The Australian Banking Association has rejected a recommendation that the Banking Code Compliance Committee have the power to compel banks to publish details of their compliance breaches on their websites.
The ABA released its response to a review of the BCCC on Friday, saying it accepted eight of the nine review recommendations within its remit, including a recommendation that banks be named in BCCC reports.
But its embrace of greater transparency did not extend to a recommendation that the BCCC should have the power to compel a signatory bank that has been named by the BCCC to publish the fact of its naming on its website, with information about the cause and impact of a breach and its corrective action.
The ABA said the recommendation “does not align with the code’s status of self-regulation or the BCCC’s role in monitoring (but not enforcement) of code compliance.”
Consultant Cameron Ralph Khoury reviewed the BCCC last year and released its report last December. It made 19 recommendations – 10 of which are within the remit of the BCCC and all of which are being addressed.
Among the other recommendations within its remit, the ABA has agreed that:
• the BCCC’s charter will be amended to describe the committee’s role as both monitoring code compliance and promoting best practice code implementation;
• the BCCC will be given power to require a bank to undertake a compliance review of any rectification action if the BCCC considers the seriousness of the breach warrants it;
• the BCCC’s power to report serious or systemic non-compliance to ASIC will be extended so it is not limited to situation where the non-compliance is ongoing; and
• the BCCC will have a referral power to the Australian Financial Complaints Authority, where it finds non-compliance that warrants customer remediation.
Speaking at a BCCC Forum last week, ABA chief executive Anna Bligh said the move to naming banks in breach reports would be dependent on the ABA being satisfied that that BCCC’s breach reporting was “consistent”.
Bligh asked, as a hypothetical, whether a breach impacting 10,000 customers was a single breach or 10,000 breaches.
This was a curious question to raise, since the BCCC’s Breach Identification and Reporting Guidance Note makes clear that “where an incident results in multiple breaches of the same type, this is to be counted as one breach of the relevant code chapter or obligation”.
Among the recommendations within the BCCC’s remit, Cameron Ralph Khoury said it should revitalise its small business and agribusiness panel, improve the speed of reporting and adopt a continuous improvement approach to data collection.