INSIGHT

Are you ready for the new breach reporting regime?

By James Campbell, Alexandra McCaughan
ASIC Financial Services

New obligations from 1 October 2021 10 min read

In April 2021, ASIC has released a consultation paper on its draft regulatory guidance for the new (read onerous and wide-ranging) breach reporting regime, which is to commence on 1 October 2021. The release follows the Financial Sector Reform (Hayne Royal Commission Response) Act 2020 (the Act) receiving royal assent in December 2020. Responses to the consultation closed on 3 June.

This Insight is a reminder for Australian Financial Services and Credit licensees to ensure they are adequately prepared for the October 2021 deadline. It also provides a brief recap on one of the significant changes under the regime, being the obligation to automatically report to ASIC certain breaches (or likely breaches), including classes of breaches that are deemed to be significant.

For an overview of the interest this topic has attracted in recent years, see our Unravelled articles in 2017, 2018 and 2020.

Key takeaways

  • Extended scope – applies to both AFS and credit licensees.
  • Extended reporting period – reports must be lodged within 30 calendar days (compared to 10 business days).
  • Clock will start ticking earlier – 30 days will commence when the licensee knows that, or is reckless with respect to whether, there are reasonable grounds to believe the reportable situation has arisen. Licensees will want to consider the roles and responsibilities of staff involved in the breach reporting process to ensure there is clearly communicated delineation of responsibility as between those who have authority to make findings of fact, and those who have actual or apparent authority to assess whether there has been a breach.
  • No subjective significance assessment for certain reportable situations – an automatic reporting obligation may be triggered without a licensee undertaking a subjective assessment of significance. This will likely substantially increase the number of reports required.
  • Investigations are now reportable – a report must be lodged to report investigations into possible breaches if the investigation takes longer than 30 days. The outcome of that investigation will also be reportable.
  • New 'dobbing-in' provision – must notify ASIC if there are reasonable grounds to believe a reportable situation has arisen in relation to a mortgage broker, or individuals who provide personal advice to retail clients in relation to certain financial products.
  • Penalties – severe consequences for getting breach reporting wrong.

Recap – requirement to automatically report certain breaches to ASIC 

The Act creates a long list of provisions, which, if breached or likely breached, will be automatically reportable on the basis that they are deemed to be significant, irrespective of whether there are any similar beaches, the breach reflects the adequacy of monitoring and supervision, or the actual or potential financial loss to clients. The expansive scope of this obligation will require licensees to examine their existing systems and controls, and ensure that they are adequately uplifted and resourced to meet the larger number of reports likely to be required.

As a reminder, the three circumstances in which an automatic reporting obligation will be triggered are outlined below.

1. Conduct constituting gross negligence or serious fraud

2. Breach or likely breach of a core obligation that is deemed significant

While the definition of 'core obligation' largely reflects the existing list of obligations in section 912(1)(a) of the Corporations Act 2001 (Cth) and equivalent provision in the National Consumer Credit Protection Act 2009 (Cth), the Act goes further and provides that several of those statutory obligations will be taken to be 'significant', and therefore reportable, irrespective of the circumstances. This includes a breach of any 'obligation' that:

  1. is subject to a penalty that includes imprisonment for a maximum period of three months or more (for dishonesty offences) or 12 months or more (in all other cases);
  2. constitutes a contravention of a civil penalty provision;
  3. constitutes a contravention of the prohibitions on misleading or deceptive conduct in the Corporations Act or ASIC Act 2001 (Cth); or
  4. results, or is likely to result, in material loss or damage to clients.

In view of the above, the range of breaches that will automatically be considered 'significant' for reporting purposes is substantial. This is particularly the case following the expanded civil penalty provisions introduced in 2019 for corporate and financial sector misconduct; these created 'dual track' enforcement options for many parts of Chapter 7, increasing the number of civil penalty provisions that will be the subject of the deemed significance test.

Further, while Treasury recently consulted on which civil penalty provisions could be sensibly excluded from this automatic reporting obligation, the draft regulations released by Treasury will provide little comfort to licensees. The exclusions under those draft regulations were limited to the obligations in respect of the provision of FSGs and PDSs. 1 The Explanatory Statement acknowledged that to deem these provisions automatically significant would result in a large regulatory burden for licensees, but made no reference to other civil penalty provisions, which, in some instances, breaches thereof might be similarly trivial or technical in nature (eg an obligation to provide an FDS or Renewal Notice; or minor breaches of Market Integrity Rules, eg a single trivial breach of record-keeping or reporting requirements).

Similarly, the scope for conduct to be considered misleading and deceptive (and therefore deemed significant) is wide and may encompass trivial misdescriptions that have no client impact.

The expectation is that category (d) will similarly be expansive in scope. While it does include a materiality threshold, the Explanatory Memorandum describes 'loss or damage' in this context as having its ordinary and extensive meaning. The term will financial and non-financial loss or damage, and materiality will be assessed with reference to the person's individual circumstances. If a breach affects a number of people, it is sufficient for significance to be established if the breach is likely to result in material loss or damage to one person.

3. An investigation into a breach or likely breach of a core obligation, and that investigation has continued for more than 30 days

An investigation will become a reportable situation on Day 31, and a further reporting obligation will arise once that investigation is concluded, irrespective of the outcome. The timing of when an investigation is found to have started and concluded will therefore be of critical importance for reporting purposes, and the draft regulatory guide has made clear that it will be a matter of fact not for subjective determination by a licensee.

What will count as an 'investigation' will be fact specific, and while undefined by the Act, the Explanatory Memorandum refers to its ordinary meaning, and acknowledges that it will vary depending on the size of the licensee's business, their internal systems and processes, and the type of breach. The draft regulatory guide provides some examples of investigations that must be reported to ASIC, and reminds licensees that investigations should be commenced in a timely manner and without unreasonable delay.

Snapshot of the new regime

What entities will it apply to?
  • AFS and credit licensees, and their representatives, by way of amendments to the NCCP Act and Corporations Act.
When does it come into force?
  • 1 October 2021.
What are the reporting obligations?
  • Two separate reporting obligations are imposed on licensees. Namely, where there are reasonable grounds to believe a reportable situation has arisen in relation to:
    • its licensee; or
    • individuals who provide personal advice to retail clients in relation to certain financial products, or who are mortgage brokers.
What are the four categories of reportable situations?
  1. Breaches or likely breaches of core obligations that are significant.
  2. Investigations into breaches or likely breaches of core obligations that are significant.
  3. Additional Reportable Situations, which include conduct constituting gross negligence in the course of providing a financial service, or serious fraud.
  4. Reportable situations about other licensees.
What is a core obligation?
  • This concept is defined broadly.
  • For AFS licensees, it includes general obligations under s912A Corporations Act, and the obligation to comply with certain 'financial services laws' under s912A(1)(c).
  • For credit licensees, it includes general obligations under s57 NCCP Act, and the obligation to comply with certain credit legislation.
When does the report need to be filed by?
  • Report must be lodged within 30 days of the licensee first knowing that, or being reckless with respect to whether, there are reasonable grounds to believe the reportable situation has arisen.
When does the clock start ticking?
  • Reasonable grounds is an objective test – facts or evidence sufficient to induce a reasonable person to believe that a reportable situation has arisen.
  • Clock will start ticking when a person with actual or apparent authority to determine whether there is a reportable situation knows (or is reckless thereto) that reasonable grounds exist.
Do licenses need to assess whether the breach is significant?
  • Unlike the current regime, in some cases, a licensee will not be required to undertake any subjective determination of significance prior to reporting to ASIC.
  • The three categories of situations which will be automatically reportable to ASIC are:
    • the Additional Reportable Situations, being gross negligence in the course of providing a financial service, or serious fraud;
    • an investigation which continues for >30 days into whether a significant breach (or likely breach) of a core obligation has occurred, and the outcome of that investigation;
    • a contravention of:
      • an offence punishable on conviction by a penalty that may include imprisonment for ≥3 months if the offence involves dishonesty, or ≥12 months in any other cases;
      • a civil penalty provision, subject to any exceptions by regulation (see discussion above);
      • misleading and deceptive conduct provisions in the Corporations or ASIC Act;
      • will result, or likely result, in material loss or damage to clients.
  • If a reportable situation does not fall within one of the three categories above, a licensee should undertake a subjective determination of significance in a similar way to under the current regime (ie number or frequency or similar breaches; impact and extent of the breach).
Other points of note
  • New requirement for reports to be submitted to ASIC in a prescribed form, via the Regulatory Portal. That form may require licensees to provide a range of information about the Reportable Situation including how it has been rectified, remediation and steps taken to ensure future compliance.
  • ASIC will publish annual 'league' tables each financial year recording, among other things, licensee names and volume of reported breaches.
  • A failure to report to ASIC can lead to criminal or civil penalties.

Where to from here?

Responses to the consultation on the draft regulatory guide were invited by 3 June 2021. Irrespective of the output of that consultation process, the commencement of the regime in October 2021 will introduce new challenges for licensees and the regulator.

ASIC has said that it expects a 'significant increase' in the volume of breach reports it will receive as a result of the reforms, but has also reiterated that licensees are not required to report 'every instance of non-compliance or trivial breaches'. 2 The challenge for licensees will be how to reconcile this statement with the onerous automatic reporting obligations imposed on them, particularly in light of the significant civil and criminal penalties that can be imposed if a licensee fails to report. 

Footnotes

  1. See Exposure Draft for Financial Sector Reform (Hayne Royal Commission Response – Protecting Consumers (2020 Measures)) Regulations 2021: Breach Reporting. Breach Reporting Regulations | Treasury.gov.au

  2. 21-080MR ASIC consults on draft guidance on breach reporting reforms | ASIC - Australian Securities and Investments Commission

Stay informed

Subscribe to our insights and updates