The treatment of customers experiencing vulnerability by financial services institutions and other service providers has been a growing focus of regulators and consumer advocacy groups in the last few years. This has now been reinforced by the publication of a new international standard on consumer vulnerability, ISO 22458. In updating the Customer Owned Banking Code of Practice, the Customer Owned Banking Association (COBA) has included specific obligations for the treatment of different types of vulnerability that may be experienced by customers. The new Code comes into effect on 31 October 2022 and will replace the 2018 Code, which does not specifically refer to vulnerability.
This data report supplements three key publications covering the same reporting period – the Annual Report, individualised Benchmark Reports, and ‘Learning by Example’ Report.
The Report contains the inquiry’s findings regarding how Code subscribers manage customer loans with CCI cover attached to them, as well as how those subscribers who provide referrals to CCI providers ensure they manage the process appropriately and in line with their Code obligations.
The Report outlines the Committee’s observations about compliance with obligations set out in the Customer Owned Banking Code of Practice (the Code) during a year marked by devastating natural disasters and global pandemic. It also provides important recommendations and shares useful examples of better practice.
Privacy and data security are among the foremost concerns for consumers and, with recent government moves to update and strengthen privacy laws, it is essential that financial institutions manage and protect customer information appropriately.
The Customer Owned Banking Code of Practice (the Code) requires subscribers to comply with the Privacy Act 1988 and the Australian Privacy Principles. With the increasing importance and complexity of these issues, compliance in these areas is critical.
Poor privacy compliance by customer owned banking institutions led the independent Customer Owned Banking Code Compliance Committee (the Committee) that monitors the Code to hold a 2018 Own Motion Inquiry (OMI). This resulted in the creation of a comprehensive privacy compliance checklist and a list of recommendations aimed at improving privacy and data security. A rise in reported privacy-related Code breaches since then prompted the Committee to conduct a follow-up inquiry to determine how subscribers manage privacy and whether they had implemented the OMI recommendations or checklist.
Scrutiny of add-on insurance products by consumers, regulators and government has increased recently, with a particular focus on the sale of consumer credit insurance (CCI). Insurers and third-party sellers have been criticised for offering poor-quality products, pressure selling and selling to consumers who were unaware they were consenting to purchase CCI.
In light of these concerns, the Customer Owned Banking Code Compliance Committee conducted an Own Motion Inquiry (inquiry) into the sale of CCI by Customer Owned Banking Code of Practice subscribers. The Committee’s aim was to establish whether and how Code subscribers sell CCI and other add-on insurance products, and to examine their compliance with related Code obligations in particular the obligation to ensure that add-on insurance products are useful, reliable and of value to consumers.
To assist Code subscribers, various Code compliance recommendations are included throughout the report, as well as the applicable recommendations from ASIC’s Report 256 on CCI for reference.
Compliance with the Code by subscribers in selling CCI will be reviewed by inclusion of relevant questions in the next ACS.
Non-compliance with this important obligation has been a long-standing concern of the Committee. The Committee first highlighted the issue in 2010, while follow-up research in 2012 and 2017 revealed that compliance had improved only slightly. Non-compliance remains an ongoing issue.
In light of these trends, the Committee has conducted additional follow-up research. This research included shadow shopping, a review of institutions’ websites and a compliance questionnaire. The questionnaire was included with the 2018 Annual Compliance Statement (ACS) and assessed the impact and implementation of the Committee’s previous recommendations.
Non-compliance remains unacceptable high.
As Australia moves towards implementing open banking, privacy and data security compliance will become both increasingly complex to manage and more vitally important.
In this context, this inquiry addressed the institutions’ high level of non-compliance with existing privacy obligations in the Code which is cause for concern.
The inquiry confirmed that all institutions have a comprehensive privacy policy that is accessible to customers. However, although all institutions also have training processes in place, the frequency of breaches caused by human processing error indicates that institutions need to do more to keep privacy requirements front-of-mind for staff. Most institutions review their privacy compliance at least once every two years, although it appears that these reviews could be more comprehensive.
As a result of the findings of this inquiry, the Committee has made 26 recommendations (see page 5 of the report) and developed a privacy compliance checklist (see page 30 of the report).
See our archive for inquiry reports published before 2012.