The Royal Commission has succeeded in shaking loose a spate of breach reports from financial services companies but the Australian Securities and Investments Commission (ASIC) has admitted that many companies still unduly drag their feet.
That is the bottom line of evidence given to Senate estimates by ASIC officials, with the regulator’s deputy chairman, Peter Kell, revealing that a review of breach reporting practices involving a quantitative analysis of data from the 12 banking groups, including the four majors, had painted a very unflattering picture.
He said the average time frame from an event occurring to it being identified internally for investigation was 1,552 days, just over four years, with a median of 1,094.
Further, Kell told Estimates the average time frame from the start of an internal investigation of a matter to lodging a breach report was 123 days, with a median of 58 days, and that one in four significant breaches took longer than 145 days to report to ASIC.
The ASIC deputy chairman said the institutions in question had commenced a change to their systems to address a compliance issue within an average of 18 days of an investigation concluding, but customer remediation often took a lot longer, averaging 217 days.
“These preliminary findings confirm the concerns that we've articulated publicly and before this committee about the timeliness and consistency of breach reporting and projects still underway,” he said.
However, ASIC also confirmed to the Parliamentary Committee that there had been a 39.1 per cent increase in breach reports and noted that this was not unconnected to the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry.