On 16 September Peter Kell, Deputy Chairman of ASIC, delivered a speech to the Risk Management Association of Australia CRO Forum about ‘Why breach reporting is important’. Breach reporting is expected to be timely and to occur in a coherent compliance framework. Mr Kell said that it had become apparent to ASIC that breach reporting was not occurring across the industry in a consistent manner and that breaches were not being reported in a timely manner. Failing to report significant breaches to ASIC is a criminal offence.
ASIC is conducting a review of breach reports that have been made by licensees. It will then conduct a proactive review of some licensees that it identifies as high risk and engage with them to ensure that their processes are robust for identifying and escalating breaches within the organisation and reporting to ASIC. ASIC will consider taking action if the licensee’s processes are inadequate.
Mr Kell focussed on the importance of a licensee’s compliance culture. A poor compliance culture is considered to be more likely to result in breaches and to undermine customer trust and confidence in the licensee and sector. Compliance culture should be entrenched in the organisation, and Mr Kell said that the organisation’s culture will affect the regulatory outcome that ASIC pursues. If business models and incentive structures undermine consumer outcomes, then the organisation is likely to be considered more closely by ASIC. Mr Kell suggested that tying remuneration to compliance culture rather than, for instance, sales, might assist.
The speech highlighted the following:
Why breach reporting is important
Firms are expected to play a role in identifying and reporting market problems. Section 912D of the Corporations Act requires licensees to notify ASIC of any significant breach or likely breach of financial services laws and ASIC’s RG 78 deals with ASIC’s breach reporting guidelines. This has not changed, but notable recent problems have resulted in ASIC’s renewed focus on the area.
When breaches must be reported
Reports must be lodged as soon as practicable and in any event within 10 business days of the licensee:
- becoming aware of:
  - the breach (where a breach has occurred and the licensee has discovered it), or
  - a likely breach (where the licensee becomes aware that it will no longer be able to comply with the obligation before a breach actually occurs); and
- determining that the breach or likely breach could be significant.
ASIC considers that systems must be in place that allow the licensee to determine the significance of breaches and likely breaches within the 10 business days of discovering them. In particular, the licensee should not delay reporting until:
- it has fully investigated the circumstances to satisfy itself that the breach or likely breach is significant,
- the matter has been considered by the licensee’s board or legal advisers,
- it has taken steps to rectify the problem, or
- in the case of a likely breach, the breach has actually occurred.
When does the licensee become aware of a breach?
ASIC considers that the licensee becomes aware of a breach when the person responsible for compliance becomes aware of the breach or likely breach. Internal systems should ensure that relevant persons become aware in a timely and efficient manner and licensees should have a clear, well understood and documented process for:
- identifying breaches or likely breaches,
- ensuring that those responsible for compliance are aware of the breaches,
- determining whether identified breaches are significant,
- reporting to ASIC significant breaches or likely breaches,
- rectifying the breach or likely breach, and
- ensuring that arrangements are in place to prevent recurrence of the breach.
What ASIC does with breach reports
ASIC carefully assesses the reports and some result in formal action, although most do not. The reports provide information that assists ASIC to determine matters to prioritise for investigation, to identify patterns of misconduct for an organisation or industry, and to determine whether systems to detect and report problems are robust.
In most cases where ASIC does not take action, the licensee is acting to rectify the breach. Serious or systemic breaches may need formal ASIC action, which may include:
- conducting a formal surveillance to see if there is a systemic compliance problem,
- working with the licensee to improve its compliance procedures,
- taking enforcement action against an individual who is, or was, within the firm, or
- taking regulatory action against the licensee.
In determining what action to take, ASIC takes into account:
- the timing of the matters reported,
- the plan for rectifying the failure,
- whether the consequences, particularly to consumers, can be dealt with comprehensively,
- the organisation’s culture of reporting breaches and the quality of its breach reports, and
- whether the breach suggests there are more significant compliance issues within the business.
ASIC’s current focus
The review is part of ASIC’s ‘detect, understand and respond’ approach. ASIC recognises that things can go wrong. Reporting is a measure of how effectively the firm responds to problems: whether its response is timely and transparent, slow and confused, or a cover-up. A systems failure and a liberal interpretation of the breach reporting obligations are both considered a problem.
AFS licensees should review their breach reporting framework and ensure their processes reflect Mr Kell’s comments, in particular, the timing aspects of identifying and reporting significant breaches.