Breach reporting has been high on ASIC’s agenda for the past 12 months. Like its global counterparts, ASIC is increasingly reliant on entities self-reporting breaches to inform its allocation of resources in supervision and enforcement.
In June, we published an article in the Company and Securities Law Journal, in which we explored some of the difficult issues that arise in relation to one of the key self-reporting obligations, ‘significant’ breaches of an AFSL’s obligations (in s.912D of the Corps Act). This includes when the entity will be sufficiently 'aware' to trigger a reporting obligation, and how to assess whether the relevant breach is 'significant'.
ASIC’s concerns in this area have not dissipated. Last week, ASIC Deputy Chair Kell announced that ASIC will be conducting a 'review' of breach reporting by AFSLs. This review will include an examination of the breach reports ASIC has received, including who they are from, what is reported, and the timeliness of the reports. ASIC then intends to conduct a 'proactive review' of some of the licensees it identifies as having a high risk of non-compliance. We anticipate that as part of this 'review', ASIC will continue to:
- use compliance visits of AFSLs to review breach registers and compliance reports, to assess whether licensees are reporting breaches as required, and
- have regard to reporting statistics, to assess whether entities are making the number of breach reports that might be expected.
For more detail, you can read Deputy Chairman Kell's speech. It contains familiar statements, including that licensees should ‘err on the side of caution’ and, if in doubt, report. Also, ASIC repeats its view that a licensee should not wait until after it has completed a full investigation to satisfy itself that the breach or likely breach is significant. To add emphasis, he also notes that a failure to comply with these obligations is a criminal offence.
Clearly, it is critical for AFSLs to be aware of ASIC’s approach in this area, including how that bears upon how internal reporting processes should operate, and the role of legal advice in the process of assessing possible breaches. However, it is also important to be mindful of the potential for breach reports to contain damaging admissions and be used in actions against the licensee (whether by ASIC, or third parties).