Introduction
The Australian Securities and Investments Commission (ASIC) has released an updated version of Regulatory Guide 78 (RG 78). The update clarifies aspects of the breach reporting and reportable situations regime and is intended to assist licensees with their reporting obligations to ASIC. The changes made to RG 78 address implementation challenges identified since the regime's introduction in October 2021.
ASIC has made changes to the prescribed form for reporting, which will be effective from 5 May 2023. ASIC will continue to engage with the industry to improve the reportable situations regime and undertake further consultation in due course.
Key Updates to RG 78
Consolidating multiple reportable situations into one report: ASIC has clarified the circumstances in which licensees may group multiple reportable situations into a single breach report, based on two grouping tests. The situations must involve similar, related, or identical conduct and share the same root cause.
Describing reportable situations in the Regulatory Portal: ASIC introduced guidance to help licensees provide consistent and appropriate information in the "Describe the reportable situation" free-text field. The guidance is scalable to account for the impact, nature, and complexity of the reportable situation.
Updating existing breach reports: ASIC expects licensees to provide updates at least every six months or when there are material changes to their understanding of the reportable situation. Updates should also be provided upon the completion of investigations, rectification of root causes, and customer remediation processes.
Identifying investigation triggers and root causes: ASIC has expanded the definitional guidance for the "What triggered the investigation or made you aware of the matter?" and "What are the root causes of the breach or likely breach?" sections of the prescribed form.
"Similar" reportable situations: The updated RG 78 provides guidance on what constitutes a "similar" reportable situation. Licensees should consider the purpose, impact, nature, and complexity of the situation when making this assessment.
Calculating the number of affected clients: RG 78 clarifies when a client should be considered "affected" by a reportable situation, providing illustrative examples to help licensees make this determination.
Withdrawing and correcting breach reports: RG 78 outlines circumstances in which licensees can apply to ASIC to have a report withdrawn or corrected on a case-by-case basis.
Changes to the Prescribed Form for Reporting
ASIC has made changes to the prescribed form for reporting, which will be effective from 5 May 2023. These changes mainly reflect the updated regulatory guidance and aim to clarify the information that ASIC requires. For instance, ASIC has redrafted its question regarding when a licensee becomes "aware" of a reportable situation, and the new form now provides more guidance on terms such as "investigate."
If you have any questions, or need help with a reportable breach, please contact us at astrid.raetze@abmlconsulting.com.au