Issues identified in ASIC's previous report persist across the licensee population 10 min read
ASIC has published its second report (here) recording high-level insights and trends observed in breach reports received from AFS and credit licensees between 1 July 2022 and 30 June 2023 (Reporting Period) under the Reportable Situations Regime (the Regime).
The regulator has included comparisons to the period between 1 October 2021 and 30 June 2022 (the Previous Reporting Period). You can read a summary of ASIC's previous report in our past Insight.
Broadly, many of the trends previously identified by ASIC persisted across this Reporting Period. ASIC remains concerned about the small proportion of the licensee population that is reporting (with larger entities being more likely to report), the high prevalence of staff negligence and/or error as the primary root cause of over 60% of breaches, and lengthy delays in identifying and remediating breaches.
The observations in this Insight are reflected in the data reported by ASIC, as summarised below.
- There was a significant increase in the volume of reports: 16,836 reports were submitted during the Reporting Period—a 43% increase in the monthly reporting average from the Previous Reporting Period. Additionally, there was a 46% increase in the number of reporting licensees compared to the Previous Reporting Period.
- Most reports relate to a financial service, credit activity or product line: similar to the previous Reporting Period, about 86% of all reports related to a financial service, credit activity or product line, with credit (32%), general insurance (28%), and deposit taking and financial advice (each 7%) being the main drivers.
- Number of reporting licensees still lower than anticipated: only 9% of the licensee population lodged one or more breach reports during the Reporting Period. ASIC noted this is much lower than expected and flagged it will be taking stronger measures (including surveillance activities) to achieve enhanced compliance with the Regime.
- The most common root cause was staff negligence and/or error: licensees have been reminded to ensure there are no broader failures in systems, policies or processes that may be contributing to the high incidence of staff negligence or error.
- Investigation periods remain a concern: while there were improvements to the average time taken to investigate whether a breach had occurred, ASIC remains concerned with particularly lengthy investigations.
- On average, customers lost more financially due to breaches: one in five reports specified financial loss to customers, with a 15% increase in customers suffering financial loss as a result of breaches.
Consistent with data from the Previous Reporting Period, AFS licensees submitted more reports than credit licensees during the Reporting Period. In addition, there were 548 licensees that reported for the first time under the Regime.
88% of AFS licensees with reported annual revenue of $1bn or more lodged at least one report during the reporting period—a 27% increase compared to the Previous Reporting Period. Similarly, there was a 5% increase in the number of larger credit licensees (ie those who had reported a credit value of $1.8bn or more in their more recent annual compliance certificate) who reported a breach during this Reporting Period as compared to the Previous Reporting Period.
Larger entities are more likely to report under the Regime. We expect this reflects increased compliance resources and more entrenched procedures which assist with breach identification. ASIC has emphasised that it expects all licensees (regardless of size) to have robust systems and processes in place to ensure the detection and reporting of any non-compliance is undertaken in a timely way.
The trends identified by ASIC during the Previous Reporting Period remain relevant, with the same products, services and issues topping the most-reported lists.
Notably, there was a 9% increase in reports relating to general insurance, whereas reports relating to credit decreased by 6% from the previous reporting period. Other key findings include:
- Content: around 82% of reports submitted related to at least one financial service, credit activity or product line.
- Financial services: credit (32%), general insurance (28%) and deposit taking (7%) were the most represented financial services in the reports. At the opposite end of the scale were traditional trustee services (0.1%) and payment systems (1%).
- Financial products: home loans and motor vehicle insurance were the top two reported financial products, accounting for 20% and 18% of the total reports lodged respectively. These two products were also the top two reported products during the Previous Reporting Period. Additionally, superannuation accounts rose two places in the top 10 reported product list, following a 1% increase in the total reports made in relation to that product.
- Issues: 'false or misleading statements' remained the most common reported issue, increasing by 10% compared to the Previous Reporting Period. Other high-volume issues included general licensee obligations (18%), lending (17%) and fees and charges or account administration (10%).
Broadly, breaches were identified in a consistent manner to the Previous Reporting Period. Most breaches were attributed to a staff or business unit report (56%) or internal compliance function (15%).
ASIC reported that, where customers suffered financial loss, the percentage of reports identified from internal sources was significantly lower—instead, breaches in these circumstances were identified by customers via internal and external dispute resolution. ASIC noted that further improvements are required to strengthen risk management activities to support the proactive identification of breaches, allowing licensees to take earlier action and minimise customer impact.
Another continuing theme is the regulator's concern with the high prevalence of 'staff negligence and/or error' as the sole root cause of breaches by a significant margin (66% of total reports). The frequency of other root causes continued to be broadly similar to the Previous Reporting Period (as shown in the below diagram extracted from ASIC's report).
ASIC acknowledged the existence of ongoing implementation challenges that are likely to contribute to the prevalence of staff error, but also reminded licensees to ensure there are no other underlying root causes or deficiencies in their systems, policies or processes more generally that may be contributing to these root causes.
ASIC noted that the average time taken to investigate whether a breach had occurred had improved, but maintained its concern over those breaches that took, or were expected to take, a particularly long time to investigate. Notably,
- 17% of reports indicated that the relevant licensee took more than one year to identify and commence an investigation into an issue after it first occurred
- the average time taken to commence an investigation into a breach was 327 calendar days (a decrease from 396 calendar days in the Previous Reporting Period)
- in 5% of reports, the licensee took more than five years to identify and commence an investigation into a breach.
The regulator noted that licensees should monitor the progress of investigations to ensure breaches can be addressed in a timely manner.
- Customer impact: of the reports submitted to ASIC, 82% indicated that customers were impacted, either financially or non-financially. A total of approximately 28 million customers were impacted, lower than the 43.7 million customers identified in the Previous Reporting Period. In 58% of cases, only one customer was affected. Around 13% of reports impacted 10 or more customers.
- Financial loss: 19% of reports specified financial loss to customers, with the proportion of customers suffering financial loss as a result of breaches increasing from 9% in the Previous Reporting Period to 26%.
- Remediation: based on the reports involving customer financial loss, licensees either had compensated or intended to financially compensate all impacted customers in 97% of cases. Additionally, a total of $128.6 million in compensation had been paid during the Reporting Period to just over 1.35 million impacted customers, representing 29% of the total financial loss reported and 19% of financially impacted customers. Notwithstanding, ASIC reported that a significant number of remediations are still taking too long to complete, with a mean time to finalise compensation after the commencement of an investigation being 87 days.
- Rectification: licensees completely rectified the significant breaches in 85% of reports made during the Reporting Period, with the most common method of rectification being staff training (42%), followed by communication to customers (31%). This is consistent with the Previous Reporting Period. ASIC also reported significant variability in the time taken to rectify a significant breach depending on the complexity of the breach and the underlying root cause(s).
It is clear from ASIC's report that a number of trends identified during the Previous Reporting Period continue across the licensee population.
Key takeaways for licensees to keep front of mind over the next reporting period are set out below.
|Recent changes to the Regime
ASIC has made some helpful changes to the Regime that reduce the regulatory burden on licensees with respect to certain reportable situation reports that offer limited regulatory intelligence value to ASIC (eg 'insignificant contraventions' of relevant misleading and deceptive conduct provisions). Read more about those changes in our recent Insight.
|Surveillance and enforcement activity
The regulator has reported that it engaged with more than 100 larger licensees who had not yet lodged a report to remind them of their obligations under the Regime. ASIC noted that, following this communication campaign, a significant proportion of contacted licensees lodged a report for the first time.
We anticipate that ASIC will conduct similar activities based on the key trends emerging out of this Reporting Period. In particular (and perhaps unsurprisingly, given the low proportion of the licensee population that has reported to date), the regulator noted it has commenced surveillance activity targeted at those licensees that are not reporting (or, based on the data arising out of the Regime, are reporting less than their peers) with the aim of driving improved compliance with the Regime.
|Licensees should conduct ongoing review
We recommend that licensees continue to review their operational capacity to comply with the Regime by identifying and reporting breaches in a timely manner. In particular, ASIC has identified that further improvement is required to strengthen risk management activities to support the proactive identification of breaches, allowing for earlier action and the minimisation of consumer impact (both financial and non-financial).
At the commencement of the Regime, ASIC highlighted the possibility of making licensee-level reporting data publicly available. At this stage, the regulator has declined to take this step on the basis that comparisons between licensees are unlikely to provide any meaningful insights, given the inconsistencies in reporting practice.
Notwithstanding, licensees should assume that more granular data will be published in the future as the Regime matures. ASIC has stated it will consult with stakeholders in advance of the commencement of licensee-level granular public reporting (proposed to commence in 2024).