
Tools & Insights For Financial Services Breach Reporting

Financial Services Breach Report

Uncover key insights from the first six months of the AFSL & ACL breach reporting regime and the tool that eases the work of managing and reporting breaches.

There are over 11,000 AFSL & ACL businesses in Australia, all of which fall under the regulatory compliance breach reporting regime. According to a new research study, State of Financial Services Breach Reporting in Australia, commissioned by Lawcadia and Gadens, the extra workload and stresses brought on by the new regime are corroding the Financial Services sector. A staggering 67% of respondents indicated the new breach reporting obligations are distracting or diverting resources away from other important areas of work and compliance issues, highlighting the escalating workloads placed on risk, legal and compliance teams.

Liam Hennessy, Partner at Gadens, specialises in compliance and risk matters, regulatory investigations, and complex disputes in the financial services sector. At a recent live event, he shared the key drivers for commissioning this important research into the state of breach reporting in Australia.

“The key driver was the fact that the new enhanced breach reporting regime is placing a lot of stress and pressure on in-house compliance, legal, and risk teams. In my view, it is poorly constructed, in so far as the information that ASIC is getting is not high quality, in terms of the significance of the breach. We wanted to see what that looked like across the industry ahead of when ASIC is going to come out and publicly comment on the numbers of individual breaches for each licensee in June.

“We really wanted to give our clients, and indeed the broader market, an insight quantitatively and qualitatively about how the new regime is impacting their peers. Because there’s been a lot of information, anecdotally, about how tough it all is… and we wanted to add some numbers to that discussion,” said Mr Hennessy.

18 months ago, he was concerned about the impact this regime would have on workload, and he sought to counterbalance that with systems and process innovation. This led to the creation of the Gadens Breach Manager for financial services clients.

“Going into the Royal Commission in 2018, ASIC had commissioned some reports that said that on average, it takes 150 days to identify, investigate and report a significant breach, and that focused on the bigger end of town. That was back when lawyers got to apply their subjective judgement, to an extent, as to whether to report or not. The new regime, what changed, and I guess what we saw going ahead in the future was, a regime where a lot of that subjectivity has been stripped away – if you breach any one of thousands of civil or criminal penalty provisions across Australia’s legislation, it’s reported to ASIC. There’s not a lot of scope for subjective judgements there.

“We saw the existing AFSL regime was going to become harder, we saw it was going to get extended towards credit licence holders for the first time, which is immediately 6,000 businesses across Australia which is going to be brought into the regime. We saw that there were pretty severe criminal and civil penalties that would apply if you are not reporting in time and finally overlaying on top of all of this, we’re getting a bit of a convergence in terms of our Financial Services regime: you’ve got your licencing reporting, which then potentially, depending on the issues under consideration, might trigger your OAIC reporting, it will certainly trigger your FAR reporting – the banks, insurance and super funds, when that all comes into play, FAR has some incredibly broad reporting obligations in so far as integrity, honesty, due skill, care and diligence. So, we really wanted to draw it all together and give clients a bit of a central repository where they can consider all those things together and make assessments in pretty quick time,” said Mr Hennessy.

With 26% of respondents surveyed reporting more breaches than they expected to, the big unknown in the industry is whether they are reporting too many or too few breaches. Coupled with low confidence in the new regime, 31% of respondents said that they believed the new reporting obligations are not at all effective in meeting their stated objectives. In addition, an astounding 51% of respondents do not believe that ASIC can administer the new regime effectively.

Mr Hennessy commented, “ASIC’s ability through its RegTech systems – and they’ve got this brand new, as I understand it, software to pass through things and cherry pick what they want to focus on in any particular instance – I think is probably not as broadly appreciated as it could be. ASIC is not like an industry participant as so far as its resourcing challenges and so forth, at least in this area.

“I suspect ASIC probably has a higher ability to utilise that online form and to really cut that data to focus on where it wants to focus. Probably more than people think. And for anyone who has had that distinct pleasure of going through that new online form, it’s so prescriptive, it’s so narrow in terms of things you need to click on, you have to imagine that design is on purpose.”

The Gadens Breach Manager, powered by Lawcadia, can streamline the depth and breadth of the mandatory breach reporting process for compliance, legal and risk teams, making it easy to capture, review, and quickly navigate over 2,000 provisions, including civil and criminal penalties.

To access a copy of the research report, click here.

Footnote

Lawcadia and Gadens hope that the findings of the research, which has been provided to ASIC, will be taken into consideration by the governing body and that the industry concerns will be heard and addressed.
