Breach Reporting for Credit Licensees

It’s been six months since Australian Credit Licensees were introduced to the wonderful world of mandatory breach reporting. Has this additional layer of regulatory reporting resulted in increased consumer confidence in the industry or merely more paperwork?

Setting the scene
Remember when breach reporting was first introduced through the National Consumer Credit Protection Act (NCCP)? Neither can we. This is because when breach reporting was first introduced back in 2009 by the Federal Parliament, there was so much industry backlash it was swiftly abandoned and replaced with the requirement to lodge an Annual Compliance Certificate.

As part of the Annual Compliance Certificate, Credit Licensees were required to declare that they have the appropriate policies and procedures in place to satisfy the General Conduct Obligations within the NCCP.

Then came that pesky little Royal Commission designed to clean up the financial services industry in a way that would ‘spark joy’ Marie Kondo style.

Fast forward to 2021 and new obligations were introduced where Australian Credit Licence holders are now required to not only continue to submit an annual Compliance Certificate to ASIC but also report on any breaches of the licensee’s core obligations.

The “new” reporting obligations.
Not only is reporting back on the table, but it has also introduced a new concept: the significance test. This test was created to take the guesswork out of reporting, but alas increased reporting.

Credit Licensees are now required to:

• Lodge a report with ASIC if they have reasonable grounds to believe that a reportable situation has occurred; and
• Dob in other Credit Licensees and their credit representatives (who are mortgage brokers) if they have reasonable grounds to believe that a reportable situation has occurred.

Reportable Situations
A reportable situation includes:

• Breaches of core obligations that are deemed significant (offences with certain fines or jail terms attached;
• Breaches of core obligations which are otherwise assessed as meeting a significance test relating to frequency and systemic issues;
• Gross negligence and serious fraud;
• Investigations into breaches where the investigation takes more than 30 days
• Reportable situations about other licensees who are mortgage brokers or financial advisers

The Significance Test
A Breach of a core obligation may be significant for two reasons:

• Because it is deemed significant; or
• Because it is assessed as significant.

Deemed Significant Breaches
A breach of a core obligation is deemed significant if:

• It is punishable by a jail term of not less than breach 12 months (3 months for dishonesty offences);
• It is designated in the Act as a civil penalty provision;
• For credit providers, it is a breach of the key requirements in section 111 of the Code;
• the breach relates to misleading or deceptive conduct
• the breach is likely to result in material loss or damage

This means the first step is to identify if a breach is of a core obligation and, if so, whether it is a civil penalty provision or carries a jail term. However, note that some civil penalty provisions are excluded from breach reporting e.g. the obligation to cite a licence number. However, such excluded breaches may still fall foul of other deeming rules, such as amounting to misleading conduct.

Assessing Significance
Any breach of a core obligation which is not deemed significant needs to be assessed to determine whether it is significant having regard to the following factors

• The number or frequency of similar breaches - the greater the number or frequency of similar breaches, the more likely it will be that the new breach will be significant. The repeat of a breach may also indicate a continuing underlying systemic problem;
• the impact of the breach or likely breach on your ability to engage in credit activities covered by the licence - if a breach or likely breach reduces your ability or capacity to supply the financial services or engage in the credit activities covered by your licence, it is likely to be significant;
• the extent to which the breach or likely breach indicates that the licensee’s arrangements to ensure compliance with those obligations are inadequate – if the breach or likely breach indicates that your arrangements to ensure compliance failed to prevent the breach in an isolated and specific instance, it may not be significant. However, if it indicates broader inadequacies or systemic failings in your compliance arrangements, it is more likely to be significant; and
  
• any other matters prescribed by the regulations – at present, there are none.

Reasonable Grounds Test
You must report a reportable situation if you have reasonable grounds to believe it has occurred. A person will have reasonable grounds to believe that a reportable situation has occurred where there are facts or evidence which would lead a reasonable person to believe that a reportable situation has arisen. “The reasonable person” is assumed to possess average judgment or skill.

Timeframe to Report
Credit Licensees must report to ASIC within 30 days if there are reasonable grounds to believe a reportable situation has arisen.

Examples
ASIC gives the following examples of reportable situations:

• Failing to notify ASIC of changes to key persons;
• Failure to lodge statutory reports; or
• Breach of IDR requirements.

Six Months On: Insights
Industry data and Credit Licensee commentary highlight that over 50% of Australian Credit Licence holders consider the obligations to report on both their own breaches and that of other Credit Licensees and their authorised representatives to have:

• Caused complexity and operational challenges
• Created additional resourcing and training issues; and
• Increased spending on compliance; while
• Decreasing productivity and causing distractions to staff members.

Industry feedback to date indicates that the legislation is overly excessive and not achieving the goals that the Royal Commission had in mind when recommending the changes. On average, Credit Licensees are reporting at least five breaches per month, across a range of issues such as misleading and deceptive conduct issues, legislative issues, and material loss or damage inflicted on consumers.

Five breaches per month for a single Credit Licensee; that is a lot! We expect, like the workload required of a Credit Licensee, the workload required of ASIC to review and assess all reports from all Credit Licensees adequately is unsustainable.

It remains to be seen whether ASIC will release further guidance on when to report and when to merely monitor. We hope ASIC does provide guidance and clears up uncertainty and confusion for Credit Licensees suffering since the aftermath of the Royal Commission. Credit Licensees will hopefully benefit from improved productivity and decreased training challenges.

We look forward to ASIC’s first annual publication on breach reports in Quarter 4.

If you would like assistance understanding your breach reporting obligations, please contact us. We may also be able to provide you or your credit representative(s) with assistance regarding:

• Reviewing your breach reporting processes;
• Providing advice on whether a reportable situation has arisen or is likely to arise; or
• Advice on remediation, enforcement and other strategic matters arising from reportable situations (including the impact to customers and remediation requirements).