Navigating the new breach reporting regime

Published in the Australian Banking & Finance Law Bulletin (2021) 37(8) BLB 97

The release of Regulatory Guide 78 — Breach reporting by AFS licensees and credit licensees (RG 78) on 7 September 2021 finalises the Australian Securities and Investments Commission’s (ASIC) guidance to Australian financial services licensees and Australian credit licensees of the breach reporting obligations that came into effect on 1 October 2021.

A broad overview

Much of RG 78 is unchanged from the exposure draft released in April 2021, discussed in the July 2021 edition of the Australian Banking & Finance Law Bulletin.[1] That being the case, this article will not rehearse the detail of the new regime explored in that article; rather, it will focus on those aspects of RG 78 that differ from the exposure draft. It is useful, however, to start with a broad overview.

“Core obligations” are central to the new reporting regime. The breach, likely breach, or an investigation into the breach of these obligations are the “reportable situations” dealt with by RG 78. There are two exceptions, the first being the requirement to report gross negligence or serious fraud, referred to as “additional reportable situations”. The second is the obligation to report the conduct of other licensees.

Naturally, familiarity with the core obligations is essential to a thorough understanding of the reporting obligations. The breadth of those core obligations is such that it is not possible to attempt to reproduce them here, even in the summarised form appended to RG 78.

“Significant” breaches of core obligations must be reported. Some breaches are, by nature, deemed to be significant. These include breaches that amount to the commission of an offence, the breach of a civil penalty provision not exempted under the regulations[2] and, importantly, breaches that result, or are likely to result, in material loss or damage to clients or members. Materiality may be established by reference to the significance of the loss to an individual, or by aggregating that loss where a number of individuals are involved.

Aside from deemed significant breaches, a reportable situation will arise where the breach is otherwise significant having regard to the number or frequency of similar breaches, the impact on the licensee’s ability to undertake the licensed activities, the extent to which the breach reveals inadequate compliance measures or other matters prescribed by the regulations.

Reportable investigations

One of the main areas in which RG 78 expands on the exposure draft is in respect of reportable investigations. An investigation into a significant breach or likely significant breach is itself a reportable situation if it subsists for longer than 30 days. A lack of clarity in relation to what amounts to an investigation for the purposes of “starting the clock ticking” has presumably prompted the further guidance provided by RG 78 on this issue.

RG 78 clarifies that a reportable investigation must, at least in part, be looking into whether there is a breach (or likely breach) of a core obligation that is significant. It also seeks to clarify those events which are not considered to be a reportable investigation, namely:

  • the mere receipt of a complaint, whistleblower disclosure or regulatory request
  • preliminary steps and initial fact-finding inquiries into the nature of the incident, provided these are conducted over a short timeframe as an initial response to the complaint (or other notification), and
  • “business as usual” inquiries such as routine audits, quality assurance monitoring or other internal compliance review processes that are not triggered by an incident, or assess a possible breach of a core obligation

Importantly, RG 78 has made clear that the date on which a licensee’s compliance team is seized of the investigation is not necessarily determinative of the commencement of a reportable investigation. In other words, it is the nature of the activity undertaken that is important, rather than the role of the individual who undertakes that activity.

These further additions to the guide have unfortunately not resolved all of the uncertainty that exists in respect of the timing of the commencement of a reportable investigation. As noted at RG 78.52, activity amounting to an investigation is likely to vary depending on the size of the licensee’s business, its internal systems and processes, and the type of breach. Whether there has been some information gathering, or effort applied to determining whether a breach has or will occur, will be a relevant factor.

The additions to the exposure draft noted earlier, however, indicate that preliminary fact-finding inquiries conducted over a short timeframe as an initial response to detective controls (such as the receipt of a complaint) are not reportable. The point at which such initial inquiries mature into an investigation will likely be difficult for licensees to discern. Where an investigation into particular matters morphs into an investigation into a breach, similar timing issues may arise. Identifying “day 1” with a view to ascertaining “day 31” (when the investigation becomes reportable) is likely to, in some cases, vex licensees and their advisors.

Additional reportable situations

RG 78 expands upon the guidance provided in the exposure draft in respect of additional reportable situations. As mentioned above, additional reportable situations comprise instances of fraud or gross negligence. The example of a mortgage broker jeopardising an application for finance by failing to respond to information requests is cited as an instance of gross negligence. Whether conduct which falls short of the level of competence expected is sufficiently egregious to meet the threshold of “gross” negligence is a matter which licensees may understandably have some difficulty discerning.

Reporting the conduct of financial advisers and mortgage brokers

One of the more remarkable features of the new breach reporting regime is the obligation on licensees to lodge breach reports in relation to the conduct of other licensees, namely financial advisers and mortgage brokers. RG 78 provides a more expansive explanation of the scope of this obligation than the exposure draft.

Licensees are required to report the conduct of others where “reasonable grounds to believe” that a reportable situation has arisen exist in respect of the conduct of financial advisers and mortgage brokers. RG 78 notes, not entirely helpfully, that reasonable grounds will exist when there are facts or evidence to induce, in a reasonable person, a belief that a reportable situation has arisen. In the context of reports about other licensees, such a belief may arise by reason of mutual business dealings or through mutual clients. These facts or evidence do not, however, need to satisfy any particular standard of proof, nor does the possibility of an innocent explanation for particular conduct rule out the formation of the requisite belief and, consequently, the requirement to report. Whilst licensees are not required to assume the role of amateur detective by proactively investigating other licensees’ conduct, RG 78 makes clear that licensees cannot turn a blind eye where relevant information comes to light.

Where the obligation to report is triggered, licensees have 30 days to both lodge a report with ASIC and provide a copy to the licensee who is the subject of the report. RG 78 suggests that the provision of the report to the person responsible for the offending conduct in this manner will fall within the exemption in s 123(9) of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).

The obligation to report instances of gross negligence of financial advisers and mortgage brokers will be difficult territory for licensees to navigate. Returning to the example of the negligent mortgage broker mentioned above, it will not be easy to discern the difference between (unreportable) negligence and (reportable) gross negligence. The spectre of civil penalty for the failure to report might encourage licensees to err on the side of caution in identifying reportable conduct of financial advisers and mortgage brokers. While RG 78 suggests that reports made without malice will attract the defence of qualified privilege in any defamation action, licensees will likely be wary of the reputational consequences of perceived over-zealous reporting.

Multiple reportable situations

Another major change to the exposure draft is provision for the amalgamation of multiple reportable situations with the same root cause into a single report. As licensees will still need to report each breach within the required timeframe, the ASIC Regulatory Portal has been updated so as to facilitate the addition of related reportable situations by way of update to an existing report.

Legal advice and knowledge of a reportable situation

RG 78 expands upon the provisions of the exposure draft on the subject of legal advice. It makes plain that legal advice should not delay the lodgement of reports where obtaining such advice would result in a lodgement outside the 30-day reporting window. It is suggested that legal advice will not be required in every case, and RG 78 cautions against the delays likely to result from the adoption of an “overly legalistic approach”.[3]

Transitional arrangements for credit licensees

Finally, RG 78 clarifies that credit licensees are not required to report breaches of the National Consumer Credit Protection Act 2009 (Cth) that occurred wholly before 1 October 2021, even if the breach is identified on or after 1 October 2021.

The new normal

Notwithstanding the more expansive guidance and examples provided by RG 78 in comparison to the exposure draft, uncertainty around the commencement of investigations, materiality and the other threshold issues discussed above will challenge licensees and their advisors. Most challenging, perhaps, will be the manner in which licensees settle into their new role as informants of financial adviser and mortgage broker misconduct. Many in the industry will keenly await ASIC’s annual publication of information about reports lodged to gauge the impact of the new regime.

[1] F Healy, J Lucek-Rowley and G Varma, “New World Order: planning for the transition to new breach reporting regime” (2021) 37(5) BLB 55.

[2] Regulation 7.6.02A of the Corporations Regulations 2001 (Cth) (for AFS Licensees) and reg 12A of the National Consumer Credit Protection Regulations 2010 (Cth) (for credit licensees).

[3] Australian Securities and Investments Commission Regulatory Guide 78 — Breach reporting by AFS licensees and credit licensees (September 2021) at RG 78.102.