Reportable situations: Findings of ASIC’s review and how licensees can improve compliance with the regime


Australian financial services and credit licensees have an obligation to report breaches to ASIC under the reportable situations regime. ASIC uses this information to identify and address emerging trends of non-compliance and take regulatory action where appropriate.

Reforms to the reportable situations regime in 2021 expanded what was reportable and pushed for more timely and consistent reporting. However, a recent ASIC surveillance shows that there is still more work to do.

ASIC conducted a review of the policies, processes and practices that 14 licensees had in place to comply with their reportable situations obligations under s912DAA of the Corporations Act 2001 and/or s50B of the National Credit Consumer Protection Act 2009, as at November 2023. ASIC met with licensees for an extensive discussion of their arrangements in the quarter ending June 2024. ASIC reviewed licensees’ incident registers for the three-month period from July to September 2023. ASIC also reviewed all reports lodged by licensees from 1 October 2021 to 30 June 2024.

Findings

The review revealed a number of poor practices among licensees:

  • Licensees were generally slow to report to ASIC. The key driver of these delays was that licensees took a long time to identify breaches in the first place and begin investigating.
  • When ASIC reviewed why this was happening, ASIC found that there were deficiencies in licensees’ incident management, particularly how they identified, escalated and recorded incidents.
  • Most licensees had gaps in how they monitored their own compliance with the regime.
  • These poor practices had real impacts on consumers. The failures to promptly identify breaches meant that licensees were very slow to rectify breaches and remediate customers.

ASIC is seeking compliance outcomes to address these deficiencies from the licensees in the review. We will take enforcement action where appropriate.

Takeaways for General Insurance

1. Keep it simple

In a case study included in the media release, ASIC compared a licensee who had a simple definition of 'incident' with a licensee who had a complex definition. The licensee with the simple definition had the highest number of incidents.

It's pleasing to note that the simple definition is the same definition I advise my clients to use.

‘An incident is an event that occurs where something has gone wrong.’

In contrast, another licensee’s definition was complex and much harder to understand:

‘An incident is an event that occurs when the actual outcome of a business objective differs from the expected outcome due to inadequate or failed processes, people, systems or external events which leads to a financial loss or impact on compliance, our customers, employees, operations, information management or brand. A near miss is an event that arises because the control environment failed to detect or prevent the event from occurring. However, due to the circumstances or good fortune, the event does not result in financial or other non-financial impact, but it had the potential to do so’.

2. Supporting staff

ASIC highlights the importance of staff training at induction and at regular intervals, and of providing a safe environment to raise incidents.

ASIC advises that licensees should maintain a workplace culture where staff are encouraged to be vigilant, raise and escalate incidents, and feel comfortable when doing so.

I would also add that the training must focus on what an incident is rather than regulatory clauses and paragraphs.

3. Assessing complaints for incidents and breaches

ASIC saw indications that complaints-handling staff may not be aware of what constitutes an incident or a breach, or how to record and escalate it. Some licensees did not appear to consider that a single complaint may give rise to an incident or a breach and become reportable. Some licensees only reviewed their complaints monthly, which does not support timely incident management. Discussions with some licensees also suggested a risk that they are not adequately identifying and recording complaints in the first place.

ASIC advises that, as better practice, licensees should carefully consider whether each customer complaint constitutes an incident, breach or reportable situation. They should also conduct regular root cause analysis to reduce the risk of continuing or reoccurring breaches. Complaints should be interpreted broadly in line with the definition outlined in Regulatory Guide 271 Internal dispute resolution (RG 271).

I would add to this that control testing outcomes, including control breakdowns, QA, file reviews, attestations etc., should all be used as sources for identifying incidents. However, the best source remains self-identification.

In respect of quality assurance activity, ASIC adds that licensees’ quality assurance activities should be timely, comprehensive, targeted and well-integrated with the licensee’s incident management framework and breach-reporting function. Licensees should ‘close the loop’, ensuring that identified issues are addressed and learnings shared.

4. Are you escalating and investigating incidents and breaches comprehensively and in a timely way?

ASIC advises that timely escalation and, where necessary, investigation support the regime’s objectives, which are prompt rectification and remediation of issues, and reporting to ASIC. Timely escalation and investigation also reduce the risk of incidents or breaches continuing or reoccurring, and help the root cause of an incident or breach to be identified quickly.

5. Do you capture important information about incidents and breaches in a single register?

I provide a single incident and breach register for my general insurance clients.

ASIC comments: a detailed and mandatory register of incidents and breaches prompts licensees to gather relevant information and conduct thorough investigations. Maintaining a single, comprehensive register helps licensees to understand the nature of their incidents and breaches and to capture necessary insights. It also helps licensees to monitor for systemic issues and the number and frequency of similar breaches.

6. Have you got the necessary arrangements in place to monitor your compliance with the regime?

I provide 'fit for purpose' monitoring programs for my clients. This not only includes employees but extends to service suppliers and authorised representatives.

ASIC says monitoring compliance helps licensees ensure that they meet legal obligations and respond to regulatory changes. Proactively monitoring and tracking compliance allows licensees to identify and mitigate risks of non-compliance that may result in costly legal issues, reputational damage and consumer losses. Regular monitoring of activities that span the whole breach life cycle will give senior management the oversight to ensure compliance arrangements remain effective.

ASIC signals ongoing work to maximise benefits of the reportable situations regime

In a separate media release, ASIC Commissioner Kate O’Rourke said compliance with the reportable situations regime, which requires licensees to promptly identify, fix and report their own problems, can help lift industry standards and in turn improve consumer outcomes. At the same time, the reports submitted help ASIC to detect emerging issues and non-compliant behaviour early and take action where appropriate.

‘We have undertaken extensive work to strengthen the operation of the reportable situations regime since the introduction of the October 2021 reforms, and ensuring that the objectives of the regime are met remains a priority area of work for us in 2024-25,’ Commissioner O’Rourke said.

‘As part of this, we will consult with stakeholders on options for future granular reporting to provide even deeper insights, ahead of our fourth annual publication of reportable situations data in Q3 2025.

‘In addition, we will do further work next year to consider how best to ensure ASIC receives the reports that have the most intelligence value to us, while managing the burden on industry from reporting. We will also undertake a range of work on a sector-by-sector basis to monitor and uplift compliance with the regime, and consider enforcement action where necessary.’

