Changes to Consumer Defaults

It is being reported by Equifax that the Office of the Australian Information Commissioner (OAIC) has provided a view that all defaults will now be recorded as a paid status regardless of whether the debt is paid or settled.

Previously Creditors had the opportunity to record a debt as being settled where a reduced amount was accepted however the OAIC has advised Equifax that by 15/02/2019 all existing accounts listed with an "S" code (settled) must be converted to a "P" code (paid). Default informaiton also being submitted by IQ Connect, XML or Data Enrichment Systems by Creditors will also need need to follow the new definition of a paid default.

When Can a Default Be Included in Your Credit Report

It's a question that is often asked and something that we have covered before in our article Recording Payment Defaults however is there a time-limit on when a credit provider can list a payment default?

The Office of the Australian Information Commissioner (OAIC) states in their Privacy Fact Sheet 35: When Can a Default Be Included in Your Credit Report -

Yes, a credit provider cannot wait more than 90 days after issuing you with the second notice to list the default.
If the credit provider does not disclose the default to a CRB within that 90 day period, it must send you another notice informing you of its intention to list the default. The credit provider must then wait at least another 14 days before disclosing the default to a CRB for inclusion in your consumer credit report.

You can find the answer to this question and more by visting the OAIC fact sheets page here.

Use & Access of Electoral Roll Data

It is being reported by the Sydney Morning Herald that electoral roll data of more than 16 million Australians is allegedly being used by buy now, pay later providers, betting agencies, marketing firms and debt collectors to identify individual consumers.

Data allegedly obtained from a data marketing company, Illion, allows companies such as Afterpay to match identities to addresses as it processes customers. The data is allegedly being accessed under recent changes to the Anti-Money Laundering and Counter-Terrorism Financing Act.

Historically, prior to changes to the way the electoral roll was accessed, the roll was being used by debtor collectors (among others), for the purpose of making enquiries to locate a debtor or verify that a debtor may be residing at an address prior to commencing further action. Changes to the laws prohibited the search of the electoral roll for this very purpose, specifically stating that information contained in the roll is protected information and that such protected information shall not be used for a commercial purpose.

The Australian Electoral Commission would not comment on whether use of the data by the companies involved was appropriate with enquiries being directed to Home Affairs.

In accordance with the Act, LCollect do not access electoral roll data for any commercial purpose and only monitor accounts on legally available search facilities complying with the requirements of the Privacy Act 1988 (Cth).

China Trials Deadbeat Map To Monitor Bad Debts

Authorities in China are trialling a new app which will enable users to check on their debt status according to ABC News.

The app, which is an add-on to Chinese social media platform, WeChat, has been rolled out in the Hebei province earlier this year. Nicknamed the "Deadbeat Map" the programs allows users to pinpoint the location of those who have failed to pay their debts within a 500 metre radius. Tapping on a person marked on the map reveals personal information about the individual including their name and the reason why they have been placed on the financial blacklist. Other information such as home addresses and identity card numbers are also partially shown.

The launch of the app has not been without criticism with many raising privacy concerns over the app. A representative of the Hebei Higher People's Court said in a statement, "The development and application of the map can further realise the connection and sharing of information on debtors and create a social honesty framework that limits those who lose their credibility in many ways." In response Delia Lin, a senior lecturer in Chinese studies at the University of Melbourne, said, "This is dangerous — it encourages people to take the law into their own hands. The people who cannot pay their debt because they are too poor, then who will be subject to this kind surveillance and this kind of public shaming. Basically, society becomes a virtual prison — instead of going to jail, those people's personal lives, and even their children's personal lives, are being affected."

China has been developing a social credit score system since 2011 with the aim of separating the "trustworthy" from the "disobedient" with behavour ratings then used to determine access to services ranging from transport to loans. Since its launch more than 18 million people have been banned from flying and 5.5 million prevented from buying rail tickets as a result of their debts.

Cash Converters Fined $650K For Breaching Guidelines

Cash Converters has again found itself in the spotlight for all the wrong reasons with ASIC finding that the company failed to meet regulatory guidelines and breaching the ASIC and ACCC Debt Collection Guidelines.

An ASIC investigation found that the pay day lender routinely breached the frequency of contact guidelines of 3 times per week or less than 10 times a month -

5. Frequency of Contact
(c) Unnecessary or unduly frequent contacts may amount to undue harassment of a debtor. We recommend that you do not contact a debtor more than three times per week, or 10 times per month at most (when contact is actually made, as distinct from attempted contact) and only when it is necessary to do so. This recommendation does not apply to face-to-face contact which is specifically addressed below. 

The investigation also uncovered that a related company, Safrock Finance Corporation (QLD), was also found to have provided incorrect information to a credit reporting agency. The error resulted in 38,500 customer being reported  inaccurate amount owing over a 1 month period. According to ASIC the financier has since worked with Equifax to ensure all incorrect credit listings have been removed.

ASIC has since imposed licence conditions on Cash Converters which includes outsourcing all of their debt recovery to a 3rd party collection agency and must seek consent from ASIC prior to bringing these activities back in-house.

In retribution this time around, Cash Converters has paid $650,000 in community benefits payments to the National Debt Helpline for breaching the Guidelines.

Peter Kell, ASIC Deputy chair, said in a statement to the media, "Consumers expect to be treated fairly and in a manner that complies with consumer protection laws. ASIC expects all financial service providers to have appropriate systems and controls in place to ensure that debt collection practices are consistent with the guidelines. It is also critical that licensees ensure that credit information provided to credit bureaus is accurate."

This is not the first time that Cash Converters has been investigated by ASIC. You may recall that in our May 2017 blog post that Cash Converters were fined and paid $1.35 million in penalties for breaching responsible lending conduct provisions and refunded consumers $10.8 million in fees through a consumer remediation program.

You can download a copy of the ASIC and ACCC Debt Collection Guidelines from their website.

Source: TheAdvisor - May 2018

Small Business Face Bankruptcy For Data Breaches

With the new cyber data breach notifications having come into effect from 22 February a study by Xpotentia shows that up to 124,000 businesses over the $3 million threshold are not ready for the new rules.

Businesses with an annual turnover of more than $3 million that trade in personal information must notify affected individuals of any data breach that is likely to result in "serious harm". The business must also inform the Office of the Australian Information Commissioner ("OAIC"). A failure to comply may incur penalties of up to $420,000 for an individual and $2.1 million for companies which has triggered warnings that a failure to notify the OAIC could result in some businesses being made bankrupt.

The Xpotentia study noted a significant number of data breaches over the years with a survey in 2017 by Telstra showing 59% of Australian companies had detected a data security breach on a monthly basis. The study also showed that 1 in 4 Australians were targeted by hackers last year with almost 50,000 Australians and 5,000 public servants from the Department of Finance, the AEC and NDIS all having data exposed after a security breach by a private contractor.

Xpetentia Managing Director, Sorina Toma said of many small businesses, "They might actually have their entire customer data base on a simple PC. You are talking about ­businesses that employ 10 to 12 people and they have a few computers and they are totally exposed. A lot of the time, a small business might not know a breach has happened". Mr Toma recommended that many small businesses look at securing their data with additional software and hardware such as firewalls and encouraged business owners to invest in a chief information security officer to identify threats and vulnerabilities.

Cyber Security Minister, Angus Taylor, said, "Not knowing how to protect client or customer data is becoming a poor excuse. There is a lot of information now available on cyber sec­urity. The onus is with business operators, with organisations and with government agencies, to put measures in place to reduce the risk of data breaches.”

Learn more about the changes, preparation and response at Data Breach Preparation and Response - A Guide to Managing Data Breaches in Accordance with the Privacy Act 1988.

Source: The Australian - February 2018

CIO Releases Credit Reporting Fact Sheet

The Credit & Investments Ombudsman ("CIO") has this month released a new fact sheet, "Credit Reporting: Enquiries".

The fact sheet covers:

• What is a credit enquiry?
• Why would a credit provider need to access my credit report?
• What information is included in a credit enquiry?
• Is my consent needed for a credit provider to access my credit report?
• How long does a credit enquiry stay on my credit report?
• What if I did not make an application, and the enquiry is incorrect?
• Do credit enquiries negatively affect my credit report?
• Can my application be declined because of the information in my credit report?

OAIC Introduces New NDB Scheme

The Office of the Australian Information Commissioner ("OAIC") has recently published new draft resources for the Notifiable Data Breaches ("NDB") scheme which commences on 22 February 2018.

The resources include:

• Assessing a suspected data breach;
• What to include in an eligible data breach statement;
• New online forms to assist organisations in preparing a statement about an eligible breach to the OAIC; and
• A new chapter in the OAIC's Guide to Privacy Regulatory Action on data breach incidents.

Recording Payment Defaults

It has now been 3 years since we covered the process involved in recording a payment default with a Credit Reporting Body ("CRB") such as Equifax.

While the process has not changed we believe that it would be an ideal time as a refresher for those that may not be familiar with the process.

Assuming that a clause exists in your Contract or Agreement to record a payment default with a CRB, any debt regulated by the National Consumer Credit Protection Act 2009 (Cth), must be issued with a series of code compliant Notices before a payment default can be recorded.

SECTION 88 DEFAULT NOTICE & FORM 12A

What Is It?
The s88 Default Notice advises the customer that their account is in arrears, the amount currently in arrears and the time in which they have to remedy the default. The Form 12A which is attached to the s88 Default Notice provides the customer with information about their rights including information about financial hardship and the dispute resolution options available.

When It Must Be Given
The s88 Default Notice must be issued 30 days prior to commencing enforcement action. This includes listing default information with a CRB. The CR Code recommends that an additional 5 days be added (35 days in total) for postage.

Can It Be Combined?
The s88 Default Notice can be combined with a s6Q Notice however it cannot be combined with a s21D Notice.

SECTION 6Q NOTICE (PRIVACY ACT)

What Is It?
The s6Q Notice informs the customer of the overdue payment amount and requests payment of that amount. This Notice indicates to the customer that the amount can be reported to a CRB once that amount is 60 days overdue.

When It Must Be Given
The s6Q Notice must be given prior to disclosing default information to a CRB.

Can It Be Combined?
The s6Q Notice can be combined with the s88 Default Notice however it cannot be combined with a s21D Notice.

SECTION 21D NOTICE (PRIVACY ACT)

What Is It?
The s21D Notice advises the customer that the credit providers intends to disclose default information to a CRB.

When It Must Be Given
The s21D Notice must be given at least 14 days prior to disclosing information to a CRB and not more than 3 months prior to disclosure.

Can It Be Combined?
The s21D Notice cannot be combined with a s88 Default Notice or s6Q Notice.

Veda To Refund Customer After Privacy Rule Breach