Since October 2021, new obligations have applied to Australian Financial Services Licence and Australian Credit Licence holders (Licensees) in relation to lodging breach reports with ASIC. With the introduction of ASIC Instrument 2023/589 (the Instrument), the obligation to report certain breaches to ASIC has been modified and from 20 October 2023 onwards, Licensees will no longer be required to report insignificant contraventions of certain core obligations.

The existing breach reporting regime was modified in response to concerns about the costs of reporting some reportable situations that have limited regulatory benefit.

What does NOT need to be reported?

The Instrument modifies the breach reporting requirements so that Licensees do not need to report insignificant breaches of core obligations relating to:

  • the prohibition on misleading and deceptive conduct – Corporations Act s1041H(1) and ASIC Act s12DA(1); and
  • the prohibition on false and misleading representations – ASIC Act s12DB(1).

In order for licensees to rely on the modifications, the breach must:

  • Only impact one person (or if a financial or credit product is involved and it is held jointly, then those persons);
  • not reult in, and be unlikely to result in, any financial loss or damage to any person; and
  • not give rise to, and be unlikely to give rise to, any other reportable situation.

Examples of breaches that may no longer require reporting under the amended requirements include:

  • cases of minor misinformation provided to one client:
  • information errors that are immediately corrected where no financial loss occurred.

Previously, a reportable situation was automatically triggered by any breach of the prohibitions on misleading and deceptive conduct or false and misleading representations under s1041H(1) of the Corporations Act and ss12DA(1) and ss12DB(1) of ASIC Act. The amendments aim to reduce the regulatory burden for licensees by exempting breaches from reporting when these conditions are met.

Increased Reporting Period

To further ease the reporting requirements, the Instrument includes amendments to allow Licensees up to 90 days to report a breach which has the same or substantially similar underlying circumstances. This amendment acknowledges the burden on Licensees that, during the course of an investigation, identify further related breaches, and provides additional time for comprehensive reporting of the subsequent breach.

What Next?

Licensees should:

  • familiarise themselves with the core obligations that apply to their business and ensure all representatives are aware of the obligations;
  • ensure there are adequate systems in place to identify breaches;
  • ensure adequate and appropriate reporting lines;
  • all communications with clients accurately represent the products and services the licensee offers and are not misleading or false in substance, or in the impression they give; and
  • staff are adequately trained and understand their obligations in relation to breaches and escalating any incidents.

Background

The breach reporting regime is found in Subdivision B of Division 3 of Part 7.6 of the Corporations Act 2001 (Cth) ("Corporations Act").

The Instrument amends sections 912D(4) of the Corporations Act and paragraph 50A(4) of the National Consumer Credit Protection Act 2009 (Cth) in relation to the reportable situations that are deemed to be 'significant' breaches.