New changes to breach reporting commence from 1 October 2021. The changes are significantly more onerous on Australian Financial Services (“AFS”) and Credit Licensees than the previous breach reporting regime.
The New ‘Reportable Situations’
The new legislation prescribes a list of reportable situations which apply to AFS and credit licensees, these include:
- a core obligation has been breached by the licensee (or its representative) and the breach is significant;
- the licensee (or its representative) is no longer able to comply with a core obligation and the breach, if it occurs, will be significant;
- an investigation is conducted into whether there is a breach (or possible breach) of a core obligation and the investigation continues for more than 30 days; or
- the licensee (or its representative) has engaged in gross negligence or committed serious fraud.
The core obligations in the new provisions cover the same provisions as the current breach regime. For AFS licensees, these are the obligations under Sections 912A or 912B of the Corporations Act and for credit licensees, the obligations included under section 47 of the National Consumer Credit Protection Act.
When is a Breach ‘Significant’?
The test for significance has changed and now includes an objective test. The circumstances where a breach of a core obligation is deemed to be significant are prescribed as follows:
- the breach is the commission of an offence which is punishable by imprisonment for 12 months or more (or 3 months where the offence involves dishonesty);
- the breach is the contravention of a civil penalty provision under any law;
- the breach is the contravention of provisions of the Corporations Act and ASIC Act relating to misleading or deceptive conduct;
- the breach results in, or is likely to result in, material loss or damage to clients or members.
The current subjective factors still apply, including:
- the number or frequency of similar breaches;
- the impact of the breach on the licensee’s ability to provide services covered by the licence;
- the extent to which the breach indicates that the licensee’s arrangements to ensure compliance are inadequate; and
- any other matters prescribed by regulations.
Notification to ASIC and Clients – Breach Reporting Process
The Act introduces a new breach reporting process all licensees must adhere to, including a 30-day timeframe to report breaches to ASIC and in some cases, to retail clients.
From 1 October 2021, the following investigations will be required
- AFS licensees must conduct investigations into breaches where financial product advice has been provided to retail clients; and
- Credit licensees must conduct investigation into breaches where credit assistance has been provided by a mortgage broker in relation to a credit contract secured by a mortgage over residential property.
Investigations must commence within 30 days of the licensee having knowledge of circumstances involving a significant breach of a core obligation, gross negligence or serious fraud.
Reminiscent of the introduction of AFCA’s Datacube, the new provisions include a requirement for ASIC to report on their website within 4 months of the end of the financial year the details of certain breach reports received.
AFS and credit licensees need to ensure their breach reporting procedures are up to date and all team members are aware of the new obligations. As there will be more breach reports being lodged with ASIC, your systems and controls for identifying, investigating and reporting breaches will need to be appropriately modified and enhanced.
ASIC has released the final guidance ahead of the new obligations commencing in October 2021.
- ASIC Regulatory Guide 78
- ASIC Consults on Draft Guidance on Breach Reporting Reforms
- Financial Sector Reform (Hayne Royal Commission Response) Act 2020
- Breach Reporting and Related Obligations
If you would like to speak to us about how the breach reporting obligations affect your business, or if you require assistance updating your breach reporting procedures, please contact us.