Finance companies: credit check compliance under the Privacy Act 2020
Running credit checks through Centrix or Equifax? Every lookup creates IPP3A obligations that most finance companies are not meeting.
Finance companies and lenders are among the heaviest users of third-party data in New Zealand. Credit checks through Centrix, Equifax, and illion are a standard part of the lending process. But each of those checks triggers obligations under the Privacy Act 2020 that many lenders are not meeting.
The obligation
When a finance company runs a credit check, it is collecting personal information about the applicant from a source other than the applicant. IPP3A requires the agency to take reasonable steps to ensure the applicant is aware of that collection, unless a statutory exception applies. The collection does not have to be secret to be non-compliant; it only has to be one the applicant was never told about.
Common misconceptions
"The credit application form covers it." Maybe, but only if the form names the credit reporters whose data will be accessed, the type of information that will be collected, and the purpose of the collection. A generic "we may conduct background checks" clause is unlikely to satisfy IPP3A.
"The Credit Reporting Privacy Code covers it." The CRPC governs what credit reporters can do with the data they hold. It does not remove the IPP3A obligation on the agency that requests the check.
"The borrower consented to the loan application." Consent to a loan application is not the same as awareness that personal information about the applicant is being collected from third-party sources. IPP3A is a transparency obligation: it turns on whether the applicant was made aware of the collection, not on whether they agreed to something else.
The audit trail problem
When the Office of the Privacy Commissioner (OPC) investigates, it wants to see evidence, for each individual credit check, that the applicant was properly notified (or that consent was obtained). If your system does not record which pathway applied to each check, and when, you cannot produce that evidence after the fact, and reconstructing it from loan files and email threads rarely convinces an investigator.
Building compliance in
DEIS allows finance companies to connect their credit bureau integrations and capture the IPP3A pathway for every check at the moment it runs. The resulting evidence is timestamped, immutable, and exportable per check, which is the form the OPC asks for it in.