National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Act 2021

This Act created a mandatory credit reporting regime within the National Consumer Credit Protection Act 2009 and made related changes to the Privacy Act 1988. In practice, it mainly applies to large authorised deposit-taking institutions and any other bodies corporate that are prescribed by regulations and are also credit providers. Eligible licensees must identify eligible consumer credit accounts, supply mandatory credit information to each eligible credit reporting body in staged bulk uploads, and then continue reporting when trigger events occur, such as corrections, new defaults, overdue payments being paid, or new eligible accounts opening after the second relevant 1 July. The regime can extend across a banking group, includes a structured exception where a credit reporting body is believed not to meet information security requirements, and relies mainly on civil penalties for enforcement.

These are plain-English explainers, not legal advice. They are a good starting point, but check the linked official source before you rely on a specific section, and get advice for your situation.

What this Act does

The National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Act 2021 amended the National Consumer Credit Protection Act 2009 and the Privacy Act 1988. Its main practical effect was to create a mandatory credit reporting regime for certain credit providers, rather than leaving comprehensive credit reporting entirely to voluntary participation.

The new regime sits alongside the Privacy Act. It requires eligible licensees to supply specified credit information to eligible credit reporting bodies, first through staged bulk supplies and then through ongoing updates when certain events happen. The Act also introduced later amendments dealing with financial hardship reporting and related matters.

For business readers, the key point is that this is not a general rule for every business that offers payment terms or trade credit. The direct obligations are targeted. The businesses most likely to be affected are large ADIs and any other credit providers specifically brought in by regulations.

Who is in scope

The Act defines an eligible licensee as a licensee that, on 1 July 2021 or a later day, is both:

1. a large ADI, or a body corporate of a kind prescribed by regulations, and

2. a credit provider.

That means the regime mainly captures large authorised deposit-taking institutions and any other prescribed credit providers. It does not automatically apply to all Australian credit licensees, all lenders, or all businesses that extend credit in a broader commercial sense.

The Act also recognises banking groups. In several places, the reporting obligation extends to eligible credit accounts held not only with the eligible licensee itself, but also with members of the banking group of which the licensee is the head company. So a large ADI cannot look only at its own entity-level accounts if the group structure brings other relevant account holders into the reporting perimeter.

Most small businesses will usually be out of scope unless they are specifically prescribed by regulations and are credit providers. Even so, businesses that provide systems, outsourced operations, data handling, or compliance support to an in-scope lender may still need to align their processes with the lender's obligations.

Eligible credit accounts and the information that must be supplied

An eligible credit account is an account that:

1. relates to the provision, or possible provision, of consumer credit,

2. is held by one or more natural persons with a credit provider, and

3. is not of a kind determined by ASIC for exclusion.

This definition matters because the regime is focused on consumer credit accounts held by natural persons. It is not framed as a blanket reporting rule for every account in a lender's systems. The Act also expressly allows ASIC, by legislative instrument, to determine kinds of account that are excluded. Before treating an account population as fully in or out, businesses should check whether any ASIC instrument affects the analysis.

The Act defines mandatory credit information for those accounts as personal information, other than sensitive information, covering these categories: identification information, consumer credit liability information, repayment history information, default information, payment information, and new arrangement information.

There are also timing limits on some historical information. Mandatory credit information does not include repayment history information that came into existence more than 3 months before the first relevant 1 July. It also does not include default information that came into existence before the first relevant 1 July. Those cut-offs matter when planning initial data migration and back-book uploads.

Which credit reporting bodies receive the data

The obligation is not to send data to every credit reporting body in the market. It is to supply information to each eligible credit reporting body for the licensee.

A credit reporting body is eligible for a licensee if either:

1. the agreement referred to in paragraph 20Q(2)(a) of the Privacy Act 1988 between the body and the licensee was in force on 2 November 2017 and the licensee is an eligible licensee on 1 July 2021, or

2. any conditions prescribed by regulations are met.

In practice, businesses should not assume that every CRB is automatically an eligible recipient. The starting point is to review the relevant agreements and then check whether regulations add any further pathways or conditions.

The Act also says the supply requirements must be followed. Supply is only in accordance with the law if it complies with the registered CR code, any ASIC determination about particulars of information, and any ASIC-approved technical standards. If there is an inconsistency between the registered CR code and an ASIC determination or technical standard, the registered CR code prevails to the extent of the inconsistency.

Initial bulk reporting deadlines

The Act uses a staged start.

First, an eligible licensee must supply mandatory credit information for at least 50% of all eligible credit accounts held on the first 1 July on which the licensee is an eligible licensee. Those accounts may be held with the licensee itself or, if relevant, with a member of the banking group of which the licensee is the head company. The deadline is before the end of the 90-day period starting on that first 1 July.

The Act expressly says the licensee may choose which eligible credit accounts make up this 50%. That gives some implementation flexibility, but it does not remove the need to reach the 50% threshold by the deadline.

Second, the licensee must supply mandatory credit information for the remaining eligible credit accounts held on the second 1 July on which it is an eligible licensee, to the extent those accounts were not already supplied to the relevant CRB. The deadline is before the end of the 90-day period starting on that second 1 July, subject to the specific extension mechanics in the Act where an information security exception applies and later ceases.

The Act also makes clear that these obligations apply whether the information is kept in or outside Australia. So offshore data hosting does not, by itself, remove the reporting obligation.

Ongoing trigger points and update obligations

After the initial bulk supplies, the Act requires ongoing reporting when specified events happen and the other statutory conditions are met. The general deadline is before the end of the 45-day period starting on the trigger day, again subject to the Act's exception and later-cessation rules for CRB information security concerns.

The listed trigger events include: the need to correct previously supplied mandatory credit information so that, having regard to a purpose for which the information is held, it is accurate, up-to-date, complete, relevant and not misleading; the payment of an overdue payment about which default information has been supplied; the opening of an eligible credit account after the second 1 July on which the licensee is an eligible licensee; default information coming into existence for an eligible credit account already reported; and any prescribed event relating to eligible credit accounts or the natural persons who hold them.

The Act allows supplies relating to multiple events or multiple trigger days to be made together. That can help with operational batching, but it does not remove the need to stay within the statutory timeframe.

For businesses, this means the compliance task is not just a one-off migration project. It requires an ongoing operating model that can detect trigger events, validate data quality, and push updates to each relevant CRB in the required format.

Information security exception and notice steps

The Act contains a specific exception where a licensee reasonably believes a credit reporting body is not complying with section 20Q of the Privacy Act 1988. This is narrower and more procedural than a general privacy compliance obligation.

For initial bulk supplies, the exception can apply if the licensee reasonably believes the CRB is not complying on the relevant 1 July and on the last day of the 90-day period, continues to hold that belief where required, and gives the required written notices. Those notices must be given to the CRB, with copies to the Information Commissioner and ASIC, within 7 days after the relevant 1 July and again within 7 days after the end of the 90-day period for the final notice.

For ongoing supplies, a similar exception applies if the licensee reasonably believes the CRB is not complying on the trigger day and on the last day of the 45-day period, continues to hold that belief after that period, and gives the required notices within 7 days after the trigger day and within 7 days after the end of the 45-day period.

If the licensee later ceases to hold the belief that the CRB is non-compliant, it must give a further written notice to the CRB, with copies to the Information Commissioner and ASIC, within 7 days after the day it stops holding that belief. The Act also provides timing consequences where the belief changes before the end of the ordinary reporting period.

In practical terms, if a business wants to rely on this exception, it needs a documented decision process, written reasons, and a reliable notice workflow. This is not something to handle informally.

Enforcement and penalties

The Act uses civil penalties as the main enforcement tool for the core reporting and notice obligations. The reporting provisions in the Act impose civil penalties of 5,000 penalty units for contraventions such as failing to make required bulk supplies, failing to make required ongoing supplies, and failing to give required notices when a CRB later complies with information security requirements.

The Act also creates criminal offences for contravening certain supply requirements, with criminal penalties stated in the legislation. However, businesses should not read the regime as mainly criminal in character. For day-to-day compliance planning, the more immediate risk is usually civil penalty exposure, together with the operational and regulatory consequences of defective reporting.

The legislation also places an evidential burden on a licensee that wants to rely on the information security exception in proceedings for a declaration of contravention or a pecuniary penalty order. That is another reason to keep clear records of the belief, the reasons for it, and the notices given.

Financial hardship amendments and commencement dates

The Act commenced in stages. Sections 1 to 3 commenced on Royal Assent, being 16 February 2021. Schedule 1, which introduced the main mandatory credit reporting amendments, commenced on 17 February 2021. Schedule 2 Part 1, dealing with financial hardship amendments, commenced on 1 July 2022. Schedule 2 Part 2 commenced immediately after that, also on 1 July 2022. Schedule 2 Part 3 commenced on 17 February 2021.

The Act includes financial hardship amendments to the Privacy Act 1988. If your business is in scope for consumer credit reporting, you should not treat the mandatory reporting regime as limited to account opening, repayment history and defaults. You should also check the later financial hardship changes and the current CR code settings that support them.

Because this page focuses on the Act itself, businesses should verify whether later legislative instruments, regulations or code changes affect the practical reporting content and format they must use now.

Checks before relying on this page

Before acting on this regime, a business should confirm four things.

First, whether it is actually an eligible licensee. Second, whether the accounts in question are eligible credit accounts, including whether ASIC has excluded any account types. Third, which credit reporting bodies are eligible credit reporting bodies for that licensee. Fourth, what the current registered CR code, regulations, ASIC determinations and technical standards require for the content and method of supply.

If your business is a small lender, fintech, broker platform or service provider, the answer may be that you are not directly subject to the Act's mandatory supply obligations but still need to support an in-scope institution contractually and operationally. That can still involve substantial work on data mapping, security, service levels and incident response.
