For years, ASIC has complained that the reporting of significant breaches under the Corporations Act, by Australian Financial Services Licence (AFSL) holders, has been too slow and lacked transparency. ASIC undertook work across a number of projects to prove its concerns as an evidence point for legislative reform. Following the ASIC Enforcement Taskforce Review, a report was released in December 2017 which made 50 recommendations for significant reform of the breach reporting obligations. In that context, the timing of the Hayne-led Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Royal Commission) was opportune. In particular, the Royal Commission reported on case studies in which deficiencies were identified in relation to:
Fast forward nearly two years from the Royal Commission, Schedule 11 of the Financial Sector Reform (Hayne Royal Commission Response) Act 2020 (the Act) implements recommendations 7.2 and 2.8 of the Royal Commission in relation to breach reporting reforms. The purpose of this reform is to:
Despite the industry’s efforts to improve breach reporting practices and to improve public trust by licensees, since the release of the Royal Commission report and the ASIC Enforcement Taskforce Review report, we expect there is a lot more to do prior to October.
The breach reporting requirements come into effect on 1 October 2021. These requirements add to the sweeping reforms the financial services industry is currently in the process of implementing. This requires the industry to understand the intricacies of the vast regulatory changes and deliver these in record time.
The crux of the changes
The changes and the implications of the breach reporting reforms are wide-ranging and varied. The scope of what is reportable is significantly broader and the time from the identification of an incident to reporting it, whether or not the investigation of the suspected breach is ongoing, is now much shorter. There is anecdotal evidence that some licensees may see reportable incidents increase to between five and ten times current volumes. In any case, that is going to place a significant strain on existing assessment resources, and on compliance and risk teams, unless there are marked changes to the design of processes and practices.
In addition, the form of what must be reported is set to be more prescriptive. The reforms will also impact organisations differently based on their size, complexity and structure. The changes mean:
Why do the changes matter and what are the next steps for the financial services industry?
The industry is facing challenges in understanding and operationalising their full end-to-end breach management frameworks. For example:
It is important to consider the impacts across all components of the breach management framework to achieve successful implementation of the complex requirements.
Furthermore, other regulatory changes, such as Significant Dealing under the Design and Distribution Obligations (DDO) and the upcoming complaints requirements under ASIC’s Regulatory Guide 271 relating to raising internal dispute resolution standards across the financial sector, intersect with the breach reporting requirements. As such, the synergies between these reforms need to be assessed and implemented together. In doing so, it is worth noting that Treasury included breach reporting as a particular responsibility in the proposal paper for the Financial Accountability Regime (FAR). We eagerly await the release of the draft legislation to understand whether organisations will be required to appoint an accountable person responsible for this.
We understand organisations would be at different levels of maturity based on their size and complexity. In order to achieve compliance by 1 October, we recommend organisations focus on the following:
We are already seeing large programs of work dedicated to the implementation of this regime. With the updated regulatory guide due to be released by ASIC any day, organisations need to quickly grapple with the vast impacts of these changes and the ever-looming deadline.