ASIC has expressed strong concerns that Australian Financial Services licensees have not been reporting breaches or potential breaches correctly, or have been waiting too long to report them, and have therefore been in contravention of section 912D of the Corporations Act.
ASIC has warned licensees that failing to report a significant breach could constitute a criminal offence. The statutory timeframe in the Corporations Act requires licensees to report significant breaches as soon as practicable and, in any case, within 10 business days after becoming aware of the breach or likely breach.
During its last investigation into breach reporting, ASIC identified several key themes relating to the timeframe, noting that:
• licensees have delayed reporting until they have completed an internal investigation, or until after the matter has been escalated to board level for consideration, which adds considerable delay to breach reporting; and
• where the licensee is a responsible entity, there is a requirement to notify the compliance committee, which is required by law to report to the board and also “to report to ASIC if the committee is of the view that the responsible entity has not taken, or does not propose to take, appropriate action”.
ASIC suggested that it is always better to report early when you believe a significant breach has occurred or suspect that a significant breach may occur. Failing to report within the statutory timeframe may constitute a second significant breach.
Licensees must have systems in place for robust reporting of breaches. Where the licensee is slow to report, ASIC may flag this late notice and target the licensee for surveillance.
ASIC uses data from breach reporting to determine the risks that the regulator faces, and breach reporting will continue to be one of its focuses.
ASIC provides guidance in relation to breach reporting through Regulatory Guide 78, which is available through its website.
At Know Compliance, we assist licensees to determine if a breach is significant and, if it is, how to report the breach to ASIC. Importantly, we also assist licensees to remedy the breaches and take steps to reduce the risk of recurrence.
It should be noted that if a breach is detected by an auditor and the auditor discovers that no action has been taken to address the breach, the auditor is obliged to report the matter to ASIC.
Licensees who have never reported a significant breach to ASIC run the risk that the regulator will conduct surveillance visits on their operations and discover reportable breaches.
The information in these notes is of a general nature and should not be considered to be the provision of legal advice. No assurance is given as to the accuracy or completeness of this information. If you have any queries or require assistance with your compliance matters, you can contact us by email: firstname.lastname@example.org or call us on (03) 9689 1186.