As the financial services landscape grows more intricate and new market entrants disrupt long-held conventions, the challenges of compliance become particularly noticeable. Varying interpretations and fast-changing requirements complicate an already-stringent regulatory environment. Australian financial organisations are left scrambling to play by the rules — all without jeopardising the processes that keep them afloat in a competitive ecosystem.

Because of all these factors and more, the Australian Securities and Investments Commission (ASIC) acknowledges that breaches can occur despite a financial organisation’s best efforts. To simplify the subsequent reporting requirements, ASIC recently updated Regulatory Guide 78, guidelines for breach reporting by Australian Financial Services and credit licensees.

Here’s a look at what changed and how it impacts Australian Financial Service License (AFSL) and Australian Credit License (ACL) holders.

Overview of key changes

Regulatory Guide 78, also called RG 78, provides guidance specifically designed for financial services and credit licensees. It outlines the obligation to report to ASIC certain breaches of the law under the Corporations Act 2001 (Corporations Act) and the National Consumer Credit Protection Act 2009 (National Credit Act).

These requirements help ASIC track industry-wide issues. Under the reportable situations regime, ASIC is required to create annual public reports on this provided information, enabling industry professionals and consumers to make informed financial decisions.
The most recent RG 78 changes, which went into effect on 5 May 2023, took two basic approaches:

Guidance clarification

ASIC clarified various aspects of its breach reporting regime and other reportable situations. The goal of these updates was to help licensees fulfil their obligations to notify ASIC of certain breaches, including what information must be recorded and how specific scenarios should be described.

Reporting form updates

In line with its new guidance, ASIC also updated the reporting form used to communicate breaches. The changes were built around ensuring that licensees know what information to provide and how to do so accurately.


An in-depth look at ASIC updates

Here’s a quick reference guide for recent RG 78 updates:

Change #1

This update shifts the circumstances in which licensees may list multiple situations in a single report to ASIC. It introduces a ‘grouping test’ to help clarify when reportable situations are related based on root causes.

Change #2

ASIC updated guidance around the ‘Describe the reportable situation’ field. The new language provides specific information for licensees to consider when filling out the form, including the breach’s impact, nature and complexity.

Change #3

This change requires licensees to use the ASIC Regulatory Portal’s update functionality to report the progress and status of individual breaches. Updates are expected at least every six months.

Change #4

A new form structure provides definitional-style guidance for answer options regarding a breach’s trigger and root cause. There’s also further clarification on each option to help licensees make the most accurate choice when describing breach events.

Change #5

Similar to Change #1, this update is concerned with clarifying what constitutes ‘similarity’ in reporting situations. This enables licensees to more confidently answer the required question about previous, similar reportable situations. 

Change #6

This new guideline defines when a client should be considered ‘affected,’ including examples and support for calculating the number of affected clients. 

Change #7

If a licensee needs to correct or entirely withdraw a submitted report, this updated guidance clarifies relevant circumstances and outlines the necessary processes.


What AFSL and ACL holders can do to stay compliant

As with all ASIC regulations, AFSL and ACL holders must adhere to the updated RG 78 guidelines — and do so in a timely manner. Failing to make appropriate changes can cause a licensee to incorrectly note certain breaches or completely fail to report others, demonstrating inadequate regulatory change management and potentially instigating formal reviews. This can lead to ASIC enforcement actions and penalties, which may be more severe in cases of improper breach reporting. 

Simply put, it’s crucial to digest and synthesise regulatory change. This isn’t just a display of technological and operational resilience as required by ASIC; it’s a visible effort to protect a licensee’s clients. 

AFSL and ACL holders should follow these steps to remain compliant with RG 78 changes:

  • Plan updates: Identify which forms, policies, procedures and processes are involved in breach reporting. Plan to update them according to new guidelines.
  • Distribute information: Ensure that all new or changed content is shared among relevant staff. Outline practical impacts on their day-to-day responsibilities.
  • Track changes: Note how these updates affect the nature and extent of any breach reporting activities.


Managing regulatory change the smart way

ASIC notes that it will continue collaborating with the wider industry to perfect RG 78, which means more changes could be right around the corner. Licensees can’t afford to stop entire workflows every time an update is announced — especially since regulatory change is nearly constant in financial services.

The key is to implement solutions that enable you to identify updates and their internal impacts through visual links. RegsWeb, our regulatory change management platform, does just that.

Contact us today to see how RegsWeb helps licensees stay on top of changes like these.


Image by yanalya on Freepik

Back to Blog