“Cause I got issues, but you got ‘em too
So give ‘em all to me and I’ll give mine to you
Bask in the glory of all our problems
’Cause we got the kind of love it takes to solve ‘em”
— ASIC Regulatory Guide 78 Breach reporting by AFS licensees (or “Issues” by Julia Michaels)
Despite the noteworthy efforts of the other major institutions, NAB’s breach reporting record is unlikely ever to be beaten.
In fact, the new breach reporting regime that commences on 1 October 2021 should ensure that significant and detrimental delays like these do not recur.
You’re no doubt aware that the Corporations Act was amended to clarify and strengthen the breach reporting regime for financial services licensees and introduce comparable obligations for credit licensees under the National Consumer Credit Protection Act 2009. The key features of these amendments include:
- the introduction of two new significance tests;
- expanding the kinds of situations that need to be reported by licensees to ASIC (which are referred to as ‘reportable situations’) to include:
  - investigations into whether a significant breach has occurred or will occur if the investigation continues for more than 30 days, and the outcomes of those investigations;
  - conduct that constitutes gross negligence or serious fraud;
  - conduct that amounts to misleading or deceptive conduct under the financial services law; and
  - serious compliance concerns about individual financial advisers operating under another licence;
- requiring licensees to lodge breach reports with ASIC in the prescribed form, and within 30 calendar days after the licensee first knows that, or is reckless with respect to whether there are reasonable grounds to believe, a reportable situation has arisen; and
- requiring ASIC to publish data about breach reports on its website.
These changes are, for want of a better term, significant, and Licensees are already starting to operationalise these requirements. The requirements are nuanced and detailed, so review them carefully to ensure you understand them and the assumptions on which they are built.
We’ll address the law and the requirements in more detail in our webinar, but we want to highlight five key points for your immediate attention.
1. What to report
There’s more clarity provided by the new law.
A Licensee is required to notify ASIC if there are reasonable grounds to believe that a “reportable situation” has occurred or is likely to occur.
A “reportable situation” in this context occurs when:
- the licensee or a representative has breached a “core obligation” (one or more of the licensee obligations under s912A and 912B) and the breach is significant;
- the licensee or a representative is no longer able to comply with a core obligation and the breach, if it occurs, will be significant;
- the licensee’s investigation into a reportable situation continues past 30 days;
- the licensee or a representative has engaged in conduct constituting gross negligence; and
- the licensee or a representative has committed a serious fraud.
2. Judging significance
As you’re probably aware, the current law requires Licensees to determine the significance of the breach by reference to:
- the number or frequency of similar breaches;
- the impact of the breach on the licensee’s ability to provide financial services or credit activities covered by the licence;
- the extent to which the breach indicates that the licensee’s compliance arrangements are inadequate; and
- any other prescribed matters.
This practical approach has been supplemented by a new “deemed significance test.”
Essentially, a breach of a core 912A or 912B obligation will be deemed to be significant if it involves the commission of an offence punishable by a penalty of 12 months or more (or three months or more for offences involving dishonesty), involves contravention of a civil penalty, involves misleading or deceptive conduct in relation to financial products or services, or is likely to result in material loss or damage to a retail client.
In contrast to the glacial speed permissible under the old law, the new law requires Licensees to alert ASIC of reportable situations within 30 calendar days.
If the reportable situation relates to personal advice provided to retail clients, the new law obliges the Licensee to take reasonable steps to notify affected consumers. (Similarly, Credit Licensees are required to notify customers if the credit assistance involved a credit contract secured by a mortgage over residential property, and the licensee or representative is a mortgage broker.)
This notification process is critical if there are reasonable grounds to believe that the reportable situation is a significant breach of a core obligation, gross negligence or serious fraud or that affected clients have suffered, or will suffer, loss or damage. Likewise, if the Licensee reasonably suspects that an affected client has a legally enforceable right to recover the loss or damage, then there is an obligation to notify them, in writing and in a form approved by ASIC, within 30 days.
Interestingly, the decision to notify affected clients has another, immediate consequence: it obliges the licensee to conduct an investigation within 30 days of notifying clients. The investigation itself is not a trivial obligation; the licensee is required to identify the acts or omissions that caused the breach and quantify the loss or damage to the affected client. After completing the mandatory investigation, the licensee must notify affected customers of the outcome of the investigation.
5. Remediation and Compensation
After the completion of the mandatory investigation, if there are reasonable grounds to believe that a client has suffered, or will suffer loss or damage, the licensee must take reasonable steps to pay them an amount equal to their loss or damage.
These obligations do not affect any of the client’s legally enforceable rights to recover loss or damage, but it’s likely that any court may take into account any compensation paid by the licensee when assessing loss or damage.