An overview of the relief and compliance steps for licensees 6 min read
ASIC has provided some additional relief from the 'reportable situations' regime that applies to Australian financial services and credit licensees. The changes apply immediately, and licensees should review and update their internal systems for dealing with incidents and reportable situations to reflect the new relief.
This is the third tranche of relief ASIC has provided since the new reportable situations regime commenced on 1 October 2021. Our Insight on the previous relief is available here. The latest changes follow ASIC's consultation with industry in early 2025, and it appears unlikely to broaden the relief further without legislative amendment.
In this Insight, we provide an overview of the relief and what licensees need to do to comply. The changes should reduce the number of incidents that need to be notified to ASIC, but the regime will continue to capture many immaterial breaches which need to be investigated and reported.
Key takeaways
The new relief in ASIC Corporations and Credit (Amendment) Instrument 2025/289:
- expands the exemptions from the reporting requirements for certain limited breaches of the misleading and deceptive conduct provisions and certain civil penalty provisions (details further below).
- extends the time allowed for an investigation before it must be reported to ASIC, from 30 days to 60 days.
- clarifies for APRA-regulated entities when a breach report lodged with APRA will also be taken to be lodged with ASIC.
Further relief for misleading and deceptive conduct and other civil penalty provisions
The previous ASIC relief exempted licensees from reporting a breach of the misleading and deceptive conduct provisions where the incident involves a single reportable situation that only impacts one person (or joint holders of a product), and which has not resulted in financial loss or damage to any person. ASIC notes that even with this exemption, the regime still requires reporting of breaches that 'have limited intelligence value'.
The new relief provides an additional exemption so that a breach is not taken or deemed to be 'significant' where all of the following conditions are satisfied:
- The underlying circumstances in relation to the breach would only give rise to a single reportable situation or a single group of reportable situations as a result of:
- a breach of the misleading or deceptive conduct provisions; or
- a contravention of a civil penalty provision.
A single group of reportable situations for this purpose is two or more single reportable situations which each involve the same or substantially similar conduct (other than the identity of the consumer and the date of the conduct), and which occur within a period of no more than 60 days; and
- The breach does not constitute a contravention of the client money reporting rules or clearing and settlement facility rules (sections 828C and 981M Corporations Act 2001 (Cth)); and
- No more than 10 persons are (or are likely to be) impacted; and
- The total financial loss or damage to all persons resulting from (or likely to result from) the reportable situation does not exceed $1000 (before remediation); and
- The breach has been rectified, including any necessary remediation to clients, within 60 days after the reportable situation first occurred.
While this relief may allow licensees to avoid having to report some isolated incidents, we expect licensees will continue to identify many immaterial breaches which are not covered by the relief.
In particular, it appears ASIC intended the relief to allow a licensee that rectifies a breach within 60 days of the breach having occurred (not 60 days from the time the licensee becomes aware of the breach) to not report the breach where the other conditions (one to four above) are met (unless it is otherwise assessed as significant). However, this is not the way the drafting of point five above works when read with the reportable situations provisions in the Corporations Act.
Under those provisions, a licensee has 30 days to notify ASIC after it first knows or is reckless as to whether there are reasonable grounds to believe a reportable situation has arisen. To take an example, if on day one a licensee reasonably believes it has contravened a civil penalty or misleading or deceptive conduct provision that is deemed to be significant, the licensee has 30 days to lodge a report with ASIC. The new relief does not give the licensee 60 days to rectify the breach before the obligation to lodge the report arises, and does not have retrospective effect so that even if the licensee does rectify the breach—say on day 20—the relief would strictly not apply to override the reportable situation that arose on day one. The relief will, therefore, only be available where conditions one to four above are met and where, as at the time the licensee knows or is reckless as to whether there are reasonable grounds to believe a reportable situation has arisen, the breach has already been rectified and was rectified within 60 days of the breach having occurred. This appears to be inconsistent with ASIC's intent, and a fix would require changes to the drafting of condition five above, as set out in the relief instrument.
Further, issues caused by errors in the way IT systems are set up are likely to affect more than 10 persons and may take time to be identified and then rectified. We also note that the financial loss or damage threshold ($1000 in total) is very low and so in practice the relief is likely to cover only those breaches which do not result in financial loss or damage or only in very immaterial loss or damage.
Breaches covered by the new relief may also be reportable under other circumstances provided for under the reportable situations regime aside from the 'taken to be significant' test, such as where the incident satisfies the 'significance test' that has regard to the number and frequency of similar breaches.
Extending time for investigations
ASIC has also given relief so that only investigations that are ongoing for more than 60 days, rather than 30 days, are reportable to it. This means that if an investigation is completed within 60 days and no reportable situation is identified, the investigation is not a reportable situation and does not need to be notified to ASIC.
This will assist licensees, because many investigations require more time to gather facts and obtain advice about the implications of issues that have been identified.
For investigations currently on-foot, the new relief instrument commenced on 27 June 2025 and so investigations that had commenced before then but had not been continuing for more than 30 days will now only be reportable if they continue for more than 60 days. Investigations that became reportable situations before the commencement of the new relief instrument still need to be reported.
APRA breach reporting
For APRA-regulated entities that also have an Australian financial services or credit licence, some incidents will be reportable both to APRA under the relevant legislation governing the entity as well as to ASIC under the reportable situations regime.
The legislation currently provides that a report is taken to be lodged with ASIC if the licensee has given a report to APRA that contains all of the information required under the ASIC reportable situations regime.
The new relief clarifies what information needs to be provided by a licensee to APRA, in the form required by APRA, so that the report will also be sufficient for the purposes of the reportable situations regime in the Corporations Act and the National Consumer Credit Protection Act 2009 (Cth). A licensee will not need to submit a separate report to ASIC if they provide all of the information required in the APRA form (although, they are not precluded from reporting to both regulators).
Next steps
Licensees should review and update their processes for dealing with reportable situations in light of the new relief.