ASIC Report 594: Review of selected financial services groups' compliance with breach reporting obligations found that financial institutions take 'too long' to identify and report breaches, and too long to remediate customers. ASIC Chair James Shipton has reiterated that breach reporting is an area of immediate focus for the regulator, and has called on firms to improve. In addition, Mr Shipton has said that the report underscores the need for law reform.
Australian Securities and Investments Commission (ASIC) Report 594: Review of selected financial services groups' compliance with breach reporting obligations sets out the findings of ASIC's review of Australian financial services (AFS) licensees' compliance with their breach reporting obligation under s912D of the Corporations Act 2001 (Cth). The review examined the breach reporting processes of 12 financial services groups which provide services such as banking, superannuation, investment management, insurance and financial advice. The sample included the big four banks (ANZ, CBA, NAB and Westpac) and AMP. The report found that there are 'serious, unacceptable delays in the time taken to identify, report and correct significant breaches of the law among Australia's most important financial institutions'.
Some key findings
- Delays in identifying 'significant breaches': Overall, the report found that 'financial institutions are taking too long to identify significant breaches'. ASIC states that, on average, 1,517 days (over 4 years) pass before an incident is identified. For the major banks, the average time to identify a breach was 1,726 days (over 4.5 years).
- Delay in lodging a breach report: Once a financial institution has investigated and determined that a breach has occurred and that it is significant, it is required to report the breach to ASIC within 10 business days. According to the report, one in seven significant breaches (110 of 715) were reported later than the 10-business-day requirement. The report found that the major banks take an average of 150 days to report a breach (measured from the start of an investigation), which is 'double that of the other groups' reviewed (which averaged 73 days).
- Delays in remediating customers: According to the report, an average of 226 days passed between the end of a financial institution's investigation into a breach and the first payment to affected consumers. ASIC notes that this is in addition to the average 1,517 days before a breach is discovered and the time taken to start and complete an investigation. Overall, the report found that it takes financial institutions 1,899 days (over 5 years) to begin remediating customers.
- Remediation yet to be provided: According to the report, financial losses to consumers due to 'significant breaches' within the scope of ASIC's review totalled approximately $500m with many customers yet to be compensated.
ASIC Chair has called on industry to improve
ASIC Chair James Shipton attributed many of the delays to 'the financial institutions' inadequate systems, procedures and governance processes, as well as a lack of a consumer orientated culture of escalation'. More particularly, he highlighted the time taken to identify and investigate potential breaches, and the time taken to report them within the 10-day time frame, as areas for improvement.
He went on to call on industry to invest in 'systems and processes', and on boards and senior executives to commit to addressing these significant failings.
Breach reporting confirmed as an area of immediate focus: Mr Shipton also reiterated that breach reporting will be an area of focus in ASIC's 'Close and Continuous Monitoring approach to supervising major institutions' (see: Governance News 10/09/2018). He added that 'ASIC is also actively considering enforcement action for failures to report breaches on time'.
Need for law reform? Mr Shipton said that the review 'underscores the need for law reform of the breach reporting requirements, that the Government has committed to in principle, following the ASIC Enforcement Review'. He then identified three 'barriers' to enforcement action which, in his view, would be addressed by the proposed reforms.
- The test as to whether a breach is significant and therefore is legally required to be reported is subjective. That is, the licensee makes that decision based on its own assessment, not based on objective grounds.
- The 10-business day period for reporting only begins once an institution has determined that there is a breach and that it is significant. Institutions can delay making those decisions without breaching the law.
- Failures to report can only be prosecuted on a criminal basis, with the associated high standard of proof. At the same time, the existing penalty is relatively modest.
[Note: Among the reforms proposed by the Taskforce were changes in relation to the self-reporting of contraventions by financial services and credit licensees. These included clarification of the 'significance test' to 'ensure that the significance of breaches is determined objectively'. The report also recommended that the time for reporting should be extended from 10 to 30 days, but that licensees should be required to make a report if they commence investigating a breach and have not yet determined within 30 days whether it meets the significance threshold. The report states that 'failures to report, objectively determined as such, can be more effectively sanctioned and increasing the incidence of reports, by requiring a report to be made within 30 days, even if a breach investigation has not been finalised'. See: Governance News 23/04/2018.]
[Sources: ASIC media release 25/09/2018; Report 594: Review of selected financial services groups' compliance with the breach reporting obligations]
The Australian Banking Association (ABA) released a statement in response to the report, which said it is a 'further wake up call to the banks to lift their game in quickly fixing issues in their business'. ABA CEO Anna Bligh said 'this investigation shows that banks' efforts to identify issues, report them to ASIC and compensate customers is not good enough. Customers expect these problems to be identified and fixed as soon as possible. Clearly this report shows there's a lot of work to be done'. Ms Bligh went on to note that the industry had cooperated fully with the ASIC Enforcement Review and 'supported changes including increasing penalties and introducing a civil penalty in addition to the criminal offence for failing to report within the required timeframe'. She added that industry is also supportive of ASIC's continuous monitoring program.
[Source: Australian Banking Association media release 25/09/2018]