Video
Let's talk antitrust: Discussing recent cases and emerging competition issues
Recent cases and judgments have shone a light on some emerging themes and trends that companies will want to consider as part of their risk management framework.
Australia | Publication | December 2023
On 31 October 2023, ASIC published its second report on insights from the reportable situations regime (or ‘breach reporting’) for the period July 2022 to June 2023 [1]. ASIC found there had been little improvement in the key areas of concern identified in its first report [2] (see our related article here), and signaled it would take stronger regulatory and enforcement action to encourage and improve compliance with the regime.
In this first part of our three-part series on ASIC regulatory compliance, we discuss the key takeaways from ASIC’s report, with reference to the breach reports lodged by licensees (Breach Reports).
ASIC’s report identified key areas of concern including:
Despite a 43% growth in the volume of Breach Reports, ASIC noted:
In response to the low level of reporting, ASIC stated that it will be taking stronger measures to achieve compliance with the reportable situations regime (including surveillance activities and enforcement actions). ASIC expects all licensees, regardless of size, to have robust systems and procedures to detect and report non-compliance in a timely fashion. Small to medium-sized licensees, in particular, should act now to prepare for greater regulatory oversight of the reportable situations regime.
ASIC remains concerned about the timeframes for identifying and investigating non-compliance. Various key concerns include:
ASIC remains concerned that lengthy investigations correlate with greater numbers of impacted consumers. Accordingly, licensees who proactively identify, investigate and remediate breaches quickly are more likely to have fewer impacted customers, thus minimising the financial losses to both customers and the licensee, and reducing the risk of costly regulatory investigations.
Remediation is inextricably linked with breach identification and investigation. Therefore, delays in identifying breaches necessarily hamper licensees’ remediation activities. Relevantly, ASIC found that:
Following the release of Regulatory Guide 277 Consumer Remediation, ASIC stated it has shifted its posture from overseeing remediation programs, to considering stronger action where licensees fail to provide fair and timely remediation outcomes to impacted customers. This shift has occurred against a backdrop where over 80% of Breach Reports revealed both financial and non-financial impacts on consumers, and around 7.2 million customers suffered approximately $448.4 million in financial impacts. A larger proportion of affected customers suffered financial loss as a result of the breach, compared with the previous reporting period.
ASIC will likely shift its attention to enforcement action where there is the greatest consumer impact. Licensees are recommended to focus on identifying and addressing root causes where there is the greatest risk of consumer losses.
ASIC found:
Identifying the root cause (i.e. the underlying cause of a reportable situation) is critical to addressing the existing issue, and proactively detecting the triggers for its recurrence. Root cause(s) can include policy or system deficiencies, staff negligence, inadequate supervision or training of staff, staff misconduct and inadequate management controls.
Staff training on internal policies and procedures was stated as the most common method (42%) of rectifying a breach. ‘Other rectification methods’, such as system changes or proactive analysis of data, were only referred to in a quarter of the Breach Reports. Licensees should avoid narrowly focusing on one rectification method over another, and instead consider a multi-pronged approach to breach rectification. In addition to training on policies and procedures, licensees should consider greater investment in human capital, uplifting IT infrastructure and implementing measures such as data analysis to proactively identify consumer harm.
The Quality of Advice Review report identified in February 2023 that financial advice licensees operate within a complex and challenging regulatory framework [3]. The frequency of human error as a root cause of many breaches may reflect the overall complexity of the regulatory framework. There is a clear need for licensees to align with ASIC’s expectations to strengthen their internal risk management activities, with the aim to proactively identify breaches earlier, and hopefully minimise consumer harm.
It has been over 2 years since the reportable situations regime first came into force.
AFS and credit licensees are on notice that ASIC expects significant improvements in compliance, breach identification and remediation timeframes in the next reporting period. Given the significance of human error as a root cause, and ASIC’s concern about consumers’ financial losses, licensees should ensure that their risk management frameworks are operating effectively, supported by regular sampling and reviews. All licensees should heed ASIC’s caution that it intends to take a stricter approach on enforcement of the regime, regardless of whether they are small, medium or larger enterprises.
Next time, we discuss ASIC’s enforcement powers and the compliance roadmap for the reportable situations regime.
[1] Report 775 Insights from the reportable situations regime: July 2022 to June 2023 | https://download.asic.gov.au/media/ygwpy4ee/rep775-published-31-october-2023.pdf
[2] Report 740 Insights from the reportable situations regime: October 2021 to June 2022 | https://download.asic.gov.au/media/nhenjz1a/rep740-published-27-october-2022.pdf
[3] Michelle Levy, ‘Quality of Advice Review – Final Report’ (8 February 2023) at p. 13 | https://treasury.gov.au/publication/p2023-358632
© Norton Rose Fulbright LLP 2023