01 Sep 2016
Breach reporting – your obligations explained
By Scott Grahame
Robust internal systems are the key to identifying and reporting significant breaches.
Australian Financial Services (AFS) licensees are obliged to report significant breaches of their obligations in sections 912A and 912B of the Corporations Act to the Australian Securities and Investments Commission (ASIC). Determining whether a breach is "significant" requires careful analysis by AFS licensees. In this article we take a closer look at the relevant provisions of the Corporations Act to help you identify significant breaches, and understand your reporting obligations.
What is a "significant" breach?
Whether a breach is significant will depend upon the individual circumstances of the case at hand. A review of the breach must be performed to determine whether a breach or a likely breach is significant and, therefore, reportable to ASIC. Typically, the legal, risk and compliance functions within an organisation can assist the business with this review.
A licensee must take into account the factors listed in section 912D(1)(b) in deciding whether a breach or likely breach is significant. These factors include:
- the number or frequency of similar previous breaches;
- the impact of the breach or likely breach on the licensee's ability to provide the financial services covered by the licence;
- the extent to which the breach or likely breach indicates that the licensee's arrangements to ensure compliance with those obligations are inadequate;
- the actual or potential loss to clients or the licensee itself; and
- any other regulatory requirements.
Some examples of breaches that ASIC considers may be significant and consequently reportable are:
- a failure to maintain professional indemnity insurance;
- a failure to prepare cash flow projections;
- a failure to detect previous breaches; and
- regular occurrences of representatives giving inappropriate advice.
What should you do if you become aware of a significant breach?
Significant breaches must be reported to ASIC in writing as soon as practicable, and in any case within 10 business days of the licensee becoming aware of the breach or a likely breach. Licensees can use ASIC's sample form (Form FS80) or prepare their own written report. The penalty for not reporting a breach can be serious. Individuals can be fined up to $8,500 and imprisoned for 1 year, and companies face penalties of up to $42,500.
ASIC does not take action in all circumstances. The manner in which the licensee handles breach identification and reporting will influence ASIC's response to the breach. For this reason, licensees should make genuine attempts to identify the cause of the breach and remedy the breach so that it is unlikely to recur. If satisfied with the licensee's response, ASIC may decide further action is not required.
When does the licensee become aware of a breach?
Given that a licensee has only 10 business days to report a breach, it is important to know exactly when the 10 business day reporting period commences.
ASIC considers that the reporting period starts on the day a person responsible for compliance within the organisation becomes aware of a breach or likely breach that could be significant. ASIC expects licensees to have appropriate internal systems to ensure that the relevant people are made aware of breaches in a timely and efficient manner.
When breach reporting is not necessary
Only significant breaches are reportable. Generally, ASIC does not consider isolated incidents to be significant and reportable. For example, a representative giving inappropriate financial product advice to a client on a single occasion is probably not a significant breach. However, repeated incidents of inappropriate advice might be a sign of a systemic problem. In that situation the breach is more likely to be significant and reportable.
It is important to note that, even if a breach is not significant, licensees may still need to address the breach through other means. This might include addressing the breach using internal systems and also reporting the breach to another regulator when the area of law is outside ASIC's regulatory power (such as a failure to comply with tax obligations, breaches of competition or consumer laws, criminal conduct or environmental issues).
What this means for you
To ensure compliance with the obligation to identify and report significant breaches, licensees should have internal systems for:
- identifying breaches or likely breaches;
- determining whether breaches or likely breaches are significant;
- ensuring that those responsible for compliance are made aware of the breaches as soon as possible;
- reporting significant breaches or likely breaches to ASIC;
- rectifying the breach or likely breach; and
- ensuring that arrangements are in place to prevent recurrence of the breach or likely breach.