Breach reporting regime taking its toll on financial services sector

The report explains that the primary shift under this new regime is to a more expansive scope of “reportable situations” or matters that must be reported to ASIC, and the introduction of deemed significant breaches.

“Instead of the subjective test previously utilised to determine whether a breach had occurred, breaches are now automatically deemed significant and reportable within 30 days if they contravene any one of thousands of relevant Australian civil or criminal penalty legislative provisions,” it stated.

“If a licensee does not report all ‘reportable situations’ to ASIC, they may be subject to both civil and criminal penalties for every instance of failed reporting.”

The research report found that the legislation that has been brought in is “overly excessive” and not achieving the goals commissioner Hayne had in mind in recommending the changes.

Lawcadia co-founder Sacha Kirk said the report, based on survey results of 160 staff from Australian financial services organisations and a number of in-depth interviews, found the sector had low confidence in the new reporting regime.

Around half of the survey respondents (51 per cent) do not believe that ASIC can administer the new regime effectively and fairly across all financial services providers.

Gadens partner Liam Hennessy said the research is valuable because it provides an insight into the quantitative and qualitative trends of breach reporting, ahead of when ASIC plans to publicly release data comparing organisations. This will be a “ritualistic public shaming”, explained Hennessy.  

“Breach reporting has very markedly increased, and the main pain points are around misleading and deceptive conduct, advice failures and conduct issues. Misleading and deceptive conduct isn’t a big surprise – an incorrect fee on a bank statement technically triggers a report, which is asinine and a waste of organisations’ and ASIC’s time,” he said.

The report found that before the breach reporting obligations came into effect, nine out of 10 respondents were reporting fewer than five breaches each month.

“Since the obligations came into effect, however, that figure has dropped to around seven in 10,” the report stated.

“The proportion of over 160 respondents reporting more than five breaches a month has jumped from fewer than one in 20 (4 per cent) to almost one in five (19 per cent).”

Mr Hennessy said the report showed that the industry at large was struggling to prepare for and maintain the onerous compliance demands and that a combination of policy amendments scaling back the more onerous features of the regime and technology adoption is the answer.

Ms Kirk said the new reporting measures were also taking a significant toll on the mental health and wellbeing of staff in the sector.

“The research highlights there is a high level of stress and anxiety being experienced by legal, risk and compliance professionals, who have been tasked with planning, implementing and administering the requirements – regulatory design seems to be a factor here,” she said.

Some respondents raised concerns that ASIC may find itself deluged with junk data due to come of the uncertainty with the requirements and organisations reporting breaches just to be on the safe side.