19 July 2021
In December 2020, the Federal Parliament passed legislation to strengthen the existing breach reporting regime for Australian Financial Services (AFS) licensees in accordance with recommendations 2.8 and 7.2 of the Final Report of the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Final Report). A number of other recommendations from the Final Report were given effect by this legislation, including recommendation 1.6 to introduce breach reporting requirements for Australian Credit Licensees (ACL) through amendments to the National Consumer Credit Protection Act 2009 (NCCP). The new regime will apply to all “reportable situations” for Australian financial services and credit licensees occurring on or after 1 October 2021.
Under the current breach reporting requirements, an AFS licensee must report a significant breach or likely significant breach of sections 912A or 912B of the Corporations Act 2001 (Corporations Act) to ASIC as soon as practicable, and in any case within 10 business days of becoming aware of the breach or likely breach. There are no equivalent provisions for ACL holders under the NCCP.
One of the concerns highlighted by the Final Report, as well as by ASIC, was that the test of whether a breach is significant, and therefore legally required to be reported, is subjective. That is, the licensee makes that decision based on its own assessment rather than on objective grounds. Moreover, the 10-business-day period for reporting only begins once an institution has determined that there is a breach and that it is significant. Institutions can delay making those decisions without breaching the law.
For AFS licensees, the new regime widens the scope of what must be reported to ASIC. AFS licensees will now have 30 days to report to ASIC from the time they know, or there are reasonable grounds to believe, or they are reckless as to whether, a reportable situation has arisen.
The new section 912D of the Corporations Act states that reportable situations occur where:
While the new regime introduces the term “core obligations”, these are effectively the same provisions that fall under the current breach reporting regime, for example the obligations set out under sections 912A and 912B of the Corporations Act.
However, in addition to the requirement to report significant breaches of core obligations (or investigations into significant breaches of core obligations), the new regime also expands reportable situations to include cases where, in the course of providing financial services, the AFS licensee or its representative has engaged in conduct constituting gross negligence or has committed serious fraud. Gross negligence is not defined in the Corporations Act and is generally a concept more developed in the courts of other jurisdictions than it is in Australia. Importantly, the significance test does not apply to these specific reportable situations.
A new section 50A has been introduced into the NCCP which essentially replicates section 912D of the Corporations Act. Core obligations for credit licensees are the general conduct obligations under section 47 of the NCCP.
To address the subjective element of the significance test in the current regime, additional significance criteria specifically related to core obligations have been included. For AFS licensees, the breach will be significant if it:
A breach will otherwise be significant if it meets the existing significance criteria.
The NCCP replicates these significance criteria under section 50A, except that, instead of a breach of section 1041H(1), a breach will also be significant for an ACL holder or its representative where there has been a breach of a “key requirement” under the National Consumer Credit Code.
Where a licensee has reasonable grounds to believe that a reportable situation has arisen in relation to any other licensee, that licensee must report this to ASIC within 30 days. A copy of the report will also need to be provided to the other licensee. This does not apply if there are reasonable grounds to believe that ASIC is already aware of the reportable situation.
Knowledge and Recklessness
Licensees will have 30 days to report to ASIC from the time they know, or there are reasonable grounds to believe, or they are reckless as to whether, a reportable situation has arisen.
In its draft Regulatory Guide 78 Breach Reporting by AFS licensees and credit licensees (Draft RG 78), ASIC has provided guidance that “reasonable grounds” will exist where there are facts that would induce, in a reasonable person, a belief that a reportable situation has arisen.
Both the Corporations Act and the NCCP apply the Criminal Code definitions of “recklessness” and “knowledge”. Draft RG 78 provides an example of how ASIC considers recklessness to apply. In the example, a member of management is made aware of a software glitch which has caused loss to clients but does not escalate the matter for further investigation as to whether a reportable situation has arisen; this would amount to recklessness on the part of the licensee. Draft RG 78 does not explain why this would amount to recklessness on the part of the licensee; however, we assume this is because the licensee (via the Head of Underwriting) was aware of the glitch and loss to clients, and therefore would have been aware of a substantial risk that a reportable situation had occurred.
Actual and apparent authority
ASIC also provides guidance in Draft RG 78 that, in accordance with section 769B of the Corporations Act and section 324 of the NCCP, knowledge or recklessness is ascribed to anyone in the organisation acting within the scope of their actual or apparent authority. According to ASIC's views in Draft RG 78, this means that although an employee may not have been given actual authority within their employment to decide to lodge a breach report, if the employee has obtained knowledge (within the apparent authority of their employment) of circumstances that give rise to reasonable grounds to believe that a reportable situation exists, the 30-day notice period commences at that point.
Investigations into whether there is a reportable situation themselves become a separate reportable situation where the issue has not been determined by day 31 of the investigation. However, that is not the end of the reporting obligations for licensees: there is then a further requirement to lodge an additional breach report regardless of the result of the investigation.
In order to make a report to ASIC, Licensees will need to use the prescribed form on the ASIC Regulatory Portal.
ASIC is also required to publish information about reports lodged with ASIC each financial year. ASIC will include information about breaches and likely breaches of core obligations, the name of licensees and the volume of reported breaches.
The objective of publishing breach data is to provide an incentive to improve behaviour, reduce the number of breaches and improve outcomes for consumers.
The changes are likely to drive an increase in the volume of breach reports, both by deeming a range of breaches of legislation (not limited to core financial services legislation) to be ‘significant’ and therefore reportable, and by introducing a new reporting requirement with respect to investigating whether a matter is reportable in the first place.
Licensees should be aware that failure to comply with reporting obligations can attract both civil and criminal penalties. The new civil penalty provisions carry significant financial penalties. Accordingly, it is crucial that licensees understand these new reporting requirements and implement systems and controls to ensure compliance. In preparing for 1 October, licensees should consider:
We can assist licensees in getting ready for implementation of the new breach reporting system which goes live later this year.