
Big banks far too slow in reporting breaches: ASIC

ASIC has highlighted the major banks as the worst offenders in a searing review of long delays in breach reporting.

ASIC chairman James Shipton. Picture: Kym Smith

ASIC has highlighted the major banks as the worst offenders in a searing review of long delays in breach reporting, with the watchdog calling for urgent law reform as supervisors prepare to launch a crackdown when they are embedded in the nation’s financial institutions next month.

New ASIC chair James Shipton slammed the sector’s “unacceptable” approach to breach reporting, which he said was one of the cornerstones of the sector’s regulatory infrastructure.

“Our review found that, on average, it takes over five years from the occurrence of the incident before customers and consumers are remediated, which is a sad indictment on the financial services industry,” Mr Shipton said.

“This must not stand.”

Long delays in breach reporting have been a regular feature of hearings in the financial services royal commission, ahead of commissioner Kenneth Hayne handing his interim report to the Morrison government on Friday.

One of the main weaknesses in the existing legal framework has been that the 10 business-day period in which a breach must be reported to ASIC only begins once an institution has determined there has been a “significant” breach. The test is subjective rather than objective, so companies can delay making those decisions for a long time without breaking the law.

The ASIC review of 12 financial services groups from 2014 to 2017 found that, on average, the major banks took 1726 days (more than 4½ years) to identify significant breaches.

Average time taken to report a breach

They took a further 150 days from the start of an internal investigation to lodging the required breach report with the regulator.

ANZ was the worst offender at 213 days, followed by Westpac (165 days), National Australia Bank (139 days) and Commonwealth Bank (104 days).

An ANZ spokesman said yesterday that the bank had put in place a new team, headed by responsible banking boss Sarah Stubbings, to identify and fix breach reporting issues as they arose.

NAB chief risk officer David Gall said the bank had been working hard to identify and investigate past events and improve its breach reporting processes and systems.

“Since 2016, we have seen a reduction in late breach reporting to ASIC, with zero significant breaches being reported outside the 10 business-day timeframe for 2018,” Mr Gall said.

While the bank was making progress, there were cases where it had taken longer to fix issues and remediate customers so there was “clearly more to do”.

“While we are making progress, there have been instances where it has taken us longer than we would (like).”

The other significant delay found by ASIC was remediation of customer losses.

Of the 715 significant breaches from 2014 to 2017 that were in the scope of the review, consumers suffered losses of about $500 million, with millions of dollars in remediation still to come.

In part, this reflected the average period of 226 days from the end of an institution’s investigation until the first payment to customers.

Number of breaches causing loss

Mr Shipton said that ASIC was considering its options in relation to enforcement action, with 110 of the 715 significant breaches — equivalent to one in seven — not reported to the regulator within the prescribed period of 10 business days.

Supervisors to be embedded in large financial companies from next month as part of ASIC’s new continuous monitoring program would also focus on breach reporting.

The ASIC chief said many of the delays were due to inadequate systems, procedures and governance processes, as well as institutional cultures that discouraged escalation of consumer-related issues.

ASIC wanted to address two interrelated issues.

The first was the industry’s habit of taking “far too long” to identify and investigate potential breaches.

Of itself, this was not a breach of the law, but it was still the source of the longest delays and therefore hurt customer interests the most.

The second problem was that, having identified a breach and determined after an investigation that it was significant, institutions were still failing to report it to ASIC within 10 business days.

The delays were much shorter, with 75 per cent outside the limit by only 1-5 days, but they still amounted to breaches.

“Accordingly, there is an urgent need for investment by financial services institutions in systems and processes, as well as commitment and oversight from boards and senior executives to address these significant failings,” Mr Shipton said.

Last December, the ASIC enforcement review recommended changes to the breach reporting regime, including retention of the significance test but changing it to an objective benchmark.

Significant breaches would have to be reported within 30 days.


Original URL: https://www.theaustralian.com.au/business/big-banks-far-too-slow-in-reporting-breaches-asic/news-story/60a548f903c0480fc5977ccc5ca77a5c