RG 78 Breach Reporting by AFS licensees and credit licensees: ASIC updates guidance on Reportable Situations Regime April 2023


Since amendments in October 2021 the reportable situations (formerly referred to as breach reporting) regime for AFS and credit licensees has become both broader in its reach and more complex in its operation. Implementation of the new regime has posed a number of challenges both for industry and the regulator. Addressing these has, and continues to be, a strategic priority for ASIC and, following the release of ASIC Report 740 in October 2022, which analyses the first six months’ operation of the reportable situation regime, ASIC has issued updated Regulatory Guidance and revisions to the online form for reporting reportable situations.


The background

ASIC released Report 740 Insights from the reportable situations regime: October 2021 to June 2022 in October 2022. Its analysis of over 8,000 reports lodged in that period led to four key conclusions about how industry was responding to the new regime. These were that:

  • the number of licensees reporting breaches was very low;
  • remediation practices were unsatisfactory with some reports indicating that financial losses would not be compensated, and in cases where remediation was planned, frequent long delays in finalising the payment of compensation;
  • long delays in the identification and investigation of breaches, with many instances taking years; and
  • a high proportion of reports showed evidence of inadequate efforts to identify and address the root cause of the breach.

In April 2023, to assist in addressing these issues, ASIC issued updated guidance reflecting the first phase of its response to earlier industry consultation it conducted about improvements to the reportable situations program. The updated reporting form took effect on 5 May 2023.

The reportable situations regime has been described as the ‘cornerstone’ of Australia’s financial services regulatory structure. The regime acknowledges that despite an expectation of compliance, breaches may occur, and imposes governance requirements around their identification, management and remediation.

ASIC requires AFS and credit licensees to notify ASIC of all reportable situations: ss 912DAA–912DAB of the Corporations Act 2001 (Cth) and ss 50B–50C of the National Consumer Credit Protection Act 2009 (Cth). This includes, among other things, breaches or likely breaches that are assessed as or deemed to be significant, prolonged breach investigations, certain additional reportable situations, as well as similar situations concerning certain other licensees involved in distributing financial products.


What has changed?

ASIC’s revised guidance on implementing the reportable situations regime (Regulatory Guide 78) is the first phase of changes identified in consultation with industry, with more to come. These are set out in detail in a summary document: Reportable situations: Overview of changes to RG 78, announced in April 2023. The most significant of these changes include:

  • a new test for when related reportable situations may be ‘grouped’ into one report. The new ‘grouping test’ (112-117 and Table 9) allows licensees to group related matters together if there is similar, related or identical conduct with the same root cause;
  • clarification that ASIC expects updates on the progress and status of certain types of reported breaches at least every six months; and
  • revisions to the FAQs about how to complete the reportable situations form, including:
      • more detailed and specific typologies to provide detailed guidance in relation to the expected responses concerning the ‘trigger’ for the investigation into the reportable situation, and the determination of its root cause;
      • revised guidance in relation to the question as to whether similar reportable situations have occurred in the past. ASIC has provided a list of factors to consider in assessing ‘similarity’.

        A difficult question that often arises is how far back to look. While the purpose of this question is to identify repeat or systemic issues, ASIC considers that the response will also depend on the impact, nature and complexity of the reportable situation. Importantly, the field provided to describe the reportable situation is free text and so allows context and perspective concerning any similar past issues to be documented and provided;

      • additional guidance as to when a client is to be considered ‘affected’ by an issue, the meaning of the term ‘investigation’, and rewording of the question dealing with when the licensee first became aware that a breach, serious fraud or negligence had occurred, to focus on when this was first discovered rather than when it was determined that a reportable situation had arisen; and
      • additional guidance as to when and how to seek withdrawal or correction of a reportable situations report.


There is more to come

Further matters raised in the course of earlier consultations that ASIC is yet to address are summarised in Table 3 in the outline document. For instance, while ASIC has addressed the grouping issues, it is yet to determine an approach on how to calculate the number of reportable situations that relate to a breach, or the number of instances of the event that relate to a reportable situation.

ASIC also acknowledges another key issue that remains to be addressed, relating to the naming of the person(s) whose conduct or actions are the subject of the breach. Although this information is not made public, disclosure of individuals’ names raises a range of privacy, procedural fairness and other concerns. While the information must continue to be provided, ASIC has indicated it is considering how to balance these privacy and procedural fairness concerns, including the impact on employees’ wellbeing, with the regulatory benefit of receiving this information.


The take-away

ASIC considers breach reporting to be a critical source of intelligence relating to the management and remediation of these breaches. The reportable situations regime is, however, complex and raises operational challenges for licensees, which ASIC’s analysis in its report last October has highlighted. Timely identification, remediation and reporting of reportable situations is a strong indicator of an effective compliance framework.

ASIC has had its own challenges with the regime, but is developing its capability to analyse the rich seam of data these reports provide, and can be expected to use this information to set industry surveillance and enforcement priorities in future.

The insights ASIC articulated in October 2021 in its report provide a vital roadmap to what the red flags for ASIC might be, and the recent update to RG 78 may be viewed as ASIC’s response to any argument by industry that these issues are teething problems and should be excused. In other words, while ASIC may decide to take no further action in relation to the subject of any given report, it is reasonable to expect that its greater interest will be in licensees that have not lodged any reports and, for those that have, in the timeliness with which the breach was identified and investigated and the report was lodged, the rigour of the root cause analysis of the breach, and the effectiveness of the remediation of any financial loss caused by it.


If you would like to know more about how to better meet ASIC’s expectations in relation to identifying, remediating and reporting reportable situations, or would like to discuss a reportable situation, contact Andrew Ham or Sirisha Pinnali from our Banking and Finance team.