The corporate regulator, ASIC, has found that major banks are taking an average of 1,726 days — or about 4.5 years — to identify significant breaches.
In a survey that included the big four banks and AMP, ASIC also found that it took an average of 226 days from the end of an investigation into paying the impacted consumer their compensation.
Further, CBA, ANZ, Westpac and NAB take about 150 days to lodge a breach report with ASIC.
Financial losses to Australian consumers from a significant breach total about $500 million, ASIC estimates, with millions yet to be paid to victims.
“Our review found that, on average, it takes over five years from the occurrence of the incident before customers and consumers are remediated, which is a sad indictment on the financial services industry. This must not stand,” said ASIC chair James Shipton.
ASIC said it has held fears about financial services institutions not reporting breaches for “some time”.
However, the corporate regulator has been under fire in the wake of the royal commission for not identifying and appropriately handling breaches committed by the major banks.
For example, earlier this month, the royal commission heard that ASIC allowed a 96 per cent penalty to CBA after it misled consumers in its marketing. Further, ASIC allowed CBA to draft a media release on the issue.