Regulator guidance the latest development in countdown to Australia’s breach reporting reforms

In December last year we wrote of the sweeping changes to Australia’s breach reporting regime that had been passed into legislation by Federal Parliament and would have significant implications for Australian financial services and credit licensees (AFS Licensees and Credit Licensees respectively). 

We summarised the key changes and highlighted issues for licensees to look out for in preparing for the regime to commence on 1 October 2021.

Five months from when the changes will take effect, the Australian Securities and Investments Commission (ASIC) has released draft guidance on the new regime and is seeking feedback on it.

Treasury has also consulted on draft regulations, which give an early indication of the types of provisions that will be excluded from ‘deemed significance’ under the new laws.

In this briefing we highlight the key implications of ASIC’s guidance and the draft regulations for licensees as they continue to prepare for 1 October 2021.

CP 340: ASIC’S CONSULTATION ON NEW REGULATORY GUIDANCE

On 22 April 2021 ASIC released its much-anticipated guidance on the new regime, in Consultation Paper 340 (CP 340) which attaches:

• A draft revised Regulatory Guide 78 (RG 78) entitled “Breach reporting by AFS licensees and credit licensees”; and
• A draft information sheet (INFO 000) on the “notify, investigate and remediate” obligations in situations affecting retail clients who receive personal advice or credit clients who use a mortgage broker.

ASIC is seeking comments on these documents until 3 June 2021 and notes that they “are only an indication of the approach ASIC may take and are not [ASIC]’s final policy”.

At some time between 3 June and 1 October 2021 ASIC is expected to release RG 78 and INFO 000 in final form.

The feedback ASIC is seeking by 3 June 2021 includes:

• any alternative approaches that might achieve ASIC’s objectives; and
• any comments on:
• likely compliance costs;
• the likely effect on competition; and
• other impacts, costs and benefits.

Some key notable aspects of draft RG 78 include:

• On ‘significance’: Draft RG 78 gives practical examples of deemed significant breaches, breaches that may be significant under the general test, breaches that may not be significant, and factors that determine whether a breach is significant. Whilst these are useful as illustrations, they can only scratch the surface of the many types of breaches that will be deemed significant under the new regime by virtue of being civil penalty provisions and/or relevant offences.   Licensees should be wary of reading the examples as limiting the effect of the legislation, and may find it useful to start considering the types of issues that come up in practice that would, if established, be a breach of a civil penalty provision or a relevant offence.
• On “investigations”: Draft RG 78 gives two practical examples of investigations that are reportable situations. Otherwise, draft RG 78 does not give any more guidance than the explanatory memorandum on when an “investigation” starts. It states that the time at which an investigation starts is a matter of fact and not a matter for subjective determination by the licensee. Whilst true, this fails to acknowledge it is the licensee that has to form a view about when the investigation runs past 30 days thereby triggering the reporting obligation.
• On knowledge/recklessness: There is an important change in how ASIC assesses “knowledge”, at paragraphs RG 78.73 to 78.77. In the current RG 78, ASIC states: “We will administer this requirement as meaning that you become aware of a breach (or likely breach) when a person responsible for compliance becomes aware of the breach” (RG 78.28). In the new draft RG 78, ASIC relies on s 769B(3) of the Corporations Act to ascribe knowledge to anyone in the organisation who is acting within the scope of their actual or apparent authority.  Whilst there is an argument this reflects s 769B(3) and is consistent with the use of “recklessness” in the new breach reporting test, it is still a notable change in stance from ASIC. If ASIC’s position is accepted it will be another matter that licensees will need to carefully consider when assessing when they become subject to meeting the 30 day timeframe for reporting a significant breach.
• On method and content of breach reports: Draft RG 78 confirms that a prescribed form in the ASIC Regulatory Portal will be used to lodge breach reports. It gives a useful outline of the fields that will be in the prescribed form.
• On compliance arrangements: Draft RG 78 has a useful section, not present in the current RG 78, on what types of systems a licensee should have in place to identify, record and report breaches. This section, together with Report 594, gives licensees regulatory guidance to consider in seeking to adjust their breach reporting processes ahead of 1 October 2021.

Whilst ASIC’s proposed guidance is helpful, it is clear that the new regime still throws up many issues on which licensees will need to seek advice and exercise judgment in preparing for the new regime.

DRAFT REGULATIONS RELEASED BY TREASURY

As noted above and in our article last December, deemed significance for all civil penalty provisions (and certain criminal offences) means that almost all breaches of the relevant legislative provisions will be “significant” and reportable, regardless of their size or other factors that would currently be assessed in determining significance (e.g. impact on customers, number and frequency of similar breaches, etc). The legislation contemplates that regulations will be made to exclude certain provisions from deemed significance.

On 10 March 2021, Treasury released an exposure draft of regulations for the new breach reporting regime. The main purpose of these regulations (as they relate to breach reporting) is to:

• prescribe civil penalty provisions that are not taken to be significant under the breach reporting regime if contravened (i.e. breach of these provisions will not be deemed to be significant, but will still need to be assessed under the general significance test); and
• provide that failures to breach report can be the subject of an infringement notice by ASIC (an easier enforcement outcome for ASIC than commencing civil penalty proceedings).

We address each of these in turn below.

Civil penalty provisions not taken to be significant if breached

Under the draft regulations:

• For AFS Licensees, the civil penalty provisions not taken to be significant are provisions relating to the issuing of Financial Services Guides and Product Disclosure Statements.
• For Credit Licensees, the civil penalty provisions not taken to be significant are provisions relating to:
• the issuing of Credit Guides; and
• the citing of the licensee’s credit license number on documentation (e.g. Credit Guides, advertisements) as already required by the National Consumer Credit Protection Act (NCCP Act).

This leaves a large number of provisions (whether civil penalty provisions or relevant offences) “deemed significant” (if breached) and therefore reportable under the new regime. It is possible that the provisions deemed to be “significant” will be further narrowed (whether before or after the new regime commences), given:

• Treasury consulted with interested parties (including industry and industry groups) on the draft regulations, and might therefore amend them before 1 October 2021 to exclude more provisions from deemed significance.
• The Explanatory Memorandum to the amending legislation contemplates that the deemed significance provisions may be reassessed after the new regime has been in place for some time. It states:

“[The] regulation-making power ensures there is sufficient flexibility to target ASIC’s surveillance to problematic areas. For example, if ASIC is receiving a large number of largely unproblematic breach reports for minor, technical or inadvertent breaches of civil penalty provisions, and those breaches would not otherwise be significant, the Government may decide that the regulatory burden imposed outweighs the benefit of receiving these reports. In those circumstances, the regulation-making power may be used to quickly reduce the regulatory burden on licensees to report breaches where appropriate.”

In the meantime, a key strategic decision for AFS Licensees and Credit Licensees will be how to deal with low volume, low severity breaches (or potential breaches) of “deemed significant” provisions that are detected from time to time (for example, through customer complaints or incident reporting systems). Is it practical for each of these to be the subject of an investigation, or should they simply be reported to ASIC at the time of detection?

Failure to breach report can be the subject of an infringement notice

The draft regulations also provide that failure to report a reportable situation to ASIC within the required timeframe can be the subject of an infringement notice. Infringement notices are a method of enforcement ASIC can use in certain situations, if it has reasonable grounds to believe an entity has breached a legislative requirement. Infringement notices specify an amount to be paid, which the licensee can either agree to  pay or take the risk that ASIC will bring court proceedings in respect of the alleged failure.

In publishing this draft regulation, Treasury noted that “there may be a high volume of contraventions (ranging in severity)” of the duty to breach-report. This ties in with the fact discussed above, that many types of breaches will now be deemed significant (and therefore reportable) under the new regime, without the need for a significance assessment of the type that occurs under the current regime.

IMPORTANCE OF CP 340 AS LICENCEES CONTINUE TO PREPARE FOR 1 OCTOBER 2021

Whilst much of its content was to be expected, CP 340 (and its attachments draft RG 78 and draft INFO 000) will be important reference points (together with the amending legislation and its explanatory memorandum) as AFS Licensees and Credit Licensees assess and refine their breach reporting practices in light of the new regime.

Moreover, the current consultation process ending on 3 June 2021 is an important opportunity to influence ASIC’s guidance, inform ASIC of practical challenges the laws entail, and perhaps ultimately influence what types of civil penalty provisions and offences remain ‘deemed significant’ as the new regime becomes embedded in the longer term.