What are banks self-reporting?
Banks reported 20,863 Code breaches for the six-month period. These breaches affected at least 4.4 million customers and had a financial impact of more than $100 million.
Privacy and confidentiality remains the most commonly breached Code obligation. In a change from previous reporting, the second highest category of Code breaches is now Chapter 4, which includes banks’ obligations to train staff to understand the Code and engage with customers in a fair, reasonable and ethical manner.
Table 1. Top 6 Code Chapters breached
Banks’ reporting about how they remediate customers has continued to improve on previous periods. They provided remediation details for approximately 97% of Code compliance incidents.
An increase in breaches
For the 2018–19 12-month period, banks reported 15,597 breaches. The 20,863 breaches identified between July and December 2019 represent a significant increase in reporting. This increase raises complex questions for the BCCC – does the increase mean that some banks are finally taking on board previous feedback about under-reporting Code breaches? Or is the increase a cause for concern – is there a growing trend of more customers not receiving the full protection that the Code provides?
The Committee has long held a view that some banks continuously under-report on their compliance with the Code. We are still unable to conclude definitively whether the increase in breaches reported each year represents a deterioration in bank conduct, or is a demonstration that banks are better able to identify and fix problems. The Committee considers that the latter remains the more likely explanation.
In our Report on Banks Transition to the 2019 Code, published in November 2019, the BCCC noted:
Banks’ compliance frameworks may not currently be mature enough to comprehensively monitor Code compliance from 1 July 2019 to the BCCC’s satisfaction. Banks’ responses often indicated that they would be continuing to amend their controls and compliance frameworks post 1 July 2019, particularly for small business, vulnerability and financial difficulty obligations.
This raises a concern that non-compliance may go undetected in the interim and remain that way until banks have improved their Code monitoring controls.
With this increase in breaches, the BCCC is encouraged that some banks are making progress. Banks often explained that the increases in reporting were the result of efforts to increase awareness and monitoring of Code compliance, and improve risk culture.
Nevertheless, it is worth noting that the overall increase in breaches for this period is due to significant increases reported by just two banks, which account for 72% of the total number of breaches.
These banks have explained that their revised approach to reporting is largely in response to guidance and feedback provided by the BCCC. The BCCC requires banks to consider all Code obligations when conducting any compliance assessments and not just those that are aligned to existing legislation or regulation. In addition, while we recognise that banks may report legislative or regulatory breaches to regulators based on an assessment of a breach’s significance or materiality, the Code and BCCC Charter make no reference to such thresholds – banks are required to record all Code breaches.
We strongly encourage all banks to make sure they are taking this approach and ensure compliance frameworks enable them to identify, record and report Code breaches.
Data quality concerns
While the quality of data reported is generally better than we have received previously, there remains substantial room for improvement. Now, more than ever, it is important that banks’ data is of a high standard because banks are reporting data every six months. High quality responses reduce the need for the BCCC to seek clarification about data from banks or ask banks to address any data gaps.
Some banks appear to be copying data directly from internal systems without proper curation or regard for reporting requirements. We recognise the BCCC’s reporting requirements are extensive, but the data provided must sufficiently explain what has occurred, and the steps taken to remediate customers and prevent recurrence.
Thorough and accurate breach reporting is a demonstration of a customer-focused culture and a bank’s commitment to embedding the Code. We will pay close attention to whether banks are taking their obligations seriously and we strongly encourage banks to ensure that sufficient resources and time are applied to the BCCC’s reporting requirements.
We have provided banks with additional time to respond to the next Compliance Statement, to ensure banks can focus on supporting customers during the COVID-19 pandemic. In addition, we have reduced the scope of the information we will request under the next Compliance Statement.
The BCCC will provide individual feedback about data quality issues to relevant banks. Banks should ensure the issues are addressed for future reporting.
Ian Govey AM
Banking Code Compliance Committee
Download a copy of the full report – BCCC Report: Compliance with the Banking Code of Practice – July to December 2019 (880KB, PDF)
Guidance Note No. 1: Breach Identification and Reporting, September 2019
Guidance Note No. 2: Clause 10 – fair, reasonable and ethical behavior, November 2019