How to report a breach
ASIC uses the information in breach reports not only to identify issues with the relevant licensee but also to identify and assess emerging risks and issues. In 2013-2014, of 1,388 breach reports lodged, 51% were referred for further action such as compliance surveillance or enforcement action.
A working internal breach escalation and reporting mechanism (as evidenced by a populated breach register) and occasional reports of significant breaches to ASIC are hallmarks of good compliance culture and a working compliance framework. Mistakes and errors are inevitable in financial services businesses, as in life, and human nature is to "bury" and fix them as quickly and quietly as possible. It goes against the grain to bring dirty laundry out into the sunlight, and report such issues to management, much less the regulator, yet this is what the law requires. How many is "too many" breaches will depend on the size, complexity and nature of the financial services business.
When reviewing breach reports, ASIC is looking for evidence that the licensee understands its obligations, takes them (and ASIC) seriously, and that the action plans to remediate the problem are adequate.
Here are 6 simple tips for reporting breaches on time when you may not yet have all the answers:
- Be open and clear about what obligation you believe has been breached and how it occurred. Was it an issue of substance, of documentation, or of reporting?
- Explain how the breach was discovered (if this was due to internal compliance processes, this is an indicator that those processes are working as they should) and describe its nature and extent (including, as relevant, the number of clients affected, and the period of time over which the breach occurred);
- If there is financial loss, explain your methodology for compensation of clients and how clients may access it (preferably without having to complain);
- Explain your remediation strategy, both in terms of making good any impact on clients already affected and enhancements to compliance arrangements to ensure that the issue cannot happen again. Put yourself in ASIC's shoes: have you done everything that reasonably can be done to address any harm to clients and ensure the issue does not happen again?
- If any information about the size or extent of the breach remains unconfirmed or in doubt:
  - Provide details of the resources being devoted to addressing the issue, with a view to demonstrating that these are reasonable (having regard to the severity of the breach and the size of the licensee);
  - Give a clear commitment to a date at which an update will be provided, and stick to it (even if the further update is simply that a further report is delayed, committing to a revised date). It is preferable to explain the missing information and commit to a date by which an update will be provided than to lodge a comprehensive report late;
- Resist any temptation to minimise the issue or assert that it is not of concern unless you have clear objective information to support that conclusion (such as statistics about the number of clients affected). State, and demonstrate, that you are open to ASIC's views and suggestions in the event it disagrees with any of your conclusions or considers more should be done.
When considering your breach reporting arrangements, it is worth remembering that (in the absence of a clear confession) breaches of the financial services laws are often complex and difficult to prove even if they are the subject of a report. It is true that there are cases where ASIC has prosecuted licensees for breaches which the licensee has itself brought to the attention of the regulator.
Yet it is also true that there are cases in which regulatory action has been taken against licensees for failure to report breaches, rather than for the underlying breaches themselves. It is relatively simple to make a case against a licensee that it should have reported a matter and did not do so. It is generally more difficult to succeed in prosecution of the underlying offence.
The breach reporting regime is one of the few means at ASIC's disposal to understand how licensees' compliance processes are operating. Timely and comprehensive breach reports, and a breach register which documents occasional breaches, are signs of a healthy compliance culture and an effective compliance program.
To achieve this outcome, effective compliance training programs that communicate key compliance obligations and breach reporting procedures to staff, together with a management culture that focuses on results, are essential. If you have "never" had a breach or incident, ask yourself whether your processes really are perfect and what your team would do if there is ever a problem.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.