On 25 September, ASIC released REP 594 Review of selected financial services groups’ compliance with the breach reporting obligation. The report sets out a number of findings based on quantitative analysis of data, statements and case studies from 12 financial services groups for the period 2014 to 2017. It also communicates ASIC’s expectations of Australian Financial Services (AFS) licensees regarding the breach reporting obligation and identifies opportunities for improvement to strengthen reporting processes.
The findings from the report are sobering. ASIC has highlighted significant delays in identification of incidents, lengthy investigations, breaches of the legal obligation in the Corporations Act to notify ASIC within 10 business days of becoming aware of a significant breach, and delayed remediation for consumer loss. In total, significant breaches, the subject of the review, caused financial losses to consumers of approximately $500m, with millions of dollars of remediation yet to be paid.
The release of the report is also timely. The Financial Services Royal Commission has continued to highlight examples of misconduct and concerning governance practices in the sector, and Commissioner Hayne is due to provide his interim report covering the first four rounds of hearings to the Governor-General by 30 September, with media reports it could be made public as soon as 28 September.
Our previous update includes an earlier discussion on breach reporting, including an outline of the relevant legal framework.
Takeaways for AICD members
Headlines for members from the ASIC report include:
- Breach reporting processes by AFS licensees need to improve. They constitute the frontline of compliance, and can assist in identifying systemic and process improvements for AFS licensees and, on a broader level, rebuilding public trust in financial institutions.
- ASIC Chair James Shipton has cited inadequate systems, procedures and governance processes, as well as a lack of a consumer-orientated culture of escalation, as the reasons for many of the delays in breach reporting and compensating consumers. He believes there is an urgent need for investment in systems and processes, as well as commitment and oversight from boards and senior executives to address significant failings.
- ASIC will continue its focus on breach reporting, including through its new on-site monitoring role at the four major financial groups and AMP from October 2018, active consideration of enforcement action, and ongoing monitoring of the effectiveness of AFS licensees’ breach reporting processes. ASIC is also developing the capacity to allow AFS licensees to submit breach reports through the new online ASIC Regulatory Portal.
Questions for boards
In our previous update, we detailed a number of questions directors on relevant boards should be asking about breach reporting. The ASIC report is likely to prompt further introspection, with ASIC clearly signalling an expectation for boards to take a more active role on such matters. Some questions for boards to ask include:
- Do we have appropriate oversight of the way that breach management systems and processes are working in practice? Are regular reviews of breach reporting processes conducted and are the outcomes escalated to the board?
- Is our breach reporting policy sufficiently robust? Does it include specific timeframes as appropriate?
- Is the investigation of breaches and remediation of consumers prioritised? Do we have the right systems and processes in place to support breach reporting, or do we need to make investments in this area?
- Does the organisation treat breaches as learning opportunities, and are improvements implemented as a result?
- Do our values and public statements align with what occurs in the business?
- How do we benchmark in terms of performance against the breach reporting obligation, including against the data in the ASIC report?
- How does the organisation approach consequence management?
Some of the key findings of the ASIC report are outlined below, followed by ASIC’s expectations of licensees and calls for legislative reform of breach reporting obligations.
- Delayed identification of incidents, with the major banks taking an average time of 1,726 days (over 4.5 years) to identify an incident that was later determined to be a significant breach. ASIC has identified this delay as the biggest factor that contributes to ASIC receiving breach reports about events that happened many years ago, and noted that more timely identification will reduce the duration and number of breaches (as well as the impact on consumers).
- Lengthy investigations leading to delayed reporting, with the major banks taking an average time of 150 days from starting an investigation to lodging a breach report. The report comments that it is important that AFS licensees challenge and raise concerns about lengthy investigations, and that the board and executives should be accountable for tracking and reporting response timeframes.
- Approximately one in seven significant breaches are being reported to ASIC more than 10 business days after the AFS licensee became aware of the breach. ASIC also identified inconsistent reporting of significant breaches, and noted that this is in part due to the subjective nature of the test in the Corporations Act (see below).
- Delayed remediation for consumer loss, which meant that consumers were out of pocket for an excessive period.
- Lack of effective and searchable incident and compliance systems - the report comments that inadequate IT systems can inhibit identification and investigation of breaches (including because they may have limited search functionality, or are not sufficiently integrated). Effective systems can allow information about breaches, and incidents more broadly, to be recorded, tracked and kept up to date.
- Underutilised ‘lessons learned’ opportunities - the report notes that the investigation and rectification of a breach presents an opportunity to remove or reduce weaknesses more broadly.
- Elements of a sound breach management culture not demonstrated, including because breach identification, rectification and reporting are not prioritised.
ASIC’s expectations and call for law reform
ASIC has emphasised the necessity of law reform to clarify and strengthen the breach reporting obligation, and increase its ability to take regulatory action. The report refers to the recommendations in the ASIC Enforcement Review Taskforce report released in 2017 and notes that the Government response agrees in principle to all recommendations in that report but has deferred implementation to enable it to take into account any findings arising out of the Financial Services Royal Commission.
In the meantime, ASIC has made it clear that it expects:
- compliance with breach reporting obligations, including reporting to ASIC within 10 business days;
- greater capacity and speed in identifying and investigating incidents, and reporting significant breaches;
- demonstration of a sound breach management culture that makes breach reporting and consumer remediation a priority; and
- AFS licensees to embrace the lessons from each breach.
To assist AFS licensees, the report contains a number of ‘questions to ask’ in tables 20-24 (pages 99-105) in relation to the above matters.