National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Act 2021

(5 of 2021)

An Act to amend the law relating to credit reporting, and for other purposes

[Assented to 16 February 2021]

The Parliament of Australia enacts:

1   Short title

This Act is the National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Act 2021.

2   Commencement

(1) Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

Commencement information

| Column 1 | Column 2 | Column 3 |
|---|---|---|
| Provisions | Commencement | Date/Details |
| 1. Sections 1 to 3 and anything in this Act not elsewhere covered by this table | The day this Act receives the Royal Assent. | 16 February 2021 |
| 2. Schedule 1 | The day after this Act receives the Royal Assent. | 17 February 2021 |
| 3. Schedule 2, Part 1 | The later of: (a) the day after this Act receives the Royal Assent; and (b) 1 July 2022. | 1 July 2022 (paragraph (b) applies) |
| 4. Schedule 2, Part 2 | Immediately after the commencement of the provisions covered by table item 3. | 1 July 2022 |
| 5. Schedule 2, Part 3 | The day after this Act receives the Royal Assent. | 17 February 2021 |

Note: This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act.

(2) Any information in column 3 of the table is not part of this Act. Information may be inserted in this column, or information in it may be edited, in any published version of this Act.

3   Schedules

Legislation that is specified in a Schedule to this Act is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this Act has effect according to its terms.

Schedule 1   Main amendments

National Consumer Credit Protection Act 2009

1   Subsection 5(1)

Insert:

banking group means a relevant group of bodies corporate (within the meaning of the Banking Act 1959) that includes a body corporate covered by paragraph 133CN(1)(a) (about large ADIs).

credit information has the same meaning as in the Privacy Act 1988.

2   Subsection 5(1) (definition of credit provider)

Repeal the definition, substitute:

credit provider:

(a) when used in Part 3-2CA - has the same meaning as in the Privacy Act 1988; and

(b) otherwise - has the same meaning as in section 204 of the National Credit Code, and includes a person who is a credit provider because of section 10 of this Act.

3   Subsection 5(1)

Insert:

credit reporting body has the same meaning as in the Privacy Act 1988.

declaration of contravention means a declaration made under section 166.

eligible credit account: see section 133CO.

eligible credit reporting body: see subsection 133CN(2).

eligible licensee: see subsection 133CN(1).

evidential burden, in relation to a matter, means the burden of adducing or pointing to evidence that suggests a reasonable possibility that the matter exists or does not exist.

head company, of a banking group, means the member of the group covered by paragraph 133CN(1)(a) (about large ADIs).

large ADI has the same meaning as in the Banking Act 1959.

mandatory credit information: see section 133CP.

Part 3-2CA body: see section 133CZF.

personal information has the same meaning as in the Privacy Act 1988.

sensitive information has the same meaning as in the Privacy Act 1988.

supply requirements: see section 133CQ.

4   After Part 3-2C

Insert:

Part 3-2CA - Licensees supplying credit information to credit reporting bodies etc.

Division 1 - Introduction

133CM Guide to this Part

This Part has rules that apply to licensees that are large ADIs or are of a prescribed kind.

Each licensee must supply certain information to eligible credit reporting bodies about all of the open credit accounts held with the licensee or with other members of the licensee's corporate group.

Each licensee must then supply updated information to those credit reporting bodies on an ongoing basis.

Conditions may need to be met before the credit reporting bodies who are supplied with this information can further disclose this information to credit providers.

This Part applies in addition to the Privacy Act 1988.

133CN Meanings of eligible licensee and eligible credit reporting body

(1) A licensee is an eligible licensee, on 1 July 2021 or a later day, if on that day the licensee:

(a) is a large ADI, or is a body corporate of a kind prescribed by the regulations; and

(b) is a credit provider.

(2) A credit reporting body is an eligible credit reporting body for a licensee if:

(a) the following conditions are met:

(i) an agreement of the kind referred to in paragraph 20Q(2)(a) of the Privacy Act 1988 between the body and the licensee was in force on 2 November 2017;

(ii) the licensee is an eligible licensee on 1 July 2021; or

(b) the conditions (if any) prescribed by the regulations are met.

133CO Meaning of eligible credit account

(1) An eligible credit account is an account that:

(a) relates to the provision, or possible provision, of consumer credit (within the meaning of the Privacy Act 1988); and

(b) is held by one or more natural persons with a credit provider; and

(c) is not of a kind determined under subsection (2).

(2) ASIC may, by legislative instrument, determine one or more kinds of account for the purposes of paragraph (1)(c).

133CP Meaning of mandatory credit information

(1) Mandatory credit information, for eligible credit accounts held by natural persons with a credit provider, is personal information (other than sensitive information) for those accounts that is:

(a) identification information (within the meaning of the Privacy Act 1988) about the natural persons; or

(b) consumer credit liability information (within the meaning of the Privacy Act 1988) about the natural persons; or

(c) repayment history information (within the meaning of the Privacy Act 1988) about the natural persons; or

(e) default information (within the meaning of the Privacy Act 1988) about the natural persons; or

(f) payment information (within the meaning of the Privacy Act 1988) about the natural persons; or

(g) new arrangement information (within the meaning of the Privacy Act 1988) about the natural persons.

(2) Despite paragraph (1)(c), mandatory credit information does not include repayment history information (within the meaning of the Privacy Act 1988) that comes into existence more than 3 months before the first 1 July on which:

(a) if the credit provider is a member of a banking group - the head company of the group is an eligible licensee; or

(b) otherwise - the credit provider is an eligible licensee.

(4) Despite paragraph (1)(e), mandatory credit information does not include default information (within the meaning of the Privacy Act 1988) that comes into existence before the first 1 July on which:

(a) if the credit provider is a member of a banking group - the head company of the group is an eligible licensee; or

(b) otherwise - the credit provider is an eligible licensee.

133CQ Meaning of supply requirements

(1) Information is supplied in accordance with the supply requirements if the supply is in accordance with:

(a) the registered CR code (within the meaning of the Privacy Act 1988); and

(b) any determination under subsection (2); and

(c) any technical standards approved under subsection (4).

(2) For one or more kinds of information to be supplied under this Part, ASIC may, by legislative instrument, determine particulars of the information that must be included in the supply.

(3) Despite subsection 14(2) of the Legislation Act 2003, a determination under subsection (2) may make provision in relation to a matter by applying, adopting or incorporating, with or without modification, any matter contained in any other instrument or writing as in force or existing from time to time.

(4) ASIC may, in writing, approve technical standards for supplying one or more kinds of information under this Part.

(5) If there is an inconsistency between:

(a) the registered CR code (within the meaning of the Privacy Act 1988); and

(b) a determination under subsection (2) or a technical standard approved under subsection (4);

the registered CR code prevails to the extent of the inconsistency.

Division 2 - Supplying credit information to credit reporting bodies etc.

Subdivision A - Initial bulk supplies of credit information

133CR Requirement to supply

First bulk supply for at least 50% of total eligible credit accounts

(1) An eligible licensee must supply mandatory credit information for the accounts referred to in subsection (2) to each eligible credit reporting body (CRB) for the licensee:

(a) before the end of the later of the following periods:

(i) the 90-day period starting on the first 1 July on which the licensee is an eligible licensee;

(ii) if subsection (5) applies - the 14-day period starting on the cessation day referred to in that subsection; and

(b) in accordance with the supply requirements; and

(c) to the extent that the licensee is not prevented by the Privacy Act 1988 from doing so.

Civil penalty: 5,000 penalty units.

(2) For the purposes of subsection (1), the accounts are at least 50% of all of the eligible credit accounts held:

(a) on the first 1 July on which the licensee is an eligible licensee; and

(b) with the licensee, or with a member of a banking group of which the licensee is the head company.

The licensee may choose which eligible credit accounts make up this 50%.

Bulk supply for remaining eligible credit accounts

(3) An eligible licensee must supply mandatory credit information for the accounts referred to in subsection (4) to each eligible credit reporting body (CRB) for the licensee:

(a) before the end of the latest of the following periods:

(i) the 90-day period starting on the second 1 July on which the licensee is an eligible licensee;

(ii) if subsection (5) applies - the 14-day period starting on the cessation day referred to in that subsection;

(iii) if, because paragraph 133CS(1)(b) is no longer satisfied, subsection 133CS(1) ceases to provide the licensee with an exception to this subsection for the CRB - the 14-day period starting on the day that exception ceases to apply; and

(b) in accordance with the supply requirements; and

(c) to the extent that the licensee is not prevented by the Privacy Act 1988 from doing so.

Civil penalty: 5,000 penalty units.

(4) For the purposes of subsection (3), the accounts are all of the eligible credit accounts held:

(a) on the second 1 July on which the licensee is an eligible licensee; and

(b) with the licensee, or with a member of a banking group of which the licensee is the head company;

for which mandatory credit information was not supplied under subsection (1) to the CRB.

Possible extension of time if credit reporting body later complies with information security requirements before end of 90-day period

(5) For the purposes of subsection (1) or (3), this subsection applies if:

(a) the licensee reasonably believes that the CRB is not complying with section 20Q of the Privacy Act 1988 on the 1 July referred to in that subsection; and

(b) the licensee complies with paragraphs 133CS(2)(a) and (b) in relation to that belief; and

(c) the licensee ceases to hold that belief on a day (the cessation day) before the end of the 90-day period starting on that 1 July.

Requirements apply whether the information is kept in or outside this jurisdiction

(6) Subsection (1) or (3) applies whether the mandatory credit information is kept in or outside this jurisdiction.

133CS Exception if credit reporting body not complying with information security requirements

(1) Subsection 133CR(1) or (3) does not apply, and is taken never to have applied, to a licensee for a credit reporting body if:

(a) the licensee reasonably believes that the body is not complying with section 20Q of the Privacy Act 1988:

(i) on the 1 July referred to in that subsection; and

(ii) on the last day of the 90-day period starting on that 1 July; and

(b) in the case of subsection 133CR(3) - the licensee continues to hold that belief after that 90-day period; and

(c) the licensee satisfies subsection (2) of this section.

Note 1: Paragraph (b) means that, if the licensee ceases to hold that belief after the 90-day period starting on the 1 July in subsection 133CR(3), this exception will cease to apply and the supply requirement in subsection 133CR(3) will apply.

Note 2: A person who wishes to rely on this subsection bears an evidential burden in relation to the matters in this subsection (see subsection (3) of this section and subsection 13.3(3) of the Criminal Code).

(2) The licensee satisfies this subsection if:

(a) the licensee prepares a written notice:

(i) stating that the licensee reasonably believes that the credit reporting body is not complying with section 20Q of the Privacy Act 1988 on that 1 July; and

(ii) setting out the licensee's reasons for that belief; and

(iii) stating that the body may try to convince the licensee otherwise, but that in the case of subsection 133CR(1) the body will need to do so before the end of the 90-day period starting on that 1 July; and

(b) the licensee gives that notice to the body, and a copy to the Information Commissioner and ASIC, within 7 days after that 1 July; and

(c) the licensee prepares a written notice (the final notice):

(i) stating that the licensee reasonably believes that the body is not complying with section 20Q of the Privacy Act 1988 on the last day of that 90-day period; and

(ii) setting out the licensee's reasons for that belief; and

(d) the licensee gives the final notice to the body, and a copy to the Information Commissioner and ASIC, within 7 days after the last day of that 90-day period.

(3) A licensee who wishes to rely on subsection (1) in proceedings for a declaration of contravention or a pecuniary penalty order bears an evidential burden in relation to the matters in that subsection.

133CT Licensee must give notice if credit reporting body later complies with information security requirements

If:

(a) an eligible licensee reasonably believes that an eligible credit reporting body for the licensee is not complying with section 20Q of the Privacy Act 1988 on the first or second 1 July on which the licensee is an eligible licensee; and

(b) the licensee complies with paragraphs 133CS(2)(a) and (b) in relation to that belief; and

(c) the licensee ceases to hold that belief:

(i) in the case of subsection 133CR(1) - on a day during the 90-day period starting on that first 1 July; or

(ii) in the case of subsection 133CR(3) - on any day after that second 1 July;

the licensee must:

(d) prepare a written notice:

(i) stating that the licensee has ceased to hold that belief; and

(ii) setting out the licensee's reasons for ceasing to hold that belief; and

(e) give that notice to the body, and a copy to the Information Commissioner and ASIC, within 7 days after the day the licensee ceases to hold that belief.

Civil penalty: 5,000 penalty units.

Subdivision B - Ongoing supplies of credit information

133CU Requirement to supply

(1) If:

(a) a licensee has supplied a credit reporting body (the CRB) with mandatory credit information under this Division; and

(b) on a later day (the trigger day):

(i) the conditions (if any) prescribed by the regulations are not met for the licensee and the CRB; and

(ii) the licensee, or a member of a banking group of which the licensee is the head company, would reasonably be expected to have become aware that an event in an item of the following table has happened; and

(iii) the licensee is still an eligible licensee; and

(iv) an agreement of the kind referred to in paragraph 20Q(2)(a) of the Privacy Act 1988 is in force between the CRB and a body referred to in subparagraph (ii) of this paragraph;

the licensee must supply to the CRB the information referred to in that table item:

(c) before the end of the latest of the following periods:

(i) the 45-day period starting on the trigger day;

(ii) if subsection (2) applies - the 14-day period starting on the cessation day referred to in that subsection;

(iii) if, because paragraph 133CV(1)(b) is no longer satisfied, subsection 133CV(1) ceases to provide the licensee with an exception to this subsection for the CRB - the 14-day period starting on the day that exception ceases to apply;

(iv) if the trigger day happens because of table item 3 and is before the licensee supplies the CRB with mandatory credit information under subsection 133CR(3) - the 90-day period starting on the trigger day; and

(d) in accordance with the supply requirements; and

(e) to the extent that the licensee is not prevented by the Privacy Act 1988 from doing so.

Ongoing supplies of mandatory credit information

| Item | If this event happens: | This information must be supplied: |
|---|---|---|
| 1 | the need to correct any mandatory credit information the licensee has supplied under this Division to ensure that, having regard to a purpose for which the information is held by: (a) the licensee; or (b) a member of a banking group of which the licensee is the head company; the information is accurate, up-to-date, complete, relevant and not misleading | details of the corrected information |
| 2 | the payment of an overdue payment about which default information (within the meaning of the Privacy Act 1988) has been supplied under this Division | payment information (within the meaning of the Privacy Act 1988) relating to the payment |
| 3 | the opening of an eligible credit account with: (a) the licensee; or (b) a member of a banking group of which the licensee is the head company; provided this happens after the second 1 July on which the licensee is an eligible licensee | mandatory credit information for that account |
| 5 | default information (within the meaning of the Privacy Act 1988) comes into existence for an eligible credit account for which mandatory credit information has previously been supplied by the licensee to the CRB under this Division | the default information |
| 6 | an event: (a) of a kind prescribed by the regulations; and (b) that relates to eligible credit accounts or to the natural persons who hold those accounts | information that: (a) is, or relates to, mandatory credit information; and (b) is of a kind prescribed by the regulations for that kind of event |

Civil penalty: 5,000 penalty units.

(2) For the purposes of subparagraph (1)(c)(ii), this subsection applies if:

(a) the licensee reasonably believes that the CRB is not complying with section 20Q of the Privacy Act 1988 on the trigger day; and

(b) the licensee complies with paragraphs 133CV(2)(a) and (b) in relation to that belief; and

(c) the licensee ceases to hold that belief on a day (the cessation day) before the end of the 45-day period starting on the trigger day.

(3) Supplies under subsection (1) of information relating to multiple events, or multiple trigger days, may be made together.

(4) Subsection (1) applies whether the information referred to in the table is kept in or outside this jurisdiction.

(5) Regulations made for the purposes of subparagraph (1)(b)(i) may make provision in relation to a matter by applying, adopting or incorporating, with or without modification, any matter contained in any other instrument or writing as in force or existing from time to time.

(6) Subsection (5) has effect despite subsection 14(2) of the Legislation Act 2003.

133CV Exception if credit reporting body not complying with information security requirements

(1) Subsection 133CU(1) does not apply, and is taken never to have applied, to a licensee for a credit reporting body if:

(a) the licensee reasonably believes that the body is not complying with section 20Q of the Privacy Act 1988:

(i) on the trigger day referred to in that subsection; and

(ii) on the last day of the 45-day period starting on the trigger day; and

(b) the licensee continues to hold that belief after that 45-day period; and

(c) the licensee satisfies subsection (2) of this section.

Note 1: Paragraph (b) means that, if the licensee ceases to hold that belief after that 45-day period, this exception will cease to apply and the supply requirement in subsection 133CU(1) will apply.

Note 2: A person who wishes to rely on this subsection bears an evidential burden in relation to the matters in this subsection (see subsection (3) of this section and subsection 13.3(3) of the Criminal Code).

(2) The licensee satisfies this subsection if:

(a) the licensee prepares a written notice:

(i) stating that the licensee reasonably believes that the body is not complying with section 20Q of the Privacy Act 1988 on the trigger day; and

(ii) setting out the licensee's reasons for that belief; and

(iii) stating that the body may try to convince the licensee otherwise; and

(b) the licensee gives that notice to the body, and a copy to the Information Commissioner and ASIC, within 7 days after the trigger day; and

(c) the licensee prepares a written notice (the final notice):

(i) stating that the licensee reasonably believes that the body is not complying with section 20Q of the Privacy Act 1988 on the last day of that 45-day period; and

(ii) setting out the licensee's reasons for that belief; and

(d) the licensee gives the final notice to the body, and a copy to the Information Commissioner and ASIC, within 7 days after the last day of that 45-day period.

(3) A licensee who wishes to rely on subsection (1) in proceedings for a declaration of contravention or a pecuniary penalty order bears an evidential burden in relation to the matters in that subsection.

(4) Subsection 21U(2) of the Privacy Act 1988 does not require a licensee to give a credit reporting body notice of a correction of certain information if:

(a) subsection (1) of this section is providing the licensee with an exception from a requirement under subsection 133CU(1) of this Act; and

(b) that requirement is to supply the corrected information to the body;

unless the reason under subsection 21U(1) of the Privacy Act 1988 for the correction is that the information is inaccurate, and it was inaccurate when earlier supplied to the body under this Division.

133CW Licensee must give notice if credit reporting body later complies with information security requirements

If:

(a) an eligible licensee reasonably believes that an eligible credit reporting body for the licensee is not complying with section 20Q of the Privacy Act 1988 on the trigger day referred to in subsection 133CU(1); and

(b) the licensee complies with paragraphs 133CV(2)(a) and (b) in relation to that belief; and

(c) the licensee ceases to hold that belief on any day after the trigger day;

the licensee must:

(d) prepare a written notice:

(i) stating that the licensee has ceased to hold that belief; and

(ii) setting out the licensee's reasons for ceasing to hold that belief; and

(e) give that notice to the body, and a copy to the Information Commissioner and ASIC, within 7 days after the day the licensee ceased to hold that belief.

Civil penalty: 5,000 penalty units.

Subdivision C - Offences

133CX Offence relating to initial bulk supplies

(1) A person commits an offence if:

(a) the person is subject to a requirement under subsection 133CR(1) or (3); and

(b) the person engages in conduct; and

(c) the conduct contravenes the requirement.

Criminal penalty: 100 penalty units.

(2) Section 14.1 of the Criminal Code does not apply to an offence against subsection (1).

Note: For an exception to an offence against subsection (1), see subsection 133CS(1). A defendant bears an evidential burden in relation to the matters in subsection 133CS(1) (see subsection 13.3(3) of the Criminal Code).

133CY Offence relating to ongoing supplies

(1) A person commits an offence if:

(a) the person is subject to a requirement under subsection 133CU(1); and

(b) the person engages in conduct; and

(c) the conduct contravenes the requirement.

Criminal penalty: 100 penalty units.

(2) Section 14.1 of the Criminal Code does not apply to an offence against subsection (1).

Note: For an exception to an offence against subsection (1), see subsection 133CV(1). A defendant bears an evidential burden in relation to the matters in subsection 133CV(1) (see subsection 13.3(3) of the Criminal Code).

133CZ Offence relating to giving notice if credit reporting body later complies with information security requirements

A person commits an offence if:

(a) the person is subject to a requirement under section 133CT or 133CW; and

(b) the person engages in conduct; and

(c) the conduct contravenes the requirement.

Criminal penalty: 100 penalty units.

Division 3 - Conditions on credit reporting bodies on-disclosing credit information

133CZA On-disclosing information supplied under Division 2 etc.

(1) This section applies to a credit reporting body in relation to the following information (the protected information):

(a) any information that the credit reporting body is supplied under Division 2;

(b) any CRB derived information (within the meaning of the Privacy Act 1988) that is derived from information that the credit reporting body is supplied under Division 2.

When protected information must not be disclosed

(2) If the conditions prescribed by the regulations are met for the credit reporting body and a credit provider, the credit reporting body must not disclose to the credit provider so much of the protected information as:

(a) is prescribed by the regulations; or

(b) is of a kind or kinds prescribed by the regulations.

Civil penalty: 5,000 penalty units.

When protected information must be disclosed

(3) If the conditions prescribed by the regulations are met for the credit reporting body and a credit provider, the credit reporting body must disclose to the credit provider so much of the protected information as:

(a) the regulations require to be disclosed; or

(b) is of a kind or kinds prescribed by the regulations;

and which the Privacy Act 1988 does not prevent the credit reporting body from disclosing.

Civil penalty: 5,000 penalty units.

(4) If the credit reporting body is required under subsection (3) to disclose information, the credit reporting body must make the disclosure by the time, and in accordance with the requirements, prescribed by the regulations.

Civil penalty: 5,000 penalty units.

Incorporation of other instruments

(5) Regulations made for the purposes of subsection (2), (3) or (4) may make provision in relation to a matter by applying, adopting or incorporating, with or without modification, any matter contained in any other instrument or writing as in force or existing from time to time.

(6) Subsection (5) has effect despite subsection 14(2) of the Legislation Act 2003.

Matters regulations may deal with

(7) Without limiting subsection (2), (3) or (4), a matter prescribed for the purposes of that subsection may depend on a person or body being satisfied of one or more specified matters.

133CZB Offence

A person commits an offence if:

(a) the person is subject to a requirement under subsection 133CZA(2), (3) or (4); and

(b) the person engages in conduct; and

(c) the conduct contravenes the requirement.

Criminal penalty: 100 penalty units.

Division 4 - Reporting to the Minister

133CZC Reports about initial bulk supplies of credit information

(1) A licensee who is required under subsection 133CR(1) or (3) to supply mandatory credit information must arrange:

(a) for the preparation of a written statement containing information of the kinds prescribed by the regulations relating to:

(i) the mandatory credit information; or

(ii) the eligible credit accounts to which the mandatory credit information relates; and

(b) for a person appointed under section 133CZD to audit that statement and prepare a written report of the audit; and

(c) for that statement and audit report to be given to the Minister within 6 months after the 1 July referred to in that subsection.

Civil penalty: 5,000 penalty units.

(2) A credit reporting body to whom mandatory credit information is required under subsection 133CR(1) or (3) to be supplied must arrange:

(a) for the preparation of a written statement containing information of the kinds prescribed by the regulations relating to:

(i) the mandatory credit information; or

(ii) the eligible credit accounts to which the mandatory credit information relates; and

(b) for a person appointed under section 133CZD to audit that statement and prepare a written report of the audit; and

(c) for that statement and audit report to be given to the Minister within 6 months after the 1 July referred to in that subsection.

Civil penalty: 5,000 penalty units.

(3) For the purposes of subsection (1) or (2), disregard section 133CS when working out whether a person is required under subsection 133CR(1) or (3) to supply mandatory credit information to another person.

133CZD Auditors

(1) ASIC may, in writing, appoint as auditors for the purposes of this Division:

(a) one or more suitably qualified persons; or

(b) the members of one or more classes of suitably qualified persons.

(2) The reasonable fees and expenses of an auditor for preparing an audit report under this Division are payable by the person required to arrange for the preparation of the statement to which the audit report relates.

(3) The auditor may recover those fees by action against that person.

133CZE Offence

A person commits an offence if:

(a) the person is subject to a requirement under subsection 133CZC(1) or (2); and

(b) the person engages in conduct; and

(c) the conduct contravenes the requirement.

Criminal penalty: 100 penalty units.

Division 5 - Assisting ASIC

133CZF Meaning of Part 3-2CA body

A Part 3-2CA body is a person that is or has been:

(a) an eligible licensee; or

(b) an eligible credit reporting body for a licensee.

133CZG Obligation to provide a statement or obtain an audit report if directed by ASIC

Notice to Part 3-2CA body to provide a statement

(1) ASIC may give a Part 3-2CA body a written notice directing the body to lodge with ASIC a written statement containing specified information about whether the body, or another Part 3-2CA body, is complying with this Part (other than Division 4).

(2) Notices under subsection (1):

(a) may be given at any time; and

(b) may be given to one or more particular Part 3-2CA bodies, or to each Part 3-2CA body in one or more classes of Part 3-2CA bodies, or to all Part 3-2CA bodies; and

(c) may require all the same information, or may contain differences as to the information they require; and

(d) may require a statement containing information to be given on a periodic basis, or each time a particular event or circumstance occurs, without ASIC having to give a further written notice.

Notice to Part 3-2CA body to obtain an audit report

(3) ASIC may also give a Part 3-2CA body a written notice directing the body to obtain an audit report prepared:

(a) by a suitably qualified person specified in the notice; and

(b) on a statement, or on each statement in a class of statements, under subsection (1); and

(c) before the statement is given to ASIC.

(4) A notice under subsection (3) is not a legislative instrument.

Notice must specify day by which Part 3-2CA body must comply

(5) A notice given under this section must specify the day by which the Part 3-2CA body must comply with the notice (which must be a reasonable period after the notice is given). ASIC may extend the day by giving a written notice to the Part 3-2CA body.

Requirement to comply with notice

(6) The Part 3-2CA body must comply with a notice given under this section within the time specified in the notice.

Civil penalty: 5,000 penalty units.

Offence

(7) A person commits an offence if:

(a) the person is subject to a requirement under subsection (6); and

(b) the person engages in conduct; and

(c) the conduct contravenes the requirement.

Criminal penalty: 6 months imprisonment.

133CZH Obligation to give ASIC information required by the regulations

Regulations may require Part 3-2CA body to give information

(1) The regulations may require:

(a) a Part 3-2CA body; or

(b) each Part 3-2CA body in a class of Part 3-2CA bodies;

to give ASIC specified information about whether the body, or another Part 3-2CA body, is complying with this Part (other than Division 4).

Requirement to comply with regulations

(2) If regulations under subsection (1) require a Part 3-2CA body to give ASIC information, the body must give ASIC that information.

Civil penalty: 5,000 penalty units.

Offence

(3) A person commits an offence if:

(a) the person is subject to a requirement to give ASIC information under subsection (2); and

(b) the person engages in conduct; and

(c) the conduct contravenes the requirement.

Criminal penalty: 6 months imprisonment.

133CZI Obligation to provide ASIC with assistance if reasonably requested

Requirement to provide assistance

(1) If ASIC, or a person authorised by ASIC, reasonably requests assistance from a Part 3-2CA body (the assisting body) about whether:

(a) the assisting body; or

(b) another Part 3-2CA body;

is complying with this Part (other than Division 4), the assisting body must give ASIC or the authorised person the requested assistance.

Civil penalty: 5,000 penalty units.

(2) If the request is in writing, it is not a legislative instrument.

Offence

(3) A person commits an offence if:

(a) the person is subject to a requirement to give ASIC or an authorised person assistance under subsection (1); and

(b) the person engages in conduct; and

(c) the conduct contravenes the requirement.

Criminal penalty: 6 months imprisonment.

133CZJ Extended application of Division 4 of Part 2-5

(1) Division 4 of Part 2-5 also applies in relation to an audit report required under subsection 133CZG(3) as if the substitutions in the following table, and the modification in subsection (2) of this section, were made.

Substitutions to be made

| Item | For a reference in Division 4 of Part 2-5 to: | substitute a reference to: |
| --- | --- | --- |
| 1 | licensee | Part 3-2CA body |
| 2 | subsection 49(3) | subsection 133CZG(3) |
| 3 | financial records or other credit books | records |

(2) For the purposes of subsection (1), assume that paragraphs 104(2)(a) and (b) were replaced with the following:

"(a) constitutes or may constitute a contravention of Part 3-2CA (other than Division 4); or".

Division 6 - Miscellaneous

133CZK This Part does not limit the Privacy Act 1988

Subject to subsection 133CV(4), this Part does not limit the operation of the Privacy Act 1988.

133CZL Review of the operation of this Part

(1) The Minister must cause an independent review to be conducted of the operation of this Part.

(2) The persons who conduct the review must complete it, and give the Minister a written report of the review, before 1 October 2024.

(3) The Minister must cause copies of the report to be tabled in each House of the Parliament within 15 sitting days of that House after the report is given to the Minister.

133CZM Main constitutional basis

The main constitutional basis for this Part is set out in Part 1-3.

133CZN Other constitutional bases

(1) Independently of section 133CZM, this Part also has effect as provided by subsections (2), (3), (4) and (5).

Other constitutional bases - eligible licensees

(2) This Part also has the effect it would have if a reference in it to an eligible licensee were expressly confined to an eligible licensee that is a corporation to which paragraph 51(xx) of the Constitution applies.

(3) This Part also has the effect it would have if a reference in it to an eligible licensee were expressly confined to an eligible licensee acting:

(a) in the course of; or

(b) in relation to;

the carrying on of the business of banking, other than State banking (within the meaning of paragraph 51(xiii) of the Constitution) not extending beyond the limits of the State concerned.

Other constitutional bases - credit reporting bodies

(4) Division 3, subsection 133CZC(2) and Division 5 also have the effect they would have if a reference in them to a credit reporting body were expressly confined to a credit reporting body that is a corporation to which paragraph 51(xx) of the Constitution applies.

(5) Division 3, subsection 133CZC(2) and Division 5 also have the effect they would have if a reference in them to a credit reporting body were expressly confined to a credit reporting body acting:

(a) in the course of; or

(b) in relation to;

the carrying on of the business of banking, other than State banking (within the meaning of paragraph 51(xiii) of the Constitution) not extending beyond the limits of the State concerned.

5   At the end of paragraph 265(2)(c)

Add:

(iii) is of a provision of Part 3-2CA (about mandatory comprehensive credit reporting); or

6   Section 266 (at the end of the heading)

Add "or credit reporting".

7   Section 266

Before "ASIC may give", insert "(1)".

8   At the end of section 266

Add:

(2) ASIC may give to:

(a) a Part 3-2CA body that is, or has been, subject to a requirement under Part 3-2CA (other than Division 4), either alone or together with any other person or persons; or

(b) a representative, banker, lawyer or auditor of a person referred to in paragraph (a);

a written notice requiring the production to a specified ASIC member or ASIC staff member, at a specified place and time, of specified books relating to:

(c) information, or a statement, to which that requirement relates; or

(d) the character or financial situation of, or a business carried on by, a person who is, or has been, subject to that requirement.

Note 1: Part 3-2CA is about mandatory comprehensive credit reporting.

Note 2: Failure to comply with a requirement made under this subsection is an offence (see section 290).

9   Paragraph 267(1)(b)

After "paragraph 266(1)(d) or (e)", insert "or (2)(c) or (d)".

10   Paragraph 307(1)(b)

After "paragraph 266(1)(d) or (e)", insert "or (2)(c) or (d)".

Privacy Act 1988

11   At the end of section 20Q

Add:

(3) Without limiting subsection (1), if a credit reporting body holds credit reporting information, the body must store the information:

(a) either:

(i) in Australia or an external Territory; or

(ii) in accordance with any security requirements prescribed by the regulations for storing the information outside of Australia and the external Territories; and

(b) in accordance with any security requirements prescribed by the regulations.

Note: Requirements prescribed for paragraph (b) apply wherever the information is stored.

Schedule 2   Financial hardship and other amendments

Part 1   Financial hardship amendments

Privacy Act 1988

1   Subsection 6(1)

Insert:

financial hardship arrangement has the meaning given by subsection 6QA(1).

financial hardship information has the meaning given by subsection 6QA(4).

National Credit Code has the same meaning as in the National Consumer Credit Protection Act 2009.

2   Subsection 6(1) (definition of residential property)

Omit "(within the meaning of the National Consumer Credit Protection Act 2009)".

3   After paragraph 6N(c)

Insert:

(ca) financial hardship information about the individual; or

4   After section 6Q

Insert:

6QA Meanings of financial hardship arrangement and financial hardship information

Financial hardship arrangement

(1) If:

(a) a credit provider provides consumer credit to an individual; and

(b) the National Credit Code applies to the provision of the credit; and

(c) the individual is or will be unable to meet the individual's obligations in relation to the consumer credit; and

(d) as a result of the inability, an arrangement covered by subsection (3) affecting the monthly payment obligations of the individual is made between the credit provider and the individual which is either:

(i) a permanent variation to the terms of the consumer credit; or

(ii) a temporary relief from or deferral of the individual's obligations in relation to the consumer credit;

then the arrangement is a financial hardship arrangement.

Note: Financial hardship arrangements affect repayment history information: see subsection 6V(1A).

(2) For the purposes of this section, it does not matter whether the arrangement was initiated by the credit provider or the individual.

(3) This subsection covers any kind of agreement, arrangement or understanding, whether formal or informal, whether express or implied and whether or not enforceable, or intended to be enforceable, by legal proceedings.

Examples: An arrangement might involve a credit provider agreeing to:

(a) defer or reduce required monthly payments for a temporary period; or

(b) accept interest-only payments for a temporary period; or

(c) extend the term of a loan to reduce monthly payments.

Financial hardship information

(4) If subsection 6V(1A) (about financial hardship arrangements) applies in determining repayment history information about an individual, then the following information is financial hardship information about the individual:

(a) for an arrangement referred to in subparagraph (1)(d)(i) (about permanent variations) - information, relating only to the first monthly payment affected by the arrangement, that indicates that the monthly payment is the first monthly payment affected by a financial hardship arrangement of that kind;

(b) for an arrangement referred to in subparagraph (1)(d)(ii) (about temporary relief or deferral of obligations) - information, relating to each monthly payment affected by the arrangement, that indicates that the monthly payment was affected by a financial hardship arrangement of that kind.

Note: Paragraph (b) may apply even if, under the arrangement, the individual is not required to make a payment for a month: see subsection 6V(1B).

(5) Paragraph (4)(b) does not apply in relation to a monthly payment under a financial hardship arrangement if:

(a) the individual met the obligation to make the monthly payment, as affected by the arrangement; and

(b) the amount paid was equal to, or greater than, the amount the individual would have been obliged to pay apart from the arrangement.

5   After subsection 6V(1)

Insert:

(1A) If an obligation of the individual to make a monthly payment is, or is taken by subsection (1B) to be, affected by a financial hardship arrangement, then repayment history information is to be determined by reference to that obligation as so affected.

Note: In this case, there may be financial hardship information: see subsections 6QA(4) and (5).

(1B) If, under a financial hardship arrangement, an individual is not required to make a monthly payment for a month, then, for the purposes of subsections (1) and (1A) and section 6QA:

(a) a monthly payment is taken to have been due and payable on the day on which it would have been due and payable apart from the arrangement; and

(b) the individual is taken to have met the obligation to make the monthly payment; and

(c) the obligation to make the monthly payment is taken to be affected by the arrangement.

6   Paragraph 20C(4)(e)

After "repayment history information", insert "or financial hardship information".

7   Subsection 20E(4)

After "repayment history information", insert "or financial hardship information".

7A   After subsection 20E(4)

Insert:

(4A) Despite subsection (3), if the credit reporting information is, or was derived from, financial hardship information about the individual, the credit reporting body must not disclose the information under paragraph (3)(a) or (f) to a credit provider or mortgage insurer if the provider or insurer requested the information for the purpose of:

(a) in the case of a credit provider:

(i) collecting payments that are overdue in relation to consumer credit provided by the provider to the individual; or

(ii) collecting payments that are overdue in relation to commercial credit provided by the provider to a person; or

(iii) assessing whether to accept the individual as a guarantor in relation to credit for which an application has been made to the provider by a person other than the individual; or

(b) in the case of a mortgage insurer - assessing the risk of the individual defaulting on mortgage credit in relation to which the insurer has provided insurance to a credit provider.

Civil penalty: 2,000 penalty units.

8   At the end of section 20E

Add:

No disclosure of financial hardship information as part of credit score

(7) Subsection (3) does not apply to the disclosure of CRB derived information which contains or takes the form of a credit score where the credit information from which the credit score is derived includes financial hardship information.

9   Paragraph 20G(2)(c)

Omit "or repayment history information,", substitute "repayment history information, or financial hardship information".

10   Section 20W (after table item 2)

Insert:

2A | financial hardship information | the period of 1 year that starts on the day on which the monthly payment to which the information relates is due and payable.

11   Paragraph 21D(3)(c)

After "repayment history information", insert "or financial hardship information".

12   After section 21E

Insert:

21EA Financial hardship information must be disclosed

If:

(a) a credit provider discloses to a credit reporting body repayment history information about an individual in relation to a monthly payment under section 21D; and

(b) financial hardship information about that individual exists in relation to that monthly payment;

the credit provider must, at the same time, disclose the financial hardship information to the credit reporting body.

Civil penalty: 500 penalty units.

13   Subsection 21G(4)

After "repayment history information", insert "or financial hardship information".

14   Application

The amendments made by this Part apply in relation to arrangements made on or after the commencement of this Part, regardless of whether the consumer credit was applied for before, on or after that commencement.

Part 2   Related amendments

National Consumer Credit Protection Act 2009

15   Subsection 5(1)

Insert:

financial hardship information has the same meaning as in the Privacy Act 1988.

16   After paragraph 133CP(1)(c)

Insert:

(d) financial hardship information about the natural persons; or

17   After subsection 133CP(2)

Insert:

(3) Despite paragraph (1)(d), mandatory credit information does not include financial hardship information that comes into existence:

(a) before 1 July 2022; or

(b) more than 3 months before the first 1 July on which:

(i) if the credit provider is a member of a banking group - the head company of the group is an eligible licensee; or

(ii) otherwise - the credit provider is an eligible licensee.

Note: Paragraph (b) is included to deal with the case where the first 1 July is in 2023 or a later year.

18   Subsection 133CU(1) (after table item 3)

Insert:

4 | financial hardship information comes into existence for an eligible credit account on or after the later of: (a) 1 July 2022; and (b) the day after the first day mandatory credit information for the account is supplied by the licensee to the CRB under this Division | the financial hardship information

19   Before subsection 67(1) of the National Credit Code

Insert:

Changes merely because financial hardship information exists

(1A) A provision of a continuing credit contract has no effect to the extent that a credit provider purports to rely on the provision to:

(a) refuse to provide any further credit to the debtor; or

(b) reduce the debtor's credit limit;

merely because financial hardship information (within the meaning of the Privacy Act 1988) about the debtor exists.

Credit contracts continue for any credit previously provided

20   Before subsection 67(2) of the National Credit Code

Insert:

Giving notice of decision not to provide further credit or of decision to reduce credit limit

21   Before subsection 67(4) of the National Credit Code

Insert:

Credit limits may only be increased at request or with consent

National Consumer Credit Protection (Transitional and Consequential Provisions) Act 2009

22   In the appropriate position

Insert:

Schedule 9 - Application provisions for the National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Act 2021

23   Application

The amendments of the National Credit Code made by Part 2 of Schedule 2 to the National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Act 2021 apply in relation to credit contracts entered into before, on or after the commencement of that Part.

Part 3   Other amendments

Privacy Act 1988

24   Subsection 6(1)

Insert:

non-participating credit provider means a credit provider to which all of the following apply:

(a) the credit provider has not disclosed credit reporting information or credit eligibility information about an individual to a credit reporting body or another credit provider;

(b) the credit provider is not likely to disclose credit reporting information or credit eligibility information about an individual to a credit reporting body or another credit provider;

(c) the credit provider has not collected credit reporting information or credit eligibility information about an individual from a credit reporting body or another credit provider.

25   Subparagraph 20E(3)(c)(ii)

After "member of", insert "or subject to".

25A   Subsection 20R(1)

Repeal the subsection, substitute:

Access

(1) If a credit reporting body holds credit reporting information about an individual, the body must, on request by an access seeker in relation to the information, give the access seeker access to:

(a) the information; and

(b) if the body is a corporation to which paragraph 51(xx) of the Constitution applies, and the credit reporting business of the body involves deriving CRB derived information about individuals in the form of a rating (a credit rating) of the individuals on a credit score scale or range - the information referred to in subsection (1A).

(1A) The information is:

(a) the credit rating of the individual, as derived by the body after the request is made; and

(b) information that identifies the particular credit information that is held by the body and from which the credit rating was derived; and

(c) information about the relative weighting of the credit information described in paragraph (b) in deriving the credit rating; and

(d) information about what the other ratings on the scale or range are, and how the individual's credit rating relates to those other ratings.

25B   At the end of subsection 20R(2)

Add:

; or (d) for information referred to in subsection (1A) - the credit information about the individual that is held by the body is insufficient for the body to be able to derive the credit rating of the individual in the ordinary course of its credit reporting business within the period referred to in subsection (3).

25C   Subsection 20R(5)

Omit "12 months", substitute "3 months".

26   At the end of section 21B

Add:

Exemption for certain non-participating credit providers

(8) This section does not apply to a non-participating credit provider.

27   Subparagraph 21D(2)(a)(i)

After "member of", insert "or subject to".

28   Subparagraph 21G(3)(e)(ii)

After "member of", insert "or subject to".

29   Subparagraph 21T(7)(b)(i)

After "member", insert "or to which it is subject".

30   At the end of section 21U

Add:

Exemption for certain non-participating credit providers

(5) This section does not apply to a non-participating credit provider.

31   At the end of section 21V

Add:

Exemption for certain non-participating credit providers

(7) This section does not apply to a non-participating credit provider.

32   Subparagraph 21W(3)(c)(i)

After "member", insert "or to which it is subject".

33   Subparagraph 23B(4)(b)(i)

After "member", insert "or to which it is subject".

34   At the end of Part IIIA

Add:

Division 8 - Review

25B Review of operation of this Part

(1) The Minister must cause an independent review to be conducted of the operation of this Part.

(2) The persons who conduct the review must complete it, and give the Minister a written report of the review, before 1 October 2024.

(3) The Minister must cause a copy of the report to be tabled in each House of the Parliament within 15 sitting days of that House after the report is given to the Minister.

35   Application

(1) The amendments made by this Part, apart from items 25A, 25B, 25C and 34, apply in relation to consumer credit applied for, or provided, after the commencement of this Part.

(2) The amendments made by items 25A, 25B and 25C apply to requests made under subsection 20R(1) of the Privacy Act 1988 on or after the commencement of this Part.