ASIC to Take “strong regulatory action” in Light of Second Publication on the Reportable Situations Regime

looking for, files, filing-2876776.jpg

Original media release from ASIC (31/10/2023).

ASIC has released its second publication on information lodged under the reportable situations regime. Over 16,000 reports were made to ASIC by financial services and credit licensees under the regime between 1 July 2022 and 30 June 2023.

The publication shows little improvement has been made in key areas of concern that ASIC highlighted in the first publication on insights from this regime last year. Among other things:

  • the proportion of the licensee population reporting remains very low, indicating that some licensees may not be complying with the regime
  • licensees are still taking too long to identify and investigate some breaches
  • a significant number of remediation activities are still taking too long to complete, and
  • there remain opportunities to improve identification and reporting root causes of breaches.

‘The reportable situations regime has now been in place for over two years, and licensees have had ample time to take the necessary steps to ensure full compliance with the requirements,’ said ASIC Chair Joseph Longo.

‘Since its commencement, ASIC has been working with stakeholders to improve the operation of the reportable situations regime, including through providing guidance and modifications. ASIC will now move to taking stronger regulatory action to drive improved compliance with the regime, including enforcement action where appropriate.’ 

Compliance of the licensee population with the regime

Since the regime commenced in October 2021, only 11% of the licensee population has lodged a report. This remains significantly lower than expected and indicates that some licensees may not have in place the systems and processes required to detect and report breaches.

ASIC has commenced surveillance activity targeting licensees who may not be meeting their obligations. As part of this, ASIC will focus on licensees who are not reporting or are reporting significantly less than expected given their nature, scale, complexity, and when compared to peers.

Identification and investigation of breaches

In 17% of the reports received, it took the licensee more than one year to identify and commence an investigation into an issue after it had first occurred.

ASIC expects licensees to promptly identify non-compliance. Delays create challenges for the timely investigation and rectification of issues and can mean that customers wait longer for remediation.

Timeliness of remediation activities

ASIC is concerned that licensees are still taking too long to compensate impacted customers. Licensees indicated in 247 reports (8% of the total reports involving compensation to customers) that it had taken, or was estimated to take, more than one year to finalise compensation.

As outlined in a recent article, ASIC calls on licensees to strengthen remediation procedures, ASIC will consider regulatory action where licensees fail to deliver fair and timely remediation to affected customers.

Identification of root causes

The most common root cause for breaches (66%) continues to be staff negligence or error, even where there are repeat or multiple breaches, or multiple breaches were grouped together.

ASIC remains concerned that licensees may not be adequately identifying the underlying root causes for breaches, such as by determining the underlying reasons for repeated staff negligence or error. The accurate identification of root causes is important in enabling a licensee to put in place appropriate preventative measures to reduce the likelihood of similar breaches occurring.

Background

The reportable situations regime, often referred to as breach reporting, is a cornerstone of the financial services and credit regulatory regimes, and the reports lodged by licensees are a critical source of regulatory intelligence for ASIC. The new regime commenced on 1 October 2021. For more information, see Reportable situations for AFS and credit licensees.

The regime also requires ASIC to report annually on the information lodged by licensees. Amongst other things, this publication is intended to assist industry and customers identify where significant breaches are occurring. ASIC’s approach to reporting will evolve over time, as the regime matures, and allow for greater granularity of reporting in the future.

ASIC has recently made minor modifications to the reportable situations regime so that licensees do not have to submit notifications about certain minor reportable situations. Further information is available: Reportable situations regime: ASIC modifies licensees’ obligations.

Download

Report 775 Insights from the reportable situations regime: July 2022 to June 2023

Other resources

Regulatory Guide 78 Breach reporting by AFS licensees and credit licensees

Regulatory Guide 277 Consumer remediation