INSIGHT

Are you ready for the new breach reporting regime?

By James Campbell, Alexandra McCaughan
ASIC Financial Services

New obligations from 1 October 2021 10 min read

In June 2021, consultation closed on ASIC's draft regulatory guidance for the new (read onerous and wide-ranging) breach reporting regime, which is to commence on 1 October 2021. The release follows the Financial Sector Reform (Hayne Royal Commission Response) Act 2020 (the Act) receiving royal assent in December 2020.

This Insight is a reminder for licensees to ensure they are adequately prepared for the October 2021 deadline. It also provides a recap on one of the significant changes under the regime, being the obligation to automatically report to ASIC certain breaches (or likely breaches), including classes of breaches that are deemed to be significant.

For an overview of the interest this topic has attracted in recent years, see our Unravelled articles in 2017, 2018 and 2020.

Key takeaways

  • Extended scope – applies to both AFS and credit licensees.
  • Extended reporting period – reports must be lodged within 30 calendar days (compared to 10 business days).
  • Clock will start ticking earlier – 30 days will commence when the licensee knows that, or is reckless with respect to whether, there are reasonable grounds to believe the reportable situation has arisen. Licensees will want to consider the roles and responsibilities of staff involved in the breach reporting process to ensure there is clearly communicated delineation of responsibility as between those who have authority to make findings of fact, and those who have actual or apparent authority to assess whether there has been a breach.
  • No subjective significance assessment for certain reportable situations – an automatic reporting obligation may be triggered without a licensee undertaking a subjective assessment of significance. This will likely substantially increase the number of reports required.
  • Investigations are now reportable – a report must be lodged to report investigations into possible breaches if the investigation takes longer than 30 days. The outcome of that investigation will also be reportable.
  • New 'dobbing-in' provision – must notify ASIC if there are reasonable grounds to believe a reportable situation has arisen in relation to a mortgage broker, or individuals who provide personal advice to retail clients in relation to certain financial products.
  • Penalties – severe consequences for getting breach reporting wrong.

Recap – requirement to automatically report certain breaches to ASIC 

The Act creates a long list of provisions, which, if breached or likely breached, will be automatically reportable on the basis that they are deemed to be significant, irrespective of whether there are any similar beaches, the breach reflects the adequacy of monitoring and supervision, or the actual or potential financial loss to clients. The expansive scope of this obligation will require licensees to examine their existing systems and controls, and ensure that they are adequately uplifted and resourced to meet the larger number of reports likely to be required.

As a reminder, the three circumstances in which an automatic reporting obligation will be triggered are outlined below.

1. Conduct constituting gross negligence in the course of providing a financial service, or serious fraud

2. Breach or likely breach of a core obligation that is deemed significant

While the definition of 'core obligation' largely reflects the existing list of obligations in section 912(1)(a) of the Corporations Act 2001 (Cth) and equivalent provision in the National Consumer Credit Protection Act 2009 (Cth), the Act goes further and provides that several of those statutory obligations will be taken to be 'significant', and therefore reportable, irrespective of the circumstances. This includes a breach of any 'obligation' that:

  1. is subject to a penalty that includes imprisonment for a maximum period of three months or more (for dishonesty offences) or 12 months or more (in all other cases);
  2. constitutes a contravention of a civil penalty provision;
  3. constitutes a contravention of the prohibitions on misleading or deceptive conduct in the Corporations Act or ASIC Act 2001 (Cth); or
  4. results, or is likely to result, in material loss or damage to clients.

In view of the above, the range of breaches that will be considered 'significant' for reporting purposes is substantial. For example, conduct that will be considered misleading and deceptive is wide and may encompass trivial misdescriptions that have no client impact. Further, 'loss or damage' will encompass both financial and non-financial, and materiality will be assessed with reference to the person's individual circumstances. If a breach affects a number of people, it will be significant if it is likely to result in material loss or damage to one person.

Similarly, a significant number of civil penalty provisions will be subject of the deemed significance test. This is particularly the case following the expanded civil penalty provisions introduced in 2019 for corporate and financial sector misconduct; these created 'dual track' enforcement options for many parts of Chapter 7 of the Corporations Act. In recognition of the burden this approach will impose on licensees, the regulations made under the new regime prescribe a number of civil penalty provisions that a breach thereof will not be deemed significant (for example, provision of FSGs, PDSs and FDSs, and compliance with the market integrity and derivative transaction rules). While the regulations will provide some comfort to licensees, the number of provisions that remain in scope are substantial. Further, even where a civil penalty provision is 'excluded' under the regulations, licensees will still need to assess whether the breach might otherwise be reportable on some other basis (for example, by the other limbs of the deemed significance test).

3. An investigation into a breach or likely breach of a core obligation, and that investigation has continued for more than 30 days

An investigation will become a reportable situation on Day 31, and a further reporting obligation will arise once that investigation is concluded, irrespective of the outcome. The timing of when an investigation is found to have started and concluded will therefore be of critical importance for reporting purposes, and the draft regulatory guide has made clear that it will be a matter of fact not for subjective determination by a licensee.

What will count as an 'investigation' will be fact specific, and while undefined by the Act, the Explanatory Memorandum refers to its ordinary meaning, and acknowledges that it will vary depending on the size of the licensee's business, their internal systems and processes, and the type of breach. The draft regulatory guide provides some examples of investigations that must be reported to ASIC, and reminds licensees that investigations should be commenced in a timely manner and without unreasonable delay.

Snapshot of the new regime

What entities will it apply to?
  • AFS and credit licensees, and their representatives, by way of amendments to the NCCP Act and Corporations Act.
When does it come into force?
  • 1 October 2021.
What are the reporting obligations?
  • Two separate reporting obligations are imposed on licensees. Namely, where there are reasonable grounds to believe a reportable situation has arisen in relation to:
    • its license; or
    • individuals who provide personal advice to retail clients in relation to certain financial products, or who are mortgage brokers.
What are the four categories of reportable situations?
  1. Breaches or likely breaches of core obligations that are significant.
  2. Investigations into breaches or likely breaches of core obligations that are significant.
  3. Additional Reportable Situations, which include conduct constituting gross negligence in the course of providing a financial service, or serious fraud.
  4. Reportable situations about other licensees.
What is a core obligation?
  • This concept is defined broadly.
  • For AFS licensees, it includes general obligations under s912A Corporations Act, and the obligation to comply with certain 'financial services laws' under s912A(1)(c).
  • For credit licensees, it includes general obligations under s57 NCCP Act, and the obligation to comply with certain credit legislation.
When does the report need to be filed by?
  • Report must be lodged within 30 days of the licensee first knowing that, or being reckless with respect to whether, there are reasonable grounds to believe the reportable situation has arisen.
When does the clock start ticking?
  • Reasonable grounds is an objective test – facts or evidence sufficient to induce a reasonable person to believe that a reportable situation has arisen.
  • Clock will start ticking when a person with actual or apparent authority to determine whether there is a reportable situation knows (or is reckless thereto) that reasonable grounds exist.
Do licenses need to assess whether the breach is significant?
  • Unlike the current regime, in some cases, a licensee will not be required to undertake any subjective determination of significance prior to reporting to ASIC.
  • The three categories of situations which will be automatically reportable to ASIC are:
    • the Additional Reportable Situations, being gross negligence in the course of providing a financial service, or serious fraud;
    • an investigation which continues for >30 days into whether a significant breach (or likely breach) of a core obligation has occurred, and the outcome of that investigation;
    • a contravention of:
      • an offence punishable on conviction by a penalty that may include imprisonment for ≥3 months if the offence involves dishonesty, or ≥12 months in any other cases;
      • a civil penalty provision, subject to those prescribed by the Corporations Regulations 2001;
      • misleading and deceptive conduct provisions in the Corporations or ASIC Act;
      • will result, or likely result, in material loss or damage to clients.
  • If a reportable situation does not fall within one of the three categories above, a licensee should undertake a subjective determination of significance in a similar way to under the current regime (ie number or frequency or similar breaches; impact and extent of the breach).
Other points of note
  • New requirement for reports to be submitted to ASIC in a prescribed form, via the Regulatory Portal. That form may require licensees to provide a range of information about the Reportable Situation including how it has been rectified, remediation and steps taken to ensure future compliance. A draft version of the new form (referred to as a 'wireframe') is accessible here
  • ASIC will publish annual 'league' tables each financial year recording, among other things, licensee names and volume of reported breaches.
  • A failure to report to ASIC can lead to criminal or civil penalties.

Where to from here?

Responses to the consultation on the draft regulatory guide closed on 3 June 2021. Irrespective of the output of that consultation process, the commencement of the regime in October 2021 will introduce new challenges for licensees and the regulator.

Footnotes

  1. See Exposure Draft for Financial Sector Reform (Hayne Royal Commission Response – Protecting Consumers (2020 Measures)) Regulations 2021: Breach Reporting. Breach Reporting Regulations | Treasury.gov.au

  2. 21-080MR ASIC consults on draft guidance on breach reporting reforms | ASIC - Australian Securities and Investments Commission

Stay informed

Subscribe to our insights and updates