Consumers wait years for compensation following bank breaches

CBA was the slowest of the big four at remediating customers at the end of an investigation, the ASIC review found

Consumers affected by significant bank breaches had to wait up to six years before being compensated by the largest financial institutions, a new ASIC report has revealed.

From the start of a breach to the first pay-out to customers, it took the major banks 2,179 days (six years) and the smaller financial groups 1,977 days (5 ½ years). The breaches reviewed in ASIC’s report, nearly half of which had to do with superannuation, caused consumers about $500m in financial losses, with millions of that still outstanding.

CBA was the slowest of the big four at remediating customers. After ending its investigation, it took the bank an average of 352 days to remediate consumers, while it took NAB 265 days and ANZ 198 days.

Westpac took significantly less time, with an average of 69 days; however, the bank also had the highest median consumer financial loss per breach.

Furthermore, ASIC said it found “historical documents from two of these major financial groups that referred to remediation for consumers as a ‘distraction’. This is evidence of a misalignment in these two groups’ cultures with their stated values of prioritising consumers”.

The lag in paying customers who suffered financially as a result of these breaches was just one of the damning findings of ASIC’s review into the banks’ compliance with breach reporting obligations. The review involved ANZ, CBA, NAB, Westpac, Macquarie, Suncorp, AMP, BOQ, Bendigo and Adelaide Bank, Credit Union Australia, Greater Bank and Heritage Bank.

The report also found that the banks were significantly delayed in identifying breach incidents in the first place, and noted that cumbersome legacy systems and poor breach management culture made it that much harder for them to react in a timely fashion. It took the major banks an average of over 4 ½ years to identify significant breaches.

Secondly, about one in seven breach cases were reported to ASIC well after the mandatory 10-day notification period. The largest banks took an average of 150 days to start investigating a breach before reporting it, while the other financial groups took an average of 73 days.

ASIC also stated that the banks could have done more to learn from their mistakes.

Banks respond

Anna Bligh, CEO of the ABA, said the report was a “further wake up call to the banks to lift their game”.

“This investigation shows that banks’ efforts to identify issues, report them to ASIC and compensate customers is not good enough,” she said.

“Customers expect these problems to be identified and fixed as soon as possible. Clearly this report shows there’s a lot of work to be done.”

NAB also responded to the review, noting that since 2016 it has seen a reduction in late breach reporting to ASIC, with zero significant breaches being reported outside the 10 business day timeframe in 2018.

“While we are making progress, there have been instances where it has taken us longer than we would have liked to find and fix issues and remediate customers.

“There is clearly more to do. Recently we established a new centre for customer remediation which will ensure that impacted customers are compensated more quickly,” David Gall, NAB’s group chief risk officer, said in a statement.

What’s next for ASIC?

As part of ASIC’s crackdown, the regulator said it will:

  • Conduct onsite supervision to assess banks’ compliance and reporting mechanisms
  • Continue to pursue remediation for affected consumers and take enforcement action
  • Support a move to officially define what a “significant breach” is
  • Support law reform for broader enforcement powers