The Government has released an exposure draft National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018 for consultation.
The Bill amends the National Credit Act to establish a mandatory comprehensive credit reporting regime which will apply from 1 July 2018.
Who will it affect?
The mandatory regime applies to ‘eligible licensees’ which initially will be large ADIs and their subsidiaries that hold an Australian credit licence. An ADI is considered large where its total resident assets on a 3 year average are greater than $100 billion.
Other credit providers will be subject to the regime if they are prescribed in regulations.
What are the obligations of eligible licensees?
Eligible licensees are required to supply credit information on 50 per cent of their active and open credit accounts by 28 September 2018.
The information on the remaining open and active credit accounts, including those that open after 1 July 2018, will need to be supplied by 28 September 2019.
Large ADIs and their affected subsidiaries must, on a monthly basis, keep the information supplied accurate and up-to-date, including by supplying information on accounts that have subsequently opened.
Credit providers that are not subject to the mandatory regime will be able to access credit information supplied under the regime by voluntarily supplying comprehensive credit information to a credit reporting body or becoming a signatory to the Principles of Reciprocity and Data Exchange (PRDE).
The bulk supply of information must be given to all credit reporting bodies the eligible licensee had a contract with on 2 November 2017 which covers the handling of data to ensure it remains confidential and secure.
Obligations of credit reporting bodies
Section 20Q of the Privacy Act requires a credit reporting body to take reasonable steps to protect the information it receives, including from misuse, interference and unauthorised access.
Credit reporting bodies must only share credit information collected through the mandatory regime with credit providers who are providing the same level of credit information.
If, on 1 July the eligible licensee must supply data to an eligible credit reporting body but the licensee does not reasonably believe that the body meets its section 20Q obligations, the licensee is not required to supply mandatory credit information to that body.
However, if the eligible licensee holds this belief, the eligible licensee must notify the eligible credit reporting body, the Information Commissioner and ASIC. The notification must explain why the licensee believes the credit reporting body is not meeting its obligations. The notice must be given within 7 days of the 1 July from when the supply of information needs to be made.
ASIC will be responsible for monitoring compliance with the mandatory regime. It has new powers to collect information and require audits to confirm the supply requirements are being met. ASIC will also have the ability to expand the content to be supplied under the mandatory regime and prescribe the technical standards for the format of the information.
Before 2014, the Privacy Act limited the information that could be collected, used and disclosed by credit providers and credit reporting bodies to ‘negative information’ about an individual. Negative information includes identification information, such as a person’s name and address, and default history and bankruptcy information about that person.
The Privacy Amendment (Enhancing Privacy Protection) Act 2012 amended the Privacy Act to enable credit providers and credit reporting bodies to collect, use and disclose comprehensive credit information also known as ‘positive credit information’. Comprehensive credit information includes repayment history information, the maximum amount of credit available to a person and the number of credit accounts a person holds.
However, the Privacy Act does not mandate the disclosure of comprehensive credit information by credit providers to credit reporting bodies.
New civil penalties and offence provisions will be included in the Credit Act where a licensee or a credit reporting body does not meet the obligations imposed by the mandatory regime.
ASIC may seek a civil penalty where an eligible licensee fails to supply credit information as required under the mandatory regime.
Similarly, ASIC may seek a civil penalty where a credit reporting body does not disclose information (or discloses information when it should not) that it has received under the mandatory regime.
A civil penalty must be imposed by a court. The maximum penalty that can be applied is 2,000 penalty units if the person is a natural person (currently $420,000) and 10,000 penalty units if the person is a body corporate (currently $2.1 million).