Breach reporting regime ASICs insights one year in

What you need to know

• ASIC has issued Report 740: Insights from the reportable situations regime: October 2021 to June 2022.  This is its inaugural report summarising trends seen in the first year of the new breach reporting regime
• While there was a significant increase in reporting (which is to be expected given the changes to the regime), the number of licensees that lodged reports was significantly lower than ASIC had expected with only 6% of licensees lodging reports. ASIC is also concerned with inconsistencies in licensees' approaches to reports which has made it difficult for ASIC to extract and analyse data
• Over the coming year, ASIC is likely to shift from its current facilitative approach to focus on investigation and enforcement action into areas of greatest concern to drive higher levels of compliance.  We anticipate that ASIC will focus on licensees who are either not reporting, or submitting a disproportionately low number of reports, as well as those who may not be effectively identifying and investigating issues, remediating customers or rectifying breaches

What you need to do

• Licensees should critically analyse their internal breach reporting data to identify how they compare with the overall population, reflecting on each of ASIC's areas of concern
• If a licensee is an outlier in ASIC's areas of concern, they should take steps to understand why, and strengthen their internal systems and processes to mitigate enforcement risk (and associated compliance and conduct risk)
• ASIC is currently consulting on changes to ASIC's Regulatory Guide 78: Breach reporting by AFS and credit licensees guidance, to drive greater consistency in reporting data.  Licensees should engage with ASIC on these changes, and be prepared to uplift systems and processes to reflect changes to the guidance

Executive Summary

On 27 October 2022, ASIC published its inaugural "Insights from the reportable situations regime: October 2021 to June 2022", which provides high level observations on trends observed during the first year of the new breach reporting regime.

As foreshadowed by ASIC, licensees have not been named and data has not been provided at a granular level.  In response to the volume of reports and inconsistency in reporting practices, ASIC is currently working on a program of consultation to provide additional guidance on key areas of data inconsistency.

Although ASIC has adopted a facilitative approach to compliance over the last year while licensees have worked to implement the new regime, ASIC is likely to shift its attitude over the coming year to take a more active regulatory approach.

We anticipate that ASIC will commence investigation and enforcement action to drive compliance in areas of concern, including where licensees have not lodged any reports (especially in relation to credit licensees), inadequate reporting of root cause, lack of timely identification and investigation of incidents, inadequate customer remediation, and failures to take steps to rectify or prevent breaches.

All licensees should analyse their internal breach reporting data to assess how they compare with the general population. Licensees should particularly identify any areas where they are outliers in the highlighted areas of concern. If any areas are identified, licensees should review their existing breach reporting frameworks and procedures, and take steps to further embed systems and processes that address those deficiencies to mitigate the risk of enforcement action (and associated compliance and conduct risk).

Volume of reports and lodgers

A total of 11,070 reports (including updates) were submitted to ASIC in the period 1 October 2021 to 30 June 2022, compared to 2,435 reports in the period 1 July 2020 to 30 June 2021. The nearly five-fold increase demonstrates that the extended reporting requirements and changes to the significance test have, as expected, significantly increased licensee reporting.  The regime, however, has placed an enhanced compliance burden on licensees and an increased burden on ASIC to identify the key issues from a vast amount of data.  ASIC has already asked licensees to call ASIC when lodging reports that are material to ensure it stays abreast of key emerging issues given the large volumes of data it is now receiving.

Interestingly, only 6% of the licensee population has lodged a report, across both AFS licensees (9%, 548 licensees in total) and credit licensees (3%, 126 licensees in total). The lower number of credit licensee reporting is not entirely unexpected given they were not previously subject to the regime.  Given one of the key changes to the regime was to deem many contraventions significant, the lower than expected levels of reporting overall might suggest that a number of licensees are grappling with identifying conduct that contravenes the law.

Further, larger licensees lodged far more reports than smaller licensees, with only 23 licensees lodging 74% of all reports.  This may be a result of larger licensees having a larger volume of incidents to be assessed under the new regime and more extensive resources, processes and systems to accommodate the expected increase in reporting. 

What's ahead: While ASIC acknowledges that there has been a period of transition, the low proportion of the licensee population lodging reports is a key concern to ASIC. A key area of ASIC's focus is likely to be licensees who have not lodged any reports, to ascertain whether they have adequate frameworks and systems to detect, investigate and report non-compliance. Credit licensees and smaller licensees are more likely to be in the spotlight given the low levels of reporting.

A licensee who is found to have breached these requirements faces significant penalties, including potential criminal and civil penalties, where they are found to not have adequate breach reporting systems and processes.

Subject matter of reports

Misleading and deceptive conduct was the most commonly reported issue, comprising 34% of all reports, followed by lending (21%), general licensee obligations (19%) and account administration/fees and charges (14%). The large volume of misleading or deceptive conduct reports is largely due to these obligations being deemed significant, with even minor misleading or deceptive conduct having to be reported.

The majority of reports related to credit products (38%), with the main driver being one-off breaches of responsible lending obligations.

What's ahead: The deemed significant nature of misleading and deceptive conduct is a key driver behind the large number of reports being submitted to ASIC and has been identified as an area causing a greater compliance burden on licensees. This is a topic ASIC is currently consulting on but any change would require legislative intervention.

In a tightening market with increasing interest rates, it will be interesting to watch what action ASIC might take to understand the causes of responsible lending breaches.

Root causes of breaches

The majority of reports specified staff negligence or error (60%) as the root cause, with process deficiencies (9%) and system deficiencies (6%) well behind as the identified root cause. Staff negligence or error was reported as the root cause in 55% of reports where the licensee also reported that there had been previous similar breaches, or multiple breaches grouped into one relevant report. 

What's ahead: According to ASIC, the number of staff negligence or error reports may indicate that licensees are not adequately considering the underlying root cause of the staff error, such as a process or system deficiency, especially where those same reports identify multiple or similar previous breaches.

Licensees should focus on ensuring adequate competency and capability to identify common root causes among those responsible for assessing and reporting incidents, as well as embedding systemic issue analysis to identify incidents across their entire incident population with a common root cause. This analysis has the potential to decrease the compliance burden of multiple reports as licensees may group incidents into one report where there is a common root cause.

ASIC intends to provide guidance on the circumstances in which "staff negligence or error" should be selected as the root cause, with the intention that it should only be used where a licensee has determined there is no other underlying root cause.

Identification and investigation

The introduction of the new regime appears to have led to a significant decrease in the time taken to identify and commence investigations into breaches (an average of 39 days), and the time then taken to investigate breaches (an average of 18 days). Prior to the new regime, it took major banks an average of 1,726 days to identify significant breaches, and an average 150 days to investigate. However, ASIC is particularly concerned that 582 reports took five or more years to identify and commence an investigate into a breach, and 464 reports where the investigation took, or is expected to take, more than one year to complete.  ASIC's view appears to be that taking more than one year to investigate is too long.

ASIC also found a direct correlation between the number of customers impacted and the time taken to identify and investigate an incident, with a greater number of customers impacted where the investigation took longer to commence. Further, ASIC also found that the time taken to complete an investigation increased where more customers were impacted.

What's ahead:  Despite an improvement in identification and investigation times, a key focus of the new regime is ensuring prompt identification and investigation, with substantial criminal and civil penalties where licensees fail to do so.  ASIC is likely to focus its regulatory activities on licensees that are outliers in identification and investigation times, to ensure they have sufficient resources to identify and investigate potential non-compliance in a timely manner.  Practically speaking, it will often be easier to report small-scale matters and so, in future, ASIC is likely to focus on the time taken to report more material breaches.

Customer impact

Customer impact occurred in 82% of reports (both financial or non-financial), impacting approximately 43.7 million customers and resulting in $368.5 million in financial loss. The majority of reports (56%) only impacted a single customer, while 23% of reports involved financial loss (with 68% of those involving a financial loss of less than $10,000). ASIC believes these figures are likely to be understated due to a number of reports where financial loss is not obvious to the licensee and those reports where investigations are still in progress.

What's ahead: The number of reports lodged impacting only a single customer and the majority of reports not involving any financial loss raises questions about the balance struck by the regime.  On the one hand, the detection of "significant non-compliant behaviours earlier" may not be achieved through the submission of single customer reports with little or nominal customer impact. On the other, many instances of one-off customer issues within a licensee or across multiple licensees may, when considered together, reveal a broader issue.

Remediation

Licensees have remediated, or plan to remediate, affected customers in 96% of reports where there was financial loss, with licensees reporting that they did not intend to compensate customers in the remaining 4% of cases. In 12% of reports, licensees took over a year to finalise remediation, with ASIC indicating that more than one year to remediate is too long.

What's ahead: ASIC is concerned about the time taken to remediate and the failure to remediate at all for 4% of reports where financial loss was reported. ASIC considers that remediation must be initiated if a licensee or its representatives have engaged in misconduct or other failures. Additionally, licensees must be properly resourced to ensure that remediation activities occur in a timely manner without sacrificing customer outcomes. While ASIC is considering its regulatory response, it is likely to focus on the 4% of reports where licensees indicated they had no intention to remediate for financial loss.  Licensees should be aware of ASIC's remediation expectations set out in ASIC's recently released Regulatory Guide 277: Consumer Remediation.

Rectification

As at 30 June 2022, 78% of breaches had been rectified and a further 6% were intended to be rectified, with 53% of reports rectified within seven days (including 22% that were rectified immediately upon the breach occurring).  This again raises questions about the practicality of the regime where licensees face a significant compliance burden to lodge reports where rectification is prompt and customers are unlikely to have incurred material detriment.

What's ahead: ASIC is concerned about the small percentage of reports (2%) where licensees have indicated that they have no intention to rectify.  ASIC expects licensees to take timely action to fix and prevent the recurrence of issues. While ASIC has indicated that it will consider its regulatory response to these reports, it is likely to be an area of focus. 

Authors: Morgan Spain, Partner; Lucinda Hill, Partner; Mark Bradley, Partner; Jonathan Gordon, Partner; Elizabeth Hristoforidis, Director; Louisa Borchers, Lawyer; and Michael Deighton-Smith, Lawyer.