16 December 2021

Living with the new ASIC breach regime

Written by Jim Boynton and Tim Morgan

From 1 October this year, Australian financial services and Australian credit licensees have been subject to a new and expanded ASIC breach reporting regime. Under this new regime, licensees must lodge a report with ASIC whenever there are reasonable grounds to believe that a “reportable situation” has arisen in relation to a financial services licensee. The report must be lodged within 30 days and the clock starts ticking as soon as the licensee knows, or is reckless with respect to whether, there are reasonable grounds to believe that the reportable situation has arisen.  This article focuses on the new regime for Australian financial services licence holders.

Reporting more things more often

As outlined in greater detail in our previous update, this regime expands the scope of previous breach reporting arrangements, which will likely result in most licensees and their representatives having to report more and more often. Significantly, the scope of the new reporting obligation turns on the concept of a “reportable situation”, which includes any of the following situations:

  • Breach of a core obligation: where the financial services licensee (or its representative) has breached a core obligation and the breach is significant.

  • Inability to comply with a core obligation: where the financial services licensee (or its representative) is no longer able to comply with a core obligation and the breach, if it occurs, will be significant.
  • Conducting an investigation into the existence of a reportable situation: where the financial services licensee (or its representative) conducts an investigation into whether there is breach or inability to comply with a core obligation that is reportable, and the investigation continues for more than 30 days.
  • Investigation discloses no reportable situation: an investigation lasting more than 30 days discloses that there is no breach or inability to comply with a core obligation.
  • Gross negligence or serious fraud: in the course of providing a financial service, the financial services licensee (or its representative) has engaged in conduct constituting gross negligence, or has committed serious fraud.
  • Other circumstances: any other circumstances prescribed by the regulations exists.

The extension of the former regime to breaches and investigations by representatives, and their gross negligence or commission of serious fraud, needs to be built into breach reporting systems. Although there is a technical argument that breaches by representatives are not covered, this is proposed to be remedied and limited to certain legislation.

Investigations now reportable

A very important difference between the new arrangement and its predecessor is that “investigations” into the existence of a reportable situation are now reportable if they last longer than 30 days. Licensees must also report the outcome of any such investigation. This is likely to have significant operational impacts for licensees. In particular, reliable processes for determining the time at which an investigation commences are likely to be critical for effective compliance with the new regime.  In some cases it will be obvious when an investigation into a reportable situation commences but in other cases (eg BEAR breaches) it will require a detailed fact find and determination of whether the breach is likely to be significant. 

Deemed significance

In addition, the new regime includes a concept of “deemed significance”. The effect of this is that certain reportable situations will be treated as “significant” in all cases and thus will automatically be required to be reported by licensees where they occur. Examples of such situations include: where certain types of offences are committed or certain types of civil penalty provisions of the Corporations Act or ASIC Act are contravened or where the breach is likely to result in material loss or damage to members of managed investment schemes, superannuation entities or other clients of financial services providers. In such cases you must ensure that you are able to report the situations within the 30 day limit.

What will ASIC do with all this information?

According to ASIC, reporting of misconduct and breaches of regulatory requirements will allow ASIC to:

  • monitor the extent and severity of non-compliance and commence surveillance and investigation when necessary;
  • take law enforcement and regulatory action when warranted, including administrative action to protect consumers of financial products and services; and
  • identify and respond to emerging threats, harms and trends within the financial services industry, detect significant non-compliant behaviours early, and take the appropriate regulatory response.

ASIC received over 2000 breach reports in each of the last 3 years. We expect that number to significantly increase and most likely to at least double in the medium term.

ASIC will need to have adequate resources to assess and act on breach reports. Otherwise, it risks criticism that it had information on which it failed to act.


Share on LinkedIn Share on Facebook Share on Twitter
    You might also be interested in

    The increased use of Artificial Intelligence raises serious questions: Can – or should – we automate decision making?

    16 December 2021

    One of this year’s prominent corporate governance developments was the Federal Government’s proposed regulatory "crackdown" on proxy advisers.

    16 December 2021

    On 15 October 2021, the Hon. Ray Finkelstein AO QC as Commissioner and Chairperson of the Royal Commission into the Casino Operator and Licence, delivered the report (An inquiry into the suitability...

    16 December 2021

    The Commonwealth Government currently has a number of initiatives underway to deter and penalise phoenix activity in order to protect those who are negatively affected by such fraudulent behaviour...

    16 December 2021

    Legal services for your business

    This site uses cookies to enhance your experience and to help us improve the site. Please see our Privacy Policy for further information. If you continue without changing your settings, we will assume that you are happy to receive these cookies. You can change your cookie settings at any time.

    For more information on which cookies we use then please refer to our Cookie Policy.