On 27 April 2023, ASIC issued an updated Regulatory Guide 78: Breach reporting by AFS licensees and credit licensees (RG 78), to address operational issues that have arisen since the system was implemented on 1 October 2021.
The updated RG 78 was developed in consultation with various industries - including industry association feedback from the banking, insurance, superannuation, financial advisers, markets and credit sectors - and follows ASIC's analysis of reports received to date.
ASIC hopes that the updated guidance will improve the "consistency and quality of reporting practices" for licensees, and ultimately support the use of data for ASIC's regulatory purposes and public reporting and reduce the regulatory burden on licensees.
Update Highlights
New 'grouping test' for multiple reportable situations: ASIC has introduced a new 'grouping test' which, if met, will allow licensees to group multiple reportable situations into one report. The test is met where (a) there is similar, related or identical conduct, that is, conduct involving the same or very similar factual circumstances; and (b) the conduct has the same root cause, that is, the root cause of the breach.
Detailed FAQs on how to complete the ASIC form: The FAQs require licensees to consider the impact, nature and complexity of the breach, and the extent to which the report would benefit from an explanation rather than a prescribed form through content captured in other fields in the report.
Changes to ASIC forms: A few changes have been made to ASIC forms, which are revised from 5 May 2023. Licensees should be aware of these changes to ensure that their internal processes are updated to obtain the necessary information.
New 'grouping test' for multiple reportable situations
Since the introduction of the regime, licensees have been required to report reportable situations to ASIC in a prescribed form and through the ASIC Regulatory Portal.
As part of this report, licensees are required to detail how many reportable situations are associated with the breach (or likely breach) and are permitted to group together instances that are similar or related to a single specific root cause. However, to date there has been limited guidance in RG 78 on the practical application of this aspect of the regime.
The updated guidance states that reportable situations can be grouped and reported to ASIC in a single report where:
There is similar, related or identical conduct (for example, making similar statements about the same type of product and/or service); and
The behaviour has the same root cause (such as a specific system error or process flaw).
This is the 'grouping test'.
More examples of when this test is met are also mentioned in the update. The guidance clarifies that reportable situations involving different products can be grouped together, and situations where employee negligence or human error is the root cause are separated.
However, ASIC also specifically reminds licensees that before concluding that incidents may be classified, licensees must be satisfied that there are no wider failures or other relevant causes (e.g., related) as the root cause of the incident.
Detailed FAQs on how to complete the ASIC form
Through the analysis of feedback and report data from various industries since the implementation of the system in October 2021, the following frequently asked questions and answers have been formulated:
Q1: What information should I provide in the free-text field ‘Describe the reportable situation’?
Q2: How should I respond to the question ‘Have any similar reportable situations previously occurred’?
Q3: When does ASIC expect an update to a report that I have lodged?
Q4: How should I respond to the question ‘What are the root causes of the breach—or likely breach’?
Q5: How should I calculate and report the number of clients affected by a reportable situation?
Q6: How should I respond to the question ‘What triggered the investigation or made you aware of the matter’?
Q7: Can I withdraw or correct a report that I have submitted to ASIC?
For detailed questions and answers, please refer to Regulatory Guide 78 Appendix 2 Frequently asked questions about how to complete ASIC’s reportable situations form:
Changes to ASIC forms
ASIC has published an overview of changes to its prescribed forms, which will come into effect on 5 May 2023. The main changes you might be interested in are:
Clarified that from ASIC's perspective, "an investigation is not complete until the licensee has established the root cause, identified all affected customers and identified all instances of a reportable situation". In other words, the time it takes a licensee to understand issues related to an event comes into focus and increases the licensee's risk of regulatory criticism if there is a long time between each step.
Clarified that true estimates of customer losses and the number of customers affected should be based on information available at the time of reporting, and licensees should provide updated information as it becomes known.
Clarified that when considering “similar” reportable situations, licensees should look back at least until 1 October 2021 to answer this question.
The licensee provides updates at least every six months.
Under updated guidance issued by ASIC, licensees will be able to gain greater clarity on how they should approach reportable situations and provide more accurate and complete reports. This will provide ASIC with more accurate regulatory intelligence and facilitate compliance across the financial industry.