Without a doubt, one of the most critical obligations of an Australian Financial Services (AFS) or credit licensee (and understandably applied inconsistently by the industry¹) is the obligation to notify ASIC of reportable situations or, as many in the industry still call it, “breach reporting”.
In a media release dated 27 April 2023, the Australian Securities and Investments Commission (ASIC) announced that it had updated its Regulatory Guide 78: Breach reporting by AFS licensees and credit licensees (RG 78) to “clarify aspects of the existing guidance” in addition to providing “new guidance in response to operational issues that have arisen since the implementation of the regime on 1 October 2021.”
ASIC summarised the changes and new guidance into 2 tables; the first table lists updates to RG 78 (Table 1) and the second table lists updates to ASIC’s “prescribed form” which AFS and credit licensees use to electronically submit reportable situations (Table 2). The prescribed form updates will take effect on 5 May 2023.
Additionally, a third table summarises issues which ASIC is “still considering” and which have yet to result in any changes as at the date of this article. In this article, we will focus on the changes that have been finalised, i.e. tables 1 and 2 of ASIC’s media release.
So, what are the changes? Do they go far enough to demystify much of the confusion which AFS and credit licensees have grappled with over the last year and a half? Read on for our opinion.
ASIC’s updates to RG 78
There are seven changes to RG 78 which are summarised in Table 1. These changes cover the following elements of the reportable situations regime:
- a new “grouping test” which aims to clarify the circumstances in which AFS and credit licensees may group reportable situations in a single report;
- several new “how to” instruction guides to assist AFS and credit licensees in completing existing fields or answering questions on ASIC’s prescribed reporting forms;
- new guidance on the frequency with which AFS and credit licensees should update ASIC on reported breaches that have already been submitted; and
- guidance on how to make “genuine estimates” for client loss and the number of clients affected by a reportable situation.
What are some of the useful updates to RG 78?
- Change #1 (Table 1) – The new grouping test
ASIC announced a new grouping test which provides AFS and credit licensees with clarification of the circumstances in which multiple reportable situations can be bundled and reported to ASIC in a single report.
New guidance at RG 78.112-117 outlines a two-limb test: both limbs must be satisfied for multiple reportable situations to be grouped together in a single report to ASIC.
The two limbs of the grouping test are:
- there is similar, related, or identical conduct – i.e. the conduct involves the same or very similar factual circumstances; and
- the conduct has the same root cause for all the reportable situations being reported together.
As it currently stands, all reportable situations must be reported to ASIC within 30 days of the AFS or credit licensee knowing, or being reckless as to whether, a reportable situation has arisen. ASIC notes that if a licensee reports multiple reportable situations in a single report that occurred over a 30-day period, it must still ensure that the 30-day reporting requirement for each reportable situation is adhered to.
ASIC also provides comprehensive examples in Table 9 at RG 78.118, which go a long way towards clarifying the practical application of the two-limb test, saving AFS and credit licensees the time and resources of preparing multiple reports for situations that need only be reported once.
- Change #3 (Table 1) – Guidance on how often to update ASIC on the status of a breach.
The new guidance in Appendix 2 (Q3) of RG 78, under a new FAQ section, clarifies how frequently ASIC expects to be updated on reportable situations that have already been lodged with ASIC.
In summary, updates must be made to ASIC on the status of a reportable situation if:
- six months have passed and no update has been provided;
- there are material changes to the nature, impact or extent of the reportable situation;
- the licensee has completed its investigation of the reportable situation, rectification of the root cause(s) and finalised the consumer remediation process.
For continuous or ongoing reportable situations, ASIC also clarifies that AFS and credit licensees can use an “update functionality” to report on further reportable situations rather than lodging a new report.
In our opinion, this clarification also assists by saving AFS and credit licensees from reporting to ASIC unnecessarily.
- Change #6 (Table 1) – Guidance on calculating the number of clients and losses affected by a reportable situation.
Another useful update is ASIC’s guidance as to how to calculate (or estimate) the number of clients affected by a reportable situation and their associated losses.
Appendix 2 (Q5) clarifies when a client is considered “affected”, specifying that holders of joint accounts should be counted individually, and that “impact” includes both financial and non-financial losses. Two examples outlined at RG 78.170 add further meaning to these terms, eliminating much of the uncertainty from AFS and credit licensees in making these calculations, as well as the inconsistencies which were being reported to ASIC on this matter. The examples cover the following situations:
- broadly advertised incorrect discount offer for motor vehicle insurance; and
- an error in an annual statement relating to how fees had been charged in relation to a superannuation product.
- Change #7 (Table 1) – When and how can a submitted report be withdrawn or corrected?
The last item in Table 7 of ASIC’s media release is in relation to withdrawing and submitting reports to ASIC.
How and when a previously reported reportable situation can be changed after being submitted is not as straightforward as you would expect. What may come as a surprise to some is that there are limited circumstances in which an AFS or credit licensee may withdraw or correct a report, and that ASIC’s Regulatory Portal (which AFS and credit licensees use to submit reportable situation reports) does not allow AFS and credit licensees to correct a report in the same way it was submitted.
For this reason, it is important for AFS and credit licensees to seek advice, if necessary, on how and whether a reportable situation has arisen which has to be reported to ASIC, and how to prepare and lodge the report with ASIC. Not only are there regulatory deadlines to consider, but also the necessity to accurately prepare the report itself given that it is not always possible to amend or withdraw a report once it has been submitted to ASIC.
If the reasons for an amendment or withdrawal of the report are within the circumstances permitted by ASIC, such requests can be made by emailing ASIC at email@example.com.
What are some of the useful updates to the prescribed form to submit reportable situations to ASIC?
ASIC announced six changes to its prescribed form, which took effect on 5 May 2023. Most of the prescribed form changes are embedded text within the form itself, supplementing the updates to RG 78. For example, change #4 (Table 2) relates to newly embedded text that cross-references updates to sections of RG 78 that assist with calculating client losses, discussed above in paragraph 3.
In our opinion, there are two noteworthy changes to the prescribed form in Table 2.
- Change #1 (Table 2) – Specifying the date when the potential breach, serious fraud and/or gross negligence was first discovered.
This first change to the prescribed form, while seemingly a minor change and a simple question for some, comes as a welcome clarification for many.
The change relates to how a question on the form is asked. Formerly the question was— “When did you first become aware that a breach, serious fraud or gross negligence had occurred—or that you were no longer able to comply with a core obligation?”. The new redrafted question is now— “Specify the date when the potential breach, serious fraud and/or gross negligence was first discovered.”
What comes as no surprise to us is that most AFS and credit licensees have interpreted the former question as asking for the date on which the AFS or credit licensee determined that a reportable situation had occurred rather than what ASIC intended, which is the date on which the licensee first discovered that there may be a breach, i.e. before the AFS or credit licensee determined that a reportable situation did in fact arise.
In fact, the data point that ASIC wants is the date the licensee discovered the incident which may potentially give rise to a reportable situation. Accordingly, the prescribed form now embeds guidance to that effect noting “[the date] will often be when the information was entered into a breach register or risk management system, unless you have reason to believe it was discovered on an earlier date.”
The question has been redrafted more effectively to clarify that the first day of the 30-day legislative period in which a licensee must notify ASIC of a reportable situation may not align with the date on which the potential breach was “first discovered” (which ASIC asks for in this question).
- Change #2 (Table 2) – Clarifying the meaning of “investigation” in the prescribed form.
This second noteworthy change to the form is also useful as it clarifies what ASIC intends with the use of the term “investigation” in the prescribed form.
An investigation is not a difficult concept in the normal course, but given the multiple references to the word “investigation” in section 912D of the Corporations Act, it is understandable that some confusion exists in this context.
ASIC clarifies that its meaning of “investigation” in the context of asking “Have you completed your investigation of the matter?” (in the prescribed form), is distinct from a “reportable investigation” under section 912D. “Reportable investigations” are investigations which continue for more than 30 days and are reportable to ASIC.
To avoid further confusion, ASIC provides new embedded text to clarify that “to have completed an investigation” the licensee must have completed its assessment and determination of the root cause(s), clients, and instances to which the reportable situation relates.
Things to consider when submitting a breach report
Whenever any of our clients that are AFS or credit licensees go through the process of identifying whether a reportable situation has arisen and whether a report needs to be lodged with ASIC, there are a few things that we strongly recommend that they keep in mind:
- retain all business records that are directly, or may be, related to the reportable situation(s);
- ensure that any reportable situation notified to ASIC is also reflected in the licensee’s breach register; and
- as early as possible, seek legal advice on any reportable situations that involve fraud or significant client harm, which are not related to the ordinary course of their business or which involve a contravention of a section of the law that is categorised as an “offence”.
This is because ASIC will review the information contained in reportable situation lodgements, and ASIC is entitled to use this information to commence an investigation into the circumstances that gave rise to the reportable situation and the plan to effectively remediate affected clients if there has been significant consumer harm.
ASIC may commence its investigation by sending the relevant AFS or credit licensee a voluntary information request or by issuing formal notices under section 912C of the Corporations Act 2001 (Cth) or, commonly, sections 19, 30, 33 or 49 of the Australian Securities and Investments Commission Act 2001 (Cth).
If an AFS or credit licensee follows the recommended suggestions outlined above, they will usually be well placed to ensure that they can comprehensively respond to any “follow-up” queries that ASIC may have. Further, we recommend that AFS and credit licensees obtain legal advice as soon as possible as, if ASIC issues a notice to the AFS or credit licensee, ASIC will always state what specific legislative breaches they are investigating. Further, you will have (relative) peace of mind of knowing that you have people on your side who have dealt with many ASIC investigations, understand ASIC’s processes and can help you respond to ASIC’s inquiries.
Most of the recent changes to RG 78 are useful not only for clarifying some of the ambiguities associated with notifying reportable situations to ASIC but also for navigating the reportable situations regime more broadly. ASIC’s media release includes four other issues it raised during industry consultation but which were not progressed at the time of writing. We await any further changes from ASIC and we look forward to sharing our insights on those topics as they develop.
For more information, please contact Erik Setio, Simon Carrodus, Glenjon Aligiannis and Clarisse Berenger.
¹ See ASIC’s Report 740 dated October 2022 “Insights from the reportable situations regime: October 2021 to June 2022”.