Regulator slams ‘mischievous’ breach reporting

Speaking in front of a senate public hearing in Sydney on Friday, Mr Medcraft said the recently aired issues with NAB’s financial planning division had served to highlight the issue.

When it comes to breach reporting, ASIC has identified two issues, Mr Medcraft said: what actually constitutes a ‘significant’ breach and the time it takes to disclose the issue to ASIC.

Asked by Nationals senator John Williams if the word ‘significant’ should be removed from the legislation, Mr Medcraft said it was “a matter for government”.

“Frankly, I think there is a lot of mischief that goes on with the word ‘significant’. I’ll be blunt – I think there is abuse,” he said.

The abuse exists at “both ends of the spectrum”, Mr Medcraft said – with issues labelled ‘significant’ when they are not and vice versa.

In addition, some companies can take “several years” to decide whether or not an issue is significant, he added.

“We have a system that relies on people to report breaches that [ASIC] rules on. If they’re not ‘significant’ breaches and they’re not getting reported then that’s a problem,” Mr Medcraft said.

ASIC deputy chairman Peter Kell said the regulator also lacks the ability to respond to inadequate breach reporting.

“We told [a previous] senate inquiry the only remedy we have for failure to breach report is a criminal remedy. That’s a very high standard of proof.

“We think this could be an ideal provision for a civil remedy provision.

“It would allow us to move faster and more effectively when there has been a failure to breach report.

“The issue of significance, as well as the nature of the remedy we have, both inhibit our ability to deal with breach reports [in a way] that would send a strong message,” Mr Kell said.