ASIC’s breach reporting regime undershoots expectations

A report on the first nine months of the breach reporting regime released by the corporate regulator on Thursday (27 October) revealed that only 6 per cent of the licensee population lodged a report.

“This is significantly lower than expected, and we will be undertaking a range of activities to strengthen compliance with the regime,” ASIC said.

Moreover, 74 per cent of all reports were lodged by just 23 licensees.

Commenting on the findings, ASIC commissioner Sean Hughes said: “As the regime has been in place for over 12 months, we expect all licensees to be aware of their obligations and comply with the regime.

“ASIC will be undertaking a number of activities to strengthen compliance with the regime.”

Of the 8,829 reports submitted, only 878 were related to financial advice.

The breach reporting regime was first introduced in October last year and obliges Australian Financial Services (AFS) licensees and credit licensees to submit notifications about “reportable situations” to ASIC within 30 calendar days.

But by August, the corporate regulator acknowledged concerns with the regime, with commissioner Hughes conceding at the time that it has led to “a number of implementation challenges”.

“We are aware that the regime has led to a number of implementation challenges,” Mr Hughes said. “However, ASIC remains committed to the successful implementation of this regime, and we have developed a comprehensive plan of work to ensure that it meets its objectives for ASIC, industry and consumers.”

Licensees taking too long, ASIC says

In its nine-month review, the regulator also criticised licensees for “taking too long” to identify and investigate some breaches.

In 18 per cent of the reports received, the corporate regulator said it took the licensee more than one year to identify and commence an investigation into an issue after it had first occurred.

“ASIC’s review of breach reporting in 2018 found that the major banks were taking four and a half years to identify a breach,” said Mr Hughes.

“We recognise the changes to processes that have been implemented following ASIC’s review to truncate these time frames. However, continued efforts are required by all licensees to ensure that issues are rectified and customers are remediated in a timely manner.”

Moreover, the corporate regulator said that as many as 55 per cent of reports identified staff negligence or error as the sole root cause, including where the licensee had reported that there had been previous similar breaches, or multiple breaches were grouped.

As such, ASIC is concerned that licensees may not be adequately identifying and addressing the underlying root causes for breaches.