ASIC mulls enforcement amid ‘unacceptable’ delays

Following its review of selected financial services groups’ compliance with breach reporting obligations (REP 594), the Australian Securities and Investments Commission (ASIC) has identified “serious, unacceptable delays in the time taken to identify, report and correct significant breaches of the law among Australia’s most important financial institutions”.

ASIC’s key findings from its review include:

• Financial institutions are taking too long to identify significant breaches, with the major banks taking an average time of 1,726 days (over 4.5 years).
• There were delays in remediation for consumer loss. It took an average of 226 days from the end of a financial institution’s investigation into the breach and first payment to impacted consumers — on top of the average across all institutions of 1,517 days before the breach is discovered and the time taken to start and complete an investigation.
• The significant breaches (within the scope of the review) caused financial losses to consumers of approximately $500 million, with millions of dollars of remediation yet to be provided.
• The process from starting an investigation to lodging a breach report with ASIC also takes too long, with major banks taking an average of 150 days.

ASIC noted that one in seven significant breaches (110 of 715) were reported later than the 10 business day requirement, despite the legal requirement to report significant breaches within 10 business days.

ASIC’s review also found instances where Australian financial services licensees failed to quickly recognise indicators of a breach that it claimed should have been a “red flag” which needed further investigation.

The report contained case studies, which the regulator deemed to be instanced in which “red flags” were not addressed appropriately, including an instance in which a licensee identified that nearly 200 consumer complaints received within one year were about home loan offset arrangements within the broker channel.

ASIC claimed that the licensee conducted an investigation and identified approximately 2,000 active accounts with offset account linkage errors, resulting in a number of these consumers not receiving the benefits of an offset account and paying too much interest on their home loan.

Reflecting on the findings, ASIC chair James Shipton said: “Breach reporting is a cornerstone of Australia’s financial services regulatory structure.

“Many of the delays in breach reporting and compensating consumers were due to the financial institutions’ inadequate systems, procedures and governance processes, as well as a lack of a consumer-orientated culture of escalation.

“Our review found that, on average, it takes over five years from the occurrence of the incident before customers and consumers are remediated, which is a sad indictment on the financial services industry. This must not stand.”

Mr Shipton added that there were two related problems which he sought to address.

“The first is that industry is taking far too long to identify and investigate potential breaches. While this is not of itself a breach of the reporting requirement, this is the source of longest delay and thus of most detriment for consumers,” Mr Shipton continued.

“The second problem is that even having identified an issue and concluded following an investigation that it is a breach, institutions are failing to then report it to ASIC within the required 10 business days. The delays here are much shorter (75 per cent were late by one to five days), but this is still a breach of the legal requirements.”

The ASIC chair urged financial institutions to invest in and review their compliance systems to address such issues.   

“There is an urgent need for investment by financial services institutions in systems and processes as well as commitment and oversight from boards and senior executives to address these significant failings,” Mr Shipton added.

In response to ASIC’s report, CEO of the Australian Banking Association Anna Bligh said that the findings have served as a “wake-up call” to the banks.

“This investigation shows that banks’ efforts to identify issues, report them to ASIC and compensate customers is not good enough,” Ms Bligh said.

“Customers expect these problems to be identified and fixed as soon as possible. Clearly, this report shows there’s a lot of work to be done.”

Ms Bligh added that the banking industry has “fully cooperated with the ASIC Enforcement Review and has supported changes, including changes to civil and criminal penalties, and the regulator’s Close and Continuous Monitoring initiative.

ASIC has also stated that it would ensure that there is a strong focus on compliance with breach reporting requirements in its Close and Continuous Monitoring approach to supervising major institutions and has said that it is “actively considering enforcement action for failures to report breaches on time”.

ASIC claimed that its review underscores the need for law reform of the breach reporting requirements, making reference to the government’s commitment to reform under the ASIC Enforcement Review.

The regulator concluded that barriers to enforcement action which would be addressed by the proposed reforms include:

• The test as to whether a breach is significant and therefore is legally required to be reported is subjective. That is, the licensee makes that decision based on its own assessment, not based on objective grounds.
• The 10 business day period for reporting only begins once an institution has determined that there is a breach and that it is significant. Institutions can delay making those decisions without breaching the law.
• Failures to report can only be prosecuted on a criminal basis with the associated high standard of proof. At the same time, the existing penalty is relatively modest.

[Related: ASIC to embed staff within big four and AMP]