Background
Under the reportable situations regime, Australian financial services and credit licensees are required to submit notifications to ASIC about all breaches of MDC provisions or CPPs (subject to certain limited exceptions). Breaches of these provisions are deemed “significant” breaches of “core obligations” under section 912D(4)(b) and (c) of the Corporations Act 2001 (Cth) ("Corporations Act") and section 50A(4)(b) and (d) of the National Consumer Credit Protection Act 2009 (Cth) ("National Credit Act").
ASIC notes that this automatic reporting requirement has led to reports that are of limited value to ASIC but still involve a cost for licensees. In light of this, ASIC’s proposed relief seeks to strike a balance between reducing the reporting burden on licensees and upholding the objectives of the reportable situations regime.
In more detail
The proposed ASIC instrument establishes additional reporting relief for MDC and certain CPP contraventions of the core obligations under section 912D(4) of the Corporations Act and section 50A(4) of the National Credit Act where all of the following circumstances apply:
- The breach has been rectified within 30 days from when it first occurred (and remediation has been paid if required); and
- The number of impacted consumers is fewer than five; and
- The total financial loss or damage to all impacted customers resulting from the breach does not exceed AUD 500 (including where the loss has been remediated); and
- The breach is not a contravention of clearing and settlement services rules or rules relating to reporting client monies.
Despite this proposed relief, licensees should be aware that relevant breaches could still be reportable under other circumstances in section 912D of the Corporations Act and section 50A of the National Credit Act. For example, these breaches could be “significant” as a result of there having been a number of similar breaches under section 912D(5)(a) of the Corporations Act and section 50A(5)(a) of the National Credit Act.
In addition, ASIC has reiterated that the proposed relief does not affect licensees’ obligations to have systems and processes in place for identification, escalation, investigation, rectification and capture of incidents and breaches as part of their general obligations to maintain adequate risk management systems and to ensure compliance with their licensee obligations.
Next steps
We consider this proposed relief a step in the right direction by ASIC to assist licensees with their compliance costs in relation to information that is of little value to ASIC. ASIC is requesting feedback on the consultation before 5 pm AEDST on Tuesday 11 March 2025.