The new breach reporting regime: ASIC releases Regulatory Guide 78 after consultation

This article was co-authored with India Bennett.

On 7 September 2021, ASIC released the finalised Regulatory Guide 78: Breach reporting by AFS licensees and credit licensees (RG 78). While its content is largely the same as that of its draft guide published in April this year, there are some key changes to note and act on before these extensive reforms come into effect on 1 October 2021. The changes predominantly serve to clarify how the new obligations apply to financial services licensees and credit licensees.

Incidents that occur before 1 October 2021

For Australian credit licensees, it is now abundantly clear that breaches which occurred wholly before 1 October 2021 are not reportable under the new regime, even if the breach is identified on or after this date (RG 78.23).

On the requirement to report investigations, where a licensee conducts an investigation into an incident that happened entirely before 1 October 2021 (i.e. conduct which is the subject matter of the incident is not continuing on or after 1 October 2021), the licensee is not required to report the investigation under the new regime. This is even where the investigation was commenced on or after 1 October 2021, and the incident would have been a reportable situation had it occurred on or after 1 October 2021 (RG 78.16).

Reportable investigations

RG 78 also provides useful guidance with respect to the parameters of a reportable investigation. The term ‘investigation’, being undefined in the legislation, has a dictionary definition of ‘any searching inquiry in order to ascertain facts’ which arguably imposes a low threshold to trigger the reporting obligation.

Although highly dependent on the specific facts, RG 78 clarifies whether and when the steps taken in response to a customer complaint would be considered an ‘investigation’ under the new regime (RG 78.57):

1. Merely receiving a detective control (for instance, a complaint) does not mean that it is an investigation that is required be reported.
2. Initial fact-finding inquiries into the nature of the incident, if completed over a short period of time and as part of the licensee’s initial response to detective controls, are generally not reportable.
3. With respect to customer complaints:

• There is no reportable investigation up to the point where the licensee merely sends an acknowledgment of receipt for the complaint, enters the complaint in its system, verifies basic information about the customer and conducts an initial discussion with its staff.
• However, an investigation is taken to have commenced where the licensee identifies that the complaint may involve a possible breach of the law and undertakes further steps to ascertain whether there is a significant breach, including conducting preliminary factual and legal analysis of the complaint (which may include requesting further information from the customer or undertaking a further information gathering exercise) (Table 6, Example 6(d)).
• It is clear that an investigation is taken to have commenced when the licensee conducts a review of its client books in response to customer complaints (Table 6, Example 6(b)).

It is important to note, however, that whether an investigation has commenced is a matter of fact and depends on the nature of activities being conducted, irrespective of how the activity is described internally, or by whom it was conducted.

Deemed significant breaches

Under the new regime, where a breach falls into the specified category of ‘deemed significant breaches’, additional steps to determine whether a breach is ‘significant’ is not necessary. Breaches that are deemed significant include, unless exempted, breaches of a civil penalty provision and those that constitute a contravention of a key requirement under section 111 of the National Credit Code.

The finalised RG 78 provides clarity on what are not ‘deemed significant breaches’. One specific call out under RG 78 is in relation to the enforceable paragraphs of Regulatory Guide 271: Internal dispute resolution which also comes into effect in October 2021. Licensees should be aware that while the enforceable paragraphs are civil penalty provisions, relief has been provided under ASIC Corporations and Credit (Breach Reporting—Reportable Situations) Instrument 2021/716 which means that individual breaches of these provisions are not ‘deemed significant breaches’ under the new breach reporting regime. However, the breach may still be reportable where it meets the other criteria set out in the relevant legislation (RG 78.42-78.43, Table 4 – Example 4(e)).

Other key updates

Notably, RG 78 includes a new section on reporting obligations where multiple reportable situations have arisen from the same root cause. Licensees may be able to include all these similar or related situations in a single report while still meeting their obligations under the new regime.

The guide also clarifies that it does not cover separate reporting obligations that are in addition to the breach reporting obligation, specifically referring to product design and distribution obligations and the internal dispute resolution reporting requirement – however, a significant breach of the latter may need to be reported under the new regime (RG 78.13-78.14).

Are you all set for the raft of regulatory changes?

In our previous thought leadership piece, we have explored the interconnectedness of the upcoming regulatory changes, including key considerations to successfully tackle the convergence of regulation in October 2021. With these changes coming into force within the coming month, we urge all licensees to ensure that they (and their employees at various levels) are adequately informed about the various new regimes and have robust processes that holistically address their new obligations.