ob体育

media release (21-235MR)

ob体育 publishes guidance on breach reporting

ob体育 today released regulatory guidance to help credit and Australian Financial Services (AFS) licensees to meet new breach reporting obligations.

Set to commence on 1 October 2021, the breach reporting reforms address long-standing concerns about breach reporting by making the reporting consistent, clearer and timely across the industry.

ob体育 Deputy Chair Karen Chester said, ‘The new reporting obligations address long held concerns on the quality and timeliness of breach reporting. ob体育 analysis in 2018 revealed it took more than 4 years (on average) for large financial institutions to identify incidents that proved to be significant breaches. Today’s remediation tally reveals how much consumer harm these delays caused, and ultimately at great cost to those firms.’

The breach reporting reforms were made law in December 2020, some 9 months before commencement. They flow from the Financial Services Royal Commission and findings of Treasury’s Enforcement Review Taskforce.

Compliance breaches happen in all businesses. Breach reporting is integral for Board oversight and risk management by licensees. It is also needed for ob体育’s system wide regulatory oversight.

‘The Government’s new reporting obligations put strong guard rails in place that will benefit firms and consumers alike’, said Ms Chester.

‘The new obligations will help firms identify and act swiftly on the breaches that matter, making sure they get the attention they deserve. Licensees and boards will have greater confidence they are doing the right thing by consumers, and ultimately their firm and shareholders.

‘The new obligations also benefit consumers by allowing ob体育 to better identify and swiftly address systemic problems. There will be greater transparency for consumers and firms with the publication of breach reporting data by ob体育 from late 2022’, said Deputy Chair Karen Chester.

ob体育’s guidance was greatly enhanced by the constructive submissions and valuable insights received from industry through the consultation.

‘Industry feedback meant we can now accommodate batch uploading of reports where they derive from a single root cause. This will significantly reduce the reporting burden for licensees’, said Ms Chester.

ob体育 has also responded to industry feedback by incorporating some 15 more working examples in the guidance.

AFS licensees will have to report breaches that they discover after 1 October 2021, even if the breach occurred before that date. However, credit licensees do not have to report breaches that occurred before 1 October even when identified after 1 October 2021. As a result, credit licensees will have a relatively gradual implementation upon commencement.

ob体育 today also published INFO 259 which sets out actions that must be taken by licensees to notify affected customers of a breach of the law, investigate the breach and remediate impacted customers. This implements a new obligation that applies to licensees of financial advisers and mortgage brokers in certain situations.

Consistent with ob体育’s recent statement, we will take a reasonable approach in the initial stages of these new obligations provided industry participants are using their best efforts to comply (21-213MR).

Background

The new breach reporting obligations implement Recommendations 1.6, 2.8, 2.9 and 7.2 of the Final Report of the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry, and are set out in Schedule 11 of the Financial Sector Reform (Hayne Royal Commission Response) Act 2020.

For AFS licensees, they strengthen and clarify the existing reporting obligations. Some of the new features that differ from AFS licensees’ existing obligation include:

  • deeming certain breaches to be significant, such as a breach which results in material loss or damage to a customer
  • creating an obligation to report an investigation into whether there is a reportable situation where that investigation continues for more than 30 days, and
  • requiring licensees to lodge breach reports with ob体育 in a prescribed form within 30 calendar days after the licensee first knows, or is reckless with respect to whether, there are reasonable grounds to believe a reportable situation has arisen. AFS licensees currently have 10 business days within which to report.

For credit licensees, this is the first time they will be obliged to report certain breaches of the law to ob体育. Their obligation to report is almost identical to that of AFS licensees. The reforms benefit credit licensees by bringing them into line with their AFS counterparts, which may prove advantageous for partnerships with AFS licensees down the track.

The reforms also oblige ob体育 to publish data about breach reports annually on its website. This obligation does not commence until Quarter 4, 2022. ob体育 will consult separately on this obligation.

ob体育 Report 594, Review of selected financial services groups’ compliance with the breach reporting obligation, sets out the compliance of 12 entities, including the big four banks, with their existing breach reporting obligation. Published in September 2018, this review found significant failings by financial institutions, including that major financial groups:

  • took on average over 4 years to identify incidents that were later determined to be significant breaches; and
  • took on average 150 days from starting an investigation to lodging a breach report with ob体育.

In April 2021, ob体育 issued Consultation Paper 340, seeking stakeholder feedback on proposed updates to RG 78 (21-080MR). ob体育 received 30 written submissions and attended numerous meetings with industry.

ob体育 recently made a legislative instrument to modify the law so that breaches of its enforceable IDR standards are not deemed “significant” and so not automatically reportable under the reforms. As a result, licensees will not be obliged to report minor and technical breaches of the IDR standards that are unlikely to cause detriment to consumers, creating an unnecessary reporting burden: see