news item

Credit licensees required to meet new breach reporting obligations from 1 October 2021

Published

8 October 2021

Breach reporting obligations now apply to Australian credit licensees

Breach reporting reforms for Australian financial services (AFS) licensees and credit licensees commenced on 1 October. These obligations extended to credit licensees for the first time.

Unlike AFS licensees, credit licensees do not have to report breaches that occurred before 1 October, even when identified after 1 October 2021. Credit licensees have 30 days to report from when they know of the existence of a reportable situation.

We recognise there will be a period of transition as industry finalises implementation of additional compliance measures. We will take a reasonable approach in regulating the early stages of these reforms provided industry participants apply best efforts to comply. In adopting this approach, ASIC will take into account the context in which firms are operating.

These  reforms allow for greater transparency across systemic problems affecting consumers and firms. This will help ASIC to identify issues earlier and address them more quickly.

More information about the breach reporting reforms can be found under media release 21-235MR ASIC publishes guidance on breach reporting.

Updated resources for licensees

ASIC has updated Regulatory Guide 78: Breach reporting by AFS licensees and credit licensees (RG 78) and provides guidance as to what licensees must report to ASIC and when to report it.

To assist industry, the ASIC website has been further updated to include:

We also published Information Sheet 259: Complying with the notify, investigate and remediate obligations (INFO 259). This sets out actions that must be taken by credit licensees who provide mortgage broking services to consumers (either directly or through their representative) to notify affected customers of a breach of the law, investigate the breach and remediate impacted customers in certain circumstances.

Getting ready

Licensees should already be registered on the ASIC Registration Portal for their annual industry funding obligations.

However, individuals responsible for submitting reportable situations on behalf of their Licensee may need to create a portal account and be given access to the licensees they represent.

Licensees are encouraged to organise portal access for relevant employees as soon as possible. The portal's frequently asked questions page has guidance on how to invite someone to connect to a licensee in the portal.

You can send questions about the changes to feedback.breach@asic.gov.au.

ASIC is Australia’s corporate, markets and financial services regulator.

Media enquiries: Contact ASIC Media Unit