As the Chair of the Banking Code Compliance Committee (BCCC), I am pleased to present our latest report on compliance with the Banking Code of Practice (Code).
We require subscriber banks to report on their compliance with the Code every six months. This report covers the findings for July to December 2021.
An overall increase in breaches
We saw a 19% increase in breaches from July to December 2021. Banks reported 24,467 breaches in this period, up from 20,605 breaches in the previous six-month period.
The increase was largely driven by Major Bank 4, which had an 86% rise in breaches. It reported 3,973 breaches in this period, up from 2,131 breaches in the previous period.
Major Bank 3 reported a 29% increase, up from 4,054 to 5,231. Major Bank 1 reported a 12% increase, up from 5,935 to 6,664.
These banks largely attributed the increase in breaches to:
- ongoing investment to improve the identification, recording and reporting of breaches
- manual processes relating to COVID packages and hardship applications that are not automated into relevant systems
- challenges in meeting notice and communication inquiries under the Code with the expiry of the COVID-19 Special Note.
Seven other banks also reported increases in breaches this period: Bank A, Bank B, Bank C, Bank D, Bank G, Bank I and Bank J. Although the banks differed this time, there were also seven banks that reported increases in the previous reporting period.
Decrease in breaches for some banks
It was a different story for some, however. One of the major banks and five other banks reported a decrease in breaches for this period.
Major Bank 2 reported a 2% decrease in breaches, coming down from 6,413 to 6,313. This bank attributed the decrease to a simplified operating model, changes in technology and process, and improved understanding of breaches among staff.
Banks E, Bank F, Bank H, Bank L, and Bank M were the others to report decreases in breaches this period.
Our data also found that Bank K reported the same number of breaches this period as it did in the previous period, and Bank N reported no breaches in July to December 2021.
Fluctuations in breaches
Since the inception of the BCCC and the 2019 Banking Code, the number of breaches reported by banks has fluctuated. In the first half of 2020, banks reported an overall decrease of 5% in breaches. This, however, was overshadowed by the 16% increase in the second half of the year.
We saw a similar result in 2021: the first half of the year saw a 10% decrease in breaches before the second half revealed a 19% increase. With the Code now more than three years old, we would like to see the breaches stabilise in a downward trend, with a greater focus on prevention.
Most banks attributed the increase in breaches to improved identification and reporting. Banks have been working to improve their compliance frameworks, systems and processes. We know that the improved monitoring has also been prompted by enhanced breach reporting obligations from ASIC.
We welcome banks’ ongoing efforts to build their capability to identify and address non-compliance. We expect banks will soon move beyond this consolidation phase with a stronger focus on preventing breaches. This should result in breach numbers coming down over time.
The effect on customers
From July to December 2021, banks provided details for a sample of 3,304 breach incidents.1 These breaches affected more than 13 million customers2 and had a financial impact of more than $69 million.3 In the last reporting period, banks reported 2,803 incidents, which affected more than 2 million customers and resulted in over $56 million in financial impact.
The sample of breach incidents indicates almost 11 million more customers were affected in this reporting period compared to the previous one. And this resulted in an increase of more than $13 million in financial impact.
No doubt the significant regulatory reform of 2021 has played a role here. However, the increase in breaches and the resulting effect on customers demonstrates that there is more work for banks to do.
I encourage all banks to note the feedback we provide them individually – this feedback is a valuable source of guidance on improving compliance with the Code. And just as important are the recommendations and good practice in our inquiry reports, especially the BCCC Building Organisational Capability report.
Impact of COVID-19 on compliance
During this reporting period, a COVID-19 Special Note was in effect, in recognition that the COVID-19 pandemic may affect the timely provision of banking services. The Special Note provided flexibility by exempting reporting of certain timing requirements as breaches. The Special Note was in place during this reporting period from 1 July to 1 September 2021.
Two major banks, out of the 18 banks, reported that they relied on the COVID-19 Special Note in this reporting period. These banks reported incidents that would have ordinarily constituted breaches.
Some banks attributed part of the overall increase in breaches observed during this reporing period to the continued impact of COVID-19 and the expiry of the COVID-19 Special Note. Banks reported an increased volume in COVID-19 packages and hardship applications, followed by further delays and increased complaints due to COVID-19 packages and hardship applications requiring manual tailored solutions.
Furthermore, banks reported higher staff turnover rates due to COVID-19, resulting in errors and increased breaches while new staff were being trained.
Improving data reporting
We continue to engage with the Australian Banking Association (ABA), Australian Securities and Investments Commission (ASIC) and banks on ways to streamline reporting requirements and the guidance needed to improve the consistency and quality of reporting.
We hope to achieve a more consistent approach to breach reporting that will align the reporting capabilities of banks with our monitoring and reporting objectives.
We have developed a comprehensive project plan that will look to address issues of reporting. It will help us to improve the process for banks, resulting in quality data and information and, ultimately, better outcomes for customers.
We are also engaging with ASIC and the Australian Financial Complaints Authority to explore the possibility of increased data sharing. However, this is a long-term project that will take time.
Ian Govey AM
Banking Code Compliance Committee
1 As well as reporting the total number of breaches in a period, banks must provide details of a sample of breaches that met certain criteria.
2 The number of impacted customers is based on the banks’ estimate of the sample of incidents provided for this reporting period. This may include duplication in reporting. For instance, the same customer could be impacted by one or more incidents.
3 The financial impact is based on the banks’ estimate of the sample of incidents provided for this reporting period. This may include financial impact on both the customer and banks.