's RHI to credit reporting bodies, the OAIC has published guidance about the reporting of RHI and default information in circumstances of financial hardship. The OAIC has also published guidance about the meaning of 'repayment history information' where a consumer credit contract is varied or an arrangement, known to the industry as an indulgence, is in place.54

Compatibility with Human Rights 1.61 As required under the Human Rights (Parliamentary Scrutiny) Act 2011, the government has assessed the bill's compatibility with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of that Act. The government considers that the bill is compatible.55

51 Parliamentary Joint Committee on Human Rights, Scrutiny Report 4 of 2015, pp. 12-16.

52 The Hon Christian Porter MP, Attorney-General for Australia, 'Review of financial hardship arrangements', Media Release, 28 March 2018.

53 The Hon Christian Porter MP, Attorney-General for Australia, 'Review of financial hardship arrangements', Media Release, 28 March 2018.

54 Office of the Australian Information Commissioner, Submission 12, p. 3.

55 Explanatory Memorandum, p. 41.

Chapter 2 Views on the bill

2.1 This chapter summarises the views held by stakeholders on the provisions of the bill and its effects.

General support for the bill 2.2 Submitters and witnesses were broadly supportive of the bill and its key intention of increasing competition and providing Australians with better access to finance through mandating comprehensive credit reporting (CCR).1

2.3 The Australian Retail Credit Association (ARCA) welcomed the certainty that the introduction of mandatory CCR will provide, noting that it agrees with the Treasurer, the Hon Scott Morrison MP's, description of a functioning CCR system as 'a vital part of Australia's economic infrastructure'.2

2.4 ARCA further submitted that:

ARCA considers that the Bill establishes an appropriate mechanism for mandating the supply of credit reporting data by the major banks, and— subject to the finalisations of the Regulations—ensures that the industry developed frameworks relating to on-disclosure are supported.3

2.5 Mr Michael Laing, Executive Chairman of ARCA, told the committee that because of the introduction of a mandatory CCR regime for the four major banks, as proposed by the bill, 'other credit providers have joined or are close to the point of joining the system'.4 Mr Laing also noted that 'one of the major banks, the National Australia Bank, is already reporting, with the other three having invested in and developed systems to share their comprehensive information shortly'.5

2.6 ANZ characterised CCR as 'an important tool for credit providers (CP) to improve outcomes for consumers and the quality of credit decisions'. ANZ also noted that 'CCR will help credit providers improve the level and efficiency of compliance with responsible lending provisions in the National Consumer Credit Protection Act 2009 (NCCP Act)'.6

1 See, for example, Australian Finance Industry Association, Submission 6, p. 1; Australian Retail Credit Association, Submission 7, pp. 2-3; illion, Submission 4, pp. 1 and 4-5.

2 Australian Retail Credit Association, Submission 7, p. 2.

3 Australian Retail Credit Association, Submission 7, p. 3.

4 Mr Michael Laing, Executive Chairman, Australian Retail Credit Association, Committee Hansard, 15 May 2018, p. 44.

5 Mr Michael Laing, Executive Chairman, Australian Retail Credit Association, Committee Hansard, 15 May 2018, p. 44.

6 ANZ, Submission 13, p. 2.

14

2.7 Westpac Group (Westpac) expressed its support for the bill, noting that it 'will provide long term benefits for both consumers and credit providers'.7

2.8 illion submitted that with poor take-up of CCR following its introduction in 2014, it 'strongly concurs with the need for a mandatory approach'.8 illion described the bill as 'an important and pressing next step towards the full implementation of an effective CCR regime in Australia'.9

2.9 Mr Poli Konstantinidis, Executive General Manager, Credit Services and Decision Analytics A&NZ, Experian, applauded the progress which has been made on CCR in Australia. Mr Konstantinidis further commented that 'I think we are well on our way to an effective CCR regime'.10

Benefits of CCR 2.10 Inquiry participants were in broad agreement with regard to the consumer and economic benefits of CCR. Specifically, submitters and witnesses noted the positive impact that an effective CCR regime will have with regard to increasing competition in the market. Overall, participants agreed that by better supporting credit providers' understanding and thereby the pricing of credit risk, CCR will facilitate consumers' access to suitable credit and better enable credit providers to meet their responsible lending obligations.

Increased competition

2.11 The provision of CCR data into the credit-reporting system will facilitate competition in the market by allowing for a more granular assessment of consumer credit risk. As summarised by ANZ, 'CCR allows CPs [credit providers] to share information and gain a more detailed picture of a consumer's financial situation'.11

2.12 Mr Steven Brown, Director, Bureau Engagement at illion, explained for the committee how CCR would increase competition and thereby benefit consumers by reducing information asymmetries and 'levelling the playing field' between credit providers:

Not only does an information asymmetry exist between lenders and borrowers, there are also data differences between lenders. In other words, if I am a very large bank, I may have a lot of information on which to draw upon to make credit decisions; if I am a small fin tech, a start-up lender, clearly I would have less information available to me to make a credit decision, so the information asymmetry between borrowers and lenders is even greater if I am a smaller player. The provision of this information into the credit-reporting system allows a level playing field across lenders,

7 Westpac Group, Submission 11, p. 1.

8 illion, Submission 4, p. 1.

9 illion, Submission 4, p. 4.

10 Mr Poli Konstantinidis, Executive General Manager, Credit Services and Decision Analytics A&NZ, Experian, Committee Hansard, 15 May 2018, p. 37.

11 ANZ, Submission 13, p. 2.

15

which makes the small lenders more competitive. So borrowers should expect higher degrees of competition in financial services. They should also expect to see a lender that's got a greater understanding of their ability to take on additional credit and therefore better credit decision-making.12

Consumer benefits

2.13 PERC summarised the flow-on benefits to consumers of a CCR system that promotes competition between credit providers:

Improved access to credit, particularly for the under-served, lower costs for both consumers and lenders, and lower default rates have all been proven to be the outcome of a CIS [credit information system] system designed to promote competition among lenders, particularly in markets where monopolies or oligopolies exist.13

2.14 Similarly, illion submitted that for consumers, 'CCR will facilitate greater competition in the market, thereby increasing access to more affordable and innovative products'. illion elaborated on this point, commenting that:

Borrowers with positive credit histories, for example, will have greater opportunities to benefit from their actions and behaviour, while those previously excluded due to a lack of information may now be able to access mainstream credit (as opposed to being unable to borrow at all, or reverting to unscrupulous credit providers).14

2.15 Importantly, illion also noted that the introduction of CCR data better allows for individuals in a vulnerable credit situation to be identified and assisted earlier.15

2.16 ARCA referred the committee to a KPMG report on the benefits of enhanced credit data. The KPMG report recognised that the more detailed assessments of consumers' ability to service debts 'would reduce the proportion of credit applications declined on a relatively arbitrary basis due to lack of credit data' and that, in turn, 'this could provide considerable social benefits to those currently marginalised by the financial system'.16

2.17 Mr Laing of ARCA argued that the increased competition brought about by the supply of CCR data 'is already delivering benefits to Australian consumers through better-tailored products, empowering fintech entrants to challenge the

12 Mr Steven Brown, Director, Bureau Engagement, illion, Committee Hansard, 15 May 2018, p. 37.

13 PERC, Submission 1, p. 2.

14 illion, Submission 4, p. 3.

15 illion, Submission 4, p. 3.

16 KPMG, Report to the Australian Retail Credit Association: The benefits of enhanced credit data exchange, January 2015, p. 7, as cited in Australian Retail Credit Association, Submission 7, p. 4.

16

established financial service providers and spark industry into better servicing Australians'.17 Mr Laing provided the committee with the following example:

Recent advice from a well-known fintech is that, following the sharing of comprehensive data by NAB and HSBC, fintech found it could reduce interest rates that it was already charging for most of those banks' customers, saving those customers, on average, up to $1,000 over the term of a three- to five-year loan.18

2.18 Mr Brown from illion presented the committee with examples of the benefits of CCR experienced in other jurisdictions, including better access to credit, particularly for those consumers who are younger or on lower incomes, and reductions in the number of individuals that default on loans:

For example, in the US, CCR enabled an uplift of 40 per cent for what we classify as the underserved segments—so some of the lower income, younger segments—according to 2010 research by the Organisation for Economic Cooperation and Development. In Hong Kong, credit card lending increased by almost 10 per cent in two years following the introduction of CCR according to the Hong Kong monetary authority. And in Japan, we saw the probability of delinquencies greater than 16 days past due date reduced by 34 per cent, according to the policy and economic research council.19

Meeting responsible lending obligations

2.19 Under the NCCP Act, holders of an Australian credit licence must comply with the responsible lending conduct obligations. The responsible lending obligations are aimed at ensuring that credit licensees do not enter into a credit contract with a consumer, suggest a credit contract to a consumer, or assist a consumer to apply for a credit contract if the credit contract is unsuitable for the consumer.20

2.20 Before providing credit assistance to a consumer, a credit licensee must make a preliminary assessment about whether the credit contract will be unsuitable for the consumer. To do this, a credit licensee must make reasonable inquiries about the consumer's financial situation, and their requirements and objectives; and take reasonable steps to verify the consumer's financial situation.21 A credit licensee is

17 Mr Michael Laing, Executive Chairman, Australian Retail Credit Association, Committee Hansard, 15 May 2018, p. 44.

18 Mr Michael Laing, Executive Chairman, Australian Retail Credit Association, Committee Hansard, 15 May 2018, p. 44.

19 Mr Steven Brown, Director, Bureau Engagement, illion, Committee Hansard, 15 May 2018, p. 37. See also Mr Michael Laing, Executive Chairman, Australian Retail Credit Association, Committee Hansard, 15 May 2018, p. 48.

20 Australian Securities and Investments Commission, Responsible lending, https://asic.gov.au/regulatory-resources/credit/responsible-lending/ (accessed 28 May 2018).

21 National Consumer Credit Protection Act 2009, s. 117.

17

prohibited from providing credit assistance to a consumer in relation to a credit contract if the contract will be unsuitable for the consumer.22

2.21 Mr Ian Gilbert, Executive Director, Legal and Regulation at the Australian Banking Association (ABA), explained how CCR will allow credit providers to better meet their responsible lending obligations once a consumer is already approved for a loan:

A customer's financial situation is important to understand. We've heard this morning, and we support, that the responsible lending obligations under the National Credit Code or the National Consumer Credit Protection Act are very strong provisions. But they don't provide for what happens after a loan has been made, responsibly, and a customer subsequently falls into financial difficulty. The credit-reporting system is going to provide that additional piece of information about how that customer's going with their credit facility, including the fact that the bank may record the fact that there's a missed payment and to understand why that has occurred.23

2.22 Mr Laing of ARCA also commented on the benefits that CCR will provide with regard to credit providers meeting their lending obligations under the NCCP Act, noting that the need to enhance responsible lending has been a key matter under consideration in the current financial services Royal Commission:

[CCR] will ensure a more robust environment that enables financial service providers to lend more responsibly, which benefits both consumers and lenders. The need to enhance responsible lending has been a key take-out of the current royal commission into banking. The commissioner has already highlighted the need to use actual data to verify information on a lending application. And I can say with certainty that comprehensive information is a critical independent verification tool that will better support responsible lending. It's a tool that allows a lender to have greater transparency over what credit cards, home loans, personal loans and other types of credit a consumer has and, equally important, their track record for repayment.24

Other consumer benefits

2.23 Mr Brown from illion argued that, by increasing the overall transparency of credit reporting, CCR will have benefits for consumers in the form of increased financial literacy:

I think what we should expect from a comprehensive credit-reporting system with all the big banks data in it as a result of this bill is a much more understandable system for consumers. By relying more on the repayment history information, with their performance as a borrower being more clearly visible then consumers can reasonably understand whether they can

22 National Consumer Credit Protection Act 2009, ss. 123(1).

23 Mr Ian Gilbert, Executive Director, Legal and Regulation, Australian Banking Association Incorporated, Committee Hansard, 15 May 2018, p. 27.

24 Mr Michael Laing, Executive Chairman, Australian Retail Credit Association, Committee Hansard, 15 May 2018, p. 44.

18

afford additional credit and understand how their credit worthiness is measured and impacted and understood by borrowers. It's a much more transparent system.25

2.24 The committee also heard from Mr Brown that effective CCR will result in a fairer system for consumers, whereby borrowers are better able to 'rehabilitate' their credit history when they acquire a default on their credit report:

The other thing that consumers should expect is obviously a fairer system. If we think about how the system operates today in a negative credit-reporting environment, we've got a situation where I can have a default on my credit report, which could essentially lock me out of mainstream credit for up to five years. In a properly operating comprehensive credit-reporting environment I have the ability to rehabilitate myself through making regular repayments. Those repayments then become visible to lenders and, indeed, I can then take on more mainstream credit. Borrowers should expect a fairer credit-reporting system under this bill.26

Interaction with the hardship provisions 2.25 A key concern raised by most inquiry participants was the interaction between the mandatory credit information required to be provided under the CCR regime— specifically, the requirement to provide repayment history information (RHI) in accordance with section 6V of the Privacy Act 1988 (Privacy Act)—and the hardship provisions contained under the National Credit Code (NCC).

Operation of financial hardship provisions

2.26 Financial hardship is regulated under the NCC in Schedule 1 of the NCCP Act, which is overseen by the Australian Securities and Investments Commission (ASIC).

2.27 Section 72 of the NCC provides for a debtor to give a credit provider a 'hardship notice', either orally or in writing, when they are unable to meet their repayment obligations under a credit contract, and when they reasonably expect to be able to discharge those obligations if the terms of the contract were changed.27

2.28 The credit provider may request further information from the debtor, either orally or in writing, within 21 days of receiving the hardship notice. The debtor must provide the relevant information within 21 days of the credit provider's request. The credit provider must respond to the debtor's hardship notice within a set time frame, notifying the debtor of the decision and, if the hardship notice is refused, the reasons for refusal.28

25 Mr Steven Brown, Director, Bureau Engagement, illion, Committee Hansard, 15 May 2018, p. 38.

26 Mr Steven Brown, Director, Bureau Engagement, illion, Committee Hansard, 15 May 2018, p. 38.

27 National Credit Code, ss. 72(1).

28 National Credit Code, ss. 72(2).

19

2.29 Where a credit provider agrees to enter into an agreement with the debtor to change a credit contract as a result of financial hardship (a financial hardship agreement), section 73 of the NCC requires that the credit provider give the consumer a notice in writing within 30 days after the agreement is made stating the particulars of the change.29

2.30 However, there is an exception to this section 73 requirement for a credit provider to provide a written notice to a debtor. Under section 203A of the NCC, ASIC may exempt a person, contract, mortgage, guarantee or consumer lease from all or specified provisions of the NCC.30

2.31 Accordingly, ASIC Class Order [CO 14/41] exempts a credit provider from the obligation to provide a written notice to a debtor if the financial hardship agreement entered into is a 'simple agreement'. A simple agreement is defined as 'an agreement that defers or reduces the obligations of a lessee [debtor] for a period of no more than 90 days'.31

2.32 A range of different payment arrangements may be made between a credit provider and an individual where the individual is in financial hardship and unable to meet the terms of a consumer credit contract. An arrangement may involve a formal variation to the terms of a consumer credit contract. Alternatively, a simple agreement made between a credit provider and debtor may not result in a formal variation— known to industry as an 'indulgence'.

2.33 Ms Angelene Falk, the Acting Information Commissioner and Acting Privacy Commissioner, summarised in simple terms what an indulgence may look like:

In other cases there might be what's known in the industry as an indulgence made—that is, perhaps not a formal variation to a contract but a meeting of the minds between the consumer and the credit provider that monthly payments have been changed for perhaps a particular period of time and that the credit provider will not call on the original contract price for payment.32

Reporting of Repayment History Information

2.34 Concurrent to the financial hardship requirements under the NCC, as outlined above, credit providers have obligations under the Privacy Act 1988 (Privacy Act) in regards to the way they report an individual's repayment history information (RHI) to credit reporting bodies.

2.35 Credit providers are required to report an individual's RHI in accordance with section 6V of the Privacy Act. Subsection 6V(1) of the Privacy Act defines repayment history information as:

29 National Credit Code, ss. 73(1).

30 National Credit Code, s. 203A.

31 ASIC Class Order [CO 14/41], National Credit Code, ss. 203A(3).

32 Ms Angelene Falk, Acting Information Commissioner and Acting Privacy Commissioner, Office of the Australian Information Commissioner, Committee Hansard, 15 May 2018, p. 3.

20

(1) If a credit provider provides consumer credit to an individual, the following information about the consumer credit is repayment history information about the individual:

(a) whether or not the individual has met an obligation to make a monthly payment that is due and payable in relation to the consumer credit;

(b) the day on which the monthly payment is due and payable;

(c) if the individual makes the monthly payment after the day on which the payment is due and payable—the day on which the individual makes that payment.33

2.36 As explained by Ms Falk, in circumstances where an individual has made an application to a credit provider for hardship assistance, currently, the Privacy Act prevents the credit provider from disclosing to a credit reporting body the fact that a hardship application has been made by that individual. Consequently, this information—often referred to by industry representatives as a 'hardship flag'—cannot be included in an individual's credit report.34

2.37 The ABA described how the reporting of RHI works in practice under the current legislative framework for CCR:

Currently, the CCR system provides for a bank to report to its credit bureau whether the customer has met the monthly payment(s) due under their credit facility. If the payment is made on time (within the 14 days period of grace) the CCR system records a "0". If the payment is missed (after the grace period of 14 days) the system will record this as "1" (missed payment) and so on if the payment remains unpaid (for the next month as "2" etc). These entries are maintained as a record of performance by the customer for 24 months.

OAIC Guidance

2.38 As noted in Chapter 1, in an effort to enhance clarity in regards to the way credit providers report information about an individual's RHI to credit reporting bodies, the Office of the Australian Information Commissioner (OAIC) has published guidance about the reporting of RHI and default information in circumstances of financial hardship. The OAIC has also published guidance about the meaning of 'repayment history information' where a consumer credit contract is varied or an 'indulgence' is in place.35

2.39 The OAIC guidance clarifies how the term 'due and payable', which is not defined in the Privacy Act, is to be interpreted. For the purposes of section 6V of the Privacy Act (see paragraph 2.35), the OAIC understands the term 'due and payable' to

33 Privacy Act 1988, ss. 6V(1).

34 Ms Angelene Falk, Acting Information Commissioner and Acting Privacy Commissioner, Office of the Australian Information Commissioner, Committee Hansard, 15 May 2018, p. 2. See also Australian Banking Association, Submission 3, p. 2.

35 Office of the Australian Information Commissioner, Submission 12, p. 3.

21

mean 'that the credit provider has a legal entitlement to maintain an action for recovery against a consumer in respect of a missed monthly payment'.36

2.40 The OAIC guidance also clarifies how the meaning of 'due and payable' is applied in regard to the different financial hardship arrangements that may be made between a credit provider and an individual where the individual is unable to meet the terms of a consumer credit contract:

1. Where the arrangement is a variation to the terms of the consumer credit contract, then an assessment of whether RHI is 'due and payable' under s 6V(1) should be by reference to the terms of the varied contract.

2. Where there is no variation to the consumer credit contract and an indulgence is made, whether RHI should be assessed by reference to the terms of the indulgence or by reference to the underlying credit contract will depend on the nature of that arrangement, particularly, whether the credit provider could maintain enforcement action against the individual for default of the original contract despite compliance with the indulgence.37

2.41 ARCA submitted that it and industry welcome the legal clarity given by the OAIC's guidance.38

Stakeholder views

2.42 Submitters and witnesses had differing opinions as to the extent of credit providers' RHI reporting obligations when an individual is in financial hardship.

2.43 Consumer representatives strongly contested the OAIC's guidance as to when an amount is 'due and payable', submitting that:

Consumer Representatives strongly disagree with the Office of the Australian Information Commissioner's (OAIC's) interpretation of when an amount is 'due and payable' under the Privacy Act as per its guidance that was recently published on its website. The OAIC has limited its interpretation of 'due and payable' to the legal entitlement to maintain an action for recovery, but has not considered the requirements under the Credit Act which impact directly on when an action for recovery can be maintained.39

36 Office of the Australian Information Commissioner, What does the term ‘due and payable’ mean in the definition of repayment history information?, https://www.oaic.gov.au/agencies-and-organisations/faqs-for-agencies-orgs/businesses/what-does-the-term-due-and-payable-mean-in-the-definition-of-repayment-history-information (accessed 30 May 2018).

37 Office of the Australian Information Commissioner, What does the term ‘due and payable’ mean in the definition of repayment history information?, https://www.oaic.gov.au/agencies-and-organisations/faqs-for-agencies-orgs/businesses/what-does-the-term-due-and-payable-mean-in-the-definition-of-repayment-history-information (accessed 30 May 2018).

38 Australian Retail Credit Association, Submission 7, p. 9.

39 Financial Rights Legal Centre, Submission 8, p. 5.

22

2.44 Consumer representatives argued that, if an arrangement has been made with a consumer to change their payments in circumstances of financial hardship, and the consumer is meeting their payment obligations under that arrangement, then the original amount cannot be due and payable.40

2.45 ANZ disagreed with this view and expressed concern that, when reporting RHI, it cannot report customers in hardship programs as being up to date as this would not meet its reporting obligations.41

2.46 ANZ further outlined its position with regard to its reporting obligations under the Privacy Act, submitting that:

ANZ sees its obligations under the Privacy Act as requiring the reporting of RHI based on the customer’s status in relation to contractual minimum monthly repayments. Where a customer enters into a temporary arrangement because they are experiencing financial hardship, and this does not involve a variation to the contract, our view is that reporting of repayment information must be by reference to whether the customer has met, and/or continues to meet, their originally contracted repayments, not the repayments under their temporary arrangement.42

2.47 Westpac expressed a similar view, commenting that, under the current legislative framework, credit providers 'will not have the option to withhold the fact that customers have not met repayments in accordance with their original contract'.43

Consequences and concerns

2.48 While the reporting obligations for the CCR regime are well established under the Privacy Act, a number of inquiry participants expressed concern that they thought the bill had proceeded to legislative enactment without clear legislative provision as to how credit providers must report repayment history information where a customer has entered into a financial hardship agreement with the credit provider.44

2.49 In their joint submission to the inquiry, consumer representatives commented:

Consumer representatives are deeply concerned that RHI data will be wildly inaccurate if the banks start reporting customers as making payments late when those consumers have called up and arranged a hardship variation as they are legally able to do under the credit law. It is our strong view that they are not making late payments since the contract has been mutually agreed to be varied. It is critical that this area of the law (and how it will work in practice) is clarified as soon as possible.45

40 Financial Rights Legal Centre, Submission 8, p. 5.

41 ANZ, Submission 13, p. 3.

42 ANZ, Submission 13, p. 4.

43 Westpac Group, Submission 11, p. 3.

44 See, for example, Australian Banking Association, Submission 3, p. 3; Australian Finance Industry Association, Submission 6, p. 2; Queensland Law Society, Submission 2, p. 3.

45 Financial Rights Legal Centre, Submission 8, p. 4.

23

2.50 Similarly, the Australian Finance Industry Association (AFIA) argued that this 'is a critical issue for consumers and industry alike and should be resolved as a priority'.46 AFIA also warned that omitting information relating to customers financial hardship 'devalues the credit reporting process' and 'potentially creates risk of inadvertent irresponsible lending to consumers'.47

2.51 AFIA further reflected on the importance of obtaining clarity on this issue to ensure that individual's credit reports are accurate and do not adversely affect consumer credit decisions:

Credit providers regularly work with their customers when they experience periods of financial difficulty to provide relief and a way for the customer to 'get back on track'. We believe the issue of how these situations should be reported needs to be addressed so that an individual's credit report remains a clear and objective historic record of all facts relevant to future consumer credit decisions.48

2.52 The ABA underlined that, without an agreed resolution and legislative change as to how financial hardship arrangements are to be reported under the CCR framework, customers in financial hardship are likely to be detrimentally affected and 'lumped together with those customers who simply don't comply with their repayment obligations'.49

2.53 Consumer representatives noted that most consumers will have limited understanding of how entering into financial hardship arrangements with a credit provider and how their credit report may be adversely affected. This could lead to further distrust of the industry and increased complaints.50

2.54 Consumer representatives also expressed concern that the potential for the mandatory reporting of RHI to reflect negatively on a consumer's credit standing may 'discourage people from accessing the financial hardship arrangements that they are legally entitled to'.51 Consumer representatives provided the following context:

The consumers we speak to on the National Debt Helpline are overwhelmingly concerned about their credit reports and credit scores and the impact upon this information by any actions they take. These people need to be confident that they will be treated fairly if they do the right thing and contact their credit provider for a financial hardship arrangement when they cannot pay, but will be able to get back on track within a reasonable time.52

46 Australian Finance Industry Association, Submission 6, p. 2.

47 Australian Finance Industry Association, Submission 6, p. 2.

48 Australian Finance Industry Association, Submission 6, p. 2.

49 Australian Banking Association, Submission 3, p. 4.

50 Financial Rights Legal Centre, Submission 8, p. 6.

51 Financial Rights Legal Centre, Submission 8, p. 4.

52 Financial Rights Legal Centre, Submission 8, p. 4.

24

2.55 The Queensland Law Society (QLS) emphasised the importance of mandatory CCR not reducing the flexibility of credit providers responses to circumstances where a consumer is in financial hardship, including whether or not to report a default. Elaborating on this point, QLS observed that:

There may be particularly sensitive circumstances giving rise to the default, such as financial abuse or domestic violence, and it is crucial that lenders be able to take appropriate steps, including making indulgences, to ensure that the consumer is not further disadvantaged.53

Hardship flag

2.56 As noted at paragraph 2.36, the Privacy Act does not currently permit a credit provider to disclose to a credit reporting body the fact that an individual is in financial hardship—often referred to by industry as a 'hardship flag'.

2.57 Most inquiry participants were supportive of proposals to amend the Privacy Act to introduce a hardship flag into the credit reporting system to identify that a consumer has asked their credit provider to change their credit contract on the grounds of financial hardship and provide a true indications of their financial position.54

2.58 ARCA noted that additional hardship data would allow for differentiation between repayment history that is reported for a varied credit contract, compared to that being reported for a consumer's original payment obligations.55

2.59 The ABA drew the committee's attention to what it considered the potential risks posed to consumers by inconsistent and inaccurate RHI reporting under different financial hardship arrangements:

Some options mean the credit provider has no visibility that the customer is in financial difficulty and may extend further credit, while other options will not reflect that the customer is actively engaged with the credit provider to work through their current difficulties.

On the other hand, if the payment is recorded as paid because the customer is adhering to a different payment arrangement made with their bank, other credit providers could conclude the individual is a good credit risk and may place the customer under greater hardship by extending further credit.56

2.60 The ABA considered this to be 'an unacceptable exposure of customers to risk' and one that could be avoided 'if a hardship indicator is permitted to be added to the relevant RHI reporting under the Privacy Act'.57

53 Queensland Law Society, Submission 2, p. 3.

54 See, for example, Australian Retail Credit Association, Submission 7, p. 9-10; ANZ, Submission 13, p. 3; Westpac Group, Submission 11, p. 3; Australian Banking Association, Submission 3, p. 3; Australian Finance Industry Association, Submission 6, p. 2.

55 Australian Retail Credit Association, Submission 7, pp. 9-10.

56 Australian Banking Association, Submission 3, p. 3.

57 Australian Banking Association, Submission 3, p. 3.

25

2.61 Westpac also supported the proposals for inclusion of a hardship flag to RHI reporting, arguing that it would enable credit providers to perform better lending assessments and ensure the quality of credit information:

In Westpac’s view, the customer benefits from including a 'hardship flag' because it allows for a transparent and fair representation of a customer’s situation—it would represent the current status of the arrears and protect customers from inappropriate lending when the customer is at the height of their financial stress.58

2.62 In contrast, consumer representatives disagreed with these views, arguing that '[h]ardship flags will only serve to further disincentivise consumers from proactively reaching out to lenders when they are in financial difficulty, undermining the current financial hardship protections'.59

Attorney-General's review

2.63 On 28 March 2018, the Attorney-General, the Hon Christian Porter MP, announced that the government will conduct a review of financial hardship arrangements, including looking into the intersection between hardship arrangements and the credit reporting framework.60

2.64 Inquiry participants were generally welcoming of the Attorney-General's review, however noted that the timing of the review and any resultant changes are unlikely to be completed prior to the proposed commencement of the mandatory CCR regime.61

2.65 ARCA noted that, in the absence of a means to identify consumers in financial hardship in consumer credit reports, 'the repayment history information reported for those consumers could be misleading'. ARCA contended that:

Given this issue will become more significant as the number of credit providers supplying comprehensive credit data increases, we strongly urge that this review be brought forward.62

2.66 Similarly, AFIA recommended that the government expedite the review into hardship reporting with the purpose of allowing credit providers to transparently report instances of customers in hardship.63

58 Westpac Group, Submission 11, p. 3.

59 Financial Rights Legal Centre, Submission 8, p. 8.

60 The Hon Christian Porter MP, Attorney-General for Australia, 'Review of financial hardship arrangements', Media Release, 28 March 2018.

61 See, for example, Australian Banking Association, Submission 3, p. 4; Australian Finance Industry Association, Submission 6, p. 3.

62 Australian Retail Credit Association, Submission 7, p. 9.

63 Australian Finance Industry Association, Submission 6, p. 3.

26

2.67 Westpac also submitted that an earlier review time frame is necessary in order to 'ensure the fairest possible outcome for any customers who are in hardship during the reporting period'.64

Scope of mandatory CCR 2.68 Some inquiry participants expressed concern that the bill restricts the mandatory CCR regime to large ADIs with total resident assets are greater than $100 billion—effectively compelling the Australia's big four banks to participate in CCR.65

2.69 For instance, Westpac contended that the CCR regime should apply to all credit providers. Westpac reasoned that:

Restricting the Scheme to the majors leaves 20 per cent of consumer credit lending out of the picture…Without full coverage, Westpac will not have access to the credit history details of accounts a customer holds with CPs who are not supplying comprehensive information, potentially resulting in an incomplete assessment of their financial situation.

2.70 Westpac recognised that while 'the Government is open to including other [credit providers] at a later date'66, there appears to be no mechanism to monitor which and when other credit providers come on board. Westpac suggested that the statutory review of the mandatory CCR regime, to be completed by 1 January 2022, examine any unintended consequences for customers of smaller credit providers not contributing comprehensive credit information.67

2.71 illion acknowledged that mandating the major banks to participate in CCR 'will undoubtedly prove significantly more effective than the voluntary CCR framework currently in place'. However, illion considered that the mandated CCR participation threshold 'be lowered to $50 billion so that large, "second tier" ADIs are also obliged to participate in CCR 12 months after the largest institutions if this has not occurred voluntarily'.68

2.72 illion also contended that restricting the scope of the mandatory CCR regime to the big four banks will limit the potential positive impact on competition in the market that would result from a more fully inclusive regime:

By restricting mandatory CCR to effectively only the largest four lenders, illion contends the competitive effects arising from the regime will fall far short of what is possible, in that competition is likely to be largely felt between the big four rather than with other lenders…Should competition only be improved amongst Australia’s four largest lenders, consumers will

64 Westpac Group, Submission 11, p. 3. See also ANZ, Submission 13, p. 4.

65 See, for example, illion, Submission 4, p. 5; Westpac Group, Submission 11, p. 1.

66 Westpac Group, Submission 11, p. 1.

67 Westpac Group, Submission 11, p. 1.

68 illion, Submission 4, p. 5.

27

be faced with an unchanged market amongst small lenders that are not compelled to participate.69

2.73 In further evidence to the committee, Mr Brown from illion argued that broad-based adoption of CCR 'is key to making sure that the maximum information is available to ensure that banks can detect undisclosed liabilities and lend responsibly'.70

2.74 The Customer Owned Banking Association (COBA), the industry association for Australia's customer owned banking institutions such as mutual banks, credit unions and building societies, took a differing view. COBA supported the government's decision to limit mandatory CCR to only large ADIs. COBA submitted that this approach avoids 'imposing unnecessary costs on smaller ADIs while creating a critical mass of CCR data to encourage all credit providers to undertake the investment needed to participate'.71

Regulation to prescribe eligible licensees

2.75 The bill allows for the extension of the mandatory CCR regime to credit providers other than those considered 'large' ADIs under a regulation-making power. As noted in the explanatory memorandum, the government expects that regulations would be made after the mandatory regime has been in operation for a period of time and other credit providers are not voluntarily supplying data.72

2.76 The ABA reminded the committee of the burden that ongoing regulatory change has on its members, and particularly for regional and smaller ADIs with more limited resources. The ABA recommended that, if the government were to consider prescribing regulation to extend the mandatory CCR regime to smaller ADIs, an additional period of consultation with these ADIs be afforded 'to identify an appropriate and achievable implementation timeframe'.73

2.77 AFIA conveyed support for the current scope of the CCR regime as proposed in the bill, where mandated participation is restricted to large ADIs.74 However, AFIA stressed that its preferred position is not to mandate CCR participation across the sector as a 'one-size fits all' approach. AFIA reasoned that industry participation outside the mandated large ADIs will grow organically over time. 75

69 illion, Submission 4, p. 5.

70 Mr Steven Brown, Director, Bureau Engagement, illion, Committee Hansard, 15 May 2018, p. 36.

71 Customer Owned Banking Association, Submission 5, p. 1.

72 Explanatory Memorandum, p. 11.

73 Australian Banking Association, Submission 3, p. 5.

74 Ms Helen Gordon, Chief Executive Officer, Australian Finance Industry Association, Committee Hansard, 15 May 2018, p. 10.

75 Australian Finance Industry Association, answers to written questions on notice (received 27 May 2018).

28

2.78 Ms Helen Gordon, Chief Executive Officer of AFIA, elaborated on this point in evidence to the committee:

Our position there is really that the smaller entities will benefit from that information in the system, so they will want to participate. They will want to include their data about their customers in the system because they will get the benefit of information from other players, which have a lot more information about a lot more people, in return. There'll be an organic kind of outcome, if you like. So that statutory obligation is not appropriate for all of the players in the system. The government will achieve the outcomes it's seeking, but not necessarily through having to mandate compliance across all participants.76

2.79 AFIA also reflected on the internal resources required to engage in CCR, noting that smaller credit providers would need 'a significant lead time to make the necessary capital expenditure in IT, credit criteria redevelopment and retraining'.77

Data privacy and security 2.80 The Privacy Act sets out the regulatory model for credit reporting information including use and disclosure, de-identification of credit reporting information, using credit reporting information for marketing purposes, and how this information must be protected from unauthorised access or misuse.78

2.81 Part IIIA of the Privacy Act, supported by the Privacy (Credit Reporting) Code 2014 (Privacy Code) and the Privacy Regulation 2013, regulates consumer credit reporting in Australia. As summarised by the Attorney-General's Department (AGD):

Part IIIA of the Privacy Act provides the statutory basis for limitations on how credit reporting information may be used. Credit reporting information means credit information or 'CRB derived information' and broadly extends to any information that has a bearing on an individual’s credit worthiness or could be used to establish an individual’s eligibility for consumer credit.79

2.82 The OAIC has regulatory oversight of credit reporting, ensuring that credit reporting bodies and credit providers comply with their requirements under the Privacy Act, including the requirements in Part IIIA. The Privacy Act confers broad powers on the Australian Information Commissioner, via the OAIC, in relation to monitoring, investigation and enforcement.

76 Ms Helen Gordon, Chief Executive Officer, Australian Finance Industry Association, Committee Hansard, 15 May 2018, p. 10. See also Mr Ian Gilbert, Executive Director, Legal and Regulation, Australian Banking Association Incorporated, Committee Hansard, 15 May 2018, p. 29.

77 Australian Finance Industry Association, Submission 6, p. 4.

78 Attorney-General's Department, answers to written questions on notice (received 25 May 2018).

79 Attorney-General's Department, answers to written questions on notice (received 25 May 2018).

29

2.83 As noted in Chapter 1, the amendments proposed in the bill 'do not require or allow disclosure, use or collection of credit information beyond what is already permitted under the Privacy Act and Privacy Code'.80

2.84 Inquiry participants were generally welcoming of the fact the bill preserves and is reliant on the existing consumer protections under the Privacy Act and Privacy Code relating to the security and privacy of consumers' credit information.

2.85 Ms Falk, the Acting Information Commissioner and Acting Privacy Commissioner, contended that '[t]hese laws provide a robust and effective framework for ensuring that risks to personal information are appropriately mitigated'.81

2.86 ARCA expressed a similar view, submitting that:

Given the detailed and extensive consumer protections already contained in Part IIIA and the CR Code, we consider that the draft Bill does not raise additional issues in relation to consumer rights.82

2.87 In relation to data privacy, ARCA pointed out that under a mandatory CCR regime, existing consumer records will be expanded, rather than created. ARCA further explained:

Most consumers will already have identity information held by a credit reporting body. Anyone who has applied for credit; including loans by banks and other finance providers, such as in-store finance or motor vehicle finance; a telecommunications service, such as a mobile telephone; or access to an energy supplier, will have a record at a bureau.83

Non-compliance with section 20Q

2.88 Section 20Q of the Privacy Act requires a credit reporting body to take reasonable steps to protect the information it receives, including from misuse, interference and unauthorised access.

2.89 The bill enables an eligible licensee to withhold the supply of mandatory credit information where a licensee does not believe the credit reporting body is meeting its information security obligations under section 20Q of the Privacy Act. In such circumstances, a licensee is required to notify the credit reporting body, ASIC and the Australian Information Commissioner.84

2.90 Representatives from the Treasury outlined the reasoning behind the inclusion of these additional security obligations in the bill:

80 Explanatory Memorandum, p. 6.

81 Ms Angelene Falk, Acting Information Commissioner and Acting Privacy Commissioner, Office of the Australian Information Commissioner, Committee Hansard, 15 May 2018, p. 1.

82 Australian Retail Credit Association, Submission 7, p. 8. See also, Mr Michael Laing, Executive Chairman, Australian Retail Credit Association, Committee Hansard, 15 May 2018, p. 44.

83 Australian Retail Credit Association, Submission 7, p. 8.

84 Explanatory Memorandum, p. 13.

30

The risk in mandatory participation in comprehensive credit reporting was that if they were mandated to provide data, whatever the circumstances, in a sense, they would lose their bargaining power around the contracts. So the bill makes provision that if a bank has concerns about the security of the data it's providing to a credit bureau then it can go through various steps. Effectively, it can make the decision not to supply that data, and then there are various kinds of processes and time lines that sit in the bill in respect of that.85

2.91 Some submitters noted their support for the enhanced security obligations imposed by the bill in relation to suspected non-compliance by a credit reporting body with section 20Q of the Privacy Act.

2.92 For example, in their joint submission to the inquiry, consumer

representatives commented that:

We believe this subsection will drive better security standards across the entire industry by forcing banks to take responsibility for the security compliance of CRBs when they hand over customer data. This subsection also empowers banks to cease supplying customer data if a CRB demonstrates a major security breach which the banks reasonably believe amounts to non-compliance with s. 20Q.86

2.93 Westpac Group also welcomed the addition of a mechanism to raise concerns with credit reporting bodies security management, arguing that:

In today's fast-moving data security landscape, data security standards will be ever changing. A breach of security of personal or credit information in Australia would be disastrous for confidence in the Australian financial system.87

2.94 illion expressed a differing view, arguing that this mechanism by which credit providers can be exempted from their obligation to share information with credit reporting bodies is 'superfluous' given the existing safeguards enshrined in the Privacy Act. Elaborating on this point, illion submitted that:

Our view is also based on the fact that the adequate information security protocols are already in place, allowing CRBs to receive credit enquiries from a bank in the present ‘negative’ data environment, is prima facie evidence that information security is adequate in a more comprehensive regime. There is no added risk associated with the sharing of further data, as current safeguards in place do not differentiate between the volume or type of protected data.88

85 Mr James Kelly, Chief Adviser, Financial System Division, Treasury, Committee Hansard, 15 May 2018, p. 58.

86 Financial Rights Legal Centre, Submission 8, p. 12.

87 Westpac Group, Submission 11, p. 3.

88 illion, Submission 4, p. 9.

31

2.95 illion also commented on what it considers potential practical effects of such an exemption; specifically, that it may be utilised by credit providers as a barrier to the provision of data.89

Interaction with existing Privacy Act provisions

2.96 Under existing section 21U of the Privacy Act, credit providers are required to take reasonable steps to correct credit information that is inaccurate, out-of-date, irrelevant or misleading. Further, section 21U provides that where a credit provider corrects information in this way, it must, with some limited exceptions, notify credit reporting bodies to which it has previously given the information.90

2.97 The OAIC expressed concern that proposed section 133CV(4) of the bill— which provides an exception to the bulk and ongoing supply requirements where an eligible licensee has a reasonable belief that a credit reporting body is not complying with its security obligations under the section 20Q of the Privacy Act—will limit the operation of requirements regarding notices of correction in existing section 21U of the Privacy Act.

2.98 The OAIC acknowledged that while it appreciates the intent of these provisions in not mandating disclosures of credit information where there may be security risks, the operation of these provisions could have a detrimental effect on data quality and flow on consequences for a consumer's credit report. The OAIC explained:

An effect of proposed section 133CV(4) of the Bill appears to be that other CPs may obtain information from the relevant CRB that is out-of-date, incomplete, irrelevant or misleading. The OAIC's concern is that CPs may then make credit worthiness decisions on the basis of poor quality information. The quality of credit reporting information is of fundamental importance to individuals, given the significant consequences that may flow, in terms of future access to credit, from an adverse credit report.91

2.99 The OAIC suggested that the enhanced security protections envisaged by these provisions 'could be achieved by limiting the mandated supply requirements under the bill, without limiting the correction requirements under the Privacy Act'.92 The OAIC further stated that:

89 illion, Submission 4, p. 9.

90 Office of the Australian Information Commissioner, answers to written questions on notice, (received 25 May 2018). See also Office of the Australian Information Commissioner, Submission 12, pp. 6-7.

91 Office of the Australian Information Commissioner, answers to written questions on notice, (received 25 May 2018). See also Office of the Australian Information Commissioner, Submission 12, pp. 6-7.

92 Office of the Australian Information Commissioner, answers to written questions on notice, (received 25 May 2018). See also Office of the Australian Information Commissioner, Submission 12, pp. 6-7.

32

This would mean that an eligible licensee would not be required to disclose information about individuals as envisaged under the Bill, while preserving the data quality protections in the Privacy Act.93

Increased amount of data in the system

2.100 Consumer representatives drew the committee's attention to the significant increase in the amount of data on a consumer's credit report as credit providers are mandated to participate in the CCR regime.94 In their joint submission, the Financial Rights Legal Centre (FRLC) and other consumer representatives argued that this increase in data:

…will proportionally increase the potential errors that might occur that consumers will need to dispute. This is particularly the case with RHI which will be updated monthly with up to two years of data available at any one time.95

2.101 The OAIC also recognised the increased volume of credit information in the consumer credit reporting system as a result of the mandating of CCR. The OAIC submitted that this 'will require proactive oversight and accountability for participants in the scheme', and further contended that:

To enhance consumer trust in the scheme, it will be important to ensure the OAIC is resourced to exercise its functions to effectively oversee the handling of credit information in the system.96

2.102 Ms Falk, the Acting Information Commissioner, explained to the committee the practical implications of the legislation with regard to the OAIC's regulatory oversight of the credit reporting system:

We would expect that the mere fact of having an increased volume of credit-reporting information in the system would result in increased regulatory activity required by the OAIC.

Similarly, we would expect an increase in the volume of complaints. When the credit-reporting provisions were amended in 2014, we experienced a significant increase in complaints from consumers in terms of credit reporting. On average, about 25 per cent of about 2½ thousand complaints that we receive relate to credit reporting. However, in 2014 we received more than 2,000 complaints simply on credit-reporting matters.

We've also got powers—they're outlined in pages 4 to 5 of the submission—to undertake regulatory activity on our own initiative where

93 Office of the Australian Information Commissioner, answers to written questions on notice, (received 25 May 2018). See also Office of the Australian Information Commissioner, Submission 12, pp. 6-7.

94 Financial Rights Legal Centre, Submission 8, p. 3.

95 Financial Rights Legal Centre, Submission 8, p. 3.

96 Office of the Australian Information Commissioner, Submission 12, p. 5.

33

issues arise. The bill will also envisage a role for the OAIC where a credit provider has some security concerns about a credit-reporting body. Under that provision a notice would need to be given to the OAIC and we would then need to apply our regulatory action policy to decide what, if any, further regulatory action is needed.97

2.103 In response to questions on notice regarding the regulatory environment supporting CCR and the OAIC's oversight role in consumer credit reporting, AGD advised the committee that:

AGD and OAIC have been consulted through the development of the proposed legislation and AGD considers that the powers conferred on the OAIC are appropriate for the OAIC to be able to effectively regulate the credit reporting sector after the introduction of mandatory comprehensive credit reporting.98

Vulnerable and lower income consumers 2.104 The implications of the mandatory CCR regime as proposed by the bill for vulnerable and lower income consumers was raised by a number of submitters and witnesses. In particular, the potential for increased price differentiation, consumer use of 'credit-cleaning' organisations, and the use of pre-screening for marketing purposes were highlighted as matters of concern.

Increased price differentiation

2.105 QLS expressed concern that the increase in available credit information resulting from mandatory CCR 'may result in lower income applicants being charged more for credit due to greater differential pricing'.99

2.106 QLS took the view that:

This is likely to push these applicants more towards higher cost lower-tiered lenders, like the providers of small amount and medium amount credit contracts. It may also mean that a consumer’s credit score/risk score is going to increase and could have a negative affect when a person tries to purchase credit.100

2.107 The committee heard a similar view from consumer representatives, who submitted that:

We are also concerned that some lenders are likely to use this increased information not to deny people credit where it appears their finances are already stretched, but to charge those customers more for credit. We may see a significant increase in price discrimination including an influx of

97 Ms Angelene Falk, Acting Information Commissioner and Acting Privacy Commissioner, Office of the Australian Information Commissioner, Committee Hansard, 15 May 2018, p. 3.

98 Attorney-General's Department, answers to written questions on notice (received 25 May 2018).

99 Queensland Law Society, Submission 2, p. 2.

100 Queensland Law Society, Submission 2, p. 2.

34

expensive, priced-for-risk products…Risk based pricing exacerbates inequality, as consumers deemed higher risk not only pay more for credit, but are at greater risk of default because of those higher repayments.101

2.108 Reflecting on the possibility of increased price differentiation between consumers as a result of CCR, Mr Konstantinidis from Experian suggested that increased price differentiation based on consumers' credit history would be a reflection of more responsible lending practices:

Senator McALLISTER: Will the system create a capacity for rewards to consumers with positive credit histories?

Mr Konstantinidis: Yes.

Senator McALLISTER: By implication, it will also create penalties, relative to those with positive histories, for people with poor credit histories, will it not? You can't have one without the other.

Mr Konstantinidis: That is a fair question. I would probably look at it in the way that there will definitely be the reward element. Whether it is a penalty, I look at it going back to using the terminology more-responsible or appropriate—whether or not it is an extension of credit, and I think in a better position not to place a consumer in a vulnerable situation.102

Use of 'credit-cleaning' organisations

2.109 QLS considered that, as a consequence of greater price differentiation, the introduction of mandatory CCR may drive more consumers to use credit repair—often called 'credit-cleaning'—organisations. QLS noted that, in some cases, such organisations 'have not led to the best consumer outcomes'.103

2.110 Dr Andrew Grant from the University of Sydney also cited the growth of 'credit-cleaning' businesses as a possible outcome of introducing CCR:

The outcomes for individuals on the lower end of the credit spectrum may be negative; evidence from Dun and Bradstreet's implementation of CCR in New Zealand has indicated as much. This may lead to the growth of so-called 'credit-cleaning' businesses or the introduction of products specifically targeting the borrowers with adverse events in their credit histories.

2.111 Similarly, Ms Katherine Temple, Senior Policy Officer at the Consumer Action Law Centre (CALC), asserted that the increase in information on consumers' credit reports as a result of CCR 'will just turbo-charge these unregulated and harmful businesses'.104

101 Financial Rights Legal Centre, Submission 8, p. 3.

102 Mr Poli Konstantinidis, Executive General Manager, Credit Services and Decision Analytics A&NZ, Experian, Committee Hansard, 15 May 2018, pp. 40-41.

103 Queensland Law Society, Submission 2, p. 2.

104 Ms Katherine Temple, Senior Policy Officer, Consumer Action Law Centre, Committee Hansard, 15 May 2018, p. 19.

35

2.112 Consumer representatives described the unscrupulous practices of unregulated credit-cleaning organisations in their joint submission to the inquiry:

DMFs [debt management firms] target people struggling with debt, promising to clean or fix their credit reports. DMFs regularly mislead people about the nature of their service/product and charge thousands of dollars for poor quality services. They also use customer's enquiries about fixing their credit report as an opportunity to steer debtors into unsuitable debt agreements or other expensive and often inept debt negotiation services.105

2.113 Representatives from the Treasury recognised the concerns raised by consumer groups with regard to the provisions proposed in the bill giving rise to growth in the credit-cleaning industry, and advised that it thinks it is 'an issue that needs further consideration'.106 Mr James Kelly, Chief Advisor, Financial System Division, Treasury, further told the committee that:

My understanding is that consumer affairs ministers, Commonwealth and state, have also flagged that as an area requiring consideration, and it is something that's on the agenda to look at.107

Pre-screening

2.114 Consumer representatives highlighted the use of 'pre-screening' under section 20G of the Privacy Act to direct marketing of more costly credit products to consumers whose credit information indicates that they are of higher risk.108

2.115 However, as clarified by a number of industry representatives, under section 20G of the Privacy Act, pre-screening is limited to using 'negative only' data and, moreover, only to assess whether the individual is eligible to receive the communication.109 Pre-screening 'is a safeguard to ensure that offers of credit are not sent to consumers who, because they already have defaults and other adverse information on their credit report, are unlikely to be approved if they take up the offer and apply for the product'.110

105 Financial Rights Legal Centre, Submission 8, pp. 3-4.

106 Mr James Kelly, Chief Adviser, Financial System Division, Treasury, Committee Hansard, 15 May 2018, p. 54.

107 Mr James Kelly, Chief Adviser, Financial System Division, Treasury, Committee Hansard, 15 May 2018, p. 54.

108 Financial Rights Legal Centre, Submission 8, p. 3.

109 See, for example, Experian, answers to written questions on notice (received 22 May 2018); Australian Banking Association, answers to written questions on notice (received 24 May 2018); Australian Retail Credit Association, answers to written questions on notice, (received 23 May 2018).

110 Australian Retail Credit Association, answers to written questions on notice (received 23 May 2018).

36

2.116 As explained by AFIA:

A key objective of this provision was to assist credit providers ensure financially vulnerable customers, in particular, do not receive offers potentially increasing their exposure to credit and financial difficulties.111

Other matters raised 2.117 Other matters raised by inquiry participants in relation to the bill included: the drafted definition of 'evidential burden'; and the requirement to provide statements of compliance to the Treasurer.

Drafted definition of 'evidential burden'

2.118 The bill inserts the definition of the term 'evidential burden'—that being, 'in relation to a matter, means the burden of adducing or pointing to evidence that suggests a reasonable possibility that the matter exists or does not exist'—into subsection 5(1) of the NCCP Act.112

2.119 QLS criticised this definition as drafted in the bill, contending that it 'adopts a standard of proof contrary to that developed by the law over time'.113 QLS argued that this drafting 'will create confusion rather than clarification', and advocated for a 'more orthodox approach'.114

2.120 Specifically, QLS recommended that:

Where the evidential burden relates to a civil matter, the normal civil burden, on the balance of probabilities, should apply and, in the case of the evidential burden relating to a criminal matter, the standard should be beyond a reasonable doubt.115

Statements of compliance to the Treasurer

2.121 As noted in Chapter 1, credit providers and eligible credit reporting bodies will be required to provide statements to the Treasurer relating to their compliance with the initial bulk supplies of credit information under the mandatory CCR regime.116

2.122 The ABA questioned why this requirement to make statements of compliance to the Treasurer is necessary, contending that it is a regulatory impost which duplicates the role of the regulator, ASIC. The ABA submitted that it 'believes only

111 Australian Finance Industry Association, answers to written questions on notice (received 27 May 2018).

112 National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018, cl. 3.

113 Queensland Law Society, Submission 2, p. 2.

114 Queensland Law Society, Submission 2, p. 2.

115 Queensland Law Society, Submission 2, p. 2.

116 Explanatory Memorandum, pp. 31-32.

37

the one process of audited compliance reporting should be made to ASIC. These statements can then be provided by ASIC to the Treasurer'.117

2.123 In response to a question from the committee regarding the reasoning behind this requirement in the bill to provide statements of compliance, representatives from the Treasury explained:

It's an accountability measure on the banks. It reflects the history of what has been a very long process to actually establish a comprehensive reporting regime. When it was set up and legislated in 2012, the expectation was that we would now have a fully functioning comprehensive credit-reporting regime. It has always been a disappointment. So, in some ways, I think you can see that report to the Treasurer as a way of emphasising the importance the government attaches to it.118

Committee view 2.124 There is broad agreement amongst stakeholders with regard to the consumer and economic benefits of comprehensive credit reporting. Participants in the inquiry noted the positive impact that an effective CCR regime will have with regard to increasing competition in the market by reducing information advantages and levelling the playing field between lenders. Stakeholders agreed that by allowing credit providers to obtain a comprehensive view of an individual's financial situation, effective CCR will also facilitate consumers' access to tailored and suitable credit, and ensure credit providers better meet their responsible lending obligations.

2.125 Importantly, the committee notes that CCR's 'principle of reciprocity' ensures that all present and future credit providers must supply their own collected credit information into the CCR system in order to get information out. In these terms, it is recognised that all credit providers can have the confidence that everyone participates in the system on equal terms providing full credit data.

2.126 However, it is also apparent to the committee that there is a disjunct between credit providers' RHI reporting obligations under the Privacy Act and financial hardship arrangements under the NCCP Act. Stakeholders strongly disagreed on how circumstances of financial hardship are to be reflected, or in fact not reflected, in an individual's credit information, and the potentially adverse consequences this can have on a consumer's credit report.

2.127 The committee agrees that this is an issue that should be resolved as a matter of urgency and welcomes the government's review of financial hardship arrangements. However, the committee is cognisant that, under the current time frame, outcomes of the review will come after the enactment of the bill.

117 Australian Banking Association, Submission 3, p. 4.

118 Mr James Kelly, Chief Adviser, Financial System Division, Treasury, Committee Hansard, 15 May 2018, p. 54.

38

Recommendation 1

2.128 The committee recommends that the Australian Government consider expediting its review of financial hardship arrangements.

2.129 Regarding the scope of CCR as proposed in the bill, the committee is confident that mandating the big four banks to participate in CCR will create a critical mass of data and should encourage other credit providers to voluntarily partake in the CCR regime. The committee also recognises the significant resources required for credit providers to engage in CCR, and is of the view that considered consultation be undertaken should the government decide to extend the mandatory CCR regime to credit providers other than large ADIs in future.

2.130 Credit-related information is one of the most strictly regulated forms of personal information under the Privacy Act. The committee is confident that the existing consumer protections under the Privacy Act, as well as the security enhancements in the bill in relation to how and where credit information is stored and suspected non-compliance, will ensure that risks to consumers' personal information are mitigated.

2.131 The committee notes the OAIC's concerns regarding the interaction of certain provisions in the bill with those existing in the Privacy Act. The committee also acknowledges the concerns of some stakeholders regarding the implications of the mandatory CCR regime for vulnerable and lower income consumers; in particular, a potential growth in so-called 'credit-cleaning' businesses as a result of CCR. The committee suggests that any implications of the credit reporting framework— including unintended interactions or limitations imposed on other legislation and consumer use of 'credit-cleaning' services—be examined as part of the Treasurer's statutory review into the operation of the credit reporting system.

2.132 The committee also encourages the relevant regulatory bodies to engage early with plain English information campaigns to facilitate greater public awareness and financial literacy of these new arrangements.

2.133 Australians have been waiting for comprehensive credit reporting for a long time. The committee considers the reforms in the bill to be an important and essential next step in transforming Australia's current negative and assumption-based credit reporting system into one that provides for a holistic, accurate and comprehensive view of consumers' credit standing. A fully functioning and effective CCR regime will bring Australia into line with arrangements equivalent to CCR in other OECD countries.

2.134 The committee notes that the reforms proposed by the bill are not new, and have been born out of recommendations from multiple and extensive inquiries and consultations. The legislative framework for comprehensive credit reporting has been in place since March 2014 when amendments to the Privacy Act came into effect. The changes proposed by the bill will ensure that the full benefits of comprehensive credit reporting are realised.

39

Recommendation 2

2.135 The committee recommends that the bill be passed.

Senator Jane Hume Chair

Additional Comments from Labor Senators 1.1 Labor Senators are cautiously supportive of the measures set out in this bill but will take a very careful look at both the government's approach to regulating the use of consumer financial data and whether any benefits of mandatory comprehensive credit reporting will flow through to consumers.

Repayment history information and the handling of hardship 1.2 Stakeholders from across the industry spectrum expressed concern that consumers could be left worse off if repayment history information was supplied to credit reporting bodies before the Attorney-General's Department completed its review of how hardship should be managed within the credit reporting framework.

1.3 The joint submission from the Financial Rights Legal Centre, the Consumer Action Law Centre, Financial Counselling Australia, the Australian Privacy Foundation and the Australian Communications Consumer Action Network made it clear that the government has to date not addressed problems with the current treatment of financial hardship within repayment history information:

The current legislative silence on the interaction of hardship and RHI is unhelpful to all stakeholders. The law, the Credit Reporting Privacy Code or regulatory guidance should make it clear that where there is a change to the payment arrangement with a consumer, and the consumer is meeting their payment obligations under this arrangement, then RHI should reset to zero.

Consumer Representatives strongly disagree with the Office of the Australian Information Commissioner's (OAIC's) interpretation of when an amount is 'due and payable' under the Privacy Act as per its guidance that was recently published on its website. The OAIC has limited its interpretation of 'due and payable' to the legal entitlement to maintain an action for recovery, but has not considered the requirements under the Credit Act which impact directly on when an action for recovery can be maintained.1

1.4 In short, the determination from the OAIC is only based on their

responsibilities for regulating under the Privacy Act 1988. Consumer advocates argue that any policy position on the treatment of financial hardship must look at both the Privacy Act 1988 in conjunction with the National Consumer Credit Protection Act 2009.

1.5 If there were any doubts as to the need to clarify the treatment of financial hardship, the government, by initiating its own review of financial hardship arrangements has confirmed that this problem needs to be resolved.2

1 Financial Rights Legal Centre, Submission 8, p. 5.

2 Australian Government, Attorney-General's Department, accessed via https://www.ag.gov.au/RightsAndProtections/Pages/Review-of-financial-hardship-arrangements.aspx

42

1.6 This legislation would require major authorised deposit-taking institutions (ADIs) to supply customer repayment history information to credit reporting bodies in addition to other data sets3 by 1 July 2018, before the Attorney-General's review will be complete.

1.7 The Australian Banking Association (ABA) confirmed this problem of reporting repayment history information before an agreed position on the reporting of financial hardship had been set:

Without an agreed resolution and legislative change, the credit standing of those customers who are unable to meet their repayment obligations due to financial hardship are likely to be detrimentally affected. They are likely to be lumped together with those customers who simply don't comply with their repayment obligations.

Ideally, if the completion of the Attorney-General's Department's review can be brought forward, this increases the probability of a fairer and more favourable outcome for consumers, banks and other credit providers in the credit reporting system, and with the transition of RHI within the mandatory CCR legislation to be preceded by a settlement.4

1.8 ANZ went even further and requested:

…that the Attorney-General's Department (AGD) finalise its review before major banks are required to report repayment history information (RHI).5

1.9 The Australian Retail Credit Association also acknowledged there would be problems if the current legislative timetable were adhered to and advocated that the review be brought forward:

ARCA believes that the Government review is an ideal opportunity to ensure that consumers experiencing financial difficulty are protected, and the tools available to lenders to lend responsibly are strengthened. We note, however, that the review is due to report its recommendations in late 2018. As noted below, in the absence of a means in credit reports to identify consumers who have experienced hardship, the repayment history information reported for those consumers could be misleading. Given this issue will become more significant as the number of credit providers supplying comprehensive credit data increases, we strongly urge that this review be brought forward.6

1.10 When concerns about the handover of data before the completion of the review was raised at the hearing, the OAIC responded with:

Senator KETTER: Can you see any concerns with data being handed over before the hardship review is complete?

3 Financial Rights Legal Centre, Submission 8, p. 2. 4 Australian Banking Association, Submission 3, p. 4.

5 ANZ, Submission 13, p. 4.

6 Australian Retail Credit Association, Submission 7, p. 9.

43

Ms Falk: I agree that there are complex issues raised by this, and that there are differing views from stakeholders in relation to how these provisions should operate in practice.7

1.11 The Australian Finance Industry Association also stated:

Senator KETTER: Do you agree with the Financial Rights Legal Centre when they say that the current legislative silence on the interaction of hardship and repayment history information is unhelpful to all stakeholders?

Ms Gordon: What is difficult in relation to this situation is that there are two laws and then there is other stuff that is relevant.8

1.12 The Financial Rights Legal Centre clearly stated that there would be negative outcomes for consumers if this legislation was passed before the outcome of the Attorney-General's review and supported a one year delay to allow the review to be completed:

Senator KETTER: What do you think, in a practical sense, are the detriments that consumers might suffer if we don't have the review done before the legislation commences? How does that impact on consumers?

Mrs Davis: For consumers currently in financial hardship, we think that it means that their RHI is just going to be inaccurate in a lot of cases. As consumer advocates who advise consumers on the National Debt Helpline—and between our organisations we answer 50 per cent of those calls across the country—we need to be able to tell people: 'When you ask your bank for hardship, be aware there's a good chance they're still going to report your RHI as late. Make sure you get from them, in writing, a commitment that they won't do that. If they won't give you that commitment, you need to lodge a complaint with the Financial Ombudsman.' So, in a practical sense, we will be encouraging most consumers in that situation to immediately lodge a complaint. Otherwise their RHI is going to be tarnished immediately, which we believe will affect their credit score—though credit scores are totally unregulated, so who knows how that's going to work out?

So we think the immediate detriment will be an increase in consumer complaints, mostly driven by us—and we're glad about that, because we think it's a systematic breach of the credit act—and damage to people's credit ratings when really they should have their RHI untarnished if they have made an arrangement with their bank. We think that, in the long run, it's only going to disincentivise people from reaching out to their banks about hardship, and it's just going to give new life to the credit repair universe.

7 Ms Angelene Falk, Acting Australian Information Commissioner and Acting Privacy Commissioner, Office of the Australian Information Commissioner, Committee Hansard, 15 May 2018, p. 6.

8 Ms Helen Gordon, Chief Executive Officer, Australian Finance Industry Association, Committee Hansard, 15 May 2018. p. 14.

44

Senator KETTER: In your previous answer, I think you mentioned that you support a couple of years delay to the requirement for RHI to be reported. Would you support a one-year delay?

Mrs Davis: We would, because I believe the Attorney-General's Department is aiming to have its recommendations done in time to table legislation in time to have it all in place by July 2019. Obviously, if their review is not completed or new legislation that's required hasn't actually passed, we're in this problem all over again. But I do think a one-year delay gets us a lot closer than no delay.9

1.13 In terms of responsible lending, consumer advocates made it quite clear that the passage of this bill is not going to impede financial institutions from making responsible lending decisions:

CHAIR: Surely, though, the obligation on lenders to inquire about income and expense information requires an honour system of the client themselves, which this bill will largely overcome.

Ms Temple: Under the legislation they need to make inquiries about people's financial situations, needs and objectives. But they also need to verify that information. The verification is a critical step and until now has

often been where the lenders have fallen down. While credit reports may provide some extra information they can use to verify people's situations, they still won't provide a full picture of what's happening in their lives. The reality is that people tend to prioritise making debt repayments over other essentials, like rent and food, even in our experience. So we don't see credit reports as the silver bullet to fix irresponsible lending.10

1.14 In response to this evidence, Labor Senators believe it is quite reasonable for the contested dataset, repayment history information, to be supplied only after the Attorney-General's review is complete and the government has responded to its recommendations.

Concerns raised about cybersecurity risks 1.15 This legislation will lead to a significant increase in the data held on consumers by credit reporting bodies. This obviously increases risks of breaches and dramatically escalates the consequences should a breach occur.

1.16 Given the 2017 Equifax data breach in the United States where approximately 143 million American consumers had personal and financial data exposed11, it is important that Australia learns from this experience and ensures that the comprehensive credit reporting framework provides sufficient incentives and penalties for entities who handle this information.

9 Mrs Julia Davis, Policy and Communications Officer, Financial Rights Legal Centre, Committee Hansard, 15 May 2018, p. 23.

10 Ms Katherine Temple, Senior Policy Officer, Consumer Action Law Centre, Committee Hansard, 15 May 2018, p. 20.

11 US Federal Trade Commission, 8 September 2017, accessed via https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do

45

1.17 Labor Senators note Treasury comments in the explanatory memorandum which explain that the bill allows for credit providers to 'withhold the supply of mandatory credit information where a licensee does not reasonably believe that the credit reporting body is meeting its information security obligations under the Privacy Act' and expects that credit providers will 'typically place their own obligations on a credit reporting body to ensure the security of their customer's information that is disclosed'.12

1.18 When such questions were put to the ABA, the ABA said that the provisions in the bill were sufficient, assuming that the OAIC would fulfil its role. However, details were not provided as to the nature of contractual arrangements that might be agreed to between major ADIs and credit reporting bodies:

Senator KETTER: Are you satisfied with the data security requirements of the bill, especially in light of the Equifax data breach in the US? If you're not satisfied, what should be included in the legislation?

Mr Gilbert: No, we're satisfied with the uplift in those requirements and we think that that was a beneficial thing to do.

Senator KETTER: What types of terms do you think might be included in the banks' contracts with the credit-reporting bodies? For example, will there be independent third-party auditing of the credit-reporting bodies' systems?

Mr Gilbert: I have no vision at all about that. I would expect that banks would be concerned to ensure that whatever data they contributed to the CRBs—it's their data, about their customers—would be secure and properly held and managed.

Senator KETTER: The explanatory memorandum says:

… licensees … typically place their own obligations on a credit reporting body to ensure the security of their customer's information … These obligations are set out in the contract between the licensee and credit reporting body and could include requiring audits, reviewing the results of stress tests or requiring that certain procedures are put in place to train staff.

Are those the sorts of things that you're referring to?

Mr Gilbert: I would imagine that they would be. I have not seen any of those contracts, for obvious reasons, but I would imagine that they're the sorts of protective provisions that a bank would generally enter into with a CRB. Of course, we heard from the Information Commissioner this morning that she'll be watching this space pretty carefully as well to make sure that the sorts of security arrangements, collection, use, disclosure and all those aspects of privacy law are properly looked after.

Senator KETTER: What do you think the banks will do to satisfy themselves that the credit-reporting bodies will be handling the data appropriately?

12 Explanatory Memorandum, p. 13.

46

Mr Gilbert: It won't be handing it over and forgetting about it. They will want to be sure that the credit-reporting bodies are doing the right thing with their data. As to what those measures are, as I said earlier, I haven't seen any of the contractual provisions at all, and it's probably not appropriate for me to see them given that I represent a lot of other banks as well. I can only say that they are normal provisions that would apply, similar to what APRA might require in terms of outsourcing arrangements: strong, resilient, robust requirements.13

1.19 With regards to penalties, answers to questions on notice from the Attorney-General's Department indicate that the maximum civil penalty which applies Privacy Act breaches that are serious or repeated non-compliance is $2.1m (without considering compensation).14

1.20 Labor Senators note all of comments regarding privacy and cybersecurity and will continue to evaluate whether these current provisions are sufficient to protect consumer personal and financial data.

Concerns raised that the benefits of comprehensive credit reporting will primarily accrue to the finance industry itself 1.21 The Financial Rights Legal Centre in its testimony to the committee made it clear that they believe that credit providers and credit reporting bodies are likely to the accrue most of the efficiencies and profits that are generated via comprehensive credit reporting:

Thirdly, consumer groups strongly believe the shift to CCR in Australia is only going to result in increased profits for banks and for the credit bureau. We do not believe that it is going to bring the promised benefits for consumers, for the broader community or for the economy.15

1.22 In making more information available to credit providers when a consumer applied for credit, it can be expected that more credit on aggregate might be loaned out to underserved sections of the community and that non-performing credit will be reduced as credit providers will be able to more easily reduce or deny credit to those who they see as too high a risk. In aggregate, this potential increase of total credit and

a reduction in non-performing credit should reduce the average cost to supply credit to the Australian market.

1.23 It can be reasonably expected that such gains to credit providers will, in a competitive market, be distributed largely between credit provider profits, credit reporting body profits and, in aggregate, reduced credit costs for consumers, even if individual consumers face increased or reduced cost of credit in their individual

circumstances.

13 Mr Ian Gilbert, Executive Director, Legal and Regulation, Australian Banking Association Incorporated, Committee Hansard, 15 May 2018, p. 33. 14 Attorney-General's Department, answers to written questions on notice (received 25 May 2018). 15 Mrs Julia Davis, Policy and Communications Officer, Financial Rights Legal Centre,

Committee Hansard, 15 May 2018, p. 18.

47

1.24 Labor Senators remain cautious that the benefits of comprehensive credit reporting are likely to accrue primarily to credit providers and credit reporting bodies given the lack of price competition that is likely to exist in both of these sectors.

1.25 In fact, the New Zealand Privacy Commissioner recently issued a report after six years of credit reporting and made a number of remarkable findings, and went even as far as considering a return to negative credit reporting if industry failed to deliver individual and community benefits:

The picture that has emerged in the review shows some evidence of benefits to participants in the credit reporting system but, so far, limited evidence of benefits to individuals, the community and the economy. It is difficult yet to say how much this can be attributed to slow uptake of positive reporting, unwillingness for reasons of commercial sensitivity for industry players to share compelling evidence of benefits or because CCR is unlikely to deliver substantial benefits beyond those accruing to CCR participants.16

The intrusion of CCR beyond the negative credit reporting system that has existed for decades cannot be justified simply by the interests of lenders. While reverting to the former negative system - which principally impacted individuals who had failed to meet their credit obligations rather than all credit active New Zealanders - would be one possible response to a failure of CCR to deliver individual and community benefits. A much better outcome would be for the credit industry to act decisively to demonstrate that it can deliver on such issues as consumer choice, competition, responsible lending, improved identification practices, quotation enquiries, lending to under-served communities and public education. A number of the report's recommendations go to these issues. 17

1.26 One such community benefit would be a reduced cost of credit in aggregate for the Australian population.

1.27 The Australian Finance Industry Association supported this proposition:

Ms Gordon: The first question is: is the consumer going to have an interest rate that is less than what they would currently have with the fact that there is repayment information? Our understanding is yes.18

1.28 Experian supported the idea that saving should flow through in some degree to consumers:

16 New Zealand Privacy Commissioner, Comprehensive Credit Reporting Six Years On, p. 8, accessed via https://www.privacy.org.nz/assets/Uploads/Report-on-Review-of-CRPC-Amendments-No-4-and-No-5-PDF.pdf

17 New Zealand Privacy Commissioner, Comprehensive Credit Reporting Six Years On, pp. 9-10, accessed via https://www.privacy.org.nz/assets/Uploads/Report-on-Review-of-CRPC-Amendments-No-4-and-No-5-PDF.pdf

18 Ms Helen Gordon, Chief Executive Officer, Australian Finance Industry Association, Committee Hansard, 15 May 2018. p. 15.

48

Mr Konstantinidis: I can't speak on behalf of the lenders, but I would have thought that there is a greater opportunity, with some of the advantages— whether it's the lower provision for bad and doubtful debts because of the more informed credit decisions they are able to make or, I would have thought, the enhanced customer experience and operational efficiency that drives—to pass on some of those things. But, again, I cannot speak on behalf of the lender.19

1.29 The ABA was more circumspect and did not support or reject the proposition that consumer should stand to gain to some degree:

Mr Gilbert: I can't make any predictions about what the cost of credit is going to be in this country. As a person in an industry body representing 24 potential credit providers, I really prefer not to make any observations about what the cost of credit is going to be in this country. I don't want to be signalling one thing or the other.20

1.30 The Australian Retail Credit Association also did not reject the idea of reduced cost of credit and also said that consumer cost of credit could fall through competition, by making comprehensive credit reporting information available to smaller credit providers:

Senator KETTER: The theory is that, with fewer bad loans out there, there are cost savings to the lenders and that could be passed on to consumers. It is also a problem that we have lower levels of competition in the industry. So people rightly could be sceptical about whether the benefits of those cost savings are going to be passed on to consumers. What do you say about that?

Mr Laing: People can be sceptical in a marketplace where the four major banks have 60 per cent of the data—the four major banks effectively have 60 per cent of the credit accounts in this marketplace.21

(prior testimony)

Senator KETTER: I would appreciate that. Other witnesses today have been fairly circumspect about whether they can guarantee that the overall cost of credit to consumers would be reduced as a result of this. Are you prepared to come out with a prediction?

Mr Laing: I can't predict exact pricing and what the average price would be. We have anecdotal evidence—it is not independently verifiable—from a fintech that, as a result of CCR going into the system, they could actually reduce prices. They didn't increase prices for anyone; they only reduced prices. Competition through CCR enables a bank to treat any customer they can attract to the door as a current customer; they can treat them as if they

19 Mr Poli Konstantinidis, Executive General Manager, Credit Services and Decision Analytics A&NZ, Experian, Committee Hansard, 15 May 2018, p. 39. 20 Mr Ian Gilbert, Executive Director, Legal and Regulation, Australian Banking Association Incorporated, Committee Hansard, 15 May 2018, p. 30. 21 Mr Michael Laing, Executive Chairman, Australian Retail Credit Association, Committee

Hansard, 15 May 2018, p. 49.

49

were their own customer. I have seen anecdotal evidence from another country where, as a result of CCR going into that marketplace, they grew their overall lending by five to 10 per cent but they grew their new lending by about 30 per cent—because they could suddenly tell the credit profile of these customers and be confident that it was actually correct.

The recent Productivity Commission inquiry into competition criticised the market. It said there's actually not strong price competition within the Australian market. Comprehensive credit reporting is one of the tools that enables people to compete more on price. Repayment history is a critical piece of that puzzle that will help people better target pricing to the risks that they are actually facing.22

1.31 Labor Senators remain supportive of the Fintech sector and its ability to increase competition and consumer satisfaction within the financial sector.

1.32 Notwithstanding this support, given the New Zealand experience and the current competitive environment in Australia, Labor Senators remain sceptical that consumers stand to gain much at all.

1.33 While making credit reports available to smaller credit providers should increase the level of competition, such credit reports can be a double-edged sword. Credit reports, with their wealth of information, could also be used by all credit providers to more accurately establish a consumer's "maximum willingness to pay" for credit products and could enable credit providers to more easily extract the maximum profit they can from each consumer, particularly in an industry with low levels of price competition.

1.34 The balance of evidence overall suggests that where possible, most credit providers and credit reporting bodies will try to use CCR to boost profits and minimise consumer benefits. Labor Senators will continue to monitor the evolution of this sector, the level of competition and whether consumer benefit or detriment materialises.

Concerns raised about privacy risks and use of data 1.35 In the age of "big data" and recent public policy debates about the use of data by companies such as Facebook23, it is important that the Senate grapples with this emerging challenge.

1.36 Given that this bill deals with data that is both consumer data and financial data, it is vital that there are adequate regulations and protections to ensure that this data is used for designed purposes.

1.37 This consumer financial data has a value and there are many ways that this data could be used in an unregulated market. For instance, the data could be used to

22 Mr Michael Laing, Executive Chairman, Australian Retail Credit Association, Committee Hansard, 15 May 2018, p. 48. 23 'Facebook is about to tell users if they've been affected by the Cambridge Analytica scandal', ABC News, 10 April 2018, accessed via http://www.abc.net.au/news/2018-04-10/facebook-to-

tell-users-if-data-used-by-cambridge-analytica/9635658

50

enable targeted marketing campaigns or the data could be combined with other data sets, such as those held by companies like Facebook and Google to enable companies to have a better understanding of their users and could present new opportunities for such companies to generate revenue and profit.

1.38 Labor Senators note questions on notice from credit reporting bodies and other stakeholders which strongly state that Australia's privacy legislation is very robust and that there are no loopholes which would enable anonymised data or derived data to be passed on or used for purposes other than credit reporting.

1.39 Notwithstanding these answers, Labor Senators will continue to monitor whether current legislation continues to be appropriate, that regulators are enforcing the legislation adequately and whether the industry indeed only uses this data for designed purposes.

1.40 Labor Senators also note the media release put out by the largest credit reporting body, Equifax, which announced in July 2017 a partnership with Nine Entertainment24. The announcement states that '[t]he commercial arrangement will allow Nine to leverage Equifax's rich insights and extensive consumer segments across the Nine Digital network. Combined with their own data, this is a powerful combination for marketers, allowing them to extend their offerings to new audiences'.

1.41 Labor Senators are not accusing Equifax of engaging in illegal or immoral conduct by citing this media release, but merely point out that the existence of such partnerships confirms how important it is to continue to properly regulate this data.

1.42 In raising questions about such concerns, Senator McAllister pointed out that the FlyBuys program shares data with credit reporting providers:

Senator McALLISTER: I've got one on notice which I'm not certain you'll be able to answer at this point. I'm just looking at the privacy policy for flybuys. It says:

We and Wesfarmers group companies may exchange your personal information with service providers engaged to assist with services—

and there is a long list, but one of them is credit reporting. I would be interested just to understand a little more about other sources of information used by your members in compiling credit information on a commercial basis.25

1.43 Labor Senators will continue to monitor whether current and proposed arrangements are still suitable in addressing these risks.

Government's handling of regulating the financial sector 1.44 Submissions and hearing testimony indicate that the government is not taking seriously the challenges of consumer financial data protections. Just like the government was brought kicking and screaming into the establishment of a Royal

24 Equifax, Nine launches new data partnership with Equifax, 12 July 2017, accessed via https://www.equifax.com.au/news-media/nine-launches-new-data-partnership-equifax 25 Committee Hansard, 15 May 2018, p. 52.

51

Commission into the banking and financial services sector, it seems that the government has not clearly thought through key risks in this legislation.

1.45 Given access to credit is almost a necessity in today's society, it is important that legislation and regulations ensure that people are treated fairly.

1.46 Labor Senators are concerned that testimony given by Treasury and the OAIC indicates that there is insufficient coordination between Treasury, AGD, the OAIC and ASIC to provide a legislative and regulatory environment that the community would rightly expect if private credit reporting bodies are to hold such significant amounts of consumer data:

(a) It appears that Treasury are relying on a decision taken in 2012 to support the passage of this legislation26 when, since 2012, there have been a number of public policy debates around the use and regulation of user data;

(b) Conversations with Treasury officials also raised concerns that there is insufficient coordination between the Attorney-General's Department, the Department of the Treasury, OAIC and ASIC in terms of policy development and regulation of financial data.27

1.47 Legislative protections only hold value if they are enforced properly. Labor Senators call on the government to demonstrate that there is sufficient coordination, resourcing and expertise within the OAIC and ASIC to properly enforce this industry.

1.48 Labor Senators call on the government to address these concerns of policy and regulatory fracture. Given the heightened risks and dire consequences of data breaches, a reactive attitude to improving legislation and enforcement is not a suitable approach.

Recommendation 1

1.49 To amend the bill so that the requirement for large ADIs to supply repayment history information be delayed by 12 months to 1 July 2019 in order to allow the Attorney-General's Department to complete its review of financial hardship arrangements and for the government to provide a response to this review.

Senator Chris Ketter Senator Jenny McAllister

Deputy Chair Senator for New South Wales

26 Committee Hansard, 15 May 2018, p. 53. 27 Committee Hansard, 15 May 2018, p. 62.

Appendix 1

Submissions, additional information, answers to questions on notice and tabled documents

Submissions 1 PERC

2 Queensland Law Society 3 Australian Banking Association (ABA) 4 illion

5 Customer Owned Banking Association (COBA) 6 Australian Finance Industry Association (AFIA) 7 Australian Retail Credit Association (ARCA) 8 Financial Rights Legal Centre 9 Australian Small Business and Family Enterprise Ombudsman (ASBFEO) 10 Dr Andrew Grant, The University of Sydney 11 Westpac Group 12 Office of the Australian Information Commissioner (OAIC) 13 ANZ

Additional information 1 Additional information received from Experian on 22 May 2018 2 Additional information received from Experian on 22 May 2018 3 Clarification of evidence provided by the Office of the Australian Information

Commissioner following a public hearing held in Melbourne on 15 May 2018

Answers to questions on notice 1 Answers to written questions on notice, received from Experian on 22 May 2018 2 Answers to written questions on notice, received from the Australian Credit

Retail Association on 23 May 2018 3 Answers to written questions on notice, received from the Australian Banking Association on 24 May 2018 4 Answers to written questions on notice, received from the Treasury on

25 May 2018 5 Answers to written questions on notice, received from illion on 25 May 2018 6 Answers to written questions on notice, received from the Office of the Australian Information Commissioner on 25 May 2018

54

7 Answers to written questions on notice, received from the Attorney-General's Department on 25 May 2018 8 Answers to written questions on notice, received from the Australian Finance Industry Association on 27 May 2018

Tabled documents 1 Document tabled by the Financial Rights Legal Centre at a public hearing in Melbourne on 15 May 2018

Appendix 2 Public hearings

Melbourne, 15 May 2018

Members in attendance: Senators Hume, Ketter and McAllister

BROWN, Mr Steven, Director, Bureau Engagement, illion

CREMIN, Miss Geraldine, Head of Regulatory Compliance and Principles of Reciprocity and Data Exchange, Australian Retail Credit Association

DAVIS, Mrs Julia, Policy and Communications Officer, Financial Rights Legal Centre

FALK, Ms Angelene, Acting Australian Information Commissioner, and Acting Privacy Commissioner, Office of the Australian Information Commissioner

GILBERT, Mr Ian, Executive Director, Legal and Regulation, Australian Banking Association Incorporated

GORDON, Ms Helen, Chief Executive Officer, Australian Finance Industry Association

HIGGINS, Ms Sophie, Director, Regulation and Strategy, Office of the Australian Information Commissioner

KELLY, Mr James, Chief Adviser, Financial System Division, Treasury

KONSTANTINIDIS, Mr Poli, Executive General Manager, Credit Services and Decision Analytics A&NZ, Experian

LAING, Mr Michael, Executive Chairman, Australian Retail Credit Association

LANDIS, Ms Fiona, Director, Government Relations, Australian Banking Association Incorporated

NAMGYAL, Mr Danny, Policy Analyst, Financial System Division, Treasury

RAK, Ms Michelle, Senior Analyst, Law Design Office, Treasury

SCHNEIDER RUMBLE, Ms Anna, Law Design Office, Treasury

TEMPLE, Ms Katherine, Senior Policy Officer, Consumer Action Law Centre