How to comply with the new breach reporting regime
14 September 2021
In response to concerns relating to the perceived inadequacy of the existing breach reporting regime in preventing non-compliance across the financial services industry, the Financial Sector Reform (Hayne Royal Commission Response) Act 2020 (Cth) (RC Response Act) was enacted. The RC Response Act materially reforms the requirements which apply to AFSL holders and introduces a similar regime for ACL holders.
Specifically, the RC Response Act sought to remove perceived ambiguities which had resulted in potentially inconsistent interpretations of "significant" breaches across industry. The reforms also require licensees to investigate potential and actual misconduct, as well as to inform and remediate affected clients.
ASIC has recently published its guidance on the regime, in the form of Regulatory Guide 78: Breach reporting by AFS licensees and credit licensees (RG 78), which sets out its expectations for how licensees should comply with the strengthened requirements. RG 78 also details how the new regime may apply in different factual circumstances and specifies the information that must be provided in any breach reports lodged with ASIC.
The new breach reporting regime requires licensees to report all "reportable situations" to ASIC. Relevantly, reportable situations are those where:
Licensees are also required to notify ASIC if there are reasonable grounds to believe a reportable situation has arisen in respect of financial advisers and mortgage brokers. RG 78 clarifies that this obligation will not require licensees to proactively investigate any possible misconduct by these persons, though they must not turn a blind eye to facts that would reasonably give rise to these concerns.
With respect to AFSL holders, the "core obligations" generally mirror the obligations in the Corporations Act 2001 (Cth) (Corporations Act) that may need to be reported to ASIC under the current regime. For ACL holders, this captures the general conduct obligations in section 47 of the NCCP Act.
The test for significance has been amended under the new regime such that breaches of certain "core obligations" will be deemed to be significant. This includes where the breach:
Where a breach of a core obligation is not deemed to be significant under the new regime, it may nevertheless be significant under the other significance test. This test is similar to the criteria in the current regime and relevantly requires licensees to consider:
What constitutes an investigation for the purposes of the new regime is likely to vary depending on the size of a licensee's business, their internal systems and processes, and the type of breach in question.
ASIC has made it clear that not all fact gathering scenarios will amount to an "investigation", noting that the following conduct is unlikely to be reportable:
However, whether or not a licensee refers to an investigation as such will not be relevant in determining whether this reporting obligation has arisen.
The RC Response Act provides that a licensee must submit a report to ASIC within 30 calendar days of knowing that, or being reckless as to whether, there are reasonable grounds to believe a reportable situation has arisen.
With regards to the obligation to report investigations, the reporting obligation is triggered after 30 days, and there is then a further 30 days to report the investigation.
Moreover, while each breach of a legal obligation will give rise to a separate reportable situation, ASIC has outlined in RG 78 that multiple breaches may be grouped together where they relate to a single, specific root cause. ASIC's Regulatory Portal will also afford licensees the ability to update reports, including where additional instances of reportable situations relating to the same root cause are identified after the initial report has been lodged.
Knowledge will arise under the new regime where the licensee knows of facts and/or evidence sufficient to induce in a reasonable person a belief that a reportable situation has arisen. A reportable situation need not be considered by a licensee's board of directors or legal advisors for this element to be satisfied. Rather, the state of mind of a director, employee or agent of the licensee will be attributed to the licensee where that person was engaged in the relevant conduct within the scope of their actual or apparent authority.
Recklessness will, on the other hand, be determined where a licensee does not know of any such facts or evidence, but is aware of a substantial risk that there are reasonable grounds to believe that a reportable situation has a risen and, having regard to the circumstances known to the licensee, it is unjustifiable for the licensee to ignore this risk.
The new regime introduces requirements for licensees to notify and remediate persons who are affected by certain reportable situations. The obligations specifically arise where personal advice is provided by an AFSL holder, or credit assistance in relation to a credit contract secured by a mortgage over residential property is provided by an ACL holder. However, the obligations will not attach to licensees where the affected clients have not, or will not, suffer loss as a result of the reportable situation, or otherwise where these persons do not have legally enforceable rights to recover the loss or damage from the licensee.
The notification obligation requires licensees to take reasonable steps to notify an affected client within 30 days of first knowing, or being reckless with respect to, the prescribed reportable situations have arisen. In the same timeframe, licensees must also commence an investigation into the reportable situation which, at a minimum must:
The current breach reporting regime will continue to apply to AFSL holders in respect of breaches or likely breaches that arise wholly before 1 October 2021, providing that the licensee knows that the obligation has been breached, or is likely to be breached, prior to the commencement of the new regime. It is not, however, necessary for an AFSL holder to have determined the significance of the contravention, or likely contravention, before 1 October for the current regime to apply.
Separately, RG 78 clarifies that investigations into incidents that occur wholly before 1 October 2021 will not be reportable under the new regime, even where such an investigation is commenced after 1 October 2021.
For credit licensees, the new regime will apply only to reportable situations that arise on or after 1 October 2021, as there are presently no obligations upon such persons to report breaches of the NCCP Act to ASIC.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.