On 27 October 2022, ASIC published Report 740 (REP 740) with its first insights on the reportable situations regime. ASIC's publication is a requirement of the reportable situations regime in the Corporations Act 2001 (Cth) which requires the publication of information about reports that are lodged by licensees. For background, the reportable situations regime came into effect on 1 October 2021 and was implemented to strengthen the obligations of AFS licensees and extend this obligation to credit licensees.
ASIC's report focuses on insights in relation to the following:
- the volume of reports and nature of lodgers;
- the subject of the reports and root causes of the breaches;
- the identification and investigation of breaches; and
- the customer impact, remediation and rectification of breaches.
We discuss each of these in this alert as well as ASIC's observations, concerns and expectations.
ASIC also prefaced its report by acknowledging that there appear to be some inconsistencies in reporting practices as a result of the challenges licensees faced with implementing the scale of changes and given the principles-based nature of the regime. With this in mind, ASIC's publication shares high-level insights and trends and does not 'name and shame' licensees.
What does REP 740 cover?
ASIC's report covers reports lodged between 1 October 2021 and 30 June 2022 in relation to significant breaches of core obligations and situations where the relevant licensee is no longer able to comply with a core obligation and the breach, if it occurs, will be significant.
The following were therefore outside the scope of ASIC's report:
- reports about gross negligence and serious fraud;
- reports about investigations that have not yet concluded that a significant breach of a core obligation has occurred or will occur;
- reports about investigations that have concluded that a significant breach of a core obligation did not or will not occur;
- reports about another licensee;
- reports made under the previous breach reporting obligation (as in force immediately before 1 October 2021) using the previous ASIC Regulatory Portal form; and
- reports made to APRA with a first awareness and instance date before 1 October 2021 and not involving a continuing breach.
Volume of reports and nature of lodgers
There was a significant increase in the volume of reports received by ASIC compared to the previous breach reporting regime, with ASIC receiving 8,829 initial reports and a further 2,530 updates to reports. While the increase was significant, ASIC notes that it was expected, given the extension of the regime to credit licensees and the changes to the significance test.
The portion of the licensee population that lodged a report, however, was significantly lower than expected, with only 6% of all licence holders lodging a report. ASIC notes in the report that this is concerning and indicates that it will be undertaking a range of activities to strengthen compliance with the regime.
The report also reveals that the majority of reports were lodged by larger licensees, with 74% of all reports being lodged by only twenty-three licence holders. ASIC notes its expectation that all licensees, regardless of size, have adequate systems to detect and report breaches.
Subject of reports and root causes of breaches
ASIC has disclosed that 38% of reportable situations related to credit. ASIC noted that the high volume of breaches by credit licensees were reported as separate and one-off breaches of specific responsible lending obligations relating to staff negligence or error. Home loan products were the most common subject of a breach notice amounting to 25% of all breach reports.
ASIC has also revealed that the most common category of issues to which reports related was false and misleading statements, which amounted to 34% of the reports. Of that 34%, a total of 30% related to statements regarding service information and warning statements about products. This highlights the importance of ensuring that as a licensee you have appropriate arrangements in place to ensure that client-facing documents and disclosure and marketing materials are accurate and not misleading and deceptive.
ASIC discloses that the most common category of root cause selected was staff negligence or error, with 60% of reports listing this as the root cause. Staff negligence or error was selected as the sole root cause category in 55% of reports where the licensee had previous similar breaches and/or there were multiple breaches grouped into the relevant report. ASIC considers that this raises concerns as to whether licensees are consistently identifying and addressing the underlying root causes for breaches and notes that it proposes to provide guidance in relation to the circumstances when a licensee should select ‘staff negligence or error’ as the root cause in an effort to emphasise the importance of undertaking appropriate root cause analysis.
Identification and investigation of breaches
ASIC determined that 79% of the breaches reported were first identified by the licensee from internal sources, highlighting the importance of internal risk management activities. The report identifies that the most common triggers selected for identifying a breach were staff or business unit reports, followed by the compliance function and customer complaints.
The median time taken to identify and commence an investigation into a breach was 39 calendar days. However, this varied significantly across the reports with an excessive number (18%) of reports taking more than a year to identify and commence an investigation. In particular, ASIC is concerned about the 582 reports where it took the licensee five or more years to identify and commence an investigation into a breach. ASIC also notes that reports containing breaches that licensees took longer to identify and commence an investigation into had a greater number of impacted customers, reinforcing the importance of early identification of breaches. Overall, licensees completed (or expected to complete) investigations on average in 18 calendar days.
ASIC has identified that timeliness for identifying and investigating breaches is a real concern and that it expects licensees to have systems in place for significantly swifter identification and investigation of non-compliance.
Customer Impact, Remediation and Rectification
ASIC detailed that approximately a quarter of reports involved financial loss for customers. The total customer financial loss identified across the reports received as at 30 June 2022 was approximately $368.5 million. Of the reports where a customer financial loss was recorded, 68% involved a total customer financial loss of less than $10,000. ASIC considers that these figures likely understate the actual numbers given that:
- customer financial loss could increase as licensees continue to conduct their investigations; and
- there may be circumstances where financial loss is not obvious to the licensee.
From the reports ASIC received that quoted a customer financial loss, licensees either had financially compensated, or intended to financially compensate, all impacted customers in 96% of cases. ASIC expressed concern regarding the remaining 4% of reports and reiterated its position that remediation must be initiated if a licensee, or one of its representatives, has engaged in misconduct or other failure that has caused, or will cause, customer loss. ASIC also used this report to remind industry that licensees need to properly resource remediation activities so that remediation can occur in a timely manner.
In terms of rectification, the rectification approach varied depending on the particular issue and underlying root cause. The most common rectification method was staff training, followed by other rectification methods and communication to customers.
What are some of the key takeaways?
ASIC identifies a number of areas of concern in REP 740 that licensees should consider in light of their own reportable situations arrangements.
Some of the key areas that licensees should consider include:
- whether their systems are adequate to detect and report all reportable situations to ASIC;
- whether their root cause analysis is adequate to identify and address the underlying root causes for breaches;
- what measures they have in place to address staff negligence or error;
- whether they have appropriate systems in place to ensure that all client-facing and disclosure documents and marketing content are not misleading and deceptive in nature;
- whether their systems are adequate to ensure timely identification and investigation of breaches and non-compliance; and
- whether they have appropriate systems and resources to initiate remediation in a timely manner if the licensee, or one of its representatives, has engaged in misconduct or other failure that has caused, or will cause, customer loss.
Licensees should review their reportable situations arrangements in relation to these matters together with their incident and breach registers and analyse data in relation to the time taken to identify, investigate, remedy and rectify relevant breaches.
Licensees should also keep watch for any further ASIC guidance and further ASIC consultation in relation to those aspects of the regime that ASIC identifies in the report.