Last year, we examined the complex licensee breach reporting obligations which commenced in October 2021.
The new rules expanded the definitions of reportable situations, established a 30-day breach reporting timeframe and required that ASIC be notified of any investigations into whether a breach has occurred if said investigation takes longer than 30 days. Among other issues, the definition of a “reportable situation” – as per ASIC’s guidance – was confusingly recursive and relied upon a network of references to different sections of the Corporations Act.
Meanwhile, because a “reportable investigation” was not defined in the relevant legislation, licensees were pointed towards the definition of “investigation” in the Macquarie Dictionary: “a searching inquiry in order to ascertain facts”.
Perhaps most controversial, though, was the idea that as part of its annual reporting on the new breach reporting regime, ASIC would name specific licensees along with the volume of their reported breaches. Given the lack of clarity around reportable situations and investigations, there were concerns regarding “naming and shaming” licensees under a regime where, as the AFA put it in a submission, “even some of the most minor and administrative matters may end up in front of either ASIC or the FSCP.”
Fortunately, it would appear ASIC is aware of these issues. Earlier this month, ASIC commissioner Sean Hughes acknowledged that the new regime “has led to a number of implementation challenges.”
“However,” Hughes continued, “ASIC remains committed to the successful implementation of this regime and we have developed a comprehensive plan of work to ensure that it meets its objectives for ASIC, industry and consumers.”
As part of this plan, the regulator will no longer name individual licensees in its first annual report on the regime, due in October. Furthermore, Hughes said ASIC will engage with “stakeholders to find common-sense solutions” including improvements to the Regulatory Portal and the issuing of further breach reporting guidance.
Speaking to NMP, Story Wealth Management CEO Anne Graham said the removal of naming and shaming “is a good thing in my view.”
She added: “The current breach reporting framework is quite complex and ‘ambitious’. Complexity leads to confusion, cost and non-compliance – so any changes to the framework should be made with that in mind.”
ASIC has said it will continue engaging with Treasury regarding the new regime and how it’s meeting its policy objectives. We’ll find out more once the first report comes out in October.