Announced in April, the Australian financial regulator’s CP 340 goes into effect in October. ASIC’s breach reporting update is going to make life more difficult and potentially more confusing for compliance officers at financial institutions across the country.
The Australian Securities and Investments Commission (ASIC) released its new breach-related obligations in April 2021 with CP (consultation paper) 340. The new regulation aims to strengthen and solidify existing breach regulation for market participants. It comes into effect by October 2021 and is expected to add substantially to the cost and complexity of the current breach reporting standards. It also significantly increases the number of scenarios under which a licensee needs to report.
ASIC has issued Consultation Paper 340, seeking stakeholder feedback on proposed updates to its draft guidance on upcoming breach reporting reforms. https://t.co/h0Gq29Osmp
— ASIC Media (@asicmedia) April 22, 2021
The regulation, which applies to Australian financial services (AFS) licensees, credit licensees and their representatives, has already got the industry thinking about how to manage the compliance expectations.
ASIC’s breach reporting update includes a regulatory guide (PDF) that lists reportable situations. These include breaches of core obligations such as conduct, financial solvency, fraud, etc. It requires licensees to report breaches to ASIC within 30 days of the incident (as compared to 10 days previously), failing which they are subject to fines and penalties. The various scenarios under which an automatic reporting obligation will be triggered are as follows:
- Breaches or likely breaches of core obligations that are significant (this refers to the existing list of obligations defined in section 912(1)(a) of the Corporations Act 2001);
- Investigations into breaches or likely breaches of core obligations that are significant and have continued beyond 30 days;
- Additional reportable situations, such as conduct constituting gross negligence or serious fraud; and
- Reportable situations about other AFS licensees, which is being termed the “dobbing” provision.
In order to ensure compliance, ASIC has also prescribed a form in which the breach should be reported. The form needs to be submitted via a regulatory portal and covers key aspects such as the nature and description of the incident, the significance of the breach, the process involved in identifying the breach, the rectification or remediation carried out, and the steps taken to ensure future compliance. The reported details will be published by ASIC within four months of the end of the financial year and may include the name of the licensee, the volume of reported breaches, and the number of breaches compared to the size and activity or volume of the licensee’s business.
ASIC’s Breach Reporting Update: Key Concerns
While the breach framework has been laid out comprehensively, there are many concerns playing on the minds of licensees. Some key examples include:
Increased Scenarios – The regulation brings in additional core obligations and scenarios that need to be reported in a span of 30 days. This will result in increased operational costs and controls.
Increased Workload – The regulation massively increases the number of breaches that need to be reported. This will all flow down to back-office processes.
Ambiguity – The regulation does spell out numerous scenarios that require reporting. But it also states that licensees are “not required to report every instance of non-compliance or trivial breaches.” Licensees only need to focus on a “targeted set” of situations. While a set of significant breaches has been defined in the regulation with examples, other breaches will require a determination of significance before being reported to ASIC.
Defining Gross Negligence – Neither the legislature nor ASIC has provided clear guidance on what conduct constitutes gross negligence, a concept that is not defined in the Corporations Act.
Dobbing Provision – As per this provision, licensees can inform ASIC if they know or suspect that another licensee is not meeting the new breach reporting requirements. This may eventually cause suspicion or hostility between licensees.
How to Prepare
In order to identify and report breaches in a timely manner, the regulation will require licensees to scale their existing technology landscape and resources to ensure compliance. Some of the likely changes we can foresee are:
Upgrading existing risk systems – Licensees will need to upgrade their existing risk systems so that they are able to identify breaches and report them in a timely manner. ASIC has indicated that if a licensee fails to report significant (or even likely) breaches, it will constitute a breach of compliance.
Creating a broad framework for breach assessment – Licensees will probably need to create a detailed framework from the guidelines listed in the obligation. Such a framework will help them in breach identification, breach severity assessment and final reporting of the breaches in line with the regulatory mandate.
Clearly documented business processes – Licensees must maintain clearly documented processes around the entire life cycle of breach reporting. These include processes around:
- Identification and recording of incidents and potential reportable situations;
- Assessment and determination of whether an identified incident is a reportable situation;
- Reporting situations to ASIC within 30 calendar days; and
- Remediation plans to prevent the recurrence of breaches or likely breaches.
Enhancing control libraries – Licensees will need to enhance their existing control libraries and put much tighter controls in place to include additional scenarios that will help in the breach identification and assessment process.
Maintaining breach registers – While this is not an explicit obligation, ASIC has indicated that maintaining a record of actions from breach identification to reporting will help licensees comply with reporting obligations. Maintaining such a register will give licensees the insight, based on the number and frequency of breaches, needed to ascertain whether or not a breach is significant.
While the reform regulations are currently under public consultation, it is expected that the final regulation may incorporate some minor changes. In all likelihood, it will still carry the essence of the guidelines which have been listed so far. For licensees, the regulation is going to add a massive workload to the compliance function. ASIC’s breach reporting update is intended to increase market surveillance. It aims to identify and address patterns of noncompliance. Its impact on financial institutions and compliance teams, however, has yet to be fully felt.