Credit information and credit reporting before 12 March 2014
Note: Rules under the Privacy Act and Credit Reporting Code changed on 12 March 2014.
When a TIO complaint involves events that happened on or after 12 March 2014, rules from the new Act and Code, and the TIO position statement "Credit information and credit reporting from 12 March 2014", will apply.
Credit files contain information about:
- applications for credit
- defaults and serious credit infringements
- public information, including directorships and bankruptcy data.
Credit reporting agencies keep credit files for individuals and businesses given credit in Australia.
Credit providers – including telecommunications providers that offer services on credit – may check credit files before providing services on credit.
A default is a non-payment of an overdue account. A default stays listed on a credit file for five years.
A serious credit infringement includes an act done by an individual that a reasonable person would consider indicates an intention, on the part of the individual, no longer to comply with the individual’s obligations in relation to credit.
Serious credit infringements stay listed on a credit file for seven years.
Defaults and serious credit infringements are reported to the credit reporting agency by the credit provider. In telecommunications this will be the consumer’s provider of post-paid accounts.
Complaints we commonly receive about credit reporting include claims that a credit provider has:
- not sent notice of an overdue amount before it was reported
- not updated a credit file after payments have been made
- listed a default or serious credit infringement incorrectly
- listed a default or serious credit infringement while the debt was in dispute.
Laws and codes of practice
Some laws and codes of practice relevant to credit reporting are:
- Privacy Act 1988, Part IIIA - Credit reporting (before changes starting from 12 March 2014)
- Credit Reporting Code of Conduct 1996
- Telecommunications Consumer Protections (TCP) Code 2012
Part IIIA of the Privacy Act regulates consumer credit provided to individuals: credit for domestic, family, or household use. We can also consider complaints about credit from small businesses, but these complaints are not covered by the same rules.
When we deal with default and serious credit infringement complaints, we consider the law, good industry practice, and fairness in all the circumstances.
- At the time it gives credit the credit provider must tell the account holder it may consult their credit file, and can report defaults
- Credit reports must be updated when payments are made or settlements are reached
- Defaults and serious credit infringements may not be listed:
  - more than once
  - when the debt can no longer be enforced (for example when Statutes of Limitations apply).
Specific rules for defaults include:
- The credit provider must send written notice that an amount is overdue. The credit provider should send the notice to the account holder’s last known address
- A debt must be at least 60 days overdue before listing a default
- The credit provider must be legally entitled to pursue the debt.
Before reporting a serious credit infringement the credit provider must reasonably believe the person has:
- fraudulently obtained credit
- fraudulently avoided repayment obligations, or
- indicated they do not intend to meet their repayment obligations.
Good industry practice
At the time it gives credit a provider must tell an individual it can report defaults. It is good industry practice to send another warning before actually reporting a default. Individuals cannot reasonably be expected to recall information about credit reporting given when they applied for credit.
Chapter 6 of the Telecommunications Consumer Protections Code 2012 included additional rules:
- Before disconnecting a service the provider must send the individual written notice saying a default may be listed
- When the provider finds out a default was listed by mistake, or is not the individual’s fault, it must tell the credit reporting agency within one working day
- The provider must not list a default if any part of the debt is in dispute
- The provider must be able to update credit information as soon as practicable
- The provider must follow debt collection processes correctly.
In our view, a default should be listed within one year of the debt becoming overdue.
Before reporting a serious credit infringement a provider should take reasonable steps to contact the consumer. Depending on the circumstances this could mean:
- emailing them
- writing to their last known address
- calling them on numbers held by the provider or sourced through directories.
Dealing with a dispute
To assess a complaint we ask for information from the individual and provider.
We will ask the individual for:
- a complete copy of their credit file
- evidence of any payments, for example bank or credit card statements
- personal identification if they claim a listing was made incorrectly
- anything else to show why a listing should not have been made, for example emails or letters to the provider.
We will ask the provider for:
- the date it sent notice that it might list a default
- the address the notice was sent to
- a copy of the notice
- the date of the listing and the amount listed
- if the amount listed is different from the amount in the notice, reasons why
- details of any contact from or payments made by the individual between sending the notice and listing the default.
We will ask the provider or debt holder to suspend collection activity while we consider the complaint. We may also ask the provider to buy back the debt if it has been sold.
If our view is that the provider followed all applicable rules before reporting the default we are unlikely to find that the listing should be removed.
Otherwise we may require the listing to be changed, updated or removed. Depending on the circumstances, we may also decide another remedy should be considered. This may include:
- giving access to information or reducing charges for access
- correcting inaccurate personal information
- compensating for financial loss incurred as a result of a breach, and
- compensating for injury to feelings and humiliation caused by an interference with the individual’s privacy.
We may also recommend that improvements to systems, procedures and staff training be considered by the provider.
Effective date: 11 March 2016
This position statement provides broad guidance on the law, good industry practice, and what the TIO may consider to be fair and reasonable in general circumstances. It is not a full statement of the law or good industry practice. The TIO considers each matter brought to it on its own particular merits.