ASIC’s Report

ASIC recently released its Report on Insights from the reportable situations regime: October 2021 to June 2022 (Report). The Report is ASIC’s first publication of the information provided under the reportable situations regime prescribed by the Corporations Act 2001 (Cth). The reportable situations legislation requires ASIC to publish information from reports lodged by Australian financial services (AFS) licensees and Australian credit licensees (credit licensees), together “licensees”.

ASIC Regulatory Guide 78 Breach reporting by AFS licensees and credit licensees (RG 78) provides further guidance as to what, and when, licensees must report to ASIC. In summary, licensees must report all reportable situations to ASIC in writing, including:

• significant breaches or likely significant breaches of “core obligations”
• investigations into whether there is a significant breach or likely breach of a “core obligation” if the investigation continues for more than 30 days
• the outcome of such an investigation if it discloses there is no significant breach or likely breach of a “core obligation”
• conduct that constitutes gross negligence or serious fraud
• reportable situations about other licensees.

The Report’s scope covers information from reports submitted on reportable situations in the first category above (significant breaches or likely significant breaches of “core obligations”).

Implementation challenges

The Report provides high-level insights into the trends observed in reports lodged by licensees under the regime over nine months between 1 October 2021 (when the regime came into effect) and 30 June 2022.

It is interesting to note that, in the Report, ASIC states that the reportable situations regime is a reform that “required licensees to make substantial changes to their systems and processes. The scale of the changes and the principles-based nature of the regime have led to challenges in the implementation of the new regime. These implementation challenges have, among other things, resulted in some inconsistencies in reporting practices.”

Accordingly, the Report “is limited to high-level insights into trends observed across the reports lodged by licensees during the reporting period”. ASIC does not further specify what the “implementation challenges’’ were, however, factors could include:

• the sheer scale of the regime
• the need for internal compliance systems to support its implementation.

Key insights

Some of the key insights set out in the Report include:

• a significant increase in the volume of reports (8,829 initial reports and 2,530 updates – up from 2,435 breach reports (including updates) under the previous breach reporting regime recorded in the last full financial year before the implementation of the regime).
• of those reporting, AFS licensees are reporting more than credit licensees.
• most reports involved a financial service, credit activity or product line. The most common category of issues to which the reports related was “false or misleading statements” (34 per cent).
• staff negligence or error was most commonly reported as the root causes of a breach (a root cause refers to the underlying cause of the breach (e.g. a specific systems error or process deficiency)).
• 18 per cent of reports indicated that it took the licensee more than one year to identify and commence an investigation into an issue after it had first occurred.

ASIC attributes the increase in the volume of reports to the regime now extending to credit licensees and also changes to the “significance” test under the reportable situations regime – over 90 per cent of the reports in the reporting period were from “deemed significant” breaches.

The Report makes for interesting reading and for more detail on these insights above we encourage licensees to read the full Report. We have selected some additional findings below for discussion.

Duration of investigations

The Report reveals that the median time taken to identify and commence investigation into breaches was 39 calendar days, with a mean of 380 calendar days. However, this varied significantly across the reports. According to ASIC there was an excessive number of reports where it took more than a year to identify and commence an investigation into a breach. In some cases, it took the licensee five or more years to identify and commence an investigation into a breach. ASIC expects licensees “to have systems in place for significantly swifter identification and investigation of non-compliance”.

Rectification of breaches

As at 30 June 2022, licensees had rectified the breaches in 78 per cent of reports and were intending to rectify the breach in a further 6 per cent of reports. Licensees were still investigating the root cause and solutions for the remaining reports (14 per cent) or expressed no intention to rectify the breach (2 per cent). The Report notes that staff training on internal policy and procedures was the most common rectification method that licensees had taken or planned to take.

Who is impacted by breaches?

In the majority of the reports (82 per cent) the licensees’ clients were impacted (financially or non-financially). In addition to the other insights from the Report, perhaps that statistic should have the biggest impact on licensees. ASIC has made it clear in its ASIC enforcement and regulatory update: July to September 2022 Report 753 that its “key priority is to protect consumers, especially the most vulnerable”.  Improving internal compliance systems will not only help licensees to meet their reporting requirements faster and more efficiently but they will also, hopefully, avoid causing harm to clients.

How can CompliSpace help?

CompliSpace is a leading provider of governance, risk and compliance services to AFS licensees. We provide flexible RegTech solutions to business from domestic and global fund managers through to responsible entities, ASX listed entities, financial planners and insurance companies, helping to streamline and simplify their compliance obligations and data management for increased oversight and empowered decision-making.

To help our clients comply with their reportable situation reporting requirements, CompliSpace has created “a Reportable Situations workflow in accordance with RG 78” template through our Assurance Product, which builds on the information and functionality of our new breach reporting form. The data from the workflow template can be used to report the required reportable situation information to ASIC through the ASIC Regulatory Portal. If you’d like to discuss how we can help your organisation comply with the reportable situation reporting requirements, please get in touch with us by email at contactus@complispace.com.au or through our contact page.