In April of this year, we wrote about draft guidance released by the Australian Securities and Investments Commission (ASIC) on the significant impending changes to Australia’s breach reporting regime.
We summarised notable key aspects of the draft guidance and the implications for financial services licensees and credit licensees as they continue to prepare for the new regime to commence on 1 October 2021.
ASIC sought feedback on the draft guidance by 3 June 2021. As part of the stakeholder consultation process, Herbert Smith Freehills provided a written submission to ASIC focussing on three key areas of the regime and proposing solutions to some identified issues.
In this briefing, we highlight the key points in the submission and consider how licensees should deal with areas of continuing uncertainty in preparing for the reforms.
CP 340: CONSULTATION ON DRAFT GUIDANCE
In April, ASIC released Consultation Paper 340 (CP 340) which attached:
a draft revised Regulatory Guide 78 (Draft RG 78) entitled Breach reporting by AFS licensees and credit licensees; and
a draft information sheet on the “notify, investigate and remediate” obligations in situations affecting retail clients who receive personal advice or credit clients who use a mortgage broker.
- Knowledge: Under the new regime, a licensee must lodge a report with ASIC within 30 days after the licensee first knows that, or is reckless with respect to whether, there are reasonable grounds to believe a reportable situation has arisen. Understanding when a licensee forms the relevant state of mind will be pivotal in establishing and implementing processes to comply with the new regime. In Draft RG 78,[2] ASIC relies on s 769B(3) of the Corporations Act 2001 (Cth) (Corporations Act)[3] to ascribe knowledge to anyone in the organisation who is acting within the scope of their actual or apparent authority. If ASIC’s position is accepted, any employee or agent can be shown to possess the relevant knowledge, attributable to the licensee, provided they obtained that knowledge within their apparent authority within their employment. Our submission is that this position does not accurately reflect s 769B(3)[4] in that it ignores the requirement that the person with the relevant state of mind is also the person “by whom the conduct is engaged in”. We say that the “conduct” in this context must be an alleged failure to lodge a breach report within the 30-day period, and s 769B(3) can therefore only operate to attribute to the licensee the state of mind of the person or persons within the licensee who is/are responsible for compliance with the breach reporting obligation.
- “Deemed significant” obligations: Sections 912D(4) of the Corporations Act and 50A(4) of the National Credit Act mean that a single breach of any one of hundreds of legislative provisions is reportable, regardless of whether it would be characterised as “significant”. This is a significant change and presents risks of non-compliance and/or inconsistency across licensees, contrary to the purpose stated at paragraph 11.37 of the Explanatory Memorandum to the amending legislation.[5] We propose that ASIC publish and maintain a list of “deemed significant” provisions, as an important measure to promote compliance with the regime and put licensees on a more equal footing in seeking to achieve such compliance.
- Investigations: Understanding when an “investigation” (within the meaning of sections 912D(1) of the Corporations Act and 50A(1) of the National Credit Act) begins will be pivotal for licensees as they establish and implement their processes to comply with the new requirements to report investigations that run for more than 30 days. Aspects of the guidance in Draft RG 78 create uncertainty in this area, as they suggest that various preliminary or other steps may be regarded by ASIC as investigations for the purpose of those sections. We submit that too broad an interpretation of “investigations” might actually impede licensees’ ability to conduct and track investigations and report them to ASIC in keeping with the objectives of the new regime. We propose amendments to Draft RG 78 in this regard, including further examples of steps that would not have the status of (relevant) investigations.
PREPARING FOR 1 OCTOBER 2021
Licensees can expect final versions of the guidance to be released during quarter 3 2021, leaving potentially a very short window between the release of the guidance and the commencement of the new regime. While the consultation process was an opportunity to influence ASIC’s guidance and seek clarification on key aspects of it, there is no guarantee that the submissions of stakeholders will be accepted or acted upon by ASIC.
Licensees should continue to refine their breach reporting practices in preparation for 1 October 2021 on the basis that ASIC’s view is as set out in the draft guidance, and consider seeking legal advice on issues of complexity or uncertainty in seeking to apply the new regime to their own systems and processes.
1. CP 340, page 4.
2. Paragraphs RG 78.73 to 78.77.
3. Section 324(3) is the equivalent provision in the National Consumer Credit Protection Act 2009 (Cth) (National Credit Act).
4. CP 340, page 4.
5. Or the relevant paragraph (11.81) of the Explanatory Memorandum to the amending legislation.
6. “The purpose of the deemed significance test is to provide greater certainty for industry and to ensure significant breaches are reported to ASIC in a timely manner.”