Breach Reporting by AFS Licensees

Australian Financial Services Licensees (“AFS Licensees”) must submit breach reports to ASIC within 30 calendar days of becoming aware of a breach or likely breach. ASIC has previously noted that AFS Licensees should not wait until the breach is rectified before reporting it: the report must be lodged within 30 calendar days of the AFS Licensee becoming aware of the breach, whether or not it has been fixed by then.

What do you need to report?

The legislation prescribes a list of Reportable Situations that apply to AFS Licensees. These include:

  • a core obligation has been breached by the AFS Licensee (or its representative) and the breach is significant;
  • the AFS Licensee (or its representative) is no longer able to comply with a core obligation and the breach, if it occurs, will be significant;
  • an investigation is conducted into whether there is a breach (or possible breach) of a core obligation and the investigation continues for more than 30 days; or
  • the AFS Licensee (or its representative) has engaged in gross negligence or committed serious fraud.

Core obligations include the general obligations set out in sections 912A and 912B of the Corporations Act 2001 (Corporations Act).

When is a Breach ‘Significant’?

The test for significance includes an objective test and a subjective test.

Objective Test

The circumstances where a breach of a core obligation is deemed to be significant are prescribed as follows:

  • the breach is the commission of an offence which is punishable by imprisonment for 12 months or more (or 3 months where the offence involves dishonesty);
  • the breach is the contravention of a civil penalty provision under any law;
  • the breach is the contravention of provisions of the Corporations Act or ASIC Act relating to misleading or deceptive conduct;
  • the breach results in, or is likely to result in, material loss or damage to clients or members.
 
Subjective Test

Where the breach is not deemed significant under the objective test, AFS Licensees must consider the following factors to determine whether it is significant:

  • the number and frequency of similar breaches;
  • the impact of the breach on the AFS Licensee’s ability to provide the services covered by its AFS licence;
  • the extent to which the breach indicates that the AFS Licensee’s arrangements to ensure compliance are inadequate; and
  • any other matters prescribed by regulations.

How do you report breaches?

AFS Licensees are required to submit breach reports to ASIC via the ASIC Regulatory Portal. ASIC has developed a prescribed form that must be completed to submit a Reportable Situation.

Other key features of the ASIC Regulatory Portal include:

  • a record of previous breach reports;
  • the ability to track the status of submitted breach reports; and
  • the ability to correspond with ASIC online about submitted breach reports.

You can also invite trusted representatives to access the Regulatory Portal and act on your behalf to submit ASIC breach reports. When inviting a trusted representative, you can set user access levels that dictate what that user can do on your behalf within the portal, such as authorising them to launch and edit a transaction but not to submit it.

Notify, Investigate and Remediate Obligations

These obligations are triggered where personal financial product advice has been provided to retail clients in relation to a relevant financial product (other than basic banking products, general insurance products and consumer credit insurance), and there are reasonable grounds to believe that:

  • a Reportable Situation has arisen;
  • the affected client has suffered, or will suffer, loss or damage as a result of the Reportable Situation; and
  • the affected client has a legally enforceable right to recover the loss or damage.

Having knowledge of these factors, or being reckless with respect to these factors, triggers the notification, investigation and remediation obligations.

Notify

Notification must occur within 30 calendar days of the AFS Licensee having knowledge that the obligations have been triggered. AFS Licensees must take reasonable steps to notify the affected clients. The notification must be in writing and describe the nature of the Reportable Situation and the basis for the AFS Licensee’s belief that the client has suffered, or will suffer, loss or damage.

Investigations

Investigations must commence within 30 calendar days of the AFS Licensee having knowledge that the obligations have been triggered. The investigation should:

  • identify the conduct that gave rise to the Reportable Situation;
  • quantify the loss or damage the affected client has suffered, or will suffer, where the client has a legally enforceable right to recover it; and
  • be complete and thorough.

AFS Licensees are also required to notify affected clients in writing of the outcome of their investigation within 10 days of concluding the investigation.

Remediation

AFS Licensees must take reasonable steps to pay affected clients an amount equal to their loss or damage where the AFS Licensee has reasonable grounds to believe that the client:

  • has suffered, or will suffer, loss or damage as a result of the breach; and
  • has a legally enforceable right to recover that loss or damage.

Remediation must occur within 30 calendar days of the AFS Licensee concluding the investigation. For clients who fall outside the scope of the AFS Licensee’s obligation to remediate, the AFS Licensee must still consider whether it would be fair, efficient and honest to remediate.

The obligations in relation to notification, investigation and remediation require AFS Licensees to maintain sufficient records demonstrating their compliance.

Action Items

AFS Licensees, both large and small, should ensure:

  • There are adequate systems in place to identify breaches and report these internally;
  • Their risk and compliance function is adequately resourced to investigate and, where required, report breaches to ASIC;
  • All communications with clients accurately represent the products and services the licensee offers and are not misleading or false in substance, or in the impression they give;
  • Staff are adequately trained and understand their obligations as an employee of a licensee, especially in relation to breaches and escalating any incidents; and
  • Prompt action is taken to investigate a breach and remediate any clients affected.

AFS Licensees should ensure their systems and controls for identifying, investigating and reporting breaches include, at a minimum:

  • a breach register in which all breaches and incidents are recorded;
  • adequate and appropriate reporting lines;
  • clear assignment of responsibilities in relation to investigations and reporting to ASIC;
  • senior staff are appropriately authorised to conduct investigations, with access to all documentation required to assess the significance of the breach and any loss or damage suffered by clients; and
  • senior staff are appropriately authorised to determine the remediation to be provided to clients.

If you would like to speak to us about how we could help your business to fulfil the breach reporting obligations, or if you require assistance updating your breach reporting procedures, please contact us.

Further Reading

ASIC Regulatory Guide 78

Financial Sector Reform (Hayne Royal Commission Response) Act 2020

ASIC’s FAQ Page about reportable situations

Breach Reporting – ASIC’s Insights

Info Sheet 259: Complying with the notify, investigate and remediate obligations