Major banks are taking an average of 1,726 days — or more than four-and-a-half years — to identify significant breaches.

Key points: Major banks take an average of 1,726 days to identify significant legal breaches

Major banks take an average of 1,726 days to identify significant legal breaches The banks take a further 150 days, on average, to notify ASIC that they have started an investigation into a breach

The banks take a further 150 days, on average, to notify ASIC that they have started an investigation into a breach The Corporations Act requires banks to report breaches to ASIC within 10 business days

A report by the corporate regulator has found "unacceptable" delays to financial institutions identifying, reporting and compensating customers for serious issues.

Institutions are legally required to report significant breaches to ASIC within 10 business days of becoming aware of them but the major banks were taking an average of 150 days to notify the regulator after starting an investigation.

ASIC reviewed data from 12 financial services firms, looking at the period between 2014 and 2017, and found customers had lost around $500 million due to breaches, with millions of that yet to be repaid.

Failure or delay in notifying the regulator is an issue that has been aired throughout the banking royal commission, with the commission's counsel telling Kenneth Hayne he is open to make findings of breaches of the Corporations Act by a number of banks and financial services firms.

"Many of the delays in breach reporting and compensating consumers were due to the financial institutions' inadequate systems, procedures and governance processes, as well as a lack of a consumer-orientated culture of escalation," said ASIC chair James Shipton.

"There is an urgent need for investment by financial services institutions in systems and processes, as well as commitment and oversight from boards and senior executives to address these significant failings."

Breaches happening now may not be picked up until 2022

NAB was the laggard in terms of time taken to identify a breach, according to ASIC's review, followed by Westpac.

"We found the length of time taken to identify the significant breach as an incident is the biggest factor that contributes to ASIC receiving significant breach reports about events or conduct that happened many years ago," the report said.

If no improvements are made, ASIC said significant breaches that occur today may not be identified by financial services firms until 2022.

If nothing changes, ASIC says breaches occurring from today may not be identified until 2022. (Supplied: ASIC)

Mr Shipton said the resulting delays in compensating customers were unacceptable.

"Our review found that, on average, it takes over five years from the occurrence of the incident before customers and consumers are remediated, which is a sad indictment on the financial services industry," he said.

"This must not stand."

The chief executive of the Australian Banking Association, Anna Bligh, has agreed that banks must lift their game.

"This investigation shows that banks efforts to identify issues, report them to ASIC and compensate customers is not good enough," she said.

"Customers expect these problems to be identified and fixed as soon as possible. Clearly this report shows there's a lot of work to be done.

"The industry has fully cooperated with the ASIC Enforcement Review and has supported changes including increasing penalties and introducing a civil penalty in addition to the criminal offence for failing to report within the required timeframe."

As a result of the findings, ASIC said it will focus on compliance, with breach reporting obligations as part of its new monitoring regime, which will see some of the regulator's staff embedded in the big four banks and AMP from next month.