What is Mandatory Breach Reporting?
A recommendation from the Royal Commission was to enhance the existing AFSL Breach reporting requirements to apply to holders of an Australian Credit Licence (ACL).
Changes to the National Consumer Credit Protection Act 2009 (Cth) were passed which mandate the reporting of certain breaches to ASIC.
The legislation is effective from 1 October 2021.
Breaches are related either to:
Breaches of the license (refer to core obligations)
Individuals who are authorised to provide credit assistance under the licence (authorised representatives or employees)
Read the ASIC Regulatory Guidance Here
What breaches need to be reported?
The Act has a long list of provisions, which, if breached or likely breached, will be automatically reportable on the basis that they are deemed to be significant.
Automatic reporting obligations apply to:
Conduct constituting gross negligence or serious fraud, and/or
A breach or likely breach of a core obligation that is deemed significant, and/or
An investigation that runs for more than 30 days, regardless of whether a breach occurs.
What is a core obligation?
The core obligations reflect the existing list of obligations under the National Consumer Credit Protection Act 2009 (Cth) and ASIC’s Regulatory Guidance 205 Credit Licencing: General Conduct Obligations.
Core obligations include, but are not limited to:
Acting efficiently, honestly, and fairly;
Complying with the credit legislation;
Having in place adequate arrangements to ensure that clients are not disadvantaged by any conflict of interest;
Maintaining the competence to engage in credit activities (completing CPD hours) and ensuring representatives are trained and competent to engage in the activities authorised by the license;
Having an internal dispute resolution procedure and maintaining membership with an approved external dispute resolution provider (AFCA);
A Licensee must: have adequate arrangements and systems to ensure compliance with its obligations under this section and a written plan that documents those arrangements and systems;
Click here to access RG 205 for the complete Regulatory Guidance on the General Conduct obligations.
Investigations into a breach or likely breach that continue for more than 30 days
Investigations will automatically become a reportable situation on day 31 and a further reporting obligation will arise once the investigation has concluded, regardless of the outcome.
The timing of when an investigation into a breach is therefore critical and the regulatory guidance has made it clear that this is a matter of fact and not for subjective determination by the licensee. The guidance also reminds licensees that investigations should commence in a timely manner and without unreasonable delay.
Reporting other Licensees
The legislation also has provisions for Licensees to report other Licence holders. This is particularly important as both lenders and Connective will have an obligation to report other ACL holders where there are reasonable grounds to believe a reportable situation has arisen.
A copy of the report must also be supplied to the Licensee being reported as this will trigger the ACL holder's own reporting obligations to investigate and report any breach or likely breach.
ASIC will also be required to publish information about the reports lodged each financial year. This will include information about the breaches or likely breaches of core obligations, the name of the licensee, and the volume of reported breaches. The objective of publishing breach data is to provide an incentive to improve behavior, reduce the number of breaches, and improve outcomes for customers.
Reporting to impacted customers
There are also obligations to notify, investigate and remediate customers where certain circumstances have occurred. Licensees must also maintain records to show compliance with the obligations. The reportable situation must arise on or after 1 October 2021.
For more information on reporting to impacted customers, see our article (link).
What do holders of an Australian Credit License need to do?
Holders of an ACL need to ensure they have:
A breach reporting policy
A breach reporting procedure
A breach register
A customer remediation policy
A customer remediation process
For more information on preparing your business for mandatory breach reporting, refer to the wiki article: