Written by Partner Michelle Levy and Senior Regulatory Counsel Michael Mathieson
The Taskforce established by Treasury to consider ASIC's enforcement powers released its first consultation paper a few weeks ago on breach reporting. The Taskforce was asked to look at:
The adequacy of the frameworks for notifying ASIC of breaches of law, including the triggers for the obligation to notify; the time in which notification is required to be made; and whether the obligation to notify breaches should be expanded.
The Taskforce has come up with 12 'preliminary positions'. The most significant is probably the proposal to impose a new obligation on credit licensees to report breaches of their obligations. A more curious position is the proposed reasonable person test for breach reporting by Australian financial services licensees. The most concerning, to our minds, is the proposed duty to report something that may be a breach.
Under section 912D of the Corporations Act (as it currently stands), an AFS licensee must provide a report to ASIC as soon as practicable and in any case within 10 business days of becoming aware of a breach or likely breach of an obligation identified in the section which is significant having regard to the factors in the section.
The Taskforce identifies a number of problems with this formulation, starting with it being 'strongly subjective'. We are not sure that is true. It is true that the factors that a licensee must have regard to are matters relating to the licensee's own business – the impact of the breach on the licensee's business, the extent to which the breach indicates that the licensee's compliance arrangements are inadequate and so on – and that does mean that what is significant for one licensee may not be significant for another. But that does not make the test of significance a subjective one, merely one that requires an exercise of judgment and, in the first instance, the licensee is the person who must make that assessment, and therein lies the real problem.
The paper says:
Subjectivity also connotes an element of uncertainty in borderline cases whether a report is necessary (significant) or not. In effect, in the absence of a clear or indisputable breach, licensees need to make judgment calls about whether a breach is significant or not having regard to the factors stipulated in the statute.
This does not follow. The absence of a clear or indisputable breach does not affect the separate question of whether a breach is significant and the question of whether a clear or indisputable breach is significant can, in our experience, be just as hard to determine as the significance or otherwise of a less clear or less indisputable breach.
That determination is unlikely to be helped by the proposal in preliminary position 1, which is to amend the Corporations Act:
to provide that significance is to be determined by reference to an objective standard. This could be achieved, for example, by providing that AFS licensees are required to notify ASIC of matters that a reasonable person would regard as significant having regard to the existing factors set out in subsection 912D(1)(b) of the Act.
This proposal, if implemented, would see no change to the existing situation (which the Taskforce identifies as problematic) where the same breach is significant (and reportable) for a licensee operating a small financial services business but is not significant (and not reportable) for a licensee operating a large financial services business. Further, on one view, it should make no difference at all if we assume that licensees act reasonably when deciding whether a breach or likely breach is significant.
If preliminary position 1 is unlikely to make much of a difference, preliminary position 3 is a completely different kettle of fish. It is intended to address concerns, especially concerns held by ASIC, that the current requirement for licensees to form a view that there is in fact a breach or likely breach which is significant gives licensees the opportunity to delay reporting a breach or likely breach.
The Taskforce's preliminary position is that:
in order to improve certainty and reduce subjectivity in assessing the existence of the obligation to report, the trigger for reporting could be modified so that it is clearly based on an objective assessment of the information available to the AFS licensee. This could be achieved by making the 10 business day timeframe commence from when the AFS licensee becomes aware or has reason to suspect that a breach has occurred, may have occurred or may occur rather than when the licensee determines that the relevant breach has occurred and is significant.
This seems to be an extraordinary proposition. It is true that ASIC is responsible for overseeing the conduct of licensees and protecting consumers from their misconduct. But that does not mean that ASIC should have any interest in being informed about a licensee's suspicion that a breach may occur. The obligation would present risks for ASIC too in the event that it is notified of a suspected prospective breach which it takes no steps to prevent occurring. One can imagine a parliamentary committee cross-examining ASIC about the notices that it failed to take any action in response to.
We provide advice all the time about whether a licensee has breached an obligation under section 912A or 912B of the Corporations Act. Those questions are often really hard and hasty decisions made with inadequate information are rarely good ones. The consequences of forming a view that there has been a significant breach of a licensee's obligations, including (but not only) reporting that breach to ASIC, can be very material. Licensees should be encouraged to make properly informed decisions about whether or not they have breached a reportable obligation before providing a report to ASIC. They can and probably should be encouraged to do that promptly, but we can see very little justification for imposing a reporting obligation in relation to something that may turn out not to be a breach at all.
It is a particularly concerning proposal when preliminary position 6 is taken into account.
Under preliminary position 6, the Taskforce proposes that ASIC should be able to issue infringement notices to licensees for simple or minor contraventions that do not involve a deliberate failure to report. We think infringement notices are a very bad idea generally – they give the regulator the power to impose a fine when they suspect the regulated entity has breached the law and an incentive for the regulated entity to pay despite having not in fact breached the law. The proposal here is no better. If it was adopted, it would mean that ASIC could ask a licensee to pay a fine because they did not report what ASIC thinks might have been a suspicion that there may have been a breach and, it is very possible that, in that case, the licensee will pay a fine for failing to report something that may not have been reportable and where there was in fact no breach.
The report is not all bad news. The Taskforce's preliminary position 7 is that the breach reporting regime (which we will have to stop calling 'breach reporting' if position 3 is adopted) be adapted to encourage a collaborative approach between licensees and ASIC. Among other things, ASIC could issue no-action letters to licensees who report early and take appropriate steps to remedy a breach. We think more co-operation between ASIC and licensees would be helpful all round, but the other proposals in the position paper are probably not going to help. And a licensee might find cold (or no) comfort in the Taskforce's suggestion:
An appropriate additional option may be to provide that ASIC may decide to take no administrative or civil action against the licensee if the licensee cooperates with ASIC and addresses the matter to ASIC's satisfaction.
Submissions are due by 12 May.