Three key themes since the Regime’s introduction
ASIC has recently published a paper (here) recording high-level insights on themes and trends observed in reports received from AFS and credit licensees under the new Reportable Situations Regime (the Regime). Much to the relief of licensees, ASIC declined to publish granular licensee-level data, although it has not excluded the possibility of doing so in future publications.
As outlined in our previous Insight, the Regime has extended reporting requirements to credit licensees and has significantly widened the scope of what is required to be reported to ASIC. Since the introduction of the Regime, we have observed three key themes:
- The Regime has necessitated a comprehensive review of existing internal breach and investigation frameworks, and has in some cases required licensees to dedicate significant human and financial resources to that function.
- In respect of those categories of breaches ‘deemed significant’, in some instances clients have been required to report matters even where the number of breaches, or client or market impact, is immaterial (or non-existent).
- Despite efforts to introduce objectivity and clarity into the Regime, there remain key points of ambiguity in its interpretation and operation. As a result, we have observed (and ASIC notes in its report) inconsistencies in reporting practices across licensees, including how licensees calculate and report the number of reportable situations, as well as what constitutes an ‘investigation’ and when it starts.
Our observations above are reflected in the data reported by ASIC, as summarised below.
- Significant increase in the volume of reports but highly concentrated number of reporters – ASIC received 8,829 reports in the period from October 2021 to June 2022 (the Reporting Period), plus an additional 2,530 updates. However, only 6% of licensees (from the available licensee population) submitted reports to ASIC and 23 licensees were responsible for 74% of all reports. Most of these licensees had revenue over $250 million (for AFS licensees) or $1,800 million (for credit licensees). ASIC has expressed concern that this might mean smaller licensees do not have the processes in place to identify and report breaches and it will take steps to strengthen compliance with the Regime in the future.
- Most reports relate to a financial service, credit activity or product line – about 86% of all reports related to a financial service, credit activity or product line, with credit (38%), general insurance (19%) and deposit taking (10%) being the main drivers.
- The most common issue was ‘false or misleading statements’ – ‘false or misleading statements’ were listed as the most common issue (34%), followed by lending (21%), general licensee obligations (19%) and fees and charges or account administration (14%). Most ‘false or misleading statements’ concerned product or service information, or were made in a warning statement.
- The most common root cause was ‘staff negligence or error’ – approximately 83% of reports identified at least one root cause. ‘Staff negligence or error’ was identified in 60% of cases, followed by process deficiencies (9%) and system deficiencies (6%). ASIC has expressed concern as to whether licensees are using ‘staff negligence or error’ as a catch-all and has noted an intention to publish guidance to encourage licensees to list this root cause as a last resort where no other root cause can be identified.
- Most breaches were identified from an internal source – about 79% of reports were listed as being identified through an internal source, with ‘staff report or business unit report’ being the main driver. ASIC noted there were some inconsistencies between licensees identifying internal versus external sources and promised to provide further guidance to licensees.
- It took licensees on average 380 days to identify and commence an investigation but only 70 days to complete their investigation – most licensees were able to commence their investigation within a year. However, 18% took over a year and 7% took over five years. The majority of licensees were able to complete their investigations within 90 days, but approximately 5% of investigations took over a year to complete.
- Fewer than a quarter of breaches actually caused financial loss to customers – while a majority of reports (82%) identified customer impact, most of this was non-financial, ranging from customer confusion to distress. In the 23% of cases that reported financial loss to customers, the loss was in most instances less than $10,000.
- ‘Staff training on internal policy and procedures’ was the main rectification listed – while the rectification method varied depending on the identified root cause, ‘staff training on internal policy and procedures’ was listed in almost half of cases (which tallies with ASIC’s findings about the predominance of ‘staff negligence or error’ as an identified root cause).
These key takeaways suggest that the widening of the scope of what constitutes a ‘reportable situation’ under the Regime (a Reportable Situation), particularly to catch breaches of certain civil and criminal penalty provisions where the breach would not otherwise satisfy the ‘significance’ test, has meant that smaller or less sophisticated licensees are not identifying and reporting Reportable Situations that should be reported to ASIC in a timely fashion, or at all. This may be because those licensees do not have the resources to investigate the potentially hundreds of penalty provisions that now automatically trigger a Reportable Situation. Licensees with larger internal compliance and legal teams and the ability to devote budget to external legal support are, on the other hand, investigating and reporting certain situations which are ultimately insignificant and involve no loss to clients. This certainly accords with our experience advising clients in the past 12 months – in many cases, the time and legal spend required to reach a firm conclusion on whether a Reportable Situation has arisen is in no way proportionate to the nature of the incident being reported.
Despite this, ASIC’s view seems to be that there remains insufficient reporting across the industry. This suggests the Regime is currently having a bifurcated outcome whereby:
- larger licensees are devoting material time, resources and cost to investigating and reporting situations in a way which is disproportionate to their actual significance (taking into account actual and potential loss to clients); and on the other hand
- smaller licensees who do not have the same resources may be experiencing, and continue to experience, difficulty in complying.
Which licensees are lodging reports?
For the Reporting Period, ASIC received 8,829 reports and a further 2,530 updates, up from 2,435 breach reports over a 12-month period under the old reporting regime. ASIC attributed this increase to:
- the Regime being extended to credit licensees (responsible for about 35% of all reports); and
- changes to the significance test under the Regime (about 90% of all reports were ‘deemed significant’ breaches, i.e. breaches which may not have been reportable under the old regime because they would not have met the actual ‘significance’ threshold).
Despite the material increase in the volume of reports submitted, about three-quarters of the reports were lodged by only 23 licensees. ASIC also expressed concern about the very low volume of credit licensees who had lodged reports, despite most reports relating to credit.
In ASIC’s view, this concentration of licensees suggests other licensees may not have the adequate systems and processes in place to identify and report non-compliance.
Somewhat ominously, ASIC has foreshadowed it will be taking steps to strengthen compliance with the Regime in the coming year and it remains to be seen what this will entail. With the significant increase in the number of reports received (and noting that a majority of these reports related to deemed rather than actual significant breaches), it remains to be seen how ASIC will triage these reports to ensure breaches which have caused loss to clients and/or are indicative of systemic issues within an organisation are being appropriately identified and dealt with, rather than being obscured by the voluminous reporting received in respect of other Reportable Situations that are objectively less significant.
How are licensees identifying and investigating breaches?
Figure 1 shows the breakdown of the most common identification triggers of Reportable Situations during the Reporting Period. About 79% of these came from the relevant licensee’s internal sources. ASIC noted there were some inconsistencies between licensees when identifying a trigger as an ‘internal’ as opposed to an ‘external’ source, and said it will provide guidance to encourage greater consistency among licensees.
Figure 1: Top identification triggers of a breach
On average, it took licensees 380 days to identify and commence an investigation. The average is skewed because of the 1,567 reports (18%) that have taken over a year to identify and commence an investigation. ASIC noted it is particularly concerned with these reports, including 582 reports that have taken over five years to identify and commence an investigation (and noting that one of the key drivers of the new Regime was to avoid the situation under the old breach reporting regime where licensees were in some cases taking years to investigate and report breaches).
In ASIC’s view, the longer it takes a licensee to begin its investigation, the greater the number of customers potentially impacted. For example, ASIC noted that a licensee that takes on average 198 days to identify and investigate a breach is likely to affect one customer as opposed to over 1 million customers for a licensee that takes on average 1,874 days to identify and begin its investigation.
The time taken to investigate a breach was significantly shorter, on average, during the Reporting Period than in respect of the previous 12 months under the old regime, with licensees taking an average of 70 days to investigate a breach. ASIC noted there was a strong relationship between the number of customers impacted by a breach and the time taken for a licensee to complete its investigation. Hence ASIC drew the conclusion that the sooner a breach is identified, the quicker a licensee is able to conclude its investigation and the less likely customers are to be impacted.
Despite relatively helpful guidance from ASIC in Regulatory Guide 78: Breach reporting by AFS licensees and credit licensees (available here), we continue to observe that licensees have difficulty determining what constitutes an investigation and when it is deemed to have commenced (including when the licensee is deemed to ‘know’ of the existence of certain facts). This remains an area of uncertainty which is causing some angst, and it may be partly responsible for the inconsistent reporting outcomes which ASIC has noted.
Customer impact, remediation and rectification
Of the reports submitted to ASIC, 82% indicated that customers were impacted. The majority of reports (83%) reported that nine customers or fewer were impacted.
- Customer financial loss: Only about a quarter of reported situations identified customers as having experienced loss, and most of that loss (68%) was confined to less than $10,000 (equating to about $368.5 million in aggregate). The remaining impacted customers were recorded as having non-financial loss, varying widely and including concepts ranging from customer confusion to distress.
- Remediation: Licensees paid approximately $51.6 million in aggregate to remediate impacted customers. While 96% of reports (which identified customer impact) indicated the licensee had either remediated or intended to remediate, the ASIC paper expressed concern with the less than 4% of reports that noted the licensee did not intend to compensate impacted customers.
- Time to remediate: The time taken by licensees to remediate was on average 120 days, though in the case of a small number of reports (12%), remediation took more than a year. ASIC has recently published Regulatory Guide 277: Consumer remediation (here), which sets out its expectations for the systems and processes that licensees must have in place to ensure that misconduct is identified and that consumers who suffer loss are compensated.
- Rectification: At the time of reporting, licensees had rectified breaches in 78% of cases, with a further 20% either in the process of rectifying or still conducting investigations. Less than 2% of reports stated that the licensees had no intention of rectifying the breach. The most common rectification method was ‘staff training on internal policy and procedures’ (41%), followed by ‘other rectification methods’ (26%) and ‘communication to customers’ (23%). On average, it took licensees 12 days to rectify a breach.
It is clear from the ASIC paper that there remain implementation challenges with the Regime, and that ASIC intends to focus its efforts on enhancing compliance across the board. In this regard, we have heard anecdotally that the directors of some licensees have received letters from ASIC reminding them of their obligations under the Regime.
Going forward, licensees should ensure they are operationally equipped to identify and report Reportable Situations, which may require licensees to revisit their compliance structure, provide additional training to staff and/or engage external legal support to assist with putting in place a framework that responds to, and allows for, compliance with the new Regime.