Breach Reporting – ASIC’s Insights

ASIC has released its first report into the reportable situations regime that commenced in October 2021, highlighting some key action items for Australian Financial Services (AFS) and credit licensees.

AFS and credit licensees, both large and small, should ensure:

  • There are adequate systems in place to identify breaches and report these internally;
  • Their risk and compliance function is adequately resourced to investigate and, where required, report breaches to ASIC;
  • All communications with clients accurately represent the products and services the licensee offers and are not misleading or false in substance, or in the impression they give;
  • Staff are adequately trained and understand their obligations as an employee of a licensee, especially in relation to breaches and escalating any incidents; and
  • Prompt action is taken to investigate a breach and remediate any clients affected.

 

ASIC’s Insights

ASIC’s Report 740 covers reports lodged to the regulator under the new regime between 1 October 2021 and 30 June 2022.

Volume and nature of breach reports

Of particular interest are the statistics regarding the volume and nature of those lodging breach reports to ASIC. Whilst the number of reports and updates to reports being lodged has significantly increased, the proportion of AFS and credit licensees lodging these reports is very small. ASIC’s report notes:

  • 6% of licence holders lodged reports during the period; and
  • 74% of all reports were lodged by just 23 licensees.

The increase in breach reports lodged with ASIC is to be expected, with credit licensees now included in the regime and a change to the significance test which includes a new definition of breaches that are ‘deemed significant’ under section 912D of the Corporations Act. ASIC’s report notes that over 90% of the breach reports received were from breaches that are deemed significant.

Report 740 notes:

  • ASIC is concerned about the low proportion of licensees reporting breaches and reiterates the role licensees have in raising industry standards by reporting breaches to ASIC in a timely manner.
  • To date, ASIC has recognised a period of transition in relation to its enforcement of the new regime, allowing licensees to put the appropriate compliance procedures in place.
  • Going forward, ASIC envisages a more active approach to enforcement to ensure compliance with the regime.

| Content of Reports | Considerations for Licensees |
| --- | --- |
| Most breach reports related to a financial service or credit activity, with reports about credit making up 38% of reports lodged during the period. These reports largely related to breaches of the responsible lending obligations. | Credit licensees should consider their procedures for implementing the responsible lending obligations and whether further training is required for credit representatives and employees. |
| False or misleading statements was the most common issue to which breach reports related, making up 34% of all reports. | This is a significant number and highlights the need for vigilance in all communications with clients and investors, especially as it relates to information about the products and services licensees provide. |
| ASIC’s report also notes that the most commonly reported root cause of the breaches was staff negligence or error. | This highlights the need to ensure staff are adequately trained and aware of their compliance obligations. |
| Where there were multiple breaches, or a similar or previous breach, ASIC noted that staff negligence or error was selected in 55% of reports. | All licensees must ensure that when breaches are identified, the root cause is considered and appropriate action is taken to address any inadequacies in systems or processes, or systemic issues. |

Timeliness

ASIC notes its concerns with the time taken to identify a breach and commence an investigation, with 582 reports lodged where it took the licensee 5 or more years to identify and commence an investigation. ASIC’s findings also indicate that the longer an investigation took to commence, the more clients of the licensee were impacted by the breach. Early identification and investigation of breaches is crucial to effective compliance with the new regime.

With approximately a quarter of reports involving financial loss for clients, and a number (12%) of planned client remediations taking over a year, it is clear that ASIC expects licensees to improve their remediation process. ASIC Commissioner Sean Hughes said:

‘We remind licensees that where things do go wrong, we expect proactive and timely action to remediate impacted customers.’ 

Background

The new breach reporting regime commenced on 1 October 2021, leading to a new era of breach reporting for Australian financial services licensees and Australian credit licensees. Licensees are required to submit reportable situations to ASIC via the ASIC Regulatory Portal. Regulatory Guide 78 Breach reporting by AFS licensees and credit licensees (RG 78) provides further guidance for licensees including what and when to report to ASIC.
