Novus Capital Limited is an investment and financial services company specialising in Investment Banking, Corporate Advisory and Share Trading services for Australian corporate and private clients, and overseas corporate clients.


Complying with the new breach reporting obligations




In response to concerns relating to the existing breach reporting regime in preventing non-compliance across the financial services industry, the Financial Sector Reform (Hayne Royal Commission Response) Act 2020 (Cth) (RC Response Act) was enacted. 

Fundamentally, the RC Response Act sought to expand the scope of the breach reporting obligations and to remove ambiguities relating to the inconsistent interpretation of the word “significant”. It further sought to place increased accountability on holders of Australian Financial Services Licenses (AFS Licenses) and holders of Australian Credit License (ACL), with the former not previously being subjected to breach reporting obligations.

From 1 October this year, AFS and ACL License holders have been subjected to the new breach reporting obligations. 

What needs to be reported?

The new obligations require license holders to report all “reportable situations” to ASIC. For AFS license holders such as Novus, section 912D(1) of the Corporations Act 2001 (Cth) (the Corporations Act) outlines what are “reportable situations”.

A “reportable situation” includes any of the following scenarios:  

  1. Where an AFS license holder or a representative of the AFS license holder has breached a core obligation[1] and the breach is significant.
  2. Where an AFS license holder or a representative of the AFS license holder can no longer comply with their core obligations and if the breach were to occur, it would be significant. 
  3. Where an AFS license holder or a representative of an AFS license holder conducts an investigation to determine if a breach has occurred or an inability to comply with a core obligation may exist, and the investigation continues for a period greater than 30 days. 
  4. Where an investigation has occurred and lasted more than 30 days, with the investigation finding no breach occurred or no inability to comply with core obligations arose. 
  5. Where there is gross negligence or serious fraud; and
  6. Other circumstances as prescribed by the legislation.

A very important difference between the new arrangement and its predecessor is that “investigations” into the existence of a reportable situation are now reportable if they last longer than 30 days.

Further, licensees are required to report the outcomes of such investigations whether a breach has occurred or not.

When must reports be lodged?

Reports must be lodged within 30 calendar days of becoming aware of the reportable situation or being reckless as to whether there are reasonable grounds to believe a reportable situation has arisen.

Knowledge will arise under the new regime where the licensee knows of facts and/or evidence sufficient to induce in a reasonable person a belief that a reportable situation has arisen.  A reportable situation need not be considered by a licensee's board of directors or legal advisors for this element to be satisfied.

Recklessness will, on the other hand, be determined where a licensee does not know of any such facts or evidence but is aware of a substantial risk that there are reasonable grounds to believe that a reportable situation has arisen and, having regard to the circumstances known to the licensee, it is unjustifiable for the licensee to ignore this risk.

While ASIC has stated that reporting situations will not influence the action they may take, ASIC has indicated that failure to adhere to breach reporting obligations may be taken to be indicative of a licensee’s general approach to compliance and will have severe ramifications on the licensee and its responsible officers. 

Notifying and remediating affected clients

The new regime introduces requirements for licensees to notify and remediate persons who are affected by reportable situations and suffer losses. The notification obligation does not relate to clients who have not suffered or will not suffer loss as a result of the reportable situations.


In case studies considered by the Financial Services Royal Commission, it was found that licensees primarily failed to report within the time required due to:

  • a failure to report and escalate an issue internally within the organisation;
  • inadequate internal records maintained that considered whether to report an issue; and
  • inadequate systems maintained to ensure compliance with breach reporting requirements.

To comply with the breach reporting obligations outlined in RG 78, Novus has in place a robust breach reporting system that is timely and comprehensive. All authorised representatives and those who work on behalf of Novus have been provided with training and support relating to the new breach reporting obligations, and have further been encouraged to report incidents that occur in day-to-day operations through a direct and transparent escalation process within Novus. Alongside a robust monitoring program, Novus is well equipped to meet and comply with all reporting obligations in an efficient manner.


[1] With respect to AFSL holders, the "core obligations" are noted in s 912A of the Corporations Act and the obligation to comply with certain "financial services laws" is found in s 912A(1)(c) of the Corporations Act.