Are you prepared? October breach reporting changes loom

In anticipation of the upcoming breach reporting obligations commencing on 1 October 2021, ASIC has released Regulatory Guide 78 (New RG 78) on Breach Reporting by Australian Financial Services (AFS) licensees and credit (AC) licensees.

These new expanded reporting obligations seek to address ASIC’s long-standing concerns regarding the timeliness and quality of breach reporting across the finance and credit industries. New RG 78 seeks to establish consistency, clarity, and punctuality for licensee reporting standards, and imposes significant penalties for failure to adhere to these standards. It also includes the added measure of requiring licensees to report other licensees when there is reasonable grounds to believe that the other AC or AFS licensee has had a reportable situation occur.

There were 4,788 ACL holders and 6,182 AFSL holders operating in Australia in July 2021, and these changes will cause a significant impact on how these businesses interface with ASIC, and the compliance infrastructure they need to have in place. This is particularly true for the AC licensees, who are not currently subject to any breach reporting regime.

Background

Please see our previous FSR Wrap for a more in-depth discussion of the upcoming changes to breach reporting requirements, based on the legislation and consultation papers.

The new breach reporting obligations implement recommendations from the Financial Services Royal Commission, and are included in the Financial Sector Reform (Hayne Royal Commission Response) Act 2020. These obligations require licensees to self-report specific matters to ASIC, and allow ASIC to detect non-compliance behaviours early and take action where appropriate.

The primary shift under this new regime is to a more expansive scope of ‘reportable situations’ (i.e. matters that must immediately be reported to ASIC), and the introduction of ‘deemed significant breaches’. Largely gone will be the days of subjective assessments of ‘significance’ of a particular issue, with the decision of whether a matter is reportable to ASIC or not hinging on that assessment. There is far more prescriptive rigour around what is reportable to ASIC now.

‘Deemed significant’ breaches, which must be reported to ASIC irrespective of the number of customers affected, the quantum of loss, or broader impact to compliance frameworks, include:

1. breaches that constitute the commission of an offence and the commission of the offence is punishable on conviction by a penalty that may include imprisonment for:
   1. three months or more if the offence involves dishonesty; or
   2. 12 months or more in any other case;
2. breaches of a civil penalty provision (if the provision is not exempted under the regulations[1]);
3. for AC licensees, breaches that constitute a contravention of a key requirement under s111 of the National Credit Code;
4. breaches that amount to misleading or deceptive conduct; or
5. breaches that result, or are likely to result, in material loss or damage to clients.

Instead of the subjective test previously utilised to determine whether a breach had occurred, breaches are now automatically deemed significant if they contravene a raft of relevant legislation (see footnote below). An obligation to report the breach to ASIC within 30 calendar days is automatically triggered if any ‘deemed significant breach’ occurs, such as conduct that amounts to contravention of a relevant civil penalty provision or commission of a relevant offence.

Why this is important for Licensees

The introduction of the objective ‘deemed significant’ threshold will subject licensees to a broad range of behaviours that will be deemed as ‘reportable situations’. This will require detection, analysis, and reporting to ASIC within a limited timeframe to avoid non-compliance with the breach reporting obligations.

From our extensive research, Gadens has identified and tabulated over 500 civil penalty provisions and 500 criminal penalty provisions under 12 key items of legislation[2] affecting financial services entities that would trigger ASIC reporting requirements. Many of these reside in dusty corners of these pieces of legislation – little known and little used. That may now change.

If a licensee does not report all ‘reportable situations’ to ASIC, they may be subject to both civil and criminal penalties for every instance of failed reporting. For larger licensees where there may be hundreds of reportable situations occurring annually, the quantum of fines that are able to be levied by ASIC are significant.

Two of Australia’s major financial institutions have previously been sanctioned for failing to comply with their reporting obligations. Penalties were applied for each breach subject only to the discretionary authority on whether the breach was continuing or repeating. This failure was a key finding and reason for the largest fine in Australia’s corporate history.

Due to the severity of the penalties ASIC has assigned for non-compliance, ensuring that appropriate policies and procedures are implemented for the prompt and thorough reporting of all reportable situations has become mandatory for licensees from a risk management perspective.

This is especially true when the crossover with other regimes such as the Financial Accountability Regime (FAR) is considered (which applies to banks, and will apply to insurers and super funds in 2023), where a failure to adhere to breach reporting obligations may also constitute a breach of the FAR obligations to conduct the business with honesty, integrity, and due skill, care and diligence. This may result in personal liability for the licensee’s executives if appropriate mitigation measures are not adopted – executive responsibility for breach reporting is a prescribed role under FAR!

Reporting to ASIC

Licensees must report to ASIC within 30 days of when any of their employees or agents first know, or are reckless with respect to whether, there are reasonable grounds to believe a reportable situation has arisen and they obtain this knowledge within the scope of their apparent authority. This applies regardless of whether the employee in question has the authority to submit a breach report.

ASIC has clarified that recklessness includes instances where the licensee does not know that a reportable situation has arisen, but with regard to the circumstances they do know, there is a substantial risk of a reportable situation, and ignoring that risk is unjustifiable.

ASIC has (unsurprisingly) emphasised that events such as consideration of the report by a licensee’s board of directors, receiving legal advice on reportability, or taking steps to rectify the breach are not an acceptable excuse for failing to comply with the 30 day reporting requirement.

If a licensee commences an investigation into a suspected issue, they are required to report this investigation to ASIC where the investigation has continued for more than 30 days, even if the investigation has not discovered a reportable situation at that time. The investigation is reportable irrespective of whether it is labelled as an investigation in the licensee’s internal processes. The time an investigation starts will depend on the nature of the activities conducted, not where or by whom they are conducted. If the outcome of an investigation that continues for more than 30 days is that there are no reasonable grounds to believe a reportable situation has arisen, these findings must still be reported to ASIC.

Reports must be made to ASIC in the prescribed form, through the ASIC regulatory portal. Relevant details including information about the reportable situation, its significance, how it was identified, the representatives and clients involved, and future compliance measures being undertaken to address the issue must be included. From our experience, reporting using the portal is quite a prescriptive exercise.

When there are multiple reportable situations arising from a single specific root cause, a licensee may potentially notify ASIC of these multiple reportable situations in one report to satisfy the reporting obligations. However, this option should be utilised with caution, as ASIC has not supplied a definition of ‘root cause’, instead leaving it up to the judgement of the licensee on what is appropriate to group together in the relevant circumstances. ASIC has also said that ‘similar’ or ‘related’ reportable situations arising from the same root cause may be able to be grouped together depending on the circumstances.

While ASIC has stated that reporting to them will not influence the action they may take, they have indicated that failure to adhere to breach reporting obligations may be taken to be indicative of a licensee’s general approach to compliance i.e. it will make a bad situation much worse.

ASIC’s publishing of breach report information

ASIC has clarified that they may publish or exclude information including the name of the licensee and the volume of reported breaches according to regulations. However, ASIC has clarified that they will not take this out of context, and will acknowledge when publishing data that a large number of reports may indicate a stronger compliance system rather than a higher incidence of non-compliance.

Next Steps and Practical Guidance

In case studies considered by the Financial Services Royal Commission, it was found that licensees primarily failed to report within the time required due to:

• a failure to report and escalate an issue internally within the organisation;
• inadequate internal records maintained that considered whether to report an issue; and
• inadequate systems maintained to ensure compliance with breach reporting requirements.

To comply with the breach reporting obligations outlined in RG 78, a policy that outlines sound systems, processes and procedures is essential. The policy should allow you to:

• fully comply with the breach reporting obligations;
• have capacity and speed in identifying and investigating incidents, and reporting them to ASIC;
• demonstrate a sound breach management culture that makes:
  • reporting a priority;
  • consumer remediation a priority; and
• make the most of the lessons learned and opportunities that each breach presents.

We recommend implementation of the following systems, processes and procedures to reinforce your breach management policy and ensure compliance with breach reporting obligations:

• robust breach reporting systems that are timely and comprehensive. To achieve this, the system should have a clear, well-understood and well-documented process that is effectively communicated to all staff members;
• robust arrangements with all authorised representatives and credit representatives including any persons acting on behalf of the licensee. This arrangement must effectively identify, record and escalate breaches caused by your arrangements;
• a robust and timely breach escalation process that allows for reporting decisions to be made well before the 30 day deadline;
• a training scheme for employees relating to incidents and breaches including what they can and should do;
• a consumer remediation plan relating to breaches impacting consumers; and
• a breach register including information to comply with the Corporations Act and National Credit Act.

There are additional measures that are relevant to the different types of organisations in complying with the obligations. These include controls relating to reviewing processes, investigations, governance structures, analysis, accountability and resourcing.

Further Information and Assistance

Gadens is a market leader in the compliance and regulatory space, and has developed a number of bespoke RegTech resources to assist AFS and AC licensees to assess and report their activities and pick up on when a reportable breach has occurred, and assist with both of these processes.  See the Gadens Breach manager platform website here: https://breachmanager.gadens.com/

Otherwise, we encourage you to contact your usual Gadens lawyer to assist you in preparing for what will be one of the biggest changes to the financial services regulatory landscape in 2021.

If you found this insight article useful and you would like to subscribe to Gadens’ updates, click here.

Authored by:

Kate Mills, Partner
Kathy Merrick, Partner
Susan Forrest, Partner
Cameron Simpson, Solicitor
Taylor Green, Solicitor
Cameron Jones, Graduate
Jason Lee, Graduate

[1] There have been several exemptions set out in the last few months by Treasury, though they are arguably piecemeal.

[2] Corporations Act 2001; Corporations Regulations 2001; ASIC Act 2001; National Consumer Credit Protection Act 2009; National Consumer Credit Protection Regulations 2010; Superannuation Insurance (Supervision) Act 1993; Banking Act 1959; Australian Consumer Law 2010; Anti-Money Laundering and Counter-Terrorism Financing Act 2006; Spam Act 2003; Privacy Act 1988; and Foreign Acquisitions and Takeovers Act 1975.