Credit Reporting Businesses: Auditing the compliance of credit providers
Olga Ganopolsky, General Counsel
21 May 2014
The views expressed in this presentation are the views of the author and do not constitute legal or compliance advice. The presentation is incomplete without the discussion that accompanies it. Any reference to external documents does not constitute adoption of the whole external document.
Olga Ganopolsky - Veda - Credit Reporting Bureaus: Auditing the compliance of credit providers
Olga Ganopolsky delivered this presentation at the 2014 Privacy Reform in Credit Reporting Forum.
From reviewing the journey toward day one compliance readiness to longer term transitional issues, the inaugural Privacy Reform in Credit Reporting Forum assessed all the critical factors industry professionals will want to know regarding the impact of privacy reform on credit reporting.
For more information about the event, please visit: http://www.informa.com.au/privacycredit14
Transcript
Olga Ganopolsky, General Counsel, Veda Advantage Ltd – May 2014 Not to be reproduced without the permission of the author 2
Overview
Flow of information between the regulated parties:
• Credit Provider discloses Credit Information to the Credit Reporting Body
• Credit Reporting Body discloses Credit Reporting Information (= Credit Information + CRB derived information) to the Credit Provider
• Credit Provider discloses Credit Eligibility Information (= Credit Reporting Information + CP derived information) to the Affected Information Recipient
• Regulated Information (= Credit Reporting Information OR Credit Eligibility Information)
Privacy Act 1988 as Amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012
Categories of regulation
• Personal information held by Commonwealth Government Agencies and their contracted service providers: regulated by the Australian Privacy Principles (APPs)
• Personal information held by private sector organisations other than small businesses: regulated by the Australian Privacy Principles (APPs)
• Credit reporting information or credit eligibility information, and information derived from that information, held by credit reporting businesses or credit providers: regulated by Part IIIA of the Act
What is regulated?
“Personal Information”
personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
a) whether the information or opinion is true or not; and
b) whether the information or opinion is recorded in a material form or not.
Types of Information
Definitions and comments:
• Consumer credit: extended in line with the National Consumer Credit Protection Act 2009 to include credit provided to acquire, maintain, renovate or improve residential investment properties.
• Consumer credit liability information: certain information where a Credit Provider provides consumer credit to an individual: name of the provider, the type of consumer credit, the terms or conditions of the consumer credit etc. There are strict use and disclosure restrictions on such information.
• Credit information: includes ‘consumer credit liability information’ in addition to the separate ‘repayment history information’.
• CP derived information: information that a Credit Provider derived from credit reporting information received from a credit reporting business. This is intended to capture credit ‘scorecards’.
• CRB derived information: information that a credit reporting business may derive from credit reporting information that is held by that business.
• Credit eligibility information: credit reporting information held by a Credit Provider about an individual.
• Credit Provider: the definition includes banks, certain agencies, mortgage insurers, organisations or small business operators.
• Credit reporting information: credit information or CRB derived information.
• Permitted CP disclosure: permitted disclosures by a Credit Provider of credit eligibility information.
• Permitted CP use: permitted uses by a Credit Provider of credit eligibility information.
Privacy Act 1988 as Amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012
20N Quality of credit reporting information
(1) A credit reporting body must take such steps as are reasonable in the circumstances to ensure
that the credit information the body collects is accurate, up-to-date and complete.
(2) A credit reporting body must take such steps as are reasonable in the circumstances to ensure
that the credit reporting information the body uses or discloses is, having regard to the purpose
of the use or disclosure, accurate, up-to-date, complete and relevant.
(3) Without limiting subsections (1) and (2), a credit reporting body must:
(a) enter into agreements with credit providers that require the providers to ensure that
credit information that they disclose to the body under section 21D is accurate, up-to-date
and complete; and
(b) ensure that regular audits are conducted by an independent person to determine
whether those agreements are being complied with; and
(c) identify and deal with suspected breaches of those agreements.
Privacy Act 1988 as Amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012
20Q Security of credit reporting information
(1) If a credit reporting body holds credit reporting information, the body must take such steps as
are reasonable in the circumstances to protect the information:
(a) from misuse, interference and loss; and
(b) from unauthorised access, modification or disclosure.
(2) Without limiting subsection (1), a credit reporting body must:
(a) enter into agreements with credit providers that require the providers to protect credit
reporting information that is disclosed to them under this Division:
(i) from misuse, interference and loss; and
(ii) from unauthorised access, modification or disclosure; and
(b) ensure that regular audits are conducted by an independent person to determine
whether those agreements are being complied with; and
(c) identify and deal with suspected breaches of those agreements.
Credit Reporting Privacy Code - scope
23.1 To ensure that CRBs are able to tailor the frequency and extent of the audits required by sections 20N and 20Q to the CPs that present the greatest risk of non-compliance, a CRB must establish a documented, risk based program to monitor CPs' compliance with their obligations under Part IIIA, incorporated in their agreements with the CRB, to ensure:
(a) that credit information that the CP discloses to the CRB is accurate, up-to-date and complete;
(b) that credit reporting information that the CRB discloses to the CP is protected by the CP from misuse, interference and loss and from unauthorised access, modification or disclosure; and
(c) that the CP takes the steps in relation to requests to correct credit-related personal information required by Part IIIA, the Regulations and this CR code.
Credit Reporting Privacy Code - scope
23.2 The risk based program established by a CRB for the purposes of paragraph 23.1 must:
(a) identify and evaluate indicators of risk of non-compliance by CPs with the obligations referred to in paragraph 23.1;
(b) assess the risk posed by CPs of significant non-compliance with those obligations utilising those risk indicators and the range of information available to the CRB including correction requests and complaints;
(c) utilise a reasonable range of monitoring techniques to validate and update those risk assessments from time to time (which could, for example, include questionnaires or attestations);
(d) include an audit program for CPs to assess compliance with the obligations referred to in paragraph 23.1.
Credit Reporting Privacy Code
23.3 To be independent and so eligible under Part IIIA to conduct an audit of a CP as part of the CRB’s auditing program referred to in paragraph 23.2:
(a) an auditor must not be a director or employee of the CP, have a significant financial interest in the CP or, at any time during the previous 12 months, had any such relationship or interest;
(b) if the auditor is an employee of the CRB – the CRB’s organisational structure and supervision arrangements must achieve functional independence for the auditor;
(c) if the auditor is an employee of an industry funded organisation – the organisation’s governance and supervision arrangements must achieve functional independence for the auditor; and
(d) the auditor must not have any other association that would impair the perception of the auditor’s independence, nor had any such association at any time during the previous 12 months.
Credit Reporting Privacy Code
23.4 A CRB must take reasonable steps to ensure that a person who conducts an audit of a CP as
part of the CRB’s auditing program referred to in paragraph 23.2 has sufficient expertise for the
role including:
(a) knowledge of the requirements of Part IIIA, the Regulations and this CR code;
(b) knowledge of audit methodology and previous experience in conducting audits; and
(c) credit reporting system experience.
23.5 Subject to paragraphs 23.3 and 23.4, a CRB's CP auditing program for the purposes of
paragraph 23.2(d) may utilise as auditors:
(a) a CRB’s compliance or auditing team;
(b) consultants engaged by the CRB;
(c) consultants engaged by the CP where the CRB is satisfied as to the consultant’s
independence and expertise; or
(d) an industry funded organisation where the CRB is satisfied as to that organisation's
independence and expertise.
Credit Reporting Privacy Code - CP obligations
23.6 The CRB must take reasonable steps to ensure that its audit oversight, including reporting
arrangements, is sufficient to enable the CRB to form a view as to whether the CP is complying
with the obligations referred to in paragraph 23.1.
23.7 A CP must permit a person, who conducts an audit of a CP as part of the CRB’s auditing
program referred to in paragraph 23.2, to have reasonable access to the CP's records for the
purposes of carrying out the audit.
23.8 A CP must take reasonable steps to rectify issues identified in the course of an audit
undertaken pursuant to the CRB's auditing program referred to in paragraph 23.2.
Credit Reporting Privacy Code - consequences
23.9 Where a CP fails to meet its contractual obligations to a CRB to comply with Part IIIA, the Regulations and this CR code and in particular fails to:
(a) ensure that the credit information that the CP discloses to the CRB is accurate, up-to-date and complete; or
(b) protect credit reporting information disclosed to the CP by a CRB from misuse, interference or loss, or unauthorised access, modification or disclosure;
the CRB will take such action as is reasonable in the circumstances, which may include termination of the agreement. However, termination may only occur if the CRB first provides the CP with reasonable notice of its intention to terminate the agreement and an opportunity to trigger the dispute resolution procedures in paragraph 23.10.
23.10 Where disputes arise between two or more CRBs, CPs and affected information recipients in relation to actions undertaken or required to fulfil their obligations under Part IIIA, the Regulations or this CR code, the parties to the dispute must endeavour to resolve the dispute in a fair and efficient way.
23.10 Where disputes arise between two or more CRBs, CPs and affected information recipients
in relation to actions undertaken or required to fulfil their obligations under Part IIIA, the
Regulations or this CR code, the parties to the dispute must endeavour to resolve the dispute in a
fair and efficient way.
Industry Issues
• Scope of audits
• Timing of audits
• Expertise and independence
• Clarity of roles
  • CRB
  • CP
• Data breach and the path to mandatory reporting
Conclusions
• Lessons learned so far
• Major milestones