
Latest changes to trustee breach reporting

09 November 2023

#Superannuation, Funds Management & Financial Services

Published by:

Michael O'Connor

In October, ASIC introduced changes to the current breach reporting regime obligations under the Corporations Act (Regime) via ASIC Corporations and Credit (Amendment) Instrument 2023/589 (Instrument).

The Instrument:

  1. exempts certain misleading and deceptive conduct from the Regime’s reporting requirements
  2. extends reporting times from 30 to 90 days in certain circumstances
  3. re-introduces the requirements in the ASIC Act Part 2, Division 2 as core obligations.

However, as we discuss below, the Instrument may only provide utility in limited circumstances. Trustees should be mindful about what may lie hidden.

The Regime

The Regime was introduced in October 2021 and expanded the range of breach incidents (Reportable Situation) that Australian financial services licensees, including superannuation trustees, are required to report to ASIC. Generally, the Regime requires trustees to review all identifiable incidents and carefully assess whether these amount to a Reportable Situation, which must be reported to ASIC within 30 days, either as a Reportable Situation or as an investigation of the incident.

Misleading and deceptive exemption

The Instrument exempts certain misleading and deceptive conduct from becoming a Reportable Situation if the following four conditions are satisfied:

  • the misleading and deceptive conduct constitutes a breach of subsection 1041H(1) of the Corporations Act or subsection 12DA(1)/12DB(1) of the ASIC Act
  • the contravention does not, or is unlikely to, give rise to any other type of Reportable Situation
  • the contravention only impacts one person (or several individuals if they hold the same product jointly)
  • no financial loss or damage has resulted (remediation of loss will not satisfy this requirement).

Firstly, trustees should avoid generalising any incident of misleading and deceptive conduct as only falling within the limited scope of those three provisions under the Corporations Act and ASIC Act. In other words, such action could infringe on other, though similar, provisions relating to misleading, dishonest or unconscionable conduct that could still lead to a Reportable Situation. Therefore, trustees should carefully consider why such an incident could only fall within those three provisions, not only to justify whether the incident could fall within the exemption, but also to use as guidance for making similar determinations in future.

Secondly, it is unlikely that this exemption could be relied upon in cases where information is relayed to fund members and the public in an automated manner. In other words, if a trustee fails to disclose a fee or cost in a member statement template or includes an incorrect statement in a PDS, it is unlikely they could rely on the exemption as it would impact multiple members and/or potential retail clients.

The Instrument’s explanatory statement provides an example of where the Instrument’s exemption could apply. The example involves a letter being sent to a single member failing to confirm a TPD payment has been made to the member’s account. In this case, trustees should consider whether the exemption applies with caution because if the letter is automated (which is most likely), the letter template contains an error and the member is unlikely to be the only member impacted by the error.

It is more likely that trustees may be able to rely upon the exemption for incidents arising during one-on-one or bespoke communications with a member or retail client – likely via an advisor or call centre.

Finally, there is the question of when ‘only one person’ is impacted. Trustees would need to carefully consider whether an incident was isolated or, in fact, forms part of a systemic breach over time.

Same breach time extension

In cases where a breach that would ordinarily be considered a Reportable Situation arises, the reporting timeframe may be increased to 90 days if the breach is the same or substantially similar to a Reportable Situation already reported (irrespective of when it was reported).

The Regime already allows trustees to group Reportable Situations that are similar, related or have the same root cause into a single report. The 90-day extension provides a different utility for trustees as it gives them more time to provide a report if one has previously been made. The purpose behind this may be to provide trustees with more time to draft a better and more precise report for ASIC to review, potentially with a better explanation of the process undertaken to mitigate the breach, rather than giving trustees the luxury of further time. Reading between the lines, ASIC seems to have the expectation that a longer reporting timeframe will deliver better reporting and mitigation/rectification results and help trustees focus on the task of solving problems, rather than reporting them.

Therefore, if trustees intend to utilise this reporting relief, they will need to ensure that the identification and cataloguing of their “breach taxonomy” provides enough accuracy and consistency to ensure that any time the relief is sought, they have not breached the 30-day reporting rule by reporting an unrelated breach.

On that basis, trustees will need to consider whether initial investigations of a breach include a requirement to determine whether the 90-day reporting relief can be relied upon, otherwise trustees may find themselves in the position (on day 30) of either reporting a breach or reporting an investigation into a breach, thereby losing the benefit of the 90-day reporting relief.

Once again, the 90-day reporting relief will require trustees to ensure their internal breach reporting systems and logs provide enough information for them to apply the relief safely. If the breaches are not related, trustees will have breached the Regime.

Consequential amendments

On 20 September 2023, Parliament amended the Corporations Act’s definition of “financial services law” for clarity but, in doing so, inadvertently removed breaches of ASIC Act Part 2, Division 2 (unconscionable conduct and consumer protection) from the Regime’s scope. The Instrument amends this error to ensure that the Regime catches breaches of the following provisions:

  • Misleading and deceptive conduct – section 12DA
  • False and misleading representations – section 12DB
  • Unconscionable conduct in connection with financial services – section 12DC.

Our thoughts

Based on the above, the benefits offered by the Instrument may be minimal in practice.

What becomes abundantly clear from the Instrument is the hidden or implied requirements placed on trustees to rely upon the relief and the potential exposures that may flow. In this case, trustees are exposed to breaches of the Instrument and the Regime, as well as the risk of disclosing a lack of preparedness, unless a further degree of precision is inserted into the breach reporting process.

If trustees are to rely upon the Instrument’s relief, trustees will need to:

  • ensure that any misleading or deceptive conduct can be ring-fenced to the three provisions in the Corporations Act and ASIC Act as any leakage to another provision will expose trustees
  • have clarity around the facts leading to a misleading and deceptive conduct breach to defend any claims by ASIC that there are no other breaches resulting from that conduct
  • have processes in place to quickly identify whether a misleading and deceptive breach has only impacted one person and determine whether a series of isolated breaches (over time) would become reportable
  • identify and classify different breach situations and root causes with greater sophistication so that they can rely upon the 90-day relief in the event of a subsequent breach
  • ensure their current breach reporting provides sufficient clarity and detail to help them determine whether a subsequent breach is similar, related or has the same root cause as an earlier breach
  • determine whether earlier breaches are subject to a robust mitigation process on the basis that trustees relying upon the 90-day reporting relief may inadvertently be alerting ASIC to the fact that an identifiable and foreseeable risk is yet to be properly addressed.

Interestingly, our thoughts appear to touch on some of ASIC’s findings in its Report 775, ‘Insights from the reportable situations regime: July 2022 to June’ (Report), released shortly after the Instrument’s registration, including:

  • some Australian financial services licensees are still taking too long to identify and investigate some breaches
  • a significant number of remediation activities are still taking too long to complete
  • opportunities remain to improve identification and reporting root causes of breaches.

We believe the Instrument is designed for the benefit of ASIC, with the intention to nudge trustees (and other Australian financial services licensees) to better identify, report and mitigate breaches.

Authors: Michael O’Connor & Luke Hooper

The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.
