Privacy and data security are among the foremost concerns for consumers and, with recent government moves to update and strengthen privacy laws, it is essential that financial institutions manage and protect customer information appropriately.
The Customer Owned Banking Code of Practice (the Code) requires subscribers to comply with the Privacy Act 1988 and the Australian Privacy Principles. With the increasing importance and complexity of these issues, compliance in these areas is critical.
Poor privacy compliance by customer owned banking institutions led the independent Customer Owned Banking Code Compliance Committee (the Committee), which monitors the Code, to hold a 2018 Own Motion Inquiry (OMI). This resulted in a comprehensive privacy compliance checklist and a list of recommendations aimed at improving privacy and data security. A rise in reported privacy-related Code breaches since then prompted the Committee to conduct a follow-up inquiry to determine how subscribers manage privacy and whether they had implemented the OMI recommendations or checklist.
Scrutiny of add-on insurance products by consumers, regulators and government has increased recently, with a particular focus on the sale of consumer credit insurance (CCI). Insurers and third-party sellers have been criticised for offering poor-quality products, pressure selling and selling to consumers who were unaware they were consenting to purchase CCI.
In light of these concerns, the Customer Owned Banking Code Compliance Committee conducted an Own Motion Inquiry (inquiry) into the sale of CCI by Customer Owned Banking Code of Practice subscribers. The Committee’s aim was to establish whether and how Code subscribers sell CCI and other add-on insurance products, and to examine their compliance with related Code obligations, in particular the obligation to ensure that add-on insurance products are useful, reliable and of value to consumers.
To assist Code subscribers, various Code compliance recommendations are included throughout the report, as well as the applicable recommendations from ASIC’s Report 256 on CCI for reference.
Subscribers’ compliance with the Code when selling CCI will be reviewed through relevant questions included in the next Annual Compliance Statement (ACS).
Non-compliance with this important obligation has been a long-standing concern of the Committee. The Committee first highlighted the issue in 2010, while follow-up research in 2012 and 2017 revealed that compliance had improved only slightly. Non-compliance remains an ongoing issue.
In light of these trends, the Committee has conducted additional follow-up research. This research included shadow shopping, a review of institutions’ websites and a compliance questionnaire. The questionnaire was included with the 2018 Annual Compliance Statement (ACS) and assessed the impact and implementation of the Committee’s previous recommendations.
Non-compliance remains unacceptably high.
As Australia moves towards implementing open banking, privacy and data security compliance will become both increasingly complex to manage and more vitally important.
Against this background, the inquiry addressed institutions’ high level of non-compliance with the Code’s existing privacy obligations, which is a cause for concern.
The inquiry confirmed that all institutions have a comprehensive privacy policy that is accessible to customers. However, although all institutions also have training processes in place, the frequency of breaches caused by human processing error indicates that institutions need to do more to keep privacy requirements front-of-mind for staff. Most institutions review their privacy compliance at least once every two years, although it appears that these reviews could be more comprehensive.
As a result of the findings of this inquiry, the Committee has made 26 recommendations (see page 5 of the report) and developed a privacy compliance checklist (see page 30 of the report).
This inquiry follows two previous Committee inquiries into the same Code obligation, conducted in 2010 and 2012. Under section D20.1, an institution must stop a direct debit arrangement linked to a member’s transaction account on the member’s request, and must do so promptly.
This inquiry developed a better understanding of how subscribing institutions have adopted the recommendations following the Committee’s 2012 inquiry and whether compliance in this area has improved.
This inquiry confirmed that, while there appears to have been some improvement, compliance with section D20.1 remains patchy and only a minority of subscribing institutions are achieving best practice standards. As a result of the findings of this inquiry, the Committee has made six recommendations for improvements to policy and procedures, customer information and compliance monitoring.
Some of the key findings include:
This inquiry developed a better understanding of how institutions manage this obligation, the identification and promotion of good business practices for engaging with communities and the assessment of the effectiveness of institutions’ impact on the wider community. It benchmarks current industry practice and makes recommendations for good industry practice based on the data collected.
The inquiry confirmed that the customer owned banking sector is community focused, reflecting its history and the culture and frameworks that underpin its dealing with customers.
Some of the key findings include:
This inquiry examined whether customer owned banking institutions are meeting their obligations to help their customers in financial difficulty. We found that
We recommended that Code Subscribers review their processes to ensure that the individual circumstances of all customers in financial difficulty are considered and that repayment arrangements are tailored to meet the individual’s situation.
This inquiry examined whether customer owned banks are complying with their Code obligations to adequately train staff, agents and representatives in the Code’s requirements.
We found that while most Code Subscribers have embedded Code training in their learning and development programs, the training content, method and frequency vary depending on the Code Subscriber’s size.
We also found that some Code Subscribers need to improve their monitoring and supervision frameworks to ensure that their staff apply Code obligations in daily operations.
This inquiry examined compliance with Section 20.1 of the Code (2007 version). This section requires Code Subscribers to stop or cancel a direct debit facility linked to a member’s transaction account promptly on request by that member.
Some 70% of the disclosure documents we reviewed gave members correct information about the cancellation process, in line with Code obligations. However, our shadow shopping exercise showed no change or improvement in the verbal advice provided by Code Subscribers since our previous inquiry in 2011.
See our archive for inquiry reports published before 2012.