Annual Compliance Statement Verification Program
As we explained in the last edition of The FOS Circular, we recently held telephone conferences with 24 Code subscribers. The institutions were chosen based on the reporting of significant breaches and a high volume of privacy breaches and/or complaints, and included all institutions with over $1b in assets.
The level of engagement in the verification program was generally positive and, as in previous years, provided valuable insights into institutions’ day-to-day management of their Code compliance obligations. This year’s examination of information privacy and security obligations also provided unique insights into the management of this substantial compliance area. It highlighted the challenges institutions face, including detailed identification and recording of breaches and IDR complaints.
Own motion inquiry into compliance with privacy obligations
The Code reiterates and extends institutions’ Privacy Act obligations, which are set out in Australia’s key privacy legislation, the Privacy Act 1988 (Cwlth), and include thirteen Australian Privacy Principles.
The Committee recognised there was a high and increasing level of non-compliance with privacy obligations which needed in-depth investigation. To better understand the root causes of non-compliance and to highlight areas for improvement, the Committee determined it was important to conduct an Own Motion Inquiry. With the Inquiry, the Committee wanted to gain an insight into how institutions train staff, rectify non-compliance and implement long-term strategies to embed compliance with privacy obligations in their company’s risk framework.
The Inquiry was undertaken in two parts:
- a series of telephone conferences with selected institutions as part of the Annual Compliance Statement Verification Program, and
- an online questionnaire to all institutions.
The Inquiry was delayed due to institutions providing late responses to the questionnaire.
The findings are currently being reviewed and will be published in May 2018.
Case study: safeguards for co-borrowers
The customer owned banking institution accepted a customer as a co-borrower when the institution was aware, or ought to have been aware, that the customer would not receive a benefit from the loan.
These parts of the Customer Owned Banking Code of Practice (the Code) are relevant to this matter:
- Key Promise 8: we will comply with our legal and industry obligations.
- Part D section 11.1: Safeguards for co-borrowers.
Financial Ombudsman Service (FOS) Australia considered this matter and issued a determination.
In its reasoning, the determination considered and referred to Part D section 11.1 of the Code and held that the institution was not entitled to accept the customer as a co-borrower. The loan application information available to the institution showed that the customer would not obtain a benefit from the majority of the loan funds.
The common law position in relation to what constitutes a benefit under a loan is that a benefit must be a real, or tangible, benefit which must be a direct or immediate gain, not an implied benefit. A benefit through an improved lifestyle obtained through the loan is not sufficient. Common law principles provide that where a person receives a limited benefit from a loan, their liability will be restricted to those loan funds from which they received a direct benefit.
By accepting the customer as a co-borrower when it should not have, the institution breached its obligation at common law and, by extension, breached Part D section 11.1 of the Code.
Notice of proposed determination
Pursuant to the Customer Owned Banking Compliance Committee Charter, the Committee must adopt the findings made in the FOS determination.
Part C of the Code sets out the Key Promises a Code subscriber makes to a customer. These promises reflect the spirit of the Code and embody the principles and values held by Code subscribers towards their customers and the broader community.
As legal obligations include obligations at common law, the Committee considered that by breaching Part D section 11.1 of the Code, the institution also breached Key Promise 8 of the Code.
The Committee issued a notice of proposed determination saying that the institution failed to comply with Key Promise 8 and Part D section 11.1 of the Code as, in breach of the common law, it accepted a customer as a co-borrower while the institution was aware, or ought to have been aware, that the customer would not receive a benefit from the loan.
The institution accepted the Committee’s proposed notice of determination and acknowledged:
- breach of obligations under Key Promise 8 and Part D 11.1 of the Code
- reporting the breach in its Annual Compliance Statement
- arranging staff training, including refresher training in this area, and
- reviewing and amending its Credit Risk (Lending) Policy.
The matter was closed.
Institutions need to undertake effective due diligence procedures to ensure a borrower or co-borrower is only accepted if it can be demonstrated that a real, substantial benefit (direct or immediate gain) is obtained by the borrower.