As of 1 October 2021, AFS licensees need to brace themselves for, and be ready for, the introduction of the new breach reporting framework and the risks it poses to operating in Australian financial services.
The changes
As compared to the previous regime, the new framework will incorporate:
- A far broader remit;
- Heavier penalties;
- The morphing of the “significance” test into the “reportable situation”;
- A provision for incidents involving “serious fraud” and “gross negligence”;
- More objective legal tests; and
- The “deemed significance” provision.
What does this mean?
In a nutshell, any breach, irrespective of severity, of an applicable civil penalty or offence (criminal) provision (leaving aside very limited exceptions) will result in a legal obligation to report to ASIC. Even if you are not caught by the new “deemed significance” test and the incident does not involve “serious fraud” or “gross negligence”, you will still need to report where your investigation into the incident or breach continues for more than 30 days. Even if your investigation does not exceed this period, you will still need to consider whether the breach could be considered “significant” when analysed against 3 of the 4 factors in the previous “significance test”.
What you need to do
We recommend you undertake the following actions before the law takes effect:
- Reform and update your breach reporting policies and procedures;
- Train your first line employees on how to identify and escalate potential risk of breaches quickly and efficiently;
- Thoroughly test your relevant systems and technology;
- Incorporate relevant procedures for reporting to Audit Committees and Boards;
- Amend your breach registers so they are aligned with reporting on the ASIC Regulatory Portal;
- Put additional control measures on your authorised representatives (if applicable); and
- Update your risk registers and monitoring systems and procedures.
Concluding comments
All of the above will completely change the game for businesses operating in the space, with respect to how they identify, investigate, monitor and review breaches of relevant core obligations, financial services laws and general law. To this end, it is certain that licensees will be reporting their breaches far more than ever before, and ASIC will have far greater transparency on participants' contraventions.
In the future, we can expect ASIC to detect and conduct surveillance on misconduct far earlier and respond to emerging trends of harm in the industry far more effectively.
Should you need assistance or have any questions in preparing for the framework, please reach out to our Compliance Solutions Team on +61 2 8916 6115.
This update is general in nature. It is not legal advice and as such, it should not be relied upon for any reason.