Credit information and credit reporting from 12 March 2014
Note: Rules under the Privacy Act and Credit Reporting Code changed on 12 March 2014.
When a TIO complaint involves events that happened before 12 March 2014, rules from the previous Act and Code, and the TIO position statement Credit information and credit reporting before 12 March 2014 will apply.
Credit information is collected from individuals and can be disclosed by credit providers to credit reporting bodies. Credit information about an individual includes:
- applications for credit
- credit currently being provided
- default information
- a credit provider’s opinion that a person has committed a serious credit infringement.
Credit reporting bodies are organisations that store credit information about individuals and businesses given credit in Australia. Credit providers – including telecommunications providers that offer services on credit – may check this information before providing services on credit.
A default means a debt of $150 or more is overdue by at least 60 days. Credit reporting bodies keep default information for five years.
A serious credit infringement includes an act done by an individual if:
- a reasonable person would consider that the act indicates an intention, on the part of the individual, to no longer comply with the individual’s obligations in relation to consumer credit provided by a credit provider
- the provider has, after taking such steps as are reasonable in the circumstances, been unable to contact the individual about the act, and
- at least 6 months have passed since the provider last had contact with the individual.
Credit reporting bodies keep serious credit infringement information for seven years.
Complaints we commonly receive about defaults and serious credit infringements include claims that a credit provider has:
- not sent notices of an overdue debt before disclosing default information
- not updated credit information after payments have been made
- disclosed default or serious credit infringement information incorrectly
- disclosed default or serious credit infringement information while a debt was in dispute.
Laws and codes of practice
Some laws and codes of practice relevant to credit reporting are:
- Privacy Act 1988, Part IIIA - Credit reporting
- Privacy (Credit Reporting) Code 2014 (Version 1.2)
- Telecommunications Consumer Protections (TCP) Code 2015
Credit reporting rules under the Privacy Act are intended to regulate consumer credit provided to individuals: credit for personal, family or household use. We can also consider complaints about credit provided to small businesses, but these complaints are generally not covered by the same rules.
When we deal with default and serious credit infringement complaints, we consider the law, good industry practice, and fairness in all the circumstances.
Information about credit reporting
Before a credit provider collects personal information that it may give to a credit reporting body it must give certain information to the individual applying for the credit.
This includes that it may consult a credit reporting body to assess the individual’s eligibility for credit, and that it may report defaults and serious credit infringements. The credit provider must also give the contact details for the credit reporting body or bodies it plans to report to.
The credit provider can give the information verbally, in writing, or by putting it on its website and showing the individual how to find it.
Disclosing default information
Before disclosing default information the credit provider must send written notice to the credit holder saying the debt is overdue and asking for payment.
If the overdue debt is not paid, the credit provider must then send another written notice saying that it intends to disclose the default information to a credit reporting body. The second notice cannot be sent earlier than 30 days from the first notice.
The disclosure of the default information must:
- not be done earlier than 14 days or later than 3 months after the second notice is sent
- be for the amount specified in the second notice that is at least 60 days overdue, plus any accrued interest, fees and other amounts, less any part payments that have been made.
When the debt is repaid in full, waived, incorporated into a new contract, or the credit provider agrees to accept a lesser amount in full settlement, the credit provider must disclose this to the credit reporting body within 3 days for the default information to be updated.
Other rules for defaults and serious credit infringements include:
- the credit provider must be legally entitled to pursue the debt
- a debt cannot be disclosed as a default more than once
- default and serious credit infringement information must be accurate and kept up to date.
Disclosing serious credit infringement information because a person intends not to pay
A credit provider can also disclose serious credit infringement information to a credit reporting body if it believes an individual has indicated they will not abide by their repayment obligations.
The credit provider must first disclose default information for the overdue debt according to the rules for defaults.
The credit provider must also try to contact the individual to give notice that default information has been disclosed and serious credit infringement information may be disclosed. The credit provider must try to contact the individual where possible by phone, email, and mail. If any contact details are found to be out of date, the credit provider must try to find current contact details.
Before disclosing serious credit infringement information, the credit provider must wait six months from:
- the date of the last contact with the individual, or
- the date it sent the notice of intention to disclose the default
whichever is later. If there is any contact with the individual within the six months, that date becomes the date of last contact with the individual, and the six months starts again.
A credit provider must not disclose default information when an individual has made a hardship request and the credit provider is considering the request. If the credit provider refuses a hardship request it must wait 14 days before disclosing default information.
This does not apply if the individual has made any hardship requests on the same grounds within the previous four months.
Access and correction of credit related personal information
With some exceptions, a credit provider must give an individual access to their credit related personal information on request. This includes access to default and serious credit infringement information.
An individual can also ask a credit provider to correct credit related personal information it holds about them. If the credit provider agrees that the information is incorrect, it must take reasonable steps to correct the information within 30 days, or any longer time agreed with the individual in writing.
Good industry practice
Chapter 6 of the Telecommunications Consumer Protections Code has additional rules:
- Before disconnecting a service a provider must send a consumer written notice saying default information may be disclosed
- When the provider finds out that default information was disclosed by mistake, or the default is not the consumer’s fault, it must use reasonable endeavours to tell the credit reporting body within one working day
- The provider must not disclose default information if any part of the overdue payment is in dispute.
In our view, default information should be disclosed within one year of the debt becoming overdue. This includes when a provider fails to report a default within three months from sending the second written notice, so sends another notice.
Early termination fees must be overdue by at least 60 days before they can be included in default information.
Debt collection fees should not be included in default information unless the provider can show that the person agreed to pay debt collection fees as part of the credit provided.
Dealing with a dispute
To assess a complaint we ask for information from the individual and provider.
We will ask the individual for:
- a complete copy of their credit information
- evidence of any payments, for example bank or credit card statements
- personal identification if they claim default or serious credit infringement information was disclosed incorrectly
- anything else to show why the provider should not have disclosed default or serious credit infringement information, for example emails or letters to the provider.
We will ask the provider for:
- the dates it sent the required notices
- the address the notices were sent to
- copies of the required notices
- the date it disclosed the default or serious credit infringement information, and the overdue amount that was reported
- evidence to show the default or serious credit infringement information is accurate
- if the amount disclosed is different from the amount in the notices, reasons why
- details of any contact from or payments made by the individual between sending the notices and disclosing the default or serious credit infringement information.
We will ask the provider or debt holder to suspend collection activity while we consider the complaint. We may also ask the provider to buy back the debt if it has been sold.
If we think the provider followed all applicable rules before disclosing default or serious credit information we are unlikely to find that the individual’s credit information should be corrected.
Otherwise we will expect the provider to change, update or destroy the default or serious credit infringement information according to rules in the Act, Credit Reporting Code, and Telecommunications Consumer Protections Code.
Depending on the circumstances, we may also decide another remedy should be considered. This may include:
- giving access to information or reducing charges for access
- correcting inaccurate personal information
- compensating for financial loss incurred as a result of a breach, and
- compensating for injury to feelings and humiliation caused by an interference with the individual’s privacy.
We may also recommend that improvements to systems, procedures and staff training be considered by the provider.
Effective date: 11 March 2016
This position statement provides broad guidance on the law, good industry practice, and what the TIO may consider to be fair and reasonable in general circumstances. It is not a full statement of the law or good industry practice. The TIO considers each matter brought to it on its own particular merits.