Changes to how AFS licensees and Australian credit licensees report breaches

From 1 October 2021, Australian financial services (AFS) licensees and Australian credit licensees are required to submit reportable situations (previously breach reports) to ASIC via the ASIC Regulatory Portal. Key points and some frequently asked questions are shown below.

Key points

  • Effective 1 October 2021, AFS and Australian credit licensees will be required to submit reportable situations to us via the approved form available in the ASIC Regulatory Portal.
  • Submitting reportable situation transactions via online forms on the portal will feature mandatory fields designed to help licensees comply with their obligations.

The main changes in relation to breach reporting are:

  • The regime is extended to Australian credit licensees.
  • Licensees must report to ASIC in a broader range of situations:
    • significant (or likely) breaches of core obligations;
    • investigations that continue for more than 30 days into whether a significant breach of a core obligation has occurred and outcomes of those investigations;
    • gross negligence or serious fraud; and
    • serious compliance concerns about individual financial advisers or mortgage brokers operating under another licence.
  • The reforms deem a number of situations to be significant and therefore reportable (for example, a contravention of a civil penalty provision).
  • Under the reforms, licensees will be required to lodge breach reports within 30 calendar days (not the 10 business days under the current law) after the licensee first knows that there are reasonable grounds to believe a reportable situation has arisen.

The main changes in relation to the 'notify, investigate and remediate' obligations are:

  • The reforms create new obligations for licensees of financial advisers who provide personal advice to retail clients and licensees of mortgage brokers who provide credit assistance in relation to residential mortgages.  The obligations require licensees to notify affected clients of certain breaches of the law, investigate those breaches and remediate customers within prescribed time frames.

I hold an AFS licence and/or Australian credit licence – what do I need to do?

Most licensees have registered on the ASIC Regulatory Portal as part of their annual industry funding obligations.

If you are an AFS/Australian credit licensee with an existing ASIC Regulatory Portal account, from 1 October 2021, two new 'transactions' will be available to you in the portal.

These transactions allow AFS licensees and Australian credit licensees to notify ASIC of ‘reportable situations’ obligations under Div 3 of Pt 7.6 of the Corporations Act 2001 (Corporations Act) and Div 5 of Pt 2-2 of the National Consumer Credit Protection Act 2009 (National Credit Act).

What information am I required to provide to ASIC as part of a reportable situation?

Two new 'transactions' will be available to you in the portal. Conditional logic in the transactions will generate only relevant questions depending on the nature and type of reportable situation being lodged. We will require minimal free text information and will not require additional attachments.

A draft version of our two new forms can be accessed below. These are ‘wireframes’ * so will contain the proposed questions you will be asked, the answers that will be available to you and the conditional logic that will be applied (e.g. what further questions or sections that will generate from answering a particular question a certain way). Further information about what the forms will look like will be released later.

*The content of these wireframes is subject to change

Does ASIC expect an increase in the volume of reporting as a result of the reforms?

Yes.  ASIC expects a significant increase in the volume of breach reports.  This is consistent with the legislative intent to expand the types of situations that must be reported to us, for example:

  • the extension of the breach reporting regime to credit licensees;
  • the deemed ‘significance’ provisions; and
  • the obligation to report investigations into possible breaches that continue for more than 30 days.

Will the Regulatory Portal have bulk/batch upload capability?

Bulk uploading capability will not be available on commencement. 

However, ASIC will be enabling Licensees the ability to report multiple instances of relatable Reportable situations in one transaction.

Will ASIC be providing guidance on what some terms mean (for example, the meaning of 'investigation' and 'recklessness'?)

These are new terms under the reforms that are coming into effect from 1 October 2021.  Earlier this year, we consulted on a draft guidance (draft RG 78 which provides guidance on these terms based on the law.  We have included some examples to illustrate the requirements. We are currently working on finalizing our draft regulatory guidance (RG 78), and this will be released ahead of the commencement of the reforms, in August 2021.

When does ASIC’s obligation to publish data from breach reporting commence?

As part of the reforms, ASIC has a statutory obligation to publish information about reports lodged with ASIC each financial year, with reports to be published on our website within 4 months after the end of the financial year. This applies in relation to financial years on or after 30 June 2022. It is likely that a separate project will be established to identify our approach to this obligation.

What is the ASIC Regulatory Portal?

The ASIC Regulatory Portal will become your central access to ASIC's growing suite of digital regulatory services.

The portal will also feature:

  • a record of previous reportable situations transactions
  • the ability to track the status of submitted reportable situation transactions reports.
  • the ability to correspond with ASIC online about submitted reportable situations.

Key features

  • allows you to act on behalf of multiple entities (individuals or organisations) – for example, you may be a company officeholder (director or secretary of a company) in which case you can register and claim that entity. You can then invite others to act on your behalf or you may be invited by an entity or an officeholder to act on their behalf.
  • uses information you have previously supplied to pre-fill applications and transactions.
  • tracks the status of your applications and transactions.
  • ensures greater security through use of your own individual portal user account and password.
  • enables you to define user access levels that control what others can do on behalf of an entity or individual – for example, you can authorise another user to launch and edit a transaction, but only you can submit.

Where do I go if I need help registering for or using the portal?

The ASIC Regulatory Portal help page has resources to help you get up to speed with using the portal. These include step-by-step user guides, FAQs and videos to help you – from registering your account to connecting your registration and inviting trusted representatives to act on your behalf

Still have a question?

You can send questions about this change to: feedback.breach@asic.gov.au

What's new

More financial service releases

ASIC industry funding

Last updated: 05/02/2020 12:00