It is imperative advisers understand, and have the systems in place to comply with, their obligations under the new Reportable Situations regime.

In October 2022, ASIC released a report examining the first 9 months of the Reportable Situations (more commonly referred to as Breach Reporting) regime^[1].

The main outtake from this report was that the number of breaches reported was significantly lower than the regulator expected, a finding which, in the words of then ASIC Commissioner Sean Hughes, suggested: “some licensees may not have in place the systems and processes required to detect and report non-compliance”^[2].

Since the introduction of the regime in late 2021, confusion amongst advisers, licensees, and product providers has been rife, a point acknowledged by ASIC as early as August 2022^[3]. Notwithstanding their recognition of these ‘implementation challenges’, however, ASIC confirmed that from 2023 it could start naming the licensees reporting the breaches^[4].

If a licensee does not report all “reportable situations” to ASIC, they may be subject to both civil and criminal penalties for every instance of failed reporting.

In this context, it is imperative advisers understand, and have the systems in place to comply with, their obligations under the Reportable Situations regime. In this article, we will revisit the background to the regime and the current context, and clarify ASIC’s own guidance about the type of breaches that must be reported, and the associated reporting and record-keeping processes.

Background to the regime

The current regime was one of several reforms that took effect in ‘Red October’ of 2021, and its genesis can be traced back to the 2018 Hayne Royal Commission. One of the many recommendations made in Kenneth Hayne’s final report was a direct response to concerns relating to the perceived inadequacy of the existing breach reporting regime in preventing non-compliance across the financial services industry.

Up until that point, the test for reportable breaches was a subjective one, based on breaches deemed to be ‘significant’. Within the RC Response Act, which became law in 2020, were provisions that sought to remove perceived ambiguities that had led to inconsistent interpretations of what constituted “significant”^[5].  The reforms also require licensees to investigate potential and actual misconduct, as well as to inform and remediate affected clients.

ASIC Guidance on the regime

In September 2021 – just a month before the regime was due to take effect – ASIC published Regulatory Guide 78: Breach reporting by AFS licensees and credit licensees^[6].

RG 78 sets out ASIC’s expectations around how those covered by the regime – holders of AFSLs and Australian Credit Licenses – should comply with the new requirements. RG 78 also provided details about how the regime would apply in different circumstances, the obligations to communicate with customers affected by breaches, and what information must be provided to ASIC when reporting any breaches.

What is a reportable situation?

Reportable situations are those where:

• a licensee or its representative has breached a core obligation and the breach is significant
• a licensee or its representative is no longer able to comply with a core obligation and the breach, if it occurs, will be significant
• a licensee or its representative investigates whether there has been or will be a significant breach of a core obligation, and the investigation continues for more than 30 calendar days
• an investigation of the kind described above discloses that there has been no breach of a core obligation, or
• a licensee has engaged in gross negligence or serious fraud.

Licensees are also required to notify ASIC if they believe a reportable situation has arisen in respect of financial advisers and mortgage brokers, although they are not required to proactively investigate any potential misconduct.

Core obligations clarified

For AFSL holders, the core obligations largely mirror the obligations in sections 912A and 912B of the Corporations Act^[7], as shown below:

• Do all things necessary to ensure that the financial services covered by the license are provided efficiently, honestly, and fairly.
• Have in place adequate arrangements for the management of conflicts of interest that may arise wholly, or partially, in relation to activities undertaken by the licensee or a representative in the provision of financial services as part of the financial services business.
• Comply with the conditions on the license.
• Take reasonable steps to ensure its representatives comply with the financial services laws.
• If the licensee is the operator of an Australian passport fund, or a person with responsibilities in relation to an Australian passport fund, comply with each law of each host economy for the fund.
• Have available adequate resources (including financial, technological, and human resources) to provide the financial services covered by the license and to carry out supervisory arrangements – unless you are a body regulated by APRA (RG 79.151-78.152).
• Maintain the competence to provide those financial services.,
• Ensure that its representatives are adequately trained, and are competent, to provide those financial service.
• If those services are provided to retail clients, have a compliant dispute resolution system.
• Have compliant arrangements for compensating retail clients.

Determining if a breach is significant

Under the new regime, certain breaches of core obligations will be deemed to be significant.  Examples include circumstances where the breach:

• is a civil penalty provision, (subject to certain exceptions)
• is an offence punishable by a prescribed minimum term of imprisonment
• relates to misleading or deceptive conduct, or
• results, or is likely to result, in material loss or damage.

Even if a breach of a core obligation is not deemed to be significant under the new regime, it may nevertheless be significant based on:

• the number and frequency of similar breaches,
• the impact of the breach or likely breach on the licensee’s ability to provide financial services or engage in credit activities (as applicable); and
• the extent to which the breach indicates that the licensee’s compliance arrangements are inadequate.

ASIC does not specify any thresholds around these latter tests (for example the frequency of similar breaches), meaning an element of subjectivity (and potential cause of confusion) may still be present when determining significance.

Reportable investigations

Any investigation into the potential breach of a core obligation that continues for more than 30 calendar days will automatically be a reportable investigation (as will be the outcome of that investigation, even if a breach was not found to have occurred).

Beyond this, RG 78 explains that what constitutes a reportable investigation will depend on the individual facts of the case, and “is likely to vary widely depending on the size of the licensee’s business, their internal systems and processes, and the type of breach in question”^[8].

RG 78 also seeks to clarify the conduct that would not generally be regarded as ‘reportable investigations’, and provides the following examples:

• entering suspected compliance issues into your organisation’s risk management system
• the mere receipt of a detective control such as a complaint, a whistle-blower disclosure, or a regulatory request
• taking preliminary steps and conducting initial fact-finding inquiries into the nature of an incident, which are completed over a short timeframe and conducted as an initial response to detective controls; and
• undertaking ‘business as usual’ inquiries (such as quality assurance checks, audits, or other compliance review processes) except where these are triggered by an incident or assess a possible breach of a core obligation.

An investigation by any other name

In determining whether an activity is classed as an investigation, it should be noted that the nature of the team conducting the activity, and the way that activity is labelled or described internally by the licensee, is not relevant.

Client notification and remediation obligations

Advisers and their licensees also have obligations around investigating, communicating with, and remediating clients in the event of a reportable situation.

Specifically, an AFSL must take reasonable steps to investigate, then notify an affected client of a reportable situation if:

• The licensee or its authorised representative has provided personal advice to the affected client as a retail client and
• There are reasonable grounds to believe that the reportable situation constituted by a significant breach of a core obligation or gross negligence or serious fraud, and
• There are reasonable grounds to suspect that:
  • The affected client has suffered, or will suffer loss or damage as a result, and
  • The affected client has a legally enforceable right to recover the loss or damage from the licensee.

Keeping records

You must keep sufficient records to demonstrate your compliance with the ‘notify, investigate, and remediate’ obligations. Examples of such records include the steps taken to develop and review the remediation, all client communication through all channels, and any communication between internal staff or external parties involved in reviewing the advice. A full guide^[9] can be found in Regulatory Guides 256 and 277.

Don’t be so reckless – 30 days are all you have

A notice given to a client under this requirement must be given in writing within 30 calendar days after the financial services licensee first knows of, or is reckless with respect to, the circumstances listed above.

(In practical terms, ‘reckless’ means while the licensee may not be aware of a breach, they are aware of a substantial risk a breach has occurred, and in the circumstances, the licensee cannot justify ignoring this risk. Or put another way, ignorance is no excuse.

ASIC Information Sheet 259 suggests any notice given to a client (1) explains the nature of the breach(es), (2) describes how the client’s interests are affected by the breach(es), and (3) provides an assessment of the loss or damage you reasonably believe the client may be entitled to recover^[10].

30 days is also the timeframe within which ASIC must be notified of any breach.

Specifically, licensees must submit a report to ASIC within 30 calendar days of knowing (or being reckless to) that there are reasonable grounds to suspect a breach has occurred. (They then have a further 30 days to report the results of their investigation into that breach.)

RG 78 outlines that multiple breaches may be grouped together if there is a single underlying cause.

Reporting is done via the ASIC Regulatory Portal

Reporting of breaches is done via the ASIC Regulatory Portal. Using the form provided on the Portal, licensees will be required to provide comprehensive details about the potential breach, including, but not limited to:

• key dates
• the nature of the breach and a detailed description
• how it was detected
• the details of any authorised representative involved
• any client remediation undertaken, and
• any steps taken to prevent the breach from occurring again.

ASIC will confirm their receipt of a report and ask for more information if necessary, and licensees can track the status of, and correspond with ASIC about, any reported breaches, via the Portal.

It seems straightforward, but how are we doing?

As alluded to earlier this article, ASIC were described by several media outlets as being ‘underwhelmed’ by the industry response^[11].

In October 2022 their initial report into the regime found only 6% of licensees had lodged a report, well below the regulator’s expectations^[12].

Furthermore, nearly 75% of all reports were lodged by just 23 Financial Services and Credit License holders. Of the 8,829 reports, most related to credit and general insurance, with financial advice only accounting for 878 in total.

ASIC also expressed their disappointment with the timeliness of the reporting and remediation associated with breaches.

In 18 per cent of the reports received, it took the licensee more than one year to identify and commence an investigation into an issue after it had first occurred.

In response, ASIC said it would be undertaking a number of activities to strengthen compliance.

Notwithstanding their disappointment, ASIC should not have been surprised with the findings, with plenty of media reporting beforehand suggesting the industry was struggling with the new regime (and ASIC themselves acknowledging this).

Much of that media coverage centred around a report^[13] commissioned by Gadens and Lawcadia, released in May 2022.

The report, ‘The State of Financial Services Breach Reporting in Australia’, examined the first 6 months of the regime, and found that around half of all advisers rated their understanding of the new regime as low or very low, and less than one quarter (24%) believed they had been adequately trained by their licensee on how to monitor for breaches.

“Advisers don’t know what they’re doing with this regime and that’s a pretty big risk when you consider the personal consequences and the licensee consequences that can come from it,” commented Gadens Partner, Liam Hennessy^[14].

This lack of understanding was at its highest among advisers employed in practices that don’t have their own AFSL, of whom 74 per cent rated their understanding as ‘moderate’ or ‘low’.

Possible causes

Observers have been quick to offer explanations as to why the industry might be struggling to embed the new regime.

Regulatory fatigue is a commonly offered one, not unreasonable given the raft of other recent changes advisers have had to grapple with (including FASEA, DDO, and new professional development requirements).

Resourcing is another, with experts pointing out that smaller licensees had the same obligations as larger ones, but generally lacked their infrastructure and resourcing around legal and compliance support, systems, and controls^[15].

Yet another is the wording of the regulations themselves, which are undoubtedly complex, and in some cases retain the element of subjectivity which prompted changes to the regime in the first place.

ASIC are making this a focus going forward

Regardless of the factors underpinning these struggles, ASIC has clearly put the industry on notice that this will become an area of focus going forward.

They also recognised their role in driving increased compliance with the regime, announcing in August 2022 their intention to engage with Treasury and the industry over how the system operates and can be improved.

Pledging to work with stakeholders to find “common-sense solutions”, ASIC said it would consider whether enhancements were required to the approved form on the regulatory portal for lodging reports, and whether further practical guidance should be developed to assist licensees in meeting their obligations^[16].

Which means advisers should too

Whilst relief and clarity may eventually come from ASIC, or via any simplifying of compliance obligations delivered by the Quality of Advice Review, advisers and licensees cannot afford to wait. The obligations, and associated penalties, apply now. Many situations not reportable under the previous regime now are, meaning it is absolutely imperative that the new regime is understood and adhered to.

Increasing this imperative is the observation that consumers are getting more and more active. Based on one analysis, the number of complaints by advice clients has quadrupled over the last 12 months, generating more attention and more focus on licensees^[17].

Among the resources already provided by ASIC to help advisers understand and comply with their obligations under the regime are:

• Regulatory Guide 78
• Frequently asked questions
• Information Sheet 259 (Complying with the notify, investigate, and remediate obligations)
• Reportable Situation Guidance – explains how to complete the online reporting form

These resources, and others, are all available on the ASIC website.

———–

References:
[1] https://asic.gov.au/about-asic/news-centre/find-a-media-release/2022-releases/22-295mr-breach-reporting-asic-publishes-insights-from-the-reportable-situations-regime/
[2] https://www.professionalplanner.com.au/2022/10/asic-underwhelmed-with-breach-reporting-compliance/
[3] https://www.ifa.com.au/news/31965-asic-says-it-may-name-licensees-reporting-breaches-as-soon-as-2023
[4] Ibid.
[5] https://www.ashurst.com/en/news-and-insights/legal-updates/how-to-comply-with-the-new-breach-reporting-regime/
[6] https://asic.gov.au/regulatory-resources/find-a-document/regulatory-guides/rg-78-breach-reporting-by-afs-licensees-and-credit-licensees/
[7] https://www.assuredsupport.com.au/articles/2022/7/8/breach-reporting-how-to-identify-a-significant-breach-of-a-core-obligation
[8] https://asic.gov.au/regulatory-resources/find-a-document/regulatory-guides/rg-78-breach-reporting-by-afs-licensees-and-credit-licensees/
[9] https://asic.gov.au/regulatory-resources/find-a-document/regulatory-guides/rg-256-client-review-and-remediation-conducted-by-advice-licensees/
[10] https://asic.gov.au/regulatory-resources/financial-services/reportable-situations-for-afs-and-credit-licensees/complying-with-the-notify-investigate-and-remediate-obligations/
[11] https://www.professionalplanner.com.au/2022/10/asic-underwhelmed-with-breach-reporting-compliance/
[12] https://asic.gov.au/regulatory-resources/find-a-document/reports/rep-740-insights-from-the-reportable-situations-regime-october-2021-to-june-2022/
[13] https://www.lawcadia.com/state-of-financial-services-breach-reporting
[14] https://www.professionalplanner.com.au/2022/05/advisers-dont-know-what-theyre-doing-industry-lost-over-breach-reporting/
[15] https://www.professionalplanner.com.au/2022/10/asic-underwhelmed-with-breach-reporting-compliance/
[16] https://www.professionalplanner.com.au/2022/08/asic-to-improve-breach-reporting-processes/
[17] https://www.professionalplanner.com.au/2022/11/confusion-driving-rumours-and-regulatory-misunderstanding/

The post New breach reporting obligations – a practical guide to understanding and complying appeared first on AdviserVoice.