In this edition of FSR GPS, we consider when a breach of a core obligation is likely to be significant having regard to s 912D(5)(c) of the Corporations Act, for the purposes of the ASIC breach reporting regime.

This limb of the significance test is concerned with: “the extent to which the breach indicates that the financial services licensee’s arrangements to ensure compliance with those obligations are inadequate.”

In this article, we posit that “those obligations” means the licensee’s various core obligations as defined in s 912D(3) of the Corporations Act and not just the core obligation or obligations breached. We also consider some factors which are indicative of when a breach may indicate that a licensee’s arrangements to ensure compliance with its core obligations are inadequate.

In other words, in our opinion, the significance factor must be assessed by reference to the compliance adequacy of the totality of the core obligations.  

Relevant factors may include:

  • the number of core obligations shown by the breach to have inadequate compliance arrangements;
  • whether the cause of the breach was individual error or a systemic deficiency;
  • the length of time the breach went undetected;
  • to what extent the compliance arrangements helped in identifying the breach; and
  • the timeframe it took to investigate and assess the breach.

At the outset, it is important to acknowledge that many breaches nowadays will be deemed significant under s 912D(4), meaning the need to apply s 912D(5) may be occasional in practice. Further, the test in s 912D(5)(c) forms just one limb of the significance test in s 912D(5) and significance must be assessed having regard to all of the factors in paragraphs 912D(5)(a)-(d).

Context

Pursuant to s 912D(1)(a) of the Act, a “reportable situation” arises if the licensee has breached a “core obligation” and that breach is “significant”.

The “core obligations” are listed in s 912D(3). Some categories of breaches are deemed to be “significant” under s 912D(4). Otherwise, s 912D(5) provides that a breach of a core obligation may be “significant” having regard to the following factors:

(a) the number or frequency of similar breaches;

(b) the impact of the breach on the financial services licensee’s ability to provide financial services covered by the licence;

(c) the extent to which the breach indicates that the financial services licensee’s arrangements to ensure compliance with those obligations are inadequate;

(d) any other matters prescribed by regulations made for the purposes of this paragraph.

(our emphasis)

This article focuses on the factor in s 912D(5)(c).

Issue 1: meaning of “those obligations” in s 912D(5)(c)

The phrase “those obligations” is not defined in the Act, and its meaning depends on the context in which it appears.

Given that s 912D(5) is concerned with assessing whether “a breach of a core obligation” is significant, it seems clear that “those obligations” refers to the licensee’s core obligations.

In this context, “those obligations” may plausibly mean:

  1. the core obligation(s) the licensee has breached; or
  2. the licensee’s various core obligations as defined in s 912D(3).

In our view, the interpretation in (1) is unlikely to be the correct one, having regard to the fact that s 912D(5) is concerned with assessing whether “a breach of a core obligation” (i.e. a single obligation) is significant. Rather, we consider that the use of the plural in “those obligations” in s 912D(5)(c) is more likely referring to the licensee’s core obligations as a whole.

This is supported by the legislative history of the section.

The current formulation of s 912D came about through the amendments contained in the Financial Sector Reform (Hayne Royal Commission Response) Act 2020 (Cth). Before this, s 912D relevantly read:[1]

(1) A financial services licensee must comply with subsection (1B) if:

(a) the licensee breaches, or is likely to breach:

(i) any of the obligations under section 912A or 912B, other than the obligation under paragraph 912A(1)(c); or

(ii) the obligation under paragraph 912A(1)(c), so far as it relates to provisions of this Act or the ASIC Act referred to in paragraphs (a), (b), (ba) and (c) of the definition of financial services law in section 761A; or

…; and

(b) the breach, or likely breach, is significant, having regard to the following:

(iii) the extent to which the breach or likely breach indicates that the licensee’s arrangements to ensure compliance with those obligations is inadequate;

Thus, the factor now contained in s 912D(5)(c) was previously in s 912D(1)(b)(iii). Having regard to the conjunctive relationship between s 912D(1)(a) and (b) indicated by the use of “and”, it is clear that “those obligations” was then intended to refer to the various core obligations in s 912D(1)(a). On the better view, s 912D(5)(c) is now intended to refer to the various core obligations listed in s 912D(3).

Importantly, the obligations then listed in s 912D(1)(a) are now defined to be “core obligations” under s 912D(3). This is confirmed by the Explanatory Memorandum to the amendments, which provided that “the new core obligations mirror the existing obligations that must be reported to ASIC if they are breached.”[2]

Issue 2: applying s 912D(5)(c)

If “those obligations” means the licensee’s various core obligations, s 912D(5)(c) requires a licensee who has breached a core obligation to ask: does this breach indicate that our arrangements to ensure compliance with our core obligations are inadequate?

Noting the multiplicity of core obligations,[3] the first question that naturally arises is: will a breach be significant if it only indicates inadequate compliance arrangements for one or some, but not all core obligations?

In Commonwealth legislation like the Act, words in the plural number generally include the singular, and vice versa.[4] Accordingly, we consider it unlikely that a breach must always indicate inadequate compliance arrangements for every core obligation to be significant under s 912D(5). If a breach shows that compliance arrangements for just one core obligation are inadequate, but that inadequacy is exceptionally severe, the factor in s 912D(5)(c) may still weigh in favour of that breach being significant.

However, the use of “extent to which” in s 912D(5)(c) also suggests that all else being equal, the greater the number of core obligations shown to have inadequate compliance arrangements, the more likely a breach is to be “significant”. We consider that this may occur where a breach of a core obligation was caused by a faulty system or procedure with applications to many other core obligations, such as the training of a licensee’s staff.

Conversely, if the majority of core obligations are complied with adequately, this tends to indicate that the significance factor is not present.

In that regard, it may be useful to think of the assessment of “extent” in s 912D(5)(c) as involving both breadth (the number of core obligations shown to have inadequate compliance arrangements) and depth (how inadequate the compliance measures are for each such obligation).

When does one breach indicate inadequate compliance arrangements?

In its Regulatory Guide 78 (RG78), ASIC acknowledges that “compliance arrangements are unlikely to ensure full compliance with every aspect of the law at all times, and occasional and minor breaches do not of themselves mean that your compliance arrangements are inadequate.”[5]

By its nature, the term “compliance arrangements” focuses attention on the systems and procedures the licensee has in place to comply with core obligations.

It is useful in this regard to distinguish between breaches that are isolated, and those which are “systemic”. For example, suppose a licensee authorises the distribution of a Supplementary Financial Services Guide to a customer which is marked with the incorrect date, contrary to section 943C. If this is the result of an employee’s human error or a rare computer glitch, that might be considered an isolated breach. In contrast, if a licensee fails to put training and supervision arrangements in place to ensure documents are correctly dated and checked in general, the distribution of that Supplementary Financial Services Guide with an incorrect date is more likely to indicate an inadequacy in the compliance arrangements for the core obligation to “comply with financial services laws” under s 912D(5)(c).

However, RG78 suggests that even breaches in the former, “isolated” category may indicate inadequate compliance arrangements if they are not detected and investigated in a timely way. On this view, compliance arrangements include not merely prospective measures to prevent human error (e.g. staff training and internal policies) but also responsive measures.

Thus, even in the case of an “isolated” breach, the licensee may consider the following factors when evaluating the extent to which it indicates inadequate compliance measures for the core obligations:[6]

  • the length of time the breach went undetected;
  • to what extent the compliance arrangements helped in identifying the breach; and
  • the timeframe it took to investigate and assess the breach.

Conclusion

The “significance” of a breach of a core obligation is an important threshold, enlivening a number of breach reporting obligations under the Corporations Act 2001 (Cth) with heavy penalties for non-compliance.

In practice, many breaches nowadays are deemed significant under s 912D(4). However, in those instances where the significance of a breach needs to be assessed under s 912D(5), it is important to have regard to the extent to which the breach indicates that arrangements to ensure compliance with the licensee’s core obligations are inadequate (s 912D(5)(c)).

In our opinion, this significance factor must be assessed by reference to the compliance adequacy of the totality of the core obligations.

Relevant considerations may include:

  • the number of core obligations shown by the breach to have inadequate compliance arrangements;
  • whether the cause of the breach was individual error or a systemic deficiency;
  • the length of time the breach went undetected;
  • to what extent the compliance arrangements helped in identifying the breach; and
  • the timeframe it took to investigate and assess the breach.

Lastly, it is important to recall that s 912D(5)(c) is only one factor relevant to determining whether a breach is “significant”, and must be read alongside the other factors in s 912D(5).

 

[1] Corporations Act 2001 (Cth) as at 14 September 2021.

[2] Explanatory Memorandum, Financial Sector Reform (Hayne Royal Commission Response) Bill 2020 at [11.20].

[3] See s 912D(3) of the Act.

[4] Acts Interpretation Act 1901 (Cth), s 23(b).

[5] at 21.

[6] RG78 at 21.

Key contacts

Michael Vrisakis

Partner, Sydney

Madeline Muddle

Solicitor, Sydney
