On 27 October 2022, ASIC released its first publication of information lodged under the new breach reporting regime, Report 740 Insights from the reportable situations regime: October 2021 to June 2022 (Report 740). As readers will be aware, the new breach reporting regime for financial services came into effect on 1 October 2021, seeking to transform licensee self-reporting behaviour on breaches. It sought to do this largely by capturing a wider range of conduct, reducing the scope for subjective assessments on "significance" and starting the clock earlier.

However, the insights from Report 740 indicate that the regime is not operating as intended. In many ways, ASIC's insights in Report 740 came as a surprise to us and a number of industry players, particularly with respect to the statistics on under reporting. What this reveals, most starkly, is the wide variance in breach reporting conduct between licensees across the industry, as well as between the expectations of licensees and ASIC – exposing the ongoing ambiguity of a new legal regime that was designed to achieve greater certainty and consistency.

Report 740: At a glance

ASIC has identified, among other things, that:

  • a much smaller proportion of licensees have reported under the regime than anticipated;
  • licensees are still taking too long to identify and investigate some breaches;
  • more work needs to be done to appropriately identify and report the root cause of breaches; and
  • further improvements are needed to licensees' practices towards remediating impacted customers.

We examine each of these insights in turn below.

The "under reporting" chasm

ASIC identified that only 6% of its licensee population lodged a breach report during the first 9 months of the regime between 1 October 2021 and 30 June 2022 (representing 9% of the financial services licensee population and 3% of the credit licensee population). ASIC has expressed concerns that this is significantly lower than expected and suggests that some licensees may not have in place the systems and processes required to detect and report non-compliance.

Herein lies the first great chasm of the new breach reporting regime. In our experience since 1 October 2021, many of our clients across the superannuation, life insurance, general insurance, funds and financial advice sectors have experienced a sharp increase in the number of breach reports lodged with ASIC. So much so that many in-house legal and compliance resources are now exclusively dedicated to assessing potential breaches and reportability under the regime, reflecting a significant compliance burden. The statistics released by ASIC confirm this burden: ASIC received 8,829 reports in this 9-month period, a substantial increase on the 2,435 reports received in the 12 months from 1 July 2020 to 30 June 2021 (under the old regime). However, Report 740 indicates that this burden is not being experienced equally across the industry.

The key discrepancy is by licensee size. Report 740 finds that large licensees are reporting more than smaller licensees. In our experience the discrepancy has several sources. One is the maturity and sophistication of the licensee: larger licensees typically have more legal and compliance resources and therefore greater awareness of the scope of the new breach reporting obligations. Another is the size and complexity of business operations: larger and more complex operations are more likely to experience breaches.

The "investigation" chasm

In 18% of breach reports received, ASIC identified it took licensees more than one year to identify and commence an investigation into an issue after it had first occurred. ASIC has reiterated in Report 740 that it expects licensee systems to promptly identify non-compliance. The timely identification and investigation of breaches can also help reduce the risk of continuing breaches or breaches that reoccur, such as by helping identify the root or systemic cause of the breach, which we discuss below.

In the main, this result suggests that it is taking some licensees too long to identify potential issues that need to be investigated, suggesting deficiencies in compliance systems. For example, ASIC states that there were 582 reports where it took the licensee 5 or more years to identify and commence an investigation into a breach.

However, this statistic also exposes one of the most legally ambiguous and complex aspects of the new regime – the what, when and how of an "investigation". The concept of the "investigation" was introduced into the regime to (as mentioned above) start the clock on reportability earlier.

However, the foundational practical questions remain: What is an investigation and when does it start? When does preliminary fact-finding (as contemplated in ASIC's Regulatory Guide 78: Breach reporting by AFS licensees and credit licensees (RG 78)) transform into an investigation? When does regular quality assurance (QA) and audit become an investigation? Are separate incidents of the same nature one or multiple investigations? Is an investigation into a systemic issue separate to the investigation of the underlying incidents that give rise to the systemic issue?

The uncertainty around the concept of "investigation" has led to wide variation in the approach taken by licensees on reportability and timeframes, and the discrepancy between licensee reporting and ASIC's expectations.

The "root cause" chasm

ASIC identified its concerns that licensees may not be adequately identifying and addressing the underlying root causes for breaches, such as by determining the underlying reasons for repeated staff negligence or error. ASIC has identified that a high proportion of reports (55%) identified staff negligence or error as the sole root cause, including where the licensee had reported that there had been previous similar breaches, or multiple breaches were grouped together. In 60% of reports, staff negligence or error was identified as one of the root causes, with system deficiency identified as one of the root causes in only 6% of reports.

This is a tricky issue because, despite rigorous controls and training, human error is part and parcel of operating a business, particularly a large and complex one. The key question then becomes when a series of human errors constitutes an issue of a more systemic nature. For example, consistent with ASIC's finding in Report 740, the vast majority of the increase in breach reports by our clients and other industry players is represented by breach reports on false and misleading statements. With misleading or deceptive conduct constituting one of the "deemed" significant breaches under the new regime, this is no surprise (given that it is legally established that the threshold for misleading or deceptive conduct is a low one, with limited opportunity for correction). For many large institutions, the greatest scope for error arises in frontline interactions, where despite rigorous scripting and training, human error continues to occur.

ASIC in RG 78 outlines that when there are multiple reportable situations arising from a single, specific root cause, these multiple reportable situations can be notified to ASIC in the one report relating to the breach or likely breach of the relevant provision/s.[1] Identifying the specific root cause is no doubt a challenging task for licensees. For example, a breach of the efficiently, honestly and fairly provision under section 912A(1)(a) of the Corporations Act may involve human error as one "cause" but at its core may be representative of a wider system deficiency. Several system errors may have occurred as the result of a system migration, requiring a manual workaround by the staff of a licensee, during which human error occurs. It is of course fact dependent, but in some cases the proper interpretation may be that, had there not been an underlying system deficiency, the human error would not have occurred.

To this point, the recent case of ASIC v ANZ,[2] handed down on 26 October 2022, demonstrates that while systems errors may have a human overlay, the root cause is ultimately sometimes the systems and controls that are put in place.[3] In this case it was found that ANZ's systems "were substantially reliant on manual inputs that were susceptible to human error and subject to controls that were incompletely understood and inconsistently applied."[4] Ultimately, "the conduct continued as long as it did because of inadequacies within ANZ's systems [i.e. the system], which were compounded by inaction or ineffective action [i.e. the human error]."

Robust systems for analysing root causes and systemic issues are required by licensees to proactively detect significant or emerging issues and to ensure that existing issues are adequately addressed. ASIC has recognised this is a challenging area and has indicated that it will provide further guidance to industry on this particular issue.

Remediation practices and challenges

Report 740 outlines that where remediation is planned, in many cases it is taking too long to complete. 12% of licensees who were required to conduct remediation indicated it had taken or was estimated to take more than one year to finalise.

The prescribed ASIC reportable situation form requires licensees to identify whether and when affected clients have been compensated. Licensees must provide details of any remediation program (including preventative measures) that has been or is being developed to compensate clients who have suffered a loss. Licensees should also provide information about when remediation is completed. ASIC has indicated in Report 740 that it will engage further with those licensees that have failed to remediate a breach.

On this note, ASIC issued its new guidance on consumer remediation in Regulatory Guide 277 Consumer remediation (RG 277) on 27 September 2022. It also released the accompanying guide 'Making it right: How to run a consumer-centred remediation' to assist licensees in conducting consumer remediation. HSF has previously commented on ASIC's changing expectations of consumer remediation.

The development of a remediation methodology and program continues to be a complex exercise facing the industry. Common challenges include determining the scope of remediation, the integrity of data and the method of paying compensation – against the backdrop of an increasingly uncertain complaints landscape created by AFCA.

We have published a Legal Guide on Remediation, covering topics such as the legal basis for remediation, designing a remediation program, timeframes, customer and regulator engagement, as well as specific issues affecting superannuation, insurance and financial advice. If you would like a copy of our Legal Guide on Remediation, please get in touch with one of our experts.

Breach reporting: Where to now?

ASIC has indicated as part of its 2022-23 priorities that it will focus on improving the operation of the reportable situations regime, having recognised earlier this year that the regime has led to a number of implementation challenges as discussed above.

We are currently working on content dealing with two important issues that our clients are dealing with under the new breach reporting regime, namely (1) the relevance of materiality in a breach of the "efficiently, honestly and fairly" provision; and (2) practical issues in assessing a breach of the misleading or deceptive conduct provision. Stay tuned for these updates.

Footnotes

[1] RG 78.112.

[2] [2022] FCA 1251.

[3] Australian Securities and Investments Commission v Australia and New Zealand Banking Group Limited [2022] FCA 1251 [203].

[4] Ibid [204].

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.