Mr Kell said that it had become apparent to ASIC that breach reporting was not occurring across the industry in a consistent manner and that breaches were not being reported in a timely manner. Failing to report significant breaches to ASIC is a criminal offence.
ASIC is conducting a review of breach reports that have been made by licensees. It will then conduct a proactive review of some licensees that it identifies as high risk and engage with them to ensure that their processes are robust for identifying and escalating breaches within the organisation and reporting to ASIC. ASIC will consider taking action if the licensee's processes are inadequate.
Mr Kell focussed on the importance of a licensee's compliance culture. A poor compliance culture is considered to be more likely to result in breaches and to undermine customer trust and confidence in the licensee and sector. Compliance culture should be entrenched in the organisation, and Mr Kell said that the organisation's culture will affect the regulatory outcome that ASIC pursues. If business models and incentive structures undermine consumer outcomes, then the organisation is likely to be considered more closely by ASIC. Mr Kell suggested that tying remuneration to compliance culture rather than, for instance, sales, might assist.
The speech highlighted the following:
Firms are expected to play a role in identifying and reporting market problems. Section 912D of the Corporations Act requires licensees to notify ASIC of any significant breach or likely breach of financial services laws, and ASIC's RG 78 sets out its breach reporting guidelines. This has not changed, but notable recent problems have resulted in ASIC's renewed focus on the area.
Reports must be lodged as soon as practicable and in any event within 10 business days of the licensee:
ASIC considers that systems must be in place that allow the licensee to determine the significance of breaches and likely breaches within the 10 business days of discovering them. In particular, the licensee should not delay reporting until:
ASIC considers that the licensee becomes aware of a breach when the person responsible for compliance becomes aware of the breach or likely breach. Internal systems should ensure that relevant persons become aware in a timely and efficient manner and licensees should have a clear, well understood and documented process for:
ASIC carefully assesses the reports and some result in formal action, although most do not. The reports provide information that assists ASIC to determine matters to prioritise for investigation, to identify patterns of misconduct for an organisation or industry, and to determine whether systems to detect and report problems are robust.
In most cases where ASIC does not take action, the licensee is acting to rectify the breach. Serious or systemic breaches may need formal ASIC action, which may include:
In determining what action to take, ASIC takes into account:
The review is part of ASIC's 'detect, understand and respond' approach. ASIC recognises that things can go wrong. Reporting is a measure of how effectively the firm responds to problems: whether its response is timely and transparent, or slow and confused, or a cover-up. A systems failure and a liberal interpretation of breach reporting obligations are both considered a problem.
AFS licensees should review their breach reporting framework and ensure their processes reflect Mr Kell's comments, in particular, the timing aspects of identifying and reporting significant breaches.