With ASIC’s ongoing breach reporting surveillance project into banks revealing that on average it takes four years for breaches to be identified for investigation, it is abundantly clear that breach reporting processes need to improve.
The fifth round of public hearings before the Financial Services Royal Commission has highlighted further allegations of misconduct in financial services, with questions being asked about the superannuation sector and management of conflicts of interest, remediation of customers and whether trustee boards have been acting in their members’ best interests.
The Royal Commission process is raising important policy issues that go to the heart of good governance and the role of the board and management, and the AICD will continue to closely engage on these issues. An important area of focus is the role of the regulators – ASIC and APRA - and approaches to dealing with them.
The Banking Executive Accountability Regime (BEAR) brought in specific obligations regarding dealings with APRA. In particular, under the BEAR, ADIs and ‘accountable persons’ of ADIs, or of subsidiaries of ADIs, now have an obligation to deal with APRA in an ‘open, constructive and co-operative way’. ADIs also have an obligation to notify APRA of specific events – including where they become aware of a breach of their or an accountable person’s accountability obligations under the BEAR.
While there are no equivalent broad-sweeping provisions along the lines of the BEAR provisions that apply to ASIC regulated entities, it is timely to highlight the breach reporting obligations that apply to Australian financial services (AFS) licensees and responsible entities under the Corporations Act. The Royal Commission will no doubt be prompting introspection by all AFS licensees who should be reviewing their internal systems for identifying breaches, and critically examining their approach to dealing with the regulators.
At a board level, directors on relevant boards should be asking themselves:
- Is there a breach reporting policy in place? How regularly is it reviewed?
- Are we satisfied that robust internal systems are in place to identify and notify breaches?
- Are lines of accountability and authority clear, to avoid unnecessarily protracted processes which may delay a breach report?
- Is a breach register maintained?
- Does the board receive reports on all reported breaches in a timely manner?
- How are staff disciplined for significant breaches of the law?
- Are there remuneration consequences for significant breaches of the law?
- Have internal and/or external reviews of breach reporting processes been undertaken?
AFS licensees have a number of obligations under the Corporations Act, including, for example, to comply with the financial services laws set out in the Corporations Act; to do all things necessary to ensure that the financial services covered by their AFS licence are supplied efficiently, honestly and fairly; and to take reasonable steps to ensure that representatives comply with the financial services laws.
As it currently stands, the law provides that AFS licensees must tell ASIC in writing within 10 business days about any significant breach (or likely breach) of their obligations. ‘Significant’ is not defined, so whether a breach is significant depends on the circumstances, and a judgment call will be necessary having regard to a number of factors, including the number or frequency of similar previous breaches; the impact of the breach on the licensee’s ability to supply the financial services covered by the licence; the extent to which the breach indicates that the licensee’s arrangements to ensure compliance with its obligations are inadequate; and the actual or potential financial loss to clients, or to the licensee, arising from the breach.
The breach reporting regime has been recently considered by the ASIC Enforcement Review Taskforce and is the subject of a number of recommendations in the Taskforce report released in April 2018, including that the significance test be clarified to ensure that the significance of breaches is determined objectively; that the obligation to report should expressly apply to misconduct by an employee or representative; and that significant breaches (and suspected breach investigations that are ongoing) must be reported within 30 days. The Government response agrees, or agrees-in-principle, to all recommendations in the Report so we can expect reform in this area.
ASIC has identified poor standards of compliance in terms of timeliness and consistency of breach reporting amongst the largest financial institutions. In ASIC Deputy Chair Peter Kell’s witness statement to the Royal Commission, he acknowledges that ASIC has held concerns for some time that financial services entities are not consistently complying with their statutory breach reporting obligations by either not reporting, or not reporting in a timely and consistent manner.
The statement referred to a number of key preliminary findings of ASIC’s ongoing breach reporting surveillance project (which is based on a quantitative analysis of data from 12 banking groups for the period 2014 to 2016) including that the average time taken from a breach occurring to the institution identifying it internally for investigation was 1,552 days — or just over four years. On average it took an additional 123 days — or about four months — from the start of an internal investigation to lodging a breach report with ASIC.
It is abundantly clear that breach reporting processes need to improve, and these findings may well prompt recommendations for reform from Commissioner Hayne.
With the APRA report into CBA highlighting the need for boards to take a proactive approach to managing non-financial risks, all regulated entities should be taking a close look at their own policies and practices, and testing whether they would hold up to public scrutiny.