Breach reporting by AFS licensees

In brief

Written by Senior Regulatory Counsel Michael Mathieson

In the hurly burly of the Royal Commission's recent hearings concerning financial advice, you may have missed some very important information about breach reporting by AFS licensees contained in the witness statement prepared by Mr Peter Kell, Deputy Chair of ASIC.

Legal advice received by ASIC

In early 2015, ASIC obtained advice from senior counsel about what it would be required to prove in order to establish a contravention of the breach reporting obligation in section 912D of the Corporations Act.

According to Mr Kell's statement, the opinion of counsel was that, as currently drafted:

• the test of 'significance' in s912D(1)(b) was subjective and involved matters of judgment and so gave the licensee a very wide discretion when assessing significance, such that a prosecution for contravention of the section would be highly problematic except in extremely clear factual scenarios;
• the section required the licensee to be aware that a breach was significant and it was not triggered by awareness that a breach may be significant, or was probably significant, or was suspected to be significant;
• in order to establish a contravention of the section, it would not be sufficient for ASIC to establish that, at a certain point in time, the licensee was aware of the facts and circumstances that established the breach and, in turn, the facts and circumstances that established the significance of the breach. Rather, ASIC would need to establish that the licensee was aware that there was a breach and, in turn, that the breach was significant; and
• in the circumstances described above, the time limit set out in s912D(1B) did not commence until the responsible officer became aware of the breach and that it was significant.

The advice received by ASIC differs, in a very important respect, from ASIC's past and present guidance on breach reporting. In Regulatory Guide 78, ASIC says: 'The reporting period starts on the day you became aware of a breach (or likely breach) that you consider could be significant' (at [28]; emphasis added). That guidance is plainly inconsistent with ASIC's own legal advice, as recorded above. The current version of Regulatory Guide 78 was issued in February 2014. Why did ASIC not withdraw it, or amend it, in early 2015, when ASIC obtained legal advice that contradicted it?

Readers will be aware that the ASIC Enforcement Review Taskforce has recommended significant changes to s912D and that the Government has accepted those recommendations. If those changes are made, then the matters referred to above will cease to be relevant on a prospective basis. However, they will remain very relevant to the question of whether s912D is being contravened now or has been contravened in the past. Counsel Assisting has submitted to the Commissioner that it is open to the Commissioner to find that various contraventions of s912D have occurred. And some financial institutions are under considerable pressure to accept that contraventions have occurred.

In the end, ASIC's role is to administer the financial services laws. ASIC's guidance should be consistent with the law. Producing or maintaining guidance which is inconsistent with the law is likely to be self-defeating, as it tends to undermine the broader authority of ASIC's guidance.

Breach reporting surveillance project

In June 2016, ASIC commenced a breach reporting surveillance project, with the objective of reviewing the adequacy and effectiveness of the breach reporting framework. The project is due for completion in July 2018.

According to Mr Kell's statement, some key preliminary findings of this project (which is based on a quantitative analysis of data from 12 banking groups for the period 2014 to 2016) are that:

• the average time frame from an event occurring to it being identified internally for investigation was 1552 days (ie just over four years) (median of 1094);
• the average time frame from the start of internal investigation of a matter to lodging of a breach report with ASIC was 123 days (median of 58 days);
• one in four significant breaches took longer than 145 days to report to ASIC from the start of an internal investigation;
• the average length of an investigation was 120 days;
• the institutions in question had commenced a change to their systems to address a compliance issue within an average of 18 days of an internal investigation concluding, but first customer remediation (ie time to first payment made to a customer) averaged 217 days after conclusion of the internal investigation;
• the average and median amount of total financial loss for all affected customers flowing from reported breaches varied between institutions in a way which suggested that there is inconsistency between institutions in judging what is 'significant' (at least by that measure).

Mr Kell went on to say that 'ASIC considers that these preliminary findings tend to confirm its concerns about the timeliness and consistency of breach reporting'.

It may be that few would quarrel with ASIC's concerns about the timeliness of breach reporting. However, seeking to address that concern by maintaining guidance which does not reflect the law is unlikely to be productive and is, instead, likely to be counterproductive, as explained earlier.