The New Breach Reporting Regime for the Financial Services Industry

By Matthew Farnsworth, Partner

Following the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (the Royal Commission), the government has continued the rollout of its unprecedented legislative program with the Financial Sector Reform (Hayne Royal Commission Response) Act 2020 (Act), which gives effect to many of the Royal Commission’s recommendations.

The breach reporting regime for Australian financial services (AFS) licensees in s 912D of the Corporations Act 2001 (Cth) (Corporations Act) faces a revamp that will have significant implications for AFS licensees. The Act also introduces a similar regime for Australian credit licensees under the National Consumer Credit Protection Act 2009 (Cth), resulting in the first ever breach reporting regime in consumer credit. The new breach reporting regime will commence on 1 October 2021.

Existing breach reporting regime

Under the existing breach reporting regime, an AFS licensee must report to ASIC as soon as practicable and in any event within 10 business days of becoming aware of a significant breach (or likely significant breach) of certain obligations. Concerns with this regime mainly centred around the significance test, which requires an AFS licensee to consider various factors. One of the most noteworthy changes under the new regime is the expansion of the ‘significance’ test to require reporting in a wider range of circumstances, as detailed below.

New breach reporting regime

Under the new regime, the reporting obligation applies when the licensee ‘knows’ that there has been or will be a significant breach and also where the licensee knows that there are reasonable grounds to believe that it is the case, or is reckless as to whether there are reasonable grounds to believe that it is the case.

The reporting obligation will also extend to the investigation stage if the investigation has continued for more than 30 days, and a report to ASIC is also required on the outcome of such investigations. Unfortunately, the Act and the Explanatory Memorandum for the bill do not provide a definition of ‘investigation’, which is likely to cause a number of issues for licensees as each licensee may have different investigation processes.

Licensees will also need to notify clients of reportable breaches involving personal advice to retail clients or credit assistance by mortgage brokers, and have to investigate and quantify any loss or damage suffered and compensate the affected clients under this requirement.

Controversially, the Act introduces a ‘dobbing in’ obligation for licensees to lodge reports in relation to other licensees. AFS licensees and credit licensees must lodge a report with ASIC within 30 days after the licensee first knows there are reasonable grounds to suspect that an applicable reportable situation has arisen about individual financial advisers or mortgage brokers.

Reportable situation and significance test

The timeframe for reports to be lodged with ASIC has been extended under the new regime, from 10 business days to 30 days after the licensee knows, or is reckless whether, there are reasonable grounds to believe that a ‘reportable situation’ has arisen.

A ‘reportable situation’ occurs when:

  (a) a licensee or its representative has breached a core obligation and the breach is significant;
  (b) a licensee or its representative is no longer able to comply with a core obligation and the breach, if it occurs, will be significant;
  (c) the licensee or its representative has commenced an investigation into whether (a) or (b) applies and the investigation has continued for more than 30 days;
  (d) an investigation described in (c) above discloses that there is no reportable situation of the kind mentioned in (a) or (b); or
  (e) in the course of providing a financial service or engaging in a credit activity (as applicable), the licensee or its representative has engaged in gross negligence or serious fraud.

‘Core obligation’ for an AFS licensee is a new term introduced as part of the regime, and is defined in the Act. They are the same provisions that fall under the current breach reporting regime. For credit licensees, the core obligations cover the general conduct obligations of licensees and the obligation to comply with a range of credit legislation.

A breach of a core obligation is deemed to be significant if:

  1. the provision breached is an offence that may involve imprisonment for certain maximum periods;
  2. the provision breached is a civil penalty provision, s 1041H(1) of the Corporations Act (for AFS licensees) or s 12DA(1) of the ASIC Act (misleading or deceptive conduct in relation to a financial product or service); or
  3. the breach results or is likely to result in material loss or damage to clients or members.

For credit licensees, the breach of a ‘key requirement’ under the National Credit Code is also considered significant.

Licensees must still consider the factors under the significance test in the current regime, taking into account the number or frequency of similar breaches, the impact of the breach on the licensee’s ability to provide the services covered by its licence, the extent to which the breach indicates the licensee’s compliance arrangements are inadequate, and any other matters required by regulation.

Streamlined reporting for responsible entities

The new regime streamlines breach reporting obligations for responsible entities. Currently, the responsible entity of a registered scheme must report to ASIC under s 601FC(1)(l) of the Corporations Act any breach of the Corporations Act that relates to the scheme and that has had, or is likely to have, a materially adverse effect on the interests of members, as soon as practicable after it becomes aware of the breach. The new breach reporting regime will replace this reporting requirement.

Publication of breach report data

ASIC will be required to publish on its website information about breach reports received during each financial year, in relation to significant breaches and likely breaches of core obligations. Subject to any applicable regulations, ASIC will have discretion about the form and contents of the publication and may include information such as the name of a licensee and volume of reported breaches. This is intended to provide an incentive for improved behaviour and to assist licensees and consumers.

Next Steps

We expect that the number of breach reports received by ASIC will increase dramatically, as there are more circumstances under which breach reports will be required. The Explanatory Memorandum has highlighted that the new legislation may be revisited and updated by regulation after being rolled out, particularly if there are largely unproblematic breach reports that would not otherwise be significant.

As new civil penalty provisions which carry significant financial penalties have also been introduced as part of the regime, it is important for all licensees to understand these new reporting requirements and ensure that they have established the requisite systems and controls to comply.

We recommend affected licensees:

  1. Assess their breach reporting practices and procedures.
  2. Update compliance procedures and internal processes to ensure that the new deadlines under this regime are met. Procedures will be needed to identify when an investigation into a reportable breach begins, thus triggering the 30-day timeframe for reporting. There is also an added incentive for licensees to instigate and resolve investigations within 30 days where possible to avoid the need for double reporting.
  3. Create systems and processes to ensure that they are able to comply with the requirement to notify clients affected by reportable situations, and remediate the situation if required.
  4. Establish systems to identify reportable situations involving other licensees and to comply with their obligations to report these situations to ASIC.

Please contact Matthew Farnsworth for further information.
