The Australian Securities and Investments Commission (ASIC) is to review breach reporting by financial services licensees in response to alleged inconsistencies and delays.

“Some recent enforcement actions against both large and small companies have highlighted deficiencies in the approach to breach reports, in particular the timeframe for reporting significant breaches,” Deputy Chairman Peter Kell said.

He told the Risk Management Association of Australia chief risk officers’ forum that failure to comply with regulations is a criminal offence.

Under the Corporations Act 2001 significant breaches must be reported within 10 business days.

“To be clear, this means a licensee should not wait until after it has completed a full investigation to satisfy itself whether or not the breach or likely breach is significant.

“ASIC will be closely examining the breach reports we receive and, in the coming months, will conduct a proactive surveillance of those licensees identified as having a higher risk of non-compliance.”