Last week, ASIC published its highly anticipated Report 740 Insights from the reportable situations regime: October 2021 to June 2022. The report sets out ASIC’s observations regarding implementation of the reportable situations regime based on data received from breach reports lodged between 1 October 2021 and 30 June 2022.
As per ASIC’s commentary in the lead-up to publication, the report is limited to high level insights into trends observed and ‘does not name licensees or provide data with a high degree of granularity’. This is because ASIC acknowledges that, unfortunately, ‘comparisons between licensees are unlikely to provide meaningful insights, given the current inconsistencies in reporting practices'.
ASIC is considering how to respond to these inconsistencies and is currently consulting with the industry on this.
Some important statistics revealed in the report, and our comments on these trends, are as follows:
8,829 initial reports were submitted. Dentons comment: This is less than we anticipated – it would seem that some licenses are under reporting
6% of the licensee population lodged reports. Dentons comment: This is a much smaller cohort than we expected, with only 3% of all ACL holders lodging a report
74% of all reports were lodged by just 23 licensees (generally larger licenses). Dentons comment: This is not surprising as larger licensees generally have dedicated resourced for breach reporting
548 AFS licensees lodged a report (9% of the licensee population), compared to only 126 credit licensees (3% of the licensee population)
38% of reports were about credit product lines, 19% were about general insurance, and 10% were about deposit-taking
34% of reports were about issues arising from false or misleading statements (mainly statements in relation to products, service information or warning statements), 21% were about lending, 19% were about general licensee obligations, and 14% were about fees and costs 60% of reports specified a root cause of staff negligence or error, 9% were in relation to policy or process deficiencies, and 6% were in relation to system deficiencies
9% of reports stated that the breaches were identified from internal sources
18% of reports indicated the licensee took more than one year to identify and commence an investigation into an issue after it had first occurred 5% of reports indicated the licensee took, or was expected to take, more than one year to complete the investigation 70 calendar days was the average time for completion of an investigation
82% of reports indicated customers were impacted (financially and non-financially) with 23% indicating financial loss
$368.5m in cumulative customer financial impact was reported $51.6m in compensation was paid to 455,210 impacted customers 236 remediation activities involving compensation took, or were expected to take, more than a year to complete after commencement of an investigation (out of 1,952 remediations in total)
ASIC noted:
"The proportion of the licensee population that has lodged a report during the reporting period is significantly lower than anticipated, particularly for credit licensees. This is concerning. The reportable situations regime acknowledges that, despite an expectation of compliance, breaches will occur. Licensees have a clear role in lifting industry standards as a whole by identifying and reporting their own problems in a timely manner. Failure to lodge reports is an indicator that those licensees may not have in place the systems and processes required to detect and report non-compliance."
Given ASIC’s warning, it is important for licensees to review breach reporting policies and procedures and promptly audit those procedures to ensure that they are followed.
There is also a probable need to uplift training of frontline staff (especially staff dealing with complaints) and all staff responsible for investigating and assessing breaches. Given the complexity of the regime, those staff should be encouraged to lean on internal or external legal resources to ensure breaches are being appropriately assessed and reported if necessary.
Interestingly, the main driver for the significant volume of reports by credit providers ‘was the lodgement of separate reports about one-off breaches of specific responsible lending obligations, where those breaches were reported as the result of staff negligence or error’. 25% of reports lodged were in relation to home loans.
Staff negligence or error was selected as the sole root cause in 55% of reports where the licensee had reported that there had been previous similar breaches and/or there were multiple breaches grouped into the relevant report. ASIC notes that this ‘raises some concerns as to whether licensees are consistently identifying and addressing the underlying root causes for breaches'.
In response to this, ASIC intends to provide guidance on the circumstances in which it is appropriate for licensees to select ‘staff negligence or error’ as the root cause (e.g. only when it has determined there are no other underlying root causes).
We expect ASIC will be looking closely at the conduct of credit licensees given that only 126 credit licensees lodged breach reports in the period.
ASIC’s insights raise several questions: what incidents were identified by licensees in the period (or are incidents simply not being identified at all)? Why did these incidents fail to trigger the lodgement of breach reports? Are breach reporting policies and procedures insufficient, or are do staff and management simply fail to follow them?
Please reach out if any assistance is required to ensure breach reporting policies and procedures comply with the regime. Dentons may also assist with reporting any breaches that arise, or simply provide some refresher training to staff.