ASIC publishes guidance on breach reporting

ASIC has released guidance to help credit and Australian Financial Services licensees to meet new breach-reporting obligations.

From 1 October, reforms addressed long-standing concerns about breach reporting by obliging reporting to be consistent, clearer, and timely.

ASIC deputy chair Karen Chester said, 'The new reporting obligations address long held concerns on the quality and timeliness of breach reporting. ASIC analysis in 2018 revealed [that] it took more than four years on average for large financial institutions to identify incidents that proved to be significant breaches. Today's remediation tally reveals how much consumer harm these delays caused, and ultimately at great cost to those firms.'

Compliance breaches happen in all businesses. Breach reporting is integral for board monitoring and risk-management by licensees. It is also needed for the commission's regulatory surveillance.

'The Government's new reporting obligations put strong guard-rails in place that will benefit firms and consumers alike,' said Ms Chester.

'The new obligations will help firms identify and act swiftly on the breaches that matter, making sure they get the attention they deserve. Licensees and boards will have greater confidence [that] they are doing the right thing by consumers, and ultimately their firm and shareholders.

'The new obligations also benefit consumers by allowing ASIC to better identify and swiftly address systemic problems. There will be greater transparency for consumers and firms with the publication of breach-reporting data by ASIC from late 2022.'

AFS licensees will have to report breaches that they discover after 1 October 2021, even if the breach occurred before that date. However, credit licensees do not have to report breaches that occurred before 1 October even when identified after 1 October last year. As a result, credit licensees will have a relatively gradual implementation.

The commission has published INFO 259, Complying with the notify, investigate and remediate obligations, which sets out actions that must be taken by licensees to notify affected customers of a breach of the law, investigate the breach and remediate affected customers. The move implements a new obligation that applies in certain situations to licensees of financial advisers and mortgage brokers.

The commission will take a reasonable approach in the early stages of the new obligations provided industry participants are using their best efforts to comply.

By Nikki Shen, Partner, Hall Chadwick (WA)