The Australian Securities and Investments Commission (ASIC) has provided updated guidance on the updated breach reporting regime applicable to Australian Financial Services Licensees and Credit Licensees (the regime). ASIC’s updated guidance is set out in a new version of Regulatory Guide 78, ‘Breach Reporting by AFS Licensees and Credit Licensees’ (RG 78), published 27 April 2023.
In August 2022, ASIC announced in its 2022-23 priorities that a greater focus will be directed towards improving the operation of the reportable situations regime. This new regime commenced on 1 October 2021, and applied to all Australian Financial Services Licensees and Credit Licensees (together, Licensees).
- Key takeaways
- In depth
- Next steps
Under the updated guidance, Licensees must now actively update ASIC with respect to reported breaches at least once every six months, and/or where material changes to the reported breach have occurred, which may include changes to the nature, impact or extent of the reportable situation as discussed in more detail below.
In an attempt to make breach reporting processes more consistent throughout the industry, ASIC also provides updated guidance on several key areas including:
- The timing and substance of updates to reports
- Situations for grouping of reports
- Factors to consider when providing descriptions of reportable situations
- Investigation triggers and root cause definitions
- Factors that deem a situation to be considered ‘similar’ to past incidents
- Calculating the number of people affected by an error
- Circumstances which permit amendment or withdrawal of reports
Reported breach updates
ASIC will seek an update on the progress and status of a reported breach to be provided by the licensee at least once every six months. An update should also be provided where material changes to the nature, impact or extent of the reportable situation have occurred, as well as where the licensee’s investigation has been completed and the root cause has been rectified.
Additionally, where the updated functionality on the ASIC Regulatory Portal has been used in relation to a certain reportable situation, the licensee may use the function to report on any further reportable situations arising in connection with the original reportable situation, instead of lodging a new report with ASIC.
Licensees may also use the update functionality in any other way as they consider appropriate to keep ASIC informed on the progress of reportable situations
Grouping multiple situations
Licensees may now group multiple related reportable situations into a single report submitted to ASIC where the following ‘grouping test’ is satisfied:
- The conduct is similar, related or identical in relation to its factual circumstances
- The underlying cause of the breach is the same for all reportable situations (e.g. staff negligence or human error)
ASIC has clarified that even where the conduct involves different individuals, as long as the root cause is identical, the reports may be grouped together. This enables only a single report to be submitted where for example, the conduct relates to the same root cause, but identifies different licensees, or an AFS licensee and a credit licensee, provided that this is identified within the report.
Description of reportable situations
In submitting the report, entities are required to provide a description of the reportable situation. To ensure that the quality of descriptions provided are consistent, ASIC has provided considerations licensees must take into account when describing reportable situations, including details of the situation, as well as explaining how it is a breach of the entity’s obligations, how the situation was identified, why it occurred and details of any impacted clients and/or licensees. In describing the reportable situation, the entity should also ensure they are considering any steps which have been, or will be, taken to address the underlying cause of the conduct. ASIC hopes that this clarity surrounding the reporting regime minimises the existing regulatory burden of the reporting standards on the industry.
Clarity on investigation triggers and root causes of breach
New definitional style guidance has been provided by ASIC to ensure licensees are identifying the triggers or root causes in a more accurate manner. The updated regulatory guide elaborates on each of the root cause and investigation trigger options available on the reportable situations form with embedded form guidance. This update is to ensure accurate and consistent data is submitted to ASIC when identifying the likely causes of the breach, in order to drive meaningful public reporting.
‘Similar’ reportable situations
ASIC has provided guidance on their expectations of where situations are similar to the original reportable breach. Factors to be considered include the nature of the breach, legislative provisions that may have been contravened, the underlying root cause of the breach, any compliance arrangements or controls, and the nature of any client impact.
To minimise regulatory burden on the industry, ASIC has not stipulated a specific lookback time period. Instead, licensees must consider whether the issue may be repeated, or if it may instead be a broader systemic issue in determining the length of time to look back.
Calculating the number of clients affected
In determining which clients have been affected, ASIC has provided illustrative examples to assist licensees. In ascertaining the exact number of clients affected, both financial and non-financial impact of the breach must be considered. Where the substance of the error involves the making of incorrect offers, the number of clients affected should be calculated based on the number which attempted to take action in accepting the otherwise incorrect offer. Where instead there has been an error in a disclosure document, the number affected includes all those to whom the incorrect document was provided, even where the error only resulted in a misunderstanding amongst consumers.
ASIC has also provided that holders of joint accounts should be counted individually, unless the licensee’s systems disallow disaggregation of joint accounts, in which case disclosure of this must be provided within the report.
Reports cannot be amended or withdrawn on the ASIC Regulatory Portal. However, ASIC has provided examples of circumstances in which withdrawal and correction of reports is permitted upon direct request to ASIC. This includes where material factual errors have been made on a report, additional or more accurate information comes to light, or where a change is required to a field that has been greyed out in the report. ASIC will not approve such a request where there are only minor factual errors, or if the matter is no longer determined to be reportable.
The changes to the prescribed form for lodging reportable situations (accessed using the Regulatory Portal) are expected to be implemented on 5 May 2023. Further consultation by ASIC on the approach to breach reporting is also expected in 2023. Should you require advice on your breach reporting obligations, please don’t hesitate to contact us.