ASIC breach reporting relief narrow, underwhelming

The Australian Securities and Investments Commission (ASIC) has been told that its proposed breach reporting exemptions are so narrow that they are unlikely to be actually used by financial advice licensees.
ASIC announced the proposed additional relief for reportable situations on 18 February, suggesting that its move would reduce both administration time and costs for licensees.
However, the Stockbrokers and Investment Advisers Association (SIAA) has signalled that its members are less than enthused by ASIC’s proposed changes.
ASIC has proposed providing relief from reporting breaches when:
- the breach has been rectified within 30 days from when it first occurred (this includes paying any necessary remediation), and
- the number of impacted consumers does not exceed five, and
- the total financial loss or damage to all impacted consumers resulting from the breach does not exceed $500 (including where the loss has been remediated), and
- the breach is not a contravention of the client money reporting rules and clearing and settlement rules.
The SIAA said its members’ feedback is that “the proposed exemptions being suggested by ASIC are so narrow that licensees would be unlikely to rely on them”.
“Our members cite a typical reportable situation where an error has been made in website material which is assessed as having no financial impact on consumers. In that case, the proposed relief would not apply and the licensee would be required to report because the website error is generally available to potentially hundreds or thousands of clients,” it said in response to ASIC.
“This is the type of incident which gives rise to many reports that are of limited benefit due to the minimal impact the breach has on consumers.”
“To be useful, we recommend that the relief be re-worded so that the requirement for the number of impacted consumers to not exceed five be removed. This would reduce the reporting obligation in a more meaningful way for licensees but would not compromise consumers as the breach rectification and financial loss or damage requirements would remain.”
ASIC wouldn’t know if its ass was on fire.
What has been the benefit of this breach reporting regime? It seems excessive with little benefit. It has to be argued that swamping licensees (and advisers) in red tape is not an efficient outcome, especially when ASIC are complaining they don’t have the resources to police all the other various sectors, not just financial advice.
The $500 impact threshold is too low