ASIC finds serious delays in breach reporting from major banks

In ASIC's report, Review of selected financial services groups' compliance with the breach reporting obligation, it examined the breach reporting processes of 12 financial services groups, which included the big four banks and AMP.

The report found that the major banks took an average of 1,726 days (4.5 years) to identify significant breaches and an average of 226 days on top of that for a first payment to impacted consumers.

The breaches within the scope of the review caused financial losses to consumers of approximately $500 million, with millions of dollars of remediation yet to be provided.

Major banks also took an average of 150 days to report a breach to ASIC after starting an investigation.

Once a financial institution has investigated and determined that a breach has occurred, the law requires it to be reported to ASIC within 10 days.

One in seven significant breaches were reported later than that requirement, with ASIC chair James Shipton saying that time was a breach of legal requirements.

“Institutions are failing to report [breaches] to ASIC within the required 10 business days. The delays here are much shorter (75 per cent were late by one to five days) but this is still a breach of the legal requirements,” Mr Shipton said.

Mr Shipton said breach reporting was a cornerstone of the regulatory structure and many of the delays were due to poor systems.

“Many of the delays in breach reporting and compensating consumers were due to the financial institutions’ inadequate systems, procedures and governance processes, as well as a lack of a consumer orientated culture of escalation,” he said.

ASIC also wanted address with the banks how long they took to identify and investigate breaches and said there was an urgent need to fix it.

“There is an urgent need for investment by financial services institutions in systems and processes as well as commitment and oversight from boards and senior executives to address these significant failings,” Mr Shipton said.

In response to the findings, ASIC will focus on compliance with breach reporting as part of its new monitoring approach.

ASIC also said its review underscored the need for law reform of breach reporting requirements that the government had said they were committed to.

Eliot Hastie

Eliot Hastie is a journalist at Momentum Media, writing primarily for its wealth and financial services platforms. 

Eliot joined the team in 2018 having previously written on Real Estate Business with Momentum Media as well.

Eliot graduated from the University of Westminster, UK with a Bachelor of Arts (Journalism).

You can email him on: [email protected]