In a report released today, ASIC has identified serious, unacceptable delays in the time taken to identify, report and correct significant breaches of the law among Australia’s most important financial institutions.
The report REP 594 Review of selected financial services groups’ compliance with the breach reporting obligation examined the breach reporting processes of 12 financial services groups, including the big four banks (ANZ, CBA, NAB and Westpac) and AMP.
Key findings from the report include:
- Financial institutions are taking too long to identify significant breaches, with the major banks taking an average time of 1,726 days (over 4.5 years).
- There were delays in remediation for consumer loss. An average of 226 days elapsed between the end of a financial institution’s investigation into the breach and the first payment to impacted consumers. (This is on top of the average across all institutions of 1,517 days before the breach is discovered and the time taken to start and complete an investigation.)
- The significant breaches (within the scope of the review) caused financial losses to consumers of approximately $500 million, with millions of dollars of remediation yet to be provided.
- The process from starting an investigation to lodging a breach report with ASIC also takes too long, with major banks taking an average of 150 days.
Once a financial institution has investigated and determined that a breach has occurred and that it is significant, the law requires that the breach then be reported to ASIC within 10 business days. One in seven significant breaches (110 of 715) were reported later than the 10-business-day requirement.
ASIC Chair James Shipton said:
‘Breach reporting is a cornerstone of Australia’s financial services regulatory structure.
‘Many of the delays in breach reporting and compensating consumers were due to the financial institutions’ inadequate systems, procedures and governance processes, as well as a lack of a consumer orientated culture of escalation.
‘Our review found that, on average, it takes over 5 years from the occurrence of the incident before customers and consumers are remediated, which is a sad indictment on the financial services industry. This must not stand.
‘There are two related problems here and ASIC wants change to address both of these:
- The first is that industry is taking far too long to identify and investigate potential breaches. Whilst this is not of itself a breach of the reporting requirement, this is the source of the longest delay and thus of most detriment for consumers.
- The second problem is that even having identified an issue and concluded following an investigation that it is a breach, institutions are failing to then report it to ASIC within the required 10 business days. The delays here are much shorter (75% were late by 1 – 5 days) but this is still a breach of the legal requirements.
‘Accordingly, there is an urgent need for investment by financial services institutions in systems and processes as well as commitment and oversight from boards and senior executives to address these significant failings.’
In response to the review’s findings, ASIC will ensure there is a strong focus on compliance with breach reporting requirements in its new Close and Continuous Monitoring approach to supervising major institutions. ASIC is also actively considering enforcement action for failures to report breaches on time.
The review underscores the need for law reform of the breach reporting requirements, which the Government has committed to in principle following the ASIC Enforcement Review. Currently, three factors are barriers to enforcement action, and the proposed reforms would address each of them:
- The test as to whether a breach is significant and therefore is legally required to be reported is subjective. That is, the licensee makes that decision based on its own assessment, not based on objective grounds.
- The 10-business day period for reporting only begins once an institution has determined that there is a breach and that it is significant. Institutions can delay making those decisions without breaching the law.
- Failures to report can only be prosecuted on a criminal basis with the associated high standard of proof. At the same time the existing penalty is relatively modest.
Following the Government’s announcement in April 2016 of new measures to protect Australian consumers by improving outcomes in financial services, ASIC undertook a breach reporting review of 12 financial services groups.
The financial services groups were: the four major banks ANZ, CBA, NAB and Westpac; as well as eight others – AMP, Bank of Queensland, Bendigo Bank, Credit Union Australia, Greater Bank, Heritage Bank, Macquarie and Suncorp.
The review considered the institutions’ compliance with reporting requirements under section 912D of the Corporations Act. The law requires all Australian Financial Services (AFS) licensees to report to ASIC a ‘significant breach’ within 10 business days of becoming aware of it.
ASIC analysed the financial services groups’ breach data from 2014 to 2017, covering a total of 715 significant breaches. ASIC also examined internal policies and evaluated specific scenarios using case studies.
The review covered key stages of the breach management process – from identifying an issue or incident to reporting the significant breach to ASIC; and rectifying the breach including remediating consumers.
Breach reporting law reform
Subjectivity and ambiguity in the current legal requirements have led to inconsistent decisions about what breaches are ‘significant’ across different financial services groups. As noted by the ASIC Enforcement Review Taskforce, this has undermined ASIC’s ability to take enforcement action for non-compliance.
The Taskforce in its report to the Government concluded that ‘the current regime is not conducive to pursuing action against non-compliant licensees’. [Page 11 of the report]
Law reform has been recommended by the Taskforce and accepted in principle by the Government. This reform would make breach reporting rules stronger, clearer and more enforceable, as well as extending the requirement to cover breaches of credit laws and introducing a civil penalty for failure to report.
Close and continuous monitoring
The review’s findings re-emphasise the need to implement new and more intensive supervisory approaches.
ASIC will now be regularly placing ASIC staff on site in major financial institutions to closely monitor their breach management, governance and compliance with laws – this new programme of work is called Close and Continuous Monitoring.
- Report 594 Review of selected financial services groups’ compliance with the breach reporting obligation
- ASIC’s submission to the ASIC Enforcement Review Taskforce: Self reporting of contraventions by financial services and credit licensees (May 2017)
© Australian Securities & Investments Commission. Reproduced with permission.