The Australian Securities and Investments Commission (ASIC) has released its second report on information lodged under the reportable situations regime for the period 1 July 2022 to 30 June 2023.
Introduced in October 2021, the reportable situations regime redefined what needed to be self-reported to ASIC and required licensees to make substantial changes to their breach reporting systems and processes. A year after the regime commenced, ASIC published its first report (Report 740) observing that implementation challenges had resulted in some inconsistencies in reporting practices. At that time ASIC indicated that further improvement was required from licensees to comply with the regime.
Twelve months on, ASIC reports that little improvement has been made in the key areas of concern highlighted in its first report. Key observations from ASIC’s second publication include:
- Compliance of the licensee population with the regime: Just 11% of the licensee population have lodged a report since the regime commenced in October 2021 and 71% of all reports in the recent reporting period were lodged by just 21 licensees. ASIC remains concerned that this is still significantly lower than it originally anticipated and considers this an indication that some licensees may not have in place the systems and processes required to detect and report breaches.
- Identification and investigation of breaches: In 17% of reports received, the licensee took more than one year to identify and commence an investigation into an issue after it had first occurred (only a 1% improvement from 2022).
- Strengthening of remediation practices: Licensees are still taking too long to compensate impacted customers. Licensees indicated in 247 reports (8% of the total reports involving compensation to customers) that it had taken, or was estimated to take, more than one year to finalise compensation (only a 4% improvement from 2022).
- Staff negligence/error as root cause: Staff negligence/error was the most common root cause of a breach (by a significant margin), identified in 66% of reports, consistent with the findings in the 2022 report. ASIC has expressed its continued concern that this may reflect other underlying root causes or broader failures in licensees’ systems, policies or processes which may be contributing to the prevalence of staff negligence and/or error.
On releasing the report, ASIC Chair Joseph Longo stated that “ASIC will now move to taking stronger regulatory action to drive improved compliance with the regime, including enforcement action where appropriate.” This recent report gives a clear indication from ASIC that it will now be increasing its focus on surveillance activity in this area, targeting licensees who may not be meeting their reporting obligations. In particular, ASIC will focus on licensees who are not reporting, or are reporting significantly less than expected given their nature, scale and complexity, and when compared to peers.
This serves as a timely reminder for licensees to review and, where appropriate, update the systems and processes they have in place to detect, investigate and (where required) report breaches to ASIC.