Posted November 10, 2022
Posted By Meghann Cannon
What ASIC said (and didn’t say) about breach reporting
A lot has been written about ASIC’s report on the first 9 months of the new reportable situations (breach reporting) regime.
Some of the headlines have caused concern, like those focusing on ASIC’s intended naming (and associated shaming) of licensees who lodge breach reports.
Here’s how we read the report.
What the report said about publishing the names of licensees
We want to start by saying that ASIC’s comments on what it intends to report in the future are both brief and ambiguous. Nothing is set in stone yet.
ASIC’s report suggests it may publish a list of all licensees who have lodged breach reports in 2023. The wording suggests it hasn’t made a final decision on this and will consider the matter further next year.
ASIC also said it will consult with stakeholders before starting more ‘granular’ public reporting (likely in 2024).
Firstly, our position is that, without further clarification, these statements already threaten the integrity of the reporting regime.
Our concern is that ASIC’s comments may well cause licensees to think twice before submitting breach reports, out of concern about how that data may be used in the future. At worst, licensees may stop reporting breaches, despite the significant consequences of not doing so.
In addition, if ASIC does move to publish the names of licensees who report breaches, we believe that this would punish licensees for doing the right thing and drive bad behaviour further underground.
Identifying breaches shows that your systems are working – it’s a good thing. Ultimately no one can prevent every human error or issue that amounts to a reportable situation, especially given the broad reach of the reporting regime.
We expect our clients to have breaches and to report them as required. We would be more surprised if you didn’t have anything to report.
And this is the approach we believe ASIC should be taking. Rather than pointing the finger at licensees doing the right thing, ASIC should be asking: why hasn’t this licensee reported any breaches? What does this say about their compliance systems?
We also don’t believe that simply publishing a list of licensees who have lodged breach reports is of any benefit to consumers without further context.
As things stand, we just don’t know what ASIC’s approach will be in the future. However, we will be expressing our concerns to ASIC and will keep you posted on any developments in this area.