Complying with the notify, investigate and remediate obligations

This is Information Sheet 259 (INFO 259). It is for:

  • Australian financial services (AFS) licensees who provide personal advice to retail clients
  • Australian credit licensees (credit licensees) who provide mortgage broking services to consumers, and
  • their representatives.

It outlines the obligations for licensees to investigate certain breaches of the law and to notify and remediate clients and consumers in certain circumstances. 

Note: In this information sheet, we refer collectively to AFS licensees and credit licensees as ‘licensees’. We refer to the obligations as the ‘notify, investigate and remediate obligations’.

This information sheet explains:

Overview: What are the notify, investigate and remediate obligations?

The notify, investigate and remediate obligations are set out for:

  • AFS licensees in Part 7.6, Division 3, Subdivision C of the Corporations Act 2001 (Corporations Act), and
  • credit licensees in Part 2-2, Division 5, Subdivision C of the National Consumer Credit Protection Act 2009 (National Credit Act).

The obligations require licensees to:

  • notify clients affected by certain breaches of the law
  • investigate the nature and full extent of those breaches, and
  • remediate affected clients within certain timeframes.

Licensees must also maintain records to show compliance with these obligations.

In this information sheet, an ‘affected client’ refers to a client of a financial adviser consistent with the meaning in section 912EA of the Corporations Act or a consumer who receives credit assistance from a mortgage broker in relation to a mortgage over a residential property consistent with the meaning in section 51A of the National Credit Act.

Related guidance

In considering how the notify, investigate and remediate obligations apply, licensees should also take into account our general guidance in:

  • Regulatory Guide 78 Breach reporting by AFS licensees and credit licensees (RG 78): Licensees must report all reportable situations to ASIC as part of their breach reporting obligations. RG 78 gives detailed guidance about the breach reporting obligation, including what constitutes a ‘reportable situation’ and when and how these must be reported to ASIC.
  • Regulatory Guide 256 Client review and remediation conducted by advice licensees (RG 256): The notify, investigate and remediate obligations should be considered in the broader context of the principles in RG 256, which include, for example, considering whether it is efficient, honest and fair to remediate in circumstances where the notify, investigate and remediate obligations do not apply or have ceased applying.

Part A: How do the obligations apply?

This part explains who the notify, investigate and remediate obligations apply to and when the obligations are triggered. If the obligations are triggered, Part B sets out what you must do to comply with the obligations.

Who must comply with the obligations?

The notify, investigate and remediate obligations apply to licensees whose conduct, or that of their representatives, triggers the obligations.

When are the obligations triggered?

The notify, investigate and remediate obligations will be triggered if all four of the following circumstances exist:

  1. personal advice or credit assistance – either:
    • an AFS licensee or one of its representatives provides personal advice to the affected client as a retail client on a ‘relevant financial product’ (these are financial products other than basic banking products, general insurance products, consumer credit insurance, or any combination of these), or
    • a credit licensee or one of its representatives is a mortgage broker who provides credit assistance to the affected client in relation to a credit contract secured by a mortgage over residential property
  2. reportable situation – there are reasonable grounds to believe that a relevant reportable situation has arisen
  3. loss or damage – there are reasonable grounds to suspect that the affected client has suffered, or will suffer, loss or damage as a result of the reportable situation, and
  4. legally enforceable right to recover loss or damage – there are reasonable grounds to suspect that the affected client has a legally enforceable right to recover the loss or damage from the licensee.

To determine if there are ‘reasonable grounds to suspect’, a licensee should consider whether there are facts that would induce a reasonable person to suspect the truth or existence of the circumstances. This threshold relies on the common law meaning of the term ‘reasonable grounds to suspect’ and is not defined by the legislation: see Explanatory Memorandum to the Financial Sector Reform (Hayne Royal Commission Response) Bill 2020 (Explanatory Memorandum), paragraphs 12.28 and 12.29.

Reportable situations relevant to the obligations

The concept of a ‘reportable situation’ relies on the meaning given in section 912D of the Corporations Act and section 50A of the National Credit Act, which deal with licensees’ general breach reporting obligations. What constitutes a reportable situation is explained in more detail in RG 78.

Only a subset of reportable situations will trigger the notify, investigate and remediate obligations. These are:

  • a significant breach of a ‘core obligation’ (section 912D(1)(a) of the Corporations Act or section 50A(1)(a) of the National Credit Act), and
  • conduct that constitutes gross negligence or serious fraud (section 912D(2) of the Corporations Act or section 50A(2) of the National Credit Act).

‘Core obligations’ are the general obligations under sections 912A and 912B of the Corporations Act and section 47 of the National Credit Act. For a summary of the core obligations, see the appendix to RG 78.

To fall within the scope of the notify, investigate and remediate obligations, the reportable situation must have arisen on or after 1 October 2021.

Loss or damage

The term ‘loss or damage’ is not defined in the legislation. In determining whether there is loss or damage to an affected client for the purposes of the notify, investigate and remediate obligations, it is not relevant to consider whether that loss or damage is material.

To trigger the obligations, the loss or damage to an affected client must be a result of the reportable situation, and does not need to be as a result of the personal advice or credit assistance provided: see the Explanatory Memorandum, paragraphs 12.31, 12.109 and 12.110.

Legally enforceable right to recover loss or damage

An affected client may have a legally enforceable right to recover loss or damage. This right may exist if there is a potential claim that, if pursued by the affected client, may be enforced as a judgment by the court against the licensee: see the Explanatory Memorandum, paragraph 12.32.

There are many circumstances in which an affected client will have a legally enforceable right to recover loss or damage arising from a reportable situation. Examples include a licensee’s or representative’s negligence, dishonest conduct, breach of contract or breach of fiduciary duty, or where a compensation order is available (e.g. under section 1317HA of the Corporations Act).

Importantly, if an affected client does not have a legally enforceable right (e.g. because a negligence claim is barred by expiry of the statutory limitation period), you still need to consider the requirements under the existing remediation framework in deciding whether it is efficient, honest and fair to remediate: see Action 4: Remediate affected clients for the breach in Part B of this information sheet.

Part B: How do you comply with the obligations?

The notify, investigate and remediate obligations will apply only if they have been triggered, as set out in Part A: see When are the obligations triggered? This part gives guidance on how to comply with the obligations, including:

Actions a licensee must take

Table 1 summarises the actions a licensee must take if the obligations have been triggered.

Table 1: Overview of how to comply with the obligations

Action

What you must do

When you must act

Action 1: Notify affected clients of the reportable situation

Take reasonable steps to notify affected clients in writing of the reportable situation

Within 30 days

Action 2: Investigate the reportable situation

Start an investigation into the nature and full extent of the reportable situation

Within 30 days

Action 3: Notify affected clients of the outcome of the investigation

Take reasonable steps to notify affected clients in writing of the outcome of the investigation

Within 10 days of the investigation concluding

Action 4: Remediate affected clients for the breach

If there is loss or damage and an enforceable right to recover, take reasonable steps to pay affected clients remediation of an amount equal to the loss or damage

Within 30 days of the investigation concluding

These actions may overlap and are not necessarily sequential. For example, you may choose to:

  • prepare for aspects of the remediation (Action 4) during the investigation (Action 2), or
  • triage affected clients so that you notify and remediate some (Actions 3 and 4), while you continue to investigate others (Action 2).

The law allows ASIC to approve a form that licensees must use to notify clients (Actions 1 and 3). While we have not approved a form at this time, we may do so if we become aware of deficiencies in the approach taken by licensees in communicating with affected clients.

Action 1: Notify affected clients of the reportable situation

You must take reasonable steps to notify the affected client within 30 days after you first know that, or are reckless with respect to whether, the circumstances exist to trigger your obligations: see When are the obligations triggered? in Part A.

The notice to affected clients must be in writing. It should explain:

  • the nature of the relevant reportable situation (the breach), and
  • the basis for the suspicion that the affected client may have suffered, or will suffer, loss or damage.

The types of information we consider are relevant to include in this notice are:

  • the date of the reportable situation
  • a description of the reportable situation
  • the consequences of the reportable situation for the affected client that show they may be affected
  • information about the investigation that is to be carried out
  • when the affected client should expect to hear from you next
  • the client’s relevant consumer rights, such as internal dispute resolution (IDR) and external dispute resolution (EDR) processes, and
  • the licensee’s contact details.

Action 2: Investigate the reportable situation

You must start your investigation within 30 days after you first know that, or are reckless with respect to whether, the four circumstances exist to trigger your obligations: see When are the obligations triggered? in Part A.

As part of the investigation, you must identify the conduct that gave rise to the reportable situation.

You must also quantify the loss or damage that you have reasonable grounds to suspect affected clients have:

  • suffered, or will suffer, as a result of the reportable situation, and
  • a legally enforceable right to recover.

We expect that your investigation will be thorough, complete and robust, and that you will make whatever inquiries are reasonably necessary to determine the nature and full extent of the breach of the law.

During the investigation you may find reasonable grounds to believe that additional reportable situations have arisen or you may identify additional affected clients. This may trigger obligations to report the additional breach to ASIC, and to notify clients of the reportable situation (Action 1), and to investigate and remediate as required within the relevant timeframes.

Your investigation must be completed as soon as reasonably practicable after it starts. What is a reasonable amount of time for an investigation will depend on the circumstances of the case, including the size of your business, the extent and period of the misconduct, and the nature of the loss or damage caused by the licensee: see the Explanatory Memorandum, paragraph 12.58.

When appropriate, it is prudent for you to keep affected clients informed of the progress of the investigation – for example, with interim updates on the investigation: see the Explanatory Memorandum, paragraph 12.68.

Action 3: Notify affected clients of the outcome of the investigation

You must also provide notice, in writing, to affected clients of the outcome of the investigation. You must take reasonable steps to provide this notice within 10 days of the investigation concluding.

This notice should:

  • explain the nature of the breach identified and any related breaches
  • describe how the breach affected the client’s interests, and
  • assess the loss or damage you reasonably believe the affected client is entitled to seek to recover.

Your investigation may find that an affected client you notified at Action 1 has not suffered or will not suffer loss or damage that they have a legally enforceable right to recover. If this is the case, you must still notify them of the outcome of the investigation as described above.

In satisfying this obligation, a licensee has qualified privilege and is protected from a defamation action in relation to the information contained in the licensee’s notice about the outcome of the investigation. The licensee is also not liable for any action based on breach of confidence.

Action 4: Remediate affected clients for the breach

You must take reasonable steps to pay affected clients an amount equal to their loss or damage, within 30 days after the investigation is completed.

The remediation applies to all affected clients who, after the investigation, you have reasonable grounds to believe have:

  • suffered, or will suffer, loss or damage as a result of the reportable situation, and
  • a legally enforceable right to recover that loss or damage.

For clients who fall outside the scope of the obligation to remediate, you must continue to consider the requirements of the existing remediation framework in deciding whether it is efficient, honest and fair to remediate.

As stated in paragraph 12.33 of the Explanatory Memorandum: ‘… affected clients may still have rights that they are able to pursue through internal dispute resolution and through [the Australian Financial Complaints Authority]. Licensees should take this into account in determining whether they should extend the breadth of their remediation.’

For affected clients that you remediate, you may consider providing non-monetary remedies alongside the compensation provided. For example:

  • rescinding the contract
  • helping the client transfer to a more appropriate product, and
  • setting aside all or part of a debt owed by the client (see Explanatory Memorandum, paragraph 12.83).

Record keeping

You must keep sufficient records to demonstrate your compliance with the notify, investigate and remediate obligations.

See RG 256 for further information about record keeping in the context of remediation.

What happens if you do not comply?

ASIC can take enforcement action against you if you fail to comply with the notify, investigate and remediate obligations. Examples of compliance failures are:

  • failure to take reasonable steps to notify affected clients within the required timeframes
  • failure to undertake an investigation in accordance with the requirements, and
  • failure to take reasonable steps to remediate affected clients as required or within the required timeframes.

A civil penalty applies for non-compliance with the notify, investigate and remediate obligations. Failure to keep adequate records is a criminal offence. We may also take administrative action if you do not comply with the obligations. These actions could include suspending or cancelling your licence, or imposing additional licence conditions.

Note: For an explanation of how we approach our enforcement role, see Information Sheet 151 ASIC’s approach to enforcement (INFO 151). For information about penalties, including the value of a penalty unit, see Fines and penalties.

Where can you get more information?

For more information on complying with your obligations, see the following guidance:

You can also call ASIC on 1300 300 630 or refer to our Top call centre questions.

Important notice

Please note that this information sheet is a summary giving you basic information about a particular topic. It does not cover the whole of the relevant law regarding that topic, and it is not a substitute for professional advice. We encourage you to seek your own professional advice to find out how the applicable laws apply to you, as it is your responsibility to determine your obligations.

You should also note that because this information sheet avoids legal language wherever possible, it might include some generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases, your particular circumstances must be taken into account when determining how the law applies to you.

Information sheets provide concise guidance on a specific process or compliance issue or an overview of detailed guidance.

This information sheet was updated in December 2023.

What's new

More financial services releases

ASIC industry funding

Last updated: 07/03/2024 04:09