Business Insight

Enforcement of the reportable situations regime – Are you ready?

By Chris Baker, Samantha Carroll, Elizabeth K Hristoforidis Mousamas and Morgan Spain

28 November 2023

Share Share
Insight Hero Image
Share

    What you need to know

    • Compliance with the reportable situations regime is a key enforcement focus for ASIC in 2024
    • ASIC are surveilling licensees to ensure reporting obligations are met
    • The reportable situations regime warrants further attention by licensees given ASIC's pointed approach and statements about compliance

    What you need to do

    • Ensure you have a comprehensive framework in place to enable compliance with the reportable situations regime
    • Consider whether uplift is required on any aspect of your reporting processes
    • Consider whether previously reported situations might highlight any gaps to ASIC or identify you as an outlier among your sector peers, and take action if those reports reflect systemic issues

    ASIC has announced that one of its key enforcement priorities for 2024 is compliance with the reportable situations regime, previously known as the breach reporting regime.

    Introduced in October 2021, the reportable situations regime requires financial services and credit licensees to notify ASIC of potential misconduct by licensees, including significant breaches or likely significant breaches of core obligations, or investigations of the same. The regime is intended to promote the early detection and reporting of significant and/or non-compliant behaviour by licensees.

    ASIC considers the regime to be a cornerstone of an effective financial services regulatory structure. The reports are a critical source of regulatory intelligence.

    ASIC has observed that compliance with the reportable situation regime is currently too low, with 89% of licensees not reporting against the regime at all. This is despite the bar for reporting now being set very low for certain types of breaches such as those that are 'deemed significant'. As a result, ASIC has signalled an intention in 2024 to adopt a stronger approach to compliance in this area, directing its resources and expertise to ensuring that licensees are complying with their obligations under the regime and enforcing the law where they are not.

    Under its 'proactive, strategic and bold' enforcement approach, ASIC has recently commenced a targeted surveillance of those licensees who are not reporting to ASIC as it would expect.

    Potential breach reporting focus areas

    With the reportable situations regime being a key priority, areas of the reportable situation regime that ASIC is likely to focus on include:

    • How do licensees compare to other similar licensees both in and across sectors in the number, timeliness and kind of reports they are making? Data analysis of reportable situations notified may guide ASIC's selection of targets for surveillance and enforcement action, particularly when considered against benchmarks like those in REP 594 Review of selected financial services groups’ compliance with the breach reporting obligation.
    • How do licensees fare on key data points in a reportable situation including —
      - customer impact
      - customer financial loss
      - whether situation or breach is ongoing, especially if customer impact is ongoing
      - licensee financial loss
      - the licensee's ability to continue operations or fulfil obligations, and
      - duration of the situation or breach
    • For more serious breaches (particularly those involving poor consumer outcomes), have licensees met reporting timeframes? Is there a possibility that the licensee had reasonable grounds to believe that there was a reportable situation for some time, but did not report it?
    • Are licensees complying with particular pain points under the new regime (for example, the requirement to submit updates every 30 days for continuing matters).
    • Are licensees adequately identifying and disclosing systemic issues involving continuing events that may span over a lengthy period of time? Have these been rectified and consumers remediated in as timely a manner as reasonably possible?

    It will be interesting to see whether ASIC seek to use enforcement action to clarify licensees' obligations in these areas. ASIC may be particularly interested in testing how licensees have applied the recent changes to RG 78, which sought to clarify ASIC's expectations on the operational application of the reportable situations regime and promote greater consistency in reporting.

    Any such action will be taken in a new era of transparency and accountability under the Financial Accountability Regime for banks, super funds and insurers. In the future, we expect ASIC reporting to publicly name outlier licensees across industry, and by or within sectors, particularly where they are unable to demonstrate benchmarked improvement in the time taken from the first instance of an event to:

    • identify and investigate reportable situations,
    • submit reportable situations to ASIC—both initially and on an ongoing basis,
    • identify and rectify the root cause of systemic issues identified in reportable situations and other datasets, and
    • remediate consumers where necessary.
    "ASIC's approach to reporting will evolve over time, as implementation of the regime matures and allows for greater granularity of reporting", ASIC, 10 August 2022.

    Is your reportable situations framework ready to withstand ASIC scrutiny, and are you ready for this unprecedented transparency?

    As ASIC shifts from a facilitative to an enforcement-focused approach to the reportable situations regime, now is the time for licensees to undertake a health check of their reporting processes and consider whether any uplift and improvement is required.

    Ensuring you have a comprehensive and robust reporting framework in place will help mitigate the risk of being targeted by ASIC as an outlier.

    In particular, consider:

    • Do you have a comprehensive register of all core obligations that apply to your business?
    • Do you know (with sufficient clarity) which of those obligations will be 'deemed significant' when breached?
    • If you have not yet submitted any reports under the reportable situations regime, whether it is time to revisit your definition of 'reportable' to ensure you have interpreted the law appropriately and updated your frameworks, policies, processes and procedures to accommodate the new regime adequately?
    • Are there safeguards to ensure reportable situations are reported to ASIC within the required timeframes (noting that these are important to the potential defence of honest and reasonable mistake of fact available in some circumstances)?
    • What data sources are available to you that might give rise to reasonable grounds to believe that a reportable situation has arisen (for example, internal risk and compliance incident/event registers, complaints records, exceptions reports)? Are those records being appropriately analysed from a reportable situations reporting perspective and, when considered collectively, have you connected the dots between such disparate data sets to identify systemic risks and issues?
    • What does data analysis of your reportable situation reports to date show and how might they compare with other licensees, based on ASIC's published data?
    • Are robust processes in place to ensure ASIC is updated on reports, particularly in the context of continuing contravening conduct?

    Reportable situations are—and will remain—a critical source of intelligence for ASIC as a leading indicator of emerging systemic industry risk. Coupled with increasing maturity of ASIC's data analytics capability (including the ability to link reportable situations datasets with datasets such as internal and external dispute resolution), together with a renewed focus on accountability in banking, superannuation and insurance through the incoming Financial Accountability Regime from March 2024, more targeted and precise ASIC supervision and enforcement action in the future is inevitable.

    Through close collaboration between Ashurst's legal and risk advisory services, we help our clients navigate the reportable situations regime, providing advice ranging from the establishment of a comprehensive reportable situations framework and a register of core obligations applicable to your business activities, to assist in assessing, investigating and reporting events to ASIC. To learn more about what you can do today to ensure you are ready, please reach out to the key contacts below or your usual Ashurst contact.

    Authors: Mark Bradley, Partner; Chris Baker, Partner; Samantha Carroll, Partner; Lucinda Hill, Partner;  Elizabeth Hristoforidis, Director;  Morgan Spain, Partner; and Jennifer Chen, Lawyer


    This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.

    The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.

    The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.

    For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com

    This material is current as at 28 November 2023 but does not take into account any developments to the law after that date. It is not intended to be a comprehensive review of all developments in the law and in practice, or to cover all aspects of those referred to, and does not constitute legal advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent legal advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.

    Key Contacts