New breach reporting obligations for financial services are here: What does that mean?

Six law reforms by the Australian Securities and Investments Commission (ASIC), arising out of recommendations from the Royal Commission into Misconduct in Banking and findings from the ASIC Enforcement Review Taskforce came into effect on October 1, 2021.  The new regime expands breach reporting obligations for Australian Financial Services (AFS) Licensees and Australian Credit (AC) Licensees which require significant modifications to the breach reporting processes within financial institutions to minimise the risk of incurring penalties, sanctions and fines for non-compliance.

With reference to several reputable and professional industry and government publications, this article provides an overview of what the changes mean For AFS and AC Licensees and share insights regarding the type of systems and processes that can facilitate compliance with the new obligations.

Background

In 2018, an analysis into the breach reporting processes of 12 financial services groups conducted by ASIC revealed it was taking large financial institutions an average of 4.5 years to identify significant breach incidents. A publication by Gadens provides further insight which demonstrates the main reasons licensees were failing to report within the required time frame included:

• • A failure to report and escalate issues internally within the organisation
  • Inadequate internal records maintained that considered whether to report an issue
  • Inadequate systems maintained to ensure compliance with breach reporting requirements.

Read more: Are you prepared? October breach reporting changes loom

Accordingly, the reforms seek to provide consumers with more robust and longer-term protections by eliminating the occurrence of inconsistent, inadequate, and delayed breach reports.

In particular, the reforms close regulatory gaps, and give ASIC greater visibility of issues within the market such that ASIC can identify and resolve problems in a more punctual and effective manner. To that affect, the new reporting obligations are more consistent, clear, and timely across the industry. They implement Recommendations 1.6, 2.8, 2.9, and 7.2 of the Final Report of the Royal Commission and are issued in Schedule 11 of the Financial Sector Reform Act 2020.

A significant new element of the reporting obligations is the scope of what is deemed a ‘reportable situation.’

A publication by PWC provides a succinct yet detailed summary of what now constitutes as ‘reportable situations’, which, as outlined in the new section 912D of the Corporations Act, includes:

1. 1. A breach or likely breach of core a “core obligation” by the AFS Licensee or its Representative which is significant;
   2. An AFS Licensee or its representative are no longer able to comply with the core obligations, and the breach if it occurred, would be significant;
   3. An investigation into whether there is a reportable situation of the kind mentioned in paragraph (1) or (2), and the investigation continues for more than 30 days;
   4. An investigation described in paragraph (4) concludes that there is no reportable situation.

Further, and in addition to the requirement to report significant breaches of core obligations, the regime extends reportable situations to include where an AFS Licensee or its representative has engaged in conduct constituting gross negligence or where they have committed serious fraud.

Read more: October looms – are you ready for the new breach reporting regime?

Summary of key changes for licensees:

• • Wider scope of matters that must be reported to ASIC
  • Introduction of the objective ‘deemed significant’ breach threshold (replacing the subjective assessment of ‘significance’ of a particular issue)
  • Introduction of a breach reporting regime for credit licensees
  • 30-day breach reporting obligation from the date the licensee becomes aware of a breach

Implications for licensees:

• • Increase in number of ‘reportable situations’ for licensees
  • Increased exposure to potential civil or criminal penalties for each non-compliance/failure to report for licensees
  • Greater potential for personal liability for licensee’s executives for non-compliance/failure to report that constitutes a breach of the Financial Accountability Regime (FAR)

Read more: Breach Reporting by AFS licensees and AC licensees

Systems and processes required

For financial service institutions that operate in Australia, the reforms signify a dramatic shift in the regulatory landscape that demands implementation of new reporting practices and processes to address potential regulatory breaches, fee miscalculations, deficient consumer advice, cyber-attacks, and other issues.

The stricter reporting obligations and harsher penalties mean it is imperative that systems and processes are implemented to timely and cost-effectively support breach identification, investigation, reporting and remediation to ensure compliance with the new regimes.

As such, the systems and processes should streamline and expedite the internal flow of information to the risk functions, and externally to expert legal advisors when, as, and if required. That said, now is when financial service institutions should consider the impact the new changes will have on their organisation. It is essential that licensees conduct a gaps analysis to evaluate their processes and proactively identify solutions that can be implemented to assist their organisation to meet the new industry reporting requirements.

With time of the essence and resources constrained, it can be helpful to ask the following questions:

• • Do you have the right people in place with the right expertise?
  • Do you have adequate processes and policies in place for staff to identify and report potential breaches early?
  • Have you proactively set up and mapped out external advisory support with your law firms to meet the additional timeframes?

Financial Services Breach Manager Platform

In addition to process mapping, ‘off the shelf’ technology and software solutions can assist financial institutions to successfully navigate and comply with the new regime.

One such solution is the Gadens Breach Manager. The Gadens Breach Manager was developed by Gadens alongside Lawcadia, with a goal to prepare and support financial service organisations as they adapt their process to reflect and comply with the new regulatory regimes. Specifically, the Gadens Breach Manager can assist risk and compliance teams with identifying, investigating, and reporting potential breaches defensibly, time and cost-effectively.

The cloud based RegTech platform streamlines the collation of information, assessment and reporting process to one online depository to ensure compliance and thereby reduce the risk of legal ramifications of non-compliance for financial service institutions and their senior executives.

Navigating the scale of these provisions, some of which may be unfamiliar to organisations, will be challenging and technology solutions such the Gadens Breach Manager will be crucial for financial services organisation as they become familiar with the new compliance and reporting requirements under this reform.

Conclusion

The new stringent breach reporting obligations, coupled with the harsher consequences for non-compliance means AFS and AC Licensees must be proactive and significantly modify their breach reporting processes and systems to avoid potential sanctions, fines or penalties. With time of the essence, it is prudent to conduct a gaps analysis to evaluate how the changes will affect the organisation, and subsequently identify the technology solution or process that can support the breach reporting function and minimise the risks associated with failing to comply.