ASIC signals its approach on new breach reporting obligations

New breach reporting obligations for Australian financial services and credit licensees come into effect on 1 October 2021. This post considers ASIC’s draft guidance on some of the key features of these reporting obligations.

The new reporting obligations clarify and strengthen the existing obligation on Australian financial services (AFS) licensees to self-report certain breaches of the law and extend the obligation to credit licensees. The reforms require AFS licensees to lodge breach reports with ASIC within 30 days after the licensee first knows that, or is reckless with respect to whether, there are reasonable grounds to believe a ‘reportable situation’ has arisen.

Reportable situations

Entities are not required to report every instance of non-compliance or trivial breaches, but rather a targeted set of ‘reportable situations’ defined under the legislation. A relevant ‘reportable situation’ would arise where:

  1. there is a significant breach of a ‘core obligation’ (s912D(1)(a) of the Corporations Act or s50A(1)(a) of the National Credit Act), or
  2. there is conduct that constitutes gross negligence or serious fraud (s912D(2) of the Corporations Act or s50A(2) of the National Credit Act).

Importantly, a ‘reportable situation’ under (1) has been expanded to include circumstances where the licensee has commenced an investigation into a significant breach of a core obligation and the investigation has continued for more than 30 days.

“Significant” uncertainty

One particular focus of ASIC’s draft guidance is the assessment of significance under (1). There are certain breaches that will automatically be deemed significant (such as breaches which constitute misleading and deceptive conduct) and the guidance provides various examples of these ‘deemed significant’ breaches. However, there are other breaches which require a determination of significance before being reported to ASIC.

The breach reporting reforms do not define the term ‘significant’, but rather outline several factors that should be considered when determining significance. This means that the meaning of ‘significant’ is potentially open to broad interpretation. The draft guidance provides examples of breaches that ASIC considers may be significant and those that may not be significant. However, ASIC emphasises that the determination of significance for a particular breach will depend on the licensee’s individual circumstances.

When to investigate

The guidance provides clarification regarding what is meant by an ‘investigation’ and when it will constitute a reportable situation. ASIC expects that investigations into breaches of core obligations will be ‘commenced in a timely manner and without unreasonable delay’. The time at which an investigation commences is a ‘matter of fact and is not a matter for subjective determination by the licensee’.

Market surveillance

The draft guidance suggests that ASIC intends to use the new breach reporting obligations to improve its market surveillance and enhance early detection of, and response to, ‘emerging threats, harms and trends within the financial services industry’.

The draft guidance is a clear example of ASIC seeking to make the most of its regulatory tools to identify and address patterns of non-compliance across the Australian financial sector. ASIC is not alone in seeking to bolster its breach reporting obligations for market participants. In the UK, the FCA recently extended its annual financial crime reporting obligation to a broader range of firm types.

For more insights into investigations trends in Australia and other jurisdictions, take a look at the Allen & Overy Cross-border White Collar Crime and Investigations Review.

Edward is grateful for the assistance of Georgina Calvert in the preparation of this post.