INSIGHT

Breach reporting

By James Kanabar, Alexandra McCaughan, Ally Crowther
ASIC Financial Services

Some practical 'how to' guidance from ASIC

ASIC recently announced the first round of updates to its Regulatory Guidance 78: Breach reporting by AFS licensees and credit licensees (RG 78), aimed at facilitating the effective operation of the (not so) new reportable situations regime (the Regime).

As outlined in our previous Insight, ASIC acknowledged last year that the Regime had encountered a number of implementation challenges since its commencement in 2021. It committed to undertaking a detailed program of work and now, after a period of industry consultation, has released these updates.

The updates to RG 78 include practical guidance on when licensees should group reportable situations into a single report and how they should complete the reportable situations form prescribed by ASIC (the ASIC Form). ASIC has also announced a series of changes to the ASIC Form that will apply from 5 May 2023.

In this Insight, we provide an overview of these changes and discuss some of the issues ASIC has left on the table for round two.

Key takeaways

  • New 'grouping test' for multiple reportable situations: ASIC has introduced a new two-limbed test that, if satisfied, will permit licensees to group multiple reportable situations into one report. Namely, where (a) there is similar, related or identical conduct—ie conduct involving the same or very similar factual circumstances; and (b) the conduct has the same root cause—ie the underlying cause of the breach.
  • Detailed FAQs on how to complete the ASIC Form: licensees should review the new FAQs to ensure the contents of any new reports are consistent with ASIC's expectations. ASIC has also provided an FAQ on correcting or withdrawing submitted reports.
  • ASIC Form will be amended from 5 May 2023: a number of changes have been made to the ASIC Form. Licensees should be aware of these changes to ensure their internal processes are updated to capture the requisite information. Two of the key changes of interest to our clients are:
    • the clarification that licensees must report when the potential breach was identified, in addition to when it was determined that a reportable situation had arisen. Practically speaking, this will increase the time pressure on licensees to get on top of the issues associated with the potential breach quickly; and
    • the requirement for licensees to provide a genuine estimate of client loss associated with the incident. In some instances, this may pose real, practical challenges for licensees.

Grouping multiple reporting situations

Since the introduction of the Regime (see our Insight), licensees have been required to report reportable situations to ASIC in the prescribed form and through the ASIC Regulatory Portal. As part of that report, licensees are required to include details of how many reportable situations relate to the breach (or likely breach) and have been permitted to group together instances which were similar or related to a single, specific root cause. However, to date, there has been limited guidance in RG 78 about the practical application of this aspect of the Regime.

The updated guidance now provides that reportable situations may be grouped and reported to ASIC in a single report where:

  • there is similar, related or identical conduct (eg similar representations made about the same type of product(s) and/or service(s)); and
  • the conduct has the same root cause (eg a specific systems error or process deficiency).

This is the 'grouping test'.

Further examples as to when this test will be satisfied have also been included. The guidance clarifies that reportable situations that involve different products may be grouped, as may separate occasions of staff negligence or human error as the root cause. However, ASIC has reminded licensees that before concluding that incidents may be grouped, the licensee must be satisfied there is no broader failure or other relevant root cause (eg relating to training, policy, process and/or systems) that is the underlying cause of the breach.

FAQs on how to complete the ASIC Form

ASIC has inserted a new Appendix 2 to RG 78 that sets out detailed answers to FAQs about how a licensee should populate the ASIC Form when submitting their report to ASIC.

ASIC has developed these FAQs in response to industry feedback, and in recognition of the fact that since the introduction of the Regime in 2021, there have been inconsistencies in the nature and quality of information provided to ASIC. We expect that Appendix 2 will be welcomed by licensees who, in our experience, spend a significant amount of time assessing and determining what is required to be provided and manually inputting this into the various mandatory and optional fields in the ASIC Form.

The core messaging in relation to each FAQ includes the following.

What information should I provide in the free-text field: ‘Describe the reportable situation’?

  • ASIC has adopted a 'scalable approach' that it says seeks to balance the objectives of minimising regulatory burden for licensees and increasing the quality of information provided.
  • ASIC says licensees should adopt an approach that takes into account the impact, nature and complexity of the reportable situation and consider whether further or more detailed information (beyond what is captured through the structured data fields in the prescribed form) would assist ASIC’s understanding of the reportable situation.
  • Consideration should be given as to whether to include details of what happened, how the reportable situation is a breach of obligations, serious fraud or gross negligence, how it was identified, why it occurred, its impact to clients and other licensees, the remediation and rectification work associated with the incident, the steps taken to address the underlying root cause, and other relevant context and explanations.

How should I respond to the question: ‘Have any similar reportable situations previously occurred’?

  • ASIC says this field will require professional judgement about whether two or more reportable situations are similar, and about the length of time to look back to identify similar reportable situations. Licensees should take into account factors such as the nature of the issue, the legislative provisions contravened, the underlying root cause, the compliance arrangements or controls involved and client impact.

When does ASIC expect an update to a report I have lodged?

  • ASIC has now clarified its expectation that licensees provide an update at least once every six months or otherwise where there are any material changes to a licensee's understanding of the nature, impact or extent of the reportable situation(s).
  • ASIC should also be notified when an investigation is complete and the matter has been rectified and remediated.

How should I respond to the questions: ‘What are the root causes of the breach—or likely breach’? and ‘What triggered the investigation or made you aware of the matter’?

  • ASIC has inserted new guidance to support these sections of the form.
  • Licensees will be required to report the root cause by selecting from a number of common root cause categories. The FAQs include guidance to help licensees identify which category to select.
  • The category options for 'root cause' include policy or process deficiencies, system deficiencies, staff negligence or error, inadequate supervision or lack of training, fraud and/or misappropriation, misconduct by staff, failure to comply with breach reporting requirements, failure to comply with other statutory reporting requirements, misunderstanding of obligations, failed change initiatives, or inadequacies in issues such as management controls or technological resources.
  • 'Triggers' for investigations are also grouped into categories (eg internal audit function, a whistleblower, client complaints, etc.) and licensees will be asked to select the option that corresponds with how they (or one of their staff members or representatives) first became aware of the matter, or how the investigation first started.

How should I calculate and report the number of clients affected by a reportable situation?

  • ASIC has inserted illustrative examples to address areas of known uncertainty in terms of the number of clients affected.
  • ASIC has also confirmed that licensees should count each holder of a joint account individually (except where a licensee's systems do not permit disaggregation of joint account holders in this way, in which case, the licensee may count joint accounts as a single client).

Can I withdraw or correct a report I have submitted to ASIC?

  • ASIC has reiterated that there are limited circumstances in which a report may be withdrawn or corrected, in the expectation that reports are complete and accurate when lodged.
  • Examples of when ASIC may approve a request to correct a report (which it will consider on a case-by-case basis) include where there are material factual errors on a report, where a change is required to a field that has been greyed out or where additional or more accurate information comes to light.

Changes to the ASIC Form

ASIC has published an overview of changes to its prescribed form that will come into effect on 5 May 2023.[1] Two of the changes to the ASIC Form introduce arguably some of the more material changes to the Regime.

The first is that ASIC will change the wording of question 1

This currently reads ‘[w]hen did you first become aware that a breach, serious fraud or gross negligence had occurred—or that you were no longer able to comply with a core obligation?’, and will now ask licensees to '[s]pecify the date when the potential breach, serious fraud and/or gross negligence was first discovered’.

As ASIC notes, most licensees have, until now, interpreted this question to mean the date on which the licensee determined that a ‘reportable situation’ had arisen under the law (ie when the licensee first knew, or was reckless as to whether, there were reasonable grounds to believe a significant breach of a core obligation, serious fraud or gross negligence situation had arisen). This is inconsistent with what ASIC now says was the intention. That is, ASIC intended to capture the date on which the licensee first discovered there may be a breach (or likely breach), but before the licensee makes a determination that a reportable situation exists. Providing that earlier date will, ASIC says, give it insight into the period of time that has lapsed between:

  • the first discovery of an incident;
  • the start of the investigation into that incident; and
  • the date on which the licensee then determines that the matter is reportable to ASIC.

This clarification is significant. It brings into focus the time taken by licensees to understand the issues related to an incident, and increases the risk of regulatory criticism in the event a licensee lets long periods of time pass between each step.

The second change is the introduction of new guidance within the ASIC Form around the 30-day reporting timeframe

The ASIC Form now clarifies that licensees should provide genuine estimates for client loss and number of clients affected, based on the information available at the time of reporting. Placeholder values when responding to the question are not, in ASIC's view, compliant. While this clarification is helpful, we expect it will continue to pose practical challenges for licensees, given that estimating loss related to an incident is often complex and there are usually limitations in terms of what can be achieved in 30 days.

Other changes to the ASIC Form

One additional aspect of guidance of note embedded in the new ASIC Form relates to the concept of 'investigation' under the Regime (an issue we raised in our previous Insight). ASIC has now clarified that an investigation is complete only after the licensee has determined the root cause(s), identified all affected clients and identified all instances of the reportable situation. ASIC has also promised to make clear the distinction between the terms ‘reportable investigation’ and ‘investigation’ in any future public reporting where the investigation completion date is used.

Next steps

The changes reflect only the first round of updates that will be made to the Regime.

ASIC has flagged a number of other items[2] raised during industry consultation which have not progressed at this time, but on which ASIC proposes to consult further, including:

  • Calculating the number of reportable situations and the number of instances that relate to a breach or likely breach: ASIC recognises that further extensive guidance may be required to reduce ambiguity and drive consistency in responding to the question ‘[h]ow many reportable situations relate to the breach/likely breach?’. We agree. It is not always a straightforward exercise for licensees to identify with precision the number of reportable situations, particularly within a short period of time. It is also challenging to accurately calculate the number of instances of the event. By way of example, in the context of the misleading or deceptive conduct provisions, the same conduct may be characterised as one act which results in one or more persons being misled, or multiple incidents of misleading or deceptive conduct in respect of each person being misled.
  • Naming of employees and/or representatives: licensees have raised a variety of privacy, procedural fairness and employment concerns with the requirement to name the employees and/or representatives whose conduct is the subject of the reportable situation, and ASIC has determined that further consideration is required to appropriately balance licensees’ privacy and procedural fairness concerns against the regulatory benefit for ASIC in receiving this information.

It is unclear whether ASIC intends to consult on further changes to RG 78 or the prescribed form in addition to those described above. However, as we identified in our earlier Insight, the Regime imposes real regulatory burden upon licensees, who continue to tackle a number of areas of ambiguity in its interpretation. ASIC has said it will continue its focus on the operation of the Regime to ensure it meets its policy objectives for the industry and consumers.

Finally, in what is sure to raise an eyebrow for licensees, ASIC has also signalled[3] it will consult on its proposed approach to public reporting at a more granular level for the 2024 version of the public report and beyond. Whether this includes a proposal to name specific licensees is yet to be seen.

Footnotes

  1. See Table 2 in ASIC's Reportable situations: Overview of changes to RG 78 announced in April 2023.

  2. See Table 3 in ASIC's Reportable situations: Overview of changes to RG 78 announced in April 2023.

  3. ASIC media release 23-106MR, 27 April 2023.