ASIC Updates the breach reporting regime

The obligation to report certain breaches to ASIC has been modified from 20 October 2023 onwards. Licensees are no longer required to report insignificant contraventions of certain core obligations. 

The existing breach reporting regime (which was extensively updated in 2021) was modified in response to concerns about the costs of reporting some reportable situations that have limited regulatory benefit.

What does NOT need to be reported?

Licensees no longer need to report insignificant breaches of core obligations relating to:

  • the prohibition on misleading and deceptive conduct – Corporations Act s1041H(1) and ASIC Act s12DA(1); and
  • the prohibition on false and misleading representations – ASIC Act s12DB(1).

In order for licensees to rely on the modifications, the breach must: 

  • only impact one person (or, if a financial or credit product is involved and it is held jointly, those persons); 
  • not result in, and be unlikely to result in, any financial loss or damage to any person; and 
  • not give rise to, and be unlikely to give rise to, any other reportable situation. 

Examples of breaches that may no longer require reporting under the amended requirements include: 

  • cases of minor misinformation provided to one client; and
  • information errors that are immediately corrected where no financial loss occurred. 

Previously, a reportable situation was automatically triggered by any breach of the prohibitions on misleading and deceptive conduct or false and misleading representations under s1041H(1) of the Corporations Act and ss12DA(1) and 12DB(1) of the ASIC Act. The amendments aim to reduce the regulatory burden for licensees by exempting breaches from reporting when these conditions are met.

Increased Reporting Period 

To further ease the reporting requirements, licensees now have up to 90 days to report a breach which has the same or substantially similar underlying circumstances. This amendment acknowledges the burden on licensees that, during the course of an investigation, identify further related breaches, and provides additional time for comprehensive reporting of the subsequent breach.

What Next?

Licensees should:

  • familiarise themselves with the core obligations that apply to their business and ensure all representatives are aware of the obligations;
  • ensure there are adequate systems in place to identify breaches;
  • ensure adequate and appropriate reporting lines;
  • ensure all communications with clients accurately represent the products and services the licensee offers and are not misleading or false in substance, or in the impression they give; and
  • ensure staff are adequately trained and understand their obligations in relation to breaches and escalating any incidents.

Background

The breach reporting regime is found in Subdivision B of Division 3 of Part 7.6 of the Corporations Act 2001 (Cth) (“Corporations Act”).

ASIC Instrument 2023/589 amended section 912D(4) of the Corporations Act and paragraph 50A(4) of the National Consumer Credit Protection Act 2009 (Cth) in relation to the reportable situations that are deemed to be ‘significant’ breaches.

Contact Us

Please contact Sophie Grace if you would like to discuss the changes or how they affect your business in more detail.
