RBA Securitisations Industry Forum

Availability Requirements for Loan-level Data

Following discussions with the Office of the Australian Information Commissioner, some interim adjustments to the Bank's data availability requirements for repo eligibility of marketed asset-backed securities (ABS), in particular residential mortgage-backed securities (RMBS), are being made permanent. The revised arrangements seek to promote transparency in the ABS market by giving potential access to relevant information to parties who require it to evaluate ABS for investment purposes, or for professional or academic research purposes (permitted users), while providing heightened privacy protection for some particularly sensitive data sets. The following replaces the changes to data availability requirements for repo eligibility of marketed securities notified on the Securitisation Industry Forum website on 25 June 2015:

• Information providers will not be required to make available to permitted users on a loan-level basis the following fields: Income (RL090), Non-primary Borrower Income (RL092), Offset Account Balance (RL018) and Default Balance (RL050). Information providers will, however, have to provide this information to permitted users on a pool level basis. An example template can be found in ‘Related Information’.
• Similarly, data on Claims submitted to LMI (RL058), Claims paid by LMI (RL059), Claims denied by LMI (RL060), Claims pending with LMI (RL061) and Account Status (RL049) will not be required to be made available to permitted users on a loan-level basis. However, this information will be required to be aggregated at a postcode level and re-produced in the postcode level summary template. An example of the template can be found in ‘Related Information’.
• Loan-level information on Restructuring Arrangement (RL046) and Bankruptcy Flag (RL082) will also not be required to be made available to permitted users. However, aggregate information will be required to be made available on a summary pool level basis. Information on Savings Verification (RL105) will be provided on a loan-level basis.
• Information on Credit Score (RL086), whether at a loan-level or an aggregate level, will not be required to be made available to permitted users for the time being. This is because this data field relates to externally derived credit scores, for which only very limited data are currently available. The Bank will review the status of this field, and the potential for information providers to make available to permitted users other important risk metrics such as debt serviceability, by the middle of next year. The Bank's review will be undertaken with a view to improving the comparability and completeness of the data that are made available to permitted users.

The Bank has previously recommended that information providers enter into an agreement with each permitted user that, in addition to non-disclosure obligations, clearly identifies and limits the purposes for which the permitted user may use the loan-level data to which they receive access, and requires the permitted user to implement measures to ensure that the loan-level information (which is de-identified) is not re-identified. Information providers will make the form of these agreements available to permitted users through the relevant part – normally the Investor Centre – of their websites. 

As the Bank has previously indicated, it expects that information providers will adopt a process to determine whether to approve a request by an entity for access to loan-level data taking into consideration the proposed recipient's status in relation to securitisation transactions, ability to comply with a non-disclosure agreement of the sort referred to above, and implementation of security controls to prevent unauthorised access to, or loss of, the loan-level data. The Bank is supportive of information providers taking a risk-based approach to these matters.

The Bank recognises that a risk-based approach may take into account whether an entity is subject to the Privacy Act 1988 or an equivalent foreign law and, where it is not, the extent to which the entity is willing to provide additional undertakings to adopt, or that reflect, the Australian Privacy Principles.  However, information providers are reminded that the de-identification of loan level data, together with the measures referred to above, are designed to ensure that the data do not at any stage become re-identified and hence personal information.

The Bank supports and encourages the implementation of appropriate safeguards by information providers in order to manage any privacy risks associated with their disclosure of loan-level information to permitted users, but expects safeguards to be proportionate to the relevant privacy risks.

Finally, the Bank expects information providers to work with academic organisations to arrange for the loan-level data to be able to be made available to relevant academics in a secure environment, with an appropriate approval process established to govern access to the information.