Legal development

Notifying reportable situations: Explaining ASIC's updated guidance


    What you need to know

    • Updated RG 78 clarifies a number of aspects of the regime applicable to breach reporting and other reportable situations, with a view to assisting licensees with making notifications to ASIC.  This includes clarifying the types of information that must be included when licensees describe reportable situations
    • ASIC has also made changes to the prescribed form for reporting, which will go-live 5 May 2023.  These changes largely reflect ASIC's updated regulatory guidance, though a number of further drafting changes have also been made to ensure that licensees are providing the required information to ASIC
    • ASIC proposes to continue engaging with industry to improve the operation of the reportable situations regime and will be undertaking further consultation in due course

    What you need to do

    • Ensure that those within your organisation responsible for making notifications are familiar with ASIC's updated guidance and are aware of how this impacts the form that reports should take moving forward
    • Update your existing processes and compliance frameworks to ensure that they are compatible with ASIC's updated guidance

    Background

    Following industry consultation in late 2022, ASIC has released updated guidance on the reportable situations regime to assist licensees with meeting their reporting obligations, as well as to enhance the consistency and quality of reporting practices across industry.

    The changes, which were first contemplated as part of ASIC's 2022-23 priorities, specifically respond to various implementation challenges that have been identified following the regime's introduction in October 2021.  They include updates to RG 78 to assist licensees with determining the types of information that must be included in breach reports, as well as how licensees ought to keep ASIC informed of updates relevant to an existing report.  ASIC has also made changes to the prescribed form for lodging reportable situations to reflect the guidance in updated RG 78 and to reduce the regulatory burden associated with notifying ASIC of reportable situations.

    ASIC has indicated that it will continue to consult on ways in which it can enhance the reportable situations regime, with further updates expected in due course.

    For more information on the reportable situations regime, please see our previous Financial Services Update.

    Key updates to RG 78:

    The key changes that have been made to RG 78 are set out below, by topic, with an overview of each:

    Consolidating multiple reportable situations into one report

    ASIC has now clarified the circumstances in which licensees may group multiple reportable situations into one breach report.
    In particular, the updated guidance notes that reportable situations may be grouped and reported in a single report when both limbs of the below "grouping tests" are satisfied:

    (a)  there is similar, related or identical conduct – that is, conduct involving the same or very similar factual circumstances; and

    (b)  the conduct has the same root cause.

    ASIC has specifically identified that reports can be grouped where the conduct involves separate occasions of staff negligence or human error.  However, where a licensee determines multiple reportable situations to be attributable to the same negligence or error, it must satisfy itself that there is no broader failure or relevant root cause that has given rise to this negligence or failure (e.g. a failure to adequately train staff or a failure of internal systems).

    Describing reportable situations in the Regulatory Portal

    In light of concerns relating to the consistency of responses provided by licensees to the "Describe the reportable situation" free-text field in the Regulatory Portal, ASIC has introduced guidance for licensees to assist with appropriately responding to this section.

    Relevantly, ASIC's guidance in this regard is scalable, in that it asks licensees to adopt an approach to this section which:

    (a)  takes into account the impact, nature and complexity of the reportable situation; and

    (b)  considers whether further or more detailed information, beyond that which is captured through the structured data fields, would assist ASIC's understanding of the reportable situation.

    The intention appears to be that licensees are not bound to provide overly detailed reports in respect of less significant breaches.

    Updating existing breach reports

    Noting ASIC's interest in remaining informed on the progress and status of reported breaches, ASIC has introduced guidance setting out its expectations for updates related to reported breaches.

    In this regard, ASIC has stated that its minimum expectation is that licensees provide updates at least every six months (where applicable), as well as where there are any material changes to a licensee's understanding of the nature, impact or extent of the reportable situation.  ASIC also expects to be updated upon a licensee completing its investigation, rectifying the root cause(s) of the reportable situation and its customer remediation process. 

    Identifying investigation triggers and root causes

    ASIC has expanded the definitional guidance relating to the "What triggered the investigation or made you aware of the matter?" and "What are the root causes of the breach or likely breach?" sections of the prescribed form.

    The updated guidance includes definitions for each answer option to the relevant questions, noting that previously a number of questions were undefined.  This caused significant confusion for licensees when completing the form, while it also prevented ASIC from obtaining key regulatory data.

    ASIC had separately considered whether it would be appropriate to streamline these queries, yet ultimately decided to retain the existing question and answer options and provide this additional guidance.  This was on the basis that it would minimise the changes that licensees were required to make to their internal systems.

    "Similar" reportable situations

    Updated RG 78 also includes guidance to help licensees understand what constitutes a "similar" reportable situation.  In particular, ASIC considers that licensees should consider the purpose of the question when undertaking this assessment – that is, do the reportable situations reflect a repeated issue or a broader systemic issue?

    Licensees are also required to consider the impact, nature and complexity of the reportable situation to determine whether it is appropriate to identify that a reportable situation is similar to one which has previously occurred.

    Relevantly, ASIC also considered imposing a six-year lookback requirement, under which licensees would be required to look back this length of time to identify similar reportable situations.  This approach was not ultimately adopted, noting that industry expressed concerns that this could cause significant regulatory burden.  

    Calculating the number of affected clients

    In order to assist licensees with understanding ASIC's expectations when specifying the total number of clients a reportable situation affects, or will likely affect if the breach does not occur, RG 78 clarifies when a client should be considered to be "affected".

    In particular, RG 78 introduces two new illustrative examples which provide certainty as to how a licensee can determine who is, or is likely to be, impacted by a reportable situation.

    Withdrawing and correcting breach reports

    While the update functionality is generally available on the ASIC Regulatory Portal, limits are intentionally placed on certain fields which prevent licensees from amending their entries.  This reflects ASIC's expectation that licensees lodge complete and accurate reports in respect of their reportable situation.

    Having said this, RG 78 outlines a number of circumstances in which a licensee can apply to ASIC to have a report withdrawn or corrected on a case-by-case basis.

    This relevantly includes where:

    (a) there are material factual errors in the report (e.g. an incorrect licensee has been selected or an incorrect selection on a key field has been made);

    (b) additional or more accurate information comes to light in respect of a submitted report;

    (c) a matter is determined to no longer be reportable; or

    (d) there are minor errors contained in a submitted report (e.g. typographical errors).

    In some circumstances, ASIC may simply remove the existing report and request the licensee to submit an updated report with the correct information.


    Changes to the prescribed form for reporting

    ASIC has also proposed a number of updates to the prescribed form for reporting that will come into effect on 5 May 2023.  While a number of these updates have been made merely to reflect and refer back to ASIC's updated regulatory guidance, others involve wholesale drafting changes to clarify the information that ASIC requires from the form.  For example, ASIC has redrafted its question regarding when a licensee becomes "aware" of a reportable situation, such that it instead requires licensees to specify the date when the potential breach, serious fraud and/or gross negligence was first discovered.  Relevantly, this change was made due to many licensees previously interpreting this question as asking when the licensee first determined a reportable situation had arisen (e.g. after some analysis), whereas ASIC sought information about when licensees first discovered the relevant facts which evidenced that there may be a reportable situation. 

    In addition, the new prescribed form will embed further guidance as to what is meant by the term "investigate", including that ASIC has clarified that an investigation will be complete only after a licensee has determined the root cause(s), identified all affected clients and identified all instances of the reportable situation.  This follows various stakeholders expressing confusion as to what is meant by this term, particularly given the additional concept of a "reportable investigation".  ASIC has also embedded guidance in respect of how licensees determine estimates for client loss and the number of clients affected, which responds to concerns about the level of certainty that licensees can provide in the 30-day reporting period.  In this regard, ASIC has stated that these numbers are intended to be "genuine estimates" based on the facts available at the time of reporting.

    Next Steps

    As noted above, ASIC has indicated that it will continue to consult on the reportable situations regime and identify ways in which it can further improve its operation.  ASIC specifically proposes to consider a number of key matters through industry consultation, including, for example, how licensees ought determine the number of reportable situations that relate to a breach or likely breach, as well as how licensees should calculate the number of instances that relate to a reportable situation.

    We expect that ASIC will announce any further consultation prior to this being undertaken and that it will subsequently update its regulatory guidance to reflect the feedback received.

    Authors: Corey McHattan, Partner; Nicky Thiyavutikan, Senior Associate and Jack Collins, Associate.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.