A new report from the Australian Securities and Investments Commission (ASIC) has identified serious, unacceptable delays in the time taken by Australia’s major financial institutions to identify, report and correct significant breaches of the law.
Released today, “REP 594: Review of selected financial services groups’ compliance with the breach reporting obligation” examined the breach reporting processes of 12 financial services groups, including the big four – ANZ, CBA, NAB and Westpac – and AMP.
The key findings revealed financial institutions are taking too long to identify significant breaches, with major banks taking an average time of 1726 days, or over 4.5 years.
There were also delays in remediating consumer loss: an average of 226 days elapsed between the end of a financial institution’s investigation into the breach and the first payment to affected customers.
This is on top of the average across all institutions of 1517 days before a breach is discovered and the time taken to start and complete an investigation, the report said.
Further, significant breaches, within the scope of the review, caused financial losses to consumers of about $500 million, with millions of dollars of remediation yet to be provided.
The report also highlighted that the process from starting an investigation to lodging a breach report with ASIC takes too long, with major banks taking an average of 150 days.
Once a financial institution has investigated and determined a breach has occurred and that it is significant, the law requires that the breach be then reported to ASIC within 10 business days.
One in seven significant breaches – 110 out of 715 – was reported later than the 10-business-day requirement.
“Breach reporting is a cornerstone of Australia’s financial services regulatory structure,” ASIC chair James Shipton said.
“Many of the delays in breach reporting and compensating consumers were due to the financial institutions’ inadequate systems, procedures and governance processes, as well as a lack of a consumer-orientated culture of escalation.
“Our review found that on average it takes over five years from the occurrence of the incident before customers and consumers are remediated, which is a sad indictment on the financial services industry. This must not stand.”
ASIC expects to see change and will address two related problems: the industry is taking far too long to identify and investigate potential breaches, and after identifying an issue, institutions are failing to report it to the regulator within the required 10 business days.
The regulator will also ensure there is a strong focus on compliance with breach reporting requirements in its new close and continuous monitoring approach to supervising major institutions.
It is actively considering enforcement action for failures to report breaches on time.