The corporate regulator has announced a review of breach reporting by Australian Financial Services licensees following concerns raised about inconsistencies and delays.
ASIC deputy chair Peter Kell said ASIC will be reviewing and examining the breach reports it has received including who they are from, what is reported and the timeliness of the reports.
“We will then conduct a proactive review of some of the licensees we’ve identified as having a high risk of non-compliance,” said Mr Kell.
Mr Kell stressed that breach reports were an important part of the regulatory framework and that failure to comply with reporting requirements was a criminal offence.
“Some recent enforcement actions against both large and small firms have highlighted deficiencies in the approach to breach reports - in particular, the timeframe for reporting significant breaches,” he said.
Mr Kell said section 912D of the Corporations Act 2001 specifies that AFS licensees must report significant breaches to ASIC “as soon as practicable and in any case within 10 days of becoming aware of a breach”.
“To be clear, this means that a licensee should not wait until after it has completed a full investigation to satisfy itself whether or not the breach or likely breach is significant,” he said.
“Nor should the licensee wait until the breach or likely breach has been considered by its board of directors or by its internal or external legal advisers.”
Mr Kell said breach reports enable ASIC to identify and rectify problems with individual businesses and assess emerging risks and issues, but in order to be effective they must be timely.
“We expect licensees to have robust systems in place for identifying, escalating and reporting breaches in a timely manner,” he said.
“Inadequate or late reporting could indicate to ASIC that the licensee has broader compliance and cultural issues and would be a red flag for closer scrutiny.”
Mr Kell said while ASIC will work with licensees who are operating in good faith and taking their obligations seriously, the regulator will take action if it finds the processes for breach reporting are inadequate.