Galexia

Submission - Credit Reporting Regulatory Framework: Submission to ALRC Privacy Inquiry (December 2007)

Submission - Credit Reporting Regulatory Framework: Submission to ALRC Privacy Inquiry (December 2007)

Contact: Galexia
Suite 95 Jones Bay Wharf, 26-32 Pirrama Road,
Pyrmont (Sydney) NSW 2009, Australia
ACN:097 993 498
Ph: +61 2 9660 1111
Fax: +61 2 9660 7611
WWW: www.galexia.com
Email: veda@galexia.com

 

1. Executive Summary

1.1. Objective and context

The objective of this Report is to research and develop options for a framework for stronger, more effective and more efficient consumer protection in credit reporting in Australia. This task has been initiated in response to the Australian Law Reform Commission (ALRC) review of privacy legislation.

The Report has been commissioned by Veda Advantage Limited – a large credit reporting and business intelligence organisation. Consumer protection in the regulation of credit reporting is a very complex territory and Veda Advantage wanted to assist the ALRC and stakeholders with a cogent expert’s report to guide understanding of the major issues.

The Terms of Reference for the Report were developed in conjunction with industry and consumer stakeholders, and they specifically require the consultants (Galexia) to develop and submit an independent expert report. Galexia has a long history advising government, industry and NGO stakeholders on the regulation of privacy and credit in Australia and the region.

It is important to note that the views expressed in this Report are the independent views of Galexia. The findings and recommendations contained in this Report do not represent the views of Veda Advantage or any industry or consumer stakeholders.

The Terms of reference state that the objective is to develop a credit framework that:

  • Is consistent with the broad approach outlined by the Australian Law Reform Commission (ALRC) in Discussion Paper 72 (DP72);[1]
  • Identifies the range of potential consumer harms that might arise in a credit reporting environment;
  • Considers the range of relevant regulatory instruments, entities and processes, that might be used to provide consumer protection in a credit reporting environment; and
  • Provides principles to guide the allocation of roles, rights and responsibilities for consumer protection measures that respond to potential consumer harm.

1.2. Scope

The work undertaken to develop this Report was not a consensus building exercise – the objective of the Report is to describe the views of stakeholders fairly, but to provide an independent report. The scope of this Report is limited to:

  • A broad review of key submissions to the ALRC;
  • A broad review of the ALRC proposals in DP72;
  • A broad representation of the views of regulators and External Dispute Resolution (EDR) providers; and
  • A broad representation of the views of industry and consumer representatives.

1.3. Findings

This Report finds that the development of an effective regulatory framework for credit reporting requires three broad elements:

  • General principles;
  • Detailed regulations; and
  • Industry operating rules.

However, the exact application and location of these three elements needs to take into consideration the overlap between privacy and consumer protection issues.

Using this structure, this Report makes the following findings:

Privacy Findings

Consumer Protection Findings

General principles

These would normally be the UPPs in the Privacy Act 1988, but in the case of credit reporting the Act may serve only as a place-holder for the proposed Privacy (Credit Reporting Information) Regulations which will contain the general principles for credit reporting.

The principles used in this Report for determining when an element should be included in the Privacy Act 1988 are:

  • The issue must, in substance, be a privacy issue rather than a consumer protection issue;
  • The issue requires certainty, rather than flexibility;
  • The issue relates to fundamental privacy rights, rather than minor consumer concerns or basic operational matters.

General principles

The Report finds that one of the criticisms of credit regulation in Australia is that there are no general fairness principles for credit providers, in contrast to the general principles that apply to other financial services providers.

No general principles are in place regarding responsible lending or responsible credit marketing (in stark contrast to other jurisdictions such as the UK and USA).

Detailed regulations

The Report finds that the proposed Privacy (Credit Reporting Information) Regulations are likely to form the core of privacy protection in the credit reporting environment. This Report adopts the following tests for the content of the proposed Regulations:

  • The issue must, in substance, be a privacy issue rather than a consumer protection issue;
  • The issue requires a degree of flexibility – Regulations can be amended more quickly than the Privacy Act 1988 itself;
  • The issue relates to fundamental privacy rights, rather minor consumer concerns or basic operational matters.

Detailed regulations

The Report finds that some detailed regulations are currently provided in State and Territory legislation, including the UCCC and the draft Finance Broking Bill.

However, they do not adequately cover responsible lending or responsible credit marketing across the entire credit market.

Industry operating rules and best practice

This Report finds that there is support for an industry Code to act as an additional layer of regulation. This Report adopts the following tests for the content of a potential industry Code:

  • The issue might be a privacy issue or a consumer protection issue (or both);
  • The issue requires significant flexibility – the industry Code may potentially be quick to amend;
  • The issue does not relate to fundamental privacy rights;
  • The issue relates to minor consumer concerns or basic operational matters; or
  • The issue regards industry branding or cooperation.

Industry operating rules and best practice

The Report finds that some general best practice guidance may be available through industry Codes and also sometimes through regulator guidelines (e.g. ASIC / ACCC Debt Collection Guidelines).

However, at this stage there is no best practice guidance available for responsible lending or responsible credit marketing.

 

1.4. Recommendations

The proposed regulatory framework for credit reporting developed in this Report is summarised in the following table:

Privacy Recommendations

Consumer Protection Recommendations

General principles

The Privacy Act 1988 should contain a brief section on credit reporting that includes four key elements:

  • A definition of credit reporting and credit reporting information.
  • A requirement that credit reporting and credit reporting information are to be regulated by the proposed Privacy (Credit Reporting Information) Regulations.
  • A broad principle limiting the extent of access to credit reporting information to credit providers and organisations that require access to credit reporting information for the management of credit (e.g. debt collectors).
  • A broad principle that complaints can be made to the Office of the Privacy Commissioner in relation to credit reporting in accordance with both the Act and Regulations.

General principles

A set of high-level general principles that covers all credit providers should be included in Australian law, including:

  • A requirement to act honestly and fairly.
  • A requirement to undertake training and maintain the competence of staff and representatives.
  • A requirement to join an approved EDR scheme.
  • A requirement to assess a consumers’ ability to repay a loan without suffering undue hardship.
  • These principles should be included in amended credit legislation (e.g. the UCCC) or in an amended Corporations Act 2001 that includes credit in its jurisdiction.

Detailed regulations

The proposed Privacy (Credit Reporting Information) Regulations should include both principles and detailed regulations on at least the following key privacy rights:

  • Notice
    This is a key privacy right once consent is removed as a privacy protection, and requirements for timely and effective notice need to be in the regulations in order to balance the removal of consent.
  • Accuracy
    Data accuracy is a key privacy right in credit reporting as the consequences for consumers of inadequate data are so severe.
  • Access
    Access is a key privacy right in credit reporting as the consumer is in the best position to assess the accuracy of data that is being used and must be able to review and correct this data.
  • Complaints
    Complaints play a significant role in credit reporting and consumers must be guaranteed access to simple, fast and affordable dispute resolution processes.

Detailed regulations

Detailed regulation of responsible lending and responsible credit marketing should include the following:

  • Regulation on what factors should be included in a proper assessment of a consumer’s capacity to repay a loan (e.g. verification of income, assessment of credit reporting information etc.).
  • Tests or definitions of terms, including ‘capacity’ and ‘hardship’.
  • Regulation of what content should be prohibited in responsible credit marketing (e.g. use of the term ‘pre-approved’).
  • Limits on credit marketing (e.g. regulation, if appropriate, of unsolicited credit marketing).
  • This detailed regulation should be included in amended credit legislation (e.g. the UCCC) or in an amended Corporations Act 2001 that includes credit in its jurisdiction.

Industry operating rules and best practice

Some outstanding issues may be covered in an industry Code. These might include:

  • Reciprocity.
  • Data consistency.
  • However, this Report notes that in light of the cost and complexity of developing an industry Code, some further consideration should be given to including reciprocity and data consistency in the Regulations.

Industry operating rules and best practice

This Report suggests that an industry Code (covering all credit providers) or a regulator’s guideline are the best location for detailed industry operating rules and best practice guidance in relation to responsible lending and responsible credit marketing. The content could include:

  • Guidance on what inquiries constitute a proper assessment of a consumer’s capacity to repay a loan.
  • Guidance on what content should appear in responsible credit marketing (e.g. warnings about credit risk).

 

2. Potential consumer harm in the credit reporting environment

2.1. Definition of potential harm

This Report adopts a broad definition of ‘harm’, including harm to both individual consumers and the wider community.

This Report broadly distinguishes between privacy harms and general consumer harms, even though it is recognised that consumer protection includes privacy protection. The split is useful when describing key issues and regulatory options.

This Report also describes consumer concerns about industry practice, using the terms responsible lending and responsible credit marketing. We believe the term responsible lending has, in practice, been restricted to the actual decision to provide credit. Many consumer concerns arise from an earlier stage – the marketing of credit products – and this Report attempts to address both areas of concern.

This Chapter discusses a broad range of potential consumer and privacy issues that might arise in a credit reporting environment. 

2.2. General privacy issues – notice and consent

This section discusses generic privacy concerns that apply to all personal information, usually resulting in basic privacy protections such as requirements for notice and consent regarding the use and disclosure of personal information.

Consumer harm may arise where personal information is used or disclosed without adequate notice and/or consent or where personal information is used in applications that are outside the expectation of the consumer. The nature of the harm itself may vary – sometimes the harm will be a breach of a fundamental human right to privacy, whether or not it leads to any other consequences (such as embarrassment, financial loss, increased risk of harm etc.).

In DP72, the ALRC proposes a streamlined set of Unified Privacy Principles (UPPs) to replace the existing Information Privacy Principles (IPPs) and National Privacy Principles (NPPs) in the Privacy Act 1988.[2] The proposed UPPs are a significant improvement and simplification of existing law, and businesses should find it easier to comply with the UPPs. The UPPs provide generic notice and consent requirements.

In the credit reporting environment there is strong support for applying notice and consent requirements to credit reporting information. However, there are practical impediments to applying the specific consent provisions contained in the proposed UPPs to credit reporting information. Consent is difficult to obtain in the credit reporting environment – as information is collected from third parties, rather than directly from the consumer.

Removing or restricting the role of consent as a privacy protection can be justified by reference to the public benefit delivered by an effective credit reporting regime. This position is now broadly accepted and there is wide support for the ALRC’s proposal to reduce reliance on consent and to instead regulate credit reporting through specific Privacy (Credit Reporting Information) Regulations.

There is debate over whether the generic notice requirements in the UPPs are adequate for the credit reporting environment. Also, the current PART IIIA provisions only require credit providers to give notice (not other parties) and only at very limited times (time of application and time of refusal).

The notice requirements may need to be strengthened to re-balance privacy protection following the loss of consent requirements. This could be achieved by adding specific notice requirements to the proposed Privacy (Credit Reporting Information) Regulations. For example, the Office of the Privacy Commissioner (OPC) Submission to the ALRC Issues Paper 32 (IP32)[3] stated:

There is value in requiring credit providers to give individuals notice when certain events occur, such as default listing or a debt assignment, which could result in an adverse listing being placed on their credit information file.[4]

The Banking and Financial Services Ombudsman (BFSO) Submission argues for a more explicit regulatory requirement (in either the Act or the recommended credit reporting industry Code[5]) requiring a credit provider to notify a consumer as part of the debt collection process:

Ideally, the credit reporting agency would notify the individual each time a default or serious credit infringement listing is made or altered, including when any publicly available information such as a court order or bankruptcy is added to the credit information file.[6]

The Nigel Waters Submission argues that the law could be clearer about the timing of notice:

[T]here should be a requirement to notify at or prior to any significant event including the initial collection, listing a default, assigning a debt, or commencing debt collection, in addition to the existing requirement to notify refusal of credit on the basis of an adverse credit report.[7]

There are similar suggestions in other non-industry submissions to the ALRC.

Overall, this Report concludes that if consent is removed as a protection, the other general privacy requirements need to be strengthened in order to re-balance generic privacy protections. Notice is the key remaining protection, and notice can be strengthened by making it clearer and more timely. Such an approach is canvassed by the ALRC in their Proposal 52-10 in DP72 – although few details are provided.

In particular, notice should be provided at a time when the consumer has a chance to take action regarding any inaccuracies in the data. The key stages are set out in the table below:

Event

Current Regulation

Future Regulation

Application for credit

Section 18E(8)(c), Part IIIA, Privacy Act 1988

Privacy (Credit Reporting Information) Regulations

Refusal of credit following use of credit reporting information

Section 18M, Part IIIA, Privacy Act 1988

Privacy (Credit Reporting Information) Regulations

Listing of a default

Notice at the time of listing a default is not subject to specific regulation, although it appears to be common practice with mainstream lenders.

Privacy (Credit Reporting Information) Regulations

Assignment of a debt

Privacy (Credit Reporting Information) Regulations

Commencement of debt collection activities

Privacy (Credit Reporting Information) Regulations

Notice requirements

 

2.3. Quality and accuracy of data

Concerns about the quality and accuracy of data include name mismatches, re-listed data, multiple listings, and disputed data. Quality concerns might also include the age of the data, as there are questions over whether old data is indicative of current risk to lenders.

It is the view of this Report that accuracy of data in the credit reporting environment is one of the most important consumer issues when analysing potential consumer harm. The consequences of inaccurate credit reporting information are significant.

Accuracy concerns have also been an obstacle to the industry’s efforts to have privacy law reformed in order to allow more comprehensive reporting.

Credit reporting agencies have made some limited internal assessment of the accuracy of credit reporting information by assessing a selection of sample files. This testing indicated that around 1% of sample credit reporting information files contained significant errors. Around 4% of sample files contained minor errors that are unlikely to have negative consequences for consumers. Around 95% of files were error free.[8]

Industry representatives note that this level of accuracy is acceptable when the volume of data and transactions is taken into account:

Despite the anecdotal evidence to the contrary, independent research demonstrates that the data quality is very high given the highly transactional nature of the data base with over 80,000 real time transactions a day.[9]

Consumer and privacy advocates have expressed significant concern over the accuracy of credit reporting information and its potential consequences. Although no comprehensive information on data accuracy has been made available, consumer and privacy representatives have identified accuracy problems through individual complaints,[10] systemic complaints,[11] previous OPC audits,[12] and small consumer surveys.[13]

Fortunately, a wide range of solutions to data accuracy issues in credit reporting is available. Many of these are discussed in detail in DP72. The following summary is not exhaustive:

  • Greater consumer involvement
    It is anticipated that any increase in consumer involvement in monitoring credit reporting information will lead to an improvement in data quality as consumers recognise mistakes in their own files. This was the experience in the small CHOICE survey where consumers quickly recognised basic errors once they obtained copies of their own credit reports. Improving consumer involvement in credit reporting is discussed in greater detail in this Report at Section 2.4 (page 12).
  • More timely notice of listings
    Consumers are in the best position to recognise the accuracy of data being added to their credit report. However, they are currently not always consulted at the key times when information is being added to their file – such as the listing of a default. It is essential to have listings sent to consumers to check while the information is fresh. It is difficult for consumers to recognise and correct inaccurate information many years later. Improvements to the notice requirements for credit reporting information are discussed in more detail in this Report at Section 2.2 (page 7).
  • Correction of data
    It is important for disputes and ‘notes on file’ to have a real impact on the accuracy of credit reporting information. In practice it appears that disputed information and notes on file do not receive due consideration in the credit scoring process and they may not be seen by potential credit providers. An effective mechanism for correcting inaccurate data and noting disputed data must be delivered.
  • Removal of old data
    Despite the intention of the existing Part IIIA rules to exclude statute-barred debt and old defaults (more than five years old) from appearing in credit reporting information, there have been some circumstances where this information has remained on the credit report with negative consequences for consumers. This issue is discussed in detail in DP72 and is likely to be the subject of tighter rules on the listing and re-listing of defaults.
  • Removal of duplicate data and multiple listings
    There are significant concerns that credit reports currently contain multiple listings and duplicate data relating to the same defaults.[14] Some submissions to the ALRC have suggested that a mechanism should be included for updating a listing rather than having multiple listings appearing on an individual’s report.
  • Audits
    Regular audits of the accuracy of data could play a significant role in improving the accuracy of credit reporting information. Industry-initiated self audits by credit reporting agencies could be just as effective as OPC audits, as there is a genuine industry interest in maintaining data accuracy. A typical audit could include a step where a selection of files was sent to consumers, as they will be in the best position to check the accuracy of the data.[15]
  • Systemic issues
    It is important to remedy systemic accuracy issues. It is not clear that this has always been done effectively in the past, although there are some examples of large-scale data cleansing following complaints against particular credit providers. Managing systemic issues is discussed in more detail in this Report at Section 2.9 (page 18).
  • Minimisation and simplification of data fields
    It is possible that data accuracy could be improved by minimising and simplifying the amount and type of data that is collected by credit reporting agencies. The Office of the Privacy Commissioner, for example, has expressed concern that ‘expanding the volume of information reported to credit reporting agencies has the potential to increase the level of inaccuracy’.[16] Links between the amount of data and data accuracy are discussed in more detail in this Report at Section 2.13 (page 23).

As data accuracy is one of the most significant issues in credit reporting it should ideally be dealt with in the proposed Privacy (Credit Reporting Information) Regulations. Data accuracy is not simply an operational issue – it is actually an essential compliance issue with significant consumer harm and human rights consequences.

However, the ALRC appears to be uncertain about the best location for the regulation of data accuracy:

Where specific concerns about data quality are serious and well-defined, and the solution is reasonably clear, it may be appropriate to deal with them through specific provisions of the Privacy (Credit Reporting Information) Regulations. In other cases, matters may be dealt with more effectively through detailed data quality requirements in the proposed credit reporting industry code, subject to the overriding obligation to ensure that credit reporting information is accurate, up-to-date, complete and not misleading.[17]

The ALRC appears to be suggesting an unusual regulatory arrangement – where the issue is simple and the solution is clear the requirements can be set out in the Regulations, but where the issue is complex and the solution is unclear it should be dealt with by a potential industry Code.

A solution adopted in this Report is that core data accuracy requirements should be located in the proposed Privacy (Credit Reporting Information) Regulations. Supplementary industry rules about data consistency (e.g. the rules and processes for the consistent presentation of data across a diverse industry) may be addressed in a potential industry Code.

2.4. Access to data

This section discusses access to data, including ease of access, cost of access and consumer awareness.

As discussed in the sections on notice and data accuracy, consent has been effectively removed from credit reporting as a privacy protection, so it is important to strengthen alternative protections, including access rights. Industry will also benefit from improvements in access, as this will lead to improvements in data accuracy.

The proposed UPP 9 provides a short, generic access right, accompanied by a long list of exceptions. It may be necessary to set out more detailed access provisions in credit reporting in the proposed Privacy (Credit Reporting Information) Regulations. The Regulations could provide more detail on the costs of access and remove the majority of the exceptions found in UPP 9.

The cost of access may be an issue in credit reporting as current industry arrangements require consumers to choose between ‘fast and expensive’ access or ‘slow and free access’.[18]

The proposed Privacy (Credit Reporting Information) Regulations should specify that some form of free, timely access to credit reporting information should be provided. The benefits of improved access arrangements will flow to both consumers and industry. Some consideration might be given to reducing the time period for free access from 10 to 5 days to reflect the nature of modern information systems and communication channels.[19]

These outcomes (free and timely access) should be specified in the proposed Privacy (Credit Reporting Information) Regulations, not an industry Code, as access is a ‘rights’ matter rather than an operational matter. Some detailed industry processes that helped to deliver these outcomes might be included in a potential industry Code if that is thought necessary by industry. 

2.5. Security of data

Potential consumer harm relating to the security of credit reporting information includes concerns regarding the amount of data (in that it may become an attractive target for fraud), data breaches, unauthorised use, data retention and destruction policies.

However, the ALRC in DP72 believes that security concerns in credit reporting do not require specific regulation:

Proposal 54-9: The proposed Privacy (Credit Reporting Information) Regulations should contain no equivalent to s 18G(b) and (c), dealing with the security of credit information files and credit reports, as these obligations are adequately covered by the proposed ‘Data Security’ principle (UPP 8).

While UPP 8 does provide coverage of data security issues, it does not address concerns about the creation of very large data sets. UPP 8 applies equally to a single file or a massive database.

Credit reporting agencies have significant data holdings (Veda Advantage holds one of the largest private sector data sets in the region with over 14 million individual records). Concerns about data breaches are based on three fears:

  • The larger and more valuable a data set becomes, the more attractive it is as a target for fraud and unauthorised access;
  • The larger and more complex a data set becomes the more vulnerable it becomes to errors, accidents and negligence that result in a data breach; and
  • There is a history of security breaches at credit reporting agencies elsewhere.

Major credit reporting agencies in the US and Canada have reported data security breaches or identity theft losses in recent years:

  • US – TransUnion
    In December 2006, the TransUnion credit bureau investigated an unauthorised entry into their database, and an illegal download of hundreds of people's personal information. It was alleged that four different scam companies across the country stole more than 1,700 people’s credit information and social security numbers.[20]
  • US – Equifax
    In May 2006, Equifax credit agency acknowledged that a laptop computer containing employee names and Social Security numbers was stolen from a worker travelling on a train near London. The theft affected nearly all of the company's 2,500 US employees.[21]
  • US – Experian
    In June 2005, a new tenant to a building in Kansas City discovered that it was formerly occupied by the Topeka Credit Bureau and the Experian credit reporting agency. Inside the building, the tenant found the previous lessee had left ‘thousands and thousands’ of printed documents and numerous computerised records behind. The documents had personal data printed on them, including names, addresses and Social Security numbers, located in cabinets and within the drives of 10 to 20 computers.[22]
  • Canada – Equifax
    In February 2004, unauthorised remote access was gained to the personal, detailed credit files of more than 1,400 people on Equifax Canada’s database. The files contained social insurance numbers, bank account numbers, credit histories, home addresses and job descriptions. The breach was discovered in March of that year. More than 1,400 Canadians were notified of the breach via registered mail asking that they contact the agency to review the contents of their respected credit files.[23]

This Report concludes that, in line with the ALRC Proposal, UPP 8 should be the main requirement for data security in credit reporting. However, it is noted that a significant security issue in credit reporting is scale. With some data sets exceeding 14 million records containing multiple data fields of highly sensitive financial data, consumers are concerned about the vulnerability of credit reporting information to deliberate attack or neglect.

This issue is closely linked with the discussion of ‘more comprehensive reporting’ proposals in this Report at Section 2.13 (page 23). 

2.6. Identity fraud

This section discusses concerns regarding identity fraud and identity theft and their relationship to credit reporting information.

There is broad support for credit reporting to play a role in the prevention of identity fraud and identity theft. The ALRC DP72 proposes that credit reports could include ‘flags’ where the individual has been the subject of identity fraud:

Proposal 52-1: The proposed Privacy (Credit Reporting Information) Regulations should provide for the recording, on the initiative of the relevant individual, of information that the individual has been the subject of identity theft.

However, such a proposal needs to work in practice, and the industry has some concerns that modern credit reporting is based on a dynamic information network rather than static files, and that the ‘flags’ may be difficult to manage and ineffective in practice.

The ALRC proposal may require some further changes to ensure that it works in practice. For example, the industry is developing proposals on ‘freezing’ credit reporting information where identity fraud is a concern. It is in everyone’s interest to develop a workable system for managing identity fraud.

Identity fraud may be a good example of a fast-moving, highly technical, operational issue that would be better located in an industry Code, rather than in the proposed Privacy (Credit Reporting Information) Regulations

2.7. Direct marketing concerns

Potential consumer harm may arise in the context of the use of credit reporting information for direct marketing purposes. The harm may be in the form of a privacy concern (direct marketing can be a highly unpopular activity with consumers and is considered a significant privacy breach by the majority of the population) or the harm may be more closely associated with consumer detriment resulting from the unsolicited marketing of consumer credit.

For both types of harm there appears to be some industry support for prohibiting the use of credit reporting information for direct marketing. The Australian Retail Credit Association (ARCA), for example, has stated that:

ARCA is absolutely consistent in its view that credit reporting information must not be used or disclosed as a source for acquiring prospects for direct marketing purposes and that a serious breach of this obligation should not only result in a civil penalty but should also include suspension from the future use of credit reporting information.[24]

With this broad consensus in place, the ALRC has proposed a complete prohibition on the use of credit reporting information for direct marketing:

Proposal 53-3: The proposed Privacy (Credit Reporting Information) Regulations should prohibit the use or disclosure of credit reporting information for the purposes of direct marketing.

However, one outstanding concern regards the use of credit reporting data in pre-screened direct marketing campaigns. ARCA has a very different view on pre-screening and states:

The regulation must clarify that pre-screening is an allowable process as it reduces the volume of direct marketing transactions per campaign and helps protect those vulnerable individuals from receiving further offers of credit.[25]

Pre-screening raises both privacy and consumer harm issues and there is a close overlap with concerns regarding unsolicited credit offers.

Pre-screening is based on a technical loophole in existing privacy law. The disclosure of personal information is avoided by providing the screened list to the mailing house (rather than returning it to the credit provider). This arrangement avoids any general breach of the current NPPs.

There are more specific restrictions on the use of credit reporting information by credit providers contained in Section 18L of Part IIIA of the Privacy Act 1988. Indeed, under Section 18L a credit provider would be committing a criminal offence if it used credit reporting information for a purpose not listed in the section (and direct marketing or pre-screening are not listed). However, the industry avoids these offence provisions because the use of the credit reporting information is conducted by the credit reporting agency, not the credit provider. Section 18L does not extend to credit reporting agencies.

Despite this technical loophole, it would seem to set a risky precedent to allow the practice to continue. It is possible to think of examples where pre-screening could be used in other sectors, and if the credit reporting database can be used to ‘filter’ direct marketing campaigns then virtually any database could be used for a similar purpose.

An additional concern is that all of this activity occurs without the general knowledge of the community that it is occurring, and pre-screening would be well outside the expectations of the specific consumers whose data is being used in this way. Again, this sets a risky precedent for other sectors.

Some potential regulatory options include:

  • Apply UPP 5
    It is possible that pre-screening is a breach of UPP 5, as it is a use of the personal information (whether or not it is a disclosure) that is outside the expectation of consumers and there has been no notice or consent. This appears to be a sound argument – hence the industry request that pre-screening should be specifically allowed.
  • Prohibit pre-screening in the Regulations
    The practice could be specifically named and prohibited in the Privacy (Credit Reporting Information) Regulations.
  • Allow pre-screening in the Regulations with additional safeguards
    The practice could be specifically named and allowed in the Privacy (Credit Reporting Information) Regulations. However, this may be difficult to justify on public benefit grounds. A compromise would be to allow pre-screening subject to certain additional safeguards. These might include a requirement to offer both a comprehensive and specific opt-out service, complemented by a requirement for specific notice.

The third option is clearly a compromise solution and may be attractive. The comprehensive opt-out service would assist those people who want to opt-out of pre-screening as a ‘use’ of their personal information at the credit reporting agency level. The specific opt-out service would assist those people who do not wish to receive any further pre-screened offers from a specific credit provider. However, it is very difficult to see how either service could work in practice. How will a consumer know that they are receiving a pre-screened offer? How will they know about their opt-out rights? How will the opt-out service work in an environment where there is more than one credit reporting agency?

It is also very important that consumers do not receive a mixed message from the ALRC reforms. If on one hand the use of credit reporting in direct marketing is to be completely and totally prohibited, why then would consumers have to specifically opt-out of pre-screening direct marketing campaigns by contacting a credit reporting agency? Consumers are likely to be confused by the obvious inconsistency between regulations that prohibit the use of credit reporting information for direct marketing, and notices in credit applications that advise them their credit reporting information will be used for pre-screened direct marketing campaigns.

The industry argument is that pre-screening helps facilitate responsible lending. However, the evidence for this is weak. The pre-screened marketing campaigns themselves are often poor examples of responsible conduct. Many of the invitations imply that credit has been pre-approved (some campaigns even include a sample plastic credit card with the target consumer’s name embossed on the front of the card). The marketing material contains little information about the risks of credit. Application forms are typically very brief and provide insufficient space for a person to list details of all of their liabilities – they are certainly shorter than the application forms available in branches for the same products.

It is possible that if the material was not pre-screened the credit providers would have to be more cautious in the language and forms used in such campaigns to avoid risking the embarrassment and reputation damage of rejecting applications from a large number of consumers who had initially believed the ‘pre-approved’ marketing. A more cautious approach to the marketing of credit may have a greater impact on responsible lending than the questionable impact of pre-screening.

It is important to remember that pre-screening does not remove or replace the requirement for responsible lenders to check credit reporting information at the time of application. It would appear that the most significant impact of pre-screening is to save marketing costs, reduce applications that are likely to be rejected, and to reduce environmental waste. Without a clear link to responsible lending, there is no justification for making a special case for credit providers to avoid the full coverage of UPP 5 in their marketing campaigns.

This Report concludes that pre-screening is contrary to both the requirements and spirit of privacy law (in particular UPP 5) and contrary to the proposed ALRC prohibition on the use of credit reporting information for direct marketing purposes. In order to avoid sending mixed messages to consumers on the use of credit reporting information in direct marketing, pre-screening should be specifically included in the direct marketing prohibition in the proposed Privacy (Credit Reporting Information) Regulations.

However, it may be necessary to consider pre-screening hand in hand with the regulation of responsible credit marketing. For example, if there was an Australian regulatory initiative on the responsible marketing of credit that helped to address this long list of concerns, support for pre-screening might improve. Unfortunately, there is no regulation of responsible credit marketing in Australia at this time. Further details are in this Report at Section 2.15 (page 32).

2.8. Compliance reviews and audits

This section discusses the use of internal and external reviews and audits to improve overall compliance and the quality/accuracy of credit reporting data.

There is strong support for an audit role in credit reporting to improve confidence levels in the accuracy of credit reporting information. Improvements in data accuracy will benefit both consumers and industry.

Audit options include audits by the regulator (the OPC), industry initiated external audits (by private sector providers), and industry initiated self audits. All three options may play a role.

The OPC has submitted that it should continue to have an audit role in credit reporting:

Given the serious consequences for individuals if adverse information is inappropriately recorded on their credit files, the Office considers that there remains a strong argument for the retention of the Office’s credit reporting audit functions.[26]

However, the OPC also acknowledge that industry audits can play a useful role and they do not seek an exclusive audit role. Credit reporting agencies may also play an enhanced role in managing data accuracy by auditing and managing both the accuracy of their own data and the data provided by credit providers.

The ALRC propose that audits requirements should be included in the proposed Privacy (Credit Reporting Information) Regulations. This Report notes that audit issues are linked to data accuracy, and therefore should be included in the proposed Privacy (Credit Reporting Information) Regulations. 

2.9. Complaints and External Dispute Resolution

Complaints handling in credit reporting is a significant issue with a long history of concern. Virtually all parties in the credit reporting environment are unhappy with the way complaints have been managed in recent years.

The ALRC proposals in DP72 appear to have wide support and may help to address these concerns.

However, the main issue is that consumer caseworkers have lost confidence in the Office of the Privacy Commissioner (OPC) as both the industry regulator and the key complaints handling body for credit reporting. Some advocates argue that the OPC should not have both roles. However, solutions to this issue are complex and may cause more problems than they solve.

This is an issue where the solution may require an acknowledgment that caseworker concerns are real as a first step. This acknowledgment is missing from both the DP72 and the OPC Submission to IP32. This Report notes it is a significant issue that neither the OPC nor the ALRC appear to acknowledge that there has been a problem in complaints handling.

Following such an acknowledgment, all parties may be able to commit to ongoing improvements to complaints handling processes, built on the ALRC recommendations as a foundation.

Consumer caseworkers have raised issues with complaints handling in credit reporting in submissions to multiple inquiries over a long period.[27] It is important to recognise that a typical consumer casework agency deals with dozens of different regulators and EDR schemes. They have consistently and unanimously rated the OPC complaints handling process for credit reporting as unsatisfactory. A breakdown of confidence in a regulator is rare in the Australian consumer sector. These issues should not be dismissed lightly, and the lack of confidence in the OPC is likely to have an ongoing impact on the regulation of credit reporting in Australia.

The current views of consumer caseworkers are well summarised in the following extracts:

With limited resources, there is always a tension between undertaking individual complaints handling and working to address broader, systemic issues. Neither function, however, should be ignored. The difficulty for the consumer is that unlike other privacy breaches, credit reporting involves the individual and at least two organisations with the individual’s personal information. Hence, the ‘respondent to the complaint’ is not easy to identify. The practice of the OPC upon receipt of these complaints is to take a vary narrow, and possibly incorrect, view of the provisions of the Act and Code, and refer the consumer to the relevant credit provider before it will take the complaint, even though the consumer has already complained to the CRA... There is a clear need for major change to the culture and practices of the OPC. The OPC should also review its approach to the acceptance of credit reporting complaints, particularly where the complainant has already complained to the relevant CRA.[28]
Consideration of the credit reporting provisions must take account of views both on the adequacy of the complaints and enforcement provisions and on the fifteen years experience of how those provisions have been used in practice. Further, failure of successive Privacy Commissioners to adequately address systemic non-compliance, and their willingness to make Determinations and issue advices that favour wider business use of credit information, seriously undermine confidence that any further discretion should be given to the Commissioner.[29]

On the positive side, the proposed UPPs and the proposed Privacy (Credit Reporting Information) Regulations will be simpler and easier to implement than existing rules, so complaints should be reduced and those complaints that do reach the EDR schemes and the OPC should be simpler.

The ALRC proposals also include significant enhancements for complaints and EDR, and credit reporting agencies will take on a greater share of responsibility for the management of complaints. Some of the key enhancements include:

  • Shifting the burden of proof to credit providers and imposing time limits
    Proposal 55-7: The proposed Privacy (Credit Reporting Information) Regulations should provide that credit providers have an obligation to provide evidence to individuals and dispute resolution bodies to substantiate disputed credit reporting information, such as default listings, and that if the information is not provided within 30 days the credit reporting agency must delete the information on the request of the individual concerned.
  • Mandating membership of an EDR scheme
    Proposal 55-6: The proposed Privacy (Credit Reporting Information) Regulations should provide that credit providers may only list overdue payment information where the credit provider is a member of an external dispute resolution scheme approved by the Office of the Privacy Commissioner.
  • Ability to require the OPC to make a determination
    Proposal 45-5 (b): Where, in the opinion of the Commissioner, all reasonable attempts to settle the complaint by conciliation have been made and the Commissioner is satisfied that there is no reasonable likelihood that the complaint will be resolved by conciliation, the Commissioner must notify the complainant and respondent that conciliation has failed and the complainant or respondent may require that the complaint be resolved by determination.
  • Clear right of appeal from OPC determinations
    The ALRC concludes that the current rights to merits review of determinations are not sufficient. They propose (Proposal 45-7) that the Privacy Act 1988 should be amended to provide that a complainant or respondent can apply to the Administrative Appeals Tribunal for merits review of a determination made by the Privacy Commissioner under Section 52. Obviously the strength of this proposal relies heavily on the ability of consumers to receive a determination in the first place.

However, it should be made clear that the ALRC proposals in DP72 will not fix complaint handling problems overnight. For example, there have been very long lead times before the involvement of EDR schemes had a significant impact on systemic issues in other sectors (e.g. telecommunications). Regular reviews, EDR summits, and reports on systemic issues will be required in order to achieve effective reform.

In addition, some further enhancements will be required to enhance consumer confidence in the complaints handling process and the key regulator – the OPC. These might include:

  • Improved links between systemic complaints and access to credit reporting information
    Where a credit provider or another party (e.g. an assignee) is the subject of consistent complaints that indicate systemic issues, their access to credit reporting information should be suspended so that the damage they can do to consumers or to the accuracy of data can be limited. This will also act as a disincentive for poor conduct.
  • Allowing and encouraging the OPC to accept a complaint that is yet to be referred to the respondent
    The requirement for complainants to first submit their claim to respondents is a highly bureaucratic requirement that unfortunately has been liberally applied by the OPC in the past.[30] It has a significant impact on consumers and has probably resulted in many consumers walking away from the complaints process entirely. The approach is very difficult to justify and is inconsistent with modern approaches to complaints handling. The OPC is just as well placed as the complainant to send the complaint to the respondent and this requirement makes no allowance for the needs of disadvantaged and confused consumers. This issue will not be solved by further information on complaints handling (as suggested by the ALRC in DP72 and by the OPC in the OPC Submission to IP32). Concerns about complaints volumes can be allayed by the effective management and referral of complaints to appropriate EDR providers – but consumers should not be turned away if their first port of call in this complex environment just happens to be the OPC.
  • Limiting OPC discretion not to investigate a complaint
    In DP72, the ALRC proposes that the OPC should be given ‘more discretion not to investigate complaints, including where an EDR mechanism could handle the complaint’. It is to be hoped that this statement refers only to situations where the OPC may use their discretion to refer a complaint to a more appropriate EDR provider, rather than expanding their general discretion not to investigate complaints at all. It is a discretion that is already widely used by the OPC with significant negative effects for consumers. The ALRC also hopes to ‘free up the Privacy Commissioner from dealing with individual complaints to enable more of a focus on systemic issues’. However, the experience of consumer caseworkers is that the OPC uses its discretion to not investigate complaints specifically as a tool to not investigate systemic complaints.
  • Bringing forward the review to 3 years
    The ALRC has proposed that the credit reporting regulatory arrangements should be reviewed after 5 years. In an environment where there are significant concerns about complaints handling processes and culture this review will need to be brought forward. This Report proposes bringing the review forward from 5 years to 3 years.

Overall, we believe there is a real risk that in three to five years time consumers will still be unhappy with the complaints process unless there is a significant change in the approach of the OPC. The other ALRC proposals and enhancements are all worthwhile, but the OPC remains at the centre of credit reporting complaints management and simply must take a more flexible, proactive role and assist in removing technical and bureaucratic obstacles to effective dispute resolution. 

2.10. Sanctions, compensation and redress

This section discusses concerns regarding the effectiveness of sanctions to change industry practice and the availability of redress and compensation for consumers.

There appears to be a general consensus in submissions and in DP72, that criminal offences should be removed from the credit reporting regulation. A more effective sanctions and remedy regime can be delivered by civil penalties, supplemented by the ability to restrict access to credit reporting information for those organisations who engage in systemic breaches.

The location of the civil penalties regime should be in the proposed Privacy (Credit Reporting Information) Regulations. The OPC should also have the ability to make specific orders in determinations to limit access to credit reporting information where organisations are found to have engaged in a systemic breach. This is possibly already covered by the DP72 proposal on systemic issues:

Proposal 45-6: Section 52 of the Privacy Act should be amended to empower the Privacy Commissioner to make an order in a determination that an agency or respondent must take specified action within a specified period for the purpose of ensuring compliance with the Act.

However, it may be useful for the industry to have a self-policing role in addition to the sanctions available in the Regulations. For example, the ability to limit access to credit reporting information where organisations are found to have engaged in a systemic breach might also apply to systemic breaches of the potential industry Code. Sanctions could be applied by a Code compliance body, and might include suspension or restricted access to credit reporting information, or requirements for specific performance such as corrective advertising, training, changes to procedures etc.

The inclusion of such sanctions in an industry Code will raise potential competition issues and may risk breaching the Trade Practices Act 1974.[31] The Code may require authorisation by the Australian Competition and Consumer Commission (ACCC) in order to overcome this concern. This issue is discussed in more detail in this Report at Section 3.2.3 (page 47). 

2.11. Use of credit reporting information

Current regulation restricts access to credit reporting information to a limited set of credit providers. However, some credit reporting agencies offer additional services and applications that require them to also collect, use and disclose non-credit reporting information. For example, personal information that forms part of credit reporting information may also be useful in verifying evidence of identity claims. This is a growing area of business following the passage of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).[32]

Some industry submissions to the ALRC have argued for consistent regulation across all of their activities. This could be achieved by broadening the definition of credit reporting information to include information used for other purposes.

It is likely that there will be some sympathy for organisations who find themselves subject to two separate, inconsistent privacy regulations (the UPPs and the Privacy (Credit Reporting Information) Regulations). However, use of personal information outside of the credit reporting environment will ultimately fail the specific credit-related public benefit test that has been used to justify the ‘special’ regulation of credit reporting information. The application of the Privacy (Credit Reporting Information) Regulations should remain as tight as possible, and credit reporting agencies will have to comply with the UPPs for all their other activities. They can draw some comfort from the simplification of the proposed UPPs compared to earlier privacy requirements.

The OPC has made some useful recommendations on this issue:

The Office suggests that consideration be given to the inclusion of an express provision in Part IIIA prohibiting the collection of an individual’s credit information file by employers, insurers and government agencies... As a general principle, the Office submits that only credit providers should be able to access information from credit information files unless there are cogent public interest reasons why other persons should.[33]

It is important to keep credit reporting regulation as simple as possible. It is already a complex area requiring specific regulation and possibly an industry Code. This regulation will be made more complex if access to credit reporting information is extended beyond credit providers.

It is also important to note that the economic/public benefit arguments used to justify the special treatment of credit reporting are based on lending dynamics – not employment or other potential applications. If other systems develop that seek access to this type of information they should be consent based and covered by the UPPs.

It may be necessary to include this restriction in the Privacy Act 1988 itself rather than in the proposed Privacy (Credit Reporting Information) Regulations. This would help to avoid future industry efforts to lobby for access to credit reporting information for specific issues or one-off incidents. The Act will need to contain a provision setting out the broad role of the regulations, so this section may provide a useful location for this restriction. 

2.12. Listing rules

This section discusses listing rules for credit reporting information, including the definition of default, minimum value of default, minimum age of data etc.

Listing rules are an area where there is a significant divergence from the UPPs. Instead of providing a general test of ‘relevance’ for whether information is collected and listed, the current Part IIIA of the Privacy Act 1988 contains a prescriptive list of items that can and cannot be included in a credit report. It is likely that this situation will continue in the future, although the listing rules will be located in the proposed Privacy (Credit Reporting Information) Regulations.

Listing rules are relatively settled, although there are few areas of ongoing concern:

  • Amount of default
    Stakeholders agree that a minimum amount of default should be specified in regulations before it can be listed. The current amount is $100 and this is widely considered to be too low by consumer stakeholders.
  • Cheques
    There no longer appears to be support for listing cheques that have bounced twice.
  • Old debts
    There is general support that statute barred debt should continue to be excluded. The current five year limit for including defaults also has support (7 years for bankruptcy). Some improvements are required for multiple listing and re-listing of old debts.
  • Unenforceable debts
    There is growing support for debts that are unenforceable not to be listed (as the credit should never have been extended – for example credit extended in breach of Section 75 of the Uniform Consumer Credit Code).[34]
  • Mandatory reporting
    There is opposition to proposals to require mandatory reporting of defaults.[35]

Listing rules should be located in the proposed Privacy (Credit Reporting Information) Regulations. It is recognised that listing rules may need to change from time to time (the growing irrelevance of cheques is a good example), and it may therefore be tempting to locate listing rules in a potential industry Code. However, it is likely that the regulations will be subject to regular review (perhaps every 3-5 years) and this should provide sufficient flexibility. Urgent changes can also be made to regulations if required.

2.13. Amount of content in credit reports

This section discusses the full range of options for regulating the amount of information that can appear in credit reports, including positive/negative reporting, comprehensive reporting, compromise positions etc. This is the most contentious area of credit reporting regulation in Australia.

The potential consumer harms related to the amount of content in credit reports include both privacy and general consumer harms.

Privacy issues arise because the amount of data collected and stored in a central location represents a significant privacy risk, and the amount of data therefore needs to be justified on public benefit grounds and/or balanced by other privacy protections.

Consumer issues arise because the amount of data collected is fundamentally linked to industry conduct in relation to responsible lending and responsible credit marketing.

2.13.1. Background

For many years, industry representatives have sought an expansion of the amount of content that can be included in a credit report. Proposals have ranged from limited expansion / more comprehensive reporting to full / positive reporting. The long history of these attempts are described in detail in by the ALRC in DP72 and do not need to be repeated in this Report. Privacy and consumer advocates have consistently opposed such proposals.

A good summary of the entrenched positions is provided by the Senate Economics Committee:

The [industry submissions] put the view that a change in the type of information that consumer credit bureaus can hold will have a positive impact on manageable levels of household debt in Australia and will lead to a more efficient allocation of financial resources. Proponents also maintain that this change would lead to sounder lending practices, particularly in relation to credit cards.
On the other hand, consumer advocates are concerned that industry calls for positive credit data are based on self-interest and if successful will lead to more opportunities for the industry but will not increase prudent lending, nor decrease default rates. Furthermore, they argue that the industry has not operated a fair and accurate limited credit reporting regime to date and existing problems can only be made worse by increasing the amount of information that the industry is permitted to gather.[36]

As all previous attempts at expansion have failed, the ALRC inquiry presents a significant opportunity to attempt reform. DP72 contains a proposal that is best described as a compromise position - a limited expansion of content is proposed under the banner ‘more comprehensive reporting’. New allowable content would include the details of accounts opened and closed and the credit limits that apply to those accounts. No balance information would be included and derogatory information would continue to be restricted to defaults, bankruptcies and serious credit infringements.

The ALRC suggests that this compromise position will provide some improvements in the predictive capability of the data for the benefit of future credit providers, without leading to an unreasonable intrusion into the affairs of individuals:

This extension of the current reporting system has some support from both industry and consumer groups. Importantly, credit providers would have access to more information about an individual’s current credit commitments to assist in promoting responsible lending. The proposed extension in credit reporting information would provide much of the additional predictiveness desired by proponents of more comprehensive reporting.[37]

However, the response to this compromise proposal has been mixed. While there appears to be some individual pockets of support, the broad grouping of industry representatives (under the banner of ARCA) opposes the proposal. They argue that the predictive benefit of this incremental expansion will be outweighed by the costs of implementation.

At the core of industry concerns is the absence of payment history – as this is potentially a useful tool in predicting creditworthiness:

In the USA, the FICO [Fair Isaac Corporation] scoring model[38] rates payment history and amounts owed as the two most important attributes influencing the score result, weighting them at 35% and 30% respectively. These two information sources are not available in Australia under the current negative only regime.[39]

ARCA has made a counter-proposal, submitting that in addition to the ALRC proposed data, some limited information on repayment history, covering a period of only two years and expressed in general ratings, should be included. It is important to note that some industry representatives, including ARCA members, continue to express support for full/positive reporting, while supporting the ARCA counter-proposal as an initial step towards that goal.

2.13.2. The economic/public benefit debate

One key aspect of the debate is that Australia is in a minority of countries that have restricted / negative credit reporting. This issue dominates industry submissions for reform across multiple inquiries. However, Australia appears to be in relatively sound company – the other countries in this minority are France, Spain and New Zealand. All four countries have mature privacy legislation, democratic freedoms, market economies and highly educated populations. All four countries are extremely wealthy with large, modern, stable economies, and low rates of default on credit products.

Nevertheless, industry insists that Australia and the other countries in this minority are missing out on the benefits of comprehensive reporting enjoyed by the majority:

Neither of the objectives of free flow of information and ensuring consumer data protection are served by a regulatory system that is allowing negative reporting only. A system that includes both types of data has the ability to provide the best information to lenders in order for them to make a lending decision.[40]

However, this Report question both the relevance and significance of these arguments once the broader economic context of credit reporting is considered.

It is important to note that in Australia the following factors are all relevant:

  • Default rates in Australia are low;
  • The impact of credit reporting on default rates is marginal when compared with other factors;
  • The costs of credit risk are already covered;
  • The financial services industry is extremely profitable; and
  • Ultimately responsible lending may or may not be influenced by credit reporting, as there are no responsible lending obligations in Australian law.

This last issue is not usually discussed in international comparisons, but some brief research has indicated that some key jurisdictions that allow positive credit reporting, including the UK and the US, also have strict regulations on responsible lending in place.

2.13.3. Default rates

The industry argument for an expansion of content in credit reports is partly based on an argument that default rates are a concern and that expanded / positive credit reporting will reduce default rates. However, default rates in Australia are considered by regulators and the industry itself to be very low. They are low by historical standards, and they are low by international standards.

Indeed, the credit industry itself is the loudest proponent of the claim that default rates are low. Some recent examples include:

  • Opposing national Credit Code reform (2000)
    In arguing against reform of the UCCC to strengthen hardship provisions, industry argued that default rates were low in Australia, and the market was adequately addressing responsible lending practices without the need for legislative intervention.[41]
  • Opposing credit card reforms (2002)
    In arguing against tighter regulation of consumer disclosure (e.g. comparison rates) for credit cards, the industry argued that “credit card default rates are low, consumers are not carrying excessive levels of debt and are better off today than 5 years ago, and low-income earners as a group are not susceptible to financial trouble due to credit card debt”.[42]
  • Opposing bank regulation proposals (2004)
    In arguing against the ALP’s 2004 banking policy on responsible lending requirements, the industry argued that “housing and credit card default rates are low indicating that banks are being responsible in their lending policies and the economy is strong”.[43]
  • Opposing responsible lending proposals (2005)
    In arguing against responsible lending reforms before the Senate Economics Committee, industry submissions argued that default rates were at historic lows in Australia and that there was no need for regulatory intervention.[44]
  • Opposing reform of consumer credit laws (2006)
    Industry argued that default rates were low in submissions to the Victorian Consumer Credit Review, where proposals for responsible lending were being discussed. They stated: “The vast majority of consumer credit contracts entered into by banks with their customers are complied with fully. Bank loan default rates have been low and stable for many years. [45]

It is difficult for the credit industry to maintain the position that default rates are low and of no concern when opposing reforms relating to the regulation of industry practices in the broad field of responsible lending, and then in the next breath to argue that default rates are high and of such great concern that privacy law should be amended in the field of credit reporting.

This is not just an interesting anecdote about industry lobbying – this is an important issue that has an impact on proposals to expand data included in credit reports. So, are default rates high or low?

Recent default rates collected by the Reserve Bank of Australia (RBA) are summarised in the table below:[46]

 

Loan type

2004

2005

2006

2007

Housing loan (full-doc)
90+ days past-due

0.2%

0.3%

0.4%

0.4%

Housing loan (low-doc)
90+ days past-due

0.5%

0.8%

1.0%

1.1%

Housing loan (non-conforming)[47]
90+ days past-due

4.1%

5.4%

6.2%

7.0%

Credit cards
90+ days past-due

1.0%

1.0%

1.1%

1.2%

Personal loans
90+ days past-due

0.8%

0.9%

1.0%

1.0%

RBA credit default rates

 

Overall, the RBA has concluded that default rates in Australia remain near ‘historic lows’ and also remain ‘significantly below international default rates’. However, they do note that default rates have risen alarmingly in certain geographic areas – notably Western Sydney in NSW. They conclude:

Despite the increase in non-performing housing loans over the past few years, the arrears rate remains low by international standards. Moreover, the recent increase is not unexpected, particularly given the strong competition in lending markets over the past decade or so, which has made housing finance available to a broader range of borrowers. The general easing of credit standards over this period has meant that the marginal borrower over recent years has been riskier than was the case a decade ago and, as a consequence, the arrears rate for a given level of interest rates and unemployment is likely to be higher than was the case in the past.[48]

Increased competition, lowering credit standards, downward pressure on house prices, pockets of unemployment, and multiple interest rate rises are all listed by the RBA as contributing to default rates. There is no mention of a contribution by credit reporting arrangements, and it is difficult to see how credit reporting arrangements could make an impact when compared to this plethora of more significant factors.

Ultimately, the potential link between default rates in Australia and changes to credit reporting arrangements are speculative. Improvements to credit reporting may help to facilitate responsible lending, but this may or may not result in improvements in responsible lending in day-to-day practice. Current competitive market forces appear to be driving lenders away from responsible lending, and no amount of additional data in credit reports will have an impact on this trend, especially in a jurisdiction such as Australia where there is no legal requirement to engage in responsible lending.

The costs of credit risk are also covered by a diverse range of industry measures. These include:

  • Core interest rates;
  • Penalty interest rates;
  • Core fees and charges;
  • Penalty fees and charges;
  • Interchange fees on credit card products;[49]
  • Insurance;[50] and
  • Security.

While consumers ultimately pay for the cost of credit risk in one form or another, it would be unlikely that all of these costs would reduce because of changes in credit reporting. Rises in all of these costs bear little relation to the level of defaults in Australia – which remain relatively stable and have even decrease from time to time.

2.13.4. Privacy harm

The Legal and Constitutional References Committee provided an excellent summary of the privacy harms that might arise from expanding the amount of content in credit reports:

The committee sees no justification for the introduction of positive credit reporting in Australia. Moreover, the experience with the current range of credit information has shown that industry has not run the existing credit reporting system as well as would be expected and it is apparent that injustice can prevail. As mentioned elsewhere in this Report, positive reporting is also rejected on the basis that it would magnify the problems associated with the accuracy and integrity of the current credit reporting system. The privacy and security risks associated with the existence of large private sector databases containing detailed information on millions of people are of major concern.[51]

As noted, one potential privacy harm is that an expansion in the amount of data may magnify data accuracy concerns – for example, the DP72 proposal would allow several new fields of data to be added to credit reports. However, the impact of this may depend on the general regulatory response to data accuracy concerns, and this is an area where the ALRC proposals are likely to lead to some improvements.

Data accuracy is also a concern if the ARCA proposal to the ALRC is successful. Under the ARCA proposal information on 2 years payment history (which may be positive or negative) would be included in credit reports. Payment history would be represented by a broad rating (e.g. a 0, 1 or 2), rather than by factual information (such as the amount and date of payment).

While at first glance the ARCA proposal appears to protect privacy as it limits the amount of data on the file, it may be difficult to maintain data accuracy. Data accuracy in the ARCA proposal may be affected by the following factors:

  • Credit providers will have to provide more information, requiring more data entry and more opportunities for errors;[52]
  • Credit providers may not have the same motivation to check the accuracy of data (especially disputed data) as they do to check default data in traditional credit reporting information, as the consequences of an inaccuracy will appear less severe;
  • A consumer checking their report may not understand the ratings;
  • A consumer checking their report may not recognise an inaccuracy in the ratings, in circumstances where they would have recognised an inaccurate factual record;
  • A consumer wishing to challenge the accuracy of data will have to look up records and potentially provide very detailed information in order to challenge a rating; and
  • It is unclear that disputed information or ‘notes on file’ have any impact on credit decisions under the current system, and this issue may be magnified by the ARCA proposal’s reliance on ratings rather than facts that can be easily corrected.

Additional potential privacy harm may arise in relation to data security if the scale of the credit reporting databases is increased. This issue is discussed in more detail in this Report at Section 2.5 (page 13).

2.13.5. Consumer harm

One issue of concern is whether more information would lead to up-selling, cross-selling, churning or differential pricing. The credit industry claims that up-selling does not form part of the motivation for positive credit reporting. However, up-selling, churning and differential pricing are entrenched elements of some jurisdictions where positive credit reporting is allowed.

A possible solution is to seek industry approval for a specific restriction on up-selling and differential pricing etc. This could be located in the proposed Privacy (Credit Reporting Information) Regulations. This may be a useful test of credit industry consensus and commitment and help to dilute one specific consumer concern.

Once particular types of information are included in credit reports, it can be difficult to anticipate how the data will be used in practice by the credit industry. For example, consumers are generally encouraged to shop around for the best price for all products, including credit, mobile phones, utility providers etc. However, according to advice from a credit reporting agency, this same practice may lead to problems in obtaining credit in the future. This results from the inclusion of all credit applications on the credit report, whether or not credit was actually extended to the client, and the claimed predictive worth of such information when measuring creditworthiness. [53]

The potential use of a wider range of information on a credit report is unknown.

There does, however, appear to be some agreement that the overall amount of credit will increase once more comprehensive credit reporting or positive credit reporting is introduced. This results in a general consumer concern that more people will be offered credit at a time when there are no obligations for responsible lending in Australian law, and consumer protections for credit customers are weak. 

2.13.6. Conclusion

There is no clear justification for more comprehensive reporting in Australia at this stage and there is significant uncertainty about what impact more comprehensive reporting might have on consumers, default rates and the broader community. Unfortunately, it is impossible to run a pilot project in the credit reporting environment – once a change is made it may be irreversible even if the results are negative.

Concerns over more comprehensive reporting will remain strong while there is no obligation to lend responsibly or to market credit responsibly in Australian law.

The ALRC is in a difficult position on this issue as they have been asked to consider the reform of credit reporting privacy regulation only and they have no brief to cover general (non-privacy) consumer protection arrangements. This is a very difficult issue to address with one hand effectively tied behind their back. However, the ALRC may be able to note some of the shortcomings in consumer protection law and the impact that this has on credit reporting privacy regulation.

Credit reporting agencies are also in a difficult position. Credit reporting agencies want to play a role in facilitating responsible lending and they have continually presented good cases for an expansion of credit reporting information using responsible lending as their key public benefit argument. However, credit reporting agencies are not, themselves, lenders. They have not traditionally been actively engaged in the wider debate on responsible lending and responsible credit marketing.

If credit providers do not have a legal obligation to engage in responsible lending and responsible credit marketing, efforts to facilitate responsible lending via more comprehensive credit reporting are misplaced.

This Report makes some recommendations on improvements to the regulation of responsible lending that might help to address this issue – see Section 3.3 (page 48) for more detail.

2.14. Debt collection and the sale of debts

This section discusses issues that might arise where there is a connection between debt collecting, debt assignment and credit reporting. Examples include the use of listing defaults as a threat in debt collection, and the inappropriate re-listing of debts when they are sold.

The law appears to be reasonably settled here and debt collection is specifically included in Part IIIA as a permissible use of credit reporting information – although information is to be supplied by credit providers rather than by a credit reporting agency. However, there have been some problems in the past with the specific practices of debt collectors and there have also been some systemic problems regarding data accuracy when debts have been sold.

Industry is keen for debt collection agencies to continue to have access to credit reporting information:

Access to the credit reporting system in debt collection is necessary for the credit industry to function efficiently. Concerns about access to, and use of credit information by industry participants can be addressed through regulations that focus on proportionality and prevention of harm. In particular, placing higher obligations on credit providers through more comprehensive subscriber agreements and rules of reciprocity will act to prevent misuse of this capability.[54]

A key improvement in this field is the ALRC proposal in DP72 that all organisations who access credit reporting information will have to belong to an approved EDR scheme, and this could potentially include debt collectors and the organisations who purchase debts.

In DP72, the ALRC notes that debt collection practices are also regulated by the ACCC and the Australian Securities and Investments Commission (ASIC) through the Debt Collection Guideline: For Collectors and Creditors.[55] The ALRC therefore appears unwilling to add any further provisions regarding the conduct of debt collectors:

It may not be effective or appropriate for the Privacy (Credit Reporting Information) Regulations to deal with issues that primarily concern debt collection practices.[56]

This Report agrees that access by debt collectors to credit reporting information should be briefly defined in the proposed Privacy (Credit Reporting Information) Regulations. All other matters relating to the practices of debt collectors should be addressed in the Debt Collection Guideline: For Collectors and Creditors. 

2.15. Responsible credit marketing

This section describes consumer concerns about industry practice, using the terms ‘responsible lending’ and ‘responsible credit marketing’. The term responsible lending has, in practice, been restricted to the actual decision to provide credit. Many irresponsible lending practices start at the marketing step – well before credit reporting information is involved.

There is some doubt that more comprehensive reporting would have a significant positive impact on the marketing of credit and the exact links between marketing and credit reporting are unclear.

Some credit marketing practices are regulated in Australia – notably the provision of false or misleading information and the requirement to include detailed information on fees and interest rates (including comparison rates).

However, many other marketing practices have raised concerns. The following list is non-exhaustive:

  • Unsolicited credit
    There is a general concern that the amount of credit and high levels of consumer debt have been fuelled by unsolicited credit offers, usually through direct marketing campaigns (although this might also include unsolicited approaches in shopping centres etc.). The marketing of credit ‘door to door’ is banned in Australia[57] and there is also a general ‘do not call’ register.[58] However, there are few other restrictions on the unsolicited marketing of credit. In December 2007 the Federal Minister for Consumer Affairs announced that he was considering an inquiry into the prohibition of unsolicited credit offers after household credit levels hit a record high.[59] It is also interesting to note that the unsolicited sale of many other financial services products is prohibited or heavily regulated under the Corporations Act 2001.[60]
  • Personalised marketing
    There are some specific concerns about using personalised marketing for credit products, as ‘personalising the offers makes it more appealing as many believe if the banks think they can afford that level of debt then they can.’[61]
  • Unsolicited limit increases
    Unsolicited credit limit increases can be sent to existing consumers. These types of offers have been a major area of concern as the consumer has not asked for additional credit and they may be targeted at consumers who have existing debts.
  • Pre-approved credit
    It is, in fact, unlikely that a lender would provide ‘pre-approved’ credit to a new customer in Australia, but the term ‘pre-approved’ (or words to that effect) are often used in credit marketing campaigns. Letters to new customers may even suggest a specific pre-approved credit limit for a new credit card. Letters to existing customers might also suggest a pre-approved cash advance. Some lenders even send sample cheques with the offer for the pre-approved cash advance sum. There may be a link between the use of the term ‘pre-approved’ and the use of credit reporting information in pre-screening. For example, direct marketing campaigns that have been pre-screened often use the term ‘pre-approved’. The question is whether the term ‘pre-approved’ represents a responsible lending practice, as it would appear to encourage an applicant to apply for additional credit whether or not they could afford it on the basis that the lender appears to believe they can afford it. Lenders are presumed to be acting professionally by most consumers.
  • Sending samples
    As discussed above, some lenders send sample cheques showing how much money a person could have under a personal loan or cash advance. Other lenders send sample plastic credit cards (sending actual credit cards is prohibited in Australia[62]) There are concerns about whether sending samples represents a responsible lending practice.
  • Balance transfer offers – no requirement to cancel existing credit
    Balance transfer offers have become an important marketing tool in recent years. They provide an opportunity for the industry to churn consumers from one provider to another. The marketing is built around lower interest rates for balance transfers, usually for a short period (3-6 months). As there is no requirement to cancel existing credit products when a balance transfer is undertaken, the overall amount of credit available to consumers increases. Consumer caseworkers and financial counsellors cite this as a common factor in consumer over-commitment.
  • Balance transfer offers – to be paid first
    There are some important tricks in balance transfer marketing. For example, the card rules usually state that balance transfer amounts will be paid off first. So any monthly payment to the card will be applied to the transfer amount, not to recent purchases or card fees, which will therefore accrue compound interest at the full rate. This issue can be exacerbated by links between new card offers and rewards schemes. A typical example is a new card product that offers a rewards points bonus on the ‘first card spend’, often with an expiry period. Balance transfers and card fees will not count for this bonus, so a consumer will spend some money on the card in the first month to claim the rewards bonus. They will then find that they cannot pay off this transaction until the transfer sum has been paid off (often years later). Compound interest will accrue on the transaction for the entire period.
  • Interest free products
    There are concerns about the use of interest free products as bait for expensive credit products. There are also instances where consumers have been offered credit limits that are substantially higher than the amount needed to cover the initial purchase.
  • Emphasising non-credit features
    There is a strong emphasis in many credit marketing campaigns on non-credit features, including rewards schemes, status (for example, products that offer exclusive access or recognition) and even fashion (for example, credit cards that are marketed as design icons or fashion accessories). This marketing tends to downplay the serious nature of credit products and the risks involved in credit over-commitment. This is in contrast to many jurisdictions where the risks of credit need to be highlighted in credit marketing. For example, regulations in the UK require all home loan marketing, including television advertising, to carry a credit ‘health warning’.

It would appear that there are links between at least some of these issues and the use of credit reporting information in marketing campaigns.

The use of credit reporting information for direct marketing is likely to be subject to a general prohibition. However, pre-screening remains an outstanding regulatory issue. It may be necessary to consider pre-screening hand in hand with the regulation of responsible credit marketing. For example, if there was an Australian regulatory initiative on the responsible marketing of credit that helped to address this long list of concerns, support for pre-screening might improve.

2.16. Responsible lending

There are numerous irresponsible lending practices in Australia and elsewhere. In recent years, there is a trend towards more detailed regulation of the credit industry in an effort to end irresponsible lending practices, although in Australia such intervention has been limited.

The credit reporting industry notes that there are links between the amount of credit reporting information available and responsible lending:

Under the current negative regime, consumers are able to accumulate more and more credit facilities and use one to pay off another until the vicious circle finally results in default and/or bankruptcy. Lenders can currently ascribe penalties to consumers’ score based on a large number of enquiries, however this cannot replace a full understanding of their total available and outstanding credit that would be available from positive data. Pre-contractual plans that demonstrate an ability to repay are the cornerstone of responsible lending but they rely on full disclosure of outstanding liabilities.[63]

However, it can be argued that the link between credit reporting information and responsible lending can only be made if there is a legal requirement to engage in responsible lending in the first place. Such an obligation is absent in Australia.

There is no general licensing scheme or regulation for credit providers in Australia that requires them to be responsible lenders. Specifically there is no requirement that lenders assess a consumers’ ability to repay a loan without suffering undue hardship.

The only relevant provisions in Australia are a very limited ‘shield’ provision in the UCCC[64] and a provision in the draft Finance Broking Bill 2007 (NSW)[65] that, even if passed, would only apply to credit transactions completed by brokers, and not to credit applications made directly with lenders.

The relevant UCCC provision is Section 70 (2)(l). It states that a court (on application) may reopen a credit contract that it believes is unjust. One of the factors it can take into consideration is:

Whether at the time the contract, mortgage or guarantee was entered into or changed, the credit provider knew, or could have ascertained by reasonable inquiry of the debtor at the time, that the debtor could not pay in accordance with its terms or not without substantial hardship.

Note that this provision has proved to be difficult to use in practice. It does not require any proactive steps by credit providers and it usually involves considerable time, expense and legal representation to re-open a credit contract on the grounds that it is unjust.

A recent development is the release of the Exposure Draft of the Finance Broking Bill 2007 (NSW).[66] Although this bill has been submitted in NSW it is designed as uniform legislation for all States and Territories, who will pass mirror legislation once the NSW bill is passed.

As it is more recent legislation than the UCCC the text has benefited from the experience of implementing the UCCC, including the difficulties of using the shield provisions in Section 70 to manage responsible lending.

As a result, the bill contains a ‘sword’ provision requiring finance brokers to take proactive steps to assess a consumer’s ability to repay:

Section 33 Consumer’s credit requirements and capacity to repay credit
(4) The matters to be established in relation to a consumer’s capacity to repay credit are:
(a) the consumer’s current income and expenditure, and
(b) the maximum amount the consumer is likely to have to pay under the credit contract for the credit, and
(c) the extent to which any existing credit contracts are to be repaid, in full or in part, from the credit advanced, and
(d) the consumer’s credit history, including any existing or previous defaults by the consumer in making payments under a credit contract, and
(e) the consumer’s future prospects, including any significant change in the consumer’s financial circumstances that is reasonably foreseeable (such as a change in the amount the consumer has to pay under the credit contract for the credit or under any other credit contract to which the consumer is party),
(5) A consumer has the capacity to repay credit of a particular type and amount if, and only if, it is reasonably certain that the consumer will, without undue hardship, be able to meet his or her obligations under a credit contract for credit of that type and amount.[67]

The result of the combination of the UCCC and the proposed finance broking legislation is a strange one. Loans arranged through brokers would be subject to a proactive requirement to assess a consumer’s ability to repay and this is likely to have a substantial impact on responsible lending for the small proportion of loans arranged by brokers. Loans arranged directly with credit providers would only be subject to the limited UCCC Section 70 shield provisions that have had no impact on responsible lending to date.

In overseas jurisdictions there is a trend towards stricter regulation of responsible lending.

In the UK ‘irresponsible lending’ has been listed as an unfair or improper practice under the Consumer Credit Act 2006 (UK).[68] The UK Office of Fair Trading has issued guidance to lenders on how to avoid this prohibition:

We consider irresponsible lending to include failing to make a proper and diligent assessment of the potential borrower's ability to repay a loan in full and to make all the periodic payments as they fall due. The OFT would consider it irresponsible for lenders and intermediaries not to take reasonable care in making loans or advancing lines of credit in revolving credit card agreements. Reasonable care would include taking steps to find out and check the borrower's creditworthiness, and ability repay the debt and to meet the full terms of the agreement. For example, we would not consider offering new lines of credit to borrowers who are exhibiting typical signs of inability to repay existing debts (such as missed payments or always making only minimum repayments on a credit card account) to be responsible lending.[69]

In addition, the UK Banking Code[70] is to be reformed to include greater restrictions on irresponsible lending practices. This follows the completion of an independent review of the Banking Code that made the following relevant recommendations:

  • The Banking Code should include a general promise that members ‘will lend responsibly’;
  • The Banking Code should include a requirement that lenders are always required to consider Credit Reference Agency (CRA) data plus at least two of the five bulleted points below (as well as any other checks not listed that the subscriber feels are necessary to meet their commitment to lend responsibly). This recommendation should also apply before offers of credit limit increases.
    • Customer’s income and financial commitments;
    • How they have handled their accounts with the subscriber in the past;
    • Internal credit scoring techniques;
    • Any security provided; and
    • Why they want to borrow and for how long.[71]

In the US a combination of Federal and State law provides guidance on responsible lending practices. The main responsible lending provision is contained in the Truth in Lending Act:

Section 129(h): Prohibition on extending credit without regard to payment ability of consumer
A creditor shall not engage in a pattern or practice of extending credit to consumers under mortgages ... based on the consumers' collateral without regard to the consumers' repayment ability, including the consumers' current and expected income, current obligations, and employment.[72]

The key recent development is the imposition of stricter regulations following the sub-prime mortgage crisis in the US. Default rates for home lending in the US are running at record highs – defaults on sub-prime variable interest loans are now 13%. Defaults on sub-prime fixed interest loans are 6%. This compares with default rates on traditional loans of around 1%.[73]

The main regulatory response has been the introduction of the Mortgage Reform and Anti-Predatory Lending Bill (2007).[74] This bill has passed the House and is now before the US Senate. It contains a range of detailed measures to combat irresponsible lending.

The most relevant provision is Section 32, which would amend the Truth in Lending Act to provide:

Presumption of Violation – There shall be a presumption that a creditor has violated this subsection if the creditor engages in a pattern or practice of making high cost mortgages without verifying or documenting the repayment ability of consumers with respect to such mortgages.

In addition, the Mortgage Reform and Anti-Predatory Lending Bill (2007) contains a number of very detailed, prescriptive requirements relating to the design of credit products – including exact formulas for the amount of credit that can be provided (based on factors such as salary) and the amount of repayments. There are also prohibitions on numerous product features, such as balloon repayments.

Overall, the responsible lending regulations in the UK and USA are surprisingly rigorous, detailed and prescriptive. They include a direct link with the use of credit reporting information. By comparison, the Australian requirements look weak and ad hoc.

There have been significant calls for this situation to be improved in Australia.

In 2006 the Senate Economics Committee recommended the introduction of a responsible lending provision in Australian law:

Recommendation 7: The Committee recommends that the States and Northern Territory develop and pass uniform consumer credit legislation requiring credit providers to undertake appropriate checks of borrowers' capacity to pay before issuing new credit cards or raising credit limits. The ACT Fair Trading Act provides an appropriate model for this legislation.[75]

Also in 2006, the Australian Securities and Investments Commission (ASIC) called for banks to adopt responsible lending practices. This followed an investigation by ASIC into personal loans arranged for borrowers in Far North Queensland, the Torres Strait, and some remote parts of South Australia. The investigation found that the eligibility criteria used by one bank to assess personal loans in these areas resulted in some loans leaving borrowers over-committed and unable to afford the repayments. ASIC stated: ‘There is a need for all financial institutions to adopt responsible lending practices. ASIC encourages all lenders that haven’t already done so recently, to review their lending guidelines to ensure that they are fair and effective’.[76]

In 2007 the Productivity Commission (PC) received submissions to amend Australian consumer laws to include a responsible lending requirement. The Consumer Action Law Centre (CALC) asked the PC to ‘provide for an up-front obligation on lenders to ensure a consumer has the capacity to repay a loan without substantial hardship before extending credit’.[77]

However, at this stage there has been no reform of responsible lending law, apart from the limited Finance Broking Bill 2007.

Some credit providers have taken their own voluntary steps to introduce responsible lending practices. For example, some major banks have placed restrictions on lending to social security welfare recipients and lending to people without requiring proof of income:

  • ANZ Customer Charter
    The 2006 Customer Charter sets benchmarks for service to personal and business customers including a formal commitment to lending in a responsible and transparent way.[78] For example, it states that ANZ ‘will not offer you a credit limit increase if we know that you are on a fixed income, for example, receiving a government pension (e.g. old age pension, veteran’s pension)’. However, there is no general requirement to assess a customer’s ability to repay.
  • Westpac - Principles for Responsible Lending
    Westpac states: ‘We seek to lend only what our customers can afford to repay. We are therefore committed to following a strict, detailed and sensible loan criteria process, including the use of credit scoring, credit reference agency checking and affordability verification to make a full assessment of a person’s capacity to repay.’[79]

Many other specific lending practices have raised concerns. However, these fall outside the scope of the current Report. The following list is non-exhaustive:

  • Equity stripping;
  • Falsely claiming a loan is for business purposes to avoid the application of the UCCC;
  • Using brokers and intermediaries to avoid the application of the UCCC; and
  • Refinancing problems.[80] 

2.17. Supply of consumer credit

2.17.1. Under-supply of consumer credit

Some consumers continue to face difficulties in obtaining credit or affordable credit. These difficulties sometimes relate to credit reporting, although there are many other factors that have an impact on the under-supply of credit in Australia.

This issue is sometimes linked to the debate on more comprehensive reporting and also to the debate on listing rules. Industry argues that supply would improve with more comprehensive reporting.

Consumer caseworkers and advocates have concerns about the under-supply of consumer credit where consumers are excluded from credit because they have minor defaults – often for late payment of utility bills. This may be an area where it is difficult to get the balance right.

There may also be concerns about access to credit if delinquency information is included in credit reports (as per the ARCA proposal). Obviously the impact of such a proposal is untested so there is no data available on the potential impact. However, it would instinctively raise concerns about minor delays in payment (which would not appear on credit reports under the current rules) reducing supply of credit to low-income and disadvantaged consumers.

2.17.2. Over-supply of consumer credit

There are also concerns regarding the over-supply of consumer credit, resulting in potential over-commitment – both for individuals and for the broader community and economy.

The Senate Economics Committee noted:

The question of whether the lending policies and practices of banks and other lenders have played a significant role in increasing household debt is contentious. Representing the banking sector, the [Australian Bankers Association] maintains that demand for credit is the primary driver of increased household debt. Nonetheless, the lenders market their products aggressively, each institution seeking to maintain market share and maximise profits. Appearing before the House of Representatives Standing Committee on Economics, Finance and Public Administration, the Governor of the RBA, Mr Macfarlane was under no illusions about the lenders' motives: ‘There is a very big industry out there which is utterly determined to put out as much credit as it can’.[81]

This Report does not include an analysis of whether more credit is good or bad for the economy. However, the concerns of consumer caseworkers and financial counsellors regarding the impact of credit over-commitment on individual consumers are significant, and need to be addressed no matter what impact the supply of credit has on the overall economy. 

3. Regulatory framework options

3.1. Regulatory framework overview

The starting point for developing an effective regulatory framework for credit reporting is to accept that credit reporting is ‘different’ to most other information practices. It raises a complex combination of privacy, consumer and economic issues that may never be adequately addressed in a single regulatory instrument.

From a privacy perspective, credit reporting needs to be dealt with by a specific approach as the usual privacy protection of consent is not available as a practical privacy protection in the credit reporting environment.

From a consumer protection perspective, credit reporting is a small subset of broader consumer issues in the marketing and provision of credit, and is difficult to regulate as a stand-alone function.

In addition, there is a broader debate about the style and structure of effective regulation in Australia:

  • Responsive regulation
    John Braithwaite has developed a theory of ‘responsive regulation’ that has become very popular in Australia. Broadly, this theory argues that the degree of government regulation should depend upon the behaviour of those regulated.[82] In the credit reporting environment this approach would encourage the development of a tiered approach to regulation, with an industry Code containing the majority of requirements, and legislation only coming in to play in ‘response’ to specific concerns. In practice, the credit reporting sector already has a long history of problems in areas like data quality that have resulted in regulation being escalated to the legislation layer. Once there, it is difficult for the industry to justify their return to the self-regulatory layer without being able to display significant improvements.
  • Hybrid regulation
    The use of hybrid regulatory systems has significant support in Australia.[83] This approach is particularly concerned with ‘quasi-regulation’, a system of regulation that is not explicitly government regulation (i.e. not all regulation is black-letter law) but with which private sector bodies are encouraged by the government to comply. Hybrid regulation might also involve ‘co-regulation’; where the regulation is created by industry, but is underpinned by legislation. The majority of financial services regulation in Australia is a form of hybrid regulation.

The following advice on the development of an efficient regulatory framework for credit reporting is based on a tiered or hybrid regulatory approach.

This broad approach is consistent with the proposals of the ALRC in DP72. Their regulatory framework is summarised as follows:

[T]he ALRC proposes a model for new credit reporting regulation. Under this model, the credit reporting provisions of the Privacy Act would be repealed and credit reporting regulated under the general provisions of the Act and the proposed UPPs. Privacy rules imposing obligations on credit reporting agencies and credit providers specifically would be promulgated in regulations under the Act in the proposed Privacy (Credit Reporting Information) Regulations.[84]

In addition, the ALRC proposes the development of an industry Code:

Proposal 50-11: Credit reporting agencies and credit providers should develop, in consultation with consumer groups and regulators, including the Office of the Privacy Commissioner, an industry code dealing with operational matters such as default reporting obligations and protocols and procedures for the auditing of credit reporting information.

The findings and recommendations in this Report are also based on several key assumptions about credit reporting:

  • Credit reporting is different from most information practices and cannot be effectively regulated by generic privacy law;
  • Credit reporting is difficult to separate from the marketing and provision of credit, so credit reporting regulation needs to be considered together with general credit regulation; and
  • The ALRC review of privacy legislation is an important opportunity to achieve reform of credit reporting regulation, but it is not the only appropriate forum for reform.

The result of applying these assumptions is that the regulatory framework clearly requires multiple elements or layers. This Report finds that the development of an effective regulatory framework for credit reporting requires three broad elements:

  • General principles;
  • Detailed regulations; and
  • Industry operating rules.

However, the exact application and location of these three elements needs to take into consideration the overlap between privacy and consumer protection issues.

Using this structure, the Report makes the following findings:

 

Privacy Findings

Consumer Protection Findings

General principles

These would normally be the UPPs in the Privacy Act 1988, but in the case of credit reporting the Act may serve only as a place-holder for the proposed Privacy (Credit Reporting Information) Regulations which will contain the general principles for credit reporting.

The principles used in this Report for determining when an element should be included in the Privacy Act 1988 are:

  • The issue must, in substance, be a privacy issue rather than a consumer protection issue;
  • The issue requires certainty, rather than flexibility;
  • The issue relates to fundamental privacy rights, rather than minor consumer concerns or basic operational matters.

General principles

The Report finds that one of the criticisms of credit regulation in Australia is that there are no general fairness principles for credit providers, in contrast to the general principles that apply to other financial services providers.

No general principles are in place regarding responsible lending or responsible credit marketing (in stark contrast to other jurisdictions such as the UK and USA).

Detailed regulations

The Report finds that the proposed Privacy (Credit Reporting Information) Regulations are likely to form the core of privacy protection in the credit reporting environment. This Report adopts the following tests for the content of the proposed Regulations:

  • The issue must, in substance, be a privacy issue rather than a consumer protection issue;
  • The issue requires a degree of flexibility – Regulations can be amended more quickly than the Privacy Act 1988 itself;
  • The issue relates to fundamental privacy rights, rather minor consumer concerns or basic operational matters.

Detailed regulations

The Report finds that some detailed regulations are currently provided in State and Territory legislation, including the UCCC and the draft Finance Broking Bill.

However, they do not adequately cover responsible lending or responsible credit marketing across the entire credit market.

Industry operating rules and best practice

This Report finds that there is support for an industry Code to act as an additional layer of regulation. This Report adopts the following tests for the content of a potential industry Code:

  • The issue might be a privacy issue or a consumer protection issue (or both);
  • The issue requires significant flexibility – the industry Code may potentially be quick to amend;
  • The issue does not relate to fundamental privacy rights;
  • The issue relates to minor consumer concerns or basic operational matters; or
  • The issue regards industry branding or cooperation.

Industry operating rules and best practice

The Report finds that some general best practice guidance may be available through industry Codes and also sometimes through regulator guidelines (e.g. ASIC / ACCC Debt Collection Guidelines).

However, at this stage there is no best practice guidance available for responsible lending or responsible credit marketing.

 

3.2. Privacy Regulation

3.2.1. General principles

General principles for privacy regulation of credit reporting will need to be different from the proposed UPPs in the Privacy Act 1988. The UPPs rely heavily on consent as the major privacy protection, and consent is not available as a practical tool in the credit reporting environment. It would be dangerous to try to amend the UPPs to allow for the specific requirements of the credit reporting environment, as this might weaken the overall protection offered by the UPPs for all types of information. Ultimately a different set of principles will need to be applied to credit reporting.

It is possible that these principles could be located in the Privacy Act 1988, as a separate section on credit reporting. Alternatively, the Privacy Act 1988 could just be used as the legislative ‘hook’ for Regulations that contain both the general principles and the detailed regulations (see below).

Also, the UPPs will be almost impossible to change quickly, so it is risky for credit reporting issues to be covered by the UPPs alone when we know that the industry is entering a period where there may be dynamic changes in the environment, leading to a need for some regulatory flexibility.

Stakeholders noted that there were good reasons for developing a regulatory response to credit reporting that goes further than the UPPs. The Office of the Privacy Commissioner stated: ‘the Office considers that credit reporting does require a certain of level of prescription to ensure that credit providers, credit reporting agencies and individuals understand their obligations and rights’.[85] The Consumer Action Law Centre stated: ‘we are strongly opposed to a reliance on the NPPs alone or to a self-regulatory system.’[86]

The Principles used in this Report for determining when an element should be included in the Privacy Act 1988 are:

  • The issue must, in substance, be a privacy issue rather than a consumer protection issue;
  • The issue requires certainty, rather than flexibility;
  • The issue relates to fundamental privacy rights, rather than minor consumer concerns or basic operational matters.

This Report recommends that the Privacy Act 1988 should contain a brief section on credit reporting that includes four key elements:

  • A definition of credit reporting and credit reporting information;
  • A requirement that credit reporting and credit reporting information are to be regulated by the proposed Privacy (Credit Reporting Information) Regulations;
  • A broad principle limiting the extent of access to credit reporting information to credit providers and organisations that require access to credit reporting information for the management of credit (e.g. debt collectors); and
  • A broad principle that complaints can be made to the Office of the Privacy Commissioner in relation to credit reporting in accordance with both the Act and Regulations.

All other credit reporting privacy regulation would be included in the proposed Privacy (Credit Reporting Information) Regulations or in a potential industry Code.

One contentious area in the approach suggested in this Report is that we argue that access to credit reporting information should be restricted in a provision in the Act to “credit providers and organisations that require access to credit reporting information for the management of credit”. This effectively establishes a ‘tight’ primary purpose for credit reporting information that should prove useful in the application of use and disclosure principles.

This is a much narrower scope than some other jurisdictions where access is granted to employers, real estate agents and other parties that do not play a role in the management of credit.

In Australia, industry is not seeking broad access to credit reporting. However, there are some calls to allow access to credit reporting information for specific secondary purposes. The most notable example is efforts to use credit reporting information for verifying evidence of identity claims. This is a growing area of business following the passage of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).[87]

We propose that secondary purposes should be strictly limited in order to avoid potential function creep. The use and disclosure of personal information for a secondary purpose cannot be managed by consent in the credit reporting environment, so other methods may need to be adopted to manage and limit secondary use in credit reporting. The current method for restricting secondary use is to rely on a list of permitted uses in the legislation (e.g. Section 18K and Section 18L of Part IIIA of the Privacy Act 1988).

At this stage identity verification is not listed as an allowable use. The direct inclusion of identity verification in this list (without further tests) may be difficult as the Parliament have had several opportunities to include identity verification and have chosen not to do so.

In relation to secondary use, the ALRC Discussion Paper 72 makes the following Recommendation:

Proposal 53-2: The proposed Privacy (Credit Reporting Information) Regulations should provide that, in addition, a credit reporting agency or credit provider may use or disclose credit reporting information for related secondary purposes, as permitted by the proposed ‘Use and Disclosure’ principle.

The secondary use provisions in UPP 5. Use and Disclosure would not allow identity verification to proceed, as it is simply not related to the primary purpose of collection of credit reporting information. None of the other exceptions in UPP 5 would appear to apply, especially as consent is unavailable.

However, an alternative method for limiting secondary purposes and function creep would be to include a detailed test for an ‘allowable’ secondary purpose in the Act. This may require further consideration, but an initial test might require any secondary purpose to satisfy all of the following conditions:

  • The secondary purpose must primarily be for the benefit of the individual;
  • The secondary purpose must be for a purpose that the individual would be likely to consent to (if effective consent were practicable);
  • The secondary purpose must be for a general public benefit or community economic benefit rather than merely for private economic gain; and
  • The secondary purpose must not result in an increased overall risk of privacy harm through either the secondary purpose itself or its contribution to ‘function creep’.

It is possible, although not certain, that the application of these tests might result in identity verification being included as an allowable secondary purpose for the use and disclosure of credit reporting information.

3.2.2. Detailed regulations

The ALRC suggests in DP72 that the proposed Privacy (Credit Reporting Information) Regulations will form the core privacy regulation for credit reporting. The regulations will include both general privacy principles that are relevant for the credit reporting environment and detailed regulations for the credit reporting agencies and organisations that access credit reporting information.

This is an approach that is supported in this Report.

It is important to note that these will be regulations made under the Privacy Act 1988 so they can only provide coverage of issues that are privacy specific – they will not be able to cover general consumer protection issues. The Regulations must be aligned with the objectives of the Privacy Act 1988 – these are likely to change as per the following ALRC recommendation:

Proposal 3-4: The Privacy Act should be amended to include an objects clause. The objects of the Act should be to:
(a) implement Australia’s obligations at international law in relation to privacy;
(b) promote the protection of individual privacy;
(c) recognise that the right to privacy is not absolute and to provide a framework within which to balance the public interest in protecting the privacy of individuals with other public interests;
(d) establish a cause of action to protect the interests that individuals have in the personal sphere free from interference from others;
(e) promote the responsible and transparent handling of personal information by agencies and organisations;
(f) facilitate the growth and development of electronic commerce, nationally and internationally, while ensuring respect for the right to privacy; and
(g) provide the basis for nationally consistent regulation of privacy.

The Regulations would also need to be consistent with the relevant credit reporting provision in the Act (as described above). This provision would contain the definition of credit reporting (thus restricting the scope of the regulations to matters covered by the definition) and a broad principle limiting the extent of access to credit reporting information.

Interestingly, the Regulations do not need to be stronger than or equivalent to the UPPs (this is a rule that only applies to registered or prescribed codes). Also, they may not necessarily need to be ‘balanced’. For example, there is no specific legal requirement that the provisions in the Regulation need to be strengthened in order to ‘balance’ the loss of consent that occurs in the credit reporting environment (although this Report expresses the view that the Regulations should be strengthened in this way).

Within these broad settings, there is great flexibility in developing Regulations. They could be very prescriptive or very broad; lengthy or short; expansive or limited; and strong or weak.

This Report therefore adopts the following tests for the content of the proposed Privacy (Credit Reporting Information) Regulations:

  • The issue must, in substance, be a privacy issue rather than a consumer protection issue;
  • The issue requires a degree of flexibility – the Regulations can be amended more quickly than the Privacy Act 1988 itself;
  • The issue relates to fundamental privacy rights, rather minor consumer concerns or basic operational matters.

On this last point, this Report has identified key privacy rights in the credit reporting environment to include Notice, Accuracy, Access and Complaints rights:

  • Notice
    This is a key privacy right once consent is removed as a privacy protection, and requirements for timely and effective notice need to be in the regulations in order to balance the removal of consent.
  • Accuracy
    Data accuracy is a key privacy right in credit reporting as the consequences for consumers of inadequate data are so severe.
  • Access
    Access is a key privacy right in credit reporting as the consumer is in the best position to assess the accuracy of data that is being used and must be able to review and correct this data.
  • Complaints
    Complaints play a significant role in credit reporting and consumers must be guaranteed access to simple, fast and affordable dispute resolution processes. 

3.2.3. Industry operating rules and best practice

Where an issue is operational in nature and requires a high degree of flexibility it can potentially be included in an industry Code or best practice guide. The Code might also be an appropriate location for some non-privacy issues to be addressed. Industry benefits of a Code include ownership, branding, flexibility and innovation.

This Report therefore adopts the following tests for the content of a potential industry Code:

  • The issue might be a privacy issue or a consumer protection issue (or both);
  • The issue requires significant flexibility – the industry Code may potentially be quick to amend;
  • The issue does not relate to fundamental privacy rights;
  • The issue relates to minor consumer concerns or basic operational matters; or
  • The issue regards industry branding or cooperation.

It is important to determine the exact nature of a potential industry Code. At the outset it should be made clear that the industry Code is not a substitute for the proposed Privacy (Credit Reporting Information) Regulations – it is an additional regulatory initiative.

It is desirable that the Code is registered as a Code under the Privacy Act 1988. This is a complex process that requires detailed stakeholder consultation, but it does ensure that the Code is aligned with privacy legislation. Indeed, the content of registered Codes must be equivalent to or stronger than the UPPs. (In this case we assume that the test will be whether the Code is equivalent to or stronger than the proposed Privacy (Credit Reporting Information) Regulations.)

In order for the Code to be registered under the Privacy Act 1988 it could be developed and submitted by an industry body – ARCA has indicated it will be the body to develop such a Code. Alternatively, the Code could be prescribed by the OPC – although this is unlikely in an environment where the industry is willing to submit a Code (it is presumed that the prescribed codes power is for circumstances where the industry is not cooperating).

There is also the question of whether such a Code will be a disallowable instrument. Currently, codes (registered under S18BB) are not disallowable instruments. However, a specific credit reporting code of conduct is a disallowable instrument (S18A). DP72 appears to say that a Code developed by the industry and subsequently approved by the OPC is not a disallowable instrument but a Code prescribed by the OPC (under the new proposed power to prescribe binding codes) is a disallowable instrument. So if the credit reporting industry proposes a Code (to supplement the Regulations on certain industry issues) and it is registered by the OPC, it is unlikely that it will be a disallowable instrument. However, this point requires final clarification from the ALRC.

This Report recommends that only prescribed Codes should be disallowable instruments.

Finally, any industry Code raises potential competition law issues. It is likely that an industry Code in the credit reporting sector will also require authorisation by the ACCC to avoid breaching the Trade Practices Act 1974. Authorisation by the ACCC is subject to a very limited test and it is important to clarify that authorisation does not equate with ‘approval’. Indeed, the test is simply whether or not the public benefit outweighs any potential lessening of competition that results from the Code.

The ACCC authorisation process has caused considerable concern in the past where an industry chose to have a privacy Code authorised by the ACCC without having it registered by the OPC. This must be avoided, as the ACCC test is very weak compared to the OPC test. The ideal approach for a potential industry Code in the credit reporting sector is to have the Code first registered by the OPC (this ensures that the content of the Code is equivalent to or stronger than privacy legislation) and then authorised by the ACCC. In these circumstances the ACCC could be asked to only amend provisions that would not alter the content registered by the OPC. For example, the ACCC could ask that sanction provisions be strengthened or weakened to meet their authorisation test, without changing the substantive provisions that have been approved by the OPC.

The worst outcome would be that the industry Code is not subject to any testing by the OPC and moves straight to ACCC authorisation. In these circumstances the Code is likely to be of little worth as the bar set by the ACCC is so low.

Overall, the industry must also decide whether the benefits of a Code outweigh the hassle and expense of a developing and managing a Code. The alternative is to comply with the Regulations alone – which may not be as difficult as industry believe. In many other industries, organisations have come to accept general privacy legislation, and have abandoned attempts to develop a Code. Indeed, some registered Codes have subsequently been withdrawn or continue to have very low membership.

At this stage, there is strong momentum behind the development of a Code by ARCA.

An issue that could be included in the Code is the issue of reciprocity. This is the term used to describe the requirement for any organisation accessing credit reporting information to also contribute its own credit reporting information.

The ALRC has recommended that industry develop a Code to help manage the reciprocity issue (Proposal 51-2). Their reasons include:

Some matters raised in the Inquiry, however, are not addressed most appropriately through legislation. For example, credit providers generally support the principle of reciprocity in credit reporting and obligations to report information consistently. Arguably, credit providers themselves and their industry associations should take responsibility for such matters, within the framework provided by legislation.

Data quality standards are also an issue that the industry would like to include in a Code – although this should more correctly be described as data consistency (data quality remains a key privacy right that will be addressed in the proposed Privacy (Credit Reporting Information) Regulations).

Data consistency standards may be different to the data quality standards required in privacy law, but the Code must be either equivalent to or stronger than privacy law. The ALRC specifically proposes that the Code should be used for improving data consistency (Proposal 54-5). Their reasons include:

Privacy principles should ensure that credit reporting agencies and credit providers are obliged to take reasonable steps to ensure the data quality of credit reporting information. The complexity of data quality issues in credit reporting means that more prescriptive regulation is generally undesirable. Prescriptive requirements may unnecessarily increase the cost of compliance with the Privacy Act 1988 and transaction costs in the finance industry generally, without any significant benefit in terms of data quality. Rather, with some exceptions—as in the case of the listing of statute barred debts—it is considered more appropriate to leave detailed data quality requirements to be dealt with in the proposed credit reporting industry code, developed with input from consumer groups and regulators. If the proposed review indicates that industry self-regulation is not successful in addressing data quality problems such as those discussed in this chapter, however, further regulation should be considered.

This Report accepts that there is strong industry interest in developing a Code and that the ALRC has recommended that reciprocity and data consistency should both be dealt with in a Code rather than in legislation. (It is difficult to list other issues that should be subject to the Code.) However, we note that the development of a Code is a timely and complex process and the benefits of a Code are often over-estimated by industry. We would not be surprised if the industry chose at some point in the future to abandon the Code and simply comply with the Regulations. For this reason, some further consideration should be given to including reciprocity and data consistency in the Regulations.

This would result in all of the privacy requirements for credit reporting being contained in one regulatory instrument.

3.3. Consumer protection regulation

3.3.1. General principles

The majority of financial services products in Australia are regulated by the Corporations Act 2001 (as amended by the Financial Services Reform Act). This legislation contains high level principles that require all financial services providers to obtain a licence. Under Section 912A of the Act, licence holders have several ‘general obligations’. These include:

  • To do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly;
  • To undertake training and maintain the competence of staff and representatives; and
  • To join an approved EDR scheme.

Unfortunately, these basic general principles do not apply to the provision of consumer credit in Australia. Credit continues to be regulated (for the most part) by the States and Territories through the application of the UCCC and other State and Territory legislation (such as local fair trading laws). These laws do not include general principles in relation to fairness, honesty training, competence or EDR schemes. There is no ‘licence’ for credit providers (although some credit providers will also be financial services licence holders under the Corporations Act 2001 as result of other lines of business – e.g. deposits and insurance).

The general principles that are contained in the UCCC focus on disclosure requirements and the conduct of the credit provider at the time of a credit application. Briefly, the key requirements include:

  • A prohibition on false and misleading information;
  • Restrictions on unconscionable conduct;
  • Disclosure requirements relating to interest rates (e.g. comparison rate information); and
  • Disclosure requirements relating to fees and charges.

As discussed in this Report in Section 2.16 (page 34), the UCCC does not include a proactive requirement for credit providers to assess a consumers’ ability to repay a loan without suffering undue hardship.

In other general consumer law the only relevant principle is contained in Section 28A of the Fair Trading Act 1992 (ACT).[88] This requires credit providers to conduct a satisfactory assessment of a consumer’s ability to repay, but it only applies to credit contracts involving consumers in the Australian Capital Territory – one of Australia’s smallest jurisdictions.

A recent development is the release of the Exposure Draft of the Finance Broking Bill 2007 (NSW).[89] Although this legislation has been submitted in NSW it is designed as uniform legislation for all States and Territories, who will pass mirror legislation once the NSW Act is passed. This proposed legislation contains a requirement to assess a consumer’s ability to repay – although it only applies to credit arranged by finance brokers.

The missing element in Australian law is a set of high-level general principles that covers all credit providers and includes the following elements:

  • A requirement to act honestly and fairly;
  • A requirement to undertake training and maintain the competence of staff and representatives;
  • A requirement to join an approved EDR scheme; and
  • A requirement to assess a consumers’ ability to repay a loan without suffering undue hardship.[90]

These elements could be packaged together and appear in specific responsible lending legislation (similar to the US Truth in Lending Act) or general credit legislation (similar to the UK Consumer Credit Act 2006[91]). This would probably be achieved in Australia by an amendment to the UCCC. Alternatively the Corporations Act 2001 could be amended so that credit was included as a financial service - the requirement to assess ability to repay could then be added to the Corporations Act 2001 as a ‘general obligation’.

Moving credit to the Corporations Act 2001 is a significant change requiring national coordination. Interestingly, such a move has been recommended by several inquiries and further consideration of this proposal is included in the policy of the incoming ALP Government. Such a move should not be dismissed lightly.

Concerns over more comprehensive reporting will remain strong while there is no obligation to lend responsibly or to market credit responsibly in Australian law.

As noted earlier in this report, the ALRC is in a difficult position on this issue as they have been asked to consider the reform of credit reporting privacy regulation only and they have no brief to cover general (non-privacy) consumer protection arrangements. This is a very difficult issue to address with one hand effectively tied behind their back. However, the ALRC may be able to note some of the shortcomings in consumer protection law and the impact that this has on credit reporting privacy regulation. 

3.3.2. Detailed regulations

In addition to the general principles discussed above, more detailed regulation may be required. The key issue is what test will be used to determine if a credit provider is acting as a responsible lender.

In the US these detailed regulations are contained in legislation.[92] In the UK the detailed regulations are contained in a Guideline issued by the regulator,[93] and further developed in industry codes, such as the Banking Code.[94]

In Australia, the likely location of detailed regulations is in the UCCC (if it were amended to include responsible lending provisions) or the Corporations Act (if it were amended to include credit). An example of detailed regulation has now been set by Section 33 of the proposed Finance Broking Bill 2007 (NSW). This includes very detailed regulations on what information should be included in an assessment of capacity to repay.

Similarly, there may need to be some further detailed regulation of responsible credit marketing. This could potentially be located in the same regulatory instrument (e.g. the UCCC). However, there is a history of addressing marketing concerns in the financial services industry through best practice guidelines issued by the regulator (usually ASIC). This may be a worthwhile option in addressing irresponsible credit marketing.

This Report suggests that legislation (either an amended UCCC or Corporation Act) is the best location for detailed regulation in relation to responsible lending and responsible credit marketing. The content could include:

  • Regulation on what factors should be included in a proper assessment of a consumer’s capacity to repay a loan (e.g. verification of income, assessment of credit reporting information etc.);
  • Tests or definitions of terms, including ‘capacity’ and ‘hardship’;
  • Regulation of what content should be prohibited in responsible credit marketing (e.g. use of the term ‘pre-approved’); and
  • Limits on credit marketing (e.g. regulation, if appropriate, of unsolicited credit marketing).

3.3.3. Industry operating rules and best practice

Industry codes may play a role in the regulation of responsible lending and responsible credit marketing.

For example, the Code of Banking Practice[95] has played a significant role in Australia and could be amended to include criteria for assessing ability to pay and guidance on the responsible marketing of credit. This may be easy to achieve as several major Australian banks have already adopted responsible lending principles.[96]

However, such an approach may limit regulation to specific credit providers. Many credit providers will not currently be signatories of an industry Code.

A more effective approach may be to develop a specific credit marketing best practice guideline (or guidelines), covering responsible lending and responsible credit marketing. This could take the form of a regulator’s best practice guideline (similar to the UK), and cover all credit providers.

An alternative is to allow the industry to develop its own self regulatory scheme – perhaps through ARCA. Industry wide self regulation may be difficult to achieve on an issue like responsible lending. In 2006 a similar scheme was proposed in the UK, where there was an attempt to develop a Responsible Lending Index (RLI) for the credit industry. The RLI proposed to voluntarily benchmark lending standards and promote best practice within the credit industry by involving suppliers of credit, customer representatives and regulators.[97] The scheme was not successful and has subsequently been replaced by reform of the Consumer Credit Act 2006 and specific guidance from the regulator.

A further source of potential guidance is to rely on scheme rules and best practice guidance issued by EDR schemes. These schemes could issue best practice guidance on responsible lending. However, the history of compliance with this type of guidance is poor. In 2002, the BFSO issued a Bulletin requiring members to complete a full assessment of income and liability for consumers as best practice for all unsolicited credit card limit increases.[98] This guidance is simply ignored by the industry and no members currently conduct such an assessment.

This Report suggests that an industry Code (covering all credit providers) or a regulator’s guideline is the best location for detailed industry operating rules and best practice guidance in relation to responsible lending and responsible credit marketing. The content could include:

  • Guidance on what inquiries constitute a proper assessment of a consumer’s capacity to repay a loan; and
  • Guidance on what content should appear in responsible credit marketing (e.g. warnings about credit risk).

3.4. Proposed Regulatory Framework

The proposed regulatory framework for credit reporting developed in this Report can be summarised in the following table:

Privacy Recommendations

Consumer Protection Recommendations

General principles

The Privacy Act 1988 should contain a brief section on credit reporting that includes four key elements:

  • A definition of credit reporting and credit reporting information.
  • A requirement that credit reporting and credit reporting information are to be regulated by the proposed Privacy (Credit Reporting Information) Regulations.
  • A broad principle limiting the extent of access to credit reporting information to credit providers and organisations that require access to credit reporting information for the management of credit (e.g. debt collectors).
  • A broad principle that complaints can be made to the Office of the Privacy Commissioner in relation to credit reporting in accordance with both the Act and Regulations.

General principles

A set of high-level general principles that covers all credit providers should be included in Australian law, including:

  • A requirement to act honestly and fairly.
  • A requirement to undertake training and maintain the competence of staff and representatives.
  • A requirement to join an approved EDR scheme.
  • A requirement to assess a consumers’ ability to repay a loan without suffering undue hardship.

These principles should be included in amended credit legislation (e.g. the UCCC) or in an amended Corporations Act 2001 that includes credit in its jurisdiction.

Detailed regulations

The proposed Privacy (Credit Reporting Information) Regulations should include both principles and detailed regulations on at least the following key privacy rights:

  • Notice
    This is a key privacy right once consent is removed as a privacy protection, and requirements for timely and effective notice need to be in the regulations in order to balance the removal of consent.
  • Accuracy
    Data accuracy is a key privacy right in credit reporting as the consequences for consumers of inadequate data are so severe.
  • Access
    Access is a key privacy right in credit reporting as the consumer is in the best position to assess the accuracy of data that is being used and must be able to review and correct this data.
  • Complaints
    Complaints play a significant role in credit reporting and consumers must be guaranteed access to simple, fast and affordable dispute resolution processes.

Detailed regulations

Detailed regulation of responsible lending and responsible credit marketing should include the following:

  • Regulation on what factors should be included in a proper assessment of a consumer’s capacity to repay a loan (e.g. verification of income, assessment of credit reporting information etc.).
  • Tests or definitions of terms, including ‘capacity’ and ‘hardship’.
  • Regulation of what content should be prohibited in responsible credit marketing (e.g. use of the term ‘pre-approved’).
  • Limits on credit marketing (e.g. regulation, if appropriate, of unsolicited credit marketing).

This detailed regulation should be included in amended credit legislation (e.g. the UCCC) or in an amended Corporations Act 2001 that includes credit in its jurisdiction.

Industry operating rules and best practice

Some outstanding issues may be covered in an industry Code. These might include:

  • Reciprocity.
  • Data consistency.

However, this Report notes that in light of the cost and complexity of developing an industry Code, some further consideration should be given to including reciprocity and data consistency in the Regulations.

Industry operating rules and best practice

This Report suggests that an industry Code (covering all credit providers) or a regulator’s guideline are the best location for detailed industry operating rules and best practice guidance in relation to responsible lending and responsible credit marketing. The content could include:

  • Guidance on what inquiries constitute a proper assessment of a consumer’s capacity to repay a loan.
  • Guidance on what content should appear in responsible credit marketing (e.g. warnings about credit risk).

4. Appendix 1: Resources

4.1. ALRC – General Resources

Australian Law Reform Commission, ALRC proposes a more comprehensive credit reporting regime, 12 September 2007, <http://www.alrc.gov.au/media/2007/mr1207_credit.html>.

Australian Law Reform Commission, Review of Australian Privacy Law, Discussion Paper 72, 31 July 2007, <http://www.austlii.edu.au/au/other/alrc/publications/dp/72/>.

Australian Law Reform Commission, Review of Privacy – Credit Reporting Provisions, Issues Paper 32, December 2006, <http://www.austlii.edu.au/au/other/alrc/publications/issues/32/IP32.pdf>.

4.2. Submissions to ALRC Issues Paper 32

Australian Privacy Foundation, Review of Privacy – Credit Reporting Provisions Issues Paper 32 – Submission to the Australian Law Reform Commission, March 2007, <http://www.privacy.org.au/Papers/CrRpting-ALRC-0703.pdf>.

Banking and Financial Services Ombudsman, Review of Privacy – Credit Reporting Provisions: Issues Paper 32 – Submission by Banking and Financial Services Ombudsman Limited, March 2007, <http://www.bfso.org.au/abioweb/ABIOWebSite.nsf/3f51d54074f36f08ca256bce00094be3/15f5fb12141475a3ca2572ba0010bdd6?OpenDocument>.

Consumer Action Law Centre, Review of Privacy – Credit Reporting Provisions Submission in response to Issues Paper 32, 30 March 2007, <http://www.consumeraction.org.au/downloads/ConsumerActionSubmissiontoIssuesPaper32.pdf>.

Office of the Privacy Commissioner, Submission to the Australian Law Reform Commission’s Review of Privacy – Issues Paper 32 Credit Reporting Provisions, 13 April 2007, <http://www.privacy.gov.au/publications/submissions/sub-alrc-ip32-credit-reporting-200704.pdf>.

Veda Advantage, Submission to the Australian Law Reform Commission Issues Paper 32 – Credit Reporting, March 2007, <https://www.vedaadvantage.com/doc_library/63/VedaAdvantage_ALRC_IP32_Submission_March2007.pdf>.

Waters N, Implementing privacy principles in Credit Reporting Submission to the Australian Law Reform Commission on the Review of Privacy Issues Paper 32: Credit Reporting Provisions, Cyberspace Law and Policy Centre, 31 March 2007, <http://www.bakercyberlawcentre.org/ipp/publications/papers/ALRC_IP32_subm.pdf>.

4.3. Office of the Privacy Commissioner

Office of the Privacy Commissioner, Credit Reporting Advice Summaries, 18 April 2001, <http://www.privacy.gov.au/publications/casw6.pdf>.

Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988, March 2005, <http://www.privacy.gov.au/act/review/revreport.pdf>.

Office of the Privacy Commissioner, Guidelines on Privacy Code Development, September 2001, <http://www.privacy.gov.au/publications/cdg_01.pdf>.

Office of the Privacy Commissioner, Submission to the Australian Law Reform Commission’s Review of Privacy – Issues Paper 31, 28 February 2007, <http://www.privacy.gov.au/publications/submissions/alrc/all.pdf>.

4.4. Australian Regulation and Commentary

ANZ, ANZ Customer Charter – Responsible lending, Website, accessed on 10 December 2007, <http://www.anz.com/australia/aboutanz/CustomerCharter/popup/popup.asp?popup=Responsible>.

Australian Bankers’ Association Inc., Australian Bankers' Association Responds to ALP Banking Policy, 20 June 2004, <http://www.bankers.asn.au/default.aspx?ArticleID=568>.

Australian Bankers’ Association, Code of Banking Practice, May 2004, <http://www.bankers.asn.au/ArticleDocuments/20040603_FINAL_CODE_MODIFIED_PDF.pdf>.

Australian Competition and Consumer Commission and Australian Securities and Investments Commission, Debt Collection Guideline: For Collectors and Creditors, 14 March 2005, <http://www.accc.gov.au/content/index.phtml/itemId/733222>.

Australian Securities & Investments Commission, CBA agrees to change lending practices in remote Indigenous communities, 19 January 2006, <http://www.asic.gov.au/asic/asic.nsf/byheadline/06-010+CBA+agrees+to+change+lending+practices+in+remote+Indigenous+communities?openDocument>.

Consumer Action Law Centre, Submission to the Productivity Commission Inquiry into Australia’s Consumer Policy Framework, June 2007, <http://www.consumeraction.org.au/downloads/ConsumerActionSubmissiontoProductivityCommission22June07Final.pdf>.

Consumer Credit (Queensland) Act 1994 (Qld), appendix 1, <http://www.legislation.qld.gov.au/LEGISLTN/CURRENT/C/ConsumCredCode.pdf>.

Corporations Act 2001 (Cth),
<http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/F78309782A654198CA25736B0020BCEF>.

Corker J and Bond C, The merry-go-round: credit report complaint handling under the Privacy Act, Privacy Law and Policy Reporter vol 43, 2001, <http://www.austlii.edu.au/au/journals/PLPR/2001/43.html>.

Dasey D and Taverniti M, Credit's getting simpler, Sun-Herald, 9 December 2007, <http://www.smh.com.au/articles/2007/12/08/1196813081907.html?page=fullpage - contentSwap1>.

Fair Trading Act 1992 (ACT), <http://www.legislation.act.gov.au/a/1992-72/current/pdf/1992-72.pdf>.

Lanyon E, Changing direction? A perspective on Australian consumer credit regulation, November 2004, <http://www.consumer.vic.gov.au/CA256902000FE154/Lookup/CAV_SeminarsConferences_National_Credit_2004_November/$file/lanyon.pdf>.

National Australia Bank, Consumer Credit Review Submission by National Australia Bank, August 2005, <http://www.consumer.vic.gov.au/CA256902000FE154/Lookup/CAV_Credit_Review_Submissions2/$file/43NationalAustraliaBank.pdf>.

Office of the Privacy Commissioner, Credit Reporting Code of Conduct, 1996, <http://www.privacy.gov.au/publications/credit-reporting-code-of-conduct.html>.

Pedersen McKinnon N, Being canny with credit can have its pitfalls, Sun-Herald, 31 July 2005, <http://www.smh.com.au/news/banking/being-canny-with-credit-can-have-its-pitfalls/2005/07/30/1122144055721.html>.

Reserve Bank of Australia, September 2007 Financial Stability Review, September 2007, <http://www.rba.gov.au/PublicationsAndResearch/FinancialStabilityReview/Sep2007/Pdf/financial_stability_review_0907.pdf>.

Senate Economics Committee, Consenting adults deficits and household debt - Links between Australia's current account deficit, the demand for imported goods and household debt, 13 October 2005, <http://www.aph.gov.au/Senate/committee/economics_ctte/household_debt/report/report.pdf>.

Senate Legal and Constitutional Affairs Committee, The real Big Brother: Inquiry into the Privacy Act 1988, 23 June 2005, <http://www.aph.gov.au/Senate/committee/legcon_ctte/privacy/report/report.pdf>.

St. George Bank, About St. George – Our customers, Website, accessed on 10 December 2007, <http://www.stgeorge.com.au/about/governance/customers.asp?orc=>.

The Ministerial Council on Consumer Affairs, National Finance Broking Scheme Consultation Package, November 2007, <http://www.consumer.gov.au/html/download/Exposure Bill package_Nov07.pdf>

Trade Practices Act 1974 (Cth) (Australia), <http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/AD53153A08E3DD9BCA25736E0021CBFB>.

Veda Advantage, Shopping around can be risky business, 6 February 2007, <http://www.baynet.co.nz/doc_library/52/Shopping-around-for-credit.pdf>.

Westpac , Westpac unveils new responsible lending initiative, 19 September 2007, <http://www.westpac.com.au/internet/publish.nsf/content/wimcmr07 archive media release 19 sept 2007>.

Westpac, Principles for Responsible Lending, September 2007, <http://www.westpac.com.au/manage/pdf.nsf/E964FD278CA72467CA2573590021B290/$File/Westpac_Principles_for_Responsible_Lending.pdf?OpenElement>.

4.5. International Regulation and Commentary

Agencia Española de Protección de Datos, Instruction 1/1995, of 1 March, of the Data Protection Agency, regarding the rendering of information services on creditworthiness and credit, 1 March 1995,
<https://www.agpd.es/upload/Instruccion_1_1995-translation.pdf>.

British Bankers’ Association, Building Societies Association, and Association for Payment Clearing Services, Banking Code, March 2003, <http://www.bankingcode.org.uk/pdfdocs/bankcode.pdf>.

Barren J M and Staten M, The Value of Comprehensive Credit Reports: Lessons from the US Experience, March 2001, <http://www.privacyalliance.org/resources/staten.pdf>.

Bill Number H.R.3915: Mortgage Reform and Anti-Predatory Lending Act of 2007, (United States), <http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=110_cong_bills&docid=f:h3915eh.txt.pdf>.

Computerworld.com, Credit agency reports security breach, 17 March 2004, <http://www.computerworld.com/securitytopics/security/story/0,10801,91319,00.html>.

Consumer Credit Act 2006 (UK), <http://www.opsi.gov.uk/acts/acts2006/pdf/ukpga_20060014_en.pdf>.

Consumeraffairs.com, Experian Abandons Thousands of Consumer Data Records, 15 June 2005, <http://www.consumeraffairs.com/news04/2005/experian_abandons_data.html>.

Credit Today, Data sharing mandated in revised banking code, 26 November 2007, <http://www.credittoday.co.uk/news/news-item.htm?news=491>.

Djankov S, McLeish C & Shleifer A, Private Credit in 129 Countries, World Bank, 2006, <http://www.doingbusiness.org/documents/private_credit_jan23.pdf>.

Fair Credit Reporting Act 15 USC 1681 (US), <http://www.ftc.gov/os/statutes/fcradoc.pdf>.

Hong Kong Office of the Privacy Commissioner for Personal Data, Code of Practice on Consumer Credit Data, 1998, <http://www.pcpd.org.hk/english/files/ordinance/CCDCode_eng.pdf>.

Kxan.com, Credit Bureau Security Breached, 1 December 2006, <http://www.kxan.com/Global/story.asp?S=5752352>.

MyFICO, About myFICO, Website, accessed on: 5 December 2007, <http://www.myfico.com/Company/AboutUs.aspx>.

New Zealand Privacy Commissioner, Credit Reporting Privacy Code, 2004 <http://www.privacy.org.nz/filestore/docfiles/26242772.pdf>.

Office of the Comptroller of the Currency, OCC Guidelines Establishing Standards for Residential Mortgage Lending Practices, 2005, <http://www.occ.treas.gov/ftp/bulletin/2005-3a.pdf>.

Organic Law 15/1999 of 13 December on the Protection of Personal Data (Spain), <https://www.agpd.es/upload/Ley%20Org%E1nica%2015-99_ingles.pdf>.

Payplan, Irresponsible Lending - Are creditors to blame for the increase in consumer debt?, Website, accessed on 10 December 2007, <http://www.payplan.com/reasons-for-debt/irresponsible-lending.php>.

Reserve Bank of Australia, Financial Stability Review – March 2007 – Box A: Developments in the US Sub-prime Mortgage Market, March 2007, <http://www.rba.gov.au/PublicationsAndResearch/FinancialStabilityReview/Mar2007/Html/dev_us_subprime_mort_market.html>.

Searchsecurity.com, Data theft affects 88 million-plus Americans, 21 June 2006, <http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1195270,00.html>.

Thestar.com , Responsible lending spares homebuyers from U.S. fate, 1 December 2007, <http://www.thestar.com/article/280880>.

Truth in Lending Act (15 USC 1601) (US), <http://www.access.gpo.gov/uscode/title15/chapter41_.html>.

United Kingdom Office of Fair Trading, Consumer credit licensing: General guidance for licensees and applicants – Draft guidance on fitness and requirements, Consultation document, July 2007, <http://www.oft.gov.uk/shared_oft/consultations/oft920con.pdf>.

Young M, Report of the Independent Reviewer to the Sponsors of the Banking Codes’ Review 2007, May 2007, <http://www.bba.org.uk/content/1/c6/01/15/40/Independent_Code_Review_2007.pdf>.

4.6. Regulatory Theory and Commentary

Braithwaite J and Grabosky P (eds), Business Regulation and Australia’s Future, Australian Institute of Criminology, Australian studies in law, crime and justice, 1993,
<http://www.aic.gov.au/publications/lcj/business/business.pdf>.

Braithwaite J, Responsive Regulation and Developing Economies, World Development, vol 34, no 5, 2006, pages 884–898,
<http://www.anu.edu.au/fellows/jbraithwaite/_documents/Articles/Responsive_Regulation_2006.pdf>.

Braithwaite J, Rewards and Regulations, Journal of Law and Society, vol 29, no 1, March 2002, pages 12–26,
<http://www.anu.edu.au/fellows/jbraithwaite/_documents/Articles/Rewards_Regulation_2002.pdf>.

Braithwaite J, Rules and Principles: A Theory of Legal Certainty, Australian Journal of Legal Philosophy, vol 27, 2002, pages 47–82,
<http://www.anu.edu.au/fellows/jbraithwaite/_documents/Articles/Rules_and_Principles2002.pdf>.

Commonwealth Inter-Departmental Committee on Quasi-Regulation, Black-Letter Law, December 1997, <http://www.obpr.gov.au/__data/assets/pdf_file/0006/69666/greyletterlaw.pdf>.

Curtis K, The importance of self-regulation in the implementation of data protection principles: The Australian Private Sector Experience, paper presented to the 27th International Conference of Data Protection and Privacy Commissioners, Montreux, 15 September 2005, <http://www.privacy.gov.au/news/speeches/spp09_05.pdf>.

Galexia, Galexia Intelligence Report: Privacy Codes of Conduct, August 2002, <https://www.galexia.com/extranet/intelligence-reports/intelligence-reports/gc-intelligence-06-privacy-codes/>.

Greenleaf G, Private sector privacy: Problems of interpretation, Privacy Law Resources no 1, March 2001, <http://www.worldlii.org/int/other/PrivLRes/2001/1.html>.

Gunningham N and Sinclair D, Designing Smart Regulation, 5 August 2004,
<http://www.oecd.org/dataoecd/18/39/33947759.pdf>.

Henderson A and McKay C, Privacy Codes: A Valuable Asset for Industry, Gilbert + Tobin, November 2001,
<http://www.gtlaw.com.au/gt/site/articleIDs/F737B791422C4E7CCA256D1F0022E76E?open&ui=dom&template=domGT>.

Johnstone R and Sarre R (eds), Regulation: Enforcement and Compliance, Australian Institute of Criminology, Research and Public Policy Series No 57, 2004,
<http://aic.gov.au/publications/rpp/57/RPP57.pdf>.

Office of Best Practice Regulation, Best Practice Regulation Handbook, August 2007, <http://www.obpr.gov.au/__data/assets/pdf_file/0004/68998/handbook.pdf>.

Organisation for Economic Co-operation and Development, Reducing The Risk Of Policy Failure: Challenges For Regulatory Compliance, 2000,
<http://www.oecd.org/dataoecd/48/54/1910833.pdf>.

Organisation for Economic Co-operation and Development, Regulatory Policies in OECD Countries: From Interventionism to Regulatory Governance, Annex II, 2002,
<http://www.oecd.org/dataoecd/10/43/35260489.pdf>.

Senate Legal and Constitutional Affairs Committee, Privacy in the Private Sector, 1999,
<http://www.aph.gov.au/senate/committee/legcon_ctte/completed_inquiries/1999-02/privacy/report/contents.htm>.

Taskforce on Industry Self-Regulation, Industry Self-Regulation in Consumer Markets, Department of the Treasury, August 2000, <http://www.treasury.gov.au/documents/1131/PDF/final_report.pdf>.

5. Appendix 2: Table of Acronyms

 

Acronym

Expansion

ABA

Australian Bankers Association

ACCC

Australian Competition and Consumer Commission

ALRC

Australian Law Reform Commission

ARCA

Australian Retail Credit Association

ASIC

Australian Securities & Investments Commission

BFSO

Banking and Financial Services Ombudsman

CALC

Consumer Action Law Centre

CBA

Commonwealth Bank

CRA

Credit Reporting Agency

DP72

ALRC Discussion Paper 72

EDR

External Dispute Resolution

IP32

ALRC Issues Paper 32

NPP

National Privacy Principle

OECD

Organisation for Economic Co-operation and Development

OFT

Office of Fair Trading (UK)

OPC

Office of the Privacy Commissioner

PC

Productivity Commission

RBA

Reserve Bank of Australia

RLI

Responsible Lending Index

UCCC

Uniform Consumer Credit Code

UPP

Unified Privacy Principle

 


[1] Australian Law Reform Commission, Review of Australian Privacy Law, Discussion Paper 72, 2007, <http://www.austlii.edu.au/au/other/alrc/publications/dp/72/>.

[2] Privacy Act 1988 (Cth), <http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/19CF4540B05BECE4CA25736E00189940>.

[3] Australian Law Reform Commission, Review of Privacy – Credit Reporting Provisions, Issues Paper 32, December 2006, <http://www.austlii.edu.au/au/other/alrc/publications/issues/32/>.

[4] Office of the Privacy Commissioner, Submission to the Australian Law Reform Commission’s Review of Privacy – Issues Paper 32 Credit Reporting Provisions, 13 April 2007, page 34, <http://www.privacy.gov.au/publications/submissions/sub-alrc-ip32-credit-reporting-200704.pdf>.

[5] Proposal 50-11, DP72.

[6] Banking and Financial Services Ombudsman, Review of Privacy – Credit Reporting Provisions: Issues Paper 32 – Submission by Banking and Financial Services Ombudsman Limited, March 2007, page 16, <http://www.bfso.org.au/abioweb/ABIOWebSite.nsf/3f51d54074f36f08ca256bce00094be3/15f5fb12141475a3ca2572ba0010bdd6?OpenDocument>.

[7] Waters N, Implementing privacy principles in Credit Reporting Submission to the Australian Law Reform Commission on the Review of Privacy Issues Paper 32: Credit Reporting Provisions, Cyberspace Law and Policy Centre, 31 March 2007, page 12, <http://www.bakercyberlawcentre.org/ipp/publications/papers/ALRC_IP32_subm.pdf>.

[8] Catalyst market research for Veda Advantage, November 2005.

[9] Veda Advantage, Submission to the Australian Law Reform Commission Issues Paper 32 – Credit Reporting, March 2007, page 22, <https://www.vedaadvantage.com/doc_library/63/VedaAdvantage_ALRC_IP32_Submission_March2007.pdf>.

[10] Refer, for example, to Submissions to ALRC IP32 from the Consumer Credit Legal Centre NSW Inc. and the Consumers’ Federation of Australia.

[11] For example, the removal of over 65,000 records following concerns over the accuracy of default information submitted by One.Tel.

[12] OPC audits are described in some details in ALRC IP32.

[13] CHOICE – The Australian Consumers’ Association, Reporting on the Credit Reporters, Consuming Interest, Autumn 2004.

[14] Refer, for example, to Australian Privacy Foundation, Review of Privacy – Credit Reporting Provisions Issues Paper 32 – Submission to the Australian Law Reform Commission, March 2007, page 19, <http://www.privacy.org.au/Papers/CrRpting-ALRC-0703.pdf>; and Banking and Financial Services Ombudsman, Review of Privacy – Credit Reporting Provisions: Issues Paper 32 – Submission by Banking and Financial Services Ombudsman Limited, March 2007, page 16, <http://www.bfso.org.au/abioweb/ABIOWebSite.nsf/3f51d54074f36f08ca256bce00094be3/15f5fb12141475a3ca2572ba0010bdd6?OpenDocument>.

[15] Note that there is some industry concern that the Privacy Act 1988 (Cth) itself presents obstacles to using consumer records for quality audit purposes and contacting consumer in this way could be difficult. The proposed regulations may be able to clarify this issue and make it clear that clients can be contacted for the purpose of checking data accuracy.

[16] Office of the Privacy Commissioner, Submission to the Australian Law Reform Commission’s Review of Privacy – Issues Paper 32 Credit Reporting Provisions, 13 April 2007, page 42, <http://www.privacy.gov.au/publications/submissions/sub-alrc-ip32-credit-reporting-200704.pdf>.

[17] Paragraph 54.4, DP72.

[18] ALRC IP32 summarised current industry practice: Veda Advantage provides access free of charge by post within 10 working days; or for $27 within one working day by email, facsimile or mail. Dun and Bradstreet provides access free of charge by post within 10 working days; or for $25 posted by express mail within one working day. Tasmanian Collection Service provides access to credit information files free of charge ‘where the request relates to an individual’s refusal of credit, or is otherwise related to the management of the individual’s credit arrangements’ and, otherwise, for $13.

[19] This Report does not present a view on whether access to credit scores and scoring methodologies should be included under the access rights. This would appear to add considerable complexity for a limited benefit.

[20] Kxan.com, Credit Bureau Security Breached, 1 December 2006, <http://www.kxan.com/Global/story.asp?S=5752352>.

[21] Searchsecurity.com, Data theft affects 88 million-plus Americans, 21 June 2006, <http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1195270,00.html>.

[22] Consumeraffairs.com, Experian Abandons Thousands of Consumer Data Records, 15 June 2005, <http://www.consumeraffairs.com/news04/2005/experian_abandons_data.html>.

[23] Computerworld.com, Credit agency reports security breach, 17 March 2004, <http://www.computerworld.com/securitytopics/security/story/0,10801,91319,00.html>.

[24] Australasian Retail Credit Association, The ARCA response to the Review of Australian Privacy Law Discussion Paper 72 undertaken by the Australian Law Reform Commission (ALRC), 3 December 2007.

[25] Australasian Retail Credit Association, The ARCA response to the Review of Australian Privacy Law Discussion Paper 72 undertaken by the Australian Law Reform Commission (ALRC), 3 December 2007.

[26] Office of the Privacy Commissioner, Submission to the Australian Law Reform Commission’s Review of Privacy – Issues Paper 32 Credit Reporting Provisions, 13 April 2007, page 21,
<http://www.privacy.gov.au/publications/submissions/sub-alrc-ip32-credit-reporting-200704.pdf>.

[27] Refer, for example, to Consumer Action Law Centre, Submission to the Productivity Commission Inquiry into Australia’s Consumer Policy Framework, June 2007, <http://www.consumeraction.org.au/downloads/ConsumerActionSubmissiontoProductivityCommission22June07Final.pdf>.

[28] Consumer Action Law Centre, Review of Privacy – Credit Reporting Provisions Submission in response to Issues Paper 32, 30 March 2007, <http://www.consumeraction.org.au/downloads/ConsumerActionSubmissiontoIssuesPaper32.pdf>.

[29] Australian Privacy Foundation, Review of Privacy – Credit Reporting Provisions Issues Paper 32 – Submission to the Australian Law Reform Commission, March 2007, page 3, <http://www.privacy.org.au/Papers/CrRpting-ALRC-0703.pdf>.

[30] Corker J and Bond C, The merry-go-round: credit report complaint handling under the Privacy Act, Privacy Law and Policy Reporter vol 43, 2001, <http://www.austlii.edu.au/au/journals/PLPR/2001/43.html>.

[31] Trade Practices Act 1974 (Cth), <http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/AD53153A08E3DD9BCA25736E0021CBFB>.

[32] Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), <http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/893B6CC0392995E0CA257376001EE4C4/$file/AntiMoneyLaundCountTerrFin2006.pdf>.

[33] Office of the Privacy Commissioner, Submission to the Australian Law Reform Commission’s Review of Privacy – Issues Paper 32 Credit Reporting Provisions, 13 April 2007, pages 51, 58,
<http://www.privacy.gov.au/publications/submissions/sub-alrc-ip32-credit-reporting-200704.pdf>.

[34] Refer, for example, to Consumer Action Law Centre, Review of Privacy – Credit Reporting Provisions Submission in response to Issues Paper 32, 30 March 2007, page 12, <http://www.consumeraction.org.au/downloads/ConsumerActionSubmissiontoIssuesPaper32.pdf>, and Banking and Financial Services Ombudsman, Review of Privacy – Credit Reporting Provisions: Issues Paper 32 – Submission by Banking and Financial Services Ombudsman Limited, March 2007, page 11, <http://www.bfso.org.au/abioweb/ABIOWebSite.nsf/3f51d54074f36f08ca256bce00094be3/15f5fb12141475a3ca2572ba0010bdd6?OpenDocument>.

[35] Refer, for example, to Waters N, Implementing privacy principles in Credit Reporting Submission to the Australian Law Reform Commission on the Review of Privacy Issues Paper 32: Credit Reporting Provisions, Cyberspace Law and Policy Centre, 31 March 2007, page 10, <http://www.bakercyberlawcentre.org/ipp/publications/papers/ALRC_IP32_subm.pdf>, and Banking and Financial Services Ombudsman, Review of Privacy – Credit Reporting Provisions: Issues Paper 32 – Submission by Banking and Financial Services Ombudsman Limited, March 2007, page 12, <http://www.bfso.org.au/abioweb/ABIOWebSite.nsf/3f51d54074f36f08ca256bce00094be3/15f5fb12141475a3ca2572ba0010bdd6?OpenDocument>.

[36] Senate Economics Committee, Consenting adults deficits and household debt - Links between Australia's current account deficit, the demand for imported goods and household debt, 13 October 2005, <http://www.aph.gov.au/Senate/committee/economics_ctte/household_debt/report/report.pdf>.

[37] Paragraph 51.165, DP72.

[38] <http://www.myfico.com/>.

[39] Veda Advantage, Submission to the Australian Law Reform Commission Issues Paper 32 – Credit Reporting, March 2007, page 22, <https://www.vedaadvantage.com/doc_library/63/VedaAdvantage_ALRC_IP32_Submission_March2007.pdf>.

[40] Veda Advantage, Submission to the Australian Law Reform Commission Issues Paper 32 – Credit Reporting, March 2007, page 24, <https://www.vedaadvantage.com/doc_library/63/VedaAdvantage_ALRC_IP32_Submission_March2007.pdf>.

[41] KPMG, National Competition Policy Review of the Consumer Credit Code – Final Report, December 2000, <http://www.creditcode.gov.au/content/downloads/final.pdf>.

[42] Visa International, The Credit Card Report: Credit card spending in perspective, November 2002, <http://www.rtba.vic.gov.au/CA256902000FE154/Lookup/CAV_SeminarsConferences_Credit_Debt_March_2003/$file/S1 CatherineWolthuizen.pdf>.

[43] Australian Bankers’ Association, Australian Bankers' Association Responds to ALP Banking Policy, 20 June 2004, <http://www.bankers.asn.au/default.aspx?ArticleID=568>.

[44] Senate Economics Committee, Consenting adults deficits and household debt - Links between Australia's current account deficit, the demand for imported goods and household debt, 13 October 2005, <http://www.aph.gov.au/Senate/committee/economics_ctte/household_debt/report/report.pdf>.

[45] See for example ANZ Submission to the Productivity Commission Review of Australia’s Consumer Policy Framework, May 2007 <http://www.anz.com/Documents/AU/Aboutanz/ConsumerPolicySubmission.pdf>.

[46] Table data summarised from information contained in Reserve Bank of Australia, September 2007 Financial Stability Review, September 2007, <http://www.rba.gov.au/PublicationsAndResearch/FinancialStabilityReview/Sep2007/Pdf/financial_stability_review_0907.pdf>.

[47] Non-conforming loans represent less than 1% of the Australian housing loan market.

[48] Reserve Bank of Australia, September 2007 Financial Stability Review, September 2007, page 44, <http://www.rba.gov.au/PublicationsAndResearch/FinancialStabilityReview/Sep2007/Pdf/financial_stability_review_0907.pdf>.

[49] Recently limited by RBA intervention to only cover the costs of fraud and interest free periods.

[50] Widely applied to home loans for the benefit of the lender and to some consumer credit products for the benefit of the consumer.

[51] Legal and Constitutional References Committee, The real Big Brother: Inquiry into the Privacy Act 1988, 23 June 2005, <http://www.aph.gov.au/Senate/committee/legcon_ctte/privacy/report/index.htm>.

[52] Note however, industry arguments that regular reporting would be automated and would remove some manual data input errors.

[53] Veda Advantage, Shopping around can be risky business, 6 February 2007,
<http://www.baynet.co.nz/doc_library/52/Shopping-around-for-credit.pdf>.

[54] Veda Advantage, Submission to the Australian Law Reform Commission Issues Paper 32 – Credit Reporting, March 2007, page 24, <https://www.vedaadvantage.com/doc_library/63/VedaAdvantage_ALRC_IP32_Submission_March2007.pdf>.

[55] Australian Competition and Consumer Commission and Australian Securities and Investments Commission, Debt Collection Guideline: For Collectors and Creditors, 14 March 2005, <http://www.accc.gov.au/content/index.phtml/itemId/733222>

[56] Paragraph 53.52, DP72.

[57] Section 146, Uniform Consumer Credit Code, appendix 1 of the Consumer Credit (Queensland) Act 1994 (Qld), <http://www.legislation.qld.gov.au/LEGISLTN/CURRENT/C/ConsumCredCode.pdf>.

[58] <https://www.donotcall.gov.au/>. The do not call register only covers telemarketing, not direct mail campaigns.

[59] Dasey D and Taverniti M, Credit's getting simpler, Sun-Herald, 9 December 2007, <http://www.smh.com.au/articles/2007/12/08/1196813081907.html?page=fullpage>.

[60] Section 1012C, Corporations Act 2001 (Cth),
<http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/F78309782A654198CA25736B0020BCEF>.

[61] Payplan, Irresponsible Lending - Are creditors to blame for the increase in consumer debt?, Website, accessed on 10 December 2007, <http://www.payplan.com/reasons-for-debt/irresponsible-lending.php>.

[62] Section 63A, Trade Practices Act 1974 (Cth), <http://www.austlii.edu.au/au/legis/cth/consol_act/tpa1974149/>.

[63] Veda Advantage, Submission to the Australian Law Reform Commission Issues Paper 32 – Credit Reporting, March 2007, page 51, <https://www.vedaadvantage.com/doc_library/63/VedaAdvantage_ALRC_IP32_Submission_March2007.pdf>.

[64] Appendix 1, Consumer Credit (Queensland) Act 1994 (Qld), <http://www.legislation.qld.gov.au/LEGISLTN/CURRENT/C/ConsumCredCode.pdf>.

[65] Finance Broking Bill 2007 (NSW), Exposure Draft, <http://www.consumer.gov.au/html/download/Exposure Bill package_Nov07.pdf>.

[66] Finance Broking Bill 2007 (NSW), Exposure Draft; refer to footnote 65.

[67] Section 33, Finance Broking Bill 2007 (NSW), Exposure Draft; refer to footnote 65.

[68] Consumer Credit Act 2006 (UK) <http://www.opsi.gov.uk/acts/acts2006/pdf/ukpga_20060014_en.pdf>.

[69] United Kingdom Office of Fair Trading, Consumer credit licensing: General guidance for licensees and applicants – Draft guidance on fitness and requirements, Consultation document, July 2007, <http://www.oft.gov.uk/shared_oft/consultations/oft920con.pdf>.

[70] British Bankers’ Association, Building Societies Association, and Association for Payment Clearing Services, Banking Code, March 2003, <http://www.bankingcode.org.uk/pdfdocs/bankcode.pdf>.

[71] Young M, Report of the Independent Reviewer to the Sponsors of the Banking Codes’ Review 2007, May 2007, <http://www.bba.org.uk/content/1/c6/01/15/40/Independent_Code_Review_2007.pdf>.

[72] Truth in Lending Act (15 USC 1601) (US), section 1639(h), <http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=browse_usc&docid=Cite:+15USC1639>.

[73] Galexia has been using figures from the RBA, see Reserve Bank of Australia, Financial Stability Review – March 2007 – Box A: Developments in the US Sub-prime Mortgage Market, March 2007, <http://www.rba.gov.au/PublicationsAndResearch/FinancialStabilityReview/Mar2007/Html/dev_us_subprime_mort_market.html>. Other figures are available from International Herald Tribune, Default rate on U.S. subprime mortgages continues to rise, 16 October 2007, <http://www.iht.com/articles/2007/10/16/business/mortgage.php>, Finfacts, US home mortgage defaults jumped in Q4 2006; Default rates for subprime adjustable rate mortgages reached 14.44%, 13 March 2007, <http://www.finfacts.com/irelandbusinessnews/publish/article_10009416.shtml> and Reuters, US subprime loan defaults at highest this decade, 2 February 2007, <http://www.reuters.com/article/bondsNews/idUSN0241314720070202>.

[74] Mortgage Reform and Anti-Predatory Lending Act of 2007 (Bill H.R.3915) (US), <http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=110_cong_bills&docid=h3915eh.txt.pdf>.

[75] Fair Trading Act 1992 (ACT), <http://www.legislation.act.gov.au/a/1992-72/current/pdf/1992-72.pdf>.

[76] Australian Securities & Investments Commission, CBA agrees to change lending practices in remote Indigenous communities, 19 January 2006, <http://www.asic.gov.au/asic/asic.nsf/byheadline/06-010+CBA+agrees+to+change+lending+practices+in+remote+Indigenous+communities?openDocument>.

[77] Recommendation 15, Consumer Action Law Centre, Submission to the Productivity Commission Inquiry into Australia’s Consumer Policy Framework, June 2007, <http://www.consumeraction.org.au/downloads/ConsumerActionSubmissiontoProductivityCommission22June07Final.pdf>.

[78] ANZ, ANZ Customer Charter – Responsible lending, Website, accessed on 10 December 2007, <http://www.anz.com/australia/aboutanz/CustomerCharter/popup/popup.asp?popup=Responsible>.

[79] Westpac, Principles for Responsible Lending, September 2007, <http://www.westpac.com.au/manage/pdf.nsf/E964FD278CA72467CA2573590021B290/$File/Westpac_Principles_for_Responsible_Lending.pdf?OpenElement>.

[80] Refinancing is an important and effective approach to credit management. However, there are some concerns that it is not always conducted responsibly. The first concern is that the marketing of refinancing products hides the impact of the up-front costs. The second concern is that some refinancing does not actually require the current debts to be paid. The third concern is that refinancing is often used to engage in asset stripping. It is interesting to note that there is substantial regulation of refinancing in the UK and the US, including regulation or proposed regulation of all three of these concerns. See Recommendation 7, Young M, Report of the Independent Reviewer to the Sponsors of the Banking Codes’ Review 2007, May 2007, <http://www.bba.org.uk/content/1/c6/01/15/40/Independent_Code_Review_2007.pdf> and the Mortgage Reform and Anti-Predatory Lending Act of 2007 (Bill H.R.3915) (US), <http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=110_cong_bills&docid=h3915eh.txt.pdf>.

[81] Senate Economics Committee, Consenting adults deficits and household debt - Links between Australia's current account deficit, the demand for imported goods and household debt, 13 October 2005, paragraph 5.1, <http://www.aph.gov.au/Senate/committee/economics_ctte/household_debt/report/report.pdf>.

[82] Braithwaite J, Rewards and Regulations, Journal of Law and Society, vol 29, no 1, March 2002, pages 12–26,
<http://www.anu.edu.au/fellows/jbraithwaite/_documents/Articles/Rewards_Regulation_2002.pdf>.

[83] Commonwealth Inter-Departmental Committee on Quasi-Regulation, Black-Letter Law, December 1997, <http://www.obpr.gov.au/__data/assets/pdf_file/0006/69666/greyletterlaw.pdf>.

[84] Paragraph 50.160, DP72.

[85] Office of the Privacy Commissioner, Submission to the Australian Law Reform Commission’s Review of Privacy – Issues Paper 32 Credit Reporting Provisions, 13 April 2007, page 34, <http://www.privacy.gov.au/publications/submissions/sub-alrc-ip32-credit-reporting-200704.pdf>.

[86] Consumer Action Law Centre, Review of Privacy – Credit Reporting Provisions Submission in response to Issues Paper 32, 30 March 2007, page 20, <http://www.consumeraction.org.au/downloads/ConsumerActionSubmissiontoIssuesPaper32.pdf>.

[87] Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), <http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/893B6CC0392995E0CA257376001EE4C4/$file/AntiMoneyLaundCountTerrFin2006.pdf>.

[88] Fair Trading Act 1992 (ACT), <http://www.legislation.act.gov.au/a/1992-72/current/pdf/1992-72.pdf>.

[89] Finance Broking Bill 2007 (NSW), Exposure Draft; refer to footnote 65.

[90] The requirement to assess a consumer’s ability to pay should include a link to credit reporting information. This is the case in the UK and USA. Refer to Section 2.16 (page 34) in this Report for further details.

[91] Consumer Credit Act 2006 (UK), <http://www.opsi.gov.uk/acts/acts2006/pdf/ukpga_20060014_en.pdf>.

[92] Truth in Lending Act (15 USC 1601) (US), section 1639(h), <http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=browse_usc&docid=Cite:+15USC1639>.

[93] United Kingdom Office of Fair Trading, Consumer credit licensing: General guidance for licensees and applicants – Draft guidance on fitness and requirements, Consultation document, July 2007, <http://www.oft.gov.uk/shared_oft/consultations/oft920con.pdf>.

[94] Young M, Report of the Independent Reviewer to the Sponsors of the Banking Codes’ Review 2007, May 2007, <http://www.bba.org.uk/content/1/c6/01/15/40/Independent_Code_Review_2007.pdf>.

[95] Australian Bankers’ Association, Code of Banking Practice, May 2004, <http://www.bankers.asn.au/ArticleDocuments/20040603_FINAL_CODE_MODIFIED_PDF.pdf>.

[96] Refer to Section 2.16 (page 34) in this Report for further details.

[97] Richards M, Palmer P and Bogdanova M, Irresponsible Lending? A Case Study of a U.K. Credit Industry Reform Initiative, Journal of Business Ethics (online only), 26 July 2007, <http://www.springerlink.com/content/g7g0tl6454672h21/>.

[98] Banking and Financial Services Ombudsman, Bulletin 33, March 2002, <http://www.bfso.org.au/abioweb/ABIOWebSite.nsf/0/9751BF600EF7F1D9CA256C100009C42E/$file/Bulletin+33.pdf>.