ASIC RG 78 2024 Update: Refined Reportable Situations Regime

RG 78 in context

ASIC Regulatory Guide 78 'Breach reporting by AFS licensees and credit licensees' provides guidance on the reportable situations regime. This regime is established in section 912DAA of the Corporations Act 2001 (Cth) and section 50A of the National Consumer Credit Protection Act 2009. Reportable situations RG 78 explained

The reportable situations regime began on 1 October 2021, following the Financial Sector Reform (Hayne Royal Commission Response) Act 2020. The guide has been updated in 2024 to reflect industry experience and the content of ASIC’s first report on the regime (REP 740).

The 2024 update also ensures RG 78 aligns with later regulatory reforms, including the Financial Services Compensation Scheme of Last Resort (CSLR). Licensees are required to report 'reportable situations' to ASIC within 30 calendar days after becoming aware of them. Reportable situations RG 78 explained

Deemed significance tests

A ‘core obligation’ breach is a reportable situation if it is significant. Significance is determined by reference to the ‘deemed significance’ tests ASIC breach reporting RG 78 deemed significance tests or the general significance criteria. These deemed significance tests are outlined in section 912DAA(5)-(6) and include factors such as penalty severity, civil penalty, gross negligence, dishonest conduct, and indictable offence.

Certain breaches are automatically deemed significant. For example, a breach that involves a civil penalty provision is deemed significant. Furthermore, a breach that causes financial loss to a client is also deemed significant, unless the impact of that loss is plainly trivial.

The 2024 update to RG 78 clarifies ASIC's expectations regarding the application of the ‘general significance’ test ASIC breach reporting RG 78 deemed significance tests where the deemed tests are not triggered. Licensees must exercise careful judgement in these circumstances.

Investigation triggers

An investigation into whether a reportable situation exists is itself a reportable situation if it continues for more than 30 days. This requirement, initially introduced in the 2021 regime, remains in place following the 2024 update to ASIC’s regulatory guidance.

ASIC’s guidance in RG 78 provides clarification on the commencement of an investigation. The ‘start’ of the investigation is defined by the commencement of substantive investigation activity, rather than preliminary triage processes.

Licensees reporting under this investigation trigger are not required to assume a substantive breach has occurred. Subsequent reports must be lodged upon the investigation’s conclusion, regardless of whether the investigation confirmed a reportable situation.

Group reporting and remediation

ASIC’s updated guidance supports the use of group reporting arrangements for related licensees. This allows for coordinated reporting where multiple licensees share systems and a single breach impacts more than one. Specific conditions apply to enable this coordinated approach.

Licensees remain obligated to provide ongoing updates regarding remediation actions taken in response to a reportable situation. These updates must include details of affected clients, the redress provided, the root cause of the issue, and the corrective actions implemented.

Failure to report a reportable situation constitutes a contravention of section 912DAA and may result in civil penalty exposure under section 1317G. ASIC publishes annual statistics relating to the reportable situations regime, as demonstrated in publications such as REP 803.