Compliance Essentials

Credit Reporting Privacy Code registered

Category: Consumer Credit, Governance and Compliance, Financial Services, Privacy | by David Jacobson

The Credit Reporting Privacy Code (CR Code), a mandatory code that binds credit providers and credit reporting bodies, was registered on the OAIC’s Codes Register on 22 January 2014 and will take effect from 12 March 2014.

Among other things, the new Part IIIA of the Privacy Act and the Privacy Regulations 2013 restricts the types of credit information that may be disclosed to Credit Reporting Bodies (CRBs), the circumstances in which that information may be disclosed by a CRB to Credit Providers (CPs) and affected information recipients and their handling of that disclosed information.

The CR code supplements the new credit reporting laws by further defining the obligations of CRBs, CPs, and affected information recipients. It replaces the Credit Reporting Code of Conduct issued under Section 18A of the Privacy Act 1988 (which will be repealed on 12 March 2014).

The CR code contains both mandatory provisions and a high level summary of the provisions of Part IIIA of the Privacy Act 1988 that provide the context for the CR code obligations.

A breach of a mandatory provision of the CR code is a breach of the Privacy Act and the Information Commissioner can use his enhanced powers under the privacy reforms, including agreeing enforceable undertakings or seeking civil penalties, in relation to any breaches.

The CR code was developed by the Australian Retail Credit Association (ARCA) in consultation with industry and consumer groups.

While the CR code adds to aspects of the credit reporting obligations, the CR code does not encompass all aspects of Part IIIA: compliance with the CR code alone will not achieve full compliance with Part IIIA.

From 12 March 2014, a credit provider must be a member of an EDR scheme recognised under the Privacy Act to be able to participate in the credit reporting system.

Commercial lenders and businesses who are not already in a consumer credit EDR scheme will be required to join an EDR scheme.

Credit providers, as defined in s 6G of the Privacy Act, includes a bank, an entity where a substantial part of its business is provision of credit, a retailer that issues a credit card in connection with sale of goods or supply of services, a supplier which provides credit in relation to sale of goods or supply of services where repayment of credit is deferred for at least 7 days and a lessor who provides credit in connection with hiring, leasing or renting of goods and credit is in force for at least 7 days.

Only credit providers who are licensees under Chapter 3 of the National Consumer Credit Protection Act or prescribed by the Regulations and mortgage insurers will be able to access repayment history information. But all credit providers will be able to access an expanded range of consumer credit information.

Print Friendly, PDF & Email
LinkedIn
 

Your Compliance Support Plan

We understand you need a cost-effective way to keep up to date with regulatory changes. Talk to us about our fixed price plans.

Support Plans