ASIC has provided further clarity on its impending breach reporting obligations in its final guidance, including an explanation of what constitutes an investigation into a possible breach and what should trigger the start of a 30-day window before investigations become a “reportable situation”.
Responding to concern from stakeholders such as the FSC about exactly when an investigation into a possible breach starts amid broader concern that too many scenarios would trigger an investigation, ASIC outlined several situations that aren’t considered starting points in its regulatory guide (RG 78), published Tuesday.
The “mere receipt of a detective control” such as a complaint, regulatory request or whistleblower disclosure is not an investigation that needs to be reported, ASIC stated.
Nor are “preliminary steps and initial fact-finding inquiries into the nature of the incident”, as long as they are completed over a short time frame and as an initial response.
Thirdly, ASIC advised, “business as usual inquiries such as routine audits, quality assurance monitoring, or other internal compliance review processes, are only reportable to us if they are triggered by an incident or assess, or will be, assessing a possible breach of a core obligation”.
Alongside the explanation are four example scenarios – including fees-for-no-service issues and client complaints – and a handful of case studies designed to illustrate when an investigation is triggered and subsequently becomes reportable.
The timing aspect of possible breach investigations has been an issue for the industry since ASIC released its draft guide to breach reporting in April this year, which deemed any ‘investigation’ that carried on for 30 days reportable to the regulator.
An investigation will now become reportable on day 31 of the investigation, after which licensees will have another 30 days to lodge a report to ASIC.
Concrete trigger point
According to representatives from legal firm Allens – who labelled the breach reporting obligations a “mammoth project” for licensees – licensees would struggle to place controls in their compliance framework to accommodate the initial 30-day time limit due to different interpretations of what actually starts an investigation.
“The time trigger for making a breach report has changed so licensees are needing to rethink how their reporting processes operate from the ground up,” said managing associate Alexandra McCaughan. “The thing that’s causing anxiety is… how do you know when that is? What’s the concrete trigger point?”
In the final regulatory guide ASIC stuck with its assertion that no new definition of the term ‘investigation’ is required, and that it retains “its ordinary meaning” in the context of breach reporting.
The regulator quoted the Macquarie Dictionary’s definition of ‘investigation’ as a “searching inquiry in order to ascertain the facts”.
“Accordingly, if a licensee is considering whether it has conducted an investigation, a relevant factor would be whether there has been some information gathering or human effort applied by the licensee to determine whether a breach has occurred or will occur,” ASIC stated.
Such information gathering, ASIC continued, may include communicating with the relevant clients or licensee staff who are involved, as well as seeking “specialist or technical advice”.
Commenting on the new obligations, ASIC deputy chair Karen Chester brought up a 2018 report from the regulator that revealed it took more than four years for large financial institutions to identify significant breaches.
“Today’s remediation tally reveals how much consumer harm these delays caused, and ultimately at great cost to those firms,” she said.
“The new obligations also benefit consumers by allowing ASIC to better identify and swiftly address systemic problems,” Chester added. “There will be greater transparency for consumers and firms with the publication of breach reporting data by ASIC from late 2022.”