Australia approves sweeping changes to breach reporting regime

In a move with significant implications for Australian financial services and credit licensees (AFS Licensees and Credit Licensees respectively), the Federal Parliament has passed legislation endorsing several reforms recommended by the Financial Services Royal Commission, including to the regime for reporting significant breaches to ASIC.¹

This briefing summarises the key changes to that regime, and issues to look out for in preparing for the new regime to commence on 1 October 2021.

The highly anticipated changes to the regime include:

1. The requirement to report significant breaches will extend to Credit Licensees for the first time.
2. The significance test has been expanded to require reports in a broader range of circumstances.
3. The reporting obligation will apply not only when the licensee ‘knows’ there has been or will be a significant breach, but also where the licensee:

• knows there are reasonable grounds to believe that is the case; or
• is reckless as to whether there are reasonable grounds to believe that is the case.

4. Reports must be lodged within 30 days rather than 10 days.
5. New requirements to report at the investigation stage, if the investigation has continued for more than 30 days, and to report on the outcome of investigations.
6. New requirements to notify clients of reportable breaches involving personal advice to retail clients or credit assistance by mortgage brokers, to investigate and quantify any loss or damage suffered, and to compensate the affected clients.
7. New requirements to report breaches by other licensees in certain circumstances (targeted at misconduct by mortgage brokers or individual financial advisers).

The changes differ from those in the Exposure Draft released in January 2020 in various ways, including that: 1) investigations are only reportable if they continue for more than 30 days; 2) a materiality requirement has been added to the significance factor relating to client loss or damage; 3) a breach of the misleading or deceptive conduct prohibitions in s1041H(1) of the Corporations Act and s12DA(1) of the ASIC Act is now deemed significant despite those provisions not being civil penalty provisions; and 4) the test of reasonable knowledge has been simplified and the concept of recklessness added.

The legislation received royal assent on 17 December 2020. With the reforms taking effect from 1 October 2021, AFS Licensees and Credit Licensees have nine months to ensure they understand the new regime and have established systems and controls to comply with it. The potential consequences of non-compliance are significant as the legislation introduces several new civil penalty provisions, which carry significant financial penalties.

The new test for when to report a significant breach

Under the new regime, reports must be lodged within 30 days after the AFS Licensee/Credit Licensee first knows, or is reckless with respect to whether, there are reasonable grounds to believe a reportable situation has arisen.

A reportable situation arises when:

1. the licensee or its representative has breached a core obligation² and the breach is significant;
2. the licensee or its representative is no longer able to comply with a core obligation and the breach, if it occurs, will be significant;
3. the licensee or its representative has commenced an investigation into whether (a) or (b) applies and the investigation has continued for more than 30 days; or
4. an investigation described in (c) above discloses that there is no reportable situation of the kind mentioned in (a) or (b); or
5. the licensee or its representative has engaged in gross negligence³ or serious fraud.⁴

The test for significance has changed markedly. For AFS Licensees, a breach of a core obligation is deemed to be significant if:

1. the provision breached is an offence that may involve imprisonment (3+ months for dishonesty offences, 12+ months for others);
2. the provision breached is a civil penalty provision, or s 1041H(1) of the Corporations Act or s12DA(1) of the ASIC Act (misleading or deceptive conduct in relation to a financial product or service); or
3. the breach results, or is likely to result, in material loss or damage to clients or members.

For Credit Licensees, breach of a “key requirement” under the National Credit Code⁵ is also deemed to be significant.

In addition, AFS Licensees and Credit Licensees must still assess any other breaches for significance having regard to the number or frequency of similar breaches, the impact of the breach on the licensee’s ability to provide the services covered by its licence, the extent to which the breach indicates the licensee’s compliance arrangements are inadequate, and any other matters prescribed by regulation.

We expect that breach reports will be required in a much wider variety of circumstances because many of the financial services laws that constitute core obligations are civil penalty provisions (including, since 13 March 2019, s912A(1)(a) of the Corporations Act and s47(1)(a) of the National Consumer Credit Protection Act (the obligation to do all things necessary to ensure financial services are provided / credit activities are engaged in efficiently, honestly and fairly). In practice, there may be limited scenarios when the deemed significant test is not met and it is necessary to subjectively consider significance.

The Explanatory Memorandum contemplates that the government may revisit this once it sees how many breach reports ASIC is getting under the new regime:

“[The] regulation-making power ensures there is sufficient flexibility to target ASIC’s surveillance to problematic areas. For example, if ASIC is receiving a large number of largely unproblematic breach reports for minor, technical or inadvertent breaches of civil penalty provisions, and those breaches would not otherwise be significant, the Government may decide that the regulatory burden imposed outweighs the benefit of receiving those reports. In those circumstances, the regulation-making power may be used to quickly reduce the regulatory burden on licensees to report breaches where appropriate.”

Obligations to notify, investigate and remediate reportable situations affecting retail clients who receive personal advice or credit clients who used a mortgage broker

The legislation will introduce new obligations on AFS Licensees to investigate reportable situations that may cause loss or damage to retail clients who received personal advice, to notify those potentially affected clients, and to pay compensation to affected clients within 30 days of completing the investigation.

More specifically, from 1 October 2021, if there are reasonable grounds to suspect that a retail client who received personal advice:

1. has suffered or will suffer loss or damage as a result of a reportable situation of the type in (a) or (e) above (that is, a reportable breach, gross negligence or serious fraud); and
2. has a legally enforceable right to recover that loss or damage from the AFS Licensee,

the AFS Licensee must:

1. Take reasonable steps to notify the affected client of the reportable situation within 30 days after the AFS Licensee first knows of, or is reckless with respect to, the reportable situation and the reasonable grounds mentioned above.
2. Commence an investigation of the reportable situation within 30 days after the licensee first knows of, or is reckless with respect to, the reportable situation and the reasonable grounds mentioned above. This investigation must identify the conduct that gave rise to the reportable situation, quantify the loss or damage to the affected client, and do anything else prescribed by regulation. The investigation must also be completed as soon as reasonably practicable after it is commenced.
3. Take reasonable steps to give the affected client written notice of the outcome of the investigation within 10 days after completing the investigation.
4. If, after the investigation is completed, there are reasonable grounds to believe that the affected client:

1. has suffered or will suffer loss or damage as a result of the reportable situation; and
2. has a legally enforceable right to recover that loss or damage from the AFS Licensee,

take reasonable steps to pay the affected client an amount equal to that loss or damage within 30 days after completing the investigation.

Failure to carry out these steps will itself be a breach of a civil penalty provision. The legislation contemplates that ASIC may specify an approved form for use in making the relevant notifications to retail clients. 

For Credit Licensees, the legislation introduces similar obligations in relation to reportable situations where mortgage brokers have provided credit assistance to home loan customers.

Both AFS Licensees and Credit Licensees will also be required to keep sufficient records to demonstrate compliance with these requirements. The legislation contemplates that regulations may be developed to specify the types of records that must be kept.

Obligation to report on other licensees

The legislation also introduces a requirement to lodge a report with ASIC in respect of conduct involving a financial adviser or mortgage broker in certain circumstances.

Specifically, AFS Licensees will be required to lodge a report with ASIC if:

1. there are reasonable grounds to believe that a reportable situation of the type in (a), (b) or (e) above (that is, significant breach, likely future significant breach, gross negligence or serious fraud) has arisen in relation to another AFS Licensee;
2. the breach/negligence/fraud includes conduct by an individual who is either the other AFS Licensee or an employee/director/representative of the other AFS Licensee acting within the scope of their employment/duties/authority; and
3. the individual provides personal advice to retail clients in relation to relevant financial products (as defined in Chapter 7 of the Corporations Act).

This report must be lodged in the prescribed form within 30 days after the AFS Licensee first knows, or is reckless with respect to, the circumstances described above. A copy of the report must also be given to the other licensee within the same 30‑day time period. Failure to lodge such a report with ASIC and share it with the other licensee is a civil penalty provision.

For Credit Licensees, the legislation introduces a similar obligation in relation to reportable situations involving mortgage brokers.

Issues to look out for in preparing for 1 October 2021

We recommend all AFS Licensees and Credit Licensees assess their breach reporting practices in light of the new regime and seek advice on how to build practices into their business that enable compliance with both the current and new regimes. Some issues to look out for in preparing for 1 October 2021 are:

1. When will the 30 days start to run, in light of your organisation’s breach assessment processes, now that the test involves “reasonable grounds” and “recklessness” rather than just knowledge?
2. When does an investigation start for the purpose of calculating whether it has continued for 30 days? What constitutes an “investigation” and what steps are merely preliminary to the investigation?
3. There is an incentive to try to complete investigations within 30 days where possible, so the relevant licensee can report to ASIC once (and with certainty) rather than reporting while the investigation is continuing. How can licensees put procedures in place now to help them achieve this goal?
4. Deemed significance for all civil penalty provisions means almost all breaches of the relevant legislative provisions will be ‘significant’ and reportable, regardless of their size or other factors that would typically be assessed in determining significance (e.g. impact on customers, number and frequency of similar breaches, etc). What new resources and systems will licensees need to comply with this “new normal”?
5. Similarly, AFS Licensees and Credit Licensees will need to implement new systems to ensure they can comply with obligations to notify certain types of clients who may be affected by reportable situations and investigate and remediate the situation as required.
6. AFS Licensees and Credit Licensees will also need to establish systems and controls to identify reportable situations involving other licensees and comply with the obligations to report these situations to ASIC and the other licensee.

Endnotes

1. The Financial Sector Reform (Hayne Royal Commission Response) Act 2020 (the Act).
2. The core obligations are specified in the Act and are the same legislative provisions that currently attract the breach reporting regime. They include s 912A(1)(a) of the Corporations Act (the “efficiently, honestly and fairly” obligation) and the prohibitions on unconscionable conduct and misleading or deceptive conduct in the ASIC Act.
3. Gross negligence is not defined in the Act, and not addressed in the Explanatory Memorandum. Its natural meaning, having regard to the common law, will apply: essentially carelessness to an extreme degree.  
4. Serious fraud is defined in s 9 of the Corporations Act 2001 and means an offence involving fraud or dishonesty, against any law, that is punishable by imprisonment for a period of at least 3 months.
5. See definition in section 111 of the National Credit Code.