A new breach reporting regime will commence on 1 October 2021 and it will be more onerous on licensees than ever before. One of the most notable changes is that credit licensees are now required to report significant breaches for the first time. In this blog, we outline the other key changes that you need to know.
What is a ‘reportable situation’?
Under the new regime, a licensee must lodge a report within 30 days (previously 10 days) of when the licensee first knows or is reckless with respect to whether there are reasonable grounds to believe a reportable situation has arisen.
A reportable situation arises when:
While the term ‘core obligation’ is new, the provisions that it covers are identical to the current breach regime. What has changed is the significance test and the timeline for reporting.
The clock starts ticking earlier
You will need to review your breach assessment processes to ensure they can meet the new timelines. The 30-day clock now starts ticking once you have reasonable grounds to believe there has been or will be a significant breach, or you are reckless as to whether there are reasonable grounds.
The breach must also be reported to ASIC at the investigation stage if the investigation has continued for more than 30 days, and the licensee must provide a second report to ASIC on the outcome of the investigation once it is complete. In this way, there is an incentive to finalise any such investigation within 30 days to avoid having to report to ASIC twice.
There are several questions that remain unanswered here, including what constitutes an investigation and when an investigation actually commences.
The significance test has been expanded
Breach reporting is required in a broader range of circumstances because the significance test has been expanded. The new regime introduces deeming provisions that are supposed to take the guesswork out of determining whether a breach is significant or not.
A breach of a core obligation is deemed to be significant if:
Remember that gross negligence and serious fraud are automatically reportable as well.
For credit licensees, breach of a “key requirement” under the National Credit Code is also deemed to be significant.
Deeming a breach with a civil penalty provision to be significant means that almost all breaches of the relevant legislative provisions will be reportable, regardless of their size. This means you should expect to lodge breach reports more frequently.
It’s worth noting that the Explanatory Memorandum contemplates that Treasury may introduce new regulations to pare back the deeming provisions if ASIC receives too many ‘minor, technical or inadvertent’ breach reports. This remains to be seen, however, and it is unlikely to happen for at least 12 months after commencement.
Even if a breach is not automatically ‘deemed’ to be significant, licensees must still assess whether the breach is significant by considering:
Licensees will be required to notify affected clients
If a reportable breach involves financial advice to retail clients or credit assistance by mortgage brokers, the affected clients must also be notified of the breach. The licensee must investigate the breach and compensate affected clients for any loss or damage.
You may need to implement new systems to ensure you can meet this new obligation.
Licensees will be required to notify ASIC of breaches by other licensees
Licensees will also be required to report to ASIC about breaches by other licensees in certain circumstances. This new reporting provision is targeted at misconduct by individual financial advisers and mortgage brokers.
AFS and credit licensees are required to lodge a report with ASIC if:
The report must be lodged with ASIC within 30 days after you first know, or are reckless with respect to whether, there are reasonable grounds to believe that a reportable situation has occurred. A copy of the report must also be given to the relevant licensee within the same 30-day period. Failure to do so is a civil penalty provision.
Once these new provisions come into effect, you can expect to be lodging breach reports more frequently. These breach reports are currently required to be lodged via the ASIC portal and we do not expect this to change. The new requirements may mean you need to put in place additional systems and controls to identify and report on breaches.
If you need help reviewing your systems and processes, or would like advice on how to meet the new requirements, please get in touch. We’d be happy to help.