Australian Credit Licensees (“Licensees”) are required to submit breach reports to ASIC within 30 calendar days of becoming aware of the breach or likely breach. ASIC has previously noted that Licensees should not wait until the breach is rectified to provide a report to ASIC, but rather, the report must be sent within 30 calendar days of the Licensees having knowledge of the breach.
What do you need to report?
The legislation prescribes a list of Reportable Situations which apply to Licensees, these include:
- a core obligation has been breached by the Licensee (or its representative) and the breach is significant;
- the Licensee (or its representative) is no longer able to comply with a core obligation and the breach, if it occurs, will be significant;
- an investigation is conducted into whether there is a breach (or possible breach) of a core obligation and the investigation continues for more than 30 days; or
- the Licensee (or its representative) has engaged in gross negligence or committed serious fraud.
Core obligations include the general obligations outlined in s47 of the National Consumer Credit Protection Act 2009 (National Credit Act).
When is a Breach ‘Significant’?
The test for significance includes an objective test and a subjective test.
The circumstances where a breach of a core obligation is deemed to be significant are prescribed as follows:
- the breach is the commission of an offence which is punishable by imprisonment for 12 months or more (or 3 months where the offence involves dishonesty);
- the breach is the contravention of a civil penalty provision under any law;
- the breach is the contravention of provisions of the Corporations Act or ASIC Act relating to misleading or deceptive conduct;
- the breach results in, or is likely to result in, material loss or damage to clients or members.
Where the breach is not deemed to be significant, Licensees are required to apply the following subjective factors to determine significance, including:
- the number and frequency of similar breaches;
- the impact of the breach on the Licensee’s ability to provide services covered by the Licensee;
- the extent to which the breach indicates that the Licensee’s arrangements to ensure compliance are inadequate; and
- any other matters prescribed by regulations.
How do you report breaches?
Licensees are required to submit breach reports to ASIC via the ASIC Regulatory Portal. ASIC has developed a prescribed form which will need to be completed to submit Reportable Situations.
Other key features of the ASIC Regulatory Portal include:
- a record of previous breach reports;
- the ability to track the status of submitted breach reports; and
- the ability to correspond with ASIC online about submitted breach reports.
You can also invite trusted representatives to access the Regulatory Portal and act on your behalf to submit ASIC breach reports. When inviting a trusted representative, you can define user access levels that will dictate what other users can do on your behalf within the portal such as authorising another user to launch and edit a transaction but not submit a transaction.
These obligations are triggered where credit assistance has been provided by a mortgage broker in relation to a credit contract secured by a mortgage over residential property, and there are grounds to believe:
- a Reportable Situation has arisen;
- the affected client has, or will, suffer loss or damage as a result of the Reportable Situation; and
- the affected client has a legally enforceable right to recover the loss or damage.
Having knowledge of these factors, or being reckless with respect to these factors, triggers the notification, investigation and remediation obligations.
Notification must occur within 30 calendar days of the Licensees having knowledge that the obligations have been triggered. Licensees must take reasonable steps to notify the affected client. The notification to potentially affected clients must be in writing and describe the nature of the Reportable Situations and the basis for the Licensee’s belief that the client has, or will, suffer loss or damage.
Investigations must commence within 30 calendar days of the Licensee having knowledge that the obligations have been triggered. The investigation should:
- Identify the conduct that gave rise to the Reportable Situation;
- Quantify the loss or damage the affected client has, or will, suffer (where that loss is legally enforceable);
- Be complete and thorough.
Licensees are also required to notify affected clients in writing of the outcome of their investigation within 10 days of concluding the investigation.
Licensees must take reasonable steps to pay affected clients an amount equal to their loss or damage who the Licensees have reasonable grounds to believe have:
- suffered, or will suffer, loss or damage as a result of the reportable situation;
- a legally enforceable right to recover that loss or damage.
Remediation must occur within 30 calendar days of the Licensee concluding the investigation. For clients who fall outside the scope of the Licensee’s obligation to remediate, the Licensee must still consider whether it would be fair, efficient and honest to remediate.
The obligations in relation to notification, investigation and remediation require Licensees to maintain sufficient records demonstrating their compliance.
Licensees both large and small, should ensure:
- There are adequate systems in place to identify breaches and report these internally;
- Their risk and compliance function is adequately resourced to investigate and, where required, report breaches to ASIC;
- All communications with clients accurately represent the products and services the licensee offers and are not misleading or false in substance, or in the impression they give;
- Staff are adequately trained and understand their obligations as an employee of a licensee, especially in relation to breaches and escalating any incidents; and
- Prompt action is taken to investigate a breach and remediate any clients affected.
Licensees should ensure their systems and controls for identifying, investigating and reporting breaches include, at a minimum:
- a breach register in which all breaches and incidents are recorded;
- adequate and appropriate reporting lines;
- clear assignment of responsibilities in relation to investigations and reporting to ASIC;
- senior staff are appropriately authorised to conduct investigations, with access being granted to all documentation required to make an assessment in relation to the significance of the breach and any loss or damage suffered by clients;
- senior staff are appropriately authorised to make a determination as to the remediation provided to clients.
If you would like to speak to us about how we could help your business to fulfil the breach reporting obligations, or if you require assistance updating your breach reporting procedures, please contact us.