
ASIC’s Breach Reporting Update: A Perfect Storm of Confusing Ambiguities and Increased Reporting

One Thing Is Clear: Aussie COs at Financial Institutions Are Going to Have More Work on Their Plates.

by Ajay Katara
September 2, 2021
in Compliance

Announced in April, the Australian financial regulator’s CP 340 goes into effect in October. ASIC’s breach reporting update is going to make life more difficult and potentially more confusing for compliance officers at financial institutions across the country.

The Australian Securities and Investments Commission (ASIC) released its new breach-related obligations in April 2021 with CP (consultation paper) 340. The new regulation aims to strengthen and solidify existing breach regulation for market participants. It comes into effect by October 2021 and is expected to add massively to the cost and complexity of the current breach reporting standards. It also significantly increases the number of scenarios under which a licensee needs to report.

ASIC has issued Consultation Paper 340, seeking stakeholder feedback on proposed updates to its draft guidance on upcoming breach reporting reforms. https://t.co/h0Gq29Osmp

— ASIC Media (@asicmedia) April 22, 2021

The regulation, which applies to Australian financial services (AFS) licensees, credit licensees and their representatives, has already gotten the industry thinking about how to manage the compliance expectations.

ASIC’s breach reporting update includes a regulatory guide (PDF download) that lists reportable situations. These include breaches of core obligations such as conduct, financial solvency, fraud, etc. It requires licensees to report breaches to ASIC within 30 days of the incident (as compared to 10 days previously), failing which they are subject to fines and penalties. The various scenarios under which an automatic reporting obligation will be triggered are as follows:

  • Breaches or likely breaches of core obligations that are significant (this refers to the existing list of obligations defined in section 912(1)(a) of the Corporations Act 2001);
  • Investigations into breaches or likely breaches of core obligations that are significant and have continued beyond 30 days;
  • Additional reportable situations, such as conduct constituting gross negligence or serious fraud; and
  • Reportable situations about other AFS licensees, which is being termed the “dobbing” provision.

In order to ensure compliance, ASIC has also prescribed a form in which the breach should be reported. The form needs to be submitted via a regulatory portal and covers key aspects such as the nature and description of the incident, the significance of the breach, the process involved in identifying the breach, the rectification or remediation carried out and the steps taken to ensure future compliance. The reported details will be published by ASIC within four months of the end of the financial year and may include the name of the licensee, the volume of reported breaches and the number of breaches compared to the size and activity or volume of the licensee’s business.

ASIC’s Breach Reporting Update: Key Concerns

While the breach framework has been laid out comprehensively, there are many concerns playing on the minds of licensees. Some key examples include:

Increased Scenarios – The regulation brings in additional core obligations and scenarios that need to be reported in a span of 30 days. This will result in increased operational costs and controls.

Increased Workload – The regulation massively increases the number of breaches that need to be reported. This will all flow down to back-office processes.

Ambiguity – The regulation does spell out numerous scenarios that require reporting. But it also states that licensees are “not required to report every instance of non-compliance or trivial breaches.” Violators only need to focus on a “targeted set” of situations. While a set of significant breaches has been defined in the regulation with examples, other breaches will require a determination of significance before being reported to ASIC.

Defining Gross Negligence – Neither the legislature nor ASIC has provided clear guidance on what conduct constitutes gross negligence, a concept that is not defined in the Corporations Act.

Dobbing Provision – As per this provision, licensees can inform ASIC if they know or suspect that another licensee is not meeting the new breach reporting requirements. This may eventually cause suspicion or hostility between licensees.

How to Prepare

In order to identify and report breaches in a timely manner, the regulation will require licensees to scale their existing technology landscape and resources to ensure compliance. Some of the likely changes we can foresee are:

Upgrading existing risk systems – Licensees will need to upgrade their existing risk systems so that they are able to identify breaches and report them in a timely manner. ASIC has indicated that if a licensee fails to report significant (or even likely) breaches, it will constitute a breach of compliance.

Creating a broad framework for breach assessment – Licensees will probably need to create a detailed framework from the guidelines listed in the obligation. Such a framework will help them in breach identification, breach severity assessment and final reporting of the breaches in line with the regulatory mandate.

Clearly documented business processes – Licensees must maintain clearly documented processes around the entire life cycle of breach reporting. These include processes around:

  • Identification and recording of incidents and potential reportable situations;
  • Assessment and determination of whether an identified incident is a reportable situation;
  • Reporting situations to ASIC within 30 calendar days; and
  • Remediation plans to prevent the recurrence of breaches or likely breaches.

Enhancing control libraries – Licensees will need to enhance their existing control libraries and put much tighter controls in place to include additional scenarios that will help in the breach identification and assessment process.

Maintaining breach registers – While this is not an explicit obligation, ASIC has indicated that maintaining a record of actions from breach identification to reporting will help licensees comply with reporting obligations. Maintaining such a register will give licensees the necessary insight, based on the number and frequency of breaches, to ascertain whether or not a breach is significant.

While the reform regulations are currently under public consultation, it is expected that the regulation may factor in some minor changes. In all likelihood, it will still carry the essence of the guidelines which have been listed out so far. For licensees, the regulation is going to add massive workload to the compliance function. ASIC’s breach reporting update is intended to increase market surveillance. It aims to identify and address patterns of noncompliance. Its impact on financial institutions and compliance teams, however, has yet to be fully felt.


Ajay Katara

Ajay Katara is a Domain Consultant with the Banking Industry Advisory Group at Tata Consultancy Services (TCS). He currently heads the Solution and Strategy for Enterprise Risk and Compliance Regulations. Ajay has extensive experience of more than 15 years in the Consulting & Solution design space cutting across CCAR Consulting, AML, Basel II implementation and credit risk, and he has worked with several financial enterprises across geographies. He has significantly contributed to the conceptualization of strategic offerings in the risk management space and has been instrumental in successfully driving various consulting engagements. He has also authored many editorials, details of which can be found on his LinkedIn profile.  
