INSIGHT

Breach reporting and remediation and enforceable code provisions

By Kerensa Sneyd, Nicola Greenberg
Financial Services Financial Services Royal Commission

In brief 12 min read

Earlier this year, the Government consulted on an exposure draft Bill that was intended to give effect to a number of recommendations arising from the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Royal Commission).  

Breach reporting

The exposure draft Bill incorporated the ASIC Enforcement Review Taskforce's (Taskforce) breach reporting recommendations and the endorsement of these recommendations by Commissioner Hayne in the Royal Commission's Final Report (the Exposure Draft).

Broadly, the Exposure Draft proposed to replace the current breach reporting obligation in section 912D of the Corporations Act with a new set of obligations, and to introduce a comparable set of breach reporting obligations for credit licensees under the National Consumer Credit Protection Act 2009 (Cth) (the Credit Act). (In this Insight, we will use licensees as a collective reference to both financial services licensee and credit licensees.)

While the Exposure Draft generally addressed the Taskforce's recommendations, there were some deviations that raised concerns and did not reflect Commissioner Hayne's endorsement. Further, the drafting of the Bill was, in parts, layered and complex, making it difficult to navigate and challenging for licensees to understand the new obligations. We published a detailed discussion on the Exposure Draft, including these issues and challenges, in our earlier Insight: The when and what of the new breach reporting regime.

Enforceable codes

ASIC's powers to make sections of voluntary industry codes enforceable, or declare entire codes to be mandatory, have been largely unchanged since they appeared in the Exposure Draft. The Bill provides ASIC with powers to approve an industry code and declare that certain provisions of that code are enforceable, so long as it has regard to certain prescribed criteria.

Alternatively, the Bill provides that entire codes may be declared 'mandatory' by the regulations. A breach of any section of a mandatory code, and a breach of an enforceable provision code, both give rise to liability for civil penalty.

There is scope for ASIC's powers regarding industry codes to be narrowed by the regulations. The regulations may set out prescribed criteria for declaring a provision of a code enforceable. We assume the regulations would also contain a framework that sets out what must be considered before a code is declared mandatory. This means the true scope of this new power cannot be tested until drafts of the regulations are made available for review.

Until then, entities that are signatories to voluntary industry codes should conduct a review of their obligations and consider whether they would be able to comply if those obligations became enforceable.

Breach reporting

The current Bill

We are pleased the Government has taken the time to address a number of concerns with the Exposure Draft in Schedule 11 to the Financial Sector Reform (Hayne Royal Commission Response) Bill 2020 (Cth) (Bill), and has extended the commencement date for the new regime to 1 October 2021.

The Bill retains the new core obligations for licensees to:

  • lodge a report with ASIC if there are reasonable grounds to believe that a reportable situation has arisen in relation to the licensee, or another licensee who is providing personal advice to retail clients in relation to relevant financial products or is a mortgage broker;
  • take reasonable steps to notify a person (the affected client) of a reportable situation where:
    • the licensee or representative has provided personal advice to the affected client as a retail client in relation to a relevant financial product;
    • there are reasonable grounds to believe that the reportable situation has arisen in relation to a significant breach of a core obligation or due to gross negligence or serious fraud; and
    • there are reasonable grounds to suspect that the affected client has or will suffer loss or damage, and the affected client has a legally enforceable right to recover the loss or damage from the licensee; and
  • compensate the affected client if, after an investigation, there are reasonable grounds to believe the affected client has or will suffer loss or damage, and the affected client has a legally enforceable right to recover the loss or damage from the licensee.

While the reporting and notification obligations remain anchored to a 'reasonable belief' and a 'reportable situation', the Government has reshaped and clarified certain elements of this reporting obligation from when they first appeared in the Exposure Draft.

What is a reportable situation?

The Bill currently provides seven specific reportable situations, which we have grouped into four categories below:

Category Reportable situation
1) Significant breach of a core obligation
  1. The licensee or representative has breached a core obligation and the breach is significant
  2. The licensee or representative is no longer able to comply with a core obligation and the breach, if it occurs, will be significant
2) Investigation
3.  The licensee or representative conducts an investigation as to whether there is a reportable situation of the kind mentioned in (1) and (2), and the investigation continues for more than 30 days
4.  The investigation in (3) discloses there is no reportable situation of the kind mentioned in (1) and (2)
3) Negligence and fraud
5.  The licensee or representative has engaged in conduct constituting gross negligence in the course of providing a financial service or credit activity
6.  The licensee or representative has committed serious fraud
4) Other licensees
7. 

The licensee has reasonable grounds to believe that:

  1. a reportable situation has arisen of the kind mentioned in (1), (2), (5) or (6) in relation to another licensee; and
  2. one of the following is an individual who is engaged in conduct that forms part of the reportable situation:
    1. an employee or director of the licensee (or related body corporate), acting within the scope of their employment or duties; or
    2. a representative of the licensee acting within the scope of the representative's authority given by the licensee; and
  3. the individual:
    1. (for AFS licensees) provides personal advice to retail clients in relation to relevant financial products; or
    2. (for credit licensees) is a mortgage broker
Category 1 – Significant breach of a core obligation

The core obligations mirror the current obligations in s912D(1) of the Corporations Act, being a licensee's general conduct obligations and compensation obligations, as well as the obligation to comply with the 'financial services laws' which includes Division 2 Pt 2 of the ASIC Act.

However, the concept of 'significance' is now broken into two categories:

  • breaches that are deemed significant; and
  • breaches that are assessed for significance by applying the current significance test from s912D(1)(b).

We think the breaches that are 'deemed' significant are the ones that have the potential to cause the most headaches for licensees. There are currently four categories for AFS licensees, and five categories for credit licensees:

  • a breach constituted the commission of an offence punishable on conviction that may include a period of imprisonment;
  • a breach constituted by the contravention of a civil penalty provision under any law (being the defined 'financial services law' in the Corporations Act, or 'credit legislation' in the Credit Act), unless otherwise prescribed;
  • a breach of the misleading and deceptive conduct prohibitions;
  • a breach that results, or is likely to result, in material loss or damage to a person or persons to whom the licensee or representative provide financial services or a credit activity client(equivalent provisions for members of super funds and members of a MIS); and
  • (for credit licensees) a breach that is constituted by a contravention of a key requirement under the National Credit Code, unless otherwise prescribed.

The effect of this deeming provision is that a licensee or representative need only breach a civil penalty provision, or the misleading and deceptive conduct prohibition, once in order to trigger a reporting obligation – ie one breach of the 'efficiently, honestly and fairly' obligation or one breach of the any number of civil penalty provisions in Chapter 7 of the Corporations Act and the Credit Act. Unfortunately, the Government has elected not to introduce a materiality threshold here, instead adding a regulation-making power to reduce regulatory burden if ASIC is receiving a large number of largely unproblematic breach reports.

There will also be complexity in determining whether a breach results, or is likely to result, in material loss or damage to a person or persons. While the Government has (thankfully) added the word 'material' to this category since the Exposure Draft, there will be tricky scenarios to navigate – eg a breach can result in material loss to one person (including in a class where others in the class do not suffer material loss), or a breach can result in material loss to persons (when the losses are aggregated together as a group). It includes non-financial loss which, while undefined, could include consideration of inconvenience to the customer or interference with the customer's use or enjoyment of the financial service or credit activity.

Category 2 - Investigation

The first reportable situation in this category requires licensees or representatives to report an investigation into whether there has been a Category 1 reportable situation, and the investigation continues for more than 30 days. This means that licensees do not need to report the fact that an investigation starts and finishes within a 30-day period, an improvement on the position initially put forward in the Exposure Draft.

The second reportable situation in this category requires licensees or representatives to report the outcome of the investigation, if the outcome is that there is no reportable situation. If the outcome is that there is a reportable situation, this will also be reportable under Category 1. So either way, if you start an investigation and it continues for more than 30 days, you will need to make a subsequent breach report to ASIC.

The million dollar question is what constitutes an 'investigation'? The Government has chosen not to include a definition, noting in the Explanatory Memorandum that it will take its ordinary meaning, will likely vary between licensee, will require some level of information gathering or human effort, but is unlikely to be logging an issue into a compliance system. Ultimately, whether an investigation is an 'investigation' for breach reporting purposes will be a question of fact.

Category 3 – Gross negligence and fraud

This reportable situation will arise where a licensee or representative has engaged in gross negligence or committed serious fraud. 'Fraud' takes its meaning from the Corporations Act as an offence involving dishonesty against an Australian or any other law punishable by at least three months in jail.

Category 4 – Other licensees

Licensees will now have an obligation to lodge a report with ASIC where there are reasonable grounds to believe that a reportable situation has arisen in relation to another licensee, acting under their own licences or as representatives under a separate licence. The reporting licensee must provide a copy of this report to the other licensee within the prescribed time frame.

An exception applies if there are reasonable grounds to believe that ASIC is aware of the existence of the reportable situation, and of all information that would be provided in a report from a licensee.

We are pleased to see two improvements to this obligation since it first appeared in the Exposure Draft:

  • The Government has introduced the protection of qualified privilege for licensees who provide reports to ASIC (and a copy to the relevant licensee), provided there is no malice on the licensee's part in making the report. Licensees will also not be liable for any action for breach of confidence.
  • The Government has lifted the reporting threshold from 'reasonable grounds to suspect' to 'reasonable grounds to believe', introducing objectivity to the reporting obligation.
Reporting trigger - When does a licensee have reasonable grounds to believe that a reportable situation has arisen?

'Reasonable grounds to believe' is an objective test, and will be triggered if there are facts or evidence that would induce this belief in a reasonable person.

A report must be lodged with ASIC (and a copy given to the other licensee, where the report relates to a Category 4 breach) within 30 calendar days after the licensee first knows that, or is reckless with respect to whether there are reasonable grounds to believe that, a reportable situation has arisen.

'Knows' and 'reckless' borrow their meaning from 'knowledge' and 'recklessness' the Criminal Code:

  • A licensee will 'know' something if there are facts/evidence that will lead a reasonable person to the belief that a reportable situation has arisen.
  • A licensee will be 'reckless' where a licensee does not know that a reportable situation has arisen, but is aware of the substantial risk that the situation has arisen and, having regard to the circumstances known to the licensee, it is unjustifiable to take the risk that the situation has arisen.

The report must be in the (yet to be released) prescribed form, and will require licensees to provide a standard set of information, including whether the reportable situation has been rectified and the steps taken by the licensee to ensure future compliance.

ASIC must also publish licensee level information about Category 1 breach reports lodged with ASIC or APRA during the relevant financial year. This will commence at financial year end 30 June 2022.

Remediation

Currently, licensees are subject to the general conduct obligation to do all things necessary to ensure financial services or credit activities under the relevant licences are provided 'efficiently, honestly and fairly'. Licensees must also have adequate compensation arrangements in place for loss or damage suffered by retail clients as a result of breaches of licence conditions.

The Bill now adds another layer to these obligations and requires licensees to notify affected clients within 30 days where:

  • the licensee or representative has provided personal advice to a retail client on relevant financial products;
  • there are reasonable grounds to believe a reportable situation has arisen in relation to the licensee in relation to a Category 1 (significant breach of a core obligation) or Category 3 (gross negligence or fraud) breach; and
  • there are reasonable grounds to suspect that the affected client has or will suffer loss or damage, and the affected client has a legally enforceable right to recover this from the licensee.

If these requirements are met, the licensee must then commence an investigation within 30 days after it first knows, or is reckless with respect to, these circumstances, and this investigation must identify the conduct that gave rise to the reportable situation (ie licensees must cast the net wide to see whether there are other examples of misconduct that come to light) as well as quantifying the loss or damage suffered by the client. Licensees must complete the investigation as soon as is reasonably practicable, and however long the investigation takes will ultimately depend on the particular misconduct.

Once the investigation is complete, the licensee must:

  • take reasonable steps to notify the affected clients of the outcome within 10 days; and
  • take reasonable steps to pay the affected clients an amount equal to any loss or damage that the licensee determines the client has or will suffer within 30 days (but only if the client has a legally enforceable right to recover the loss or damage from the licensee).

There's a lot in these obligations that will require careful consideration by licensees. However, we wish to call out a couple of key points:

  • The intention is for this remediation obligation to operate alongside the licensee's general remediation framework and the obligation to act efficiently, honestly and fairly. If an affected client becomes excluded from this remediation obligation (eg because they are now outside a limitation period and therefore do not have a legally enforceable right to recover from the licensee), the Government expects licensees to consider whether that client might require compensation as part of the licensee's general remediation framework.
  • An affected client retains their right to separately pursue the licensee for loss or damage, however a court must have regard to any compensation payment already made under these provisions (ie no double dipping by the affected client).
  • The timeframe for making compensation payments (being 30 days from completion of an investigation) is ambitious at best. However, the obligation is to take 'reasonable steps' to pay within this period, and if this is not achievable, licensees will need to ensure they have evidence of the reasonable steps taken in the circumstances.
  • There is a new obligation to retain records for five years that are sufficient to ascertain the licensee's compliance with this remediation obligation.

Enforceable codes

In March, the Exposure Draft provided new powers to be drafted into the Corporations Act and the Credit Act in relation to voluntary codes of conduct. We explored these powers, and the way that might shape this 'soft' area of law, in our earlier Insight: Enforceability of industry codes of conduct.

The current Bill does not depart substantially from the Exposure Draft. It contains Amendments to be made to the Corporations Act 2001 and the National Consumer Credit Protection Act 2009 to give ASIC new powers in relation to voluntary codes of conduct. These amendments reflect the recommendations made by the Royal Commission in 2018 that ASIC's powers to approve a voluntary code of conduct should be extended to a broader range of industry participants. As the amendments to both acts are the same, we will consider them together for the purposes of this analysis.

Background

There are a range of voluntary codes currently on the market. The way they are drafted, agreed and adopted differs between them. For example, provisions of the Banking Code of Conduct are reflected in the drafting of terms and conditions documents used by member banks. This means the terms of the Banking Code of Conduct are considered the 'most enforceable' of the voluntary codes. By contrast, there some codes of conduct that reflect smaller industry groups, and contain less prescriptive requirements. Where the language used in these codes is more principles-based and less specific, it can be difficult to imagine how it could be enforced by ASIC, or how an entity could be satisfied that it is completely compliant.

How can a code be enforceable?

There are two mechanisms drafted to make a code, or a code provision, enforceable:

  • ASIC approval; and
  • Mandatory codes of conduct.
ASIC approval

Using this mechanism, an application must be made to ASIC to 'approve' a code. ASIC can only approve a code if it is satisfied of the following:

  • if the code is inconsistent with the current law, the effect of the inconsistency is to impose an obligation that is more onerous than the current law;
  • it is appropriate to approve the code, having regard to a range of criteria, including whether the code is capable of being enforced, monitored and whether a list of subscribers can be maintained and made public; and
  • each enforceable code provision has been agreed with the applicant and is legally effective.

As well as the obligation in the third point above regarding the enforceable provisions, for ASIC to identify a provision of the code as an 'enforceable code provision' it must consider some further mandatory criteria:

  • the provision represents a commitment by a subscriber relation to transactions or dealings performed for, on behalf of or in relation to, a person;
  • a breach of the provision of the code is likely to result in significant and direct detriment to the person;
  • it is appropriate to identify the provision as enforceable having regard to the matters prescribed by regulations (if any); and
  • additional criteria prescribed by the regulations (if any) are satisfied.

This is a detailed process and we have not yet seen what further obligations will be imposed by the regulations. It's possible the regulations will allow ASIC to prescribe a level of specificity that must exist in a code provision for it to become enforceable. This may solve the problem we identified above for codes that are broadly drafted.

Mandatory codes of conduct

The regulations may declare that a code of conduct is a 'mandatory code of conduct'. In relation to a mandatory code of conduct, the regulations may also confer powers on people in relation to monitoring compliance or dealing with disputes, and introduce obligations regarding record keeping or reporting obligations for persons bound by a mandatory code of conduct.

Unlike the approval process, there is no outline currently provided about what must be considered for a code of conduct to be mandatory. These powers seem broad, and it will be interesting to see whether they are refined by the introduction of certain thresholds. The structure of any thresholds will also be interesting, as to whether they focus on industry participation in the code or the potential consumer harm addressed by the code.

Consequences of breach

A breach of an enforceable code provision, or any provision of a mandatory code, will constitute a breach of a civil penalty provision. It is not clear whether the obligations associated with a mandatory code (such as record keeping or reporting) will also attract a civil penalty for breach.

Key takeaways

Code subscribers should carefully consider the powers included here, and how they may impact their businesses. The detail regarding this power will come in the regulations, but until this occurs, signatories to codes of conduct should assume that ASIC will be able to take a broad view of a provision, or a code that should be enforceable. To prepare for this change, subscribers could:

  • take a stock-take of codes to which they are currently a signatory, and identify any provisions that are broadly drafted or may cause problems if enforceable;
  • conduct an audit of their compliance policies and key product documents to determine whether they reflect the obligations in the code; and
  • assess the work to be done to align their current practice with any provisions of a voluntary code that they are not currently complying with.

Stay informed

Subscribe to our insights and updates