Home loans most common breach report: ASIC

The financial services regulator released its first publication of information lodged under the reportable situations regime, which revealed that 8,000 reports were made to ASIC by financial services and credit licensees under the regime between 1 October 2021 and 30 June 2022.

The new regime (which commenced on 1 October 2021), applies to Australian Financial Services (AFS) licensees and credit licensees and requires them to write to ASIC to report significant breaches or potential significant breaks of “core obligations”.

The regime aims to provide ASIC with a source of intelligence to better identify developing trends of non-compliance in the industry and help prompt regulatory action, where appropriate.

According to the new report, 25 per cent of total product reports were about home loans.

Mortgages were not the only loan product to make the list, however; business loans and investment property loans placed ninth and 10th.

The “issues” in this category related to general licensee-level obligations, ASIC found.

Under a section titled subject of reports and root causes of breaches, it found most reports involved a financial service, credit activity, or product line, whereas licensee-level obligations were analysed as a separate grouping.

In this latter grouping, the products most commonly the subject of a report were home loans (25 per cent; 2,185 reports) and motor vehicle insurance (13 per cent; 1,112 reports), which were the primary drivers of credit and general insurance reports, respectively, ASIC stated.

Business loans placed ninth (3 per cent; 262 reports) and investment property loans rounded out 10th spot (2 per cent; 149 reports).

Overall, approximately 86 per cent of the reports lodged involved reportable situations affecting at least one financial service, credit activity or product line.

Most reports related to credit (38 per cent), followed by general insurance (19 per cent) and deposit-taking (10 per cent).

According to ASIC, the main driver for the significant volume of reports by credit providers was the lodgement of separate reports about one-off breaches of specific responsible lending obligations, where those breaches were reported as the result of staff negligence or error.

The most common category of issues to which the reports related was “false or misleading statements” (34 per cent) while other categories of issues about which there were significant volumes of reports included lending (21 per cent), general licensee obligations (19 per cent), and fees and charges or account administration (14 per cent).

The main driver for the “false or misleading statements” issue category was statements about products, regarding service information or in warning statements (30 per cent), ASIC explained.

The scope of the report and what it means

Notable key highlights from the numbers include:

• A much smaller proportion of licensees has reported under the regime than anticipated.
• Licensees are still taking too long to identify and investigate some breaches.
• More work needs to be done to appropriately identify and report the root cause of breaches.
• Further improvements are needed to licensees’ practices towards remediating impacted customers.

ASIC commissioner Sean Hughes said: “The data ASIC has been receiving under this regime demonstrates how industry is monitoring and responding to non-compliance.

“It also highlights where compliance with the regime itself requires greater regulatory attention.

“As part of its 2022–23 priorities, ASIC is focussing on improving the operation of the reportable situations regime.

“We will continue to work with stakeholders to address issues that have arisen from implementation of the regime, including by providing additional guidance where needed.

“Greater alignment of reporting practices by licensees will facilitate the publication of more comparative data at the licensee level in coming years.”

Inadequately identifying causes

ASIC reported that a high proportion of reports (55 per cent) identified staff negligence or error as the sole root cause, including where the licensee had reported that there had been previous similar breaches, or multiple breaches were grouped together.

The regulator said it was concerned that licensees may not be adequately identifying and addressing the underlying root causes for breaches, such as by determining the underlying reasons for repeated staff negligence or error.

Delays in investigating breaches

Additionally, in 18 per cent of the reports received, ASIC found it took the licensee more than one year to identify and commence an investigation into an issue after it had first occurred.

ASIC said it expects licensee systems to promptly identify non-compliance as delays create challenges for the timely investigation and rectification of issues and can mean customers wait longer for remediation.

Mr Hughes said: “ASIC’s review of breach reporting in 2018 found that the major banks were taking four and a half years to identify a breach.”

“We recognise the changes to processes that have been implemented following ASIC’s review to truncate these timeframes.

“However continued efforts are required by all licensees to ensure that issues are rectified and customers are remediated in a timely manner.”

Proactive and timely action expected

Ultimately, the total customer financial loss identified to date across the reports received was approximately $368.5 million, ASIC confirmed.

Of concern, it explained, licensees indicated that they did not intend to compensate impacted customers in 4 per cent of reports that had identified customer financial loss.

The report also showed that where remediation is planned, in many cases it is taking licensees too long to complete.

Licensees indicated in 236 reports (12 per cent of the total 1,952 reports involving compensation to customers) that it had taken, or was estimated to take, more than one year to finalise. 

[Related: Breaches against CBA conflicted remuneration dismissed]