This report summarises banks’ compliance with the 2013 Code in 2018–19. It is based on results from the Annual Compliance Statement (ACS), the primary compliance monitoring activity for the 2013 Code. The ACS enables the BCCC to benchmark banks’ compliance with the 2013 Code, report on current and emerging compliance issues and identify priority areas for future monitoring.
On 1 July 2019, the 2013 Code was replaced by the 2019 Code. This report focuses on the 2013 Code whereas future breach data from compliance statements will relate to the 2019 Code.
The Code Compliance Monitoring Committee (CCMC), the body that monitored compliance with the 2013 Code, was also replaced by the BCCC on 1 July 2019.
Message from the Independent Chair
As the Independent Chair of the Banking Code Compliance Committee (BCCC), it is my pleasure to present this report on Code subscribing banks’ (banks) compliance with the 2013 Code of Banking Practice (the 2013 Code) in 2018–19.
This report sets out the findings from our analysis of banks’ responses to the final Annual Compliance Statement (ACS) under the 2013 Code. The report is an opportunity for the BCCC to both report on industry’s ability to comply with and report on the 2013 Code, and to use these results to assess future challenges as banks transition to the 2019 Banking Code of Practice (the 2019 Code).
While there are indications that reporting has improved since 2017–18, questions remain about banks’ ability to identify, record and report breaches of the Code. A considerable amount of work will need to be done if banks are going to meet the BCCC’s expectations for the new reporting standards of the 2019 Code.
What are banks self-reporting?
The 15,597 Code breaches that banks reported in 2018–19 affected at least 9 million customers and had a financial impact of more than $90 million. Banks reported breaches of 33 different provisions of the 2013 Code ranging from provision of credit (4,066 breaches) to family law proceedings (4 breaches). The total number of breaches is a 54% increase from the previous reporting period, with the number of impacted customers rising by 167%.
Banks also updated the BCCC on breaches that remained under investigation in 2017–18, providing details of both an additional 300,000 affected customers and an extra financial impact of over $110 million.
Banks continue to report the highest number of breaches in privacy and confidentiality and provision of credit. Both obligations saw increases in reported breach numbers since 2017–18.
Two areas that also saw significant increases in breach numbers were internal dispute resolution and financial difficulty. These two areas are now among the top five breach categories. The BCCC has long had concerns about bank compliance in these areas and, considering the significant changes taking place in the regulatory landscape for these provisions, will continue to monitor closely.
In last year’s report, the BCCC challenged banks to take a more proactive approach to remediating breaches, and to place affected customers at the centre of these efforts. Banks appear to have improved in this area, providing details of customer remediation for 76% of breaches, up from 39% in 2017–18. While some banks appear to have gone the extra mile to remediate customers, it is apparent that banks still remediate customers far less often than addressing their own process issues. The BCCC considers that there is more work to be done in this area.
Does this accurately reflect banks’ conduct?
The 2017–18 report raised concerns about banks not sufficiently reporting breaches. In 2018–19, banks reported more breaches and those breaches include a wider range of 2013 Code obligations. It remains unclear whether the rise in breaches reflects increased non-compliance with the Code, or simply better identification and reporting of breaches.
The BCCC considers there is some evidence however of better identification of breaches by banks. This is reflected in certain provisions, such as internal dispute resolution and financial difficulties.
Despite this, the BCCC remains concerned about the quality of some banks’ compliance frameworks and their ability to identify, record and report Code breaches.
Breach numbers for certain provisions remain low and vary significantly from bank to bank. For some provisions, it is unlikely that the low number of breaches reflects industry conduct. Certain banks for instance did not report any direct debit breaches, despite the BCCC’s own independent monitoring indicating that it was highly likely that these banks will have breached the Code at some point in the last 12 months.
The trend of reporting breaches of Code provisions that mirror legislative obligations continued. Examples include the high number of reported breaches of the privacy and confidentiality, provision of credit and debt collection obligations. Few banks report on breaches of the Code’s more nuanced, unique requirements – despite the thousands of customer interactions covered every day by the 2013 Code.
Even for breaches that were reported, the consistency of reported data remains an ongoing area of concern. The BCCC found consistency issues with the recording of complaints, and the number of requests for financial difficulty assistance received and approved. The BCCC will continue to engage with industry and provide further guidance to enhance the level of consistency in all areas of reporting.
The BCCC is also aware that, in some instances where banks have improved breach identification and reporting, this is likely due to banks committing resources to this area for transition to the new Code, or because of inquiries made by the BCCC – not because of ongoing robust risk and compliance frameworks. Inquiries made by the BCCC throughout 2018-19 have led to hundreds of extra beaches being reported in this year’s ACS. The BCCC is concerned that banks would not have identified these issues if not specifically required to do so.
In the Financial Services Royal Commission final report, Commissioner Hayne outlined that the purpose of industry codes was to ‘set standards on how to comply with, and exceed, various aspects of the law’. To ensure that industry codes work effectively, the Commissioner noted that there must be ‘adequate means to identify, correct and prevent systemic failures in applying the code.’
Banks are required to report on every single identified breach of the Code. While this in some ways is an ambitious goal, it is a goal that banks should strive to achieve. The BCCC believes they are falling short.
What does this mean as we transition to the 2019 Banking Code?
This ACS confirms the BCCC’s belief that banks need to make significant improvements to ensure they comply with the 2019 Code, and to accurately report when they fall short of meeting its obligations.
The 2019 Code contains several new provisions not covered in the 2013 Code, and banks have demonstrated here that certain reported practices would continue to be a breach of several new provisions. The BCCC has found this in several of the case studies highlighted in this Report.
The new Code also has more stringent reporting requirements. Banks are required to report information to the BCCC every six months. At this stage, the Committee is concerned about banks’ ability to report timely, accurate data within these timeframes.
The BCCC challenges banks to act quickly to ensure they comply with the new Code, and to record and report in a timely and appropriate manner when they do not.
The BCCC will keep banks focused on breach identification and reporting to ensure they meet the commitments they have made to their customers.
Prof. Christopher Doogan AM FIML FAICD
Banking Code Compliance Committee
 Commonwealth, Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry, Final Report (2019) vol 1, 107.
Download a copy of the full report – BCCC Report: Compliance with the Code of Banking Practice 2018–19 (812KB, PDF)