
Breach Reporting by AFS Licensees

Australian Financial Services Licensees ("Licensees") are required to submit breach reports to ASIC within 30 calendar days of knowing, or being reckless with respect to whether, a breach or likely breach has occurred. ASIC has previously noted that Licensees should not wait until a breach is rectified before reporting it; the report must be sent within 30 calendar days of the Licensee having knowledge of, or being reckless with regard to, the breach.

What do you need to report?

The legislation prescribes a list of "Reportable Situations" which apply to Licensees. These include:

  • A core obligation has been breached by the Licensee (or its representative) and the breach is either deemed significant by the legislation, or assessed as significant by the Licensee.
  • The Licensee (or its representative) is no longer able to comply with a core obligation and the breach, if it occurs, will be either deemed significant, or assessed as significant.
  • An investigation is conducted into whether there is a breach (or likely breach) of a core obligation and the investigation continues for more than 30 days.
  • The Licensee (or its representative) has engaged in gross negligence or committed serious fraud.

Core obligations include the general obligations outlined in s912A and s912B of the Corporations Act 2001 (Corporations Act).

If a Licensee determines that multiple Reportable Situations have the same root cause, and the situations constitute similar, related or identical conduct, they may be grouped into one report. An example of this may be where multiple Reportable Situations arise as a result of staff negligence or human error; however, the Licensee must be satisfied that there is no broader root cause, such as inadequate training processes.

Where an investigation uncovers additional Reportable Situations, Licensees must report these additional Reportable Situations within 30 calendar days, unless the additional Reportable Situations arise from the same, or substantially similar root causes. In these limited circumstances, Licensees have 90 days to notify ASIC of the additional Reportable Situations.

Exemptions for reporting breaches relating to false and misleading information and conduct

Licensees do not need to report breaches of core obligations relating to:

  • the prohibition on misleading and deceptive conduct – Corporations Act s1041H(1) and ASIC Act s12DA(1); and
  • the prohibition on false and misleading representations – ASIC Act s12DB(1).

where the breach:

  • only impacts one person (or, if a jointly held financial product is involved, those joint holders);
  • does not result in, and is unlikely to result in, any financial loss or damage to any person; and
  • does not give rise to, and is unlikely to give rise to, any other reportable situation.

Examples of breaches that are not to be reported include:

  • cases of minor misinformation provided to one client;
  • information errors that are immediately corrected where no financial loss has occurred.

When is a Breach 'Significant'?

The test for significance includes an objective test and a subjective test.
Objective Test

The circumstances where a breach of a core obligation is deemed to be significant are prescribed as follows:

  • The breach is the commission of an offence which is punishable by imprisonment for 12 months or more (3 months or more where the offence involves dishonesty)
  • The breach is the contravention of a civil penalty provision under any law
  • The breach is the contravention of provisions of the Corporations Act or ASIC Act relating to misleading or deceptive conduct
  • The breach results in, or is likely to result in, material loss or damage to clients or members

Subjective Test

Where the breach is not deemed to be significant, Licensees are required to apply the following subjective factors to determine significance:

  • The number and frequency of similar breaches
  • The impact of the breach on the Licensee's ability to provide the services covered by the Licence
  • The extent to which the breach indicates that the Licensee's arrangements to ensure compliance are inadequate
  • Any other matters prescribed by regulations

How do you report breaches?

Licensees are required to submit breach reports to ASIC via the ASIC Regulatory Portal. ASIC has developed a prescribed form which will need to be completed to submit Reportable Situations.

Other key features of the ASIC Regulatory Portal include:

  • a record of previous breach reports;
  • the ability to track the status of submitted breach reports; and
  • the ability to correspond with ASIC online about submitted breach reports.

You can also invite trusted representatives to access the Regulatory Portal and act on your behalf to submit ASIC breach reports. When inviting a trusted representative, you can define user access levels that dictate what that user can do on your behalf within the portal, such as authorising the user to launch and edit a transaction but not to submit it.

Notify, Investigate and Remediate Obligations

These obligations are triggered where personal financial product advice has been provided to retail clients in relation to a relevant financial product (other than basic banking products, general insurance products and consumer credit insurance), and there are grounds to believe:

  • a Reportable Situation has arisen;
  • the affected client has, or will, suffer loss or damage as a result of the Reportable Situation; and
  • the affected client has a legally enforceable right to recover the loss or damage.

Having knowledge of these factors, or being reckless with respect to these factors, triggers the notification, investigation and remediation obligations.

Notification must occur within 30 calendar days of the Licensee having knowledge that the obligations have been triggered. Licensees must take reasonable steps to notify the affected clients. The notification must be in writing and describe the nature of the Reportable Situation and the basis for the Licensee's belief that the client has, or will, suffer loss or damage.

Investigations must commence within 30 calendar days of the Licensee having knowledge that the obligations have been triggered. The investigation should:

  • Identify the conduct that gave rise to the Reportable Situation;
  • Quantify the loss or damage the affected client has, or will, suffer (where the client has a legally enforceable right to recover that loss or damage);
  • Be complete and thorough.

The term ‘investigation’ is not defined in legislation but has its ordinary meaning. What constitutes an investigation depends upon the following factors:

  • The size of the Licensee’s business;
  • Internal systems and processes; and
  • The type of breach.

RG 78 notes that preliminary steps, initial fact-finding and 'business as usual' inquiries such as routine audits do not constitute an investigation.

Licensees are required to report an investigation to ASIC where:

  • An investigation into whether there is a breach or likely breach of a core obligation has commenced, the breach (if established) would be significant, and the investigation lasts for longer than 30 calendar days; or
  • The investigation lasts longer than 30 calendar days and its outcome discloses that there is no breach or likely breach of a core obligation.

The commencement of an investigation is a matter of fact. Examples of commencing an investigation include any of the following:

  • You have sought specialist or technical advice;
  • You have communicated with representatives or staff involved in the incident; or
  • You have communicated with potentially affected clients.

While there is no required timeframe for completion of an investigation, ASIC expects investigations to be conducted in a timely manner and without unreasonable delay.

Licensees are also required to notify affected clients in writing of the outcome of their investigation within 10 days of concluding the investigation.

Licensees must take reasonable steps to pay affected clients an amount equal to their loss or damage where the Licensee has reasonable grounds to believe the client:

  • has suffered, or will suffer, loss or damage as a result of the breach; and
  • has a legally enforceable right to recover that loss or damage.

Remediation must occur within 30 calendar days of the Licensee concluding the investigation. For clients who fall outside the scope of the Licensee’s obligation to remediate, the Licensee must still consider whether it would be fair, efficient and honest to remediate.

The obligations in relation to notification, investigation and remediation require Licensees to maintain sufficient records demonstrating their compliance.

Action Items

Licensees, both large and small, should ensure:

  • There are adequate systems in place to identify breaches and report them internally
  • Their risk and compliance function is adequately resourced to investigate and, where required, report breaches to ASIC
  • All communications with clients accurately represent the products and services the Licensee offers and are not misleading or false in substance, or in the impression they give
  • Staff are adequately trained and understand their obligations as an employee / representative of a Licensee, especially in relation to breaches and escalating any incidents
  • Prompt action is taken to investigate a breach and remediate any clients affected

Licensees should ensure their systems and controls for identifying, investigating and reporting breaches include, at a minimum:

  • a breach register in which all breaches and incidents are recorded;
  • adequate and appropriate reporting lines;
  • clear assignment of responsibilities in relation to investigations and reporting to ASIC;
  • senior staff who are appropriately authorised to conduct investigations, with access to all documentation required to assess the significance of the breach and any loss or damage suffered by clients; and
  • senior staff who are appropriately authorised to determine the remediation provided to clients.

If you would like to speak to us about how we could help your business to fulfil the breach reporting obligations, or if you require assistance updating your breach reporting procedures, please contact us.
