The Australian Securities and Investments Commission will undertake a review of breach reporting by licensees, in response to concerns raised about inconsistencies and delays.
Speaking at the Risk Management Association of Australia Chief Risk Officers Forum, ASIC Deputy Chairman, Peter Kell, said recent enforcement actions had highlighted deficiencies in the approach to breach reports, in particular the timeframe in which licensees are reporting significant breaches.
“Under the Corporations Act 2001 (section 912D), AFS licensees must report significant breaches to ASIC as soon as practicable and in any case within 10 business days after becoming aware of a breach,” Mr Kell explained.
“To be clear, this means that a licensee should not wait until after it has completed a full investigation to satisfy itself whether or not the breach or likely breach is significant. Nor should the licensee wait until the breach or likely breach has been considered by its board of directors or by its internal or external legal advisers. If in doubt, err on the side of caution and report the breach to ASIC.”
Mr Kell said that breach reports provided an important source of intelligence for ASIC, helping to identify and assess emerging risks and issues. ASIC expects that licensees have robust systems in place to identify, escalate and report breaches in a timely manner. Mr Kell said that inadequate or late reporting could indicate to ASIC that the licensee has broader compliance and cultural issues and would be a red flag for closer scrutiny.
“ASIC will be closely examining the breach reports we receive, and in the coming months will conduct a proactive surveillance of those licensees identified as having a higher risk of non-compliance based on what is reported and on the timeliness of reports,” Mr Kell said.
“ASIC will work with licensees who are operating in good faith and taking their obligations seriously. However, we will take regulatory action if we find the processes for breach reporting are inadequate,” he added.