ASIC has given encouragement to smaller Australian financial services licensees for an increase in breach reports, but larger AFSLs are still carrying the load.

The regulator’s third annual Insights from the reportable situations regime report – into what is colloquially known as breach reporting – found larger AFSLs still lodged a higher proportion of reports compared to smaller licensees, in line with previous reports.

However, ASIC noted that while there was a 7 percentage point decrease in the proportion of lodgements from AFSLs with over $1 billion in revenue, there was an increased uptake in reporting from smaller AFSLs.

“While it is still mostly the larger licensees that are reporting under the regime, we expect all licensees, regardless of size, to have robust systems and processes in place to ensure timely detection and reporting of any non-compliance,” the report said.

“If there are reasonable grounds to believe that a reportable situation has arisen, it is a legal obligation for licensees of any size to lodge a report with ASIC. Failing to report to ASIC when a reportable situation has arisen can attract both civil and criminal penalties.”

Breakdown of AFS licensee reporting by size

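| Licensee revenue | FY24 number of reports | FY24 percentage of reports | FY24 number of lodgers | FY23 number of reports | FY23 percentage of reports | FY23 number of lodgers |
|---|---|---|---|---|---|---|
| Less than $50m | 739 | 9% | 415 | 719 | 6% | 332 |
| $50m-$249m | 2912 | 34% | 380 | 3186 | 27% | 371 |
| $250m-$999m | 1377 | 16% | 47 | 3493 | 30% | 38 |
| $1b or more | 3557 | 41% | 38 | 4153 | 36% | 36 |
| No revenue data available | 51 | 0.6% | 33 | 72 | 0.6% | 36 |
| Total | 8636 | 100% | 913 | 11,623 | 100% | 813 |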

Source: ASIC reports from 2024 and 2023.

ASIC said the most notable change was reports about superannuation, increasing from 4 per cent in FY23 to 7 per cent. Financial advice remained at 7 per cent over both reporting periods.

Breach reporting commenced in October 2021. Although ASIC assured the industry it would take a lighter approach to regulating the new system as the industry settled in, a report six months into the regime from law firm Gadens and Lawcadia found half of the industry was struggling to understand its specific obligations under the law.

ASIC acknowledged the industry had been struggling with the regime and worked further with Treasury to help the system better fulfil its policy objectives.

The regulator released its first annual report into breach reporting in 2022, which found almost three-quarters of breaches were reported by only 23 AFSLs or ACLs.

The inaugural report found only larger licensees were reporting, with the regulator calling on smaller licensees to step up. This finding was echoed in its second report, which it released last October.

In line with the previous reporting period, the 6360 AFSLs reported more breaches than the 4615 credit licensees.

Number of reports, and number and percentage of licensees who have lodged a report, by licence type

| Licensee type | Number of reports FY24 | Number of reporting licensees FY24 | Number of reports FY23 | Number of reporting licensees FY23 |
|---|---|---|---|---|
| AFSL | 8636 | 913 | 11,623 | 813 |
| ACL | 4088 | 161 | 5711 | 168 |

Source: ASIC reports from 2024 and 2023.

Both AFSLs and credit licensees reported they had paid a total of $92.1 million in compensation to approximately 494,000 impacted customers in relation to the breaches reported in the reporting period.

This meant that AFSLs and ACLs had paid out approximately 32 per cent of the total customer financial loss reported and had compensated 17 per cent of financially impacted customers for the reporting period.

However, licensees were taking less time to remediate affected customers – the median time taken was 24 days in FY23, dropping to 16 days in FY24.

As with previous reports, staff training on internal policy and procedures was the most common way for licensees to rectify a breach (41 per cent of the time, down from 44 per cent in the previous report), with staff error being reported as one of the root causes in the vast majority of reports.

Communication to customers remained around the same (33 per cent in FY24 versus 32 per cent in FY23), while financial compensation increased to 16 per cent from 12 per cent.

The median time taken from the “commencement of an investigation” to the “rectification completion” was three calendar days, but ASIC said the time to rectify breaches varied too greatly.

“In half of the reports, licensees took, or were expected to take, a week or less to rectify a significant breach after the investigation started,” the report said.

“However, there were 102 reports where licensees took, or were expected to take, more than a year to completely rectify the breach after commencing their investigation. Licensees should rectify breaches effectively and within a reasonable timeframe to minimise further harm to customers.”

Time taken to rectify a significant breach after commencement of investigation

Source: ASIC
