ASIC Corporations and Credit (Amendment) Instrument 2023/589 (“Instrument“) was registered on 17 October 2023 to amend ASIC Corporations and Credit (Breach Reporting – Reportable Situations) Instrument 2021/716. The amendments modify the current reportable situations regime applicable to Australian financial services (AFS) licensees and Australian credit licensees and apply from 20 October 2023.
- Breaches of misleading and deceptive conduct provisions
- Reporting periods for previously reported situations
- Next steps
Breaches of misleading and deceptive conduct provisions
Following concerns about the costs of reporting some reportable situations that have limited regulatory benefit, the Instrument exempts licensees from reporting breaches of the misleading and deceptive conduct provisions (i.e., misleading and deceptive conduct or false and misleading representations in section 1041H of the Corporations Act 2001 (Cth) and sections 12DA and 12DB of the Australian Securities and Investment Commissions Act 2001 (Cth)) that:
- Give rise to a single reportable situation
- Impacts only one client or, if the product is jointly held, only impacts those clients
- Causes no financial loss or damage, or likely financial loss or damage
- Is not otherwise a reportable situation
Prior to the Instrument being registered, any breach of the misleading and deceptive conduct provisions was automatically reportable to ASIC regardless of whether the contravention was significant or insignificant.
Reporting periods for previously reported situations
Additionally, the Instrument gives licensees up to 90 days (instead of the previously required 30 days) to report a reportable situation that has underlying circumstances that are the same as, or substantially similar to, underlying circumstances of an earlier reportable situation that the licensee has reported to ASIC (i.e., a related reportable situation).
These modifications are a sensible approach by ASIC and we suggest this is an opportune time for licensees to review and look to update their breach reporting policy accordingly.