The title of this story, a close copy of a quote in Shakespeare’s play Henry V, could resonate for many insurance professionals. Henry V, England’s king during the 15th century, says these words in the play while fighting the 100 Years War against the French. For insurance professionals, breach reporting is not unlike a never-ending battle, not with France, but to comply with financial regulations.
One year ago this month, the insurance industry started dealing with an updated and tougher breach reporting regime. The obligation to report breaches quickly is a major change, said Yvonne Lam (pictured), special counsel with Clyde & Co, a global law firm with a focus on insurance services.
“In the past, so this is before October 2021, the regime was a little greyer in terms of what particular breaches needed to be reported to ASIC [the Australian Securities and Investments Commission],” said Lam. “It used to be just anything considered to be a significant breach.”
As Australian Financial Services (AFS) licensees, insurance companies are obliged to report significant breaches of their obligations of the Corporations Act to ASIC. Those breaches can include a failure to prepare cash flow projections or giving inappropriate advice.
“There were some factors that went towards what was considered to be significant,” said Lam. “So how frequent the breach was and the nature of the breach.”
For these cases, she said, insurance companies would spend time investigating whether an issue caught within their breach register or flagged for attention actually fell within the definition of what was considered to be significant.
However, the Hayne Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry uncovered a problem.
“The Royal Commission showed that some licensees were potentially taking up to four years to investigate whether something actually did constitute a significant breach,” said Lam.
The Clyde & Co. special counsel said, “to be fair” some of the scenarios licensees investigate are complex and take time. However, she said, the average investigation time was found to be a long wait of five months, or 150 days.
“The tightening of the regime now under this enhanced breach reporting regime is to make sure that anything that is considered to be a reportable situation for a core obligation is more strictly defined,” said Lam.
She said insurance companies investigating breaches still go through significance analysis.
“However, now ASIC says that once your investigation goes over 30 calendar days they want to know about it - even if you reach the conclusion that there is no significant breach,” said Lam. “So you can’t use the excuse that we’re still going through an investigation and gathering the facts to try and buy yourself more time.”
In a previous interview with Insurance Business, Lam explained the new regulatory guide (RG) called RG 271. The guide details what insurance companies’ internal dispute resolution (IDR) systems need to account for to be compliant for retail customers.
Lam sees RG 271 and other recent regulatory changes as part of a new phase of reforms following the Hayne Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry.
RG271 is different to most previous ASIC guides, she said, for the way it sets out what’s enforceable in its guidance.
“Previously, regulatory guides are guidance as to what the expectations of the regulator are,” said Lam. “But now this regulatory guide actually picks out and highlights particular provisions that ASIC says are enforceable.”
That could mean fines or penalties depending on the particular breach under the Corporations Act.
Lam said RG 271 also has a major focus on timeliness and ensuring companies are interacting with their complaining customers, so their customer is made aware that their issue is being actively managed and escalated as necessary.
This contrasts with the situation before the new guide where customers could be “left hanging” after going to the effort of submitting a complaint.
Lam also detailed the recent regulatory changes around claims handling.
From January 1 last year, a new definition under the Corporations Act has legally defined claims handling as a financial service. Now, anyone providing claims handling services either needs their own AFS license or must operate as an authorised representative (AR) under another AFS license.
