The Federal Government has introduced draft legislation to establish a long-awaited mandatory comprehensive credit reporting regime for the major banks from 1 July 2018. Partner Gavin Smith, Senior Associate Emily Cravigan and Lawyer Dougald Coulson report.
How does it affect you?
- If the National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018 (the Bill) is passed, these key changes will follow.
- large authorised deposit taking institutions (ADIs) must supply comprehensive credit information on 50 per cent of their active credit accounts by 28 September 2018 (and on their remaining accounts by 28 September 2019). The data must be provided to all credit reporting bodies (CRBs) with which the ADI had a contract as at 2 November 2017.
- CRBs in receipt of such data must only share it with credit providers that are providing the same level of information (unless both the CRB and the credit provider are signatories to the industry-developed Principles of Reciprocity and Data Exchange).
- This means that:
- large ADIs will need to ensure they are able to supply large tranches of data to each of Equifax, Experian and illion (formerly known as Dun & Bradstreet) by 28 September 2018, to the extent they have not already done so, with a further tranche to be provided 12 months later;
- CRBs may see a shift in the competitive landscape as a result of the obligation for large ADIs to supply the same information to each CRB with which it has a contract; and
- credit providers that are not large ADIs (and are therefore not subject to the mandatory reporting obligations) will need to consider carefully whether they wish to subject themselves to the same comprehensive credit reporting obligations in order to be able to access the data that the large ADIs provide.
The credit reporting system in Australia is governed by Part IIIA of the Privacy Act 1988 (Cth) and the Credit Reporting Privacy Code (the Code). Under the system, credit providers provide certain credit-related personal information to CRBs, which collate the information and disclose it to other credit providers, as permitted by the Privacy Act and the Code.
Part IIIA of the Privacy Act was overhauled in 2014 to permit comprehensive credit reporting – ie to allow for 'positive' or 'comprehensive' credit information (such as data regarding on-time repayments and the amount of credit available to a person) to be exchanged within the credit reporting system. Previously, only 'negative' information (such as default or bankruptcy information) could be included.
Currently, the reporting of comprehensive credit information to CRBs is not mandatory. Although some peer-to-peer lenders have already begun to report comprehensive information1, the big banks are yet to participate (although NAB has recently announced that its comprehensive reporting is scheduled to commence this month).2
In May 2017, the Productivity Commission recommended that comprehensive credit reporting be made mandatory if voluntary participation remained limited. The Government responded in the 2017–2018 Budget by pledging to implement a mandatory comprehensive credit reporting regime unless 40 per cent of data was voluntarily provided by the end of 2017. In November of last year (as it became clear that this target would not be met), the Treasurer announced that legislation would be introduced to require the major banks to start reporting this year.
The Government claims that comprehensive credit reporting will bring Australia into line with the US, UK and New Zealand, and benefit both:
- credit providers (by allowing them to better establish a consumer's creditworthiness and price accordingly – leading, eg, to lower default rates); and
- consumers (by assisting those with good credit to seek more competitive rates)3.
This proposal comes at a time of rapid change for the handling of data in the financial services sector. The Government has also published its Review into Open Banking, which makes 50 recommendations to implement open banking in Australia. (Please see our Focus: Federal Government Review into Open Banking.
Obligations on 'eligible licensees'Initial 'bulk supply' of comprehensive credit information
Under the Bill, 'eligible licensees' will be obligated to participate in mandatory comprehensive credit reporting. Broadly, eligible licensees are large ADIs (ie those with total resident assets greater than $100 billion), and their subsidiaries, that hold an Australian credit licence.
An eligible licensee must supply comprehensive credit information for 50 per cent of its open and active consumer credit accounts by 28 September 2018. Eligible licensees may decide which accounts to include in this initial bulk supply. Eg NAB has announced that it will start with personal loans, credit cards and overdrafts4, while Commonwealth Bank has stated that it will start with home loan accounts.5
The data must be supplied to all CRBs with which the eligible licensee had a contract on 2 November 2017. Section 20Q of the Privacy Act requires CRBs to enter into an agreement with each credit provider it provides credit information to.
The eligible licensee then has until 28 September 2019 to supply to the relevant CRBs comprehensive credit information:
- for the remaining 50 per cent of its consumer credit accounts; and
- for all new consumer credit accounts opened after 1 July 2018.
Similar requirements will apply to ADIs that become eligible licensees after 1 July 2018.
Requiring an eligible licensee to provide the same information to all CRBs with whom it has a contract is intended to ensure that no CRB has a competitive advantage over another on the basis of the amount of data it holds. This is intended to reflect the 'consistency' principle in the Principles of Reciprocity and Data Exchange.
Ongoing supply requirements
Following the initial 'bulk supply' of data, an eligible licensee must keep the information supplied to the relevant CRBs up to date, including by supplying information on new accounts to the relevant CRBs within 20 days of the end of the month in which the accounts were opened.
The Privacy Act and the Code include comprehensive provisions allocating responsibility for the integrity of credit reporting information within the credit reporting system, and procedures for access to and correction of such information.
The Bill relies on these existing provisions, rather than imposing a new set of protections for the handling of comprehensive information shared under the new regime.
However, in relation to the new regime, the Bill places responsibility on eligible licensees to satisfy themselves of the relevant CRBs' security systems. An eligible licensee is required to supply comprehensive credit information to a CRB only if the eligible licensee believes that the CRB is meeting the security obligations imposed by s20Q of the Privacy Act. If the eligible licensee does not hold this belief, it must notify the CRB, the Information Commissioner and ASIC, giving reasons why.
Standards regarding supply of data
An eligible licensee must supply data according to:
- the Code; and
- a determination made by ASIC.
The Government expects that a determination made by ASIC will refer to the Principles of Reciprocity and Data Exchange (PRDE) developed by the Australian Retail Credit Association (ARCA), the key industry body for organisations handling credit data.6 The PRDE is a voluntary, multilateral arrangement, binding upon its signatories, that governs the exchange of data entered into the credit reporting system and aims to facilitate comprehensive credit reporting.
Data must also be supplied according to a 'technical standard' approved by ASIC. The Government expects that ASIC will only prescribe a technical standard if inefficiencies in the mandatory regime become apparent, noting that the industry-developed Australian Credit Data Reporting – Industry Requirements & Technical Standards already bind those ADIs and CRBs that are signatories to the PRDE.7
Obligations on credit reporting bodies
Restrictions on sharing data obtained under the new regime
Under the Bill, CRBs that receive data under the new regime may not share such data with a credit provider unless the credit provider is providing the same level of information (ie comprehensive credit information on its active credit accounts). This restriction applies only where both the credit provider and the CRB are not signatories to the PRDE.
The restriction on CRBs sharing data with credit providers that are not contributing comprehensive credit information reflects the 'principle of reciprocity' in the PRDE. The idea is that:
- the benefits of comprehensive credit reporting cannot be fully realised until there is widespread adoption amongst all credit providers (not just eligible licensees);
- as eligible licensees account for approximately 80 per cent of household lending, the new regime will result in a 'critical mass' of comprehensive credit information in the system; and
- the prospect of accessing this 'critical mass' of data will incentivise other credit providers to participate in comprehensive credit reporting.8
Data storage requirements
The Bill imposes a new requirement on CRBs regarding the storage of data. All CRBs will have to store credit information:
- within Australia; or
- through a 'Certified Cloud Service' as currently listed by the Australian Signals Directorate. Such 'Certified Cloud Services' currently include Amazon Web Services, Microsoft Azure and IBM Bluemix.
New penalty regime and enforcement powers for ASIC
ASIC's new powers
The Bill will expand ASIC's existing powers under the National Consumer Credit Protection Act 2009 (Cth) to assist it to enforce the new regime. Eg ASIC will be able to direct eligible licensees or CRBs to provide compliance statements, and obtain external audits of such statements.
Regular statements to Treasurer
Eligible licensees and CRBs will be required to regularly provide the Treasurer with statements illustrating that the mandatory supply requirements have been met (both the initial 'bulk supply' and the ongoing supply). Such statements will be audited by an independent auditor appointed by ASIC.
Under the regime, ASIC may seek both criminal and criminal penalties against eligible licensees and CRBs.
It may seek civil penalties of up to 2000 penalty units ($420,000 for individuals or $2.1 million for bodies corporate) in a number of circumstances, including where:
- an eligible licensee fails to supply credit information as required under the new regime;
- a CRB does not disclose information (or discloses information when it should not) that it has received under the new regime; and
- an eligible licensee or CRB does not provide compliance statements to the Treasurer (please see above).
Circumstances in which ASIC may seek criminal penalties include where:
- an eligible licensee fails to comply with a direction from ASIC to supply a statement or audit report; or
- an eligible licensee fails to provide ASIC with assistance when requested.
There appears to be widespread support for comprehensive credit reporting among the various stakeholders, including credit providers, credit reporting bodies and industry bodies (eg Fintech Australia9). Many have listed the benefits for both lenders and consumers. Eg MoneyPlace, a peer-to-peer lending platform and self-described 'early adopter' of comprehensive reporting, has claimed that it has already observed an improvement in its reliable customers' credit scores.10
However, a number of consumer groups and other commentators have raised concerns regarding the broader impact of mandatory comprehensive credit reporting on marginalised consumers and society as a whole. Examples are set out below.
- Some have raised concerns that comprehensive credit reporting will exacerbate the problem of inaccuracies in data collected by CRBs. Mistakes on credit files can have a significant negative impact on individuals, and there are fears that more data in the credit reporting system will inevitably mean more errors.11 Further, some have expressed concerns that this will be taken advantage of by operators that promise to 'fix' credit reports.12
- Concerns have been raised that mandatory comprehensive credit reporting could make it harder for those with bad credit to get credit at fair rates.13 Some have claimed that it will result in an increase in 'toxic products' (ie expensive, priced-for-risk products), and vulnerable Australians being charged even more for credit
The Government is seeking views on the draft Bill, with submissions closing 23 February 2018.
If the Bill passes in its current form:
- an independent review of the mandatory regime must be completed by 1 January 2022; and
- the regime may be extended to capture other types of credit providers if it becomes clear that the proposed regime is not having its intended effect of incentivising all credit providers (and not just eligible licensees) to share comprehensive credit information.14
- Eg SocietyOne has announced that it commenced comprehensive reporting in November 2017, and MoneyPlace has indicated that at November 2017, it had already been contributing for six months.
- 'NAB Announces Start to Comprehensive Credit Reporting', 9 October 2017.
- National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018, Exposure Draft Explanatory Materials, paragraphs 1.12 and 1.13.
- 'NAB Announces Start to Comprehensive Credit Reporting', 9 October 2017.
- 'CBA Confirms Support for Comprehensive Credit Reporting', 9 October 2017.
- National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018, Exposure Draft Explanatory Materials, paragraph 1.104.
- Ibid, paragraphs 1.108–1.110.
- Ibid, paragraph 1.37.
- 'Australian Fintech Industry Backs Mandated Positive Credit Reporting', 2 November 2017.
- James Hurwood, 'Australia Now Has Credit Reporting – And You Will Benefit', 2 November 2017.
- Financial Rights Legal Centre, Joint Media Release: Penalised for Poverty – Consumer Groups say Morrison Announcement Will Make the Poor Pay More, 2 November 2017.
- National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018, Exposure Draft Explanatory Materials, paragraph 1.136.