‘Asinine’, excessive: Breach reporting regime weighs on industry

It has been based on a survey of 160 staff from financial services organisations, which found the sector has low confidence in the new reporting regime.

Around 51 per cent of respondents did not believe in ASIC’s ability to administer it effectively and fairly and only one in seven (15 per cent) believed the regulator would be completely effective.

Around 29 per cent of the survey respondents worked in mortgage broking, 21 per cent from a financial advice practice, 16 per cent from a financial advice licensee, 11 per cent were tied to banking and 4 per cent were involved with non-bank lenders.

Under the breach reporting rules, holders of Australian Financial Services Licences (AFSLs) and Australian Credit Licences (ACLs) are required to self-disclose non-compliance with laws to ASIC and are subject to civil and criminal penalties if they do not.

The regime is completely new to ACL holders.

ASIC is set to publicly release data comparing organisations mid-year, which Gadens partner Liam Hennessy has said will be a “ritualistic public shaming”.

While there could be civil and criminal penalties for failing to report, the Gadens and Lawcadia white paper noted breach reports have already resulted in court proceedings, loss or variations of licences, adverse media attention and career impacts.

There was widespread acceptance across respondents that changes had been needed to how financial services groups identified, assessed, reported and made good on breaches.

But at large, the industry was found to be struggling to prepare for and to maintain the compliance demands. Broadly, respondents agreed the legislation brought was “excessive”.

“[This is a] sledgehammer to crack a walnut,” a deputy chief risk officer and head of compliance and regulatory risk told the survey runners.

Challenges for industry

Around 53 per cent of respondents said the complexity of the new rules was a source of the regime’s challenges, along with 46 per cent who cited resourcing as an issue.

Half (51 per cent) rated their understanding of the new obligations as moderate, low or very low. In mortgage broking in particular, the proportion of moderate, low or very understanding rose to 54 per cent of respondents.

Training of staff was seen as a complexity for 37 per cent of respondents and a third (33 per cent) said there were issues related to systems for implementing and administering the rules.

Around half (55 per cent) said the breach reporting regime had led to an increase in compliance spending at their organisation.

Two-thirds (67 per cent) also warned that the new breach reporting requirements have distracted or diverted resources away from other important areas of work and compliance issues.

“It did require a large amount of time being directed towards getting ready for all those changes that took place throughout October and the big one really, was the mandatory breach reporting,” a head of compliance said in the survey.

“Unfortunately, the other stuff doesn’t stop, so it wasn’t a matter of replacing what I was doing. You’ve still got to keep doing all of the other stuff that you do, unfortunately. So, as a result of having to prepare and get ready for all these regulatory reforms, it required working overtime, working late nights, working on those weekends, to make ends meet.”

Concerns over ‘junk data’

Other survey respondents also noted that ASIC may find itself deluged with “junk data”, as a result of uncertainty around the rules and organisations reporting breaches just to be on the safe side.

Almost nine out of 10 (86 per cent) of respondents commented that before the rules came into effect, they were reporting fewer than five breaches a month. In the aftermath, that proportion dropped to around 71 per cent.

The portion of respondents reporting more than five breaches a month jumped from one in 20 (4 per cent) to one in five (19 per cent).

Many respondents indicated they are now reporting on behaviours or events that they would not previously report.

Advice-related issues were the top breach reported (23 per cent), followed by misleading and deceptive conduct issues (18 per cent), conduct issues (14 per cent), administrative and legislative issues (11 per cent) and “material loss or damage” inflicted on consumers (9 per cent).

“Breach reporting has very markedly increased, and the main pain points are around misleading and deceptive conduct, advice failures and conduct issues,” Mr Hennessy said.

“Misleading and deceptive conduct isn’t a big surprise – an incorrect fee on a bank statement technically triggers a report, which is asinine and a waste of organisations’ and ASIC’s time.”

Similarly, a chief risk and governance officer told the survey: “All of this energy spent on this stuff isn’t improving consumer outcomes.”

That view was reflected by 31 per cent of respondents.

Stress and overload

Lawcadia co-founder Sacha Kirk cautioned the new reporting measures could take a significant toll on the mental health and wellbeing of staff in the sector.

“The research highlights there is a high level of stress and anxiety being experienced by legal, risk and compliance professionals, who have been tasked with [planning], implementing and administering the requirements – regulatory design seems to be a factor here,” Ms Kirk said.

A head of compliance was quoted in the report saying: “I feel worried. I feel concerned. I feel scared.

“Same as our CEO and our team members as well… They understand that even one big compliance incident can catch attention from the regulators, from the community, which can cause massive reputational damage to a business like us. So, everyone’s just scared.”

The report has ruled technology and amendments to the policy scaling back the more “onerous” features would be the solution.

[Related: Family benefit assessments ‘unjust’: Brokers urge reforms]