Enforcement of the reportable situations regime – Are you ready?

What you need to know

• Compliance with the reportable situations regime is a key enforcement focus for ASIC in 2024
• ASIC are surveilling licensees to ensure reporting obligations are met
• The reportable situations regime warrants further attention by licensees given ASIC's pointed approach and statements about compliance

What you need to do

• Ensure you have a comprehensive framework in place to enable compliance with the reportable situations regime
• Consider whether uplift is required on any aspect of your reporting processes
• Consider whether previously reported situations might highlight any gaps to ASIC or identify you as an outlier among your sector peers, and take action if those reports reflect systemic issues

ASIC has announced that one of its key enforcement priorities for 2024 is compliance with the reportable situations regime, previously known as the breach reporting regime.

Introduced in October 2021, the reportable situations regime requires financial services and credit licensees to notify ASIC of potential misconduct by licensees, including significant breaches or likely significant breaches of core obligations, or investigations of the same. The regime is intended to promote the early detection and reporting of significant and/or non-compliant behaviour by licensees.

ASIC considers the regime to be a cornerstone of an effective financial services regulatory structure. The reports are a critical source of regulatory intelligence.

ASIC has observed that compliance with the reportable situation regime is currently too low, with 89% of licensees not reporting against the regime at all. This is despite the bar for reporting now being set very low for certain types of breaches such as those that are 'deemed significant'. As a result, ASIC has signalled an intention in 2024 to adopt a stronger approach to compliance in this area, directing its resources and expertise to ensuring that licensees are complying with their obligations under the regime and enforcing the law where they are not.

Under its 'proactive, strategic and bold' enforcement approach, ASIC has recently commenced a targeted surveillance of those licensees who are not reporting to ASIC as it would expect.

Potential breach reporting focus areas

With the reportable situations regime being a key priority, areas of the reportable situation regime that ASIC is likely to focus on include:

• How do licensees compare to other similar licensees both in and across sectors in the number, timeliness and kind of reports they are making? Data analysis of reportable situations notified may guide ASIC's selection of targets for surveillance and enforcement action, particularly when considered against benchmarks like those in REP 594Review of selected financial services groups’ compliance with the breach reporting obligation.
• How do licensees fare on key data points in a reportable situation including —
  - customer impact
  - customer financial loss
  - whether situation or breach is ongoing, especially if customer impact is ongoing
  - licensee financial loss
  ——继续操作或被许可方的能力fulfil obligations, and
  - duration of the situation or breach
• For more serious breaches (particularly those involving poor consumer outcomes), have licensees met reporting timeframes? Is there a possibility that the licensee had reasonable grounds to believe that there was a reportable situation for some time, but did not report it?
• Are licensees complying with particular pain points under the new regime (for example, the requirement to submit updates every 30 days for continuing matters).
• Are licensees adequately identifying and disclosing systemic issues involving continuing events that may span over a lengthy period of time? Have these been rectified and consumers remediated in as timely a manner as reasonably possible?

It will be interesting to see whether ASIC seek to use enforcement action to clarify licensees' obligations in these areas. ASIC may be particularly interested in testing how licensees have applied the recent changes to RG 78, which sought to clarify ASIC's expectations on the operational application of the reportable situations regime and promote greater consistency in reporting.

Any such action will be taken in a new era of transparency and accountability under the Financial Accountability Regime for banks, super funds and insurers. In the future, we expect ASIC reporting to publicly name outlier licensees across industry, and by or within sectors, particularly where they are unable to demonstrate benchmarked improvement in the time taken from the first instance of an event to:

• identify and investigate reportable situations,
• submit reportable situations to ASIC—both initially and on an ongoing basis,
• identify and rectify the root cause of systemic issues identified in reportable situations and other datasets, and
• remediate consumers where necessary.

"ASIC's approach to reporting will evolve over time, as implementation of the regime matures and allows for greater granularity of reporting", ASIC, 10 August 2022.

Is your reportable situations framework ready to withstand ASIC scrutiny, and are you ready for this unprecedented transparency?

随着ASIC enforceme变化从一个乐于助人的nt-focused approach to the reportable situations regime, now is the time for licensees to undertake a health check of their reporting processes and consider whether any uplift and improvement is required.

Ensuring you have a comprehensive and robust reporting framework in place will help mitigate the risk of being targeted by ASIC as an outlier.

In particular, consider:

• Do you have a comprehensive register of all core obligations that apply to your business?
• Do you know (with sufficient clarity) which of those obligations will be 'deemed significant' when breached?
• If you have not yet submitted any reports under the reportable situations regime, whether it is time to revisit your definition of 'reportable' to ensure you have interpreted the law appropriately and updated your frameworks, policies, processes and procedures to accommodate the new regime adequately?
• Are there safeguards to ensure reportable situations are reported to ASIC within the required timeframes (noting that these are important to the potential defence of honest and reasonable mistake of fact available in some circumstances)?
• What data sources are available to you that might give rise to reasonable grounds to believe that a reportable situation has arisen (for example, internal risk and compliance incident/event registers, complaints records, exceptions reports)? Are those records being appropriately analysed from a reportable situations reporting perspective and, when considered collectively, have you connected the dots between such disparate data sets to identify systemic risks and issues?
• What does data analysis of your reportable situation reports to date show and how might they compare with other licensees, based on ASIC's published data?
• Are robust processes in place to ensure ASIC is updated on reports, particularly in the context of continuing contravening conduct?

可报告的情况,以及将依旧是评论家al source of intelligence for ASIC as a leading indicator of emerging systemic industry risk. Coupled with increasing maturity of ASIC's data analytics capability (including the ability to link reportable situations datasets with datasets such as internal and external dispute resolution), together with a renewed focus on accountability in banking, superannuation and insurance through the incoming Financial Accountability Regime from March 2024, more targeted and precise ASIC supervision and enforcement action in the future is inevitable.

Through close collaboration between Ashurst's legal and risk advisory services, we help our clients navigate the reportable situations regime, providing advice ranging from the establishment of a comprehensive reportable situations framework and a register of core obligations applicable to your business activities, to assist in assessing, investigating and reporting events to ASIC. To learn more about what you can do today to ensure you are ready, please reach out to the key contacts below or your usual Ashurst contact.

Authors:Mark Bradley, Partner; Chris Baker, Partner; Samantha Carroll, Partner; Lucinda Hill, Partner; Elizabeth Hristoforidis, Director; Morgan Spain, Partner; and Jennifer Chen, Lawyer