Yesterday, ASIC released its updated Regulatory Guide 78 Breach reporting by AFS licensees and credit licensees (RG 78).

Since the introduction of the new ASIC breach reporting regime on 1 October 2021, it is safe to say that there has been, and continues to be, confusion and ambiguity around the legal scope and practical operation of the regime. This has given rise to what we have previously called the 'Breach Reporting Chasm' – a mismatch (1) in breach reporting practices between licensees across the industry and (2) between the breach reporting practices of industry on one hand, and ASIC's expectations with regard to breach reporting on the other.

Against this backdrop, we welcome the further guidance from ASIC in the updated RG 78. In releasing this update, ASIC said its focus was to 'improve consistency and quality of reporting practices by licensees and reduce regulatory burden where [it] can'.

We do observe, however, that there are still considerable gaps in ASIC's guidance. While its updated guidance is helpful to industry from a procedural perspective (an important element of reducing the regulatory burden), ASIC continues to remain silent on key substantive matters that licensees are grappling with. For example, it would be beneficial to see further guardrails around ASIC's expectations on the reportability and materiality of once-off, human error incidents of misleading or deceptive conduct, where there is no identifiable consumer harm or loss. ASIC's continued focus on procedural matters (rather than giving further guidance on what is reportable under the regime) perhaps indicates that from ASIC's perspective, it is up to licensees and, ultimately, the courts (not ASIC) to determine what is reportable.

THE SHORT READ

SNAPSHOT OF ASIC'S UPDATE

The key changes to RG 78 (since the prior September 2021 version) fall into two general categories:

  • changes to give guidance on when a licensee can group multiple reportable situations into a single report; and
  • FAQs about how to answer various questions in ASIC's prescribed breach reporting form (contained in a new Appendix 2 to RG 78).

In addition to the changes to RG 78, ASIC outlined updates it will make to its form for lodging breach reports from 5 May 2023.

We set out further details of these changes below (see 'The Long Read').

ONGOING CHALLENGES IN BREACH REPORTING

In our experience advising licensees across the industry on breach reporting under the new regime, some key themes on current challenges can be identified:

  • the single most common issue for assessment is whether an incident gives rise to misleading or deceptive conduct, which is a deemed significant and reportable breach. These assessments are particularly challenging in instances of one-off errors;
  • a common question is whether a failure to adhere to the terms and conditions of a product (e.g. failure to comply with a PDS term due to some form of administration error) gives rise to misleading or deceptive conduct, or some other conduct breach;
  • there continues to be confusion around the assessment of compliance with the conduct obligations under section 912A of the Corporations Act, such as the obligation to act efficiently, honestly and fairly, or the obligation to take reasonable steps to ensure representatives comply with financial services law. In this regard at least, we observe a general trend of over-reporting of breaches;
  • in assessing whether there is a breach of a criminal offence provision, many licensees continue to overlook the need to identify whether the relevant mental element for the criminal offence has been met. On this, read our previous guidance and insights on assessing criminal offence provisions for breach reporting purposes. In our experience, this is another area of over-reporting of breaches.

If you have any questions about these matters or the breach reporting regime more broadly, please get in touch with one of our experts below or contact us via our Breach Reporting Hotline.

THE LONG READ

WHAT'S CHANGED IN RG 78?

Some of the more notable changes to RG 78 are set out in the following table:

New 'grouping test' for addressing multiple reportable situations in a single report

ASIC has introduced a new 'grouping test', saying that reportable situations may be reported in a single report where both of the following are satisfied:
  • there is similar, related or identical conduct – that is, conduct involving the same or very similar factual circumstances; and
  • the conduct has the same root cause.

However, the updates also state that licensees 'may group individual reportable situations on the basis that they involve similar, related or identical conduct even when each reportable situation involves a separate occasion of staff negligence or human error as the root cause'. In that case, licensees should be satisfied that there is no broader failure or other relevant root cause (e.g. related to training, policy, processes or systems) that is the actual cause of the breach (RG 78.115).

So, in an appropriate case, 'human error' can be a single root cause that satisfies the second limb of the 'grouping test', even if each individual human error is unique (see, for example, example 12(a) in Table 9 of RG 78).

Use of the update functionality for ongoing breaches

RG 78 confirms that a licensee may update an existing breach report to declare further reportable situations, where the reported situation is ongoing (i.e. further instances of breach occur after the original breach report is lodged) (see, for example, example 12(c) in Table 9 of RG 78).

The field 'Describe the reportable situation'

FAQ 1 in Appendix 2 provides guidance on how to complete the free-text field 'Describe the reportable situation' in the prescribed form. It identifies specific information for licensees to consider including, for example, 'details about what happened', 'an explanation of how the reportable situation is a breach', and 'details of how the reportable situation was identified'.

On the whole we think this is useful guidance (noting that licensees can still exercise their judgment on what should be said in a given case) and will promote greater consistency in the detail licensees provide to ASIC.

What is a 'similar reportable situation'

FAQ 2 provides guidance on how to consider and answer the question 'Have any similar reportable situations previously occurred?', including how far licensees need to look back.

Sensibly, ASIC did not proceed with a proposal to require licensees to look back for a default period of 6 years in considering this question – it had received industry feedback that this would create a significant regulatory burden.

How often to update ASIC after lodging a breach report

FAQ 3 sets out ASIC's expectations on when licensees will provide an update to ASIC following a breach report. It expects such an update if:
  • 6 months have passed with no update;
  • there are material changes in the licensee's understanding of the nature, impact or extent of the reportable situation; or
  • the licensee has completed its investigation (to identify root cause/s and all impacted clients), its rectification of the root cause/s and its consumer remediation process (we think ASIC meant 'or' rather than 'and' for the underlined text, and we suggest licensees consider more frequent updates than this point strictly requires).

In our view, ASIC's expectations above create a generous timeframe. Licensees may want to consider more frequent updates to maintain a positive relationship with ASIC.

Calculating or estimating the number of clients affected

In a bid to reduce inconsistency of reporting and provide clarity for licensees, FAQ 5 provides guidance on what is an 'affected client' and how to count them in answering the question, 'specify the total number of clients the reportable situation affects'.

While useful, this guidance does not (and likely cannot) address the frequent challenge here: that the number of such clients is often yet to be determined when a breach report is lodged, and the licensee must exert resources that could arguably be spent better elsewhere to obtain an estimate for the sole purpose of the breach report (which may turn out to be inaccurate). In this regard, new guidance in the prescribed form will set out ASIC's expectation that licensees must give a genuine estimate, based on the information available at the time of reporting.


WHAT'S CHANGED IN THE PRESCRIBED FORM?

ASIC will make changes to its prescribed form in the ASIC Regulatory Portal on 5 May 2023. The changes will be incorporated into an updated wireframe available for download from the ASIC website. As you may be aware, the 'wireframe' contains all the questions that appear in the prescribed form, together with the conditional logic that will be applied when a user responds to each question.

Key changes of interest are mentioned in the table below:

Two questions instead of one, on when the licensee became aware of the issue / reportable situation

Until now, the portal form had asked 'When did you first become aware that a breach, serious fraud or gross negligence had occurred?'

Now, the portal will instead ask the following 2 questions:

  • 'Specify the date when the potential breach, serious fraud and/or gross negligence was first discovered' (our emphasis). ASIC has said (in guidance to be embedded in the form itself) that this 'is the date on which a staff member or representative first discovered the issue(s) or event(s) the subject of [the] report. This will often be when the information was entered or otherwise recorded into a breach register or risk management system'; and
  • 'When did you become aware that the breach is... significant?' The embedded guidance for this question will state: 'This refers to the date on which you determined that the breach(es) or issue(s) the subject of this report constituted a 'reportable situation'. For more information on the date at which a licensee becomes aware, including who must be aware, see RG 78.93 to 78.103. This date is when the 30-day legislative reporting timeframe commences.'

We envisage this requiring licensees to revisit their breach reporting practices to ensure: (1) they have the information needed to answer both questions, and (2) matters are promptly escalated and considered between date 1 and date 2 (noting that ASIC has said these questions supply an 'important data point for ASIC'; and noting that ASIC will eventually start to publish more granular annual reports on the breach reporting regime, including potentially names and data relating to specific licensees).

'Investigation' has a different meaning in the prescribed form

The prescribed form asks various questions about the licensee's 'investigation of the matter' (e.g. 'have you completed your investigation of the matter').

ASIC's new guidance will clarify that this is not the same concept as what ASIC is calling a 'reportable investigation' / what is referred to in the legislation as an 'investigation into whether there is a reportable situation...'. ASIC states that the 'investigation' referred to in the form is 'complete only after the licensee has determined the root cause(s), identified all affected clients and identified all instances of the reportable situation'.


Finally, ASIC has flagged that certain questions raised by industry in relation to the prescribed form will be addressed in future (potentially after further consultation). Importantly, this includes:

  • Calculating the number of reportable situations that relate to a breach or likely breach. ASIC notes that licensees have 'adopted a variety of interpretations' to this question. Based on its comments, ASIC is weighing up whether to omit this question altogether or provide further guidance on how to answer it (see Table 3, item 1 in ASIC's overview of the changes made). For example, ASIC states that it is 'considering whether other measures of the magnitude of the breach that we collect' (e.g. number of clients impacted, etc.) 'provide adequate meaningful insights to meet [ASIC's] regulatory needs', whilst also noting that 'the number of reportable situations is a cornerstone concept to the reportable situations regime'.
  • Naming of employees and/or representatives. Licensees have raised privacy and procedural fairness concerns about the form asking the licensee to specify 'whose conduct or actions (or possible actions) are the subject of the reportable situation'. ASIC will consider these concerns further, which may include further consultation.
