Once more into the breach

In a discussion leading up to next week's Money Management Platforms and Wraps Conference at Magenta Shores, Australian Securities and Investments Commission (ASIC) commissioner, Greg Tanzer, made the point that financial services companies should not be fearful of breach reporting.

Tanzer who, along with leading financial services lawyer, Peter Bobbin and Morningstar head of fund research, Asia Pacific, Grant Kennaway, will be discussing product failures and their consequences for platforms made the point that ASIC well understood that it was normal for a certain number of breaches to occur.

Bobbin, the principal of Rockwell Olivier, suggested that a financial services firm with an empty breach reporting log ought to be far more likely to attract increased regulatory attention than those with an average number of instances.

The fact that a senior member of the ASIC executive team has recognised the need to reassure financial services firms about the normality of breach reporting may be a reflection of a growing concern that recent adverse media reporting may be prompting some firms to under-report or at least equivocate.

Those media reports related to whether National Australia Bank (NAB) appropriately fulfilled its breach reporting obligations to ASIC with respect to 37 planners who either resigned or were forced to leave the big banking group over bad advice issues.

VIEW ALL

View all

Further issues relating to breach reporting were then raised with respect to the more recent allegations pertaining to issues within IOOF and warnings issued to senior staff which were not then necessarily flagged with the regulator.

IOOF has disputed whether some of the incidents which occurred warranted being reported to ASIC.

ASIC, in fact, as recently as late May used its website to remind financial services of their obligations with respect to breach reporting.

It noted that, "AFS licensees must notify ASIC in writing of any ‘significant' breach (or likely breach) of their obligations under s912A (including licence conditions), s912B (compensation arrangements) or financial services laws, as soon as practicable, and in any event within ten business days of becoming aware of the breach or likely breach".

It said that licensees needed to give proper consideration to whether the breach (or likely breach) "is significant, and, if so, provide timely notification to ASIC".

"Whether a breach is significant will depend on individual circumstances. You will need to decide whether a breach (or likely breach) is significant and therefore, reportable to ASIC," it said.

The ASIC outline said the factors that determined whether a breach (or likely breach) is ‘significant' include:

• The number or frequency of similar previous breaches;

• The impact of the breach or likely breach on the licensee's ability to provide the financial services covered by the licence;

• The extent to which the breach or likely breach indicates that the licensee's arrangements to ensure compliance with those obligations is inadequate; and/or

• The actual or potential loss to clients or the licensee itself.

"If you are not sure whether a breach is significant, we encourage you to report the breach," it said.

In other words, holders of an Australian financial services license have a legal obligation to report incidents to ASIC almost as soon as they become aware of them or, at worst, within 10 working days of the occurrence and there are no viable excuses for not doing so.

In most instances a breach report remains a matter between the reporting entity and ASIC but, clearly, problems arise when those reports become the subject of adverse publicity. Nobody wants to be punished for simply meeting their obligations.