Description
Use this guide to understand when you must notify customers of a breach, what actions are required, and the timeframes under Mandatory Breach Reporting obligations.
Mandatory Breach Reporting commenced on 1 October 2021 and places obligations on licensees to notify, investigate, and remediate affected customers in certain circumstances.
When you must notify a customer
You must notify an affected customer when all four of the following conditions apply:
You, or one of your representatives, are a mortgage broker who has provided credit assistance to the client for a credit contract secured by a mortgage over residential property.
A reportable situation has occurred, or there are reasonable grounds to believe one has occurred.
There are reasonable grounds to suspect the client has suffered, or will suffer, loss or damage as a result of the reportable situation.
The client has, or may have, a legally enforceable right to recover the loss or damage from the licensee.
Note:
The loss or damage does not need to arise directly from the credit assistance. It only needs to result, or potentially result, from the reportable situation.
What is a reportable situation?
For the purpose of notifying customers, a reportable situation includes:
A significant breach of a core obligation
Conduct involving gross negligence or serious fraud
Circumstances involving loss or damage
The legislation does not define loss or damage. When assessing this, you must not consider materiality. Any loss or damage, regardless of size, may be relevant.
When a customer has a legally enforceable right
An affected customer may have a legally enforceable right to recover loss or damage where the reportable situation involves, for example:
Negligence by the licensee or its representative
Dishonest conduct by the licensee or its representative
What you must do if notification is required
If all four notification triggers apply, you must complete each of the following actions.
Notify the customer
You must take reasonable steps to notify the affected customer in writing within 30 days of becoming aware of the breach of the law.
Start an investigation
You must commence an investigation into the full extent of the breach within 30 days.
Notify the customer of the outcome
You must take reasonable steps to notify the affected customer in writing within 10 days of concluding the investigation.
Remediate the customer
If there is loss or damage and a legally enforceable right to recover it, you must take reasonable steps to pay remediation equal to the loss or damage within 30 days of the investigation concluding.
Important:
You must retain records that demonstrate compliance with notification, investigation, and remediation obligations. Failure to keep adequate records is a criminal offence.
Consequences of non-compliance
ASIC may take enforcement action where a licensee fails to meet Mandatory Breach Reporting obligations, including:
Failing to notify affected customers within required timeframes
Failing to conduct an investigation as required
Failing to remediate affected customers, or not doing so within required timeframes
What Australian Credit Licence holders must have in place
Holders of an Australian Credit Licence (ACL) must ensure they have:
Frameworks to identify actual or likely breaches that may trigger notification, investigation, or remediation
A documented breach reporting policy and procedure
A documented customer remediation policy and procedure
Need help?
If you need help understanding Mandatory Breach Reporting obligations or customer notification requirements, contact your Partnership Manager or email [email protected]