Breach reporting regulations finalised

The Financial Sector Reform (Hayne Royal Commission Response—Breach Reporting and Remediation) Regulations 2021  and the ASIC Corporations and Credit (Breach Reporting—Reportable Situations) Instrument 2021/716 have been registered to support the breach reporting amendments which commence on 1 October 2021. Background.

UPDATE 1 October 2021: ASIC Credit (Breach Reporting—Prescribed Commonwealth Legislation) Instrument 2021/801

The Financial Sector Reform (Hayne Royal Commission Response) Act 2020 amended the breach reporting obligations set out in section 912D of the Corporations Act and inserted parallel obligations into the Credit Act, in particular relating to reporting requirements for contraventions of civil penalty provisions, including those contained in subsection 912A(5A) of the Corporations Act and subsection 47(4) of the Credit Act.

The Regulations:

  • prescribe civil penalty provisions and key requirements in the Corporations Act and the National Credit Act and Code that are not taken to be significant (and therefore may not be reportable) under the relevant breach reporting regime if those provisions are contravened;
  • ensure certain breach reporting offences and civil penalty provisions are subject to an infringement notice; and
  • make minor and technical amendments, including updating references to the Corporations Act.

However even if a breach is not taken to be significant, if that breach results in or is likely to result in material loss or damage, then the breach could be taken to be significant under another provision. Therefore, the breach would need to be reported to ASIC within the required timeframe.

Separately the ASIC Corporations and Credit (Breach Reporting—Reportable Situations) Instrument 2021/716 is intended to notionally modify the law to exclude non-compliance with standards set out in the ASIC Corporations, Credit and Superannuation (Internal Dispute Resolution) Instrument 2020/98 (IDR Standards Instrument discussed here) from the categories of situations deemed to be ‘significant’ breaches of core obligations about which licensees are to be required to lodge breach reports.

The IDR Instrument was made with the intention of attaching pecuniary penalties to non-compliance with ASIC’s prescribed standards. It was not anticipated that attaching a pecuniary penalty in this manner would automatically result in the breach being deemed ‘significant’ and therefore reportable.

These provisions should be incorporated into your breach reporting framework.

If you found this article helpful, then subscribe to our news emails to keep up to date and look at our video courses for in-depth training. Use the search box at the top right of this page or the categories list on the right hand side of this page to check for other articles on the same or related matters.

David Jacobson

Author: David Jacobson
Principal, Bright Corporate Law
About David Jacobson
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.

Print Friendly, PDF & Email

Your Compliance Support Plan

We understand you need a cost-effective way to keep up to date with regulatory changes. Talk to us about our fixed price plans.