Enhancing Compliance with the Reportable Situations Regime – An Enforcement Priority for ASIC in 2024

As February ends, most have returned to work. A return to work officially marks the end of the new year’s celebrations and (the even more distant) Christmas season. Customarily, the start of a new year is accompanied by new year resolutions which are often preceded by a period of reflection or self-assessment of the year that has passed.

In a similar way that individuals assess themselves for new year resolutions, Australian financial services (AFS) licensees and Australian credit licensees must also “self-assess” as part of their licensee obligations under the reportable situations regime. By contrast, these self-assessments are not isolated, year-end events that only occur at the stroke of midnight but are ongoing licensee obligations under the Corporations Act and National Credit Act.

Noting that:

  • in October last year, ASIC released its insights on the reportable situations regime for the financial year ended 2023 (Report 775); and
  • in December last year, ASIC re-issued Regulatory Guide 78 (Breach reporting by AFS licensees and credit licensees) (RG 78); and
  • one of ASIC’s enforcement priorities for 2024 is ensuring that licensees comply with the reportable situations regime,

we thought it timely to revisit some of ASIC’s key messages.

Reportable situations lodged during the 2022/23 financial year “significantly lower” than ASIC’s expectations

A key message in Report 775 is that licensees are still not reporting enough with only 9% of the licensee population lodging a report in the last financial year.[1] Specifically, Report 775 states that 16,836 “reports” in addition to 6,789 “updates” were submitted, reflecting a total of 22,789 report lodgements to ASIC during the last financial year.

The 9% figure according to ASIC is “still much lower than expected”, and accordingly “[ASIC] will be taking stronger measures to achieve enhanced compliance with the regime, including by undertaking a range of surveillance activities and potential enforcement action.”[2]

Scope of Reportable Situations in Report 775

It is worth noting that ASIC does not include all reportable situations that it would have received from licensees because ASIC is only required (under the Corporations Act) to report on a subgroup of all reportable situations that licensees are required to lodge reports for.[3]

As explained in appendix 1 of Report 775, the data in scope for Report 775 are reports lodged with ASIC and APRA about:

  • significant breaches of core obligations, or
  • situations where the licensee is no longer able to comply with a core obligation and the breach, if it occurs, will be significant (likely significant breaches).

However, the Corporations Act not only requires licensees to report to ASIC on the above situations, but also includes the following (amongst others):

  • investigations into significant breaches of core obligations or likely breaches that continue for more than 30 days;
  • the outcome of such an investigation if it discloses there is no significant breach or likely breach of a core obligation;
  • conduct that constitutes gross negligence or serious fraud; and
  • other prescribed circumstances involving the conduct of financial advisers and mortgage brokers who are representatives of other licensees (otherwise known as the obligation to “dob in” other licensees).[4]

ASIC notes that there were 837 reports that it was not initially required to report on (given that reports on investigations are excluded from the scope of ASIC’s reporting obligations) but were later included due to those investigations confirming an occurrence of a significant breach or likely significant breach (which are within the scope of ASIC’s reporting obligations as discussed above).[5]

In any case, a comparison of the reportable situations that ASIC is required to report on, and the list of reportable situations that licensees are required to report to ASIC, shows that there are several situations that are not included in the reported 22,789 lodgements mentioned in Report 775. To clarify, ASIC has excluded from Report 775, reportable situations covering the last four bullet points above.

Push for further reporting

Accordingly, the “complete picture” of reportable situations lodged with ASIC may be more than the reported figure of 22,789, and it would be interesting to know whether the total was significantly more. It would also be interesting to know whether the actual figure of licensees that reported during the 2022/2023 financial year is much higher than what has been disclosed in Report 775, being only 981 (or 9% of a 10,976-licensee population).[6] However, ASIC is not required to show us the complete picture as mentioned above.[7]

Notwithstanding the above, licensees are being urged to report more to ASIC and this includes licensees of all sizes and not just the large licensees that make up most of those reporting. In total, ASIC reports that only 11% of the licensee population have “reported” since the start of the regime. Of AFS licensees with a total reported revenue of $1 billion or more, 88% lodged a report during the reporting period.[8]

Misleading conduct and staff negligence/error make up the majority of types of reportable situations and root causes reported to ASIC

Further interesting observations disclosed in Report 775 are that 44% of the reports lodged to ASIC in the last financial year concerned false or misleading statements and that 66% of root causes for the breaches lodged were attributed to staff negligence/error.[9]

What are “Deemed Significant Breaches”?

In the broad context of the reportable situations regime, making false or misleading statements is one of several “deemed significant breaches” under s 912D(4) of the Corporations Act. “Deemed significant breaches” (by their definition) are breaches that require “no additional steps to determine whether the breach is ‘significant’ before reporting to ASIC.”[10] Put simply, when a “deemed significant breach” occurs, the licensee is spared the seemingly painstaking process (given the extended investigation times outlined in Report 775 and discussed below) of assessing whether a breach is indeed significant based on the factors outlined in s 912D(5). Those factors include:

  • the frequency of similar breaches;
  • the impact of the breach on the licensee’s ability to provide the financial services it is licensed to provide; and
  • the extent to which the breach indicates an inadequacy in the licensee’s arrangements to ensure compliance with its core obligations.

What are “Lesser-known” Deemed Breaches?

In addition to (what could be categorised as) the “better known” deemed breaches that arise from misleading and deceptive conduct, there are the “lesser known” deemed breaches, which aren’t typically obvious to those who are not financial services licensees or financial services regulatory specialists.

One category of lesser-known deemed breaches relevant to AFS licensees is breaches of core obligations that result in a civil penalty provision (other than those carved out by the regulations).[11] To understand how broad this category of deemed significant breaches is, we must first look at the definition of a core obligation. Under s912A of the Corporations Act, core obligations include:

  • the general obligations: doing all things “efficiently, honestly and fairly”, having adequate arrangements for the management of conflicts of interest, complying with the conditions of the licence, taking reasonable steps to ensure representatives (subject to some exceptions) are complying with financial services laws, complying with dispute resolution systems, and the list goes on; and
  • as part of the general obligations, a further subset of core obligations, which includes compliance with the “financial services laws”. The definition of financial services laws in turn leads down a further subset of core obligations, and includes:
    • a provision of several chapters of the Corporations Act including 5C, 5D, 6, 6A, 6B, 6C, 6D, 8A or 8B and also Division 2 of Part 2 of the ASIC Act, and
    • a broad subset of any other Commonwealth, State or Territory legislation that covers conduct relating to the provision of financial services (whether or not it also covers other conduct), but only in so far as it covers conduct relating to the provision of financial services.

The above list of what the core obligations include should provide some idea of how vast the definition of “core obligations” is. Should a civil penalty provision attach to any of the core obligations (sampled above) and a breach of any of those civil penalty core obligations occur, a deemed significant situation automatically occurs and is therefore reportable to ASIC.

Considering the vast number of core obligations there are and the “objectively low threshold” (i.e. a civil penalty provision) required for a breach of a core obligation to become reportable, it becomes apparent as to why ASIC expected more licensees to report and more reports to be lodged.

Naturally, it also raises the question as to whether licensees are aware of how wide the net is of what a significant breach can constitute and if licensees are only reporting on the better known (and perhaps more easily identifiable) breach of misleading and deceptive conduct. The regime is complex, and even seasoned compliance specialists continue to grapple with knowing what exactly is reportable.

Similarly, the high portion of the root causes being attributable to “staff negligence/error” also begs the question of whether licensees are turning their minds to other root causes that breaches can be attributed to, such as inadequacy of internal processes and policies etc.

ASIC wants licensees to be sure that there aren’t other underlying root causes or broader failures in their systems, especially considering the further guidance ASIC provided in the re-issued RG 78 (dated December 2023), particularly paragraphs 165-169.[12] These paragraphs of RG 78 discuss how to answer the root causes questions associated with lodging a report. For example, a licensee should select categories corresponding with the root cause it has identified, and it may select one or more, and it should select all root cause options that are applicable.[13]

Delays and Customer Impact

Excessive delays in resolving investigations remain a concern for ASIC

Considering the complexity of the regime, it is no surprise that licensees took on average 327 calendar days to identify and commence an investigation into a breach in the last financial year. The median days for the same period was 55 calendar days (up from 39 days in the last financial year).[14]

These time frames are a concern for ASIC given that the longer it takes a licensee to commence an investigation, the more customers are likely to be impacted.[15]

What also does not come as a surprise is the fact that where customers suffered a financial loss, the situation was raised by the client rather than the licensee identifying the issue. “This highlights that further improvement is required to strengthen internal risk management activities so that breaches are proactively identified”.[16]

At the extreme end, Report 775 notes that for 820 reports, licensees took more than 5 years to identify and commence an investigation into a breach. ASIC expresses that “[f]urther improvement is required for licensees to identify and commence investigations into breaches in a timely manner”.[17]

Customer losses reported to be $448.4 million

For the last financial year, customers’ reported losses were $448.4 million, impacting 7.2 million customers.[18] As of 30 June 2023, $128.6 million in compensation to just over 1.35 million impacted customers had been paid.[19]

In this regard, ASIC cautions that finalising compensation is taking too long at a median of 22 days and a mean of 87 days and that “licensees must ensure they dedicate sufficient resources to conduct remediation activities so that impacted customers can be compensated in a timely manner”.[20]

ASIC’s Enforcement Measures

ASIC has not made it a secret that it has commenced further efforts to drive improved compliance with the reportable situations regime, stating that the regime is “a cornerstone of the financial services and credit regulatory regimes, and the reports are a critical source of regulatory intelligence for ASIC”.[21]

Where to from here?

We have only scratched the surface of what licensees must report to ASIC as part of their licensee obligations. The process of identifying the scenarios that constitute a reportable situation, determining whether certain reportable situations are “deemed significant” (or not), and those that require further investigation, and finally deciding to report to ASIC, can be complex and daunting. However, given that one of ASIC’s priorities this year is to enforce greater compliance with the reportable situations regime, it’s an area that licensees should prioritise and better understand, ensuring they start the year with the systems and processes in place to efficiently detect and correctly lodge reportable situations to ASIC in 2024.

Please reach out to Erik Setio or Clarisse Berenger if you would like assistance understanding compliance obligations in 2024 under the reportable situations regime.

[1] Report 775 page 3.

[2] Report 775 page 3.

[3] S912DAD of the Corporations Act.

[4] S912D of the Corporations Act.

[5] Report 775 page 28.

[6] Report 775 page 9.

[7] S912DAD of the Corporations Act.

[8] Report 775 page 10.

[9] Report 775 pages 14-15.

[10] RG 78.34.

[11] See RG 78.37.

[12] Report 775 page 16.

[13] RG 78.166.

[14] Report 775 page 18.

[15] Report 775 page 19.

[16] Report 775 page 17.

[17] Report 775 page 18.

[18] Report 775 page 23.

[19] Report 775 page 24.

[20] Report 775 page 24.

[21] Report 775 page 4.