ASIC issues key breach reporting guidance
The Australian Securities and Investments Commission (ASIC) has reminded financial advice licensees and advisers of the breach reporting regime, which cuts in from 1 October, and has at the same time released new guidance on the regime.
The new guidance makes clear what a reportable situation is and places it in the context of having to make a breach report.
The guidance also outlines the timetables within which licensees will have to work, including investigating a reportable situation within 30 days and notifying affected clients within 10 days of that investigation concluding.
It also makes clear the terms on which advisers should notify their clients of a reportable situation.
“The types of information we consider are relevant to include in this notice are:
- the date of the reportable situation
- a description of the reportable situation
- the consequences of the reportable situation for the affected client that show they may be affected
- information about the investigation that is to be carried out
- when the affected client should expect to hear from you next
- the client’s relevant consumer rights, such as internal dispute resolution (IDR) and external dispute resolution (EDR) processes
- the licensee’s contact details.
“As part of the investigation, you must identify the conduct that gave rise to the reportable situation,” it said. “You must also quantify the loss or damage that you have reasonable grounds to suspect affected clients have:
- suffered, or will suffer, as a result of the reportable situation
- a legally enforceable right to recover.
“We expect that your investigation will be thorough, complete and robust, and that you will make whatever inquiries are reasonably necessary to determine the nature and full extent of the breach of the law.”
“During the investigation you may find reasonable grounds to believe that additional reportable situations have arisen or you may identify additional affected clients. This may trigger obligations to report the additional breach to ASIC, and to notify clients of the reportable situation (Action 1), and to investigate and remediate as required within the relevant timeframes.”
“Your investigation must be completed as soon as reasonably practicable after it starts. What is a reasonable amount of time for an investigation will depend on the circumstances of the case, including the size of your business, the extent and period of the misconduct, and the nature of the loss or damage caused by the licensee.”