Regulatory breach reporting is a concept that has been in and out of favour since the FSR reforms of twenty years ago. After the introduction in March 2002 of the breach reporting obligation of Australian Financial Services Licence (AFSL) holders in s 912D of the Corporations Act, the concept was extended to prudential regulation. Following this, the wheel turned and the concept was dropped from the proposed credit licensing regime before the regime was enacted. A decade, and a Royal Commission, later the wheel has turned again.
The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry, (the Banking Royal Commission) at Recommendation 7.2 endorsed the recommendations of the 2017 Report of the ASIC Enforcement Review Taskforce. The Government accept this endorsement and took the recommendation further in its omnibus legislation, the Financial Sector Reform (Hayne Royal Commission Response) Act 2020 (Cth) (the Act). Schedule 11, which deals with breach reporting, takes effect on 1 October 2021. Breaches that occur before that date are not required to be reported, even if the licensee only becomes aware of them after that time.
The Act extends and increases the reporting obligation for AFSL holders and introduces a very similar regime for Australian Credit Licence (ACL) holders. Licensees should also be aware of the related Financial Sector Reform (Hayne Royal Commission Response—Breach Reporting and Remediation) Regulations 2021. Most recently, on 7 September 2021 ASIC issued crucial guidance for the implementation of the new regime, as RG 78 Breach reporting by AFS licensees and credit licensees.
This article examines its impact on ACL holders of these developments and proposes some steps towards being prepared to comply by 1 October 2021.
What is the Existing Framework?
AFSL holders have long been required to report to ASIC any significant breaches or likely breaches of a dozen core obligations under sections 912A and 912B of the Corporations Act 2001 (Cth). There are 11 broad requirements, including to act efficiently, honestly, and fairly, and to comply with the financial services laws and the conditions of their financial services licence.
ACL holders are required to comply with 13 general obligations under s 47 of the National Consumer Credit Protection Act 2009 (Cth) (NCCPA) that are broadly similar to the equivalent provisions of the Corporations Act. This includes the obligation to comply with the consumer protection provisions of the ASIC Act, and other legislation covering conduct relating to credit activities such as the Banking Act 1959 (Cth) under which banks are regulated by APRA, and the Financial Sector (Collection of Data) Act 2001 (Cth) under which APRA collects statistical data from a much broader range of registered financial corporations, including bank and non-bank lenders (collectively, the credit legislation).
These core obligations reflect the foundations of the licensee’s regulatory compliance framework and will be well known. ACL holders have been required to report significant breaches annually when completing their compliance certificate since the inception of the ACL regime.
So, what’s new for ACL holders?
Under the new regime, ACL holders will be required to report:
- Reportable situations – significant breaches or likely breaches of the core obligations that apply to them as ACL holders, including both:
- Significant Breaches of Core Obligations – that are assessed to be significant having regard to three key factors discussed below; or
- Deemed significant breaches – a daunting list of over 150 specific obligations attracting civil or criminal penalties that are ‘deemed significant’ and therefore reportable on a strict liability (hair trigger) basis attracting both civil penalty and criminal penalties for failure to comply;
- Additional reportable situations
- Any conduct that constitutes gross negligence or serious fraud;
- Investigations – instances of investigations into a breach or likely breach of a core obligation
- continuing for over 30 days; or
- continuing for less than 30 days and resulting in finding that no significant breach occurred); and
- Reportable situations about other licensees – reasonable grounds to believe a mortgage broker authorised by another ACL holder is in significant breach or likely breach of a core obligation or has been grossly negligent or committed serious fraud.
Licensees must report breaches to ASIC within calendar 30 days of when they have reasonable grounds to believe a reportable situation has arisen. Breaches by the representatives other licensees must also be reported to that licensee, so mortgage broking business should prepare to ‘snitch’, and to be ‘snitched upon’. A licensee receiving a report from another licensee must commence its own enquiries as to whether a reportable situation has arisen.
Failing to report a reportable situation is itself a breach, which attracts penalties that deem it to be reportable.
What is a significant breach?
Licensees should first consider if the breach is deemed to be significant before determining if the breach is significant for other reasons.
What is ‘deemed significant’?
Breaches that are ‘deemed significant’ will be reportable, with the aim of strengthening and reducing the room for interpretation of what is reportable in the existing reporting regime. A breach of a core obligation is deemed significant if it:
- is a criminal offence that attracts a prison sentence of at least 12 months, or at least 3 months for offences of dishonesty (e.g. fraud, bribery, money laundering),
- attracts a civil penalty (including if it is a breach of the requirements in relation to prohibited monetary obligations in credit contracts and the maximum annual cost rate of a credit contract)
- is misleading and deceptive conduct in relation to financial products and services, or
- results in material loss or damage to a client that is party to a credit contracts or is receiving credit services.
The Corporations Regulations 2001 (Cth) excludes certain civil penalty provisions that would otherwise be taken as significant. These exceptions include all civil penalties imposed under the credit legislation and administrative failures that are breaches of the NCCPA, such as failing to provide a credit guide. The Government has signalled that further minor and technical changes to these exemption arrangements are planned and amendments to the legislation are currently open for public comment.
Should your business require assistance navigating the reportable situations, please contact our Banking & Finance team for a copy of our Breach Reporting Compliance Guide.
What is material loss or damage?
One notable criteria for a breach to be deemed to be significant is if it results in material loss or damage to clients.
Whether a loss is material will depend on the financial situation and other circumstances of the person harmed by the breach. ASIC expects licensees to determine a customer’s circumstances when assessing the significance of a regulatory breach. Licensees’ should recognise that ASIC’s expectations have changed and consider whether a change in approach to the assessment of the materiality of financial loss is required. In the case of a breach affecting a number of people, the licensee will need to consider the aggregate financial impact on those clients affected when assessing materiality.
Additional reportable situations
Regardless of the significance or otherwise of the underlying breach or likely breach, licensees will need to report
- any investigation into a breach or likely breach that exceeds 30 days, or which concludes within 30 days but finds no reasonable grounds to suspect a significant breach.
- Any conduct that is determined to rise to the level of gross negligence or serious fraud.
While not all issues will require an investigation, ASIC expects that any investigations that are necessary are conducted in a timely manner and without unreasonable delay (RG 78.59).
To comply with this reporting obligation licensees will need to establish a clear point at which an investigation begins and ends and effective procedures to initiate, record, escalate and conduct investigations, and identify systemic issues. These measures can vary, depending on the size and complexity of the licensee, but will be triggered by ‘human effort’ or information gathering. This can include communicating and gathering evidence from customers or staff, seeking advice, or outsourcing the investigation.
The criteria for significance
If the breach is not automatically deemed to be significant, ACL holders are required to assess whether the breach (or likely breach) is significant by reference to the following considerations in s.50A(5) NCCPA:
- Number or frequency of similar breaches;
- Impact on the licensee’s ability to engage in credit activities covered by the licence; and
- Whether the breach indicates that compliance arrangements are not adequate.
ASIC’s view, expressed in its regulatory guidance, is that this determination should be made objectively (RG 78.48). A practical explanation of how to apply these three criteria may be found there. Licensees should consider whether a particular issue is significant under these criteria only after it has been determined it is not deemed to be significant or is reportable for any other reason.
A revised reporting period
The 10 business day time limit for reporting a breach or likely breach under the AFSL regime has proven to be challenging for licensees. On the surface, it appears this has been addressed by the move to a 30-day reporting period.
However, this might not be the case in practice – the longer (30 calendar day) reporting period is accompanied by an earlier start date commencing once the licensee has actual or apparent knowledge of the breach.
Licensees should ensure current internal reporting processes set clear rules as to the point at which the licensee has knowledge of the issue.
If a breach occurs before 1 October, new reporting obligations do not apply even if the matter only comes to notice after that date. However, if the breach continues or an investigation of over 30 days takes place after 1 October, the new framework will apply.
So how do licensees report?
ASIC remains the relevant authority to receive notice of reportable situations. Breaches of the credit legislation that would be reportable to APRA (such as breaches of the Banking Act) are deemed to be reported to ASIC when the required report is made to APRA.
In making a report, licensees must use the prescribed form. ASIC has provided guidance on what information is required in table 8, page 33, RG 78 Breach reporting by AFS licensees.
What do Licensees need to do now?
As we hurtle closer to the 1 October deadline, it is important that licensees have a grip on what these new obligations will mean for their financial services and credit activities, and how they will ensure they comply with them.
At Hunt & Hunt, our Banking & Finance team is here to assist with implementation of the new breach reporting regime.
Things to do now:
- Review your compliance framework and ensure a robust system is in place for the identification, escalation, remediation and reporting of regulatory breaches. This includes:
- an accurate and complete breach reporting register documenting issues as they are identified, and tracking their investigation, assessment for significance and the management of remediation measures taken;
- clear objective criteria and allocated decision-making authority both as to findings of whether or not a reportable breach has occurred, and the underlying determination the facts on which those findings are based.
- Identify the trigger events for what is reportable. This includes
- tracking smaller (not significant) breaches that may be or become systemic or otherwise become significant when aggregated
- identifying the compliance obligations that attract criminal and civil penalties which if breached are deemed significant and therefore reportable. There are over 170 such provisions in the NCCPA. You can contact our Banking & Finance team for a copy of our Breach Reporting Compliance Guide to help with this.
- Develop procedures for identification, assessment and reporting of other potentially reportable situations, including instances of gross negligence or serious fraud, and matters arising from the conduct of the mortgage brokers the licensee deals with.
- Develop procedures to document investigations of potential breaches, track the length of the investigation, and escalate the matter for reporting at the required time.
- Nominate the decision-makers responsible whose knowledge of the issue is deemed to be the knowledge of the licensee, and for making the final determination as to a reportable situation.
~ with Alexandra Culshaw, Graduate at Law