Skip to content
Circular Home
Issue 31 - October 2017

An update from the Code Compliance and Monitoring Team

The Code team is a separately operated and funded business unit of the Financial Ombudsman Service (FOS) Australia. We support independent committees to monitor compliance with codes of practice in the Australian financial services industry to achieve service standards people can trust. Find out more about who we are and what we do.

The five committees we currently support are:

  • The Banking Code Compliance Monitoring Committee (CCMC)
  • Customer Owned Banking Code Compliance Committee (COBCCC)
  • General Insurance Code Governance Committee (GICGC)
  • Insurance Brokers Code Compliance Committee (IBCCC)
  • Life Code Compliance Committee (LCCC)

Banking Code Compliance Monitoring Committee

CCMC: Code of Banking Practice development 

In response to the Khoury reviews the ABA has been working with stakeholders to develop and deliver a new Banking Code and Mandate by the end of the 2017 calendar year. As a key stakeholder, the CCMC has met with the ABA on a number of occasions to discuss and provide feedback during this development phase. The CCMC hosted a working group in the last week of September with the ABA and some code subscribing banks to work on the proposed new Charter. The Committee will continue to engage with the ABA as the new Code and Charter are developed and implemented.

CCMC: Annual Compliance Statement (ACS) program
The CCMC has now received all subscribing banks responses to the ACS. The Code team is analysing that data with a view to releasing its finding and trends in the CCMC Annual Report, due for publication in mid-November 2017. The CCMC will also be meeting with all subscribing banks throughout late October to deliver results personally.

CCMC: Inquiry into banks’ compliance with Direct Debit obligations 
In late 2016/early 2017, the CCMC received a number of Code breach allegations from consumers and financial counsellors. These allegations raised concerns that banks were not adhering to the standards set out in Code clause 21. For consumers, the ability to cancel a direct debit via their bank is an important right that gives them control over their finances. When a bank fails to accept or process a cancellation request, the losses to customers can include overdrawing an account, additional fees and charges, dishonoured transactions, and a loss of funds that may have been needed for other purposes.

Code clause 21 states that:

            We will take and promptly process your:

  1. Instructions to cancel a direct debit request relevant to a banking service we provide you; and
  2. Complaint that a direct debit was unauthorised or otherwise irregular.

We will not direct or suggest that you should first raise any such request or complaint directly with the debit user (but we may suggest that you also contact the debit user).

Clause 21.1 does not apply to a payment service relating to a credit card account.

In response to these allegations, the CCMC conducted research and mystery shopping to assess banks compliance with their direct debit obligations. This is the third inquiry into banks compliance with their direct debit obligations since 2008.

The CCMC was disappointed with the results of its research. Fifty-four percent of all interactions with banks’ branches and contact centres indicated non-compliance with Code obligations. The CCMC has raised its concerns with each of the code subscribing banks, and with the ABA, and has asked for their input to rectify this long running issue.

The CCMC will be working with banks to improve policies and procedures and will regularly follow up banks activities to ensure compliance rates improve.

The CCMC will be releasing its report into banks compliance with direct debit obligations in late October 2017. A copy will be available on the CCMC website:

CCMC: Inquiry into banks compliance with their Internal Dispute Resolution (IDR) obligations
The CCMC will soon be carrying out an inquiry into banks compliance with their IDR obligations. Code clause 37 sets out banks obligations when handling disputes or customer expressions of dissatisfaction and is aligned with ASIC’s Regulatory Guide 165.

If you have any concerns about banks compliance with their internal dispute resolution obligations or would like to otherwise contribute to the CCMC’s inquiry, please contact the CCMC on

Customer Owned Banking Code Compliance Committee

Own motion inquiry into compliance with direct debit obligations
The own motion inquiry into Institutions’ compliance with the direct debit obligations in section 20.1 of the Customer Owned Banking Code of Practice (the Code) has been finalised and its findings have been published on the Committee’s website.

Under section 20.1 of the Code, Institutions are required to take and promptly process a request to cancel a direct debit. Institutions cannot direct or suggest that consumers first raise any such request or complaint directly with the merchant or service provider.

The ability for customers to cancel direct debits via their Institution is a powerful safeguard for customers, especially for those who are in financial difficulty. Failure for Institutions to accept or act on notice of a direct debit cancellation request may cause members who are already in financial trouble to be further impacted when fees are imposed on the account.

The outcome of previous inquiries in 2010 and 2012 were disappointing and did not meet the Committee’s expectations.

The 2017 inquiry found that while there appears to have been some improvement, compliance with the Code’s section 20.1 requirements is still patchy, and only a minority of institutions are achieving best practice performance. Given that direct debit cancellation has been a Committee focus for some time – and given that industry and consumer advocates alike recognise the issue – this finding is disappointing.

With the aim of identifying and promoting good industry practice, the Committee has made six recommendations for improvements to policy and procedures, customer information and compliance monitoring. 

A copy of the report can be downloaded here.

Own motion inquiry into compliance with privacy obligations
The next own motion inquiry undertaken by the Committee will assess institutions’ compliance with privacy obligations under Section D23 ‘Information privacy and security’ of the Code, including Key Promise 8 of the Code ‘We will comply with our legal and industry obligations’.

The Privacy Act 1988 (Privacy Act) is an Australian law which regulates the handling of personal information about individuals.

Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable.

The Privacy Act includes thirteen Australian Privacy Principles (APPs). The APPs set out standards, rights and obligations for the handling, holding, use, accessing and correction of personal information (including sensitive information). 

The Code requires institutions to comply with the Privacy Act and its Principles, as well as setting out additional obligations and raising awareness of security issues.

The inquiry will be undertaken in two parts - a series of telephone conferences to selected institutions as part of the Annual Compliance Statement (ACS) Verification Program and an online questionnaire to all institutions in November 2017.

The main purpose of this inquiry is to gather information to determine the causes for the high number of breaches regarding privacy obligations and highlight areas for improvement in current industry practice and performance. It is also intended to provide an insight into what compliance activities institutions undertake to rectify compliance issues, train staff accordingly and implement long-term strategies to embed compliance with privacy obligations in their company’s risk framework.

Annual Compliance Statement data
The data for the Annual Compliance Statement for the period 1 July 2016 to 30 June 2017 has been received and analysed. Key findings include:


  • Six self-reported significant breaches; down from 11 in 2015–16.
  • 1,216 self-reported Code breaches; up from 818 in 2015–16.
  • 76% of institutions reporting breaches; up from 67% in 2015-16 (One large, one medium, two small and 12 micro institutions self-reported nil breaches for 2016-17).

Areas of concern

  • 24% of breaches concern privacy obligations (according to Section D23 of the Customer Owned Banking Code of Practice); down from 30% in 2015-16.
  • 12% of breaches concern responsible lending practices (according to Section 6 of the Customer Owned Banking Code of Practice); up from 3% in 2015-16.
  • 11% of breaches concern compliance with legal obligations (according to Key Promise 8 of the Customer Owned Banking Code of Practice); down from 15% in 2015-16.
  • 11% of breaches concern the recognising of customers' rights as owners (Key Promise 7 of the Customer Owned Banking Code of Practice). This is a new area of concern; previously only one percent of breaches covered this issue.
  • Six percent of breaches concern delivery of high customer service standards (Key Promise 5 of the Customer Owned Banking Code of Practice); down from 20% in 2015-16.

Internal dispute resolution Complaints

  • 18,662 self-reported internal dispute resolution disputes; up from 14,100 in 2015-16.
  • 88% institutions self-reporting complaints; similar to 89% in 2015-16 (One large and seven micro institutions self-reported nil complaints for 2016-17).
  • 90% of complaints resolved within 21 days; similar to 93% 2015-16.

Stakeholder engagement
For the first time, we held a webinar to assist Code subscribers with the completion of the Annual Compliance Statement. This received very positive feedback from industry and improved the integrity of the subsequent breach and complaints data received.

The Committee’s Consumer Representative Carolyn Bond AO and Compliance Manager Daniela Kirchlinde presented on Code compliance matters and concerns at the Mutuals Audit & Governance Professionals Institute (MAGPI) Conference in Melbourne in August 2017.

Insurance Brokers

Annual Compliance Statement data
The data for the Annual Compliance Statement for the period 1 January 2016 to 31 December 2016 has been received and analysed. Key findings included:


  • 34 self-reported significant Code breaches; up from 11 in 2015.
  • 1,410 self-reported Code breaches; up from 862 in 2015.
  • 42% of organisations self-reported Code breaches; up from 32% in 2015.

Areas of concern

  • Legal obligations - 33% of self-reported Code breaches concern legal obligations (Service Standard 1), including six significant Code breaches.
  • Buying insurance - 23% of self-reported Code breaches concern providing insurance broking services (Service Standard 5 'buying insurance').
  • Professionalism - 17% of self-reported Code breaches concern professionalism (Service Standard 12), including eight significant Code breaches.


  • 1,026 self-reported IDR complaints; similar to 1,023 in 2015.
  • 54% of organisations self- reported IDR complaints; similar to 52% in 2015.
  • 78% of complaints resolved within 21 days; similar to 79% in 2015.
  • 21% of self-reported complaints involved small business policies.
  • 24% of self-reported complaints resolved by mutual agreement.

Insurance Brokers Code Compliance Committee Annual Review 2016-17
The Insurance Brokers Code Compliance Committee has published its Annual Review for the 2016-17 period.

A copy of the review can be downloaded here.

The Year at a Glance section on page five of the review sets out the Committee’s key achievements for the reporting year. The report finds that:

  • Self-reported Code breaches doubled, indicative of a growing culture of positive breach reporting among insurance brokers.
  • Reporting is inconsistent: two-thirds of insurance brokers self-reported no breaches and nearly half reported no complaints.
  • Insurance brokers need to review their compliance processes and reporting to ensure that they are a true reflection of performance.
  • 33% of self-reported breaches were for non-compliance with legal obligations, 23% concerned obligations to act ‘diligently, competently, fairly and with honesty and integrity’ and 17% concerned obligations to act professionally.
  • 15% of self-reported complaints were about service issues, including general feedback and improvement suggestions.
  • The Committee issued one determination on a Code breach and investigated four Code breaches, two of them significant.

Own Motion Inquiry ‘Competency and Professionalism’
The next own motion inquiry to be undertaken by the Committee will examine Code Subscribers’ understanding of ‘competency’ and ‘professionalism’ and how competency standards are achieved within their organisation.

Service Standard 5 of the Code is the cornerstone of good insurance broking practice: ‘We will discharge our duties diligently, competently, fairly and with honesty and integrity.’

Service Standard 8 of the Code requires an Insurance Broker in particular to ensure representatives receive adequate training to competently provide insurance broking advice: ‘We will ensure that we and our representatives are competent and adequately trained to provide the relevant services and will maintain this competence.’

Competency can be defined as a standardised requirement for an individual to perform a specific job properly. Competency standards are specifications of performance determined by an industry. They highlight the skills, knowledge, attitudes and behaviours, with the performance level required to operate effectively in a specific trade or profession.

Professionalism is the competence or skill expected of a professional. It describes the standards of education and training that prepare members of the profession with the particular knowledge and skills necessary to perform the role of that profession.

The success of an organisation depends on how competent their staff and representatives are. Formal education is necessary, but does not necessarily provide staff with all the appropriate skills required to provide services competently. Staff need to be trained to meet the particular standards identified by the organisation and the Code.

This is where competency-based training comes in. Competency-based training is developed around the competency standards that have been identified for a specific job. To be assessed as competent, a person must demonstrate the ability to perform the job’s specific tasks.

The inquiry will be undertaken via an online survey to all Code subscribing Insurance Brokers in November 2017. Code Subscribers will be asked to respond to a number of multiple choice and open text questions on competency and formal education and training.

Using the information from the survey, we will analyse the response of each Code Subscriber against organisations of a comparable size and develop guidelines for best practice.

Stakeholder engagement
The Committee published an article Tip of the Month 'The importance of record keeping’ in the Insurance Adviser August 2017 edition.

General Manager Sally Davis presented at the FOS Insurance Broker Forums in Sydney and Melbourne in August 2017 regarding Code issues.

The Committee’s Chairperson Michael Gill presented at the NIBA Convention in Sydney on 12 September 2017 as part of a panel discussion with ASIC and FOS.

The Committee used the newly developed industry liaison group to obtain valuable feedback on its compliance monitoring work.

General Insurance

General Insurance Industry Data Report 2016–17
Code Subscribers have submitted their industry data for the year ending 30 June 2017. We have begun collating the data into retail classes across several data sets. These include declined and withdrawn claims data, internal disputes data and workforce data.

We have asked Code Subscribers to ensure their data is accurate and to provide reasons for any observed data variation. At the same time, we also verify the integrity of the data. Ensuring the quality of the data year to year enables the General Insurance Code Governance Committee (the Committee) to:

  • reduce the need for additional enquiries to verify integrity and settle the data
  • adequately explain data variation
  • identify and discuss trends and areas of risk, and
  • provide useful and valuable information to all stakeholders.

Own Motion Inquiry into the sale of add-on insurance products
The Committee has endorsed a new own motion inquiry (OMI). The OMI will examine the current practices relating to the sale of Consumer Credit Insurance (CCI) and other add-on insurance products by Code Subscribers.

The OMI will enable the Committee to:

  • obtain a comprehensive picture of the sales channels and practices used by Code Subscribers, including sales channels that fall outside the scope of the Code
  • assess the level of compliance and identify areas that need improvement
  • provide recommendations to Code Subscribers about how to improve compliance and service standards to consumers, including whether additional education and training for employees and authorised representatives is required
  • potentially inform the Committee’s ability to provide feedback to the Code review that the Insurance Council of Australia is conducting, and
  • provide information to enable the Committee to conduct future monitoring.

The Committee is aware of the work that ASIC is conducting concerning the sale of CCI products through car dealers. This has been taken into account in scoping the OMI to ensure as far as possible that it does not duplicate ASIC’s work.

Desktop audits on internal complaints process
The Committee has also agreed to conduct a desktop audit into Code Subscribers’ internal complaints handling processes. A desktop audit requires a Code Subscriber to inform us about how it complies with the relevant Code standards and provide evidence to support its responses. We review the Code Subscriber’s responses and supporting evidence to assess whether its processes, procedures and systems facilitate its compliance.

If we identify gaps in compliance, we work with the Code Subscriber to address these, considering factors such as (but not limited to):

  • the extent of any consumer detriment
  • impact on cost, systems and resources, and
  • timelines for the implementation of corrective measures.

Life Code Compliance Committee

Transition to the Life Insurance Code of Practice (the Code)
Since 30 June 2017 22 organisations have transitioned to the Life Insurance Code of Practice.

The list of Code subscribers can be found on the FSC website:

The Life CCC
The members of the Life CCC are:

  • Professor David Weisbrot AM (Independent Committee Chair)
  • David Goodsall (Industry Representative)
  • Alexandra Kelly (Consumer Representative)

Activities of the Life CCC
Since the 1 July 2017, the Life CCC have:

  • Held two formal meetings
  • Approved FOS as the administrator of the Code
  • Considered its obligations under the Charter
  • Discussed various monitoring tools available to monitor compliance with the Code
  • Agreed on an annual work plan for 2017-18
  • Discussed the requirement to request and report on aggregated industry data
  • Developed branding
  • Engaged with stakeholders and Code subscribers

The Life CCC’s Annual Workplan includes the following key priorities for 2017–18:

  1. Develop the Life CCC’s secretariat and reporting functions.
  2. Initiate monitoring and enforcement of Code compliance and compliance investigations of alleged or possible Code breaches, in the context of the Code’s first year of operation.
  3. Liaison with Code Subscribers and provision of guidance to facilitate compliance with the Code.
  4. Consult with Code Subscribers, FSC and regulators in order to develop base-line data requirements for the Life CCC’s aggregated industry data report.
  5. Establish a stakeholder engagement framework to develop the value of referrals of Code issues from various sources such as consumer advocacy groups, external dispute resolution providers and regulators, to further inform the scope of compliance monitoring.
  6. Stakeholder engagement including presentations to highlight the work of the Life CCC and raise awareness of the Code.
  7. Publication of annual and interim reports.
  8. Consultation with the FSC in relation to its proposed review of the Code.

Ongoing self-monitoring of Code Compliance by subscribers
The Life CCC subscribers have completed a thorough gap analysis of the organisation’s internal practice and procedures against the requirements and sections of the Code leading up to 1 July 2017.

The Life CCC would like to highlight the good practice of ongoing Code compliance monitoring and process improvement, as well as implementing remedial action when non-compliance is identified.

The Life CCC encourages a culture of compliance monitoring, breach identification, assessment of the impact of the breach and implementation of remedial action, in order to elevate customer service standards.

The Life CCC is in the process of publishing Guidance Note No. 1 on Reporting of Non-Compliance by subscribers to the Life Code Compliance Committee.