As we notice an upturn in regulatory scrutiny of the financial services industry, and see a degree of focus on the adequacy of breach reporting by financial services businesses following the recent Senate report on the performance of ASIC, Alexander Morris, Armen Varvachtian and Amanda Kazacos reflect on the disclosure obligations of Australian financial services licensees (and their auditors) under the Corporations Act.

The holders of Australian financial services (AFS) licences have an obligation, under section 912D of the Corporations Act, to make a report to ASIC of any significant breach or likely breach of:

  • the provisions of the Corporations Act concerning the general obligations of AFS licensees and compensation arrangements for retail clients; and
  • the obligation to comply with certain financial services laws.

The report must be in writing and should be lodged with ASIC as soon as practicable after a licensee becomes aware of the breach or likely breach – and, in any event, within 10 business days. The consequences of failing to comply with the self-reporting obligation are potentially very serious, with individuals facing imprisonment for up to a year, a fine of up to $8,500, or both. Corporations face penalties of up to $42,500.

A similar reporting obligation exists in relation to the responsible entities of registered managed investment schemes. Section 601FC(1)(l) requires the responsible entity of such a scheme to report to ASIC any breach of the Corporations Act that relates to the scheme and has had, or is likely to have, a materially adverse effect on the interests of members. A report should be lodged as soon as practicable after the responsible entity becomes aware of the breach. Given that responsible entities must be AFS licence holders, the obligations under section 912D and section 601FC overlap.

AFS licensees should also be mindful of other obligations to make reports to regulatory bodies (such as APRA or Austrac) and the various requirements under State law to report serious crimes to the authorities.

How significant is “significant”?

Given the penalties which apply where the self-reporting obligation is not complied with, the question whether a breach or likely breach is “significant” – and should therefore be reported to ASIC – is an important one.

Determining the significance of the breach requires consideration of a number of factors set out in s 912D(1)(b) of the Act. These are:

  • the number or frequency of similar previous breaches;
  • the impact of the breach or likely breach on the ability of the licensee to provide the financial services covered by the licence;
  • the extent to which the breach or likely breach indicates that the licensee’s arrangements to ensure compliance with those obligations are inadequate; and
  • the actual or potential financial loss to clients of the licensee, or the licensee itself, arising from the breach or likely breach.

Practical guidance on this provision

In February 2014, ASIC published Regulatory Guide 78, which provides more detailed guidance on how to determine whether a breach (or likely breach) is significant. ASIC emphasised the need to report recurring breaches, as even minor recurring breaches could indicate underlying systemic problems in a company’s compliance regime. More recently, the Chairman of ASIC has been quoted as saying: “We are going to go in much harder on the timeliness of when things get reported to us… And there are things they are supposed to report that are material and they deemed it immaterial. We will publish sectoral reports several times a year on how good or bad we see it going. We are really turning the dial up on this.”

However, much appears to depend on the nature of the breach. For example, if the breach or likely breach indicates that a licensee’s arrangements to ensure compliance are inadequate only in an isolated instance, the breach may not be significant. Conversely, ASIC considers that any breach (or likely breach) of a licensee’s obligations that causes actual or potential financial loss to clients is likely to be significant (while noting that if the breach is an isolated or occasional breach, the amount of the loss involved is minimal and immaterial, and the breach affects a very small number of clients, the breach is less likely to be significant).

Regulatory Guide 78 provides some practical examples of breaches that may be identified as significant, including:

  • inadequate professional indemnity insurance;
  • the existence of previous undetected breaches;
  • failure to prepare cash flow projections;
  • multiple occasions of representations that provide inappropriate financial product advice;
  • representations of matters outside the scope of licensee authorisations; and
  • fraud in the supply of financial services.

What else should a breach report include?

The contents of a breach report can impact the approach ASIC takes in responding to the breach. Licensees are generally well-served by ensuring their breach reports demonstrate a proactive approach not only to reporting the breach but also (where possible) remedying it. Adopting, from an early stage, a strategic and thoughtful approach to doing so could yield benefits in the longer term.

Regulatory Guide 78 notes that ASIC’s response will be influenced (and in some cases no further action will be taken) where, for example, ASIC is satisfied that:

  1. the licensee has made a genuine attempt to comply with the law and its breach reporting obligations;
  2. the causes of the breach have been identified and addressed such that the breach is unlikely to happen again (if they are readily able to be rectified) or a plan has been developed and submitted to ASIC to rectify the failure in compliance;
  3. the consequences of the breach can be dealt with comprehensively (such as through compensation or communication), especially in respect of consumers;
  4. there has been no undue delay in notifying ASIC; and
  5. more significant compliance issues within the licensee’s business have been identified, if the circumstances suggest that they exist.

ASIC also identifies the possibility of reduced penalties and lenient responses to a breach, where:

  1. the conduct of the company subsequent to the breach being reported is cooperative;
  2. the company is proactive in reviewing and modifying compliance procedures;
  3. the company is generous in compensating those affected; and
  4. the company acknowledges wrongdoing and takes appropriate disciplinary action against wrongdoers within the business.

Obligations of auditors to report on AFS licensee breaches

Under s 311 of the Act, auditors are required to notify ASIC in writing of circumstances that they suspect, on reasonable grounds, amount to a contravention of the Act. Section 990K relates to auditor reporting obligations in respect of AFS licence holders. Under s 990K an auditor is to report certain matters to ASIC within 7 days of becoming aware of those matters. An auditor is to report on any matter which the auditor believes:

  • has adversely affected, is adversely affecting or may adversely affect the ability of the licensee to meet the licensee’s obligations as a licensee; or
  • constitutes a contravention of provisions concerning:
    • how clients’ money is dealt with (including loan money);
    • how other property of clients is dealt with; or
    • the financial records or statements of financial services licensees,
    or a condition of the licensee’s licence; or
  • constitutes an attempt to unduly influence, coerce, manipulate or mislead the auditor in the conduct of the audit.

An auditor is not prevented from having to make reports to ASIC by the fact that AFS licensees have their own reporting obligations under s 912D. This means that, even if a licensee does not self-report, a breach can still come to the attention of the regulator through the licensee’s auditor.

As noted in the recent report of the Senate Economic References Committee on the Performance of the Australian Securities and Investments Commission, parts of the auditing profession have voiced concerns surrounding the high burden on auditors to make reports to which, historically, the regulator has not appeared to have been responsive. AFS licensees should bear in mind that, as scrutiny of reporting by auditors increases in the present regulatory climate, auditors may well err on the side of caution in determining whether they should make reports to ASIC.