ASIC has recently released its first publication setting out insights into the effectiveness of reporting and the performance of licensees under the new reportable situations regime, Report 740 Insights from the reportable situations regime (Report 740).
While the report did not name and shame any individual licensees, ASIC has indicated that in future publications its approach to reporting practices will evolve and provide greater detail, including the possibility of naming licensees.
Notwithstanding the limits of the report, it does contain some surprising findings.
- Number of reports: Industry bodies had previously forewarned that the regime would result in large increases in the number of reports lodged; however, the data suggests that this concern has not materialised. ASIC has expressed concern about what it considers to be low levels of licensee reporting during the first nine months of the regime between 1 October 2021 and 30 June 2022 (only 6% of total AFSL and ACL holders have provided reports in the reporting period), particularly given the recent inclusion of credit licensees. Of note, 74% of all reports filed in the reporting period were by just 23 licensees.
- Speed of licensees: While licensees appeared to act quickly to rectify an issue once it had been identified, ASIC believes licensees were still too slow to:
  - identify issues (18% had been in existence for more than a year prior to being identified);
  - complete their investigation (5% took longer than a year to complete the investigation); and
  - complete any necessary remediation (12% of all remediations took longer than a year to complete).
- Deemed reporting: The regime’s shift to a deemed significance test appears to have had a material impact on reporting with 90% of all reports falling under a ‘deemed significance’ category.
- Ongoing guidance: ASIC proposes that it will provide further guidance to licensees in areas where it considers there are inconsistencies with reporting or clear errors in the data. For example, ASIC has identified an overuse of the 'human error' root cause category.
As part of the new reportable situations reporting regime introduced on 1 October 2021, ASIC is obliged to publish information about the reports it receives. Report 740 is the first such publication from ASIC.
As foreshadowed in our previous Insight, Report 740 does not identify any individual licensees which have lodged reports with ASIC for the regime. Interestingly, ASIC says that Report 740 does not provide data with a high level of granularity due to inconsistencies in reporting practices between licensees.
However, Report 740 does set out statistics relating to the number of reports lodged, the composition of the licensees lodging them, the subject and root cause of the issues covered by the reports, and the timing of identification, investigation and remediation. These are addressed below, together with some of our insights on the relevant issues.
Volume of reports and who is reporting
8,829 reports and 2,530 updates were submitted
More than half of the reports were lodged by AFSL holders
Only 6% of total licensee population (both AFSL and ACL holders) lodged a report
The 8,829 reports represent a nearly fourfold increase over a nine-month period compared with the previous 12-month reporting period (1 July 2020 to 30 June 2021), where 2,530 breach reports, including updates, were received in a full financial year.
The data indicates that reporting licensees are a mixture of both credit (38%) and AFS licensees (62%).
ASIC has indicated that the increased volume of reporting is due to credit licensees becoming subject to the reportable situation requirements under the new regime, in addition to the deemed significance test. Notwithstanding this increase, ASIC has been critical of what it considers to be significant under-reporting.
ASIC also says that it expects, despite the requirement for compliance, breaches to occur and thus equates the lack of breach reports to a potential failure in the systems and processes required to detect non-compliance.
While lower than expected numbers may be the result of an overall uplift in processes and systems across the industry following the Financial Services Royal Commission, it could also be an indicator of a lack of proper engagement and adequate implementation of the new requirements (such as the requirement to report open investigations of more than 30 days). Alternatively it could be the result of a de facto materiality test being applied to issues prior to reporting.
As noted above, only 6% of licensees have provided reports under the new regime (consisting of 9% of all financial services licensees and 3% of all credit licensees) and Report 740 covers a nine-month period, yet despite this, there has been a four-fold increase in reports compared to the previous regime. If a greater number of licensees were reporting, and the data covered a 12-month period, it could be expected that the number of reports under the new regime would be significantly greater than for pre-October 2021.
While we agree that the 6% level of reporting licensees is small, in our view this may speak to the differentiated levels of resources which licensees have. Further, feedback from our clients is that while larger licensees may be adopting a more ‘conservative’ position in their reporting, this may not be the case for the industry as a whole.
Based on the commentary, it certainly appears that ASIC's preference is for a conservative approach to be adopted. ASIC makes it clear that it expects all licensees, regardless of size, 'to have adequate systems in place to detect and report non-compliance'.
Licensees with greater revenue are reporting more
It was noted in Report 740 that larger licensees have lodged the majority of the reports with 61% of the reporting licensee population earning $1,000m or more in total revenue. This can also be seen from the fact the data indicates that just 23 licensees submitted 74% of the total reports.
Given the information in Report 740 is based primarily on reports lodged by a small number of larger licensees, we recommend caution be exercised not to draw industry-wide conclusions in light of the small and potentially unrepresentative sample.
Subject of reports and root cause of breaches
38% of the reports lodged related to credit products
ASIC states that a significant proportion of reports were in respect of one-off breaches of specific responsible lending obligations arising from staff negligence or error, with 60% of all reports identifying this as the sole root cause of the breach.
The top ten most reported products in reports were:
- Home loans (25%).
- Motor vehicle insurance (13%).
- Personal transaction accounts (5%).
- Credit cards (5%).
- Home building insurance (4%).
- Home contents insurance (3%).
- Personal loan (3%).
- Superannuation account (3%).
- Business loans (3%).
- Investment property loans (2%).
In our view, the composition of the products reported above demonstrates that credit products and insurance products continue to be areas of key risk and that increased investment in compliance for these areas may be necessary.
False or misleading statements – most common category
Report 740 states that the most common category of reported issue was ‘false and misleading statements’ (34%). This is unsurprising given the broad ambit of misleading and deceptive conduct as ‘deemed significant breaches’ under the new regime. Unsurprisingly, ASIC reported that most of these ‘false and misleading statements’ (30%) related to statements about products, regarding service information or in warning statements.
The second most popular category was reporting relating to lending (21%) and general licensee obligations with 7% of the reports for general licensee obligations relating to the obligation to act efficiently, honestly and fairly. Again this is unsurprising given the broad nature of this obligation and its increasing popularity with ASIC in enforcement activity.
The high level of reports relating to false or misleading statements is powerful substantiation for reform of the use of this issue category in the reportable situations regime. In our previous Insight, we recommended a high materiality threshold be introduced for misleading or deceptive conduct. Our clients tell us that they feel that they need to report issues to ASIC which are unlikely to have been intended to be covered by the regime, such as incorrect addresses and contact details in marketing materials.
Staff negligence and error was the root cause for 60% of the reports
ASIC says that it is concerned with the fact that 55% of reports where the licensee had reported that there had been a previous similar breach had selected ‘staff negligence and error’ as the sole root cause. The regulator is doubtful that the licensees in these situations are identifying and addressing the underlying root cause for these reportable situations.
While it may be the case that some licensees are not identifying the underlying root cause of the reportable situations, we also note that the products that are the key areas of reporting to ASIC are retail in nature. ASIC has indicated that it intends to issue further guidance as to when it considers it appropriate for a licensee to select ‘staff negligence or error’ as the root cause of a breach.
Identification and investigation of breaches
79% of breaches were identified from internal sources
Report 740 states that 79% of breaches reported were identified by the licensee from internal sources. ASIC says that this highlights the importance of internal risk management. However, ASIC also notes that there are some inconsistencies in the reporting of identification triggers, giving the example of licensees recording the internal trigger to be ‘staff or business unit’ when a staff member had identified an issue as a result of a customer complaint. Interestingly, 79 reports recorded the identification trigger to be ASIC.
We note that while the majority of issues are identified from internal sources, only 14% were identified as a result of compliance activities. This is a reassuring outcome as it demonstrates a level of ownership by business units to call out those situations where something has gone wrong.
Time taken to identify and commence investigation into breaches
Median time – 39 calendar days
Mean time – 380 calendar days
The time taken to identify and commence investigations is another concern of ASIC, particularly as Report 740 identifies 582 reports where it had taken five or more years to identify and commence an investigation. ASIC states that it expects licensees to have systems in place for significantly swifter identification and investigation of non-compliance.
While the 582 report figure is notable to ASIC, we also note that this represents less than 7% of all reports, and the number of reports where the time taken to identify and commence an investigation into a breach was 30 days or less was 44%. Additionally, the 582 reports may also represent the legacy nature of many retail products that have been available.
More time taken = more customers impacted
Report 740 concludes that '[i]nvestigations involving a greater number of customers impacted took longer to complete', and that:
"The earlier that issues are identified, the fewer customers that are likely to be impacted, and the less time and cost that is likely to be associated with investigating the issue. ASIC has taken this as an opportunity to emphasise the importance of early identification of breaches and the requirement to allocate sufficient resources to ensure that investigations are carried out in a timely manner."
On the basis of the information in Report 740, we do not necessarily agree with ASIC’s conclusion that the earlier issues are identified then the fewer customers will be impacted. ASIC’s conclusion will hold for recurring events – the longer the total duration of such events then the more likely it will be that more customers are impacted. However, it does not hold for non-recurring events – customer impact is ‘one off’ and determined solely by the unique circumstances of that event.
Customers impacted in 82% of reports
43.7 million customers impacted
56% of reports impacted a single customer
Whilst 82% of reports noted that a customer had been impacted, only 23% reported a financial loss, with the total financial loss across all reports being approximately $368.5 million.
More than half of the reports (56%, 4,928) were said to have only impacted a single customer. Additionally, in 17% of reports (1,507) there was said to be not a single customer impacted at all.
That 1,507 reports were lodged where no customer was affected by breaches speaks to a reporting regime that is arguably misallocating compliance resources: a requirement to lodge a report where there is no customer impact diverts those resources from matters where there is customer impact.
It may be that some licensees have lodged a report prior to understanding the full level of customer impact, and that at a later time customer impact was identified. If this was not the case, then we recommend ASIC and Treasury carefully consider amending the regime to address this by including appropriate materiality thresholds and consider the significant compliance burden the new regime is placing on licensees.
A similar comment can also be made about the 56% of reports which disclosed only one customer was impacted. Taken together, Report 740 indicates that 73% of reports lodged had either nil or one customer impacted, which is a significant proportion.
$51.6 million in compensation to 455,210 impacted customers
In 96% of cases, licensees recorded an intention to remediate
Time taken to finalise compensation after commencement:
- Median – 37 days
- Mean – 120 days
Due to 4% of cases recording no intention of remediation, ASIC has emphasised the requirement to initiate remediation if a licensee or a representative has engaged in misconduct. While ASIC acknowledged that some of the 4% may have been mistaken about their intention to compensate customers, ASIC has also warned that it is considering its regulatory response in relation to the remaining cases.
It is difficult to state with certainty whether the 4% is of concern, as it may be that remediation has already occurred or would be futile (for example, redundant legacy products).
Report 740 states that 67% (5,972) of reports indicated that a breach had been rectified within 30 days of commencement of an investigation. For 0.6% (54) of reports, rectification would take a year or more.
That 67% of reports showed rectification occurred within 30 days of the commencement of an investigation shows that the reporting licensees have given a high priority to doing so. It is difficult to draw many conclusions from this data as Table 17 of Report 740 appears to omit information on 16% of reports lodged.
What is missing?
We note that one curious omission in Report 740 is the absence of any data regarding reporting under the 'dobbing in' provisions. Appendix 1 simply states that 'reports made to ASIC about another licensee' are out of scope. This is unfortunate given that data on this aspect of the regime would have been a useful signpost to licensees regarding how these provisions are being interpreted and applied in practice.
What can we expect?
Report 740 noted numerous concerns of the regulator. In response to these concerns, ASIC proposes:
- Low level of licensee population lodging a report: ASIC to undertake a range of activities to strengthen compliance.
- Underlying root cause not being correctly identified: ASIC to issue guidance regarding when ‘staff negligence or error’ is the root cause.
- Inconsistencies with identification triggers: Intention to issue further guidance to ensure more consistent reporting.
- Licensees that do not intend to remediate their customers: Considering their regulatory response.
It is evident that whilst there are some inconsistencies with licensees recording their reportable situations, ASIC will use this industry data to inform its supervisory and enforcement priorities. ASIC has previously confirmed that as part of its 2022-23 regulatory priorities, it intends to focus on improving the operation of the reportable situations regime. At the time it was announced in August 2022, this approach came with an explicit recognition from the regulator that the regime had created a number of implementation challenges for licensees that it will seek to address.
In the interim, licensees can expect ASIC to provide further detail in future publications. ASIC has flagged that this may include a list of all the licensees that have reported to ASIC. However, ASIC will consult with ‘stakeholders’ before commencing ‘more granular public reporting’ which is likely to commence in 2024.