This document has been archived and is no longer in use by the Office. A list of the Office's current Credit Provider Determinations is available on the Credit Reporting page - http://www.privacy.gov.au/act/credit/

Explanatory Statement : Credit Provider Determination No. 2006-2 (Classes of credit providers)

This Explanatory Statement has been drafted for the purpose of fulfilling the Office of the Privacy Commissioner's obligations under section 26(1) of the Legislative Instruments Act 2003 .

1. PURPOSE

The purpose of Credit Provider Determination No. 2006-2 (Classes of credit providers) (this Determination) is to determine that a corporation belonging to the following classes are regarded as credit providers for the purposes of section 11B(1)(b)(v)(B) of the Privacy Act:

• a corporation where, in relation to a transaction, it is considering providing or has provided a loan in respect of the provision of goods or services on terms which allow the deferral of payment, in full or in part, for at least 7 days; or
• a corporation engaged in the hiring, leasing or renting of goods, where, in relation to a transaction, no amount, or an amount less than the value of the goods, is paid as deposit for return of the goods, and the relevant arrangement is one of at least 7 days duration.

This Determination affects those businesses which are not already credit providers by virtue of paragraphs (a) or (b)(iii) to (iv) of s. 11B(1) of the Privacy Act .

A corporation deemed to be a credit provider by virtue of the Determination is regarded as the credit provider in respect of the specific loan only.

Section 11B(1)(c) extends the operation of this Determination to assignees that are not a corporation and deems such persons credit providers.

The Determination continues the effect of Determination 2003 No.1 Privacy Act 1988, s.11B(1)(b)(v)(B) - concerning classes of credit providers dated 14 February 2003 which lapses on 25 February 2006. The new Determination is substantively the same as all of the previous six Determinations issued over the past 15 years.

By being granted credit provider status under the terms of this Determination, a business falling within the class will be permitted to conduct credit reporting only in relation to the particular loan transaction in accordance with Part IIIA of the Privacy Act. In particular, they will be able to directly access an individual customer's credit report, held by a credit reporting agency in some circumstances.

If they need to, a business covered by the Determination will be permitted to directly access the individual customer's credit report held by a credit reporting agency in accordance with Part IIIA of the Privacy Act and the Credit Reporting Code of Conduct for purposes including: assessing the loan application, collecting a payment on the loan that is overdue, listing either an overdue payment or a serious credit infringement in relation to the loan, updating as paid an existing default or serious credit infringement listing in relation to the loan, or making corrections to information they have previously reported in relation to the loan.

1.1 Provisions for Credit Provider Determinations

Section 11B of the Privacy Act defines ''credit providers''. Credit providers that can conduct credit reporting include banks and certain other private sector organisations. Section 11B(1)(b)(v)(B) also allows the Privacy Commissioner to determine that a corporation that carries on a business or undertaking involving the provision of loans, (including the provision of loans by issuing credit cards), is a credit provider if is included in a class of corporations.

''Credit'' is defined in section 6(1) to mean a loan sought or obtained by an individual from a credit provider in the course of the credit provider carrying on a business or undertaking as a credit provider, being a loan that is intended wholly or primarily for domestic, family or household purposes.

1.2 Authority for making these determinations

Determination 2005 No.1 is made under s.11B(1)(b)(v) (B) of the Privacy Act. Section 11B(1) states:

1. For the purposes of this Act … a person is a credit provider if the person is:
   1. (b) a corporation (other than an agency)

      (v) that

      1. carries on a business or undertaking that involves the provision of loans (including the provision of loans by issuing credit cards); and
      2. is included in a class of corporations determined by the Commissioner to be credit providers for the purposes of this Act.

Section 28A(1)(d) states that the Commissioner has the following function in respect of credit reporting:

1. to make such determinations as the Commissioner is empowered to make under section 11B or Part IIIA.

1.3 Document incorporated by reference

The following document is incorporated by reference in this Determination and is attached as an appendix to this statement:

• Determination 2003 No.1 Privacy Act 1988, s.11B(1)(b)(v)(B) - concerning classes of credit providers dated 14 February 2003 which lapses on 25 February 2006 (Attachment A).

2. REASONS FOR MAKING THE DETERMINATION

2.1 Background to Determination

The term of the new Determination is limited to approximately six months in order that the Privacy Commissioner may undertake consultation with stakeholders affected by this Determination which include individual credit consumers and their representatives; privacy advocates; those businesses whilst not offering loans as a substantial part of their business or undertaking may allow some customers to defer payment of a debt or to incur a debt and defer its payment, which include some retail businesses, telephone companies and some energy utilities; and credit reporting agencies. The purpose of the consultation is to ascertain stakeholders' views regarding the operation of the current and related previous Determinations and the terms upon which any new Determination should be cast.

A Determination concerning classes of credit providers was made in 1991 then re-issued without substantive amendment in 1993, 1996, 2001, 2002 and 2003. The Determination issued in 2003 was made for three years until 25 February 2006.

Prior to the making of the Determination in 2003 the Office issued a consultation paper to stakeholders and sought comments on: (a) whether access to the credit reporting system was too broad; (b) whether non-conformance with the credit reporting requirements is systemic in certain industries; (c) whether credit providers, as prescribed by Determination, be required to offer a minimum amount of credit; (d) whether a 7 day credit term is a sufficient benchmark. After considering 18 submissions that were received, the then Commissioner issued a new Determination in 2003. The background to the Determination stated that the increase in levels of credit activity did not show a corresponding increase in complaints; noted that there may be signs of emerging concerns such as a lack of credit providers' understanding of their credit obligations; and the information did not warrant an amendment to the scope of the Determination.

The then Commissioner noted, however, that he expected that business would take steps to raise its awareness of its compliance obligations and that compliance with the requirements of the credit reporting system would be improved over the life of the previous Determination.

2.2 Public interest and other relevant considerations

In considering making a short-term Determination, the Privacy Commissioner has taken account of section 29 of the Privacy Act. Section 29 requires the Commissioner in the performance of her functions and the exercise of her powers under the Act to have due regard to the protection of important human rights and social rights that compete with privacy. In particular, the Commissioner has taken account of the following matters:

1. It is in the public interest that businesses covered by the Determination continue to have access to the credit reporting system regulated by Part IIIA of the Privacy Act and the Credit Reporting Code of Conduct while consultation occurs with stakeholders affected by this Determination on any new issues that may be relevant, and with regard to the terms upon which any new Determination should be cast. Such credit providers should be permitted to manage existing delinquent loan accounts by conducting credit reporting in accordance with Part IIIA of the Privacy Act and the Credit Reporting Code of Conduct during the consultation stage.
2. In this way, the public interest is served by individuals being able to demonstrate to potential lenders through access to their credit reports held by a credit reporting agency that they have an acceptable credit history and are an acceptable credit risk. Similarly, customers with existing listings on their credit reports held by a credit reporting agency should also continue to benefit by the continuing access of such credit providers to the credit reporting system, inter alia , by being able to update existing customer default listings when overdue accounts are paid in full.

The Privacy Commissioner has concluded that it substantially in the public interest to make this Determination for a period of approximately six months during which time consultation will occur with stakeholders affected by this Determination.

3. ATTACHMENT

Attachment A :

Determination 2003 No.1 Privacy Act 1988, s.11B(1)(b)(v)(B) - concerning classes of credit providers dated 14 February 2003 (which lapses on 25 February 2006).

Attachment A

Determination 2003 No.1 Privacy Act 1988, s.11B(1)(b)(v)(B) - concerning classes of credit providers

Under s.11B(1)(b)(v)(B) of the Privacy Act 1988 , I DETERMINE that:

1. All corporations belonging to the following classes are to be regarded as credit providers for the purposes of the Act:
   • a corporation where, in relation to a transaction, it is considering providing or has provided a loan in respect of the provision of goods or services on terms which allow the deferral of payment, in full or in part, for at least 7 days; or
   • a corporation engaged in the hiring, leasing or renting of goods, where, in relation to a transaction, no amount, or an amount less than the value of the goods, is paid as deposit for return of the goods, and the relevant arrangement is one of at least 7 days duration.
2. This Determination affects those businesses which are not already credit providers by virtue of paragraphs (a) or (b)(iii) to (iv) of s. 11B(1) of the Act.
3. This Determination is effectively a continuation of Determination No.1 of 2002, which expires on 25 February 2003 . Determination No.1 of 2002 was effectively a continuation of Determination No. 1 of 2001, which was effectively a continuation of Determination No.1 of 1996, which was effectively a continuation of Determination No.1 of 1993, which was effectively a continuation of Determination No.1 of 1991.
4. This Determination shall take effect on 26 February 2003 and shall lapse, unless continued by a further Determination of the Federal Privacy Commissioner, on 25 February 2006 .

MALCOLM CROMPTON Federal Privacy Commissioner

14 February 2003

DETERMINATION 2003 No. 1 UNDER s.11B(1)(b)(v)(B) - CONCERNING CLASSES OF CREDIT PROVIDERS: REASONS FOR DETERMINATION

Background

On 11 September 1991 , the then Commissioner issued Determination No. 1 of 1991 under section 11B(1)(b)(v)(B) of the Privacy Act 1988 (the Act), which deals with the definition of "credit provider" for the purposes of the Act. Under that Determination all corporations belonging to certain classes were to be regarded as credit providers. At the same time, the Commissioner issued a Statement of Reasons for the Determination.

Determination No. 1 of 1991 lapsed on 25 August 1993 and was continued, without amendment, by Determination No.1 of 1993. It was again continued, without amendment, by Determination No.1 of 1996, Determination No.1 of 2001, and Determination No.1 of 2002. Those Determinations will collectively be referred to as ''the earlier Determinations''.

When Determination No.1 of 2001 was reviewed in January 2002, some submissions expressed concern regarding the credit reporting system in general and the consequences of the earlier Determinations in particular. It was claimed there were widespread compliance failures within the credit reporting system, especially by corporations permitted access to the system by virtue of Determination No. 1 of 2001.

At that time, I decided there was insufficient information before me to justify a decision not to issue a Determination in similar terms to Determination No. 1 of 2001. Given the issues raised, however, I took the view that they warranted further consideration, and Determination No. 1 of 2002 was therefore only issued for a period of twelve months. This was to enable my Office to further investigate the issues relating to that Determination.

Consultation in 2002/3

Review Process

Throughout 2002, the Office has engaged with a range of stakeholders in the credit reporting sector on a number of issues, including those which relate to this Determination. During the course of this activity, the Office has borne in mind the issues raised in relation to this Determination. As a consequence, in September 2002, the Office released the ''Consultation Paper for the Review of Credit Reporting Determination 2002, No. 1' and called for submissions.

The Consultation Paper requested submissions concerning the Determination and its operation within the credit reporting system. Areas given detailed consideration included:

• organisations' access to the credit reporting system;
• claims of non-compliance involving organisations using the credit reporting system; and
• issues such as, minimum default listings and the 7-day credit term.

The Office received 18 submissions, including six from credit reporting agencies and credit providers, three from consumer credit advocate bodies and two from government agencies.

As well as receiving, reviewing and analysing information arising from submissions to the review of Determination No.1 of 2002, further data has also been gathered and considered. The Office has reviewed its own complaint and enquiries data relating to the credit reporting system generally, and more particularly in relation to those credit providers given access to the credit reporting system by virtue of the earlier Determinations - this has included reviewing the types and rates of complaints and enquiries received for the 18-month period between July 2001 and December 2002.

The Office also sought further qualitative data on complaints-related matters from industry stakeholders, other regulators and consumer bodies. This information has been sought and reviewed, to assist in making a decision about the further life and scope of this Determination, if any.

Information arising from submissions: claims and qualitative data

During the consultation phase, I requested information on the views and experiences of those involved in the credit reporting system in relation to this Determination. Most importantly, however, I sought statistical and other qualitative data in relation to the operation of the credit reporting system, especially regarding assertions about the impact of this Determination on consumers and business. This information was sought to augment the Office's understanding of the system, derived from its own statistical data relating to complaints and enquiries, and its experience in regulating the credit reporting system through complaints and audits.

Some key issues and information that arose during the consultation process:

1. Some submissions suggested there has been an increase in the use of the credit reporting system in relation to those businesses that are ''traditional' credit providers under s.11B(1) of Part IIIA of the Act (e.g. businesses in the financial services and telecommunications sectors), as well as by those given access to the reporting system by way of the earlier Determinations (e.g. some retailers and professional service providers, such as legal and health care practitioners).
2. Some submissions highlighted particular business sectors as harbouring systemic compliance problems. For instance, submissions from consumer advocate groups suggested these compliance issues were specific to businesses that access the reporting system through the earlier Determinations. Claims were made that complaints and enquiries in relation to these businesses have increased substantially, including one estimate of a five-fold rise. Submissions from some businesses, however, suggested the compliance problems were more widespread throughout the system and not specific to businesses with access to the system through the earlier Determinations. The kinds of compliance issues raised through the submissions included lack of providing consumers with adequate notice of the potential for listing, and inappropriately handling disputed defaults.

3. The Office considered data regarding the current annual rate of consumer credit checking and in turn the number of complaints about the credit reporting system received by the Office.

   This information indicated that the rate of complaints about credit reporting is small, relative to the number of credit checks undertaken. For example, one major credit reporting agency processes in the order of 11 million consumer credit checks annually. Yet, in the period from 1 July 2001 to 31 December 2002 , the Office received approximately 300 complaints relating to the whole credit reporting sector (equating to around 200 complaints annually). Of these only 32 related to businesses covered by the Determination. This represents about 11% of all complaints received about credit reporting.

4. One party submitted that in its view, the earlier Determinations broadened the types of businesses classified as credit providers to such an extent that the Determinations were beyond the Commissioner's statutory powers. Dealing with that issue here, and having considered it closely, I am of the view that the Commissioner's power to make such determinations under s.11B(1)(b)(v)(B) must be read in conjunction with s.11B(1)(b)(v)(A) and the definition of ''loan' found in s6, and that in light of those sections this Determination is a valid exercise of the Commissioner's powers under the Privacy Act.

Analysis

In considering and analysing the issues raised through the consultation process, I will deal with these as set out in the order above:

1. It appears that the claims regarding the growth in the credit sector and hence the credit reporting sector, relate to the perception that increased activity in these areas results in greater non-compliance overall with the regulatory framework, and so a greater risk to consumer privacy.

   Only limited statistical data was presented to the Office to support these claims, I am able only to draw observations from this information, as well as publicly available data on the operation of the credit sector, and the annual rate of complaints that my Office receives. While not specific to those classes of business covered by this Determination, Reserve Bank data released on the 11 February 2003 indicates a rise in credit activity within Australia through increasing transaction card use, including a growth in interest free credit card accounts of almost 20% over the past 3 years. This data is available at the Reserve Bank's website www.rba.gov.au/NewsArchive/index.html . Greater longitudinal data published by the Reserve Bank also reflects the rising rates and quantum of home finance and fixed loan lending over past 10 years, including for instance a sharp rise of some 35% in the amount of fixed loan lending between mid-2001 and late-2002. This data is available at http://www.rba.gov.au/Statistics/Bulletin/D05hist.xls .

   That Australians are seeking and gaining more credit, including in more and different ways, and that they are involved in more credit transactions is something we can observe as a changing trend in the personal finances of the community. This, in itself, is not a difficulty for the Determination; the question remains whether there are significant problems in the operation of the Determination by way of those businesses that operate under it. Given the increase in credit activity, it might be expected that there would be a corresponding increase in complaints. Indeed, a greater than proportionate increase might signify a systemic failure caused by the growth in the sector. This possibility is not borne out by the Office's experience in receiving and handling complaints. The Office has not seen such an upturn in the numbers of complaints.

2. Of the assertion that some businesses and business sectors harbour systemic compliance problems with the credit reporting provisions in the Privacy Act, some claims point toward the biggest growth in such problems involving those with access to the credit reporting system by virtue of the Determination.

   I note the reports from consumer advocate bodies that claim there is a rise in consumer enquiries and concerns relating mainly to those businesses covered by the Determination, and including the claim of a five-fold increase in consumer enquiries in this context. This is not reflective of the Office's experience , however, with no such growth in complaints having occurred.

3. Turning to the Office's complaints data specifically, the rate of credit-related complaints overall (around 200 annually) is not unexpectedly high, given the amount of credit activity in Australia . Most significantly, the Office's figures indicate that only a small proportion of complaints relate to businesses covered by the Determination - as noted earlier, for the period reviewed ( 1 July 2001 to 31 December 2002 ) only about 11 per cent of all credit complaints related to those businesses covered by the Determination. In my view, our data and experience, together with the data made available to the Office (limited though it is) does not reflect a system in crisis.

In the analysis of the submissions and other information gathered, it is apparent that significant importance is placed on the credit reporting system by businesses, as a means to undertake risk management in their provision of loans, goods and other services. In my view, this indicates that decisions surrounding the operation of the Determination are not a ''one-way street'.

If businesses are denied access to the system, such as by significantly varying the Determination or by not making any further Determination, this may reduce the number of complaints by a small number, but it will not do so in a way cost-neutral to consumers and the community in general. Business will surely seek to manage risk in other ways, such as by requiring bonds and deposits, or by limiting the range and delivery of services so as not to over-expose their financial risk. Such a reduction in the range of services, or in those who are able to gain credit due to the use of such risk management strategies may seriously disadvantage many consumers and their ability to gain access to a range of business products and services.

The analysis above relates specifically to the Determination, and indicates no significant systemic problem in its operation that could be addressed through changing the scope of the Determination. There may, however, be signs of broader emerging concerns in the system, as a number of submissions, both from consumer advocate bodies and the business sector, claim there is at least some lack of understanding about credit providers' compliance obligations within the sector, especially regarding notice provisions. This includes where listings are not made concordant with the Credit Reporting Code of Conduct, such that listings are made prior to the debt being 60 days overdue or the individual is not advised that the information will be listed with a credit reporting agency.

This is disturbing if it indicates a breadth of non-compliance in the credit reporting system, particularly after more than a decade of its operation, including that of the Determination currently under consideration. If this turns out to be the case, then it calls for close consideration by the credit reporting sector of its compliance obligations, including those of the businesses that use the system.

Conclusion

On the information gathered during the past year, and most especially during the recent consultation process, in my view the policy direction set out by this Determination has not erred in seeking to find a balance between consumer and business needs. The information gathered to date does not warrant amendment to the scope of this Determination at the present time.

In my opinion, the issues raised and considered during this review are not specific to the industries or sectors that gain access to the credit reporting system by virtue of this Determination. Rather, the assertions about the compliance issues raised during consultation are more general, reflecting either missing knowledge and/or failures in compliance management by a broader set of businesses that use the credit reporting system. While there is limited data on the compliance-related concerns, that they have been raised is troubling and this could reflect something more than my Office is seeing by way of complaints received.

That there are submissions asserting compliance failure is concerning, especially after so many years of the operation and maturation of the credit reporting system. For businesses participating in this system, this may be an early warning for them to closely consider the issues identified during the consultation process, and to act to assess their compliance and rectify any problems found. It would be most unfortunate if this opportunity were not taken, leading to more regulatory compliance activity or the need for legislative change to deliver more strict regulatory oversight.

In deciding to renew the Determination in its existing form, therefore, I do so expecting that business will take steps to raise its awareness of its compliance obligations, and that compliance with the requirements of the system will be improved. These are things that need to be achieved during the life of the Determination through improved vigilance to these issues by business, and through the efforts of this Office in its regulatory role. If these aims are not achieved, then consideration of the on-going status of this Determination would be warranted.

Determination

I have decided to re-issue the Determination, without amendment as Determination No. 1 of 2003.

As to the life of the Determination, I again take the view that it should not be open-ended, but should be the subject of further review following sufficient time for improved compliance measures to be instituted. I consider that a period of three years, commencing on 26 February 2003 , is appropriate for this purpose.

I have therefore included in Determination No. 1 of 2003 that it is to lapse, unless continued by a further determination, on 25 February 2006.

MALCOLM CROMPTON Federal Privacy Commissioner

14 February 2003