The credit reporting environment in Australia is constantly evolving and changing. With the emergence of new technologies, new regulatory challenges come before us, including ensuring that privacy protections are in place, and are upheld, for Australians’ credit reporting information.

We are operating in an environment where new players are emerging that impact credit reporting in different and unexpected ways.

An example is Buy Now Pay Later providers, which have emerged since Part IIIA of the Privacy Act was introduced, alongside the need to accommodate entities such as telecommunication and utility providers into the credit system in new and innovative ways.

We are also seeing a rise in the offering of new credit products, which have impacts on everyday Australians.

It’s a juggling act

The credit reporting system involves a diverse mix of stakeholders, ranging from industry participants and representatives to consumer advocates and financial counsellors. Balancing the needs of these stakeholder groups, including the need to access credit reporting information with the individual’s right to privacy, is a constant juggling act.

As you are aware, we are also operating at a time when Part IIIA of the Privacy Act is being reviewed by government, which may result in big changes to the credit system in Australia.

The OAIC’s role remains as the credit reporting regulator under the Privacy Act. Ensuring that privacy protections are upheld and Part IIIA of the Privacy Act is complied with is an ongoing priority for my office. Another priority is showing what good looks like, and ensuring industry is aware of how to comply with its obligations.

Horizon scanning and monitoring is critical to detecting systemic and serious issues of non-compliance and this is a particular focus of the OAIC moving forward.

The recent variation to the Credit Reporting Code (CR Code) to implement proposals from the OAIC’s independent review will provide multiple benefits, which I will speak to today, including enhanced transparency requirements with regard to credit provider audits. This will contribute to, and inform, the OAIC’s regulatory strategy going forward.

The OAIC’s expectations and priorities in the credit space are informed by our engagement with individuals and industry, and adapted to changes in the regulatory environment and emerging technologies and practices. We are grateful for the feedback and active engagement we have with stakeholders, which helps to inform us about where to head next.

Variation of the CR Code

The Credit Reporting Code has been in place since 2014 and is regularly reviewed and updated to ensure it remains fit for purpose.

As you are all aware, the CR Code particularises the provisions of Part IIIA of the Privacy Act, and how industry can comply with those provisions.

Today, I want to talk to some significant developments that have occurred over the past 6 months in the credit space, and then turn to what the future may look like.

OAIC 2021 independent review of the CR Code

In the OAIC’s independent review of the CR Code, we recommended a number of amendments to the code, and raised issues with Part IIIA of the Privacy Act.

We published a roadmap for implementing the proposals following release of our final report, including key milestones relating to the review as well as other major projects in the credit reporting space.

In accordance with that roadmap, in March 2023, the OAIC updated the Guidelines for developing codes to ensure the code developer’s application would appropriately address stakeholder concerns raised during the review, and ensure sufficient and early consultation was conducted.

Approved variation of the CR Code

Following this, we requested an application from Arca to vary the CR Code, which we received on 19 December 2023.

The OAIC considered and consulted on Arca’s application in April this year. We heard what stakeholders had to say and negotiated with Arca to request an amended variation application to address stakeholder concerns.

Following an amended application from Arca after engagement with my office, on 1 October 2024, I approved a variation to the CR Code to implement a suite of major amendments arising from proposals made in our report from the independent review of the code.

The variation implemented 15 proposals from the report. Remaining proposals relating to Part IIIA of the Privacy Act were referred to the Attorney-General to be considered as part of the review of Australia’s credit reporting framework.

Key benefits to individuals and industry

The new CR Code brings many benefits for both individuals and industry, including:

  • improvements to the explanatory materials to provide practical examples, particularly where we have provided further clarity on key terms for industry to assist in reporting information into the credit system
  • recognising domestic abuse as a circumstance beyond an individual’s control that can lead to corrections needing to be made to their credit report.

Similarly, we have increased support for victims of fraud by:

  • ensuring they can extend a ban on their credit report with minimal evidence
  • including a free alert system for victims of fraud to provide notification if anyone tries to request credit during the ban period
  • including the ability to correct multiple pieces of incorrect information on their credit report caused by a fraud event.

Overall, the new code provides greater transparency over how credit reporting bodies (CRBs) and banks are complying with their privacy obligations, which is key to enhancing individual trust that their credit information is safeguarded as it moves through the system.

Other benefits include that the format of the new code and explanatory materials conform to contemporary standards for legislative instruments, which will assist with the interpretation of often technical matters.

More data will be available to the OAIC, with the new CR Code requiring CRBs to provide the OAIC with a composite report of the credit providers it has audited by 31 August each year. The OAIC can also request CRBs to provide a copy of any of the audit reports listed in the composite report.

This will provide the OAIC with access to information that has not been available before and will be a valuable resource to monitor and detect systemic and serious issues of non-compliance and help to inform our regulatory priorities.

This will also demonstrate transparency in how the audits are conducted, providing a level of assurance to the Australian community that CRBs are conducting meaningful audits that satisfy the requirements of the CR Code.

Soft enquiries framework

One of the proposals from the OAIC’s review of the CR Code recommended that the code be amended to introduce a soft enquiries framework into Australia.

A soft enquiry is one that is not recorded on the individual’s credit report, such as where an individual is only seeking a quote, or to understand if they qualify for a certain product or offer.

Hard enquiries, once an individual has submitted an application for credit, will be recorded and allow the credit provider to determine the individual’s creditworthiness.

In response to stakeholder feedback, on 30 August 2024, the OAIC decided to postpone consideration of a soft enquiries framework through the CR Code until the report for the review of Australia’s credit reporting framework is released and considered.

This will allow the matter to be examined alongside the broader credit reporting landscape, and ensure issues raised by stakeholders are explored holistically alongside options to enhance the legal framework.

The OAIC will revisit the matter of introducing a soft enquiries framework via the CR Code in Q2 2025.

Complaints trends

I now wanted to turn briefly to complaints the OAIC receives about the credit reporting provisions.

I’d like to start by noting that the vast majority of complaints are referred to external dispute resolution (EDR) schemes as a first port of call. Where a matter is further referred to the OAIC, we will then assess the outcome and information provided by the EDR scheme.

Over the past decade, the OAIC has received over 2,600 complaints and 8,500 enquiries relating to Part IIIA of the Privacy Act.

Overall, the data shows that the majority of complaints to the OAIC relate to disclosure of credit information to a CRB, as well as the quality of credit reporting information, corrections of and access to credit reporting information.

Accordingly, CRBs are the main respondents of complaints, followed by the financial sector, including credit providers, and then by utilities and telecommunications.

Moving briefly into the trends for each key sector, for CRBs, individuals mostly complained that their credit information was not accurate, up to date and complete under s 20N, closely followed by complaints about requests to correct their information.

In the financial sector, individuals overwhelmingly complained about the disclosure of their credit information to CRBs. As with CRBs, we have also seen consistent complaints about the quality of credit information, as well as complaints regarding the provision of collection notices.

Finally, across the utilities, telecommunications and debt collector sectors, consistent with the financial sector, the significant majority of complaints relate to the disclosure of credit information to CRBs.

Such complaints trends regularly inform the OAIC’s regulatory activities, from the provision of guidance to assist with compliance, to generating changes to the CR Code or broader regulatory action.

Data breach trends

I would like to take this opportunity to also touch on data breach trends. Recent high-profile data breaches have focused attention on the potential impacts of a cyber security incident.

The data breach earlier this year at utility provider Sumo, which involved credit scores, highlights the importance of having robust and secure information handling practices in place.

The OAIC’s Notifiable Data Breaches (NDB) report for January to June 2024 demonstrates that the finance sector remains one of the top reporters of data breaches, with 58 breaches reported. Finance, along with health service providers, has consistently reported the most data breaches of all sectors since the NDB scheme began.

For the January to June 2024 period, malicious or criminal attacks were the leading cause of data breaches reported in the finance sector.

Additionally, 227 of the total data breaches reported for this period involved personal information that included financial details, representing the third most common kind of personal information affected.

This data demonstrates that industry, and the credit reporting industry in particular, need to be vigilant with their data protection and information handling practices to ensure that the impacts from any potential data breaches involving credit reporting information are minimal and handled appropriately in accordance with the law.

Our regulatory strategy moving forward

Looking ahead, there are likely to be some big developments in the credit space.

The review of the credit reporting framework just concluded, with a report due to the ministers on 1 October 2024. This included a comprehensive review of Part IIIA of the Privacy Act and provisions in the National Consumer Credit Protection Act.

The OAIC made a submission to the review informed by our observations as regulator. We engaged extensively with the Attorney-General’s Department and the independent reviewer throughout the process. The OAIC’s submission specifically noted items deferred from our review of the CR Code, as well as recommending that the review consider issues such as:

  • the treatment of credit information where a debt is statute-barred
  • appropriate timeframes around credit bans
  • consistency with the broader Privacy Act review, such as around notices and consent, audit requirements and data security
  • appropriate access to credit information, especially by real estate agents, employers, insurers and foreign credit providers
  • upholding data minimisation, retention and security
  • clarifying the appropriate timeframes for processing corrections and complaints.

The final report for the review was provided to the Attorney-General and Treasurer on 1 October 2024. It must be tabled within 15 sitting days and then will be public.

The report will likely contain issues and recommendations that will impact the OAIC’s role as regulator and we will be alive to these in determining our priorities into the future.

The OAIC’s expectations and priorities

Lastly, I wanted to touch on what things will look like into the future.

Once the credit reporting framework report is released, the OAIC will consider and work with government on any recommendations concerning the OAIC and our role as a priority. Of primary importance to us is ensuring that Australia continues to have a strong and streamlined credit framework able to regulate the ever-evolving credit environment.

Under the CR Code, CRBs must commission an independent review of their compliance every 3 years. These reports were due this year. Following receipt, the OAIC will consider the reports to inform our priorities and make them available on our website.

We are also considering the release of guidance setting out our expectations as to the level of quality, detail and reviewer expertise expected in future reviews. A fulsome public report is integral to ensuring transparency to the public that CRBs are complying with Part IIIA and that their credit information is being properly handled.

We are also looking to release a blog post about the access seeker provisions and compliance issues we are seeing in the industry, in order to outline our expectations.

Beyond these priorities, the OAIC will continue to actively engage in monitoring developments in the credit reporting system, which will include examining complaint and NDB trends. This will ensure that our regulatory stance is targeted and impactful.