The tribunal said the widespread vulnerability was a "serious breach", despite the small number of actual occurrences, which opened the bank up to a maximum penalty of $500,000.
"A significant number of client accounts were able to be accessed by unauthorised individuals and were vulnerable to activity that could have had a significant impact on clients in terms of financial loss and violations of client privacy and account security," it said.
The breach was reported in August 2018, when a customer inadvertently viewed her ex-husband's trading account despite no longer having access permission.
This weakness occurred because ASB employees had to manually delink shared trading accounts when requested, but routinely failed to do so.
Across a three-year sample period, 21 employees, or most of ASB's client services team, failed to properly action requests to delink accounts.
The tribunal criticised ASB for failing to have effective processes and supervision to ensure staff were fully complying with these delinking requirements.
"ASB Securities did not have an audit or compliance testing process to assess whether staff were carrying out the manual delinking sequence required by ASB Securities' standard operating procedures," it said.
This breached the NZX rules, which require brokers to "ensure the accuracy, integrity and bona fides of all trading" and to "maintain appropriate security procedures designed to prevent unauthorised entry into the trading system".
However, NZX and ASB agreed to an $80,000 fine - well below the $500,000 maximum - and a public censure, as the breaches were unintentional and there was no financial loss to clients, or financial gain for the bank.
- BusinessDesk