Publication
Generative AI: A global guide to key IP considerations
Artificial intelligence (AI) raises many intellectual property (IP) issues.
Author:
Australia | Publication | setembro 2021
This article was co-authored with India Bennett.
On 7 September 2021, ASIC released the finalised Regulatory Guide 78: Breach reporting by AFS licensees and credit licensees (RG 78). While its content is largely the same as that of its draft guide published in April this year, there are some key changes to note and act on before these extensive reforms come into effect on 1 October 2021. The changes predominantly serve to clarify how the new obligations apply to financial services licensees and credit licensees.
For Australian credit licensees, it is now abundantly clear that breaches which occurred wholly before 1 October 2021 are not reportable under the new regime, even if the breach is identified on or after this date (RG 78.23).
On the requirement to report investigations, where a licensee conducts an investigation into an incident that happened entirely before 1 October 2021 (i.e. conduct which is the subject matter of the incident is not continuing on or after 1 October 2021), the licensee is not required to report the investigation under the new regime. This is even where the investigation was commenced on or after 1 October 2021, and the incident would have been a reportable situation had it occurred on or after 1 October 2021 (RG 78.16).
RG 78 also provides useful guidance with respect to the parameters of a reportable investigation. The term ‘investigation’, being undefined in the legislation, has a dictionary definition of ‘any searching inquiry in order to ascertain facts’ which arguably imposes a low threshold to trigger the reporting obligation.
Although highly dependent on the specific facts, RG 78 clarifies whether and when the steps taken in response to a customer complaint would be considered an ‘investigation’ under the new regime (RG 78.57):
It is important to note, however, that whether an investigation has commenced is a matter of fact and depends on the nature of activities being conducted, irrespective of how the activity is described internally, or by whom it was conducted.
Under the new regime, where a breach falls into the specified category of ‘deemed significant breaches’, additional steps to determine whether a breach is ‘significant’ is not necessary. Breaches that are deemed significant include, unless exempted, breaches of a civil penalty provision and those that constitute a contravention of a key requirement under section 111 of the National Credit Code.
The finalised RG 78 provides clarity on what are not ‘deemed significant breaches’. One specific call out under RG 78 is in relation to the enforceable paragraphs of Regulatory Guide 271: Internal dispute resolution which also comes into effect in October 2021. Licensees should be aware that while the enforceable paragraphs are civil penalty provisions, relief has been provided under ASIC Corporations and Credit (Breach Reporting—Reportable Situations) Instrument 2021/716 which means that individual breaches of these provisions are not ‘deemed significant breaches’ under the new breach reporting regime. However, the breach may still be reportable where it meets the other criteria set out in the relevant legislation (RG 78.42-78.43, Table 4 – Example 4(e)).
Notably, RG 78 includes a new section on reporting obligations where multiple reportable situations have arisen from the same root cause. Licensees may be able to include all these similar or related situations in a single report while still meeting their obligations under the new regime.
The guide also clarifies that it does not cover separate reporting obligations that are in addition to the breach reporting obligation, specifically referring to product design and distribution obligations and the internal dispute resolution reporting requirement – however, a significant breach of the latter may need to be reported under the new regime (RG 78.13-78.14).
In our previous thought leadership piece, we have explored the interconnectedness of the upcoming regulatory changes, including key considerations to successfully tackle the convergence of regulation in October 2021. With these changes coming into force within the coming month, we urge all licensees to ensure that they (and their employees at various levels) are adequately informed about the various new regimes and have robust processes that holistically address their new obligations.
Subscribe and stay up to date with the latest legal news, information and events . . .
© Norton Rose Fulbright LLP 2023