Some financial institutions are taking an average time of 1,726 days – or more than 4.5 years – to identify significant breaches, according to a new report by corporate regulator ASIC.
ASIC’s REP 594, Review of selected financial services groups’ compliance with the breach reporting obligation, uncovered “serious” and “unacceptable” delays in the time taken by Australia’s major financial institutions in identifying, reporting, and remediating consumers for significant breaches of the law.
The report examined the breach-reporting practices of 12 financial-services groups, including big four banks ANZ, CBA, NAB, and Westpac, wealth-management firm AMP, and bancassurance giant Suncorp.
Financial institutions are legally required to report a breach to ASIC within 10 business days after they have realised that a breach occurred, but the report showed that major banks are taking an average of 150 days to submit a breach report to ASIC.
The report also revealed delays in remediation for consumer loss, with impacted customers forced to wait an average of 226 days from the end of a financial institution’s investigation into the breach for the first payment.
The significant breaches (within the scope of the review) cost consumers roughly $500m in financial losses, with millions of dollars of remediation yet to be provided.
“Breach reporting is a cornerstone of Australia’s financial services regulatory structure,” ASIC Chair James Shipton said. “Many of the delays in breach reporting and compensating consumers were due to the financial institutions’ inadequate systems, procedures, and governance processes, as well as a lack of a consumer-orientated culture of escalation. Our review found that, on average, it takes over five years from the occurrence of the incident before customers and consumers are remediated, which is a sad indictment on the financial-services industry. This must not stand.”
Shipton said addressing the issues requires “investment by financial services institutions in systems and processes as well as commitment and oversight from boards and senior executives.”
On its part, the corporate regulator said it “will ensure there is a strong focus on compliance with breach reporting requirements in its new Close and Continuous Monitoring approach to supervising major institutions” and is also “actively considering enforcement action for failures to report breaches on time.”