Breach Reporting: The Final Countdown
Preparing for the new regime
The new breach reporting regime for Australian financial services and credit licensees is fast approaching. From 1 October 2021, both licensees and ASIC will need to grapple with what could be a veritable tsunami of self-reporting under the new regime.
With submissions having closed on 3 June, hopefully ASIC's final views on a raft of key issues will be made clear in the near future through the release of a final version of ASIC's Regulatory Guide 78: Breach reporting by AFS licensees and credit licensees.
In this insight we provide by way of a refresh, a short summary of the key changes implemented by the new regime, as well as highlighting two critical issues licensees should be considering to ensure they develop compliance systems and procedures that will enable them to meet their obligations.
Deemed significance and investigations
While one of the key changes was the long foreshadowed extension of the breach reporting regime to credit licensees, the two changes that are driving an anticipated significant increase in the number of breach reports by licensees are:
- deeming a range of breaches of various legislation to be significant, and therefore reportable; and,
- the introduction of a new reporting requirement with respect to investigations into whether a matter is reportable.
Reportable situation
The new regime introduces a new concept of a "reportable situation", which includes:
- breaches or "likely" breaches of core obligations that are significant; and
- investigations into whether there is a reportable situation, where the investigation continues for more than 30 days.
Deemed significance
The potential volume of self-reporting that will be required under the new regime is largely driven by the range of breaches of core obligations that are deemed to be significant under the new regime. A breach of a core obligation will be deemed to be significant if:
- the provision breached is an offence that is punishable on conviction by a penalty of 12 months or more, or if the offence involves dishonesty, three months or more;
- the breach is constituted by a contravention of a civil penalty provision, unless excluded by regulation;
- the provision breached is section 1041H(1) of the Corporations Act or section 12DA(1) of the Australian Securities and Investments Commission (ASIC) Act 2001 (misleading or deceptive conduct in relation to a financial product or financial service); or,
- the breach results, or is likely to result, in material loss or damage to customers.
Even a cursory glance at the Corporations Act, ASIC Act or National Consumer Credit Protection Act (NCCP Act) quickly identifies that there are a significant number of provisions that are either civil penalty provisions or offences punishable by the necessary length of potential imprisonment.
That includes a large number of breaches that are likely to be relatively innocuous – for example, one-off failures to provide certain disclosure documents. This has been recognised to a degree by Treasury, which has released draft Regulations excluding some of these types of breaches, such as failures to provide a Financial Services Guide, Product Disclosure Statement or Credit Guide. However, at this stage, while that has eliminated the most obvious examples, it does not appear likely to materially reduce the breach reporting burden that will be imposed on licensees under the new regime.
Additionally, it is not just breaches of these core financial services legislative regimes that are subject to breach reporting – a range of additional legislation must be considered. Somewhat paradoxically, while the scope of breach reporting of ancillary legislation under the Corporations Act is limited by Corporations Regulation 7.6.02A, currently there is no equivalent limitation by regulation for the regime under the NCCP Act, nor is there even provision for the making of a regulation along these lines under the NCCP Act.
Multiple reporting of investigations
The second element of the new regime that appears likely to drive a significant uplift in breach reporting is a multi-layered requirement to report investigations as to whether there is a reportable situation.
Investigations into whether there is a reportable situation themselves become a separate reportable situation where the issue has not been determined by day 31 of the investigation. However, that is not the end of the reporting obligations for licensees – there is then a further requirement to lodge an additional breach report regardless of the result of investigation. This means:
- licensees must lodge a separate breach report if, at any point during the investigation, they conclude there has been a significant breach of a core obligation;
- licensees must, however, alternatively lodge a report if the investigation concludes that there is no significant breach of a core obligation.
It's all in the timing
Licensees must lodge reports with ASIC within 30 days after the licensee "first knows, or is reckless with respect to whether there are reasonable grounds to believe", a reportable situation has arisen.
Given the changes to the regime, there are a couple of key issues that licensees will need to grapple with:
- First, with the extension of reporting to investigations, a key date will be when any relevant investigation started.
The process of identifying that something may have gone wrong, working out exactly what happened, and at some point, realising that it could be a serious matter (and more relevantly, potentially a breach of a core obligation), is often fluid, organic and iterative.
Licensees will need to design their reporting procedures so that they can clearly identify the point at which such a process became an investigation into whether there is a reportable situation.
- The second key date is when the body corporate licensee first knows that there are reasonable grounds to believe a reportable situation has arisen. This in turn depends crucially on whose knowledge within the corporation will be taken to be the knowledge of the licensee.
ASIC has been quick in its draft Regulatory Guide to put forward its views on this issue. The Explanatory Memorandum states that (with reference to) section 769B(3) of the Corporations Act and section 50B(4) of the National Credit Act, the state of mind of a director, employee or agent of the licensee (or certain other persons) will be attributed to a body corporate licensee where that person was engaged in the relevant conduct within the scope of their actual or apparent authority.
Based upon this interpretation of section 769B(3), the draft Guide states that where an employee has not been granted authority within their employment by the licensee to make a decision to lodge a breach report, their knowledge may still relevantly be attributable to the licensee. In particular, the Guide refers to an employee being shown to possess knowledge of reasonable grounds, provided that they acquired the knowledge within the scope of their apparent authority within their employment.
While there are material differences in the tests, this is arguably still a key change in approach from ASIC. Under the old regime, ASIC was prepared to administer the test on the basis that licensees became aware of a significant breach when a person responsible for compliance became aware (current Regulatory Guide 78 – 78.28).
We are working with many of our clients on these issues already and can assist all licensees in developing breach reporting programs to meet the new requirements.