COBCCC OMI Vulnerability Report June 2022 – The Report presents findings drawn from an inquiry into how Code subscribers approach vulnerability and deal with issues concerning domestic and family violence and elder abuse. June 2022 (PDF, 828KB, 50 pages)

The treatment of customers experiencing vulnerability by financial services institutions and other service providers has been a growing focus of regulators and consumer advocacy groups in the last few years. This has now been reinforced by the publication of a new international standard on consumer vulnerability, ISO 22458. In updating the Customer Owned Banking Code of Practice, the Customer Owned Banking Association (COBA) has included specific obligations for the treatment of different types of vulnerability that may be experienced by customers. The new Code comes into effect on 31 October 2022 and will replace the 2018 Code, which does not specifically refer to vulnerability.

Annual Data Report 2020-21 – The report presents findings drawn from breach and complaints data self-reported in the 2021 Annual Compliance Statements and from detailed discussions with all Code subscribers, including insights, recommendations and examples of good practice. March 2022 (PDF, 1,585KB, 69 pages)

This data report supplements three key publications covering the same reporting period – the Annual Report, individualised Benchmark Reports, and ‘Learning by Example’ Report.


Follow-Up Inquiry into consumer credit insurance – A follow-up inquiry into consumer credit insurance (CCI) has shown that, while customer owned banking institutions have stopped selling add-on CCI, they still have a duty to their customers when it comes to managing loans with active policies and providing referrals to insurance providers. June 2021 (PDF, 630KB, 25 pages)

The Report contains the inquiry’s findings regarding how Code subscribers manage customer loans with CCI cover attached to them, as well as how those subscribers who provide referrals to CCI providers ensure they manage the process appropriately and in line with their Code obligations.

Annual Data Verification Report 2019-20 – This Report is an addition to the summary data published in the Committee’s Annual Report in December 2020. It contains analysis of the self-reported data collected in the 2019–20 Annual Compliance Statement (ACS) and of the Committee’s subsequent in-depth discussions with 25 subscribing customer owned banking institutions. May 2021 (PDF, 745KB, 33 pages)

The Report outlines the Committee’s observations about compliance with obligations set out in the Customer Owned Banking Code of Practice (the Code) during a year marked by devastating natural disasters and a global pandemic. It also provides important recommendations and shares useful examples of better practice.


Compliance with privacy obligations follow-up inquiry outcomes – Follow-up inquiry into how Code subscribers applied recommendations issued by the Committee to improve compliance with privacy obligations under Section D23 and Key Promise 8 of the Code, June 2020 (PDF, 739KB, 40 pages)

Privacy and data security are among the foremost concerns for consumers and, with recent government moves to update and strengthen privacy laws, it is essential that financial institutions manage and protect customer information appropriately.

The Customer Owned Banking Code of Practice (the Code) requires subscribers to comply with the Privacy Act 1988 and the Australian Privacy Principles. With the increasing importance and complexity of these issues, compliance in these areas is critical.

Poor privacy compliance by customer owned banking institutions led the independent Customer Owned Banking Code Compliance Committee (the Committee) that monitors the Code to hold a 2018 Own Motion Inquiry (OMI). This resulted in the creation of a comprehensive privacy compliance checklist and a list of recommendations aimed at improving privacy and data security. A rise in reported privacy-related Code breaches since then prompted the Committee to conduct a follow-up inquiry to determine how subscribers manage privacy and whether they had implemented the OMI recommendations or checklist.


Consumer Credit Insurance Own Motion Inquiry – Sale of consumer credit insurance by customer owned banking Code subscribers, September 2019 (PDF, 712KB, 33 pages)

Scrutiny of add-on insurance products by consumers, regulators and government has increased recently, with a particular focus on the sale of consumer credit insurance (CCI). Insurers and third-party sellers have been criticised for offering poor-quality products, pressure selling and selling to consumers who were unaware they were consenting to purchase CCI.

In light of these concerns, the Customer Owned Banking Code Compliance Committee conducted an Own Motion Inquiry (inquiry) into the sale of CCI by Customer Owned Banking Code of Practice subscribers. The Committee’s aim was to establish whether and how Code subscribers sell CCI and other add-on insurance products, and to examine their compliance with related Code obligations, in particular the obligation to ensure that add-on insurance products are useful, reliable and of value to consumers.

To assist Code subscribers, various Code compliance recommendations are included throughout the report, as well as the applicable recommendations from ASIC’s Report 256 on CCI for reference.
Compliance with the Code by subscribers in selling CCI will be reviewed by inclusion of relevant questions in the next ACS.

Direct Debit Second Follow Up Own Motion Inquiry – additional follow up research concerning compliance with direct debit cancellation obligations under Section D20.1 of the Customer Owned Banking Code of Practice, March 2019 (PDF, 936KB, 28 pages)

Non-compliance with this important obligation has been a long-standing concern of the Committee. The Committee first highlighted the issue in 2010, while follow-up research in 2012 and 2017 revealed that compliance had improved only slightly. Non-compliance remains an ongoing issue.

In light of these trends, the Committee has conducted additional follow-up research. This research included shadow shopping, a review of institutions’ websites and a compliance questionnaire. The questionnaire was included with the 2018 Annual Compliance Statement (ACS) and assessed the impact and implementation of the Committee’s previous recommendations.

Non-compliance remains unacceptably high.


Privacy Own Motion Inquiry – a review of customer owned banking institutions’ compliance with privacy obligations under Section D23 and Key Promise 8 of the Customer Owned Banking Code of Practice, June 2018 (PDF, 1,078KB, 55 pages)

As Australia moves towards implementing open banking, privacy and data security compliance will become both increasingly complex to manage and more vitally important.

In this context, this inquiry addressed the institutions’ high level of non-compliance with existing privacy obligations in the Code, which is cause for concern.

The inquiry confirmed that all institutions have a comprehensive privacy policy that is accessible to customers. However, although all institutions also have training processes in place, the frequency of breaches caused by human processing error indicates that institutions need to do more to keep privacy requirements front-of-mind for staff. Most institutions review their privacy compliance at least once every two years, although it appears that these reviews could be more comprehensive.

As a result of the findings of this inquiry, the Committee has made 26 recommendations (see page 5 of the report) and developed a privacy compliance checklist (see page 30 of the report).


See our archive for inquiry reports published before 2012.
