ASIC’s final guidance on breach reporting - what’s changed?
The new regime on breach reporting for financial services and credit licensees begins on 1 October 2021.
On 7 September 2021, ASIC published its final guidance, Regulatory Guide 78: Breach reporting by AFS licensees and credit licensees (“RG 78”). A consultation draft of RG 78 had been released back in April 2021.
There are some points to note in the final guidance that differ from the draft version of RG 78.
Reportable situations
A licensee must report to ASIC if it knows (or is reckless with respect to whether) there are reasonable grounds to believe a “reportable situation” has arisen. RG 78 clarifies the standard of facts or evidence required. A licensee must report to ASIC “if there are sufficient facts or information to found an objectively reasonable belief. That is, you may have reasonable grounds to believe a reportable situation has arisen when other possible explanations are available, and this legal threshold does not require facts or evidence amounting to certain proof that there is a breach.” (RG 78.87-88).
Reporting delays and legal advice
ASIC has modified its commentary on delays in reporting. There is a 30 calendar day reporting deadline under the new breach reporting regime. In the draft version of RG 78, ASIC said that a licensee should not wait to lodge a report until after the board of directors or legal counsel had considered the matter, among other things. ASIC now says that a licensee should not delay on these grounds if it has reasonable grounds to believe that a reportable situation has arisen and if to do so would take the licensee beyond the 30 calendar day reporting period (RG 78.100).
On the matter of obtaining legal advice, ASIC says that licensees are best placed to determine whether or not legal advice is required before reporting, but it expects that licensees will not need to obtain legal advice for every case, and licensees should not wait for further sign-off from internal or external legal advisers if they have reasonable grounds to believe a reportable situation has arisen (RG 78.100-101).
Multiple breaches
RG 78 now includes guidance on how to report when there are multiple breaches which share a common origin. ASIC says that when there are multiple reportable situations arising from a single, specific root cause, you may be able to notify ASIC of these multiple reportable situations in one report (RG 78.112). In the breach report, the reporting licensee will be able to specify how many reportable situations relate to the breach or likely breach that is being reported (Table 8).
ASIC notes that update functionality is available on the ASIC Regulatory Portal, and is accessible from the reportable situation event created when the initial report is lodged. ASIC says that licensees may use this functionality to provide updates on a report that has already been lodged, or to notify ASIC of the completion of rectification and remediation processes. It can also be used after the breach report has been lodged if the licensee identifies additional instances of reportable situations that are similar or related to reportable situations that arise from the same single, specific root cause (RG 78.117).
Exemptions
RG 78 now takes account of exemptions which have recently been granted in regulations and an ASIC instrument to exclude various civil penalty provisions and key requirements from being breaches that are “deemed” significant. These breaches, however, may still be significant and therefore reportable if they meet the other criteria of a significant breach (RG 78.42-43).
Investigations
The new breach reporting requirements include an obligation to report investigations into possible breaches that go beyond 30 days. ASIC considers that the mere receipt of a detective control such as a complaint, a whistleblower disclosure or a regulatory request is not an investigation that must be reported. It also considers that preliminary steps and initial fact-finding inquiries into the nature of the incident that are completed over a short timeframe and conducted as an initial response to detective controls (such as the receipt of a complaint) would not generally be reportable.
RG 78 also states that “business as usual” inquiries, such as routine audits, quality assurance monitoring, or other internal compliance review processes, are only reportable if they are triggered by an incident or assess (or will be assessing) a possible breach of a core obligation (RG 78.57). ASIC notes that the person or team within the licensee that commences an investigation (e.g. a compliance team) does not determine whether a reportable investigation has commenced. What matters is the nature of the activities being conducted (RG 78.58).
Reporting other licensees
In some circumstances relating to financial advisers and mortgage brokers, the new breach reporting requirements compel a licensee to report on reportable situations in relation to other licensees. RG 78 says that licensees do not need to proactively investigate any possible misconduct of other licensees, but they must not turn a blind eye to facts that are before them. This may include, for example, where information comes to light through usual practices or processes, such as a due diligence process as part of a business transfer (RG 78.75).
AML/CTF
The revised RG 78 recognises that a matter reportable to ASIC under the breach reporting regime may also be reportable to AUSTRAC as a suspicious matter report (“SMR”) where the licensee is a “reporting entity” under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (the “AML/CTF Act”).
There are “tipping off” provisions in the AML/CTF Act which prohibit a reporting entity from disclosing any information about the SMR. However, there is an exception to the tipping off prohibition when disclosure is made in compliance with a law of the Commonwealth, a State or Territory, and ASIC is of the view that disclosure in a breach report to ASIC would fall within this exception (RG 78.80-81).
Transitional provisions
In the final RG 78, ASIC has provided clarification on the transitional provisions for the new breach reporting regime.
For a financial services licensee, an investigation that commences before 1 October 2021 may become a reportable situation if the investigation is still in progress on or after 1 October 2021 and continues for more than 30 days, where the investigation concerns an incident that started before 1 October 2021, and the conduct that is the subject of the incident is still continuing on 1 October 2021 (RG 78.17).
For a credit licensee, the breach reporting framework applies only in relation to reportable situations arising on or after 1 October 2021, and credit licensees are not required to report breaches of the National Consumer Credit Protection Act 2009 (Cth) that occurred wholly before 1 October 2021, even if the breach is identified on or after 1 October 2021 (RG 78.23).
* * *
The finalised RG 78 has been released only a few weeks before the commencement of the breach reporting changes, which is not convenient for licensees in the process of preparing for them. However, ASIC has published a statement of its approach to the enforcement of these reforms and the other regulatory changes coming into effect in October 2021, in which it says that it will take a “reasonable approach” in the early stages of the reforms, as long as industry participants are using their best efforts to comply.
If you need assistance complying with the breach reporting requirements, please contact us.
Patrick Dwyer and Kathleen Harris
Legal Directors