Guidance on new breach reporting regime released

This marks the first time that credit licensees will be obliged to report certain breaches of the law to ASIC. 

The breach reporting reforms will be slightly different for ACLs and AFSLs.

While AFSLs will have to report breaches that they discover after 1 October 2021, even if the breach occurred before that date, this will not apply for brokers.

Indeed, ASIC confirmed that the breach reporting obligations only apply to credit licensees in relation to reportable situations arising on or after 1 October 2021. 

As such, credit licencees will not have to report breaches that occurred before 1 October (even when identified after 1 October 2021) and – as a result, will have a relatively gradual implementation upon commencement.

Examples of reportable situations

Under the new rules, credit licensees must notify ASIC when licensees and their credit representatives commit breaches in “reportable situations”. These include:

• Significant breaches or likely significant breaches of “core obligations”
• Investigations into whether there is a significant breach or likely breach of a “core obligation” if the investigation continues for more than 30 days
• The outcome of such an investigation if it discloses there is no significant breach or likely breach of a core obligation
• Conduct that constitutes gross negligence or serious fraud
• Conduct of financial advisers and mortgage brokers who are representatives of other licensees in certain prescribed circumstances

The guidance provides a range of examples of “reportable situations” that might arise.

For example, ASIC outlines that if a credit licensee conducts a review of its credit contracts and identifies that it is imposing a fee or charge that is prohibited under s23(1) (prohibited money obligations) of the National Credit Code, they must report this to ASIC, even if the fee or charge is imposed on only one debtor.

Aggregators will also have to report situations where one of their credit representatives engages in misleading or deceptive conduct (even when that conduct does not result in material loss or damage to clients).

ASIC provided the example of a licensed mortgage broker conducting an audit of one of their representatives and identifying that a loan application contains “false information, which indicates that its representative made false representations to a potential lender”.

“Based on this information, it has reasonable grounds to believe a reportable situation has arisen (misleading or deceptive conduct in contravention of s12DA of the ASIC Act), and it must report this to ASIC,” the guidance read.

For examples of “gross negligence”, ASIC provides the hypothetical example of a mortgage broker failing to provide further documentation to a lender to complete a loan approval in time (resulting in the consumer losing out in a property), despite being repeatedly requested to do so by the lender and being chased by the client.  

“The failure of the mortgage broker to act on the repeated requests by the lender and respond to repeated contact from the consumer is conduct constituting gross negligence that must be reported to ASIC,” the regulator stated.

Licensees must report to ASIC in the prescribed form through the ASIC Regulatory Portal. 

Failure to report to ASIC in accordance with the breach obligations will be an offence that can lead to criminal or civil penalties.

The maximum civil penalty for not reporting a reportable situation in accordance with obligations as a licensee is $1.11 million (5,000 penalty units) for an individual.

Similarly, failure to report to ASIC in accordance with the obligation is a criminal offence. That carries both penalties and up to two years’ imprisonment. 

However, the regulator has previously stated that it will be “reasonable” when enforcing the new laws.

ASIC will also publish data about breach reports annually on its website from the fourth quarter of 2022. A consultation on this is expected in due course.

New obligations ‘put strong guard rails in place’

The regulator said that the new obligations aim to “address long-standing concerns about breach reporting by making the reporting consistent, clearer and timely across the industry”. She highlighted that ASIC analysis in 2018 revealed it took more than four years (on average) for large financial institutions to identify incidents that proved to be significant breaches, which not only harmed consumers but also cost firms substantially in remediation.

ASIC deputy chair Karen Chester said: “The government’s new reporting obligations put strong guard rails in place that will benefit firms and consumers alike.

“The new obligations will help firms identify and act swiftly on the breaches that matter, making sure they get the attention they deserve. Licensees and boards will have greater confidence they are doing the right thing by consumers, and ultimately their firm and shareholders.

“The new obligations also benefit consumers by allowing ASIC to better identify and swiftly address systemic problems. There will be greater transparency for consumers and firms with the publication of breach reporting data by ASIC from late 2022.”

The financial services regulator noted that its new guidance was “greatly enhanced” by “constructive submissions and valuable insights” received from industry through the consultation process.

“Industry feedback meant we can now accommodate batch uploading of reports where they derive from a single root cause. This will significantly reduce the reporting burden for licensees,” Ms Chester said.

The regulator has also published an information sheet (INFO 259) that sets out actions that must be taken by licensees to notify affected customers of a breach of the law, investigate the breach and remediate impacted customers. 

You can access the regulatory guide RG 78 here.

[Related: Breach reporting for credit licensees: Are you ready to dob yourself in?]