CONSUMERS LEFT OUT OF POCKET BY DELAYS IN BREACH REPORTING BY FINANCIAL INSTITUTIONS
WHAT DID ASIC FIND?
* Serious and unacceptable delays in time taken to identify, report and correct significant breaches by 12 major financial services groups including the big four banks and AMP
WHAT IS THE AVERAGE TIME FOR THE KEY BREACH REPORTING STAGES?
* 1517 days (over four years) to identify an incident; for the four major banks it’s 1726 days
* 28 days for an investigation to begin
* 128 days from investigation beginning to lodging breach report with ASIC
* 226 days until compensation for affected customers starts
* All up that’s 1899 days or over five years
WHAT IS THE IMPACT ON CONSUMERS?
* ASIC says consumers out of pocket for an excessive period
* In some cases consumers are permanently disadvantaged (as firm was not able to return all funds to consumers financially affected by the significant breach)
* Total financial loss $497.2 million to 4.96 million consumers
– Average loss of $1.8 million per significant breach
– Average loss of $100 per consumer
* So far $437 million in financial remediation paid
WHAT DID ASIC’S REVIEW COVER?
* Big four banks – ANZ, CBA, NAB and Westpac
* AMP, Bank of Queensland, Bendigo and Adelaide Bank, Credit Union Australia, Greater Bank, Heritage Bank, Macquarie and Suncorp
* 715 significant breaches reported to ASIC between 2014 and 2017 (279 involved financial loss to consumers)
* Superannuation accounted for 40 per cent of the significant breaches
WHAT MUST BE REPORTED?
* Significant breaches of financial services laws and licence conditions must be reported to ASIC within 10 business days of institution determining there is a significant breach
* Test of whether breach is significant is subjective
* One in seven significant breaches reported late; majority were from NAB
WHAT ARE THE CONSEQUENCES?
* Failure to report within 10 business days is a criminal offence
* ASIC says current penalty – maximum of $52,000 for a corporation – is too low to have a deterrent effect
* A taskforce last December recommended making breach reporting rules stronger, clearer and more enforceable; extending requirement to cover breaches of credit laws; introducing a civil penalty for failure to report
* Government accepted recommendations in-principle, but deferred their implementation until it has the findings of the banking royal commission.