Breach reporting – rebuilding community trust in financial services
In a recent speech (link below), ASIC Commissioner Sean Hughes made the following comment on breach reporting: “We have seen an increase in breach reports… of over 50% compared to the previous year & an increase of 99% compared to two years ago.” Mr Hughes speculated whether the increase in breaches being reported was a short-term “clearing out the skeletons”.
In my view, the number of significant breaches being reported will continue to rise over the next 2-3 years before stabilising and settling at a new (higher) threshold of reporting levels. I consider this is due to a number of factors:
- Customer-facing staff are more aware of consumer obligations due to increased training and education, so more incidents are being raised internally. An interesting observation is that staff were previously good at identifying prescriptive breaches such as ‘providing a PDS within 5 days’ but less so at identifying breaches of principle-based obligations such as acting ‘efficiently, honestly and fairly’. With refreshed training and awareness, staff are starting to understand these principle-based obligations and to capture them within business procedures;
- Significant compliance resources are being budgeted and added to business and group risk and compliance teams (lines 1 and 2). This enhanced degree of oversight and monitoring, together with more specialised skill sets, is a key factor in driving better identification of compliance incidents. The downside of this is the current drain on industry compliance resources, especially as ASIC and AFCA are ramping up their teams, which further depletes a limited resource pool. The risk is one of quality rather than quantity, whereby the quality of advice being provided internally is not at a level commensurate with the compliance and regulatory control environment necessary to meet community and regulator expectations. This is likely to create a second wave of breach reporting once a more senior compliance person with specialised skills is made aware of the incident; usually this occurs when the incident becomes more serious in terms of customer detriment;
- There has been increased focus upon compliance through an uplift in obligation management & control environments. Obligation management continues to be a challenge for the industry with technology providing the medium to long term solution;
- Most financial firms are undertaking risk transformation projects and hence discovering legacy compliance incidents. Importantly, compliance risk is now being recognised and positioned as a stand-alone risk category, driving deeper thought and consideration, with compliance risk taxonomies being developed and implemented within incident management systems;
- Most organisations have a mindset ‘to do the right thing’ usually being captured under culture, ethics, conduct risk or customer risk initiatives;
- Boards are more focused upon compliance risk, requiring deeper and more frequent updates from management. Significant Board-approved funding is being allocated to compliance risk projects with commensurate levels of oversight and governance. With APRA’s recent interrogation of insurers’ self-assessments of their risk management approach, most compliance and risk transformation projects include regular updates to APRA via Board Risk Committees;
- Breach Management committees are adopting a conservative approach when considering significance. Similar to ASIC’s new enforcement approach of ‘Why not litigate?’, Breach Committees are now asking the question ‘Why not report?’. Whilst there is a reputational risk of being named and shamed, financial firms are preferring to report more, especially where breaches relate to historical issues and the financial firm can demonstrate that its compliance uplift programs will prevent a recurrence;
- Whistleblowers are more comfortable calling out inappropriate behaviours where management or Committees aren’t doing the right thing or ‘aren’t seen to be doing the right thing’. Often this is around timing, where a breach has been discovered and investigated; however, there remains a reluctance to report;
- Compliance risk is being uplifted through regtech and insurtech. This in itself will help breach reporting numbers to stabilise after an initial uplift, as more and more compliance incidents will be discovered due to better technology, especially in respect of quality assurance.
Financial firms will continue to be challenged in finding the right balance of when to report breaches and in doing so in a timely fashion. The current regulatory landscape, fuelled by increased expectations of the community, media, regulators and the government, is unforgiving. However, in order to rebuild consumer trust, financial firms must continue to adopt a conservative approach to breach reporting whilst enhancing systems and behaviours to prevent future instances of misconduct.
Reference: speech by ASIC Commissioner Sean Hughes at ‘Banking in the Spotlight’, the 36th Annual Conference of the Banking and Financial Services Law Association, Gold Coast, Queensland, 30 August 2019: https://asic.gov.au/about-asic/news-centre/speeches/asic-s-approach-to-enforcement-after-the-royal-commission/