Introduction
Significant regulatory changes introduced by the Australian Securities and Investments Commission (ASIC) have reshaped the landscape for Australian Credit Licence (ACL) holders. Stemming from the Financial Services Royal Commission and enacted through amendments to the Corporations Act 2001 (Cth) and the National Consumer Credit Protection Act 2009 (Cth) effective from 1 October 2021, these reforms introduced enhanced breach reporting obligations for every licensee, making compliance a critical focus for ACL holders.
This guide provides essential information for credit licensees navigating these updated requirements. Understanding the key changes to reporting obligations is vital for licence holders to maintain robust compliance frameworks, manage regulatory risk effectively, and ensure adherence to the standards set by ASIC.
Overview of the Enhanced Breach Reporting Regime
Commencement and Scope
Significant regulatory changes impacting ACL holders came into effect on 1 October 2021. These changes introduced a mandatory breach reporting regime, extending similar obligations already placed on Australian Financial Services Licence (AFSL) holders. Both AFSL and ACL holders, collectively referred to as licensees, are now subject to these enhanced reporting obligations under the Corporations Act 2001 (Cth) and the National Consumer Credit Protection Act 2009 (Cth).
The updated regime applies to ‘reportable situations’ that arose on or after 1 October 2021. This means that ACL holders are generally not required to report breaches that occurred entirely before this date, even if identified later.
The regime covers conduct by the licensee and its representatives, including:
- Employees
- Directors
- Authorised representatives or credit representatives
Identifying Reportable Situations Under the New Rules
Breaches of Core Obligations
ACL holders must report significant breaches, or likely significant breaches, of their ‘core obligations’ to ASIC. These core obligations are defined in section 50A(3) of the National Consumer Credit Protection Act 2009 (Cth), with a detailed summary available in ASIC’s Regulatory Guide 78 (RG 78).
Core obligations for ACL holders include:
- Ensuring credit activities are provided efficiently, honestly, and fairly
- Having adequate arrangements for managing conflicts of interest
- Complying with credit licence conditions and relevant credit legislation
- Taking reasonable steps to ensure representatives comply with credit legislation
- Having adequate resources (financial, technological, human) and risk management systems
- Maintaining competence and ensuring representatives are trained and competent
- Having compliant internal dispute resolution (IDR) procedures and being a member of AFCA
- Having adequate compensation arrangements
Only breaches or likely breaches of these core obligations that are ‘significant’ need to be reported to ASIC.
Determining Breach Significance
A breach, or likely breach, of a core obligation must be reported if it is considered ‘significant’. There are two pathways to determine if a breach meets this threshold:
- Deemed Significance: Certain breaches are automatically considered significant by law, requiring no further assessment before reporting.
- Objective Assessment: If a breach is not automatically deemed significant, its significance must be assessed objectively based on specific factors outlined in the legislation.
Licensees should first assess if a breach falls under the ‘deemed significant’ category. If it does not, they must then proceed to the objective assessment based on the statutory factors.
Deemed Significant Breaches
Certain breaches of core obligations are automatically taken to be significant under section 50A(4) of the National Consumer Credit Protection Act 2009 (Cth). This provides greater certainty and ensures timely reporting.
These ‘deemed significant breaches’ include situations where the breach:
- Constitutes an offence punishable by imprisonment for 12 months or more (or three months or more if involving dishonesty)
- Breaches a civil penalty provision, unless specifically excluded by regulations or ASIC instruments
- Contravenes a key requirement under section 111 of the National Credit Code, unless exempted by regulations
- Involves misleading or deceptive conduct under section 12DA(1) of the Australian Securities and Investments Commission Act 2001 (Cth), with some exceptions
- Results, or is likely to result, in material loss or damage to a credit activity client
Some civil penalty provisions and key requirements are excluded from being automatically deemed significant. For instance:
- Regulation 12A of the National Consumer Credit Protection Regulations 2010 (Cth) excludes certain civil penalty provisions
- Regulation 12B excludes some key requirements under the National Credit Code
- ASIC Instrument 2021/716 provides relief from deeming for specific breaches under certain conditions
Even if excluded from deeming, these breaches must still be assessed against the objective significance factors.
The term ‘material loss or damage’ depends on the client’s circumstances, including their financial situation. This includes both financial and non-financial types of loss. A breach affecting multiple clients might be material based on the aggregated loss, even if individual losses are small. ‘Likely to result’ means there is a real, not remote, possibility of loss or damage occurring.
Objectively Assessing Significance
If a breach of a core obligation is not automatically deemed significant, licensees must assess its significance based on factors outlined in section 50A(5) of the National Consumer Credit Protection Act 2009 (Cth). This assessment must be objective.
The key factors to consider include:
- The number or frequency of similar breaches: Repeated minor breaches might indicate a systemic issue or inadequate compliance arrangements, making a subsequent similar breach significant. Maintaining a breach register helps track this frequency.
- The impact on the licensee’s ability to engage in credit activities: Breaches affecting the licensee’s capacity to provide services covered by the licence are more likely to be significant. For example, breaching financial requirements could impair the ability to operate.
- The extent the breach indicates inadequate compliance arrangements: A breach suggesting broader failures in compliance systems, rather than an isolated incident, is more likely to be significant. The time taken to detect and investigate the breach is relevant here.
- Any other matters prescribed by regulations: Licensees should check if regulations prescribe additional factors.
A breach may be significant based on just one factor or a combination of factors. Ongoing challenges exist, particularly in assessing misleading or deceptive conduct arising from one-off human errors where no client harm occurs.
Reportable Investigations
An internal investigation into whether a significant breach (or likely significant breach) of a core obligation has occurred becomes a ‘reportable situation’ itself if it continues for more than 30 days. This applies under section 50A(1)(c) of the National Consumer Credit Protection Act 2009 (Cth).
The term ‘investigation’ involves a searching inquiry to ascertain facts, including:
- Communicating with staff or affected clients
- Gathering information
- Seeking specialist advice
Merely logging an issue in a risk system is unlikely to constitute an investigation. The label given internally to the process is irrelevant; what matters is the nature of the activity. Investigations conducted by outsourced providers or related entities are also covered.
The 30-day period starts when the investigation commences, which is a matter of fact, not subjective determination. The investigation becomes reportable on day 31, and the licensee then has another 30 days to lodge the report with ASIC.
Important timeline considerations:
- If an investigation concludes within 30 days and finds no reasonable grounds to believe a reportable situation arose, it is not reportable
- If it concludes within 30 days and does find reasonable grounds, the underlying reportable situation must be reported within 30 days of that finding
- If an investigation that has become reportable ultimately concludes that no significant breach occurred, this outcome must also be reported to ASIC within 30 days of that conclusion
Licensees should not delay reporting a confirmed reportable situation simply because an investigation is ongoing.
Additional Reportable Situations: Gross Negligence and Serious Fraud
Beyond breaches of core obligations, certain other conduct must always be reported to ASIC, irrespective of whether it relates to a core obligation or meets a significance test. These ‘additional reportable situations’ under section 50A(2) of the National Consumer Credit Protection Act 2009 (Cth) include when the licensee or its representative:
- Engages in conduct constituting gross negligence in the course of engaging in credit activities
- Commits serious fraud
‘Serious fraud’ is defined as an offence involving fraud or dishonesty against Australian law (or any other law) punishable by imprisonment for at least three months. Conduct amounting to gross negligence or serious fraud must be reported due to the potential for significant client detriment and its reflection on the licensee’s character and suitability.
Key Procedural Changes for ACL Holders
Understanding Reporting Timelines
ACL holders must adhere to strict timelines for reporting identified issues to ASIC. The reporting process follows these key timeframes:
- Standard 30-day reporting period: You must lodge a report within 30 calendar days after you first know, or are reckless regarding whether, there are reasonable grounds to believe a reportable situation has arisen.
- Starting point for the 30-day clock: This period begins from the point of knowledge or recklessness, not necessarily from when the incident occurred.
The law establishes an objective standard for determining when this reporting period begins. It hinges on when facts or evidence exist that would lead a reasonable person to believe a reportable situation has occurred.
Knowledge can be attributed to the licensee even if it resides with an employee or agent acting within their actual or apparent authority, regardless of internal reporting hierarchies or delegations. You should not delay reporting beyond the 30-day timeframe to wait for board consideration or legal advice if reasonable grounds already exist.
In specific, limited circumstances, a 90-day reporting timeframe may apply. This extension is available for reporting subsequent reportable situations that share the same or substantially similar underlying circumstances as a situation already reported to ASIC. This requires meeting the ‘grouping test’ criteria. However, even with this potential extension, each individual reportable situation must still meet its applicable deadline.
For investigations into potential significant breaches of core obligations, the reporting timeline works slightly differently:
- If an investigation continues for more than 30 days, the investigation itself becomes reportable on day 31.
- You must then report the existence of the investigation to ASIC within 30 days of it becoming reportable (i.e., by day 61).
- If the investigation ultimately concludes that no reportable situation occurred, this outcome must also be reported within 30 days of that conclusion.
Reporting via the ASIC Portal
Submitting reports about reportable situations must be done electronically using the prescribed form available through the ASIC Regulatory Portal. This is the mandatory channel for licensees to meet their reporting obligations.
Reporting entities regulated by APRA may also lodge reports with APRA, provided they meet the timeframes and include all information required by ASIC’s form.
The prescribed form uses conditional logic, asking questions relevant to the specific type of situation being reported. It requires details such as:
- Dates related to the situation and its discovery
- The nature of the reportable situation (e.g., significant breach, investigation, gross negligence, serious fraud)
- A description of the situation and the obligation breached
- Why a breach is considered significant (if applicable)
- How the situation was identified and how long it lasted
- Information about any representatives involved
- Details on rectification and client remediation efforts
- Steps taken to prevent recurrence
Under certain conditions, multiple reportable situations can be grouped into a single report submitted via the portal. This is permissible if the situations meet ASIC’s ‘grouping test’, which requires that the situations involve:
- Similar, related, or identical conduct (e.g., same factual circumstances)
- The same underlying root cause (e.g., a specific system error or process deficiency)
Even when grouping, the reporting deadline for each individual situation within the group must be met. If further related situations meeting the grouping test are identified after an initial report, they can often be reported using the update functionality in the portal, potentially benefiting from the 90-day reporting extension.
Client Notification and Remediation Obligations
Significant changes introduced in 2021 include obligations for licensees to notify affected clients and potentially provide remediation in certain circumstances. These obligations apply specifically when a reportable situation involves:
- A significant breach of a core obligation
- Conduct constituting gross negligence
- Conduct constituting serious fraud
These client-facing obligations are triggered if:
- The affected person is a retail client
- The licensee provided credit assistance concerning a credit contract secured by a residential property mortgage
- There are reasonable grounds to suspect the client has suffered, or will suffer, loss or damage as a result
- The client has a legally enforceable right to recover that loss or damage from the licensee
If these conditions are met, the licensee must take reasonable steps within 30 days of first suspecting the issue to:
- Notify the affected client(s) about the reportable situation
- Commence an investigation to identify the cause and quantify the recoverable loss or damage
Following the investigation, if the licensee confirms the client suffered recoverable loss or damage, they must take reasonable steps to pay compensation within 30 days of completing the investigation.
Implications of the Regulatory Changes
Increased Compliance Burden and Scrutiny
The enhanced breach reporting regime introduced significant changes for ACL holders, demanding greater vigilance and more robust internal systems. The expanded scope of what constitutes a ‘reportable situation’, combined with objective tests for significance and strict reporting timelines, necessitates a proactive approach to compliance.
ACL holders must ensure their internal protocols facilitate adherence to the new ASIC reporting obligations. Meeting these requirements often involves adjustments to existing risk and compliance processes.
Businesses holding an ACL need adequate resources to manage the increased compliance burden effectively, including:
- Financial resources
- Technological infrastructure
- Human capital
Additionally, organisations must establish:
- Clear internal reporting lines
- Defined accountabilities
- Processes for prompt investigation and escalation of potential issues
These measures are essential to meet reporting obligations under the new regulatory framework.
Penalties for Non-Compliance and Reputational Risks
Failing to comply with the mandatory reporting obligations under the Corporations Act 2001 (Cth) and the National Consumer Credit Protection Act 2009 (Cth) carries significant consequences for ACL holders. ASIC views breach reporting as a cornerstone of the regulatory structure, and non-compliance can attract substantial penalties.
These penalties can be both civil and criminal in nature:
For civil penalties, a body corporate may face:
- 50,000 penalty units
- Three times the benefit derived or detriment avoided
- 10% of annual turnover (capped at 2.5 million penalty units)
For criminal penalties related to failure to report:
- Fines up to 2,400 penalty units for a body corporate
- Potential imprisonment for individuals (up to two years)
Beyond financial penalties, non-compliance poses considerable reputational risks. ASIC has a statutory obligation to publish information about the breach reports lodged by licensees each financial year. This public disclosure may include licensee names and the volume of breaches reported, which can significantly impact a licensee’s standing within the industry and with consumers. To mitigate these risks, licensees should consider seeking guidance from compliance experts.
Strategies for Maintaining Compliance
Implementing Robust Internal Protocols
ACL holders must maintain adequate risk management systems and sufficient resources to ensure compliance with their reporting obligations under the National Consumer Credit Protection Act 2009 (Cth). This includes having robust systems, processes, and procedures to meet the breach reporting requirements, which form a critical part of a licensee’s compliance framework.
Failure to report a significant breach may itself indicate inadequate compliance arrangements. To facilitate adherence to ASIC reporting requirements, ACL holders should establish clear internal processes.
Consider these key elements for your protocols:
- Clear Guidelines: Develop unequivocal guidelines outlining internal reporting lines for when a potential reportable incident arises.
- Defined Accountability: Identify specific individuals within the organisation accountable for decisions regarding reportable situations.
- Staff Training and Awareness: Ensure employees understand the reporting processes, know whom to escalate potential issues to, and have enough information to identify a possible reportable situation.
- Prompt Investigation Procedures: Implement clear protocols for conducting swift internal investigations, aiming to complete them within 30 days where feasible to avoid triggering unnecessary reportable situations based on investigation length alone.
- Regular Process Checks: Institute processes to verify that compliance strategies are functioning effectively, minimising the risk of incidents being overlooked.
- Representative Oversight: Maintain robust arrangements for monitoring authorised representatives and credit representatives, ensuring potential breaches are identified, recorded, and escalated effectively.
These compliance protocols should ensure the new reporting obligations and timelines are met, thereby helping to manage regulatory risk.
Effective Record Keeping and Breach Registers
Maintaining comprehensive records is crucial for managing compliance with reporting obligations. While not explicitly mandated by the Corporations Act 2001 (Cth) or the National Consumer Credit Protection Act 2009 (Cth), ASIC considers a breach register practically necessary for licensees to demonstrate adequate arrangements for identifying and reporting all reportable situations.
A well-maintained breach register assists in:
- Tracking Incidents: Recording actions taken to identify, report, and resolve breaches.
- Assessing Significance: Providing data to assess the significance of breaches, particularly by tracking the number or frequency of similar breaches as required under section 50A(5)(a) of the National Consumer Credit Protection Act 2009 (Cth).
- Demonstrating Compliance: Showing ASIC that the licensee has systems to properly identify, record, and report reportable situations, including systemic issues.
ASIC expects that a breach register would contain information similar to that required in the reportable situations prescribed form. This helps licensees satisfy themselves and ASIC of their compliance efforts.
Conclusion
ASIC’s enhanced breach reporting regime, effective since October 2021, mandates ACL holders report significant breaches, prolonged investigations, gross negligence, and serious fraud under the Corporations Act 2001 (Cth) and the National Consumer Credit Protection Act 2009 (Cth). Adhering to the strict 30-day reporting timelines via the ASIC portal and implementing robust internal protocols are crucial for licence holders to manage compliance burdens and avoid significant penalties associated with these reporting obligations.
Whether you are applying for an ACL or managing ongoing compliance as an ACL holder, ensuring your credit service operations meet ASIC’s stringent requirements is critical. For trusted expertise in ensuring your credit service operations meet these ASIC requirements, contact the specialists at AFSL House today to safeguard your ACL and maintain regulatory compliance.
Frequently Asked Questions
The mandatory breach reporting regime for Australian Credit Licence holders commenced on 1 October 2021.
The main types include: significant breaches (or likely significant breaches) of core obligations; investigations into significant breaches lasting over 30 days (and their outcomes, even if no breach is found); conduct constituting gross negligence; and serious fraud.
A breach of a core obligation is significant if it is either ‘deemed significant’ by law (e.g., involves certain offences, civil penalty provisions, misleading conduct, or material loss/damage) or if it meets significance criteria based on factors like the number/frequency of similar breaches, its impact on the licensee’s activities, or indications of inadequate compliance arrangements.
No, not all breaches of civil penalty provisions are automatically deemed significant. Certain provisions are excluded from this deeming rule by regulations or Australian Securities and Investments Commission instruments (such as some relating to internal dispute resolution or specific failures to provide documents like a Financial Services Guide or Credit Guide if isolated). However, even if excluded from deeming, these breaches must still be assessed against the objective significance factors.
You generally must report a reportable situation to the Australian Securities and Investments Commission within 30 calendar days after you first know, or are reckless with respect to whether, there are reasonable grounds to believe a reportable situation has arisen.
If an internal investigation into whether there is a significant breach (or likely significant breach) of a core obligation continues for more than 30 days, the investigation itself becomes a reportable situation. You must report this investigation to the Australian Securities and Investments Commission within 30 days of it becoming reportable (i.e., within 30 days after day 31 of the investigation). The outcome must also be reported later.
Yes, as a licensee, you are responsible for reporting reportable situations that arise from breaches committed not only by the licensee itself but also by its representatives (e.g., employees, directors, credit representatives, or others acting on behalf of the licensee).
Yes, you may be able to group multiple reportable situations into a single report if they meet the Australian Securities and Investments Commission’s ‘grouping test’. This generally requires the situations to involve similar, related, or identical conduct and arise from the same root cause. Each individual reportable situation within the group must still meet its reporting deadline.
Failure to report a reportable situation when required is a breach of a legal obligation and can attract significant civil penalties (potentially millions of dollars for corporations) and criminal penalties, including fines and imprisonment. It can also lead to reputational damage, particularly as the Australian Securities and Investments Commission may publish data on reported breaches.