A new report has found it takes major banks more than four and a half years to identify significant breaches.
The Australian Securities and Investments Commission (ASIC) has examined the breach reporting processes of 12 financial services groups, including the four major lenders and AMP.
The group found “unacceptable” delays in the time taken to identify, report and correct significant breaches of the law among Australia’s most important financial institutions.
The key findings also showed that once the breach had been identified it took an average of 226 days from the end of an investigation for customers to be remediated.
The average time taken to identify and then investigate a breach was 1,517 days.
These breaches caused financial losses to consumers of around $500million, with millions of dollars still to be provided.
ASIC also found the process from starting an investigation to lodging a breach report with the regulator took the major banks an average of 150 days, which the group said was “too long”.
Once a financial institution has investigated and determined that a breach has occurred and that it is significant, the law requires that the breach be then reported to ASIC within 10 business days.
One in seven significant breaches (110 of 715) were reported later than the 10-business day requirement.
ASIC Chair James Shipton said, “Breach reporting is a cornerstone of Australia’s financial services regulatory structure.
“Many of the delays in breach reporting and compensating consumers were due to the financial institutions’ inadequate systems, procedures and governance processes, as well as a lack of a consumer orientated culture of escalation.
“Our review found that, on average, it takes over 5 years from the occurrence of the incident before customers and consumers are remediated, which is a sad indictment on the financial services industry. This must not stand.
“There are two related problems here and ASIC wants change to address both of these.
“The first is the industry is taking far too long to identify and investigate potential breaches. Whilst this is not of itself a breach of the reporting requirement, this is the source of longest delay and thus of most detriment for consumers.
“The second problem is that even having identified an issue and concluded following an investigation that it is a breach, institutions are failing to then report it to ASIC within the required 10 business days. The delays here are much shorter, 75% were late by 1 – 5 day, but this is still a breach of the legal requirements.
“Accordingly, there is an urgent need for investment by financial services institutions in systems and processes as well as commitment and oversight from boards and senior executives to address these significant failings.”
In response to the review's findings, ASIC said it will ensure there is a strong focus on compliance with breach reporting requirements in its new Close and Continuous Monitoring approach to supervising major institutions.
ASIC is also actively considering enforcement action for failures to report breaches on time.
The review underscores the need for law reform of the breach reporting requirements, that the Government has committed to, in principle, following the ASIC Enforcement Review. Currently, there are three factors that are barriers to enforcement action which would be addressed by the proposed reforms: