Breach reporting is not something AFS licensees should fear or avoid. The breach reporting mechanism established by ASIC is nothing more than an expectation that licensees will promptly, responsibly and objectively reflect on every situation to try to improve for next time and report those that are significant enough to warrant the attention of ASIC. So, it’s about continuous improvement and transparency. It’s what most parents expect (or hope) of their children and what you’d likely expect of your employees and business partners, right?
This is how ASIC facilitates the self-regulatory aspects of its mandate. What do I mean by this? No regulator is funded enough to be able to exhaustively monitor all activity within its regulated population. It’s that old adage that regulation is often one step behind innovation, so there’s a gap to be addressed.
In addition to their surveillance and enforcement functions, regulators have a guidance function where they establish expectations about how the regulated population will self-regulate some aspects of what needs to be monitored and acted on and therefore alleviate the regulator from having to do that itself.
Putting mechanisms in place to facilitate self-regulation is also about regulatory efficiencies – some things are better or more efficiently/effectively done by the regulated population than by the regulator itself.
What a licensee’s focus should be on
Whether you agree with this or not, the main game with breach reporting is actually breach identification. That’s what licensees need to focus most on. The ‘whether to report or not’ question will flow from that, and for many of you the reporting question will probably not be a question you come across each year.
But the question of whether there has been a breach or not will come up much more frequently – and if it doesn’t, you should ask yourself why not, because just as few people are perfect drivers, breaches are inevitable for all financial advice licensees. Few licensees’ practices, people and processes are so perfect and work in such harmony together that the licensee complies perfectly with the law at all times.
Many of the ways in which a licensee can breach its obligations are situations that ASIC would be unlikely to become aware of itself, or at least not until a substantial amount of time has passed since the incident. This is why ASIC relies on licensees to assess breaches and report to it anything that it should be aware of. It’s called a policy of enforced transparency. By requiring licensees to be transparent in how they deal with the issues that they discover, it forces licensees to apply higher standards to the matter and then expect those same higher standards of their representatives.
This in turn drives continuous improvement, which can reasonably be expected to raise the quality of advice provided across the industry – well, at least amongst those who have healthy breach identification and reporting functions.
The past focus of breach reporting, however, has largely been about identifying and reporting on misconduct. Although ASIC wants you to report to misconduct, don’t focus solely on behaviour that could be considered to be misconduct. It’s the ‘smaller’ but still significant breaches that might go unidentified and not dealt with that could present a bigger risk to your licence if left unchecked.
How undetected breaches become significant breaches
Where an adviser who was found to have engaged in tombstoning didn’t just start one day submitting applications on behalf of dead people. It is more likely the practice that eventually turned into tombstoning was failing to get clients to sign policy application forms and fact finds.
When the adviser realised that the insurers with whom he was dealing the licensee under which he was appointed weren’t going to enforce personal signatures before accepting the applications, they realised that there was a loophole that could be manipulated in the right circumstances. The adviser realised other parts of applications that were missing could also be filled in by them.
The next step was telling some clients who cried ‘time poor’ that they would deal with the application forms on the client’s behalf and then suggesting actually the clients didn’t need to complete the forms themselves. Once they realised that neither party for whom he was acting as the conduit was monitoring everything he did, completing application forms on behalf of dead people was the next step in perpetrating their fraud.
What can licensee do to protect themselves and their businesses?
It’s important to be mindful of the ‘smaller’ breaches, not just those that are identifiably representative of misconduct. Not everyone who doesn’t get their clients to sign applications or fact finds will be a potential tombstoner – that requires other ingredients such as motivation and character. Nevertheless, failing to remedy the ‘smaller’ breaches tipped the slope for the right person to fall through the cracks into unsupervised inappropriate behaviour.
Try also to not place a value judgement on whether something might be misconduct or not because that will undoubtedly involve a consideration of the character of the person involved as well as their intentions. As any seasoned investigator will tell you – and the insurance claims staff of many insurers who are honest about their team’s approach to claims will no doubt agree – when you start to make value judgements about a person’s character you lose sight of many important facts and can often arrive at a very different (or wrong) conclusion.
Focus instead on the issues and the facts, and that will highlight in light of the four significance factors outlined in section 912D whether the issue discovered needs to be reported to ASIC.
Although it may be different to what you’ve been told before or it may not be your natural reaction when dealing with the authorities (i.e. police, regulators, the ATO), it actually is in your licence’s interest to have a robust breach awareness and reporting function. Not just because this helps define your relationship with the regulator, but because it might show your PI insurer that your capacity to deal with issues that arise mitigates the risks involved with insuring you.
It might not lead to reduced premiums, but it might help avoid premiums increasing when the insurer’s usual reaction would be to do so.
At the end of the day, isn’t that what breach identification and reporting is about – protecting your business? Sustainable and profitable advice practices embrace breaches and breach reporting as a form of feedback and one of several measures of success. They certainly don’t welcome them, but they see them as an important part of protecting their business in the long term.
