In a report released today, ASIC has identified serious, unacceptable delays in the time taken to identify, report and correct significant breaches of the law among Australia’s most important financial institutions.
Following the Government’s announcement in April 2016 of new measures to protect Australian consumers by improving outcomes in financial services, ASIC undertook a breach reporting review of 12 financial services groups. The report (REP 594) examined the groups’ compliance with the breach reporting obligation and their breach reporting processes. The groups reviewed were the four major banks (ANZ, CBA, NAB and Westpac) and eight other institutions: AMP, Bank of Queensland, Bendigo Bank, Credit Union Australia, Greater Bank, Heritage Bank, Macquarie and Suncorp.
ASIC Chair James Shipton said: “Breach reporting is a cornerstone of Australia’s financial services regulatory structure. Many of the delays in breach reporting and compensating consumers were due to the financial institutions’ inadequate systems, procedures and governance processes, as well as a lack of a consumer-orientated culture of escalation.”
“Our review found that, on average, it takes over 5 years from the occurrence of the incident before customers and consumers are remediated, which is a sad indictment on the financial services industry. This must not stand.”
Key findings from the report include:
- Financial institutions are taking too long to identify significant breaches, with the major banks taking an average of 1,726 days (over 4.5 years) to do so.
- There were delays in remediating consumer loss. It took an average of 226 days between the end of a financial institution’s investigation into the breach and the first payment to affected consumers. (This is in addition to the average, across all institutions, of 1,517 days before the breach is discovered, plus the time taken to start and complete an investigation.)
- The significant breaches (within the scope of the review) caused financial losses to consumers of approximately $500 million, with millions of dollars of remediation yet to be provided.
- The process from starting an investigation to lodging a breach report with ASIC also takes too long, with major banks taking an average of 150 days.
- Once a financial institution has investigated and determined that a breach has occurred and that it is significant, the law requires that the breach be reported to ASIC within 10 business days. One in seven significant breaches (110 of 715) was reported after that 10-business-day deadline.
There are two related problems here, and ASIC wants change to address both of them:
The first is that industry is taking far too long to identify and investigate potential breaches. While this is not of itself a breach of the reporting requirement, it is the source of the longest delay and thus of the most detriment to consumers.
The second problem is that, even having identified an issue and concluded following an investigation that it is a breach, institutions are failing to report it to ASIC within the required 10 business days. The delays here are much shorter (75 per cent were 1 to 5 days late), but this is still a breach of the legal requirements.
“Accordingly, there is an urgent need for investment by financial services institutions in systems and processes as well as commitment and oversight from boards and senior executives to address these significant failings,” said Shipton.
In response to the review’s findings, ASIC will ensure there is a strong focus on compliance with breach reporting requirements in its new Close and Continuous Monitoring approach to supervising major institutions. ASIC is also actively considering enforcement action for failures to report breaches on time.
The review underscores the need for law reform of the breach reporting requirements, which the Government has committed to in principle following the ASIC Enforcement Review. Currently, three factors are barriers to enforcement action, and the proposed reforms would address each of them:
- The test as to whether a breach is significant, and therefore legally required to be reported, is subjective. That is, the licensee makes that decision based on its own assessment, not on objective grounds.
- The 10-business-day period for reporting only begins once an institution has determined that there is a breach and that it is significant. Institutions can delay making those decisions without breaching the law.
- Failures to report can only be prosecuted on a criminal basis, with the associated high standard of proof. At the same time, the existing penalty is relatively modest.