Breach reporting update: reducing the regulatory burden on licensees

Amendments to the reportable situations regime 5 min read

ASIC has made some helpful amendments (the Instrument) to AFS and credit licensees’ obligations regarding certain breach reporting under the reportable situations regime (the Regime).

These updates will help reduce the regulatory burden on licensees, as well as the related costs of compliance, with respect to reportable situation reports that offer limited regulatory intelligence value to ASIC. 

In this Insight, we explore how the Instrument modifications further reflect ASIC's commitment to undertaking a detailed program of work regarding the implementation challenges of the Regime since its commencement in 2021. See our previous Insight for further details on ASIC's practical guidance on breach reporting by AFS and credit licensees.

Key takeaways

• Licensees are now exempt from reporting 'insignificant contraventions' of relevant misleading and deceptive conduct provisions to ASIC. This should reduce costs to licensees arising from the submission of reports that have limited regulatory benefit for ASIC.
• Licensees have a longer reporting period for a breach which is the same as or substantially similar to a breach previously reported to ASIC.
• These changes took effect from 20 October 2023.
• To take advantage of the amendments and the reduced regulatory burden, licensees should review and update their internal processes and frameworks for dealing with reportable situations.

Changes to the Regime

The Instrument amends the ASIC Corporations and Credit (Breach Reporting – Reportable Situations) Instrument 2021/716 by:

1. modifying the automatic requirement to report certain breaches of the prohibitions on misleading or deceptive conduct provisions under section 1041H(1) of the Corporations Act 2001 (Cth) or subsection 12DA(1) of the Australian Securities and Investments Commission Act 2001 (Cth) (ASIC Act), or false and misleading misrepresentations provision under section 12DB(1) of the ASIC Act (collectively, the MDC provisions); and
2. extending the reporting period to 90 calendar days (up from the generally-applicable 30 calendar days) for a reportable situation which is the same as or substantially similar to a previously reported situation.

'Insignificant contraventions' - certain breaches relating to the MDC provisions

1. the underlying circumstances in relation to the breach would only give rise, and would only be likely to give rise, to a single reportable situation regarding one or more of the MDC provisions; and
2. the relevant reportable situation:

• only impacts one person or, if it relates to a financial product, credit contract, consumer lease, mortgage or guarantee that is, or is proposed to be, held jointly by more than one person, those persons;
• has not resulted in, and is unlikely to result in, any financial loss or damage to any person (regardless of whether that loss or damage has been, will be or may be remediated); and
• has not given rise, and is unlikely to give rise, to any other reportable situation,

(such breach being an Excluded Breach).

Previously, any breach of the MDC provisions would automatically be deemed a ‘significant’ breach of ‘core obligations’ and be a reportable situation. The Instrument therefore provides some much-needed relief for licensees where there are isolated contraventions of these provisions which do not cause financial loss or damage.

ASIC has also helpfully provided some practical guidance by way of example scenarios which it considers to be Excluded Breaches. These are set out in paragraph 32 of the explanatory statement to the Instrument and include the following:

1. a sales agent quotes a lower savings rate on a savings account at account opening than its actual rate, and the institution promptly advises the consumer of the actual rate and pays that higher rate in circumstances where, given the speed of identifying and paying the higher rate, the account holder has suffered no financial loss or damage;
2. a staff member mistakenly advises a consumer that a payment will be processed on the following day but that day is a public holiday, so the payment will not be processed until a day later in circumstances where there is no financial loss incurred by the consumer as a result of the payment being processed a day later;
3. a Statement of Advice given to a client contains an error that the adviser rectifies with the client promptly and involves no actual or expected financial loss to the client ie, is not an error that, if the correct information was provided, could have influenced the client’s decision; and
4. an approval letter issued to a superannuation fund member confirming their account balance fails to include a total and permanent disablement benefit amount that has been approved, but the payment made to the member includes this amount, and the omission was not made in circumstances where another omission has arisen, or is likely to arise (for example, because the root cause of the omission is a defective letter template or systems error).

Reporting period for an additional, substantially similar breach extended to 90 days

Where a reportable situation has underlying circumstances that are the same as, or substantially similar to, underlying circumstances of a reportable situation previously reported to ASIC, licensees now have up to 90 days (increased from 30 days) to report to ASIC. In line with the generally-applicable 30 day period, the clock starts from when the licensee first knows, or is reckless with respect to whether, there are reasonable grounds to believe that a reportable situation has arisen.

Next steps

Licensees should review their current breach reporting frameworks in light of the Instrument, and ensure that internal processes are updated to reflect the modification for 'insignificant breaches' and the extension of the reporting period for reportable situations that are the same as, or substantially similar to, previously reported reportable situations.