Once more unto breach reporting, dear friends

Once more unto breach reporting, dear friends

“In the past, so this is before October 2021, the regime was a little greyer in terms of what particular breaches needed to be reported to ASIC [the Australian Securities and Investments Commission],” said Lam. “It used to be just anything considered to be a significant breach.”

As Australian Financial Services (AFS) licensees, insurance companies are obliged to report significant breaches of their obligations of the Corporations Act to ASIC. Those breaches can include a failure to prepare cash flow projections or giving inappropriate advice.

“There were some factors that went towards what was considered to be significant,” said Lam. “So how frequent the breach was and the nature of the breach.”

Read more: What’s “the step change” in claims handling compliance?

For these cases, she said, insurance companies would spend time investigating whether an issue caught within their breach register or flagged for attention actually fell within the definition of what was considered to be significant.

However, the Hayne Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry uncovered a problem.

“The Royal Commission showed that some licensees were potentially taking up to four years to investigate whether something actually did constitute a significant breach,” said Lam.

The Clyde & Co. special counsel said, “to be fair” some of the scenarios licensees investigate are complex and take time. However, she said, the average investigation time was found to be a long wait of five months, or 150 days.

“The tightening of the regime now under this enhanced breach reporting regime is to make sure that anything that is considered to be a reportable situation for a court obligation is more strictly defined,” said Lam.

See also  Threat actors back to "big game hunting"

She said insurance companies investigating breaches still go through significant tests analysis.

“However, now ASIC says that once your investigation goes over 30 calendar days they want to know about it – even if you reach the conclusion that there is no significant breach,” said Lam. “So you can’t use the excuse that we’re still going through an investigation and gathering the facts to try and buy yourself more time.”

In a previous interview with Insurance Business, Lam explained the new regulatory guide (RG) called RG 271. The guide details what insurance companies’ internal dispute resolution (IDR) systems need to account for to be compliant.

Lam sees RG 271 and other recent regulatory changes as part of a new phase of reforms following the Hayne Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry.

Watch more: Implementing a RG 271 Complaints Management Solution

RG271 is different to most previous ASIC guides, she said, for the way it sets out what’s enforceable in its guidance.

“Previously, regulatory guides are guidance as to what the expectations of the regulator are,” said Lam. “But now this regulatory guide actually picks out and highlights particular provisions that ASIC says are enforceable.”

That could mean fines or penalties depending on the particular breach under the Corporations Act.

Lam said RG 271 also has a major focus on timeliness and ensuring companies are interacting with their complaining customers, so their customer is made aware that their issue is being actively managed and escalated as necessary.

This contrasts with the situation before the new guide where customers could be “left hanging” after going to the effort of submitting a complaint.

See also  Ransomware attacks shift focus to data theft

Lam also detailed the recent regulatory changes around claims handling.

From January 1 last year, a new definition under the Corporations Act has legally defined claims handling as a financial service. Now, anyone providing claims handling services either needs their own AFS license or must operate as an authorised representative (AR) under another AFS license.