To report or not report? Proposed changes to the breach reporting regime

Prepared by Peter Hagias and Julia Winzar

The current self-reporting regime for AFSL holders has faced scrutiny over the last decade in the media and in various inquiries that have been conducted in relation to poor advice and banking practices.

A consultation paper has been released which proposes the following changes to the self-reporting regime:

  • What is determined to be a ‘significant’ breach will be determined by an objective standard (i.e. what would a reasonable person consider to be significant) rather than the current subjective standard (i.e. what does the licensee consider to be significant).
  • Extending the breach reporting regime to ACL holders. There is currently no equivalent self-reporting regime for ACL holders. It is intended that the self-reporting regime will sit alongside the requirement to lodge an annual compliance certificate.
  • The regime will be extended to expressly require licensees to report significant breaches or misconduct by an employee or representative.
  • Breaches would have to be reported within 10 days from when the licensee becomes aware or has reason to suspect that a breach has occurred, may have occurred or may occur. This is intended to remove the lag time in reporting breaches, given the current regime requires the licensee to be become aware of the breach and its significance (the timing of which may be different) before reporting it to ASIC.
  • Increasing the penalties that apply for failing to report a breach, including by adding a civil penalty punishment in addition to a criminal penalty for failing to report.
  • Providing ASIC with the power to issue infringement notices (essentially fines) for simple or minor failures to report.
  • Encouraging collaboration between the licensee and ASIC to encourage licensees to report events and information at the earliest opportunity, even where internal investigations are still on-foot. This may be achieved by having an ASIC no-action position or penalty discount if certain circumstances have been met.
  • Require breaches to be reported to ASIC in a prescribed form. The current style and content of breach reports is not prescribed.
  • Publishing annual breach reporting data, at a firm or licensee level – the ‘name and shame’ technique. This obviously carries significant reputational issues for non-compliant licensees.

At the moment, nothing needs to be done. However once the consultations have been finalised, AFSL holders will need to revise their breach reporting procedures. More work will be required for ACL holders – they will need to imbed breach reporting procedures into their current compliance framework as well as undertake relevant RM and staff training in relation to breach identification, reporting and remedial action.