Last month’s wealth management hearings before the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Banking Royal Commission) highlighted the need for AFS licensees to understand and fully comply with their breach reporting obligations in a timely and not overly legalistic way. You can read more about our coverage of the issues coming out of the Banking Royal Commission here https://www.compliancequarter.com.au/tech-lies-and-litigation-asic-reads-the-riot-act-to-the-financial-services-industry/
In our article covering AFSL breach reporting obligations we take a closer look at those obligations and the consequences of non-compliance.
What must an AFS licensee report?
AFS licensees must notify ASIC in writing of any ‘significant’ breach (or likely breach) of their obligations under s912A (including licence conditions), s912B (compensation arrangements) or financial services laws, as soon as possible, and in any event within ten (10) business days of becoming aware of the breach or likely breach. If you don’t tell ASIC about a significant breach (or likely breach), ASIC will consider that failure to be itself a significant breach. As such, an AFS licensee should have a clear, well-understood and documented process for identifying and reporting breaches. It is worth noting that responsible entities are also subject to breach reporting requirements.
AFSL breach reporting obligations – What does ‘significant’ breach mean?
Whether a breach is significant will depend on the individual circumstances – it is a subjective assessment. As such, licensees need to give proper consideration to whether the breach (or likely breach) is significant and, if so, provide timely notification to ASIC. You will need to decide whether a breach (or likely breach) is significant and therefore reportable to ASIC.
What factors determine whether a breach is ‘significant’?
The non-exhaustive list of factors that determine whether a breach (or likely breach) is ‘significant’ includes:
• the number or frequency of similar previous breaches;
• the impact of the breach or likely breach on the licensee’s ability to provide the financial services covered by the licence;
• the extent to which the breach or likely breach indicates that the licensee’s arrangements to ensure compliance with those obligations are inadequate; and
• the actual or potential loss to clients or the licensee itself.
If you are not sure whether a breach is significant, ASIC has indicated you should err on the side of caution and report the breach. ASIC Regulatory Guide 78 ‘Breach reporting by AFS Licensees’ (RG78) also provides further guidance as to how ASIC interprets and will apply the law.
How do you report a breach?
A breach can be reported to ASIC by completing Form FS80 and/or by sending a written report to ASIC via email at email@example.com
What are the penalties for non-compliance?
It is important that licensees report significant breaches to ASIC as early as possible, even where they are still gathering further information on the breach. ASIC states in RG78 that a failure to report a significant breach is an offence and may itself result in penalties of up to $42,500 for companies.
What are the key takeaways?
The insights emerging from the Banking Royal Commission, its coverage and associated regulatory matters are that breach reporting is an area where AFS licensees have diverged significantly in how they manage the process. The internal governance of the breach reporting process has itself been a matter of considerable focus and debate – in particular, the ability of those charged with the responsibility to escalate incidents for consideration within the breach reporting framework and to bring them to the attention of the board of licence holders.
If you’re an AFS licence holding entity (or on the board of an entity that is), now is the time to review your breach reporting and incident management policies and to consider the workflows within your organisation for how such matters are to be managed. At the board level, you should also reflect on what has been coming through from your audit and risk committee reports and whether any incidents or breaches have been reported recently. If not, it may be worth contemplating a review of that process to ensure that adequate transparency is being afforded internally to such matters. Other matters that AFS licence holders should be reflecting on in this space include how remuneration is structured for senior management and at the board level when breaches have been identified and reported, and ensuring that remuneration structures align with the obligations of the AFS licensee – for example, clawbacks or bonus ineligibility where there has been a major incident or significant breach. It would also be worth looking at how the organisation is learning from incidents and breaches – are they applying the right tools to identify how and why the incident or breach occurred, and adopting a lessons-learned mindset to avoid any future repeats within the business?
AFSL breach reporting obligations – Need more assistance?
If you would like assistance with better understanding your breach reporting obligations or an assessment of your internal procedures for managing issues in this space, please get in touch with us at Compliance Quarter and one of our regulatory specialists would be pleased to assist you.