Insights on the reportable situations regime – how are we doing two years on?

By Vanessa Murphy and Caitlin Byrne

ASIC recently released its second review of the reportable situations (or 'breach reporting’) regime for AFS and credit licensees, two years after the changes took effect in October 2021. The report provides insights into the trends observed in the reports lodged between 1 July 2022 and 30 June 2023, as well as how this compares with the first year the new regime was in force.

Key findings

ASIC continues to be concerned about the consistency and quality of reporting practices by licensees. In particular, ASIC highlights the following emerging themes and outcomes:

• The proportion of licensees reporting remains low–only 11% have lodged a report since the changes came into effect two years ago (with the portion of AFSL licensees increasing from 9% FY22 to 13% in FY23, and the portion of credit licensees being 3% and 4% in the same respective periods). The licensees that make up the reporting population comprised a majority of the largest in the industry (with 88% of AFS licensees with revenue over $1 billion lodging a report in FY23).
• Staff negligence or error was by far the most reported root cause of breaches, with 66% of reports in FY23 attributing this as the root cause.
• Breaches where clients suffered financial loss were largely identified through internal and external dispute resolution procedures (rather than by the licensees’ internal measures), indicating the need for stronger internal risk management activities.
• The prompt identification and investigation of breaches remains a concern, with 5% of reports in FY23 relating to breaches that took more than five years to identify and commence investigation (although this was down from 7% in FY22).
• Licensees are not dedicating sufficient resources to conduct remediation activities so that impacted customers can be compensated for their loss in a timely manner.

What does this mean for licensees?

Be willing to report

ASIC has made clear it will take stronger measures to achieve enhanced compliance with the regime, including through targeted surveillance activities. As a result, licensees are encouraged to even more proactively identify and report breaches, as ASIC will be targeting those that are not reporting or are reporting significantly less than would be expected given their size and comparison to their peers. While licensees should of course be seeking to ensure compliance with all obligations that would otherwise give rise to the need to lodge a report, this should provide some comfort that—

• the identification and reporting of breaches in fact shows there is a level of diligence in their procedures; and
• the new regulatory environment is one where breaches are expected to some extent.

Timely identification and reporting

To be able to properly comply with the breach reporting regime, licensees need to ensure they have systems in place that adequately detect and report non-compliance. Given the findings of the report, timely identification of breaches will be key to minimising the risk of regulatory attention (such as targeted surveillance or potential enforcement action). Further, timely detection and reporting of non-compliance will also help minimise the impact on clients and reduce the potential loss to clients and the licensee (which, in the case of incidents that are not deemed significant breaches of a core obligation, also reduces the likelihood that they will meet the threshold of being a reportable situation).

In our experience, since the changes came into effect, the investigation of an incident (particularly where it is factually complex or involves the consideration of internal disciplinary measures) can very often take longer than those dealing with the incident may initially anticipate. Given the importance of staying within the 30-day investigation period if possible (to avoid the need to report the length of the investigation itself as a reportable situation), we recommend licensees involve the necessary business units as early as possible in the investigation period.

Other ‘breach reporting’ news

In other breach reporting news, ASIC has also released ASIC Corporations and Credit (Amendment) Instrument 2023/589, which makes changes to slightly relax licensees’ breach reporting obligations.

The changes include that:

• Certain breaches of particular misleading or deceptive conduct provisions in the Corporations Act and the ASIC Act, and the false or misleading misrepresentation provisions in the ASIC Act, are excluded from being deemed significant breaches of a core obligation (and so are no longer automatically reportable). For the exclusion to apply, there are certain criteria that need to be met, such as the breach must—
  • only impact one person (or if it relates to a financial product that is or is proposed to be held jointly by more than one person, only those persons);
  • not result in, and be unlikely to result in, any financial loss or damage to any person (regardless of whether the loss or damage is remediable); and
  • not give rise, and be unlikely to give rise, to any other reportable situation.
• Licensees now have up to 90 days (instead of the usual 30 days) from when they first know (or are reckless with respect to whether) there are reasonable grounds to believe a reportable situation has arisen to lodge a report with ASIC, if the situation has underlying circumstances that are the same as, or substantially similar to, underlying circumstances of a reportable situation previously reported to ASIC.

Given these changes, we recommend licensees review, and if necessary, amend their policies and procedures dealing with reportable situations to ensure they don’t impose more onerous obligations than the law now does.