Breach Reporting Guidance to Reduce Licensee Burden – ASIC


ASIC has released regulatory guidance for its new breach reporting requirements this week, which includes processes it says will ease the reporting burden for licensee firms.

Taking effect from 1 October 2021, the new breach reporting obligations will now accommodate batch uploading of reports where they derive from a single root cause.

This change has been introduced following an industry feedback process which the regulator characterises as having been “…greatly enhanced by the constructive submissions and valuable insights received from industry through the consultation.”


ASIC Deputy Chair, Karen Chester, says the ability for licensee firms to provide batch uploading “…will significantly reduce the reporting burden for licensees.”

The regulator notes it has also responded to industry feedback by incorporating an additional 15 working examples in its guidance.

In a statement accompanying the release of its regulatory guidance, ASIC notes these breach reporting reforms are intended to address long-standing concerns about breach reporting by making the reporting consistent, clearer and timely across the industry:

“ASIC analysis in 2018 revealed it took more than four years (on average) for large financial institutions to identify incidents that proved to be significant breaches. Today’s remediation tally reveals how much consumer harm these delays caused, and ultimately at great cost to those firms,” Chester says.

She adds the new obligations “…will help firms identify and act swiftly on the breaches that matter, making sure they get the attention they deserve. Licensees and boards will have greater confidence they are doing the right thing by consumers, and ultimately their firm and shareholders.”

ASIC has also published INFO 259, which sets out actions that must be taken by licensees to notify affected customers of a breach of the law, investigate the breach and remediate impacted customers. It says this implements a new obligation that applies to licensees of financial advisers and mortgage brokers in certain situations.


The commission notes that in line with its recent statement, it will “…take a reasonable approach in the initial stages of these new obligations provided industry participants are using their best efforts to comply.” (See: Reasonable Approach to New Laws Reforming Financial Services Sector.)

The AFA’s Phil Anderson welcomed the release of the new regulatory guide, noting that the new regime is less than four weeks away, and said he was pleased that ASIC has issued an info sheet on the ‘notify, investigate and remediate’ obligations.

He says the association has been concerned about the new breach reporting regime, including the complexity of what is reportable, the prospect that it will lead to a substantial increase in the number of matters that need to be reported, and the extent to which some of them will be minor or administrative matters.

“The recently issued breach reporting regulation has at least provided some important exemptions for civil penalty provisions that do not need to be reported.

“This is one more major reform that is happening at the same time as a lot of other change, whilst the adviser population is still coming to terms with other reforms that are continuing to play out… The new breach reporting regime will be particularly challenging for small licensees,” Anderson says.