Commonwealth Bank shares hit a new 21-month closing high yesterday of $83 after it revealed it had done another deal with another regulator to resolve slack internal processes – this time customer privacy.
CBA shares were last at this level in September 2017 – before the Hayne Royal Commission erupted at the end of that year and really got going in early 2018.
The shares are up more than 13% so far in 2018-19, with most of that due to the 17% surge in the current quarter.
Investors seem to have lost their concerns about the impact of the Hayne inquiry on the operations of the CBA and its peers.
That’s partly due to the problems having been identified and brought into the open, the setting aside of billions of dollars to handle costs, customer remediation and fines and other penalties, management, and board changes.
Finally, there’s now a belief that the financial costs are not onerous. At the same time, regulators such as APRA have eased limits on customer home loan mortgage lending and the Reserve Bank is cutting interest rates.
While that will compress interest margins and cost to income ratios at the Big Four, it will, over time, generate more lending.
CBA now has 90 days to submit a plan under which – while overseen by an independent expert – it will review its privacy policies, procedures, and retention standards, and provide staff training to ensure compliance.
Yesterday the bank announced that it had been forced to review how it handles and stores customer data as part of its response to losing records for nearly 20 million accounts.
CBA must also assess its IT services and systems to make sure it takes appropriate steps to control access to customers’ personal information.
CBA has entered into an enforceable undertaking (EU) with the Office of the Australian Information Commissioner to review and improve the bank’s internal privacy policies, procedures, and record retention standards.
The move follows two incidents Australia’s biggest bank reported to the commissioner, one of which was the loss by a third-party company of tapes holding customer names, addresses, account numbers, and transaction details for 19.3 million accounts from between 2000 and 2016.
Australian Information Commissioner and Privacy Commissioner (OIAC) Angelene Falk said an inquiry into how CBA handled the issue took into account the Australian Prudential Regulation Authority’s recent finding that CBA was reactive to risk and compliance matters.
“The Australian community expects financial service providers, and indeed all organisations, to be proactive in protecting the personal information they hold,” Commissioner Falk said on Thursday.
“Our inquiries identified deficiencies in CBA’s management of personal information, specifically its internal access controls and approach to retention and destruction.”
The OAIC did not initially taken action when, in 2016, it was told the CBA couldn’t confirm whether the two magnetic tapes used to record customer statements were destroyed or not.
The loss was made public last year, when CBA also informed the OAIC of inadequate internal access controls to customer data.
CBA chief risk officer Nigel Williams said in a statement yesterday the bank was proactively engaging with regulators to ensure it continues to build better systems, processes, and controls to manage customers’ personal information.
“We have offered this EU as a demonstration of our continued commitment to appropriately managing the privacy of customer personal information, and addressing any concerns identified by the commissioner,” Mr. Williams said.
Australia’s biggest bank will report its full-year profit in early August.