Legal development

How to comply with the new breach reporting regime


    What you need to know

    • The new breach reporting regime requires licensees to report to ASIC within 30 days of knowing, or being reckless as to whether, there are reasonable grounds to believe that a "reportable situation" exists.
    • Licensees are also required to report to ASIC if they have reasonable grounds to believe that certain reportable situations have arisen in relation to other licensees. Licensees may also need to notify clients affected by a breach in certain circumstances under the new regime.
    • Breaches or likely breaches of core obligations will be taken to be significant in many cases, meaning that licensees will be required to report breaches that are not, in fact, material. 

    What you need to do

    • Review your existing processes and compliance frameworks to ensure they provide for reportable situations to be identified and reported to ASIC in accordance with the strengthened requirements.
    • AFSL holders should also review their backlog of existing events so that any incidents that arose before 1 October can, where possible, be reported under the old regime.

    Background

    In response to concerns relating to the perceived inadequacy of the existing breach reporting regime in preventing non-compliance across the financial services industry, the Financial Sector Reform (Hayne Royal Commission Response) Act 2020 (Cth) (RC Response Act) was enacted.  The RC Response Act materially reforms the requirements which apply to AFSL holders and introduces a similar regime for ACL holders.

    Specifically, the RC Response Act sought to remove perceived ambiguities which had resulted in potentially inconsistent interpretations of "significant" breaches across industry.  The reforms also require licensees to investigate potential and actual misconduct, as well as to inform and remediate affected clients.

    ASIC has recently published its guidance on the regime, in the form of Regulatory Guide 78: Breach reporting by AFS licensees and credit licensees (RG 78), which sets out its expectations for how licensees should comply with the strengthened requirements.  RG 78 also details how the new regime may apply in different factual circumstances and specifies the information that must be provided in any breach reports lodged with ASIC.

    What needs to be reported?

    The new breach reporting regime requires licensees to report all "reportable situations" to ASIC.  Relevantly, reportable situations are those where:

    • a licensee or its representative has breached a "core obligation" and the breach is significant;
    • a licensee or its representative is no longer able to comply with a "core obligation" and the breach, if it occurs, will be significant;
    • a licensee or its representative conducts an investigation into whether there has been or will be a significant breach of a core obligation, and the investigation continues for more than 30 calendar days;
    • an investigation of the kind described above discloses that there has been no breach of a core obligation (noting that if the investigation discloses that there has been a breach of a core obligation, this will be its own reportable situation under the first bullet point above); or
    • a licensee has engaged in gross negligence or serious fraud.

    Licensees are also required to notify ASIC if there are reasonable grounds to believe a reportable situation has arisen in respect of financial advisers and mortgage brokers.  RG 78 clarifies that this obligation will not require licensees to proactively investigate any possible misconduct by these persons, though they must not turn a blind eye to facts that would reasonably give rise to these concerns.

    What are the core obligations?

    With respect to AFSL holders, the "core obligations" generally mirror the obligations in the Corporations Act 2001 (Cth) (Corporations Act) that may need to be reported to ASIC under the current regime. For ACL holders, this captures the general conduct obligations in section 47 of the NCCP Act.  

    When is a breach significant?

    The test for significance has been amended under the new regime such that breaches of certain "core obligations" will be deemed to be significant.  This includes where the breach:

    • is a civil penalty provision, subject to certain exceptions;
    • is an offence punishable by a prescribed minimum term of imprisonment;
    • relates to misleading or deceptive conduct; or
    • results, or is likely to result, in material loss or damage.

    Where a breach of a core obligation is not deemed to be significant under the new regime, it may nevertheless be significant under the other significance test.  This test is similar to the criteria in the current regime and relevantly requires licensees to consider:

    • the number and frequency of similar breaches;
    • the impact of the breach or likely breach on the licensee's ability to provide financial services or engage in credit activities (as applicable); and
    • the extent to which the breach indicates that the licensee's compliance arrangements are inadequate.

    What is a reportable investigation?

    What constitutes an investigation for the purposes of the new regime is likely to vary depending on the size of a licensee's business, their internal systems and processes, and the type of breach in question.

    ASIC has made it clear that not all fact-gathering scenarios will amount to an "investigation", noting that the following conduct is unlikely to be reportable:

    • entering suspected compliance issues into your organisation's risk management system;
    • receiving a complaint, whistleblower disclosure or regulatory request (i.e. detective controls);
    • taking preliminary steps and conducting initial fact-finding inquiries into the nature of an incident, which are completed over a short timeframe and conducted as an initial response to detective controls; and
    • undertaking 'business as usual' inquiries (e.g. routine audits or quality assurance) except where these are triggered by an incident or assess a possible breach of a core obligation.

    However, whether or not a licensee refers to an investigation as such will not be relevant in determining whether this reporting obligation has arisen. 

    When must reports be lodged?

    The RC Response Act provides that a licensee must submit a report to ASIC within 30 calendar days of knowing that, or being reckless as to whether, there are reasonable grounds to believe a reportable situation has arisen.  

    With regard to the obligation to report investigations, the reporting obligation is triggered once an investigation has continued for more than 30 days, and the licensee then has a further 30 days to report the investigation.

    Moreover, while each breach of a legal obligation will give rise to a separate reportable situation, ASIC has outlined in RG 78 that multiple breaches may be grouped together where they relate to a single, specific root cause.  ASIC's Regulatory Portal will also afford licensees the ability to update reports, including where additional instances of reportable situations relating to the same root cause are identified after the initial report has been lodged.

    When is a licensee considered to know, or be reckless with respect to whether, a reportable situation has arisen? 

    Knowledge will arise under the new regime where the licensee knows of facts and/or evidence sufficient to induce in a reasonable person a belief that a reportable situation has arisen.  A reportable situation need not be considered by a licensee's board of directors or legal advisors for this element to be satisfied.  Rather, the state of mind of a director, employee or agent of the licensee will be attributed to the licensee where that person was engaged in the relevant conduct within the scope of their actual or apparent authority.

    Recklessness will, on the other hand, be established where a licensee does not know of any such facts or evidence, but is aware of a substantial risk that there are reasonable grounds to believe that a reportable situation has arisen and, having regard to the circumstances known to the licensee, it is unjustifiable for the licensee to ignore this risk.

    Notifying and remediating affected clients

    The new regime introduces requirements for licensees to notify and remediate persons who are affected by certain reportable situations.  The obligations specifically arise where personal advice is provided by an AFSL holder, or credit assistance in relation to a credit contract secured by a mortgage over residential property is provided by an ACL holder.  However, the obligations will not attach to licensees where the affected clients have not, or will not, suffer loss as a result of the reportable situation, or otherwise where these persons do not have legally enforceable rights to recover the loss or damage from the licensee.

    The notification obligation requires licensees to take reasonable steps to notify an affected client within 30 days of first knowing, or being reckless as to whether, the prescribed reportable situations have arisen.  In the same timeframe, licensees must also commence an investigation into the reportable situation which, at a minimum, must:

    • identify the conduct that gave rise to the reportable situation; and
    • quantify the loss or damage that there are reasonable grounds to believe has been, or will be, suffered and which the affected client has a legally enforceable right to recover.

    Any such investigations must be completed as soon as is reasonably practicable after their commencement, with a follow-up notice to be sent to clients within 10 days of completion.  Reasonable steps must also be taken, upon completion of the investigation, to compensate affected clients for an amount equal to the loss or damage within 30 days.

    What regime applies to reportable situations that arise during the transitional period?

    The current breach reporting regime will continue to apply to AFSL holders in respect of breaches or likely breaches that arise wholly before 1 October 2021, providing that the licensee knows that the obligation has been breached, or is likely to be breached, prior to the commencement of the new regime.  It is not, however, necessary for an AFSL holder to have determined the significance of the contravention, or likely contravention, before 1 October for the current regime to apply.

    Separately, RG 78 clarifies that investigations into incidents that occur wholly before 1 October 2021 will not be reportable under the new regime, even where such an investigation is commenced after 1 October 2021.

    For credit licensees, the new regime will apply only to reportable situations that arise on or after 1 October 2021, as there are presently no obligations upon such persons to report breaches of the NCCP Act to ASIC. 

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.