Acknowledging improvements are required for the breach reporting regime, ASIC will continue to engage with Treasury and the industry over how the system operates.
In an announcement on Wednesday morning, the corporate regulator recognised there has been significant investment made across the industry and will attempt to minimise further impacts.
“ASIC will continue to engage with Treasury on how the regime is meeting its policy objectives,” ASIC stated.
It added the regulator will continue to engage with the industry on reporting practices adopted by licensees to better understand any issues creating an unnecessary compliance burden.
“ASIC will communicate clear expectations for compliance with the new regime and design solutions to ensure the consistency and quality of reporting meets the policy objectives of the regime, as well as improve the efficiency of ASIC’s data collection and analysis.”
Breach reporting was part of the Red October reforms introduced last year and required AFSLs to report any breaches to ASIC in writing within 30 calendar days it has reasonable knowledge of the breach.
But research by Gadens and Lawcadia found the industry “didn’t know what it was doing” when it came to breach reporting and ASIC chair Joe Longo has acknowledged those struggles.
The system won’t be removed as the regulator stated it provides a “critical source of intelligence” to identify emerging trends of non-compliance in the industry.
“It also allows detection of significant non-compliant behaviours early, facilitating prompt regulatory action where appropriate,” ASIC stated.
ASIC commissioner Sean Hughes said the regulator is aware the regime has led to several implementation challenges.
“However, ASIC remains committed to the successful implementation of this regime and we have developed a comprehensive plan of work to ensure that it meets its objectives for ASIC, industry and consumers.”
Hughes said ASIC will work with stakeholders to find “common-sense solutions”.
“ASIC will consider whether enhancements are required to the approved form on the regulatory portal for lodging reports. We will also consider whether further practical guidance should be developed to assist licensees in meeting their obligations.”
Reporting the reports
ASIC will release its first public report in October which will include “high-level insights into trends” from the first nine months of the regime’s operation.
The report will not name licensees nor refer to the nature or number of reports lodged by specific licensees.
Because none of the published data and insights will be at a licensee level in the report, ASIC isn’t consulting with stakeholders on the information being published.
However, that is subject to change over time and the regulator will consider its approach to the 2023 public report and whether it should include a list of all licensees that have made reports during that period.
The regulator plans to consult with stakeholders if it does go in the direction of licensee-level granular public reporting which isn’t expected until 2024.
