ASIC consults on publishing firm level reportable situations and internal dispute resolution data

Generally, ASIC propose to publish RS and IDR data in two separate, interactive dashboards that can be filtered by root cause number of customers impacted or investigation timeframe.[7] The dashboards will also permit the download of some data, though the specifics of what will be available for download has not been published. The data will also be published with explanatory information statements that are to set out:

• defined terms;
  • descriptions regarding the data’s scope (time periods, data included or excluded, etc); and
  • contextual statements that set out:
  • that the number of RS reports or IDR complaints does not indicate higher non-compliance incidence or consumer dissatisfaction and may instead reflect stronger compliance processes;
  • no submissions being made by an entity does not necessarily indicate there are no reportable situations or complaints; and
  • that some data is likely still under investigation so the data may change over time.[8]

ASIC contends that publishing the data in such a manner allows users to readily understand and interpret the data effectively so that they may make fair comparisons and avoid misinterpretation.

RS data will be published annually by the end of October, while IDR data will be published biannually.[9]

It should be noted that, in February 2025, ASIC published CS 16 Reportable situations – additional relief, which proposes to grant relief from reporting for AFS and credit licensees from reporting certain breaches where:

• the breach has been rectified within 30 days from when it first occurred (including paying any necessary remediation), and
• the number of impacted consumers is not more than five, and
• the total financial loss or damage to all impacted consumers resulting from the breach is not more than $500 (including where the loss has been remediated), and
• the breach is not a contravention of the client money reporting rules, and clearing and settlement rules.

Consultations on the proposal closed on 11 March 2025.

Critically, CP 383 notes that ASIC now also intend to publish data at an industry level, and at a firm level. Firm level is intended to encompass a firm’s name and licence number, unless the licensee is an individual.[10]

ASIC will also not take steps to verify or confirm the data accuracy, simply publishing the data as is reported. Firms are responsible for ensuring the data is accurate and updated as required.[11]

The data elements ASIC intends to publish will encompass significant breaches of core obligations, and likely breaches of significant obligations. Specifically, this data will include:

• information about the licensee;
• volume and nature of breaches, and their impact;
• identification and investigation of breaches;
• remediation and rectification; and
• reporting practices.[12]

As to IDR data elements, ASIC intend to publish information as it relates to:

• information about the financial firms;
• complainant demographics; and
• complaint information.[13]

As set out above, ASIC will publish details on licensees and financial firms, including names (and other identifiable features), on the basis that ASIC considers this enhances accountability of firms and helps users identify substantial numbers of significant breaches, as well as the entity who breached the obligations (whether licensee or authorised representative).[14]

Specifically for IDR reports, firm data may be aggregated and ASIC may not publish all data elements, such as complainant demographics, for privacy reasons.[15]

In developing the proposals, ASIC considers that publishing the above data in such detail strikes an appropriate balance between:

• promoting RS and IDR regime objectives (encourage transparency, accountability and compliance); and
• publishing data that is useful and relevant to users and the industry.

Naturally, licensees and financial firms will be hesitant to accept, and otherwise object, to their information being made available on a firm basis for users. As a result, ASIC offer to carefully consider responses to CP 383 and request information that considers the likely effect on competition, and other impacts, costs and benefits to entities. Annexure B of CP 383 sets out a table for consultation responses to be guided by, including any comments about:

• the proposed format of the data publication;
• ASIC using explanatory statements as part of the publication;
• features that could be incorporated into the future; and
• responses to each of the RS and IDR data elements that may be published.

Accordingly, firms and licensees should consider and understand just how these proposals would impact their operations from an industry standpoint, as well as any benefits and costs that could result from the proposals. As above, CP 383 should also be read in conjunction with other proposals from ASIC such as CS 16, which look to reduce breach reporting obligations in other areas, signifying ASIC are taking a holistic approach to obligations placed on reporting entities.