The changes to ASIC’s breach reporting regime, introduced in October 2021, represent one of the more significant pieces of law reform following the Financial Services Royal Commission (FSRC). In our experience it has also been one of the reforms that has resonated most with licensees, from the board room to the branch. One reason for that is the way the old regime worked: reporting was subject to a materiality test, which typically meant that a breach was only assessed as reportable where there was considerable consumer detriment or systemic failure. Informing ASIC of a suspected breach was therefore regarded by licensees as putting them at heightened risk of further regulatory scrutiny, whether through surveillance or, potentially, enforcement action. Notifying a breach was a high profile activity and often involved the board and the most senior executives.
The introduction of a much broader deemed significance test and reporting obligation has resulted in notably higher numbers of reports and has involved:
Also of note was industry’s concern that ASIC, having committed itself to reporting publicly on the lodgements made, might identify licensees by name, with the consequential media and public scrutiny for those with the highest number of reports.
On 28 October, ASIC released its first report on breaches reported since the new breach reporting regime commenced in October 2021: Report 740, Insights from the reportable situations regime: October 2021 to June 2022. In the event, and in our view appropriately, ASIC resolved not to name licensees in this first report. The reasons for this are various, but ultimately it was apparent that licensees have interpreted aspects of the obligations differently, with the result that there is significant variation in the reported numbers even among peers of comparable size.
Reporting at a licensee level would at best have been unhelpful, since the headline in the press would almost certainly have focussed on those with the highest number of reported breaches. The unintended consequence of such headlines would likely have been twofold: first, damage to the reputation of licensees who in fact had a comparable number of incidents to their peers but appeared as outliers because of the way they interpreted the obligation; and second (and perhaps most importantly), a message that transparency about issues by licensees is viewed negatively, when in fact that transparency is the objective of the regime. As we have learned from the FSRC, transparency to the regulator regarding failures should be encouraged at every opportunity.
So, what does the report tell the public and licensees and what are some of the key lessons to learn?
At Deloitte we have supported a wide range of clients, of different size, scale and complexity, either to implement the changes or to review their implementation. While we have observed varying levels of maturity, we have also generally observed a significant effort to comply. The Report notes ASIC’s expectation that licensees will continue to evolve and improve their processes. Licensees that have not made best endeavours to comply, and to improve their compliance, with the requirements may find that they become a future focus of ASIC as it tests the adoption of the new obligations.