Always on my mind: Licensees' approach to breach reporting
Little things I should have said and done
The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry exposed, relatively quickly, profound and systemic non-compliance with the breach reporting obligations.
In the course of the Royal Commission hearings, AMP, CBA and NAB (amongst others) admitted to practices, some of which were known to the Regulator, that were starkly inconsistent with ASIC’s repeated assertions that breach reporting is both valuable to Licensees and "an important part of the regulatory framework".
Most licensees understand that they are required to notify ASIC in writing of any “significant” breach (or likely breach) of their licence conditions or compensation arrangements or the financial services laws, as soon as practicable, and in any event within 10 business days of becoming aware of the breach or likely breach.
The Commission’s hearings (and the Interim Report) show that, “on more than one occasion”, Licensees materially failed to comply with this obligation. Worryingly, they appeared to have suffered no consequences as a result of their failures.
The full extent of these failures was only finally revealed in ASIC Report 594 “Review of selected financial services groups’ compliance with the breach reporting obligations”. Released 25 September 2018, the report examined whether the selected groups:
had adequate and effective breach reporting
complied with their breach reporting obligations, and
demonstrated elements of a sound breach-reporting culture.
Unsurprisingly, most didn’t. In fact, ASIC identified “serious, unacceptable delays in the time taken to identify, report and correct” significant breaches. Licensees’ reluctance to report and correct breaches may be understandable, given ASIC’s demonstrable failure to enforce this requirement. The popular view of ASIC’s ineffectiveness appears to be shared by the Commissioner, whose Interim Report notes, on page 148, that “ASIC has taken no step to prosecute any licensee for a contravention of 912D”.
Three key observations
Time flies, but considering that Licensees have statutory obligations to promptly report significant or repeated failures (breaches) to ASIC as soon as they become aware of them, ASIC’s observations in Report 594 are profoundly unsettling.
It’s not the delays themselves, but the extent of the delays, that demands action. Despite the statutory obligation, ASIC observed that “the major financial groups took an average of 1,726 days to identify an issue that was later determined to be a breach.”
“An average of 1,726 days”
The headline figure should be alarming even if we can’t know whether resources, revisionism or reluctance are the root cause of these delays. Speculation is, for our purposes, unhelpful. Instead, we’d recommend Licensees do the following:
1. Review your definition of ‘significance’
When pressed to explain why they failed to report significant breaches, some Licensees offer that ‘significance’ is subjective. In the absence of an objective test, they suggest, it’s difficult to identify breaches that require reporting to ASIC. In the alternative, they admit that their legal advice did not identify the failures as significant given the “nature, scale and complexity” of their business.
These positions are credible only if failures are considered in isolation, and not subject to an overriding duty to act efficiently, honestly and fairly. The Licensees with whom we work prefer transparency to legalism.
In reality, context, consequence and regularity are critical factors to consider in making any assessment of ‘significance’. Rationalisations, pub-tests and frequently-reworked legal advice are poor substitutes for diligent and disinterested stewardship.
It’s likely that an objective test will be imposed on us in the wake of the Royal Commission. That may be some time in the future so, in the interim, we suggest that you take this opportunity to review your breach policy to ensure that your definition of ‘significance’ accords with reason, common-sense and regulatory and community expectations.
We'd also suggest that, when you're redefining ‘significance’, you explicitly consider:
Frequency or similarity. As a general rule, the larger the number of similar failures, the more likely the new failure will be significant. Appreciate that frequent or repetitive failures suggest systemic issues.
The impact of the breach on your organisational competence. If the failure impairs, or is likely to impair, your capacity to provide financial services, it's likely to be a significant breach. For example, your failure to meet your financial requirements indicates an inability to continue to provide financial services.
The adequacy of your controls. A failure to effectively monitor and supervise your representatives, for example, would generally be considered a significant breach because it indicates the inadequacy of your compliance arrangements. The fact that CBA took two years to determine whether their Fee-for-Service issues were significant should have been enough to indicate they were - the length of time it takes to discover and resolve breaches highlights the effectiveness of the Licensee's compliance arrangements.
The actual or potential financial loss to clients. If a breach results in financial losses for clients of the Licensee, this could indicate a significant breach. The larger the losses (either individually or in aggregate) the more likely the incident is a significant breach.
2. Intent and Accountability
Once you’ve settled on your definition of ‘significance’, take a step back and consider whether your staff are actually empowered to meet the breach reporting obligations. The true answer might not be obvious.
Irrespective of their formal policies and procedures, some licensees are doomed to failure because they lack the required intent or cultural values.
We’ve previously argued that ‘Culture’ is an imprecise and largely unhelpful yardstick by which to assess compliance. Instead, we’d recommend that you approach your breach management framework with a critical eye and relentless pragmatism. Consider questions like:
Have we adequately resourced our staff to detect, escalate and manage breaches?
How have we communicated to our staff the importance of detecting, escalating and managing breaches?
What arrangements are in place to ensure breach management is prioritised and adequately supported?
How do we recognise and reward those staff that raise concerns and risks?
Do our systems allow those that report and escalate breaches to see the progress of the issues?
What are our expectations for remediation (timeliness, success and compensation)?
How will we treat staff that conceal, facilitate or tolerate significant breaches (consequence management)?
How do we ensure a consistent level of oversight by accountable managers?
How do we learn, teach and prevent similar failures?
Are we recording, reporting and responding to the right information?
How deep and wide are our enquiries? and
How do we transparently monitor, manage and report on breaches?
3. Reg-tech is the answer
The nature, scale and complexity of a large licensee group may explain their failures, but they do not excuse them - particularly when little or no substantive effort is made to mitigate these risks.
In REP594, ASIC observed that few licensees had accurate, complete and searchable breach reporting systems. As a consequence of their failure to invest in technology, often coupled with inadequate resourcing, these licensees were forced to rely on a “resource-intensive manual process to conduct investigations, reviews, audits and respond to [ASIC’s] inquiries”. The limitations of this approach in a complex and frequently changing environment should be obvious. Thankfully, so is the solution.
As Blessid Union of Souls observed some time ago, “regtech is the answer”.
Technology, and innovative solutions like openafsl, provide licensees with greater capacity and speed in identifying, investigating and reporting breaches.
An interrogable system that connects disparate information points, and provides tracking, measurements, metrics and consistent and considered analysis, is the best way that Licensees can manage their breach reporting obligations.
The ‘trick’ to embracing any reg-tech solution is to ensure that it actually solves the problem you’re facing.
ASIC recommends that licensees look for opportunities to improve their businesses by:
investing in business and compliance systems that more readily allow AFS licensees to identify and investigate incidents that may be breaches;
maintaining systems that capture accurate, complete and current information … that are searchable, updatable and extractable.
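As an added example, not code from the original post or from openAFSL, here is a minimal searchable breach register in Python that applies the four ‘significance’ factors listed earlier, computes the 10-business-day s912D reporting deadline from the date of awareness, and records the days-to-identify metric behind REP 594’s 1,726-day average. The record layout, the loss and repeat thresholds, and the sample incidents are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Breach:  # hypothetical record layout, not openAFSL's
    ref: str
    category: str           # kind of failure, used to spot repeats
    occurred: date          # when the failure began
    identified: date        # when the licensee became aware of it
    client_loss: float      # actual or potential loss to clients (AUD)
    impairs_capacity: bool  # impairs capacity to provide financial services
    control_failure: bool   # monitoring/supervision of representatives failed
    reported: date = None   # date notified to ASIC; None if not yet reported
def add_business_days(start, n):  # public holidays ignored for brevity
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d
def reporting_deadline(b):
    return add_business_days(b.identified, 10)  # s912D: 10 business days from awareness
def significance_reasons(b, register, loss_threshold=10_000.0, repeat_threshold=2):
    """Apply the four factors listed above; both thresholds are assumed, not ASIC's."""
    reasons = []
    similar = sum(1 for x in register if x.category == b.category)
    if similar >= repeat_threshold:
        reasons.append(f"{similar} similar failures suggest a systemic issue")
    if b.impairs_capacity:
        reasons.append("impairs capacity to provide financial services")
    if b.control_failure:
        reasons.append("monitoring/supervision control failed")
    if b.client_loss >= loss_threshold:
        reasons.append(f"client loss {b.client_loss:,.0f} at or above threshold")
    return reasons
def review(register, today):
    """Per breach: significant?, reporting deadline, reported late?, days taken to identify."""
    out = {}
    for b in register:
        reasons, deadline = significance_reasons(b, register), reporting_deadline(b)
        out[b.ref] = {"significant": bool(reasons), "reasons": reasons, "deadline": deadline,
                      "late": bool(reasons) and (b.reported or today) > deadline,
                      "days_to_identify": (b.identified - b.occurred).days}
    return out

REGISTER = [  # constructed sample records, not real incidents
    Breach("B1", "fee-for-no-service", date(2015, 1, 5), date(2018, 3, 1), 250_000, False, True, date(2018, 3, 20)),
    Breach("B2", "fee-for-no-service", date(2016, 6, 1), date(2018, 3, 5), 5_000, False, False),
    Breach("B4", "disclosure-typo", date(2018, 4, 2), date(2018, 4, 3), 200, False, False, date(2018, 4, 10)),
]
```

Running `review(REGISTER, date(2018, 4, 30))` flags B1 as significant on three counts and reported five days late, B2 as significant (a repeat of the same category) and still unreported past its deadline, and B4 as neither significant nor late.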
We’d recommend that you review the report and consider it less an exposé of the larger licensees than an indication of the underlying issues that have eroded efficiency and trust.
In all likelihood, we’ll soon be provided with an objective definition of significance, systematised on-line breach reporting, publication of breach data and increased penalties for non-compliance with s912D obligations.
Our advice is not to wait for regulatory catalysts to address issues that go to the heart of your culture, competence and capability. Complying with the law requires no more than a willingness to obey the law.
Personally, I’d recommend you invest in technology like openAFSL, but sustainability requires no more than intent, efficiency and accountability.
If you need help with reviewing and refining your breach management processes, contact us at firstname.lastname@example.org.