This article was co-authored with Shumi Ruan
ASIC has recently released updated ‘Regulatory Guide 78: Breach reporting by AFS licensees and credit licensees’ (RG 78) for Australian Financial Services licensees, credit licensees and their representatives on the reportable situations regime.[1] The changes come amid efforts by ASIC’s Chair, Mr Joe Longo, to uplift the regulator’s data driven capabilities. Improving the operation of the reportable situations regime remains one of ASIC’s priorities for 2022-23.
In this update, we highlight the key changes to RG 78 and how licensees and compliance professionals can continue to uplift their systems to ensure full compliance with their obligations under the reportable situations regime (Regime). Importantly, ASIC’s updated guidance supports licensees to share more meaningful insights with ASIC, while resolving some of the challenging implementation aspects which have been raised by the industry.
How did we get here?
Since the Regime was implemented in October 2021 as part of major regulatory reforms, only an extremely small proportion of licensees have lodged reports.[2] Where they have done so, it appears that the obligations of RG 78 have not been interpreted or implemented in a uniform way. These issues, which became apparent in ASIC’s consultation with industry in recent months, are some of the drivers behind changes to RG 78.
The revisions are intended to clarify multiple aspects of existing regulatory guidance and provide practical guidance to support licensees in operationalising the requirements under the Regime. These changes may trigger licensees to conduct a comprehensive review of their existing processes and systems, and uplift their existing framework where required.
Key takeaways from the changes
ASIC’s guide, “Reportable situations: Overview of changes to RG 78 announced in April 2023” summarises the relevant changes to RG 78. Some of the key updates intended to address inconsistent practices include:
1. How far back do licensees need to look when considering if a ‘similar’ reportable situation has previously occurred?
- Due to inconsistent practices among licensees, ASIC has clarified that it expects licensees to apply professional judgment to determine whether reportable situations are ‘similar’, and if there is a certain time period preceding the reportable breach that should be investigated to identify similar reportable situations.
- Licensees are reminded to consider whether there may be a broader systemic issue involved. ASIC expects that licensees should look back until at least 1 October 2021 when responding to the question, while leaving it open for licensees to determine if they need to report any significant breaches that occurred under the previous breach reporting regime.
- ASIC has also provided a non-exhaustive list of factors that should be taken into account when determining similarity, including which legislative provision(s) have been breached, what controls are relevant and how the clients have been impacted by the issue(s).
- This emphasises the need for licensees to have robust systems in place to record, track and monitor issues across the entire business and to regularly analyse any emerging trends in the available data.
2. When can related reportable situations be grouped into a single notification?
- Licensees have been responding inconsistently to this issue. Following industry consultation, ASIC has developed a new ‘grouping test’ which requires both of the following criteria to be met before reportable situations can be grouped together:
  - there is similar, related or identical conduct; and
  - the conduct has the same root cause.
- Grouping of reports may be acceptable if staff negligence or human error is identified as the root cause. However, caution needs to be exercised where the negligent conduct or error was made by various members of staff – in those situations, licensees are expected to satisfy themselves that no broader failure or other root cause(s) are identified before grouping. This reinforces the importance of having effective frameworks to accurately identify and address root cause(s), supported by systems to analyse data available across the organisation.
- ASIC indicates that professional judgment should be exercised to determine what situations are appropriate to report together. Table 9 in RG 78 provides illustrations as to when multiple reportable situations can be reported together in a single report.
3. How often do I need to provide updates on the progress and status of reported breaches?
- ASIC has introduced an expectation that licensees provide it with an update on status or progress at least once every 6 months in respect of reported breaches. In certain circumstances (such as the completion of an investigation or a material change to a licensee’s understanding of the nature, impact or extent of the reportable situation), licensees are expected to provide an update to ASIC when additional information comes to light.
- Maintaining reliable systems to identify the triggers for providing updates to ASIC is key to meeting regulator expectations.
4. How are licensees expected to respond to the question ‘when did you first become aware that a breach, serious fraud or gross negligence had occurred—or that you were no longer able to comply with a core obligation?’
- ASIC has indicated that most licensees have interpreted this question to mean ‘the date on which they determined that a reportable situation had arisen under the law’, which does not align with ASIC’s intention.
- ASIC expects licensees to provide the date on which the licensee first discovered that there may be a breach or likely breach that is significant, serious fraud or gross negligence, but before they made the determination that a reportable situation exists.
- The question has now been redrafted as ‘specify the date when the potential breach, serious fraud and/or gross negligence was first discovered’. For example, if an incident of serious fraud is entered into the licensee’s Risk and Compliance system on 15 December 2022 but escalated to the Board and determined to be a reportable situation on 2 January 2023, ASIC is interested in the former date, being 15 December 2022. This date is an important data point to inform regulatory insights as it illustrates a licensee’s incident and breach detection capabilities.
What do the changes mean for me?
Getting it right when it comes to reportable situations can make a world of difference. Providing scant detail or misunderstanding what information is actually sought may invite ASIC to make further enquiries, divert your resources from other matters and potentially expose you to reputational damage. Many of these risks can be mitigated through being upfront and transparent with the regulator and by providing correct information and regular updates.
ASIC is continuing to consult with the industry with respect to other aspects of the Regime, including the calculation of the number of reportable situations and the number of instances that relate to a reportable situation.
Where to next?
Moving forward, licensees should be better placed to navigate the Regime in alignment with regulator expectations. The changes seek to enhance licensees’ current capability to comply with the Regime, rather than replace or introduce significant processes in existing regulatory compliance frameworks. For those who have managed to set a successful rhythm and workflow for reporting, these updates may require an in-depth review, and process uplifts supported by appropriate training. Whether ASIC’s clear regulatory focus on these matters will translate to more streamlined compliance by licensees remains to be seen as we watch industry tackle the next stage of the implementation process.
Our global financial services regulatory team and risk advisory specialists are experienced in advising licensees on compliance with the reportable situations regime and client remediation programs.