October 2021 sees the commencement of many new regulatory reforms for Australian credit licence holders. One of the reforms that will have the greatest impact will be the new breach reporting requirements.
Many of you may not remember that breach reporting could have easily been a feature of the National Consumer Credit Protection Act (NCCP Act) since the start of the legislation in 2009. In fact, it was part of the draft bill released for public consultation in April 2009. However, it was swiftly dropped following stakeholder feedback and was replaced with the requirement to lodge an annual compliance certificate.
Fast forward 12 years and Australian credit licence (ACL) holders are now on the eve of getting their breach reporting regime. Unfortunately, they will still be required to lodge their annual compliance certificates.
In 2009, the government was persuaded to ditch the breach reporting regime because it was simply not needed.
The multiple examples of misconduct exposed by the Hayne royal commission changed that and led commissioner Kenneth Hayne to recommend extending the strengthened AFSL breach reporting regime to ACL holders.
The breach reporting regime is now seen as central to restoring public trust in the financial services sector.
Why is it a big deal?
Breach reporting is all about self-reporting breaches or suspected breaches of the law. Such breaches can be significant and can lead to ASIC commencing court action or to suspend or cancel a credit licence.
Under our legal system, persons generally enjoy a right against self-incrimination. This essentially means you don’t have to dob yourself in when you’re suspected of having done something wrong. It’s the reason why when you’re watching a crime show you’ll usually hear the words, “You have the right to remain silent…”.
But in the case of breach reporting for ACL holders, the right against incriminating yourself is outweighed by ASIC being better able to detect and address misconduct in the credit sector. This is because it’s thought that those best placed to provide ASIC with information about misconduct are ACL holders themselves.
What breaches need to be reported?
The regime requires ACL holders to report “reportable situations'” rather than breaches. This is because, in some situations, ACL holders will need to report even if they haven’t determined a breach has actually occurred (more on this later).
Reportable situations fall within the following categories:
Breaches (or likely breaches) of the core obligations that are significant
Core obligations are all the general obligations in section 47 of the NCCP Act. In relation to the obligation to comply with the credit legislation in section 47(1)(d), this is modified to reduce the types of legislation covered for the purposes of reporting.
Two different significance tests exist. They are:
This is a breach (or likely breach) of a core obligation that:
If none of the automatically significant situations apply, the breach may still be significant based on the following factors:
Additional reportable situations
The new reporting regime also applies in the following instances:
Whose breaches must be reported?
ACL holders will not only have to report incidents they commit but also the incidents that their representatives commit. They will also need to report breaches by mortgage brokers of other ACL holders.
What’s the deadline for reporting?
ACL holders will generally have 30 calendar days to report a reportable situation from when they first have reasonable grounds to believe that a reportable situation has occurred.
ACL holders will need to submit their breach reports to ASIC (unless they are APRA regulated in which case, they can submit their report to APRA).
Additional obligations for mortgage brokers
ACL holders that provide mortgage broking services will also have to notify, investigate and remediate affected clients when:
Key takeouts for ACL holders
What you need to do
To successfully navigate the new breach reporting regime, ACL holders need to have written procedures and tools in place that help them:
Representatives should also be trained about these procedures so they can help their ACL holders comply with the requirements.
Your governance framework should be updated so that it’s tracking open breaches and suspected breaches.
Finally, ACL holders should be creating an environment where staff feel comfortable raising suspected breaches. If everyone in your organisation is playing their part, complying with the new requirements will be much easier.
Jesse Vermiglio is partner at Holley Nethercote Lawyers and of its compliance and training business Holley Nethercote Compliance, which has developed a template breach reporting procedure and supporting tools to help ACL holders comply with their reporting requirements.
He has extensive experience in financial services law, consumer credit law, commercial and commercial litigation, having held senior legal roles at ASIC, worked in the Victorian government and in private practice over the past 20 years.
The mortgage technology provider has tapped into open banking dat...
The lender’s co-chief executive believes this will sustain gro...