INSIGHT

Are you ready for the new breach reporting regime?

By James Campbell, Alexandra McCaughan
ASIC Financial Services

New obligations from 1 October 2021

ASIC has released a consultation paper on its draft regulatory guidance for the new (read onerous and wide-ranging) breach reporting regime, which is to commence on 1 October 2021. The release follows the Financial Sector Reform (Hayne Royal Commission Response) Act 2020 (the Act) receiving royal assent in December 2020. Responses to the consultation are invited by 3 June.

This Insight is a reminder for Australian Financial Services and Credit licensees to ensure they are adequately prepared for the October 2021 deadline. It also provides a brief recap on one of the significant changes under the regime, being the obligation to automatically report to ASIC certain breaches (or likely breaches), including classes of breaches that are deemed to be significant.

For an overview of the interest this topic has attracted in recent years, see our Unravelled articles in 2017, 2018 and 2020.

Recap – requirement to automatically report certain breaches to ASIC 

The Act creates a long list of provisions which, if breached or likely breached, will be automatically reportable on the basis that they are deemed to be significant, irrespective of whether there are any similar breaches, whether the breach reflects the adequacy of monitoring and supervision, or the actual or potential financial loss to clients. The expansive scope of this obligation will require licensees to examine their existing systems and controls, and ensure that they are adequately uplifted and resourced to meet the larger number of reports likely to be required.

As a reminder, the three circumstances in which an automatic reporting obligation will be triggered are outlined below.

1. Conduct constituting gross negligence or serious fraud

2. Breach or likely breach of a core obligation that is deemed significant

While the definition of 'core obligation' largely reflects the existing list of obligations in section 912(1)(a) of the Corporations Act 2001 (Cth) and the equivalent provision in the National Consumer Credit Protection Act 2009 (Cth), the Act goes further and provides that several of those statutory obligations will be taken to be 'significant', and therefore reportable, irrespective of the circumstances. This includes a breach of any 'obligation' that:

  (a) is subject to a penalty that includes imprisonment for a maximum period of three months or more (for dishonesty offences) or 12 months or more (in all other cases);
  (b) constitutes a contravention of a civil penalty provision;
  (c) constitutes a contravention of the prohibitions on misleading or deceptive conduct in the Corporations Act or the ASIC Act 2001 (Cth); or
  (d) results, or is likely to result, in material loss or damage to clients.

In view of the above, the range of breaches that will automatically be considered 'significant' for reporting purposes is substantial. This is particularly the case following the expanded civil penalty provisions introduced in 2019 for corporate and financial sector misconduct; these created 'dual track' enforcement options for many parts of Chapter 7, increasing the number of civil penalty provisions that will be the subject of the deemed significance test.

Further, while Treasury recently consulted on which civil penalty provisions could sensibly be excluded from this automatic reporting obligation, the draft regulations released by Treasury will provide little comfort to licensees. The exclusions under those draft regulations were limited to the obligations in respect of the provision of FSGs and PDSs.[1] The Explanatory Statement acknowledged that deeming these provisions automatically significant would result in a large regulatory burden for licensees, but made no reference to other civil penalty provisions, breaches of which might, in some instances, be similarly trivial or technical in nature (eg an obligation to provide an FDS or Renewal Notice; or minor breaches of Market Integrity Rules, eg a single trivial breach of record-keeping or reporting requirements).

Similarly, the scope for conduct to be considered misleading and deceptive (and therefore deemed significant) is wide and may encompass trivial misdescriptions that have no client impact.

The expectation is that category (d) will similarly be expansive in scope. While it does include a materiality threshold, the Explanatory Memorandum describes 'loss or damage' in this context as having its ordinary and extensive meaning. The term will cover financial and non-financial loss or damage, and materiality will be assessed with reference to the person's individual circumstances. If a breach affects a number of people, it is sufficient for significance to be established if the breach is likely to result in material loss or damage to one person.

3. An investigation into a breach or likely breach of a core obligation, and that investigation has continued for more than 30 days

An investigation will become a reportable situation on Day 31, and a further reporting obligation will arise once that investigation is concluded, irrespective of the outcome. The timing of when an investigation is found to have started and concluded will therefore be of critical importance for reporting purposes, and the draft regulatory guide has made clear that this will be a matter of fact, not one for subjective determination by a licensee.

What will count as an 'investigation' will be fact specific, and while undefined by the Act, the Explanatory Memorandum refers to its ordinary meaning, and acknowledges that it will vary depending on the size of the licensee's business, their internal systems and processes, and the type of breach. The draft regulatory guide provides some examples of investigations that must be reported to ASIC, and reminds licensees that investigations should be commenced in a timely manner and without unreasonable delay.

Where to from here?

Responses to the consultation on the draft regulatory guide are invited by 3 June 2021. Irrespective of the output of that consultation process, the commencement of the regime in October 2021 will introduce new challenges for licensees and the regulator.

ASIC has said that it expects a 'significant increase' in the volume of breach reports it will receive as a result of the reforms, but has also reiterated that licensees are not required to report 'every instance of non-compliance or trivial breaches'.[2] The challenge for licensees will be how to reconcile this statement with the onerous automatic reporting obligations imposed on them, particularly in light of the significant civil and criminal penalties that can be imposed if a licensee fails to report.

In May 2021 we are conducting a webinar on the new reporting regime. Please reach out to one of the people below if this is of interest, or if you would otherwise like to discuss the arrangements you have in place for identifying, recording and reporting breaches. We also have a BAU investigations offering to assist clients with 'day to day' investigations, which may help ensure you are in a position to meet your new reporting obligations in this context.

Footnotes

  1. See Exposure Draft for Financial Sector Reform (Hayne Royal Commission Response – Protecting Consumers (2020 Measures)) Regulations 2021: Breach Reporting. Breach Reporting Regulations | Treasury.gov.au

  2. 21-080MR ASIC consults on draft guidance on breach reporting reforms | ASIC - Australian Securities and Investments Commission