A close look at the breach reporting reforms

Breach reporting is changing for Australian financial services licensees, and Australian credit licensees will also have to report breaches on the same basis. The reforms will commence on 1 October 2021.

This article reviews the main differences from the existing breach reporting requirements so that you can plan for any necessary changes to your policies and procedures.

The topics we cover are:

  • What is reportable?
  • Determining whether a breach is significant
  • Timeframes for reporting
  • Initial reporting to customers
  • Mandatory investigation of an issue
  • Notice to customers after mandatory investigation
  • Compensation
  • Reportable situations about other licensees
  • Record keeping
  • ASIC publication of breaches

What is reportable?

Current law

Under the current law, if a financial services licensee has committed a significant breach of certain key obligations under the financial services laws, or is no longer able to comply and is therefore likely to commit a breach of those obligations, the licensee must provide a written report to ASIC.

The key obligations are the general conduct obligations of financial services licensees under sections 912A and 912B of the Corporations Act. These obligations include that you:

  • do all things necessary to ensure that the financial services covered by your licence are supplied efficiently, honestly and fairly;
  • comply with the conditions of your licence;
  • comply with certain financial services laws (not all financial services laws – only some of them are listed for the purposes of breach reporting);
  • have adequate resources to provide the financial services covered by your licence and to carry out supervisory arrangements (unless you are regulated by APRA);
  • be competent to supply the financial services covered by your licence;
  • have trained and competent representatives;
  • take reasonable steps to ensure that your representatives comply with the financial services laws;
  • have a dispute resolution system for retail clients;
  • have adequate risk management systems (unless you are regulated by APRA); and
  • have compensation arrangements for retail clients.

A report is taken to be lodged with ASIC if the licensee is regulated by APRA and the report is received by APRA in accordance with any agreement between APRA and ASIC under which APRA is to act as ASIC’s agent for such reports.

The breach reporting obligation also does not apply in the situation where the licensee is a body regulated by APRA and the auditor or actuary of the licensee gives APRA a written report about the breach before, or within 10 business days after, the licensee becomes aware of the breach.

New law

Under the new law, if there are reasonable grounds to believe that a “reportable situation” has arisen in relation to a financial services licensee or a credit licensee, the licensee must lodge a report in relation to the reportable situation with ASIC. A reportable situation is any of the following:

  • the licensee or a representative has breached a “core obligation” and the breach is significant;
  • the licensee or a representative is no longer able to comply with a core obligation and the breach, if it occurs, will be significant;
  • the licensee or a representative conducts an investigation into one of the above kinds of reportable situation and the investigation continues for more than 30 days;
  • such an investigation discloses that there is no reportable situation of the kind mentioned in the first two points above;
  • in the course of providing a financial service (for a financial services licensee) or engaging in credit activity (for a credit licensee), the licensee or a representative has engaged in conduct constituting gross negligence;
  • the licensee or a representative has committed a serious fraud; or
  • as prescribed by the regulations.

In the case of financial services licensees, the “core obligations” are the general obligations of licensees under sections 912A and 912B of the Corporations Act described above.

In the case of credit licensees, the core obligations are the equivalent obligations of credit licensees found in section 47 of the National Consumer Credit Protection Act.

The exceptions for when reports have been given to APRA are broadly the same under the new law, although the new law does not refer to an agreement between APRA and ASIC and simply requires that the licensee has given a report to APRA which contains all of the information that the licensee would otherwise have been required to give to ASIC.

Implications

The breach or likely breach of core obligations is a continuation of the existing regime for financial services licensees. What has changed is the requirement to also report on investigations of those matters, and to report on gross negligence and serious fraud.

“Serious fraud” is defined in the Corporations Act as an offence involving fraud or dishonesty against an Australian law or any other law that is punishable by imprisonment for life or for a maximum period of at least three months.

Implementing processes to detect and report on gross negligence and serious fraud could pose operational challenges for licensees.

For credit licensees, of course, the whole requirement to report breaches is new. For those credit licensees who also hold an Australian financial services licence, however, the new requirements should not be as much of a burden, because many existing processes used for AFSL breach reporting could be extended to Australian credit licence breach reporting.

Determining whether a breach is significant

Current law

Under the existing breach reporting regime, the Corporations Act specifies that the following factors must be taken into account when determining whether a breach or likely breach is significant:

  • the number or frequency of similar previous breaches;
  • the impact of the breach or likely breach on the licensee’s ability to provide the financial services covered by the licence;
  • the extent to which the breach or likely breach indicates that the licensee’s arrangements to ensure compliance with those obligations is inadequate; and
  • the actual or potential financial loss to clients, or the licensee itself, arising from the breach or likely breach.

New law

The new law will have two tests of whether a breach is significant.

The first test is based on the test under the existing law, and requires the licensee to have regard to:

  • the number or frequency of similar breaches;
  • the impact of the breach on the licensee’s ability to provide financial services covered by the licence (in the case of financial services licensee) or to engage in credit activities covered by the licence (in the case of a credit licensee);
  • the extent to which the breach indicates that the licensee’s arrangements to ensure compliance with those obligations are inadequate; and
  • any matters prescribed by the regulations.

The second test has been described as a “deemed significance test.” A breach of a core obligation is deemed to be significant if one of the following applies:

  • it involves the commission of an offence punishable by a penalty of 12 months or more (or three months or more if the offence involves dishonesty), or contravention of a civil penalty;
  • it involves contravention of certain provisions of the Corporations Act or ASIC Act concerning misleading or deceptive conduct in relation to financial products or services;
  • in the case of a credit licensee, it involves the breach of a “key requirement” under the National Credit Code (except as prescribed by the regulations);
  • the breach results or is likely to result in material loss or damage to a retail client (called a “credit activity client” in the case of a credit licensee); or
  • as prescribed by the regulations.

Implications

The current law includes financial loss to a client as only one of the factors that must be taken into account when determining whether a breach or likely breach is significant.

In contrast, under the new law, if the breach results (or is likely to result) in material loss or damage to the client, then it is deemed to be significant under the second test, regardless of the other factors. What’s more, loss to the client under the new law is not limited to financial loss, although it is necessary that the loss or damage to the client is material.

The new law also identifies certain types of breaches as significant in all circumstances. These are the ones relating to the commission of an offence or civil penalty, breaches concerning misleading or deceptive conduct, and breaches of key requirements under the National Credit Code.

In some ways this deemed significance makes it easier for a licensee to decide whether or not the breach has to be reported: rather than having to weigh up all the factors, the licensee will know that the breach is significant and therefore reportable when it is determined that one of those kinds of contraventions has occurred.

It is also important to note that under the new law, not every “reportable situation” requires an element of significance before it is reportable. Gross negligence and serious fraud are reportable regardless of whether or not the actions are significant.

Timeframes for reporting

Current law

The timeframe for reporting of a breach under the current law is that the report must be made as soon as practicable and in any case within 10 business days after the licensee becomes aware of the breach or likely breach.

New law

The deadline to lodge reports about reportable situations under the new law will be within 30 calendar days after the licensee first knows, or is reckless with respect to whether there are reasonable grounds to believe, the reportable situation has arisen.

Implications

The amended timeframe for reporting allows for additional time for the licensee to lodge its report with ASIC. There will no longer be a requirement to report as soon as practicable. A licensee could therefore decide to report late within the 30 day window, even if it would be practicable to report earlier.

However the new reporting deadline will apply even if the licensee does not actually know that a reportable situation has arisen, if the licensee is reckless with respect to whether there are reasonable grounds to believe that a reportable situation has arisen. The Explanatory Memorandum for the legislation says that this is intended to capture the circumstances where a licensee does not know that there are reasonable grounds to believe a reportable situation has arisen, but it is aware of a substantial risk of this, and in the circumstances known to the licensee, it is unjustifiable to take the risk that there are reasonable grounds to believe a reportable situation has arisen.

Content of the report

Current law

At present, the legislation does not spell out what a breach report to ASIC must include. However, in its regulatory guide on breach reporting, RG 78, ASIC says that the breach report should include:

  • the date of the breach or likely breach;
  • a description of the breach;
  • why the breach is significant;
  • how the breach was identified;
  • how long the breach lasted;
  • information about authorised representatives involved;
  • how the breach was rectified;
  • details of any remediation to compensate clients that have suffered a loss; and
  • any steps taken or to be taken to ensure future compliance with the obligation.

ASIC requires that a breach is reported through the ASIC Regulatory Portal.

New law

Under the new law, reports will have to be made in a prescribed form. The form is not yet available, but the Explanatory Memorandum says that at a minimum, it will require licensees to include the following information:

  • the date the reportable situation occurred;
  • a description of the reportable situation;
  • whether and how the reportable situation has been rectified by the licensee; and
  • the steps that have been taken or will be taken by the licensee to ensure future compliance.

Implications

We will need to see the prescribed form before we can say whether there will be any notable changes to the content of a breach report. Having a prescribed form should make it easier for licensees to include all of the necessary information in their reports to ASIC.

Initial reporting to customers

Current law

Currently there is no obligation on a licensee to report to affected customers in relation to a breach.

New law

The new law will require a licensee to take reasonable steps to notify affected customers of a reportable situation in some cases.

This obligation will only apply to a financial services licensee if the licensee (or a representative of the licensee) provides or has provided personal advice to the affected customer as a retail client in relation to a relevant financial product.

For credit licensees, it will only apply to a credit licensee if the credit licensee (or a representative of the licensee) has provided credit assistance to the affected customer in relation to a credit contract secured by a mortgage over residential property, and the licensee or representative is a mortgage broker.

The requirement to take reasonable steps to notify affected customers arises if:

  • there are reasonable grounds to believe that the reportable situation is a significant breach of a core obligation, or gross negligence or serious fraud;
  • there are reasonable grounds to suspect that the affected client has suffered or will suffer loss or damage as a result of the reportable situation; and
  • there are reasonable grounds to suspect that the affected client has a legally enforceable right to recover the loss or damage from the licensee.

The notice to customers must be given in writing within 30 days. This period is measured from when the licensee first knows of, or is reckless with respect to, having provided the advice or assistance and that there are reasonable grounds to believe that it is a significant breach of a core obligation, or gross negligence or serious fraud.

The notice to customers must be in a form approved by ASIC, if ASIC has approved a form of notice, and include the information, statements, explanations or other matters required by the form, and be accompanied by any other material required by the form.

A licensee has qualified privilege in relation to a notice given to a customer. This means that the licensee is protected if there is an action against the licensee for defamation regarding the contents of the notice. The licensee will also not be liable for any action based on breach of confidence in relation to the giving of notice.

Implications

The requirement to notify customers is new, but it does not apply to all reportable situations. For financial services licensees, the conduct must involve personal advice, and for credit licensees, the licensee must be a mortgage broker and the conduct must relate credit assistance for a loan secured by a residential property mortgage.

Licensees affected by this requirement will be a subset of licensees. They will need to build in customer notification to their breach reporting procedures.

Mandatory investigation of an issue

Current law

Under the current law there is no specific requirement for a licensee to investigate a breach, although in order to properly report the breach, it is probably implied that some level of investigation is needed.

New law

The new law will require a licensee to conduct an investigation in those cases where the licensee is also required to notify the affected customer. The investigation must begin within the same 30 day period for notifying customers.

In conducting the investigation, the licensee is required to identify the conduct that gave rise to the reportable situation and to quantify the loss or damage to the affected customer. The loss or damage that must be quantified is loss or damage that there are reasonable grounds to believe the affected customer has suffered or will suffer as a result of the reportable situation and that the affected customer has a legally enforceable right to recover from the licensee.

There is no hard deadline for completion of the investigation, but it must be completed as soon as reasonably practicable after commencement.

Notice to customers after mandatory investigation

Current law

Just as there is no specific obligation to investigate breaches under the current law, there is currently no obligation either to notify customers of the outcome if an investigation is completed, although again this may occur in practice as part of the remediation of the breach.

New law

Under the new law, on the completion of a mandatory investigation, there is a further obligation to notify the affected customers. The licensee must take reasonable steps to give them notice of the outcome of investigation. This must occur within 10 days after the investigation is completed and be given in writing. If ASIC has approved the form of notice, it must be in that approved form, and include content required by the form and accompanied by any material required by the form.

The licensee has qualified privilege in relation to the notice and is not liable for any action based on breach of confidence in relation to that conduct.

Implications

When an investigation is required under the new law, notice to affected customers at the end of the investigation is also required. Licensees will need to know when notices to customers are required by law and when they are only voluntary.

Compensation

Current law

The current law does not say what a licensee is required to do in terms of compensating customers for any breaches.

New law

The new law will require a licensee to take reasonable steps to pay the customer an amount equal to their loss or damage. This obligation arises when:

  • the investigation is a mandatory investigation;
  • the investigation is completed; and
  • there are reasonable grounds to believe that the affected customer has suffered or will suffer loss or damage as a result of the reportable situation and that the affected customer has a legally enforceable right to recover from the licensee.

These obligations do not affect any legally enforceable right that an affected customer may have to recover loss or damage, but a court may take into account any compensation paid by the licensee under this obligation when determining the amount of any compensation to be paid for loss or damage.

Implications

The compensation requirement only applies in the case of mandatory investigations. It is not required in every case where there is a reportable situation, and it is not required when the licensee conducts a voluntary investigation.

It is of course open to licensees to choose to compensate customers for loss from a breach, even when it is not required by law.

Reportable situations about other licensees

Current law

Under the existing law there is no obligation on a licensee to report to ASIC on any breaches by another licensee.

New law

There will be a requirement under the new law for a licensee to report to ASIC where there are reasonable grounds to believe that there is a reportable situation involving a significant breach or likely breach of a core obligation or gross negligence or serious fraud in relation to another licensee.

This obligation will only apply if an individual who has engaged in conduct that forms part of the reportable situation is:

  • the other licensee;
  • an employee of the other licensee or of a related body corporate of the other licensee, acting within the scope of the employee’s employment;
  • a director of the other licensee or of a related body corporate of the other licensee, acting within the scope of the director’s duties as director; or
  • another representative of the other licensee acting within the scope of the representative’s authority given by the licensee.

In addition, the individual engaged in the conduct:

  • must provide personal advice to retail clients in relation to relevant financial products (in the case of financial services licensees reporting about another financial services licensee);
  • must be a mortgage broker (in the case of credit licensees reporting about other credit licensees).

The reporting period is within 30 days after the reporting licensee first knows of, or is reckless with respect to, the conditions for reporting being met.

The reporting licensee must also give a copy of the report to the licensee being reported on. The licensee has qualified privilege here and is not liable for any action based on breach of confidence in relation to the conduct.

A report is not required if there are reasonable grounds to believe that ASIC is already aware of the reportable situation, including all the information required in a report for the reportable situation.

Implications

Licensees who deal with other licensees involved in providing personal advice or who are mortgage brokers will need to develop reporting mechanisms so that when the licensee knows of (or should know of) a reportable situation arising about those other licensees, a report is given to ASIC. Licensees will need to consider their monitoring of other licensees to ensure that reportable situations are detected when they should be.

Record keeping

Current law

At the moment there is no obligation on a licensee to keep records specifically in relation to its compliance with the breach reporting obligations.

New law

The new breach reporting regime will require licensees to keep records sufficient to enable their compliance with the requirements to be readily ascertained. The regulations may specify records that a licensee is required to keep.

Implications

As a matter of good corporate governance and legal risk management, licensees should already keep records in relation to breach reporting. When the new law commences, this will become a mandatory requirement.

ASIC publication of breaches

Current law

ASIC presently has no statutory obligation to publish details of breaches reported to ASIC.

New law

The new law requires ASIC to publish information for each financial year about breach reports lodged with ASIC or APRA during the financial year. This only applies to reports about breaches and likely breaches of core obligations. ASIC is also required to publish information about the entities who lodged the reports. ASIC’s publication must be made within four months after the end of the financial year and included on its website. It must include any information prescribed by the regulations and follow any requirements in the regulations about how the information is to be organised.

Implications

The Explanatory Memorandum for the new law says that this provision will “enhance accountability and provide an incentive for improved behaviour. It will also assist industry and consumers to identify areas where significant numbers of breaches or likely breaches are occurring, and allow licensees to target their efforts to improve their compliance outcomes in those areas.”

ASIC guidance

ASIC’s regulatory guide on breach reporting, RG 78, should be updated for the new reporting regime.

Contact us if you need legal advice on the breach reporting reforms. 

Patrick Dwyer and Kathleen Harris
Legal Directors

Click here to subscribe to our email list for news, comment and analysis