Privacy Reform 23 rd Annual Credit Law Conference Olga Ganopolsky General Counsel 3 rd October 2013 The views expressed in this presentation are the views of the author and do not constitute legal or compliance advice. The presentation is incomplete without the discussion that accompanies it. Any reference to external documents does not constitute adoption of the whole external document. Reference to the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 are as at 17 September 2012.
Olga Ganopolsky, Veda: The new credit reporting code of conduct
May 22, 2015
Olga Ganopolsky, General Counsel, Veda delivered this presentation at the 2013 Credit Law conference. The event offers key insights from the regulators; thought-provoking sessions from industry leaders; and updates on all the regulatory changes impacting the sector. For more information on the annual event, please visit the conference website: http://www.informalegal.com.au/law-legal-conferences/credit-law-conference
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Privacy Reform 23rd Annual Credit Law Conference
Olga Ganopolsky General Counsel
3rd October 2013
The views expressed in this presentation are the views of the author and do not constitute legal or compliance advice. The presentation is incomplete without the discussion that accompanies it. Any reference to external documents does not constitute adoption of the whole external document. Reference to the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 are as at 17 September 2012.
Olga Ganopolsky – Privacy Reform 23rd Annual Credit Law Conference 3rd October 2013 Not to be reproduced without the permission of the author
Privacy Amendment (Enhancing Privacy Protection) Act 2012
Passed Nov 2012
Awaiting Draft
Draft currently with the OIAC
Structure of the regulatory framework
• The Privacy Act (as amended) • Part IIIA of the Act applies to consumer credit
reporting • APPs (replacing the NPPs) will apply to other personal
information
The Act
The Regulations
Credit Reporting Code
2
Olga Ganopolsky – Privacy Reform 23rd Annual Credit Law Conference 3rd October 2013 Not to be reproduced without the permission of the author
Privacy Amendment (Enhancing Privacy Protection) Act 2012
“
” ….”
“
Who are the key players in the system?
Credit Reporting businesses & Credit Providers
3
Olga Ganopolsky – Privacy Reform 23rd Annual Credit Law Conference 3rd October 2013 Not to be reproduced without the permission of the author
Types of Information in Comprehensive Reporting
Definitions Comments
Consumer credit extended in line with the National Consumer Credit Protection Act 2009 to include credit provided to acquire, maintain, renovate or improve residential investment properties.
Consumer credit liability information
certain information where a Credit Provider provides consumer credit to an individual: name of the provider, the type of consumer credit, the terms or conditions of the consumer credit etc. There are strict use and disclosure restrictions on such information.
Credit information ‘consumer credit liability information’ in addition to the separate ‘repayment history information’.
CR derived information information that a Credit Provider derived from credit reporting information received from a credit reporting business. This is intended to capture credit ‘scorecards’
CRA derived information information that a credit reporting business may derive from credit reporting information that is held by that business.
Credit eligibility information credit reporting information held by a Credit Provider about an individual
Credit Provider the definition includes banks, certain agencies, mortgage insurers, organisations or small business operators.
Credit reporting information credit information or CRA derived information
Permitted CP disclosure permitted disclosures by a Credit Provider of credit eligibility information.
Permitted CP use permitted uses by a Credit Provider of credit eligibility information.
4
Personal information in the credit reporting system
Diagram 2 – key terms that refer to personal information in the credit reporting system Source: Privacy Amendment (Enhancing Privacy Protection) Bill 2012 Explanatory Memorandum
Credit Provider Credit Reporting Credit Provider Affected info
Recipient
Credit
information
Credit
Reporting Information
( Credit
Information + CRB derived information)
Credit Eligibility
Information
(Credit Reporting
Information + CP derived
information)
Regulated
Information
(Credit Reporting
Information OR Credit Eligibility
Information)
5
What is Comprehensive Reporting?
Negative Reporting Positive (or Comprehensive) Reporting
• personal information – name, address, date of birth, employer, drivers licence
• applications for credit made over the past five years (but not whether it was granted, or the type of credit, or the current credit limit)
• defaults
• court judgements over the past five years
• bankruptcies (seven years)
• ‘credit inquiries’
• what type of credit was offered
• what the credit limit currently is
• when the account was opened
• when the account was closed
• repayment history over the previous two years (only licensed Credit Providers)
In addition to Negative Reporting information
6
More information under tighter legal rules
Use of comprehensive reporting information for direct marketing purposes will be expressly prohibited
Pre-Screening will be expressly permitted Will have its own compliance regime which will include rights of access, handling complaints and dispute resolution.
1 2
Olga Ganopolsky – Privacy Reform 23rd Annual Credit Law Conference 3rd October 2013 Not to be reproduced without the permission of the author
Privacy Amendment (Enhancing Privacy Protection) Act 2012
7
• Prohibitions on collection, use and disclosure of credit reporting information
• Permitted are expressly provided as an exemption
• Substantial penalties for non compliance
More extensive powers of the regulator
• Enforcement orders
• Sizeable penalties for breach
• Enforcement orders
• Sizeable penalties for breach
Offences
Civil penalties (eg, up to 2,200 penalty units or 1.7 million dollars
Olga Ganopolsky – Privacy Reform 23rd Annual Credit Law Conference 3rd October 2013 Not to be reproduced without the permission of the author
Collection & Disclosure in Comprehensive Reporting
What can they collect? What can they disclose to credit providers?
What can they disclose to credit reporting businesses?
Credit Providers
• Credit information • Credit eligibility information • CRB derived information
• credit eligibility information
“credit eligibility information about an individual means: a) credit reporting information
about the individual that was disclosed to a credit provider by a credit reporting body under Division 2 of Part IIIA; or
b) CP derived information about the individual.”
• Information relates to consumer credit or commercial credit that has been provided or applied in Australia
• repayment history information • consumer credit liability information • default information • paid status of previously reported default
information • consumer credit liability information entered
into before an individual turned 18 which is still in force and the individual has turned 18.
Credit Reporting Businesses
• Identification information • Consumer credit liability information • Repayment history information • Type and amount of consumer or
commercial credit applied for • Statement that an information request has
been made by a credit provider, mortgage insurer or trade insurer.
• Default information • Payment information • New arrangement information • Court proceedings information • Serious credit infringements • Bankruptcy • Personal insolvency agreement • Debt agreement
• credit reporting information
“credit reporting information about an individual means credit information, or CRB derived information, about the individual.”
• credit reporting information
8
Olga Ganopolsky – Privacy Reform 23rd Annual Credit Law Conference 3rd October 2013 Not to be reproduced without the permission of the author
New Dispute resolution processes
• Credit Providers may list overdue payment information only where the Credit Provider is a member of an external dispute resolution scheme approved by the Information Commissioner
• Individuals may complain to a credit reporting business or Credit Provider if:
• access to, of correction of, certain information is refused
• an act or practice engaged in by a credit reporting business or Credit Provider that may be a ‘credit reporting infringement’
• An individual may also complain to
• external dispute resolution scheme
• Information Commissioner
• Identity theft and ability to “freeze” files
• First point of contact and responsibility for resolving complaints
9
Credit Reporting Code
Credit Reporting Code
Topic Summary of requirements of the CR Code
Collection 1.2 Credit ID information and Capacity information can be collected by a CRB but only at the same time as credit information. CP can only disclose Credit ID information and Capacity information to a CRB.
4.1 Additional notification obligations placed on CPs before they collect personal information including: the individual’s right to access to information held by the CP to request the CP to correct their information; to make a complaint to the CP; To add a ban to information held by a CRB; and To opt-out of pre-screening.
11.1 Collection of publicly available information Information that is publicly available from non-government sources, regardless of whether it is predictive of credit risk, cannot be treated as credit information.
Disclosure 9.1 Defaults A CP can only disclose default information to a CRB it has provided a notice of intention to list default and notice debt is overdue. Default cannot be disclosed earlier than 14 days after S21D(3) notice of intention to disclose to a CRB nor later than 3 months after the date of the notice. Cannot disclose a default if individual has made a hardship request and no hardship request was made in previous 4 months.
11
Credit Reporting Code
Topic Summary of requirements of the CR Code
6.3 Consumer Credit Liability Information When a CP discloses CCLI information to a CRB they can either disclose all elements that make up CCLI or the name of the CP (a) and date credit entered into (d). Once the consumer credit is terminated CP must notify CRB within 45 days of termination.
12 Serious Credit Infringement (SCI) Draft CR Code sets out detailed rules regarding what constitutes an
13 Debt acquisition If before debt has been sold the original CP had disclosed CCLI or default information to a CRB both the original CP and the debt purchaser must ensure that the CRB is notified within 45 days of the debt acquisition.
14.1 Mistaken identity - disclosure Recipients of information that has been mistakenly supplied with information about the wrong individual must advise the CP or CRB who provided them the information of the mistake and destroy the information. CP/CRB must review its disclosure practices, procedures and systems.
12
Credit Reporting Code
Topic Summary of requirements of the CR Code
16.1 No use or disclosure of credit eligibility information or regulated information for direct marketing other than pre-screening as defined in 20G & 20H.
16.2 Disclosure for the purposes of assisting individual to avoid defaulting CP must confirm to CRB that it is aware that the individual may be at significant risk of defaulting; or CRB is aware that an event has occurred that could reasonably indicate that the individual may be at significant risk of defaulting.
19 Rights of consumers to access their information on a 12monthly basis and at the point of being rejected for credit by their credit provider. Time periods for such access: • CP - 30 days • CRBs - 10 days
Individuals can request the manner of access
21 Details as to how Complaints are to be handled, including membership of a recognised EDR shceme, information recipients and access seekers
13
12 December Royal Assent
(signature of Governor General)
Credit reporting roadmap – regulations and Codes 02/10/2013
2012 2013 2014
AGD completes regulations 2013
Credit Reporting Code of Conduct – requires OAIC approval, breach of Code is a breach of the Act (MUST have for CR to start)
15 months after Royal Assent, new credit reporting & privacy
laws start (12 March 2014)
Data submission & sharing
APH
Account payment history
14
From Royal Assent, APH possible – but notice to consumer required before collection
Sept 2013 OAIC deliberation
on Credit Reporting Code
By early Nov 2013 OAIC expected to
approve Credit Reporting Code
July 2013 Draft Credit
Reporting Code lodged with OAIC
End October Regulations
signed , made public
Industry Code of Conduct – model still being finalised, aiming for end November; ACCC must then vet.
April 2013 Draft Credit
Reporting Code out for public consultation
Olga Ganopolsky – Privacy Reform 23rd Annual Credit Law Conference 3rd October 2013 Not to be reproduced without the permission of the author
Summary
Issues Draft Credit Reporting Code Privacy Amendment (Enhancing Privacy Protection) Act 2012
Data fields Same but some restrictions on how data can be used or shared by the parties
Positive, 5 data fields
Users Same as the Act Credit Providers
Complexity Very high High
Dispute Resolution Enhanced More detailed
Access regime by individuals Enhanced
Enhanced
Prescriptive regime Highly prescriptive and higher regulation on use and disclosure
Highly prescriptive and higher regulation on use and disclosure
Regulatory Structure Same but introduces the concept of a Code Administrator and types of auditors
Office of the Information Commissioner (Privacy Commissioner)
Scope of Regime Broader Broader because it includes some data not previously classified as consumer credit reporting (e.g. publicly available information)
Alignment to other regimes such as responsible lending
No alignent – very specific to credit reporting Some limited alignment (e.g. NCCP licensed providers have access to repayment history)
15
Q&A
Related Documents
