What you need to know: Major overhaul of breach reporting obligations for Financial Services and Credit Licensees
Australian Financial Services Licensees and, for the first time, Credit Licensees have until October to ensure they can comply with a complex overhaul of breach reporting obligations.
The Financial Sector Reform (Hayne Royal Commission Response) Bill 2020 passed and received Royal Assent with relatively little fanfare in December following a Covid-induced timetable extension, implementing 21 of the 76 Hayne Commission recommendations. Most of the reforms took effect on 1 January, with the balance due to take effect from 1 October, including an overhaul of the mandatory breach reporting regime applicable to holders of Australian Financial Services Licences (AFSLs). Holders of Australian Credit Licences (ACLs) will for the first time be subject to the same rules.
Breach reporting already causes AFSL holders significant headaches – the decision as to whether to lodge a report, particularly where internal investigations are at a preliminary stage and facts remain uncertain, or where the extent of the issue is unclear, can be difficult.
Key changes to the existing framework include:
1. An overhaul of the circumstances in which AFSL holders are required to report to ASIC under s912D of the Corporations Act 2001 (Cth) (Corporations Act), including the introduction of the concepts of a 'reportable situation' and 'core obligations'. A 'reportable situation' arises where:
a. The licensee or their representative has breached a 'core obligation' [1] and the breach is 'significant'; or
b. The licensee or their representative is no longer able to comply with a core obligation and the breach, if it occurs, will be significant; or
c. An investigation by the licensee into whether a reportable situation of the nature described in (a) or (b) above has arisen continues for more than 30 days, or where the investigation (which continued for more than 30 days) discloses there is no reportable situation; or
d. A licensee engages in gross negligence in the course of providing a financial service, or serious fraud (whether or not in the course of providing a financial service).
2. Additional circumstances which will be deemed to make a potential breach significant. From 1 October, a breach of a core obligation will be significant where:
a. It is constituted by:
i. an offence punishable by imprisonment for 12 months or more (3 months or more for offences involving dishonesty);
ii. contravention of a civil penalty provision under any law (unless excluded by regulation);
iii. contravention of the prohibitions against misleading or deceptive conduct in relation to a financial product or service [2];
b. the breach results or is likely to result in material loss or damage to clients or members of the licensee;
c. the circumstances of the breach mean it should be regarded as significant, for example the number or frequency of similar breaches, the impact on the licensee's ability to provide the services covered by their licence or the extent to which the breach indicates the licensee's compliance arrangements are inadequate – reflecting the current test for significance of a breach under s912D.
3. A requirement that licensees must lodge a report within 30 days (compared to the current breach reporting period of 10 days) of:
a. becoming aware a reportable situation has arisen;
b. having 'reasonable grounds' to suspect a reportable situation has arisen; or
c. being reckless as to whether there are reasonable grounds to suspect a reportable situation has arisen.
4. A new obligation to lodge reports in relation to other licensees in some circumstances, including where the reporting licensee has reasonable grounds to believe a reportable situation involving a breach of the licensee's obligations, gross negligence or fraud has arisen in relation to another licensee and one of the individuals involved is the licensee or one of its employees, directors or representatives.
5. Additional obligations to notify and compensate retail clients who have received personal advice and have suffered or will suffer loss or damage as a result of a reportable situation, and to investigate reportable concerns that may affect those clients.
6. The introduction of an equivalent regime for ACL holders (who were not previously subject to the breach reporting requirements applicable to AFSL holders), contained within the National Consumer Credit Protection Act 2009.
In a year that will already require workplaces to adapt to significant organisational change to establish a new post-pandemic 'normal', the imposition of a new requirement that licensees keep records 'sufficient to enable the licensee's compliance' with the new rules 'to be readily ascertained' means licensees will need to start preparing for the 1 October commencement date well in advance. The detail and complexity of the new rules materially increase the challenge.
[1] Broadly, a 'core obligation' is an obligation under s912A (general obligations) or 912B (Compensation arrangements if financial services provided to persons as retail clients). Section 912A includes a broad list of obligations including to do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly, to have in place adequate arrangements to manage conflicts, to comply with licence conditions and to comply with financial services laws. Note that additional considerations are set out in the new rules to determine if a breach of the 'financial services laws' under s912A(1)(c) is a breach of a core obligation, depending on the nature of the breach.
[2] i.e. s1041H of the Corporations Act or s12DA of the ASIC Act 2001 (Cth).