ASIC’s recent review of reportable situations (4th December 2024) revealed a number of poor practices among licensees (the review covered 14 licensees across all financial sectors):
- Licensees were generally slow to report to ASIC. The key driver of these delays was that licensees took a long time to identify breaches in the first place and begin investigating.
- When ASIC reviewed why this was happening, it found deficiencies in licensees’ incident management, particularly in how they identified, escalated and recorded incidents.
- Most licensees had gaps in how they monitored their own compliance with the regime.
- These poor practices had real impacts on consumers. The failures to promptly identify breaches meant that licensees were very slow to rectify breaches and remediate customers.
Start with a focus on incidents
GI licensees should focus on raising awareness among staff and authorised representatives so that they can identify and raise incidents. This ensures that all potential harm and areas for continuous improvement are identified in a timely manner, potentially before a breach of an obligation (or of an Industry Code) has arisen.
ASIC advises adopting a simple definition of an incident. This reduces the risk of the business acting as a filter or blockage. Once an incident has been pushed into the incident pipeline, an experienced person can review it and determine whether it is a breach, or likely breach, of an obligation.
‘An incident is an event that occurs where something has gone wrong.’
Operational risk incidents
All incidents have the potential to cause harm or detriment. Adopt the APRA CPS 230 definition of operational risk:
‘Legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk and change management risk.’
To this definition, add financial risk incidents (including insurance risk) and strategic risk incidents.
Reportable situations
Once an incident has been identified, raised and reported by the business and/or by distributors and service suppliers, the incident(s) need to be categorised and managed to ensure proper treatment.
Incidents need to be considered individually and as part of a group, in case an emerging trend or theme becomes apparent.
Compliance incidents need to be considered in the context of the reportable situations regime. In addition, they must be considered in the context of all financial services laws, privacy laws and any relevant Code, as well as the separate reporting regimes that apply to APRA insurers, the privacy notifiable breaches scheme and the relevant industry Codes.
The reportable situations regime arises under s912DAA of the Corporations Act (see also RG 78).
There are three types of reportable situations for general insurance:
(a) breaches or ‘likely breaches’ of core obligations that are significant;
(b) investigations into breaches or likely breaches of core obligations that are significant;
(c) additional reportable situations.
What does significant breach mean?
There are two ways to determine whether a breach is significant:
(a) Deemed significant breaches: In certain situations, a breach or likely breach of a core obligation is taken to be significant;
- Generally speaking, a breach is deemed significant if it is a civil/criminal penalty breach; however, s912D should be referenced and legal advice obtained.
- A breach of the AFS Licence general obligations in s912A(1) is a civil penalty breach (other than the general obligation to comply with licence conditions).
- A breach of the misleading or deceptive conduct prohibitions; however, ASIC Instrument 2021/716 covers insignificant contraventions of core obligations relating to a single breach of the misleading or deceptive conduct prohibitions.
- Breaches that result, or are likely to result, in material loss or damage to a person or persons to whom the AFS licensee or a representative of the licensee provides a financial product or a financial service as a wholesale or retail client.
(b) Other breaches that may be significant: In other situations, a breach or likely breach of a core obligation will need to be considered against the factors in s912D(5) of the Corporations Act. These factors are:
(a) the number or frequency of similar breaches;
(b) the impact of the breach or likely breach on the licensee’s ability to supply the financial services or engage in credit activities covered by the licence;
(c) the extent to which the breach or likely breach indicates that the licensee’s arrangements to ensure compliance with those obligations are inadequate; and
(d) any other matters prescribed by the regulations.
Reportable investigation
Investigations into whether a significant breach (or likely significant breach) of a core obligation has occurred, and that continue for more than 30 days, must be reported to ASIC as a ‘reportable situation’. See s912D(1)(c) of the Corporations Act.
Additional reportable situations
You must also report to ASIC certain additional reportable situations: see s912D(2) of the Corporations Act. If an additional reportable situation arises, you must report it to ASIC irrespective of whether or not it is ‘significant’. Additional reportable situations include when you or your representative:
(a) engage in conduct constituting gross negligence in the course of providing a financial service; or
(b) commit serious fraud.
When and how to report to ASIC
As a licensee, you must tell ASIC in writing within 30 calendar days after a reportable situation has arisen. See s912DAA of the Corporations Act.
The reporting period starts on the day you first know that, or are reckless with respect to whether, there are reasonable grounds to believe that a reportable situation has arisen.
You must report to ASIC in the prescribed form, through the ASIC Regulatory Portal.
Compliance systems and identifying, recording and reporting breaches
Having robust breach reporting systems, processes and procedures in place to meet the breach reporting obligation is a critical element of a licensee’s compliance and risk management framework. ASIC considers that a failure to report a significant breach (or likely breach) is likely, in itself, to be a significant breach of your obligation to comply with the financial services laws. This is because it indicates that your arrangements to ensure compliance with your obligations may be inadequate: see s912D(5)(c) of the Corporations Act.
ASIC advises (RG 78.135):
To ensure compliance with the breach reporting obligation, you should have a clear, well-understood and documented process for:
(a) identifying and recording incidents (e.g. suspected or possible reportable situations);
(b) assessing and determining whether an identified incident is a reportable situation, including timely and appropriately resourced investigations as required;
(c) reporting to ASIC all incidents identified as reportable situations within the reporting period in the form prescribed;
(d) when appropriate, rectifying loss or damage as required; and
(e) ensuring that arrangements are in place to prevent the recurrence of the breach (or likely breach).
For assistance with your compliance measures and incident management framework contact me.
Disclaimer: Reproduction of statements made in this article by media outlets, whether in full or in part, is strictly prohibited without the written express consent of the author. The views, opinions, and positions expressed within this article are those solely of the author and Compliance Advocacy Solutions Pty Ltd and not the views of other individuals, companies or organisations they may be affiliated with. The author and Compliance Advocacy Solutions Pty Ltd make no representations as to accuracy, completeness, currency, suitability, or validity of any information in this article and will not be liable for any errors or omissions or any loss or damage arising from its use or reliance. This article is intended for educational and informational purposes only and should not be relied upon as professional legal advice.
