
Breach Reporting - 12 months on

The changes to ASIC’s breach reporting regime, introduced in October 2021, represent one of the more significant pieces of law reform following the Financial Services Royal Commission (FSRC). In our experience it has also been one of the reforms which has resonated most with licensees from the board room to the branch. One of the reasons for that is that under the old regime, informing ASIC that you had a suspected breach was regarded by licensees as putting them at heightened risk of further regulatory scrutiny, whether via surveillance or potentially enforcement action. This was because reporting had a materiality test, which typically meant that breaches were only assessed as such if there was considerable consumer detriment or systemic failure. Notifying a breach was therefore a high profile activity and often involved the board and most senior executives.

The introduction of a much broader deemed significance test and reporting obligation has resulted in notably higher numbers of reports and has involved:

  • an amount of ex-co and board education about why the numbers have increased – often from a low base; and
  • the implementation of large change programs to ensure suspected breaches were caught, triaged and reported as needed within the much tighter time frames.

Also of note was industry’s concern that ASIC, in having committed itself to reporting on the lodgements that were made, might identify licensees by name with the consequential media and public scrutiny for those with the highest number of reports.

On 28 October, ASIC released its first report in relation to breaches reported since the new breach reporting regime commenced in October 2021 - Report 740 - Insights from the reportable situations regime: October 2021 to June 2022. In the event and in our view, appropriately, ASIC resolved not to name licensees in this first report. The reasons for this are various, but ultimately it was apparent that licensees have interpreted aspects of the obligations differently with the result that there is significant variation in the reported numbers even among peers of comparable size.

Reporting at a licensee level would at best have been unhelpful, since almost certainly the headline in the press would have focussed on those with the highest reported breaches. The unintended consequence of such headlines would likely have been twofold: firstly, potentially damaging the reputation of licensees who in fact had a comparable number of incidents to their peers but appeared as an outlier because of the way they interpreted the obligation; and, secondly (and perhaps most importantly), sending a message that transparency of issues by licensees is seen in a negative light when, in fact, that is the objective of the regime. As we have learned from the FSRC, transparency to the regulator regarding failures should be encouraged at every opportunity.

So, what does the report tell the public and licensees and what are some of the key lessons to learn?

It appears a minority of the regulated population have properly understood the new obligations and responded accordingly. ASIC reports that although the volume of reporting has increased significantly compared to pre-1 October 2021, the number remains lower than they expected when combined with other data sources. In particular, they note that suspected breaches have only been reported by 6% of the regulated population.

The obligation to report suspected breaches of a much broader range of offences and the removal of the materiality threshold mean that it is almost inevitable licensees will have suspected breaches. ASIC therefore finds the notion that only 6% of Australian Financial Services Licensee (AFSL) and Australian Credit Licensee (ACL) holders had a reason to suspect a breach unlikely. The implication then is that some licensees are either not appropriately interpreting their obligations or they do not have adequate processes and systems in place to identify suspected breaches.

ASIC confirms that it will be looking into the low response rate. One approach they may take is to segment the data by sector, look to identify larger licensees in a peer group who have not reported under the new regime (or whose reporting is materially lower than comparable peers) and undertake surveillance to test compliance. For those who are not reporting, it would in that event be advisable to test what has been done to comply with the obligations and whether the licensee is appropriately calibrated.

Firstly, reporting to ASIC that you have a suspected breach represents only part of the obligation. Just as important is answering the question as to what caused the breach. Understanding the cause of suspected breaches is foundational to the ability to rectify them in a timely way to prevent a recurrence and minimise potentially ongoing customer impact. The root cause and a licensee’s response to it also tells ASIC much about the licensee’s approach to getting things right and whether they are a responsible licensee. As an example, the Report identifies that licensees notified staff negligence or error in 60% of suspected breaches. This is very high, and experience suggests that further analysis of the root cause would likely identify issues around training, change management and processes. This next level analysis is imperative to rectify the situation.

Secondly, self-identification of suspected breaches appears to be more effective in larger licensees. In addition to testing reporting levels generally, smaller and mid-tier licensees should seek to understand the balance between self-identified and externally identified suspected breaches. If the balance favours externally identified breaches, then it suggests a licensee has more to do in its control environment to identify prospective problems early. This work relates at least to breach reporting obligations, but is of equal importance to the customer experience.

Thirdly, the Report emphasises the importance of effective product governance and ASIC’s focus in that area. By way of example, 34% of the reports related to suspected false and misleading statements about a product and a further 14% related to information as to fees and costs. Tracking delivery of customer promises and ensuring each step of the value chain results in accurate customer representations and communications is imperative.

The report identifies that only 3% of ACL holders submitted a report, but they made up the largest single cohort of reported suspected breaches (38%). Although there is significant overlap between some of Australia’s largest AFSL and ACL holders (for example, our largest banks), the obligations on ACLs to report suspected breaches under the regime are entirely new, as the previous breach reporting obligations related to AFSL holders only. Having regard to the number of reports lodged by the largest ACLs, it seems likely they are disproportionately represented in the reports. As a sense check, it would be surprising if the 97% of ACL holders who have not submitted reports have exponentially better processes and systems in place such that they have not experienced a suspected breach of their obligations. Accordingly, if they have not already done so, it would be advisable for ACLs who have not submitted reports under the new regime to undertake a post implementation review to test compliance.

ASIC expresses the concern that often the time taken to commence an investigation is too long (median 39 days and mean 380 days). While the report indicates there has been significant improvement over the old regime (which is to be expected given the changed obligations), it is apparent there remains work for licensees to do. The focus should be on improving the monitoring and supervision environment to accelerate the identification of suspected issues to be triaged into investigation (which starts the clock ticking on the 30-day investigation period obligation). In our experience, long delays in detection can signal potential control deficiencies to ASIC, and accordingly there are overwhelmingly good reasons for licensees to invest in this space.

The Report identifies the financial impact of the reported breaches on customers at $368.5m to date and that customer impact worsens the longer issues go undetected. Importantly, the report highlights that breaches with a high number of customers impacted also took longer to remediate: the median time to finalise compensation was 37 days, but the mean was 120 days, and the customer segment with the highest amount of compensation due to them took in excess of 366 days. Noting ASIC has recently released updated remediation guidance, RG 277 Consumer remediation, and has emphasised on a number of occasions that unduly delayed remediation is not fair to customers and undermines the fairness generally of the licensee’s program, licensees should expect this area will be a continuing priority for the regulator.

A significant focus of ASIC’s work in the wealth management sector in recent years, and a focus of the FSRC case studies, was what licensees knew of suspected financial adviser breaches, whether those issues were elevated to ASIC, and new licensees recruiting advisers with identified issues (FSRC Recommendation 2.8). The FSRC recommendations have subsequently been implemented to strengthen the regime in relation to reporting suspected adviser breaches, and in our experience licensees have also expended considerable resources to improve the quality and effectiveness of advice monitoring. The report identified that reports in relation to advisers make up 5% of total reports. Given the number of licensees represented in the sample, it suggests that the advice audit changes we have observed across a range of licensees are increasingly effective. However, it is likely those reports come from a small number of licensees, since 94% of advice licensees have not made any reports. This cohort is therefore likely to benefit from testing outputs from their adviser assurance process against the breach reporting obligations.

At Deloitte we have supported a wide range of clients, of different size, scale and complexity, to either implement or review the implementation of their changes. While we have observed varying levels of maturity, we have also observed generally a significant effort to comply. The Report notes ASIC’s expectation that licensees will continue to evolve and improve their processes. Licensees that have not made best endeavours to comply and improve compliance with the requirements might find that they become a future focus of ASIC to test the adoption of the new obligations.