By Jim Bulling and Hugo Chow
ASIC’s first annual report on the reportable situations regime noted that financial services and credit licensees made over 8000 reports to ASIC under the regime from 1 October 2021 to 30 June 2022.
Some key findings from the report include:
- A significantly lower than expected number of licensees lodged a report during the period – only 6% of licensees lodged a report, which indicates some licensees may not have the right systems and processes in place to detect and report non-compliance;
- Licensees are taking too long to identify and investigate breaches – 18% of the reports received took licensees more than 1 year to identify and commence an investigation into an issue after it had first occurred;
- Improvements are needed to appropriately identify and report the root causes of breaches – over half of the reports identified staff negligence or error as the sole root cause of the breach, and ASIC is concerned that licensees are not addressing the reasons for reported negligence or error. This observation may say more about ASIC’s design of the online reportable situation form than about what is really happening at licensees; and
- Improvements are required for remediation practices – ASIC expects licensees to be proactive and timely when remediating impacted customers.
ASIC is required to release an annual report on information provided to it under the reportable situations regime, and this can include the names of licensees and the volume of their reported breaches.
It is likely that, because ASIC is currently consulting with industry on implementation issues with the regime, it has chosen not to publicly name any of the licensees in this year’s report. However, ASIC has said that its approach to reporting will evolve over time and that it will consider its approach to the 2023 public report, which may include a list of licensees who have reported to ASIC during the period.