ASIC Backs Down on Breach Data Publication
The Australian Securities and Investments Commission will not publish firm-level data on compliance breaches, reversing its April proposal following industry pushback about regulatory maturity and reporting burdens.
ASIC received 47 submissions to Consultation Paper 383 that raised concerns about publishing Reportable Situations data with company names attached. The regulator will instead publish aggregate breach data while proceeding with plans to publish firm-level Internal Dispute Resolution complaint data.
The decision reflects ongoing tensions in the RS regime, which has undergone multiple modifications since its October 2021 introduction. ASIC granted additional relief in June, extending investigation reporting timeframes from 30 to 60 days and exempting minor breaches affecting fewer than five consumers with losses under $A500.
Industry submissions warned that public naming could discourage voluntary breach reporting. The Stockbrokers and Investment Advisers Association argued ASIC would be "abrogating its responsibilities" by putting the burden of supervising licensees on consumers rather than using its investigative powers.
Compliance professionals cautioned that "name and shame" approaches could trigger under-reporting as firms avoid being publicly identified as top complaint generators.
The Australian Finance Industry Association, representing over 150 financial services firms, fundamentally opposed the proposal. "AFIA does not support publishing raw data with financial firms named as proposed under ASIC Consultation Paper 383," the organisation stated, arguing that transparency should only be introduced "where transparency can improve conduct and build trust and confidence in the financial system."
AFIA warned that without sophisticated data analytics and deeper assessment of different business models, "publication of data could be misleading, even with contextual statements." The association raised concerns that firms with strong compliance cultures that identify and report more issues could be penalised reputationally, while under-reporting firms escape scrutiny.
Law firm Herbert Smith Freehills argued ASIC has discretionary power to withhold firm-level identifiable information. The firm contended that publication "could disincentivise reporting accurate RS and IDR data to ASIC" as firms facing public disclosure may delay reporting ambiguous incidents or understate breach significance.
"There is a risk that the publication of firm-level information could increase the time taken to finalise an RS investigation," Herbert Smith Freehills submitted, noting that public data may require additional approval layers, particularly for listed companies.
The Law Council of Australia supported transparency but recommended ASIC "run a pilot program with a small number of firms of different sizes from different sectors to test the new framework" before industry-wide implementation.
Data Quality Concerns
ASIC's first industry-wide IDR report in October 2024 flagged data quality concerns, with 5,035 firms declaring zero complaints - higher than expected. The regulator found variations in complaint volumes among comparable firms, suggesting some may not be reporting accurately.
AFIA emphasised that "quality of data is critical for any benchmarking or comparisons exercises," noting the financial services industry contains diverse firms with different compliance systems suitable for their business models.
Herbert Smith Freehills noted that ASIC's first two RS reports cited "inconsistencies in reporting practices" that made firm-level comparisons "unlikely to provide meaningful insights." Neither CP 383 nor recent reports explained whether these inconsistencies have been addressed.
ASIC will publish the RS dashboard in October and the IDR dashboard later this year. The IDR publication will include firm names and Australian Financial Services Licence numbers but incorporate privacy protections for complainants and contextual explanations.
ASIC has not disclosed how many firms will be affected by publication requirements or provided guidance on data quality standards expected for public dashboards. The regulator stated it will not verify the accuracy of self-reported data.