Media release (14-233MR)

ASIC urges prompt breach reporting by AFS licensees

ASIC has today announced a review of breach reporting by Australian financial services (AFS) licensees in response to concerns about inconsistencies and delays in reporting significant breaches.

Speaking at the Risk Management Association of Australia Chief Risk Officers (CRO) Forum today, ASIC Deputy Chairman Peter Kell said breach reports were an important part of the regulatory framework and that failure to comply with breach reporting requirements was a criminal offence.

‘Some recent enforcement actions against both large and small firms have highlighted deficiencies in the approach to breach reports, in particular, the timeframe for reporting significant breaches.

‘Under the Corporations Act 2001 (section 912D), AFS licensees must report significant breaches to ASIC as soon as practicable and in any case within 10 business days after becoming aware of a breach.

‘To be clear, this means that a licensee should not wait until after it has completed a full investigation to satisfy itself whether or not the breach or likely breach is significant. Nor should the licensee wait until the breach or likely breach has been considered by its board of directors or by its internal or external legal advisers. If in doubt, err on the side of caution and report the breach to ASIC.

‘Breach reports provide an important source of intelligence for ASIC. They can help us identify and rectify problems with individual financial services businesses, as well as assist us to identify and assess emerging risks and issues – but to be effective, they need to be timely.

‘We expect licensees to have robust systems in place for identifying, escalating and reporting breaches in a timely manner. Inadequate or late reporting could indicate to ASIC that the licensee has broader compliance and cultural issues and would be a red flag for closer scrutiny.

‘ASIC will be closely examining the breach reports we receive, and in the coming months will conduct a proactive surveillance of those licensees identified as having a higher risk of non-compliance based on what is reported and on the timeliness of reports.

‘ASIC will work with licensees who are operating in good faith and taking their obligations seriously. However, we will take regulatory action if we find the processes for breach reporting are inadequate,’ Mr Kell said.

Background

ASIC recently wrote to the Institute of Internal Auditors Australia after it sought guidance from ASIC based on its observation that some AFS licensees consider that the period for reporting a significant breach to ASIC does not start until the AFS licensee has finally determined that the breach is significant. The Institute of Internal Auditors’ letter, and ASIC’s response, are found below.

In this letter, ASIC highlighted that licensees should not wait to report until:

  • the breach (or likely breach) has been considered by the AFS licensee’s board of directors or legal advisers
  • they have taken steps to rectify the breach, or
  • in the case of a likely breach, the breach has in fact occurred.

Regulatory Guide 78 Breach reporting by AFS licensees (RG 78) states that the reporting period starts on the day the AFS licensee becomes aware of a breach or likely breach that it considers could be significant. ASIC considers that the AFS licensee becomes aware of a breach or likely breach when a person responsible for compliance at the relevant AFS licensee becomes aware of the breach.

Download

The Institute of Internal Auditors’ letter (PDF 204 KB)

ASIC’s response: Guidance on breach reporting to ASIC (PDF 160 KB)

Watch

Watch Deputy Chairman Peter Kell discuss what ASIC is doing in the breach reporting space on our ASICmedia YouTube channel