EP 3: Breach reporting reflections on disclosure errors & LPP
In this episode, Senior Associate Shan-Verne Liew and solicitors Abby Sutherland and Henry Gallagher reflect on some real-life examples of potentially reportable scenarios, with a focus on inadvertent system or disclosure errors, as well as the importance of legal professional privilege when investigating incidents.
Transcript:
Michael Vrisakis
Hi everyone. I'm Michael Vrisakis, a Partner in the Herbert
Smith Freehills Financial Services Team. Welcome to our podcast
series called the FSR GPS. This series focuses on topical and
emerging issues in financial services regulation which we think are
the most strategic and important issues for our clients. Feel free
to suggest topics you would like us to cover in the future but for
now, we hope you enjoy today's episode.
Shan-Verne Liew
Hi, thank you for joining us on today's episode. I'm
Shan-Verne Liew, a Senior Associate in our FSR practice here at
HSF. I'm joined today by my colleagues Abby Sutherland,
who's solicitor in our FSR practice and Henry Gallagher, a
solicitor in our Disputes practice.
Abby Sutherland
Thanks Shan, we are the new kids on the block. In Episode 1,
'Once more into the Breach', we dove into the new breach
reporting regime including legal and industry insights post
implementation and some common reportable breaches. In today's
episode, we will reflect on some real-life examples of potentially
reportable situations with the focus on the reportability of
inadvertent system errors.
Henry Gallagher
We also touch on legal professional privilege and why it's
important to keep in mind when investigating potential
breaches.
Shan-Verne Liew
It's worth mentioning that we have an online blog called FSR
Australia Notes where we publish key articles and issues facing the
Australian financial services industry. That covers our
introductions. Abby, I've noticed that some of the articles on
our blog refer to a breach reporting chasm. Can you explain what we
mean by that?
Abby Sutherland
So we call it the breach reporting chasm because I guess post
implementation of the new regime, there appears to be a mismatch
between the breach reporting practices of licensees across the
industry on the one hand, and ASIC's expectations with regard
to breach reporting on the other. As our team mentioned in episode
1, one of the most important changes in the new regime is that
certain breaches are automatically deemed to be significant and
therefore, reportable without any further significance assessment
being required.
Henry Gallagher
This is a really helpful difference to point out Abby. In the old
breach reporting regime, minor and isolated breaches that did not
cause any detriment to clients would not have been reportable. But
under the expanded regime, most, but not all, civil penalty breaches
and misleading or deceptive conduct breaches are deemed
significant, and are therefore automatically reportable to ASIC.
That's the case even if there is no appreciable impact on a
client.
Shan-Verne Liew
Thanks, Henry. That's right. Given the breadth of the new
regime, an assumption we occasionally get is that if an error has
been made, whether it's a systems error or an error in a
regulated disclosure document such as a PDS or FSG, then there must
be a breach of the prohibitions against misleading or deceptive
conduct. And therefore, the error must be reportable to ASIC. In
this episode, we are going to unpack that assumption. Abby, can you
give us an example of an error that is not necessarily
reportable?
Abby Sutherland
Yeah for sure. So I think poor old M&D gets picked on a lot but
an error is not always reportable. My example relates to pricing.
So I'll simplify the facts but one real-life example we
encountered involved a systems error where the algorithm that sat
behind a new insurance underwriting calculator contained a flaw. As
a result, the new underwriting calculator produced inaccurate
premium and deductible values for proposed insurance cover.
However, on a closer investigation of the facts, it turned out that
the insurer had only used the old calculator to populate the value
of premiums and deductibles in renewal notices and in discussions
that the underwriting team had with customers. And these numbers
produced by the old calculator were in fact correct.
Henry Gallagher
So customers were actually given the correct premiums and
deductibles?
Abby Sutherland
Yeah, so the error was actually never communicated to the customer.
Meanwhile, the incorrect values produced by the new calculator were
stored in the insurer's system but were never used in the
assessment of any claim. In that specific scenario, it turned out
that there was no reportable situation because no misrepresentation
or incorrect statement had actually been communicated to the
customer.
Shan-Verne Liew
That's a really good scenario Abby. It goes to show that in some
cases, it can pay off to do more digging to get a precise
understanding of what's actually been communicated to
customers. Perhaps it's also worth pointing out that even if
the value stored in the system is incorrect, that will not
necessarily determine the customer's rights and obligations in
relation to the product. It is the product documentation or
agreement that sets out what a customer is entitled to, and that
information will often prevail over whatever value is stored in the
system.
Abby Sutherland
For sure.
Shan-Verne Liew
Let's now talk about what happens when an accidental mistake is
actually communicated to a customer. For example in a PDS or FSG.
Because of the level of detail that needs to be included in many of
these documents, minor misstatements with respect to trivial detail
can happen. For example, a typo in an FSG might say that a licensee
can be contacted by phone from 9:00am to 5:00pm every day, when in
fact the call centre will actually operate until 6:00pm.
Henry Gallagher
Surely we don't need to prepare a report to a regulator to
disclose that our FSG said that our contact centre closed just one
hour later.
Abby Sutherland
Yeah, so I think in this case, we were fortunate. There are a few
important exceptions and defences to be aware of. The first
exception can be found in the definition of when a regulated
disclosure document is deemed to be defective, and these can be
found in sections 925(b) and 1021(b) of the Corporations Act. This
exception provides that a document will not be defective as a
result of a misstatement if the misstatement is not materially
adverse from the point of view of a reasonable person considering
whether to rely on the document. So in Shan's example, the FSG
may have contained an error about when the call centre closed but
this may not amount to a defective disclosure breach on the basis
that disclosing an earlier closing time for a call centre is not
actually a misstatement that is materially adverse to a
customer.
Shan-Verne Liew
The other important point to note is that the deemed significant
misleading or deceptive conduct prohibitions in section 12DA of the
ASIC Act and section 1041H of the Corporations Act do not apply to
regulated disclosure documents such as PDSs, FSGs, SOAs or ROAs.
The defective disclosure regime that we just discussed applies
instead.
Henry Gallagher
The other important defence can be found in the strict liability
prohibition against giving a defective regulated disclosure
document. There is a defence in sections 952E(3) and 1021E(3) of
the Corporations Act which provides that the prohibition is not
triggered if the person took reasonable steps to ensure that the
disclosure document or statement would not be defective. So if the
licensee had conducted a thorough and diligent review of a
regulated disclosure document before it was given to a client, in
some circumstances this defence can be relied on to sustain a
position that the prohibition has not been triggered. These
exceptions are important to keep in mind because they reflect the
original policy position for the defective disclosure regime, that
not every single misstatement, however innocent and trivial, is
intended to trigger a breach of the legislation.
Abby Sutherland
Sounds like we've covered quite a few scenarios where an error
may not have actually resulted in a reportable situation. So I
guess to recap, in the first scenario the error was stored in admin
systems but not actually communicated to the customers. In the
second scenario, the error was contained in an FSG so the broad
prohibitions against misleading or deceptive conduct do not apply.
There may have been no breach under the defective disclosure regime
because reliance on the error was not materially adverse from the
perspective of the customer. And finally, Henry also mentioned that
there is a defence which applies when reasonable steps have been
taken to ensure that a regulated disclosure document is not
defective. I think it's important and helpful for licensees to
be aware of these nuances in the regime because they can protect
against inadvertent over-reporting of M&D breaches.
Shan-Verne Liew
Thanks Abby. Let's now turn to the very important topic of
legal professional privilege. Many licensees have clear procedures
for assessing incidents which may be reportable to the regulator.
It can be helpful to understand at each step or stage of the breach
reporting procedure whether any new information that is produced
will be covered by legal professional privilege. Henry, again, can
you set out some key principles for when legal professional
privilege will apply?
Henry Gallagher
Thanks, Shan. Well, legal professional privilege is a big area,
but I'll touch on a few important considerations regarding
breach reporting. As many listeners may know, privilege refers to a
confidential communication between the client and another person, or
between a lawyer acting for the client and another person, that was
made, or the contents of a confidential document that was prepared,
for the dominant purpose of the client being provided with
professional legal services relating to a proceeding or an
anticipated or pending proceeding. Alternatively, in respect of
legal advice, privilege refers to a confidential communication made
between the client and the lawyer, or between two or more lawyers
acting for the client, or the contents of a confidential document
prepared by the client, lawyer or another person for the dominant
purpose of the lawyer or one or more of the lawyers providing legal
advice to the client. Courts have applied that dominant purpose
test reasonably strictly. Courts will not necessarily accept that
an internal investigation commenced with a stated objective of
enabling a company to obtain legal advice or litigation services
will cause those investigation documents to be privileged. Instead,
courts will carefully scrutinise the purpose said to underlie each
document in the context of the investigation.
Shan-Verne Liew
So if the licensee brings material into existence to assess whether
there was a reportable situation to ASIC, will legal professional
privilege apply?
Henry Gallagher
Well, that's a good question Shan. It's important to keep
in mind that material will only be protected by legal professional
privilege if it is both confidential and it can be objectively
shown that its dominant purpose was for legal advice or an existing
or reasonably anticipated legal proceedings. And to answer your
question more specifically, if the dominant purpose was to obtain
legal advice on whether a reportable situation has occurred and
what, if any, compensation the licensee is legally required to
provide, then yes, privilege should apply. However, advice from
someone who was not acting as a lawyer, such as a representative in
a compliance function, would not be privileged. The dominant
purpose test may be difficult to establish if there are other
plausible purposes, such as obtaining commercial input or broader
operational risk and compliance reasons, leading to the creation of
the document.
One thing that may be considered is running two separate investigations – one by the legal team for the purpose of the company obtaining legal advice, being a privileged workstream, and the other confined to technical or purely factual findings to enable the company to respond to the incident, being the non-privileged workstream.
Abby Sutherland
That's quite relevant in a breach reporting context I think,
Henry, where as a first step a compliance team might perform an
initial BAU fact-finding exercise in response to an internally
reported incident before a breach reporting investigation
commences. So are you suggesting here then that the initial BAU
fact-finding exercise might not be covered by LPP, but the breach
reporting investigation will be?
Henry Gallagher
Yes, that's right Abby. It may be difficult to sustain a claim
for privilege in relation to a purely or predominantly factual
investigation, even if it's procured or conducted by the
client's lawyer. As I've mentioned, the question is what
was the dominant purpose of the investigation? A further point to
consider is that clients must take care to avoid waiving privilege
when referring to the results or findings of an investigation.
Privilege will often be waived where the gist, substance or
conclusion of the privileged communication is published or
communicated.
Abby Sutherland
So can a licensee communicate the findings of an investigation
within the business without waiving privilege? I'm thinking, for
example, what if a legal or compliance team shares privileged
information with a product owner within the same entity or a
related entity within the corporate group?
Henry Gallagher
Privilege will generally not be waived, fortunately, where legal
advice is shared within a company or between companies in the same
corporate group. However, of course care must be exercised, as
waiver is a very fact-specific question. It's
important that any legal advice is shared on a confidential basis
and ideally on a restricted access or need-to-know basis. It should
be clear that the recipient should not further disclose the
information. There is also a practical issue to keep in mind, which
is that the more people you tell, the more people that might breach
confidentiality. The more people you tell means that there's a
large number of people who may subsequently use the information not
for the original purpose but to some other purpose or that may
subsequently use the information in a non-confidential way, and
that subsequent use deprives the information of its confidential
character. There's also a separate issue of what you can tell a
regulator. For example, if a report informs a regulator that you
have obtained legal advice that the company has not breached a
particular law, that statement will likely waive privilege over
that advice. On the other hand, privilege will generally not be
waived where you disclose that you had received legal advice but
without disclosing either expressly or impliedly the substance of
the advice. However, it's important to keep in mind that all of
these considerations are factually and contextually dependent, and
it's important to get expert legal advice on these matters
depending on the context of the particular issue.
Shan-Verne Liew
Thanks Henry. Some really useful insights. I think that's all
we have time for today. Thank you for listening.