ASIC's recent report provides high-level insights into the trends observed in breach reports lodged by Australian Financial Services and Australian Credit licensees ("Licensees") between 1 July 2022 and 30 June 2023.

Key Observations from the Report

  • There has been a 43% increase in monthly reporting compared to the previous reporting period, with around 1,403 reports being submitted by Licensees per month.
  • ASIC expressed concerns that only 9% of the Licensee population lodged reports, which is much lower than expected. Moreover, 71% of all reports were lodged by only 21 licensees.
  • The most common root cause of reportable breaches continues to be staff negligence and/or error (66% of all reports). Other common root causes that were reported to ASIC include policy and process deficiency (8%), system deficiency (6%) and inadequate supervision or lack of staff training (4%).
  • With 25% of all investigations into a breach taking longer than 30 days, the timeliness for identifying and investigating breaches remains a concern.
  • In 8% of cases involving compensation, Licensees took or estimated taking more than a year to finalise compensatory actions, indicating a lack of expedited resolution for affected customers.


Key Takeaways for Licensees

Licensees should consider their breach reporting procedures, including:

  • strengthening internal risk management activities;
  • identifying and investigating breaches in a timely manner;
  • familiarising themselves with the current rules around the reportable situations regime and ensuring their systems, policies and processes are up to date.

In cases where Licensees reported issues in the same areas of their businesses, Licensees should review their processes to ensure their compliance obligations are being met and address any gaps where a breach may arise. Licensees should also consider the most common underlying root causes for breaches (such as staff negligence and/or error) and ensure appropriate preventative measures are put in place to reduce the likelihood of similar breaches occurring, for example:

  • implementing ongoing training on common areas of concern;
  • monitoring and supervision mechanisms;
  • induction training for new employees;
  • procedures and checklists to ensure continuity.

Background

The reportable situations regime was introduced in October 2021. Under the regime, ASIC is required to report annually on information submitted by Licensees and may take enforcement action against Licensees if it considers there has been non-compliance with the reporting requirements.
