Compliance

Are you ready for the new breach reporting regime?


In June 2021, consultation closed on the Australian Securities and Investments Commission's (ASIC) draft regulatory guidance [Regulatory Guide 78 Breach reporting by AFS licensees and credit licensees attached to Consultation Paper 340 Breach reporting and related obligations] for the new, more onerous and wide-ranging breach reporting regime, which is to commence on 1 October 2021.

The release follows the Financial Sector Reform (Hayne Royal Commission Response) Act 2020 (FSR Act) which received Royal Assent in December 2020.

Australian financial services (AFS) licensees will need to ensure they are adequately prepared for the October 2021 deadline. This paper provides a recap on one of the significant changes under the regime: the obligation to automatically report to ASIC certain breaches (or likely breaches), including classes of breaches that are deemed to be significant.

Key takeaways

  • Extended scope: the new regime applies to both AFS and credit licensees.
  • Extended reporting period: reports must be lodged within 30 calendar days (compared to 10 business days previously).
  • The clock will start ticking earlier, at 30 days, and this will commence when the licensee knows that, or is reckless with respect to whether, there are reasonable grounds to believe the reportable situation has arisen. Licensees will want to consider the roles and responsibilities of staff involved in the breach reporting process to ensure there is clearly communicated delineation of responsibility between those who have authority to make findings of fact, and those who have actual or apparent authority to assess whether there has been a breach.