On 16 September Peter Kell, Deputy Chairman of ASIC, delivered a speech to the Risk Management Association of Australia CRO Forum about ‘Why breach reporting is important’. Breach  reporting is expected to be timely and to occur in a coherent compliance framework. Mr Kell said  that it had become apparent to ASIC that breach reporting was not occurring across the industry in  a consistent manner and that breaches were not being reported in a timely manner. Failing to report  significant breaches to ASIC is a criminal offence.

ASIC is conducting a review of breach reports that have been made by licensees. It will then  conduct a proactive review of some licensees that they identify as high risk and engage with them  to ensure that their processes are robust for identifying and escalating breaches in the  organisation and reporting to ASIC. ASIC will consider taking action if the licensee’s processes  are inadequate.

Mr Kell focussed on the importance of a licensee’s compliance culture. A poor compliance culture is  considered to be more likely to result in breaches and to undermine customer trust and confidence  in the licensee and sector. Compliance culture should be entrenched in the organisation, and Mr  Kell said that the organisation’s culture will affect the regulatory outcome that ASIC pursues. If  business models and incentive structures undermine consumer outcomes, then the organisation is  likely to be considered more closely by ASIC. Mr Kell suggested that tying remuneration to  compliance culture rather than, for instance, sales, might assist.

The speech highlighted the following:

Why breach reporting is important

Firms are expected to play a role in identifying and reporting market problems. Section 912D of the  Corporations Act requires licensees to notify ASIC of any significant breach or likely breach of  financial services laws and ASIC’s RG 78 deals with ASIC’s breach reporting guidelines. This has  not changed, but notable recent problems have resulted in ASIC’s renewed focus on the area.

When breaches must be reported

Reports must be lodged as soon as practicable and in any event within 10 business days of the  licensee:

  • becoming aware of:
    • the breach (where a breach has occurred and the licensee has discovered it), or
    • a likely breach (where the licensee becomes aware that they will no longer be able to comply  with the obligation before a breach actually occurs); and
  • determining that the breach or likely breach could be significant.

ASIC considers that systems must be in place that allow the licensee to determine the significance  of breaches and likely breaches within the 10 business days of discovering them. In particular, the  licensee should not delay reporting until:

  • it has fully investigated the circumstances to satisfy itself that the breach or likely breach  is significant,
  • the matter has been considered by the licensee’s board or legal advisers,
  • they have taken steps to rectify the problem, or
  • in the case of a likely breach, the breach has actually occurred.

When does the licensee become aware of a breach?

ASIC considers that the licensee becomes aware of a breach when the person responsible for  compliance becomes aware of the breach or likely breach. Internal systems should ensure that  relevant persons become aware in a timely and efficient manner and licensees should have a clear,  well understood and documented process for:

  • identifying breaches or likely breaches,
  • ensuring that those responsible for compliance are aware of the breaches,
  • determining whether identified breaches are significant,
  • reporting to ASIC significant breaches or likely breaches,
  • rectifying the breach or likely breach, and
  • ensuring that arrangements are in place to prevent recurrence of the breach.

What ASIC does with breach reports

ASIC carefully assesses the reports and some result in formal action, although most do not. The  reports provide information that assists ASIC to determine matters to prioritise for investigation,  to identify patterns of misconduct for an organisation or industry, and to determine whether  systems to detect and report problems are robust.

In most cases where ASIC does not take action, the licensee is acting to rectify the breach.  Serious or systemic breaches may need formal ASIC action, which may include:

  • conducting a formal surveillance to see if there is a systemic compliance problem,
  • working with the licensee to improve their compliance procedures,
  • taking enforcement action against an individual who is, or was, within the firm, or
  • taking regulatory action against the licensee.

In determining what action to take, ASIC takes into account:

  • the timing of the matters reported,
  • the plan for rectifying the failure,
  • whether   the   consequences, particularly to consumers, can   be   dealt   with  comprehensively,
  • the organisation’s culture of reporting breaches and the quality of their breach reports, and
  • whether the breach suggests there are more significant compliance issues within the business.

ASIC’s current focus

The review is part of ASIC’s ‘detect, understand and respond’ approach. ASIC recognises that things  can go wrong. Reporting is a measure of how effectively the firm responds to problems - timely and  transparent or slow and confused or cover up. A system’s failure or liberal interpretation of  breach reporting obligations are both considered a problem.

Conclusion

AFS licensees should review their breach reporting framework and ensure their processes reflect Mr  Kell’s comments, in particular, the timing aspects of identifying and reporting significant breaches.