A new Australian Credit Reporting Code: key changes that credit providers need to be aware of

November 13, 2024

Key points

• A new Privacy (Credit Reporting) Code 2024 (New CR Code) was registered on 1 October 2024 and replaces the prior version 2.3 of this code.
• Key changes in the New CR Code include clarification of some important definitions, the introduction of additional measures to protect victims of fraud and increased transparency obligations for credit reporting bodies and credit providers.
• The introduction of a soft enquiries framework has been omitted from the New CR Code pending the release of a separate review of Australia's credit reporting framework.

Background

Under section 26S of the Privacy Act 1988 (Cth) (Privacy Act), the Australian Information Commissioner can register a 'CR code' that imposes binding obligations on credit providers and credit reporting bodies. A breach of the registered CR code constitutes an interference in the privacy of the affected individuals, which allows those individuals to make a complaint under the Privacy Act.

Following a long consultation process commenced after an independent review of the CR code in 2021, the New CR Code was registered on 1 October 2024. The New CR Code was developed by the Australian Retail Credit Association and replaces the Privacy (Credit Reporting) Code 2014 (version 2.3) (Prior CR Code).

What's changed

The changes introduced in the New CR Code implement 15 of the proposals made in the 2021 independent review of the Prior CR Code. The format of the New CR Code has also been updated to align with other similar legislative instruments (although in most cases the original paragraph numbering has been retained to provide consistency). However, this change of format may make it more difficult for credit providers to determine which of their obligations have changed.

While many of the changes are minor, there are a number of key changes that credit providers need to be aware of. These include:

(a) New mandatory content for credit reporting collection notices

A new section 4(3)(a) has been added in the New CR Code that introduces an additional requirement for the contents of credit reporting collection notices (sometimes known as statements of notifiable matters).

By way of context, section 21C of the Privacy Act requires credit providers to give individuals a notice setting out certain mandatory disclosures when the credit provider collects personal information about the individual that the credit provider is likely to disclose to a credit reporting body. Section 21C(1)(a)(ii) allows the list of mandatory disclosures to be supplemented by the registered CR code.

Section 4(3)(a) of the New CR Code now requires credit providers to include additional details in their credit reporting collection notices where the disclosure of personal information to a credit reporting body will be an 'information request' (which is the defined term used in the Privacy Act for undertaking a credit check on an individual). The additional details that must be disclosed in such circumstances are:

• that the individual's consent to the disclosure is not required (i.e. informing individuals that the credit provider is not required to obtain the individual's consent before undertaking a credit check on them);
• that a record of the information request being made may be used and disclosed for the purpose of assessing the individual's credit worthiness, including calculating a credit score or credit rating (i.e. informing individuals that undertaking a credit check can affect their credit score); and
• in general terms, how the making of the information request may affect the individual's credit score.

This amendment appears to be intended to educate consumers about how their credit score is calculated and can be affected. In practice, this will require all credit providers to make an immediate update to their credit reporting collection notices to cover this new requirement. Credit providers may need to liaise with the credit reporting bodies that they deal with to understand how the making of an information request can affect an individual's credit score or credit rating with that body.

(b) Use of common descriptors for consumer credit

Amendments in the New CR Code have clarified the requirements for the development and use of common descriptors for consumer credit. Section 6(2) now requires credit reporting bodies to "in conjunction with other credit reporting bodies and credit providers, contribute to the development and maintenance of common descriptors of the types of consumer credit".

New section 6(3) then includes a positive obligation requiring credit providers to use the common descriptors developed under section 6(2) when disclosing information to a credit reporting body about the type of consumer credit they have provided to individuals.

Credit providers will now need to ensure that they implement and use any agreed common descriptors, which may require credit providers to make changes to their IT systems to ensure any information being provided to credit reporting bodies uses the appropriate descriptors.

(c) New requirement for sending section 21D(3) notices

A new section 9(3)(d) has been included in the New CR Code that imposes an additional requirement when giving a customer a notice under section 21D(3) of the Privacy Act. A section 21D(3) notice is the second of two notices required to be given to the individual prior to default information being disclosed by the credit provider to a credit reporting body (i.e. prior to default listing a customer who has not repaid an amount of credit).

The new section requires that "the credit provider must not give the section 21D(3) notice with other correspondence that a reasonable person would conclude materially reduces the prominence of the messages in the notice". Paragraph 86 in the explanatory statement that accompanied the registration of the New CR Code suggests this is intended to avoid the risk that a section 21D(3) notice would be invalidated by a minor technicality, such as the inclusion of a return envelope or the provision of additional information about seeking assistance for hardship or financial difficulty.

Credit providers will need to consider whether changes need to be made to their processes for communicating with customers in default as a result of this new requirement. In particular, credit providers that are also required to comply with the National Credit Code should ensure this new requirement does not affect their processes and procedures for sending notices under sections 87 and 88 of the National Credit Code. In practice, these issues should be unlikely to arise, as these notices under the National Credit Code are more commonly issued at an earlier stage of a default process and are more likely to be combined with the first of the two notices required to be issued under section 6Q of the Privacy Act instead.

(d) New requirements to offer a ban notification service

Section 20K of the Privacy Act currently includes the right for individuals who reasonably believe they have been, or will be, a victim of fraud to request that credit reporting bodies not use or disclose their credit reporting information. If such a request is made by an individual, then the credit reporting body is prohibited from disclosing credit reporting information to credit providers for a period of 21 days (which is extendible on request from the individual) and instead the credit reporting body must inform the credit provider that there is a ban period in place. In practice, this process serves to alert credit providers who take the prudent step of obtaining a credit report on applicants that a potentially fraudulent credit application has been made.

A new section 17(2) of the New CR Code introduces a new requirement for credit reporting bodies to offer a 'ban notification service', which is a free-of-charge service required to be offered by a credit reporting body to notify an individual of requests from a credit provider, mortgage insurer or trade insurer for credit reporting information relating to that individual when a ban period is in effect. New section 17(6) then requires the credit reporting body to notify the individual if a request for their credit reporting information has been made while a ban period is in effect.

In practice, these new obligations empower individuals who have been a victim of identity theft to be able to proactively contact credit providers to whom a fraudulent credit application has been made in their name. While no additional obligations are imposed on credit providers as a result of these new provisions, credit providers should ensure that their customer service teams are made aware of the potential for victims of fraud to proactively contact the credit provider where a fraudulent credit application has been made in their name.

(e) Clarifications regarding correction requests

A number of clarifications have also been made in section 20 of the New CR Code relating to obligations imposed on credit providers in relation to handling correction requests from individuals. These include:

• making it clear that a correction request can relate to a single piece of information or multiple pieces of information;
• in circumstances where:
  • an information request is made by the credit provider (i.e. a credit check is undertaken);
  • the credit application is subsequently refused; and
  • the individual requests a correction on the basis that the information requests were caused by fraud,

  then the credit provider must consider specific factors when asking for evidence from the individual to substantiate the fraud (including the burden on the individual of providing the evidence, whether other information could be used to determine if correction is required and if information is likely to be needed to consult with other credit providers or credit reporting bodies in relation to the correction request). A second credit provider or a credit reporting body that is consulted by the first credit provider about the request must also consider similar factors (including the views of the first credit provider) before seeking additional evidence relating to the fraud; and

• clarification that where an individual requests the correction of their information due to unavoidable consequences of circumstances beyond the individual's control, the circumstances outside of the individual's control can include domestic abuse (in addition to existing provisions that specify that such circumstances can include natural disasters, bank errors in processing a direct debit or fraud).

Credit providers should ensure that their processes and procedures for responding to correction requests are updated to reflect these clarifications.

(f) Clarification of the timing when credit starts and ends

The New CR Code provides some additional flexibility by introducing two new sub-paragraphs into the definition of 'month' to permit a month to also be defined by reference to:

• t he end of a day that is between 27 and 30 days after the start day of that month; or
• where the day before the start day is a non-business day, the end of a day that is 25 or 26 days after the start day.

The meaning of the phrases "day on which the consumer credit is entered into" and "day on which the consumer credit is terminated or otherwise ceases to be in force" in the context of the provision of credit provided relating to telecommunications or utilities has also been clarified to respectively include:

• the credit being entered into on the day that a service is first provided and where the credit provider has generated one or more active accounts for the customer; and
• the credit being terminated on the day that service provision ceases and on which there is no right to have a service reconnected under an existing contract.

These changes provide some helpful clarifications for credit providers.

Was anything not included?

One of the key omissions from the amendments introduced in the New CR Code was the proposed introduction of a 'soft enquiries' framework. As explained in the April 2024 issues paper relating to the review of Australia's credit reporting framework:

The proposed soft enquiries framework is intended to allow credit providers to use the credit reporting framework to undertake basic screening checks and to aid in pricing prior to an actual credit application being made. Unlike a 'hard' enquiry or information request, a soft enquiry will not be visible to other credit providers on an individual's credit report. One of the intended outcomes of this approach is to support consumers to shop around for consumer credit with the best terms (including pricing), without damaging their credit score.

The OAIC has indicated that it "anticipate[s] revisiting the soft enquiries framework and whether it can be implemented in the CR Code by the second quarter of 2025". Credit providers should continue to monitor developments in relation to this issue, as the introduction of a soft enquiries framework will provide a clearer regulatory basis for innovative credit products (such as risk-based pricing).

When do these changes take effect?

Except for a small number of items set out below that have a delayed commencement, the New CR Code commenced immediately on the day it was registered on the Federal Register of Legislation (which was 1 October 2024).

Credit providers have been given six months to give effect to certain parts of the changes relating to the definitions of the following terms:

• day on which the consumer credit is entered into
• day on which the consumer credit is terminated or otherwise ceases to be in force
• maximum amount of credit available under the consumer credit

In addition, the requirement for credit reporting bodies to provide a ban notification service will only come into effect 12 months after the New CR Code was registered.

What credit providers need to do

As the majority of these changes have already commenced, credit providers need to act now to review and update their processes and procedures as required.

In particular, many credit providers are likely to need to make updates to their credit reporting collection notices and to check whether any template letters to customers used for sending a section 21D notice comply with the new requirements.