ASIC says the big four banks are taking years to report serious breaches of the law

Oli Scarff/Getty Images
  • An ASIC review has found that it takes banks an average five years to remediate customers affected by a breach of the law.
  • The review of compliance of breach reporting looked at 12 financial services groups, including the big four banks — ANZ, CBA, NAB and Westpac — and AMP.
  • One issue is that the banks themselves get to decide what is serious and what is not before deciding to make a report to the regulator.

The banks have been taking years to get around to reporting significant breaches of the law governing their licence to operate.

Corporate regulator ASIC has identified unacceptable delays running into years in the time taken to identify, report and correct significant breaches of the law among Australia’s big banks.

The review of compliance of breach reporting examined the processes of 12 financial services groups, including the big four banks — ANZ, CBA, NAB and Westpac — and AMP.

ASIC found that financial institutions are taking too long to identify significant breaches, with the major banks taking an average of 1726 days, or more than four and a half years.

And the banks also delay remediation when consumers suffer a loss because of the breach.

The latest ASIC review, conducted with special funding granted in the May federal budget, comes as the the financial services royal commission is about to make its interim report into misconduct, including charging customers for services not provided.

The corporate regulator says its study of 715 significant breaches found that it took an average of 226 days from the end of a financial institution’s investigation into the breach and first payment to impacted consumers.

This is on top of the average across all institutions of 1517 days before the breach is discovered and the time taken to start and complete an investigation.

The significant breaches caused financial losses to consumers of $500 million, with millions of dollars of remediation yet to be provided.

The process from starting an investigation to lodging a breach report with ASIC also takes too long, with major banks taking an average of 150 days, as this chart shows:


Once a financial institution has investigated and determined that a breach has occurred and that it is significant, the law requires that the breach be then reported to ASIC within 10 business days.

One in seven significant breaches, or 110 out 715, were reported later than that 10-business day requirement.

“Breach reporting is a cornerstone of Australia’s financial services regulatory structure,” says ASIC Chair James Shipton.

“Many of the delays in breach reporting and compensating consumers were due to the financial institutions’ inadequate systems, procedures and governance processes, as well as a lack of a consumer orientated culture of escalation.

“Our review found that, on average, it takes over five years from the occurrence of the incident before customers and consumers are remediated, which is a sad indictment on the financial services industry. This must not stand.”

One issue is the definition of what is a significant breach.

The bank makes that decision based on its own assessment, not on objective grounds.

The 10-business day period for reporting only begins when an institution has determined that there is a breach and that it is significant. This means that they can delay making decisions without breaching the law.

Business Insider Emails & Alerts

Site highlights each day to your inbox.

Follow Business Insider Australia on Facebook, Twitter, LinkedIn, and Instagram.