Breach Reporting – Opportunity or Challenge?
Source Of News
By Joel Ronchi / Professional Planner / SIAA Conference May 2022
ASIC has acknowledged there hasn’t been a consistent approach to how breach reporting legislation has been interpreted and expects it to take a few years before the industry fully understands the regime.
Breach reporting reforms commenced in October 2021 and require licensees to report to ASIC within 30 days of a breach of financial services law, implementing several Hayne royal commission recommendations.
“There’s been not an entirely consistent approach to how the legislation was being interpreted by reporters,” Longo said at the conference. “We’re working with those affected to figure out where those issues are with a view to probably release some additional guidance once we’ve gone through some more consultation.”
The ‘State of Financial Services Breach Reporting in Australia’ report shared insights into the first six months of the breach reporting regime and was conducted by Gadens and Lawcadia in conjunction with CoreData. The research found only 24 per cent of advisers believed they were adequately trained by their licensee to monitor for breaches.
“Advisers don’t know what they’re doing with this regime and that’s a pretty big risk when you consider the personal consequences and the licensee consequences that can come from it,” he says. This lack of understanding is most pronounced with advisers employed in practices that don’t have their own AFSL, where 74 per cent rate their understanding as ‘moderate’ or ‘low’.
What is the key challenge?
The breach reporting obligations implement Recommendations 1.6, 2.8, 2.9 and 7.2 of the Final Report of the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry, and are set out in Schedule 11 of the Financial Sector Reform (Hayne Royal Commission Response) Act 2020.
Some of the new challenges faced by licensees include:
- the new category of breach known as “deemed significant breaches”, such as a breach which results in a breach of a civil penalty provision (if the provision is not exempted under the regulations), in material loss or damage to a customer, or involves misleading or deceptive conduct;
- creating an obligation to report an investigation into whether there is a reportable situation where that investigation continues for more than 30 days; and
- requiring licensees to lodge breach reports with ASIC in a prescribed form within 30 calendar days after the licensee first knows, or is reckless with respect to whether, there are reasonable grounds to believe a reportable situation has arisen. AFS licensees currently have 10 business days within which to report.
What is the usual meaning of ‘breach’?
The word breach is defined as “an act of breaking or failing to observe a law, promise, agreement, or code of conduct.” The key aspect of the definition is the “act or failure” component. A breach only occurs when something is done, an action is completed, or a failure of action has occurred.
The key sections of the Corporations Act to which deemed significant breaches will most likely apply, when providing personal advice to retail clients, are s961B, G, H, and J.
From a licensee perspective, an important section is s961L which states “(a) financial services licensee must take reasonable steps to ensure that representatives of the licensee comply with sections 961B, 961G, 961H and 961J.” The legal obligation under s961L is a proactive obligation and should not be managed by “traditional” backward-looking audit processes that focus on a random selection of SOAs that have already been presented to clients.
Importantly, these sections of the Corporations Act can only be breached, and reporting obligations created, at the point when the Statement of Advice (SOA) is presented to the client. Right up until that point of presentation, any issues are fixable, problems are avoidable, and breaches are avertible.
In other words, when providing personal advice to a retail client in the form of an SOA, a breach can only occur when the advice is actually presented to the client.
Notifying and remediating affected clients
Licensees must notify and remediate persons who are affected by certain reportable situations.
The notification obligation requires licensees to take reasonable steps to notify an affected client within 30 days of first knowing that, or being reckless with respect to whether, a reportable situation has arisen. In the same timeframe, licensees must also commence an investigation into the reportable situation which, at a minimum, must:
- identify the conduct that gave rise to the reportable situation; and
- quantify the loss or damage that there are reasonable grounds to believe has been, or will be, suffered and which the affected client has a legally enforceable right to recover.
Any such investigations must be completed as soon as is reasonably practicable after their commencement, with a follow-up notice to be sent to clients within 10 days of completion. Reasonable steps must also be taken upon completion of the investigation to compensate affected clients for an amount equal to the loss or damage within 30 days.
How do you avoid problems and breaches?
PREVET 100% of all advice provided to retail clients. If the SOA presented to a client does not breach s961B, G, H, and J, then no “deemed significant breaches” have occurred relating to these sections. That is, the licensee does not need to report any breaches to ASIC or notify the client, because the advice has avoided breaching any of these sections.
It just makes sense to ensure there are no legislative challenges with the advice before it is presented to the client.
How can you do this at scale?
Use technology such as the Fourth Line Quality Advice and Risk Management platform.
How does Fourth Line help?
Fourth Line’s Quality Advice and Risk Management (QARM) system identifies advice related issues before they become unavoidable problems. By interrogating the advice at the point of creation (before the SOA is presented), issues are fixed, problems are avoided, and breaches averted. This builds trust with clients, enhances the reputation of the advice firm, and avoids costly client remediation programs.
Importantly, Fourth Line complements existing compliance frameworks. For licensees who have a multipronged regime, Fourth Line enables licensees to “scale up” client file reviews under traditional backward-looking audit programs or, similarly, implement critical “due diligence” advice analysis when considering the appointment of new advisers.
————————————————————————————————————————————————————————————————————————————
Fourth Line is a rigorous RegTech risk management and compliance system for advice practices, dealer groups and other wealth management participants. Fourth Line uses algorithmic approaches to simplify the complexity in advice reviews whilst maintaining human oversight, empowering compliance teams to coach and develop strong advice behaviors through data driven insights from advanced analytics for adviser, practice/dealer group and industry benchmark comparison with centralised document storage and access to meet regulatory needs.
For information email: info@fourth-line.com.au