INSIGHT

The when and what of the new breach reporting regime

By Kerensa Sneyd
Financial Services

In brief

All signs point to the final tranche of the Hayne Royal Commission exposure draft Bills being introduced before the end of the year, and one of their focuses will be something that is a favourite topic here at Unravelled, and is of considerable interest to our clients – breach reporting. We explain the new regime's timing and effects.

Timing

In late March, the Federal Government was forced to shelve plans to introduce the final tranche of the Hayne Royal Commission exposure draft Bills, to make way for the urgent passage of the Government's first COVID-19 individual and SME relief packages.

It will now be August (or later) before these Bills can be introduced, presenting an understandable delay to the Government's Royal Commission Implementation Roadmap (where these Bills were scheduled for introduction into Parliament by 30 June 2020).

While the timetable may be slightly delayed, by all indications the Government will press ahead and introduce these Bills before the end of the year. Given this, while these are unusual times and many licensees will (rightly) be focused on business continuity and business critical activities, we suggest they keep one eye on the Government's implementation agenda and assume – for now – that the proposed commencement date for many of the Bills will remain unchanged.

In focus – breach reporting

Breach reporting has not lacked attention over the past three years. In October 2016, the Government announced the formation of an ASIC Enforcement Review Taskforce (the Taskforce) to review the enforcement regime of the Australian Securities and Investments Commission (ASIC), at the same time as ASIC was undertaking its own review into the current operation of breach reporting by reference to 12 authorised deposit-taking institutions and associated Australian Financial Service Licence (AFSL) holders. ASIC's own Mr Peter Kell, in his then-capacity as its Deputy Chair, also produced a witness statement to the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (the Royal Commission), which included statements about what ASIC would be required to prove in order to establish an AFSL holder had contravened the breach reporting obligation in section 912D of the Corporations Act 2001 (Cth) (see our Breach reporting by AFS licensees).

What we learned from these reviews, and what we at Unravelled already suspected, was that the practice of breach reporting was not working well. Both ASIC and the Taskforce highlighted concerns with reporting inconsistency; the skewing of the subjective 'significant breach' assessment between large and small institutions; and the fact that ASIC was often receiving the reports months (if not years) after the event (leading to material delays to customer remediation payments). These issues, among others, were neatly addressed by the 10 recommendations of the Taskforce's Final Report and endorsed by Commissioner Hayne in recommendation 7.2 of the Royal Commission's Final Report (the Final Report).

The Government's response to recommendation 7.2

In his Final Report, Commissioner Hayne recommended that the Taskforce's recommendations relating to self-reporting of contraventions by financial services and credit licensees be carried into effect.

In March 2019, the Government announced that it agreed to implement the Taskforce's recommendations, and subsequently released for consultation, on 31 January 2020, an exposure draft Bill (Financial Sector Reform (Hayne Royal Commission Response – Protecting Consumers (2020 Measures) Bill 2020) (the Bill), giving effect to this commitment.

Overview of the Bill – a new trigger for breach reporting

The Bill proposes to clarify and strengthen the breach reporting regime for financial services licensees, by replacing the current reporting obligation in s912D with a new set of obligations. The Bill also introduces a comparable set of obligations for credit licensees under the National Consumer Credit Protection Act 2009 (Cth) (the Credit Act), extending the operation of the breach reporting regime (for the first time) to consumer credit. (In this Insight, we will use licensees as a collective reference to both financial services licensees and credit licensees.)

Under the Bill, licensees will have an obligation to lodge a report with ASIC if there are reasonable grounds to believe that a reportable situation has arisen in relation to the licensee.

Turning first to what constitutes a 'reportable situation', the Bill goes on to define this as one where:

  • the licensee or its representative has breached a core obligation and the breach is significant;
  • the licensee or its representative is likely to breach a core obligation and the breach is significant;
  • the licensee has commenced an investigation into whether the licensee or representative has breached a core obligation and the breach is significant;
  • in the course of providing a financial service, the AFS licensee or representative has engaged in conduct constituting gross negligence; or
  • the licensee or representative has committed serious fraud.

What is a breach of a core obligation?

The definition of 'core obligation' largely reflects the current list of obligations in s912D(1)(a) (this includes obligations arising under s912A(1), which include to provide financial services efficiently, honestly and fairly, and to comply with certain financial services laws), with the addition of the managed investment scheme obligations from ss 601FC – 601FE (in line with the ASIC Enforcement Review Taskforce's recommendation to streamline the self-reporting obligations on responsible entities). An equivalent definition is proposed for the Credit Act.

However, this is where the similarities in the 'old' and 'new' regime end. What the Bill proposes from here is to split the test of 'significance' into two parts, applying it:

  • first, to those breaches or likely breaches of core obligations that 'are taken' to be significant and therefore reportable (deemed breaches); and
  • second, to all other breaches or likely breaches of core obligations that will only be reportable if the licensee determines the breach or likely breach is significant, having regard to a number of matters that largely replicate the current test for significance in s912D(1)(b).

The deemed breaches are defined further as:

  • a breach of a core obligation that is subject to a penalty that includes imprisonment for a maximum period of three months or more (for dishonesty offences) or 12 months or more (in all other cases);
  • a breach of a core obligation that constitutes a contravention of a civil penalty provision;
  • a breach of a core obligation that results, or is likely to result, in loss or damage to clients or, in the case of a managed investment scheme, members of the scheme; or
  • any other circumstances prescribed by regulations.

The Explanatory Memorandum notes that the new formulation of the significance test gives effect to recommendation 1 of the Taskforce Report and aims to provide an additional set of objectively determinable criteria for licensees. The Explanatory Memorandum further notes that this is intended to provide 'greater certainty for industry, resulting in more consistent reporting, improved regulatory oversight and better outcomes for consumers'.

However, we think that this definition goes further than the Taskforce recommendation in one important respect – there is no materiality threshold for what constitutes a deemed breach. This means a reporting obligation could be triggered where a breach affects one customer with negligible financial impact. We question the practical benefit to ASIC of receiving a flood of breach reports of this nature (which seems to hark back to the pre-2003 days where every breach was reportable and created an unnecessary burden for both ASIC and licensees). The Taskforce, in contrast, recommended that a deemed breach be defined as (among other things) one that results in or has the potential to result in material loss to clients.

If this definition remains unchanged, we query whether there would ever be a breach or likely breach that wasn't a deemed breach, given almost every breach of a core obligation we can think of would result, or be likely to result, in some loss or damage to customers – and therefore be automatically reportable.

Reportable situations and investigations

A 'reportable situation' will also be triggered when a licensee has commenced an investigation into whether the licensee or representative has breached a core obligation and the breach is significant.

The Explanatory Memorandum notes that this new reportable situation is intended to address the issue of long delays between the process of a licensee starting an investigation and then lodging a breach report with ASIC. Under the current regime, it often takes licensees months of investigation and review (if not years, in the case of complex issues) to reach a point where the licensee can form a view that the breach, or likely breach, is 'significant' and therefore reportable.

When the Taskforce considered this issue, it recommended a slightly different approach – that reporting requirements extend to circumstances where the breach is being investigated by the licensee, but the investigation has not concluded within the prescribed time limit (30 days). The Taskforce considered that this would allow licensees 30 days to investigate and make an initial assessment of whether a matter is reportable. If the licensee assesses within that 30 days that the matter is not reportable, there would be no obligation to report that fact to ASIC.

We think the Taskforce's recommendation is sensible. The Bill's current drafting results in an outcome where a licensee must report the fact that an investigation commenced, even in circumstances where it is concluded within a matter of days and determined there was no breach. Prescribing reports of this nature could create unnecessary noise for an already stretched regulator.

The practical application of this obligation also turns on the meaning of 'investigation'. Unhelpfully, this term is undefined in the Bill, and the Explanatory Memorandum provides no guidance. Unless clarified, licensees may each take a different (subjective) view of what constitutes an investigation in their organisation, which then leads to inconsistent reporting to ASIC. This is the exact outcome the Taskforce's and Royal Commission's recommendations sought to avoid.

Gross negligence and serious fraud

The list of 'reportable situations' includes two new situations that are not a feature of the current regime:

  • in the course of providing a financial service, the licensee or representative has engaged in conduct constituting gross negligence; or
  • the licensee or representative has committed serious fraud.

These situations are separate from the 'core obligations' and are not subject to a significance test. 'Serious fraud' is defined in s9 of the Corporations Act as an offence involving fraud or dishonesty against an Australian law, or any other law, that is punishable by imprisonment for life or for a period, or maximum period, of at least three months. An equivalent definition appears in the Credit Act.

However, 'gross negligence' is not defined in the Bill and there is a question (in our minds) about how this should be interpreted – should the licensee apply the common law principles of negligence?

'Reasonable grounds to believe'

A licensee must have 'reasonable grounds to believe' that a reportable situation has arisen in order to trigger a reporting obligation to ASIC.

'Reasonable grounds to believe' is not defined in the Bill and limited guidance is given in the Explanatory Memorandum. We understand it to be an objective test, based on the circumstances and information known to a senior person within the licensee at the relevant time. The drafting is unclear, and should be clarified to avoid an interpretation that could be unmanageable in practice – for example, that a reporting obligation could be triggered if a branch manager becomes aware that a single customer has been incorrectly charged a fee. Looking at this from a criminal context, a 'belief' is something more than mere suspicion but less than certainty. Conceptually, this is a test that goes some way to addressing the Taskforce's recommendation regarding objectivity; practically, however, we question just how challenging it may be for licensees to operationalise.

Timeframe for reporting

A report must be lodged with ASIC within 30 calendar days after the licensee first reasonably knows that there are reasonable grounds to believe that a reportable situation has arisen. Currently, financial services licensees must report a breach to ASIC within 10 business days of becoming aware of a breach or likely breach that is significant (and there is no reporting obligation for credit licensees under the Credit Act). However, a licensee must report the outcome of an investigation within 10 calendar days after the licensee first reasonably knows the outcome of the investigation. The Explanatory Memorandum notes that this shorter timeframe is appropriate because, at this stage, the licensee is not required to make any further inquiries.

The Bill provides that a person will 'reasonably know' of a circumstance that gives rise to a reporting obligation if:

  • the person is aware that the circumstance exists or will exist in the ordinary course of events; or
  • the person is aware of a substantial risk that the circumstance exists or will exist and, having regard to the circumstances known to the person, it is unjustifiable to take the risk.

The Explanatory Memorandum provides that the concept of 'reasonably knows' is based on the definitions of 'knowledge' and 'recklessness' in the Criminal Code, and is intended to capture circumstances where – on the facts available – the licensee:

  • has knowledge that a reportable situation has arisen; or
  • may not have actual knowledge but ought to have knowledge that a reportable situation has arisen.

The language in the Bill leaves a key question unanswered: what is considered a 'substantial risk' that a circumstance exists or will exist? Is this a risk that has more than a 50% chance of occurring? And who is the person that must be aware of the substantial risk – is this a senior employee of the licensee with authority to report to ASIC, or is it someone on the front line who takes a complaint from a customer and whose knowledge is taken to be knowledge of the licensee?

One may also question the need for the second part of the definition, being that a person must consider it 'unjustifiable to take the risk'. We are referring here to circumstances involving a significant breach of a core obligation, and surely it is always 'unjustifiable' to take the risk of breaching a core obligation – particularly given all licensees have an obligation to comply with the financial services laws.

Reporting on other licensees to ASIC – the 'dobbing' obligation

In addition to the obligations to report a licensee's own reportable situations, the Bill introduces an obligation for a licensee to lodge reports in relation to other licensees.

Under this obligation, a licensee must lodge a report with ASIC within 30 calendar days after the licensee first reasonably knows that there are reasonable grounds to suspect that a reportable situation has arisen about an individual who:

  • provides personal advice to retail clients about relevant financial products (this excludes basic banking products, general insurance products, consumer credit insurance or a combination of any of these products) and is operating under another AFSL; or
  • is a mortgage broker operating under another ACL.

The Explanatory Memorandum describes how this obligation is intended to target misconduct and serious compliance concerns about financial advisors and mortgage brokers, on the basis that 'there are other parties in the industry' who are 'well positioned' to identify this misconduct.

This obligation carries a lower reporting threshold compared with reporting a licensee's own reportable situations to ASIC – it requires licensees to have 'reasonable grounds to suspect' rather than 'reasonable grounds to believe'. The Explanatory Memorandum notes that the rationale for the lower threshold is because it may be difficult for licensees to come to a 'belief' that a reportable situation has arisen, as the licensee may not have access to information to develop such a belief. Instead, a licensee may 'in practice' develop reasonable grounds to suspect that a reportable situation has arisen about a financial advisor or mortgage broker, due to the 'proximity between the two entities'.

This obligation relates to recommendations 1.6 and 2.8 of the Royal Commission, that licensees should be required to report 'serious compliance concerns' about financial advisors and mortgage brokers to ASIC on a quarterly basis. However, we are concerned that the Government has imposed a much higher obligation on licensees than Commissioner Hayne recommended by implementing these recommendations as part of the breach reporting regime. Licensees will now need to consider what systems and controls they have, or should have, in relation to arrangements with financial advisors and mortgage brokers, and ensure they are designed in a way that will alert the licensee where there are 'reasonable grounds to suspect' that a reportable situation has arisen. While the Bill stops short of imposing a direct obligation on licensees to monitor the conduct of financial advisors and mortgage brokers operating under their own licences, we wonder whether this dobbing obligation will, in effect, result in (or require) some form of monitoring to ensure the reporting licensee is in a position to satisfy its reporting obligations.

Licensees who deal with a large independently licensed advisor and broker network may find this to be a particularly onerous obligation and, without a materiality test, one that may very likely result in a large number of reports to ASIC about minor or insignificant conduct.

And – in case this obligation didn't present enough challenges – licensees who lodge a breach report about a financial advisor or mortgage broker must then provide a copy of that report to the relevant financial advisor or mortgage broker. We wonder how much of an impact this will have on the commercial dealings between licensees, financial advisors and mortgage brokers.

Where to from here?

Consultation on the exposure draft Bill closed at the end of February 2020. The Government has not published submissions (yet) and the ordinary sittings of Parliament do not recommence until 11 August 2020. If it weren't for COVID-19, we would say this delay could give Treasury extra time to run a second round of consultation on some of the more problematic areas of the Bill – in the current environment, however, this seems extremely unlikely. Treasury has conveyed that it is very much 'all hands on deck' to help deliver the Government's COVID-19 relief packages.

Absent any formal indications from Treasury, the Bill is likely to keep its original commencement date of 1 April 2021. We expect many licensees (particularly credit licensees, for whom this will all be new) will need this full period to plan and design reporting processes, in order to balance the current demands of business-critical activities driven by COVID-19.

We will continue to keep you informed of developments with the Bill and the introduction of the new breach reporting regime – and, in the meantime, please reach out to any of the people below if you would like to discuss the issues raised in this Insight.