Super tops the list for significant breaches in ASIC review

As part of the review, ASIC analysed breach data from 2014 to 2017 from these financial services groups, covering a total of 715 significant breaches. ASIC also examined internal policies and evaluated specific scenarios using case studies.

Out of the different categories of products and services affected, 40 per cent or 284 of the significant breaches were for superannuation services and products, according to ASIC Report 594.

This was followed by personal advice, which accounted for 191 significant breaches or 27 per cent of the total.

The most commonly reported breaches related to the failure of the licensee to comply with financial services laws, with this category accounting for 465 significant breaches.

Breaches for deficient disclosure of statements of advice, product disclosure statements, financial services guides, periodic statements, fee disclosure documents and marketing materials were also high on the list at 265.

Incorrect fees and charges was the third-highest category, with 174 breaches relating to this.

ASIC noted in the report that each of the breaches may relate to multiple categories of breaches and multiple financial services and products.

The corporate regulator said the review identified “serious and unacceptable delays in the time taken to identify, report and correct significant breaches”, with major banks taking over 4.5 years on average to identify significant breaches.

It also found that there were delays in remediation for consumer loss. It took an average of 226 days from the end of a financial institution’s investigation into the breach to consumers receiving the first payment.

“This is on top of the average across all institutions of 1,517 days before the breach is discovered and the time taken to start and complete an investigation,” the report stated.

According to ASIC, the significant breaches analysed within the scope of the review, caused financial losses to consumers of approximately $500 million, with millions of dollars of remediation yet to be provided.

Once a financial institution has investigated and determined that a breach has occurred and that it is significant, the law requires that the breach be then reported to ASIC within 10 business days.

“One in seven significant breaches, or 110 out the total 715, were reported later than that 10 business day requirement,” said ASIC.

ASIC chair James Shipton said many of the delays in breach reporting and compensating consumers were due to the financial institutions’ inadequate systems, procedures and governance processes, as well as a lack of a consumer-orientated culture of escalation.

“Our review found that, on average, it takes over five years from the occurrence of the incident before customers and consumers are remediated, which is a sad indictment on the financial services industry. This must not stand,” said Mr Shipton.