ASIC Breach Reporting Changes

ASIC’s impending changes to the breach reporting regime (as detailed in Consultation Paper 340 and draft Regulatory Guide 78) are due to take effect on 1 October 2021.

What’s changing? 

The heart of the changes is that ASIC has reduced the scope for licensees to determine what should be reportable. The current regime (set out in RG 78) gives licensees considerable scope to use their discretion with respect to what is reportable – and certainly since ASIC has taken its infamous ‘Why not litigate?’ approach, GCs have been increasingly incentivised to find reasons not to report.

The current regime   

Until now, when a General Counsel became aware of a breach (or a likely breach) they would apply the long-standing ‘significance test’ to determine if it needed to be reported to ASIC. In short, this involved assessing the breach across 4 key criteria:  

  • recurrence/frequency of the breach;  

  • the extent to which the breach indicated fundamental flaws in compliance arrangements;

(I think of these first two as the ‘systemic breach’ criteria);

  • whether the breach impacted on the licensee’s ability to provide the financial services they are licensed for; and

  • the actual or potential loss to clients. 

In addition, and as is the case for almost all things ASIC, these factors have to be viewed through the lens of the nature, size and complexity of the relevant business. 

What is key here is that ASIC does not give any hard and fast rules in terms of how many of these factors need to be present, or which factors to prioritise. When you add nature, size, complexity, it leaves plenty of scope for a commercial (and maybe even a little creative) General Counsel to document very reasonable arguments for why a breach does not need to be reported. As an ex-General Counsel, I can tell you that in practice this process really boiled down to two questions – is there material loss to clients, and is the issue systemic.  

The new RG 78 

The proposed changes to the guidance, which come into effect on 1 October, look to reduce the scope of this discretion, expand a few obligations, and close some perceived ‘loopholes’.

A. Deemed significant breaches  

The new RG in effect sweeps the significance test to the side – relegated to the section marked ‘Other breaches that may be significant’, it is now practically an afterthought.

In its stead, ASIC has designated a large swath of breaches as ‘deemed significant breaches’ and therefore automatically reportable regardless of circumstance or seriousness. 

In short, deemed significant breaches include any breach that: 

  • Is subject to a criminal or civil penalty (there are many); 

  • Constitutes misleading or deceptive conduct (this could include even minor misstatements that have no material significance to clients); 

  • Results in material loss or damage to clients (note that this was just one factor of the previous significance test – and material is a low bar).

ASIC gives one example that is particularly significant to wealth managers – a failure of an adviser to comply with their best interests duty is just one of many obligations subject to a civil penalty provision so therefore automatically reportable. To get more granular – a failure to include a product comparison table in a statement of advice could trigger this obligation.  

Making misleading statements is also something that is easily done, and will often involve simple human error. Any compliance team that does regular marketing reviews can attest to how easy it is for minor misleading statements to slip through.  

In practice, the outcome of these changes will be that the starting point for any General Counsel will now be to report a breach, no matter how minor.

B. Investigations

ASIC has now deemed that if any investigation into a breach goes on for more than 30 days, it is automatically reportable (on day 31). 

This change has been made to close a perceived loophole – namely that until a licensee could determine that there was a breach (or likely breach), that breach was not reportable. This change has likely been made in response to some very delayed reporting in relation to some of the major breaches made by the big banks – where a potential breach could sometimes be investigated for a year or more before it was deemed reportable. 

This reduces the option for licensees to remain in a state of intentional ignorance. As someone who managed a compliance team in the past, I know exactly what it’s like to feel that there could be a potential problem in an area, but to leave it alone until the resources to look into it properly became available.

In practice, I think this will incentivise legal and compliance staff to think twice before commencing any form of investigation into an issue. 

C. Reporting financial advisers and mortgage brokers 

In yet another blow to financial advisers, RG 78 now makes it compulsory for any licensee to report any potential breaches regarding mortgage brokers or financial advisers who provide personal advice. The list of reasons never to advise a retail client continues to expand. 

D. How to report

ASIC has set out that breaches must be reported to ASIC through the Regulatory Portal and using a prescribed form. The form must include the date, nature, description and relevance of the reportable situation and any details about remediation and if the situation has been rectified. ASIC will publish records about breach reporting on their website within four months after the end of the financial year.  

What licensees need to do? 

For licensees, there are a number of action items for 1 October:

  • To the extent that you have a breach reporting policy, it will need to be updated. 

  • Compliance staff need to be trained and processes updated. ASIC has stated that licensees should expect to report significantly more often than they do now, and this will require changes to breach assessment and reporting processes.

  • Ideally, and particularly for wealth managers, front line staff should be trained to identify reportable situations under their new, much broader definition. 

As always, AB is happy to help. Just reach out! 
