Treasury consults on the breach reporting regime for Australian financial services licensees and Australian credit licensees
The Commonwealth Treasury’s consultation on the current self-reporting regime for breaches of Australian financial services (AFS) licences, and on the proposed introduction of a self-reporting regime for breaches of Australian credit licences, is due to conclude on 12 May 2017. Licensees are reminded of the short window in which submissions can be made on this important consultation. This update discusses the positions for breach self-reporting proposed in the consultation.
The consultation paper was written by the Enforcement Review Taskforce, entrusted with reviewing the Australian Securities and Investments Commission’s (ASIC) broader enforcement regime, and arrives 14 years after the last changes to breach reporting. Amongst the proposals, the paper suggests clarifying when reporting obligations are triggered, increasing accountability, introducing new penalties and heightening penalties for not reporting breaches, and requiring ASIC to publish data on breach reports by AFS licensees.
The current regime
Currently, only AFS licensees are required to make a written report to ASIC of significant breaches or likely breaches of their obligations. This report must be made within ten days of the licensee becoming aware of the breach or likely breach.
However, this regime of self-reporting has come under increasing scrutiny following media reports and inquiries into banking and financial services related misconduct. ASIC has outlined the following concerns regarding the regime’s effectiveness:
- the subjectivity and qualitative nature of the ‘significance’ test has led to inconsistent reporting;
- employees and representatives, as providers of financial advice, are not captured under the obligation to report;
- the ambiguity around the timing for reporting and delays in reporting as a result of licensees assessing whether breaches or likely breaches are significant; and
- the lack of flexibility in sanctioning failures to report.
The Taskforce’s proposed changes
In the consultation paper, the Taskforce has outlined preliminary positions on a set of reforms to enhance the current regime. Broadly, these positions are:
- The ‘significance test’ for determining whether to report breaches should be retained but clarified to ensure that the significance of breaches is determined objectively. This could be achieved, for example, by providing that AFS licensees are required to notify ASIC of matters that a reasonable person would regard as significant, having regard to the existing criteria for reporting. The flexibility in the existing criteria would be maintained, with the ability to prescribe additional factors in the regulations.
- Consistent with a number of other international jurisdictions, the obligation for licensees to report should be extended to expressly include significant breaches or other significant misconduct by an employee or representative.
- The Taskforce proposes a ten business day timeframe for licensees to report a breach from the time the obligation to report arises. This timeframe would therefore commence from when the AFS licensee becomes aware or has reason to suspect that a breach has occurred, may have occurred or may occur, rather than when the licensee determines that the relevant breach has occurred and is significant.
- The monetary and custodial penalties for failure to report as and when required should be increased to make a contravention indictable to deter deliberate non-compliance with the reporting obligation.
- A civil penalty should be introduced, in addition to the criminal offence, for failure to report as and when required, giving ASIC greater flexibility in choosing an avenue to pursue.
- ASIC should be empowered to issue infringement notices for failure to report breaches as and when required.
- The self-reporting regime should encourage a co-operative approach in which licensees report breaches, suspected or potential breaches, or employee or representative misconduct at the earliest opportunity. This could be achieved by creating a formal provision expressly allowing ASIC to decide not to take action in respect of licensees when they self-report and certain additional requirements are satisfied.
- Self-reports should have their required content prescribed by legislation and should also be delivered electronically.
- A self-reporting regime for credit licensees, equivalent to the regime for AFS licensees, should be introduced. The increased compliance burden can be offset by making Compliance Certificates less onerous to complete.
- Qualified privilege must continue to apply to licensees so as to ensure licensees are protected from third party liability when making reports in good faith pursuant to the requirements of the regime.
- The additional reporting requirement for responsible entities should be removed as it creates an unnecessarily complex regulatory burden.
- The existing ASIC reporting framework could be supplemented by an annual publication of breach report data for firms or licensees, providing greater accountability and incentivising improved behaviour. This reporting should initially be confined to significant breaches at the licensee level and could extend to identifying the operational area of the licensee’s organisation in which the breach occurred.
Those interested in making a submission are reminded that submissions are due by 12 May 2017. The Taskforce is looking to provide recommendations to the Government by the end of September 2017.