“We are already hard put to establish a relationship between such an obvious effect as a charred tree and the lightning bolt that set fire to it, so to trace sometimes endless chains of causes and effects seems to me as foolish as trying to build a tower that will touch the sky.”
— Umberto Eco, “The Name of the Rose”
Incidents, breaches and required responses
What are Incidents, Breaches and why should I care?
Let’s start with the basics.
If you’re a Licensee, or a representative of a Licensee, you’re obliged to operate “efficiently, honestly and fairly” and a key component of your obligations is your ability to identify and appropriately respond to operational, structural or regulatory failures.
Simply put, an “incident” is any failure (or anticipated failure) to meet your legal and professional obligations (or appropriately respond to these failures).
A ‘breach’ is an incident (or series of incidents) that’s been formally recognised as a contravention of the financial services laws or your licence conditions.
Not all incidents are breaches
If you consider that an Incident is any failure of your internal controls, it’s easy to imagine that some failures are going to be more significant than others.
- Isolated or one-off incidents (that are quickly remediated) are less of a problem for your business than significant or recurring issues. These latter types of incidents or failures are commonly considered to be Breaches.
- Recurring or reoccurring incidents. It’s relatively simple to identify an isolated incident: it is a singular, atypical or outlying failure. It’s more difficult to differentiate between recurring and reoccurring incidents. Both suggest repetition, but recurring incidents occur repeatedly at regular intervals and imply a systemic issue (and therefore require prioritisation). An incident that repeats at irregular intervals should be classified as a reoccurring incident.
Irrespective of the assurances your external consultants offer, your compliance arrangements are just cultural, procedural and behavioural mechanisms designed to limit the frequency and severity of your compliance failures. These arrangements cannot, and should not be expected to, guarantee your ongoing compliance.
An obligation to investigate
So effective incident management cannot simply be reactive. Instead, a competent Licensee should embrace proactive exception testing designed to appropriately identify and classify failures in a manner consistent with the nature, scale and complexity of your business. In an advice business, Incidents (and potential breaches) include, but aren’t limited to:
- Failure(s) to produce Statements of Advice or provide Financial Services Guides;
- A contravention of an applicable law, regulatory requirements, or a licence condition;
- Charging clients for services that aren’t provided;
- An inability to meet, or continue to meet a licence condition;
- Misrepresentation of a product’s benefits or features;
- A breakdown of a key control, system or process;
- Signing a document on behalf of your client (without legal authority);
- A recurring event, or combination of events, that considered together indicate a systemic internal control failure;
- A breach of contractual arrangements (including client agreements, outsourced service providers, mandates, guidelines);
- Failures of your Internal Dispute Resolution processes;
- Failure to notify ASIC of significant breaches; and
- Representative misconduct such as breaches of their Best Interest Duty.
Please appreciate that incidents (operational, structural or governance failures) will occur regardless of the complexity or sophistication of your compliance arrangements.
The anatomy of an Incident
Logically, not all incidents and failures are the same.
In fact, the context, consequence and impact are critical considerations for determining the appropriate response. But they are, in our experience, not the only relevant matters that need to be considered.
While your arrangements may be different, our Incident Management framework requires us to address the following seven (7) elements:
Description – Objectively, and without any judgment or assessment, what occurred?
Source – How was the Incident identified? When? By whom? Was it identified through internal vigilance or brought to your attention by the Regulator?
Proof – How was the identified incident confirmed and verified? Were internal resources deployed to validate the issue or were external resources engaged?
Context – Take a step back from the identified incident and consider it in the context of the broader environment and related matters. In the aftermath of the Royal Commission (and in anticipation of regulatory reform) consider whether the Incident involves:
- dishonest, illegal, deceptive and/or fraudulent misconduct;
- any misconduct that, if proven, would be likely to result in instant dismissal or immediate termination;
- deliberate non-compliance with financial services laws; or
- gross incompetence or gross negligence.
Catalysts – Is the incident a consequence of another failure? Is it a result, or a cascading effect, of another issue? In our review methodology, for example, we focus on identifying catalysts – errors, acts or omissions – that cause, or materially contribute to subsequent failures. It’s not a root cause analysis, but it’s an important ‘but for’ analysis if you want to address the causes of the compliance failures rather than simply addressing symptoms.
Consequence (or Impact) – What are the likely consequences of the identified incident? It’s often tempting to reduce this to financial impacts – fees, charges, fines, NPS, remediation and settlement costs – but it’s critical that consequence is not limited to quantifiable measures. Qualitative measures – complaints, feedback, staff turnover and morale, and the extent to which the incident indicates failures of your compliance arrangements – are perhaps more important indicators. Is the failure a contravention of your internal standards, the financial services laws and/or your licence conditions? Consider the incident(s) through a variety of lenses – customer, consumer, employee, Licensee and regulator.
Solution – What counter-measures need to be deployed to prevent recurrence/reoccurrence? How is the immediate issue best resolved? What additional controls are necessary? What changes should be made to your compliance arrangements?
Further, while all breaches need to be appropriately managed, addressed and remediated, some failures are so fundamental or significant that ASIC must be notified of the relevant circumstances.
Download: ASIC Regulatory Guide 78 (RG 78), Breach reporting.
Identifying a ‘significant’ breach
“Both ASIC and industry have raised concerns about the existing breach reporting regime. The concerns relate primarily to the test for when a breach or likely breach is significant and therefore reportable, as this requires a licensee to make a subjective assessment. This subjectivity means that breach reporting is largely inconsistent amongst licensees in terms of timeliness and the matters reported. ”
— FINANCIAL SECTOR REFORM (HAYNE ROYAL COMMISSION RESPONSE – PROTECTING CONSUMERS (2020 MEASURES)) BILL 2020 at 2.5
‘Significance’ is difficult to define. Until we’re subject to new regulatory definitions, it remains a subjective and contextual determination.
Consequence and regularity are important factors for you to consider. We’d add that when you’re assessing significance you should also explicitly consider:
- Frequency or similarity. As a general rule, the larger the number of similar failures, the more likely the new failure will be significant. Appreciate that frequent or repetitive failures suggest systemic issues.
- The impact of the breach on your organisational competence. If the failure impairs, or is likely to impair, your capacity to provide financial services, it’s likely to be a significant breach. For example, a failure to meet your financial requirements indicates an inability to continue to provide financial services.
- The adequacy of your controls. A failure to effectively monitor and supervise your representatives, for example, would generally be considered a significant breach because it indicates the inadequacy of your compliance arrangements. The fact that CBA took two years to determine whether their Fee-for-Service issues were significant should have been enough to indicate they were: the length of time it takes to discover and resolve breaches highlights the effectiveness (or otherwise) of the Licensee’s compliance arrangements.
- The actual or potential financial loss to clients. If a breach results in financial losses for clients of the Licensee, this could indicate a significant breach. The larger the losses (either individually or in aggregate) the more likely the incident is a significant breach.
COVID-19 may have delayed the Financial Sector Reform (Hayne Royal Commission Response – Protecting Consumers (2020 MEASURES)) Bill 2020, but it’s not dead.
We’ll examine the proposed changes in an upcoming post but the introduction of additional obligations – core obligations – and the refinement of current obligations may pose a significant challenge to many Licensees.
For the record, under the proposed changes a breach or likely breach of a core obligation is ‘significant’ if:
- the breach is punishable on conviction by a penalty that may include imprisonment for a maximum period of:
  - if the offence involves dishonesty – 3 months or more; or
  - in any case – 12 months or more; or
- the breach constitutes a contravention of a civil penalty provision; or
- the breach results or is likely to result in loss or damage to clients or, in the case of a managed investment scheme, members of the scheme; or
- any other circumstances prescribed by the regulations exist.
Read the Exposure Draft of the Financial Sector Reform (Hayne Royal Commission Response – Protecting Consumers (2020 Measures)) Bill 2020.