A report by the Australian Securities and Investments Commission (ASIC) has identified “serious, unacceptable delays” in the time taken to identify, report and correct significant breaches of the law among 12 of Australia’s biggest financial institutions – including the big four banks and AMP – and has said that the time taken for consumers to be remediated for breach incidents “must not stand”.
The regulator said the report found that financial institutions are taking too long to identify significant breaches, with the major banks taking an average time of over 4.5 years.
ASIC also found delays in remediation for consumer loss, with it taking an average of 226 days from the end of a financial institution’s investigation into the breach and first payment to impacted consumers.
This is on top of the average across all institutions of 1,517 days before a breach is discovered and the time taken to start and complete an investigation, ASIC said.
The regulator found the significant breaches caused financial losses to consumers of approximately $500 million, with millions of dollars of remediation yet to be provided.
ASIC also said the process from starting an investigation to the lodging of a breach report also takes too long, with major banks taking an average of 150 days.
ASIC pointed out that once a financial institution has investigated and determined that a breach has occurred and that it is significant, the law requires that the breach be then reported within 10 business days. However, one in seven significant breaches were reported later than that 10-business day requirement, it said.
ASIC chair James Shipton said many of the delays in breach reporting and compensating consumers were due to the financial institutions’ inadequate systems, procedures and governance processes, as well as a lack of a consumer-orientated culture of escalation.
“Our review found that, on average, it takes over five years from the occurrence of the incident before customers and consumers are remediated, which is a sad indictment on the financial services industry. This must not stand,” he said.
Shipton said the report highlighted two related problems that ASIC wanted to change, the first being that the industry is taking far too long to identify and investigate potential breaches, the second being that even having identified an issue and concluded following an investigation that it is a breach, institutions are failing to then report it to ASIC within the required 10 business days.
“Accordingly, there is an urgent need for investment by financial services institutions in systems and processes as well as commitment and oversight from boards and senior executives to address these significant failings,” he said.
In response to the findings, ASIC said it will ensure there is a strong focus on compliance with breach reporting requirements in its new Close and Continuous Monitoring approach to supervising major institutions.
ASIC said it is also actively considering enforcement action for failures to report breaches on time.
