ASIC invites industry feedback on breach reporting reforms
Consultation Paper 340, Draft Regulatory Guide 78 and Draft Information Sheet released
What you need to know
- ASIC has released draft guidance regarding the breach reporting reforms introduced by the Financial Sector Reform (Hayne Royal Commission Response) Act 2020 (Cth): Consultation Paper 340, draft Regulatory Guide 78 and a draft Information Sheet.
- The draft guidance summarises the substance of the breach reporting reforms and includes information on how ASIC expects the new regime to operate in practice.
- The draft guidance indicates that the types of information that will need to be provided for each report will be consistent with what has been required through ASIC's Regulatory Portal since March 2020.
- The draft guidance is only an indication of the approach ASIC might take and does not address all the practical and legal implications and uncertainties that may arise in the new regime. ASIC has invited stakeholder feedback in relation to the draft Regulatory Guide and Information Sheet. An updated Regulatory Guide and Information Sheet are due to be released in Q3 of 2021.
What you need to do
- It is very important to appreciate that the new breach reporting regime will be significantly different from what is currently in place.
- Familiarise yourself with the draft guidance and make any submissions to ASIC in response to Consultation Paper 340 by 3 June 2021, including seeking clarification from or engagement with ASIC on the issues and uncertainties not covered by the draft guidance.
- Prepare for the new breach reporting regime which takes effect on 1 October 2021 by reviewing business and compliance frameworks and practices to ensure you have processes and controls in place to allow you to meet the legislative requirements and that they are consistent with ASIC's expectations in the draft guidance.
- Consider how the requirements of the new breach reporting regime interact with RG 271 relating to internal dispute resolution, given that complaints and IDR may lead to the identification of reportable situations.
Breach reporting reforms and Consultation Paper 340
In December 2020, the Financial Sector Reform (Hayne Royal Commission Response) Act 2020 (Cth) (Amending Act) was passed by the Commonwealth Parliament, introducing significant changes to breach reporting for Australian financial services and credit licensees. Key changes under the new regime include:
- extension of breach reporting to credit licensees;
- expansion of the significance test so that a large number of breaches will be deemed significant;
- licensees will need to lodge reports with ASIC within 30 calendar days of knowing of, or being reckless as to, the existence of reasonable grounds to believe that a reportable situation has arisen or is likely to arise;
- investigations into reportable situations that are ongoing for more than 30 days, and the outcome of such investigations, must be reported to ASIC; and
- introduction of obligations to investigate, notify and remediate affected customers of reportable situations that involve personal advice to retail clients or credit assistance by mortgage brokers.
In advance of the new breach reporting regime commencing on 1 October 2021, ASIC has released Consultation Paper 340, setting out and seeking feedback on the regulatory guidance it proposes to provide to industry in updated Regulatory Guide 78 and in the Information Sheet.
The draft Information Sheet provides what ASIC considers to be a practical overview of how licensees can comply with the new obligations for investigating, notifying and remediating customers affected by reportable situations where personal advice or credit assistance has been provided.
Draft Regulatory Guide 78
Drawing closely on the Explanatory Memorandum to the Amending Act and using examples and case study scenarios, draft Regulatory Guide 78 addresses a number of key practical topics, including:
- The transitional arrangements in relation to the commencement of the new regime on 1 October 2021.
- How licensees should approach the question of "significance" under the new law, particularly in light of the provisions that will now deem many breaches to be significant without the need for further assessment by licensees.
- When a licensee will have "reasonable grounds to believe" that a reportable situation has arisen or is likely to arise.
- Whose knowledge counts as the licensee's knowledge for the purpose of triggering the 30 day reporting requirement.
- When an "investigation" begins and ASIC's expectations for how these will be expeditiously progressed by licensees so as not to delay reporting to ASIC.
- How the obligation to notify ASIC of reportable situations in respect of other licensees (financial advisers and mortgage brokers) should operate in practice.
- What information will be required in the prescribed breach reporting form. The type of information that will need to be provided for each report is consistent with what has been required through ASIC's Regulatory Portal. We have previously provided an update regarding ASIC's move to require breach reporting through the Portal.
The draft guidance also sets out a number of ASIC's key expectations regarding licensees' compliance systems for breach reporting and examples of "good practice".
Consultation
ASIC seeks feedback on the draft guidance generally and raises a number of specific topics in Consultation Paper 340.
The draft guidance is only an indication of the approach ASIC might take and does not address all the practical and legal implications and uncertainties that may arise in the new regime. For example, in some cases, the examples given to assist licensees seem to be relatively extreme scenarios and therefore leave uncertainty about how ASIC will approach more typical cases. Stakeholders may provide feedback to ASIC on areas that require further guidance.
Licensees should give careful consideration to the draft guidance as they work on developing internal processes and procedures to respond to the new breach reporting regime, and consider engagement with ASIC on areas which are not covered in the guidance or where the guidance does not deal with particular scenarios or uncertainties.
Submissions are due by 3 June 2021.
Authors: Lucinda Hill, Partner; Mark Bradley, Partner; Emma Della Posta, Lawyer; and Justin Browne, Lawyer.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.