ASIC pushes breach reporting standards

The Australian Securities and Investments Commission (ASIC) has moved to address the importance of breach reporting by Australian financial services (AFS) licensees by announcing a review of the process by which it occurs.

Peter Kell, ASIC deputy chairman, said concerns about inconsistencies and delays in reporting significant breaches prompted the review, which will focus on who has reported a breach, the nature of the report and its timelines. The regulator will then conduct a proactive review of some licensees it identifies as having a high risk of non-compliance.

Kell said recent enforcement actions against both large and small firms have highlighted deficiencies in the current approach, in particular, the timeframe for reporting significant breaches.

He added that failure to comply with breach reporting requirements was a criminal offence and stressed that AFS licensees must report significant breaches to ASIC as soon as practicable and within 10 business days after becoming aware of a breach.

Kell warned licensees against waiting until a full investigation has been completed by its board of directors or by its internal or external legal advisers to identify whether or not the breach or likely breach is significant. If in doubt, err on the side of caution and report the breach to ASIC, he said, as it helps to better manage risk.

He added that breach reports provide an important source of intelligence for ASIC, but are only effective when timely. He warned that inadequate or late reporting could indicate to ASIC that the licensee has broader compliance and cultural issues and would be a red flag for closer scrutiny.

The full speech is available here.