Establishing a healthy breach reporting environment

Why breaches can be like frogs

Frogs have thin, porous skin through which they absorb chemicals from the air and water. They won’t last long in an unhealthy environment, and their presence is an indicator of a healthy eco-system.

In fact, surveys are sometimes taken of frog numbers in particular regions, to determine whether mining or industrial sites have accidentally polluted local waterways.

Put simply, breaches are like frogs.

In a healthy compliance culture, you’ll find lots of breaches that have been identified and handled properly. ‘What?’ you might be thinking, ‘aren’t breaches bad?’ The answer, as you will see, is usually quite the reverse. In fact, an absence of breaches reflects a licensee eco-system that is out of balance.

One of our biggest tasks in dealing with dealer groups, boutique licensees, paraplanners and other licensees is convincing them of this law of nature.

In fact, if you already understand what a breach is, in the context of your Australian Financial Services Licence (AFSL), then you’re doing well. If you know how to properly handle a breach once identified, then you’re doing even better. Why? Because understanding, identifying and properly managing breaches will:

> reduce your potential liability from a client; and

> reduce the likelihood of enforcement by the Australian Securities and Investments Commission (ASIC).

So, what is a breach?

Before we go any further, let’s look at what constitutes a breach for licensing purposes.

A breach is effectively an act or omission that means a licensee breaches or is likely to breach, any of the financial services laws.

Financial services laws include various slabs of the Corporations Act 2001, the ASIC Act 2001, the Superannuation Industry (Supervision) Act 1993, the Insurance Contracts Act 1984, the Banking Act 1959, and more.

This frighteningly broad definition leads you to a number of conclusions:

> you need to know what relevant bits of the financial services laws apply to you;

> you need to distinguish between breaches of internal policy or non-financial services laws (let’s call them ‘incidents’) on one hand and breaches of the financial services laws on the other; and

> the definition does not give you discretion to determine what a breach is. It’s either a breach, or it isn’t. Simple.

What’s more, a breach of the financial services laws is also a breach of your licence, and vice versa. This is because the law requires you to comply with your AFSL conditions and your AFSL requires you to comply with the financial services laws. This means that a breach is actually plural; it’s a breach of more than one obligation.

So, let’s look at some examples. A breach includes:

> not giving the most up-to-date FSG to your client*;

> making a misleading statement in a promotional flyer;

> using the word ‘independent’ in promotional material if you receive almost any type of commission;

> a representative holding out to be the principal;

> failing to provide an SOA (statement of advice)*;

> failing to meet the replacement of product requirements*;

> failing to disclose benefits in dollar terms in your SOA or PDS (product disclosure statement)*;

> failing to have adequate PI (professional indemnity) insurance (with some exceptions)*;

> failing to renew your external dispute resolution scheme membership*

> failing to keep a three-monthly projection of your financials (for most licensees);

> not adequately managing conflicts of interest;

> not adequately supervising a representative;

> not adequately managing risks;

(* these are breaches only if you provide financial services to retail clients.)

The list of breaches is almost endless. However, we often see licensees recording breaches that, well, aren’t breaches of the financial services laws at all. For example:

* entering into a power of attorney with a client, against company policy;

* breaching the privacy laws;

* failing to use a particular company template;

* accidentally paying a client via their wrong bank account;

* breaches of service level agreements;

* some complaints; and

* breaching operational health and safety requirements.

Of course, the above list can sometimes refer to breaches of the requirement to conduct your business “efficiently” and “fairly”.

However, it’s likely that the above list refers to ‘incidents’ rather than breaches. We’ll talk more about incidents later.

Significant breaches

Once you’ve identified a breach, you need to identify whether it is significant, and so reportable to ASIC. If it’s significant, it must be reported to ASIC within 10 business days (note: at the time of writing, ASIC has not updated its website or guides — they still all say five business days).

You can’t choose what makes a breach significant. You must use the parameters set out by section 912D(1)(b). You must have regard to:

1. the number or frequency of similar previous breaches;

2. the impact of the breach or likely breach on your ability to provide your financial services;

3. the extent to which the breach or likely breach indicates that your compliance arrangements are inadequate; and

4. the actual or potential financial loss to your clients, or the licensee itself, arising from the breach or likely breach; and

5. nothing else.

This is where licensees can accidentally get things wrong.

If any other parameters are added to, or taken away from the significance test, then the whole system falls down, and a ‘significant’ breach is no longer a creature of law, but a creature of the licensee’s imagination.

The end result is usually that a truly ‘significant breach’ ends up being classed as something less than significant, and therefore never gets reported to ASIC.

How should you handle breaches?

Handling breaches or likely breaches will involve properly identifying, managing and reporting them, if they’re significant.

1. Identifying breaches

There are a few prerequisites for a robust identification system.

a) An accurate understanding of breaches. Everyone at every level of the business needs to have a grasp on breaches, for the purposes of their AFSL. They need to know, as a minimum, what is an ‘incident’, and they need to know to report it to head office. Head office can determine what is significant, and filter those incidents that are also breaches.

b) An accurate understanding of the consequences. Personnel need to understand that reporting breaches to head office is healthy. And, reporting significant breaches to ASIC is healthy too. Kind of like frogs. Let me show you why.

Many of you will be familiar with the enforcement action taken by ASIC against an adviser based in Tasmania, who failed to give four SOAs to clients within the required timeframe.

ASIC found out about the breaches during its super-switching surveillance campaign in 2004.

As a result, he was prosecuted by ASIC. Despite the potential of a jail sentence, he ended up paying $1,000 and entered into a two-year good behaviour arrangement.

One can only imagine the significant negative repercussions faced by an adviser in this situation, both to their business and personal life.

Compare that example to another real-life scenario:

A licensee (who will remain nameless) notified ASIC that a representative had failed to provide 19 SOAs to its clients, on time.

The licensee reported the breaches to ASIC, as well as a very detailed action plan as to how those breaches were to be remedied, including follow-up reporting to ASIC.

ASIC chose in that situation not to take further action, no doubt because it was satisfied with the action taken by the licensee.

I will explain more about the consequences of reporting later.

c) Identification systems. There need to be systems where people in the business know what to report to compliance, and that it must be done quickly. In our experience, systems include adviser reviews, compliance committees, PD days, e-mail ‘refresher’ communication, ongoing online training, and external licensee reviews.

d) A ‘green light’ reporting culture. A good compliance culture has a number of characteristics: the decision-making board clearly communicates that breaches are okay (for example, it may choose to tell the representatives about some breaches that it has reported); there are adequate human and technical resources in compliance; there is a system where representatives are not penalised for reporting breaches (subject to some conditions, of course); and, representatives are actually reporting breaches or ‘incidents’ to head office on a fairly regular basis. Right now, as you read, ask yourself whether your business display these types of characteristics.

2. Managing breaches

Once breaches are identified, how are they managed?

The better procedures that we have seen have some sort of incident/breach system. In fact, sometimes the representative is only required to report ‘incidents’.

Incidents in this context include actual breaches of the financial services laws, complaints and breaches of internal policy and other laws.

It is head office, or the compliance department, which actually decides which incidents constitute breaches, and puts those breaches on a breach register.

Any breaches or likely breaches deemed significant are then reported to ASIC.

One of the biggest challenges faced by large licensees in managing breaches, is consolidating the hundreds of incidents and breaches in a meaningful, efficient, systematic manner, and identifying which of those are significant. Although there is no perfect answer to this problem, we think that the system, in order to work properly, should have the following characteristics:

a) large volumes of breaches and incidents are filtered into what are breaches of the financial services laws, and what are not;

b) the identified breaches are somehow subject to the significance test. This can be done by grouping similar breaches and assessing them in periodic intervals (being conscious of the 10-business day rule for significant breaches). A software program to filter and sort them into categories may also help in this; and

c) any risk-based (for example, low/medium/high) rankings should not replace the significance test in determining what breaches are reported; they should only assist you in sorting the risks into categories, so they can be more efficiently assessed for significance.

Regardless of the size of the licensee, it is important that breaches find their way to a breach register.

Although there is no legal requirement to have a breach register (and I’ve heard this as a justification for licensees to not keep such a register), you should consider the following:

a) ASIC expects you to keep a breach register, and even tells you what headings to include in it (see page 12 of ASIC’s RG 78);

b) you only need to report to ASIC ‘significant’ breaches. What better place to show in writing that you’ve identified a breach, and assessed it for significance, than a breach register? It’s also a good way to show ASIC why you chose not to report a breach, if it ever asks at a later date; and

c) How can you identify systemic compliance problems (as required by law) if you don’t have some sort of register to assess breaches over time?

Once your management systems have identified a significant breach, how do you report it?

3. Reporting a breach

In my experience, if you tell ASIC how you are remedying that breach in detail, (including the devotion of significant resources), ASIC will most likely leave you alone.

Depending on the severity of the breach, consider making the following promises to ASIC when reporting it:

a) always show how you will remedy the specific breach. If SOAs haven’t been given to clients, say when and how you will give them. If disclosure has been incorrect, explain how you will provide correct disclosure;

b) undertake to have an external compliance consultant conduct a review of the people or processes that caused the breach, and then provide that report to ASIC within a certain time frame. (For really severe breaches, undertake to conduct two or more of these reviews and provide the reports to ASIC over an extended period);

c) show how you have considered and addressed systemic problems. For example, would more compliance staff, new IT software, or a better procedure remedy the issue? If you talk in terms of new procedures, explain in detail who will be monitoring those procedures, and why that new set-up will fix the systemic problem. Sometimes the problem is not the procedure, but the person(s) responsible for it. ASIC provides more guidance on this in RG 78, page 13.

In addition to your extensive covering letter to ASIC, you should complete form FS80, available on the ASIC website.

However, if you’re also regulated by APRA, you can just report to APRA using its online system (www.apra.gov.au/breach), and the report will be sent off to both ASIC and APRA.

If a breach is borderline — if you are unsure about whether it is significant or not in light of the five criteria above, then report it (ASIC also says this in its RG 78). Reporting is always a safer risk-management strategy.

Also, remember that a failure to report a significant breach incurs penalties for individuals and/or the company, as well as up to one-year’s jail for individuals.

You will need to report the significant breach to ASIC within 10 business days of identifying it as a breach. Remember that 10 business days is the outside limit, as the law says the breach must be reported “as soon as practicable and in any case within 10 business days”.

Also, if you are a Responsible Entity of a registered managed investment scheme, you will have additional breach reporting obligations (see RG 78 for more).

How does ASIC respond to your breaches?

Once you’ve reported to ASIC, there are a number of ways it can respond. It can:

* ask for more information. It has a basket of powers that it can draw on to gather documentary or testamentary evidence. Usually, the first request is just a letter asking for ‘more’;

* cancel or suspend your licence. This is something some compliance people stress to scare licensees into compliance. In practice, it happens quite rarely, and usually only when there are really, really serious compliance issues;

* issue a banning order against a person. You’ve probably read articles about different advisers who have been banned for different time periods;

* require you to conduct a compliance audit by an approved external compliance professional (it may just tell you, or it may add a condition to your licence requiring this of you);

* take other types of criminal, civil or administrative action against the licensee, or directors or offices of the licensee; or

* accept an enforceable undertaking from the licensee.

ASIC’s response will naturally be determined by the severity of the breach, and a range of other similar factors. ASIC’s breach notification business unit receives voluntarily reported breaches, whereas ASIC’s surveillance team investigates and uncovers non-reported breaches (and some reported breaches).

In our experience, you are nearly always in a better position if you were the one telling ASIC’s breach notification unit about the breach.

A greater risk to your business

To put this in perspective, our firm maintains that a greater risk to licensees than ASIC enforcement action, is a complaint by a client.

Not only is there a potential financial loss, there are other intangibles costs: distraction from your business, long-term PI ramifications, stress, legal costs, time, and so on.

If you have a strong compliance culture, which includes a pro-active approach to providing quality advice, breach identification, management and reporting, you are more likely to enhance your clients’ interests. In doing so, you protect yourself from this type of risk, in addition to regulatory risks — even if you do have a few frogs hopping around.

Paul Derham is a solicitor at Holley Nethercote Commercial Lawyers.