ASIC has recently identified that many of Australia’s most prominent financial institutions have had severe delays in identifying, reporting and correcting significant breaches. Report 594: Review of selected financial services groups’ compliance with the breach reporting obligation examined the breach reporting processes of 12 major financial services groups, including the big 4 banks, and discovered a range of issues.
Failure to report any significant breach, or likely significant breach, to ASIC is a contravention of section 912D of the Corporations Act, and significant penalties apply. If you are found to have breached your reporting obligations, an individual may be fined a maximum of $8,500 and/or imprisoned, and a company may be fined a maximum of $42,500. Remember, you have 10 business days after becoming aware of the breach or likely breach to make a report to ASIC. ASIC has previously noted that licensees should not wait until the breach is rectified to provide a report to ASIC; rather, the report to ASIC must be sent within 10 business days of the licensee becoming aware of the breach.
What are the significant findings from Report 594?
Essentially, ASIC found that:
• financial institutions are taking too long to identify significant breaches;
• the delays to remediate consumer losses are substantial;
• the quantum of financial loss to consumers is in the millions of dollars (for significant breaches which were within the scope of the review); and
• the time taken from the commencement of an investigation to lodging a breach report with ASIC is too long.
There are two intertwining issues that ASIC intends to resolve in the foreseeable future:
1. the time taken to identify and investigate potential breaches – which is currently far longer than ASIC considers necessary; and
2. the failure to report significant breaches to ASIC within 10 business days.
ASIC’s Future Action
As a result of these breaches, ASIC is enforcing stringent measures to ensure compliance with the breach reporting obligations by all licensees. As part of ASIC’s new initiative, the Close and Continuous Monitoring programme, ASIC staff will be placed on site in major financial institutions to closely monitor the licensee’s breach identification and management processes, governance procedures and legislative compliance.
The Close and Continuous Monitoring programme is an intensive supervisory approach. The aim of this approach is to modify the behaviour of larger licensees in order to encourage licensees to consider consumers when making executive governance decisions and to do so in a way which is fair and equitable.
ASIC Chair James Shipton has noted that there is an evident need for law reform in relation to the breach reporting requirements. There are considerations that suppress enforcement action, which law reform would appropriately address, including:
• the determination of significance is made by the licensee, and is therefore inherently subjective. Law reform could address this issue and make the test of significance based on objective grounds; and
• although failure to report a significant breach is an indictable offence, the standard of proof is very stringent with comparatively modest penalties in place.
Licensees should review their breach reporting policies and procedures to ensure they align with the legislative requirements and ASIC Regulatory Guide 78. These procedures should include, at the very minimum, a breaches register in which all breaches and incidents are recorded. In addition, licensees should consider conducting training to ensure all staff are aware of:
• what a breach is;
• who breaches should be reported to internally;
• how to determine whether a breach is significant; and
• the timeframes for reporting significant breaches to ASIC.
For further information on breach reporting or for assistance with the ongoing compliance of your licence, please contact Sophie Grace directly.