On 27 October 2022, ASIC released its first publication pertaining to information lodged under the reportable situations regime (formerly known as ‘breach reporting’).
By way of background, the reportable situations regime commenced on 1 October 2021. The regime’s purpose was to strengthen the obligations of Australian Financial Services (AFS) licensees and to extend this obligation to Australian Credit (ACL) licensees. Licensees are obliged to self-report specified matters to ASIC under the regime.
The Report analyses lodgements made to ASIC between 1 October 2021 and 30 June 2022. These lodgements detail significant breaches of core obligations, as well as situations in which the licensee can no longer comply with a core obligation and the breach, if and when it occurs, will be significant.
The Report’s key takeaways include that:
Only 6% of licensees lodged a report with ASIC during the first nine months of the regime. This figure is significantly lower than ASIC had expected and suggests that some licensees may not have the appropriate systems and processes necessary to detect a breach and report non-compliance.
ASIC noted that it was imperative that all licensees, regardless of their size, have adequate structures in place to identify and report breaches.
ASIC detailed in the Report that approximately a quarter of the breach reports involved financial loss for customers. As at 30 June 2022, it was estimated that the total financial loss suffered by customers during this time period was approximately AU$368.5 million. Where a financial loss suffered by a customer was recorded, 68% experienced a loss of less than AU$10,000.
Of those affected by financial loss resulting from a breach, licensees either had financially compensated, or intended to financially compensate, all impacted customers in 96% of all cases. ASIC expressed its concern for the remaining 4% of reports where the customers were not being compensated for their financial loss.
The Report also demonstrated that where remediation was planned, licensees were in many cases taking far too long to complete it, often needing more than a year to finalise. ASIC noted it will engage further with those licensees indicating they have failed to remediate a breach.
ASIC's Report noted that 79% of the reported breaches were first identified by the licensees' internal sources, reinforcing the importance of internal risk management activities. The median time to identify a potential breach and to commence an investigation into it was 39 days, although this figure differed significantly across the lodged breach reports: in approximately 18% of lodged reports, it took more than a year after the breach first occurred to identify it and commence an investigation. In addition to these statistics, ASIC was concerned that in 582 reported incidents, the licensee took over five years to identify and commence an investigation into a breach.
The Report stated that 38% of reportable situations related to credit product lines, followed by general insurance at 19% and deposit-taking at 10% of reportable situations. The high volume of credit licensee breaches was reported as separate, one-off breaches pertaining to specific responsible lending obligations that were caused by staff negligence or error. Staff negligence or error was identified as the sole root cause in 55% of reports, including where the licensee had previously had similar breaches and/or there were multiple breaches grouped into the relevant report.
In conclusion, this Report has provided valuable insights into the breach reporting regime after analysing a year’s worth of data. The results will no doubt assist ASIC in refining its practical guidance as to when a breach report should be lodged and how it is to be undertaken. ASIC has stated it will give further guidance to industry on the issue.
Authored by:
Matthew Bode, Partner
Elizabeth Ziegler, Associate