For years, ASIC has complained that the reporting of significant breaches under the Corporations Act by Australian Financial Services Licence (AFSL) holders has been too slow and lacked transparency. ASIC undertook work across a number of projects to substantiate its concerns and build the evidence base for legislative reform. Following the ASIC Enforcement Taskforce Review, a report released in December 2017 made 50 recommendations for significant reform, including of the breach reporting obligations. In that context, the timing of the Hayne-led Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Royal Commission) was opportune. In particular, the Royal Commission reported on case studies in which deficiencies were identified in relation to:
Fast forward nearly two years from the Royal Commission, Schedule 11 of the Financial Sector Reform (Hayne Royal Commission Response) Act 2020 (the Act) implements recommendations 7.2 and 2.8 of the Royal Commission in relation to breach reporting reforms. The purpose of this reform is to:
Although the industry has worked to improve breach reporting practices and to rebuild public trust in licensees since the release of the Royal Commission report and the ASIC Enforcement Taskforce Review report, we expect there is a lot more to do before October.
The breach reporting requirements come into effect on 1 October 2021. They add to the sweeping reforms the financial services industry is currently implementing, which require the industry to understand the intricacies of vast regulatory changes and deliver them in record time.
The crux of the changes
The changes and the implications of the breach reporting reforms are wide-ranging and varied. The scope of what is reportable is significantly broader, and the time from identifying an incident to reporting it, whether or not the investigation of the suspected breach is ongoing, is now much shorter. There is anecdotal evidence that some licensees may see reportable incidents increase to five to ten times current volumes. That will place a significant strain on existing assessment resources and on compliance and risk teams unless there are marked changes to the design of processes and practices.
In addition, the form of what must be reported is set to be more prescriptive. The reforms will also impact organisations differently based on their size, complexity and structure. The changes mean:
1. Credit activities will be captured
Australian Credit Licence (ACL) holders will be bound by the requirements, as credit activities under the Credit Act will now be captured.
2. Scope of reportable situations will expand
The changes significantly extend the kinds of situations that will be reportable to ASIC. Currently, licensees are required to report breaches and likely breaches that are significant. The reforms require licensees to report:
3. Reporting timelines will be fixed, and shorter
The new requirements provide a period of 30 calendar days, running from the point at which a licensee first knew, or had reasonable grounds to believe, that a reportable situation had arisen. A report lodged on the 31st day is therefore late. We anticipate that organisations will need to significantly shift their current approaches to people, processes and systems to meet these tight timeframes, and will also need to revisit their strategies.
4. There will be a need to conduct two significance tests
The existing test for when a breach or likely breach is significant has been supplemented by a 'deemed significance test'. Under the deemed significance test, a breach of a 'core obligation' is regarded as significant if certain circumstances apply, for example if it involves misleading or deceptive conduct or relates to a provision of the Corporations Act that carries a civil penalty. For breaches or suspected breaches that are not deemed significant, the existing test continues to apply, using the same assessment factors as the current regime, such as the frequency of similar breaches, the number of customers impacted and the impact on the licensee.
5. Reporting will be prescribed by ASIC
The form in which reports must be lodged will have strict criteria. ASIC's breach reporting forms will require the date of the reportable situation, an account of the reportable situation, any steps taken to remediate it, and the steps planned for ongoing and future compliance. The focus is on remediating past failures and preventing conduct failures in the future. Failing to lodge a report with ASIC will constitute an offence, attracting a maximum penalty of two years' imprisonment or a fine.
6. Data on breach reports will be published on ASIC’s website
Data on breach reports from across the industry will be published on ASIC's website. ASIC's publication may include the name of the licensee, the volume of reported breaches, a breakdown of breach reports by corporate group, and the number of breaches relative to the size, activity or volume of the business. While this may increase transparency, it also creates the potential for increased reputational risk.
Why do the changes matter and what are the next steps for the financial services industry?
The industry is facing challenges in understanding and operationalising their full end-to-end breach management frameworks. For example:
It is important to consider the impacts across all components of the breach management framework to achieve successful implementation of the complex requirements.
Furthermore, other regulatory changes intersect with the breach reporting requirements, such as Significant Dealing under the Design and Distribution Obligations (DDO) and the upcoming complaints requirements under ASIC's Regulatory Guide 271, which raises internal dispute resolution standards across the financial sector. The synergies between these reforms therefore need to be assessed and implemented together. It is also worth noting that Treasury included breach reporting as a particular responsibility in the proposal paper for the Financial Accountability Regime (FAR). We await the release of the draft legislation to understand whether organisations will be required to appoint an accountable person responsible for this.
We understand that organisations will be at different levels of maturity depending on their size and complexity. In order to achieve compliance by 1 October, we recommend that organisations focus on the following:
We are already seeing large programs of work dedicated to implementing this regime. With ASIC's updated regulatory guide due to be released any day, organisations need to quickly grapple with the vast impacts of these changes and the ever-looming deadline.
John is an experienced executive and qualified lawyer (Australia and UK) with in excess of 20 years' experience in professional conduct, risk and compliance including civil, criminal and regulatory surveillance, investigation and litigation focused on failures in business and business processes across a range of sectors including financial services, public listed companies and professional services.
Bhrajna is a Director in Deloitte’s Governance, Regulation and Conduct practice. She has a focus on insurance and has extensive experience in supporting insurers on engagements relating to regulatory change and conduct. This includes design of frameworks, reviews and implementation relating to product design and governance, sales practices, claims handling and complaints.
Georgia is a Manager in the Governance, Regulation and Conduct practice based in Brisbane. She specialises in supporting clients across the financial services sector in designing, implementing and reviewing frameworks, policies and procedures focused on preventative conduct and promoting good customer outcomes.