Breach reporting for credit licensees: are you ready to dob yourself in?
October 2021 sees the commencement of many new regulatory reforms for Australian Credit Licence (ACL) holders. One of the reforms that will have the greatest impact will be the new breach reporting requirements.
Many of you may not remember that breach reporting could have easily been a feature of the National Consumer Credit Protection Act (NCCP Act) since the start of the legislation in 2009. In fact, it was part of the draft Bill released for public consultation in April 2009. However, it was swiftly dropped following stakeholder feedback and was replaced with the requirement to lodge an Annual Compliance Certificate.
Fast forward 12 years and ACL holders are now on the eve of getting their breach reporting regime. Unfortunately, they will still be required to lodge their Annual Compliance Certificates.
In 2009, the Government was persuaded to ditch the breach reporting regime because it was simply not needed.
The multiple examples of misconduct exposed by the Hayne Royal Commission changed that and led Commissioner Hayne to recommend extending the strengthened AFSL breach reporting regime to ACL holders. The breach reporting regime is now seen as central to restoring public trust in the financial services sector.
Why is it a big deal?
Breach reporting is all about self-reporting breaches or suspected breaches of the law. Such breaches can be significant and can lead to ASIC commencing court action or suspending or cancelling a credit licence.
Under our legal system, persons generally enjoy a right against self-incrimination. This essentially means you don’t have to dob yourself in when you’re suspected of having done something wrong. It’s the reason why when you’re watching a crime show you’ll usually hear the words, “You have the right to remain silent…”.
But in the case of breach reporting for ACL holders, the right against incriminating yourself is outweighed by ASIC being better able to detect and address misconduct in the credit sector. This is because it’s thought that those best placed to provide ASIC with information about misconduct are ACL holders themselves.
What breaches need to be reported?
The regime requires ACL holders to report “reportable situations” rather than breaches because, in some situations, ACL holders will need to report even if they haven’t determined a breach has actually occurred (more on this later).
Reportable situations fall within the following categories:
- Breaches (or likely breaches) of the core obligations which are significant; and
- Additional reportable situations.
Breaches (or likely breaches) of the core obligations which are significant
Core obligations are all the general obligations in section 47 of the NCCP Act. In relation to the obligation to comply with the credit legislation in section 47(1)(d), this is modified to reduce the types of legislation covered for the purposes of reporting.
Two different significance tests exist. They are:
- Breaches (or likely breaches) of the core obligations which are automatically considered to be significant; and
- Other breaches of the core obligations that are significant based on a materiality test.
An automatically significant breach is a breach (or likely breach) of a core obligation which:
- relates to a criminal offence where the maximum term of imprisonment is:
  - 3 months or more for dishonesty offences; or
  - 12 months or more for all other offences
- relates to a civil penalty provision
- relates to a key requirement in the National Credit Code
- relates to the misleading or deceptive conduct provision in the ASIC Act
- results in (or is likely to result in) material loss or damage to clients
If none of the automatically significant situations apply, the breach may still be significant based on the following factors:
- the number or frequency of similar breaches;
- the impact of the breach or likely breach on the licensee’s ability to engage in credit activities covered by the licence;
- the extent to which the breach or likely breach indicates that the licensee’s arrangements to ensure compliance with those obligations are inadequate; and
- any other matters prescribed by regulations (no regulations are currently made).
Additional reportable situations
The new reporting regime also applies in the following instances:
- If the investigation of a significant breach of a core obligation takes more than 30 days
- If the conduct amounts to gross negligence
- If the conduct relates to serious fraud
- If the ACL holder believes a reportable situation (other than an investigation taking more than 30 days) has been committed by a mortgage broker of another ACL holder.
Whose breaches must be reported?
ACL holders will not only have to report incidents they commit but also the incidents that their representatives commit. They will also need to report breaches by mortgage brokers of other ACL holders.
What’s the deadline for reporting?
ACL holders will generally have 30 calendar days to report a reportable situation from when they first have reasonable grounds to believe that a reportable situation has occurred. ACL holders will need to submit their breach reports to ASIC, unless they are APRA regulated, in which case they can submit their report to APRA.
Additional obligations for mortgage brokers
ACL holders that provide mortgage broking services will also have to notify, investigate and remediate affected clients when:
- a significant breach of a core obligation, gross negligence or serious fraud has occurred;
- affected clients have suffered loss or damage; and
- affected clients have a legally enforceable right to recover loss or damage from the licensee.
Key take outs for ACL holders
- It is not just breaches (or likely breaches) that must be reported. If you’re still investigating after 30 days, you must report the matter.
- The automatically significant category is very broad, so most breaches of the credit legislation are likely to need reporting.
- Whether an incident is reportable is an objective test. It won’t be good enough not to report just because you think the incident is not reportable. It’s what an objective ACL holder would consider is reasonable given the facts and circumstances of the situation.
- While 30 days may seem a lot, it’s not. You will generally have lots to do to determine whether you need to report. So, make sure you have clear procedures in place to deal with suspected breaches.
- Existing ACL holders are already required to review and remediate clients where systemic misconduct has occurred and they have suffered loss. The new obligation for ACL holders of mortgage brokers formalises this process and imposes strict timeframes on how long it must take.
- Focusing on your own breaches will not be enough. The obligation to “dob in” mortgage brokers of other ACL holders means all ACL holders have a responsibility to identify and report misconduct in the industry.
- Breach reporting is serious business. Failing to report reportable situations could result in court action (criminal or civil penalty proceedings). It could also be used as a basis to suspend or cancel your ACL.
- With the commencement of the new breach reporting regime for ACL holders, and the strengthening of the AFSL breach reporting regime, ASIC is almost certain to experience a significant increase in breach reports. ACL holders should therefore ensure their breach reports focus on how they have rectified (or will rectify) the breach and what steps they have taken (or are taking) to ensure it won’t reoccur.
What you need to do
To successfully navigate the new breach reporting regime, ACL holders need to have written procedures and tools in place that help them:
- Identify suspected breaches
- Assess whether it’s a reportable situation
- Report the matter
- Rectify breaches to ensure they don’t re-occur.
Representatives should also be trained about these procedures so they can help their ACL holders comply with the requirements.
Your governance framework should be updated so that it’s tracking open breaches and suspected breaches.
Finally, ACL holders should be creating an environment where staff feel comfortable raising suspected breaches. If everyone in your organisation is playing their part, complying with the new requirements will be much easier.
The new breach reporting regime is complex. The team at Holley Nethercote Compliance has developed a template breach reporting procedure and supporting tools on the HN Hub compliance platform to help ACL holders comply with their reporting requirements. If you would like to know more, contact us at [email protected].
Author: Jesse Vermiglio (Partner)