Background:
Mandatory Breach Reporting becomes effective 1 October 2021.
Breaches are related either to:
Breaches of the license (refer to core obligations)
Individuals who are authorised to provide credit assistance under the licence (authorised representatives or employees)
For more information on breach reporting obligations refer to our article: Overview of Mandatory Breach Reporting and the ASIC regulatory guide
What ASIC requires when reporting breaches through the portal.
Reporting of breaches or likely breaches must be completed through the ASIC portal in the timeframes prescribed in the regulations.
The report must include information relating to 12 key areas including:
1. The date the reportable situation arose.
2. The date the licensee first knew that there were reasonable grounds to believe a reportable situation had arisen.
The nature of the reportable situation including if the report relates to:
a. A significant breach of a core obligation
b. A likely significant breach of a core obligation
c. An additional reportable situation (serious fraud or gross negligence)
An investigation into whether a breach or likely breach of a core obligation has occurred that has continued for more than 30 days;
d. An investigation into whether a breach or likely breach of a core obligation has occurred that has continued for more than 30 days even where the outcome discloses that no reportable situation has occurred
e. A reportable situation about another licensee.
4. A description of the reportable situation.
5. A description of the reportable situation including the section of the NCCP which sets out the relevant obligation.
6. Details of why the breach is significant, where relevant.
7. How the reportable situation was identified.
8. How long the breach lasted including whether the breach is still occurring.
9. Information about representatives including name and authorised credit representative number. Additional information such as whether the representative’s authorisation has been revoked or suspended or if ongoing monitoring of the representative is being undertaken are also required, where relevant.
10. How the reportable situation has been rectified including any progress plans on rectifying the breach.
11. Customer remediation requirements, where required; and
12. Any steps taken to ensure future compliance with the obligation.
Breach reporting policy:
In creating your policy, consider the following:
Roles and responsibilities of staff?
Who will have the responsibility to investigate breaches?
Who will have the responsibility to lodge reports to ASIC?
Documented timeframes for reporting breaches or likely breaches to ASIC
Sections of the NCCP which may be breached by the licensee or representatives (noting the section of the NCCP which is breached is a requirement to report through the portal)
NCCP LEGISLATION | SECTION |
Licensing | Section 29 |
Core obligations | Section 47 |
Credit Guide | Section 113 (licensee) |
Preliminary Assessment | Section 116-120 |
Credit Proposal Disclosure | Section 121 |
Credit Quote | Section 114 |
Best Interests Duty | Section 158 |
Breach reporting considerations:
In creating your procedure, consider the following:
Is your current monitoring and oversight sufficient to identify and detect breaches or likely breaches of the core obligations and credit legislation?
Do you need to review the monitoring of your representatives and employees to identify systemic instances of non-compliance?
Do you have sufficient controls in place to detect breaches?
Do you have a satisfactory consequence management framework?
Who is responsible for undertaking the reviews of your licence, obligations, ACL frameworks and consumer credit files?
Breach reporting register:
A template breach register is included at the bottom of this article.
Examples:
Scenario | Reportable | Timeline | Reason |
Failure to renew AFCA membership | Yes | Within 30 days | Breach of core obligation where no further investigation is required. |
Failure to issue a Credit Guide to one customer | No | Not required | Isolated event which is not systemic non-compliance with credit legislation |
Failure to issue a Credit Proposal Disclosure on 15 / 20 files audited | Yes | Within 30 days | The reporting obligation will depend on the length of time it takes the audit to be conducted. |
Fraud or gross negligence | Yes | Within 30 days | Breaches or suspected breaches of fraud or gross negligence do not require an assessment of significance and need to be reported within 30 days |
Scenarios
Customer Sam Smith arranged his home loan via your authorised representative Joe Bloggs. Sam contacted ABC Finance to make a complaint that the loan he received was not what was requested. The complaint was lodged on the complaints register.
Upon reviewing Sam’s loan file, the loan had been lodged as a P&I loan when the needs analysis requested a five-year interest only term. During your review, it was identified that no Credit Proposal Disclosure was issued to Sam which outlined the loan (P&I) which was being applied for.
A broader review of your representative, Joe Bloggs, home loans commenced on the 1 November 2021. At the end of November, the review was still in progress but the preliminary findings of the review evidence Sam’s loan was not an isolated event and most loan files did not evidence the NCCP disclosure documents were provided to the customer.
This is now a reportable situation on day 31 of the investigation and a report must be made to ASIC through the regulatory portal.
At the conclusion of your investigation, a further report must be made to ASIC.