Current mandatory breach reporting requirements in practice

Ensuring reporting and notification requirements are met

On 1 October 2021, amendments to the Corporations Act 2001 (the Corporations Act) and National Consumer Credit Protection Act 2009 (the NCCP Act), made in response to the Final Report from the Banking and Finance Royal Commission, came into effect.

The amendments expanded the existing scope of breach reporting obligations for Australian Financial Services Licence (AFSL) holders and introduced a new mandatory breach reporting scheme for Australian Credit Licence (ACL) holders (Licensees).

A recap of the changes

The amendments substantially increased the scope of what reports need to be made to ASIC in order to maintain ACL and AFSL compliance.

Compliance with the amended obligations is not possible without enhanced vigilance and awareness of what the obligations are, and what internal compliance processes are required, at all levels of a business.

For example, ASIC Regulatory Guide 78 makes it clear that circumstances may exist where an employee or representative of a licence holder becomes aware of facts or concerns that give rise to a reportable situation. This may be enough to trigger reporting obligations, even if the facts or concerns are not escalated to a company's compliance officers.

This means that staff of all levels will need to be made aware of the current reporting obligations and understand the situations they need to escalate. More than ever, licence holders will need to be across what is going on at all levels of their businesses.

Reportable situations

Previously, an AFSL holder would have to make a report if there was a significant breach or likely significant breach of its core obligations. The licence holder was required to make the report as soon as practicable, or otherwise within 10 business days of becoming aware of the significant breach or likely breach.

ACL holders had no equivalent reporting obligations.

Now, the Corporations Act and NCCP Act set out when a reportable situation will arise. These situations include:

• where there is a breach or likely breach of a core obligation by the licence holder or their representative, and that breach is significant
• where a licence holder or their representative is no longer able to comply with a core obligation and, if that breach occurred, it would be significant
• where there is an internal investigation into whether a significant breach or likely breach has occurred and the investigation lasts for more than 30 days
• where an internal investigation lasting for more than 30 days determines there is no reportable situation
• where the licence holder or their representative has engaged in conduct constituting gross negligence, and
• where the licence holder or their representative has committed serious fraud.

What is a core obligation?

The core obligations of AFSL holders are set out in sections 912A and 912B of the Corporations Act, and include (but are not limited to):

• doing all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly
• having adequate arrangements for the management of conflicts of interest that may arise in relation to activities undertaken by the licensee or a representative of the licensee in the provision of financial services
• complying with the conditions of the holder's financial licence and relevant financial services laws
• taking reasonable steps to ensure that the licence holder's representatives comply with the financial services laws (unless a relevant exception applies)
• having adequate resources (including financial, technological and human resources) to provide the financial services covered by the licence (including supervisory arrangements)
• maintaining the competence to provide the licensed financial services
• ensuring the licensee's representatives are adequately trained and competent to provide those financial services.

These examples are not exhaustive, and a number of additional obligations apply to certain AFSL holders that provide financial services to retail customers.

What is a "significant" breach?

Both AFSL and ACL holders have 30 days to make a report to the regulatory authority from the time:

• they have knowledge of a reportable situation
• they have reasonable grounds to believe a reportable situation has occurred, or
• they are reckless as to knowing whether a reportable situation has arisen.

Historically, whether a breach or likely breach was "significant" could be subjectively determined by the licence holder in its sole discretion. In addition, a time limit did not apply for the licence holder to determine whether an incident was significant or not. A licence holder could avoid making a report to ASIC in circumstances where a decision as to whether a breach had occurred, and whether that breach was significant, had not been made as the (then) 10-day reporting time limit would not have commenced.

The new regulatory framework limits the level of discretion a licensee has in determining whether a breach or likely breach is "significant" by setting out a number of situations that will automatically be classified as significant, including situations that:

• constitute an offence under any law (including the Corporations Act or the Australian Securities and Investments Commission Act 2001 (the ASIC Act)) that is punishable by conviction of 12 months or more (three months if the offence involves dishonesty)
• constitute a breach of a prescribed civil penalty provision under any law (including the Corporations Act or ASIC Act), or
• constitute misleading or deceptive conduct pursuant to s 1042H of the Corporations Act or 12DA(1) of the ASIC Act.

The result of these changes is that circumstances which, under the old reporting regime, may not have been viewed by licence holders as "significant" breaches could now be considered reportable situations.

There is increased potential for these new reporting obligations to arise in situations relating to misleading and deceptive conduct. For example, an isolated incident of misleading and deceptive conduct may not have been considered a significant breach by licensees in the past. Now, any breach which is constituted by a contravention of misleading and deceptive conduct provisions under the Corporations Act or ASIC Act is now deemed significant by the new regime.

Obligations to notify affected retail clients

In some situations, licensees are now also required to notify clients when they may have suffered a loss by reason of a reportable situation. Notification obligations arise when:

• the client is a retail client
• personal advice has been provided to the affected client in relation to a relevant financial product
• there are reasonable grounds to believe that the reportable situation relates to a significant breach of a core obligation, gross negligence or serious fraud, and
• there are reasonable grounds to suspect that the affected client has or will suffer loss or damage as a result of the reportable situation, and they are entitled to recover this loss from the licensee.

Licensees must take reasonable steps to:

• notify the affected client/s, and
• commence an investigation into the reportable situation to identify the cause of the reportable situation and quantify any loss suffered by the client/s, within 30 days of having reasonable grounds on which to suspect a reportable situation has occurred.

If, at the completion of the investigation the licensee has reasonable grounds to believe the client has or will suffer loss or damage as a result of the reportable situation, and the client would be entitled to recover that loss from the licensee, the licensee must, within 30 days after completing their investigation, take reasonable steps to compensate the affected client for such loss.

Some practical impacts to consider

The updates to the reporting regime are onerous on licensees. These requirements will almost invariably lead to a significant increase in the number of reports made to ASIC by AFSL and ACL holders.

Failure to comply with these obligations can result in substantial civil or criminal penalties.

In addition, ASIC will be publishing data in respect of the breach reports lodged under this new framework. This could include the names of licensees and the volume of their reported breaches. This will no doubt provide useful insights for the financial services industry, but could equally result in reputational damage for reporting licensees and those that are pursued by the regulator for failures to report.

It will take time for the true impact of these amendments on licensees to be assessed. However, for now, the following key matters are clear:

• This new regulatory framework creates a level of objectivity to what must be reported to ASIC in respect of reportable breaches.
• The objective criteria and timelines for reporting mean that licensees need to have systems in place to ensure potential reporting events are identified and escalated, with investigations conducted promptly and reporting actioned as required.
• Delaying or avoiding reporting requirements due to the delay of internal determinations as to potential breaches will no longer be possible for events that fall under the new regime.
• Clear and efficient procedures to identify, assess and investigate potential breaches quickly will be essential to ensuring compliance and avoiding penalties.
• Relevant personnel at all levels will need to be made aware of the new reporting obligations and develop an understanding of facts and circumstances that may give rise to a reportable situation, to ensure that reportable events are appropriately escalated within the organisation.

For more information on how these changes will impact your organisation, please contact a member of our team.

Image by Priscilla du Preez on Unsplash.