House of Representatives

Explanatory Memorandum

(Circulated by authority of the Treasurer, the Hon Josh Frydenberg MP)

Chapter 11 - Breach reporting and remediation (recommendations 1.6, 2.8 and 7.2)

Outline of chapter

11.1 Schedule 11 to the Bill implements recommendation 7.2 of the Financial Services Royal Commission, which called for the implementation of the ASIC Enforcement Review Taskforce recommendations to:

•

clarify and strengthen the breach reporting regime for financial services licensees in the Corporations Act; and

•

introduce a comparable breach reporting regime for credit licensees in the Credit Act.

11.2 This Schedule also implements recommendations 1.6 and 2.8 of the Financial Services Royal Commission by requiring credit licensees and financial services licensees to report serious compliance concerns about mortgage brokers and financial advisers.

Context of amendments

11.3 Breach reporting is a cornerstone of Australia's financial services regulatory structure. Breach reports allow ASIC to detect significant non-compliant behaviours early and take action where appropriate. It also allows ASIC to identify and address emerging trends of non-compliance in the industry.

11.4 Section 912D of the Corporations Act sets out the existing breach reporting regime for financial services licensees. It requires these licensees to notify ASIC of breaches or likely breaches of specified obligations that are significant. Reports must be lodged with ASIC as soon as practicable, and in any event, within 10 business days of the licensee becoming aware of the significant breach or likely breach.

11.5 ASIC and industry participants have raised concerns about the existing breach reporting regime in the Corporations Act. The concerns mainly relate to the test for whether a breach or likely breach is significant and therefore reportable, as this requires a financial services licensee to make a judgement based on a broad range of matters. As a result, breach reporting is largely inconsistent amongst licensees in terms of the matters reported and the timeliness of reports.

11.6 Currently, there is no equivalent breach reporting obligation for credit licensees. Instead, credit licensees are required to lodge annual compliance certificates with ASIC. While these certificates give ASIC broad oversight over whether the credit licensee is complying with its general conduct obligations, the information in these certificates is high level and there is no obligation to provide ASIC with information about particular breaches in a timely way.

ASIC Enforcement Review Taskforce Report

11.7 The ASIC Enforcement Review Taskforce considered the effectiveness of the breach reporting regime in the Corporations Act and made nine recommendations in relation to that regime. In particular, the recommendations sought to strengthen the breach reporting requirement by resolving ambiguity about:

•

when a breach or likely breach is significant and reportable;

•

whether a licensee is required to report misconduct by a representative;

•

the timeframe for reporting to ASIC; and

•

the content of the breach report.

11.8 The ASIC Enforcement Review Taskforce also recommended introducing a comparable breach reporting regime for credit licensees.

The Financial Services Royal Commission

11.9 Recommendation 7.2 of the Financial Services Royal Commission was that the recommendations of the ASIC Enforcement Review Taskforce about breach reporting of contraventions by financial services licensees and credit licensees should be implemented.

11.10 Recommendation 2.8 of the Financial Services Royal Commission was that financial services licensees should be required to report serious compliance concerns about financial advisers to ASIC on a quarterly basis. Commissioner Hayne identified serious compliance concerns as concerns that a financial adviser may have engaged in:

•

dishonest, illegal, deceptive and/or fraudulent misconduct;

•

any misconduct that, if proven, would be likely to result in instant dismissal or immediate termination;

•

deliberate non-compliance with financial services laws; or

•

gross incompetence or gross negligence.

11.11 Recommendation 1.6 of the Financial Services Royal Commission states, in part, that credit licensees should be bound by reporting obligations in respect of mortgage brokers similar to those obligations referred to in recommendation 2.8 for financial advisers.

11.12 In its response to the Financial Services Royal Commission, the Government agreed to implement these recommendations. In particular, the Government agreed to implement recommendation 2.8 as part of strengthening the breach reporting requirements.

11.13 Schedule 9, which implements recommendations 3.8, 6.3, 6.4 and 6.5 of the Financial Services Royal Commission, also contains a minor amendment to the breach reporting regime in the SIS Act. This amendment aligns the 30-day timing requirement for reporting under that regime with these changes.

Summary of new law

11.14 Schedule 11 amends the Corporations Act to clarify and strengthen the breach reporting regime for financial services licensees. The key features of the amendments include:

•

expanding the kinds of situations that need to be reported by licensees to ASIC (which are referred to as 'reportable situations') to include:

-

investigations into whether a significant breach has occurred or will occur if the investigation continues for more than 30 days, and the outcomes of those investigations;

-

conduct that constitutes gross negligence or serious fraud;

-

conduct that amounts to misleading or deceptive conduct under the financial services law; and

-

serious compliance concerns about individual financial advisers operating under another licence;

•

requiring licensees to lodge breach reports with ASIC in the prescribed form, and within 30 calendar days after the licensee first knows that, or is reckless with respect to whether there are reasonable grounds to believe, a reportable situation has arisen; and

•

requiring ASIC to publish data about breach reports on its website.

11.15 The serious compliance concerns identified by Commissioner Hayne are addressed through the reportable situations which must be reported. Under the reforms, financial services licensees will have to report these concerns to ASIC if there are reasonable grounds to believe they have arisen in relation to individual financial advisers operating under another financial services licence. Licensees who report these concerns to ASIC will also need to provide a copy of the report to the licensee that was responsible for the financial adviser when the concern arose. This allows responsible licensees to quickly investigate and take action as needed, including remediating affected clients.

11.16 Schedule 11 also amends the Credit Act to introduce a comparable breach reporting regime for credit licensees. As part of these amendments, credit licensees will be required to report serious compliance concerns about individual mortgage brokers operating under another licence.

Comparison of key features of new law and current law

Detailed explanation of new law

Amendments to the Corporations Act

11.17 Schedule 11 repeals section 912D of the Corporations Act and replaces it with new provisions. [Schedule 11, item 5, section 912D of the Corporations Act]

Matters that may need to be reported to ASIC

11.18 The amendments in Schedule 11 refer to matters that may need to be reported to ASIC as 'reportable situations'. The reportable situations are set out in new section 912D and can be broadly separated into two categories:

•

reportable situations about core obligations (referred to in this chapter as core reportable situations); and

•

additional reportable situations.

[Schedule 11, item 5, section 912D of the Corporations Act]

Core reportable situations

11.19 A core reportable situation arises in relation to a financial services licensee where:

•

the financial services licensee or its representative has breached a core obligation and the breach is significant; or

•

the financial services licensee or its representative is no longer able to comply with the core obligation and the breach will be significant if it occurs; or

•

the financial services licensee or its representative conducts an investigation into whether there has been or will be a significant breach of a core obligation, and the investigation continues for more than 30 calendar days; or

•

an investigation described in the previous point discloses that there has been no breach of a core obligation.

[Schedule 11, item 5, section 912D of the Corporations Act]

What are the core obligations?

11.20 The new core obligations mirror the existing obligations that may need to be reported to ASIC if they are breached.

11.21 The core obligations are:

•

the general obligations on licensees under section 912A (other than the obligation to comply with the financial services laws), which includes for example, the obligations to:

-

do all things necessary to ensure the financial services covered by the licence are provided efficiently, honestly and fairly;

-

comply with the conditions on the licence; and

-

maintain the competence to provide financial services covered by the licence;

•

the requirement to have compensation arrangements for retail clients under section 912B; and

•

the obligation to comply with certain financial services laws under section 912A(1)(c).

[Schedule 11, item 5, section 912D of the Corporations Act]

11.22 The core obligations to comply with certain financial services laws is broad and includes the obligations under Chapter 7 of the Corporations Act and Division 2 of Part 2 of the ASIC Act.

11.23 Relevantly for the responsible entity of a registered scheme, the core obligation covers the obligation to comply with the financial services laws in Chapters 5C and 6C of the Corporations Act.

11.24 Further, the core obligations may include the obligation to comply with other financial services laws set out in Commonwealth legislation, if those laws are specified in the regulations.

When is a breach significant?

11.25 There are two separate significance tests set out in new sections 912D(4) and (5) respectively.

11.26 The first significance test (referred to in this chapter as the deemed significance test) provides that a breach of a core obligation is taken to be significant if any of the following circumstances apply:

•

the breach is constituted by the commission of an offence under any law, and the offence is punishable on conviction by a penalty that includes imprisonment for up to:

-

three months or more if the offence involves dishonesty; or

-

12 months or more in any other case; or

•

the breach is constituted by a contravention of a civil penalty provision under any law, other than a civil penalty provision that is prescribed by the regulations; or

•

the breach is constituted by a contravention of section 1041H(1) of the Corporations Act or section 12DA(1) of the ASIC Act, which relate to misleading or deceptive conduct in relation to financial products or services; or

•

the breach results, or is likely to result, in material loss or damage to:

-

in the case of a managed investment scheme-a member or members of the scheme;

-

in the case of a superannuation entity-a member or members of the entity; or

-

in all cases-a person or persons to whom the licensee or its representative provides a financial product or a financial service as a wholesale or retail client; or

•

any other circumstances prescribed by the regulations exist.

[Schedule 11, item 5, section 912D of the Corporations Act]

11.27 Therefore, under the deemed significance test, a breach of a core obligation will be significant if it is constituted by a contravention of the civil penalty provision in section 912A(5A) of the Corporations Act, which relates to the general obligations on licensees. Alternatively, a breach of a core obligation will be significant if it is constituted by a contravention of another civil penalty provision that forms part of the financial services law, unless that provision is prescribed by the regulations.

11.28 However, even if a civil penalty provision is prescribed by the regulations, the breach may still be significant and reportable if one of the other circumstances in the deemed significance test apply, or if the breach is significant under the second significance test.

11.29 This regulation-making power ensures there is sufficient flexibility to target ASIC's surveillance to problematic areas. For example, if ASIC is receiving a large number of largely unproblematic breach reports for minor, technical or inadvertent breaches of civil penalty provisions, and those breaches would not otherwise be significant, the Government may decide that the regulatory burden imposed outweighs the benefit of receiving those reports. In those circumstances, the regulation-making power may be used to quickly reduce the regulatory burden on licensees to report breaches where appropriate. Any instrument made would be subject to disallowance and parliamentary scrutiny.

11.30 'Loss or damage' in the context of the deemed significance test has its ordinary meaning, which is extensive. The term includes financial and non-financial loss or damage.

11.31 Whether a breach results or is likely to result in material loss or damage to a person will depend on the person's circumstances. For example, a relevant circumstance may include the person's financial situation.

11.32 If a breach affects a number of people, it is sufficient for significance to be established if the breach is likely to result in material loss or damage to one person. Additionally, where the breach affects a number of people, licensees should consider the total loss or damage resulting from the breach. For example, even if the breach does not result in a material loss or damage to individual persons, the total loss or damage to persons resulting from the breach may, when aggregated, amount to material loss or damage to persons, thereby satisfying the significance requirement.

11.33 Consistent with the common law position, 'likely to result in material loss or damage' is intended to mean that there is a real and not remote possibility that loss or damage will occur as a result of the breach.

11.34 The inclusion of contraventions of section 1041H(1) of the Corporations Act and section 12DA(1) of the ASIC Act in the deemed significance test captures the remaining misleading and deceptive conduct provisions in the financial services laws that are not already captured by the other circumstances in the deemed significance test.

11.35 This means that all breaches of misleading and deceptive conduct provisions in the financial services laws are taken to be significant and therefore reportable to ASIC. This ensures that the deceptive conduct element of the serious compliance concerns identified by Commissioner Hayne is captured in the definition of 'reportable situation'.

11.36 A general regulation-making power is included to prescribe other circumstances in which a breach of a core obligation is taken to be significant. This allows the Government to respond quickly and effectively to emerging trends of non-compliance in the financial services sector to ensure the breach reporting regime is fit for purpose. Any regulations made would be subject to disallowance and parliamentary scrutiny.

11.37 The purpose of the deemed significance test is to provide greater certainty for industry and to ensure significant breaches are reported to ASIC in a timely manner. For example, where a breach constitutes a contravention of a relevant civil penalty provision or the commission of a relevant offence, the significance of the breach is immediately taken to be satisfied.

11.38 If none of the circumstances in the deemed significance test apply, the breach may still be significant under the second significance test. This test is based on the existing significance test and requires consideration of all of the following matters:

•

the number or frequency of similar breaches;

•

the impact of the breach or likely breach on the licensee's ability to provide financial services covered by the licence;

•

the extent to which the breach or likely breach indicates that the licensee's arrangements to ensure compliance with those obligations are inadequate; and

•

any other matters prescribed by regulations.

[Schedule 11, item 5, section 912D of the Corporations Act]

11.39 Whether a particular breach is significant under the second significance test is determined objectively. This is made clear as the standard for reporting is that there are reasonable grounds to believe a reportable situation has arisen (see new section 912DAA(1) of the Corporations Act).

11.40 The new formulation of the significance tests gives effect to recommendation 1 of the ASIC Enforcement Review Taskforce Report, which called for amendments to the significance test to clarify the matters that should be reported, and amendments to ensure that the significance of breaches is determined objectively.

When is a licensee no longer able to comply with a core obligation?

11.41 The reportable situation that a licensee is no longer able to comply with a core obligation reflects the existing meaning of a 'likely breach' in section 912D of the Corporations Act. [Schedule 11, item 5, section 912D of the Corporations Act]

Example 11.1

Section 912A(1)(d) of the Corporations Act generally requires a financial services licensee to have available adequate resources to provide the financial services covered by the licence and to carry out supervisory arrangements.

Licensee A becomes aware that on a future date, its overdraft facility will be closed and it will no longer be able to comply with its base level financial requirements. Licensee A is aware that it does not have other means of meeting the financial requirements at that time, which is required under section 912A(1)(d).

As a breach of section 912A(1)(d) constitutes a contravention of a civil penalty provision (section 912A(5A) of the Corporations Act), there is a reportable situation in relation to Licensee A.

Reporting investigations

11.42 Investigations conducted by financial services licensees or their representatives into whether there has been or will be a significant breach of a core obligation also need to be reported to ASIC if the investigation continues for more than 30 calendar days. This means that on the 31st calendar day of such an investigation, it becomes a reportable situation. [Schedule 11, item 5, section 912D of the Corporations Act]

11.43 The term 'investigation' is not defined in the legislation and has its ordinary meaning. What constitutes an investigation is likely to vary significantly depending on the size of the licensee's business, their internal systems and processes, and the type of breach.

11.44 The Macquarie Dictionary defines 'investigation' as 'a searching inquiry in order to ascertain facts.' Accordingly, if a financial services licensee is considering whether it has conducted an investigation, a relevant factor would be whether there has been some information gathering or human effort applied by the licensee to determine whether a breach has occurred or will occur. Examples of information gathering may include:

•

communicating with representatives or staff of the licensee who may have been involved in the relevant conduct;

•

communicating with potentially affected clients; or

•

seeking specialist or technical advice.

11.45 Merely entering a suspected compliance issue into a risk management system is unlikely to amount to a searching inquiry to ascertain facts, although this will depend on the circumstances in each case.

11.46 The intention is that the term 'investigation' applies irrespective of how the licensee describes an investigation in its internal processes, as long as it satisfies the ordinary meaning of the term.

11.47 The time at which an investigation commences is a matter of fact and is not a subjective determination by the licensee. For example, after receiving a complaint from a client, if the licensee begins to look into the matter or takes steps towards ascertaining whether a significant breach has occurred, this would generally be considered to be when the investigation has commenced.

11.48 A financial services licensee is also considered to have conducted an investigation if it outsources the investigation, or if a related entity (such as a parent company) conducts the investigation.

11.49 Even if a licensee does not conduct an investigation, there may still be a reportable situation if the licensee has reasonable grounds to believe that they have breached, or will breach a core obligation and the breach is or will be significant. In other words, there may be circumstances where a significant and reportable breach should be clear to a licensee, even without an investigation being conducted.

11.50 Outcomes of investigations that continue for more than 30 calendar days must be reported to ASIC, even if the outcome is that there is no significant breach. The other possible outcomes of such an investigation will either be that there has been a significant breach of a core obligation or there will be a significant breach of a core obligation. The requirement to report these investigation outcomes are captured through the reportable situations (see sections 912D(1)(a), (b) and (d) of the Corporations Act). This ensures ASIC has visibility of protracted investigations, and incentivises licensees to prioritise and streamline investigation processes where appropriate. [Schedule 11, item 5, section 912D of the Corporations Act]

Additional reportable situations

11.51 Additional reportable situations are not linked to the core obligations and the significance tests. These reportable situations arise in relation to a financial services licensee if:

•

in the course of providing a financial service, the licensee or its representative has engaged in conduct constituting gross negligence; or

•

the licensee or its representative has committed serious fraud.

[Schedule 11, item 5, section 912D of the Corporations Act]

11.52 Serious fraud is defined in section 9 of the Corporations Act and means an offence involving fraud or dishonesty against an Australian law or any other law that is punishable by imprisonment for life or for a maximum period of at least three months.

11.53 Conduct that constitutes gross negligence or serious fraud must be reported to ASIC because of the potentially considerable detriment that could be caused to people as a result of that conduct. This conduct also goes to the licensee's or representative's character and suitability to provide financial services, which is relevant to ASIC's regulatory remit.

11.54 While investigations about the additional reportable situations are not expressly required to be reported to ASIC as part of the additional reportable situations, they may still need to be reported if they amount to a core reportable situation. That is, if the investigation can be characterised as an investigation conducted by a licensee or its representative into whether there has been or will be a significant breach of a core obligation, and the investigation continues for more than 30 calendar days. This is likely to occur in practice as there is some overlap between the additional reportable situations and the general obligations under section 912A of the Corporations Act (which are core obligations).

11.55 The additional reportable situations capture the 'serious compliance concerns' identified by Commissioner Hayne in relation to recommendation 2.8 of the Financial Services Royal Commission that are not already covered by the core reportable situations.

11.56 A regulation-making power is also included to prescribe other circumstances in which an additional reportable situation arises. This allows the Government to respond effectively to emerging trends of non-compliance in the financial services sector, particularly if those trends of non-compliance are unrelated to the core obligations. Any regulations made would be subject to disallowance and parliamentary scrutiny.

Self-reporting obligations to ASIC

11.57 A financial services licensee must lodge a report with ASIC if there are reasonable grounds to believe that a reportable situation has arisen in relation to the licensee. [Schedule 11, item 5, section 912DAA of the Corporations Act]

11.58 'Reasonable grounds to believe' ensures the breach reporting obligation is clearly objective. There will be reasonable grounds to believe a reportable situation has arisen if there are facts and/or evidence to induce, in a reasonable person, a belief that a reportable situation has arisen.

11.59 Each reportable situation is separate from one another. This means, for example, that there will be two separate obligations to lodge a report with ASIC if a financial services licensee is no longer able to comply with a core obligation and the breach will be significant if it occurs (as this is a reportable situation under section 912D(1)(b) of the Corporations Act), and that later eventuates into a significant breach of a core obligation (which is a reportable situation under section 912D(1)(a) of the Corporations Act).

Timing for reporting

11.60 A report must be lodged with ASIC within 30 calendar days after the licensee first knows that, or is reckless with respect to whether there are reasonable grounds to believe that, a reportable situation has arisen.

11.61 The terms 'know' and 'reckless' are equivalent to the concepts of 'knowledge' and 'recklessness' in the Criminal Code. A licensee knows of reasonable grounds to believe a reportable situation has arisen if the licensee knows of facts and/or evidence sufficient to induce in a reasonable person a belief that a reportable situation has arisen. The term 'reckless' is intended to capture circumstances where the licensee does not know that there are reasonable grounds to believe a reportable situation has arisen, but:

•

is aware of a substantial risk that there are reasonable grounds to believe a reportable situation has arisen; and

•

having regard to the circumstances known to the licensee, it is unjustifiable to take the risk that there are reasonable grounds to believe a reportable situation has arisen.

11.62 While the licensee must have knowledge of, or be reckless with respect to, whether there are reasonable grounds to believe that a reportable situation has arisen for the reporting timeframe to commence, the question of whether those reasonable grounds exist remains objective.

11.63 The timeframe for reporting has been extended from 10 business days to 30 calendar days to give licensees more time to investigate the breach (if needed) before reporting it to ASIC. This will also likely improve the quality of breach reports and assist ASIC to assess those reports. [Schedule 11, item 5, section 912DAA of the Corporations Act]

Example 11.2

11.64 These changes give effect to recommendation 4 of the ASIC Enforcement Review Taskforce Report.

How is a reportable situation reported to ASIC?

11.65 The report must be lodged by the financial services licensee in the form prescribed by ASIC. [Schedule 11, item 5, section 912DAA of the Corporations Act]

11.66 The use of a prescribed form aims to enhance the effectiveness of the breach reporting regime, as the reports will need to include all the information and supporting documents required by ASIC to assess the reportable situation and determine whether further action should be taken.

11.67 The prescribed form will require financial services licensees to include at a minimum the following information:

•

the date the reportable situation occurred;

•

a description of the reportable situation;

•

whether and how the reportable situation has been rectified by the licensee; and

•

the steps that have been or will be taken by the licensee to ensure future compliance.

11.68 This gives effect to recommendation 5 of the ASIC Enforcement Review Taskforce Report.

Where reports are received by APRA

11.69 A report that a financial services licensee is required to lodge in relation to its own reportable situations is taken to have been lodged with ASIC if:

•

the licensee is also regulated by APRA; and

•

the report is given to APRA containing all of the information that is required in a report in relation to the reportable situation.

[Schedule 11, item 5, section 912DAA of the Corporations Act]

11.70 A financial services licensee may need to consider the form prescribed by ASIC to ensure that it gives APRA all the information that is required in a report about the reportable situation.

11.71 The licensee will also need to ensure it gives the report to APRA within 30 calendar days after the licensee first knows that, or is reckless with respect to whether, there are reasonable grounds to believe a reportable situation has arisen. This reflects that this new provision does not operate as a general exemption from the requirement to report, but operates such that a report is taken to have been lodged with ASIC even though it has been actually lodged with APRA.

11.72 There is a general exemption from the requirement to report. This exemption applies if the licensee is also regulated by APRA and the auditor or actuary of the licensee has given APRA a written report about the reportable situation within 10 business days after the licensee first knows that, or is reckless with respect to whether there are reasonable grounds to believe that, the reportable situation has arisen. This substantially replicates existing section 912D(1D) of the Corporations Act. [Schedule 11, item 5, section 912DAA of the Corporations Act]

11.73 These provisions recognise that there may be overlaps between the matters that need to be reported under the Corporations Act and under other legislation, such as the SIS Act. This reduces the compliance burden on licensees that are dual-regulated, as these licensees will only need to report the matter to one regulator to satisfy their reporting obligations.

Consequences of failing to satisfy self-reporting obligations

11.74 In the circumstance where there are reasonable grounds to believe that a reportable situation has arisen, the conduct of failing to lodge a report with ASIC as required constitutes an offence with a maximum penalty of two years imprisonment. A fine may also be imposed (see sections 1311B and 1311C of the Corporations Act).

11.75 Strict liability applies in relation to the conduct of lodging a report with ASIC, including whether it is lodged in accordance with the 30-calendar day timing requirement and the prescribed form requirement. [Schedule 11, item 5, section 912DAA of the Corporations Act]

11.76 Applying strict liability in this case is appropriate as requiring proof of fault would undermine deterrence.

11.77 In particular, applying strict liability makes it clear that the prosecution would not need to prove that the financial services licensee knew that they were under a legal obligation to lodge a report in the prescribed form, or that they knew they were required to submit a report within the particular statutory period. Not applying strict liability to this conduct would undermine deterrence, as in most cases it would not be possible for the prosecution to prove these matters. This approach is therefore consistent with the principles in the Guide to Framing Commonwealth Offences about applying strict liability.

11.78 However, the prosecution will be required to prove that the licensee knew of, or was reckless with respect to, the facts constituting the reasonable grounds to believe that a reportable situation had arisen. This is the fault element for that circumstance under the Criminal Code.

11.79 The prosecution will also need to prove when the licensee first knew of, or was reckless with respect to, the facts constituting that circumstance. Requiring proof of this is central to the offence as it determines when the 30-day period for reporting starts. This will need to be proven notwithstanding the application of strict liability, as it is included in section 912DAA(3).

11.80 The defence of honest and reasonable mistake of fact will be available in relation to the matters to which strict liability apply. This defence will, for example, protect a licensee that has put in place a proper compliance system, and that does not lodge a report within the statutory timeframe due to an honest and reasonable mistake of fact as to when precisely the 30-day period for reporting starts. However, where licensees have not acted honestly and reasonably, the defence will not be available. In this sense, licensees are incentivised to develop and maintain adequate compliance systems. The licensees that will be penalised are more likely to have poor compliance systems in place that would not enable them to comply with the breach reporting regime.

11.81 In accordance with section 769B(3) of the Corporations Act, for a licensee that is a body corporate, the state of mind of a director, employee or agent of the licensee (or certain other persons) will be attributed to the licensee where that person was engaged in the relevant conduct within the scope of their actual or apparent authority.

11.82 The maximum penalty of two years imprisonment, and/or a fine covered by section 1311B or 1311C of the Corporations Act, reflects the seriousness of the offence, and aims to encourage compliance with the breach reporting obligation. Maximum penalties also provide a court with guidance on how to punish criminal behaviour. The maximum penalty is generally reserved only for the most egregious cases.

11.83 Failure to lodge a report as required also attracts a civil penalty. [Schedule 11, items 5, 7 and 8, sections 912DAA and 1317E of the Corporations Act]

11.84 Consistent with other civil penalty provisions in the Corporations Act and section 1317QB of the Corporations Act, except to the extent expressly provided otherwise, it is not necessary to prove any state of mind of the person in proceedings for:

•

a declaration of a contravention of the civil penalty; or

•

a pecuniary penalty order relating to a contravention of the civil penalty.

11.85 Additionally, while the new breach reporting obligation relies on the Criminal Code definitions of 'knowledge' and 'recklessness', this does not import criminal standards of proof, or criminal rules of evidence or procedure in any civil penalty proceedings. This is consistent with sections 1317L and 1332 of the Corporations Act.

11.86 The standard maximum financial penalty for a contravention of a civil penalty provision under the Corporations Act is:

•

for individuals, the greater of:

-

5,000 penalty units; or

-

if the court can determine-the benefit derived or detriment avoided because of the contravention, multiplied by three;

•

for bodies corporate, the greater of the following:

-

50,000 penalty units;

-

if the court can determine-the benefit derived or detriment avoided because of the contravention, multiplied by three;

-

10 per cent of the annual turnover of the body corporate, but to a maximum monetary value of 2.5 million penalty units.

11.87 The offence provision will also form part of the infringement notice regime, and regulations will be made for this purpose. This is appropriate as there may be a high volume of contraventions (ranging in severity) of the reporting provisions. The Guide to Framing Commonwealth Offences highlights failing to comply with reporting obligations as an example of a case where issuing infringement notices may be appropriate.

11.88 Minor contraventions may be caused by poor internal processes. Where this is the case, the use of infringement notices may lead to a faster rectification of processes, as licensees are put on notice by ASIC sooner.

11.89 These enforcement options give ASIC sufficient flexibility to pursue the most appropriate action in each case, which will depend on its assessment of various considerations, including the severity and nature of the reportable situation. These options are also consistent with the existing consequences for failures relating to breach reporting.

11.90 This gives effect to recommendations 6 and 7 of the ASIC Enforcement Review Taskforce Report.

Reporting about other financial services licensees to ASIC

11.91 A financial services licensee will also be required to lodge a report with ASIC if the licensee has reasonable grounds to believe that a reportable situation, other than a reportable situation about an investigation, has arisen in relation to an individual who:

•

provides personal advice to retail clients about relevant financial products; and

•

is any of the following:

-

another financial services licensee;

-

an employee of another financial services licensee (or a related body corporate of another licensee), acting within the scope of the employee's employment;

-

a director of another financial services licensee (or a related body corporate of another licensee), acting within the scope of the director's duties as director; or

-

a representative of another financial services licensee, acting within the scope of the representative's authority given by the licensee.

[Schedule 11, item 5, section 912DAB of the Corporations Act]

11.92 Relevant financial products are defined in section 910A of the Corporations Act as financial products other than basic banking products, general insurance products, consumer credit insurance, or a combination of any of those products.

11.93 This obligation therefore targets misconduct by individual financial advisers who provide personal advice to retail clients about more complex financial products. It also recognises that in the financial advice industry, parties other than the financial adviser's licensee may be well positioned to identify this misconduct.

11.94 In practice, a reporting licensee will likely have reasonable grounds to believe that a reportable situation has arisen in relation to another financial adviser through a relationship of proximity between the two parties. For example, this may occur because of business dealings between the two parties or through mutual clients.

11.95 A reporting licensee who gives information to ASIC as required generally has the benefit of qualified privilege under section 1100A of the Corporations Act. This means the reporting licensee has qualified privilege in proceedings for defamation, or is not liable to an action for defamation if the reporting licensee had no malice when making the report to ASIC. A licensee who lodges a false report with ASIC under this section with an improper motive, for example to undermine a competitor, will not have the benefit of qualified privilege in an action for defamation.

11.96 A reporting licensee who has qualified privilege in respect of reporting on another licensee is also not liable for any action for breach of confidence in relation to that reporting under section 1100A of the Corporations Act.

11.97 This reporting obligation only applies in relation to other financial services licensees. If a licensee has reasonable grounds to believe that a reportable situation has arisen in relation to its own financial advisers who are acting within the scope of the authority given by the licensee, the licensee must self-report that matter under section 912DAA of the Corporations Act.

Timing for reporting a breach

11.98 The report must be lodged with ASIC within 30 calendar days after the reporting licensee first knows that, or is reckless with respect to whether there are reasonable grounds to believe that, the reportable situation has arisen in relation to another licensee. [Schedule 11, item 5, section 912DAB of the Corporations Act]

11.99 This is consistent with the general timing rules for self-reporting of reportable situations to ASIC.

How is a reportable situation reported to ASIC?

11.100 The report must be lodged by the reporting licensee in the form prescribed by ASIC. This ensures the report includes the information and supporting documents required by ASIC to assess whether further action should be taken. [Schedule 11, item 5, section 912DAB of the Corporations Act]

Informing the other financial services licensee

11.101 The reporting licensee must also provide a copy of the report lodged with ASIC to the licensee who is the subject of that report. In some cases, this will require the reporting licensee to provide a copy of the report directly to the financial adviser if the adviser operates under their own financial services licence, or to a financial services licensee who is no longer involved with the financial adviser (for example, a previous employer). [Schedule 11, item 5, section 912DAB of the Corporations Act]

11.102 Upon receiving a copy of the report, the financial services licensee who is the subject of that report may need to commence an investigation or report that matter to ASIC under the self-reporting obligation. This reflects that a financial services licensee will generally have more information about its own reportable situations, which will assist ASIC in assessing the reportable situation.

11.103 The copy of the report needs to be provided to the other licensee within 30 calendar days after the reporting licensee first knows that there are reasonable grounds to believe that the reportable situation has arisen, or is reckless with respect to that circumstance. This is the same timeframe for reporting the matter to ASIC.

11.104 A reporting licensee who provides a copy of the report to the other licensee as required will also have the benefit of qualified privilege in an action for defamation if the reporting licensee had no malice. Additionally, a reporting licensee is not liable for an action based on breach of confidence in relation to that conduct. [Schedule 11, item 5, section 912DAB of the Corporations Act]

11.105 This obligation supports the new requirement to be imposed on licensees to take steps to remediate an affected client when they detect misconduct - either arising from their own behaviour or that of a representative under their licence (see recommendation 2.9 of the Financial Services Royal Commission). The new obligation will require licensees to inform a client who is potentially affected by the detected misconduct, and to investigate the nature and full extent of the detected misconduct. As part of this investigation, licensees will be required to determine the quantum of any loss or damage to the client caused by the misconduct. Once the investigation is completed, the licensee is required to inform the affected client of the nature and full extent of the misconduct and remediate the client's loss.

Example 11.3

On 1 July 2021, Licensee C becomes aware of reasonable grounds to believe that a reportable situation has arisen in relation to Licensee D's financial adviser. This financial adviser also operates under Licensee C's licence.

Under section 912DAB of the Corporations Act, Licensee C is required to lodge a report with ASIC within 30 calendar days after the licensee first knows of the reportable situation, and is also required to provide a copy of that report to Licensee D in the same timeframe.

Licensee C also commences an investigation into whether the financial adviser, while acting within the scope of the authority of Licensee C's licence, has engaged in conduct amounting to a reportable situation. However, within 30 days of commencing the investigation, the investigation discloses that a reportable situation has not arisen in relation to Licensee C. Licensee C is not required under section 912DAA of the Corporations Act to report the investigation or its outcome to ASIC.

No need to report if reasonable grounds to believe ASIC is aware of the reportable situation

11.106 A financial services licensee is not required to lodge a report with ASIC about another licensee if the first licensee has reasonable grounds to believe that ASIC is aware of:

•

the existence of the reportable situation; and

•

all of the information that would otherwise be required in a report about the reportable situation.

[Schedule 11, item 5, section 912DAB of the Corporations Act]

11.107 This is a high threshold that is primarily intended to reduce reporting of matters to ASIC that are publicly well known about an individual financial adviser operating under another financial services licence.

11.108 This exemption only applies to the obligation to report about other financial services licensees. It does not apply in relation to reporting about a licensee's own matters.

Consequences of failing to satisfy reporting obligations in relation to another financial services licensee

11.109 Failure to lodge a report or provide a copy of a report as required attracts a civil penalty, which is subject to the standard maximum financial penalties for a contravention of a civil penalty provision under the Corporations Act. Failure to lodge a report or provide a copy of a report does not constitute an offence. [Schedule 11, items 5 and 8, sections 912DAB and 1317E of the Corporations Act]

11.110 Consistent with other civil penalty provisions in the Corporations Act and section 1317QB of the Corporations Act, except to the extent expressly provided otherwise, it is not necessary to prove any state of mind of the person in proceedings for:

•

a declaration of a contravention of the new civil penalty provision; or

•

a pecuniary penalty order in relation to a contravention of the new civil penalty provision.

11.111 Additionally, while the reporting obligation relies on the Criminal Code definitions of 'knowledge' and 'recklessness', this does not import criminal standards of proof, or criminal rules of evidence or procedure in any civil penalty proceedings in respect of a failure to lodge a breach report as required. This is consistent with sections 1317L and 1332 of the Corporations Act.

11.112 The civil penalty provisions will also be subject to the infringement notice regime and regulations will be made for this purpose. This is appropriate as there may be a high volume of contraventions (ranging in severity) of these reporting obligations. The Guide to Framing Commonwealth Offences highlights failing to comply with reporting obligations as an example of a case where issuing infringement notices may be appropriate.

11.113 Minor contraventions may be caused by poor internal processes. Where this is the case, the use of infringement notices may lead to a faster rectification of processes, as firms are put on notice by ASIC sooner.

11.114 These enforcement options give ASIC sufficient flexibility to pursue the most appropriate action in each case, depending on its assessment of various considerations, including the severity and nature of the reportable situation.

Participants in a licensed market or a licensed CS facility - existing requirement

11.115 A financial services licensee must give written notice to ASIC as soon as practicable if the licensee becomes a participant in a licensed market or a licensed CS facility, or ceases to be such a participant. [Schedule 11, items 5, 10 and 11, section 912DAC of the Corporations Act]

11.116 The notice must set out when the event happened and identify the market or facility. [Schedule 11, item 5, section 912DAC of the Corporations Act]

11.117 Failure to comply with this requirement is an offence with a maximum penalty of one year imprisonment. It is also a civil penalty provision. [Schedule 11, items 5, 7 and 8, sections 912DAC and 1317E of the Corporations Act]

11.118 This provision retains existing section 912D(2) of the Corporations Act without any changes.

ASIC publication of breach reporting data

11.119 ASIC must publish information about breaches and likely breaches of core obligations that are self-reported by licensees during the financial year. This includes reports lodged with APRA by dual regulated licensees or their auditors and actuaries. [Schedule 11, item 5, section 912DAD of the Corporations Act]

11.120 ASIC's publication must contain information about the licensees that have lodged these reports. This means the publication will contain licensee-level data. [Schedule 11, item 5, section 912DAD of the Corporations Act]

11.121 Subject to any requirements prescribed by regulations, ASIC has discretion as to the contents and form of the publication. ASIC's publication may include the following information:

•

the name of the licensee;

•

volume of reported breaches;

•

breakdown of breach reports by corporate group; and

•

the number of breaches compared to the size, activity or volume of the licensee's business.

11.122 ASIC's publication does not need to include information about reports regarding:

•

investigations into whether a significant breach of a core obligation has occurred or will occur, which are reportable situations under section 912D(1)(c) of the Corporations Act;

•

outcomes of those investigations, which are reportable situations under section 912D(1)(d) of the Corporations Act;

•

additional reportable situations under section 912D(2) of the Corporations Act; or

•

reportable situations in relation to other financial services licensees made under section 912DAB of the Corporations Act.

11.123 ASIC will be required to publish this information on its website within four months after the end of each financial year, starting on the financial year ending on 30 June 2022. [Schedule 11, item 5, section 912DE of the Corporations Act]

11.124 The information published by ASIC must include any information prescribed by the regulations, which may include personal information under the Privacy Act 1988 about a financial services licensee who is an individual. This regulation-making power may be exercised to allow ASIC to publish the names of financial services licensees where the licence is held in the name of an individual, as this would constitute personal information under the Privacy Act 1988. This will allow ASIC to publish breach report data at the licensee-level consistently and ensures licensees who hold a licence in the name of an individual are not excluded from ASIC's publication. [Schedule 11, item 5, section 912DAD of the Corporations Act]

11.125 Regulations may also prescribe circumstances in which information does not need to be included in ASIC's publication. This regulation-making power ensures there is an appropriate mechanism to balance to the broad requirement on ASIC to publish breach report data at the licensee-level. [Schedule 11, item 5, section 912DAD of the Corporations Act]

11.126 The information must also be organised in accordance with the regulations, if any. [Schedule 11, item 5, section 912DAD of the Corporations Act]

11.127 Regulations made for the purposes of these provisions would be subject to disallowance and parliamentary scrutiny.

11.128 ASIC may also correct any error in, or omission from, a report published under this section. This mirrors Australian Privacy Principles 10 and 13, which are set out in Schedule 1 to the Privacy Act 1988. The correction may be initiated by an affected licensee or by ASIC. [Schedule 11, item 5, section 912DAD of the Corporations Act]

11.129 This supplements ASIC's existing reporting framework to enhance accountability and provide an incentive for improved behaviour. It will also assist licensees and consumers to identify areas where substantial numbers of significant breaches are occurring, and allows licensees to target their efforts to improve their compliance outcomes in those areas.

11.130 This give effect to recommendation 10 of the ASIC Enforcement Review Taskforce Report.

Amendments to the Credit Act

11.131 The amendments made to the Credit Act largely replicate the new breach reporting provisions in the Corporations Act, with some changes to reflect the differences between the credit industry and its participants. These amendments give effect to recommendation 2 of the ASIC Enforcement Review Taskforce Report and recommendation 1.6 of the Financial Services Royal Commission.

Matters that may need to be reported to ASIC

11.132 The matters that may need to be reported to ASIC are referred to as 'reportable situations'. The reportable situations are set out in section 50A of the Credit Act and can be broadly separated into two categories:

•

reportable situations relating to core obligations (referred to in this chapter as core reportable situations); and

•

additional reportable situations.

[Schedule 11, item 15, section 50A of the Credit Act]

Core reportable situations

11.133 A core reportable situation arises in relation to a credit licensee where:

•

the credit licensee or its representative has breached a core obligation and the breach is significant; or

•

the credit licensee or its representative is no longer able to comply with the core obligation and the breach will be significant if it occurs; or

•

the credit licensee or its representative conducts an investigation into whether there has been or will be a significant breach of a core obligation, and the investigation continues for more than 30 calendar days; or

•

an investigation described in the previous point discloses that there has been no breach of a core obligation.

[Schedule 11, item 15, section 50A of the Credit Act]

What are the core obligations?

11.134 The core obligations in the Credit Act mirror the core obligations in the Corporations Act, and are:

•

the general conduct obligations on licensees under section 47 (other than the obligation under section 47(1)(d)), which includes for example, the obligation to:

-

do all things necessary to ensure the credit activities authorised by the licence are engaged in efficiently, honestly and fairly;

-

comply with the conditions on the licence;

-

have adequate compensation arrangements in place; and

•

the obligation to comply with certain credit legislation under section 47(1)(d).

[Schedule 11, item 15, section 50A of the Credit Act]

11.135 The core obligations will cover the obligation to comply with a broad range of credit legislation. It includes for example, the obligations in the Credit Act, the National Consumer Protection (Transitional and Consequential Provisions) Act 2009, and Division 2 of Part 2 of the ASIC Act.

When is a breach or likely breach 'significant'?

11.136 There are two separate significance tests which are set out in sections 50A(4) and (5) respectively.

11.137 The first significance test (referred to in this chapter as the deemed significance test) provides that a breach of a core obligation is taken to be significant if any of the following applies:

•

the breach is constituted by the commission of an offence under any law, and the offence is punishable on conviction by a penalty that includes imprisonment for up to:

-

three months or more if the offence involves dishonesty; or

-

12 months or more in any other case; or

•

the breach is constituted by a contravention of a civil penalty provision under any law, other than a civil penalty provision excluded by the regulations; or

•

the breach is constituted by a contravention of a key requirement (as defined for the purposes of the National Credit Code), other than a key requirement excluded by the regulations; or

•

the breach is constituted by a contravention of section 12DA(1) of the ASIC Act, which relates to misleading or deceptive conduct in relation to a financial service; or

•

the breach results in or is likely to result in material loss or damage to a credit activity client of the licensee; or

•

any other circumstances prescribed by the regulations exist.

[Schedule 11, item 15, section 50A of the Credit Act]

11.138 Therefore, under the deemed significance test, a breach of a core obligation will be significant if it is constituted by a contravention of the civil penalty provision in section 47(4) of the Credit Act, which relates to the general conduct obligations on licensees. Alternatively, a breach of a core obligation will be significant if it is constituted by a contravention of another civil penalty provision that forms part of the credit legislation, unless that provision is prescribed by the regulations.

11.139 However, even if a civil penalty provision is prescribed by the regulations, a breach of that provision may still be significant and reportable if one of the other circumstances in the deemed significance test apply, or if the breach is significant under the second significance test.

11.140 This regulation-making power ensures there is sufficient flexibility to target ASIC's surveillance to problematic areas. For example, if ASIC is receiving a large number of largely unproblematic breach reports for minor, technical or inadvertent breaches of civil penalty provisions, and those breaches would not otherwise be significant, the Government may decide that the regulatory burden imposed outweighs the benefit of receiving those reports. In those circumstances, the Government may exercise the regulation-making power to quickly reduce the regulatory burden on licensees to report breaches where appropriate. Any regulation made would be subject to disallowance and parliamentary scrutiny.

11.141 Key requirements, which are set out in section 111 of the National Credit Code, are treated in the same manner as civil penalty provisions for breach reporting purposes. This is consistent with the approach taken in other parts of the National Credit Code and the Credit Act, and reflects that the key requirements have been a fundamental component of the National Credit Code since its inception.

11.142 'Loss or damage' in the context of the deemed significance test has its ordinary meaning, which is extensive. The term includes financial and non-financial loss or damage.

11.143 A credit activity client of a licensee has a broad definition that takes into account the various credit activities regulated under the Credit Act. A credit activity client of a licensee therefore includes a consumer who:

•

is a party to a credit contract, or will be a party to a proposed credit contract;

•

is a person to whom the licensee or its representative provides a credit service;

•

is a party to a consumer lease, or will be a party to a proposed consumer lease;

•

is a mortgagor under a mortgage, or will be a mortgagor under a proposed mortgage;

•

is the guarantor under a guarantee or will be the guarantor under a proposed guarantee; or

•

is a person in relation to whom the licensee or its representative engaged in a prescribed activity under table item 6 of section 6(1) of the Credit Act.

[Schedule 11, item 15, section 50A of the Credit Act]

11.144 Whether a breach results in, or is likely to result in, material loss or damage to a credit activity client, requires the licensee to consider the particular client's circumstances. For example, a relevant circumstance may include the client's financial situation.

11.145 If a breach affects a number of clients, it is sufficient for the reporting obligation to be triggered if the breach is likely to result in material loss or damage to one client. Additionally, where the breach affects a number of clients, licensees should consider the total loss or damage. For example, even if the breach does not result in a material loss or damage to individual clients, the total loss or damage to clients resulting from the breach may, when aggregated, amount to material loss or damage to clients, thereby satisfying the significance requirement.

11.146 Consistent with the common law position, 'likely to result in material loss or damage' is intended to mean that there is a real and not remote chance that loss or damage will occur as a result of the breach.

11.147 The inclusion of contraventions of section 12DA(1) of the ASIC Act in the deemed significance test captures the remaining misleading and deceptive conduct provisions in the credit legislation that are not already captured by the other circumstances in the deemed significance test. This means that all breaches of misleading and deceptive conduct provisions in the credit legislation are taken to be significant and therefore reportable to ASIC. This ensures that the deceptive conduct element of the serious compliance concerns identified by Commissioner Hayne is captured in the definition of 'reportable situation'.

11.148 A general regulation-making power is included to prescribe circumstances in which a breach or likely breach of a core obligation is taken to be significant. This regulation-making power can be used to quickly and effectively respond to emerging trends of non-compliance in the credit sector to ensure the breach reporting regime is fit for purpose. Any regulations made would be subject to disallowance and parliamentary scrutiny.

11.149 The purpose of the deemed significance is to provide greater certainty for industry and to ensure significant breaches are reported to ASIC in a timely manner. For example, where a breach constitutes a contravention of a relevant civil penalty provision or the commission of a relevant offence, the significance of the breach is immediately taken to be satisfied.

11.150 If none of the circumstances in the deemed significance test apply, the breach may still be significant under the second significance test. This test requires consideration of all of the following matters:

•

the number or frequency of similar breaches;

•

the impact of the breach or likely breach on the licensee's ability to engage in credit activities covered by the licence;

•

the extent to which the breach or likely breach indicates that the licensee's arrangements to ensure compliance with those obligations are inadequate; and

•

any other matters prescribed by regulations.

[Schedule 11, item 15, section 50A of the Credit Act]

11.151 Whether a particular breach is significant under the second significance test is determined objectively. This is made clear as the standard for reporting is that there are reasonable grounds to believe a reportable situation has arisen (see new section 50B of the Credit Act).

11.152 This formulation of the significance test mirrors the test in the Corporations Act.

Reporting investigations

11.153 Investigations conducted by credit licensees or their representatives into whether there has been or will be a significant breach of a core obligation also need to be reported to ASIC if the investigation continues for more than 30 calendar days. This means that on the 31st calendar day of such an investigation, it becomes a reportable situation. [Schedule 11, item 15, section 50A of the Credit Act]

11.154 The term 'investigation' is not defined in the legislation and has its ordinary meaning. This reflects that an investigation is likely to vary significantly depending on the size of the licensee's business, their internal systems and processes, and the type of breach.

11.155 The Macquarie Dictionary defines 'investigation' as 'a searching inquiry in order to ascertain facts.' Accordingly, if a credit licensee is considering whether it has conducted an investigation, a relevant factor would be whether there has been some information gathering by the licensee to determine whether a breach has occurred or will occur. Examples of information gathering may include:

•

communicating with representatives or staff of the licensee who may have been involved in the relevant conduct;

•

communicating with potentially affected clients; or

•

seeking specialist or technical advice.

11.156 Merely entering a suspected compliance issue into a risk management system is unlikely to amount to a searching inquiry to ascertain facts, although this will depend on the circumstances in each case.

11.157 The intention is that the term 'investigation' applies irrespective of how the licensee describes an investigation in its internal processes, as long as it satisfies the ordinary meaning of the term.

11.158 The time at which an investigation commences is a matter of fact and is not a subjective determination by the licensee. For example, after receiving a complaint from a client, if the licensee begins to look into the matter or takes steps towards ascertaining whether a significant breach has occurred, this would generally be considered to be when the investigation has commenced.

11.159 A credit licensee is also considered to have conducted an investigation if it outsources the investigation, or if a related entity (such as a parent company) conducts the investigation.

11.160 Even if a licensee does not commence an investigation, there may still be a reportable situation if the licensee has reasonable grounds to believe that they have breached, or will breach a core obligation and the breach is or will be significant. In other words, there may be circumstances where a significant and reportable breach should be clear to a licensee, even without an investigation being conducted.

11.161 Outcomes of investigations that continue for more than 30 calendar days must be reported to ASIC, even if the outcome is that there is no significant breach. The other possible outcomes of such an investigation will either be that there has been a significant breach of a core obligation or there will be a significant breach of a core obligation. The requirement to report these investigation outcomes are captured through the reportable situations (see sections 50A(1)(a), (b) and (d) of the Credit Act). This ensures ASIC has visibility of protracted investigations, and incentivises licensees to prioritise and streamline investigation processes where appropriate. [Schedule 11, item 15, section 50A of the Credit Act]

Additional reportable situations

11.162 Additional reportable situations are not linked to the core obligations or the significance test. These reportable situations arise in relation to a credit licensee if:

•

in the course of engaging in a credit activity, the licensee or its representative has engaged in conduct constituting gross negligence; or

•

the credit licensee or its representative has committed serious fraud.

[Schedule 11, item 15, section 50A of the Credit Act]

11.163 Serious fraud is defined in section 5 of the Credit Act and means an offence involving fraud or dishonesty against an Australian law or any other law that is punishable by imprisonment for life or for a period, or maximum period, of at least three months.

11.164 Conduct that constitutes gross negligence or serious fraud must be reported to ASIC because of the potentially considerable detriment that could be caused to a person as a result of that conduct. This kind of conduct also goes to the licensee or representative's character and suitability to engage in credit activities, which is relevant to ASIC's regulatory remit.

11.165 While investigations about the additional reportable situations are not expressly required to be reported to ASIC as part of the additional reportable situations, they may still need to be reported if they amount to a core reportable situation. That is, if the investigation can be characterised as an investigation conducted by a licensee or its representative into whether there has been or will be a significant breach of a core obligation, and the investigation continues for more than 30 calendar days. This is likely to occur in practice as there is some overlap between the additional reportable situations and the general conduct obligations under section 47 of the Credit Act (which are core obligations).

11.166 The additional reportable situations capture the 'serious compliance concerns' identified by Commissioner Hayne in relation to recommendation 2.8 of the Financial Services Royal Commission that are not already covered by the core reportable situations.

11.167 A regulation-making power is also included to prescribe circumstances in which an additional reportable situation arises. This allows the Government to respond effectively to emerging trends of non-compliance in the credit sector, particularly if those trends of non-compliance are not directly linked to the core obligations. Any regulations made would be subject to disallowance and parliamentary scrutiny.

Self-reporting obligations to ASIC

11.168 A credit licensee must lodge a report with ASIC if there are reasonable grounds to believe that a reportable situation has arisen in relation to the licensee. [Schedule 11, item 15, section 50B of the Credit Act]

11.169 'Reasonable grounds to believe' ensures the breach reporting obligation is objective. There will be reasonable grounds to believe a reportable situation has arisen if there are facts and/or evidence to induce in a reasonable person, a belief that a reportable situation has arisen.

11.170 Each reportable situation is separate from one another. This means for example, that there will be two separate obligations to lodge a report with ASIC if a credit licensee is no longer able to comply with a core obligation and the breach will be significant if it occurs (as this is a reportable situation under section 50A(1)(b) of the Credit Act), and that later eventuates into a significant breach of a core obligation (which is a reportable situation under section 50A(1)(a) of the Credit Act).

Timing for reporting

11.171 A report must be lodged within 30 calendar days after the credit licensee first knows that, or is reckless with respect to whether, there are reasonable grounds to believe a reportable situation has arisen.

11.172 The terms 'know' and 'reckless' are equivalent to the concepts of 'knowledge' and 'recklessness' in the Criminal Code. A licensee knows of reasonable grounds to believe a reportable situation has arisen if the licensee knows of facts and/or evidence sufficient to induce in a reasonable person a belief that a reportable situation has arisen. In this context, 'reckless' is intended to capture circumstances where, on the facts available, the licensee does not know that there are reasonable grounds to believe a reportable situation has arisen, but:

•

is aware of a substantial risk that there are reasonable grounds to believe a reportable situation has arisen; and

•

having regard to the circumstances known to the licensee, it is unjustifiable to take the risk that there are reasonable grounds to believe a reportable situation has arisen.

11.173 While the licensee must have knowledge of, or be reckless with respect to, whether there are reasonable grounds to believe that a reportable situation has arisen for the reporting timeframe to commence, the question of whether those reasonable grounds exist remains objective.

11.174 The timeframe for reporting gives licensees sufficient time to investigate the circumstances of the breach (if needed) before reporting it to ASIC. This will also likely improve the quality of breach reports and assist ASIC to assess those reports. [Schedule 11, item 15, section 50B of the Credit Act]

How is a reportable situation reported to ASIC?

11.175 The report must be lodged by the credit licensee in the form approved by ASIC. [Schedule 11, item 15, section 50B of the Credit Act]

11.176 The use of an approved form ensures the breach reporting regime is effective, as the reports will need to include all the information and supporting documents required by ASIC to assess the reportable situation and determine whether further action should be taken.

11.177 The approved form will require licensees to include at a minimum the following information:

•

the date the reportable situation occurred;

•

a description of the reportable situation;

•

whether and how the reportable situation has been rectified by the licensee; and

•

the steps that have been or will be taken by the licensee to ensure future compliance.

Where reports are received by APRA

11.178 A report that a credit licensee is required to lodge in relation to its reportable situations is taken to have been lodged with ASIC if:

•

the licensee is also regulated by APRA; and

•

the report is given to APRA containing all of the information that is required in a report in relation to the reportable situation.

[Schedule 11, item 15, section 50B of the Credit Act]

11.179 A credit licensee may need to consider the form approved by ASIC to ensure that it gives APRA a report containing all the information that is required about the reportable situation.

11.180 The licensee will also need to ensure it gives the report to APRA within 30 calendar days after the licensee first knows that, or is reckless with respect to whether, there are reasonable grounds to believe a reportable situation has arisen. This reflects that this new provision does not operate as a general exemption from the requirement to report, but operates such that a report is taken to have been lodged with ASIC even though it has been physically lodged with APRA.

11.181 There is a general exemption from the requirement to report. This exemption applies if the credit licensee is also regulated by APRA and the auditor or actuary of the licensee has given APRA a written report about the reportable situation within 10 business days after the licensee knows that, or is reckless with respect to whether, there are reasonable grounds to believe that the reportable situation has arisen. [Schedule 11, item 15, section 50B of the Credit Act]

11.182 These provisions recognise that there may be overlaps between the matters that need to be reported under the Credit Act and under other legislation. These provisions reduce the compliance burden on licensees that are dual-regulated, as these licensees will only need to report the matter to one regulator to satisfy their reporting obligations.

Consequences of failing to satisfy self-reporting obligations

11.183 Failing to lodge a report with ASIC as required constitutes an offence with a maximum penalty of two years imprisonment. A fine may also be imposed (see sections 288C and 288D of the Credit Act).

11.184 Strict liability applies in relation to the conduct of lodging a report with ASIC, including whether it is lodged in accordance with the 30-calendar day timing requirement and the prescribed form requirement. [Schedule 11, item 15, section 50B of the Credit Act]

11.185 Applying strict liability in this case is appropriate as requiring proof of fault would undermine deterrence.

11.186 In particular, applying strict liability makes it clear that the prosecution would not need to prove that the credit licensee knew that they were under a legal obligation to lodge a report in the prescribed form, or that they knew they were required to submit a report within the particular statutory period. Not applying strict liability to this conduct would undermine deterrence, as in most cases it would not be possible for the prosecution to prove these matters. This approach is therefore consistent with the principles in the Guide to Framing Commonwealth Offences about applying strict liability.

11.187 However, the prosecution will be required to prove that the credit licensee knew of, or was reckless with respect to, the facts constituting the reasonable grounds to believe that a reportable situation had arisen. This is the fault element for that circumstance under the Criminal Code.

11.188 The prosecution will also need to prove when the licensee first knew of, or was reckless with respect to, the facts constituting that circumstance. Requiring proof of this is central to the offence as it determines when the 30-day period for reporting starts. This will need to be proven notwithstanding the application of strict liability as it is expressly included in section 50B(4).

11.189 The defence of honest and reasonable mistake of fact will be available in relation to the matters to which strict liability apply. This defence will, for example, protect a licensee that has put in place a proper compliance system, and does not lodge a report within the statutory timeframe due to an honest and reasonable mistake of fact as to when precisely the 30-day period for reporting starts. However, where licensees have not acted honestly and reasonably, the defence will not be available. In this sense, licensees are incentivised to develop and maintain adequate compliance systems. The licensees that will be penalised are more likely to have poor compliance systems in place that would not enable them to comply with the breach reporting regime.

11.190 In accordance with section 324(3) of the Credit Act, for a credit licensee that is a body corporate, the state of mind of a director, employee or agent of the licensee (or certain other persons) will be attributed to the licensee where that person was engaged in the relevant conduct within the scope of their actual or apparent authority.

11.191 The maximum penalty of two years imprisonment, and/or a fine reflects the seriousness of the offence and aims to encourage compliance with the breach reporting regime. Maximum penalties also provide a court with guidance on how to punish criminal behaviour. The maximum penalty is generally reserved only for the most egregious cases.

11.192 Failure to lodge a breach report also attracts a civil penalty. [Schedule 11, item 15, section 50B of the Credit Act]

11.193 Consistent with other civil penalty provisions in the Credit Act and section 175B of the Credit Act, except to the extent expressly provided otherwise, it is not necessary to prove any state of mind of the person in proceedings for:

•

a declaration of a contravention of the new civil penalty provision; or

•

a pecuniary penalty order in relation to a contravention of the new civil penalty provision.

11.194 Additionally, while the new breach reporting obligation relies on the Criminal Code definitions of 'knowledge' and 'recklessness', this does not import criminal standards of proof, or criminal rules of evidence or procedure in any civil penalty proceedings in respect of a failure to lodge a breach report as required. This is consistent with sections 175B and 202 of the Credit Act.

11.195 The specified financial penalty for the contravention of this civil penalty provision is 5,000 penalty units. However, the maximum penalty applicable under section 167B of the Credit Act is:

•

for individuals, the greater of:

-

5,000 penalty units; or

-

if the court can determine-the benefit derived or detriment avoided because of the contravention, multiplied by three;

•

for bodies corporate, the greater of the following:

-

5,000 penalty units multiplied by 10 (50,000 penalty units);

-

if the court can determine-the benefit derived or detriment avoided because of the contravention, multiplied by three;

-

10 per cent of the annual turnover of the body corporate, but to a maximum monetary value of 2.5 million penalty units.

11.196 The offence provision will also form part of the infringement notice regime, and regulations will be made for this purpose. This is appropriate as there may be a high volume of contraventions (ranging in severity) of the reporting provisions. The Guide to Framing Commonwealth Offences highlights failing to comply with reporting obligations as an example of a case where issuing infringement notices may be appropriate.

11.197 Minor offences may be caused by poor internal processes. Where this is the case, the use of infringement notices may lead to a faster rectification of these processes, as firms are put on notice by ASIC sooner.

11.198 These enforcement options give ASIC sufficient flexibility to pursue the most appropriate action in each case, which will depend on its assessment of various considerations, including the severity and nature of the reportable situation. These options are also consistent with the existing consequences for failures relating to reporting breaches in the Corporations Act.

Reporting on other credit licensees to ASIC

11.199 A credit licensee will also be required to lodge a report with ASIC if the licensee has reasonable grounds to believe that a reportable situation, other than a reportable situation about investigations, has arisen in relation an individual who:

•

is a mortgage broker; and

•

is any of the following:

-

another credit licensee;

-

an employee of another credit licensee (or a related body corporate of another licensee), acting within the scope of the employee's employment;

-

a director of another credit licensee (or a related body corporate of another licensee), acting within the scope of the director's duties as director; or

-

a representative of another credit licensee, acting within the scope of the representative's authority given by the licensee.

[Schedule 11, item 15, section 50C of the Credit Act]

11.200 A mortgage broker is defined in section 15B of the Credit Act as a licensee or credit representative of a licensee that:

•

carries on a business of providing credit assistance in relation to credit contracts secured by mortgages over residential property;

•

does not perform the obligations, or exercise the rights, of a credit provider in relation to the majority of those credit contracts; and

•

in carrying on that business, provides credit assistance in relation to credit contracts offered by more than one credit provider.

11.201 This reporting obligation therefore targets misconduct by individual mortgage brokers. It also recognises that in the industry, other parties such as lenders and aggregators are often well positioned to identify this misconduct.

11.202 In practice, a credit licensee will likely develop reasonable grounds to believe that a reportable situation has arisen about another mortgage broker through a relationship of proximity between the two parties. For example, this may occur because of business dealings between the two parties or through mutual clients.

11.203 A reporting licensee who gives information to ASIC as required generally has the benefit of qualified privilege under section 243 of the Credit Act. This means the reporting licensee has qualified privilege in proceedings for defamation, or is not liable to an action for defamation if the reporting licensee had no malice when making the report to ASIC. A credit licensee who lodges a false report under this section for an improper motive, for example to undermine a competitor, will not have the benefit of qualified privilege in an action for defamation.

11.204 This reporting obligation only applies to other credit licensees. If a credit licensee has reasonable grounds to believe that a reportable situation has arisen about a mortgage broker operating under its own licence, the credit licensee must self-report that matter under section 50B of the Credit Act.

Timing for reporting a breach

11.205 The report must be lodged with ASIC within 30 calendar days after the reporting licensee first knows or is reckless with respect to whether there are reasonable grounds to believe that the reportable situation has arisen about another credit licensee. [Schedule 11, item 15, section 50B of the Credit Act]

11.206 This is consistent with the general timing rules for self-reporting of reportable situations to ASIC.

How is a reportable situation reported to ASIC?

11.207 The report must be lodged by the reporting licensee in the form approved by ASIC. This ensures the report includes the information and supporting documents required by ASIC to assess whether further action should be taken. [Schedule 11, item 15, section 50C of the Credit Act]

Informing the other credit licensee

11.208 The reporting licensee will also need to provide a copy of the report lodged with ASIC to the credit licensee who is the subject of that report. In some cases, this will require the reporting licensee to provide a copy of the report directly to the mortgage broker if the broker holds their own credit licence and is operating under that licence, or to a licensee who is no longer involved with the mortgage broker (for example, a previous employer). [Schedule 11, item 15, section 50C of the Credit Act]

11.209 Upon receiving a copy of the report lodged with ASIC, the licensee who is the subject of that report may need to commence an investigation or report that matter to ASIC under the self-reporting obligation. This reflects that a credit licensee will generally have more comprehensive information about its own reportable situations, which will assist ASIC to assess the reportable situation.

11.210 The copy of the report needs to be provided to the other credit licensee within 30 calendar days after the reporting licensee first knows or is reckless with respect to whether there are reasonable grounds to believe that the reportable situation has arisen. This is the same timeframe for reporting the matter to ASIC.

11.211 A reporting licensee who provides a copy of the report to the other licensee as required will also have the benefit of qualified privilege in an action for defamation. Additionally, a reporting licensee is not liable for an action based on breach of confidence in relation to that conduct. [Schedule 11, item 15, section 50C of the Credit Act]

11.212 This obligation supports the new requirement to be imposed on licensees to take steps to remediate an affected client when they detect misconduct arising either from their own behaviour or that of a representative under their licence (see recommendations 1.6 and 2.9 of the Financial Services Royal Commission).

No need to report if reasonable grounds to believe ASIC is aware

11.213 A credit licensee is not required to lodge a report with ASIC about another licensee if the first licensee has reasonable grounds to believe that ASIC is aware of:

•

the existence of the reportable situation; and

•

all of the information that would otherwise be required in a report about the reportable situation.

[Schedule 11, item 15, section 50C of the Credit Act]

11.214 This is a high threshold that is primarily intended to reduce instances of reporting matters to ASIC that are publicly well known about an individual mortgage broker operating under another credit licence.

11.215 This exemption only applies to the obligation to report on other credit licensees. It does not apply in relation to reporting on the licensee's own matters.

Consequences of failing to satisfy reporting obligations about another credit licensee

11.216 Failure to lodge a report or provide a copy of a report as required attracts a civil penalty. The specified financial penalty for the contravention of these provisions is 5,000 penalty units. [Schedule 11, item 15, section 50C of the Credit Act]

11.217 The maximum pecuniary penalty applicable is:

•

for individuals, the greater of:

-

5,000 penalty units; or

-

if the court can determine-the benefit derived or detriment avoided because of the contravention, multiplied by three;

•

for bodies corporate, the greater of the following:

-

5,000 penalty units multiplied by 10 (50,000 penalty units);

-

if the court can determine-the benefit derived or detriment avoided by the body corporate because of the contravention, multiplied by three;

-

10 per cent of the annual turnover of the body corporate, but to a maximum monetary value of 2.5 million penalty units.

11.218 Consistent with other civil penalty provisions in the Credit Act and section 175B of the Credit Act, except to the extent expressly provided otherwise, it is not necessary to prove any state of mind of the person in proceedings for:

•

a declaration of a contravention of the new civil penalty provisions; or

•

a pecuniary penalty order in relation to a contravention of the new civil penalty provisions.

11.219 Additionally, while the reporting obligation relies on the Criminal Code definitions of 'knowledge' and 'recklessness', this does not import criminal standards of proof, or criminal rules of evidence or procedure in any civil penalty proceedings in respect of a failure to lodge a breach report as required. This is consistent with sections 175B and 202 of the Credit Act.

11.220 The civil penalty provisions will also be subject to the infringement notice regime and regulations will be made for this purpose. This is appropriate as there may be a high volume of contraventions (ranging in severity) of these reporting obligations. The Guide to Framing Commonwealth Offences highlights failing to comply with reporting obligations as an example of a case where issuing infringement notices may be appropriate.

11.221 Minor contraventions may be caused by poor internal processes. Where this is the case, the use of infringement notices may lead to a faster rectification of processes, as firms are put on notice by ASIC sooner.

11.222 These enforcement options give ASIC sufficient flexibility to pursue the most appropriate action in each case, depending on its assessment of various considerations, including the severity and nature of the reportable situation. These options are also consistent with the existing consequences for failures relating to reporting breaches in the Corporations Act.

ASIC publication of breach reporting data

11.223 ASIC must publish information about breaches and likely breaches of core obligations that are self-reported by licensees during the financial year. This includes reports lodged with APRA by dual regulated licensees or their auditors and actuaries. [Schedule 11, item 15, section 50D of the Credit Act]

11.224 The publication must contain information about credit licensees that have lodged these reports. This means the publication will contain licensee-level data. [Schedule 11, item 15, section 50D of the Credit Act]

11.225 Subject to any requirements prescribed by the regulations, ASIC has discretion as to the contents and form of the publication. ASIC's publication may include the following kinds of information:

•

the name of the licensee;

•

volume of reported breaches;

•

breakdown of breach reports by corporate group; and

•

the number of breaches compared to the size, activity or volume of the licensee's business.

11.226 ASIC's publication does not need to include information about reports regarding:

•

investigations into whether a significant breach of a core obligation has occurred or will occur, which are reportable situations under section 50A(1)(c);

•

outcomes of those investigations, which are reportable situations under section 50A(1)(d);

•

additional reportable situations-see section 50A(2); or

•

reportable situations relating to other credit licensees made under section 50C.

11.227 ASIC will be required to publish this information on its website within four months after the end of each financial year, starting on the financial year ending on 30 June 2022. [Schedule 11, item 15, section 50D of the Credit Act]

11.228 The information published by ASIC must include any information prescribed by the regulations, which may include personal information under the Privacy Act 1988 about a credit licensee who is an individual. This regulation-making power may be exercised to allow ASIC to publish the names of credit licensees where the licence is held in the name of an individual, as this would constitute personal information under the Privacy Act 1988. This will allow ASIC to publish breach report data at the licensee-level consistently and ensures licensees who hold a licence in the name of an individual are not excluded from ASIC's publication. [Schedule 11, item 15, section 50D of the Corporations Act]

11.229 Regulations may also be made to prescribe circumstances in which information does not need to be included in ASIC's publication. This regulation-making power ensures there is an appropriate mechanism to balance the broad requirement on ASIC to publish breach report data at the licensee-level. [Schedule 11, item 15, section 50D of the Credit Act]

11.230 The information must also be organised in accordance with the regulations, if any. [Schedule 11, item 15, section 50D of the Credit Act]

11.231 Regulations made for the purposes of these provisions would be subject to disallowance and parliamentary scrutiny.

11.232 ASIC may also correct any error in, or omission from, a report published under this section. This mirrors Australian Privacy Principles 10 and 13, which are set out in Schedule 1 to the Privacy Act 1988. The correction may be initiated by an affected licensee or by ASIC. [Schedule 11, item 15, section 50D of the Credit Act]

11.233 This supplements ASIC's existing reporting framework to enhance accountability and provide an incentive for improved behaviour. It will also assist industry and consumers to identify areas where significant numbers of breaches or likely breaches are occurring, and allow licensees to target their efforts to improve their compliance outcomes in those areas.

Consequential amendments

Amendments to the Corporations Act

11.234 The existing reporting requirement applying to responsible entities in section 601FC(1)(l) of the Corporations Act is replaced by the new breach reporting regime. In particular, key breaches of the Corporations Act relating to a registered scheme (such as in Chapter 5C of that Act) are captured by the core obligations. Section 601FC(1)(l) of the Corporations Act is therefore repealed to avoid duplication. This streamlines the reporting requirements for responsible entities of registered schemes. [Schedule 11, item 1, section 601FC of the Corporations Act]

11.235 The definitions in section 910A of the Corporations Act are updated to signpost the new definitions introduced by these amendments, including the definition of core obligation, knowledge, recklessness and reportable situation. [Schedule 11, item 2, section 910A of the Corporations Act]

11.236 The civil penalty provision and criminal offence penalties for existing section 912D of the Corporations Act have also been repealed and subsequently replaced as the breach reporting provisions have been rewritten. [Schedule 11, items 7 and 10, section 1317E and Schedule 3 to the Corporations Act]

11.237 Additional headings have also been introduced in Division 3 of Part 7.6 of the Corporations Act to add clarity. [Schedule 11, items 3, 4 and 6, Subdivisions A, B, C and D of Division 3 of Part 7.6 of the Corporations Act]

Amendments to the Credit Act

11.238 The definitions in section 5(1) of the Credit Act are updated to signpost the new definitions introduced by these amendments, including the definition of core obligation, knowledge, recklessness and reportable situation. [Schedule 11, items 12 and 17, sections 5 and 53C of the Credit Act]

11.239 Additional headings have also been introduced in Division 5 of Part 2-2 of the Credit Act to add clarity. [Schedule 11, items 13, 14 and 16, Subdivisions A, B, C and D of Division 5 of Part 2-2 of the Credit Act]

Application and transitional provisions

Amendments to the Corporations Act

11.240 Schedule 11 commences on 1 October 2021. [Clause 2]

11.241 The new breach reporting obligations in sections 912DAA and 912DAB of the Corporations Act apply to reportable situations arising on or after 1 October 2021. This period is designed to give industry participants and ASIC sufficient time to prepare their systems for the change. [Schedule 11, item 9, section 1671B of the Corporations Act]

11.242 Although existing section 601FC(1)(l) and section 912D of the Corporations Act are repealed upon commencement of this Schedule, these provisions continue to apply in relation to breaches and likely breaches that occur before 1 October 2021, if, before 1 October 2021, the licensee knew the breach or likely breach occurred. In this case, those existing provisions will continue to apply irrespective of whether the breach is significant before 1 October 2021, and irrespective of whether, before 1 October 2021, the licensee knew of that significance. [Schedule 11, item 9, section 1671A of the Corporations Act]

11.243 If however, the breach or likely breach occurred before 1 October 2021, but the licensee, on or after 1 October 2021, first knows that the breach or likely breach occurred, the licensee is required to apply the new reporting provisions under section 912DAA. Again, in this case the new provisions will apply irrespective of whether the breach is significant on or before 1 October 2021, and irrespective of whether, before 1 October 2021, the licensee knew of or was reckless with respect to that significance. [Schedule 11, item 9, section 1671B of the Corporations Act]

11.244 This approach ensures there is no gap between the existing reporting obligations and the new reporting obligations introduced by Schedule 11. Whether the old or new regime applies will depend on whether the licensee first knows that the breach occurred either before, or on or after, 1 October 2021. [Schedule 11, item 9, sections 1671 and 1671A of the Corporations Act]

11.245 If a financial services licensee is uncertain about whether a breach, likely breach or reportable situation arose before or after 1 October 2021, or when it first knows or is reckless with respect to the matter, the licensee should report the matter in the prescribed form under the new reporting obligations introduced by this Schedule. Uncertainty may arise for example where there has been a course of continuous misconduct before and after 1 October 2021. This approach will generally be sufficient as the new reporting obligations are broader in scope and will require the licensee to provide more information compared with the existing reporting obligations.

11.246 ASIC will be required to publish information about breach reports starting on the financial year ending on 30 June 2022. [Schedule 11, item 9, section 1671D of the Corporations Act]

11.247 The obligation to give notice to ASIC in section 912DAC applies if a financial services licensee becomes or ceases to be a participant in a licensed market or a licensed CS facility on or after 1 October 2021. Otherwise, sections 912D(2) and (3) of the previous law continue to apply. [Schedule 11, item 9, sections 1671B and 1671C of the Corporations Act]

Amendments to the National Consumer Credit Protection (Transitional and Consequential Provisions) Act 2009

11.248 The new reporting obligations in the Credit Act apply to all reportable situations arising on or after 1 October 2021. [Schedule 11, item 18, items 1 and 2 of Schedule 16 to the National Consumer Credit Protection (Transitional and Consequential Provisions) Act 2009]

11.249 ASIC will be required to publish information about breach reports starting on the financial year ending on 30 June 2022. [Schedule 11, item 18, item 3 of Schedule 16 to the National Consumer Credit Protection (Transitional and Consequential Provisions) Act 2009]