Breach reporting: When do I need to report an investigation to ASIC?
Last month, the Australian Securities and Investments Commission (ASIC) updated its guidance on the breach reporting regime, with several amendments to Regulatory Guide 78: Breach reporting by AFS licensees and credit licensees (RG 78). In ASIC’s media release, the regulator acknowledged that there had been some ‘implementation challenges’ with the new breach reporting regime, which commenced on 1 October 2021. For further information about ASIC’s updates to RG 78, see our article in T-REX on the changes.
The updates to RG 78 mostly provided practical guidance to licensees about how to complete the breach reporting form, and when licensees should group reportable situations into a single report.
The guidance in RG 78 on what constitutes a ‘reportable investigation’ remains unchanged. However, ASIC provided some new practical guidance to licensees about how to answer questions in the breach reporting form about investigations, including:
- how to estimate the number of clients affected by a reportable situation during an investigation;
- clarification that ASIC considers that an investigation is ‘complete’ only after the licensee has determined the root cause(s), identified all affected clients and identified all instances of the reportable situation; and
- how to respond to the question “What triggered the investigation or made you aware of the matter?”
So, what constitutes a ‘reportable investigation’? Below we have set out when an investigation by a licensee must be reported to ASIC, and provided some practical measures you can take now in relation to breach reporting.
Who needs to notify ASIC of reportable situations?
First, let’s get back to basics. The ‘reportable situations’ regime applies to Australian Financial Services (AFS) licensees and credit licensees. Licensees must comply with their obligations to report certain breaches of the law to ASIC. The revised breach reporting regime applies to reportable situations that arise on or after 1 October 2021.
However, this might not be the only reporting regime that you need to comply with. Licensees often have separate obligations to report incidents, in addition to the breach reporting obligation. For example:
- data breach reporting – when an organisation has reasonable grounds to believe an eligible data breach has occurred, it must promptly notify the Office of the Australian Information Commissioner and any individual at risk of serious harm;
- market integrity rules – a market participant must notify ASIC of certain suspicious activities;
- design and distribution obligations – product distributors need to notify issuers of certain matters, and issuers need to notify ASIC of ‘significant dealings’ that are not consistent with a product’s target market determination;
- prudential requirements – APRA-regulated institutions are required to notify APRA of a breach of a prudential requirement, in accordance with the industry’s relevant legislation; and
- industry codes – some industry codes require members to report breaches of code obligations to the relevant code compliance monitoring body.
What is a ‘reportable situation’?
The reportable situations regime is complex. Deciphering whether an incident is a reportable situation is not always an easy task.
There are four types of reportable situations:
- certain investigations into breaches or likely breaches of core obligations that are significant (a reportable investigation);
- breaches or ‘likely breaches’ of core obligations that are significant;
- additional reportable situations; and
- reportable situations about other licensees.
In order to understand when an investigation is reportable, we must first consider the meaning of ‘breaches or likely breaches of core obligations that are significant’. AFS licensees’ core obligations are defined in section 912D(3) of the Corporations Act 2001 (‘the Corporations Act’), while credit licensees’ core obligations are defined in section 50A(3) of the National Consumer Credit Protection Act 2009 (‘the NCCP Act’). They include obligations such as the requirement to do all things necessary to ensure that financial services are provided efficiently, honestly and fairly, and to comply with financial services laws (s912A(1) of the Corporations Act).
There are two ways to determine whether a breach of a core obligation is significant:
- deemed significant breaches – certain breaches are taken to be significant, such as engaging in misleading or deceptive conduct, breaching a civil penalty provision (where an exclusion does not apply) or breaches of core obligations that result in material loss or damage to clients; or
- breaches that require a determination of significance – where a breach of a core obligation is not ‘deemed significant’, a licensee must consider the breach against certain objective factors to determine whether it is significant.
What is a ‘reportable investigation’?
Licensees regularly undertake routine or ad hoc investigations into potential compliance issues. However, an investigation into whether a significant breach (or likely significant breach) of a core obligation has occurred must be reported to ASIC if it continues for more than 30 days. You must report to ASIC using the ASIC Regulatory Portal.
‘Investigation’ is not defined and has its ordinary meaning. However, the Explanatory Memorandum notes that ‘if a … licensee is considering whether it has conducted an investigation, a relevant factor would be whether there has been some information gathering or human effort applied by the licensee to determine whether a breach has occurred or will occur.’ According to ASIC’s RG 78, ‘preliminary steps and initial fact-finding inquiries’ and ‘business as usual’ inquiries, such as routine audits, are not generally reportable.
When do I need to notify ASIC of a reportable investigation?
An investigation becomes a reportable situation on day 31 of the investigation, and you must lodge a report within 30 days of this date. This means that if your investigation commences on 1 July and is ongoing on 31 July (30 days later), the investigation will become a reportable situation on 1 August. The investigation must be reported to ASIC by 31 August.
ASIC expects that investigations will be commenced and conducted in a timely manner. Unreasonable delays might result in you lodging the breach report outside the required timeframe (which is a breach in itself) or breaching other legal obligations.
The commencement date for your investigation is a matter of fact. However, indicators that an investigation has commenced include that you have sought specialist or technical advice, communicated with representatives or staff involved in the incident, communicated with potentially affected clients or commenced a review of multiple files or systems to determine if an issue is systemic. What matters is the nature of the activities being conducted, not which team is conducting them.
For a larger licensee with multiple teams that have risk or compliance functions, it might be the case that a ‘reportable investigation’ doesn’t commence until an incident is escalated for particular actions. For example, in RG 78 ASIC describes a ‘Line 1’ risk team that makes some preliminary inquiries about an incident and then escalates the matter to a compliance team in ‘Line 2’ for further review. Line 2 communicates with the relevant business division and the Line 1 team, seeks advice from the legal team and commences a review to understand more about what has occurred. In this example, the reportable investigation commenced when the compliance team in Line 2 began its assessment.
During the investigation
You should have policies and procedures in place for reporting and oversight of ongoing investigations. While there is no set timeframe within which an investigation must be concluded, it is important that investigations are progressed and appropriately prioritised. Failure to properly resource investigations might indicate that you do not have adequate resources to provide the financial services or credit activities covered by your licence (section 912A of the Corporations Act and section 47 of the NCCP Act).
If you identify a deficiency in a system or process before the investigation is completed, ASIC expects that you will not wait for it to be completed to implement steps to rectify the deficiency and limit its adverse impact. This might include remediating clients, if necessary.
Furthermore, if you are satisfied during an investigation that a reportable situation has arisen, you must report the matter to ASIC even if the investigation has not been fully completed.
Where an investigation uncovers multiple reportable situations arising from a single, specific root cause, a licensee must also notify ASIC of these multiple reportable situations, but may do so in one report.
What about investigations of less than 30 days?
If you start and conclude an investigation within 30 days, and there are no reasonable grounds to believe that a reportable situation has occurred, then you do not need to make a report to ASIC. If you conclude your investigation within 30 days and you do believe a reportable situation has arisen, then you need to report the breach to ASIC but not the investigation itself.
Practical measures to take now in relation to breach reporting
Having appropriate systems and processes in place in relation to breach reporting should be a core feature of your compliance and risk management arrangements. You’ll need to:
- review the updated version of RG 78;
- have documented processes for identifying, recording and escalating incidents, including a breach and incident register;
- ensure that it is clear who within your organisation has responsibility for investigating and reporting breaches to ASIC; and
- take steps to ensure that your employees and authorised representatives are complying with your processes for identifying, recording and escalating possible breaches.
We also recommend you consider incidents and breaches, and your breach reporting arrangements, as a standing agenda item at compliance committee meetings.