Self-reporting of significant breaches for credit licensees proposed

Australian credit licence (ACL) holders will have to self-report significant actual or likely breaches of their licence obligations if a proposal by the taskforce conducting a Review of ASIC Enforcement (Taskforce) is adopted.

One of the responsibilities of the Taskforce is to look at the adequacy of the framework for notifying ASIC of breaches of the laws.

The Taskforce has released a position and consultation paper on self-reporting of contraventions by Australian financial services licence (AFSL) and ACL holders, setting out 12 key preliminary positions taken by the Taskforce and seeking public consultation.

Self-reporting obligations

Currently, AFSL holders must report actual or likely breaches of their obligations if the breach is, or is likely to be, significant. ACL holders do not have the same ongoing self-reporting obligations. ACL holders are instead required to complete an annual compliance certificate.

Although credit licensees must have systems in place to comply with their general obligations, the introduction of self-reporting of significant breaches will mean that credit licensees will need to ensure that their existing systems are appropriate, so that significant breaches are identified and escalated inside the organisation within the required timeframes. In particular, staff will need training to comply with these new requirements. The introduction of self-reporting may well result in increased compliance costs, especially for credit licensees who are small to medium-sized enterprises.

Under the Taskforce’s proposal, ACL holders would still have to lodge an annual compliance certificate.

What triggers the obligation to report?

“Significance” test

The Taskforce is of the view that the significance test for reporting breaches should be retained, but considers it is too subjective in its current form. It proposes that significance should be determined by an objective standard, where licensees are required to notify ASIC of matters that a reasonable person would regard as significant, having regard to the existing factors in the Corporations Act.

The Taskforce suggests that ASIC could provide guidance, listing certain types of breaches which ASIC considers should always be reported.  These may include matters that involve dishonesty (as defined in the Criminal Code), breaches or suspected breaches of civil penalty provisions in Chapter 7 of the Corporations Act, breaches or suspected breaches of the consumer protection provisions of the ASIC Act, or breaches or suspected breaches of the managed investment scheme provisions of the Corporations Act.

Conduct of representatives and employees

The Taskforce is concerned that misconduct by individual representatives or employees may not be reported as it may not be considered significant in the overall context of the licensee’s business.

The Taskforce’s preliminary position is that the reporting obligation should expressly include significant breaches or other misconduct by an employee or representative.

Licensees reporting to ASIC in these circumstances will have the benefit of qualified privilege so that they are protected from third party liability when making breach reports in good faith. This is particularly relevant where a suspected (not proven) breach is reported.

The timing and content of the report

The Taskforce expressed concern about delay in reporting breaches and uncertainty as to when the 10 business days to report commences.  For example, whether a breach has occurred may take time to investigate, and a matter may not be determined as “significant” (and therefore reportable) until all the facts are known and the impact assessed.

The Taskforce has proposed that a breach is to be reported within 10 business days from the time that the obligation to report arises. This would run from when the AFS licensee becomes aware, or has reason to suspect that a breach has occurred, may have occurred or may occur (as opposed to when the licensee determines that a breach has occurred and/or the breach is significant).

This change would place additional time pressure on entities to report suspected breaches without full investigation, and may lead to unnecessary, premature reporting.

The Taskforce has also taken the preliminary position that there should be a prescribed content of breach reports and that these be delivered electronically.

However, the Taskforce does not agree with recommendations in the House of Representatives Standing Committee on Economics, Review of the Four Major Banks: First Report (Coleman Report) that licensees be required to “name and shame” individual executives involved in a reportable breach, or having organisational responsibility for the area in which the breach occurred.  The Taskforce is of the view that such reporting may hinder rather than assist compliance and early reporting.

Sanctions for non-reporting

The Taskforce also wants to widen the scope of the sanctions available for failure to report significant breaches. Currently, it is an offence to fail to comply with the requirement to self-report. The penalties available are a custodial sentence of up to one year, a maximum fine of $9,000, or both for individuals, and a maximum fine of $45,000 for corporations (as well as administrative action in relation to the licensee’s AFSL).

The Taskforce has taken the preliminary position that the level of criminal sanctions should be increased. It also proposes that civil penalty provisions should be introduced for failure to report breaches as and when required, together with a regime of infringement notices.  The Taskforce argues that a range of penalties would allow ASIC flexibility to deal with less serious cases.

ASIC’s approach to breach notification

The Taskforce also proposes provisions to support a collaborative approach to rectifying breaches, to encourage early reporting and cooperation. This may take the form of a formal provision expressly allowing ASIC to decide not to take enforcement action against licensees when they self-report and satisfy other, yet-to-be-determined requirements.

The Taskforce has identified an additional option to allow ASIC to decide to take no administrative or civil action against a licensee, if the licensee cooperates with ASIC and addresses the matter to ASIC’s satisfaction. This could possibly be achieved by an agreed program to address the breach, including the completion of any further investigation, rectifying the breach and remediation.

Annual publication of breach report data for licensees

The Taskforce agrees with the Coleman Report recommendation to publish breach report data at an individual licensee level.  This reporting would be in addition to the aggregate data on breach notification and enforcement activity already published by ASIC.

The Taskforce proposes that reporting should be confined to significant breaches at a licensee level and could extend to identifying the operational area of the licensee’s organisation in which the breach occurred.  The reporting could also be subject to a threshold based on the total number of breaches reported by the licensee for the relevant year.

The closing date for submissions to the Taskforce is 12 May 2017.

Kathleen Harris
Legal Director