The Australian Securities and Investments Commission (ASIC) has reviewed the breach reporting of some licensees and made compliance suggestions to all licensees.
The Australian regulator reviewed 14 Australian financial services licensees from different sectors for submitting reports less frequently, or not at all.
The regulator found that the main reasons for these licensees' delays in reporting were that they were slow to identify breaches and commence investigations and that there were deficiencies and gaps in incident management and compliance self-monitoring.
The results revealed that each of these 14 licensees filed between 0 and 53 reports between October 2021 and June 2024. 31% of the reports took more than a year to identify, and the longest time to commence an investigation was over 12 and a half years.
In addition, the licensees under review took an average of 534 days to report to the regulator after a breach first occurred, while the average time to determine compensation for financial consumers was 632 days.
The Commission said that Australian financial services licensees have an obligation to report breaches so that the regulator can obtain information to identify and address emerging trends in breaches and take appropriate regulatory action.
ASIC requires these licensees to address deficiencies and will take regulatory action where appropriate.
ASIC advised all licensees to ask themselves several key questions, including whether incidents and breaches have been identified, whether incidents and breaches have been escalated and investigated in a timely and comprehensive manner, whether important information has been recorded in a single register, and whether the necessary arrangements are in place to monitor compliance.
In addition, the regulator has made suggestions to the licensees to improve work arrangements based on these questions.