New financial year brings changes to credit reporting privacy laws

05 July 2021

Changes to Australia’s credit reporting laws commencing 1 July 2021 aim to ensure that credit reporting bodies have a more complete and comprehensive picture of consumers’ creditworthiness, by mandating that certain credit providers supply information about ‘positive’ credit matters, such as how well a person is meeting their repayment obligations.

On 3 February 2021, the Federal Parliament passed the National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Bill 2019. This Bill had two tranches of changes relating to credit reporting. A tranche introducing a new category of ‘financial hardship information’ into the credit reporting system is not due to commence until next year.

Changes commencing now mandate the previously voluntary provision of positive credit information by large banks.

Overview of existing credit reporting privacy framework

The credit reporting system is regulated through the Privacy Act 1988 (Cth) (Act), regulations and the Privacy (Credit Reporting) Code 2014 (CR code). The purpose of this privacy framework is to balance an individual’s interests in protecting their personal information with the need to ensure information is available to assist credit providers in determining eligibility for credit.

Part IIIA of the Act regulates the handling of personal information about individuals’ activities in relation to consumer credit. This regime is specifically for the credit reporting system, and is much stricter than the general provisions of the Act found in the Australian Privacy Principles. Part IIIA sets out:

  • The types of information permitted to be collected and disclosed by credit reporting bodies;
  • The entities that can handle the information; and
  • The limited purposes for which the information may be handled.

The Act also contains provisions designed to provide greater protection to individuals, such as by requiring credit providers to give notice before reporting defaults and having safeguards in place in the event of suspected fraud or identity theft.

Under the Act, credit providers are also to maintain a clearly expressed and up-to-date credit reporting policy outlining matters including how an individual can seek to correct his/her credit information held by the provider, how the individual may make a complaint and how the provider will handle such a complaint and whether credit information will be disclosed to overseas entities.

The CR Code supplements the Act and regulations and is a mandatory code that imposes additional requirements on credit providers and credit reporting bodies. A breach of the CR Code is a breach of the Act and may be the subject of investigation by the Office of the Australian Information Commissioner. Serious or repeated breaches may result in civil penalties.

Mandatory comprehensive credit reporting

Until 2014, the Australian credit reporting regime dealt exclusively with ‘negative’ credit information, such as overdue payments, defaults and bankruptcy.

After amendments to the Act commencing in March 2014, credit reporting bodies were also permitted to collect ‘positive’ credit information (such as information about the maximum amount of credit available to a person and how well the person is meeting their repayment obligations), forming a more ‘comprehensive’ picture of an individual’s credit history, and allowing better decisions to be made about creditworthiness.

However, participation in this more comprehensive scheme was relatively low – the Productivity Commission noted in 2017 that ‘Participation in comprehensive credit reporting has been low to date and the associated benefits are far from fully realised‘. One perceived issue said to leave credit providers disinclined to report information was the potential for a credit provider to benefit from the more comprehensive information on offer without necessarily wanting to make the effort of reporting positive information themselves. In 2015 the Australian Retail Credit Association sought to address this issue with a set of Principles of Reciprocity and Data Exchange, but take up remained slow.

The Productivity Commission’s Data Availability and Use Report of May 2017 accordingly recommended that:

The Australian Government should adopt a minimum target for voluntary participation in Comprehensive Credit Reporting of 40% of all active credit accounts, provided by Australian Securities and Investments Commission (ASIC)-licensed credit providers…

If this target is not achieved by 30 June 2017, the Government should circulate draft legislation… to impose mandatory participation in Comprehensive Credit Reporting (including the reporting of repayment history)…

The legislation commencing now largely reflects these recommendations.

In the 2017-18 Budget, the Government committed to mandating a comprehensive credit reporting regime if credit providers did not meet a threshold of 40 per cent of data reporting by the end of 2017.

On 2 November 2017, the then Treasurer, the Hon Scott Morrison MP, announced that the Government would introduce legislation for a mandatory regime as it was clear the 40 per cent target would not be met.

The regime requires large authorised deposit-taking institutions (ADIs) holding assets over $100 billion (and any other credit providers later added via regulations) to hand over more comprehensive consumer credit information to credit reporting bodies.

These major banks are now required to have supplied positive credit information for at least 50% of the consumer credit accounts within their groups to all credit reporting bodies they had a contract with on 2 November 2017. The balance needs to be provided over the next year, and then ongoing supply requirements will apply to ensure the mandatory credit information remains up-to-date.

Other changes credit reporting regime

‘Financial hardship information’ as credit information

From 1 July 2022, a new category of credit information, ‘financial hardship information’, will form part of the credit reporting system. It is intended that this will facilitate better lending decisions by providing credit providers a more accurate representation of a consumer’s repayment obligations and whether the consumer are meeting those obligations.

Importantly, the Act will prohibit credit reporting bodies from disclosing financial hardship information in certain situations. This includes prohibiting disclosure to credit providers for collecting overdue payments or assessing the individual’s suitability as a guarantor in relation to an application for credit made by another person. Credit reporting bodies are also prohibited from disclosing financial hardship information to mortgage insurers for the purposes of assessing the risk of an individual defaulting on mortgage credit for which the mortgage insurer has provided insurance to a credit provider.

Better consumer access to credit information

The Act will allow consumers to request and obtain access to their credit information held by credit reporting bodies free of charge every 3 months (as opposed to every 12 months previously).

The information that can be requested includes the credit rating of the consumer, information used by the body to derive the rating, information that explains how the individual’s credit information was weighed in deriving the rating and information on what other ratings on the scale or range used by the body are and how the individual’s credit rating relates to those other ratings.

This article was written by Luke Dale, Partner, Daniel Kiley, Special Counsel and Stephanie Leong, Solicitor.

Subscribe to HWL Ebsworth Publications and Events

HWL Ebsworth regularly publishes articles and newsletters to keep our clients up to date on the latest legal developments and what this means for your business.

To receive these updates via email, please complete the subscription form and indicate which areas of law you would like to receive information on.

Contact us