Code breach classifications

We encourage a positive culture of self-reporting in the customer owned banking industry through our Annual Compliance Statement program.

This program enables participating credit unions, mutual banks and mutual building societies to self-report breaches of the Customer Owned Banking Code of Practice.


We classify these breaches into the following categories:

1. Breaches

A breach is defined as a failure to comply with the obligations of the Code in providing a service.

2. Significant breaches

A significant breach of Code obligations is determined on a case-by-case basis by taking into account the:

  • number of customers affected or likely to be affected
  • actual or potential loss experienced by consumers arising from the breach
  • adequacy of a Code Subscriber’s arrangements to ensure compliance with the Code
  • duration of time over which the breach occurred
  • number and duration of similar breaches
  • actions to remedy the breach and the costs incurred
  • impact on the breach of the Code Subscriber’s ability to provide services, and
  • extent to which the breach indicates the Code Subscriber’s arrangements for compliance with the Code are inadequate.

We also take into account the:

  • Australian Securities and Investments Commission’s Regulatory Guideline 78 – Breach Reporting by AFS Licensees
  • Australian Standard AS 3806 2006 – Compliance Programs, and
  • Section 912D of the Corporations Act 2001.

By definition, significant breaches have the most impact on customers.

3. Serious breaches

A serious breach is non-compliance with the Code that is considered to be fraudulent, grossly negligent or wilful. It may also include instances where a Code Subscriber has not remedied the conduct or errors that led to the breach, or wilfully ignores or fails to act on our Determination or undertaking related to a previously self-reported significant and/or systemic breach.

A serious breach will always also be considered significant.

4. Systemic breaches

A systemic breach is non-compliance that has implications beyond the immediate actions and parties affected by the non-compliance with the Code.

Systemic breaches are those which have affected or are likely to affect more than one person. It is likely to involve a process, policy or technological issue within the Code Subscriber’s operations.

A systemic breach may or may not be also considered significant.

Remedying breaches

We work with Code Subscribers to remedy Code breaches, and if necessary, implement a range of actions to enforce compliance with the Code.

Find out more

Fact Sheet: Classification of non-compliance (PDF, 1 MB, one page)

Back to the top