ASIC won’t “name and shame” in new breach reporting regime (for now) and pursues more industry consultation and guidance

Craig Hine, David Gerber, Steven Klimt, Matt Daley, Vanessa Pallone
18 Aug 2022
Time to read: 1.5 minutes

Licensees won’t be named in ASIC’s first public report on breach reporting.

ASIC has provided some welcome relief to AFS and credit licensees by confirming that it won’t publicise the names of licensees individually in its first public report, but will focus on improving the operation of the new “reportable situations” regime as part of its 2022-23 priorities.

The breach reporting regime: the background

The new regime commenced on 1 October 2021 for Australian financial services and credit licensees. It requires those licensees to submit notifications to ASIC about any “reportable situations”. These extend to situations involving significant breaches or likely significant breaches of core obligations to ASIC and investigations into such matters, the outcomes of those investigations, conduct that constitutes gross negligence or serious fraud and certain conduct of financial advisers and mortgage brokers.

ASIC previously released guidance in its updated Regulatory Guide 78: Breach reporting by AFS licensees and credit licensees (RG 78) and Information Sheet 259: Complying with the notify, investigate and remediate obligations (INFO 259). ASIC also has further guidance available on its website in relation to notification via the ASIC Regulatory Portal. However, since the regime commenced there have been reports in the media of inconsistent approaches to interpretation of the legislation and reporting, and licensees being overwhelmed by the increased compliance burden.

Licensees won’t be named in ASIC’s first public report

ASIC must release an annual report on information provided to it under the reportable situations regime.

That information could include the names of licensees and the volume of their reported breaches, a possibility that led to some concern, given the reporting volume from large institutions and the potential for negative reputational consequences.

ASIC has eased those concerns, at least for now, by providing some insights into what will be included in its first public report. It has confirmed that its first public report, due to be published in October 2022, will include high-level insights into trends observed in licensee reports lodged between 1 October 2021 to 30 June 2022. Importantly, it will not name licensees and will not refer to the nature or number of reports lodged by specific licensees. This means ASIC won’t consult with stakeholders on the information to be published in its first report.

A bigger question is how long this position will last. More granular reporting may appear in subsequent years, starting with a list of all licensees who have reported to ASIC in the 2023 report. ASIC says it will consult with stakeholders in advance of the commencement of licensee-level granular public reporting.

Further consultation and guidance to clarify the compliance challenge

With the current state of guidance, licensees have been unclear exactly what their compliance burden is.

ASIC indicated it has developed a comprehensive plan of work in relation to the reportable situations regime, and plans:

  • further engagement with industry to better understand the issues creating an unnecessary compliance burden;
  • to communicate clear expectations for compliance with the new regime; and
  • to design solutions to improve the consistency and quality of reporting.

ASIC acknowledged there has been a number of implementation challenges, but remains committed to its successful implementation. It says it will continue to engage with industry on licensees’ reporting practices to further understand any issues that are placing unnecessary compliance burden on industry.

What do licensees need to do now?

While ASIC’s decision not to name licensees this year will be welcome, it remains possible that ASIC will “name and shame” in next year’s report. In the meantime, licensees should be ready to engage in any consultation process and look out for any further guidance on breach reporting to confirm that they are operating in accordance with it, or to be able to effect any necessary changes.

Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.