Information about credit scoring processes

59.60 In DP 72, the ALRC noted that there may be reasons for credit being refused that are based on credit reporting information, but are not readily apparent from the information received by the credit provider or provided to the individual concerned.[61]

59.61 Where this is the case, notification of an adverse credit report under s 18M, or an equivalent provision in the new Privacy (Credit Reporting Information) Regulations, may not achieve the intended policy result. That is, even where the individual concerned obtains access to the credit reporting information, he or she may not be able to understand why that information contributed to credit being refused.

59.62 An example of such circumstances is where credit reporting information is used in credit scoring. Credit scoring may be described as the use of ‘mathematical algorithms or statistical programmes that determine the probable repayments of debts by consumers, thus assigning a score to an individual based on the information processed from a number of data sources’.[62] A range of different data items, derived from credit reporting information or from a credit provider’s own records, may be used in credit scoring.

59.63 If an individual is refused credit based on a credit score, this fact will not be apparent from the credit report. A credit score is not permitted content of a credit information file under s 18E.[63] Further, credit reporting agencies and credit providers may rely on the ‘evaluative information’ exception in NPP 6.2 (retained in the ‘Access and Correction’ principle in the model UPPs),[64] to avoid giving individuals credit scores or rankings and instead provide an explanation.[65]

59.64 In response to the Issues Paper, Review of Privacy–Credit Reporting Provisions (IP 32), the Australian Privacy Foundation submitted that

there should be a clear statutory right of access to credit scores and other rankings held by [credit reporting agencies] and [credit providers], together with explanatory material on scoring systems and current thresholds for acceptance, to allow individuals to better understand how they are being assessed.[66]

59.65 In DP 72, the ALRC noted that, in the United States, the Fair Credit Reporting Act 1970 (US) (FCRA) requires credit reporting agencies to provide, on request, prescribed information to individuals about the use of credit scoring.[67] The FCRA provides:

(1) In general. Upon the request of a consumer for a credit score, a consumer reporting agency shall supply to the consumer a statement indicating that the information and credit scoring model may be different than the credit score that may be used by the lender, and a notice which shall include—

(A) the current credit score of the consumer or the most recent credit score of the consumer that was previously calculated by the credit reporting agency for a purpose related to the extension of credit;

(B) the range of possible credit scores under the model used;

(C) all of the key factors that adversely affected the credit score of the consumer in the model used, the total number of which shall not exceed four …

(D) the date on which the credit score was created; and

(E) the name of the person or entity that provided the credit score or credit file upon which the credit score was created.[68]

59.66 In DP 72, the ALRC observed that, while providing rights of access to actual credit scores would not serve any useful purpose, the provision of explanatory material about the key factors that adversely affected the credit score of an individual might benefit consumers.[69]

59.67 In the United States, credit reports provided to individuals include information about the factors that affect an individual’s credit score adversely (or favourably). For example, a sample Fair Isaac Corporation ‘MyFICO’ score summary lists the following as negative factors:

  • You have a public record and a serious delinquency on your credit report.

  • You have multiple accounts showing missed payments or derogatory descriptions.

  • The balances on your non-mortgage credit accounts are too high.

59.68 Factors listed as helping the credit score include:

  • You have an established credit history.

  • You have an established revolving credit history.

  • You currently have a good number of credit accounts.[70]

59.69 The ALRC recognised that, as information relevant to some of these factors is not available from credit reporting agencies under current credit reporting regulation, different factors would apply under Australian credit scoring conditions.[71]

Discussion Paper proposal

59.70 In DP 72, the ALRC proposed that the new Privacy (Credit Reporting Information) Regulations provide that the information to be given, if an individual’s application for credit is refused based wholly or partly on credit reporting information, should include any credit score or ranking used by the credit provider, together with explanatory material on scoring systems, to allow individuals to understand how the risk of the credit application was assessed.[72]

Submissions and consultations

59.71 Some stakeholders agreed with the ALRC’s proposal.[73] In supporting the proposal, the OPC submitted that the new regulations also should clarify the rights of access and correction that are to apply to credit scores and rankings.[74]

59.72 Credit providers and other industry stakeholders opposed the proposal, at least to the extent that it would require disclosure or detailed explanation of credit scores or rankings.[75] The reasons for this opposition included that:

  • credit scoring processes involve highly complex and commercially sensitive methodologies, which it would be inappropriate to require organisations to disclose;[76]

  • credit scoring processes vary significantly over time and between credit providers, making the disclosure and explanation of credit scores or rankings difficult and of limited value to individuals;[77] and

  • detailed disclosure of credit scoring processes increases the risk of manipulated or fraudulent credit applications.[78]

59.73 ARCA agreed that there needs to be greater transparency with regard to the use of scoring in credit assessment, but stated that, in practice, there would be problems with providing detailed information.

Unlike the US where a single model is used to determine credit scores there is no uniform score in Australia. Different institutions use different models which represent highly complex proprietary information that differs between them, and even between different parts of a single institution.[79]

59.74 Stakeholders referred to variations in the credit scoring processes used by credit providers and credit reporting agencies. Optus stated that

providing the customer with a credit score or ranking will be meaningless, especially in the absence of a common scoring or ranking system, as per the American FICO score, which (as we understand it) is provided by the credit reporting agency, not the credit provider.[80]

59.75 The ANZ submitted that the ALRC’s proposal would not make individuals better informed about how the risk of their credit application was assessed, because

financial institutions have developed proprietary systems which rely on criteria specific to the organisations’ own credit assessment requirements. Many of these systems do not use the same terminology or the same scale for assessing customer scores. Therefore, knowing a score with one organisation is likely to serve only as a guide to whether or not the individual would (or would not) obtain credit from another organisation.[81]

59.76 GE Money Australia (GE Money) expressed concern that ‘explaining how to get a better credit score is more likely than not to increase the incidence of data manipulation by applicants for credit’.[82] Similarly, the AFC stated that

a requirement to disclose components of an application that are taken into account to arrive at a credit score would potentially enhance the opportunity for information manipulation by a customer or intermediary and inappropriately increase credit risk for the industry.[83]

59.77 GE Money noted that, in its view, one of the benefits of moving to more comprehensive credit reporting would be that ‘the numerous proprietary credit scoring systems will converge into a single credit scoring system that can be disclosed to consumers, and the incidence of applicant data manipulation can be dramatically decreased’.[84]

59.78 The OPC provided a different perspective on industry objections to the ALRC’s proposal. The OPC recognised that ‘there is significant complexity in credit scoring systems, and a range of data items other than credit reporting information may be used in creating an individual’s credit score or ranking’. It stated that individuals should still have the opportunity to compare credit scores against credit reporting information as this may provide them with ‘a general indication of whether they might want to request access to other personal information about them that is held by the credit reporting agency or credit provider’.[85]

59.79 Many stakeholders that opposed the ALRC’s proposal in DP 72 nevertheless favoured imposing an obligation to provide some form of ‘generic’ explanation about credit scoring.[86] ARCA, for example, stated that it would support credit providers giving individuals ‘a brief description, in plain English, of standard credit scoring and an explanation of how this may have been used in the credit decision’.[87]

Other information provided on refusal of credit

59.80 In DP 72, the ALRC noted that, apart from credit scoring, there may be other reasons for credit being refused that are based on credit reporting information, but are not necessarily apparent from an individual’s access to his or her credit report.[88] The CCLC submitted, for example, that:

The law should be clarified to ensure that individuals who are refused credit on the basis that their file has been cross-referenced to another file, or any other reason that is based on information held by a credit reporting agency that is not apparent from the copy of the file the individual would be given upon request, are entitled to be given adequate information to enable them to correct any inaccuracies or false assumptions attributable to the data held by the credit reporting agency.[89]

59.81 The OPC submitted that individuals should be given access to adequate information to enable them to correct any inaccuracies or false assumptions attributable to the information held by the credit reporting agency or credit provider.

For example, information about the linking of the individual’s credit file to another file should be provided to an individual, either as part of the refusal notification or as part of access to his or her credit information file.[90]

59.82 The OPC stated that the provision of adequate information where refusal of credit is notified would be consistent with the general obligation on credit providers and credit reporting agencies to take reasonable steps to ensure the credit reporting information held is accurate, complete, up-to-date and not misleading. The OPC suggested that it provide guidance on the additional information to be provided to individuals in a refusal notification to promote and maintain data accuracy. It stated that this additional information ‘could include explanatory material on practices in relation to the linking of credit information files and reviews of automated decisions’.[91]

59.83 Concerns about the linking of credit information files generally also are discussed in Chapter 58. The ALRC recommends that the credit reporting industry code[92] should promote data quality by setting out procedures dealing with, among other things, the linking of credit reporting information.[93]

ALRC’s view

59.84 The ALRC’s proposal, in DP 72, that new regulations require the provision by credit providers of information about credit scoring was influenced by the FCRA model. There are, however, important differences between credit scoring practices in the United States and Australia, which were not fully appreciated.

59.85 Australian credit scoring systems (or ‘scorecards’) are relatively more dependent for their predictive power on internal credit provider data, derived from application forms and information about existing customers, as opposed to information from credit reporting agencies. These scorecards vary significantly and are considered commercially sensitive. In contrast, the comprehensive information held by United States credit reporting agencies, and the dominant position of companies (such as the Fair Isaac Corporation) that provide credit scoring systems based on this information, have led to more uniformity in credit scoring practices.

59.86 These differences mean that imposing detailed obligations to provide prescribed information to individuals about the use of credit scoring, as in the United States, may not be appropriate or practicable. From one perspective, a lower degree of transparency in relation to credit decisions is one price that must be paid for not having moved to a more comprehensive credit reporting system.

59.87 It is important that, when an individual’s application for credit is refused, adequate information is provided to enable the individual to correct any inaccuracies or false assumptions attributable to the personal information held by the credit reporting agency or credit provider. This outcome would be assisted by a general explanation of the use of credit scoring processes.

59.88 In light of the practical difficulties referred to above, however, it would not be appropriate for the new Privacy (Credit Reporting Information) Regulations to mandate the provision of prescribed information about credit scoring. The provision of information, including about credit scoring, on refusal of credit is an appropriate subject for OPC guidance.

[61] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [55.44].

[62] F Ferretti, ‘Re-thinking the Regulatory Environment of Credit Reporting: Could Legislation Stem Privacy and Discrimination Concerns’ (2006) 14 Journal of Financial Regulation and Compliance 254, 261. See Ch 52.

[63] New Zealand credit reporting regulation permits credit reporting information to include a credit score: Credit Reporting Privacy Code 2004 (NZ) cl 5, definition of ‘credit information’.

[64] UPP 9.2.

[65] Australian Privacy Foundation, Submission PR 275, 2 April 2007. See also N Waters—Cyberspace Law and Policy Centre UNSW, Submission PR 277, 3 April 2007.

[66] Australian Privacy Foundation, Submission PR 275, 2 April 2007. See also N Waters—Cyberspace Law and Policy Centre UNSW, Submission PR 277, 3 April 2007.

[67] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [55.39].

[68] Fair Credit Reporting Act 1970 15 USC § 1681 (US), § 1681g(f)(1).

[69] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [55.40].

[70] Fair Isaac Corporation, Sample FICO Score Summary (2007) <www.myfico.com/Products/FICOOne/Sample/FICOScore/Sample_Summary.aspx> at 5 May 2008.

[71] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [55.43].

[72] Ibid, Proposal 55–3.

[73] Australian Privacy Foundation, Submission PR 553, 2 January 2008; National Legal Aid, Submission PR 521, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[74] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[75] GE Money Australia, Submission PR 537, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; Insurance Council of Australia, Submission PR 485, 18 December 2007; HBOS Australia, Submission PR 475, 14 December 2007; ANZ, Submission PR 467, 13 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007; Australian Finance Conference, Submission PR 398, 7 December 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007; Mortgage and Finance Association of Australia, Submission PR 344, 19 November 2007; AAPT Ltd, Submission PR 338, 7 November 2007.

[76] GE Money Australia, Submission PR 537, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Insurance Council of Australia, Submission PR 485, 18 December 2007; ANZ, Submission PR 467, 13 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; Australian Finance Conference, Submission PR 398, 7 December 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007; Mortgage and Finance Association of Australia, Submission PR 344, 19 November 2007; AAPT Ltd, Submission PR 338, 7 November 2007.

[77] Optus, Submission PR 532, 21 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; ANZ, Submission PR 467, 13 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007; Australian Finance Conference, Submission PR 398, 7 December 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007.

[78] GE Money Australia, Submission PR 537, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Australian Finance Conference, Submission PR 398, 7 December 2007.

[79] Australasian Retail Credit Association, Submission PR 352, 29 November 2007.

[80] Optus, Submission PR 532, 21 December 2007. The AFC stated that, in any case, credit scores are not generally retained on the records of a credit reporting agency or credit provider beyond the time a credit application is approved or declined: Australian Finance Conference, Submission PR 398, 7 December 2007.

[81] ANZ, Submission PR 467, 13 December 2007.

[82] GE Money Australia, Submission PR 537, 21 December 2007.

[83] Australian Finance Conference, Submission PR 398, 7 December 2007.

[84] GE Money Australia, Submission PR 537, 21 December 2007.

[85] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[86] Veda Advantage, Submission PR 498, 20 December 2007; HBOS Australia, Submission PR 475, 14 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007; Australian Finance Conference, Submission PR 398, 7 December 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007.

[87] Australasian Retail Credit Association, Submission PR 352, 29 November 2007. See also National Australia Bank, Submission PR 408, 7 December 2007.

[88] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [55.44].

[89] Consumer Credit Legal Centre (NSW) Inc, Submission PR 255, 16 March 2007; Consumer Credit Legal Centre (NSW) Inc, Credit Reporting Research Report (2007), rec 23.

[90] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[91] Ibid. Automated decision review mechanisms are discussed in Ch 10.

[92] Rec 54–9.

[93] Rec 58–3.