ASIC has released its second publication on information lodged under the reportable situations regime. Over 16,000 reports were made to ASIC by financial services and credit licensees under the regime between 1 July 2022 and 30 June 2023.
The publication shows little improvement has been made in key areas of concern that ASIC highlighted in the first publication on insights from this regime last year. Among other things:
the proportion of the licensee population reporting remains very low, indicating that some licensees may not be complying with the regime
licensees are still taking too long to identify and investigate some breaches
a significant number of remediation activities are still taking too long to complete, and
there remain opportunities to improve identification and reporting root causes of breaches.
‘The reportable situations regime has now been in place for over two years, and licensees have had ample time to take the necessary steps to ensure full compliance with the requirements,’ said ASIC Chair Joseph Longo.
‘Since its commencement, ASIC has been working with stakeholders to improve the operation of the reportable situations regime, including through providing guidance and modifications. ASIC will now move to taking stronger regulatory action to drive improved compliance with the regime, including enforcement action where appropriate.’
Compliance of the licensee population with the regime
Since the regime commenced in October 2021, only 11% of the licensee population has lodged a report. This remains significantly lower than expected and indicates that some licensees may not have in place the systems and processes required to detect and report breaches.
ASIC has commenced surveillance activity targeting licensees who may not be meeting their obligations. As part of this, ASIC will focus on licensees who are not reporting or are reporting significantly less than expected given their nature, scale, complexity, and when compared to peers.
Identification and investigation of breaches
In 17% of the reports received, it took the licensee more than one year to identify and commence an investigation into an issue after it had first occurred.
ASIC expects licensees to promptly identify non-compliance. Delays create challenges for the timely investigation and rectification of issues and can mean that customers wait longer for remediation.
Timeliness of remediation activities
ASIC is concerned that licensees are still taking too long to compensate impacted customers. Licensees indicated in 247 reports (8% of the total reports involving compensation to customers) that it had taken, or was estimated to take, more than one year to finalise compensation.
As outlined in a recent article, ASIC calls on licensees to strengthen remediation procedures, ASIC will consider regulatory action where licensees fail to deliver fair and timely remediation to affected customers.
Identification of root causes
The most common root cause for breaches (66%) continues to be staff negligence or error, even where there are repeat or multiple breaches, or multiple breaches were grouped together.
ASIC remains concerned that licensees may not be adequately identifying the underlying root causes for breaches, such as by determining the underlying reasons for repeated staff negligence or error. The accurate identification of root causes is important in enabling a licensee to put in place appropriate preventative measures to reduce the likelihood of similar breaches occurring.