In April 2023, ASIC released updates to Regulatory Guide 78 (RG 78) to provide additional guidance in relation to breach reporting. These changes took effect on 5 May 2023 and seek to enable AFS and credit licensees (Licensees) to better understand the breach reporting process. This follows ASIC's implementation of a new Breach Reporting Regime in late 2021, which saw many firms report breaches to ASIC and enabled ASIC to better identify trends of non-compliance in the industry.
Key Changes
- Grouping multiple Reportable Situations;
- New guidance on describing the Reportable Situation;
- New guidance on providing updates to your breach report;
- Updated breach reporting form, including new guidance on root causes and what constitutes a similar Reportable Situation; and
- New guidance on withdrawing a breach report.
So, what are the changes?
Grouping multiple Reportable Situations
ASIC has created a new 'grouping' test which will assist Licensees to determine when they are permitted to group multiple Reportable Situations into one report. The test takes a two-pronged approach and stipulates that if multiple reportable situations have:
- the same root cause, AND
- the situations constitute similar, related or identical conduct, they may be grouped into one report.
An example of this may be where there are multiple reportable situations that arise as a result of staff negligence or human error, however the entity must be satisfied that there is no broader root cause such as inadequate training processes.
Describing Reportable Situations
ASIC has provided new guidance about the information Licensees should include in their description of the Reportable Situation. The description should include:
- The impact, nature and complexity of the breach, including a greater level of detail for Reportable Situations that involve client loss or other client or market integrity impacts that are not 'one-off' breaches;
- An explanation of how the situation is a breach of your obligations;
- How the breach was identified and why it occurred;
- Any remediation information that is not covered in the prescribed form;
- What steps will be taken to address the underlying root cause; and
- Any additional information that is not captured through the prescribed form, that would assist ASIC to better understand the situation.
Licensees providing updates related to a reported breach
ASIC expects to be updated on the progress and status of reported breaches by Licensees. ASIC has introduced an expectation that Licensees should provide an update at least every 6 months, or wherever a Licensee's understanding of the nature, impact or extent of the situation changes, or whenever an investigation is complete, rectified or remediated.
For Licensees, this means ensuring dates for providing an update to ASIC are diarised and that the relevant staff members are aware of the obligation to provide the update to ASIC.
Updated Breach Reporting Form
ASIC has updated a number of questions in the breach reporting form so they can better understand the nature and impact of the breach. These include:
What are the root causes of the breach? And what triggered the investigation or made you aware of the matter?
ASIC has created several root cause categories for selection when completing the online breach reporting form. Some of the categories include: policy or process deficiencies, staff negligence or error, fraud and/or misappropriation, staff misconduct, inadequate supervision or training and misunderstanding of obligations. Licensees can select more than one category but will need to exercise professional judgement to ascertain which categories best apply to them.
Similarly, 'triggers' for investigations have also been placed into categories. A full description of what each category constitutes can be seen in Appendix 2 of RG 78.
Have any similar reportable situations previously occurred?
RG 78 sets out ASIC's expectations on what is considered a 'similar' breach. ASIC has clarified that when determining whether a Reportable Situation is similar, Licensees should consider:
- The nature of the issue and/or breach;
- The legislative provisions contravened;
- The underlying root cause of the reportable situation;
- The compliance arrangements or controls involved; and
- The nature of any client impact.
When determining similarity, Licensees are only required to review breaches that occurred after 1 October 2021.
Specify the total number of clients affected or likely affected
The new guidance outlines that if Licensees are providing an estimate of the number of clients affected by the situation, the estimate must be based on the information the Licensee has at the time of reporting and should include all financial and non-financial loss or damage. ASIC has inserted illustrative examples to RG 78 to address areas of uncertainty.
Withdrawing a Report
RG 78 also now sets out the circumstances in which a Licensee may withdraw a submitted breach report. ASIC may approve a request to correct or withdraw a report where:
- There are material factual errors on a report;
- A change is required to a field that has been greyed out;
- Additional or more accurate information has come to light;
- A matter has been determined as no longer reportable; or
- There is a minor factual error.
Further Reading