In a constantly shifting financial services environment, maintaining compliance is crucial for organisations, but it shouldn’t jeopardise the processes that keep them afloat in a competitive ecosystem. Fortunately, the Australian Securities and Investments Commission (ASIC) acknowledges that a reportable situation like a breach can occur despite your best efforts.

To simplify the subsequent requirements, ASIC has been updating Regulatory Guide 78 (RG 78) for breach reporting. Here’s a look at RG 78, how it’s been updated and how it impacts Australian Financial Services Licence (AFSL) and Australian Credit Licence (ACL) holders.

What Is RG 78?

Regulatory Guide 78, also called RG 78, provides guidance specifically designed for financial services and credit licensees. It outlines the obligation to report to ASIC certain breaches of the law under the Corporations Act 2001 (Corporations Act) and the National Consumer Credit Protection Act 2009 (National Credit Act). It also clarifies ASIC’s expectations regarding reporting practices and processes.

RG 78 allows ASIC to detect compliance trends at individual and industry levels. The breach reporting regime allows financial firms to self-identify issues and create opportunities to learn, understand and improve — all to help licensees fulfil the reporting obligation and prevent larger-scale issues.

In May 2023, ASIC put updated rules into effect. It clarified RG 78 breach reporting guidance and the regulatory regime overall. Changes included:

  • A new “grouping test” to clarify whether a single root cause connects multiple reportable situations.
  • Different form structures and language to help ensure licensees provide accurate information.
  • Support in determining when a client should be considered “affected.”
  • New guidance on using the ASIC Regulatory Portal.

ASIC updated RG 78 again in May 2024, making very small language changes to improve clarity and usability.

Why AFSL Holders Need to Rethink Incident and Breach Identification

ASIC’s recent report paints a concerning picture for AFSL breach reporting. Many Australian Financial Services Licensees are falling short when it comes to identifying and reporting breaches, struggling to translate RG 78 guidelines into effective action.

Years of experience in the financial services industry have shown how easily incidents can slip through the cracks. The problem often starts with a fundamental misunderstanding of what constitutes a reportable situation under RG 78. It’s not enough to simply address an issue when something goes wrong. Every incident, no matter how minor, needs to be thoroughly reviewed, recorded in the AFSL breach register and escalated appropriately.

The Missing Link: Identifying and Recording Incidents

One of the biggest challenges for AFSL holders is ensuring staff consistently identify and record incidents. Without a robust system for capturing these events, it’s impossible to conduct effective root cause analysis, identify trends and implement preventative measures.

Think of it this way: If your AFSL breach register is gathering dust, it’s a glaring red flag. That’s not an indication of flawless operations; it’s a sign that your reporting system is failing you. In today’s regulatory environment, complacency is not an option when it comes to financial services compliance.

Bridging the Gap: Practical Steps for Improvement

So, how can AFSL holders strengthen their breach reporting and compliance program? Here are some essential starting points:

  • Ongoing Staff Training: Don’t just train your staff once and consider it done. Implement regular refreshers to reinforce the importance of incident identification and reporting, and stay up to date with ASIC guidance or updates on reportable situations. Make sure they understand what constitutes a breach, how to escalate concerns and what ASIC’s expectations mean for your business. Use real-life examples and case studies to illustrate the potential consequences of unreported incidents and the importance of adhering to ASIC Regulatory Guide 78.
  • Effective Technology: Invest in user-friendly technology solutions that simplify incident recording and reporting. Platforms like Complii can streamline these processes and provide valuable data for analysis. Look for solutions that integrate with your existing systems and offer features like automated reporting, data visualization and trend analysis to enhance your financial services compliance efforts.
  • Timely and Thorough Analysis: Instead of merely reacting to incidents, proactively investigate them. Conduct timely root cause analysis for individual breaches and schedule periodic reviews to identify broader trends and systemic issues. Ask the “why” questions: Why did this happen? What were the contributing factors? How can we prevent it from happening again? This is crucial to meeting your licensee obligations and ensuring RG 78 compliance.

Beyond the Bottom Line: The True Cost of Non-Compliance With ASIC Breach Reporting

The consequences of inadequate ASIC breach reporting extend far beyond financial penalties. Unhappy clients, reputational damage and increased regulatory scrutiny can significantly impact your business. A single unreported breach can erode client trust, trigger negative media attention and even lead to license suspension.

By fostering a culture of compliance where every employee is empowered to identify and report potential breaches, you can protect your clients, reputation and license.

Where does this begin? Simple: right at the top. Leaders need to demonstrate their commitment to ethical conduct and responsible reporting. This means:

  • Open Communication: Encourage open dialogue and create a safe space for employees to raise concerns without fear of retribution.
  • Proactive Solutions: Focus on identifying and addressing the root causes of breaches, rather than simply assigning blame.
  • Client-Centric Approaches: Reinforce the importance of putting clients’ best interests first.

A Call to Action: Embrace Transparency and Continuous Improvement for Robust AFSL Compliance

If your incident reporting processes aren’t up to par, it’s time to take action. Don’t wait for a regulatory intervention to force your hand. Embrace transparency, encourage open dialogue and foster a proactive approach to compliance.

Remember, we all make mistakes. It’s how we respond to those mistakes that sets us apart. By actively identifying, analysing and learning from incidents and breaches, we can strengthen our businesses, better serve our clients and build a more robust and resilient financial services industry.

ASIC RG 78: Frequently Asked Questions

What Is the ASIC Regulatory Portal?

The ASIC Regulatory Portal is a platform uniting all of ASIC’s digital services, acting as a single location for your interactions with the organisation. It includes a specific form for RG 78 breach reporting, which asks you for information about:

  • Core obligation breaches.
  • Any ongoing investigations and outcomes.
  • Conduct that constitutes gross negligence or serious fraud.

When Do Breaches Need To Be Reported to ASIC?

Breaches generally need to be reported to ASIC within 30 calendar days of identification. This includes cases where there are reasonable grounds to believe a reportable situation has arisen.

However, it’s important to understand what constitutes a “reportable situation.” RG 78 outlines specific criteria, including:

  • Core Obligation Breaches: This includes significant breaches (and likely significant breaches) of key legal requirements related to providing financial services.
  • Investigations: If an investigation into a potential breach continues for more than 30 days, it becomes reportable, regardless of the outcome.
  • Misconduct: Breaches involving gross negligence or serious fraud require immediate reporting.

When Did RG 78 Come Into Force?

The updated RG 78 came into force on 1 October 2021. It’s important to note that breaches that occurred entirely before this date are not reportable under the new regime, even if they were identified after 1 October 2021. However, if the conduct that caused the breach continued after 1 October 2021, it may be reportable.

Managing Regulatory Change the Smart Way

ASIC is always collaborating with the wider industry to perfect RG 78 and other guidelines, which means more changes could be right around the corner. Licensees can’t afford to stop entire workflows every time an update is announced — especially since regulatory change is nearly constant in financial services.

The key is to implement solutions that enable you to identify updates and their internal impacts through visual links. Fortunately, MIntegrity is here to help.

Our expert services encompass all your regulatory change management needs, from implementing compliance frameworks and performing due diligence reviews to remediating licence conditions and Court-Enforceable Undertakings. We also have compliance software and a regulatory change management platform to help lay the technological foundation for success in your firm.

Contact us today to see how we can help you manage your compliance obligations.
