10 October 2007
From 1 January 2008, entities regulated both by ASIC and APRA can submit a single breach report to APRA (which will act as ASIC's agent for that purpose) when they breach APRA's legislation or both APRA's and ASIC's legislation. In addition, the breach reporting requirements for APRA and ASIC regulated entities have otherwise been harmonised.
What was the problem?
The Financial Sector Legislation Amendment (Simplifying Regulation and Review) Act 2007 seeks to streamline the breach reporting arrangements between the Corporations Act 2001 and the Prudential Acts (the Banking Act 1959, Insurance Act 1973, Life Insurance Act 1995 and Superannuation Industry (Supervision) Act 1993).
Previously, an entity regulated by both the Corporations Act (for example, the holder of an AFSL) and a Prudential Act (for example, the holder of an RSE licence under the Superannuation Industry (Supervision) Act), would need to consider its breach reporting requirements separately under each regime. Having regard to the differences between the regimes, such a dually regulated entity could legitimately form the view that a particular breach was reportable under one regime but not the other. Similarly, where the particular breach was reportable under both regimes the entity would need to lodge separate breach reports with each of ASIC and APRA in respect of the same breach within different time periods.
How have the breach reporting requirements been streamlined?
Broadly speaking, the Act seeks to address the mismatch in regulation between the Corporations Act and the Prudential Acts by:
Eliminating the requirement for breaches to be reported twice. Where entities are regulated by both APRA and ASIC, a single breach report can be submitted to APRA. However, the entity may elect to continue submitting duplicate lodgements to APRA and ASIC.
Removing duplication. Where a an actuary or auditor of the entity is required to notify ASIC or APRA of a breach, the entity will not be required to submit a separate breach report on an incident provided the auditor or actuary of the entity gives a written breach report to APRA within ten business days after the licensee becomes aware of the breach. It is envisaged that APRA and ASIC will provide guidance as to how this agreement will operate and that entities will be able to engage with APRA and ASIC in the development of this guidance material.
Introducing a significance test to the Prudential Acts. The breach reporting obligations under the Prudential Acts have been amended to require APRA regulated entities to report significant breaches that have occurred or that will occur in the future. Breaches to the Prudential Acts must be reported by the entity, auditor or actuary as soon as possible and in any event within 10 business days after becoming aware of the breach, unless the breach relates to:
Consistent with that, section 912D of the Corporations Act has been amended to extend the time by which significant breaches must be reported from a maximum of 5 business days to 10 business days.
