Compliance with privacy obligations follow-up inquiry outcomes – Follow-up inquiry into how Code subscribers applied recommendations issued by the Committee to improve compliance with privacy obligations under Section D23 and Key Promise 8 of the Code, June 2020 (PDF, 739KB, 40 pages)

Privacy and data security are among the foremost concerns for consumers and, with recent government moves to update and strengthen privacy laws, it is essential that financial institutions manage and protect customer information appropriately.

The Customer Owned Banking Code of Practice (the Code) requires subscribers to comply with the Privacy Act 1988 and the Australian Privacy Principles. With the increasing importance and complexity of these issues, compliance in these areas is critical.

Poor privacy compliance by customer owned banking institutions led the independent Customer Owned Banking Code Compliance Committee (the Committee) that monitors the Code to hold a 2018 Own Motion Inquiry (OMI). This resulted in the creation of a comprehensive privacy compliance checklist and a list of recommendations aimed at improving privacy and data security. A rise in reported privacy-related Code breaches since then prompted the Committee to conduct a follow-up inquiry to determine how subscribers manage privacy and whether they had implemented the OMI recommendations or checklist.


Consumer Credit Insurance Own Motion Inquiry – Sale of consumer credit insurance by customer owned banking Code subscribers, September 2019 (PDF, 712KB, 33 pages)

Scrutiny of add-on insurance products by consumers, regulators and government has increased recently, with a particular focus on the sale of consumer credit insurance (CCI). Insurers and third-party sellers have been criticised for offering poor-quality products, pressure selling and selling to consumers who were unaware they were consenting to purchase CCI.

In light of these concerns, the Customer Owned Banking Code Compliance Committee conducted an Own Motion Inquiry (inquiry) into the sale of CCI by Customer Owned Banking Code of Practice subscribers. The Committee’s aim was to establish whether and how Code subscribers sell CCI and other add-on insurance products, and to examine their compliance with related Code obligations, in particular the obligation to ensure that add-on insurance products are useful, reliable and of value to consumers.

To assist Code subscribers, various Code compliance recommendations are included throughout the report, as well as the applicable recommendations from ASIC’s Report 256 on CCI for reference.
Compliance with the Code by subscribers in selling CCI will be reviewed by inclusion of relevant questions in the next ACS.

Direct Debit Second Follow Up Own Motion Inquiry – additional follow up research concerning compliance with direct debit cancellation obligations under Section D20.1 of the Customer Owned Banking Code of Practice, March 2019 (PDF, 936KB, 28 pages)

Non-compliance with this important obligation has been a long-standing concern of the Committee. The Committee first highlighted the issue in 2010, while follow-up research in 2012 and 2017 revealed that compliance had improved only slightly. Non-compliance remains an ongoing issue.

In light of these trends, the Committee has conducted additional follow-up research. This research included shadow shopping, a review of institutions’ websites and a compliance questionnaire. The questionnaire was included with the 2018 Annual Compliance Statement (ACS) and assessed the impact and implementation of the Committee’s previous recommendations.

Non-compliance remains unacceptably high.


Privacy Own Motion Inquiry – a review of customer owned banking institutions’ compliance with privacy obligations under Section D23 and Key Promise 8 of the Customer Owned Banking Code of Practice, June 2018 (PDF, 1,078KB, 55 pages)

As Australia moves towards implementing open banking, privacy and data security compliance will become both increasingly complex to manage and more vitally important.

In this context, this inquiry addressed the institutions’ high level of non-compliance with existing privacy obligations in the Code, which is cause for concern.

The inquiry confirmed that all institutions have a comprehensive privacy policy that is accessible to customers. However, although all institutions also have training processes in place, the frequency of breaches caused by human processing error indicates that institutions need to do more to keep privacy requirements front-of-mind for staff. Most institutions review their privacy compliance at least once every two years, although it appears that these reviews could be more comprehensive.

As a result of the findings of this inquiry, the Committee has made 26 recommendations (see page 5 of the report) and developed a privacy compliance checklist (see page 30 of the report).


Direct Debit Follow Up Own Motion Inquiry – an inquiry into compliance with section D20.1 of the Code to stop a direct debit arrangement linked to a member’s transaction account upon the member’s request – and to do so promptly, September 2017 (PDF, 438KB, 22 pages)

This inquiry follows two previous Committee inquiries dealing with the same Code obligation conducted in 2010 and 2012. Under section D20.1, an institution is required to stop a direct debit arrangement linked to a member’s transaction account upon the member’s request – and to do so promptly.

This inquiry developed a better understanding of how subscribing institutions have adopted the recommendations following the Committee’s 2012 inquiry and whether compliance in this area has improved.

This inquiry confirmed that, while there appears to have been some improvement, compliance with section D20.1 remains patchy and only a minority of subscribing institutions are achieving best practice standards. As a result of the findings of this inquiry, the Committee has made six recommendations for improvements to policy and procedures, customer information and compliance monitoring.

Some of the key findings include:

  • Subscribing institutions appear to have a range of procedural approaches to direct debit cancellation in place. While only a minority of institutions measure processing times for direct debit cancellation requests, all stated that these cancellations are processed promptly and typically on the same day.
  • An audit of 17 large institutions’ website information indicated that there are still problems with the written advice provided to customers online. One third of the institutions included in the audit still used wording that was either unclear or, in one case, incorrect and non-compliant. These results suggest no improvement since 2012.
  • Most institutions are lagging behind best practice with regard to the availability and accessibility of online information about direct debit cancellation. Some institutions do not provide such information and, where they do, it is rarely easily discoverable via keyword searches.
  • 52% of institutions have conducted a compliance review using the Committee’s 2012 Compliance Checklist. For most of these institutions, the review was a valuable process that highlighted compliance problems or best practice improvements to be made.

Community Engagement Own Motion Inquiry – an inquiry into Key Promise 9 of the Code which reflects the customer owned banking sector’s commitment to serving both its communities and its customers, January 2017 (PDF, 491KB, 23 pages)

This inquiry sought to develop a better understanding of how institutions manage this obligation, to identify and promote good business practices for engaging with communities, and to assess the effectiveness of institutions’ impact on the wider community. It benchmarks current industry practice and makes recommendations for good industry practice based on the data collected.

The inquiry confirmed that the customer owned banking sector is community focused, reflecting its history and the culture and frameworks that underpin its dealing with customers.

Some of the key findings include:

  1. Many institutions reported that they engage with over 100 different community groups on an annual and ongoing basis.
  2. Over 50% of institutions engage with communities on a weekly or monthly basis.
  3. 73% of institutions spent more than $20,000 on community engagement activities including 19% of the largest institutions that spent over $500,000 during the 2014-15 period.
  4. Philanthropic or voluntary community engagement, where the engagement does not provide direct benefit to the institution, is widespread.
  5. Community engagement brings benefits to both communities and institutions – increasing community trust and cohesion.


Financial Difficulty Own Motion Inquiry – Examining Customer Owned Banking Institutions’ compliance with section 24 of the Customer Owned Banking Code of Practice: “If you are in financial difficulty”, December 2014 (PDF, 527 KB, 28 pages)

This inquiry examined whether customer owned banking institutions are meeting their obligations to help their customers in financial difficulty. We found that:

  • Code Subscribers are willing to work with their customers to help them with their financial difficulties.
  • Most are meeting their training commitments and monitoring compliance with their Code obligations.
  • More than two thirds of financial counsellors agreed that on balance Code Subscribers’ financial hardship arrangements sometimes result in fair, reasonable and appropriate outcomes for their clients.

We recommended that Code Subscribers review their processes to ensure that the individual circumstances of all customers in financial difficulty are considered and that repayment arrangements are tailored to meet the individual’s situation.


Review of Mutuals’ Compliance with their Code Training Obligations (in relation to Key Promises 5 and 10, and Part E, Section 2 of the Code), September 2012 (PDF, 309 KB, 23 pages)

This inquiry examined whether customer owned banks are complying with their Code obligations to adequately train staff, agents and representatives in the Code’s requirements.

We found that while most Code Subscribers have embedded Code training in their learning and development programs, the training content, method and frequency vary depending on the Code Subscriber’s size.

We also found that some Code Subscribers need to improve their monitoring and supervision frameworks to ensure that their staff apply Code obligations in daily operations.

Mutual Banking Code of Practice: Stopping a Direct Debit Arrangement, June 2012 (PDF, 290 KB, 20 pages)

This inquiry examined compliance with Section 20.1 of the Code (2007 version). This section requires Code Subscribers to stop or cancel a direct debit facility linked to a member’s transaction account promptly on request by that member.

Some 70% of disclosure documents we reviewed provided correct information about the cancellation process to members, in line with Code obligations. However, our shadow shopping exercise showed no change or improvement in the verbal advice provided by Code Subscribers since our previous inquiry in 2011.


See our archive for inquiry reports published before 2012.