Skip to main content
All CollectionsComplianceAll Connective Members
Preparing your business for Mandatory Breach Reporting obligations
Preparing your business for Mandatory Breach Reporting obligations
Updated over a year ago

Background:

Mandatory Breach Reporting becomes effective 1 October 2021.

Breaches are related either to:

  1. Breaches of the license (refer to core obligations)

  2. Individuals who are authorised to provide credit assistance under the licence (authorised representatives or employees)

For more information on breach reporting obligations refer to our article: Overview of Mandatory Breach Reporting and the ASIC regulatory guide

What ASIC requires when reporting breaches through the portal.

Reporting of breaches or likely breaches must be completed through the ASIC portal in the timeframes prescribed in the regulations.

The report must include information relating to 12 key areas including:

1. The date the reportable situation arose.

2. The date the licensee first knew that there were reasonable grounds to believe a reportable situation had arisen.

The nature of the reportable situation including if the report relates to:

a. A significant breach of a core obligation

b. A likely significant breach of a core obligation

c. An additional reportable situation (serious fraud or gross negligence)

An investigation into whether a breach or likely breach of a core obligation has occurred that has continued for more than 30 days;

d. An investigation into whether a breach or likely breach of a core obligation has occurred that has continued for more than 30 days even where the outcome discloses that no reportable situation has occurred

e. A reportable situation about another licensee.

4. A description of the reportable situation.

5. A description of the reportable situation including the section of the NCCP which sets out the relevant obligation.

6. Details of why the breach is significant, where relevant.

7. How the reportable situation was identified.

8. How long the breach lasted including whether the breach is still occurring.

9. Information about representatives including name and authorised credit representative number. Additional information such as whether the representative’s authorisation has been revoked or suspended or if ongoing monitoring of the representative is being undertaken are also required, where relevant.

10. How the reportable situation has been rectified including any progress plans on rectifying the breach.

11. Customer remediation requirements, where required; and

12. Any steps taken to ensure future compliance with the obligation.

Breach reporting policy:

In creating your policy, consider the following:

  1. Roles and responsibilities of staff?

    1. Who will have the responsibility to investigate breaches?

    2. Who will have the responsibility to lodge reports to ASIC?

  2. Documented timeframes for reporting breaches or likely breaches to ASIC

  3. Sections of the NCCP which may be breached by the licensee or representatives (noting the section of the NCCP which is breached is a requirement to report through the portal)

NCCP LEGISLATION

SECTION

Licensing

Section 29

Core obligations

Section 47

Credit Guide

Section 113 (licensee)
Section 158 (representative)

Preliminary Assessment

Section 116-120

Credit Proposal Disclosure

Section 121

Credit Quote

Section 114

Best Interests Duty

Section 158

Breach reporting considerations:

In creating your procedure, consider the following:

  1. Is your current monitoring and oversight sufficient to identify and detect breaches or likely breaches of the core obligations and credit legislation?

  2. Do you need to review the monitoring of your representatives and employees to identify systemic instances of non-compliance?

  3. Do you have sufficient controls in place to detect breaches?

  4. Do you have a satisfactory consequence management framework?

  5. Who is responsible for undertaking the reviews of your licence, obligations, ACL frameworks and consumer credit files?

Breach reporting register:

A template breach register is included at the bottom of this article.

Examples:

Scenario

Reportable

Timeline

Reason

Failure to renew AFCA membership

Yes

Within 30 days

Breach of core obligation where no further investigation is required.

Failure to issue a Credit Guide to one customer

No

Not required

Isolated event which is not systemic non-compliance with credit legislation

Failure to issue a Credit Proposal Disclosure on 15 / 20 files audited

Yes

Within 30 days

The reporting obligation will depend on the length of time it takes the audit to be conducted.

If the audit is concluded within a fortnight, the reporting requirement will be within 30 days of first becoming aware of the breach.

If the investigation lasts 6 weeks, the breach becomes reportable on day 31 of the investigation.

Fraud or gross negligence

Yes

Within 30 days

Breaches or suspected breaches of fraud or gross negligence do not require an assessment of significance and need to be reported within 30 days

Scenarios

Customer Sam Smith arranged his home loan via your authorised representative Joe Bloggs. Sam contacted ABC Finance to make a complaint that the loan he received was not what was requested. The complaint was lodged on the complaints register.

Upon reviewing Sam’s loan file, the loan had been lodged as a P&I loan when the needs analysis requested a five-year interest only term. During your review, it was identified that no Credit Proposal Disclosure was issued to Sam which outlined the loan (P&I) which was being applied for.

A broader review of your representative, Joe Bloggs, home loans commenced on the 1 November 2021. At the end of November, the review was still in progress but the preliminary findings of the review evidence Sam’s loan was not an isolated event and most loan files did not evidence the NCCP disclosure documents were provided to the customer.

This is now a reportable situation on day 31 of the investigation and a report must be made to ASIC through the regulatory portal.

At the conclusion of your investigation, a further report must be made to ASIC.

Did this answer your question?