Significant changes in government's breach reporting proposals
The Government's exposure draft legislation
What you need to know
- The Government has released an exposure draft of legislation to reform the breach reporting regime for Australian financial services and credit licensees.
- If enacted, the proposed legislation would significantly expand the matters which financial services licensees will have to report to ASIC under s 912D of the Corporations Act. The changes go beyond those foreshadowed in the ASIC Enforcement Review Taskforce final report and the Royal Commission. This is likely to greatly increase the volume of breach reporting by large institutions.
Key proposed changes include:
- All breaches with a financial impact on customers will need to be reported.
- Investigations will need to be reported within 30 days, with the outcome of the investigation also having to be reported within 10 days, even where no significant breach is ultimately found.
- The extension of the regime to credit licensees.
- New provisions requiring the timely notification and remediation of personal financial advice and mortgage broking customers.
What you need to do
- If the bill passes, licensees will need to bring their breach reporting processes and systems in line with the final form of the legislation, for implementation by the proposed commencement date of 1 April 2021.
- Licensees should consider making submissions to the Treasury by 28 February 2020, given the significant practical implications of the proposed changes.
From the ASIC Enforcement Review Taskforce to the exposure draft legislation
On 31 January 2020, the Government released an exposure draft of the Financial Sector Reform (Hayne Royal Commission Response – Protecting Consumers (2020 Measures)) Bill 2020. While in line with the stated aims of reform, it differs significantly from the recommendations of the ASIC Enforcement Review Taskforce (Taskforce), which were endorsed in the Final Report of the Financial Services Royal Commission.
The key changes proposed in the exposure draft include:
Expanded concept of a "reportable situation"
A financial services licensee will be required to report in a range of "reportable situations", including the traditional requirement to report where there is a breach or likely breach of certain "core obligations" which is significant, but also where:
- An investigation has been commenced into whether there has been a breach or likely breach, and the breach or likely breach is significant.
- The licensee has committed gross negligence, serious fraud, or any other circumstances prescribed in regulations, in the course of providing a financial service – there is no requirement that this involve a breach of a financial services law.
The requirement to report investigations was not contemplated by the Taskforce, although it endorsed an objective test which would have required the early reporting of potential breaches in many situations.
Similarly, the Taskforce report recommended that serious misconduct by employees and authorised individuals should be deemed to be significant, but the exposure draft instead includes the concept of "gross negligence" – a term which has proved uncertain in a range of commercial and legal contexts. If enacted, licensees will need to give careful consideration to the meaning of "gross negligence" and how they should assess themselves against that standard.
More objective test for knowledge
The reporting obligation arises where the licensee "reasonably knows" that a reportable situation exists, meaning either that it is aware of the situation or "is aware of a substantial risk that a circumstance exists (which substantial risk it would be unjustifiable to take in the circumstances)."
This is not a completely objective test, but licensees and decision-makers within them will doubtless be concerned about the risk that, in hindsight, they are considered to have known enough that they ought to have reported to ASIC or done so sooner.
Expanded concept of "significance"
The exposure draft deems a breach to be significant where it:
- is an offence punishable by a maximum of 12 months or more (or 3 months in the case of an offence involving dishonesty);
- constitutes a breach of a civil penalty provision (including misleading or deceptive conduct, unconscionable conduct, and (from March 2019) the "efficiently, honestly and fairly" obligation); or
- results or is likely to result in loss or damage to clients, or members of a managed investment scheme – this is stronger than the Taskforce recommendation, which referred to a "material" loss to customers.
Additional deeming rules may be prescribed by regulation. In other cases, significance is to be judged having regard to the traditional factors under s 912D (with the exception of financial impact on clients, which would become a deeming rule).
Requirement to report outcomes of investigations
In addition to the requirement to report investigations, the licensee must also report the outcome of the investigation into whether there has been a breach of a core obligation – even if it concludes that there was no breach or no significant breach. This must be done within 10 days of the licensee "reasonably knowing" that the investigation did or did not disclose reasonable grounds to believe that the licensee or representative has breached the core obligation. This is a shorter period than the 10 business days allowed under the current law. Current experience is that 10 business days is often a relatively short time to prepare an accurate summary of an issue, and the reduction in time will pose an additional challenge for licensees.
Prescribed form for breach reports
There will be a prescribed form for breach reports, which will reduce the scope for licensees to take different approaches to the description of the issue in the reports. Given ASIC's past regulatory guidance regarding its expectations for breach reports, there may be some prospect that the prescribed form will specify more detailed information than the proposed legislation on its face would require.
Expansion of the regime to Australian Credit Licensees
The breach reporting regime will apply to credit licensees for the first time.
Reporting to and remediating customers
Personal financial advice licensees and mortgage brokers will also be obliged to notify affected customers within 30 days where a significant breach, fraud or gross negligence has been identified and there are reasonable grounds to suspect that the customer has suffered loss which they have a legally enforceable right to recover. This will require customers to be notified very early in the investigation process, and often before it is clear that they are affected and what, if any, compensation they will be offered by the licensee.
The licensee must then investigate the matter within a reasonable time, including quantifying the impact of the breach on the customer (if any), and report to the customer within 10 days of concluding the investigation, as well as paying compensation to the customer within 30 days.
It remains to be seen whether the 10-day and 30-day time periods run from the conclusion of the overall investigation or only from the resolution of the particular customer's position. If it is the latter, licensees will need to streamline their processes to ensure that payments are made very promptly after cohorts of affected customers are identified and their losses are quantified – this would intensify an emerging trend in relation to remediation in the post-Royal Commission environment.
New regime for personal financial advice and mortgage broker customers
There will also be new obligations to report other licensees in relation to personal financial advice and mortgage broking issues, in certain circumstances.
Implications
The proposed new regime will have broad implications for licensees, particularly with ASIC now being armed with a range of criminal and civil penalties for the failure to comply.
It is likely to result in a very large increase in the amount of conduct which is reported. Any breach causing financial loss to a customer would need to be reported, as would any investigation into whether that conduct constituted a significant breach. This moves the regime much closer to that before the reforms in 2003 which introduced the significance threshold for breach reporting (although in practical terms the expectations pre-2003 were very different to today). Licensees would need to report a much larger range of investigations and outcomes to the regulator. This would give regulators an opportunity to select cases for investigation and to conduct trend analysis, but the burden of selection would also fall on the regulator, creating a greater risk that matters of importance are not identified by it, or not identified as early as would otherwise be the case, due to the large volume of reporting.
Indeed, it is as yet unclear whether the legislation could result in low-level management information about complaints and matters of that kind having to be reported to ASIC, such as complaints about a single customer being misled and suffering a small loss. These are currently frequently dealt with at a low level, without legal input, and resolved consensually. Would such cases be reportable under the exposure draft? Further guidance or clarification on the practical scope of the obligation to report would be helpful, and this does highlight the potential benefits of the materiality threshold proposed by the Taskforce.
Regardless, licensees would need to change their compliance processes to ensure that matters being investigated are reported within 30 days, to try where possible to resolve the investigation within 30 days to enable a single report to be made covering the investigation and the outcome and, if not, to report again on the outcome of the investigation within 10 days of its conclusion. Given the likely increased volume of breach reporting, consideration will need to be given to standardisation and simplification of the content of breach reports in the new prescribed form, and to ensuring that licensees have appropriate resources to cope with this challenge.
Licensees will also need to consider, and appropriately document, the commencement of an investigation into whether there has been a significant breach of a core obligation. A problem may be known or suspected for some time before it comes into focus as a potential breach of a core obligation, and so it may not always be clear when the 30-day timeframe for reporting commenced. It will be important to establish a clear internal process for accurately identifying this date, to avoid inadvertent failures to meet the 30-day timeframe.
Licensees and others should consider these and other issues carefully as the exposure draft progresses through the consultation and legislative process, and reforms to breach reporting are implemented.