The latest data around ASIC reportable breaches and what it means for Australian licensees

ASIC breach reporting - October 2023

On 31 October 2023, ASIC published its annual report on breach reporting statistics for the 2023 financial year. This is the second such report of its kind since the implementation of RG78 which laid out new guidelines and obligations around breach reporting by AFSL and ACL licensees.

ASIC has made a few tweaks to RG78 since 2021, most recently in April 2023. To read the most recent version, check here.

This latest report has a few head-scratching statistics and figures. Considering ASIC put out RG78 as a means of ensuring more transparency in the industry, it’s not an easy task to sift through the data and make sense of it all. We’ve done our best to sort through the numbers and bring you the key takeaways.

The following data has been taken from the full ASIC report. As always, any commentary, advice or recommendations in this article are entirely ours.

ASIC Reportable breaches

Key points of concern

These were the WTF moments for us in reading this report. Some of what’s being reported just doesn’t make a whole lot of sense. Here are our key callouts.

Percentage of licensees reporting is too low

Whilst there has been a small improvement on this from last year’s 6%, it is simply impossible that only 9% of the reportable population are experiencing reportable breaches. Unsurprisingly, ASIC finds this concerning as well. These reports are of course anonymous, so there are no widespread reputational risks to businesses in reporting a breach. One could argue that if you are a business that isn’t making breach reports, you may be inviting closer scrutiny by ASIC. And nobody wants that.

Disparity between reportable licensees by size


The responsibility to meet the obligations of RG 78 applies equally to all licensees, regardless of whether you’re the smallest minnow in the pond or the biggest fish in the sea. This report shows us that the rate of reporting is quite disproportionate when size is taken into consideration, with the heavy lifting done mainly by the entities with the largest scale, whether they are wealth- or credit-based licensees.

In looking at this data, one might surmise that as a business scales up, there is more risk of breach. We don’t think that’s true. We think these are the more likely scenarios:

1. Overreporting by the big fish – This is almost definitely happening to a degree. One section of the report details around 20 entities making 50-100 reports a year. That is a huge amount and certainly speaks to the possibility that some big companies are reporting everything ‘just in case’. It’s not surprising that this could happen with bigger entities as they’d be more in the focus of ASIC already, due to their size and power.

2. Underreporting by the minnows – This could be due to unsophisticated processes, or no processes at all, depending on the size of the business. Or it could be an unwillingness to report due to fear of the ramifications for the business and its ability to recover.

Let’s be clear, neither overreporting nor underreporting is desirable.

If report numbers are too low, then almost definitely there are reportable breaches happening that are in fact not being reported. Left unchecked, a minor breach can easily snowball into a systemic issue.

Being overly careful is a sensible course of action in most cases, but thoughtful consideration also needs to be applied when deciding what to report and what not to. Overreporting could leave the entire system weighed down by endless paperwork and the resources spent investigating these ‘breaches’, leaving less in the tank to remediate real issues.

Significant increase in ‘false and misleading statements’ breaches

This category had a 10% jump from the previous reporting period and remains at the top of the issues reported on.

ASIC does allow more than one issue category to be selected in a report, but doesn’t provide information on how many of these reports involve a single issue versus multiple issues. We think it’s possible, or even likely, that licensees are covering their bases and increasingly listing more issues in each report.

Laying the blame (and fix) on staff

Staff negligence and/or error is reported as the root cause for two-thirds of the reportable breaches.

This also marks an increase from the previous year. It is further exacerbated by staff training/consequences being used as the rectification method in 67% of cases. I’m sorry, but making staff do more online training is unlikely to deliver a step change in compliance. Instead, companies really need to look at how to make it easier for staff to comply.

And yes, we understand that technology and process reviews cost time, money, and people and all of those are a bit thin on the ground at the moment. Which leads us to…

Is the real issue that we’re just too damned over-regulated!?

Here’s our real question though: is the existing environment just making it impossible to be truly and completely compliant? We know it’s a contentious but hot topic. The regulations exist to protect consumers and businesses, but there’s no doubt staying compliant all the time is akin to navigating a minefield. Sometimes whilst holding a mine-detecting tool whose workings we really don’t understand.

For our part, we support transparency and accountability in business as a rule. Check out Mayflower’s values and you’ll see we are not afraid to speak up and admit mistakes. For instance: Sh*t happens. Own it. Fix it. Learn from it. Move on. We apply this to our business and to how we advise our clients, most of whom must answer to ASIC.