Breach Reporting: Findings of ASIC’s review and how licensees can improve compliance with the regime

ASIC conducted a review of the policies, processes and practices that 14 licensees had in place to comply with their reportable situations obligations. ASIC reviewed licensees’ incident registers for the three-month period from July to September 2023. They also reviewed all reports lodged by licensees from 1 October 2021 to 30 June 2024.

The review revealed a number of poor practices among licensees that included:

• Licensees being generally slow to report to ASIC,

• deficiencies in licensees’ incident management, particularly how they identified, escalated and recorded incidents.

• gaps in how they monitored their own compliance with the regime.

ASIC is seeking compliance outcomes to address these deficiencies from the licensees in the review and will take enforcement action where appropriate.

Recommended Action: Review the better practices recommended by ASIC to ensure the Business is meeting key requirements including:

• Capacity to identify an incident

• Supporting staff

• Assessing complaints for incidents and breaches

• Quality assurance activity

• Recording, escalating or acting on incidents and breaches

• Quality of incident and breach registers

• Reporting to senior management

• Reviews into compliance