The new breach reporting regime requires licensees to lodge a report within 30 days (previously 10 days) and the significance test has been expanded, according to The Fold Legal.
An analysis by the law firm on the new regime which is due to commence on 1 October, 2021, said licensees needed to review its breach assessment processes to ensure they could meet the new timelines.
“The 30-day clock now starts ticking once you have reasonable grounds to believe there has been or will be a significant breach, or you are reckless as to whether there are reasonable grounds,” it said.
The breach must be reported to the Australian Securities and Investments Commission (ASIC) at the investigation stage if an investigation had continued for over 30 days, and a second report needed to be provided to ASIC on the outcome of the investigation.
On the significance test, a breach of a core obligation was now deemed significant if:
- The provision breached is an offence that may involve imprisonment for 12 months (three months for dishonesty offences);
- The provision breached is a civil penalty provision;
- The provision breached relates to misleading or deceptive conduct under the Corporations Act or the ASIC Act; or
- The breach results, or is likely to result, in material loss or damage to clients or members.
The analysis noted that gross negligence and serious fraud were automatically reportable as well, and for credit licensees, a breach of a “key requirement” under the national credit code was also deemed to be significant.
“By deeming a breach with a civil penalty provision as significant, it means that almost all breaches of the relevant legislative provisions will be reportable, regardless of their size. This means you should expect to lodge breach reports more frequently,” it said.
The Fold pointed to the explanatory memorandum that contemplated Treasury introducing new regulation to pare back the deeming provisions if ASIC received too many minor, technical, or inadvertent breach reports.
If a breach was not automatically deemed to be significant, licensees needed to assess if the breach was significant by considering:
- The number or frequency of similar breaches;
- The impact of the breach on their ability to provide the services covered by their licence; and
- The extent to which the breach indicates the licensee’s compliance arrangements are inadequate.
The Fold also said licensees would also be required to report breaches by other licensees to ASIC in certain circumstances. This aimed to target individual financial advisers and mortgage brokers.