By Matthew Farnsworth, Partner
In April, we posted about forthcoming changes to the breach reporting regime for AFS licensees and credit licensees under changes to the Corporations Act 2001 (Cth) (Corporations Act).
As we head towards the new regime coming into effect on 1 October 2021, ASIC has recently finished taking submissions on a Draft Regulatory Guide 78 (Draft Guide).
From 1 October 2021, an AFS licensee must report to ASIC within 30 days after it ‘first knows that, or is reckless with respect to whether, there are reasonable grounds to believe [a] reportable situation has arisen’.
New reporting obligation for ongoing investigations
One of the new changes is that an investigation lasting longer than 30 days into whether there is a ‘reportable situation’ will itself be a ‘reportable situation’. If not resolved within that time, the ongoing investigation must itself be reported to ASIC within 30 days.
Some practical impacts
Below we examine the new obligation to report ‘investigations’ lasting longer than 30 days.
The changes will apply to investigations that were ongoing prior to 1 October 2021. It will be important to understand when the ‘clock’ starts so as not to be caught out inadvertently by the new requirements.
1. Q: What is an ‘investigation’?
A: The Draft Guide builds on the information already available in the Explanatory Memorandum (EM).
The term ‘investigation’ is not defined in the legislation and according to the EM is to be given its ordinary meaning (from the Macquarie Dictionary, a ‘searching inquiry to ascertain facts’). According to the EM:
- An investigation would ordinarily involve ‘information gathering or human effort’ to determine whether a breach has occurred or will occur.
- It does not matter what the process is called or whether it is performed in-house or externally.
Examples of ‘information gathering’ given in the EM are:
- communicating with representatives or staff of the licensee who may have been involved in the relevant conduct;
- communicating with potentially affected clients; or
- seeking specialist or technical advice.
In relation to ‘specialist advice’, this will likely include seeking external legal advice on the question of whether a ‘reportable situation’ has arisen.
The EM suggests that merely entering information into a risk management system is unlikely to be an ‘investigation’.
Helpfully, the Draft Guide sets out some additional examples (see Table 6). Some takeaways are:
- An example of an ‘internal audit’ that is ‘routine’ does not constitute an ‘investigation’ because it is ‘not directed at identifying whether a significant breach of a core obligation has arisen’.
- By contrast, any subsequent inquiry into the nature and extent of issues identified and the identity of any customers affected will amount to an ‘investigation’.
- In another example, a licensee reviews their records and processes in response to customer complaints. This is an ‘investigation’ because the inquiry is whether there has been a reportable breach.
The worked examples are helpful and we would welcome additional examples in the finalised guidance to be released in Q3 2021.
2. Q: When does an investigation commence?
A: An investigation will generally begin when a licensee first ‘look[s] into the matter or takes steps towards ascertaining whether a significant breach has occurred’ (EM 11.47).
3. Q: Is there an obligation to investigate?
A: An express requirement to investigate applies only to financial advisers and mortgage brokers (see 78.56 of the Draft Guide).
However, as the Draft Guide notes for all licensees, ‘[t]imely investigations reduce the risk of continuing breaches or breaches that reoccur by helping to identify the root or systemic cause of the breach’.
4. Q: Can I delay performing an investigation until I am ready?
A: ASIC will be alert to ‘unreasonable delay’ and expressly addresses this in the Draft Guide: ‘Delays in initiating, recording, escalating or conducting an investigation may suggest inadequacies of a licensee’s compliance arrangements’.
5. Q: Can I delay the 30-day timer by investigating merely whether a breach exists and leaving aside the question of whether the breach is ‘significant’?
A: Unlikely. It is true the reporting obligation relates to an investigation into whether a ‘reportable situation has arisen’ – and this means a ‘breach’ that is ‘significant’.
However, some breaches will be ‘deemed significant’ breaches by operation of the new provisions. A mere breach of these provisions is ‘significant’ without further inquiry (this is new).
Additionally, the reporting obligation arises 30 days after a licensee is ‘reckless’ with respect to whether there are reasonable grounds to believe a reportable situation has arisen. The Criminal Code definition will apply, under which ‘recklessness’ means being aware of a substantial risk and unjustifiably taking that risk. Wilfully avoiding making enquiries as to whether a breach identified is ‘significant’ would likely go beyond being ‘reckless’ and constitute a failure to report.
6. Q: Can I stop the clock by remedying any individual impact on customers affected by a breach?
A: First, the Draft Guide makes it clear that where you can remedy the impact you should do so, even before an investigation is completed. However, that does not alleviate the obligation to report an investigation lasting longer than 30 days.
Where you have identified and fixed some specific issues but not addressed broader issues, and the same issues arise later on, the Draft Guide suggests that the 30-day timer started when the initial inquiries were made.
According to the Draft Guide, where two investigations relate to ‘the same subject matter’, the 30-day timer will start at the earlier one.
7. Q: Should I avoid seeking legal advice?
A: No. Wilfully not investigating a reportable situation may end up as a failure to report.
8. Q: What can I do now?
A: Clearly the best way to avoid additional reporting obligations is to resolve investigations within 30 days – where no significant breaches are found, there is nothing to report. Those with streamlined processes will be best placed to minimise the additional reporting burden of the new regime.
Realistically, it may not be possible to resolve all investigations within 30 days. In those cases, you will need to report via the ASIC Regulatory Portal.
With that in mind, now is the time to:
- review processes and systems against the Draft Guide; and
- talk to your lawyers where you’re unsure of whether your processes meet the requirements.
Before 1 October 2021, ASIC will publish a final version of Regulatory Guide 78. You should check any guidance once finalised as the position in the guide may differ to what is in the Draft Guide.