ASIC updates breach reporting guidance for AFS and credit licensees

ASIC has released an updated version of its guidance on breach reporting (RG 78) following their own insights and industry feedback.

Key takeouts

• ASIC has made a number of changes to Regulatory Guide 78 in an effort to improve the operation of the reportable situations regime and clarify certain issues for licensees.

• In addition, ASIC has introduced a number of changes to the prescribed form through which reportable situations are lodged (i.e. through the ASIC Regulatory Portal).

• ASIC are considering further changes that have not yet been implemented.

On 27 April, the Australian Securities and Investments Commission (ASIC) released updates to its guidance on the breach reporting regime. ASIC's changes to Regulatory Guide 78 (RG 78) aim to clarify the existing guidance, while introducing new guidance in response to ongoing issues that ASIC has identified since the regime was significantly amended and strengthened in October 2021.

ASIC has also made changes to the prescribed form for lodging reportable situations via the ASIC Regulatory Portal – such changes were implemented on 5 May 2023.

The updates to RG 78 reflect ASIC's focus on improving the operation of the breach reporting / reportable situations regime as part of its 2022/2023 regulatory priorities. These changes follow on from ASIC having published its first insights on the reportable situations regime in October last year. (i.e. ASIC Report 740)

Part I: Overview of changes to RG 78

RG 78 has been updated as follows:

When multiple breaches can be reported together (RG 78.112 – 78.117, Table 9)

ASIC have introduced a new 'grouping test' and provided examples to demonstrate when reportable situations can be 'grouped'.

Reportable situations may be grouped in a single report where:

• there is similar, related or identical conduct; and
• the conduct has the same root cause.

Reports may also be grouped if the root cause is staff negligence or human error, but licensees should satisfy themselves there is no broader failure or other relevant root cause.

Required information when describing breaches (RG 78 Appendix 2, Q1)

RG 78 now identifies specific information for licensees to consider, including:

• the impact, nature and complexity of the reportable situation;
• whether further or more detailed information is required;
• an explanation of how the reportable situation is a breach of the licensee's obligations; and
• details about why the reportable situation occurred.

The guidance is scalable to reflect concerns from industry about the regulatory burden that minimum standards might cause, leading to ASIC to adopt a scalable approach.

What constitutes 'similar' breaches (RG 78 Appendix 2, Q2)

While the definition of 'similar' has been retained, further guidance has been provided to help determine whether a reportable situation is 'similar', including:

• the nature of the issue and / or breach;
• the legislative provisions contravened;
• the compliance arrangements or controls involved; and
• the nature of any client impact.

When to provide an update about a lodged report (RG 78, Appendix 2, Q3)

RG 78 now sets out ASIC's expectations on when licensees should provide an update to a lodged report, including where:

• six months has passed and no other update has been provided to ASIC;
• there is a material change to the licensee's understanding of reportable situation; or
• the licensee has completed its investigation of the reportable situation, is satisfied it has identified all affected clients and instances of the reportable situation, the root causes have been addressed and the consumer remediation process has been completed.

Root cause of the breach (RG 78, Appendix 2, Q4 and Table 11)

ASIC has emphasised that licensees should apply professional judgment when deciding which 'root cause' category to choose in the prescribed form and has provided new guidance on each category.

Calculating the number of clients affected (RG 78, Appendix 2, Q5)

In response to uncertainty identified in industry feedback, there is new guidance on ASIC's expectations when calculating and reporting the number of clients affected by a reportable situation. In particular, ASIC requires joint account holders be counted individually.

How to explain the trigger event for a breach (RG 78, Appendix 2, Q6)

ASIC has clarified that licensees should select the option on the prescribed form that aligns with how the reportable situation was first identified or how the investigation first commenced. There is also new guidance on each of the investigation triggers capable of being selected in the prescribed form.

Process for withdrawing a report (RG 78, Appendix 2, Q7 and Tables 13 and 14)

The new guidance clarifies the circumstances in which a report may be withdrawn or corrected. ASIC has provided updated guidance on breach correction reports they will consider.

Part II: Overview of changes to the prescribed form

Licensees must report breaches using an online form that is completed and lodged through the ASIC Regulatory Portal. In addition to updating RG 78, ASIC has also made the following amendments to/within the prescribed form:

• clarifying ASIC's expectation that licensees must provide a date on which they first discovered that there may be a breach but before they determined that a reportable situation did exist. This question is to be contrasted with a separate question that requires licensees to specify when they became aware that the breach is – or would be – significant;
• clarification to how ASIC uses the term 'investigation' – in particular, that an investigation is complete only after the licensee has determined the root cause(s), identified all affected clients and identified all instances of the reportable situation;
• new guidance on how ASIC expects licensees to describe a reportable situation – specifically, there should be a reference to the impact, nature and complexity of the breach;
• new guidance stipulating that licensees provide genuine estimates for client loss and number of clients affected, based on information available at the time of reporting; and
• in line with ASIC's changes to RG 78, new guidance on ASIC's expectations of what constitutes a 'similar' reportable situation. ASIC has also added guidance to encourage licensees to consider any significant breaches that occurred under the old breach reporting regime;

Further changes

ASIC flagged that a number of other items raised during industry consultation have not yet been progressed at this time. These include proposed changes to calculating the number of reportable situations that relate to a breach and the number of instances that relate to a reportable situation.

In response to industry feedback, ASIC is reviewing the requirement that the employees whose conduct or actions are the subject of the reportable situation be specified, given feedback from licensees including privacy concerns. ASIC may consult further on this matter.

If you require any assistance in relation to your obligations under the breach reporting regime or with lodging a breach report, please do not hesitate to contact us.