Mandatory CCR is here – what's actually different?

CCR buttresses voluntary scheme with new obligations 6 min read

The mandatory comprehensive credit reporting scheme is finally in operation. We explain what's changed, who it affects, and the key considerations, risks and obligations — including steps you need to take soon.

Key takeaways

• The mandatory comprehensive credit reporting scheme (CCR) has finally come into effect, establishing a statutory framework to buttress the voluntary comprehensive credit reporting regime that has already been largely embraced by the banking sector on a voluntary basis.
• The mandatory CCR regime is unlikely to have a significant impact on the industry, given the existing degree of voluntary adoption. However, from the end of September this year, large banks must supply credit information on 50% of their consumer credit accounts, and must also report on all consumer credit accounts by September 2022.
• The mandatory CCR regime also now includes additional consumer protections.

CCR explained: a recap

• CCR was first introduced by Bill into Parliament in 2017 (see our previous Insight) and an amended version finally passed both Houses in February 2021.
• The final version largely reflects the Bill introduced in 2017, with two key additions to address criticisms from consumer groups:
  • new protections to prevent credit reporting bodies (CRBs) from disclosing financial hardship information about an individual in certain situations; and
  • a new right for consumers to access their credit file (including their credit score) every three months.

The credit reporting landscape is already well established

• Under the Australian credit reporting system governed by Part IIIA of the Privacy Act 1988 (Cth) and the Credit Reporting Privacy Code (the Code), credit providers can voluntarily provide comprehensive credit information to CRBs.
  • Comprehensive means both 'positive' credit information (such as data regarding on-time repayments and the amount of credit available to a person) and 'negative' information (such as default or bankruptcy information).
• After an initially drawn out process, there has recently been a high degree of voluntary participation in CCR. The majority of consumer lenders are already sharing comprehensive credit information with Australia’s three nationally operating CRBs through the Australian Retail Credit Association's business-to-business rules and data standards, the Principles of Reciprocity and Data Exchange and supporting Australian Credit Data Reporting – Industry Requirements & Technical Standards (PRDE).

Mandatory CCR: key players

• Eligible licensees must report mandatory credit information to CRBs under the regime. Broadly, eligible licensees are authorised deposit-taking institutions (ADIs) with total resident assets greater than $100 billion, and their subsidiaries, that hold an Australian credit licence, or others as prescribed by the regulations.¹
• CRBs receiving data will be subject to restrictions and requirements under the new regime.
• ASIC will monitor and ensure compliance of eligible licensees and CRBs under the mandatory regime, with its enforcement, information gathering, audit and investigative powers under the National Consumer Credit Protection Act 2009 (Cth).

Mandatory CCR: key obligations

Mandatory credit information to be supplied to CRBs

• Mandatory credit information as prescribed by the Privacy Act includes identification information; consumer credit liability information; repayment history information; default information; payment information; new arrangement information, and from 1 July 2022, hardship information.
• The supply of credit information will be mandated in two stages.

Stage one: initial bulk supply

By 28 September 2021, large ADIs must supply credit information on 50 per cent of consumer credit accounts to all CRBs the ADI had a contract with on 2 November 2017.

How the ADI chooses to make up 50% of accounts is a decision for the ADI – the information may relate to a particular type of credit while systems are put in place to supply information on more complex accounts in the second tranche.

The Federal Treasurer will receive statements from large ADIs and CRBs to show that the initial bulk supply requirements have been met.

Stage two: remaining bulk supply

By 28 September 2022, large ADIs must supply credit information on the remaining accounts to the same CRBs as the first bulk supply.

Ongoing obligations

A credit provider that has supplied credit information under the mandatory regime must keep the information up to date, complete and accurate, including by supplying information on eligible accounts that are subsequently opened.

Mandatory CCR: key risks and considerations

Eligible licensees must comply or face potential civil and criminal penalties

ASIC may seek a civil penalty against an eligible licensee for any breach of the mandatory regime. A body corporate could face a maximum civil penalty of the greater of:

• 10 times the pecuniary penalty; or,

If the court can determine the benefit gained or detriment derived from the breach:

• three times that amount; and
• the lessor of 10% of the annual turnover of the body-corporate or 2.5 million penalty units(currently $555 million).
• The body corporate could also face criminal sanctions based on a continuing offence of 500 penalty units (currently $111,000) per day.

Non-eligible licensees may also comply to receive the benefit of reciprocity – a credit provider must contribute information to receive information

• Credit providers that are not large ADIs (and are therefore not technically subject to the mandatory reporting obligations) may subject themselves to the same CCR obligations in order to be able to access the data that the large ADIs provide.
• The Government expects that the critical mass of information supplied by eligible licensees will encourage other credit providers to voluntarily supply comprehensive credit information.

Other privacy obligations regarding data security, use and disclosure will still have to be adhered to

• Restrictions on the use and disclosure of credit information under these regimes, such as notification requirements before default listing, remain under the mandatory CCR.
• The Bill relies on the existing protections established by the Privacy Act and the Credit Reporting Privacy Code, and the oversight of the Australian Information Commissioner, to ensure that the security and privacy of consumers' credit information will be preserved and protected.
• A licensee’s ability to have its own contractual security requirements for the information it discloses to CRBs is not affected. The regime also enables an eligible licensee to withhold the supply of mandatory credit information to a CRB if the CRB is not meeting its information security obligations under the Privacy Act.

Next steps

• Take note of commencement dates: Remember, eligible licensees must provide their first batch of reporting by 28 September 2021, to the extent they have not already done so under the voluntary PRDE scheme.
• Keep an eye on the regulations and industry standards: ASIC may prescribe a new approach in the regulations, or refer to a published document such as an industry developed standard. This would allow industry to readily respond to changes, such as technological developments, without the need for the Government to remake the regulations. This could include alternative IT solutions: eg an approach under which a CRB could request information from a licensee and receive that information in real time.²
• If you are not an eligible licensee, consider whether you wish to voluntarily participate in the regime (if you aren't already): Credit providers that are not bound by the regime may wish to subject themselves to the same CCR obligations in order to be able to access the data that the large ADIs provide.