Notifying reportable situations Explaining ASICs updated guidance

TOPIC 

OVERVIEW 

Consolidating multiple reportable situations into one report

 ASIC has now clarified the circumstances in which licensees may group multiple reportable situations into one breach report.
In particular, the update guidance notes that reportable situations may be grouped and reported in a single report when both limbs of the below "grouping tests" are satisfied:

(a)  there is similar, related or identical conduct – that is, conduct involving the same or very similar factual circumstances; and

(b)  the conduct has the same root cause.

ASIC has specifically identified that reports can be grouped where the conduct involves separate occasions of staff negligence or human error.  However, where a licensee determines multiple reportable situations to be attributable to the same negligence or error, it must satisfy itself that there is no broader failure or relevant root cause that has given rise to this negligence or failure (e.g. a failure to adequately train staff or a failure of internal systems).

Describing reportable situations in the Regulatory Portal

In light of concerns relating to the consistency of responses provided by licensees to the "Describe the reportable situation" free-text field in the Regulatory Portal, ASIC has introduced guidance for licensees to assist with appropriately responding to this section.

Relevantly, ASIC's guidance in this regard is scalable, in that it asks licensees to adopt an approach to this section which:

(a)takes into account the impact, nature and complexity of the reportable situation; and

(b)considers whether further or more detailed information, beyond that which is captured through the structured data fields, would assist ASIC's understanding of the reportable situation.

The intention appears to be that licensees are not bound to provide overly detailed reports in respect of less significant breaches.

Updating existing breach reports

Noting ASIC's interest in remaining informed on the progress and status of reported breaches, ASIC has introduce guidance setting out its expectations for updates related to reported breaches.

In this regard, ASIC has stated that its minimum expectation is that licensees provide updates at least every six months (where applicable), as well as where there are any material changes to a licensee's understanding of the nature, impact or extent of the reportable situation.  ASIC also expects to be updated upon a licensee completing its investigation, rectifying the root cause(s) of the reportable situation and its customer remediation process. 

Identifying investigation triggers and root causes

ASIC has expanded the definitional guidance relating to the "What triggered the investigation or made you aware of the matter?" and "What are the root causes of the breach-or likely breach?" sections of the prescribed form.  

The updated guidance includes definitions for each answer option to the relevant questions, noting that previously a number of questions were undefined.  This caused significant confusion for licensees when completing the form, while it also prevented ASIC from obtaining key regulatory data.

ASIC had separately considered whether it would be appropriate to streamline these queries, yet ultimately decided to retain the existing question and answer options, and provide this additional guidance.  This was on the basis that it would minimise the changes that licensees' were required to make to their internal systems.

 "Similar" reportable situations

Updated RG 78 also includes guidance to help licensees understand what constitutes a "similar" reportable situation.  In particular, ASIC considers that licensees should consider the purpose of the question when undertaking this assessment – that is, do the reportable situations reflect a repeated issue or a broader systemic issue.

Licensees are also required to consider the impact, nature and complexity of the reportable situation to determine whether it is appropriate to identify that a reportable situation is similar to one which has previously occurred.

Relevantly, ASIC also considered imposing a six-year lookback requirement, under which licensees would be required to look back this length of time to identify similar reportable situations.  This approach was not ultimately adopted, noting that industry expressed concerns that this could cause significant regulatory burden.  

Calculating the number of affected clients

In order to assist licensees with understanding ASIC's expectations when specifying the total number of clients a reportable situation affects, or will likely affect if the beach does not occur, RG 78 clarifies when a client should be considered to be "affected".

In particular, RG 78 introduces two new illustrative examples which provide certainty to how a licensee can determine who is, or is likely, to be impacted by a reportable situation.

Withdrawing and correcting breach reports

While the update functionality is generally available on the ASIC Regulatory Portal, limits are intentionally placed on certain fields which prevent licensees from amending their entries.  This reflects ASIC's expectation that licensees lodge complete and accurate reports in respect of their reportable situation.

Having said this, RG 78 outlines a number of circumstances in which a licensee can apply to ASIC to have a report withdrawn or corrected on a case-by-case basis.

This relevantly includes where:

(a) there are material factual errors in the report (e.g. an incorrect licensee has been selected or an incorrect selection on a key field has been made);

(b) additional or more accurate information comes to light in respect of a submitted report;

(c) a matter is determined to no longer be reportable; or

(d) there are minor errors contained in a submitted report (e.g. typographical errors).

In some circumstances, ASIC may simply remove the existing report and request the licensee to submit an updated report with the correct information.