Key points

• ASIC has released updated guidance for credit and financial services licensee (Licensees) on making notifications to ASIC under the reportable situations regime.
• These updates are intended to improve the ‘consistency and quality of reporting practices’.
• These updates mean Licensees need to update their breach reporting policies and procedures to ensure they are up to date with ASIC’s revised guidance.

Background

On 27 April 2023 ASIC released guidance for credit and financial services licensees on making notifications to ASIC under the reportable situations regime (formerly known as breach reporting) (Updated RG78).

The Updated RG78 has been developed following consultation with the industry – including feedback from industry associations from the banking, insurance, superannuation, financial advisers, markets and credit sectors - and follows ASIC’s analysis of reports received to date.

ASIC hopes that the updated guidance will improve the ‘consistency and quality of reporting practices’ by Licensees, and ultimately support the use of the data for ASIC’s regulatory purposes and public reporting.

The updates are also intended to reduce the regulatory burden for Licensees.

What’s changed

Some key changes by ASIC to Updated RG78 include the following.

• Clarification regarding the circumstances in which Licensees may group multiple reportable situations into one report to ASIC: ASIC has developed a new ‘grouping test’ and provided new and revised examples to help demonstrate how this new test should be applied to common scenarios. The guidance now recognises that reports may be grouped if the root cause is staff negligence or human error.
• New guidance on the information to include when Licensees describe a reportable situation: The guidance asks Licensees to consider the impact, nature and complexity of the breach, and the extent to which the report would benefit from explanation beyond what is captured through the other fields in the prescribed form.
• New guidance for Licensees on ASIC’s expectations when Licensees are providing updates related to a reported breach: The guidance clearly sets out the types of matters that should be updated and introduces an expectation that Licensees should provide updates at least every six months.

ASIC is also in the process of making minor changes to the prescribed reporting form, which from 5 May 2023 will clarify how some questions should be answered – including pointing Licensees to the guidance available in the Updated RG 78. Some of the more helpful changes to the form include new embedded guidance in relation to the following.

• Clarification that from ASIC’s perspective, ‘an investigation is complete only after the Licensee has determined the root cause(s), identified all affected clients and identified all instances of the reportable situation’.
• Clarification that genuine estimates for client loss and number of clients affected should be based on information available at the time of reporting, and that updated information should be provided by Licensees once it is known.
• Clarification that when considering ‘similar’ reportable situations, Licensees should look back until at least 1 October 2021 to answer this question.

Next steps

Licensees need to update their breach reporting policies and procedures to ensure they are up to date with ASIC’s revised guidance which is effective immediately.

It is worth noting that ASIC acknowledges that these updates are by no means the only updates required for consistent and quality reporting practices.

In releasing the Updated RG78, the regulator has acknowledged it is aware of other issues regarding the operation of the regime – and indeed referred to the Updated RG78 as the ‘first phase’ of changes under the reportable situations program of work announced as one of ASIC’s 2022–23 priorities in August 2022.

Accordingly, ASIC’s work on these other matters is ongoing, and the regulator flagged it will be undertaking further consultation with stakeholders. Licensees are advised to watch this space for further development.