Every year, the Customer Owned Banking Code Compliance Committee (COBCCC) seeks data about complaints and breaches of the Customer Owned Banking Code of Practice (the Code) from subscribers. At its best, this self-reported information should reflect robust compliance frameworks and a culture that regards breach and complaint reporting as triggers for ongoing improvement.

The COBCCC has published a selection of self-reported Code breaches from the 2021 Annual Compliance Statement Program here.

About the Report

Each self-reported Code breach is a miniature case study full of useful information and lessons. How was it detected? What caused it? How was it remediated short-term? What action was taken long-term to address wider implications and/or a potential systemic or process issue? Processes require ongoing maintenance – we hope these real-life examples help Code subscribers consider where work might be needed in institutions and which solutions might suit.


The anonymised breach examples used in this Report were not investigated by the COBCCC, and their inclusion is not a comment on the adequacy of any remediation. The examples might, or might not, represent wider industry issues. While many instances were chosen randomly, some priority was given to breaches with a high financial impact or affecting the greatest number of customers and also to examples that contained a high quality of information and/or demonstrated consideration, analysis and/or rectification by the customer owned banking institution.

Learning by example

The COBCCC urges all subscribers to use the examples in the Report to spark discussions about areas that could be improved. While the examples deal with specific cases, we would like to draw your attention to a few broader points:

  • Consider all potential sources of breach data, rather than relying too heavily, or exclusively, on complaint and incident registers. Breaches can be identified through audits (targeted internal audits, spot check audits by managers, and internal and external audits); reviews of policies, procedures and products; monitoring and quality assurance; and third-party feedback.
  • Institutions should record all complaints, including dissatisfaction with a third party’s product or service (these can provide useful information about arrangements with that party). A culture and framework that support complaint reporting are essential, as are staff training and communication.
  • Privacy protections are important, yet breaches were common – and mostly attributed to human error or a failure to follow procedures. In many cases, they were reported as being isolated incidents requiring no broader remediation. Such breaches flag the need for ongoing and refresher training, as well as routine alerts and reminders for staff. Privacy breaches involving a system error show that regular system checks and testing are essential.
  • When privacy is breached, affected clients should be advised and, to maintain trust, this advice should state how the breach was rectified.