Code breaches and complaints should prompt subscribers to seek out root causes and act to prevent similar instances. Here, we share examples of good practice found in the latest ACS.
Consumer expectations evolve, laws change, mergers occur, IT systems are updated, products develop, and staff come, go and move. Mistakes and problems in this ever-changing industry are inevitable but, when responded to meaningfully, Code breaches and complaints should drive improvements that lead to better practice and greater consumer trust.
Every year, the Insurance Brokers Code Compliance Committee (the Committee) seeks data about complaints and breaches of the Insurance Brokers Code of Practice (the Code) from subscribers. At its best, this self-reported information should reflect robust compliance frameworks and a culture that regards breach and complaint reporting as triggers for ongoing improvement.
What do the examples demonstrate?
- The subscribers involved had multiple systems in place for detecting breaches.
- They routinely analyse breach and complaint data to identify the root cause (and the main Service Standard breached).
- Most importantly, they had addressed underlying issues as well as fixing the problem in each case.
- However, some of the 1,700-plus instances reported in the 2020 Annual Compliance Statement (ACS) were mis-categorised by Service Standard and showed little evidence of rectification beyond an immediate fix such as an apology or reimbursement.
The Committee urges all subscribers to use the examples below to spark discussions about areas that could be improved and to consider whether any of the long-term remediation could be of value to you. While the examples deal with specific cases, the Committee draws your attention to a few broader points:
- Consider all potential sources of breach data, rather than relying too heavily, or exclusively, on complaint and incident registers. Breaches can be identified through audits (targeted internal audits, spot check audits by managers, and internal and external audits); reviews of policies, procedures and products; monitoring and quality assurance; and third-party feedback.
- Institutions should record all complaints, including dissatisfaction with a third party’s product or service (these can provide useful information about arrangements with that party). A culture and framework that supports complaint reporting is essential, as are staff training and communication.
- Privacy protections are important, yet breaches were common – and mostly attributed to human error or a failure to follow procedures. In many cases, they were reported as being isolated incidents requiring no broader remediation. Such breaches flag the need for ongoing and refresher training, as well as routine alerts and reminders for staff. Privacy breaches involving a system error show that regular system checks and testing are essential.
- When privacy is breached, affected clients should be advised and, to maintain trust, this advice should state how the breach was rectified.
Breach examples from the 2020 ACS by Service Standard
St1 Legal standards
- A business failed to notify ASIC that an ASIC responsible manager had resigned, and a replacement was not appointed within the acceptable time period. Mergers and subsequent retrenchments had left the business with staff who had not dealt with ASIC and did not know the procedures. Training was provided to the new compliance person on ASIC requirements.
- An external review found that a broking firm was ignoring trust distributions when calculating the Required Cash Position for RG166, which should be based on expected cash outflows rather than just expenses. A template managing this was implemented within a month.
- A call audit found that three domestic insurance clients were improperly given advice by a Tier 2 employee. The employee had not correctly understood the definition of “advice”. The clients were re-advised by a Tier 1 employee and training documents were rewritten for clarity.
- A client reported that they had been sent renewal documents for another client. The incorrect email address was attached to the account but, as the IT system didn’t show who last changed details, investigators were unable to determine whether it was a data migration issue or a manual error by the client management team or industry team. Apologies for the breach of privacy were issued to both clients and the IT system has been amended to ensure that any changes to client details are noted.
St3 Who we act for
- Over several months, renewal invoices sent to 211 clients under a Binder arrangement were missing the disclosure that the broker was acting on the insurer’s behalf rather than the client’s for particular transactions. The clients were given the missing disclosure and another copy of the Financial Services Guide (FSG) with the relevant points highlighted. Staff training followed, and procedures were adjusted to ensure no binders are commenced without written instruction from the compliance manager. The IT system has been updated to automate the disclosure. ASIC was notified.
- A firm’s broking manager noticed that its Facebook page showed the incorrect cluster group membership. It was corrected immediately and procedures for updating Facebook were amended.
St4 Scope of covered services
- Errors in a coverage summary were identified during a file audit and attributed to system error in a new online system. Staff were urged via email and in staff meetings to be vigilant when checking documentation generated by the system.
- A documentation review found that the ‘Important Notices’ information supplied with all invoices had not been updated at the same time as the FSG, resulting in conflicting information about the commission range and the relationship to its parent company. ‘Important Notices’ now forms part of the quarterly review of the FSG.
- An account manager did not think a Statement of Advice (SOA) needed to be completed as the client was a relative. This breach was detected in an internal randomised, monthly process and procedural failures audit. The conditions for issuing an SOA were discussed, training followed, and the importance of internal compliance paperwork raised at the annual performance review.
- Incorrect or missing FSG and/or Product Disclosure Statements were identified in 12 instances through file reviews, periodic compliance and/or portfolio transfers. A new admin support process was implemented in response. Significant improvements have been observed and ongoing monitoring continues.
St5 Buying insurance
- A complaint and subsequent file reviews showed that five clients had been given incorrect renewal terms by an Authorised Representative (AR), with schedule discrepancies between the insurer offer and client documentation. The AR was required to pay for any premium adjustments and had their authorisation with the licensee revoked. The licensee instigated monthly external client file reviews to be completed on all staff and ARs.
- A client asked to suspend their insurance due to COVID, but a Cyber Policy that should have stayed in place was also cancelled. The broker did not tell the client there might be issues with lack of cover if this policy was cancelled. When a cyber claim was made, there was no cover in place. The client received an apology and the firm implemented training on the possible issues that could still occur while a business is not trading.
- At renewal time, it was discovered that the client had never paid their premium. This had not been adequately followed up, and formal cancellation notices had not been sent. As credit control processes were not followed, the insurer had not been notified of non-payment, and its instructions were not obtained. The firm has tightened its credit control management and provided additional training on handling instances of non-payment by clients.
St5 Claims handling
- A client complained via email about communication issues with the claims team and delays in making claims. The broker account manager called the client to apologise, the divisional manager was notified, and the rest of the management team informed. Additional resources were made available to allow for improved claims-related response times.
- A communication breakdown between a client and a new staff member who failed to follow procedure led to debt collectors being appointed by the insurer. Procedures have been reviewed and amended and training has been implemented.
- A client called a complaints line 13 times, left a post on social media and sent an email via the complaints inbox in an attempt to seek help with a damages claim and to complain about his payout. His file was reviewed, and the total amount claimed was paid. A full review of the claims handling process by the responsible team was conducted and measures put in place for more effective and transparent service.
St5 Acting for insurer
- A special premium deal offered to specific clients under a facility binder agreement was not provided. The error occurred because the special premium deals were not applied by the online quote system. The broker reissued the policies to three impacted clients with the special deal applied. The IT fault was identified and fixed, and further monitoring of the system is applied to ensure no further recurrence.
St6 Remuneration
- A failure to provide income details on retail renewals was identified during a regular compliance training session, affecting an estimated 100 clients. Procedures were updated immediately, and relevant staff training updated. Regular training and file checks are now occurring.
- A broker fee was incorrectly charged as a Special Fee. This was identified when processing the insurer payment. The client was advised and additional training was provided to staff.
- An annual compliance review found that the FSG had not been updated to show an increase in commission. The increase had no impact on premiums charged to clients. The online FSG was updated immediately, relevant procedures amended, and administration urged to be more vigilant about amendments to key forms.
St7 Money handling
- A broker failed to action a client’s request to cancel a policy in a timely manner, which affected the client’s premium funding contract. The client complained to the Australian Financial Complaints Authority, which found in favour of the complainant and ordered a refund of the full premium amount of around $2,300, plus interest. Procedures were amended in response.
- The amount in the trust account briefly fell below the correct level when a new ‘Dual Authority’ security system resulted in small delays in the processing of payments. The funds were returned, and internal checks adjusted and tightened. A payments spreadsheet for daily use has been developed and implemented and all users access the new spreadsheet to calculate the balance in the Trust after payments. Daily reconciliation of the trust will show procedures are being followed.
- An external compliance audit found that financial statements did not show that trust balances and premiums receivable are not an asset of the business, but of the insurer. Procedures were revised and changed, and the matter discussed with the accountant to correct the particulars.
St8 Training
- A custom report on the brokers’ computer system showed that 20 retail policies had been incorrectly flagged by staff as wholesale policies. Procedures were revised and updated, and all staff trained on the correct way to identify policies.
- An external compliance audit revealed that there were no qualification certificates, induction, or police checks on file for a new employee. Since then, a review of procedures has seen the implementation of a new employee policy and the establishment of an onboarding procedure manual.
St10 Dispute resolution
- A broking firm realised its compliance team had not been notified about a complaint in line with its Internal Dispute Resolution process. Training was provided about the need to inform compliance about all complaints immediately, or as soon as practicable. A reminder is issued and discussed at regular meetings.
St11 Promotion of Code
- An Annual Compliance Statement review revealed that a broker’s website contained no information about the Insurance Brokers Code of Practice, nor about IDR and EDR processes. The information was due to be included in a website redesign, the roll out of which was delayed by the COVID-19 pandemic. The existing website has been updated and IDR/EDR and Code information have been added to marketing procedures and checklists.
St12 Professionalism
- A client file audit showed that when a client did not pay premiums within the insurer credit terms, the account manager failed to follow debtor control procedures. Some insurers issued cancellation instructions, leaving the client uninsured and unaware the policies had been cancelled. During remedial action, the account manager discovered the client was experiencing financial hardship. Insurers offering relief were contacted and assisted the client who, in the end, funded the policies. The account manager was reprimanded because if processes had been followed, the client could have been offered assistance much earlier.
- A review of outstanding payments during a staff meeting led to the discovery that a representative had failed to follow up payments from six clients and had mislabelled tasks on the system to hide her mistakes. The cover-up prevented the licensee from identifying the issues in its monthly compliance reviews. The representative resigned. The Licensee has expanded its regular audit program to include a review of cancelled policies while random client reviews are done monthly. Policies requiring a third follow-up for payment must have relevant correspondence copied to the direct manager, who is also to be copied in on all cancellation correspondence.
- An insurer informed a branch manager that for four years one of its brokers had been bypassing proper channels to secure a discount on premiums by guessing a six-digit authorisation code – sometimes making 50 attempts. Discounts should have been sought via an underwriter who would assess the risks and supply a code for approved policies. The broker reviewed the files of the 30 clients impacted to see how remedial action would affect them and notified ASIC. The insurer amended its code system.