ASIC has reminded AFS licensees of their obligation to report significant breaches to ASIC promptly and of the need to ensure that internal risk management systems are sufficiently robust to identify, assess and escalate breaches and report significant breaches to the regulator.
In an open letter to the Institute of Internal Auditors Australia, and a press release issued simultaneously, ASIC has made it clear that complying with section 912D of the Corporations Act 2001 requires AFS licensees to report significant breaches to ASIC as soon as practicable, and no later than 10 business days, after first becoming aware of the breach or potential breach. ASIC also states that licensees should not wait until after they have conducted a full investigation into the breach to determine whether it satisfies the “significance” threshold, nor wait for the matter to be considered by the board or by external legal or other expert advisers.
ASIC Deputy Chairman, Peter Kell, has indicated that ASIC will turn its attention to breach reports received from AFS licensees over the coming months, and will actively undertake surveillance of those licensees that are considered to be high-risk. Mr Kell has stated that late reporting will be considered a red flag for closer scrutiny. Mr Kell also reminded licensees that failure to comply with the self-reporting requirements is a criminal offence.
ASIC’s emphasis on systems is noteworthy. AFS licensees must have systems in place that are sufficient to ensure that “relevant” breaches identified anywhere in the business are promptly elevated to, and considered by, senior management so that the organisation can comply with its reporting obligations. Delay in reporting will be scrutinised. It is clear that ASIC will have little sympathy for delays caused by organisational or governance failures.
Determining whether an incident is reportable may not be straightforward, as there may be some uncertainty regarding the consequences of particular breaches in the early stages of any internal investigation. Equally important will be making sure that systems are adequate to ensure compliance. AFS licensees may consider this development an opportunity to review their reporting processes, training and policies around breach reporting so that they are best prepared to meet their obligations.