National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018




ISSN 1328-8091

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest.

BILLS DIGEST NO. 129, 2017-18
25 JUNE 2018

National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018

Paula Pyburne
Law and Bills Digest Section

Contents

The Bills Digest at a glance
Purpose of the Bill
Background
Licensing arrangements
Establishing the credit reporting framework
Regulatory code
Current information shared
From voluntary to mandatory
Responsible lending obligations
Recommendations for change
Financial System Inquiry
Productivity Commission inquiry
Move to a mandatory system
Committee consideration
Senate Standing Committee on Economics
Senate Standing Committee for the Scrutiny of Bills
Policy position of non-government parties/independents
Position of major interest groups
Arguments for compulsory credit reporting
Arguments against compulsory credit reporting
Problems for lower income applicants

Date introduced: 28 March 2018

House: House of Representatives

Portfolio: Treasury

Commencement: Sections 1-3 on Royal Assent; Schedule 1, items 1-11 on the day after Royal Assent; Schedule 1, item 12 on the later of immediately after the commencement of items 1-11 and 1 July 2018

Links: The links to the Bill, its Explanatory Memorandum and second reading speech can be found on the Bill’s home page, or through the Australian Parliament website.

When Bills have been passed and have received Royal Assent, they become Acts, which can be found at the Federal Register of Legislation website.

All hyperlinks in this Bills Digest are correct as at June 2018.


Security of data
Financial implications
Statement of Compatibility with Human Rights
Parliamentary Joint Committee on Human Rights
Key issues and provisions
Entities supplying credit information
Key issue—other credit providers
Entities receiving credit information
Application of Part 3-2CA
Scrutiny of Bills Committee comments
Information to be supplied
Key issue—interaction with the hardship provisions
Timing for supply of information
First bulk supply
Subsequent bulk supply
Reporting to the Minister
How the supply is made
Ongoing requirement to supply
Offences
Evidential burden
On-disclosing credit information
ASIC’s role
Review of the Part 3-2CA
Other provisions
Concluding comments


The Bills Digest at a glance

The National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018 (the Bill) amends the Privacy Act 1988 and the National Consumer Credit Protection Act 2009 to mandate a comprehensive consumer credit reporting scheme.

The Bill requires large Authorised Deposit-taking Institutions (ADIs) and certain other credit providers to supply comprehensive credit information to eligible credit reporting bodies—of which there are currently three.

The information that must be provided includes:

• identification information, including name, date of birth and address

• consumer credit liability information, including the name of the credit provider, type of consumer credit, and maximum amount of credit available

• repayment history information, including whether or not an individual is obliged to make monthly payments in relation to a consumer credit agreement, and when those payments are due and payable

• default information, including information about payments that are overdue, and steps taken to recover the overdue amounts

• payment information including information about payments of overdue amounts that have been made by an individual and

• new arrangement information, including information about variations to a consumer credit agreement.

The information is initially to be provided in two tranches commencing on 1 July 2018 and 1 July 2019 respectively.


Purpose of the Bill

The primary purpose of the National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018 (the Bill) is to amend the National Consumer Credit Protection Act 2009 (Consumer Credit Act) to establish a comprehensive credit reporting regime. The mandatory regime will require large Authorised Deposit-taking Institutions (ADIs) to provide comprehensive credit information on consumer credit accounts to certain credit reporting bodies.

The Bill also makes consequential amendments to the Privacy Act 1988.

Background

Licensing arrangements

The Consumer Credit Act, which contains the National Credit Code, applies to credit contracts entered into, on, or after 1 July 2010¹ where:

• the lender is in the business of providing credit

• a charge is made for providing the credit

• the debtor is a natural person or strata corporation

• the credit is provided:

- for personal, domestic or household purposes or

- to purchase, renovate or improve residential property for investment purposes, or to refinance credit previously provided for this purpose.2

Under the Consumer Credit Act a person cannot engage in a credit activity if the person does not hold an Australian credit licence (AC licence).3

Establishing the credit reporting framework

The collection, use and disclosure of personal information in Australia is regulated by the Privacy Act.

In 1991, Part IIIA was inserted into the Privacy Act to extend its operation to consumer credit reporting.4 It provides a framework for the collection, disclosure and use of credit-related information. The credit reporting provisions in Part IIIA facilitate the sharing of credit-related information between credit providers and credit reporting bodies. At present there are three credit reporting bodies in Australia—Equifax, Experian and Illion (formerly Dun and Bradstreet).5

Initially, the information that was shared related to ‘negative’ credit events.6

Negative reporting limits the collection of personal information to that which relates to an individual’s credit delinquency, such as defaults on payments or dishonoured cheques, and inquiries on the credit record. Positive credit reporting permits the collection of personal information which demonstrates an individual’s credit account activity, such as the timeliness of payments, account type, the credit limit and the amounts of credit liabilities.7

1. In this Bills Digest, references to the Consumer Credit Act are by way of section numbers. However, references to the National Credit Code which is a Schedule to the Consumer Credit Act are by way of clause numbers.
2. Consumer Credit Act, Schedule 1, clause 5.
3. Consumer Credit Act, section 29.
4. Part IIIA was inserted into the Privacy Act by the Privacy Amendment Act 1990.
5. M Sukkar, ‘Second reading speech: National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018’, House of Representatives, Debates, 28 March 2018, p. 3015.
6. Financial System Inquiry, Financial system inquiry: final report, (Murray Report), Treasury, Canberra, November 2014, p. 190.

However, the enactment of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (2012 Amending Act) (in response to a report by the Australian Law Reform Commission),8 amongst other things:

• set out five new kinds of personal information which would be reported and

• did away with the concepts of ‘negative’ and ‘positive’ reporting, and instead introduced the concept of ‘comprehensive’ reporting.

Comprehensive credit reporting will give credit providers access to additional personal information to assist them in establishing an individual’s credit worthiness. The additional personal information will allow credit providers to make a more robust assessment of credit risk and assist credit providers to meet their responsible lending obligations. It is expected that this will lead to decreased levels of over-indebtedness and lower credit default rates. More comprehensive credit reporting is also expected to improve competition and efficiency in the credit market, which may result in reductions to the cost of credit for individuals.9

Those amendments did not commence until 12 March 2014.

Regulatory code

An industry-developed regulatory code for Australia’s credit reporting system was approved by the Office of the Australian Information Commissioner in 2014.10 Participation in the expanded system was voluntary, with information being shared on a reciprocal basis (participants have access only to the types of information that they themselves have shared). The Australian Retail Credit Association formalised this arrangement through the Principles of Reciprocity and Data Exchange, which were approved by the Australian Competition and Consumer Commission (ACCC) in December 2015.11 Notably, principle three:

… ensures that data meets a certain standard before it is exchanged, by requiring that shared data adheres to the Australian Credit Reporting Data Standard (ACRDS). The standardised system means that data is communicated in a way that it can be universally understood by other signatories to the PRDE [Principles of Reciprocity and Data Exchange].12

Current information shared

In the current voluntary credit reporting regime, credit providers (such as financial services firms and utility providers) and credit reporting bodies are permitted to share information related to:

• a credit provider having sought a credit report (from a credit bureau) in relation to an application for credit by an individual, and the amount of the credit sought

• an individual’s current credit providers

• any credit defaults (which is the failure to meet legal repayment obligations) in the previous five years

• a credit provider’s opinion that an individual had committed a serious credit infringement (such as credit fraud)

• the type of credit account opened

• the date the account was opened

• the current limit of the account

• the date on which the account was closed.13

7. Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012, p. 14.
8. Australian Law Reform Commission, Australian privacy law and practice, ALRC report 108, 12 August 2008. Recommendations 54-59 of the report relate to credit reporting.
9. Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012, p. 3.
10. Office of the Australian Information Commissioner (OAIC), ‘Credit reporting’, OAIC website. See also Privacy (Credit Reporting) Code 2014.
11. Australian Competition and Consumer Commission (ACCC), Australian Retail Credit Association Limited—Authorisation—A91482, ACCC website; Australian Retail Credit Association (ARCA), Principles of reciprocity and data exchange, ARCA website.
12. ARCA, Principles of reciprocity and data exchange, op. cit.

In addition, ASIC-licensed credit providers are permitted to share information related to payment history, including:

• whether the individual was meeting their payment obligations and

• the number of repayment cycles the individual was in arrears.14

From voluntary to mandatory

Responsible lending obligations

All holders of a credit licence must comply with the responsible lending obligations.15 The responsible lending obligations are aimed at better informing consumers and preventing them from being in unsuitable credit contracts. In particular:

• before providing credit assistance to a consumer, a licensee must make a preliminary assessment about whether the contract will be unsuitable for the consumer.16 To do this, the licensee must make inquiries and verifications about the consumer’s requirements, objectives and financial situation17 and

• a licensee is prohibited from providing credit assistance to a consumer in relation to a credit contract if the contract will be unsuitable for the consumer.18

Regulation 28XXF of the National Consumer Credit Protection Regulations 2010 (Consumer Credit Regulations) deems that a credit contract is unsuitable for a consumer if:

• the consumer’s requirements and objectives are to receive an identified amount of credit

• the credit contract is part of an arrangement by which the identified amount of credit is provided, or to be provided, by:

- two or more small amount credit contracts

- two or more medium amount credit contracts or

- a combination of small amount credit contracts and medium amount credit contracts and

• the amount that is payable under the combination of credit contracts (in circumstances in which there is no default by the debtor) is higher than the maximum amount that could be charged under a single credit contract in accordance with the National Credit Code.19

Lenders are not able to fulfil the responsible lending obligations where they have incomplete or inaccurate information about the creditworthiness of a potential borrower.

13. Productivity Commission, Data availability and use, Inquiry report, 82, 31 March 2017, pp. 548-9.
14. Ibid., p. 549.
15. ASIC, Responsible lending, ASIC website.
16. ASIC issued a regulatory guide entitled Credit licensing: responsible lending conduct in November 2014.
17. Consumer Credit Act, section 117.
18. Consumer Credit Act, subsection 123(1).
19. Consumer Credit Act, Schedule 1, clause 32A provides that a credit provider must not enter into a credit contract if the annual cost rate of the contract exceeds 48 per cent.

Recommendations for change

Financial System Inquiry

In December 2014, the Treasurer released the final report of Financial System Inquiry 2014 (known as the Murray Inquiry after the chair of the review, former CEO of the Commonwealth Bank David Murray AO) which examined the Australian financial system.20

Amongst other things, the Murray Inquiry acknowledged that, as the legislation which underpinned comprehensive credit reporting had come into effect in March 2014, the regime had not, at that time, been fully implemented. Nevertheless it noted:

Participation in [comprehensive credit reporting] is voluntary, so the pace and extent of eventual participation in the regime is not yet clear.

For credit providers, participation will depend on the perceived net benefits, which will differ between different classes of credit provider. For a major institution with a relatively large customer base, early and full participation may provide, at least initially, relatively larger benefits to other, smaller participants than for the institution itself.

As participation and system-wide data grow, net benefits increase for all CCR participants. Further credit providers that do not participate are at risk of adverse selection with respect to potential new borrowers; a risk that becomes more acute as industry participation increases.21

Accordingly, the Murray Inquiry recommended that the Government ‘support industry efforts to expand credit data sharing’ and if ‘participation is inadequate, Government should consider legislating mandatory participation’.22

Productivity Commission inquiry

The Productivity Commission released its final report of its inquiry into data availability and use in March 2017.23

For the purposes of that report, the Productivity Commission characterised financial data as information that is created in the provision and consumption of financial products and services, as well as data generated in the course of government regulation and supervision of the financial system.24

The Productivity Commission considered whether comprehensive credit reporting should be made mandatory or should remain voluntary. It considered that there were ‘compelling reasons to mandate participation in CCR’.25

Amongst other things, the perceived benefits of comprehensive credit reporting are:

• additional availability of credit-related information would improve credit allocation and pricing so that at least some consumers would be able to access cheaper loans and

• allowing smaller financial businesses and potential new entrants to have access to a large pool of customer data may help to facilitate their entry into the market, which could boost competition and innovation in the finance sector26

• if data collected and stored by credit providers is viewed as jointly owned with the customer then the customer should be allowed to share the data with third parties, including for the purposes of a credit assessment, regardless of whether their credit provider wishes to participate in CCR.27

20. J Hockey (Treasurer), Release of the Financial System Inquiry report, media release, 7 December 2014; FSI, Financial system inquiry: final report, op. cit.
21. Ibid., pp. 191-2.
22. Ibid., p. 190.
23. Productivity Commission, Data availability and use, op. cit.
24. Ibid., pp. 542-3.
25. Ibid., p. 556.
26. Ibid., pp. 556-7.

On the other hand, compulsory comprehensive credit reporting ‘would impose costs on all finance sector businesses legally obliged to participate in the scheme’.28 In addition, the much greater volumes of data could give rise to ‘data quality issues’.29

The Productivity Commission recommended:

The Australian Government should adopt a minimum target for voluntary participation in Comprehensive Credit Reporting of 40% of all active credit accounts, provided by Australian Securities and Investments Commission (ASIC)-licensed credit providers, for which comprehensive data is supplied to the credit bureaux in public mode. If this target is not achieved by 30 June 2017, the Government should circulate draft legislation by 31 December 2017, to impose mandatory participation in Comprehensive Credit Reporting (including the reporting of repayment history) by ASIC-licensed credit providers in 2018.30 [emphasis added]

Move to a mandatory system

As stated above, the legislation to facilitate a voluntary system of comprehensive credit reporting commenced in March 2014. However, in September 2017, it was reported that ‘the figure for voluntary participation in a CCR framework is less than one per cent, and the dial has barely shifted for years’.31

The Government committed to implementing the recommendation of the Productivity Commission in the 2017-18 Budget.32 In November 2017, the Government announced that it would legislate for a mandatory comprehensive credit reporting regime to come into effect by 1 July 2018, on the grounds that the 40 per cent target would not be met. According to the Treasurer, Scott Morrison:

The four major banks will be the first to face the mandated reporting, given they account for approximately 80 per cent of the volume of lending to households.33

Committee consideration

Senate Standing Committee on Economics

The Bill has been referred to the Senate Standing Committee on Economics (Economics Committee) for inquiry and report by 29 May 2018.34 The comments by submitters to the Economics Committee are canvassed below.

The Economics Committee recommended that the Bill be passed and that the Government ‘consider expediting its review of financial hardship arrangements’.35 Labor senators on the Committee made additional comments, advising that they are ‘cautiously supportive’ of the measures in the Bill, but will:

27. Ibid., pp. 556-7.
28. Ibid., p. 557.
29. Ibid.
30. Productivity Commission, Data availability and use, op. cit., recommendation 5.5, p. 38.
31. R Gluyas, ‘Coalition zeroes in on credit reporting’, The Australian, 14 September 2017, p. 21.
32. S Morrison (Treasurer), Building an accountable and competitive banking system, media release, 9 May 2017.
33. S Morrison (Treasurer), Mandating comprehensive credit reporting, media release, 2 November 2017.
34. The terms of reference for the inquiry, submissions to the Economics Committee and the Committee’s final report (when published) are available on the inquiry homepage.
35. Senate Standing Committee on Economics, National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018 [provisions]—report, The Senate, Canberra, 5 June 2018, pp. 38-9.

… take a very careful look at both the government's approach to regulating the use of consumer financial data and whether any benefits of mandatory comprehensive credit reporting will flow through to consumers.36

Labor senators recommended that the Bill be amended to delay the first stage requirement by 12 months to 1 July 2019 ‘in order to allow the Attorney-General's Department to complete its review of financial hardship arrangements and for the government to provide a response to this review’.37

Senate Standing Committee for the Scrutiny of Bills

The Senate Standing Committee for the Scrutiny of Bills (Scrutiny of Bills Committee) commented on the Bill in its report of 9 May 2018.38

The Scrutiny of Bills Committee acknowledged the importance of improving the administration of Australia's credit reporting regime. However, it expressed concern that requiring the disclosure of mandatory credit information has the potential to unduly trespass on the privacy of individuals—particularly the customers of the large ADIs contemplated by the Bill, as the information required to be disclosed includes a substantial amount of personal and financial information about individuals.39 Additional comments made by the Scrutiny of Bills Committee are canvassed below under the heading ‘Key issues and provisions’.

Policy position of non-government parties/independents

At the time of writing, no comments had been made by non-government parties or independents in relation to the Bill, apart from the comments by Labor senators on the Economics Committee, discussed above.

Position of major interest groups

Arguments for compulsory credit reporting

A 2015 report by KPMG to the Australian Retail Credit Association outlines, amongst other things, the reasons for improved credit data exchange in the following terms:

The exchange of credit data between financial institutions is important to the ability of financial institutions to manage their credit risk—that is, the risk of loss arising from the default by a borrower in respect of money lent by the financial institution. Credit risk is the single largest financial risk faced by most banks and other lenders. Reflecting this, most episodes of bank distress or failure globally have arisen primarily because of inadequate management of credit risk. The management of credit risk is the single biggest factor that influences the prudential soundness of individual financial institutions and the stability of the financial system.40

36. Ibid., p. 41.
37. Ibid., p. 51.
38. Standing Committee for the Scrutiny of Bills, Scrutiny digest, 5, 2018, The Senate, 9 May 2018, pp. 34-9.
39. Ibid., p. 36.
40. KPMG, Report to the Australian Retail Credit Association: the benefits of enhanced credit data exchange, KPMG, January 2015, p. 16.

Generally, submitters to the Economics Committee inquiry accepted that there are sound reasons for mandatory comprehensive credit reporting on economic grounds—although there were some qualifications.

The Australian Banking Association welcomed the removal of the existing information symmetry between credit providers and credit applicants. Citing the New Zealand (NZ) model of comprehensive credit reporting, it noted that benefits identified in the NZ regime included:

• giving credit providers a more accurate and complete picture of individuals’ credit worthiness, allowing them to make better assessments of risk and facilitate a more responsible lending decision

• increasing competition in the credit industry by enabling access to better information and

• opening mainstream credit to a wider pool of individuals who may otherwise be excluded due to a lack of verifiable information about them.41

Similarly, Dr Andrew Grant of the University of Sydney Business School stated that the ‘introduction of credit sharing should improve the amount of loans funded and the cost of loan funding for good borrowers’.42

Arguments against compulsory credit reporting

Problems for lower income applicants

The other side of that coin is addressed in the submission by the Queensland Law Society (QLS) to the Economics Committee. QLS acknowledged that the measures in the Bill enhance the ability of consumer credit providers to lend responsibly. However, the submission expressed concern that comprehensive credit reporting ‘may result in lower income applicants being charged more for credit due to greater differential pricing based on more available information’.43

The Financial Rights Legal Centre agreed, stating:

… some lenders are likely to use this increased information not to deny people credit where it appears their finances are already stretched, but to charge those customers more for credit. We may see a significant increase in price discrimination including an influx of expensive, priced-for-risk products, such as credit cards charging up to 48 per cent per annum for those deemed risky.44

Security of data

Of concern to some submitters was the need for enhanced privacy protections relating to notification, data quality, access and correction, and complaints.45 According to the Office of the Australian Information Commissioner, ‘robust information handling practices will be essential to ensure the success and sustainability of this initiative’ … ‘the Bill envisages active oversight by the OAIC, particularly of security issues arising in the mandatory comprehensive credit reporting system’.46

41. Australian Banking Association, Submission to the Senate Economics Committee, Inquiry into the National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018, 20 April 2018, p. 2.
42. A Grant (University of Sydney Business School), Submission to the Senate Economics Committee, Inquiry into the National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018, n.d., p. 1.
43. Queensland Law Society, Submission to the Senate Economics Committee, Inquiry into the National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018, 20 April 2018, p. 2.
44. Financial Rights Legal Centre (jointly with Consumer Action Law Centre, Financial Counselling Australia, Australian Privacy Foundation and ACCAN), Submission to the Senate Economics Committee, Inquiry into the National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018, 20 April 2018, p. 3.
45. Office of the Australian Information Commissioner (OAIC), Submission to the Senate Economics Committee, Inquiry into the National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018, 24 April 2018, p. 3.

According to one commentator, requiring the banks to release loan data to third parties increases the risk of data breaches.47 For example, in 2017 the US credit bureau Equifax was subjected to a cyber-attack affecting over 143 million Americans.48 The data breach has led to increased risks of identity fraud and targeted scams.

Financial implications

According to the Explanatory Memorandum, the Bill will have nil financial impact.49

Statement of Compatibility with Human Rights

As required under Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011 (Cth), the Government has assessed the Bill’s compatibility with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of that Act. The Government considers that the Bill is compatible.50

Parliamentary Joint Committee on Human Rights

The Parliamentary Joint Committee on Human Rights (Human Rights Committee) commented on the Bill in its report of 8 May 2018.51

The starting point for its consideration was Article 17 of the International Covenant on Civil and Political Rights (ICCPR) which prohibits arbitrary or unlawful interferences with an individual's privacy.52 The right to privacy includes respect for informational privacy, including the right to respect for private and confidential information, particularly the collection, storing, use and sharing of such information. The Human Rights Committee noted that the introduction of a mandatory comprehensive credit reporting scheme engages the right to privacy by requiring large ADIs to supply comprehensive credit information to certain credit reporting bodies.53

The Human Rights Committee acknowledged:

Limitations on the right to privacy will be permissible where they are prescribed by law and are not arbitrary, they pursue a legitimate objective, are rationally connected to (that is, effective to achieve) that objective and are a proportionate means of achieving that objective.54

The Human Rights Committee noted, amongst other things, the safeguards that were in place to protect individuals' credit information in the 2012 Amending Act but was not satisfied that the Privacy Act would ‘constitute an effective safeguard for the purposes of the right to privacy in the context of this particular measure’.55

46. Ibid., pp. 4-5.
47. J Malbon, ‘Forcing the banks to hand over our credit history might help with a home loan but it has risks’, The Conversation, 3 November 2017.
48. C Yeates, ‘How your profile may help get a loan’, The Sydney Morning Herald, 30 December 2017, p. 2; E Bagshaw, ‘Customers of banks face new database “intrusions”’, The Sydney Morning Herald, 7 May 2018, p. 5; A Andriotis and R McMillan, ‘Equifax slammed for huge data attack’, The Australian, 11 September 2017, p. 22.
49. Explanatory Memorandum, National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018, p. 3.
50. The Statement of Compatibility with Human Rights can be found at pages 41-9 of the Explanatory Memorandum to the Bill.
51. Parliamentary Joint Committee on Human Rights, Human rights scrutiny report, 4, 8 May 2018, pp. 12-16.
52. International Covenant on Civil and Political Rights, done in New York on 16 December 1966, [1980] ATS 23 (entered into force for Australia (except Art. 41) on 13 November 1980; Art. 41 came into force for Australia on 28 January 1994).
53. Parliamentary Joint Committee on Human Rights, Human rights scrutiny report, 4, 2018, op. cit., p. 13.
54. Ibid., p. 14.

The Committee has asked the Minister for additional information about the Bill. In particular, it sought information about whether the requirement to provide comprehensive credit information is sufficiently circumscribed, and information as to the adequacy and effectiveness of safeguards.56

At the time of writing, the Minister’s response had not been published by the Human Rights Committee.57

Key issues and provisions

Entities supplying credit information

Item 4 of the Bill inserts proposed Part 3-2CA—Licensees supplying credit information to credit reporting bodies into the Consumer Credit Act. Part 3-2CA applies to:

• an eligible licensee and

• an eligible credit reporting body.

The holder of an AC license is an eligible licensee on 1 July 2018 or a later day provided that the licensee is a large ADI, or is a body corporate of a kind prescribed by the regulations and is a credit provider.58

The definition of large ADI is imported from the Banking Act 1959. Essentially, the Minister may, by legislative instrument, determine the kinds of ADIs that are large ADIs.59 The Government intends that the legislative instrument will provide:

• a small ADI would have less than or equal to $10 billion on a three year average of total resident assets

• a medium ADI would have between $10 billion and $100 billion on a three year average of total resident assets and

• a large ADI would be any ADI with greater than or equal to $100 billion on a three year average of total resident assets.60

Key issue—other credit providers

Some submitters to the Economics Committee expressed concern that the Bill restricts the compulsory credit reporting scheme to the major banks. For instance, Westpac has stated that it holds a firm belief that it should apply to all credit providers.61 Westpac expressed its concern that whilst ‘the Government is open to including other [credit providers] at a later date, there appears to be no mechanism to monitor when other credit providers come on board and the speed at which that occurs’.62

55. Ibid., p. 16.
56. Ibid.
57. Parliamentary Joint Committee on Human Rights, ‘Correspondence register’, Australian Parliament website.
58. Consumer Credit Act, proposed subsection 133CN(1).
59. Importantly, the definition is inserted into subsection 5(1) of the Banking Act by item 10 of Schedule 1 to the Treasury Laws Amendment (Banking Executive Accountability and Related Measures) Act 2018. The relevant provision does not commence until 1 July 2018.
60. Revised Explanatory Memorandum, Treasury Laws Amendment (Banking Executive Accountability and Related Measures) Bill 2017, pp. 22-3.
61. Westpac, Submission to the Senate Economics Committee, Inquiry into the National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018, 23 April 2018, p. 1.

On the other hand, the Customer Owned Banking Association (COBA) which is the industry association for Australia’s customer owned banking institutions such as mutual banks, credit unions and building societies, supported the Government’s decision to confine the measures in the Bill to large ADIs, for the time being, as it ‘avoids imposing unnecessary costs on smaller ADIs while creating a critical mass of CCR data to encourage all credit providers to undertake the investment needed to participate’.63

Entities receiving credit information

There are two instances in which a credit reporting body is an eligible credit reporting body (CRB) for a licensee.

The first is if, on 2 November 2017, there was in force an agreement between the credit reporting body and credit providers that required the credit providers to protect credit reporting information that is disclosed to them from misuse, interference and loss; and from unauthorised access, modification or disclosure—as required by subsection 20Q(2) of the Privacy Act.64

The second instance is where the conditions (if any) prescribed by the regulations are met.65

Application of Part 3-2CA

New Part 3-2CA of the Consumer Credit Act applies in addition to the Privacy Act. That is, nothing in Part IIIA of the Privacy Act, which contains the framework for the collection, disclosure and use of credit-related information, is changed by this Bill.

Section 20Q of the Privacy Act

The Bill references subsection 20Q(2) of the Privacy Act, which relates to the security of credit reporting information. Subsection 20Q(2) requires a credit reporting body to:

(a) enter into agreements with credit providers that require the providers to protect credit reporting information that is disclosed to them under this Division:

(i) from misuse, interference and loss; and

(ii) from unauthorised access, modification or disclosure; and

(b) ensure that regular audits are conducted by an independent person to determine whether those agreements are being complied with; and

(c) identify and deal with suspected breaches of those agreements.

Scrutiny of Bills Committee comments

The Scrutiny of Bills Committee expressed its concern that ‘the Bill appears to leave a number of relatively substantial elements of the mandatory credit reporting scheme—which may have significant privacy implications—to delegated legislation’.66 The Committee singled out the definitions of eligible licensee and eligible credit reporting body, which as discussed above, rely on elements to be prescribed in regulations. The Committee was concerned that this approach could weaken the protections conferred by the Privacy Act, in particular because:

a licensee that becomes an 'eligible licensee' after 1 July 2018 must make its initial bulk supply of mandatory credit information to a credit reporting body that meets conditions prescribed by the regulations—rather than to a reporting body with which the licensee has an agreement under paragraph 20Q(2)(a) of the Privacy Act.67

62. Ibid.
63. Customer Owned Banking Association (COBA), Submission to the Senate Economics Committee, Inquiry into the National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018, 20 April 2018, p. 1.
64. Consumer Credit Act, proposed paragraph 133CN(2)(a).
65. Consumer Credit Act, proposed paragraph 133CN(2)(b).
66. Standing Committee for the Scrutiny of Bills, Scrutiny digest, 5, 2018, op. cit., p. 36.

Information to be supplied

Proposed subsection 133CR(1) of the Consumer Credit Act requires an eligible licensee to supply mandatory credit information to each CRB for the licensee.68 Under proposed section 133CP of the Consumer Credit Act, mandatory credit information for eligible credit accounts69 held by natural persons is personal information for those accounts that is:

• identification information about a natural person—being the individual’s full name; any alias or previous name; the individual’s date of birth; the individual’s sex; the individual’s current or last known address, and two previous addresses (if any); the name of the individual’s current or last known employer; and the individual’s driver’s licence number (if any)70

• consumer credit liability information about a natural person is the name of the consumer credit provider; whether the provider is a licensee; the type of consumer credit; the day on which the consumer credit is entered into; the terms or conditions of the consumer credit that relate to the repayment of the amount of credit and that are prescribed by the regulations; the maximum amount of credit available under the consumer credit; and the day on which the consumer credit is terminated or otherwise ceases to be in force71

• repayment history information—includes the day on which a monthly payment is due and payable; and if the individual makes the monthly payment after the day on which the payment is due and payable—the day on which the individual makes that payment72

• default information—is information in relation to payments that are at least 60 days overdue and where the provider has given a written notice to the individual informing him, or her, of the overdue payment and requesting payment of that amount; the provider is not prevented by a statute of limitations from recovering the amount of the overdue payment; and the amount of the overdue payment is equal to or more than $150; or a higher amount as is prescribed by the regulations73

• payment information—if a credit provider has disclosed default information about an individual to a credit reporting body; and on a day after the default information was disclosed, the amount of the overdue payment to which the information relates is paid; then payment information about the individual is a statement that the amount of the overdue payment has been paid on that day74

• new arrangement information—if a credit provider has disclosed default information about an individual to a credit reporting body and because the individual is so overdue: the terms or conditions of the original consumer credit that relate to the repayment of the amount of credit are varied; or the individual is provided with other consumer credit; then new arrangement information about the individual is a statement that those terms or conditions of the original consumer credit have been varied, or that the individual has been provided with the new consumer credit.75

67. Ibid., p. 37.
68. This is a civil penalty provision with a maximum penalty of 2,000 penalty units for an individual and 10,000 penalty units for a body corporate. Subsection 167(3) of the Consumer Credit Act provides that the maximum pecuniary penalty that can be imposed on a body corporate for contravention of a civil penalty provision is five times the maximum number of penalty units referred to in the civil penalty provision. Section 4AA of the Crimes Act 1914 provides that a penalty unit is equivalent to $210. This means that the maximum amount payable for a contravention of this subsection by an individual is $420,000 and by a body corporate is $2,100,000.
69. Proposed section 133CO of the Consumer Credit Act defines an eligible credit account as one that relates to the provision, or possible provision, of consumer credit; is held by one or more natural persons with a credit provider; and is not of a kind prescribed by the regulations.
70. Privacy Act, section 6.
71. Ibid.
72. Privacy Act, subsection 6V(1).
73. Privacy Act, subsection 6Q(1).
74. Privacy Act, section 6T.

Key issue—interaction with the hardship provisions

Most submitters to the Economics Committee inquiry into the Bill expressed concern about the interaction between the mandatory credit information and the hardship provisions which are contained in Part 4 of the National Credit Code.

Operation of the hardship provisions

Clause 72 of the National Credit Code provides for hardship notice to be given by a debtor who is unable to meet his, or her, obligations under a credit contract and who reasonably expects to be able to discharge those obligations if the terms of the contract were changed. The credit provider may request further information from the debtor within 21 days of receiving the notice. In that case the debtor must provide the requested information. The credit provider must make its decision on the matter within strict time limits and notify the debtor of the decision. The credit provider need not agree to change the credit contract if the credit provider:

• does not believe that there is a reasonable cause (such as illness or unemployment) for the debtor’s inability to meet his, or her, obligations or

• reasonably believes the debtor would not be able to meet his, or her, obligations under the contract even if it were changed.

Where a credit provider enters into an agreement with a debtor to change the credit contract as a result of hardship, clause 73 of the National Credit Code requires a credit provider to give written notice to the debtor setting out the particulars of the changes to the credit contract, within 30 days of reaching that agreement. However, there are exceptions to this general rule. Clause 203A empowers the Australian Securities and Investments Corporation (ASIC) to exempt a person, contract, mortgage, guarantee or consumer lease from all or specified provisions of the National Credit Code. Accordingly, ASIC Class Order CO 14/41 exempts a credit provider from the requirement to provide written notice of an agreement with a debtor if the arrangement is a simple arrangement—being an agreement that defers or reduces the obligations of the debtor for a period of no more than 90 days.

There is a difference of opinion between submitters about the extent of reporting obligations when a debtor is in hardship. That issue lies with the requirement to provide the repayment history information which includes information about the day on which a monthly payment is due and payable and the meaning of that term.

There is a view that unless a credit default has already been listed on a consumer’s credit report, entering into a financial hardship arrangement should not affect a credit report because the consumer has come to a mutually acceptable arrangement to pay their debt.76 To assist debtors, guidelines were published by the Office of the Australian Information Commissioner entitled What does the term ‘due and payable’ mean in the definition of repayment history information?77

75. Privacy Act, section 6S.
76. Financial Rights Legal Centre, Submission to the Senate Economics Committee, op. cit., p. 4.

Submitters to the Economics Committee sought greater clarity in relation to this issue.78

For instance, ANZ has expressed its belief that it cannot report customers in hardship programs as being up to date when providing repayment history information as this would not meet its reporting obligations.79 ANZ’s reasoning is as follows:

• where a customer enters into a temporary arrangement because they are experiencing financial hardship, there may not be a formal variation to the contract—for instance if it is a simple arrangement (see ASIC CO 14/41 above). In that case, the reporting of repayment information must be by reference to whether the customer has met, and/or continues to meet, their originally contracted repayments

• where a customer enters a temporary repayment arrangement which does not vary the existing contract, the original contracted repayments continue to be due and payable

• entry into a temporary arrangement will constitute a waiver by ANZ of its right to continue enforcement action in relation to the missed contractual repayments (such arrangements may also be referred to as forbearances or indulgences) and

• although ANZ is prevented from taking enforcement action for the term of any hardship arrangements, standard repayments are still due and payable under the original contract and ANZ would have an obligation to report any missed repayment(s).80

Westpac expressed a similar view that the framework provided by the Bill does not give credit providers the option to withhold the fact that customers have not met repayments in accordance with their original contract.

The current framework does not allow for a ‘hardship flag’, an indicator that the customer has suffered a short term, unexpected event and is working with their financial institution. Without the ability to report a hardship flag, Westpac will not be able to identify customers who are experiencing short term hardship with another lender.81

What is clear is that the response by a credit provider to a hardship notice is not uniform. Whilst clause 73 of the National Credit Code refers to a change in the credit contract it does not require the credit provider to enter into a new credit contract on more favourable terms to the debtor.

There are sound reasons why this might not occur—principally that the discharge of one contract and establishment of another is likely to incur additional customer costs including stamp duty.

Timing for supply of information

First bulk supply

Under the Bill, an eligible licensee must supply mandatory credit information for at least 50 per cent of all of the eligible credit accounts held with the licensee (or with a member of a banking group of which the licensee is the head company) on the first 1 July on which the licensee is an eligible licensee.82 It will be up to the licensee to choose which eligible accounts make up the 50 per cent.

77. QLS, Submission to the Senate Economics Committee, op. cit., p. 3.
78. Financial Rights Legal Centre, Submission to the Senate Economics Committee, op. cit., pp. 4-5.
79. ANZ, Submission to the Senate Economics Committee, Inquiry into the National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018, April 2018, paras. 12-16.
80. Ibid., paras 12-16.
81. Westpac, Submission to the Senate Economics Committee, Inquiry into the National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018, 23 April 2018, p. 3.

The general rule is that the first bulk supply of mandatory credit information to each eligible CRB for the licensee must occur before the end of the 90-day period starting on the first 1 July on which the licensee is an eligible licensee.83 This means that the first bulk supply of information must be completed by 24 September 2018.

There is an exception to this rule if the licensee reasonably believes that the CRB is not complying with section 20Q of the Privacy Act on 1 July. In that case, proposed section 133CS of the Consumer Credit Act sets out the procedures to be followed by the licensee as follows:

• Step 1: the licensee prepares a written notice setting out the licensee’s reasons for its belief that the body is not complying with section 20Q of the Privacy Act on that 1 July and stating that the body may try to convince the licensee otherwise before the end of the 90-day period starting on that 1 July84

• Step 2: the licensee gives that notice to the credit reporting body, and a copy to the Information Commissioner and ASIC, within seven days after that 1 July85

• Step 3: the licensee prepares a written notice (the final notice) reiterating the reasons for its belief that the body is not complying with section 20Q of the Privacy Act on the last day of that 90-day period86 and

• Step 4: the licensee gives the final notice to the body, and a copy to the Information Commissioner and ASIC, within seven days after the last day of that 90-day period.87

If, following steps 1 and 2, the licensee ceases to hold the belief that the CRB is not complying with section 20Q of the Privacy Act before the end of the 90-day period (called the cessation day)88 the first bulk supply of mandatory credit information in respect of that CRB for the licensee must occur before the end of the 14-day period starting on the cessation day.89

Subsequent bulk supply

Under the Bill, an eligible licensee must supply mandatory credit information for all those eligible credit accounts held with the licensee (or with a member of a banking group of which the licensee is the head company) that were not supplied in the first bulk supply.90

The general rule is that the mandatory credit information is to be supplied before the end of the 90-day period starting on the second 1 July on which the licensee is an eligible licensee.91 The exception to the rule for the first bulk supply also operates for the subsequent bulk supply.92

82. Consumer Credit Act, proposed subsection 133CR(2).
83. Consumer Credit Act, proposed subparagraph 133CR(1)(a)(i).
84. Consumer Credit Act, proposed paragraph 133CS(2)(a).
85. Consumer Credit Act, proposed paragraph 133CS(2)(b).
86. Consumer Credit Act, proposed paragraph 133CS(2)(c).
87. Consumer Credit Act, proposed paragraph 133CS(2)(d).
88. Consumer Credit Act, proposed subsection 133CR(5).
89. Consumer Credit Act, proposed subparagraph 133CR(1)(a)(ii).
90. Consumer Credit Act, proposed subsection 133CR(4).
91. Consumer Credit Act, proposed subparagraph 133CR(3)(a)(i).
92. Consumer Credit Act, proposed subsections 133CR(3) and (5). Subsection 135CR(3) is a civil penalty provision with a maximum penalty of 2,000 penalty units for an individual and 10,000 penalty units for a body corporate. Subsection 167(3) of the Consumer Credit Act provides that the maximum pecuniary penalty that can be imposed on a body corporate for contravention of a civil penalty provision is five times the maximum number of penalty units referred to in the civil penalty provision. The maximum amount payable for a contravention of this subsection by an individual is $420,000 and by a body corporate is $2,100,000.


Reporting to the Minister

The Bill sets out requirements for both licensees and eligible credit reporting bodies to give the Minister audited statements (in the form prescribed by regulation) about the mandatory comprehensive credit reporting regime following each of the initial bulk supply and the subsequent bulk supply. A failure to comply with the reporting requirement gives rise to civil penalties of up to 2,000 penalty units for an individual and 10,000 penalty units for a body corporate.93 In addition, a person who is subject to a requirement to provide an audited statement to the Minister commits an offence if they contravene the requirement. The maximum criminal penalty is 100 penalty units for an individual and 500 penalty units for a body corporate.94

The Australian Banking Association (ABA) questioned the necessity of providing a statement of compliance to the Minister—given that it is ‘a regulatory impost which would duplicate the role of the regulator, ASIC’. The ABA stated its view that ‘only the one process of audited compliance reporting should be made to ASIC. These statements can then be provided by ASIC to the Treasurer’.95 The Explanatory Memorandum to the Bill does not provide a rationale for the requirement.

How the supply is made

Under proposed section 133CQ of the Consumer Credit Act information must be supplied in accordance with the supply requirements which will be satisfied if the supply complies with:

• the registered CR code—currently the Privacy (Credit Reporting) Code 2014 (version 1.2)

• an ASIC determination setting out the information that must be included in the supply

• a technical standard that has been approved by ASIC in writing in relation to the supply of one or more kinds of information.96

Ongoing requirement to supply

Existing provisions of the Privacy Act

Subsections 20N(1) and (2) of the Privacy Act require a credit reporting body to take such steps as are reasonable in the circumstances to ensure that the credit information the body collects and the credit reporting information the body uses or discloses is accurate, up-to-date, complete and relevant. Subsection 20N(3) of the Privacy Act requires a credit reporting body to:

(a) enter into agreements with credit providers that require the providers to ensure that credit information that they disclose to the body is accurate, up-to-date and complete

(b) ensure that regular audits are conducted by an independent person to determine whether those agreements are being complied with and

(c) identify and deal with suspected breaches of those agreements.

Section 21U of the Privacy Act provides that where a credit provider becomes aware that the credit information or credit eligibility information it holds about an individual is inaccurate, out-of-date, incomplete, irrelevant or misleading, the provider must take reasonable steps to correct the information.

93. Consumer Credit Act, proposed subsections 133CZC(1) and (2). Subsection 167(3) of the Consumer Credit Act provides that the maximum pecuniary penalty that can be imposed on a body corporate for contravention of a civil penalty provision is five times the maximum number of penalty units referred to in the civil penalty provision.
94. Consumer Credit Act, proposed section 133CZE. Subsection 4B(3) of the Crimes Act 1914 provides that a body corporate convicted of a Commonwealth offence is liable to a maximum penalty equal to five times the amount that could be imposed on a natural person convicted of the same offence. The Explanatory Memorandum (p. 34) states that the criminal penalty is a ‘continuing offence’. That is, the person is guilty of a separate offence for each day of non-compliance. For example, for each day that an eligible licensee fails to supply the initial bulk supply of information, the penalty amount will apply.
95. ABA, Submission to the Senate Economics Committee, Inquiry into the National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018, 20 April 2018, p. 4.
96. Consumer Credit Act, proposed subsections 133CQ(1)-(4).

The ongoing supply requirement in proposed section 133CU of the Consumer Credit Act complements those provisions. The section applies to a licensee which has supplied a CRB with mandatory credit information. If on a later day (called the trigger day) the licensee (or a member of a banking group of which the licensee is the head company), would reasonably be expected to have become aware that any of the events that are set out in the table in proposed subsection 133CU(1) have happened then the licensee must supply the CRB with the corresponding updated information referred to in the table. Those events are:

• changes to the information supplied to a credit reporting body which are necessary to keep the information accurate, up-to-date and complete97

• a payment has been made where default information has previously been supplied to the credit reporting body98

• new accounts opened after the two initial bulk supplies of information have been supplied to credit reporting bodies.99

The general rule is that the supply of updated information must take place before the end of the 45-day period starting on the trigger day.100 An exception to the rule operates in an equivalent manner to that for the first and subsequent bulk supplies.101

Offences

The Bill creates a number of new offences, including:

• a person commits an offence if the person is subject to a requirement to supply mandatory credit information for the first bulk supply (under proposed subsection 133CR(1)) or the subsequent bulk supply (under proposed subsection 133CR(3)) and the person engages in conduct which contravenes the requirement102

• a person commits an offence if the person is subject to an ongoing requirement to supply mandatory credit information (under proposed subsection 133CU(1)) and the person engages in conduct which contravenes the requirement103 and

• a person commits an offence if the person must give a notice if a CRB later complies with information security requirements (under proposed sections 133CT or 133CW) and the person engages in conduct which contravenes the requirement.104

In each case the maximum penalty is 100 penalty units for an individual (equivalent to $21,000) and 500 penalty units ($105,000) for a body corporate.105

97. Consumer Credit Act, proposed subsection 133CU(1), table item 1.

98. Consumer Credit Act, proposed subsection 133CU(1), table item 2.

99. Consumer Credit Act, proposed subsection 133CU(1), table item 3.

100. Consumer Credit Act, proposed subparagraph 133CU(1)(c)(i). Proposed subsection 133CU(1) is a civil penalty provision with a maximum penalty of 2,000 penalty units for an individual and 10,000 penalty units for a body corporate. Subsection 167(3) of the Consumer Credit Act provides that the maximum pecuniary penalty that can be imposed on a body corporate for contravention of a civil penalty provision is five times the maximum number of penalty units referred to in the civil penalty provision. Under section 4AA of the Crimes Act 1914, a penalty unit is equivalent to $210. This means that the maximum amount payable for a contravention of this subsection by an individual is $420,000 and by a body corporate is $2,100,000.

101. Consumer Credit Act, proposed section 133CV.

102. Consumer Credit Act, proposed section 133CX.

103. Consumer Credit Act, proposed section 133CY.

104. Consumer Credit Act, proposed section 133CZ.


Evidential burden

The Bill inserts the definition of the term evidential burden into subsection 5(1) of the Consumer Credit Act being, in relation to a matter, the burden of adducing or pointing to evidence that suggests a reasonable possibility that the matter exists or does not exist. The defendant bears the evidential burden in respect of many of the offences in the Bill.

The Queensland Law Society (QLS) was critical of this definition on the grounds that it ‘adopts a standard of proof contrary to that developed by the law over time’ and that its drafting will ‘create confusion rather than clarification’. QLS recommended that the definition should be changed to delete the reference to ‘a reasonable possibility’ and insert ‘in the case of a civil proceeding, on the balance of probabilities and, in the case of criminal proceedings, beyond a reasonable doubt’.106

On-disclosing credit information

Proposed section 133CZA of the Consumer Credit Act applies to a credit reporting body in relation to protected information being:

• any information that is supplied to the credit reporting body under Division 2 of new Part 3-2CA and

• any CRB derived information that is derived from information that has been supplied under Division 2 of new Part 3-2CA.107

Regulations may prescribe:

• the conditions in which a credit reporting body must disclose, or must not disclose, protected information to a credit provider

• the kind or amount of protected information which must be, or must not be, disclosed and

• the time within which any disclosure must take place.108

Civil penalties of up to 2,000 penalty units for an individual and 10,000 penalty units for a body corporate apply to any breach of the requirements contained in the regulations relating to protected information.109 In addition, a person commits an offence if the person engages in conduct which contravenes a requirement set out in proposed section 133CZA for the disclosure of protected information.110 In that case, the maximum criminal penalty is 100 penalty units for an individual and 500 penalty units for a body corporate.111

105. Subsection 4B(3) of the Crimes Act 1914 provides that a body corporate convicted of a Commonwealth offence is liable to a maximum penalty equal to five times the amount that could be imposed on a natural person convicted of the same offence. Under section 4AA of the Crimes Act, a penalty unit is equivalent to $210. The Explanatory Memorandum (p. 34) states that the criminal penalty is a ‘continuing offence’. That is, the person is guilty of a separate offence for each day of non-compliance.

106. QLS, Submission to the Senate Economics Committee, op. cit., p. 2.

107. Section 6 of the Privacy Act defines CRB derived information as information about an individual being any personal information (other than sensitive information) about the individual that is derived by a credit reporting body from credit information about the individual that is held by the body; that has any bearing on the individual’s credit worthiness and that is used, has been used or could be used in establishing the individual’s eligibility for consumer credit.

108. Consumer Credit Act, proposed subsections 133CZA(2)-(4).

109. The maximum penalty is equivalent to $420,000 for an individual and $2,100,000 for a body corporate.

110. Consumer Credit Act, proposed section 133CZB.

111. Subsection 4B(3) of the Crimes Act 1914 provides that a body corporate convicted of a Commonwealth offence is liable to a maximum penalty equal to five times the amount that could be imposed on a natural person convicted of the same offence. The maximum penalty is equivalent to $21,000 for an individual and $105,000 for a body corporate. The criminal penalty is a ‘continuing offence’. That is, the person is guilty of a separate offence for each day of non-compliance.


ASIC’s role

ASIC may, by writing, appoint one or more suitably qualified persons or the members of one or more classes of suitably qualified persons as auditors.112

In addition, the Bill empowers ASIC to give a written notice to a Part 3-2CA body to provide a statement containing specified information about its compliance with that Part.113 For the purposes of this obligation a Part 3-2CA body is a person that is or has been an eligible licensee or an eligible credit reporting body for a licensee.114 The written notice may be given at any time.115

ASIC may also require, in writing, the body to obtain an audit report prepared by a suitably qualified person before the statement is given to ASIC.116

A failure to comply with such a notice in the time stipulated in the notice gives rise to both a civil penalty117 and/or a criminal offence.118

Further, the Bill imposes obligations for a Part 3-2CA body to give ASIC certain information which is specified in the regulations;119 and to provide ASIC with assistance if it is reasonably requested.120

Review of the Part 3-2CA

The Bill requires the Minister to instigate an independent review to be conducted of the operation of new Part 3-2CA. The review is to be completed and a written report given to the Minister before 1 January 2022. The Minister is to table copies of the report in each House of the Parliament within 15 sitting days of that House after the report is given to the Minister.121

Other provisions

Item 11 of the Bill amends the Privacy Act by inserting proposed subsection 20Q(3) which requires a credit reporting body which holds credit reporting information to store that information in Australia or an external Territory or using a service:

• listed by the Australian Signals Directorate as a Certified Cloud Service under the program known as the Information Security Registered Assessors Program or

• that meets the conditions specified in the registered Credit Reporting code.

Concluding comments

The most compelling problem highlighted by the submitters to the Economics Committee was that of whether and/or how to comply with reporting obligations whilst at the same time preserving the privacy of those debtors who have entered into hardship arrangements.

112. Consumer Credit Act, proposed subsection 133CZD(1).

113. Consumer Credit Act, proposed subsection 133CZG(1).

114. Consumer Credit Act, proposed section 133CZF.

115. Consumer Credit Act, proposed subsection 133CZG(2).

116. Consumer Credit Act, proposed subsection 133CZG(3).

117. Consumer Credit Act, proposed subsection 133CZG(6). The maximum penalty is 2,000 penalty units for an individual and 10,000 for a body corporate.

118. Consumer Credit Act, proposed subsection 133CZG(7). The maximum penalty is 25 penalty units or six months imprisonment or both.

119. Consumer Credit Act, proposed section 133CZH.

120. Consumer Credit Act, proposed section 133CZI.

121. Consumer Credit Act, proposed section 133CZL.


On 28 March 2018, the Attorney-General, Christian Porter, announced that there would be a review into the hardship arrangements.122 Details are available from the review webpage.123

© Commonwealth of Australia

Creative Commons

With the exception of the Commonwealth Coat of Arms, and to the extent that copyright subsists in a third party, this publication, its logo and front page design are licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Australia licence.

In essence, you are free to copy and communicate this work in its current form for all non-commercial purposes, as long as you attribute the work to the author and abide by the other licence terms. The work cannot be adapted or modified in any way. Content from this publication should be attributed in the following way: Author(s), Title of publication, Series Name and No, Publisher, Date.

To the extent that copyright subsists in third party quotes it remains with the original owner and permission may be required to reuse the material.

Inquiries regarding the licence and any use of the publication are welcome to webmanager@aph.gov.au.

Disclaimer: Bills Digests are prepared to support the work of the Australian Parliament. They are produced under time and resource constraints and aim to be available in time for debate in the Chambers. The views expressed in Bills Digests do not reflect an official position of the Australian Parliamentary Library, nor do they constitute professional legal opinion. Bills Digests reflect the relevant legislation as introduced and do not canvass subsequent amendments or developments. Other sources should be consulted to determine the official status of the Bill.

Any concerns or complaints should be directed to the Parliamentary Librarian. Parliamentary Library staff are available to discuss the contents of publications with Senators and Members and their staff. To access this service, clients may contact the author or the Library’s Central Enquiry Point for referral.

Members, Senators and Parliamentary staff can obtain further information from the Parliamentary Library on (02) 6277 2500.

122. C Porter (Attorney-General), Review of financial hardship arrangements, media release, 28 March 2018.

123. Attorney-General’s Department (AGD), ‘Review of financial hardship arrangements’, AGD website.