Banks drag heels on breach reporting, until now
The Royal Commission has succeeded in shaking loose a spate of breach reports from financial services companies but the Australian Securities and Investments Commission (ASIC) has admitted that many companies still unduly drag their feet.
That is the bottom line of evidence given to Senate estimates by ASIC officials, with the regulator’s deputy chairman, Peter Kell revealing that a review of breach reporting practices involving a quantitative analysis of data from the 12 banking groups, including the four majors, had painted a very unflattering picture.
He said the average time frame from an event occurring to it being identified internally for investigation was 1,552 days—just over four years—which was a median of 1,094.
Further, Kell told Estimates the average time frame from the start of an internal investigation of a matter to lodging a breach report was 123 days—a median of 58 days and that one in four significant breaches took longer than 145 days to report to ASIC.
The ASIC deputy chairman said the institutions in question had commenced a change to their systems to address a compliance issue within an average of 18 days of an investigation concluding, but customer remediation often took a lot longer, averaging 217 days.
“These preliminary findings confirm the concerns that we've articulated publicly and before this committee about the timeliness and consistency of breach reporting and projects still underway,” he said.
However, ASIC also confirmed to the Parliamentary Committee that there had been a 39.1 per cent increase in breach reports and noted that this was not unconnected to the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry.
Recommended for you
Financial Services Minister Stephen Jones has shared further details on the second tranche of the Delivering Better Financial Outcomes reforms including modernising best interests duty and reforming Statements of Advice.
The Federal Court has found a company director guilty of operating unregistered managed investment schemes and carrying on a financial services business without holding an AFSL.
The Governance Institute has said ASIC’s governance arrangements are no longer “fit for purpose” in a time when financial markets are quickly innovating and cyber crime becomes a threat.
Compliance professionals working in financial services are facing burnout risk as higher workloads, coupled with the ever-changing regulation, place notable strain on staff.
