Federal Register of Legislation - Australian Government

Primary content

Regulations as made
This instrument amends the National Consumer Credit Protection Regulations 2010 to support amendments made by the National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Act 2021, which established a mandatory credit reporting regime in Australia.
Administered by: Treasury
Registered 27 May 2021
Tabling HistoryDate
Tabled HR01-Jun-2021
Tabled Senate15-Jun-2021
Date of repeal 25 Aug 2021
Repealed by Division 1 of Part 3 of Chapter 3 of the Legislation Act 2003

EXPLANATORY STATEMENT

Issued by authority of the Treasurer

National Consumer Credit Protection Act 2009

National Consumer Credit Protection Amendment (Mandatory Credit Reporting) Regulations 2021

The National Consumer Credit Protection Act 2009 (the Act) establishes a national consumer credit regime that provides for the regulation of credit activities.

Section 329 of the Act provides that the Governor-General may make regulations prescribing matters required or permitted by the Act to be prescribed, or necessary or convenient to be prescribed for carrying out or giving effect to the Act.

The purpose of the National Consumer Credit Protection Amendment (Mandatory Credit Reporting) Regulations 2021 (the Regulations) is to support the amendments made by the National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Act 2021, which established a mandatory credit reporting regime in Australia.

The mandatory credit reporting regime requires credit providers that are large authorised deposit-taking institutions to supply mandatory credit information on 50 per cent of their consumer credit accounts within 90 days of 1 July 2021 to all credit reporting bodies they had an agreement with on 2 November 2017. Within 90 days of 1 July 2022, the same credit providers need to supply credit information on their remaining consumer credit accounts to the same credit reporting bodies.

Beginning on 1 July 2022, the mandatory credit reporting regime will also require the same credit providers to supply financial hardship information about an individual, where available.

The mandatory credit reporting regime will give lenders access to a deeper, richer data set so they can better assess a borrower’s true credit position, including their ability to repay a loan. This will benefit consumers as the regime will drive more competition in the market by encouraging new entrants and smaller lenders to compete for consumers with positive credit histories.

The Regulations support the mandatory credit reporting regime by prescribing:

                additional circumstances where a credit provider that is subject to the regime must make ongoing supplies of repayment history information;

                additional circumstances where a credit reporting body is restricted from disclosing information it has received under the regime;

                information that must be included in statements given to the Treasurer by credit providers and credit reporting bodies that are subject to the regime; and

                civil penalty provisions in the new regime that are subject to an infringement notice.

The Act does not specify any conditions that need to be met before the power to make the Regulations may be exercised.

Public consultation was held on an exposure draft instrument and explanatory materials from 3 June 2018 to 13 June 2018 and from 14 February 2020 to 28 February 2020. In total, 13 submissions were received in response to these consultations. As a result of the submissions, amendments were made to the Regulations to address concerns from industry stakeholders about the breadth of the information that needs to be included in the statements given to the Treasurer. The amendments address these concerns while ensuring the statements will contain relevant information about the operation of the mandatory credit reporting regime.

Details of the Regulations are set out in Attachment A.

The Regulations are a legislative instrument for the purposes of the Legislation Act 2003.

The Regulations commence on the day after they are registered on the Federal Register of Legislation.

The Productivity Commission’s Inquiry into Data Availability and Use has been certified as being informed by a process and analysis equivalent to a Regulation Impact Statement for the purposes of the Government decision to implement this reform. The Productivity Commission’s report can be accessed at this link: https://www.pc.gov.au/inquiries/completed/data-access/report

The average annual regulatory cost associated with the mandatory credit reporting requirements (including the amendments in the Regulations and in the National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Act 2021) is estimated to be $8.2 million.

A Statement of Compatibility with Human Rights is at Attachment B.

ATTACHMENT A

Details of the National Consumer Credit Protection Amendment (Mandatory Credit Reporting) Regulations 2021

Section 1 — Name

The name of the instrument is the National Consumer Credit Protection Amendment (Mandatory Credit Reporting) Regulations 2021 (the Regulations).

Section 2 — Commencement

The Regulations commence on the day after registration.

Section 3 — Authority

The Regulations are made under the National Consumer Credit Protection Act 2009 (the Act).

Section 4 — Schedules

Each instrument that is specified in a Schedule to this instrument is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this instrument has effect according to its terms.

Schedule 1 — Amendments

Item 1 inserts Part 3.8 in the National Consumer Credit Protection Regulations 2010. Part 3.8 sets out new requirements about:

                ongoing supplies of repayment history information;

                when a credit reporting body is restricted from disclosing mandatory credit information (and information derived from that information); and

                the information that needs to be included in the statements given to the Treasurer by credit providers and credit reporting bodies that are subject to the mandatory credit reporting regime.

Ongoing supplies of repayment history information

The usefulness and efficiency of Australia’s credit reporting system relies on credit information disclosed to a credit reporting body being kept complete, accurate and up‑to-date.

The Privacy Act 1988 and Privacy (Credit Reporting) Code 2014 (Version 2.1) (Privacy Credit Code) currently include:

                broad obligations on credit providers and credit reporting bodies to keep information complete, accurate and up-to-date; and

                specific obligations on credit providers to supply information to a credit reporting body within a specified timeframe in certain circumstances.

The broad obligation to keep information complete, accurate and up-to-date does not generally require a credit provider to disclose new repayment history information each month where repayment history information has previously been supplied for that account.

Where a timeframe for supplying information to a credit reporting body is not specified under either the Privacy Act 1988 or the Privacy Credit Code, new section 133CU of the Act generally requires credit providers that are subject to the mandatory credit reporting regime (referred to as ‘relevant credit providers’ in this document) to supply that information within 45 days. Section 133CU also sets out additional circumstances where relevant credit providers are required to make ongoing supplies of information to a credit reporting body.

To supplement the existing framework, new regulation 28TA adds a new requirement for relevant credit providers to make ongoing supplies of repayment history information to credit reporting bodies in certain circumstances.

Under regulation 28TA, relevant credit providers that have previously supplied mandatory credit information on an account under the mandatory credit reporting regime must make ongoing supplies of new repayment history information in relation to that account. However, this requirement only applies if the consumer and the relevant credit provider have not entered into an arrangement about the consumer’s repayment obligations (such as a financial hardship arrangement) at any time between the first bulk supply and 30 June 2022.

If such an arrangement was entered into in that period, the relevant credit provider is not required to supply new repayment history information under regulation 28TA until the later of 1 July 2022 and the end of the arrangement.

Example

A relevant credit provider has supplied mandatory credit information about a consumer’s account as part of the first bulk supply.

The consumer subsequently enters into a hardship arrangement with the credit provider that covers the period between 1 September 2021 and 1 December 2021. The relevant credit provider is required to supply repayment history information that comes into existence on and after 1 July 2022 in relation to that account.

However, if the consumer enters into a hardship arrangement with the credit provider that covers the period between 1 May 2022 and 1 August 2022 instead, the credit provider is required to supply repayment history information that comes into existence on and after 2 August 2022 in relation to that account.

These arrangements could take the form of an agreement, undertaking or other kind of an arrangement, whether formal or informal, whether express or implied and whether or not enforceable, or intended to be enforceable by legal proceedings.

This requirement aligns with the amendments in Schedule 2 to the National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Act 2021. Under those amendments, relevant credit providers are generally required to supply financial hardship information about financial hardship arrangements that are entered into on or after 1 July 2022 under the mandatory credit reporting regime.

The rules and details included in the Privacy Act 1988 and the Privacy Credit Code must be complied with when considering this new requirement. In particular, where the disclosure of repayment history information is permitted under the Privacy Act 1988 and the Privacy Credit Code, regulation 28TA requires the ongoing supply of that information by relevant credit providers in certain circumstances. However, if the disclosure of repayment history information is not permitted under the Privacy Act 1988 and the Privacy Credit Code, that information is not to be supplied under regulation 28TA.

Restricting disclosure of protected information

In the context of the mandatory credit reporting regime, protected information means:

                information that is supplied to a credit reporting body under the regime; and

                CRB derived information (within the meaning of the Privacy Act 1988) that is derived from that information.

Subsection 133CZA(2) of the Act provides that a credit reporting body must not disclose protected information to a credit provider if certain conditions are met.

Regulation 28TB sets out these conditions. These are:

                the information is protected information;

                the information was supplied by a credit provider that was a signatory to the Principles of Reciprocity and Data Exchange (PRDE) at the time of the supply to the credit reporting body; and

                the PRDE has the effect of restricting the disclosure of the information.

This obligation applies in addition to the existing restrictions in the Privacy Act 1988 and Privacy Credit Code.

The Australian Retail Credit Association (ARCA), the peak body for organisations involved in the disclosure, exchange and application of credit reporting data, developed the PRDE as an industry standard for the collection and disclosure of credit information. The PRDE can be readily accessed free of charge on the Australian Retail Credit Association website: https://www.arca.asn.au/docs/2365/prde-version-20-effective-6-january-2020.

The PRDE operates within the existing framework set out by the Privacy Act 1988 and the Privacy Credit Code, including the limits imposed by that legislation on the use and disclosure of credit information.

Under the PRDE, a credit reporting body must only disclose information to a credit provider where the credit provider is a signatory to the PRDE and only to the level of detail being supplied by the credit provider. The exception to this is ‘negative information’, which can be disclosed to a credit provider, irrespective of whether the credit provider is a signatory to the PRDE or is supplying data to the credit reporting body.

‘Negative information’ is not a defined term in the Act or Privacy Act 1988. This term is used by industry to refer to identification information, default information, payment information and new arrangement information.

If a credit reporting body receiving information under the mandatory credit reporting regime is not itself a signatory to PRDE, regulation 28TB provides that for the purposes of determining whether the PRDE restricts the further disclosure of information, the credit reporting body is taken to be a signatory to PRDE.

Therefore, if the relevant credit provider supplying information to the credit reporting body under the mandatory credit reporting regime is a signatory to the PRDE, the credit reporting body can further disclose:

                ‘negative information’ to another credit provider, regardless of whether the receiving credit provider is a signatory to the PRDE or is supplying data to the credit reporting body;

                ‘partial information’ (which is a term used by industry to refer to mandatory credit information other than repayment history information) to another credit provider, if the receiving credit provider is a signatory to the PRDE and has disclosed information to the same level; and

                ‘comprehensive information’ (which is a term used by industry to refer to all mandatory credit information) to another credit provider, if the receiving credit provider is a signatory to the PRDE and has disclosed information to the same level.

If the relevant credit provider supplying information to the credit reporting body under the mandatory credit reporting regime is not a signatory to the PRDE, the Regulations do not restrict the further disclosure of that information. However, the existing restrictions in the Privacy Act 1988 and Privacy Credit Code will still apply in these circumstances.

The PRDE is incorporated as amended from time to time. The legislative authority for the manner of incorporation is new subsection 133CZA(5) of the Act.

Statements given to the Treasurer by credit providers

Section 133CZC of the Act requires relevant credit providers to give the Treasurer a statement about the supply of credit information under the mandatory credit reporting regime after each of the initial bulk supplies. A statement is due within six months after the 1 July to which the bulk supply relates.

Regulation 28TC sets out the information that must be included in each of these statements.

Statement relating to the first bulk supply

For the statement about the first bulk supply, the relevant credit provider must include the following information in the statement to the Treasurer:

                the number and type of accounts held by the credit provider for which mandatory credit information has been supplied and has not been supplied to each eligible credit reporting body; and

                the number and type of accounts held by each member of the banking group for which the credit provider is the head company and for which mandatory credit information has been supplied and has not been supplied to each eligible credit reporting body.

This requirement ensures that a relevant credit provider can demonstrate it has met its obligations to supply mandatory credit information on at least 50 per cent of its consumer credit accounts in the first bulk supply, both individually and across the banking group for which it is the head company.

The first statement must also include the following information for accounts that have been included in the first bulk supply:

                the number of accounts for which the credit provider has received a request to correct information in the four-month period starting on the 1 July to which the bulk supply relates;

                the number of accounts where the credit provider has corrected information (either in response to a request to correct information or at the credit provider’s initiative) in that four-month period; and

                the number of accounts for which a complaint about a privacy breach has been made to the credit provider in that four-month period.

This information only needs to cover the four-month period starting on the 1 July to which the first bulk supply relates. This ensures there is sufficient time for the relevant credit provider to gather the relevant information and have that information audited (as required under new section 133CZC of the Act).

This requirement ensures the first statement includes relevant information about the operation of the mandatory credit reporting regime over the period, including correction requests and complaints about mandatory credit information provided in the first bulk supply.

Statement relating to the second bulk supply

For the statement about the second bulk supply, the relevant credit provider must include the following information in the statement to the Treasurer:

                the number and type of accounts held by the credit provider for which mandatory credit information has been supplied to each eligible credit reporting body as part of the second bulk supply; and

                the number and type of accounts held by each member of the banking group where the credit provider is the head company and for which mandatory credit information has been supplied to each eligible credit reporting body as part of the second bulk supply.

This requirement ensures that a relevant credit provider can demonstrate it has met its obligation to supply mandatory credit information on its remaining consumer credit accounts as part of the second bulk supply, both individually and across the banking group for which it is the head company.

For accounts that have been included in the second bulk supply, the second statement also needs to include the following information:

                the number of accounts for which the credit provider has received a request to correct information in the four-month period starting on the 1 July to which the bulk supply relates;

                the number of accounts where the credit provider has corrected information (either in response to a request to correct information or at the credit provider’s initiative) in that four-month period; and

                the number of accounts for which a complaint about a privacy breach has been made to the credit provider in that four-month period.

This ensures the second statement includes relevant information about the credit information that is supplied by relevant credit providers as part of the second bulk supply.

Statements given to the Treasurer by credit reporting bodies

Section 133CZC of the Act also requires credit reporting bodies that are within the scope of the mandatory credit reporting regime to give the Treasurer a statement about the supply of credit information to those bodies under the mandatory credit reporting regime after each of the initial bulk supplies. A statement is due within six months after the 1 July to which the bulk supply relates.

Regulation 28TD sets out the information that must be included in each of these statements.

Statement relating to the first bulk supply

For the statement about the first bulk supply, the relevant credit reporting body must include the following information in the statement to the Treasurer:

                the number of accounts for which mandatory credit information has been supplied by each credit provider to the body; and

                the number of disclosures of the body’s protected information made to one or more credit providers during the four-month period starting on the 1 July to which the bulk supply relates.

In this context, the credit reporting body’s protected information means information that is supplied to the body under the mandatory credit reporting regime and any CRB derived information that is derived from that information. This mirrors the definition of protected information that is used more broadly in the context of the mandatory credit reporting regime (see new section 133CZA of the Act).

Additionally, the statement must include the following information about accounts that have been included in the first bulk supply:

                the number of accounts for which the body has received a request to correct information in the four-month period starting on the 1 July to which the bulk supply relates;

                the number of accounts where the body has corrected information (either in response to a request to correct information or at the body’s initiative) in that four-month period; and

                the number of accounts for which a complaint about a privacy breach has been made to the body in that four-month period. 

These requirements ensure the first statement contains relevant information about the operation of the mandatory credit reporting regime over the period, including on-disclosure of and correction requests about mandatory credit information provided in the first bulk supply.

Statement relating to the second bulk supply

For the statement about the second bulk supply, the relevant credit reporting body must include the following information in the statement to the Treasurer:

                the number of accounts for which mandatory credit information has been supplied by each credit provider to the body as part of the second bulk supply;

                the number of disclosures of protected information made by the body to a credit provider during the four-month period starting on the 1 July to which the second bulk supply relates; and

                for the four-month period starting on the 1 July to which the second bulk supply relates (and for accounts that have been included in the second bulk supply):

               the number of accounts for which the body has received a request to correct information;

               the number of accounts where the body has corrected information (either in response to a request to correct information or at the body’s initiative); and

               the number of accounts supplied under the mandatory credit reporting regime for which a complaint about a privacy breach has been made to the body.

This requirement ensures the second statement includes relevant information about the credit information that is supplied to credit reporting bodies as part of the second bulk supply.

Prescribing civil penalty provisions that are subject to an infringement notice

Item 2 prescribes a number of civil penalty provisions relating to the mandatory credit reporting regime as being subject to an infringement notice.

This includes the civil penalty provisions that apply where:

                the relevant credit provider has failed to meet the bulk supply or ongoing supply obligations;

                the relevant credit provider has failed to give a notice to a credit reporting body, ASIC and the Australian Information Commissioner once the credit provider believes the credit reporting body is meeting its data security obligations under the Privacy Act 1988, where the credit provider did not previously hold this belief;

                a credit reporting body has not met its obligations around disclosing (or not disclosing) the mandatory credit information it has received through the mandatory regime;

                the relevant credit provider or credit reporting body has failed to give statements to the Treasurer containing the required information within the required timeframe; and

                the relevant credit provider or credit reporting body has not complied with a notice or regulation to give ASIC certain information, or failed to give ASIC assistance when reasonably asked.

Prescribing these civil penalty provisions as being subject to an infringement notice is appropriate as there may be minor or straightforward contraventions of these provisions (for example, where certain information is not supplied or given by the required time). Such contraventions may be caused by poor internal processes. Where this is the case, the use of an infringement notice may lead to a faster rectification of processes, as entities are put on notice by ASIC sooner.

The ability to give an infringement notice gives ASIC sufficient flexibility to pursue the most appropriate action in each case, which will depend on its assessment of various considerations. These options are also consistent with the existing penalties framework in the Act.


 

ATTACHMENT B

Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

National Consumer Credit Protection Amendment (Mandatory Credit Reporting) Regulations 2021

This instrument is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the Regulations

The National Consumer Credit Protection Amendment (Mandatory Credit Reporting) Regulations 2021 (the Regulations) support the amendments made by the National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Act 2021, which established a mandatory credit reporting regime in Australia.

The mandatory credit reporting regime requires credit providers that are large authorised deposit-taking institutions to supply mandatory credit information on 50 per cent of their consumer credit accounts within 90 days of 1 July 2021 to all credit reporting bodies they had an agreement with on 2 November 2017. Within 90 days of 1 July 2022, the same credit providers need to supply credit information on their remaining consumer credit accounts to the same credit reporting bodies.

Beginning on 1 July 2022, the mandatory credit reporting regime will also require the same credit providers to supply financial hardship information about an individual, where available.

The mandatory credit reporting regime will give lenders access to a deeper, richer data set so they can better assess a borrower’s true credit position, including their ability to repay a loan. This will benefit consumers as the regime will drive more competition in the market by encouraging new entrants and smaller lenders to compete for consumers with positive credit histories.

The Regulations support the mandatory credit reporting regime by prescribing:

                additional circumstances where a credit provider that is subject to the regime must make ongoing supplies of repayment history information;

                additional circumstances where a credit reporting body is restricted from disclosing information it has received under the regime;

                the information that must be included in statements provided to the Treasurer by credit providers and credit reporting bodies; and

                the civil penalty provisions in the new regime that are subject to an infringement notice.

Human rights implications

The Regulations engage the right to protection from arbitrary or unlawful interference with privacy under Article 17 of the International Covenant on Civil and Political Rights by:

                requiring the ongoing supply of repayment history information (which is personal information) in certain circumstances (new regulation 28TA); and

                restricting the disclosure of protected information by credit reporting bodies in certain circumstances (new regulation 28TB).

New regulation 28TA requires credit providers (that are subject to the mandatory credit reporting regime) to supply new repayment history information to a credit reporting body where the credit provider has previously supplied credit information on the account under the mandatory credit reporting regime.

Additionally, this requirement only applies if the consumer and the credit provider have not entered into an arrangement about the consumer’s repayment obligations (such as a financial hardship arrangement) at any time between 1 July 2021 and 30 June 2022. This aspect of regulation 28TA aligns with the amendments in Schedule 2 to the National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Act 2021, which provide that beginning on 1 July 2022, financial hardship information about an individual that comes into existence on and after 1 July 2022 generally needs to be supplied by relevant credit providers to credit reporting bodies under the mandatory credit reporting regime.

The purpose of regulation 28TA is to ensure the credit information held by the credit reporting body about an individual remains complete, accurate and up-to-date. This is important because credit providers generally assess whether to provide credit to an individual based on the information provided by a credit reporting body. Therefore, this requirement ensures that credit providers have the necessary information available to assess a consumer’s true credit position, including their ability to repay a loan.

The Privacy Act 1988 (and in particular, Part IIIA) sets out strict and clearly defined restrictions around the use, disclosure and collection of credit information, including repayment history information. As with the other obligations under the mandatory credit reporting regime, the requirement in new regulation 28TA only applies to the extent the disclosure is permitted under the Privacy Act 1988. This is made clear in the amendments that establish the mandatory credit reporting regime in the National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Act 2021. This ensures the restrictions in the Privacy Act 1988 around the handling of credit information, including repayment history information, also apply in relation to new regulation 28TA.

As there are sufficient existing safeguards around the handling of repayment history information, the requirement in new regulation 28TA is therefore reasonable and proportionate to the legitimate objective of ensuring that lenders have sufficient information available to assess a consumer’s true credit position.

New regulation 28TB extends the protections in the Privacy Act 1988 in relation to protected information under the mandatory credit reporting regime. In this context, protected information means information that is supplied to a credit reporting body under the mandatory credit reporting regime, and certain information that is derived from that information.

Regulation 28TB provides that protected information must not be disclosed by a credit reporting body to a credit provider if:

                the information was originally supplied by a credit provider that was a signatory to the Principles of Reciprocity and Data Exchange (PRDE) at the time of the supply to the credit reporting body; and

                the PRDE has the effect of restricting the disclosure of the information.

Given regulation 28TB extends the protections in the Privacy Act 1988 around the disclosure of personal information, it therefore promotes the right to protection from arbitrary or unlawful interference with privacy.

Conclusion

This Regulations are compatible with human rights because it promotes the protection of human rights. To the extent that it limits human rights, those limitations are reasonable, necessary and proportionate to the legitimate objective of ensuring the usefulness and efficiency of Australia’s credit reporting system.