ASIC's new regulatory guidance on breach reporting for AFS and credit licensees commences 1 October
ASIC has now released its updated Regulatory Guide 78 – Breach reporting by AFS licensees and credit licensees (RG 78) and Information Sheet 259 – Complying with the notify, investigate and remediate obligations (INFO 259) to address the reforms commencing on 1 October 2021. The reforms flow from the Financial Services Royal Commission and the ASIC Enforcement Taskforce Review and aim to make breach reporting consistent and clearer across the industry.
More examples, clearer expectations from ASIC on breach reporting
The new guidance on breach reporting in RG 78 includes some changes from the draft version released for consultation in April 2021. It includes more extensive examples and guidance on reportable situations and investigations, and addresses the following:
- Multiple reportable situations: In a new section dealing with multiple reportable situations with a single and specific root cause, ASIC says they may be notified to ASIC in a single report. However, licensees will still need to report each breach within the required timeframe. ASIC also says there may be scenarios when you wish to identify similar or related reportable situations that arise from the same root cause. In that case, the extent to which similar or related reportable situations can be grouped together for the purposes of reporting will depend on the circumstances. The ASIC Regulatory Portal will have updated functionality to provide additional information in relation to a previously lodged report.
- Lodging your report: ASIC says you should not wait until receipt of legal advice on reportability to lodge your report if to do so would take you beyond the 30 calendar day reporting period (previously the advice was not to wait until the reportable situation has been considered by your internal or external legal advisers). ASIC now also says it considers licensees are best placed to determine whether or not legal advice is required before reporting, but it expects licensees will not need to obtain legal advice for every case and should not wait for further sign-off from internal or external legal advisers before reporting to ASIC if they have reasonable grounds to believe a reportable situation has arisen.
- Reasonable grounds to believe a reportable situation has arisen: ASIC says you must report if there are sufficient facts or information to found an objectively reasonable belief. That may happen when other possible explanations are available and does not require facts or evidence amounting to certain proof that there is a breach.
- ASIC says "reasonable grounds" is an objective standard and, although licensees do not need to proactively investigate any possible misconduct of other licensees, they must not turn a blind eye to facts that are before them. By way of example, ASIC says such information may come to light through usual practices or processes, such as a due diligence process as part of a business transfer. It also says the fact that other possible innocent explanations can be thought of to explain a situation does not automatically rule out the need to report.
- Transitional provisions: ASIC now says (at RG 78.23) that the breach reporting obligations apply to credit licensees in relation to reportable situations arising on or after 1 October 2021 and that credit licensees are not required to report breaches of the National Consumer Credit Protection Act 2009 that occurred wholly before 1 October 2021, even if the breach is identified on or after 1 October 2021.
- Obligation to report: INFO 259 outlines the obligations that apply from 1 October 2021 for licensees to investigate certain breaches of the law and to notify and remediate clients and consumers in certain circumstances.
What this means for AFS licensees and credit licensees
The breach reporting reforms make significant changes to the existing obligations of both AFS licensees and credit licensees.
ASIC guidance should be taken into account when considering how to comply with these new obligations. To the extent that measures have already been implemented to ensure compliance from 1 October, those measures should be reviewed for consistency against the new ASIC guidance.