The reportable situations regime requires licensees to promptly identify, fix and report potential misconduct.
In February, ASIC put proposals out for feedback on four scenarios where additional relief would apply. This received feedback from four confidential and nine non-confidential submissions from industry and industry groups including the Financial Services Council (FSC) and the Financial Advice Association Australia (FAAA).
These were:
- The breach has been rectified within 30 days from when it first occurred (this includes paying any necessary remediation).
- The number of impacted consumers is not more than five.
- The total financial loss or damage to all impacted consumers resulting from the breach is not more than $500 (including where the loss has been remediated).
- The breach is not a contravention of the client money reporting rules, and clearing and settlement rules.
With the consultation having been closed and feedback reviewed, the regulator has now clarified relief that:
- Exempts industry from reporting certain breaches of the misleading and deceptive conduct provisions, and certain contraventions of civil penalties.
- Extends the length of investigations that are reportable to ASIC from 30 days to 60 days.
- Clarifies that a report is taken to be lodged with ASIC, if a licensee has submitted a breach report to the Australian Prudential Regulation Authority (APRA) that contains all the information APRA has requested.
If a breach satisfies all these thresholds, it is not deemed reportable to ASIC.
Following feedback, only investigations ongoing for more than 60 days, instead of 30 days, are reportable to ASIC.
This relief will reduce the reporting burden on industry so that if an investigation is completed within 60 days and no reportable situation is identified, a report does not have to be submitted, while still incentivising licensees to undertake timely investigations.
“Licensees are reminded to ensure they have the systems and processes in place to identify, escalate, investigate, rectify and capture incidents and breaches as part of their general obligations,” it stated.
