Olga Ganopolsky - Veda - Credit Reporting Bureaus: Auditing the compliance of credit providers


Olga Ganopolsky delivered this presentation at the 2014 Privacy Reform in Credit Reporting Forum.

From reviewing the journey toward day one compliance readiness to longer term transitional issues, the inaugural Privacy Reform in Credit Reporting Forum assessed all the critical factors industry professionals will want to know regarding the impact of privacy reform on credit reporting.

For more information about the event, please visit: http://www.informa.com.au/privacycredit14


  1. Credit Reporting Businesses: Auditing the compliance of credit providers
     Olga Ganopolsky, General Counsel, 21 May 2014
     The views expressed in this presentation are the views of the author and do not constitute legal or compliance advice. The presentation is incomplete without the discussion that accompanies it. Any reference to external documents does not constitute adoption of the whole external document.
  2. Overview
     Olga Ganopolsky, General Counsel, Veda Advantage Ltd – May 2014. Not to be reproduced without the permission of the author.
     Credit Provider
       • Credit Information: to Credit Reporting Body
       • Credit Reporting Information (= Credit Information + CRB derived information): to Credit Provider
       • Credit Eligibility Information (= Credit Reporting Information + CP derived information): to Affected Info Recipient
       • Regulated Information (= Credit Reporting Information OR Credit Eligibility Information)
  3. Privacy Act 1988 as Amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012
     Categories of regulation:
       • Personal information held by Commonwealth Government Agencies and their contracted service providers: regulated by the Australian Privacy Principles (APPs)
       • Personal information held by private sector organisations other than small businesses: regulated by the Australian Privacy Principles (APPs)
       • Credit reporting information or credit eligibility information, and information derived from that information, held by credit reporting businesses or credit providers: regulated by Part IIIA of the Act
     What is regulated? “Personal Information”
     Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
       a) whether the information or opinion is true or not; and
       b) whether the information or opinion is recorded in a material form or not.
  4. Types of Information

     | Type of information                  | Definition                                                                                                                                                                                  | Comments                                                                                                                                             |
     |--------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|
     | Consumer credit                      |                                                                                                                                                                                             | Extended in line with the National Consumer Credit Protection Act 2009 to include credit provided to acquire, maintain, renovate or improve residential investment properties. |
     | Consumer credit liability information | Certain information where a Credit Provider provides consumer credit to an individual: name of the provider, the type of consumer credit, the terms or conditions of the consumer credit etc. | There are strict use and disclosure restrictions on such information.                                                                                |
     | Credit information                   | ‘Consumer credit liability information’ in addition to the separate ‘repayment history information’.                                                                                        |                                                                                                                                                      |
     | CP derived information               | Information that a Credit Provider derived from credit reporting information received from a credit reporting business.                                                                    | This is intended to capture credit ‘scorecards’.                                                                                                     |
     | CRB derived information              | Information that a credit reporting business may derive from credit reporting information that is held by that business.                                                                   |                                                                                                                                                      |
     | Credit eligibility information       | Credit reporting information held by a Credit Provider about an individual.                                                                                                                 |                                                                                                                                                      |
     | Credit Provider                      | The definition includes banks, certain agencies, mortgage insurers, organisations or small business operators.                                                                              |                                                                                                                                                      |
     | Credit reporting information         | Credit information or CRB derived information.                                                                                                                                              |                                                                                                                                                      |
     | Permitted CP disclosure              | Permitted disclosures by a Credit Provider of credit eligibility information.                                                                                                                |                                                                                                                                                      |
     | Permitted CP use                     | Permitted uses by a Credit Provider of credit eligibility information.                                                                                                                       |                                                                                                                                                      |
  5. Privacy Act 1988 as Amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012
     20N Quality of credit reporting information
     (1) A credit reporting body must take such steps as are reasonable in the circumstances to ensure that the credit information the body collects is accurate, up-to-date and complete.
     (2) A credit reporting body must take such steps as are reasonable in the circumstances to ensure that the credit reporting information the body uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant.
     (3) Without limiting subsections (1) and (2), a credit reporting body must:
       (a) enter into agreements with credit providers that require the providers to ensure that credit information that they disclose to the body under section 21D is accurate, up-to-date and complete; and
       (b) ensure that regular audits are conducted by an independent person to determine whether those agreements are being complied with; and
       (c) identify and deal with suspected breaches of those agreements.
  6. Privacy Act 1988 as Amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012
     20Q Security of credit reporting information
     (1) If a credit reporting body holds credit reporting information, the body must take such steps as are reasonable in the circumstances to protect the information:
       (a) from misuse, interference and loss; and
       (b) from unauthorised access, modification or disclosure.
     (2) Without limiting subsection (1), a credit reporting body must:
       (a) enter into agreements with credit providers that require the providers to protect credit reporting information that is disclosed to them under this Division:
         (i) from misuse, interference and loss; and
         (ii) from unauthorised access, modification or disclosure; and
       (b) ensure that regular audits are conducted by an independent person to determine whether those agreements are being complied with; and
       (c) identify and deal with suspected breaches of those agreements.
  7. Credit Reporting Privacy Code - scope
     23.1 To ensure that CRBs are able to tailor the frequency and extent of the audits required by sections 20N and 20Q to the CPs that present the greatest risk of non-compliance, a CRB must establish a documented, risk based program to monitor CPs' compliance with their obligations under Part IIIA, incorporated in their agreements with the CRB, to ensure:
       (a) that credit information that the CP discloses to the CRB is accurate, up-to-date and complete;
       (b) that credit reporting information that the CRB discloses to the CP is protected by the CP from misuse, interference and loss and from unauthorised access, modification or disclosure; and
       (c) that the CP takes the steps in relation to requests to correct credit-related personal information required by Part IIIA, the Regulations and this CR code.
  8. Credit Reporting Privacy Code - scope
     23.2 The risk based program established by a CRB for the purposes of paragraph 23.1 must:
       (a) identify and evaluate indicators of risk of non-compliance by CPs with the obligations referred to in paragraph 23.1;
       (b) assess the risk posed by CPs of significant non-compliance with those obligations utilising those risk indicators and the range of information available to the CRB including correction requests and complaints;
       (c) utilise a reasonable range of monitoring techniques to validate and update those risk assessments from time to time (which could, for example, include questionnaires or attestations);
       (d) include an audit program for CPs to assess compliance with the obligations referred to in paragraph 23.1.
  9. Credit Reporting Privacy Code
     23.3 To be independent and so eligible under Part IIIA to conduct an audit of a CP as part of the CRB’s auditing program referred to in paragraph 23.2:
       (a) an auditor must not be a director or employee of the CP, have a significant financial interest in the CP or, at any time during the previous 12 months, had any such relationship or interest;
       (b) if the auditor is an employee of the CRB – the CRB’s organisational structure and supervision arrangements must achieve functional independence for the auditor;
       (c) if the auditor is an employee of an industry funded organisation – the organisation’s governance and supervision arrangements must achieve functional independence for the auditor; and
       (d) the auditor must not have any other association that would impair the perception of the auditor’s independence, nor had any such association at any time during the previous 12 months.
  10. Credit Reporting Privacy Code
      23.4 A CRB must take reasonable steps to ensure that a person who conducts an audit of a CP as part of the CRB’s auditing program referred to in paragraph 23.2 has sufficient expertise for the role including:
        (a) knowledge of the requirements of Part IIIA, the Regulations and this CR code;
        (b) knowledge of audit methodology and previous experience in conducting audits; and
        (c) credit reporting system experience.
      23.5 Subject to paragraphs 23.3 and 23.4, a CRB's CP auditing program for the purposes of paragraph 23.2(d) may utilise as auditors:
        (a) a CRB’s compliance or auditing team;
        (b) consultants engaged by the CRB;
        (c) consultants engaged by the CP where the CRB is satisfied as to the consultant’s independence and expertise; or
        (d) an industry funded organisation where the CRB is satisfied as to that organisation's independence and expertise.
  11. Credit Reporting Privacy Code - CP obligations
      23.6 The CRB must take reasonable steps to ensure that its audit oversight, including reporting arrangements, is sufficient to enable the CRB to form a view as to whether the CP is complying with the obligations referred to in paragraph 23.1.
      23.7 A CP must permit a person, who conducts an audit of a CP as part of the CRB’s auditing program referred to in paragraph 23.2, to have reasonable access to the CP's records for the purposes of carrying out the audit.
      23.8 A CP must take reasonable steps to rectify issues identified in the course of an audit undertaken pursuant to the CRB's auditing program referred to in paragraph 23.2.
      23.9 Where a CP fails to meet its contractual obligations to a CRB to comply with Part IIIA, the Regulations and this CR code and in particular fails to:
        (a) ensure that the credit information that the CP discloses to the CRB is accurate, up-to-date and complete; or
        (b) protect credit reporting information disclosed to the CP by a CRB from misuse, interference or loss, or unauthorised access, modification or disclosure;
  12. Credit Reporting Privacy Code - consequences
      (23.9 continued) the CRB will take such action as is reasonable in the circumstances, which may include termination of the agreement. However, termination may only occur if the CRB first provides the CP with reasonable notice of its intention to terminate the agreement and an opportunity to trigger the dispute resolution procedures in paragraph 23.10.
      23.10 Where disputes arise between two or more CRBs, CPs and affected information recipients in relation to actions undertaken or required to fulfil their obligations under Part IIIA, the Regulations or this CR code, the parties to the dispute must endeavour to resolve the dispute in a fair and efficient way.
  13. Industry Issues
        • Scope of audits
        • Timing of audits
        • Expertise and independence
        • Clarity of roles
          • CRB
          • CP
        • Data breach and the path to mandatory reporting
  14. Conclusions
        • Lessons learned so far
        • Major milestones
  15. Q&A
