The Australian Securities and Investments Commission (ASIC) has published a report REP 594 Review of selected financial services groups’ compliance with the breach reporting obligation which sets out the findings of its review of Australian financial services (AFS) licensees’ compliance with their breach reporting obligation under section 912D of the Corporations Act 2001.

Section 912D requires all Australian Financial Services (AFS) licensees to report to ASIC a ‘significant breach’ within 10 business days of becoming aware of it.

The report identifies delays in the time taken to identify, report and correct significant breaches of the law among Australia’s financial institutions.

ASIC has endorsed proposed changes to the law to improve breach reporting: ASIC Enforcement Review Taskforce Recommendations.

The purpose of the review was to consider selected financial services groups, covering all their AFS licensees. Depending on the groups’ diversity, these licensees provided services such as banking, superannuation, investment management, insurance, and financial advice.

The financial services groups were the four major banks (ANZ, CBA, NAB and Westpac) as well as 5 other banks, one credit union and two mutual banks.

The review examined their breach reporting process. their breach rectification process and their breach management culture.

Key findings from the report include:
Delayed identification of incidents: financial institutions are taking too long to identify significant breaches, with the major banks taking an average time of 1,726 days (over 4.5 years).
Delayed remediation for consumer loss It took an average of 226 days from the end of a financial institution’s investigation into the breach and first payment to impacted consumers. (This is on top of the average across all institutions of 1,517 days before the breach is discovered and the time taken to start and complete an investigation.)
The significant breaches (within the scope of the review) caused financial losses to consumers of approximately $500 million, with millions of dollars of remediation yet to be provided.
Lengthy investigations leading to delayed reporting: The process from starting an investigation to lodging a breach report with ASIC also takes too long, with major banks taking an average of 150 days.
Failure to report to ASIC within 10 business days: Once a financial institution has investigated and determined that a breach has occurred and that it is significant, the law requires that the breach be then reported to ASIC within 10 business days. One in seven significant breaches (110 of 715) were reported later than that 10-business day requirement.
Lack of effective and searchable incident and compliance systems: Some AFS licensees’ current systems had limited search functionality. This, in combination with a fragmented approach to recording information over many databases, inhibited the identification and investigation of a number of significant breaches. It also limited licensees’ capacity to understand their overall management of breaches. This, in turn, limits the AFS licensees’ broader lessons learned opportunities:
Inconsistent reporting of significant breaches: The subjective nature of the tests of significance in s912D(1)(b) contributes to delays and inconsistencies in reporting significant breaches to ASIC. The reviewed financial groups assess significance from their own perspective in the absence of an objective test.

In the review, ASIC did not re-assess or re-investigate the underlying breach by an AFS licensee. Nor did it include in the scope of its review whether the decision not to lodge a breach report with ASIC was appropriate, other than to highlight the inconsistency of the application of ‘significance’ in practice.

ASIC’s expectations for AFS licensees are:

• Compliance with breach reporting obligation, including reporting to ASIC within 10 business days;
• Greater capacity and speed in identifying and investigating incidents, and reporting significant breaches to ASIC;
• Demonstrate a sound breach management culture that makes breach reporting a priority;
• Demonstrate a sound breach management culture that makes consumer remediation a priority;
• Make the most of the lessons learned opportunities that each breach presents

You can download Bright Law’s Breach Reporting Guide here.