The report, Review of selected financial services groups' compliance with the breach reporting obligation, examined the breach reporting processes of 12 financial services groups which included the big four banks and AMP.
The report found that the major banks took an average of 1,726 days (4.5 years) to identify significant breaches and an average of 226 days on top of that for a first payment to impacted consumers.
The breaches within the scope of the review caused financial losses to consumers of approximately $500 million, with millions of dollars of remediation yet to be provided.
Major banks also took an average of 150 days to report a breach to ASIC after starting an investigation.
Once a financial institution has investigated and determined that a breach has occurred, the law requires it to be reported to ASIC within 10 days.
One in seven significant breaches was reported later than that requirement, with ASIC chair James Shipton saying the lateness was a breach of legal requirements.
“Institutions are failing to report it [breaches] to ASIC within the required 10 business days. The delays here are much shorter (75 per cent were late by 1 – 5 days) but this is still a breach of the legal requirements,” Mr Shipton said.
Mr Shipton said breach reporting was a cornerstone of the regulatory structure and many of the delays were due to poor systems.
“Many of the delays in breach reporting and compensating consumers were due to the financial institutions’ inadequate systems, procedures and governance processes, as well as a lack of a consumer-orientated culture of escalation,” he said.
ASIC also wanted to address with the banks how long they took to identify and investigate breaches, and said there was an urgent need to fix it.
“There is an urgent need for investment by financial services institutions in systems and processes as well as commitment and oversight from boards and senior executives to address these significant failings,” Mr Shipton said.
In response to the findings, ASIC will focus on compliance with breach reporting as part of its new monitoring approach.
ASIC also said its review underscored the need for law reform of breach reporting requirements, which the government had said it was committed to.