Key findings from ASIC’s breach reporting review

ASIC reviewed the compliance arrangements of 14 licensees who had low numbers of reportable situations, or no reportable situations at all, since the implementation of the reforms to the regime in October 2021. This review identified a number of poor practices:

• Slow reporting times: licensees were taking a long time to identify and investigate breaches due to deficiencies in incident management, including the identification, escalation and recording of breaches. In terms of the licensees subject to the surveillance, 31 per cent of their reported breaches took more than one year to be identified, and the average time to complete an investigation into an incident that was later reported as a breach was 39 days.
• Gaps in monitoring compliance: there were gaps in licensees monitoring their own compliance with the regime, with licensees taking an average of 534 days to report to ASIC after a breach first occurred.
• Very slow remediation timeframes: there were flow-on effects in terms of remediating consumers and rectifying the effects of breaches, with licensees taking an average of 632 days to finalise compensation to consumers after a breach first occurred.

As a result of the surveillance, ASIC has identified a number of uplifts and ‘better practices’ that should be adopted by licensees, including:

• Identifying incidents and breaches: licensees should adopt clear and simple definitions of ‘incidents’ and have well-understood and documented processes for identifying incidents and monitoring business activities for breaches. Half of the licensees recorded fewer than five incidents in their registers over a three-month period, which ASIC considers to be very low and suggestive of deficiencies in incident identification.
• Supporting staff: licensees need to provide adequate guidance and training to staff to identify and handle incidents and assess complaints from clients for incidents and breaches (including conducting regular root cause analysis to reduce the risk of continuing or reoccurring breaches). Further, there should be measures in place to ensure staff across several channels can identify, record and escalate incidents, and a robust governance and accountability structure that supports and promotes proper escalation to senior management. Some incident registers showed incidents from one or two internal sources only, or only incidents from external sources such as client complaints.
• Recording incidents and breaches: licensees should maintain a single, comprehensive register that documents all relevant information on incidents and breaches, including the factual circumstances, losses incurred and customers affected. ASIC states that licensees’ breach registers should contain the information in the reportable situations prescribed form, which is summarised in Table 8 of Regulatory Guide 78 Breach reporting by AFS licensees and credit licensees.
• Escalating or acting on incidents and breaches: licensees should have clear and suitably short timeframes for investigating and reporting incidents and breaches, as ASIC found that internal frameworks were likely contributing to overall delays. One licensee had an incident management process where incidents passed through a number of reporting lines, which meant more than a month could pass before an incident was first brought to the attention of the breach reporting team to start an investigation.
• Compliance reviews: adherence to the licensee’s processes and procedures across the entire breach-reporting cycle should be regularly monitored, reviewed and reported on internally, including to identify trends and timeliness of incident management. ASIC found there was a level of acceptance for internal non-compliance (with several licensees only conducting a review after being prompted by ASIC), and poor practices were preventing proper scrutiny of incident management and breach reporting.