ASIC concedes it doesn’t know how to deter misconduct

The corporate regulator has told the Hayne royal commission that it is at a loss over how to successfully prevent misconduct in financial services, via InvestorDaily.

The Australian Securities and Investments Commission has expressed in its submission that work had to be done to stop misconduct in the industry but there was not enough evidence as to how.

“There is unfortunately currently a dearth of knowledge and research as to what effectively deters misconduct across the range of corporate sectors and, in particular, the financial sector itself,” it reads.

ASIC recognised that it had a duty to force significant cultural change in the industry and said it would begin onsite supervision in major financial institutions.

However, ASIC rejected the interim report’s idea that it did not go to court or issue civil penalties.

The Hayne Interim Report made claims that ASIC rarely went to court, seldom brought civil penalty proceedings and allowed entities to pay infringement notices with no admission.

ASIC said it was willing to change its enforcement practices but said it regularly undertook litigation against the financial sector.

“ASIC has litigated matters (through civil and criminal proceedings) twice as much as it has accepted enforceable undertakings,” ASIC’s report read.

ASIC also rejected the emphasis the interim report placed on its track record in the past decade against the major banks.

The interim report noted how ASIC had only commenced 10 civil proceedings against the major banks but issued 45 infringement notices to the major banks and accepted 13 enforceable undertakings.

ASIC said that the figures expressed in the report do not support the proposition that ASIC presently avoids compulsory enforcement action, nor do they reflect the full variety of enforcement tools made available to ASIC.

ASIC provided no comment on the interim report’s findings that the commission had never brought proceedings against a licensee who failed to report a data breach.

“As at April 2018, ASIC had never brought, or sought to have the Commonwealth Director of Public Prosecutions (CDPP) bring, proceedings against a licensee for failing to comply with the 10 day time limit for breach reporting under Section 912D of the Corporations Act 2001 (Cth) (the Corporations Act), despite affirming that it believed that entities frequently fail to comply with the section,” the report read.

The commission also provided no comment on the report’s findings that it had never commenced proceedings against an entity for fees for no service.

“At 30 May 2018, ASIC had never commenced, or sought to have CDPP commence, proceedings under Section 12DI of the Australian Securities and Investments Commission Act 2001 (Cth) (the ASIC Act). This prohibits accepting payment for financial services when the payee does not intend to, or there are reasonable grounds to believe it cannot, supply the service,” it read.

Westpac Gets Away With Light Penalty For BBSW

ASIC says the Federal Court of Australia today ordered Westpac Banking Corporation (Westpac) pay a pecuniary penalty of $3.3 million for contravening s12CC of the Australian Securities and Investments Commission Act 2001 (Cth) (ASIC Act) through its involvement in setting BBSW in 2010.

In reasons for making the pecuniary penalty order, Justice Beach noted the legislative constraint he had in imposing the order,

If I had been permitted to do so I would have imposed a penalty of at least one order of magnitude above $3.3 million in order to discharge [the objectives of specific and general deterrence]. But I am not free to do so.

Justice Beach concluded in his reasons,

Westpac’s misconduct was serious and unacceptable…Westpac has not shown the contrition of the other banks. Moreover, imposing the maximum penalty is the only step available to me to achieve specific and general deterrence. The message that should be sent is that if you manipulate or attempt to manipulate key benchmark rates you are likely to have the maximum penalty imposed, whatever that is from time to time.

The Court also ordered that an independent expert agreed between ASIC and Westpac be appointed to review whether Westpac’s current systems, policies and procedures are appropriate, and to report back to ASIC within 9 months.

It was also ordered that Westpac pay ASIC’s costs of and incidental to the penalty hearing as agreed and assessed.

Today’s court orders follow Justice Beach’s judgment, delivered on 24 May 2018, which found that Westpac on 4 dates in 2010 traded with a dominant purpose of influencing yields of traded Prime Bank Bills and where BBSW set in a way that was favourable to its rate set exposure. His Honour held that this was unconscionable conduct in contravention of s12CC of the ASIC Act.

His Honour also found in his 24 May 2018 judgment that Westpac had inadequate procedures and training and contravened its financial services licensee obligations under s912A(1)(a), (c), (ca) and (f) of the Corporations Act 2001 (Cth).

ASIC Commissioner Cathie Armour welcomed today’s decision and noted that ‘ASIC brought this litigation to hold the major banks to account for their unacceptable conduct, and to test the scope of the law in combating benchmark manipulation. ASIC actions have led to these successful court outcomes, and also contributed to new benchmark manipulation offences being enacted by Parliament, and the calculation method and administration of the BBSW being radically overhauled.’

Background

On 5 April 2016 ASIC commenced civil penalty proceedings in the Federal Court against Westpac, alleging in the period between 6 April 2010 and 6 June 2012 (inclusive) it traded in a manner that was unconscionable and created an artificial price and a false appearance with respect to the market for certain financial products that were priced or valued off BBSW.

This mirrored proceedings brought in the Federal Court against the Australia and New Zealand Banking Group (ANZ) on 4 March 2016 (refer: 16-060MR), against National Australia Bank (NAB) on 7 June 2016 (refer: 16-183MR) and Commonwealth Bank of Australia (CBA) on 30 January 2018 (refer: 18-024MR).

On 10 November 2017, the Federal Court made declarations that each of ANZ and NAB had attempted to engage in unconscionable conduct in attempting to seek to change where the BBSW set on certain dates and that each bank failed to do all things necessary to ensure that they provided financial services honestly and fairly. The Federal Court imposed pecuniary penalties of $10 million on each bank.

On 20 November 2017, ASIC accepted enforceable undertakings from ANZ and NAB which provide for both banks to take certain steps and to pay $20 million to be applied to the benefit of the community, and that each will pay $20 million towards ASIC’s investigation and other costs (refer: 17-393MR).

On 21 June 2018, the Federal Court in Melbourne imposed pecuniary penalties totalling $5 million on CBA for attempting to engage in unconscionable conduct in relation to BBSW. CBA admitted to attempting to seek to change where BBSW set on five occasions in the period 31 January 2012 to 15 June 2012.

On 11 July 2018 ASIC accepted a court enforceable undertaking from CBA to address its BBSW conduct, which provides that CBA will pay $15 million to be applied to the benefit of the community and $5 million towards ASIC’s investigation and legal costs (refer: 18-210MR).

In July 2015, ASIC published Report 440, which addresses the potential manipulation of financial benchmarks and related conduct issues.

The Government has recently introduced legislation to implement financial benchmark regulatory reform and ASIC has consulted on proposed financial benchmark rules.

On 21 May 2018, the new BBSW methodology commenced (refer: 18-144MR). The new BBSW methodology calculates the benchmark directly from market transactions during a longer rate-set window and involves a larger number of participants. This means that the benchmark is anchored to real transactions at traded prices.

Post Royal Commission change is all talk: Shipton

Despite the revelations of the Royal Commission, ASIC is still experiencing deliberate delays from financial institutions in meeting reporting requirements, via Financial Standard.

On Friday, ASIC chair James Shipton told the Parliamentary Joint Committee on Corporations and Financial Services that the regulator is still experiencing “slow and delayed responses from financial institutions and, in some cases, overly technical responses aimed at delay.”

This is despite a key finding of the Royal Commission’s interim report being that the industry has been repeatedly dishonest with both the community and regulators, Shipton said.

“And unfortunately, whilst we are hearing important acknowledgements from leaders of financial institutions about change, such change is not happening as quickly as it should,” he said.

“Due process is important, but it must not be manipulated to disrupt the achievement of fair, appropriate and honest outcomes.”

He then warned institutions of the ramifications if such conduct continues.

“If institutions lie, or are otherwise dishonest with us, we will use every power available to us to punish that behaviour. I am a firm believer in the importance and effectiveness of court-based enforcement tools. They are the foundation of any regulator,” Shipton said.

Further, in defending ASIC on criticisms of its effectiveness in recent years, Shipton questioned whether the entity he leads should be resourced differently to meet community expectations.

Shipton said any comments as to ASIC’s regulatory approach should be considered in the context of its size, stating: “ASIC has been designed over the arc of its history and how Australia’s financial system has evolved over the years to have its own unique characteristics.”

He said now is the right time to discuss whether ASIC and its peers are “right sized” in relation to the new industry funding model; unique characteristics of Australia’s financial system; size of Australia’s financial markets; number of consumers; number of people engaged in the industry; and the clear expectations of the community.

Shipton clarified that he was not demanding greater resources, but instead looking to start an important policy conversation.

“For me, my own experience as a regulator in Hong Kong, in a system that also has an industry funding model, is instructive. There, on an adjusted basis (in terms of financial services GDP and financial services population), Hong Kong’s financial regulators are three times the size of Australia’s,” he said.

Update on Commonwealth Bank Fees for No Service Court-enforceable undertaking

ASIC says that on 13 April 2018, ASIC announced that it had accepted a Court-enforceable undertaking (EU) from Commonwealth Financial Planning Limited (CFPL) arising from its Fees For No Service conduct (18-102MR).

One undertaking required of CFPL was to appoint Ernst & Young (EY) to prepare an independent expert report that considered:

  1. whether CFPL had taken reasonable steps to ensure customers who should have received remediation in the 31-month period from 1 July 2015 to 31 January 2018 did receive that remediation. ASIC’s previous oversight of CFPL’s remediation had considered the period to 30 June 2015; and
  2. whether CFPL had put in place systems, processes and controls to meet its contractual obligations to customers who are paying ongoing service fees.

As set out in ASIC’s Regulatory Guide 100: Enforceable Undertakings, ASIC will make available a summary of an independent expert’s report in these circumstances to promote the integrity of, and public confidence in, the financial markets and corporate governance. A copy of the executive summary of EY’s report can be accessed via the Enforceable undertakings register.

EY’s findings on remediation

In relation to the remediation of CFPL customers, EY found that:

  1. for the periods 1 July 2015 to 31 May 2016 and 5 June 2017 to 31 January 2018, there was no evidence to suggest that CFPL had not taken reasonable steps to ensure that customers who should have received remediation did receive that remediation; and
  2. for the period 1 June 2016 to 4 June 2017 (Period 2), there had been a lower level of customer testing during this period and further work by CFPL was required. EY found that CFPL is in the process of taking reasonable steps to identify and remediate those customers who should have received remediation.

EY will re-assess and report on Period 2 in January 2019 once CFPL has undertaken additional remediation work for that period.

EY’s findings on CFPL’s controls environment

EY assessed whether CFPL had put in place adequate systems, processes and controls to meet its contractual obligations to customers who are paying ongoing service fees. EY found that there was nothing to suggest that those systems, processes and controls are not reasonably adequate to ensure that CFPL is able to discharge its obligations to its customers. However, EY noted that CFPL could make further improvements to address:

  • a low level of control awareness within the business;
  • a high prevalence of manual processes and controls;
  • limitations on CFPL’s ability to analyse and report information for tracking and reporting of compliance centrally; and
  • the sustainability of its manually intensive processes.

EY will assess and report on whether CFPL has addressed EY’s findings, through the implementation of systems and process improvements, in January 2019.

CFPL has requested an extension of time for EY to produce its final report and for CFPL to provide its senior executive attestation as required under the EU, to 31 January 2019. This extension of time will allow CFPL to undertake the additional work required in relation to Period 2 and to implement the recommendations made by EY to further improve CFPL’s systems, processes and controls.

CFPL is required by ASIC to submit a detailed plan setting out the specific actions that it will undertake to ensure that it addresses EY’s findings and recommendations. The EU will be amended to reflect this additional plan, the timing of the final report and senior executive attestation.

ASIC announces review of school banking

As the lead Australian Government agency for financial capability, ASIC announced that it will commence a review of school banking programs in primary schools.

Across the country young people are learning about money at school. Financial literacy education is embedded in the Australian Curriculum and teachers draw on a range of materials and programs to support an understanding of money and financial concepts.

Students are learning about the value of money, the cost of living, compound interest, identifying a scam, choosing a mobile data plan and starting a business.

It is essential that young people develop the knowledge and the skills they need to engage effectively with financial products and services. Attitudes and behaviours around money can be shaped from an early age and education is a key component to support stronger financial capability and to better prepare young people to manage financial decisions throughout their life.

School banking programs are offered to primary schools as a way of encouraging and supporting the importance of savings through regular deposits facilitated by the school.

To better understand how school banking programs are operating, ASIC will undertake a review of school banking programs. ASIC’s review:

  • will seek to understand how these programs are implemented and how they are marketed to school communities.
  • will consider how students are engaging with these programs and the accounts established through these programs while they are at school and after they leave school.
  • will assess the benefits as well as the risks of school banking programs, and will set out principles for appropriate conduct and good practice in this area.

Deputy Chair, Peter Kell said, ‘Transparency around school banking programs is important. ASIC wants to understand the motivations and behaviours around school banking programs to ensure they ultimately serve the interests of young Australians, and to enable school communities to have an understanding of the potential impact of these programs.’

ASIC will consult with various stakeholders including from the education sector, consumer organisations, other regulatory agencies, as well as the banks offering the programs.

It is expected the review will be complete by mid-2019.

Background

ASIC is the lead Australian Government agency for financial capability, consistent with its strategic priority and statutory objective to promote confident and informed consumers and investors. ASIC’s financial capability program includes:

  • Leading the National Financial Capability Strategy;
  • Providing consumer information via ASIC’s MoneySmart;
  • Delivering ASIC’s MoneySmart Teaching program; and
  • Implementing ASIC’s Indigenous Outreach Program.

The National Financial Capability Strategy, led and coordinated by ASIC, seeks to broaden the reach and impact of financial capability initiatives that assist Australians to be in control of their financial lives.

School banking programs are programs where a bank has a relationship with a school to offer deposit products to their students. These students are encouraged to establish bank accounts and make ongoing deposits into those accounts at the school.

ASIC may just be the best deal maker in town

From InvestorDaily.

Are you a major financial institution looking to profit from misconduct? The corporate regulator is open to negotiations.

There are very few surprises in Hayne’s interim report. Fortunately, the document backs up what I’ve long suspected – that ASIC is a toothless tiger of a regulator when it comes to the big end of town; always happy to hit small business where it hurts but equally glad to negotiate bargain basement prices on infringement notices for the big corporates.

Seventy per cent of all of ASIC’s enforcement outcomes come from the Small Business Compliance and Deterrence Team, which focuses very heavily on the prosecution by in-house ASIC legal teams of strict liability offences, primarily in relation to the failure of directors to assist liquidators.

When it comes to regulating the big four banks, however, it’s a different story. Negotiation, rather than prosecution, is the strategy.

As Hayne states in his report: “ASIC issued infringement notices to the major banks as the outcome agreed with the bank.”

We have already seen plenty of evidence of this during the royal commission hearings throughout the year.

Hayne pulls no punches in his interim report, blasting the nonchalant regulator: “When deciding what to do in response to misconduct, ASIC’s starting point appears to have been: How can this be resolved by agreement?

“This cannot be the starting point for a conduct regulator. When contravening conduct comes to its attention, the regulator must always ask whether it can make a case that there has been a breach and, if it can, then ask why it would not be in the public interest to bring proceedings to penalise the breach. Laws are to be obeyed. Penalties are prescribed for failure to obey the law because society expects and requires obedience to the law.”

But the big banks were clearly too big to obey the book and ASIC was unwilling to throw it at them.

If ASIC has a reasonable prospect of proving contravention, Hayne said, then the starting point must be that the consequences of contravention should be determined by a court.

But the courtroom is an unfamiliar environment for the corporate watchdog. It does its best work around the negotiating table.

Over the 10 years to 1 June 2018, ASIC’s infringement notices to the major banks have amounted to less than $1.3 million. By contrast, in a single year (the year ending 30 June 2017) CBA declared a profit about 7,000 times greater – $9.93 billion (net profit after tax on a statutory basis).

Between 1 January 2008 and 30 May 2018, ASIC commenced 1,102 proceedings, an average of about 110 per year. Of those, more than half (587) were administrative proceedings, which include disqualification or bans on individuals from the industry; revocation, suspension or variation of a licence; and public warning notices.

“That is, they were outcomes carried out in-house by ASIC and not through the courts, though they may be appealed to the Administrative Appeals Tribunal,” Hayne states in his interim report.

“In that time, ASIC commenced 238 criminal proceedings and 277 civil proceedings, and accepted 194 enforceable undertakings. Of those proceedings, just 10 were against major banks.”

Hayne found that in a number of cases where ASIC acted against major banks in the form of infringement notices, the regulator included the following disclaimer in its media release: ‘The payment of an infringement notice is not an admission of guilt in respect of the alleged contravention.’

Crikey!

Another important point in Hayne’s report supports the arguments I made in an earlier editorial, that it is the banks, not the regulator, who really call the shots.

“Too often, entities have been treated in ways that would allow them to think that they, not ASIC, not the Parliament, not the courts, will decide when and how the law will be obeyed or the consequences of breach remedied,” Hayne states.

“Attitudes of this kind have not been discouraged by ASIC’s approach to the implementation of new provisions of financial services laws. Too often, ASIC has permitted entities confronted with new provisions, of which ample notice has been given (such as the unfair contract terms provisions), to take even longer to implement the provisions than the legislation provided.”

ASIC has been aiding the misconduct in financial services by its own weak and possibly even corrupt preference for deal making. If things are to change, ASIC will need to litigate rather than negotiate.

Of course, ASIC, like any other government agency or department, will cry for more resources. Hayne is across this too.

“I do not accept that the appropriate response to the problem of allocating scarce resources is for a regulator to avoid compulsory enforcement action and instead attempt to settle all delinquencies by agreement,” he said.

Hayne knows that ASIC needs to change its ways but is yet to be convinced that this can happen. For several reasons.

“First, there is the size of ASIC’s remit,” he said.

“Second, there seems to be a deeply entrenched culture of negotiating outcomes rather than insisting upon public denunciation of and punishment for wrongdoing.

“Third, remediation of consumers is vitally important but it is not the only relevant consideration. Fourth, there seems no recognition of the fact that the amount outlaid to remedy a default may be much less than the advantage an entity has gained from the default.

“Fifth, there appears to be no effective mechanism for keeping ASIC’s enforcement policies and practices congruent with the needs of the economy more generally.”

ASIC permanently bans another former NAB branch manager

ASIC says an ongoing investigation has resulted in the permanent banning of former National Australia Bank (NAB) branch manager Mathew Alwan from engaging in credit activities and providing financial services.

The ban is the result of an extensive ASIC investigation in respect of NAB employees in greater western Sydney who were accepting false documents in support of loan applications and falsely attributing loans as having been referred by NAB introducers in order to obtain commissions. This conduct was the subject of the first case study before the Financial Services Royal Commission.

From 2012 to 2015, Mr Alwan assigned 101 home loans as being referred to NAB by an introducer, causing a total of $186,725 to be paid to the introducer by way of commission. ASIC found in 25 of these loan applications, Mr Alwan had knowingly given NAB false or misleading information and documentation.

The introducer in question is Mr Alwan’s relative, a fact he did not disclose to NAB and actively concealed from the bank when questioned.

ASIC found that Mr Alwan’s conduct was dishonest, deliberate and repeated.

ASIC also found Mr Alwan personally lent money to a NAB staff member who reported to him and to a NAB customer while loan applications by each of them were pending approval, creating an unacceptable conflict of interest.

Mr Alwan has the right to lodge an application for review of ASIC’s decisions with the Administrative Appeals Tribunal.

ASIC’s ongoing investigation is considering whether a brief for criminal charges should be referred to the CDPP.

Background

On 16 November 2017, NAB announced a remediation program for home loan customers whose loans may not have been established in accordance with NAB’s policies.

NAB has identified that around 2,300 home loans since 2013 may have been submitted with inaccurate customer information and/or documentation, or incorrect information in relation to NAB’s Introducer Program.

Mr Alwan’s banning follows the permanent banning of former NAB employees Danny Merheb and Samar Merjan (also known as Samar Awad) from engaging in credit activities and providing financial services (refer: 18-205MR), and the seven year banning of former NAB branch manager Rabih Awad (refer: 18-211MR).

Metricon Homes pays $50,400 in penalties for misleading first home buyers

ASIC says Metricon Homes Pty Ltd (Metricon) has paid $50,400 in penalties after ASIC issued four infringement notices for misleading advertising aimed at first home buyers.

Metricon’s ‘2K on your way’ campaign for its ‘HomeSolution’ house and land packages (HomeSolution) contained misleading representations about eligibility to qualify.

The HomeSolution advertisements created the impression that consumers who qualified for the first home owner grant could obtain a Metricon HomeSolution house and land package with a $2,000 deposit. However, consumers were still required to fund the balance of the prescribed 5% deposit (approximately $30,000 on a typical $600,000 package, but could be as much as $41,000 on a $825,000 package). This additional amount was financed through an unsecured personal loan, typically through one of Metricon’s associated finance brokers.

Any disclaimer in the HomeSolution advertisements was not prominent enough to effectively qualify the dominant message of the advertising. Consumers were also required to navigate through links on Metricon’s website to the HomeSolution landing page where eligibility conditions were listed in small font at the bottom of that page.

In response to ASIC’s investigation, Metricon has withdrawn the concerning advertising and ceased promoting its ‘2K on your way’ offer.

ASIC reminds all financial services firms to regularly review their advertising compliance arrangements. ASIC proactively monitors all forms of advertising, including advertising on-line, and will take action in appropriate circumstances.

Background

The misleading advertisements appeared in radio, print, outdoor, electronic and online formats throughout Victoria, Queensland and South Australia between July 2017 and February 2018.

ASIC has issued Regulatory Guide 234 Advertising financial products and services (including credit): Good practice guidance (RG 234) setting out our guidance to help promoters comply with their legal obligations not to make false or misleading statements or engage in misleading or deceptive conduct.

ASIC can issue an infringement notice where it has reasonable grounds to believe a person has contravened certain consumer protection laws under the ASIC Act.

The payment of an infringement notice is not an admission of a contravention of the ASIC Act consumer protection provisions.

ASIC releases guidance on code of ethics compliance schemes for financial advisers

ASIC has today released guidance on its proposed approach to approving and overseeing compliance schemes for financial advisers (RG 269).

The financial advice professional standards reforms include obligations for financial advisers to, from 1 January 2020, comply with a code of ethics and be covered by an ASIC-approved compliance scheme under which their compliance with the code of ethics will be monitored and enforced.

RG 269 explains our process and criteria for determining whether to grant approval to a compliance scheme. It also sets out:

  • our expectations for the governance and administration, monitoring and enforcement processes, and ongoing operation of compliance schemes
  • how we will exercise our powers to revoke the approval of a compliance scheme and to impose or vary conditions on the approval, and
  • the notifications that monitoring bodies must make to ASIC.

ASIC Deputy Chair Peter Kell said that ASIC is committed to ensuring robust, transparent, fair and consistent compliance schemes that effectively monitor and enforce compliance with the code of ethics.

‘Effective compliance schemes are a key component of the reforms that will require higher standards of ethical behaviour and professionalism among financial advisers.’

‘Our guidance requires high standards for compliance schemes, reflecting the significant responsibility that monitoring bodies operating compliance schemes will have. This includes the responsibility to effectively monitor and sanction adviser members if required,’ he said.

The code of ethics is being developed by the Financial Adviser Standards and Ethics Authority (FASEA). Consultation on an exposure draft of the code of ethics released by FASEA closed on 1 June 2018. At this time, FASEA has not released the final code. If there are significant changes from the draft code, we may need to revise our guidance when the final code is released.

Download

  • Regulatory Guide 269 Approval and oversight of compliance schemes for financial advisers (RG 269)
  • Report 595 Response to submissions on CP 300 Approval and oversight of compliance schemes for financial advisers (REP 595)
  • Consultation Paper 300 Approval and oversight of compliance schemes for financial advisers (CP 300) and submissions

Background

  • The Corporations Amendment (Professional Standards of Financial Advisers) Act 2017 amended the Corporations Act 2001, and commenced on 15 March 2017. It introduced a number of new requirements for financial advisers who provide personal advice to retail clients on more complex financial products.
  • From 1 January 2020, all financial advisers must be covered by an ASIC-approved compliance scheme under which their compliance with a new single, uniform code of ethics will be monitored and enforced. These compliance schemes will be operated by monitoring bodies.
  • In May 2018, ASIC released Consultation Paper 300 Approval and oversight of compliance schemes for financial advisers (CP 300) which sought feedback on a number of proposals in relation to the approval and oversight of compliance schemes for financial advisers.
  • The consultation period for CP 300 closed in June 2018 and we received 11 submissions.

ASIC Finds Unacceptable Delays By Financial Institutions Breach Management

In a report released today, ASIC has identified serious, unacceptable delays in the time taken to identify, report and correct significant breaches of the law among Australia’s most important financial institutions.

It can, they say, take over 4 years to identify that a breach incident has occurred!

The report REP 594 Review of selected financial services groups’ compliance with the breach reporting obligation examined the breach reporting processes of 12 financial services groups, including the big four banks (ANZ, CBA, NAB and Westpac) and AMP.

Key findings from the report include:

  • Financial institutions are taking too long to identify significant breaches, with the major banks taking an average time of 1,726 days (over 4.5 years).
  • There were delays in remediation for consumer loss. It took an average of 226 days from the end of a financial institution’s investigation into the breach to the first payment to impacted consumers. (This is on top of the average across all institutions of 1,517 days before the breach is discovered and the time taken to start and complete an investigation.)
  • The significant breaches (within the scope of the review) caused financial losses to consumers of approximately $500 million, with millions of dollars of remediation yet to be provided.
  • The process from starting an investigation to lodging a breach report with ASIC also takes too long, with major banks taking an average of 150 days.

Once a financial institution has investigated and determined that a breach has occurred and that it is significant, the law requires that the breach be then reported to ASIC within 10 business days. One in seven significant breaches (110 of 715) were reported later than that 10-business day requirement.

ASIC Chair James Shipton said:

‘Breach reporting is a cornerstone of Australia’s financial services regulatory structure.

‘Many of the delays in breach reporting and compensating consumers were due to the financial institutions’ inadequate systems, procedures and governance processes, as well as a lack of a consumer-orientated culture of escalation.

‘Our review found that, on average, it takes over 5 years from the occurrence of the incident before customers and consumers are remediated, which is a sad indictment on the financial services industry. This must not stand.

‘There are two related problems here and ASIC wants change to address both of these:

  • The first is that industry is taking far too long to identify and investigate potential breaches. Whilst this is not of itself a breach of the reporting requirement, this is the source of longest delay and thus of most detriment for consumers.
  • The second problem is that even having identified an issue and concluded following an investigation that it is a breach, institutions are failing to then report it to ASIC within the required 10 business days. The delays here are much shorter (75% were late by 1 – 5 days) but this is still a breach of the legal requirements.

‘Accordingly, there is an urgent need for investment by financial services institutions in systems and processes as well as commitment and oversight from boards and senior executives to address these significant failings.’

In response to the review’s findings, ASIC will ensure there is a strong focus on compliance with breach reporting requirements in its new Close and Continuous Monitoring approach to supervising major institutions. ASIC is also actively considering enforcement action for failures to report breaches on time.

The review underscores the need for law reform of the breach reporting requirements, that the Government has committed to, in principle, following the ASIC Enforcement Review. Currently, there are three factors that are barriers to enforcement action which would be addressed by the proposed reforms:

  • The test as to whether a breach is significant and therefore is legally required to be reported is subjective. That is, the licensee makes that decision based on its own assessment, not based on objective grounds.
  • The 10-business day period for reporting only begins once an institution has determined that there is a breach and that it is significant. Institutions can delay making those decisions without breaching the law.
  • Failures to report can only be prosecuted on a criminal basis with the associated high standard of proof. At the same time the existing penalty is relatively modest.

Background

The review

Following the Government’s announcement in April 2016 of new measures to protect Australian consumers by improving outcomes in financial services, ASIC undertook a breach reporting review of 12 financial services groups.

The financial services groups were: the four major banks ANZ, CBA, NAB and Westpac; as well as eight others – AMP, Bank of Queensland, Bendigo Bank, Credit Union Australia, Greater Bank, Heritage Bank, Macquarie and Suncorp.

The review considered the institutions’ compliance with reporting requirements under section 912D of the Corporations Act. The law requires all Australian Financial Services (AFS) licensees to report to ASIC a ‘significant breach’ within 10 business days of becoming aware of it.

Methodology

ASIC analysed the financial services groups’ breach data from 2014 to 2017, covering a total of 715 significant breaches. ASIC also examined internal policies and evaluated specific scenarios using case studies.

The review covered key stages of the breach management process – from identifying an issue or incident to reporting the significant breach to ASIC; and rectifying the breach including remediating consumers.

Breach reporting law reform

Subjectivity and ambiguity in the current legal requirements have led to inconsistent decisions about what breaches are ‘significant’ across different financial services groups. As noted by the ASIC Enforcement Review Taskforce, this has undermined ASIC’s ability to take enforcement action for non-compliance.

The Taskforce in its report to the Government concluded that ‘the current regime is not conducive to pursuing action against non-compliant licensees’. [Page 11 of the report]

Law reform has been recommended by the Taskforce and accepted in-principle by the Government. This reform would make breach reporting rules stronger, clearer, and more enforceable as well as extending the requirement to cover breaches of credit laws and introducing a civil penalty for failure to report.

Close and continuous monitoring

The review’s findings re-emphasise the need to implement new and more intensive supervisory approaches.

ASIC will now be regularly placing ASIC staff on site in major financial institutions to closely monitor their breach management, governance and compliance with laws – this new programme of work is called Close and Continuous Monitoring.

Downloads