On 25 September 2018, ASIC released Report 594: Review of selected financial services groups' compliance with the breach reporting obligation (“Report”) which considered breach reporting practices and highlighted the significant period of time taken by many financial firms to identify and address regulatory breaches. The Report examines the breach reporting practices of ANZ, CBA, NAB, Westpac, AMP, and other large financial services groups.
Australian Financial Services (“AFS”) licensees are required to report any significant regulatory or licence condition breach that has occurred, or is likely to occur, as soon as practicable and within 10 business days of becoming aware of the significant breach.
ASIC began reviewing AFS licensee breach reporting following the Government’s announcement in April 2016 that it would implement new measures to protect Australian consumers by improving outcomes in financial services. ASIC’s Report considers the compliance of certain financial services groups with the reporting requirements under section 912D of the Corporations Act 2001 (Cth).
The review involved analysis of 715 significant breach reports from twelve financial services groups over the period 2014 to 2017. The financial services groups included the major four banks, AMP, Bank of Queensland, Bendigo and Adelaide Bank, Credit Union Australia, Greater Bank, Heritage Bank, Macquarie Group and Suncorp Group.
The Report found that most of the groups reviewed breaches in two stages. Some groups first determining whether an incident was a breach, and then proceeding to assess whether that breach was significant. Other groups directly assessed whether incidents were significant breaches.
ASIC found that it took an average of 1,517 days for the financial firms to identify a breach. It then took an average of 28 days for the groups to investigate the breach after identification, and a further 128 days for firms to report the breach after investigation.
The majority of the breaches were found to be related to superannuation (40%) and personal advice (27%). Of the breaches reported, 65% of them were a failure by the licensee to comply with financial services laws. 37% of them were due to deficient disclosure, 24% were due to incorrect fees and charges, 21% were due to inadequate compliance systems, and 14% were due to failure of the licensee’s representatives to comply with financial services laws.
279 of the 715 significant breaches reported to ASIC resulted in financial loss, which equated to a total loss of $497,241,980 for consumers. Some financial firms took an average of 251 days after completing their breach investigation to make the first payment to affected customers. The Report further stated that due to the current average time taken for groups to identify incidents, report significant breaches and pay affected customers after breach investigations, a consumer who experiences losses due to a significant breach that started today might be out of pocket until 2024.
ASIC recognised that the ambiguity and subjectivity around the concept of ‘significance’, combined with the legislation being silent on the timelines of investigation may contribute to the current perception that the breach reporting regime is inadequate. As a consequence, ASIC has stated that it will support any move to clarify the legislative definition of ‘significant breach’ in order to remove ambiguity and simplify the obligations on financial firms.
In light of the Report, ASIC have emphasised that breach reporting is a statutory requirement and a cornerstone of ASIC’s regulatory architecture. ASIC have made it clear that it will take action in response to non-compliance with breach reporting obligations.
ASIC will continue to monitor breach reporting processes, and intervene in remediation to customers where necessary, and may also conduct a follow up review. Senior ASIC staff will also begin on-site monitoring at ANZ, CBA, NAB, Westpac and AMP from October 2018 and additional changes to ASIC’s Regulatory Portal are being developed to allow AFS licensees to directly submit breach reports and updates to ASIC.
The Report is available on ASIC’s Website. If you have any questions please contact Hillary Ray or a member of our Financial Services team.