Privacy Law and Policy Reporter
Subheadings in this submission have been edited (General Editor).
Any proposal to further regulate or restrict the exchange of personal information requires extensive consultation to ensure that the balance is maintained between the protection of individual privacy and the need for businesses to continue to operate efficiently. The extension of privacy legislation to the private sector generally will have a cost, and that cost needs to be measured and recognised by all the parties involved.
Nowhere is this cost more evident than in the provision of financial services. The Australian credit market (excluding trade credit) is worth $494 billion to the economy. It is critically important to the health and future growth of Australia. All credit transactions involve risk. Fast, effective access to reliable risk assessment information is an essential element in managing that risk.
Financial institutions in today's increasingly competitive market are essentially in the information business. Banks, finance companies, credit unions and others, when acting as intermediaries between borrowers and lenders, take risks associated with lending and use their access to information to manage those risks.
The development of sophisticated computer-based credit assessment programs has meant that financial institutions no longer accumulate large amounts of detailed information on borrowers based solely on their historical experience with those borrowers.
As part of the increase in competition and rapidly changing markets, financial institutions and suppliers of goods and services rely more than ever on fast access to a range of proprietary and public third party databases. Customer loyalty is fragmented, and as customers move from one supplier to another, so the need for some external, constant source of information grows. Specialist bodies, such as credit reporting and rating agencies, are the sources of information which all credit providers now use as a basis for their risk taking decisions.
As a result of previous legislative initiatives, Australia has one of the most highly-regulated credit reporting regimes in the world. There is a cost to the community from such regulation and this is addressed later in this submission.
The Credit Reference Association of Australia (CRAA) has a strong vested interest in any review of existing Commonwealth privacy legislation, because the company plays a central role in the provision of risk management information services to the Australian business community. CRAA is the pre-eminent consumer credit reporting agency in Australia, responsible for 98 per cent of all consumer credit reports used by financial institutions. In 1995-96, over 85 per cent of all new consumer credit loans (worth $60 billion and covering motor vehicle loans to property mortgages) were approved subject to credit information held by CRAA.
The CRAA consumer credit database holds 60 million records on the financial dealings of 11 million Australians. The company is one of the two principal commercial credit reporting agencies in the country, with a database of over one million companies and businesses. CRAA information plays a key role in the provision of credit to Australia's small and medium business enterprises. CRAA's 4,000 members include all banks and finance companies, credit card issuers, communications carriers, most credit unions and some 3,000 manufacturers, wholesalers and service providers.
In the current financial year, credit risk information provided by CRAA will directly contribute between $290 and $300 million to its members' bottom line. This is principally from the avoidance of bad debts and reduced administration costs. CRAA modelling indicates this saving to financial institutions is equivalent to a 1.1 per cent saving in consumer credit interest rates.
Compliance costs to CRAA and its members from current privacy legislation are an issue which needs to be examined as part of the Government's initiative.
The commitment to industry-based Codes of Practice should help ensure an effective level of private sector consultation and cooperation, thereby achieving an equitable balance between the competing interests and avoiding an environment which led to the inefficiencies and inflexibility of Pt IIIA of the present Privacy Act.
(i) preventing the establishment of a specialised, industry-wide fraud detection/prevention database, needed to control growing credit fraud losses;
(ii) restricting credit providers' ability to develop new and/or recalibrate ageing credit risk management systems;
(iii) denying Australian financial institutions access to highly predictive credit risk information, available in comparable overseas economies, with resulting inefficiencies and costs equivalent to 1 per cent in consumer interest rates;
(iv) severely limiting the ability of credit providers to outsource debt collection activities to specialised collection services, by prohibiting the exchange of key information between the credit provider and the collector;
Part IIIA inhibits competition by:
(v) preventing new entrants into the Australian consumer credit market from quickly developing effective and reliable credit risk assessment systems. As a consequence, new entrants face a greater risk of bad debts and are less able to compete in the market;
(vi) limiting the ability of financial institutions to cost effectively identify potential customers and market new products to those customers.
The above points were included in CRAA's recent submission to the Financial System Inquiry. Additional comment follows.
One of the most useful pieces of information in identifying fraud is a telephone number. This is because, while people may vary their name and/or address, they generally need to provide accurate telephone numbers so that the credit provider can complete required verification checks.
Section 18E of the Act sets out the permitted content of a credit information file. The section does not permit a credit bureau to store telephone numbers. At the time the legislation was prepared, CRAA did not record telephone numbers and had no reason to do so, since credit fraud was not the problem it is today. Section 18E simply adopted existing CRAA data collection procedures. Since then the environment in which credit providers operate has changed and their information needs have also changed.
The current legislation is too prescriptive and does not allow the credit industry to react quickly enough to changing business circumstances. A fraud industry has developed, able to fully exploit new technology such as high quality photocopiers and phone redirection services. Credit providers have been prevented by the limitations of the Act from taking advantage of the technology at their disposal to combat fraud.
The solution: Amend legislation to permit the bureau to receive telephone numbers in conjunction with a credit enquiry and store them on its database. It would only pass back to a credit provider a 'match key' to indicate whether the telephone number provided on an application matches telephone number(s) given previously by the applicant.
The purpose for which the file information is required in the above example is not included in the permissible purposes set out in s 18K of the Privacy Act, which limits the release of personal information by a credit reporting agency. The proposed use of the information by the credit provider is not included in the limits of use set down in s 18L.
Credit providers are prevented from using up-to-date systems and technology to support their lending decisions. The public is denied the quality and speed of customer service provided by advanced decision systems. New entrants to the financial services market face an anti-competitive barrier.
Sections 18K and 18L mean a new credit provider is unable to build a fully effective risk assessment system using statistical data available from CRAA. This is because 18K and 18L only permit a credit provider to access and use credit bureau data for the purpose of assessing new applicants for credit or the continuation of credit to existing customers (excepting securitisation arrangements). A new entrant to the financial services market does not have an existing customer base, and the entire purpose of such an organisation wishing to access credit bureau data is to assist in developing a risk assessment process.
This can mean a new credit provider will experience an unnecessary incidence of poorly performing accounts and bad debt write-offs.
The Privacy Act should permit the use of credit information files for statistical analysis under circumstances where personal information is used solely for this purpose.
The Privacy Act includes two sections which discriminate against debt collection agencies and impede their cost effective use by credit providers.
Section 18K (limits on disclosure of personal information by credit reporting agencies) does not include debt collection agencies as an organisation to whom a report may be furnished.
Section 18N (limits on disclosure by credit providers of personal information contained in reports relating to creditworthiness, etc) only permits a credit provider to disclose limited information about a debtor to a debt collection agency acting on its behalf. Information which may not be disclosed under 18N1(c)(iii) is the type of information most likely to assist in the recovery of the debt. Information about recent credit enquiries is highly relevant in establishing an individual's ability to repay an outstanding debt. Yet this information is specifically excluded from disclosure to the collection agency.
It is clear from any examination of the relationship between a credit provider and a collection agent that, when the agent is attempting to recover a debt owed by an individual to the credit provider, the disclosure of personal information about that individual between credit provider and agent is fully within Information Privacy Principles 8, 9, 10 and 11.
The result of disclosure restrictions in Pt IIIA is an unnecessary cost/burden on any credit provider wishing to outsource debt collection activity to a third party:
(a) because debt collection agents may not obtain credit reports in their own right;
(b) because of the administrative work for credit providers in editing credit bureau reports before they may be disclosed to a collection agent; and
(c) because the information which must be deleted from a credit report is often the most valuable from a debt collection point of view.
The current discrimination against debt collection agents in Pt IIIA of the Privacy Act appears to have no basis in the application of the Information Privacy Principles of the Privacy Act (1988). It appears to be unique to Australian privacy legislation.
There is a very real danger that individual state governments will unilaterally introduce privacy legislation in addition to the current Commonwealth Privacy Act.
Two States, NSW and Victoria, have announced their intention to introduce privacy legislation. There have been reports that other States are considering a similar move. The effect on the private sector of attempting to comply with possibly nine different, conflicting privacy regimes would be extremely serious.
State and Federal Governments in Australia do not have a good record on uniform legislation. National credit providers, forced for many years to operate under a multiplicity of sometimes contradictory consumer credit laws, can attest to the very high costs of compliance and the confusion which can arise from attempting to reconcile the demands of differing State bureaucracies, which, if not competing, often do not cooperate.
CRAA believes it is essential that the Commonwealth and State Governments reach firm agreement on uniform privacy legislation as a priority. The overriding legislation should be the Commonwealth's, with State legislation playing a complementary role, as required.
The restrictive provisions of Pt IIIA are believed to have contributed to an unnecessary increase in consumer credit overcommitment. In part this was due to the inability of many larger credit providers, in the first two years, to make the changes to their customer information systems necessary to allow them to update reports of overdue accounts reported to CRAA.
In the context of the proposed comprehensive national privacy legislation, it is difficult to identify any rational, demonstrated need for separate, specific privacy regulation covering the collection and use of credit information. If we understand the Government's objective correctly, it wishes to see uniform privacy sensitive information principles and practices introduced across all sectors of business.
If this objective is to be achieved without undue cost and ill will, business enterprises will need clear, uncomplicated and non-contradictory guidelines, which avoid special case rules and detailed qualifications. Indeed, if the NZ experience is any guide, many private sector organisations will not seek special industry-specific codes of practice, but will prefer to work within a set of agreed privacy principles.
The collection and use of credit risk information about individuals is not materially different from the use of personal information generally in both the private and government sectors.
In proposing the repeal of Pt IIIA, CRAA acknowledges the considerable work and consultation invested in the 'Credit Reporting Code of Conduct' (authorised under s 18A of the Act). The Code has been a cooperative venture between the credit industry, the Privacy Commissioner and other interested groups. It has ameliorated the worst aspects of Pt IIIA.
CRAA also recognises that there may be concern that the repeal of Pt IIIA could lead to future misuse of sensitive personal information contained in credit reports. CRAA does not believe this will be the case in an environment where all businesses (including all users of credit information) operate within national privacy legislation. CRAA is of the view, however, that the activities of credit reporting agencies should be covered by a Credit Reporting Code of Practice ... to be incorporated into the provisions of an amended Privacy Act, as outlined in the Attorney-General's Discussion Paper of September 1996.
The Draft Code of Practice would replace Pt IIIA of the Commonwealth Privacy Act 1988 and the Credit Reporting Code of Conduct 1996. The Draft Code is consistent with the Information Privacy Principles of Pt III of the Privacy Act 1988 and follows a similar pattern to the Draft Credit Reporting Information Privacy Code, currently under consideration by the NZ Privacy Commissioner.
A Draft Code is attached to CRAA's submission, but is not included here. It will be covered in a later issue (General Editor).