media release (22-295MR)

Breach reporting: ASIC publishes insights from the reportable situations regime

Published

Today, ASIC has released its first publication of information lodged under the reportable situations regime. Over 8000 reports were made to ASIC by financial services and credit licensees under the regime between 1 October 2021 and 30 June 2022.

The numbers show, among other things, that:

  • a much smaller proportion of licensees have reported under the regime than anticipated;
  • licensees are still taking too long to identify and investigate some breaches;
  • more work needs to be done to appropriately identify and report the root cause of breaches; and
  • further improvements are needed to licensees’ practices towards remediating impacted customers.

ASIC Commissioner Sean Hughes said, ‘This publication includes significant insights about the implementation of the reportable situations regime. The data ASIC has been receiving under this regime demonstrates how industry is monitoring and responding to non-compliance. It also highlights where compliance with the regime itself requires greater regulatory attention.’

‘As part of its 2022-23 priorities, ASIC is focussing on improving the operation of the reportable situations regime. We will continue to work with stakeholders to address issues that have arisen from implementation of the regime, including by providing additional guidance where needed. Greater alignment of reporting practices by licensees will facilitate the publication of more comparative data at the licensee level in coming years,’ said Mr Hughes.

Low proportion of the licensee population reporting

Only 6% of the licensee population lodged a report during the first nine months of the regime. This is significantly lower than expected and suggests that some licensees may not have in place the systems and processes required to detect and report non-compliance.  

‘As the regime has been in place for over 12 months, we expect all licensees to be aware of their obligations and comply with the regime. ASIC will be undertaking a number of activities to strengthen compliance with the regime,’ said Mr Hughes.

Improvements required to remediation practices

The total customer financial loss identified to date across the reports received was approximately $368.5 million. Of concern, licensees indicated that they did not intend to compensate impacted customers in 4% of reports that had identified customer financial loss.

The report also shows that where remediation is planned, in many cases it is taking licensees too long to complete. Licensees indicated in 236 reports (12% of the total 1,952 reports involving compensation to customers) that it had taken or was estimated to take more than one year to finalise.  

ASIC will engage further with those licensees indicating they have failed to remediate a breach. ‘We remind licensees that where things do go wrong, we expect proactive and timely action to remediate impacted customers,’ said Mr Hughes. 

Identification and investigation of breaches

In 18% of the reports received, it took the licensee more than one year to identify and commence an investigation into an issue after it had first occurred. ASIC expects licensee systems to promptly identify non-compliance. Delays create challenges for the timely investigation and rectification of issues and can mean that customers wait longer for remediation.

Mr Hughes said, ‘ASIC’s review of breach reporting in 2018 found that the major banks were taking four and a half years to identify a breach. We recognise the changes to processes that have been implemented following ASIC’s review to truncate these timeframes. However, continued efforts are required by all licensees to ensure that issues are rectified and customers are remediated in a timely manner.’

Identification of root causes

A high proportion of reports (55%) identified staff negligence or error as the sole root cause, including where the licensee had reported that there had been previous similar breaches, or multiple breaches were grouped together.

ASIC is concerned that licensees may not be adequately identifying and addressing the underlying root causes for breaches, such as by determining the underlying reasons for repeated staff negligence or error.

ASIC will give further guidance to industry on this issue.

Download

Report 740 Insights from the reportable situations regime: October 2021 to June 2022

Background

The reportable situations regime, often referred to as breach reporting, is a cornerstone of the financial services and credit regulatory regimes, and the reports are a critical source of regulatory intelligence for ASIC. The new regime, which applies to Australian Financial Services (AFS) Licensees and Credit Licensees, commenced on 1 October 2021.

Further information is available at Reportable situations for AFS and credit licensees

ASIC is obliged to report annually on information provided under the reportable situations regime. Amongst other things, this public report is intended to help industry and consumers identify where significant breaches are occurring.

Due to inconsistencies in reporting practices arising through the implementation of the reform, our first report does not name licensees or provide data with a high degree of granularity.

ASIC’s approach to reporting will evolve over time, as the regime matures, and allow for greater granularity of reporting in the future.

Media enquiries: Contact ASIC Media Unit