On 31 October 2023, ASIC published its second report on insights from the reportable situations regime (or ‘breach reporting’) for the period July 2022 to June 2023 [1]. ASIC found there had been little improvement in the key areas of concern identified in its first report [2] (see our related article here), and signaled it would take stronger regulatory and enforcement action to encourage and improve compliance with the regime.
In this first part of our three-part series on ASIC regulatory compliance, we discuss the key takeaways from ASIC’s report, with reference to the breach reports lodged by licensees (Breach Reports).
Key takeaways from the report
ASIC’s report identified key areas of concerns including:
- compliance with the regime;
- identification and investigation of breaches;
- timelines of remediation activities; and
- identification of root causes.
Compliance with the regime
Despite a 43% growth in the volume of Breach Reports, ASIC noted:
- the proportion of the licensee population who had lodged a Breach Report (approximately 10%) remained much lower than expected;
- AFS licensees reported more frequently than credit licensees (despite a similarly sized licensee population); and
- larger AFS licensees and credit licensees were more likely to report than small to mid-sized licensees.
In response to the low level of reporting, ASIC stated that it will be taking stronger measures to achieve compliance with the reportable situations regime (including surveillance activities and enforcement actions). ASIC expects all licensees, regardless of size, to have robust systems and procedures to detect and report non-compliance in a timely fashion. Small to medium-sized licensees, in particular, should act now to prepare for greater regulatory oversight of the reportable situations regime.
Identification and investigation of breaches
ASIC remains concerned about the timeframes for identifying and investigating non-compliance. Key concerns include:
- licensees took longer to identify and commence an investigation into a breach compared to the previous reporting period (the average time taken to identify and start an investigation into a breach was nearly a year);
- in 5% of the Breach Reports, licensees took more than five years to identify and commence an investigation into a breach;
- in almost 20% of the Breach Reports, licensees needed over a year to identify and commence an investigation; and
- the average investigation time was 49 calendar days.
ASIC remains concerned that lengthy investigations correlate with greater numbers of impacted consumers. Accordingly, licensees who proactively identify, investigate and remediate breaches quickly are more likely to have fewer impacted customers, minimising the financial losses to both customers and the licensee, and reducing the risk of costly regulatory investigations.
Timelines of remediation activities
Remediation is inextricably linked with breach identification and investigation. Therefore, delays in identifying breaches necessarily hamper licensees’ remediation activities. Relevantly, ASIC found that:
- on average, licensees took 87 days to finalise compensation after commencing an investigation (this decreased compared to the previous reporting period);
- 8% of the Breach Reports took more than a year to finalise compensation; and
- licensees compensated or intended to compensate around 97% of impacted consumers.
Following the release of Regulatory Guide 277 Consumer Remediation, ASIC stated it has shifted its posture from overseeing remediation programs to considering stronger action where licensees fail to provide fair and timely remediation outcomes to impacted customers. This shift has occurred against a backdrop where over 80% of Breach Reports revealed both financial and non-financial impacts on consumers, and around 7.2 million customers suffered approximately $448.4 million in financial impacts. A larger proportion of affected customers suffered financial loss as a result of the breach, compared with the previous reporting period.
ASIC will likely shift its attention to enforcement action where there is the greatest consumer impact. Licensees are recommended to focus on identifying and addressing root causes where there is the greatest risk of consumer losses.
Subject matter of Breach Reports and identification of root causes
ASIC found:
- false or misleading statements (44%) were the most common category of issues in Breach Reports, which was a 10% jump from the previous reporting period;
- within this category, the top concern was information or warning statements about products or services, followed by statements about fees; and
- human error (staff negligence and/or error) was attributed as the root cause in 66% of Breach Reports, followed by policy or process deficiency, which accounted for only 8% of Breach Reports.
Identifying the root cause (i.e. the underlying cause of a reportable situation) is critical to addressing the existing issue, and proactively detecting the triggers for its recurrence. Root cause(s) can include policy or system deficiencies, staff negligence, inadequate supervision or training of staff, staff misconduct and inadequate management controls.
Staff training on internal policies and procedures was stated as the most common method (42%) of rectifying a breach. ‘Other rectification methods’, such as system changes or proactive analysis of data, were only referred to in a quarter of the Breach Reports. Licensees should avoid narrowly focusing on one rectification method over another, and instead consider a multi-pronged approach to breach rectification. In addition to training on policies and procedures, licensees should consider greater investment in human capital, uplifting IT infrastructure and implementing measures such as data analysis to proactively identify consumer harm.
The Quality of Advice Review report (February 2023) identified that financial advice licensees operate within a complex and challenging regulatory framework [3]. The frequency of human error as a root cause of many breaches may reflect the overall complexity of the regulatory framework. There is a clear need for licensees to align with ASIC’s expectations by strengthening their internal risk management activities, with the aim of proactively identifying breaches earlier and, hopefully, minimising consumer harm.
Going forward
It has been over two years since the reportable situations regime first came into force.
AFS and credit licensees are on notice that ASIC expects significant improvements in compliance, breach identification and remediation timeframes in the next reporting period. Given the significance of human error as a root cause, and ASIC’s concern about consumers’ financial losses, licensees should ensure that their risk management frameworks are operating effectively, supported by regular sampling and reviews. All licensees should heed ASIC’s caution that it intends to take a stricter approach to enforcement of the regime, regardless of whether they are small, medium or larger enterprises.
Next time, we discuss ASIC’s enforcement powers and the compliance roadmap for the reportable situations regime.