Credit Licensees now have an obligation to report breaches to ASIC in certain situations. If a breach is reportable and you don't report it, you may be fined or face jail time.
When is a Breach Reportable?
ASIC's Regulatory Guide 78 describes four different types of "reportable situations":
- Breaches or likely breaches of core obligations that are significant
- Internal investigations into breaches or likely breaches that are significant
- Reportable situations about other Licensees
- Breaches that amount to gross negligence or serious fraud
ASIC has acknowledged that the guidelines here are quite broad and this may be reviewed again in the future if ASIC is overwhelmed by insignificant breach claims.
To help us determine if a breach is "significant", RG78 offers further guidance:
- Deemed significant. Breaches are automatically "significant" if they could involve criminal convictions resulting in jail time, fraud, misleading or deceptive conduct, or loss or damage to a client.
- Objectively significant. Other breaches could still be "significant" when objectively viewed against certain criteria. These include the number or frequency of such occurrences, the impact on your ability to continue as a Licensee or indications that your compliance systems are failing.
You have to document your management of breaches from detection to closure, including reporting to ASIC where applicable. Your compliance system must include a breach register to track ALL breaches. This covers reportable breaches as well as minor issues, so that you can identify those that may be the result of a systemic failing.
All representatives of the business should be able to identify and record breaches in your compliance system. This ensures that breaches are appropriately escalated in a timely manner to avoid delays in reporting to ASIC and prevent further issues within the organisation.
Lodging Breach Reports
For significant breaches that occurred on or after 1 October 2021, ASIC must be notified through the ASIC Regulatory Portal within 30 calendar days after you become aware.
Finally, Licensees are also obliged to report the breaches of other Licensees if they don't believe the offending Licensee has reported the breach themselves. A practical example of this would be where a lender or aggregator believes you have committed a reportable breach and you haven't reported it yourself.