In response to concerns regarding the inadequacy of existing breach reporting laws for Australian Financial Services Licensees and Credit Licensees raised in the Banking Royal Commission, the Federal Government recently introduced a new mandatory breach reporting regime for licensed financial advisers, brokers and lenders.

The new regime makes certain material changes, including:

  1. The extension of the breach reporting regime to Australian Credit Licensees, in addition to Australian Financial Services Licensees;
  2. A requirement to report not only breaches but also investigations taking longer than 30 days;
  3. A list of breaches that will be deemed significant breaches, in addition to the subjective test of significance/materiality;
  4. A requirement to report within 30 calendar days, rather than 10 business days; and
  5. A requirement for ASIC to publish information on reports it receives, including the name of breaching licensees.

In this article, we outline in more detail the reporting regime as it now applies.

Who needs to report?

The obligations to report breaches apply to holders of an Australian Financial Services Licence (AFSL) or an Australian Credit Licence (ACL).

For AFSL licensees, your obligations appear in the amended Section 912D of the Corporations Act 2001 (Cth).  You maintain an obligation to report under the old regime for breaches occurring prior to 1 October 2021, but the new regime applies in relation to breaches occurring on and after 1 October 2021.

For ACL licensees, your new obligations appear in section 50A of the National Consumer Credit Protection Act 2009 (Cth) and they apply in relation to breaches occurring on and from 1 October 2021.  Your obligations are restricted to Credit Code activities.

What are my reporting obligations?

You are required to self-report if you suffer a reportable situation.  This occurs if:

  1. You or your representatives have breached a core obligation and the breach is significant; or
  2. You or your representatives are no longer able to comply with a core obligation and if a breach occurs the breach would be significant; or
  3. You or your representatives conduct an investigation into whether there has been or will be a significant breach of a core obligation, and the investigation lasts longer than 30 days; or
  4. An investigation of the kind described above discloses that there has been no breach of a core obligation (noting that a decision that a breach took place would be its own reportable situation); or
  5. You or your representatives have engaged in gross negligence or serious fraud.

The core obligations for AFSL licensees are those set out in s912A and 912B of the Corporations Act 2001 (Cth), with a special note regarding s912A(1)(c).  For ACL licensees, this is the obligation set out in section 47 of the National Consumer Credit Protection Act 2009 (Cth), with a special note regarding s47(1)(d).

A breach of a core obligation will be deemed significant if the breach:

  1. is the commission of an offence which is punishable by imprisonment for 12 months or more (or 3 months where the offence involves dishonesty);
  2. is the contravention of a civil penalty provision under any law;
  3. is the contravention of provisions of the Corporations Act (AFSL) or the National Consumer Protection Act (ACL), or the ASIC Act (both) relating to misleading or deceptive conduct;
  4. results in, or is likely to result in, material loss or damage to customers or members; or
  5. is otherwise significant having regard to:
    1. the number and frequency of similar breaches;
    2. the impact of the breach on the licensee's ability to provide services covered by the licence;
    3. the extent to which the breach indicates that the licensee's arrangements to ensure compliance are inadequate; and
    4. any other matters prescribed by regulations.

There is no definition of what constitutes gross negligence, so the common law will apply. Interestingly, ASIC Regulatory Guide R78 points to an example of gross negligence being a failure to communicate application requirements to a customer to enable a finance application to be processed in time.

Serious fraud is defined as an offence involving fraud or dishonesty being an offence against Commonwealth or State laws and punishable by imprisonment for a period of at least 3 months.

What may be material loss or damage is not defined.  However, ASIC Regulatory Guide R78 offers some examples and suggests that loss cannot merely be considered on an individual customer basis.  Minor loss to multiple customers resulting in a significant aggregate loss should be considered material for reporting purposes.

There is no definition of what qualifies as an investigation. ASIC Regulatory Guide R78 states that what may amount to an investigation and when it is likely to have commenced is dependent on the circumstances in question. It suggests an investigation will not be deemed to have commenced as soon as a customer complaint is received, but will have commenced once you begin to take steps to gather information and enquire into whether a significant breach has occurred. The scope and purpose of the investigation may therefore be relevant.

Am I required to report breaches by someone else?

AFSL licensees are required to report if they reasonably believe a reportable situation has occurred in relation to an individual who is another AFSL licensee or their representative or employee and who provides personal advice to retail clients about banking or insurance (excludes life insurance).

ACL licensees are required to report if they reasonably believe a reportable situation has occurred in relation to an individual who is a mortgage broker.

The requirement is therefore to report third party breaches of core obligations, gross negligence or fraud only in connection with persons advising on mortgages, banking and insurance, not the products themselves, or the conduct of the lender.

ASIC Regulatory Guide 78 clarifies that licensees are not required to investigate the conduct of another person, but must simply not turn a blind eye to evidence of a reportable situation.

What time frame do I have and what happens if I don't report?

Reportable situations must be reported to ASIC in the prescribed form via the ASIC Regulatory Portal, within 30 calendar days of the date they arose or the date your business was reckless with respect to whether there were reasonable grounds to believe a reportable situation arose. This means the time frame could start from before you actually become aware of a reportable situation.

As an investigation does not become reportable until day 31 of the investigation, it follows that the requirement to report investigations is within 30 days following day 31.  That said, outcomes of an investigation into a breach must be reported within 10 calendar days of the decision.

Failure to report is an offence and carries a civil penalty. For ACL licensees, this is 5000 penalty units (or presently $1,050,000). However, ASIC also has other powers including licence suspension. These penalties also apply to failing to report third party breaches as outlined above.

The laws require breaching AFSL and ACL holders to notify their customers of reportable situations, conduct investigations and provide remediation.  Notification to clients is required within the same 30 day time period for which you are required to report.  Bear in mind that reaching a settlement with an affected customer does not discharge your reporting obligations, and in many cases customers cannot waive your obligations under consumer laws.

The legislation further places a duty on ASIC to publish details of reports it receives including the name of breaching licensees.  A name and shame exercise will be in full effect!

Am I required to maintain a breach register?

There is no legal obligation to maintain a breach register. However, ASIC is of the opinion that "... in practice, you will need a breach register to ensure that you have adequate arrangements in place to comply with your obligation to identify and report all reportable situations." Consequently, consider if you want to maintain a breach register.

You can claim legal professional privilege on any documentation prepared by you or your legal counsel for the dominant purpose of obtaining legal advice.  However, a breach register is unlikely to be subject to legal professional privilege.
