Major banks are taking an average of 1726 days – or more than four-and-a-half years – to identify significant breaches.
A report by the corporate regulator has found “unacceptable” delays to financial institutions identifying, reporting and compensating customers for serious issues.
Institutions are legally required to report significant breaches to ASIC within 10 business days of becoming aware of them but the major banks were taking an average of 150 days to notify the regulator after starting an investigation.
ASIC reviewed data from 12 financial services firms, looking at the period between 2014 and 2017, and found customers had lost around $500 million due to breaches, with millions of that yet to be repaid.
Failure or delay in notifying the regulator is an issue that has been aired throughout the banking royal commission, with the commission’s counsel telling Kenneth Hayne that it is open to him to make findings of breaches of the Corporations Act by a number of banks and financial services firms.
“Many of the delays in breach reporting and compensating consumers were due to the financial institutions’ inadequate systems, procedures and governance processes, as well as a lack of a consumer-orientated culture of escalation,” said ASIC chair James Shipton.
“There is an urgent need for investment by financial services institutions in systems and processes, as well as commitment and oversight from boards and senior executives to address these significant failings.”
Breaches happening now may not be picked up until 2022
NAB was the laggard in terms of time taken to identify a breach, according to ASIC’s review, followed by Westpac.
“We found the length of time taken to identify the significant breach as an incident is the biggest factor that contributes to ASIC receiving significant breach reports about events or conduct that happened many years ago,” the report said.
If no improvements are made, ASIC said significant breaches that occur today may not be identified by financial services firms until 2022.
Mr Shipton said the resulting delays in compensating customers were unacceptable.
“Our review found that, on average, it takes over five years from the occurrence of the incident before customers and consumers are remediated, which is a sad indictment on the financial services industry,” he said.
“This must not stand.”
As a result of the findings, ASIC said it will focus on compliance with breach reporting obligations as part of its new monitoring regime, which will see some of the regulator’s staff embedded in the big four banks and AMP from next month.