ASIC moves to cut breach reporting red tape

ASIC proposes cutting certain reporting obligations

ASIC has proposed removing certain breach reporting obligations under the reportable situations regime in an effort to help “relieve” regulated entities of costly, time-consuming and frequent updates to the regulator.

The financial services industry watchdog is seeking feedback from licensees on a proposal to remove some reporting obligations, including certain breaches of misleading and deceptive conduct provisions and contraventions of civil penalties.

This would include breaches that do not cause significant financial loss to consumers.

Under the proposed red tape relief, ASIC-regulated entities would no longer need to report incidents under the ‘reportable situations’ framework where:

  • the breach has been rectified within 30 days from when it first occurred (this includes paying any necessary remediation), and
  • the number of impacted consumers is not more than five, and
  • the total financial loss or damage to all impacted consumers resulting from the breach is not more than $500 (including where the loss has been remediated), and
  • the breach is not a contravention of the client money reporting rules or the clearing and settlement rules.

Under the reportable situations regime, AFS and credit licensees are required to automatically submit notifications to the regulator concerning any breach of the misleading or deceptive conduct (MDC) provisions or certain contraventions of civil penalty provisions (CPPs).

According to the wealth and advice industry peak body, the Financial Services Council (FSC), this reporting regime mandates the reporting of a number of “inconsequential oversights”, including statements sent to customers one day late, immaterial typos, or being a few hours late in removing a document from a website.

The Council, while welcoming the proposed relief for its members on reporting these “minor or technical breaches” to the regulator, has argued that “more needs to be done”.

FSC chief executive Blake Briggs noted that while ASIC’s proposed actions address some industry concerns, the current scope of the changes remains “relatively limited”, still capturing too many trivial incidents. He also argues that the regulator’s reporting portal remains clunky and inefficient, unnecessarily increasing the reporting burden for regulated entities.

“With more than 12,000 breaches reported in the past year, 64 per cent of which have no financial loss or damage to consumers, coupled with the ongoing difficulties in using the ASIC portal, there should be a more streamlined and efficient way to report breaches,” Briggs said.

“The FSC notes ASIC has not addressed concerns to enhance the usability and efficiency of ASIC’s portal and reiterates calls for ASIC to take steps to fix this.”

A recent survey of FSC members found that licensees are spending nearly $4,000 each time a “minor” incident is reported – including documentation, time spent by senior executives on the matter, and auditor reviews. Overall, the FSC said more than $24 million per year is spent by its members on reporting these minor incidents.

“[This shows] a significant need for streamlining the reporting system to get rid of disproportionate regulation which results in businesses and ASIC incurring unnecessary time and expense,” Briggs said.

“This includes 34,000 hours of compliance staff time which could be more productively used to enhance governance and reduce risk, as well as resolve genuinely serious breaches where consumers are financially impacted or otherwise harmed.”

The FSC further called on policymakers to adopt a more assertive deregulation agenda that it says would serve to “boost productivity in the financial services sector”.

“The breach reporting regime is emblematic of the sort of regulatory simplification opportunities that whoever forms the next Government should be identifying. It is welcome news the regulator has moved ahead of the Government on this.”

Prudential regulator APRA today also announced a move to simplify its regulatory framework, rescinding its 2018 information paper “Outsourcing Involving Cloud Computing Services”.

The withdrawal comes in preparation for the introduction of CPS 230 Operational Risk Management, taking effect on 1 July 2025 (replacing the existing standards CPS 231 Outsourcing and CPS 232 Business Continuity Management).

The new standard overrides the requirements of the existing standards, and includes formal supervisory coverage for entities with cloud service provider arrangements.

APRA said the withdrawal of the information paper aims to reduce the regulatory burden for regulated firms and improve clarity about the expected approach for material service provider arrangements.

Feedback on ASIC’s proposed changes to the reportable situations regime is due on 11 March 2025 by close of business.