On 22 April 2021, the Australian Securities and Investments Commission (ASIC) issued Consultation Paper 340: Breach reporting and related obligations (CP 340) which seeks industry submissions on the proposed revision of ASIC Regulatory Guide 78: Breach reporting by AFS licensees and credit licensees (RG 78). The consultation period and the draft updates to RG 78 follow the amendments made to the Corporations Act 2001 (Cth) (Corporations Act) by the Financial Sector Reform (Hayne Royal Commission Response) Bill 2020 (Cth) (Reform Act) on 17 December 2020. Treasury published the Financial Sector Reform (Hayne Royal Commission Response—Protecting Consumers (2020 Measures)) Regulations 2021: breach reporting (Cth) (Reform Regulations) on 10 March 2021 for public consultation that closed on 9 April 2021.
The revised breach reporting regime comes into effect on 1 October 2021. It requires Australian financial services (AFS) licensees and credit licensees to report reportable situations to ASIC. This note focuses primarily on the implications for AFS licensees.
Although the revised RG 78 remains subject to public consultation and the Reform Regulations have yet to be made, licensees should assess their current breach reporting framework and consider what changes are required in order to comply with the breach reporting obligations that will come into effect on 1 October 2021. It is unlikely that the final regulatory requirements will differ largely from those that are currently published.
The draft RG 78 refers to the four different types of “reportable situations” introduced by the Reform Act:
Each of these is considered in further detail below.
AFS licensees must report any significant breach of its core obligations to ASIC within 30 calendar days. AFS licensees must also report to ASIC within the same timeframe if it is no longer able to comply with a core obligation and the breach, if it occurs, will be significant (this is what ASIC means when it refers to “likely breach” in draft RG 78).
The core obligations for AFS licensees include:
The Reform Act amends the Corporations Act to include subsection 912D(4) which deems certain breaches or likely breaches of core obligations to be significant.
Deemed significant breaches by AFS licensees include those that:
The concept of material loss or damage includes both, financial and non-financial elements, and will be dependent on the client’s personal circumstances.
Other significant breaches by AFS licensees are those that require assessment in accordance with specific factors provided in subsection 912D(5) of the Corporations Act. These factors include:
Investigations into whether a breach or likely breach of a core obligation is significant is considered to be a reportable situation and must be reported to ASIC if the investigation continues for more than 30 calendar days. If, after an investigation that does not extend beyond a 30 calendar day period, the AFS licensee determines that there are no reasonable grounds to believe a reportable situation had occurred, then the investigation is not required to be reported to ASIC. The Reform Act Explanatory Memorandum notes that the investigation may involve communication by the AFS licensee with staff involved in the incident, potentially affected clients and specialist advisers.
Reportable situations also include where an AFS licensee (or one of its representatives):
AFS licensees are not required to make a determination as to whether the breaches are significant in relation to these additional reportable situations but will need to make a determination about whether the incident constitutes gross negligence or serious fraud.
Neither the legislature nor ASIC have provided clear guidance on what conduct constitutes gross negligence, a concept that is not defined in the Corporations Act and is generally more developed in the jurisprudence of other jurisdictions than it is in Australia. AFS licensees will presumably need to consider common law sources in order to guide determinations in relation to gross negligence. In GR Engineering Services Ltd v Investmet Ltd  WASC 439, Tottle J referred to the earlier case of Red Sea Tankers Ltd v Papachristidis  2 Lloyd’s Rep 547 in which Mance J stated at paragraph  “‘Gross negligence’ is not a term with a precise meaning; and its meaning is to be ascertained from the context in which it is used. In some cases, it has been held to encompass more than mere negligence. However, any distinction between gross negligence and mere negligence is one of degree and not of kind.” Arguably, “gross negligence” means something different to “negligence”; otherwise, why would the legislation contain the word “gross".
Serious fraud is defined in section 9 of the Corporations Act as an offence involving fraud or dishonesty against an Australian law or any other law and that is punishable by imprisonment for life or maximum period of at least three months.
In addition to the obligation to inform ASIC of serious fraud, in New South Wales (NSW), section 316 of the Crimes Act 1900 (NSW) (Crimes Act) provides that persons, who know or believe that a serious indictable offence has been committed and who have material information that could assist with the apprehension, prosecution or conviction of the offender, must provide that information to the NSW Police Force. Section 4 of the Crimes Act defines serious indictable offence as an indictable offence that is punishable by imprisonment for life or for a period of five years or more. This obligation is subject to certain exceptions and is not new, but AFS licensees in NSW should keep it in mind if they are dealing with a “reportable situation” by virtue of there being serious fraud.
An AFS licensee must report to ASIC within 30 calendar days after it becomes aware of reasonable grounds to believe that a reportable situation has arisen in relation to an AFS licensee that provides personal advice to retail clients in relation to relevant financial products. This requirement applies if the offending individual is an employee, director or representative of the other AFS licensee. The reporting AFS licensee must also provide the breach report to the offending AFS licensee within 30 calendar days.
An AFS licensee has the obligation to report to ASIC within 30 calendar days after it becomes aware of reasonable grounds to believe that a reportable situation has arisen or is reckless about whether there are reasonable grounds to believe a reportable situation has arisen. A failure to report a reportable situation to ASIC can result in both civil and criminal penalties.
An AFS licensee will have reasonable grounds to believe that a reportable situation has arisen in circumstances where the facts and evidence induces in a reasonable person the belief that a reportable situation has occurred.
The phrase “reckless about whether, there are reasonable ground to believe a reportable situation has arisen” used by ASIC in draft RG 78 is derived from the subsection 912DAA(3) of the Corporations Act in relation to AFS licensees. Its inclusion is designed to capture circumstances where the AFS licensee does not know that there are reasonable grounds to believe a reportable situation has arisen, but is nevertheless:
ASIC has indicated that, to ensure compliance, AFS licensees should not wait until the following events occur before lodging a breach report:
The Reform Act requires that the breach be reported to ASIC in the prescribed form. This can be actioned by the AFS licensee through the ASIC Regulatory Portal. The breach report submitted to ASIC must include details about the following:
ASIC has a statutory obligation to publish information pertaining to the reports lodged by AFS licensees each financial year. ASIC’s publications, which must be released within four months of the end of the financial year, may include the name of an AFS licensee and the number of reported breaches made by that AFS licensee.
AFS licensees have the general obligation to maintain adequate risk management systems and have adequate resources available to ensure ongoing compliance with their obligations. ASIC has indicated that a failure to report significant breaches or likely breaches will also constitute a breach of these general obligations.
To comply with their breach reporting obligations, AFS licensees must have clear and documented processes for:
Whilst the maintenance of breach registers are not an explicit obligation of an AFS licensee, ASIC has indicated that a record of actions taken in identifying, reporting and resolving breaches will ensure that AFS licensees comply with their breach reporting obligations. In particular, a breach register will assist AFS licensees in recording and collating data on the number and frequency of breaches, one of the factors that may be required to determine whether a breach is significant.
The Reform Regulations, which have been subject to public consultation and are yet to be made, are expected to commence on 1 October 2021, in line with the amendments made by the Reform Act. They are likely to include the following changes:
The Reform Regulations prescribe a series of civil penalty provisions in the Corporations Act which, if contravened, will be taken not to be a significant breach. These provisions focus on the provision of Financial Services Guides and Product Disclosure Statements. The intention of Treasury in implementing a carve out for these provisions is in recognition of the high frequency in which these documents are issued and the often minor, technical or inadvertent nature in which breaches of these provisions may occur. However, AFS licensees need to be aware that, if a breach of these provisions gives rise to a deemed significant breach or if the breach is otherwise significant under subsection 912D(5) of the Corporations Act, then the breach must be reported under the breach reporting regime.
The Reform Regulations provide that the contravention of the following will result in an infringement notice:
The change from the existing requirement to report breaches to ASIC as soon as practicable, and in any case within 10 business days, to the new time period of 30 calendar days is a welcome reform. Although the proposed removal of the pressure to report as soon as practicable relieves some of the pressure on AFS licensees, AFS licensees should retain adequate processes for the timely identification and reporting of breaches, now coined “reportable situations”. This is important particularly given that, under this new breach reporting regime, investigations that last longer than 30 calendar days must themselves be reported to ASIC.
Whilst the introduction of deemed significant events provides greater clarity in relation to the types of incidents that must be reported, the uncertainty over the meaning of “significant” remains due to the concept being retained for other significant events. The term ‘significant’ is not defined in the Corporations Act and therefore is open to broad interpretation. Under the previous iteration of RG 78, ASIC asserted that that each breach should be assessed on its own merits with the nature, scale and complexity of your financial services business all being relevant factors. These factors will continue to be relevant under the new regime with the focus on the number and frequency of breaches, the ability of the AFS licensee to continue providing the services under its licence and the extent to which the breach indicates a paucity of adequate compliance arrangements.
 This term is also used in the Explanatory Memorandum for the Reform Act.
Be the first to receive the latest articles, news and publications.
A recent Federal Court decision provides a useful distillation of the key principles that apply to unreasonable director-related transactions under s 588FDA of the Corporations Act.
Leading independent law firm Johnson Winter Slattery is advising Brookfield on the sale of certain businesses within LINX Cargo Care Group. As a part of that transaction, JWS is advising on the...
A Federal Court decision, handed down on Friday, is a blunt reminder that the statutory limitation period in section 588FF(3) of the Corporations Act 2001 (Cth) needs to be adhered to strictly, and...