
ASIC’s first report into the new reportable situations regime – Financial Services


ASIC has recently released its first publication setting
out insights into the effectiveness of reporting and the
performance of licensees under the new reportable situations
regime, Report 740 Insights from the reportable situations regime
(Report 740).

While the report did not name and shame any individual
licensees, ASIC has indicated that in future publications its
approach to reporting practices will evolve and provide greater
detail, including the possibility of naming licensees.

Notwithstanding the limits of the report, it does contain some
surprising findings.

  1. Number of reports: Industry bodies had
    previously forewarned that the regime would result in large
    increases in the number of reports lodged; however, the data
    suggests that this concern has not materialised.

    ASIC has expressed concern about what it considers to be low levels
    of licensee reporting during the first nine months of the regime
    between 1 October 2021 and 30 June 2022 (only 6% of total AFSL and
    ACL holders have provided reports in the reporting period)
    particularly given the recent inclusion of credit licensees. Of
    note, 74% of all reports filed in the reporting period were by just
    23 licensees.


  2. Speed of licensees: While licensees appeared
    to act quickly to rectify an issue once it had been identified,
    ASIC believes licensees were still too slow to:

    • identify issues (18% had been in existence for more than a year
      prior to being identified);

    • complete their investigation (5% took longer than a year to
      complete the investigation); and

    • complete any necessary remediation (12% of all remediations
      took longer than a year to complete).


  3. Deemed reporting: The regime’s shift to a
    deemed significance test appears to have had a material impact on
    reporting with 90% of all reports falling under a ‘deemed
    significance’ category.

  4. Ongoing guidance: ASIC proposes that it will
    provide further guidance to licensees in areas where it considers
    there are inconsistencies with reporting or clear errors in the
    data. For example, ASIC has identified an overuse of the ‘human
    error’ root cause category.

Overview

As part of the new reportable situations reporting regime
introduced on 1 October 2021, ASIC is obliged to publish
information about the reports it receives. Report 740 is the first
such publication from ASIC.

As foreshadowed in our previous Insight, Report 740 does not identify any
individual licensees which have lodged reports with ASIC for the
regime. Interestingly, ASIC says that Report 740 does not provide
data with a high level of granularity due to inconsistencies in
reporting practices between licensees.

However, Report 740 does set out statistics relating to the
number of reports lodged, the composition of those licensees, the
subject and root cause of the issues that are the subject of the
reports, as well as the timing of identification, investigation and
remediation. These are addressed below, together with some of our
insights on the relevant issues.

Statistics

Volume of reports and who is reporting




8,829 reports and 2,530 updates were submitted


More than half of the reports were lodged by AFSL holders


Only 6% of total licensee population (both AFSL and ACL holders)
lodged a report

The 8,829 reports represent a nearly fourfold increase over a
nine month period compared with the previous 12 month reporting
period (1 July 2020 to 30 June 2021) where 2,530 breach reports,
including updates, were received in a full financial year.

The data indicates that reporting licensees are a mixture of
both credit (38%) and AFS licensees (62%).

ASIC has indicated that the increased volume of the reporting is
due to credit licensees becoming subject to the reportable
situation requirements under the new regime in addition to the
deemed significance test. Notwithstanding this increase, ASIC has
been critical of what it considers to be significant
under-reporting.

ASIC also says that it expects, despite the requirement for
compliance, breaches to occur and thus equates the lack of breach
reports to a potential failure in the systems and processes
required to detect non-compliance.

Corrs insight

While lower than expected numbers may be the result of an
overall uplift in processes and systems across the industry
following the Financial Services Royal Commission, it could also be
an indicator of a lack of proper engagement and adequate
implementation of the new requirements (such as the requirement to
report open investigations of more than 30 days). Alternatively it
could be the result of a de facto materiality test being applied to
issues prior to reporting.

As noted above, only 6% of licensees have provided reports under
the new regime (consisting of 9% of all financial services
licensees and 3% of all credit licensees) and Report 740 covers a
nine month period, yet despite this, there has been a four-fold
increase in reports compared to the previous regime. If a greater
number of licensees were reporting, and the data covered a 12 month
period, it could be expected that the number of reports under the
new regime would be significantly greater than for pre-October
2021.

While we agree that the 6% level of reporting licensees is
small, in our view this may speak to the differentiated levels of
resources which licensees have. Further, feedback from our clients
is that while larger licensees may be adopting a more
‘conservative’ position in their reporting, this may not be
the case for the industry as a whole.

Based on the commentary, it certainly appears that ASIC’s
preference is for a conservative approach to be adopted. ASIC makes
it clear that it expects all licensees, regardless of size, ‘to
have adequate systems in place to detect and report
non-compliance’.




Licensees with greater revenue are reporting more

It was noted in Report 740 that larger licensees have lodged the
majority of the reports with 61% of the reporting licensee
population earning $1,000m or more in total revenue. This can also
be seen from the fact the data indicates that just 23 licensees
submitted 74% of the total reports.

Corrs insight

Given the information in Report 740 is based primarily on
reports lodged by a small number of larger licensees, we recommend
caution be exercised not to draw industry-wide conclusions in light
of the small and potentially unrepresentative sample.

Subject of reports and root cause of breaches




38% of the reports lodged related to credit products

ASIC states that a significant proportion of reports were in
respect of one-off breaches of specific responsible lending
obligations arising from staff negligence or error, with 60% of all
reports identifying this as the sole root cause of the breach.

The top ten most reported products in reports were:

  1. Home loans (25%).

  2. Motor vehicle insurance (13%).

  3. Personal transaction accounts (5%).

  4. Credit cards (5%).

  5. Home building insurance (4%).

  6. Home contents insurance (3%).

  7. Personal loan (3%).

  8. Superannuation account (3%).

  9. Business loans (3%).

  10. Investment property loans (2%).

Corrs insight

In our view, the composition of the products reported above
demonstrates that credit products and insurance products continue
to be areas of key risk and that increased investment in compliance
for these areas may be necessary.




False or misleading statements – most common category

Report 740 states that the most common category of reported
issue was ‘false and misleading statements’ (34%). This is
unsurprising given the broad ambit of misleading and deceptive
conduct as ‘deemed significant breaches’ under the new
regime. Unsurprisingly, ASIC reported that most of these ‘false
and misleading statements’ (30%) related to statements about
products, regarding service information or in warning
statements.

The second most popular category was reporting relating to
lending (21%) and general licensee obligations with 7% of the
reports for general licensee obligations relating to the obligation
to act efficiently, honestly and fairly. Again this is unsurprising
given the broad nature of this obligation and its increasing
popularity with ASIC in enforcement activity.

Corrs insight

The high level of reports relating to false or misleading
statements is powerful substantiation for reform of the use of this
issue category in the reportable situations regime. In our previous
Insight, we recommended a high materiality threshold be introduced
for misleading or deceptive conduct. Our clients tell us that they
feel that they need to report issues to ASIC which are unlikely to
have been intended to be covered by the regime, such as incorrect
addresses and contact details in marketing materials.




Staff negligence and error was the root cause for 60% of the
reports

ASIC says that it is concerned with the fact that 55% of reports
where the licensee had reported that there had been a previous
similar breach had selected ‘staff negligence and error’ as
the sole root cause. The regulator is doubtful that the licensees
in these situations are identifying and addressing the underlying
root cause for these reportable situations.

Corrs insight

While it may be the case that some licensees are not identifying
the underlying root cause of the reportable situations, we also
note that the products that are the key areas of reporting to ASIC
are retail in nature. ASIC has indicated that it intends to issue
further guidance as to when it considers it appropriate for a
licensee to select ‘staff negligence or error’ as the root
cause of a breach.

Identification and investigation of breaches




79% of breaches were identified from internal sources

Report 740 states that 79% of breaches reported were identified
by the licensee from internal sources. ASIC says that this
highlights the importance of internal risk management. However,
ASIC also notes that there are some inconsistencies between the
reporting of identification triggers using an example of licensees
recording the internal trigger to be ‘staff or business
unit’ when a staff member had identified an issue as a result
of a customer complaint. Interestingly, 79 reports recorded the
identification trigger to be ASIC.

Corrs insight

We note that while the majority of issues are identified from
internal sources, only 14% were identified as a result of
compliance activities. This is a reassuring outcome as it
demonstrates a level of ownership by business units to call out
those situations where something has gone wrong.

Time taken to identify and commence investigation into
breaches




Median time – 39 calendar days

Mean time – 380 calendar days

The time taken to identify and commence investigations is
another concern of ASIC, particularly as Report 740 identifies 582
reports where it had taken five or more years to identify and
commence an investigation. ASIC states that it expects licensees to
have systems in place for significantly swifter identification and
investigation of non-compliance.

Corrs insight

While the 582 report figure is notable to ASIC, we also note
that this represents less than 7% of all reports, and the number of
reports where the time taken to identify and commence an
investigation into a breach was 30 days or less was 44%.
Additionally, the 582 reports may also represent the legacy nature
of many retail products that have been available.




More time taken = more customers impacted

Report 740 concludes that ‘[i]nvestigations involving a
greater number of customers impacted took longer to complete’,
and that:

“The earlier that issues are identified, the fewer
customers that are likely to be impacted, and the less time and
cost that is likely to be associated with investigating the issue.
ASIC has taken this as an opportunity to emphasise the importance
of early identification of breaches and the requirement to allocate
sufficient resources to ensure that investigations are carried out
in a timely manner.”

Corrs insight

On the basis of the information in Report 740, we do not
necessarily agree with ASIC’s conclusion that the earlier
issues are identified then the fewer customers will be impacted.
ASIC’s conclusion will hold for recurring events – the longer
the total duration of such events then the more likely it will be
that more customers are impacted. However, it does not hold for
non-recurring events – customer impact is ‘one off’ and
determined solely by the unique circumstances of that event.

Customer impact




Customers impacted in 82% of reports

43.7 million customers impacted

56% of reports impacted a single customer

Whilst 82% of reports noted that a customer had been impacted,
only 23% had reported a financial loss with the total financial
loss across all reports to be approximately $368.5 million.

More than half of the reports (56%, 4,928) were said to have
only impacted a single customer. Additionally, in 17% of reports
(1,507) there was said to be not a single customer impacted at
all.

Corrs insight

That 1,507 reports were lodged where no customer was affected by
breaches speaks to a reporting regime that is arguably
misallocating compliance resources: a requirement to lodge a report
where there is no customer impact diverts those resources from
matters where there is customer impact.

It may be that some licensees have lodged a report prior to
understanding the full level of customer impact, and that at a
later time customer impact was identified. If this was not the
case, then we recommend ASIC and Treasury carefully consider
amending the regime to address this by including appropriate
materiality thresholds and consider the significant compliance
burden the new regime is placing on licensees.

A similar comment can also be made about the 56% of reports
which disclosed only one customer was impacted. Taken together,
Report 740 indicates that 73% of reports lodged had either nil or
one customer impacted, which is a significant proportion.

Remediation




$51.6 million in compensation to 455,210 impacted
customers

In 96% of cases, licensees recorded an intention to remediate


Time taken to finalise compensation after commencement:


  • Median – 37 days

  • Mean – 120 days

Due to 4% of cases recording no intention of remediation, ASIC
has emphasised the requirement to initiate remediation if a
licensee or a representative has engaged in misconduct. While ASIC
acknowledged that some of the 4% may have been mistaken about their
intention to compensate customers, ASIC has also warned that it is
considering its regulatory response in relation to the remaining
cases.

Corrs insight

It is difficult to state with certainty whether the 4% is of
concern, as it may be that remediation has already occurred or
would be futile (for example, redundant legacy products).

Rectification

Report 740 states that 67% (5,972) of reports indicated that a
breach had been rectified within 30 days of commencement of an
investigation. For 0.6% (54) of reports, rectification would take a
year or more.

Corrs insight

That 67% of reports showed rectification occurred within 30 days
of the commencement of an investigation shows that the reporting
licensees have given a high priority to doing so. It is difficult
to draw many conclusions from this data as Table 17 of Report 740
appears to omit information on 16% of reports lodged.

What is missing?

We note that one curious omission in Report 740 is the absence
of any data regarding reporting under the ‘dobbing in’
provisions. Appendix 1 simply states that ‘reports made to ASIC
about another licensee’ are out of scope. This is unfortunate
given that data on this aspect of the regime would have been a
useful signpost to licensees regarding how these provisions are
being interpreted and applied in practice.

What can we expect?

Report 740 noted numerous concerns of the regulator. In response
to these concerns, ASIC proposes:












| ASIC concern | ASIC response |
| --- | --- |
| Low level of licensee population lodging a report | ASIC to undertake a range of activities to strengthen compliance. |
| Underlying root cause not being correctly identified | ASIC to issue guidance regarding when ‘staff negligence or error’ is the root cause |
| Inconsistencies with identification triggers | Intention to issue further guidance to ensure more consistent reporting. |
| Licensees that do not intend to remediate their customers | Considering their regulatory response |

It is evident that whilst there are some inconsistencies with
licensees recording their reportable situations, ASIC will use this
industry data to inform its supervisory and enforcement priorities.
ASIC has previously confirmed that as part of its 2022-23
regulatory priorities, it intends to focus on improving the
operation of the reportable situations regime. At the time it was
announced in August 2022, this approach came with an explicit
recognition from the regulator that the regime had created a number
of implementation challenges for licensees that it will seek to
address.

In the interim, licensees can expect ASIC to provide further
detail in future publications. ASIC has flagged that this may
include a list of all the licensees that have reported to ASIC.
However, ASIC will consult with ‘stakeholders’ before
commencing ‘more granular public reporting’ which is likely
to commence in 2024.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.




