Small AFSLs on the rise but breach reporting low
ASIC’s latest breach reporting data shows small licensees may have improved their reporting, but the regulator still believes they are under-reporting.
The third edition of ASIC’s Insights from the reportable situations regime covered reports made by AFSLs and credit licensees from July 2023 to June 2024. Overall, 12,298 reports were submitted during the period.
The number of licensees that lodged at least one report increased by 10 per cent to 1,024 licensees, but ASIC said there was “significant variation” in the number of reports based on licensee size.
Just over half of licensees that reported during the period lodged only one report.
Only 10 per cent of licensees with less than $50 million in revenue lodged reports this year, compared to 81 per cent of licensees with $1 billion or more.
“A small number of generally larger licensees submitted the majority of reports, although by a slightly smaller margin compared to the previous reporting period (21 licensees lodged 62 per cent of reports compared to 21 licensees lodging 71 per cent of total reporting volumes in the previous reporting period). Consequently, the results of this publication are driven, in large part, by reporting from a relatively small number of licensees.”
Looking at AFSLs only, 415 AFSLs with less than $50 million in revenue submitted 739 reports, which represented 9 per cent of total reports.
AFSLs of this size make up 10 per cent of the total licensee population, up from 8 per cent last year.
In the next revenue bracket – AFSLs with $50–249 million – the figure also rose, from 30 per cent to 32 per cent. These firms made up more than a third of breach reports, with 2,912 reports submitted.
Richard Hopkin, senior associate at Cowell Clarke, said: “It is still possible that licensees are under-reporting. I don’t think it’s necessarily a reluctance to report – I think the sensitivity and complexity of the regime mean that while incidents are identified and rectified without much fuss, licensees don’t necessarily realise that those (relatively minor) incidents are actually automatically reportable. That said, in my experience many mature smaller licensees don’t have that many material incidents in the course of a year.
“If a licensee runs a high touch business for a relatively small client base, provides generally low risk advice, and has good, well maintained procedures, I don’t see that many reportable situations arising in the course of the year. Most incidents will arise due to administrative / human errors, many of which won’t be reportable but some will.”
Identifying breach reports
A second focus of ASIC’s report was the time taken by licensees to identify and commence an investigation into a breach.
Most breaches were identified by staff or business unit reports (48 per cent), but this was down from 56 per cent last year. This was followed by the internal compliance function (16 per cent) and customer complaints via internal dispute resolution (15 per cent).
“Of concern, the breaches identified from internal sources such as internal compliance activities decreased by 5 percentage points during the reporting period, from 78 per cent to 73 per cent.”
This meant a greater proportion of reports were being identified by external sources than the previous year.
The overall median time taken to identify and commence an investigation into a breach was 73 calendar days and the average was 415 calendar days. More than one in five licensees took more than a year to identify and commence an investigation in 2,851 reports.
Hopkin said it is important that all licensees lodge a report as soon as possible when they become aware of a breach.
“A report needs to be made to ASIC within 30 days after the licensee first knows (or is reckless whether) there are reasonable grounds to believe the reportable situation has arisen. It is important to remember that the report should be lodged as soon as possible – don’t wait to finish rectifying the breach before you record it on your breach register and report it to ASIC. You can update ASIC later once you’ve finished resolving the issue.”