The combination of civil and criminal penalties for failing to make mandatory breach reports and a hawkish ASIC litigation mantra has resulted in a "rough" breach reporting regime for the financial services industry, a Lawcadia survey found.
The survey found the reporting regime was considered “overly excessive”, and not achieving the goals commissioner Kenneth Hayne had in mind in recommending the changes.
The research was conducted by CoreData Research and commissioned by legal technology company Lawcadia and law firm Gadens following the introduction of new mandatory breach reporting obligations in October 2021.
Lawcadia co-founder Sacha Kirk said the new reporting measures were also taking a significant toll on the mental health and wellbeing of staff in the sector.
“The research highlights there is a high level of stress and anxiety being experienced by risk and compliance professionals, who have been tasked with planning, implementing and administering the requirements – regulatory design seems to be a factor here,” she said.
Ms Kirk said the report, based on survey results of 160 staff from Australian financial services organisations and a number of in-depth interviews, also found the sector had low confidence in the new reporting regime.
Around half of survey respondents (51 per cent) do not believe that ASIC can administer the new regime effectively and fairly across all financial services providers.
“There is a low level of confidence in the new breach reporting regime meeting its stated objectives, and in ASIC’s ability to administer the new regime effectively and fairly,” Ms Kirk said.
Gadens partner Liam Hennessy said the research was valuable because it provided an insight into the quantitative and qualitative trends of breach reporting, ahead of when ASIC plans to publicly release data comparing organisations.
He said this would be a “ritualistic public shaming” from ASIC.
“Breach reporting has very markedly increased, and the main pain points are around misleading and deceptive conduct, advice failures and conduct issues,” he said.
“Misleading and deceptive conduct isn’t a big surprise – an incorrect fee on a bank statement technically triggers a report, which is asinine and a waste of organisations’ and ASIC’s time.”
Mr Hennessy said the report showed that the industry at large was struggling to prepare for and maintain the onerous compliance demands.
He said a combination of technology adoption and policy amendments to scale back the more onerous features of the regime was the answer.
“There is widespread acceptance that changes were needed to how financial services organisations identified, assessed, and remediated breaches and a broad agreement that the mandated approach is excessive,” he said.
“It will require a significant increase in compliance and resourcing costs, and greater adoption of technology solutions to assist meeting obligations.”
The State of Financial Services Breach Reporting in Australia report was commissioned in January after 12 months of discussions with clients and others in the sector about the new requirements.
It sought to understand the key challenges and potential benefits of the new legislation, as well as how the industry has responded in the first six months of its roll-out.