Australia: Breach Reporting – Reporting Investigations to ASIC

Licensees are required to submit breach reports to ASIC within 30 calendar days* of becoming aware of the breach or likely breach. In determining whether a breach constitutes a reportable situation, licensees are often required to conduct investigations into the conduct or circumstances that caused the breach.

What constitutes an investigation?

The term "investigation" is not defined in legislation but has its ordinary meaning. What constitutes an investigation depends upon the following factors:

• the size of the licensee's business;
• internal systems and processes; and
• the type of breach.

RG78 notes that preliminary steps, initial fact-finding and 'business as usual' inquiries such as routine audits do not constitute an investigation.

When are investigations reportable to ASIC?

You must report an investigation to ASIC where:

• you have commenced an investigation into whether there is a breach or likely breach of a core obligation and the breach is significant and the investigation lasts for longer than 30 calendar days; or
• the investigation into the breach lasts longer than 30 calendar days and the outcome of the investigation discloses that there is no breach or likely breach of a core obligation.

Where an investigation covers multiple reportable situations arising from one specific root cause, licensees can notify ASIC within one breach report.

* Where an investigation has the same or substantially similar underlying circumstances, licensees are required to report a breach within 90 days.

Lodgement of a breach report is made via the ASIC Regulatory Portal.

Commencement of Investigations:

The timing of an investigation is a matter of fact.

Examples of commencing an investigation include any of the following:

• you have sought specialist or technical advice;
• you have communicated with representatives or staff involved in the incident; or
• you communicate with potentially affected clients.

While there is no required timeframe for completion of an investigation, ASIC expects investigations to be conducted in a timely manner and without unreasonable delay.

Action Items:

Licensees should:

• Ensure policies and procedures set out expectations and timeframes for the completion of investigations and circumstances where additional reporting or oversight is required for ongoing investigations
• ensure proper resourcing of investigations;
• have processes in place for identifying, recording and escalating breaches;
• ensure someone is appointed within the organisation that has responsibility for investigating and reporting breaches to ASIC;
• continually train relevant staff in relation to the investigations of breaches and ensure all staff are aware of their obligation to comply and assist with investigations;
• ensure that authorised representatives are complying with your processes and procedures surrounding investigations of breaches; and
• ensure breach reporting is included as an item to be discussed within compliance committee meetings.

Further Reading

• Reportable Situations: overview of changes to RG 78 announced in April 2023
• Reportable situations regime: ASIC modifies licensee's obligations
• Regulatory Guide 78
• ASIC Corporations and Credit (Amendment) Instrument 2023/589