Australia: Updated ASIC guidance on Breach Reporting by AFS Licensees and Credit Licensees

In brief

The Australian Securities and Investments Commission (ASIC) has provided updated guidance on the breach reporting regime applicable to Australian Financial Services Licensees and Credit Licensees (the regime). ASIC's updated guidance is set out in a new version of Regulatory Guide 78, 'Breach Reporting by AFS Licensees and Credit Licensees' (RG 78), published 27 April 2023.

In August 2022, ASIC announced in its 2022-23 priorities that greater focus would be directed towards improving the operation of the reportable situations regime. The regime commenced on 1 October 2021 and applies to all Australian Financial Services Licensees and Credit Licensees (together, Licensees).


Key takeaways 

Under the updated guidance, Licensees are now expected to actively update ASIC on reported breaches at least once every six months, and whenever material changes to the reported breach have occurred. Material changes may include changes to the nature, impact or extent of the reportable situation, as discussed in more detail below.

In an attempt to make breach reporting processes more consistent across the industry, ASIC also provides updated guidance on several key areas, including:

  1. The timing and substance of updates to reports
  2. Situations for grouping of reports
  3. Factors to consider when providing descriptions of reportable situations
  4. Investigation triggers and root cause definitions
  5. Factors for determining whether a situation is 'similar' to past incidents
  6. Calculating the number of people affected by an error
  7. Circumstances which permit amendment or withdrawal of reports

In depth 

Reported breach updates

ASIC will seek an update from the licensee on the progress and status of a reported breach at least once every six months. An update should also be provided where material changes to the nature, impact or extent of the reportable situation have occurred, and where the licensee's investigation has been completed and the root cause has been rectified.

Additionally, once the update functionality on the ASIC Regulatory Portal has been used for a particular reportable situation, the licensee may use that function to report any further reportable situations arising in connection with the original reportable situation, instead of lodging a new report with ASIC.

Licensees may also use the update functionality in any other way they consider appropriate to keep ASIC informed of the progress of reportable situations.

Grouping multiple situations

Licensees may now group multiple related reportable situations into a single report submitted to ASIC where both limbs of the following 'grouping test' are satisfied:

  1. The conduct is similar, related or identical in its factual circumstances
  2. The underlying cause of the breach is the same for all reportable situations (e.g. staff negligence or human error)

ASIC has clarified that even where the conduct involves different individuals, the reports may be grouped together as long as the root cause is identical. This means a single report can be submitted where, for example, the conduct shares the same root cause but involves different licensees, or an AFS licensee and a credit licensee, provided that this is identified within the report.

Description of reportable situations

In submitting the report, entities are required to provide a description of the reportable situation. To ensure that the quality of descriptions is consistent, ASIC has set out considerations licensees must take into account when describing a reportable situation: the details of the situation, how it constitutes a breach of the entity's obligations, how it was identified, why it occurred, and details of any impacted clients and/or licensees. The description should also address any steps that have been, or will be, taken to address the underlying cause of the conduct. ASIC expects this clarity to reduce the regulatory burden the reporting standards place on the industry.

Clarity on investigation triggers and root causes of breach

ASIC has provided new definitional guidance to help licensees identify investigation triggers and root causes more accurately. The updated regulatory guide elaborates on each of the root cause and investigation trigger options available on the reportable situations form, with embedded form guidance. The aim is to ensure that accurate and consistent data is submitted to ASIC when identifying the likely causes of a breach, in order to support meaningful public reporting.

'Similar' reportable situations

ASIC has set out its expectations as to when a situation is 'similar' to a previously reported breach. Factors to be considered include the nature of the breach, the legislative provisions that may have been contravened, the underlying root cause of the breach, any relevant compliance arrangements or controls, and the nature of any client impact.

To minimise the regulatory burden on the industry, ASIC has not stipulated a specific lookback period. Instead, in determining how far back to look, licensees must consider whether the issue is likely to be repeated, or whether it may instead reflect a broader systemic issue.

Calculating the number of clients affected

ASIC has provided illustrative examples to assist licensees in determining which clients have been affected. In ascertaining the number of clients affected, both the financial and the non-financial impact of the breach must be considered. Where the error involves the making of incorrect offers, the number of clients affected should be calculated based on the number who attempted to accept the incorrect offer. Where instead there has been an error in a disclosure document, the number affected includes everyone to whom the incorrect document was provided, even where the error only resulted in a misunderstanding among consumers.

ASIC has also stated that holders of joint accounts should be counted individually, unless the licensee's systems do not allow joint accounts to be disaggregated, in which case this must be disclosed within the report.

Report withdrawals

Reports cannot be amended or withdrawn directly on the ASIC Regulatory Portal. However, ASIC has provided examples of circumstances in which a report may be withdrawn or corrected upon direct request to ASIC. These include where a report contains material factual errors, where additional or more accurate information comes to light, or where a change is required to a field that has been greyed out in the report. ASIC will not approve such a request where there are only minor factual errors, or where the matter is no longer considered reportable.

Next steps 

The changes to the prescribed form for lodging reportable situations (accessed via the Regulatory Portal) are expected to be implemented on 5 May 2023. Further consultation by ASIC on its approach to breach reporting is also expected in 2023. Should you require advice on your breach reporting obligations, please don't hesitate to contact us.


Copyright © 2024 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. 
Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.