Credit licensees required to meet new breach reporting obligations from 1 October 2021
8 October 2021
- From 1 October 2021, breach reporting obligation will extend to Australian credit licensees for the first time
- ASIC has given guidance to industry on how to comply, including updating Regulatory Guide 78 Breach reporting by AFS licensees and credit licensees, frequently asked questions and information for submitting reportable situations to the ASIC Regulatory Portal
- Licensees should visit our Breach reporting webpages for information on what constitutes reportable situations and how to submit a reportable situation
Breach reporting obligations now apply to Australian credit licensees
Breach reporting reforms for Australian financial services (AFS) licensees and credit licensees commenced on 1 October. These obligations extended to credit licensees for the first time.
Unlike AFS licensees, credit licensees do not have to report breaches that occurred before 1 October, even when identified after 1 October 2021. Credit licensees have 30 days to report from when they know of the existence of a reportable situation.
We recognise there will be a period of transition as industry finalises implementation of additional compliance measures. We will take a reasonable approach in regulating the early stages of these reforms provided industry participants apply best efforts to comply. In adopting this approach, ASIC will take into account the context in which firms are operating.
These reforms allow for greater transparency across systemic problems affecting consumers and firms. This will help ASIC to identify issues earlier and address them more quickly.
More information about the breach reporting reforms can be found under media release 21-235MR ASIC publishes guidance on breach reporting.
Updated resources for licensees
ASIC has updated Regulatory Guide 78: Breach reporting by AFS licensees and credit licensees (RG 78) and provides guidance as to what licensees must report to ASIC and when to report it.
To assist industry, the ASIC website has been further updated to include:
- The specific questions and logic of the approved form you must use when reporting to us through the ASIC Registration Portal from 1 October.
- Guides on how to submit reportable situations in the portal.
- Updated frequently asked questions
We also published Information Sheet 259: Complying with the notify, investigate and remediate obligations (INFO 259). This sets out actions that must be taken by credit licensees who provide mortgage broking services to consumers (either directly or through their representative) to notify affected customers of a breach of the law, investigate the breach and remediate impacted customers in certain circumstances.
Licensees should already be registered on the ASIC Registration Portal for their annual industry funding obligations.
However, individuals responsible for submitting reportable situations on behalf of their Licensee may need to create a portal account and be given access to the licensees they represent.
Licensees are encouraged to organise portal access for relevant employees as soon as possible. The portal's frequently asked questions page has guidance on how to invite someone to connect to a licensee in the portal.
You can send questions about the changes to email@example.com.
ASIC is Australia’s corporate, markets and financial services regulator.