‘There is a high level of stress and anxiety’ for legal, risk and compliance professionals
New research offers a damning indictment of the new breach reporting obligations implemented following the Hayne royal commission.
Australia-headquartered legal technology company Lawcadia and BigLaw firm Gadens – with the assistance of CoreData Research – commissioned, in early 2022, a study to better understand the key challenges, potential benefits and reactions of the financial services industry to the breach reporting obligations that came into effect in October of last year.
The obligations were a recommendation from the Financial Services Royal Commission, run by former High Court judge Kenneth Hayne, and formed part of the Financial Sector Reform (Hayne Royal Commission Response) Act 2020. The obligations require AFSL and ACL holders to self-report specific matters to ASIC and allow that corporate watchdog to detect noncompliance behaviours early.
The State of Financial Services Breach Reporting in Australia report sought to learn how the industry has responded in the first six months of its rollout. A total of 160 industry professionals responded to the survey put out by CoreData, and numerous one-on-one interviews were also conducted.
The findings show, Lawcadia said, that the enhanced breach reporting regime “has been rough on the financial services industry”, given the civil and criminal penalties for not making mandatory breach reports, and a “hawkish ASIC keen to show its, ‘Why not litigate?’ mantra in action when they do”.
The findings from the research included:
- 53 per cent of respondents cite the complexity of the new rules as a source of challenges, more so than resourcing (46 per cent), training (37 per cent) and systems-related implementation (33 per cent);
- 55 per cent say that the reporting regime has led to an increase in how much their organisations are spending on compliance;
- 67 per cent say that the obligations are distracting or diverting resources away from other important areas of work;
- 26 per cent say they are reporting more breaches than they are expected to;
- The proportion of professionals reporting fewer than five breaches a month has dropped from 86 per cent to 71 per cent;
- The types of issues generating breach reports under the new regime pertain to: advice-related issues (23 per cent); misleading and deceptive conduct issues (18 per cent); conduct issues (14 per cent); admin and legislative issues (11 per cent); and “material loss or damage” inflicted on consumers (9 per cent);
- 31 per cent say they do not believe that the new reporting obligations are at all effective in meeting their stated objectives;
- 51 per cent do not believe that ASIC can effectively administer the new regime;
- 51 per cent rate their understanding of the new obligations as “moderate”, “low”, or “very low”;
- 94 per cent believe that their licensee can competently handle a breach when it is reported to them; and
- 80 per cent said they invested additional time and money in process optimisation, people, regtech systems and non-legal advisers and consultants to deal with the increased compliance burden.
A conclusion to be drawn from the research, Lawcadia said in a statement, is that the legislation that had been brought in is considered “overly excessive”, and not achieving the goals that commissioner Hayne had in mind in recommending the changes.
Speaking about the findings, Lawcadia co-founder Sacha Kirk said the new reporting measures were also taking a significant toll on the mental health and wellbeing of staff in the sector.
“The research highlights there is a high level of stress and anxiety being experienced by legal, risk and compliance professionals, who have been tasked with planning, implementing and administering the requirements – regulatory design seems to be a factor here,” she said.
The findings give rise to the impression, Ms Kirk mused, that the sector has low confidence in the new reporting regime.
Gadens partner Liam Hennessy added that the research is valuable because it provides an insight into the quantitative and qualitative trends of breach reporting, ahead of when ASIC plans to publicly release data comparing organisations.
This will be a “ritualistic public shaming”, he explained.
“Breach reporting has very markedly increased, and the main pain points are around misleading and deceptive conduct, advice failures and conduct issues.
“Misleading and deceptive conduct isn’t a big surprise – an incorrect fee on a bank statement technically triggers a report, which is asinine and a waste of organisations’ and ASIC’s time.”
Moreover, he went on, it shows that the industry, as a whole, is struggling to prepare for and maintain the onerous compliance demands and that a combination of policy amendments scaling back the more onerous features of the regime and technology adoption is the answer.