
ASIC steps up breach reporting focus with ‘even deeper insights’

The corporate regulator has released the findings from its review of the reportable situations regime, with licensees urged to speed up their identification and response to breaches.

Licensees across the financial services sector need to up their game when it comes to breach reporting, according to the Australian Securities and Investments Commission (ASIC) following a review of AFSL and ACL compliance with the reportable situations regime.

Reforms to the reportable situations regime in 2021 expanded what was reportable and pushed for more timely and consistent reporting. However, ASIC said its surveillance shows that there is “still more work to do”.

“We encourage all licensees, not just those in the review, to review their current arrangements for complying with reportable situations against our findings, as well as the better practices we set out, and make the necessary improvements,” the regulator said.

In a recent report, ASIC found that just 7 per cent of reports related to financial advice in FY2023–24, which was stable compared with the previous year.

During the period, licensees submitted 12,298 reports, 79 per cent of which had a financial and/or non-financial impact on customers.

According to the ASIC numbers, as at 30 June 2024, licensees reported paying around $92.1 million in compensation to approximately 494,000 customers for breaches during the reporting period.

However, the number of reports was down 27 per cent over the previous corresponding period, which ASIC attributed to a greater uptake by licensees in grouping similar breaches into one report and a decrease in reportable situations relating to misleading or deceptive conduct provisions and the false or misleading statements provision.

On the back of this report, ASIC reviewed the compliance arrangements of 14 licensees of different sectors and sizes who had low numbers of reportable situations or had not reported at all.

The review found:

  • Licensees were generally slow to report to ASIC. The key driver of these delays was that licensees took a long time to identify breaches in the first place and begin investigating.
  • When ASIC reviewed why this was happening, ASIC found that there were deficiencies in licensees’ incident management, particularly how they identified, escalated and recorded incidents.
  • Most licensees had gaps in how they monitored their own compliance with the regime.
  • These poor practices had real impacts on consumers. The failures to promptly identify breaches meant that licensees were very slow to rectify breaches and remediate customers.

ASIC commissioner Kate O’Rourke stressed the importance of licensees identifying, fixing, and reporting their own problems “promptly”, adding that the regulator is looking to get more “granular” with its insights going forward.

“We have undertaken extensive work to strengthen the operation of the reportable situations regime since the introduction of the October 2021 reforms and ensuring that the objectives of the regime are met remains a priority area of work for us in 2024–25,” O’Rourke said.

“As part of this, we will consult with stakeholders on options for future granular reporting to provide even deeper insights, ahead of our fourth annual publication of reportable situations data in Q3 2025.

“In addition, we will do further work next year to consider how best to ensure ASIC receives the reports that have the most intelligence value to us, while managing the burden on industry from reporting. We will also undertake a range of work on a sector-by-sector basis to monitor and uplift compliance with the regime and consider enforcement action where necessary.”

The review identified a number of best practice questions that licensees need to consider to “uplift their own arrangements”:

  • Are you identifying incidents and breaches?
  • Are you escalating and investigating incidents and breaches comprehensively and in a timely way?
  • Do you capture important information about incidents and breaches in a single register?
  • Have you got the necessary arrangements in place to monitor your compliance with the regime?

“We have set out a range of prompts alongside our findings to help not just the review sample, but all licensees to strengthen their practices in critical areas,” O’Rourke said.

“We call on licensees to assess their own arrangements against the findings and prioritise where improvements may be required.”