ASIC Gets Tough on Breach Reporting

Since 1 October 2021, Australian Financial Services (AFS) licensees and Australian credit licensees have been required to submit notifications about reportable situations (previously breach reports) to ASIC in writing through the online portal. Reportable situations run the whole gamut of events, ranging from likely breaches to significant breaches.

For example, a likely breach occurs when professional indemnity insurance is required as a licence condition, but the licensee discovers that their policy has lapsed and that they were unable to secure a renewal policy in time. Examples of significant breaches include any events where there was material loss or damage to clients, or a failure to act in the interests of clients.

While licensees are required to submit notifications under the reportable situations regime, ASIC is also required to report annually on the information lodged by these licensees, to help industry and customers identify where significant breaches are occurring. In its second report, which covers the period between 1 July 2022 and 30 June 2023, ASIC noted that over 16,000 reports were made.

According to ASIC’s report, little improvement has been made in key areas of concern that were previously highlighted in the first report last year. It is concerned that the proportion of the licensee population reporting remains very low, with only 11% lodging a report since the commencement of the regime, indicating that some licensees may not be complying with the requirement.

To improve compliance, ASIC has commenced surveillance activity targeting licensees who may not be meeting their obligations. The focus will be on licensees who are not reporting, or who are reporting significantly less than expected given their nature, scale and complexity and in comparison with comparable organisations.

Another concern of ASIC is that licensees are still taking too long to identify and investigate some breaches. The reportable situations data indicate that in 17% of the reports received, licensees took more than a year to identify and commence an investigation into the issue after the first occurrence. ASIC notes that this is contrary to the intent of the regime and disadvantages customers in terms of remediation.

Further, in relation to customer remediation, which made up 8% of total reports, more than a year elapsed between the breach and the finalisation of compensation. ASIC repeated its previous highly publicised stance that it will consider regulatory action where licensees fail to deliver fair and timely remediation to affected customers.

Lastly, ASIC’s report pointed out concerns that licensees may not be adequately identifying the underlying root causes of breaches. While the most commonly cited cause of breaches continued to be staff negligence or error at 66%, ASIC noted that the underlying reason for repeated staff negligence should be identified to enable licensees to put in place appropriate preventative measures.

According to ASIC Chair Joseph Longo, since the commencement of the reportable situations regime, ASIC has been working with stakeholders to improve its operations, including providing guidance and modifications. Licensees have had two years, which is ample time to take the necessary steps to ensure full compliance, and ASIC will now move to taking stronger regulatory action to drive improved compliance with the regime, including enforcement action where appropriate.