Why is there so much ‘human error’ in breaches?
There is over-reliance by licensees on ‘human error’ with over 5,000 reports stating that as a cause of a breach when the fault may lie in their systems and processes, according to a legal expert.
Last week, the Australian Securities and Investments Commission (ASIC) announced the first results of its reportable situations regime data from 1 October, 2021 to 30 June, 2022 which found there had been over 8,000 breaches reported.
This was a smaller number than the regulator had expected and it questioned if licensees understood the nature of the legislation and whether it had the right systems and processes in place to identify breaches.
Felicity Healy, partner and financial services litigator at Corrs Chambers Westgarth, agreed that the law firm had also expected to see a “huge influx” of breach reports made but this had failed to appear.
She noted over 5,000 of reports specified a root cause of the problem as being staff negligence or error and Healy said this was an overuse of the term.
In contrast to human error root causes, just 9% of reports were described as a policy or process deficiency and 6% were described as a system deficiency.
The ASIC report stated: “Staff negligence or error was selected as the sole root cause category in 55% of reports where the licensee had reported that there had been previous similar breaches and/or there were multiple breaches grouped into the relevant report. This raises some concerns as to whether licensees are consistently identifying and addressing the underlying root causes for breaches (e.g. by determining the underlying reasons, such as systems or process issues, for repeated staff negligence or error).
“In response to this, we intend to provide guidance to licensees on the circumstances in which it is appropriate for licensees to select ‘staff negligence or error’ as the root cause (e.g. only when it has determined there are no other underlying root causes).”
Healy said: “There was an overuse of the term ‘human error’ and that doesn’t match up when the the most-common reports were about false or misleading information and it doesn’t match with the understanding of compliance.
“Some breaches may have been caused by human error but that’s caused by a weakness in the system which has then led to an error.”
When this was identified as the cause, ASIC found the most-common rectification method was staff training on internal policy and procedures, cited by 41% of reports.
However, she praised efforts by firms to remediate quickly once a breach was identified.
In 18% of reports received, ASIC said it had taken the licensee more than one year to identify and commence an investigation into an issue after it had first occurred. However, only 0.6% of the reports had taken longer than a year to rectify with most being rectified before the investigation commenced or within seven days.
“This is the good news part, people are finding and fixing these breaches quickly but they can be hard to find, it is hard to be critical of them to taking too long to identify. It takes time to do it properly.
“In particular, customers are very wary of scammers nowadays so contacting them is getting harder, it is not as simple as it used to be to.”
She also pointed out that it was difficult to re-open cases after they had finished so firms were erring on the side of caution and allowing long lead times to complete investigations or customer remediations.
Recommended for you
Insignia Financial has announced a board director will be stepping down next year after almost a decade amid a board refresh.
Zenith Investment Partners has appointed a Brisbane-based business development manager, who previously led Fitzpatrick Private Wealth Partners as a director and senior adviser.
Praemium has said it is open to investing in artificial intelligence “in a big way” as it believes it can transform the business and details how it is already being used by the firm.
Sequoia has shared its strategic initiatives for FY25, including organically increasing its licensee market share and restructuring its specialist investment arm.
Like most service providers these days, the financial services industry is filled with people who aspire to mediocrity, but expect top dollar.
It is a scourge and no amount of systems and processes will prevent these errors occurring because put simply, many employees are lazy and just don't care.
Bring on a recession because the service industry needs a good clean out.
It’s quite comical to hear lawyers, politicians and regulators making outrageous claims that their new sets of rules will stop the breaches of wide area networks when what is required is the implementation of new code. The Government has failed to assist developers of new code to have the updates implemented to protect the community. Until such time as Government and Industry start to support Developers with new code they will continue to suffer these horrendous losses.