Key Takeaways

In September 2021, ASIC published its new Regulatory Guide 78 – Breach Reporting by AFS Licensees and Credit Licensees (RG 78) on the new and revised breach reporting obligations introduced by the Financial Sector Reform (Hayne Royal Commission Response) Act 2020 (FSR Act).

The guidance provides important insights into ASIC’s expectations as to how licensees should comply with the enhanced breach reporting requirements, including additional examples to those in draft RG 78 that had been released for consultation.

When do the new breach reporting obligations apply?

The FSR Act amends existing s912D of the Corporations Act 2001 (Cth) (the Act), and introduces new s912DAA, with effect from 1 October 2021.

The new regime requires AFS licensees to report all ‘reportable situations’ to ASIC that arise on or after 1 October 2021.

The former breach reporting regime continues to operate on a transitional basis for breaches (or likely breaches) that arise wholly before 1 October 2021, provided the licensee knows of the breach (or likely breach) prior to the commencement of the new regime.

What must be reported to ASIC

New s912DAA of the Act requires AFS licensees report to ASIC all ‘reportable situations’.

In RG 78, ASIC refers to four types of ‘reportable situations', namely:

1. breaches or ‘likely breaches’ of core obligations that are significant;
2. investigations into breaches or likely breaches of core obligations that are significant;
3. additional reportable situations; and
4. reportable situations about other licensees.

1. Breaches or likely breaches of core obligations that are significant

The first reportable situation is any ‘significant’ breach (or likely significant breach) by a licensee or its representative of a licensee’s ‘core obligations’.

‘Core obligations’ are those existing obligations under s912D(3) of the Act.

Before being reported to ASIC, a ‘determination of significance’ will therefore be required by the licensee in a similar way to that under the previous regime (i.e. having regard to the relevant factors in s912D(5) of the Act which include the number and frequency of similar breaches, the impact of the breach/likely breach on the licensee’s ability to provide financial services, and the extent to which the breach indicates the licensee’s compliance arrangements are inadequate).

In certain situations, a breach (or likely breach) of a core obligation is a ‘deemed significant breach’ that triggers an automatic reporting obligation.¹ These situations include breaches that result or are likely to result in ‘material loss or damage’ to customers. The ASIC Guidance identifies that a licensee should consider the financial circumstances of clients (retail and wholesale) affected by a breach in considering whether loss or damage suffered is material.

The ASIC Guidance also provides examples of material loss and damage. An example provided relates to a superannuation fund trustee who identifies issues with its operation and control systems that led to overcharging of member insurance premiums. The trustee establishes that the individual loss to members is low but the breach collectively results in a large cohort of affected members (over 70,000) who suffer a significant collective loss (over $5 million). ASIC outlines that in assessing whether a breach results, or is likely to result, in material loss or damage to a member or members of a superannuation entity, a superannuation fund trustee should take into account the total and aggregated loss or damage to affected members of the entity, even if the individual loss per affected member is small.

2. Investigations into breaches or likely breaches of core obligations that are significant (‘Reportable Investigations’)

The high water mark under the new regime is that an investigation into a significant breach (or likely significant breach) of a core obligation is now reportable if the investigation continues for more than 30 calendar days. The outcome of such an investigation (whether or not a breach is found by the licensee) is also a separate automatic ‘reportable investigation’.

The time at which an investigation commences will therefore be critical for reporting purposes. ASIC makes it clear that it will not be a matter ‘of a subjective determination’ by a licensee, but rather will be ‘a matter of fact’.

RG 78 explains that what constitutes a reportable investigation will depend on the specific facts of each case and ‘is likely to vary significantly depending on the size of the licensee’s business, their internal systems and processes, and the type of breach’. ASIC adds that what is critical is ‘the nature of the activities being conducted not which team is conducting them’, and how a licensee labels the activity in its internal processes will not be relevant to determining a reporting obligation.

Table 6 in RG 78 provides a useful example for life insurers relating to customer complaints (example 6(d)). ASIC also confirms that an investigation does not commence as soon as a customer complaint is received and/or acknowledged by a licensee. However, ASIC points out that when the licensee takes steps towards determining whether a significant breach has occurred, including further information gathering, then an investigation would be considered to have commenced.

3. ‘Additional reportable situations’

This includes conduct constituting gross negligence or serious fraud.

4. Reportable situations about other licensees 

New obligations exist to report another licensee, such as a financial adviser where there are reasonable grounds to believe a ‘reportable situation’ has arisen. The ASIC Guidance clarifies that there is no obligation for licensees to ‘proactively investigate any possible misconduct of other licensees’, though they ‘must not turn a blind eye’ to facts that would reasonably give rise to such concerns.

When and how to report to ASIC 

Reports must be lodged with ASIC within 30 calendar days after licensees ’first know that’ (or are ‘reckless’ as to whether) there are ‘reasonably grounds to believe’ a ‘reportable situation’ has arisen.

ASIC clarifies that ‘reasonable grounds to believe’ a reportable situation has arisen ensures that the breach-reporting obligation is clearly ‘an objective standard’.  

For investigations continuing after 30 days, as discussed above, these will automatically become a ‘reportable situation’ on ‘Day 31 of the investigation’ and there is a further 30 days to lodge a report with ASIC.

The consequences of not complying with breach reporting obligations are severe and can attract both civil and criminal penalties.

Reportable situations must be reported to ASIC using the prescribed form through the ASIC portal. ASIC will be enabling licensees to report multiple reportable situations in one transaction, provided they can be grouped together on the basis that they relate to ‘a single, specific root cause’ (i.e. an underlying cause of the breach).

Implications 

The new reporting regime will undoubtedly lead to a larger volume of breach reports to ASIC. Licensees have been preparing for such changes, including ensuring systems are in place for identifying, assessing, recording and reporting reportable situations to ASIC.

A key area of focus will need to be on when the 30 day clock starts to run on an investigation. The ASIC guidance provides commentary and examples that highlight ASIC’s expectations that the 30 day timeframe can commence prior to any incident being referred to the legal department. Licensees will need to ensure processes are in place that reflect ASIC’s guidance regarding the 30 day period.

^₁ See s912D(4) of the Corporations Act.