Breach reporting reforms

A race to 1 October

For years, ASIC has complained that the reporting of significant breaches under the Corporations Act, by Australian Financial Services License (AFSL) holders, has been too slow and lacked transparency. ASIC undertook work across a number of projects to prove its concerns as an evidence point for legislative reform. Following the ASIC Enforcement Taskforce Review, a report was released in December 2017 which made 50 recommendations for significant reform of the breach reporting obligations. In that context, the timing of the Hayne led Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Royal Commission) was opportune. In particular, the Royal Commission reported on case studies whereby deficiencies were identified in relation to:

  • The time it took AFSL holders to identify, investigate and report incidents; and
  • Accepting responsibility and addressing serious compliance concerns.

Fast forward nearly two years from the Royal Commission, Schedule 11 of the Financial Sector Reform (Hayne Royal Commission Response) Act 2020 (the Act) implements recommendations 7.2 and 2.8 of the Royal Commission in relation to breach reporting reforms. The purpose of this reform is to:

  • Clarify and strengthen the breach reporting regime for AFSL holders;
  • Introduce a comparable regime for Australian Credit License (ACL) holders; and
  • Mandate AFSL and ACL holders to report serious compliance concerns about financial advisers, mortgage brokers and other AFSL holders to ASIC on a quarterly basis.

Commencement date

Despite the industry’s efforts to improve breach reporting practices and to improve public trust in licensees since the release of the Royal Commission report and the ASIC Enforcement Taskforce Review report, we expect there is a lot more to do prior to October.
The breach reporting requirements come into effect on 1 October 2021. These requirements add to the sweeping reforms the financial services industry is currently in the process of implementing, which requires the industry to understand the intricacies of the vast regulatory changes and deliver them in record time.

The crux of the changes

The changes and the implications of the breach reporting reforms are wide-ranging and varied. The scope of what is reportable is significantly broader, and the time from the identification of an incident to reporting it, whether or not the investigation of the suspected breach is ongoing, is now much shorter. There is anecdotal evidence that some licensees may see increases in reportable incidents of between five and ten times current volumes. In any case, that is going to place a significant strain on existing assessment resources, and on compliance and risk teams, unless there are marked changes to the design of processes and practices.

In addition, the form of what must be reported is set to be more prescriptive. The reforms will also impact organisations differently based on their size, complexity and structure. The changes mean:

ACL holders will be bound by the requirements, as credit activities under the Credit Act will be captured by the new regime.

The changes significantly extend the kinds of situations that will be reportable to ASIC. Currently, licensees are required to report breaches and likely breaches that are significant. The reforms require licensees to report:

  • Investigations that have occurred or will occur for more than 30 days, including their outcomes;
  • Conduct constituting gross negligence or serious fraud;
  • Conduct constituting misleading or deceptive conduct under financial services law; and
  • Serious compliance concerns about individual financial advisers operating under another licensee.

A period of 30 calendar days has been provided under the new requirements, determined from the point at which a licensee first knew, or had reasonable grounds to believe, that a reportable situation had arisen. This means that reportable situations will become reportable on the 31st day. We anticipate this will result in organisations significantly shifting their current approaches relating to people, processes and systems to meet the tight timeframes. Organisations will also need to re-visit their strategies.

The existing test for when a breach or likely breach is significant has been supplemented by the ‘deemed significance test’. The ‘deemed significance test’ relates to a breach of a ‘core obligation’, which would be regarded as significant if certain circumstances apply; for example, if it relates to misleading or deceptive conduct or is attached to a provision of the Corporations Act which imposes a civil penalty. The existing test will continue to apply to other breaches or suspected breaches which are not deemed significant, by applying set assessment factors as in the current regime; for example, the frequency of similar breaches, the number of customers impacted and the impact on the licensee.

The form in which reports should be lodged will have strict criteria. ASIC’s breach reporting forms will require the date of the reportable situation, an account of the reportable situation, any steps taken to remediate the reportable situation and steps for ongoing and future compliance. This has a focus on remediating past failures and preventing conduct failures in the future. Failing to lodge a report with ASIC will constitute an offence, attracting a maximum penalty of two years’ imprisonment or a fine.

The data in relation to breach reports from the industry will be published on ASIC’s website. ASIC’s publication may include the name of the licensee, the volume of reported breaches, a breakdown of breach reports by corporate group, and the number of breaches compared to the size, activity or volume of the business. Whilst this may increase transparency, it also creates the potential for increased reputational risk.

Why do the changes matter and what are the next steps for the financial services industry?

The industry is facing challenges in understanding and operationalising their full end-to-end breach management frameworks. For example:

  • How, and by whom, incidents are first identified;
  • The efficiencies that organisations can drive to meet the tight timeframes and deal with the large volumes of incident assessments;
  • Data and systems uplift required to meet the higher burden of requirements; and
  • Whether aspects of the requirements can be achieved by increasing head count in risk and compliance teams.

It is important to consider the impacts across all components of the breach management framework to achieve successful implementation of the complex requirements.

Furthermore, other regulatory changes, such as Significant Dealing under the Design and Distribution Obligations (DDO) and the upcoming complaints requirements under ASIC’s Regulatory Guide 271 relating to raising internal dispute resolution standards across the financial sector, intersect with the breach reporting requirements. As such, the synergies between these reforms need to be assessed and implemented together. In doing so, it is worth noting that Treasury included breach reporting as a particular responsibility in the proposal paper for the Financial Accountability Regime (FAR). We eagerly await the release of the draft legislation to understand whether organisations will be required to appoint an accountable person responsible for this.

We understand organisations will be at different levels of maturity based on their size and complexity. In order to achieve compliance by 1 October, we recommend organisations focus on the following:

  • Establish breach reporting implementation programs;
  • Undertake a gap and impact analysis of current breach reporting frameworks and procedures;
  • Review documentation associated with breach reporting and re-design or streamline where necessary to meet the new requirements;
  • Understand roles and responsibilities across the organisation and determine whether there are appropriate delegations in place to allow for the flow of breach reporting and decision making;
  • Build out a plan to uplift capability in relation to breach reporting across the organisation, having regard to the training needed and the shift of KPIs; and
  • Consider data and system solutions for data collection, analysis and reporting, and compliance monitoring. Organisations should factor in solutions for October 2021 and longer-term sustainable solutions post October 2021.

We are already seeing large programs of work dedicated to the implementation of this regime. With the updated regulatory guide due to be released by ASIC any day, organisations need to quickly grapple with the vast impacts of these changes and the ever-looming deadline.