Issue 34 - August 2018

An update from the Code Compliance and Monitoring Team

The Code team is a separately operated and funded business unit of the Financial Ombudsman Service (FOS) Australia. We support independent committees to monitor compliance with codes of practice in the Australian financial services industry to achieve service standards people can trust. You can read more about who we are and what we do here.

We support these committees:

  • The Banking Code Compliance Monitoring Committee
  • Customer Owned Banking Code Compliance Committee
  • Insurance Brokers Code Compliance Committee
  • General Insurance Code Governance Committee
  • Life Code Compliance Committee


Banking Code Compliance Monitoring Committee (CCMC)

Inquiry into banks’ compliance with direct debit obligations 

On 28 June 2018, the CCMC published the report of its inquiry into banks’ reporting of Code breaches.

The CCMC had identified inconsistencies in how banks record and report Code breaches and undertook the inquiry to better understand banks’ data and to improve its data collection strategy. The inquiry investigated breaches previously reported in the 2016-17 Annual Compliance Statement (ACS), the CCMC’s core data collection tool.

The report outlines the CCMC’s key findings, and sets out its expectations of banks for monitoring Code compliance and reporting breaches.

In summary, the CCMC expects banks will:

  • always provide accurate and complete data in response to requests for information
  • use breach data to identify patterns and develop systems and system controls to prevent repeated human errors
  • use information about breaches caused by human error to review the effectiveness of staff training
  • fully investigate how each breach has affected customers
  • remediate customers appropriately, and record and report all corrective actions
  • test systems regularly and comprehensively, wherever they rely on systems to fulfil their obligations to customers.

The CCMC has provided feedback individually to banks to ensure the consistency and quality of breach reporting in the ACS is of the highest possible standard.

The CCMC will report outcomes from the 2017-18 ACS in its next Annual Report, due in November 2018.


Financial Difficulty Inquiry

The CCMC is currently conducting an inquiry into the Code’s financial difficulty obligations. It covers compliance with the 2013 Code as well as a ‘transitional inquiry’ to account for revised Code provisions.

The CCMC expects the revised Banking Code to expand the financial difficulty provisions of the current Code and introduce a strong focus on vulnerable customers. In anticipation of the revised Code, the CCMC is starting to help banks with their transition.

Through this Inquiry, the CCMC will assess current levels of compliance with the 2013 Code, while also gathering information to provide guidance to banks on best practice principles. The Inquiry will:

  • assess, benchmark, and report on banks’ level of compliance with clause 28 of the 2013 Code
  • share examples of good practice with the industry and community
  • assess the adequacy of banks’ financial difficulty frameworks and provide guidance about alterations required to meet the revised Code obligations relating to financial difficulty
  • develop guidance for the industry on best practice principles when working with customers to overcome financial difficulty.

The CCMC plans to publish its findings by September 2018.

If you have information to contribute to the inquiry, please contact the CCMC’s Compliance Manager, Donna Stevens:


Annual Compliance Statement (ACS)

The CCMC has asked banks to complete the 2017–18 Annual Compliance Statement (ACS). Following on from the breach reporting inquiry, banks are also being asked to provide a detailed breakdown of Code compliance data to enable the CCMC to fully explore trends and emerging issues.

The CCMC consulted with banks in April this year on the development of the ACS, and will continue this engagement in coming months to understand banks’ challenges when completing it.

The outcomes of the ACS program, including any emerging risks and identified good industry practice, will be discussed with key stakeholders directly and published in the CCMC’s Annual Report for 2017-18.


Code of Banking Practice development 

On 31 July 2018, the Australian Securities and Investments Commission (ASIC) together with the Australian Banking Association (ABA) announced ASIC’s approval of the new Banking Code of Practice.

In its media release, the CCMC – now renamed the Banking Code Compliance Committee (BCCC) – acknowledged ASIC’s approval of the new Code. It also welcomed its wider remit to monitor banks’ practices and enforce compliance with the Code.

The new Code gives the BCCC increased sanctioning powers and a greater ability to obtain breach data from banks. The CCMC will work with the ABA on the transition of code monitoring arrangements prior to commencement of the Code.

The new Code will come into effect on 1 July 2019.

Customer Owned Banks (COBCCC)

Own motion inquiry into compliance with privacy obligations

The COBCCC finalised a review of customer owned banking institutions’ compliance with privacy obligations under Section D23 and Key Promise 8 of the Customer Owned Banking Code of Practice (the Code). You can read the June 2018 report here.

As Australia moves towards implementing open banking, privacy and data security compliance will become both more complex to manage and more important. In this context, the inquiry addressed the institutions’ concerningly high level of non-compliance with existing privacy obligations in the Code.

The inquiry confirmed that all institutions have a comprehensive privacy policy that is accessible to customers. However, although all institutions also have training processes in place, the frequency of breaches caused by human processing error indicates that institutions need to do more to keep privacy requirements front-of-mind for staff. Most institutions review their privacy compliance at least once every two years, but it appears these reviews could be more comprehensive.

As a result of the findings of this inquiry, the COBCCC has made 26 recommendations (see page 5 of the report) and developed a privacy compliance checklist (see page 30 of the report).  


2018 Annual Compliance Statement

Each year the Annual Compliance Statement (ACS) program is a central component of the COBCCC’s monitoring work. The 2018 ACS program was developed with a selection of Code subscribers and the Customer Owned Banking Association (COBA).

The ACS asks for information about institutions’ Code compliance frameworks, including breach and complaints reporting and monitoring, as well as institutions’ overall culture of compliance and examples of good practice.

This year, the ACS also includes questions about compliance with obligations under section D13 (Direct Debit) and D20 (Third party products) of the Code. These sections have been identified by the COBCCC as areas of concern and will form the basis of own motion inquiries scheduled for 2018-19.

For the first time, the 2018 ACS is also requesting detailed information for each self-reported breach.

To ensure the quality and consistency of the data, each Code subscriber has been called in the lead up to the ACS to discuss and clarify any issues they may have. Data collected through the ACS program will be aggregated, de-identified, analysed for trends and patterns, and reported in the COBCCC’s Annual Compliance Report in December 2018.


Three-part miniseries – Lessons from the 2017 Annual Compliance Statement Verification Program

Each year, the COBCCC holds in-depth compliance discussions with a sample of institutions for the Annual Compliance Statement Verification Program. This gives the COBCCC valuable insights into institutions’ day-to-day management of their Code compliance obligations. These insights can inform best practice for institutions and improvements to the COBCCC’s own compliance monitoring activities.

Twenty-four institutions participated in the ACS Verification Program, including all large institutions (over $1b assets), all institutions that reported a privacy breach in their 2016-17 ACS, and a sample of micro, small and medium institutions.

The COBCCC issued three papers containing insights from the ACS Verification Program:

Part 1 Managing Privacy Compliance (published 18 May 2018) includes good practice examples:

  • Actively engaging staff in training
    One micro institution learned that although staff signed a confirmation statement after completing training, they weren’t very engaged with the training. To encourage more active engagement, the institution created a follow-up 10-question quiz with questions that are reviewed and updated annually. The institution reports that this tool has helped staff to engage more in the training and remember what they have learned.
  • Reaching more staff with compliance monitoring
    One large institution conducted a compliance monitoring exercise in which a case study or scenario would be read out over the phone, followed by questions testing the staff member’s knowledge of compliance issues. Staff were selected for telephone surveys based on key risk areas, previous breaches or other data, and the exercise reached three or four people each month. Recently, the institution expanded this monitoring exercise with email quizzes. Some quizzes are mandatory and others are voluntary, but there are incentives to participate. With this approach, the compliance team reached a larger and more diverse group, engaging around 200 staff.

Part 2 Better breach reporting (published 25 May 2018) includes good practice examples:

  • Flagging potential Code breaches
    When logging a complaint, it is now mandatory for staff at one large institution to consider, using a scale of likelihood, whether the complaint has a potential regulatory impact. If something is flagged, the legal and compliance team assesses whether the incident involves a Code breach. The institution now also has a dedicated data analyst in its consumer advocacy team to analyse the complaints and breach data.
  • Improving the incident management system
    One large institution implemented a new incident management system. All incidents – not only those related to licence and regulatory obligations – are assessed against the ten key promises and the provisions of the Code. In the year following implementation, this change led to a large increase in recorded Code incidents, up from 100 to 300.

Part 3 Better complaint reporting (published 1 June 2018):

  • Documenting all complaints
    All staff at this micro institution are encouraged to document even the simplest complaints. Management can therefore check that the resolutions were appropriate and identify any emerging issues and trends. Any such matters are discussed as part of a fortnightly feedback and learning process.
  • Simplifying complaint recording 
    One large institution has introduced a simplified process for recording, managing, monitoring and reporting complaints. IT made a number of categorisation changes in the drop-down menu of its complaints register, and staff can now record a complaint in a matter of a few clicks. The institution is looking at how it can simplify further by merging its enterprise risk management system with its customer service system to create a single core operating system.

Insurance Brokers (IBCCC)

Own Motion Inquiry ‘Competency and Professionalism’

The IBCCC undertook the inquiry to better understand how insurance brokers think about competency and achieve it within their organisations, given recent breaches of the Code’s training standards and the focus on professionalism in financial services.

Some 280 organisations responded to the inquiry’s multiple choice and open text questions, representing more than 15,000 staff in client-facing, management and support roles.

The inquiry found that formal education provides a solid foundation for professional practice but alone does not give staff the skills, knowledge and behaviours needed to provide services competently. Staff needed to supplement their educational qualifications with on-the-job support and experience to develop the required competencies.

Organisations said detailed knowledge – of products, systems, specific industries and rules (including legislation and codes) – was an integral part of competency for insurance brokers. Such knowledge was gained through a combination of formal education, training and on-the-job experience.

Many organisations said they consider positive attitudes and behaviour, such as client focus, commitment to quality, respect and empathy, to be as important as the knowledge and ability to undertake tasks.

The inquiry found that insurance brokers typically understood competency as referring to a person’s skills, knowledge, attitudes, behaviours, qualifications and training.

The inquiry found that:

  • file audits, client feedback and claims outcomes are generally used to monitor staff competency
  • in 96% of organisations, all client-facing staff were qualified to advise on more complex Tier 1 products such as life insurance and sickness and accident insurance, but about 1 in 20 organisations had some client-facing staff with neither Tier 1 nor Tier 2 qualifications.

The vast majority of Code subscribers demonstrated a commitment to professionalism through competency frameworks and staff training requirements. To maintain and further develop competency and professionalism and build client and community trust, the IBCCC recommended that Code subscribers:

  • incorporate the Code into their company structure and strategy
  • develop and communicate a common organisational understanding of competency focused on meeting client expectations
  • treat competency-based training as being as important as educational qualifications
  • train all staff in Code obligations.

The final report will be published in August 2018.


Annual Compliance Statement (ACS) 2017 – preliminary findings

The ACS program is a central component of the IBCCC’s work to assess Code subscribers’ compliance with the Insurance Brokers Code of Practice.

The ACS asks for information about Code compliance frameworks and breach and complaints reporting and monitoring, as well as an organisation’s overall culture of compliance and examples of good practice.

The IBCCC has made several amendments to the document following feedback and consultation with the industry liaison group and the National Insurance Brokers Association (NIBA).

An additional section was included to assess whether organisations implemented the recommendations issued by the IBCCC following its own motion inquiry into internal dispute resolution processes. This has been identified by the IBCCC as an area of concern and will form the basis of a follow-up own motion inquiry scheduled for 2018-19.

ACS data forms part of the IBCCC Annual Review 2017-18, which was published on 20 August 2018.

Here are some of the key findings:

  • In 2017, Code subscribers self-reported 1,359 breaches of the Code, slightly fewer than the 1,410 breaches reported in 2016. Significant breaches decreased more markedly, down from 34 to 17 in 2017.
    (One Code subscriber reported 9,355 individual Code breaches of Service Standard 5. Based on the operating system, all renewals not invoiced within 14 days are recorded as a breach. This has been counted as one breach in the report.)
  • 59% of Code subscribers self-reported nil Code breaches and 43% self-reported nil complaints. This raises concerns about the accuracy of self-reported breach and complaints data and the effectiveness of the recording and monitoring processes insurance brokers have in place.
  • 52% of Code breaches relate to Service Standard 5, ‘Buying insurance’, including failure to issue renewal of policies within 14 days.
  • 23% of Code breaches relate to Service Standard 1, ‘We will comply with the law’, including the failure to comply with privacy and licensing obligations.
  • In 2017, Code subscribers received 1,047 complaints that were handled via their internal dispute resolution processes – only slightly more than the 1,026 in 2016.
  • The two main products involved in internal dispute resolution are small business (20%) and home building (16%).
  • 58% of complaints relate to service issues, including claims service (32%).
  • 61% of complaints are resolved within 21 days, down from 78% in 2016.

General Insurance Code Governance Committee (GICGC)

Inquiry and report into the sale of add-on insurance products

On 20 June 2018, the Committee published a report, Who is selling insurance?, which reveals the extent of general insurance products sold as add-on insurance and the central role of external sellers, who account for the vast majority (97%) of sales. The report was the result of the Committee’s inquiry into the sale of add-on insurance products, and drew on data provided by the 23 Code subscribers selling this insurance in the September 2017 quarter, as well as input from consumer advocates.

Add-on insurance products are typically sold to consumers when their main focus is on acquiring a primary product or service such as a credit card, car, loan or airline tickets, or when renting a car or apartment. In these circumstances, consumers’ attention is focused on buying or arranging the primary product, and the acquisition of an insurance product is incidental.

The Committee found more than half a million add-on insurance products were sold in a single quarter (July-September) in 2017, suggesting that the total annual sales could be 2 million products a year. The inquiry revealed that the range of add-on insurance products was much wider than previously known, and identified 28 types of general insurance products sold in this way by Code subscribers. The most commonly sold of the 28 add-on insurance products are travel insurance and ticket event or cancellation insurance, which accounted for two-thirds (65%) of add-on insurance sales, followed by customer credit insurance (12% of sales). 

The Committee made 22 recommendations for improving how add-on insurance is sold by Code subscribers. Although the Code does not apply to all add-on insurance sales by external sellers, the Committee believes there is much that Code subscribers could do to increase the protections available to consumers when add-on insurance products are sold to them. Its recommendations cover oversight of external sellers, education and training, compliance frameworks, service level agreements, monitoring, feedback, complaints and data collection. 

You can read a copy of the report here.


Desktop audit examining internal complaints processes

Subscribers have now submitted their responses and supporting evidence describing how they comply with the Code’s internal complaints handling obligations, and whether they have identified any non-compliance. We will work with relevant subscribers to resolve any compliance gaps we identify after assessing the submissions. The CGC expects to publish a report on the findings of the desktop audit, including any recommendations to enhance the relevant standards and/or improve subscribers’ compliance, by 31 December 2018.

Life Code Compliance Committee (LCCC)

These are some of the things the Life CCC did during the June quarter:

  • held two Life CCC meetings and a Strategy session
  • prepared the Work Plan and Budget for 2018-19
  • launched the Life Annual Data and Compliance Programme (due back from subscribers on 24 August 2018)
  • investigated and issued decisions on referred Code breach allegations
  • assessed and made decisions on subscribers’ self-reported non-compliance
  • engaged with subscribers and other stakeholders
  • attended the Financial Services Council Life Board Committee and presented our Proposed Work Plan and Budget for 2018-19
  • submitted suggested Code changes or improvements to the FSC, in accordance with clause 2.1(j) of the Life CCC Charter
  • started preparing its inaugural Annual Report, to be published on 1 October 2018.

At its strategy meeting on 27 April 2018, the Life CCC agreed on this purpose statement:

The purpose of the Life Code Compliance Committee is to support the Code objectives of high customer service standards to increase trust and confidence in the life insurance industry.

In accordance with our Charter, we will:

  1. Monitor, enforce and report on Code compliance.
  2. Work collaboratively to improve Code standards and promote industry best practice.