Or, to be exact, 2,179 days. That’s how long it takes on average for big banks to start paying back affected customers from the moment of the breach.
Big bank regulator and corporate watchdog, the Australian Securities and Investments Commission (ASIC), has released a damning report – and a nifty infographic – that reveals just how long major financial institutions take to pay back customers after a breach to their system.
The price of a breach on consumers is hefty: in the review sample size alone, customers were out of pocket by $500 million all up.
ASIC reviewed the breach reporting processes of all four major banks – NAB, the Commonwealth Bank, Westpac and ANZ – as well as AMP, the Bank of Queensland, Bendigo and Adelaide Bank, Credit Union Australia, Greater Bank, Heritage Bank, Macquarie, and Suncorp.
These institutions were exposed by the regulator for “unacceptable delays” in identifying and resolving breaches, and for processes and systems that were not up to par.
Not only that, but breach reporting was inconsistent, lessons were not learnt and there simply wasn’t a culture of stringent breach management.
The journey of an average breach report
- The breach occurs. From here, if you think big banks immediately hunker down to address the incident, you’d be wrong. On average, it takes a whopping 1,517 days – or four years – until the incident is even identified.
- After the financial institution catches wind that something’s gone wrong, it takes around a month (28 days) for the bank to start investigating the issue.
- Banks are legally obligated to report their breaches to the corporate watchdog. They’re meant to report it within ten days of finding out, but it typically takes the institution 12 times as long as it should (128 days) to let ASIC know.
- But the wait isn’t over. If your money has been compromised by this breach, you won’t see it for approximately another seven or eight months (226 days) – that’s how long it takes for the first remediation payments to be paid to affected customers.
By the time you get your money back, it will be almost six years since the breach first happened.
ASIC chairman James Shipton described breach reporting as a “cornerstone” of the regulatory structure of financial services.
“Many of the delays in breach reporting and compensating consumers were due to the financial institutions’ inadequate systems, procedures and governance processes, as well as a lack of a consumer orientated culture of escalation,” he said, calling for banks to invest in their processes and greater commitment from executives.
What needs to be fixed?
The report highlighted two factors currently standing in the way of the regulator cracking down on banking institutions.
The first is that the definition of a ‘breach’ is subjective. This means the bank gets to set the bar… and gets to decide what does and doesn’t make it to ASIC.
The second is that the 10-day period for reporting the breach to the regulator only begins after the bank has indeed determined it is a breach. They can take as long as they want to decide, though, without breaking the law.
ASIC has vowed to take action to address these issues and improve breach reporting across the banks.
Paying customers back a ‘distraction’ for big banks
ASIC’s report pointed out that all four major banks had a focus on customer service and some variation of ‘putting the customer first’ in their values, and had publicly made commitments to ‘put things right’ when problems arise.
But in practice, this was not always the case.
“Our data found that, once an investigation of a significant breach has been completed: the first communication with customers took an average of 189 days (over six months); and the first payments to customers took on average 226 days (over seven months).”
The time it took to communicate and pay customers back was an indication that customers weren’t, in fact, prioritised – and therefore not in line with the values these banks espoused, the report pointed out.
“In our review of documents more broadly, we saw evidence of remediation being perceived as a distraction from core business, and an activity which was undertaken at the expense of earning revenue.
“As a result, remediation was not given the highest priority,” the report said.
Australia’s major banking, financial services, superannuation and insurance companies have come under intense scrutiny recently thanks to the royal commission into the industries.