ASIC requires breach reporting through its Regulatory Portal
What you need to know
- ASIC has stated all significant breach reports must now be lodged through its Regulatory Portal (Portal). However, at present, ASIC has no power to require this under the Corporations Act 2001 (Cth) (Corporations Act).
- Lodging a breach report through the Portal will require licensees to answer a range of detailed and complex questions, which appear similar to the kinds of questions ASIC asked in its Breach Reporting Project. Such questions will often prove difficult to answer in the 10 business day timeframe for reporting under section 912D of the Corporations Act.
- Licensees using the Portal will need to do their best to provide accurate information in the time available and consider updating the information periodically as their understanding of an issue develops.
Under section 912D of the Corporations Act, financial services licensees must report to ASIC "significant" breaches of relevant financial services laws as soon as possible and in any case within 10 business days after becoming aware of them. Beyond requiring that licensees lodge "a written report on the matter with ASIC", the Corporations Act is silent about the content of such reports and the manner in which they may be lodged with ASIC.
In the past, ASIC has provided guidance on the content of breach reports through its Regulatory Guide 78, and published the FS80 form for use in breach reporting, but did not seek to mandate the use of that form. Many institutions have historically provided breach reports by letter, which enables a more detailed and nuanced explanation of what can often be quite unclear circumstances at the time a breach report is made.
ASIC published a revised version of RG 78 on 30 March 2020, in which it stated that reports of significant breaches must be lodged through the Portal. It appears that the Portal will require licensees to answer a series of questions relating to the breach, designed to provide ASIC with data relating to breaches in a standardised form.
ASIC currently has no express statutory power to prescribe the form of breach reports. The ASIC Enforcement Review taskforce recommended that it be given such a power, and one is provided in the exposure draft legislation published by the Government in January 2020. Our update on the proposed reforms in the exposure draft can be found here. In light of COVID-19 and an announcement from the Treasurer, it appears these reforms will now commence no earlier than 1 October 2021.
ASIC has seemingly chosen to press on with mandating the form of breach reporting, through guidance, in advance of having an express power to do so. While the Portal may provide a convenient way of submitting breach reports and providing ASIC with the kind of information it now requires in order to assess breaches, as a matter of law it remains open for licensees to submit written reports to ASIC in other ways (for example, by letter to the proper officer of ASIC). It will be interesting to see whether licensees embrace the Portal and whether there is any recourse to other forms of reporting, for example when it is impossible within the 10 business day period to sensibly answer the detailed questions in the Portal, even by providing estimates.
From ASIC's description of the Portal on its website and its interpretation guidance on the questions, it appears that the detailed questions that are posed to financial services licensees lodging breach reports are similar to those that were asked of licensees in connection with ASIC's Breach Reporting Project, which resulted in the publication of Report 594.
Many of these questions will be challenging for licensees to answer in the 10 business day period within which a breach report must be lodged with ASIC. Answers provided within that time period will also frequently be subject to change as licensees progress their investigations following the submission of a breach report. ASIC acknowledges that some answers that will be provided through the Portal may only be estimates at the time a breach is initially lodged. However, it will be important that licensees using the Portal take reasonable steps to verify the information provided and can later explain to ASIC the basis for any estimates or assumptions which prove incorrect. There may also be some questions which are difficult or impossible to answer, even using estimates or assumptions, in the time available.
It also appears that ASIC envisages that the Portal will enable ongoing updates about breaches to be provided by licensees, by updating the answers to the standardised questions. This would undoubtedly assist ASIC in undertaking data analysis on and comparing reported matters. However, other forms of update, such as letters or presentations, may assist ASIC in better understanding the character or quality of reported matters, the rectification and remediation steps being undertaken, and any particular issues or challenges in relation to those steps. It will be interesting to see how ASIC balances the need for both kinds of information as the Portal becomes embedded in its business-as-usual practices.
Authors: Mark Bradley, Partner and Justin Browne, Lawyer.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.