The Australia Securities & Investments Commission (ASIC) has released new regulatory guidance on the new breach reporting obligations set to commence on October 01, 2021.
ASIC’s new guidelines aim to help credit and Australian Financial Services (AFS) licensees meet new breach reporting obligations, which address long-standing concerns about breach reporting by making it consistent, clearer, and timely across the financial services industry.
As part of the reforms, AFS licensees have to report breaches discovered after October 01, even if the breach occurred before that date.
However, credit licensees do not have to report breaches that occurred before October 01, even when identified after that date. As a result, credit licensees will have a relatively gradual implementation upon commencement.
“The new reporting obligations address long-held concerns on the quality and timeliness of breach reporting. ASIC analysis in 2018 revealed it took more than four years (on average) for large financial institutions to identify incidents that proved to be significant breaches. [The] remediation tally reveals how much consumer harm these delays caused, and ultimately at great cost to those firms,” said ASIC deputy chair Karen Chester.
In December 2020, the breach reporting reforms became law, flowing from the Financial Services Royal Commission and findings of the Treasury’s Enforcement Review Taskforce.
ASIC explained that compliance breaches happen in all businesses, making breach reporting crucial for board oversight and risk management by licensees and ASIC’s system-wide regulatory oversight.
“The government’s new reporting obligations put strong guard rails in place that will benefit firms and consumers alike,” Chester said. “The new obligations will help firms identify and act swiftly on the breaches that matter, making sure they get the attention they deserve. Licensees and boards will have greater confidence they are doing the right thing by consumers, and ultimately their firm and shareholders.”
The new breach reporting obligations will also benefit consumers by allowing ASIC to identify and address systemic problems quickly, Chester said.
“There will be greater transparency for consumers and firms with the publication of breach reporting data by ASIC from late 2022,” she continued.
The guidance on the new breach reporting obligations can be found on the ASIC website.