Suffice it to say, NAB hasn’t had a good royal commission.

When it announced a reverse-lemming earlier this month and kept variable mortgage rates on hold, Thorburn had a single, overriding explanation: the need to restore trust.

A week or so later, NAB’s head of consumer and wealth Andrew Hagger is leaving, commendably taking accountability for “what has occurred on my watch”.

“I accept that alongside our successes there were failures, including instances where we did not act with the pace required,” Hagger said in a note to staff, obtained by this column.

“I did seek to find and fix issues to benefit our customers. And I know that recent announcements in wealth will drive further improvements.”

In the last round of hearings on superannuation, senior counsel assisting Michael Hodge said Hagger “showed a disrespect for the role of the regulator (ASIC) and a disregard for the gravity of the events in question”.

NAB, according to Hodge, was not full and frank on members’ likely losses from wrongly imposed plan service fees, or the expected amount of remediation.

Instead, in a bid to minimise reputational damage, the bank was silent when ASIC asked if the figures in its breach report were accurate.

Hodge took a dim view of Hagger’s evidence that he “left the door open” for the regulator to ask the question.

The word inside NAB is that Hagger spoke to Thorburn about a desire to run his own shop well before his fateful August appearance before Kenneth Hayne.

He is believed to have applied unsuccessfully for the CEO position at MLC that went to former Perpetual boss Geoff Lloyd, and for the same role at AMP taken by Francesco De Ferrari.

Hagger has runs on the board that mitigate his royal commission experience.

As head of marketing, he led the “breakup” campaign that attracted one million new customers to NAB, set up the partnership agreement with Nippon Life for the life insurance business, and helped grow the digital bank U Bank.

His initial priority will be a move to San Francisco in December to take up the position of senior international adviser at a social venture called Not for Sale, which works to end exploitation from human trafficking.

It could lead to a permanent position or a period of freshening up for a new role.

Word on the street

Way back in early April, before the dawn of time, only regulators who needed to get out more were animated by the repeated failure of large financial institutions to lodge timely breach reports with ASIC.

Since then, courtesy of revelations in the financial services royal commission, you’d be forgiven for thinking that breach reporting has spawned an entire industry devoted to slowing the whole process down, or circumventing it entirely.

That’s why the imminent completion of the watchdog’s surveillance project on breach reporting, which began in June 2016, will generate a high level of interest.

The word on the street is that ASIC will release a final report on the project in the next week or so.

The report will incorporate 2017 data and include additional information from case studies.

The Corporations Act requires Australian financial services licensees to lodge a report with ASIC within 10 business days of becoming aware of a “significant” breach.

However, ASIC deputy chair Peter Kell said in a witness statement for the financial advice round of hearings by the royal commission that some licensees had adopted complex reporting and assessment systems that delayed the communication of breaches.

For example, the key decision about the significance of a breach was often left to a single manager or specific committee.

This became problematic when a referral was only considered after completion of an internal investigation.

Among the key preliminary findings in the project, based on data from 12 banking groups, including the big four, over the 2014-16 period, was that it took just over four years from the occurrence of an event for an internal investigation to commence.

The average time frame from the start of an internal investigation to the lodging of a breach report with ASIC was 123 days, with one in four significant breaches taking longer than 145 days.

Why does this matter?

Time and again, delays in breach reporting have been shown to undermine ASIC’s ability to take timely and appropriate enforcement action, raising the risk of consumer loss or detriment.

The regulator has already issued guidance that licensees should not wait to lodge a breach report until it’s been considered by the board or legal advisers, or until they have taken steps to rectify it.

Despite this, the long delays persist.

One solution is to clear up any confusion surrounding the concept of significance by making it an objective test based on what a reasonable person would regard as significant.

Cultural change is also required.

As Kell said, large financial services entities were often focused too narrowly and pedantically on technical legal compliance.

Instead, the focus should be on producing good outcomes for their customers.

gluyasr@theaustralian.com.au

Twitter: @Gluyasr

More related stories

Richard Gluyas

P2P lenders warned over risks

If a shiver went down the spine of the $1.4bn peer-to-peer lending industry yesterday, it did a masterful job covering it up.

Read more

Richard Gluyas

Bank fee scandal bill mounts

Provisions by the finance sector for its fees-for-no-service scandal continue to grind towards $2bn and there’s more to come.

Read more