Financial institutions are not meeting the requirements of the ‘cornerstone of the financial services regulatory structure’.
“Many of the delays in breach reporting and compensating consumers were due to the financial institutions’ inadequate systems, procedures and governance processes, as well as a lack of a consumer-orientated culture of escalation,” Australian Securities and Investments Commission (ASIC) Chairman James Shipton said, on the day of the release of Review of selected financial service groups’ compliance with breach reporting obligation.
This Review is based on work conducted by the regulator between 2017 and 2018, in which they looked at 12 authorised deposit-taking institutions (ADIs) and associated entities.
The major financial groups were:
And the other financial groups are:
Bendigo and Adelaide Bank
Credit Union Australia
The Review then looked at 715 significant breaches reported between 2014 and 2017.
Weaknesses in the process
The Review identified that it takes four-and-a-half years to identify significant breaches. The regulator also identified that there are major delays in remediation, with the Review suggesting it takes financial institutions up to 266 days after the investigation has been concluded.
The process of lodging the breach can take up to 150 days. This is contrary to ASIC’s requirement that an organisation report a serious breach within 10 days.
ASIC has indicated that this Review illustrates a need for law reform when it comes to breach-reporting requirements.
The test as to whether a breach is significant and therefore is legally required to be reported is subjective. That is, the licensee makes that decision based on its own assessment, not based on objective grounds.
The 10-business day period for reporting only begins once an institution has determined that there is a breach, and that it is significant. Institutions can delay making those decisions without breaching the law.
Failures to report can only be prosecuted on a criminal basis with the associated high standard of proof. At the same time, the existing penalty is relatively modest.
“Each breach, whether significant or not, highlights a weakness that must be understood so that improvements can be made to prevent the recurrence of the breach in the future. Internal reporting on the root causes and the effects of the breach, as well as the current and intended responses, need to be escalated to senior management or higher,” ASIC writes.
The Review also considers admissions before the Royal Commission into misconduct in the banking, superannuation and the financial services industry that, in some cases, the regulator was supplied with misleading information.
“Without trust, breach reporting is less effective. We would have to investigate and corroborate all the information in a breach report every time one was made. We would also have to devote substantial resources to investigate failures to lodge breach reports.”
The regulator also addressed the need to correct ‘ambiguities’ in the reporting framework around terminology, like ‘significant’ and ‘becoming aware’.
Anna Bligh, from the Australian Bankers’ Association (ABA), responded to ASIC’s Review, saying it shows that the banks’ efforts to compensate consumers has not been good enough.
“The industry has fully cooperated with the ASIC Enforcement Review and has supported the changes, including increasing penalties and introducing a civil penalty in addition to the criminal offence for failing to report within the required timeframe,” Bligh added.
The industry is still bracing itself for the interim report of the Royal Commission, set to be released at the end of this month. It is expected to have implications for the entire financial sector—including those who did not have to face the Commission.
There may also be implications for the corporate regulator in relation to misconduct and breaches in financial institutions with regards to the application of court-ordered enforceable undertakings and related penalties.