09 November 2023
In October, ASIC introduced changes to the current Corporations Act breach reporting regime obligations (Regime) via ASIC Corporations and Credit (Amendment) Instrument 2023/589 (Instrument).
However, as we discuss below, the Instrument may only provide utility in limited circumstances. Trustees should be mindful about what may lie hidden.
The Regime was introduced in October 2021 and expanded the range of breach incidents (Reportable Situation) that Australian financial services licensees, including superannuation trustees, are required to report to ASIC. Generally, the Regime requires trustees to review all identifiable incidents and carefully assess whether these amount to a Reportable Situation that must be reported to ASIC as a Reportable Situation or an investigation of the incident within 30 days.
The Instrument exempts certain misleading and deceptive conduct from becoming a Reportable Situation if the following four conditions are satisfied:
Firstly, trustees should avoid generalising any incident of misleading and deceptive conduct as only falling within the limited scope of those three provisions under the Corporations Act and ASIC Act. In other words, such action could infringe on other, though similar, provisions relating to misleading, dishonest or unconscionable conduct that could still lead to a Reportable Situation. Therefore, trustees should carefully consider why such an incident could only fall within those three provisions, not only to justify whether the incident could fall within the exemption, but also to use as guidance for making similar determinations in future.
Secondly, it is unlikely that this exemption could be relied upon in cases where information is relayed to fund members and the public in an automated manner. In other words, if a trustee fails to disclose a fee or cost in a member statement template or includes an incorrect statement in a PDS, it is unlikely they could rely on the exemption as it would impact multiple members and/or potential retail clients.
The Instrument’s explanatory statement provides an example of where the Instrument’s exemption could apply. The example involves a letter being sent to a single member failing to confirm a TPD payment has been made to the member’s account. In this case, trustees should consider with caution whether the exemption applies, because if the letter is automated (which is most likely), the letter template contains an error and the member is unlikely to be the only member impacted by the error.
It is more likely that trustees may be able to rely upon the exemption for incidents arising during one-on-one or bespoke communications with a member or retail client – likely via an advisor or call centre.
Finally, there is the question of when ‘only one person’ is impacted. Trustees would need to carefully consider whether an incident was isolated or, in fact, forms part of a systemic breach over time.
In cases where a breach that would ordinarily be considered a Reportable Situation arises, the reporting timeframe may be increased to 90 days if the breach is the same or substantially similar to a Reportable Situation already reported (irrespective of when it was reported).
The Regime already allows trustees to group Reportable Situations that are similar, related or have the same root cause into a single report. The 90-day extension provides a different utility for trustees as it gives them more time to provide a report if one has previously been made. The purpose behind this may be to provide trustees with more time to draft a better and more precise report for ASIC to review, potentially with a better explanation of the process undertaken to mitigate the breach, rather than giving trustees the luxury of further time. Reading between the lines, ASIC seems to have the expectation that a longer reporting timeframe will deliver better reporting and mitigation/rectification results and help trustees focus on the task of solving problems, rather than reporting them.
Therefore, if trustees intend to utilise this reporting relief, they will need to ensure that the identification and cataloguing of their “breach taxonomy” provides enough accuracy and consistency to ensure that any time the relief is sought, they have not breached the 30-day reporting rule by reporting an unrelated breach.
On that basis, trustees will need to consider whether initial investigations of a breach include a requirement to determine whether the 90-day reporting relief can be relied upon. Otherwise, trustees may find themselves in the position (on day 30) of either reporting a breach or reporting an investigation into a breach, thereby losing the benefit of the 90-day reporting relief.
Once again, the 90-day reporting relief will require trustees to ensure their internal breach reporting systems and logs provide enough information for them to apply the relief safely. If the breaches are not related, trustees will have breached the Regime.
On 20 September 2023, Parliament amended the Corporations Act’s definition of “financial services law” for clarity but, in doing so, inadvertently removed breaches of ASIC Act Part 2, Division 2 (unconscionable conduct and consumer protection) from the Regime’s scope. The Instrument amends this error to ensure that the Regime catches breaches of the following provisions:
Based on the above, the benefits offered by the Instrument may be minimal in practice.
What becomes abundantly clear from the Instrument is the hidden or implied requirements placed on trustees to rely upon the relief and the potential exposures that may flow. In this case, trustees are exposed to breaches of the Instrument and the Regime, as well as the risk of disclosing a lack of preparedness, unless a further degree of precision is inserted into the breach reporting process.
If trustees are to rely upon the Instrument’s relief, trustees will need to:
Interestingly, our thoughts appear to touch on some of ASIC’s findings in its Report 775, ‘Insights from the reportable situations regime: July 2022 to June’ (Report), released shortly after the Instrument’s registration, including:
We believe the Instrument is designed for the benefit of ASIC, with the intention to nudge trustees (and other Australian financial services licensees) to better identify, report and mitigate breaches.
Authors: Michael O’Connor & Luke Hooper