User Login
Register Lost Password

Breach Reporting

To follow is a brief summary of the recently released ‘Breach reporting by AFS licensees –An ASIC guide’ which was reissued on 2 May 2006.

What breaches or likely breaches must you report?

Section 912D requires you to report to ASIC any significant breach or likely breach of:

  • your obligations under s912A and 912B (other than the obligation under s912A(1)(c)); and
  • your obligation under s912A(1)(c) to comply with certain financial services laws.

     

    Summary of your obligations

    Your obligations under s912A and 912B

    Your obligation under s912A(1)(c)

    You must:

    You must comply with the following financial services laws:

    do all things necessary to ensure that the financial services covered by your AFS licence are provided efficiently, honestly and fairly

    Chapter 5C of the Corporations Act (managed investment schemes)

    comply with the conditions on your licence

    Chapter 6 of the Corporations Act (takeovers)

    have adequate resources to provide the financial services covered by your licence and to carry out supervisory arrangements (unless you are a body regulated by APRA: see paragraph 1.4)

    Chapter 6A of the Corporations Act (compulsory acquisitions and buy-outs)

    be competent to provide the financial services covered by your licence

    Chapter 6B of the Corporations Act (rights and liabilities in relation to Chapter 6 and 6A matters)

    have trained and competent representatives

    Chapter 6C of the Corporations Act (information about ownership of listed companies and managed investment schemes)

    take reasonable steps to ensure that your representatives comply with the financial services laws

    Chapter 6D of the Corporations Act (fundraising)

    have a dispute resolution system for retail clients

    Chapter 7 of the Corporations Act (financial services and markets) Chapter 9 of the Corporations Act (miscellaneous), but only as it applies in relation to the chapters of the Corporations Act listed above

    have adequate risk management systems (unless you are a body regulated by APRA: see paragraph 1.4)

    Division 2 of Part 2 of the ASIC Act (unconscionable conduct and consumer protections in relation to financial services)

    have compensation arrangements for retail clients.

    other Commonwealth Acts specified in reg 7.6.02A in so far as they cover conduct relating to the provision of financial services.

    What does ‘significant breach’ mean?

    You do not have to report all breaches or likely breaches. You only have to report those that are ‘significant’. The term ‘significant’ is not defined in the Corporations Act. If a breach is not significant, you must address that breach even though you may not have to report it to ASIC. Note: For example, where there is a non-significant breach that requires compensation to clients or needs to be rectified in some other way, we expect you to take appropriate action even though you are not required to report the breach.

    Whether a breach or likely breach is significant or not will depend on the individual circumstances of the breach. We consider that the nature, scale and complexity of your financial services business might also affect whether a particular breach is significant or not. You will need to decide whether a breach (or likely breach) is significant and thus reportable. Where you are not sure whether a breach or likely breach is significant, we encourage you to report the breach.

    You must have regard to a number of factors specified in s912D(1)(b) when determining whether a breach or likely breach is significant: see Table 2 below. A breach may be significant where only one of the factors applies to your circumstances, or where there is a combination of factors. We expect that, at the time that you become aware of any breach or likely breach, you will consider the circumstances and impact of that breach or likely breach in light of each of these factors to determine whether the breach is significant. We also expect you to document this process.

    Table 2: Factors that determine whether a breach (or likely breach) is ‘significant’

    The number or frequency of similar previous breaches: s912D(1)(b)(i)

    The greater the number or frequency of similar breaches, the more likely the new breach will be significant. We also consider that the repeat of a breach may indicate a continuing underlying systemic problem.

    Note: For example, you may consider a failure to comply with the requirement to notify ASIC of the appointment of an authorised representative within the 15 business days allowed by s916F to be a minor breach that does not require a breach report (provided that you have rectified the breach by providing the notification to ASIC). However, if you are habitually late in giving us these notifications, or other notifications required under the Corporations Act, a further occurrence of this type of breach may be significant.

    If minor breaches of this type repeatedly occur, you may become aware that you can no longer comply with your notification obligations under the financial services laws (e.g. because you have inadequate compliance arrangements, or inadequate technological or human resources). This may therefore also amount to a likely significant breach.

    The impact of the breach or likely breach on your ability to provide the financial services covered by your licence: s912D(1)(b)(ii)

    If a breach or likely breach reduces your ability or capacity to provide the financial services covered by your licence, it may be significant. For example, we consider that a breach of the financial requirements of your licence conditions may be significant. If these minimum requirements are not met, you may not have the financial ability or capacity to provide the financial services covered by your licence. If the breach or likely breach will not affect your ability or capacity to provide the financial services covered by your licence (as in the earlier example of a late notification to ASIC), it may still be significant having regard to one or more of the other factors.

    The impact of the breach or likely breach on your ability to provide the financial services covered by your licence: s912D(1)(b)(iii)

    If the breach or likely breach indicates that your arrangements to ensure compliance are inadequate only in an isolated instance, it may not be significant. However, if the breach or likely breach indicates broader inadequacies in your compliance arrangements, it is more likely to be significant and, if so, you should report it to us. Occasional and minor breaches do not of themselves mean that your compliance arrangements are inadequate. We recognise that compliance arrangements are unlikely to ensure full compliance with every aspect of the law at all times. However, this factor requires you to consider whether a breach indicates that your compliance arrangements are inadequate. We expect that under this factor you would ask yourself questions such as how long it took to discover the breach and to what extent the compliance arrangements helped in identifying the breach.

    The actual or potential financial loss to your clients, or you, arising from the breach or likely breach: s912D(1)(b)(iv)

    Loss to clients

    We consider that any breach or likely breach of your obligations that causes actual or potential financial loss to clients is likely to be significant. Of course, where the breach is an isolated or occasional breach, the amount of the loss involved is minimal and immaterial, and the breach affects a very small number of clients, the breach is less likely to be significant. You must rectify breaches where that is appropriate, even where those breaches are not reported because they are not significant. In the above example, the amount of interest owed by you must be paid to the client, even if the breach need not be reported.

    Loss to the licensee

    If the breach or likely breach causes actual or potential loss to you, the breach may or may not be significant, depending on the size of the loss as compared with the overall business. However, if the actual or potential financial loss to you resulting from the breach causes non-compliance with your financial requirements under your licence conditions, we consider that the breach is likely to be significant. Such loss would also be likely to impact on your ability to provide the financial services covered by your licence.

    Any other matters prescribed by regulations: s912D(1)(b)(v)

    As at the date of publication of this guide, there were no relevant regulations. You should check to see whether the regulations have specified any further factors. © Australian Securities & Investments Commission May 2006

    Examples of breaches that may be significant

    Table 3: Examples of breaches that may be significant

    Example 1: Failure to maintain professional indemnity (PI) insurance, or an appropriate level of PI insurance cover

    If you are required to maintain PI insurance as a condition of your AFS licence, your failure to maintain that insurance will be a breach of your obligations to comply with your licence conditions and the financial services laws. We consider that a failure to maintain PI insurance is very likely to be a significant breach of these obligations because:

    • it may result in actual or potential financial loss to your clients; and
    • allowing PI insurance to lapse, or maintaining an inadequate level of PI insurance cover, may indicate that your arrangements for ensuring compliance with your obligations are inadequate.

    Example 2: Failure to prepare cash flow projections

    Generally, you must prepare cash flow projections as a condition of your AFS licence (unless, for example, you are APRA regulated). Failure to do so will be a breach of your obligations to comply with licence conditions, and may indicate a breach of your obligation to have adequate risk management systems and your obligation to have available adequate financial resources to provide the financial services covered by your licence. ASIC sets minimum financial resource requirements to promote appropriate financial risk management and ensure that cash shortfalls do not put compliance with the licensee obligations at risk. We consider that a failure to prepare cash flow projections is likely to be a significant breach of these obligations. It is likely to indicate that your arrangements to ensure compliance with your obligations are inadequate. Such breaches may also indicate that you do not have the ability to provide the financial services covered by your licence.

    Example 3: Previously undetected breaches

    A breach of a s912A or 912B obligation may indicate previous breaches of those obligations that have not been detected. We consider that your failure to detect previous breaches may be significant (even if those previous breaches were only minor) because it could indicate that you do not have adequate arrangements to ensure compliance with your obligations.

    Example 4: Provision of inappropriate advice by representatives

    If your representatives provide inappropriate financial product advice to your clients, there may be breaches of your obligations to comply with the relevant financial services laws, and to take reasonable steps to ensure that your representatives comply with those laws. Where there is a breach of these obligations because your representatives have provided inappropriate advice and the breaches are of a sufficient scale or have occurred with a sufficient degree of regularity, the breaches may be significant because they are more likely to:

    • have some impact on your ability to provide the financial services covered by your licence;
    • indicate that your arrangements to ensure compliance with your obligations are inadequate; and
    • involve actual or potential financial loss to your clients or to you.

    Example 5: Representatives operating outside the scope of your AFS authorisations

    If your representatives provide financial services outside the scope of your AFS authorisations, there may be breaches of your obligations to:

    • comply with the financial services laws, and take reasonable steps to ensure that your representatives comply with those laws;
    • have available adequate resources to carry out supervisory arrangements;
    • ensure that your representatives are adequately trained and competent; and
    • have adequate risk management systems. We consider that the provision of unauthorised financial services by a representative is likely be a significant breach of these obligations because such breaches may:
    • impact on your ability to provide the financial services covered by your licence;
    • indicate that your arrangements to ensure compliance with your obligations are inadequate; and
    • involve actual or potential financial loss to your clients or to you.

    Example 6: Fraud in the provision of financial services by a representative

    We consider that fraud by a representative, and your failure to prevent fraud by a representative, is likely to involve a significant breach of each of your obligations in s912A because such breaches will:

    • have some impact on your ability to provide the financial services covered by your licence;
    • indicate that your arrangements to ensure compliance with your obligations are inadequate; and
    • involve actual or potential financial loss to your clients or to you.

    What arrangements should you have in place to record and report breaches?

    If you fail to properly consider whether every breach or likely breach that comes to your attention is significant by having regard to the s912D(1)(b) factors, you run the risk of failing to identify a breach or likely breach that is significant and must be reported to ASIC. Failure to report a significant breach or likely breach in accordance with s912D is in itself a breach of your obligation to comply with the financial services laws.

    We consider that a failure to report a breach (or likely breach) that is significant is likely, in itself, to be a significant breach. This is because it indicates that your arrangements to ensure compliance with your obligations may be inadequate.

    To ensure compliance with the obligation to report all significant breaches or likely breaches, you should have a clear, well-understood and documented process for:

    • identifying breaches or likely breaches of your obligations;
    • ensuring that the relevant people responsible for compliance are aware of those breaches or likely breaches;
    • determining whether identified breaches or likely breaches are significant;
    • reporting to ASIC those breaches or likely breaches that are significant;
    • where appropriate, rectifying the breach or likely breach; and
    • ensuring that arrangements are in place to prevent the recurrence of the breach or likely breach.

    Breach register

    The Corporations Act does not require you to maintain a breach register. However, we consider that, in practice, you will need to use a documented breach register to ensure that you have adequate arrangements in place to comply with your obligation under the Act to identify and report all significant breaches and likely breaches.

    To ensure that you can satisfy yourself and us that you have done all things necessary to properly identify, report and deal with breaches or likely breaches, we consider that a breach register should contain the following information:

    • the date of the breach (or the date on which you are likely to breach the relevant obligation) and the date on which you became aware of the breach or likely breach. If the breach is significant, you will be required to report it to ASIC within 5 business days of the latter date, and accordingly should have a record of that date to ensure timely reporting;
    • a brief description of the breach or likely breach;
    • how the breach or likely breach was identified (e.g. whether it was identified through your compliance arrangements or as a result of a client complaint);
    • the process and responsibilities for handling the breach or likely breach, and a description of how the breach or likely breach is to be handled (i.e. steps to be taken to rectify the breach and prevent recurrence of the breach);
    • a consideration of each of the factors in s912D(1)(b). You should have a record of matters that you have considered in determining whether each breach or likely breach is significant and therefore required to be reported to ASIC;
    • the date a breach was reported to ASIC (where appropriate); and
    • the date the breach was rectified (where appropriate).

    You will need to consider how best to keep these documents or records (e.g. they may be kept electronically). Keeping documents and records helps you to demonstrate, to us and to yourself, that you know whether or not you are complying with your obligations as a licensee, including the obligation to report significant breaches to ASIC. For more information, see [PS 164].

    How do you report a breach?

    A breach must be reported to ASIC in writing. Although there is no prescribed form for reporting a breach, to help you provide the information we need to assess the breach, we have provided a template form (FS80) for lodging written breach reports on our website at www.asic.gov.au. You may lodge your report in another form if that is more appropriate to your circumstances.

    You can report a breach or likely breach of your obligations by giving us a written report that sets out:

    • the date of the breach, or if it is a likely breach, the date from which you anticipate that you will no longer be able to comply with your obligations;
    • a description of the breach (i.e. the obligation that has been breached or is likely to be breached, including references to the section of the Act that sets out that obligation, and any relevant financial services law or AFS licence condition);
    • a description of why the breach is significant (i.e. a description of the factors in s912D(1)(b) that you considered);
    • the duration of the breach;
    • how the breach or likely breach was identified;
    • if an authorised representative is involved, that authorised representative’s name, representative number and, if the representative’s authorisation has been revoked, all last known contact details;
    • whether the breach has been rectified, or any steps that have been taken to remedy the breach or likely breach, including any compensation paid to clients. If ongoing steps are being taken to rectify the breach or likely breach, you should indicate when you expect to provide a report to us on your progress in rectifying the breach or likely breach; and;
    • any steps that have been or will be taken to ensure future compliance with the obligation.

    If you do not have information about any of these matters at the date of reporting, you should include the information you do have in your written breach report and supplement it by lodging further information as it becomes available.

    How to lodge your breach report

    You can lodge the written breach report at any ASIC office (but preferably the office in the State or Territory where you live). The report should be addressed to 'Financial Services Regulation, Regulatory Compliance'. For contact details of ASIC offices, go to www.asic.gov.au/asicoffices. Or you can email the written breach report to ASIC at fsr.breach.reporting@asic.gov.au

    When must you report a breach?

    You must give the written breach report to ASIC as soon as practicable, and in any case within 5 business days of becoming aware of either:

    • the breach—if the breach had already occurred when you discovered it; or
    • the likely breach—if you become aware that you will no longer be able to comply with an obligation before the breach has actually occurred.

    The reporting period starts on the day you became aware of a breach or likely breach that you consider could be significant. We will administer this requirement as meaning that you become aware of a breach or likely breach when a person responsible for compliance becomes aware of the breach. We expect your internal systems to make the relevant people aware of breaches in a timely and efficient manner. Note: In providing up to 5 days to report a breach, the law allows you to make a genuine attempt to find out what has happened and decide whether the breach is significant. In responding to the breach notification, we will take into account any delays or obfuscation in reporting.

    In making your breach report, you should not wait until after:

    • you have completed all possible avenues of investigation to satisfy yourself whether or not the breach or likely breach is significant;
    • the breach or likely breach has been considered by your Board of Directors;
    • the breach or likely breach has been considered by your internal or external legal advisers;
    • you have rectified (where appropriate), or you have taken steps to rectify, the breach or likely breach; or
    • in the case of a likely breach, the breach has in fact occurred, since these extended processes may defeat the law’s intention for ASIC to be informed of significant breaches as soon as practicable.

    © Australian Securities & Investments Commission. Reproduced with permission

    Date 01.06.06

    •