I am pleased to present the Banking Code Compliance Committee’s (BCCC) latest report on Code subscribing banks’ (banks) compliance with the Banking Code of Practice (Code).
The BCCC requires banks to report on their compliance with the Code every six months. This report covers banks’ self-reported breach data from January to June 2021.
A separate report in relation to comprehensive Part B data provided for the first time in full by banks for the 2020-21 reporting period will be published at a later date.
An overall decrease in breaches
Banks reported 20,605 breaches for the period, approximately a 10% decrease from the previous six-month period where they reported 22,876 breaches.
The decrease in breaches was largely driven by Major Bank 1 reporting a 38% decrease, from 10,370 to 6,413. As reported previously, this bank said its monitoring and reporting systems for Code compliance have matured so that it is confident it is detecting every Code breach, and is now re-allocating resources to preventing breaches.
Major Bank 4 reported a 10% decrease from the previous reporting period, from 2,357 to 2,131.
Seven other banks (Banks A, B, C, E, H, J, K) reported a decrease in breaches compared to the previous reporting period.
Increase in breaches for some banks
Major Bank 2 reported a 50% increase in breaches from the previous reporting period, from 3,945 to 5,935. This bank reported that ASIC’s more stringent reporting requirements, along with maturing compliance regimes and the ongoing effects of the pandemic, drove increases in monitoring and therefore detection.
Major Bank 3 reported a 5% increase from the previous reporting period, from 3,863 to 4,054.
Six other banks (Bank D, F, G, I, L, N) reported an increase in breaches compared to the previous reporting period, while two other banks (Bank M, N) reported the same number of breaches for both periods.
While the overall 10% decrease is a positive development, there is further work to be done and room for improvement.
One bank reported a large drop in the number of its privacy breaches. Based on feedback we provided in previous reporting periods, the bank improved some of its systems and staff awareness, leading to a drop in both the number and seriousness of privacy breaches.
As with the large reduction in breaches reported by Major Bank 1, these results show the value of the BCCC’s breach data collection and reporting. I encourage all banks to note the feedback we provide them individually, as well as the improvements being made by their co-subscribers.
Impact of COVID-19 on banks’ compliance
As with our previous reports, published in April and August 2021, COVID-19 and its impact on banks and their customers was a key focus for the BCCC.
The COVID-19 Special Note remained in place for this reporting period. The BCCC required banks to provide information about instances that would have constituted breaches of the timing requirements under the Code but for these exemptions. Five banks reported 1,481 incidents which may have constituted breaches if not for the exemptions, a significant reduction on the 4,651 incidents reported in the previous period.
Several banks reported breach incidents where customers on COVID-19 deferral packages, or customers who had exited the packages, were not quarantined from other bank systems. For example, many customers were sent default notices or were referred to banks’ recovery departments while they were on a deferral package. Many customers who had exited the deferrals remained on banks’ hardship systems.
These errors would have caused distress to the customers involved and may have impacted their credit ratings.
Our analysis of these incidents indicates that overall banks worked hard to assist customers affected by the pandemic and rapidly deployed human and IT resources to that end. However, many of their internal systems were not concurrently updated.
Improving data reporting
The BCCC is continuing to engage with the Australian Banking Association (ABA) and banks about ways to streamline reporting requirements and develop additional guidance to improve the consistency and quality of banks’ breach data.
Breach data was examined in both the Banking Code and BCCC Reviews. The BCCC will consult with stakeholders in relation to the recommendations made on this issue.
Ian Govey AM
Banking Code Compliance Committee