
The new breach reporting regime: as simple as assembling a springless trampoline

Paul Derham

After browsing the recently-tabled 153-page Financial Sector Reform Bill, I was struck by the irony of Hayne’s comments in his interim report.

"Should the existing law be administered or enforced differently? Is different enforcement what is needed to have entities apply basic standards of fairness and honesty: by obeying the law; not misleading or deceiving; acting fairly; providing services that are fit for purpose; delivering services with reasonable care and skill; and, when acting for another, acting in the best interests of that other? The basic ideas are very simple. Should the law be simplified to reflect those ideas better?"

It seems the answer is a resounding yes to the first question, and no to the last.

Yes: ASIC continues to escalate administrative, civil and criminal action, while dropping some regulatory tools like enforceable undertakings because they’re “on the nose” following criticism in the royal commission (even though ASIC commissioned a study by UNSW which found that EUs have a deterrent effect).

No: The law has not been simplified. The government’s response to the final report was that it would be “taking action on all 76 recommendations”. And it’s delivering. Phone-books of fresh legislation.

A simple read of the proposed new breach reporting framework is mind-boggling. It’s not a surprise, given that we saw the exposure draft back in January. However, it still fascinates me that this could be considered an improvement. It’s clear the old s912D breach reporting didn’t spark joy. In with the new! Given the approach of Christmas, I’ve selected gift-giving analogies:

Old rule


Like a gift voucher. Simple. A bit controversial and subjective based on preferred merchants, but generally understood by the public.

Step 1: Is it a breach or likely breach by the licensee of the financial services laws?

Step 2: If yes, is the breach or likely breach significant and reportable based on 4 (admittedly subjective) factors – (a) frequency, (b) ability to provide the financial services, (c) inadequacy of compliance arrangements, (d) actual or potential financial loss to client or licensee?

Step 3: If yes, dob yourself in to ASIC within 10 business days once becoming aware of the breach.

New rule

Like assembling a springless trampoline. They sell well to concerned parents because they sound safe, but they don’t have much bounce. Also, assembling them requires a degree in nuclear physics. Ever tried it? Good luck.

Step 1: Has the licensee or representative:
1. Breached or likely breached the financial services laws?
2. Likely breached the financial services laws?
3. Not necessarily breached them but has spent 30+ days investigating whether it has;
4. Not necessarily breached them but has spent 30+ days investigating whether it has and has concluded that it hasn’t;
5. Engaged in gross negligence;
6. Committed serious fraud.

Step 2: If yes, is the breach or likely breach significant (items (5) and (6) are inherently significant, so you can skip this step for them), based on:
1. Three of the old four subjective factors (a) number or frequency, (b) ability to provide the financial services, (c) inadequacy of compliance arrangements;
2. New deeming factors, so it’s deemed to be significant if:
   a. It’s an offence provision punishable by certain prison time;
   b. It’s a civil penalty provision (most of the s912A obligations including the efficiently, honestly and fairly obligation are civil penalty provisions. This is a big change.);
   c. It’s a breach of misleading and deceptive conduct provisions;
   d. The breach results in material loss or damage.

(Note: these are all called “reportable situations”.)

Step 3: If yes, dob yourself in to ASIC within 30 days after you first know (or are reckless and should know) that there are reasonable grounds to believe it’s reportable.

And, if you look over the fence and see an individual of another licensee who provides personal advice to retail clients in relevant financial products and their conduct appears to be a breach as defined above, then dob them in to ASIC and their own licensee, too.

What should you do?

Nothing yet. Let’s see if the bill morphs into something more reasonable at the time of royal assent. Then, you’ll need to update your procedures and roll out training. Watch this space.

Paul Derham, partner, Holley Nethercote