Information about the 2022 Annual Compliance Statement (ACS)
2022 ACS Documents
Please click on the below links to access:
- the sample copy of the 2022 ACS Sample
- the 2022 ACS Information Document, and
- the 2022 Breach Data Detail Report.
Your organisation has received an individual email with the link and password for portal access.
2022 ACS Live Webinar
To watch a recording of the 2022 ACS Live Webinar click here
ACS Frequently Asked Questions
The ACS is due by 31 March 2023.
Contact us early to discuss it. We believe there is sufficient time to complete the ACS by the due date, given it has been available since December 2022, but we acknowledge that sometimes things happen that cause issues and delays.
If there is a good reason you cannot complete it by the due date, please contact us at [email protected] as soon as you can. Do not leave it to the last minute.
Yes, all Code subscribers must complete the ACS.
The IDR Data Reporting Handbook is available on ASIC’s website.
Part D of the Annual Compliance Statement asks for information about complaints. The categorisation for complaints has been aligned to ASIC’s Data Reporting requirements published in March 2022.
Following discussions with Steadfast we confirm the CCX360 system aligns with the IBCCC’s Breach Data Detail Report.
If you have any queries about using the CCX360 system, please contact [email protected].
Whether resolution of a breach was immediate or drawn out, it was a breach. As such, you must report it.
Your staff, including agents and representatives, must report a breach or potential breach of the Code to your relevant compliance department within five days of discovery (Section 8.2(a)(iv)(B) of the 2022 Code).
Reporting Code breaches has a range of benefits, both to the organisation and the industry.
It helps identify compliance risks, trends and issues. It allows us to understand the nature of breaches and offer targeted guidance and examples to help subscribers improve.
Along with information about the resolution, it can help other brokers with their practices.
Use the Breach Data Report to track the incident and the steps to remedy the breach, including short-term and long-term actions.
The 2014 and 2022 Codes are different.
When reporting a breach, consider when the breach occurred and whether it relates more clearly to a specific section in one of the Codes.
We encourage you to use your discretion when considering breaches of both the 2014 and 2022 Codes.
If the 2022 Code has a clearer obligation, but the breach occurred before 1 November 2022, it is fine to report it against the 2022 Code.
The 2014 Code does not have specific Service Standard for issuing renewal notices. But it can be considered a breach of:
- Service Standard 1 (compliance with law)
- Service Standard 4 (covered services), or
- Service Standard 5.1 (buying insurance).
We note that before the 2022 Code, there was no consistent approach for reporting renewal notices issued late.
We recommend reporting this breach against Section 7.2(a) of the 2022 Code (policy renewal). But make note in the comments that the conduct occurred before 1 November 2022.
It depends on the root cause.
Identify what the root cause of the breach is. Was it one broker who sent the renewal notices late to multiple clients because of a manual error?
If it was, this would be considered one Code breach that affected multiple clients.
If the root cause for each breach varies, record them as breaches with separate root causes. Each root cause will likely result in different remediation.
This depends on the circumstances.
First, it is important to remember the obligations in the Code and to always act in the best interests of the client.
If you have not done everything you can to get in touch with the client and help facilitate a renewal, there may be a breach.
Here are two examples:
You call a client one week before their policy expires to start the renewal process.
When you call the client, they are unable to confirm or verify information and advise you they will get back to you.
You rely on the client to give you the information when they have it.
Despite you contacting the client every day, they do not get back to you with the information you need until after the policy has expired.
You finally get the information and secure the renewal, but it is over a week late.
This is a breach of the Code because, although you were waiting on the client to give you necessary information, you did not contact him at least 14 days before the renewal expired to begin the process.
A client holds a home construction policy with you. It is a single term non-renewable contract expiring on 28 February.
Two weeks before the expiry, on 14 February, your system prompts you to send the client a form to extend the policy. But because this is a single term non-renewable contract, you decide to wait a few days to see whether the client will ask for an extension.
By 20 February, you still have not heard from the client, so you email them the form.
On 7 March, after the policy had lapsed, the client asks you to make a claim for storm damage to their property. The claim was denied.
This is a breach of the Code because you should have sought instruction from the client sooner about an extension of their policy and should have made greater effort to get in contact with them.
In the 2014 Code, privacy breaches were commonly reported against Service Standard 1 (compliance with law) and breaches of money handling were reported against Service Standard 7 (money handling).
The 2022 Code captures breaches concerning privacy and money handling in Section 3.1(b)(ii) under Code Principles. This requires compliance with all relevant laws and obligations.
The Code Principles underpin all interactions with clients and should be embedded into a company culture and reporting framework.
The 2022 Code is designed to go beyond base legal obligations. Breaches of legal requirements fall under the reporting requirements to other regulatory bodies (such as Office of the Australian Information Commissioner – OAIC, Australian Securities and Investments Commission – ASIC, Australian Prudential Regulation Authority – APRA).
We try to avoid duplicating such reporting obligations.
However, if a breach of the law has occurred and the root cause is for example a training error, report it under Section 8.1 of the 2022 Code.
NIBA has published a guide on Identifying and Supporting Vulnerable Clients. This covers obligations under Section 10.0 of the 2022 Code.
We support NIBA’s view that there will be different responsibilities for supporting vulnerable clients depending on the size of the organisation and its available resources.
All staff, regardless of their position in an organisation, should receive the required training on supporting clients experiencing vulnerability.
We encourage partnerships with community organisations or providers who can offer support to clients experiencing vulnerability. A list of support services is available on page 6 of NIBA’s guide.