Revisiting the new mandatory reporting obligations to ASIC

Almost 12 months have now passed since the mandatory breach reporting amendments to the Corporations Act and National Consumer Credit Protection Act 2009 came into effect.

The updated and onerous self-reporting obligations, made in response to the Royal Banking Commission, caused a substantive rethink of how companies and licensees configure their internal systems and protocols to ensure regulatory compliance in their mandatory breach reporting and to avoid any regulatory compliance issues.

The changes, which took effect on 1 October 2021, create additional ASIC reporting requirements for Australian Financial Services Licence (AFSL) and Australian Credit Licence (ACL) holders and their representatives. A failure to meet the new obligations could come at a high cost as ASIC will now publish data about the breach reports lodged with ASIC by licensees each financial year. This data may include licensee names and the volume of breaches reported.

A detailed summary of the regulatory changes can be found here.

On 10 August 2022 ASIC released a media update confirming its commitment to the new reporting regime and its ongoing engagement with industry as businesses continue to make the transition to more onerous requirements. ASIC has restated its intention to continue its engagement with licensees to understand any issues with the new regime and to set clear expectations for compliance.

Of particular interest for licence holders is the fact that ASIC also confirmed that its first annual report regarding information collected under the reporting regime is scheduled to be published in October 2022. ASIC has indicated that the report will include high-level insights into the trends identified from the breach reporting. However it has also confirmed that, at least for now, the names of licensees (and the number and nature of the breaches reported by each licensee) will not be included in the report.

ASIC has flagged the likely inclusion of this information in future reports. Businesses can expect ASIC to consult with industry stakeholders before it undertakes reporting at a licensee level, currently expected in 2024.

How have you fared under the updated regime?

Given the impact of the changes to the regulatory framework and the imminent release of ASIC's first annual report under the new regime, now is an excellent time to revisit your compliance strategies and confirm they are working to minimise your regulatory risk. That is, do your compliance strategies facilitate your adherence to the new ASIC reporting requirements?

Protocols health check

Reaching a finalised procedure may need adjustments along the way. To make sure you are meeting the new regulatory requirements, consider the following:

• Does your company have clear and unequivocal guidelines identifying the process of internal reporting lines when a reportable incident arises or is thought to have arisen?
• Have you identified people in your organisation who are accountable for decisions regarding a reportable situation?
• Do your employees understand these processes and who they need to go to when they identify a possible reportable situation?
• Do your employees have enough information to identify and escalate a possible reportable situation?
• Do you have a clear protocol for undertaking quick internal investigations? It is preferable to complete investigations within 30 days where possible in order to avoid triggering unnecessary reportable situations.
• Do you have processes in place to check your strategies are working? This will minimise the risk of an incident falling through the gaps.
• Are your processes working, and do they deliver quick results?

If you've answered no, or you don’t know the answer to any of these questions, you may not be meeting your regulatory requirements and may be exposing yourself to unnecessary "reputational risk", civil or criminal penalties (such as pecuniary penalties in excess of $908,700 for individuals or $9 million for body corporates or up to five years' imprisonment). Organisations taking a proactive approach to considering regulatory compliance risk management and proactive compliance measures will be best placed to comply and to meet the reporting and related consumer protection purposes of the new regime.

Adhering to these new regulatory requirements is likely to require consideration and the adjustment of existing risk and compliance processes and procedures. A proactive approach is however the most likely way to minimise any consequential "reputational risk" to your organisation for inadequate reporting and in turn reduce the risk of further inquiry or potential ASIC investigations. Your legal and regulatory team should identify gaps in compliance, and work with you to devise essential strategies for regulatory compliance, including:

• staff training to ensure they are able to identify and appropriately escalate potential reportable situations
• compliance and reporting protocols which ensure the new obligations and timelines are met
• rectifying known regulatory compliance issues and establishing controls and safeguards against recurrences
• implementation of risk minimisation strategies
• reputational risk management in circumstances where breaches are reportable to clients or create concerns when published by ASIC.

For advice and support regarding corporate conduct and how to manage your compliance obligations, contact our experienced team of experts.