Posted: 14 Jun. 2019 05 min. read

Licensee breach reporting

Do you want to be the first through the door?

In competition cartel cases there is a view that if you are the first through the door to confess, you will benefit from a ‘get out of jail free’ card and everyone else involved will get smacked.

For the past 15 months and in particular since the release of the Financial Services Royal Commission report in February, Licensees have sought to improve openness and transparency with ASIC in relation to suspected breaches, to improve public trust and confidence.

The increased willingness to submit breach reports has been borne out by ASIC statistics, which record a significant year on year increase in the number of notifications. There is however some unease that with ASIC’s changed enforcement posture, if you are the first through ASIC’s door with a new problem you may in fact be exposed to a higher risk of enforcement action. 

Let’s start with a hypothetical scenario

Notwithstanding the increase in ASIC’s resources, it is not able to litigate all breaches. In particular when there are breaches which turn out to be industry wide, it seems likely ASIC will choose some matters to litigate to operate as both a specific and general deterrent.

Now let’s assume a licensee has effective compliance monitoring systems in place. The systems operate as they are designed and identify a failure that has caused customer detriment.  The Licensee (A), being responsible and sensitive to its regulatory obligations, promptly notifies ASIC and consistent with community expectations, speedily remediates impacted customers.

Applying its ‘Why not litigate’ principle, ASIC assesses the breach and concludes that it is more likely than not Licensee A has breached financial services laws. The breach relates to something ASIC hasn’t seen before and therefore represents a new or emerging risk in relation to which market knowledge and public denunciation may be appropriate.

Without knowing more about whether the problem is a one off, or systemic, how will ASIC approach the public interest considerations when deciding whether to litigate? Should the licensee be ‘punished’ for being the first through the door?

It may for instance eventuate that the problem is industry wide. And the fact other licensees didn’t effectively identify the issue as early as Licensee A, they actually may have, or contrived a way not to be first to report it. Or it may be far more serious in their businesses. The question then is: Are they not more culpable and deserving of penalty and public denunciation?

Therein lies the challenge for ASIC. And indeed every conduct regulator asked to assess matters as and when they are notified, without necessarily having any visibility of what is in the pipeline. If ASIC had 100 cases on the first of January and knew it had the resources to take on 10 of them, a reasoned assessment could be that by ranking the 100, ASIC would identify the 10 matters most deserving of further action. Unfortunately, that isn’t the way breach reports, whistle-blower or customer complaints are received.

How then to proceed?

Assuming these matters are not time sensitive, and assuming Licensee A is otherwise getting on with the important job of putting things right with the customer, perhaps circumstances like the one in the scenario might be assessed like this.

The report is received by ASIC. It identifies a breach which suggests a potential industry wide risk. Rather than assessing the position only in relation to the breach, ASIC identifies the potential broader issue and writes to a peer group of the reporting licensee and poses the question – do you have problem x, please look for it and advise us within the next four weeks.

If the answer is consistently in the negative then it is a more straightforward assessment. If however the answer is in the affirmative in relation to some or all of the responses, then ASIC is well positioned to approach the challenge far more strategically. Importantly it can assess the original breach report with improved context and in particular assess relative culpability across licensees.

An approach of this nature would more likely result in timely identification of industry wide risks – for broader publication and education, and focus ASIC’s finite resources on those licensees more deserving of substantive enforcement sanction and public denunciation.

It also creates a more level playing field among licensees that are seeking to do the right thing and in particular reinforce the importance of transparency with the regulator. Ultimately improved transparency and rebuilding of trust between the regulator and those it regulates, can only be a good thing for the public.

John Weaver
Governance Risk and Conduct Partner Deloitte and former ASIC Regional Commissioner Queensland.

Meet our author

John Weaver

John Weaver

Partner, Audit and Assurance

John is an experienced executive and qualified lawyer (Australia and UK) with in excess of 20 years' experience in professional conduct, risk and compliance including civil, criminal and regulatory surveillance, investigation and litigation focused on failures in business and business processes across a range of sectors including financial services, public listed companies and professional services.