Australian Banks Don't Identify, Resolve Big Breaches Fast Enough - Regulator

The Australian regulator has fired a broadside at the banking sector for taking too long to report and fix a significant breach, adding to criticisms of the sector in recent months.
Australia’s main financial regulator has condemned the country’s banks for taking too long to report and tackle significant compliance failures, saying that the largest lenders take an average of more than 4.5 years to spot large breaches.
Those “significant breaches” cost consumers about A$500 million ($362.9 million), the Australian Securities and Investments Commission (ASIC) said yesterday.
The regulator’s report adds to the criticisms and fines slapped on a variety of Australian firms in recent months for issues ranging from overcharging for services to anti-money laundering control lapses. Last year, the Australian government set up a Royal Commission to probe problems in the financial industry. And ASIC has been fining and banning wealth advisors for misconduct over recent years.
ASIC said that the firms it scrutinised were Australia and New Zealand Banking Group; Commonwealth Bank of Australia; National Australia Bank; Westpac; AMP; Bank of Queensland; Bendigo Bank; Credit Union Australia; Greater Bank; Heritage Bank; and Suncorp.
The watchdog said it “has identified serious, unacceptable delays in the time taken to identify, report and correct significant breaches of the law among Australia's most important financial institutions”.
Banks take an average of 1,726 days to identify breaches. It also took an average of 226 days from the end of a financial institution's investigation into the breach to the first payment to affected consumers. (This is on top of the average across all institutions of 1,517 days before the breach is discovered and the time taken to start and complete an investigation.)
The process from starting an investigation to lodging a breach report with ASIC also takes too long, with major banks taking an average of 150 days.
ASIC said that it is considering taking action against firms for taking too long to report breaches.
The regulator said there are obstacles to more rapid reporting that need to be addressed, such as the fact that the definition of a “significant” breach is not objective. Another issue is that failures to report can only be prosecuted as a criminal matter, requiring a high level of proof.
ASIC said it will regularly place its staff in firms to watch how breaches are managed and laws complied with.