Olga Ganopolsky, Veda: The new credit reporting code of conduct

591 views

Published on

Olga Ganopolsky, General Counsel, Veda delivered this presentation at the 2013 Credit Law conference. The event offers key insights from the regulators; thought-provoking sessions from industry leaders; and updates on all the regulatory changes impacting the sector. For more information on the annual event, please visit the conference website: http://www.informalegal.com.au/law-legal-conferences/credit-law-conference

Published in: Economy & Finance, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
591
On SlideShare
0
From Embeds
0
Number of Embeds
8
Actions
Shares
0
Downloads
41
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Olga Ganopolsky, Veda: The new credit reporting code of conduct

  1. 1. Privacy Reform 23rd Annual Credit Law Conference Olga Ganopolsky General Counsel 3rd October 2013 The views expressed in this presentation are the views of the author and do not constitute legal or compliance advice. The presentation is incomplete without the discussion that accompanies it. Any reference to external documents does not constitute adoption of the whole external document. Reference to the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 are as at 17 September 2012.
  2. 2. Olga Ganopolsky – Privacy Reform 23rd Annual Credit Law Conference 3rd October 2013 Not to be reproduced without the permission of the author Privacy Amendment (Enhancing Privacy Protection) Act 2012 Passed Nov 2012 Awaiting Draft Draft currently with the OIAC Structure of the regulatory framework • The Privacy Act (as amended) • Part IIIA of the Act applies to consumer credit reporting • APPs (replacing the NPPs) will apply to other personal information The Act The Regulations Credit Reporting Code 2
  3. 3. Olga Ganopolsky – Privacy Reform 23rd Annual Credit Law Conference 3rd October 2013 Not to be reproduced without the permission of the author Privacy Amendment (Enhancing Privacy Protection) Act 2012 “ ” ….” “ Who are the key players in the system? Credit Reporting businesses & Credit Providers 3
  4. 4. Olga Ganopolsky – Privacy Reform 23rd Annual Credit Law Conference 3rd October 2013 Not to be reproduced without the permission of the author Types of Information in Comprehensive Reporting Definitions Comments Consumer credit extended in line with the National Consumer Credit Protection Act 2009 to include credit provided to acquire, maintain, renovate or improve residential investment properties. Consumer credit liability information certain information where a Credit Provider provides consumer credit to an individual: name of the provider, the type of consumer credit, the terms or conditions of the consumer credit etc. There are strict use and disclosure restrictions on such information. Credit information ‘consumer credit liability information’ in addition to the separate ‘repayment history information’. CR derived information information that a Credit Provider derived from credit reporting information received from a credit reporting business. This is intended to capture credit ‘scorecards’ CRA derived information information that a credit reporting business may derive from credit reporting information that is held by that business. Credit eligibility information credit reporting information held by a Credit Provider about an individual Credit Provider the definition includes banks, certain agencies, mortgage insurers, organisations or small business operators. Credit reporting information credit information or CRA derived information Permitted CP disclosure permitted disclosures by a Credit Provider of credit eligibility information. Permitted CP use permitted uses by a Credit Provider of credit eligibility information. 4
  5. 5. Personal information in the credit reporting system Diagram 2 – key terms that refer to personal information in the credit reporting system Source: Privacy Amendment (Enhancing Privacy Protection) Bill 2012 Explanatory Memorandum Credit Provider Credit Reporting Credit Provider Affected info Recipient Credit information Credit Reporting Information ( Credit Information + CRB derived information) Credit Eligibility Information (Credit Reporting Information + CP derived information) Regulated Information (Credit Reporting Information OR Credit Eligibility Information) 5
  6. 6. What is Comprehensive Reporting? Negative Reporting Positive (or Comprehensive) Reporting • personal information – name, address, date of birth, employer, drivers licence • applications for credit made over the past five years (but not whether it was granted, or the type of credit, or the current credit limit) • defaults • court judgements over the past five years • bankruptcies (seven years) • ‘credit inquiries’ • what type of credit was offered • what the credit limit currently is • when the account was opened • when the account was closed • repayment history over the previous two years (only licensed Credit Providers) In addition to Negative Reporting information 6 More information under tighter legal rules Use of comprehensive reporting information for direct marketing purposes will be expressly prohibited Pre-Screening will be expressly permitted Will have its own compliance regime which will include rights of access, handling complaints and dispute resolution. 1 2
  7. 7. Olga Ganopolsky – Privacy Reform 23rd Annual Credit Law Conference 3rd October 2013 Not to be reproduced without the permission of the author Privacy Amendment (Enhancing Privacy Protection) Act 2012 7 • Prohibitions on collection, use and disclosure of credit reporting information • Permitted are expressly provided as an exemption • Substantial penalties for non compliance More extensive powers of the regulator • Enforcement orders • Sizeable penalties for breach • Enforcement orders • Sizeable penalties for breach  Offences  Civil penalties (eg, up to 2,200 penalty units or 1.7 million dollars
  8. 8. Olga Ganopolsky – Privacy Reform 23rd Annual Credit Law Conference 3rd October 2013 Not to be reproduced without the permission of the author Collection & Disclosure in Comprehensive Reporting What can they collect? What can they disclose to credit providers? What can they disclose to credit reporting businesses? Credit Providers • Credit information • Credit eligibility information • CRB derived information • credit eligibility information “credit eligibility information about an individual means: a) credit reporting information about the individual that was disclosed to a credit provider by a credit reporting body under Division 2 of Part IIIA; or b) CP derived information about the individual.” • Information relates to consumer credit or commercial credit that has been provided or applied in Australia • repayment history information • consumer credit liability information • default information • paid status of previously reported default information • consumer credit liability information entered into before an individual turned 18 which is still in force and the individual has turned 18. Credit Reporting Businesses • Identification information • Consumer credit liability information • Repayment history information • Type and amount of consumer or commercial credit applied for • Statement that an information request has been made by a credit provider, mortgage insurer or trade insurer. • Default information • Payment information • New arrangement information • Court proceedings information • Serious credit infringements • Bankruptcy • Personal insolvency agreement • Debt agreement • credit reporting information “credit reporting information about an individual means credit information, or CRB derived information, about the individual.” • credit reporting information 8
  9. 9. Olga Ganopolsky – Privacy Reform 23rd Annual Credit Law Conference 3rd October 2013 Not to be reproduced without the permission of the author New Dispute resolution processes • Credit Providers may list overdue payment information only where the Credit Provider is a member of an external dispute resolution scheme approved by the Information Commissioner • Individuals may complain to a credit reporting business or Credit Provider if: • access to, of correction of, certain information is refused • an act or practice engaged in by a credit reporting business or Credit Provider that may be a ‘credit reporting infringement’ • An individual may also complain to • external dispute resolution scheme • Information Commissioner • Identity theft and ability to “freeze” files • First point of contact and responsibility for resolving complaints 9
  10. 10. Credit Reporting Code
  11. 11. Credit Reporting Code Topic Summary of requirements of the CR Code Collection 1.2 Credit ID information and Capacity information can be collected by a CRB but only at the same time as credit information. CP can only disclose Credit ID information and Capacity information to a CRB. 4.1 Additional notification obligations placed on CPs before they collect personal information including: the individual’s right to access to information held by the CP to request the CP to correct their information; to make a complaint to the CP; To add a ban to information held by a CRB; and To opt-out of pre-screening. 11.1 Collection of publicly available information Information that is publicly available from non-government sources, regardless of whether it is predictive of credit risk, cannot be treated as credit information. Disclosure 9.1 Defaults A CP can only disclose default information to a CRB it has provided a notice of intention to list default and notice debt is overdue. Default cannot be disclosed earlier than 14 days after S21D(3) notice of intention to disclose to a CRB nor later than 3 months after the date of the notice. Cannot disclose a default if individual has made a hardship request and no hardship request was made in previous 4 months. 11
  12. 12. Credit Reporting Code Topic Summary of requirements of the CR Code 6.3 Consumer Credit Liability Information When a CP discloses CCLI information to a CRB they can either disclose all elements that make up CCLI or the name of the CP (a) and date credit entered into (d). Once the consumer credit is terminated CP must notify CRB within 45 days of termination. 12 Serious Credit Infringement (SCI) Draft CR Code sets out detailed rules regarding what constitutes an 13 Debt acquisition If before debt has been sold the original CP had disclosed CCLI or default information to a CRB both the original CP and the debt purchaser must ensure that the CRB is notified within 45 days of the debt acquisition. 14.1 Mistaken identity - disclosure Recipients of information that has been mistakenly supplied with information about the wrong individual must advise the CP or CRB who provided them the information of the mistake and destroy the information. CP/CRB must review its disclosure practices, procedures and systems. 12
  13. 13. Credit Reporting Code Topic Summary of requirements of the CR Code 16.1 No use or disclosure of credit eligibility information or regulated information for direct marketing other than pre-screening as defined in 20G & 20H. 16.2 Disclosure for the purposes of assisting individual to avoid defaulting CP must confirm to CRB that it is aware that the individual may be at significant risk of defaulting; or CRB is aware that an event has occurred that could reasonably indicate that the individual may be at significant risk of defaulting. 19 Rights of consumers to access their information on a 12monthly basis and at the point of being rejected for credit by their credit provider. Time periods for such access: • CP - 30 days • CRBs - 10 days Individuals can request the manner of access 21 Details as to how Complaints are to be handled, including membership of a recognised EDR shceme, information recipients and access seekers 13
  14. 14. 12 December Royal Assent (signature of Governor General) Credit reporting roadmap – regulations and Codes 02/10/2013 2012 2013 2014 AGD completes regulations 2013 Credit Reporting Code of Conduct – requires OAIC approval, breach of Code is a breach of the Act (MUST have for CR to start) 15 months after Royal Assent, new credit reporting & privacy laws start (12 March 2014) Data submission & sharing APH Account payment history 14 From Royal Assent, APH possible – but notice to consumer required before collection Sept 2013 OAIC deliberation on Credit Reporting Code By early Nov 2013 OAIC expected to approve Credit Reporting Code July 2013 Draft Credit Reporting Code lodged with OAIC End October Regulations signed , made public Industry Code of Conduct – model still being finalised, aiming for end November; ACCC must then vet. April 2013 Draft Credit Reporting Code out for public consultation
  15. 15. Olga Ganopolsky – Privacy Reform 23rd Annual Credit Law Conference 3rd October 2013 Not to be reproduced without the permission of the author Summary Issues Draft Credit Reporting Code Privacy Amendment (Enhancing Privacy Protection) Act 2012 Data fields Same but some restrictions on how data can be used or shared by the parties Positive, 5 data fields Users Same as the Act Credit Providers Complexity Very high High Dispute Resolution Enhanced More detailed Access regime by individuals Enhanced Enhanced Prescriptive regime Highly prescriptive and higher regulation on use and disclosure Highly prescriptive and higher regulation on use and disclosure Regulatory Structure Same but introduces the concept of a Code Administrator and types of auditors Office of the Information Commissioner (Privacy Commissioner) Scope of Regime Broader Broader because it includes some data not previously classified as consumer credit reporting (e.g. publicly available information) Alignment to other regimes such as responsible lending No alignent – very specific to credit reporting Some limited alignment (e.g. NCCP licensed providers have access to repayment history) 15
  16. 16. Q&A

×