[Previous] [Next] [Title]

13. Financial services privacy

Chris Connolly, 23 May 2001

Note: this Reading Guide only covers Australian issues as yet.

13.1. Overview of financial services regulation

In the "Post Wallis Regime" (the period following the completion of the Wallis Inquiry in 1997) general regulation of financial services is now within the jurisdiction of the Australian Securities and Investments Commission. However, the ACCC and state Fair Trading Agencies maintain a role in credit, and the Privacy Commissioner maintains a role in Credit Reporting.

Privacy issues in financial services can be addressed by a number of means:

13.2. Common Law

Bankers have a special duty of confidentiality. It arises from Tournier's Case (Tournier v National Provincial & Union Bank of England [1924] 1 KB 461). The facts in that case were that Mr Tournier's account had become overdrawn. He made an arrangement with the bank manager to pay an extra one pound per week, but also missed these payments. The bank sought to contact Mr Tournier at his workplace. During a discussion with Mr Tournier's employer the bank manager revealed that he was in debt and also that he suspected Mr Tournier was a gambler as he had written several cheques to bookmakers. Mr Tournier lost his job, sued for breach of contract, and not surprisingly succeeded in his claim for damages.

The duty was determined to arise as a matter of contract and is qualified by four exceptions:

In practice, this duty is not used by plaintiffs in the Australian courts. Rather, the Australian Banking Industry Ombudsman (ABIO) attempts to apply this common law duty in its consideration of complaints.

The ABIO Bulletin No. 28 (March 2001) [not available on the web] describes the types of complaints which arise concerning breaches of confidentiality:

"In some cases the information disclosed included the customer's name and telephone number and was disclosed under the terms of arrangement with the third party with the intention that the customer be contacted by telephone. In another case the information disclosed was limited to the customer's telephone number and postcode.

Some of the purposes of contact were: to conduct market research about the particular bank's customer service; to promote and insurance policy developed with the particular bank's related life company; and to promote an insurance policy developed by the particular bank with an unrelated insurance company.

In some cases a person other than the account holder was taken to have consented to the commencement of an insurance policy on the account holder's behalf and some insurance premiums were debited to the account holder's account."

The ABIO note that one of the banks involved in the behaviour outlined above attempted to rely on the exception in Tournier that "disclosure is in the interests of the bank". The ABIO rejected this defence and note that the defence is limited to actions required to protect the bank's legal interests.

The ABIO notes that it has awarded damages for breaches of confidentiality in the range $200 to $10,000.

13.3. Credit reporting (Part IIIA etc)

13.4. Other Regulation

13.4.1. Financial Services Reform Bill 2001

The Financial Services Reform Bill 2001 completely revises the regulation of financial services. It establishes new uniform licensing and disclosure regimes and provides new enforcement powers to the Australian Securities and Investments Commission. It forces all financial service providers to belong to an approved industry complaints scheme. However, the legislation does not specifically cover privacy.

13.4.2. Codes of Conduct

Codes of conduct continue to apply in financial services, although their role is significantly diminished following the introduction of the far-reaching Financial Services Reform Bill. Individual Codes are discussed in more detail below. These codes will usually include privacy provisions.

13.4.3. Privacy (Private Sector) Amendment Act 2000

The new private sector privacy laws apply to financial services in the same way as they do to other businesses. The main discussion point in relation to financial services has been the related bodies corporate exception.

Under s13B financial institutions will be able to pass information to and collect information from related bodies corporate. However, the receiving body corporate must abide by the primary purposes identified by the body corporate which first collected the information.

The ABIO Guidelines therefore note:

"If a bank does pass customer information to its insurance arm, the primary purposes which govern how the insurance arm can use the information are those which the bank identified at the time of collecting the information from the individual. The insurance arm cannot automatically start marketing insurance products."

Other areas of areas of concern in financial services are the access and correction principle NPP 6 (which the banks fought hard to ensure excluded access to commercially sensitive evaluative material) and the anonymity principle NPP 8.

13.4.4. Financial Transactions Reporting Act 1988

The Financial Transactions Reporting Act 1988 covers the reporting requirements relating to specific financial transactions which are the subject of monitoring by AUSTRAC in its work to combat money laundering. They also establish the identification requirements for opening a bank account.

Briefly, the Act requires records to be kept of suspicious transactions, cash transactions over $10,000 and all international wire transfers.

13.5. Codes of Conduct

13.5.1. EFT Code of Conduct

The Electronic Funds Transfer Code of Conduct is the main regulatory instrument in Australia for providing consumer protection in electronic payment systems. However the existing Code is limited in scope because it contains a technology specific definition of which transactions are within the Code's jurisdiction:

"Transactions intended to be initiated by an individual through an electronic terminal by the combined use of an EFT card and a personal identification number (PIN)."

The Code has therefore been the subject of a lengthy review, chaired by the Australian Securities and Investments Commission. The EFT Code review working group issued two discussion papers and a final version of the revised Code was published on April 1, 2001.

The revised EFT Code covers any business to consumer electronic transfer of value. Business to business electronic transfers of value will be excluded where the product being used was intended primarily for business use. An `electronic transfer of value' includes coverage of credit cards in some circumstances, but not where a signature is obtained. It certainly include EFTPOS, ATM transactions, most Internet and telephone banking transactions, direct debits and direct transfers.

Stored value products, such as electronic purses and stored value smart cards, are now included in a new section of the Code - Part B.

Privacy provisions mirroring the new federal privacy legislation for the private sector must be complied with, plus some specific EFT industry privacy guidelines.

While the EFT Code has always been voluntary, it has in the past been a very successful and popular code with both business and consumers - and has achieved a very high rate of industry coverage. It will be interesting to see what proportion of new economy businesses sign up to the Code.

13.5.2. Internet industry Association Code of Conduct

The original draft Code of Conduct was split into two parts in response to the urgent need to register a code of conduct on content issues with the Australian Broadcasting Association following the passage of the Government's amendments to the Broadcasting Services Act in 1999.

A code dealing with content issues was registered with the ABA. The remaining parts of the draft Code, dealing with issues like financial transactions, advertising, privacy and general complaints handling, remain on the IIA web site but have not progressed to a formal adoption stage. No infrastructure has been put in place to administer the Code or receive complaints.

There has been some renewed interest in developing and implementing the Code later in 2001 as a result of the passage of the Privacy (Private Sector Amendments) Act 2000. A draft of a privacy specific IIA code is now under consideration.

13.5.3. Australian Direct Marketing Association (ADMA) Industry Code of Practice

The Australian Direct Marketing Association Industry Code of Practice came into effect in early 2000. It contains a short section on electronic commerce (section D) which repeats in general terms the text of the OECD Guidelines (discussed below).

The most notable provision of the Code is that it allows ADMA members to distribute unsolicited commercial email on an opt-out basis. The Code applies to the marketing of many financial services products.

13.5.4. The Model Code

The Model Code is actually a document titled "Building Consumer Sovereignty in Electronic Commerce - A Best Practice Model for Business". Earlier versions of the document included the words "model code" in the title, and that name has stuck.

The Model Code repeats (and in part develops) the text of the OECD Guidelines on Consumer Protection in Electronic Commerce.

It includes key provisions on:

Advertising - All Internet advertising must be clearly identifiable as advertising. This is an important development as it provides consumers with an opportunity to complain about buttons, services and searches etc. which are really just paid advertisements.

Spam - The Model Code requires consumer "opt-in" before unsolicited commercial email can be used.

The Model Code has no enforcement provisions, complaints process or administrative structure. It is yet to be adopted or implemented by any industry body. In these circumstances it is best seen as a `virtual code' which gives some useful guidance to business, but to date provides no consumer protection.

13.5.5. Code of Banking Practice

The Code of Banking Practice is currently under review. The new version of the Code will include the NPPs.

[Previous] [Next] [Title]