Once more unto the breach, dear licensees – ASIC identifies room for improvement in breach reporting

On 27 October 2022, the Australian Securities and Investments Commission (ASIC) released Report 740 Insights from the reportable situations regime: October 2021 to June 2022 (ASIC Report). The ASIC Report provides high-level insights about the reportable situations regime that came into effect on 1 October 2021 (formerly known as ‘breach reporting’).[1]

The ASIC Report covers 8,829 reports lodged by Australian financial services (AFS) licensees and Australian credit licensees under the new regime from 1 October 2021 to 30 June 2022. The ASIC Report does not identify specific licensees, but future reports may. The most common issue category was ‘false and misleading statements’ (34%) – followed by ‘lending’ (21%), ‘general licensee obligations’ (19%) and ‘fees and charges or account administration’ (14%), and ‘disclosure’ (10%).

The ASIC Report provides some interesting statistics and highlights four key areas of concern that are on ASIC’s radar:

• The low volume of reports in general and in particular from smaller licensees;
• The delays by licensees in identifying, investigating, and remediating breaches;
• The inaccuracy in identifying the root cause of breaches – ASIC will release guidance on identifying the cause of a reportable situation; and
• Refusals by licensees to compensate or rectify breaches (in a very small number of cases).

What has ASIC said?

1. A much smaller proportion of licensees have reported under the regime than anticipated

a. Just 9% of the licensee population submitted a report. ASIC is concerned about the low number and attributes this to licensees failing to lodge reports, as opposed to a lower number of reportable situations arising.

b. Larger licensees are also reporting much more than smaller licensees. ASIC expects all licensees, regardless of size, to have adequate systems in place to detect and report non-compliance.

i. Only 5% of AFS licensees with less than $50m lodged a report compared to 61% of AFS licensees with a total revenue of $1,000m or more

ii. Highly concentrated - 74% of all reports were submitted by just 23 licensees

2. Licensees are still taking too long to identify and investigate some breaches

a. The median time (to identify and commence an investigation into a breach) was 39 calendar days, with a mean of 380 calendar days.

b. Only 44% of reports took 30 days or fewer, and an astounding 18% of reports took a year or more.

c. The ASIC Report states that: “We expect licensees to have systems in place for significantly swifter identification and investigation of non-compliance”.

d. ASIC found that the longer an investigation took to commence, the more customers were impacted by the breach being investigated.

e. ASIC also found that there was a significant range in the time taken to complete an investigation – the median time was 18 calendar days but the mean was 70 days. ASIC singled out the 5% of reports where investigations took, or were expected to take, more than a year to complete.

f. The ASIC Report notes that licensees must ensure they allocate sufficient resources to ensure that investigations are carried out in a timely manner. ASIC also highlighted the importance of identifying issues earlier so that fewer customers are impacted and the time and cost associated with the investigation is lower.

3. More work needs to be done to identify appropriately and report the root cause of breaches

a. Root causes – ‘staff negligence or error’ was by far the most common (60% of total reports) root cause identified, and the sole root cause for 55% of reports where the licensee had reported that there had been previous similar breaches and/or multiple breaches grouped into the relevant report.

i. ASIC is concerned that licensees are not, on the whole, undertaking appropriate root cause analysis and may not be consistently identifying and addressing the underlying root causes for breaches, by repeatedly mislabelling system or process issues as staff negligence or error.

ii. ASIC intends to provide guidance to licensees on the circumstances in which it is appropriate for licensees to select ‘staff negligence or error’ as the root cause.

4. Further improvements are needed to licensees’ practices towards remediating impacted customers

a. Whilst 96% of reports that quoted a customer financial loss had or intended to compensate financially all impacted customers, in 4% of reports, licensees said that they did not intend to compensate impacted customers.

i. ASIC is concerned about the portion of the 4% that did not say this in error.

ii. ASIC reiterated its view (as stated in RG 277 Customer Remediation) that remediation must be initiated if a licensee or one of its representatives has engaged in misconduct or other failure that caused or may have caused customer loss.

b. ASIC reiterated that licensees should properly resource remediation activities and ensure that remediation activities are conducted in a timely manner without sacrificing customer outcomes.

c. The median time taken (or expected to be taken) to finalise compensation after commencement of an investigation was 37 days, and in 22% of reports, licensees finalised compensation before commencing the investigation, but in 12% of reports, the compensation took (or was expected to take) over a year to finalise.

d. Rectification of breaches – two percent of reports stated that licensees had no intention to rectify breaches. ASIC is considering its regulatory response towards these licensees.

What was not in ASIC’s report?

The ASIC Report does not identify specific licensees that lodged reports. However, ASIC is considering whether future publications should include a list of all licensees that have reported to ASIC during the relevant reporting period.

ASIC’s statistics focused on the number of reports, not reportable situations. A report could contain one or more reportable situations – depending on a particular licensee’s approach. Licensees have also taken different approaches in calculating the number of reportable situations themselves.

The ASIC Report also does not include any data about reports that are only about additional reportable situations, reports made to ASIC about another licensee or reports made under the previous breach reporting obligation regime.

How we can help

We can advise AFS licensees on measures to be implemented with a view to ensuring compliance with the reportable situation regime and related issues.

Important Disclaimer: The material contained in this article is comment of a general nature only and is not and nor is it intended to be advice on any specific professional matter. In that the effectiveness or accuracy of any professional advice depends upon the particular circumstances of each case, neither the firm nor any individual author accepts any responsibility whatsoever for any acts or omissions resulting from reliance upon the content of any articles. Before acting on the basis of any material contained in this publication, we recommend that you consult your professional adviser. Liability limited by a scheme approved under Professional Standards Legislation (Australia-wide except in Tasmania).