Australian financial service (AFS) licensees and credit licensees (Licensees) are required to submit breach reports to ASIC within 30 calendar days of becoming aware of the breach or likely breach. ASIC has previously noted that Licensees should not wait until the breach is rectified to provide a report to ASIC, but rather, the report must be sent within 30 days of the Licensee having knowledge of the breach.
What do you need to report?
The legislation prescribes a list of Reportable Situations which apply to Licensees, these include:
- a core obligation has been breached by the licensee (or its representative) and the breach is significant;
- the Licensee (or its representative) is no longer able to comply with a core obligation and the breach, if it occurs, will be significant;
- an investigation is conducted into whether there is a breach (or possible breach) of a core obligation and the investigation continues for more than 30 days; or
- the Licensee (or its representative) has engaged in gross negligence or committed serious fraud.
When is a Breach ‘Significant’?
The test for significance includes an objective test and a subjective test.
The circumstances where a breach of a core obligation is deemed to be significant are prescribed as follows:
- the breach is the commission of an offence which is punishable by imprisonment for 12 months or more (or 3 months where the offence involves dishonesty);
- the breach is the contravention of a civil penalty provision under any law;
- the breach is the contravention of provisions of the Corporations Act or ASIC Act relating to misleading or deceptive conduct;
- the breach results in, or is likely to result in, material loss or damage to clients or members.
Where the breach is not deemed to be significant, Licensees are required to apply the following subjective factors to determine significance, including:
- the number and frequency of similar breaches;
- the impact of the breach on the licensee’s ability to provide services covered by the Licensee;
- the extent to which the breach indicates that the Licensee’s arrangements to ensure compliance are inadequate; and
- any other matters prescribed by regulations.
How do you report breaches?
Licensees are required to submit breach reports to ASIC via the ASIC Regulatory Portal. ASIC has developed a prescribed form which will need to be completed to submit Reportable Situations.
Other key features of the ASIC Regulatory Portal include:
- a record of previous breach reports;
- the ability to track the status of submitted breach reports; and
- the ability to correspond with ASIC online about submitted breach reports.
You can also invite trusted representatives to access the Regulatory Portal and act on your behalf to submit ASIC breach reports. When inviting a trusted representative, you can define user access levels that will dictate what other users can do on your behalf within the portal such as authorising another user to launch and edit a transaction but not submit a transaction.
Notify, Investigate and Remediate Obligations
These obligations are triggered:
- AFS licensees: where personal financial product advice has been provided to retail clients in relation to a financial product (other than basic banking products, general insurance products and consumer credit insurance); or
- Credit licensees: where credit assistance has been provided by a mortgage broker in relation to a credit contract secured by a mortgage over residential property.
and there are grounds to believe:
- a Reportable Situation has arisen;
- the affected client has, or will, suffer loss or damage as a result of the Reportable Situation; and
- the affected client has a legally enforceable right to recover the loss or damage.
Having knowledge of these factors, or being reckless with respect to these factors, triggers the notification, investigation and remediation obligations.
Notification must occur within 30 days of the Licensee having knowledge that the obligations have been triggered. The notification to affected clients must be in writing and describe the nature of the Reportable Situation and the basis for the Licensee’s belief that the client has, or will, suffer loss or damage.
Investigations must commence within 30 days of the Licensee having knowledge that the obligations have been triggered. The investigation should:
- Identify the conduct that gave rise to the Reportable Situation;
- Quantify the loss or damage the affected client has, or will, suffer (where that loss is legally enforceable);
- Be complete and thorough.
Licensees are also required to notify clients of the outcome of their investigation within 10 days of concluding the investigation.
Licensees must remediate affected clients where there is a legally enforceable right to recover loss or damage. Remediation must occur within 30 days of the Licensee concluding the investigation. For clients who fall outside the scope of the Licensee’s obligation to remediate, the Licensee must still consider whether it would be fair, efficient and honest to remediate the client.
The obligations in relation to notification, investigation and remediation require Licensees to maintain records demonstrating their compliance.
Licensees need to ensure their breach reporting procedures are up to date and all staff members are adequately trained in relation to：
- the obligations of the Licensee;
- what constitutes a breach;
- internal reporting lines for breach reporting;
- how to determine whether a breach is significant and who is responsible for making this decision;
- the timeframes for reporting significant breaches to ASIC; and
- whether the ‘notify, investigate and remediate’ obligations are appliable to the Licensee.
Licensees should ensure their systems and controls for identifying, investigating and reporting breaches are appropriately modified and enhanced to ensure they align with the legislative requirements and ASIC Regulatory Guide 78. These procedures should include, at a minimum:
- a breach register in which all breaches and incidents are recorded;
- adequate and appropriate reporting lines;
- clear assignment of responsibilities in relation to investigations and reporting to ASIC;
- senior staff are appropriately authorised to conduct investigations, with access being granted to all documentation required to make an assessment in relation to the significance of the breach and any loss or damage suffered by clients;
- senior staff are appropriately authorised to make a determination as to the remediation provided to clients.
If you would like to speak to us about how we could help your business to fulfil the breach reporting obligations, or if you require assistance updating your breach reporting procedures, please contact us.