ASIC identifies poor reportable situations compliance by AFSLs

AFSLs are being urged by ASIC to monitor and improve their compliance with the reportable situations regime after identifying “poor practice” by licensees in a recent review.

The reportable situations regime requires licensees to identify, fix and report their problems to the regulator to life industry standards and improve consumer outcomes. It also helps ASIC to identify any emerging systemic issues.

A recent report shared licensees submitted 12,298 reports during FY24 which was a decrease of 27 per cent on the previous corresponding period. This was divided by 913 AFSLs that lodged 8,636 reports, and 161 credit licensees that submitted 4,088 reports.

Following this report, the corporate regulator broke it down further and has now reviewed 14 licensees of various sizes that had either low number of reports or had not reported at all between October 2021 and June 2024.

“ASIC expects all licensees, regardless of size, to have robust systems and processes in place to ensure timely detection and reporting of non-compliance,” it said.

VIEW ALL

View all

"It was not clear that licensees monitored time frames and acted on delays, which indicates a level of acceptance for internal non-compliance."

The review found:

• Licensees were generally slow to report to ASIC. The key driver of these delays was that licensees took a long time to identify breaches in the first place and begin investigating.
• When ASIC reviewed why this was happening, ASIC found that there were deficiencies in licensees’ incident management, particularly how they identified, escalated and recorded incidents.
• Most licensees had gaps in how they monitored their own compliance with the regime.
• These poor practices had real impacts on consumers. The failures to promptly identify breaches meant that licensees were very slow to rectify breaches and remediate customers.

Almost a third of reported breaches took more than one year to be identified and the average time taken to complete an investigation was 39 days. The average time to report a breach to ASIC was 534 days and the average time to finalise compensation to consumers was 632 days. 

In the worst case identified, it took over 12 years for a licensee to commence an investigation into a breach, ASIC said.

Examples of poor practice were broken down into 10 categories: capacity to identify an incident, definition of an incident, supporting staff, incident identification channels, assessing complaints for incidents and breaches, quality assurance activity, recording or escalating incidents and breaches, quality of incident and breach registers, reporting to senior management and reviews into compliance. 

Specific instances included licensees setting high minimum thresholds around financial impacts suffered, failure to provide adequate staff training, delayed identification of breaches, only one-line descriptions of breaches, failing to consider the effectiveness of a breach reporting function and an acceptance of internal non-compliance. 

Better practices

The regulator shared four questions that licensees should consider when it comes to their reporting.

• Are you identifying incidents and breaches?
• Are you escalating and investigating incidents and breaches comprehensively and in a timely way?
• Do you capture important information about incidents and breaches in a single register?
• Have you got the necessary arrangements in place to monitor your compliance with the regime?

Examples of better practice included having clear and well-understood processes, simple definitions of an incident, regular staff training, considerations of the differences between incident, breaches and reportable situations and licensees should ensure learnings from identified issues are shared with the team. 

When it comes to timing, licensees should have defined time frames across the life cycle and adherence to these should be monitored. If an investigation is necessary, this should start immediately and not be delayed while another issue is rectified.

Licensees should conduct regular reviews of their breach reporting cycles and test compliance arrangements, have robust governance structures that promote sharing to senior management and analysis of root causes to enable management to proactively detect emerging issues and reduce the risk of reoccurrence. 

Kate O’Rourke, ASIC commissioner, said: “We have undertaken extensive work to strengthen the operation of the reportable situations regime since the introduction of the October 2021 reforms, and ensuring that the objectives of the regime are met remains a priority area of work for us in 2024–25.

“As part of this, we will consult with stakeholders on options for future granular reporting to provide even deeper insights, ahead of our fourth annual publication of reportable situations data in Q3 2025.”

Last month, ASIC chair Joe Longo acknowledged the complexity of the reporting situations regime has made it difficult for ASIC to compile information. 

“That regime was introduced with the best of intentions and indeed this time last year we announced it would be one of ASIC’s enforcement priorities,” he told the ASIC annual forum.

“One of the challenges we have encountered in administering and enforcing the regime has been the number of modifications, and the number of pages of guidance that have been required to help industry meet their obligations and ensure the regime meets its objectives – in other words, to make it work.”