It appears a minority of the regulated population have properly understood the new obligations and responded accordingly. ASIC reports that although the volume of reporting has increased significantly compared to pre-1 October 2021, the number remains lower than they expected when combined with other data sources. In particular, they note that suspected breaches have only been reported by 6% of the regulated population.  

The obligation to report suspected breach of a much broader range of offences and the removal of the materiality threshold mean that is it almost inevitable licensees will have suspected breaches. ASIC therefore finds the notion that only 6% of Australian Financial Services Licensee (AFSL) and Australian Credit Licensee (ACL) holders had a reason to suspect a breach as unlikely. The implication then is that some licensees are either not appropriately interpreting their obligations or they do not have adequate process and systems in place to identify suspected breaches.

ASIC confirms that it will be looking into the low response rate. One approach they may take is to segment the data by sector and look to identify larger licensees in a peer group who have not reported under the new regime (or whose reporting is materially lower than comparable peers) and undertake surveillance to test compliance. For those who are not reporting, it would pin that event be advisable to test what has been done to comply with the obligations and whether the licensee is appropriately calibrated.

Firstly, reporting to ASIC that you have a suspected breach represents only part of the obligation. Just as important is answering the question as to what caused the breach. Understanding the cause of suspected breaches is foundational to the ability to rectify them in a timely way to prevent a recurrence and minimise potentially ongoing customer impact. The root cause and a licensee’s response to it also tells ASIC much about the licensee’s approach to getting things right and whether they are a responsible licensee. As an example, the Report identifies that licensees notified staff negligence or error in 60% of suspected breaches. This is very high, and experience suggests that further analysis of the root cause would likely identify issues around training, change management and processes. This next level analysis is imperative to rectify the situation.

Secondly, self-identification of suspected breaches appears to be more effective in larger licensees. In addition to testing reporting levels generally, smaller and mid-tier licensees should seek to understand the balance between self-identified and externally identified suspected breaches. If the balance favours externally identified breaches, then it suggests a licensee has more to do in its control environment to identify prospective problems early. This work relates at least to breach reporting obligations, but is of equal importance to the customer experience.

Thirdly, the Report emphasises the importance of effective product governance and ASIC’s focus in that area.  By way of example, 34% of the reports related to suspected false and misleading statements about a product and a further 14% in relation to information as to fees and costs. Tracking delivery of customer promises and ensuring each step of the value chain results in accurate customer representations and communications is imperative.

 The report identifies that only 3% of ACL holders submitted a report, but they made up the largest single cohort of reported suspected breaches (38%). Although there is significant overlap between some of Australia’s largest AFSL and ACL holders (for example, our largest banks), the obligations to report suspected breaches by ACLs under the regime is entirely new, as the previous breach reporting obligations related to AFSL holders only. Having regard to the number of reports lodged by the largest ACL’s it seems likely they are disproportionately represented in the reports. As a sense check, it would be surprising if the 97% of ACL holders who have not submitted reports have exponentially better processes and systems in place such that they have not experienced a suspected breach of their obligations. Accordingly, if they have not already done so, it would be advisable for ACLs who have not submitted reports under the new regime, to undertake a post implementation review to test compliance.

ASIC expresses the concern that often the time taken to commence an investigation is too long (median 39 days and mean 380 days). While the report indicates there has been significant improvement over the old regime (which is to be expected given the changed obligations), it is apparent there remains work for licensees to do. The focus should be on improving the monitoring and supervision environment to accelerate the identification of suspected issues to be triaged into investigation (which starts the clock ticking on the 30 days investigation period obligation). Long delays in detection in our experience can signal potential control deficiencies to ASIC and accordingly there are overwhelmingly good reasons for licensees to invest in this space.

The Report identifies the financial impact of the reported breaches on customers at $368.5m to date and that customer impact worsens the longer issues go undetected. Importantly, the report highlights that breaches with a high number of customers impacted also took longer to remediate, with the median time to finalise compensation being 37 days but the mean is 120 days and the customer segment with the highest amount of compensation due to them took in excess of 366 days. Noting ASIC has recently released updated remediation guidance RG277 Consumer remediation and emphasised on a number of occasions that unduly delayed remediation is not fair to customers and undermines the fairness generally of the licensees program, licensees should expect this area will be a continuing priority for the regulator.

 A significant focus on ASIC’s work in the wealth management sector in recent years and a focus of the FSRC case studies, was what licensees knew of suspected financial adviser breaches and whether those issues were elevated to ASIC or new licensees recruiting advisers with identified (FSRC Recommendation 2.8) issues. The FSRC recommendations have subsequently been implemented to strengthen the regime in relation to reporting suspected adviser breaches and in our experience licensees have also expended considerable resources to improve the quality and effectiveness of advice monitoring. The report identified that reports in relation to advisers make up 5% of total reports.  Given the number of licensees represented in the sample, it suggests that the advice audit changes we have observed across a range of licensees, are increasingly effective. However, it is likely those reports come from a small number of licensees since 94% of Advice licensees have not made any reports. This cohort is therefore likely to benefit from testing outputs from their adviser assurance process against the breach reporting obligations.