Vulnerable consumers and preventing harm or abuse
The CDR Rules contain various provisions that allow data holders to not comply with specified CDR Rules where this is considered “necessary to prevent physical, psychological or financial harm or abuse”. For example, in these circumstances a data holder may:
- refuse to make a disclosure (r 3.5 and r 4.7)
- refuse to ask for an authorisation or an amendment to an authorisation (r 4.7)
- not comply with a provision of Part 4A (r 4A.15, e.g. making a disclosure from a joint account without seeking the approval of a particular joint account holder or displaying common information on the consumer dashboard)
These provisions apply where the data holder has identified any person (r 4A.15; r 5.10(3)(a)) who is at risk of “physical, psychological or financial harm or abuse” (this implies the application of these provisions is not limited to account holders, secondary users, or persons with account privileges).
Treatment of historical information when a vulnerable customer flag is removed
The CDR Rules regarding prevention of “harm” or “abuse” to individuals (3.5(1)(a), 4.7(1)(a), 4A.15 and 5.10(3)(a)) do not specify what action should be taken where a consumer no longer identifies as “vulnerable”, including in relation to the treatment of historical information (e.g. information such as what disclosures the previously vulnerable person authorised). The Explanatory Statement to the Rules suggests (at paras 76 and 340) that these provisions have been introduced to “accommodate existing procedures a data holder may have to protect consumers”. As such, data holders may be guided by existing internal procedures, provided they are not inconsistent with the CDR Rules or Data Standards.
Information relating to a consumer’s vulnerability can be very sensitive. Consistent with the Rules, data holders should consider whether a particular action would create a real risk of harm or abuse to an individual (whether or not the individual currently identifies as vulnerable).
As noted above, the Explanatory Statement for the Principal rules states that the prevention of harm or abuse provisions are intended to “accommodate existing procedures a data holder may have to protect consumers, for example, particular account arrangements relating to consumers who may be experiencing family violence”.
Data holders can also refer to the information at paragraph 11 of the ACCC’s Joint Account Guidance to develop an approach for dealing with vulnerable consumers.
Data holders should seek their own advice as to whether steps taken in particular circumstances to avoid harm or abuse comply with the rules.