Into the breach: Reforms to Australian breach reporting and regulatory reference checks set to commence
From 1 October 2021, Australian Financial Services and Credit Licensees must comply with a revised suite of breach reporting requirements, and additional requirements for employment reference checks for financial advisers.
If you are the type to get excited about regulatory reform - and there is certainly no judgement from our team if that's you – 1 October 2021 is a big day, with the commencement of revisions to two key regimes applicable to Australian Financial Services and Credit Licensees.
The commencement of the reforms, which are a further by-product of the Hayne Royal Commission into Misconduct in Banking, Superannuation and Financial Services Industry, will necessitate a significant shake up of many licensees' internal policies and procedures to ensure compliance with the new requirements.
ASIC has made clear1 that it recognises the reforms 'require significant changes to businesses’ systems and processes and take effect at the same time industry is facing other challenges, including from COVID-19 and renewed lockdowns' and a period of transition will therefore be required whilst the industry finalises the implementation of additional compliance measures. ASIC Chair Joe Longo commented in relation to the commencement of the reforms that ASIC 'will take a reasonable approach in the early stages of these reforms provided industry participants are using their best efforts to comply'. Whilst licensees may, in the early stages of the new reforms, receive some leniency in relation to 'technical or inadvertent breaches, where firms have systems changes underway and act quickly to address problems as they arise', ASIC will not hesitate to take enforcement action 'where firms are not acting in good faith or where we detect conduct causing actual harm'.
Read on for our update on the key changes.
Significant breach reporting
Our earlier post summarised the key changes to the breach reporting regime which will take effect from 1 October.
Key changes include expansion of the significant breach reporting obligations to include Credit Licensees, and more stringent requirements in relation to reporting on incomplete investigations.
ASIC has released updated guidance designed to assist licensees to comply with the revised requirements, developed following a period of industry consultation.2
The responses received by ASIC to its draft guidance indicate - unsurprisingly - that there is particular concern amongst licensees in relation to the requirement to report ongoing investigations. Under the reforms, investigations into whether a significant breach (or likely significant breach) of a core obligation that continue for more than 30 days must be reported to ASIC.
In response to industry feedback, ASIC updated its guidance on when an investigation will be reportable, including by clarifying that '[a]n investigation becomes a reportable situation on day 31 of the investigation, and [the licensee] must lodge a report within 30 days of this date'.
ASIC declined to provide a definition of 'investigation', instead indicating that the term should be given its ordinary meaning, but clarified that complaints, whistleblower disclosures, preliminary steps and factfinding, and business as usual inquiries will generally not be reportable – the latter providing they are not triggered by an incident or assessing a possible breach.
Employment reference checks
ASIC released legislative instrument 2021/429 – Reference Checking and Information Sharing Protocol ("the Protocol") under subsection 912A(3A) of the Corporations Act 2001 (Cth) and subsection 47(3A) of the National Consumer Credit Protection Act 2009 (Cth) in July as a means to address the issue of financial advisers and mortgage brokers changing employers to avoid the consequences of misconduct – the proverbial rolling bad apple. The instrument commences on 1 October 2021, and mandates the provision of references by 'Referee Licensees' to 'Recruiting Licensees' in relation to 'Prospective Representatives'.
Recruiting Licensees must:
- seek the consent, using the template consent form, of a Prospective Representative to undertake reference checking and information sharing; and
- make a written request, using the template reference request, to a Referee Licensee
Recruiting Licensees have the right to make additional requests, or to seek clarification or updates, once a reference has been obtained.
Referee Licensees must:
- respond to requests from Recruiting Licensees within 10 business days, unless otherwise agreed (up to a maximum of 30 business days) based on complete, accurate and documented facts that have been verified in writing, if the information requested is in relation to conduct of the Prospective Representative that occurred less than 5 years prior to the request;
- not give references without consent from the Prospective Representative;
- only collect information in accordance with the Protocol (i.e. only for the purpose of reference checking in accordance with the Protocol);
- not limit information shared (including by entering into any arrangements or agreements – including settlements in relation to employment disputes);
- be contactable (i.e. have adequate arrangements to ensure they can be easily contacted for reference checking and information sharing purposes) and provide clarifications or updates if requested; and
- keep for five years written records that are complete and accurate and that demonstrate compliance with the obligations of the Protocol.
1. 21-213MR ASIC’s approach to new laws reforming financial services sector, released 12 August 2021.
2. RG 78 Breach reporting by AFS licensees and credit licensees.