This report provides Code-subscribing banks’ (banks) senior leaders with guidance on how to build organisational capability to improve compliance with the Banking Code of Practice (the Code).

The Banking Code Compliance Committee’s (BCCC) recommendations in this report are focused on the steps banks should take to make compliance with the Code a core part of its strategy and culture. Banks can achieve better and more consistent outcomes for customers by developing an integrated approach to Code compliance.

The BCCC is concerned that too often banks identify ‘human error’ as the cause of Code breaches without establishing, recording or acting on the ‘root cause’ of the problem. When a breach occurs for which ‘human error’ is to blame, it is often the case that staff conduct or actions have been influenced or constrained by internal systems, processes, technology, training and/or organisational culture. 1

The BCCC commissioned Deloitte’s Human Capital team to research how banks can best equip, support and enable staff to comply with the Code, and build organisational capability within a banking context.

Deloitte conducted extensive research, including engagement with banks through an industry-wide survey, a series of focus groups and interviews to gather perspectives from employees at various levels within banks. The BCCC appreciates the candid feedback banks provided to support this research.

The research identified industry challenges, opportunities for improvement and good practice with respect to compliance capabilities. This enabled Deloitte to provide the BCCC with findings about which key factors influence organisational capability for Code compliance.

This BCCC report is informed by Deloitte’s research findings and contains five key capability areas and recommendations for improved industry practice.

The BCCC considers this to be a ‘live document’ and expects banks to demonstrate how they have considered the report’s recommendations to improve Code compliance capabilities and customer outcomes when responding to future BCCC monitoring activities.

Key capability areas and recommendations for better practice:

  1. Communication strategy
  2. Learning and development
  3. Systems, processes and technology
  4. Culture
  5. Enhancing capability through robust compliance frameworks

For each key area the report contains insights from industry participants to Deloitte’s research on what banks are currently doing well and where they face challenges, along with better practice recommendations.

The recommendations should be viewed holistically – an impactful communication strategy, effective learning and development, and designing all systems, processes and technology with the needs of customers and employees at their centre – are all inevitably underpinned by an organisation’s culture and a mind-set of continuous improvement and delivering good customer outcomes.


An effective communication strategy is one that ensures employees within a bank understand the intent and importance of processes related to the Code’s customer protections. Ultimately, it is how staff ‘feel’ about the message that will gain their commitment.2  Effective communication should promote a customer-centric approach to all decision-making, proactive escalation of customer issues and encourage the reporting of compliance concerns. Communications should extend to all staff that directly and indirectly influence customer outcomes and organisational culture, including employees responsible for the design and distribution of products, systems, process, remuneration structures and talent acquisition. Messaging should be cascaded by those at the very top with sentiments reiterated down through senior leaders, middle management, and team leaders.

Better practice recommendations:

  • Deliver impactful and consistent messaging from the top down that highlights the importance of the Code commitments to successfully shift behaviours
  • Engage staff with compelling narratives and storytelling that resonates with their business unit and respective roles
  • Use breach data to guide topics for discussion in relevant team meetings, encouraging open communication by staff about real-life Code compliance case studies and learnings
  • Use a range of communication channels to ensure the message is heard by all staff.


Learning and development are crucial for ensuring Code competency among all staff within an organisation. Education about the Code should go beyond awareness. It should also educate staff right across the business about the Code’s role in the consumer-protection framework, and the importance of all staff meeting their Code obligations to customers. It should also educate staff about how to escalate, report and manage incidents/Code breaches and why these steps are important to the bank and its customers. Learning and development should be engaging and relevant to employee roles to be effective in the long term.

Better practice recommendations:

  • Code training should educate staff on the Code’s role in the consumer protection framework and the real impact that staff can have on customer outcomes
  • Continuously iterate and improve staff training programs to close knowledge gaps identified by trends in the banks’ breach data
  • Establish a central repository for all staff to access supporting resources they need to do their jobs.


Systems, processes and technology form an essential part of a bank’s compliance framework. When effectively implemented, they support and guide employees to have the right customer conversations and comply with the Code obligations. They enable Code breaches to be prevented and detected, reported and remediated, and they ultimately enhance customers’ experience with the bank. All systems, processes and technologies designed for Code compliance should have the needs of both the customer and the employee at their centre.

Better practice recommendations:

  • Develop an organisation-wide design objective that puts good customer outcomes and employee compliance at the centre of all products, systems, processes and technologies
  • Test and iterate processes and products using human-centred design in pursuit of continuous improvement
  • Consolidate data from multiple channels on a central platform to get a holistic view of Code compliance and to ensure all breaches are captured
  • Integrate learning and technology in a way that increases employee engagement, self-guided learning and compliant outcomes
  • Develop and adopt real-time reporting and analysis to proactively prevent and detect Code breaches.


Regulators and the community at large expect banks to embed a strong organisational culture that champions fairness, honesty and transparency above all else. Good organisational culture ensures that staff behaviour is not guided by misaligned incentives and conflicts of interest and can be summed up as ‘doing the right thing’ even when no-one is watching. It consistently puts the spirit of the Code at the centre of decision-making, behavioural expectations, and empowers staff to take ownership of achieving the right customer outcome.

Better practice recommendations:

  • Reinforce a culture that links employee compliance to clear customer outcomes and fosters a continuous improvement mindset
  • Review reward and recognition programs to link employee performance and incentives to positive customer outcomes and avoid creating incentives that undermine those outcomes
  • Bridge the gap between different bank functions through formal and informal feedback loops
  • People leaders should model the desired behaviours and expectations that demonstrate a customer-centric approach and the spirit of the Code
  • Create relationships between banks to share success stories and best practice.


Deloitte has developed ‘compliance capability tools’ that banks can use to benchmark their own compliance frameworks, to help:

  • Strengthen their own compliance frameworks
  • Improve their processes for identifying and addressing the root causes of Code breaches
  • Enable and support employees across the business to understand their Code obligations, recognise when Code breaches occur and report them promptly
  • Remediate Code breaches and prevent them from recurring.

Download a copy of the full Report – (683KB, PDF)

1 The issue was first identified by the Code Compliance Monitoring Committee (CCMC) from banks’ responses to the 2017–18 Annual Compliance Statement. Banks reported that the overwhelming majority of Code breaches – 93% – were attributed to human error. This trend continued in subsequent periodic self-reporting of banks’ compliance data.

On 1 July 2019 the CCMC transitioned to the BCCC to coincide with the release of the Banking Code of Practice.

2 Setting the Tone from the Top, Melinda Muth and Bob Selden, 2018 https://aicd.companydirectors.com.au/-/media/cd2/resources/director-resources/book-store/pdf/setting-tone-from-top-preview-pages.ashx