Six law reforms by the Australian Securities and Investments Commission (ASIC), arising out of recommendations from the Royal Commission into Misconduct in Banking and findings from the ASIC Enforcement Review Taskforce came into effect on October 1, 2021. The new regime expands breach reporting obligations for Australian Financial Services (AFS) Licensees and Australian Credit (AC) Licensees which require significant modifications to the breach reporting processes within financial institutions to minimise the risk of incurring penalties, sanctions and fines for non-compliance.
With reference to several reputable and professional industry and government publications, this article provides an overview of what the changes mean For AFS and AC Licensees and share insights regarding the type of systems and processes that can facilitate compliance with the new obligations.
In 2018, an analysis into the breach reporting processes of 12 financial services groups conducted by ASIC revealed it was taking large financial institutions an average of 4.5 years to identify significant breach incidents. A publication by Gadens provides further insight which demonstrates the main reasons licensees were failing to report within the required time frame included:
Accordingly, the reforms seek to provide consumers with more robust and longer-term protections by eliminating the occurrence of inconsistent, inadequate, and delayed breach reports.
In particular, the reforms close regulatory gaps, and give ASIC greater visibility of issues within the market such that ASIC can identify and resolve problems in a more punctual and effective manner. To that affect, the new reporting obligations are more consistent, clear, and timely across the industry. They implement Recommendations 1.6, 2.8, 2.9, and 7.2 of the Final Report of the Royal Commission and are issued in Schedule 11 of the Financial Sector Reform Act 2020.
A significant new element of the reporting obligations is the scope of what is deemed a ‘reportable situation.’
Further, and in addition to the requirement to report significant breaches of core obligations, the regime extends reportable situations to include where an AFS Licensee or its representative has engaged in conduct constituting gross negligence or where they have committed serious fraud.
Summary of key changes for licensees:
Implications for licensees:
For financial service institutions that operate in Australia, the reforms signify a dramatic shift in the regulatory landscape that demands implementation of new reporting practices and processes to address potential regulatory breaches, fee miscalculations, deficient consumer advice, cyber-attacks, and other issues.
The stricter reporting obligations and harsher penalties mean it is imperative that systems and processes are implemented to timely and cost-effectively support breach identification, investigation, reporting and remediation to ensure compliance with the new regimes.
As such, the systems and processes should streamline and expedite the internal flow of information to the risk functions, and externally to expert legal advisors when, as, and if required. That said, now is when financial service institutions should consider the impact the new changes will have on their organisation. It is essential that licensees conduct a gaps analysis to evaluate their processes and proactively identify solutions that can be implemented to assist their organisation to meet the new industry reporting requirements.
With time of the essence and resources constrained, it can be helpful to ask the following questions:
In addition to process mapping, ‘off the shelf’ technology and software solutions can assist financial institutions to successfully navigate and comply with the new regime.
One such solution is the Gadens Breach Manager. The Gadens Breach Manager was developed by Gadens alongside Lawcadia, with a goal to prepare and support financial service organisations as they adapt their process to reflect and comply with the new regulatory regimes. Specifically, the Gadens Breach Manager can assist risk and compliance teams with identifying, investigating, and reporting potential breaches defensibly, time and cost-effectively.
The cloud based RegTech platform streamlines the collation of information, assessment and reporting process to one online depository to ensure compliance and thereby reduce the risk of legal ramifications of non-compliance for financial service institutions and their senior executives.
Navigating the scale of these provisions, some of which may be unfamiliar to organisations, will be challenging and technology solutions such the Gadens Breach Manager will be crucial for financial services organisation as they become familiar with the new compliance and reporting requirements under this reform.
The new stringent breach reporting obligations, coupled with the harsher consequences for non-compliance means AFS and AC Licensees must be proactive and significantly modify their breach reporting processes and systems to avoid potential sanctions, fines or penalties. With time of the essence, it is prudent to conduct a gaps analysis to evaluate how the changes will affect the organisation, and subsequently identify the technology solution or process that can support the breach reporting function and minimise the risks associated with failing to comply.
We have a track record of partnering with our clients, delivering successful implementations and keeping our clients happy. Don’t just take our word for it – check out our case studies to learn more.
Transform your legal operations with the award-winning, two-sided intelligent platform built for in-house legal teams and their law firms with legal intake & triage, matter management, workflow automation, spend management, collaboration and customisable reporting.