ASIC consults on the ‘cornerstone’ of Australia’s financial services regulatory framework

Written by Austin Bell (Partner), Jared McLachlan (Associate)

On 22 April 2021, the Australian Securities and Investments Commission (ASIC) issued Consultation Paper 340: Breach reporting and related obligations (CP 340) which seeks industry submissions on the proposed revision of ASIC Regulatory Guide 78: Breach reporting by AFS licensees and credit licensees (RG 78). The consultation period and the draft updates to RG 78 follow the amendments made to the Corporations Act 2001 (Cth) (Corporations Act) by the Financial Sector Reform (Hayne Royal Commission Response) Bill 2020 (Cth) (Reform Act) on 17 December 2020. Treasury published the Financial Sector Reform (Hayne Royal Commission Response—Protecting Consumers (2020 Measures)) Regulations 2021: breach reporting (Cth) (Reform Regulations) on 10 March 2021 for public consultation that closed on 9 April 2021.

The revised breach reporting regime comes into effect on 1 October 2021. It requires Australian financial services (AFS) licensees and credit licensees to report reportable situations to ASIC. This note focuses primarily on the implications for AFS licensees.

Although the revised RG 78 remains subject to public consultation and the Reform Regulations have yet to be made, licensees should assess their current breach reporting framework and consider what changes are required in order to comply with the breach reporting obligations that will come into effect on 1 October 2021. It is unlikely that the final regulatory requirements will differ greatly from those that are currently published.

What is a reportable situation?

The draft RG 78 refers to the four different types of “reportable situations” introduced by the Reform Act:

  • breaches or likely breaches of core obligations that are significant;
  • investigations into breaches or likely breaches of core obligations that are significant;
  • additional reportable situations; and
  • reportable situations about other AFS licensees.

Each of these is considered in further detail below.

What are breaches or likely breaches of core obligations?

An AFS licensee must report any significant breach of its core obligations to ASIC within 30 calendar days. An AFS licensee must also report to ASIC within the same timeframe if it is no longer able to comply with a core obligation and the breach, if it occurs, will be significant (this is what ASIC means when it refers to “likely breach” in draft RG 78).[1]

The core obligations for AFS licensees include:

  • the general obligations under sections 912A and 912B of the Corporations Act, other than subsection 912A(1)(c);
  • the obligation under subsection 912A(1)(c) of the Corporations Act in relation to ‘financial services laws’ as defined under section 761A and subsection 912D(3)(b); and
  • in relation to traditional trustee company services, the obligation under subsection 912A(1)(c) of the Corporations Act.

The Reform Act amends the Corporations Act to include subsection 912D(4) which deems certain breaches or likely breaches of core obligations to be significant.

Deemed significant breaches by AFS licensees include those that:

  • constitute the contravention of an offence that is punishable by imprisonment for three months or more if the offence involves dishonesty or 12 months or more in any other case;
  • constitute the contravention of subsection 1041H(1) of the Corporations Act or subsection 12DA(1) of the Australian Securities and Investments Commission Act 2001 (Cth); or
  • result, or are likely to result, in material loss or damage to retail and wholesale clients, members of a managed investment scheme or members of a superannuation entity.

The concept of material loss or damage includes both financial and non-financial elements, and will depend on the client’s personal circumstances.

Other significant breaches by AFS licensees are those that require assessment in accordance with specific factors provided in subsection 912D(5) of the Corporations Act. These factors include:

  • the number and frequency of breaches, particularly those of a similar nature;
  • the impact of the breach on the AFS licensee’s ability to provide the financial services under its AFS licence;
  • the extent to which the breach indicates that the AFS licensee’s compliance arrangements are inadequate; and
  • other matters as prescribed by regulations.

When are breach investigations considered reportable situations?

An investigation into whether a breach or likely breach of a core obligation is significant is considered to be a reportable situation and must be reported to ASIC if the investigation continues for more than 30 calendar days. If, after an investigation that does not extend beyond a 30 calendar day period, the AFS licensee determines that there are no reasonable grounds to believe a reportable situation had occurred, then the investigation is not required to be reported to ASIC. The Reform Act Explanatory Memorandum notes that the investigation may involve communication by the AFS licensee with staff involved in the incident, potentially affected clients and specialist advisers.

Additional reportable situations

Reportable situations also include where an AFS licensee (or one of its representatives):

  • engages in conduct that constitutes gross negligence in the course of providing the services under their licence; or
  • commits serious fraud.

AFS licensees are not required to make a determination as to whether the breaches are significant in relation to these additional reportable situations but will need to make a determination about whether the incident constitutes gross negligence or serious fraud.

Neither the legislature nor ASIC has provided clear guidance on what conduct constitutes gross negligence, a concept that is not defined in the Corporations Act and is generally more developed in the jurisprudence of other jurisdictions than it is in Australia. AFS licensees will presumably need to consider common law sources in order to guide determinations in relation to gross negligence. In GR Engineering Services Ltd v Investmet Ltd [2019] WASC 439, Tottle J referred to the earlier case of Red Sea Tankers Ltd v Papachristidis [1997] 2 Lloyd’s Rep 547 in which Mance J stated at paragraph [69] “‘Gross negligence’ is not a term with a precise meaning; and its meaning is to be ascertained from the context in which it is used. In some cases, it has been held to encompass more than mere negligence. However, any distinction between gross negligence and mere negligence is one of degree and not of kind.” Arguably, “gross negligence” means something different to “negligence”; otherwise, why would the legislation contain the word “gross”?

Serious fraud is defined in section 9 of the Corporations Act as an offence involving fraud or dishonesty against an Australian law or any other law and that is punishable by imprisonment for life or for a maximum period of at least three months.

In addition to the obligation to inform ASIC of serious fraud, in New South Wales (NSW), section 316 of the Crimes Act 1900 (NSW) (Crimes Act) provides that persons, who know or believe that a serious indictable offence has been committed and who have material information that could assist with the apprehension, prosecution or conviction of the offender, must provide that information to the NSW Police Force. Section 4 of the Crimes Act defines serious indictable offence as an indictable offence that is punishable by imprisonment for life or for a period of five years or more. This obligation is subject to certain exceptions and is not new, but AFS licensees in NSW should keep it in mind if they are dealing with a “reportable situation” by virtue of there being serious fraud.

Reportable situations about other AFS licensees

An AFS licensee must report to ASIC within 30 calendar days after it becomes aware of reasonable grounds to believe that a reportable situation has arisen in relation to an AFS licensee that provides personal advice to retail clients in relation to relevant financial products. This requirement applies if the offending individual is an employee, director or representative of the other AFS licensee. The reporting AFS licensee must also provide the breach report to the offending AFS licensee within 30 calendar days.

What are the requirements to report to ASIC?

An AFS licensee has the obligation to report to ASIC within 30 calendar days after it becomes aware of reasonable grounds to believe that a reportable situation has arisen or is reckless about whether there are reasonable grounds to believe a reportable situation has arisen. A failure to report a reportable situation to ASIC can result in both civil and criminal penalties.

An AFS licensee will have reasonable grounds to believe that a reportable situation has arisen in circumstances where the facts and evidence induce in a reasonable person the belief that a reportable situation has occurred.

The phrase “reckless about whether there are reasonable grounds to believe a reportable situation has arisen” used by ASIC in draft RG 78 is derived from subsection 912DAA(3) of the Corporations Act in relation to AFS licensees. Its inclusion is designed to capture circumstances where the AFS licensee does not know that there are reasonable grounds to believe a reportable situation has arisen, but is nevertheless:

  • aware of a substantial risk that there are reasonable grounds to believe a reportable situation has occurred; and
  • aware of the circumstances known to the AFS licensee, having regard to which it is unjustifiable to take the risk that there are such reasonable grounds.

ASIC has indicated that, to ensure compliance, AFS licensees should not wait until the following events occur before lodging a breach report:

  • the reportable situation has been considered by the board of directors;
  • the reportable situation has been considered by the AFS licensee’s internal or external legal advisers;
  • the AFS licensee has, where appropriate, rectified or taken steps to rectify a breach of its core obligations or an additional reportable situation; or
  • the breach has actually occurred where the reportable situation arises due to the inability of the AFS licensee to comply with a core obligation and the breach, if it occurs, will be significant.

How do you report a breach?

The Reform Act requires that the breach be reported to ASIC in the prescribed form. This can be actioned by the AFS licensee through the ASIC Regulatory Portal. The breach report submitted to ASIC must include details about the following:

  • date of the reportable situation;
  • nature of the reportable situation;
  • description of the reportable situation;
  • why the breach is significant (if relevant);
  • how the reportable situation was identified;
  • the duration of the breach;
  • information about representatives (if relevant);
  • whether the reportable situation has been rectified;
  • how the reportable situation has been rectified;
  • information about any remediation for affected clients; and
  • steps to ensure future compliance.

What will ASIC publish about breaches by AFS licensees?

ASIC has a statutory obligation to publish information pertaining to the reports lodged by AFS licensees each financial year. ASIC’s publications, which must be released within four months of the end of the financial year, may include the name of an AFS licensee and the number of reported breaches made by that AFS licensee.

What arrangements should licensees have in place to record and report breaches?

AFS licensees have the general obligation to maintain adequate risk management systems and have adequate resources available to ensure ongoing compliance with their obligations. ASIC has indicated that a failure to report significant breaches or likely breaches will also constitute a breach of these general obligations.

To comply with their breach reporting obligations, AFS licensees must have clear and documented processes for:

  • the identification and recording of incidents and potential reportable situations;
  • the assessment and determination of whether an identified incident is a reportable situation;
  • reporting reportable situations to ASIC within 30 calendar days;
  • where appropriate, the rectification of loss or damage; and
  • the implementation of arrangements to prevent the recurrence of breaches or likely breaches.

Breach Registers

Whilst the maintenance of breach registers is not an explicit obligation of an AFS licensee, ASIC has indicated that a record of actions taken in identifying, reporting and resolving breaches will ensure that AFS licensees comply with their breach reporting obligations. In particular, a breach register will assist AFS licensees in recording and collating data on the number and frequency of breaches, one of the factors that may be required to determine whether a breach is significant.

Changes Implemented by the Reform Regulations

The Reform Regulations, which have been subject to public consultation and are yet to be made, are expected to commence on 1 October 2021, in line with the amendments made by the Reform Act. They are likely to include the following changes:

  • the introduction of civil penalty provisions that are not taken to be significant if contravened under the breach reporting regime; and
  • that certain offences relating to breach reporting and other relevant civil penalty provisions will now be subject to infringement notices from ASIC.

The Reform Regulations prescribe a series of civil penalty provisions in the Corporations Act which, if contravened, will be taken not to be a significant breach. These provisions focus on the provision of Financial Services Guides and Product Disclosure Statements. Treasury’s intention in implementing a carve-out for these provisions is to recognise the high frequency with which these documents are issued and the often minor, technical or inadvertent nature of breaches of these provisions. However, AFS licensees need to be aware that, if a breach of these provisions gives rise to a deemed significant breach or if the breach is otherwise significant under subsection 912D(5) of the Corporations Act, then the breach must be reported under the breach reporting regime.

The Reform Regulations provide that the contravention of the following will result in an infringement notice:

  • where an AFS licensee fails to report a reportable situation within the required timeframe and in the prescribed form;
  • where an AFS licensee fails to notify ASIC that it has become, or has ceased to be, a participant in a licensed market or a licensed clearing and settlement facility; and
  • where an AFS licensee fails to lodge a breach report about a financial advisor operating under a different AFS licence or provide a copy of the breach report to that other AFS licensee.

Comment

The change from the existing requirement to report breaches to ASIC as soon as practicable, and in any case within 10 business days, to the new time period of 30 calendar days is a welcome reform. Although the proposed removal of the requirement to report as soon as practicable relieves some of the pressure on AFS licensees, they should retain adequate processes for the timely identification and reporting of breaches, now coined “reportable situations”. This is particularly important given that, under this new breach reporting regime, investigations that last longer than 30 calendar days must themselves be reported to ASIC.

Whilst the introduction of deemed significant events provides greater clarity in relation to the types of incidents that must be reported, the uncertainty over the meaning of “significant” remains due to the concept being retained for other significant events. The term ‘significant’ is not defined in the Corporations Act and therefore is open to broad interpretation. Under the previous iteration of RG 78, ASIC asserted that each breach should be assessed on its own merits with the nature, scale and complexity of your financial services business all being relevant factors. These factors will continue to be relevant under the new regime with the focus on the number and frequency of breaches, the ability of the AFS licensee to continue providing the services under its licence and the extent to which the breach indicates a paucity of adequate compliance arrangements.


[1] This term is also used in the Explanatory Memorandum for the Reform Act.

Important Disclaimer: The material contained in this article is comment of a general nature only and is not and nor is it intended to be advice on any specific professional matter. In that the effectiveness or accuracy of any professional advice depends upon the particular circumstances of each case, neither the firm nor any individual author accepts any responsibility whatsoever for any acts or omissions resulting from reliance upon the content of any articles. Before acting on the basis of any material contained in this publication, we recommend that you consult your professional adviser. Liability limited by a scheme approved under Professional Standards Legislation (Australia-wide except in Tasmania).
