Potential ‘name and shame’ breach reporting approach sparks AFSL uneasiness
A legal expert has flagged there is growing tension in the industry as ASIC considers naming licensees in its breach reports, with such a move potentially deterring proactive self-reporting in favour of caution.
Now in its third year, the reportable situations regime requires licensees to submit reports of any breaches and is used by ASIC to identify any emerging trends and detect non-compliant behaviour.
ASIC is obliged to report annually on information that is provided under the regime and to date, these reports have not named licensees nor referred to the nature or number of reports lodged by specific licensees.
However, the regulator has indicated it will be consulting with stakeholders in 2025 about potential changes to this approach for future publications.
Speaking to Money Management, Selina Nutley, partner at Hall & Wilcox, noted ASIC’s current philosophy encourages companies to “err on the side of caution” when reporting potential breaches, advising them to report even situations that may not qualify as serious violations.
The potential change has sparked tension in the industry as licensees face the prospect of being called out by ASIC over these reports.
The regulator previously noted potential instances of underreporting, with a “significant variation” in the number of reports based on licensee size. In FY24, just over half of licensees that reported during the period lodged only one report.
Only 10 per cent of licensees with less than $50 million or less in revenue lodged reports compared to 81 per cent of licensees with $1 billion or more.
“The philosophy behind the reportable situations regime is it’s meant to encourage really broad levels of reporting and ASIC would like a philosophy which is ‘when in doubt, report it anyway’,” Nutley explained.
“But where you’re suggesting them to err on the side of caution and maybe, if it’s not a reportable situation, report it anyway, and you are encouraging people to make mass reports but simultaneously intending to name the people who are reporting, there is a little bit of tension there.”
The core concern among industry professionals is that without adequate context, companies may be unfairly stigmatised for proactively reporting breaches, Nutley pointed out.
“The industry is really concerned about how that reporting is going to take place, whether there’s going to be appropriate contextualisation around the actual reportable situation that’s detailed and the number [of breaches].
“You can imagine, if one of the larger licensees is shown to have reported thousands of breaches in a year, without context around what percentage of their operations that represents, then there’s potential for adverse implications.”
Nutley observed that in some cases, breaches that are self-reported to ASIC lead to further investigations, as they are intended to.
However, when the corporate regulator goes on to issue media releases, they don’t always acknowledge that these breaches are reported voluntarily, giving the public a skewed view of the situation.
“ASIC is clear that the data is important from a surveillance perspective because it gives them industry-wide trends and also allows them to look at significant conduct and then carry out important activity. But there are instances where those investigations have been carried out and the media releases that are issued don’t then say the licensee had actually self-reported the breach, that they were being a good corporate citizen,” she said.
“That’s something that the industry would like to see in the media reports because it helps provide a more balanced perspective around what has happened and the fact this has been identified through proactivity and compliance with obligations, to dob yourself in, so to speak.”
Concerns over no breaches
Interestingly, a number of licensees are also concerned about the adverse effects of having no breaches to report to the corporate regulator.
Money Management previously explored the need for a “mindset change” around breach reporting as, rather than be pleased, the regulator will more likely be suspicious if a firm has no breaches.
“There needs to be a mindset change around how we treat breaches and how they are reported and resolved. The mindset is still instinctive that it’s bad to have any reports,” explained Richard Hopkin, senior associate at Cowell Clarke.
“But it’s the opposite – it’s bad to have an empty breach register, and ASIC will be wondering what is happening. It is impossible to go a whole year without having any incidents. ASIC is expecting you to get some. It would be a red flag for them not to have any. It is clear they think poorly of those licensees who aren’t reporting much.”
Nutley echoed the sentiment, explaining some clients have expressed concerns about having no reported breaches on their books, fearing they might be perceived as non-compliant or become targets for scrutiny.
“We’ve had clients who have said, ‘We have nothing on our books and we’re worried about that, we don’t want to become a target because we’ve got nothing on our books’,” she told Money Management.
“It’s like they were looking for a reportable situation just for the sake of it, in an otherwise very efficient, compliance-focused, experienced organisation.
“That’s not the purpose of the regime, and I don’t think that’s what ASIC is looking to encourage.”
In October, ASIC’s latest report showed that licensees submitted 12,298 reports during FY24.
This was divided between 913 AFSLs that lodged 8,636 reports, and 161 credit licensees that submitted 4,088 reports.
It noted the median time taken by a licensee to identify and commence investigations into breaches stood at some 73 calendar days.
In one in five cases, licensees took more than a year to identify and commence an investigation, and this tended to have a correlation with a higher number of customers being impacted.