Posted May 13, 2021

Posted By Meghann Cannon

New breach reporting regime from 1 October 2021

Key changes from 1 October 2021

Change to reporting timeframe

The breach reporting timeframe will be 30 days (previously 10 days). Whilst this sounds like a good thing, the current grey period between first discovering a breach and determining whether it is significant will disappear. The deadline kicks off from the time the licensee first knows there are reasonable grounds to believe a reportable breach has arisen.

Significant expansion of what needs to be reported to ASIC

Reportable breaches occur when:

  • the licensee/representative has breached or is no longer able to comply with a core obligation (same test under current law) and the breach is (or when it occurs will be) significant (no real change here except for what is deemed to be significant, see more on this below);
  • the licensee/representative has commenced an investigation into whether a reportable breach has occurred, and the investigation has continued for more than 30 days (a second report must be provided to ASIC on the outcome of the investigation once it is complete); or
  • the licensee/representative has engaged in gross negligence or serious fraud.

What is “significant” is now expanded with a number of situations “deemed” significant including:

  • where the provision breached is an offence involving imprisonment for 12 months (or 3 months for dishonesty offences);
  • breach of any civil penalty provisions (e.g. failure to comply with most legislative requirements in Chapter 7);
  • misleading or deceptive conduct;
  • breaches that result or are likely to result in material loss or damage to clients or members;
  • gross negligence and serious fraud.

Draft regulations currently exclude failure to give a FSG or PDS from being deemed to be significant.

The current arrangements continue to apply for other significant breaches that don’t fall within the above (i.e. systemic failures, breaches indicating compliance arrangements are inadequate).

For ACLs, breach of any key requirements under the National Credit Code is deemed to be significant. 

With the new deeming provisions, many breaches currently considered to be not significant (where not systemic or resulting in client losses) will be significant and need to be reported.

Clients must be notified

Clients are required to be notified of the breach where the breach involves financial advice to retail clients or credit assistance by mortgage brokers. Breaches must be investigated and affected clients compensated for loss or damage.

Blowing the whistle on others

AFSLs and ACLs will be required to report other licensees to ASIC. This is intended to target misconduct by individual financial advisers and mortgage brokers. The AFSL/ACL must report to ASIC (and provide a copy to the relevant AFSL/ACL the subject of the report) within 30 days where:

  • they have reasonable grounds to believe that a breach situation has arisen in relation to another AFSL or ACL;
  • the breach relates to the conduct of an individual; and 
  • the individual provides personal advice to retail clients or credit assistance by a mortgage broker.

Failure to lodge these reports will be a civil penalty.

ASIC is expecting a large number of breaches to be reported. It will be interesting to see whether ASIC will be analysing data to determine the level of breaches that are expected from different size firms and investigate where breach reporting data is not in line with ASIC expectations. 

Who is impacted?

Credit licensees

For the first time, credit licensees will be required to report breaches to ASIC so this is a major change for ACLs.


All AFSLs will be impacted. However, due to the nature of the changes, financial advice firms are likely to bear the greatest impact.

What you need to do

The focus on systems, process and removing human error as much as possible is now more important than ever. Of course, this is always held in tension with the need for bespoke client offerings and best interests.

Firms will need to ensure that breaches and incidents are being identified and reported up so they can be dealt with in accordance with the new requirements. Record keeping will be critical. Culture is even more important, so that directors and responsible managers are confident that they are capturing all breaches and incidents and can assess them, ensuring that reportable situations are reported to ASIC within the required timeframes.

