The Insurance Brokers Code Compliance Committee’s 2025 Annual Data Report is excellent work. The IBCCC has done something genuinely valuable: created a standardised, transparent annual snapshot of Code compliance across 414 brokers, measuring 5,417 breaches, 3,133 complaints, and client impact across the entire sector. This kind of data transparency is rare in financial services regulation and essential for industry improvement.
The report’s findings are solid. Renewal timeframes remain the biggest compliance challenge, accounting for 50% of breaches. Communication failures are rising. The insight on “reporting zero” brokers - where five out of six subsequently reported breaches - is particularly valuable because it prompts the right questions about detection maturity.
But the IBCCC report captures something important: one lens on a much wider compliance picture. Building on their excellent work, here’s what we’re observing from inside broker systems that adds important texture to the headline findings.
Source: IBCCC 2025 Annual Data Report, Snapshot, p. 03 (PDF page 5).
The Incident-to-Breach Ratio: What Good Compliance Actually Looks Like
The IBCCC’s annual reporting gives us Code breach data. What it can’t measure - because it’s not designed to - is the full incident lifecycle.
We work inside broker compliance systems daily. Here’s what we observe: a well-run insurance broker picks up an incident or potential breach roughly every month. For brokers working primarily with retail clients, it’s more frequent.
But most of those incidents don’t become reportable breaches.
Why? Because they’re caught early, managed, and remediated before client detriment occurs. A renewal notice is sent four days late, but the client calls before expiry and the broker catches it. A terms of engagement is missing, but it’s issued and signed before any service is provided. A claims file note is incomplete, but clarification happens within the IDR timeframe.
This is what good compliance looks like: high incident identification, low breach rates.
The IBCCC’s data helps validate this. Larger brokers with mature systems tend to report more breaches, not fewer - because they’re finding more. This is counterintuitive but correct. Detection capability drives reported breach volume. Better systems = higher reported breaches, not worse compliance.
Source: IBCCC 2025 Annual Data Report, Graph 2: Percentage of brokers reporting breaches over five years, p. 08 (PDF page 10).
The Scope Picture: IBCCC Data + The Broader Framework
The IBCCC report measures Code breaches with precision. What it appropriately doesn’t measure - because it’s outside their charter - is the broader compliance universe brokers navigate.
Brokers operate simultaneously under:
· Privacy Act 1988: data handling, disclosure, retention
· Corporations Act / ASIC Regulatory Guides (RG 271, RG 165, RG 234): product design, financial services law, advertising standards
· Claims handling obligations: timeliness, fairness, transparency
· Internal risk frameworks: underwriting limits, delegated authority, exposure management
A broker might have zero Code breaches but face significant privacy risks. They might have a systemic failure in their risk system that creates Corporations Act exposure but doesn’t fit Code section 5.2(a). They might fall short of ASIC’s new RG 234 advertising standards without technically breaching the Code.
The IBCCC report is rightly focused on their remit. But the full compliance landscape is broader. Brokers managing Code compliance excellently - as the IBCCC data increasingly shows - also need visibility across the entire framework. The IBCCC report is one essential piece. It’s not the whole picture, but it’s a critical one.
Source: IBCCC 2025 Annual Data Report, Table 2: Most breached Code commitments, p. 09 (PDF page 11).
The Reporting Reality: What the IBCCC Captures
The IBCCC data is based on what brokers self-report in their Annual Compliance Statements. This is appropriate and necessary. But it means the report captures breaches that brokers have identified, assessed, and logged according to their own systems and judgement.
This is actually a strength - it reflects real-world broker compliance processes. But it also means the data reflects detection capability as much as actual compliance performance.
What we’re seeing is that brokers with mature detection infrastructure report more breaches. Brokers with fragmented systems, decentralised responsibility, and reactive detection report fewer. The IBCCC appropriately can’t standardise detection methodology across 414 different firms - that’s not their role. But it means reported breach volume correlates with detection maturity, not just compliance performance.
The IBCCC’s insight on the “reporting zero” brokers is valuable precisely because it highlights this: five out of six Category A/B brokers that reported zero in 2024 subsequently reported breaches in 2025. This suggests that detection infrastructure improvements between reporting periods surfaced previously unidentified issues. That’s positive - it shows brokers improving their systems.
Source: IBCCC 2025 Annual Data Report, Spotlight: Reporting zero remains a priority issue, p. 07 (PDF page 9).
When reported breach volume depends so heavily on what brokers can detect, compliance teams need more than annual reporting — they need real-time visibility into incidents, obligations and emerging risks.
See how Curium helps brokers strengthen detection maturity and manage compliance with greater confidence.
Large Firms and Detection Maturity
The IBCCC’s data shows some variation in breach reporting by firm size. This makes sense. Large brokers managing millions of policies, operating across multiple states, and handling hundreds of claims annually will naturally surface more incidents.
What we observe is that large brokers vary significantly in detection capability:
· Mature large firms have integrated systems, centralised compliance oversight, and continuous monitoring. They report more breaches because they find more.
· Fragmented large firms have siloed systems - renewals in one platform, claims in another - decentralised compliance responsibility, and episodic audits. They report fewer breaches because they miss more.
The IBCCC report captures the outcome without measuring the underlying detection infrastructure. This is appropriate for their role. But it suggests that the variation in reported breaches across large firms reflects detection capability variation as much as compliance performance variation.
What Real Compliance Maturity Looks Like
The IBCCC’s excellent work makes one thing clear: brokers that identify and report breaches are taking compliance seriously. The firms that report zero are either genuinely exceptional - statistically unlikely at scale - or they’re missing breaches that exist.
The right metrics for compliance maturity aren’t:
· How many breaches did we report? More isn’t worse; it depends on detection.
· What’s our breach rate? This reflects detection methodology first, compliance second.
The right metrics are:
· Incident identification speed: How quickly do we catch potential breaches from incident to log?
· Remediation turnaround: How fast do we fix identified issues before customer impact?
· Recurrence prevention: Are the same breach types repeating, or are systemic issues actually fixed?
· Scope coverage: Are we detecting breaches across Code, Privacy, Corporations Act, and ASIC guides?
The IBCCC’s annual reporting model can’t measure these because it lacks transaction-level granularity. Real-time compliance visibility does. The two approaches complement each other.
Source: IBCCC 2025 Annual Data Report, Table 6: Most common methods for identifying breaches, p. 10 (PDF page 12).
Complaints Are Part of the Same Visibility Question
The report also gives useful context on complaints. Complaints increased from 2,898 in 2024 to 3,133 in 2025, and complaints reporting varies significantly across broker categories. This matters because complaints are often an early signal of process friction, unclear communication or weak issue detection.
Source: IBCCC 2025 Annual Data Report, Graph 4: Percentage of brokers reporting complaints, p. 14 (PDF page 16).
The 2027 Context: Why This Matters
A new version of the Insurance Brokers Code of Practice is coming in 2027. This refresh will update compliance obligations and expectations across the sector.
For brokers, the transition period is critical. The IBCCC’s 2025 report establishes the baseline: this is what Code compliance looks like under the current framework. As the new Code comes into effect, brokers will need to understand where their compliance gaps are now, so they can address them before new obligations take hold.
What we’re seeing from inside broker systems is the importance of this timing: brokers building detection infrastructure now - systems that surface incidents in real time, track them through resolution, and document compliance efforts - will be better positioned to transition smoothly to the updated Code.
The IBCCC report gives the industry a mirror. Brokers looking at themselves in that mirror and asking “how do we detect breaches faster, remediate them better, and prevent recurrence” are building the foundations for compliance under the refreshed framework.\
Author:
Tetiana George, CEO of Curium, Co-Chair of Insurtech Australia and member of ASIC Digital Finance Advisory Committee. LinkedIn Profile.
Source: Insurance Brokers Code Compliance Committee, 2025 Annual Data Report.