ASIC proposes relief from ‘excessively burdensome’ breach reporting

The Australian Securities and Investments Commission (ASIC) has sought feedback on a proposal to reduce the reportable situations requirements.

Reforms to the reportable situations regime in 2021 expanded what was reportable and pushed for more timely and consistent reporting, however, ASIC is now looking for ways to make it easier for licensees to comply with the regime.

“ASIC’s proposed additional relief aims to reduce the reporting burden on industry while still ensuring that ASIC receives reports of high regulatory value,” the regulator said.

Specifically, it aims to provide relief from reporting certain breaches of the misleading and deceptive conduct provisions, and certain contraventions of civil penalties where:

• The breach has been rectified within 30 days from when it first occurred (this includes paying any necessary remediation).
• The number of impacted consumers is not more than five.
• The total financial loss or damage to all impacted consumers resulting from the breach is not more than $500 (including where the loss has been remediated).
• The breach is not a contravention of the client money reporting rules and clearing and settlement rules.

The move follows a report in December that found licensees across the financial services sector need to up their game when it comes to breach reporting, with ASIC saying its surveillance showed that there is “still more work to do”.

“We encourage all licensees, not just those in the review, to review their current arrangements for complying with reportable situations against our findings, as well as the better practices we set out, and make the necessary improvements,” the regulator said.

According to the Financial Services Council (FSC), ASIC’s announcement is a welcome one, but it doesn’t go far enough.

A Positive Economics survey of 29 of the FSC’s superannuation, financial advice licensees and funds management members found that it costs $3,800 in extensive documentation, senior executive time and auditor reviews every time a minor breach is reported to the ASIC portal.

These minor breaches, the FSC said, include statements being sent to customers one day late, immaterial typos and other inconsequential oversights such as being a few hours late in removing a document from a website.

“The regulator has acknowledged industry concerns that reporting these minor breaches is excessively burdensome. These proposals go some way to addressing some of the problems, however, more work needs to be done,” FSC chief executive Blake Briggs said.

“Our survey found unnecessary regulation in the financial services breach reporting regime has resulted in almost $4,000 wasted every time a minor breach is reported, or $24 million annually, showing a significant need for streamlining the reporting system to get rid of disproportionate regulation which results in businesses and ASIC incurring unnecessary time and expense.

“This includes 34,000 hours of compliance staff time which could be more productively used to enhance governance and reduce risk, as well as resolve genuinely serious breaches where consumers are financially impacted or otherwise harmed.”

Unsurprisingly, the survey found it would ultimately be consumers bearing the cost of addressing these minor breaches though higher fees and slower resolution of more significant breaches.

“Good businesses have in place risk compliance identification and management systems, which flag incidents and minor breaches. Businesses should continue to identify minor breaches, however, the requirement to report these to the regulator is what creates unnecessary compliance costs,” Briggs said.

The FSC has also called for a more “streamlined and efficient way to report breaches”, with the regulator so far failing to address concerns around the usability and efficiency of ASIC’s portal.

In another report last year, ASIC found that just 7 per cent of reports related to financial advice in FY2023–24, which was stable compared with the previous year.