Written by Jim Boynton and Tim Morgan
From 1 October this year, Australian financial services and Australian credit licensees have been subject to a new and expanded ASIC breach reporting regime. Under this new regime, licensees must lodge a report with ASIC whenever there are reasonable grounds to believe that a “reportable situation” has arisen in relation to a financial services licensee. The report must be lodged within 30 days and the clock starts ticking as soon as the licensee knows, or is reckless with respect to whether, there are reasonable grounds to believe that the reportable situation has arisen. This article focuses on the new regime for Australian financial services licence holders.
Reporting more things more often
As outlined in greater detail in our previous update, this regime expands the scope of previous breach reporting arrangements, which will likely result in most licensees and their representatives having to report more and more often. Significantly, the scope of the new reporting obligation turns on the concept of a “reportable situation”, which includes any of the following situations:
- Inability to comply with a core obligation: where the financial services licensee (or its representative) is no longer able to comply with a core obligation and the breach, if it occurs, will be significant.
- Conducting an investigation into the existence of a reportable situation: where the financial services licensee (or its representative) conducts an investigation into whether there is breach or inability to comply with a core obligation that is reportable, and the investigation continues for more than 30 days.
- Investigation discloses no reportable situation: an investigation lasting more than 30 days discloses that there is no breach or inability to comply with a core obligation.
- Gross negligence or serious fraud: in the course of providing a financial service, the financial services licensee (or its representative) has engaged in conduct constituting gross negligence, or has committed serious fraud.
- Other circumstances: any other circumstances prescribed by the regulations exists.
The extension of the former regime to breaches and investigations by representatives, and their gross negligence or commission of serious fraud, needs to be built into breach reporting systems. Although there is a technical argument that breaches by representatives are not covered, this is proposed to be remedied and limited to certain legislation.
Investigations now reportable
A very important difference between the new arrangement and its predecessor is that “investigations” into the existence of a reportable situation are now reportable if they last longer than 30 days. Licensees must also report the outcome of any such investigation. This is likely to have significant operational impacts for licensees. In particular, reliable processes for determining the time at which an investigation commences are likely to be critical for effective compliance with the new regime. In some cases it will be obvious when an investigation into a reportable situation commences but in other cases (eg BEAR breaches) it will require a detailed fact find and determination of whether the breach is likely to be significant.
In addition, the new regime includes a concept of “deemed significance”. The effect of this is that certain reportable situations will be treated as “significant” in all cases and thus will automatically be required to be reported by licensees where they occur. Examples of such situations include: where certain types of offences are committed or certain types of civil penalty provisions of the Corporations Act or ASIC Act are contravened or where the breach is likely to result in material loss or damage to members of managed investment schemes, superannuation entities or other clients of financial services providers. In such cases you must ensure that you are able to report the situations within the 30 day limit.
What will ASIC do with all this information?
According to ASIC, reporting of misconduct and breaches of regulatory requirements will allow ASIC to:
- monitor the extent and severity of non-compliance and commence surveillance and investigation when necessary;
- take law enforcement and regulatory action when warranted, including administrative action to protect consumers of financial products and services; and
- identify and respond to emerging threats, harms and trends within the financial services industry, detect significant non-compliant behaviours early, and take the appropriate regulatory response.
ASIC received over 2000 breach reports in each of the last 3 years. We expect that number to significantly increase and most likely to at least double in the medium term.
ASIC will need to have adequate resources to assess and act on breach reports. Otherwise, it risks criticism that it had information on which it failed to act.