Lift breach reporting threshold to $1000 and 30 days

Significant changes have been recommended to the breach reporting regime by the Financial Advice Association of Australia (FAAA) and the major accounting bodies who argue that minor breaches are flooding the system, adding to costs and distracting the Australian Securities and Investments Commission (ASIC).

In doing so, they have recommended that a sensible balance can be achieved by amending the first parameter of reporting to a breach being rectified within 30 days of it being identified, rather than when the breach occurred.

As well, the joint bodies have recommended that the threshold for reporting a breach is increased from $500 to $1,000 and consequently the maximum number of clients is also increased from 5 to 10.

“The resources of ASIC should be focused on identifying and addressing emerging trends of serious non-compliance, including those that could lead to material consumer financial detriment. They should not be consumed on minor compliance breaches which are currently flooding the system, which is a concern for the sector given ASIC is funded via an Industry Funding Model,” the joint bodies said.

The joint submission to ASIC said the recommendation on 30 days is supported by the regulator’s own Report 800 which found found the median days to identify and commence an investigation into a breach over the last two reporting periods, by quarter, has ranged between 49 and 93.5 days.

“While we acknowledge that this is the median, not the average, it does imply that most reported breaches are not rectified within 30 days of when they first occurred,” it said.

“This is often the case with financial advice breaches, where non-compliance with the law is often discovered as a result of a complaint or a client file audit. Rarely is it discovered at the time the advice is delivered. This would mean that the benefit to the financial advice sector would likely be limited to administrative matters and licensee level breaches.”

On increasing the threshold to $1,000 the submissions said this provides a sensible balance between what is reported to ASIC, the associated costs and the value of the information to ASIC.

“Should this recommendation not be accepted, we recommend that the $500 threshold is at least annually indexed to ensure that it remains effective in reducing low intelligence breaches being reported en mass,” the submission said.

“The obligation to make a reportable situation report to ASIC involves a significant amount of work and cost, particularly for small business licensees, who are often forced to seek expensive legal or compliance advice to understand their obligations and prepare the report,” it said.

“This effort and cost, represents a significant waste for these businesses, particularly if the matter is immaterial and not something that ASIC has any interest in pursuing.”