©2018-2019 by The GRC Institute - Governance, Risk & Compliance.  ABN: 42862119377

Breach Reporting

July 4, 2019

 

Editor’s Note

 

This article by Carole Ferguson is a companion article to breach reporting tackling fundamental regulatory obligations for Australian Financial Services License (AFSL) Holders.

 

 

Breach reporting seems to be a trap for old and young players. ASIC has indicated strongly, through Deputy Chair Daniel Crennan, that breach reporting is one of the key areas it will be continuing to evaluate to determine a prima facie view on the regulatory compliance status of an entity. So, it is important that your company takes this obligation seriously, not from an avoidance perspective, but rather from the view that breach reporting is part of the dialogue between an AFSL holder and ASIC.

 

Why breach report?

 

The obligations for breach reporting arise in s912D of the Corporations Act and are more fully explained in ASIC Regulatory Guide 78 (RG78). It is important that you take the time to read RG78 carefully and that your management team fully understand the examples.

 

S912D provides that an AFSL holder must notify ASIC within 10 business days in writing about any significant breach (or likely breach) of its obligations. ASIC has advised that if you don’t tell them about a significant breach (or likely breach) then they will consider that that action is in itself a significant breach.

 

 

What is a breach?

 

A significant breach (or likely breach) occurs when an AFSL holder does not meet its obligations under:

 

(a)  s912A and 912B (other than the obligation under s912A(1)(c)); and

(b) its obligations under s912A(1)(c) to comply with certain financial services laws.

 These obligations relate to the obligations for the licensee to:

(a) do all things necessary to ensure that the financial services covered by its AFSL are supplied efficiently, honestly and fairly;

(b) comply with the conditions of its AFSL;

(c) have adequate resources to provide the financial services covered by the licence and to carry out supervisory arrangements (unless it is a body regulated by APRA: see RG 78.6–RG 78.8);

(d) be competent to supply the financial services covered by the AFSL;

(e) have trained and competent representatives;

(e) take reasonable steps to ensure that its representatives comply with the financial services laws;

(f) have a dispute resolution system for retail clients;

(g) have adequate risk management systems (unless it is a body regulated by APRA: see RG 78.6–RG 78.8); and

(h) have compensation arrangements for retail clients.

 

 

Reporting and Significance 

As indicated, as a compliance or risk officer, you must ensure that the management of your licensee understands not only its AFSL obligations but also what “significant” means. Helpfully, RG78 sets out a number of examples of significant events. You can also have regard to industry standards such as the Financial Services Council Standards on issues such as unit pricing and crediting rates to determine whether the breach is “significant”.

 

In general, whether a breach (or likely breach) is significant depends on the circumstances of the breach. It is important to assess the breach having regard to the nature, scale and complexity of your financial services business. This assessment will affect whether a breach is significant or not. As an example, if you have 1000 investors in a fund, a unit pricing error that affects 500 people may be significant, whereas an error of under $20 for 500 investors in a fund with 100,000 investors may not be significant.

 

You will need to decide whether a breach (or likely breach) is significant and thus reportable. When you are not sure whether a breach (or likely breach) is significant, ASIC encourages licensees to report the breach: the “when in doubt report” rule. Waiting until you are absolutely sure, or indeed undertaking remediation, may result in regulatory action. As an example, ASIC has required certain licensees to re-do remediation, requiring appointment of external monitors, correspondence with investors etc.

 

In general, issues that affect your investors or relate to the ability of your entity to perform its obligations (e.g. system issues) or serious issues relating to the management or personnel of your entity must be considered for their significance. It is good practice to have workshopped various scenarios with management and developed relevant policies and procedures. You should have a clear, well-understood and documented process for identifying breaches.

 

You also must undertake training so that personnel understand what a breach is and whether it is significant. This ensures that the time for consideration of the significance of a breach is reduced. It is also important that you update this training regularly to ensure that staff and management understand the importance of telling compliance about breaches that may occur from time to time.

Entities must also be aware that a breach of a financial services law is also reportable: s761(a) provides that in addition to breaches of certain sections of the Corporations Act, reportable financial services laws include Commonwealth, State or Territory legislation that covers conduct relating to the provision of the financial services, for example the AML/CTF, taxation issues, data or privacy protection etc. It is important to be aware of this requirement!

 

The most important thing is that ASIC wants entities to report. This is because it is a sign of functioning risk and compliance systems. In the last financial year ASIC undertook 54 risk-based reviews and again found that, while most REs are generally committed to complying with their obligations, there are particular areas such as breach reporting where non-compliance remains an issue. ASIC required all non-complying REs to address the non-compliance and is continuing to follow up with them on this, a considerable expense for the relevant entities.

 

Earning ASIC’s trust by demonstrating a culture of compliance is important. As indicated, breach reporting is part of that trust equation. You have an opportunity to empower business as first line defence to help compliance and risk to identify breaches or potential breaches early and to work effectively and quickly with you to determine significance.

 
