The Customer Owned Banking Code Compliance Committee has released its Annual Compliance Report 2017-18.

The Chair observed that “the central purpose of a code of practice is to support a culture of trust in accordance with community expectations and to ensure fair and enforceable self-regulation. It should impose accountability and responsibility on the boards and executives who determine the culture and operations of a business. It should streamline regulations and bring transparency and accountability to the conduct of institutions…Training is critical, as is creating a culture of compliance, and whistle-blowing when necessary.”

The Customer Owned Banking Association has scheduled a review of the Code in 2019.

The Report highlights four areas for improvement:

Direct debit cancellation obligations
Online information for customers about direct debit cancellations is identified as a particular concern. Some websites used wording that was unclear or, in one case, incorrect and non-compliant. Some provide no information at all; others contain information that is difficult to find with keyword searches.

Privacy
The Committee’s inquiry found that all subscriber institutions have a comprehensive privacy policy accessible to customers. All provide training, but the number of Code breaches caused by human processing error shows that staff need to be made more aware of privacy obligations. While most institutions review their privacy compliance at least once every two years, the inquiry revealed that these reviews could be more comprehensive.

Identification of breaches
The Committee recommends an incident management system by which all incidents – not only those related to licence and regulatory obligations – are assessed against the Code’s key promises and provisions.

Management of complaints
The Committee recommends a simplified process for recording, managing, monitoring and reporting complaints. It suggests documenting even the simplest of complaints and using a scale of likelihood to see if they have a potential regulatory impact. If flagged as such, the legal and compliance team should assess the incident to determine whether it involves a Code breach. Complaints and breach data should be analysed.