October looms – are you ready for the new breach reporting regime?

19 July 2021 

In brief

In December 2020, the Federal Parliament passed legislation to strengthen the existing breach reporting regime for Australian Financial Services (AFS) licensees in accordance with recommendations 2.8 and 7.2 of the Final Report of the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Final Report). A number of other recommendations from the Final Report were given effect by this legislation, including recommendation 1.6 to introduce breach reporting requirements for Australian Credit Licensees (ACL) through amendments to the National Consumer Credit Protection Act 2009 (NCCP). The new regime will apply to all “reportable situations” for Australian financial services and credit licensees that occur on or after 1 October 2021.

In detail 

Under the current breach reporting requirements, an AFS licensee must report a significant breach or likely significant breach of sections 912A or 912B of the Corporations Act 2001 (Corporations Act) to ASIC as soon as practicable, and in any case within 10 business days of becoming aware of the breach or likely breach. There are no equivalent provisions for ACL holders under the NCCP.

One of the concerns highlighted by the Final Report, as well as by ASIC, was that the test as to whether a breach is significant, and therefore legally required to be reported, is subjective. That is, the licensee makes that decision based on its own assessment and not on objective grounds. Moreover, the 10-business-day period for reporting only begins once an institution has determined that there is a breach and that it is significant. Institutions can delay making those decisions without breaching the law.

Reportable situations

For AFS licensees, the new regime widens the scope of what must be reported to ASIC. AFS licensees will now have 30 days to report to ASIC from the time they have knowledge of, or there are reasonable grounds to believe, or they are reckless as to whether, a reportable situation has arisen.

The new section 912D of the Corporations Act states that reportable situations occur where:

  1. a breach or likely breach of a “core obligation” by the AFS licensee or its representative which is significant;
  2. an AFS licensee or its representative is no longer able to comply with the core obligations, and the breach, if it occurred, would be significant;
  3. an investigation into whether there is a reportable situation of the kind mentioned in paragraph (1) or (2) has commenced, and the investigation continues for more than 30 days;
  4. an investigation described in paragraph (3) concludes that there is no reportable situation.

While the new regime introduces the term “core obligations”, these are effectively the same provisions that fall under the current breach reporting regime, for example the obligations set out under sections 912A and 912B of the Corporations Act.

However, in addition to the requirement to report significant breaches of core obligations (or the investigation of significant breaches of core obligations), the new regime also expands reportable situations to include where, in the course of providing financial services, the AFS licensee or its representative has engaged in conduct constituting gross negligence (which is not defined in the Corporations Act and is generally a concept more developed in the courts of other jurisdictions than it is in Australia) or has committed serious fraud. Importantly, the significance test does not apply to these specific reportable situations.

A new section 50A has been introduced in the NCCP which essentially replicates 912D of the Corporations Act. Core obligations for credit licensees are the general conduct obligations under s47 of the NCCP. 

Significance test expanded

To address the subjective element of the significance test in the current regime, additional significance criteria specifically related to core obligations have been included. For AFS licensees, a breach will be significant if it:

  • is punishable on conviction by a penalty, which may include imprisonment for a maximum period of 3 months for offences involving dishonesty, or 12 months for any other offence;
  • results, or is likely to result, in material loss or damage to customers;
  • results in a contravention of a civil penalty provision, unless excluded by regulation; or
  • results in a breach of either section 1041H(1) of the Corporations Act or section 12DA(1) of the ASIC Act (misleading or deceptive conduct in relation to a financial product or financial service).

A breach will otherwise be significant if it meets the existing significance criteria.

The NCCP replicates these significance criteria under s50A, except that, instead of a breach of section 1041H(1), a breach will also be significant for an ACL holder or its representative where there has been a breach of a “key requirement” under the National Credit Code.

Reporting other Licensees

Where a licensee has reasonable grounds to believe that a reportable situation has arisen in relation to any other licensee, that licensee must report this to ASIC within 30 days. A copy of the report will also need to be provided to the other licensee. This does not apply if there are reasonable grounds to believe that ASIC is already aware of the reportable situation.

Reporting to ASIC

Knowledge and Recklessness

Licensees will have 30 days to report to ASIC from the time they have knowledge of, or there are reasonable grounds to believe, or they are reckless as to whether, a reportable situation has arisen.

In its draft Regulatory Guide 78 Breach Reporting by AFS licensees and credit licensees (Draft RG 78), ASIC has provided guidance that “reasonable grounds” will exist where there are facts sufficient to induce, in a reasonable person, a belief that a reportable situation has arisen.

Both the Corporations Act and the NCCP apply the Criminal Code definitions of “recklessness” and “knowledge”. Draft RG 78 provides an example of how ASIC considers recklessness to apply. In the example, the fact that a member of management is made aware of a software glitch which has caused loss to clients, but subsequently does not escalate the matter for further investigation as to whether a reportable situation has arisen, would amount to recklessness on the part of the licensee. Draft RG 78 does not provide an explanation as to why this would amount to recklessness on the part of the licensee; however, we assume this is because the licensee (via the Head of Underwriting) was aware of the glitch and the loss to clients, and therefore would have been aware of a substantial risk that a reportable situation had occurred.

Actual and apparent authority

ASIC also provides guidance in Draft RG 78 that, in accordance with section 769B of the Corporations Act and section 324 of the NCCP, knowledge or recklessness is ascribed to anyone in the organisation acting within the scope of their actual or apparent authority. According to ASIC's views in Draft RG 78, this means that although an employee may not have been given actual authority within their employment to make a decision to lodge a breach report, if an employee has obtained knowledge (within the apparent authority of their employment) of circumstances that give rise to reasonable grounds to believe that a reportable situation exists, it is at that point that the 30-day notice period will commence.

Investigations

Investigations into whether there is a reportable situation themselves become a separate reportable situation where the issue has not been determined by day 31 of the investigation. However, that is not the end of the reporting obligations for licensees - there is then a further requirement to lodge an additional breach report regardless of the result of the investigation.

This means:

  • licensees must lodge a separate breach report if, at any point during the investigation, they conclude there has been a significant breach of a core obligation;
  • licensees must instead lodge a report if the investigation concludes that there is no significant breach of a core obligation.

In order to make a report to ASIC, licensees will need to use the prescribed form on the ASIC Regulatory Portal.

Publication of breach reporting data

ASIC is also required to publish information about reports lodged with ASIC each financial year. ASIC will include information about breaches and likely breaches of core obligations, the names of licensees and the volume of reported breaches.

The objective of publishing breach data is to provide an incentive to improve behaviour, reduce the number of breaches and improve outcomes for consumers. 

Key considerations for Licensees as we approach 1 October 2021

The changes are likely to drive an increase in the volume of breach reports by deeming a range of breaches of legislation (not limited to core financial services legislation) to be ‘significant’ and therefore reportable, in addition to the introduction of a new reporting requirement with respect to investigating whether a matter is reportable in the first place.

Licensees should be aware that failure to comply with reporting obligations can attract both civil and criminal penalties. The new civil penalty provisions carry significant financial penalties. Accordingly, it is crucial that licensees understand these new reporting requirements and implement systems and controls to ensure compliance. In preparing for 1 October, licensees should consider:

  • Conducting a gap analysis on the impacts of these changes on their current incident management and breach reporting framework, including processes for improvement and associated controls.
  • Designing an effective end-to-end incident management and breach reporting process. This may involve using existing technology or introducing new technology that will assist licensees in managing the entire process, from identification and investigation through to reporting and resolution.
  • Educating employees to assist them in understanding both the licensee's and their own obligations in relation to breach reporting.

We can assist licensees in getting ready for implementation of the new breach reporting system which goes live later this year.