An increase in breaches
Banks reported 19,766 Code breaches for the six-month period. Combined with the 20,863 breaches for the previous reporting period, this amounts to over 40,000 breaches of the Code for the year – July 2019 to June 2020. This represents a 160% increase in the number of breaches reported when compared to 15,597 for the 2018–19 period.
While a small percentage of this increase can be attributed to the additional Code obligations that came into effect in 2019 and six new subscribers, banks have explained that the main reason for the larger number of breaches is increased awareness and monitoring of Code compliance, and improvements to risk culture.
The BCCC has for many years viewed increased breach reporting as a positive development, and commended banks for their efforts to identify problems and fix them. It appears that Code compliance is more and more becoming a central part of banks’ overall compliance and risk management systems, as well as becoming embedded in staff communications and training.
However, there will come a time when the BCCC, and the broader community, will expect banks to have gained sufficient insight from this breach data to prevent compliance incidents from happening in the first place. The data indicates that in some areas, such as privacy and confidentiality, large numbers of breaches have been reported for many years and the BCCC will expect to see a significant decrease in the number of reported breaches. For other Code obligations, for example taking extra care with customers experiencing vulnerable circumstances, breaches may continue to increase as banks continue to improve compliance monitoring practices and strengthen staff awareness of their commitments.
The BCCC cannot predict when the tipping point will come and the total number of breaches will start to decrease, but when it does it will be a welcome demonstration that banks are meeting the high ethical standards set out in the Code. The BCCC recently published its Report on Building Organisational Capability, which provides banks with guidance as they shift from building robust systems to detect breaches, to building more robust systems to prevent breaches.2
What are banks self-reporting?
As with the BCCC’s previous compliance reports, we have analysed and reported on breaches of the 10 ‘Parts’ of the Code and provided an analysis of trends and the nature of breaches of Chapters and obligations within these Parts. Banks reported notable increases in the number of breaches under Part 4 Inclusive and accessible banking, which includes the obligation to take extra care when dealing with a customer experiencing vulnerable circumstances, and Part 6 Lending to small business. However, Part 2 of the Code continues to account for the largest number of breaches.
COVID-19 related breaches
The BCCC would be remiss if it did not address the impact of the COVID-19 pandemic upon banks’ compliance with the Code. For this report we have assessed breach incidents that were reported as, or appear to be, a direct result of conditions created by the pandemic.
Some banks reported an increased workload and resourcing issues as a direct cause of some breaches. Other breaches point to ongoing work that may need to be addressed by banks, such as privacy concerns with staff working from home.
However, COVID-19 does not appear to have significantly affected banks’ ability to comply with the Code when it is considered in the context of the overall impact of the pandemic on the Australian economy, customers’ lives and livelihoods and banks’ business operations.
Scams and fraud
While the Code does not contain any specific provisions related to scams and fraud, banks play a crucial role in protecting customers from the predatory behaviour of scammers and criminals.
Banks reported a number of significant and upsetting scam and fraud events that were often recorded as breaches of obligations relating to privacy and confidentiality provisions, taking extra care when dealing with customers experiencing vulnerable circumstances, or staff training and fair and reasonable conduct.
Our main intention in highlighting these incidents in this report is to indicate where banks’ real-time monitoring and systems controls could be improved to protect customers at risk.
Data consistency and quality
As the BCCC confirmed in its previous compliance data report, there can be a wide variance between banks in terms of the quality and consistency of the data provided in their responses, and we remain concerned that if banks apply different standards in monitoring, detection and reporting of Code breaches it makes the data less reliable and reduces transparency.
The BCCC is engaging with the Australian Banking Association (ABA) as it works with its member banks to understand the causes of data quality and consistency issues. The BCCC welcomes this work by the ABA and anticipates that it will lead to more streamlined and reliable breach data reporting in the future.
Ian Govey AM
Banking Code Compliance Committee
Download a copy of the full report – BCCC Report: Compliance with the Banking Code of Practice – January to June 2020 (598KB, PDF)
1 Further information about the Banking Code Compliance Statement is provided on Page 6 of this report and in the BCCC’s Guidance Note 1: Breach Identification and Reporting, published in September 2019