What is an Investigation?

As the new breach reporting obligations are about to commence from 1 October 2021, ASIC has provided an explanation of what constitutes an investigation into a possible breach and what should trigger the start of a 30-day window before investigations become a “reportable situation”.

Questions have been raised as to when an investigation into a possible breach starts amid concern that too many scenarios would trigger an investigation.

ASIC has outlined several situations in RG 78 that aren’t considered starting points.

ASIC has stated that the “mere receipt of a detective control” such as a disclosure from a whistleblower, a complaint, or a regulatory request is not an investigation that needs to be reported.

Further to this, “preliminary steps and initial fact-finding inquiries into the nature of the incident”, are not considered starting points, as long as they are completed over a short time frame and as an initial response.

ASIC also advised that, “business as usual inquiries such as routine audits, quality assurance monitoring, or other internal compliance review processes, are only reportable to us if they are triggered by an incident or assess, or will be, assessing a possible breach of a core obligation”.

These explanations also include four example scenarios − including fee for no service issues and complaints, and case studies designed to illustrate when an investigation is triggered and subsequently becomes reportable.

An investigation will now become reportable on day 31 of the investigation, after which licensees will have another 30 days to lodge a report to ASIC.

If you see something, say something

Most of us have heard this phrase before. It has generally been used in the US regarding recognising behaviours and indicators of terrorism and terrorism-related crime.

So why would I use this phrase then? Surely I’m not likening financial planners to terrorists?

Not at all!

The majority of advisers I know, and work with, are doing the best they can for their clients, in trying and often confusing circumstances. They need a little guidance and coaching along the way, but generally, they know their clients and they want good outcomes.

The reason this phrase has come to mind recently is that from 1 October 2021, the new breach reporting obligations commence.

From my point of view, one of the biggest components of the new obligations is that there is now an obligation for licensees to lodge reports in relation to other licensees.

Under this new obligation, a licensee must lodge a breach report when they first reasonably know that there are reasonable grounds to suspect that a reportable situation has arisen about an individual who provides personal advice to retail clients about relevant financial products (this excludes basic banking products, general insurance products, consumer credit insurance or a combination of any of these products) and is operating under another AFSL.

Some articles that I have read are calling this the “Dobbing Obligation”.

But is it really?

We cry out to be recognised as a profession, yet there has been an inherent reluctance in the industry to report advisers who engage in misconduct or poor advice outcomes for clients.

And the reason, for most Licensees, is that they have been concerned about lawsuits and claims of defamation.

So in other words, Licensees have acted in a Ïf you see something, don’t say something, just let the problem go”.

The new obligation provides Licensees with protections when they are sharing information for reference checking protocols. This, in my opinion, is a good step, as long as the information is based in fact and evidence. It cannot be based on opinion.

But it also opens it up to the greater adviser community.

If we are truly passionate about this industry, and about providing positive outcomes to our clients, don’t we also want to ensure that the minority, who may be doing the wrong thing, are not practising or moving between licensees.

Maybe it is time that when you come across some form of poor advice from another adviser that you ask the question of your licensee, or a compliance consultant. Maybe it is time that Ïf you see something, say something”.

To Breach or Not to Breach – That is the Question?

As an outcome to the Hayne Royal Commission, current breach reporting requirements have been strengthened and have also been introduced for credit licensees.

Up until the 1st of October 2021, there have been transitional arrangements for Australian Financial Service Licensees (AFSLs) to update their systems and processes for the new requirements.

AFSLs now have a reporting obligation when it ‘knows’ that there has been, or will be, a significant breach, and where they know that there are reasonable grounds to believe that it is the case or is reckless as to whether there are reasonable grounds to believe that it is the case.

The reporting obligation now extends to the investigation stage if the investigation has continued for more than 30 days.  ASIC also requires a report on the outcome of such investigations.

AFSLs will now need to notify clients of reportable breaches involving personal advice to retail clients and must investigate and quantify any loss or damage suffered and compensate the affected clients under this requirement.

The new regime also introduces an obligation for AFSLs to lodge reports in relation to other licensees. AFSLs must lodge a report with ASIC within 30 days after they first know there are reasonable grounds to suspect that an applicable reportable situation has arisen about individual financial advisers.

As an AFSL, you must report to ASIC a range of conduct that the law describes as reportable situations.

Reportable situations include:

  • significant or likely significant breaches of core obligations;
  • investigations into whether there is a significant or likely breach of a core obligation if the investigation continues for more than 30 days;
  • the outcome of such an investigation if it discloses there is no significant or likely breach of a core obligation;
  • conduct that constitutes gross negligence or serious fraud; and
  • conduct of financial advisers who are representatives of other licensees in certain prescribed circumstances.

Core obligations

Under s912A and s912B of the Corporations Act 2001 (Corps Act), the core obligations are that an AFLS must:

  • do all things necessary to ensure that the financial services covered by your AFSL are delivered efficiently, honestly and fairly;
  • comply with the conditions of your licence;
  • have adequate resources to provide the financial services covered by your licence and to carry out supervisory arrangements;
  • be competent to deliver the financial services covered by your licence;
  • have trained and competent representatives;
  • take reasonable steps to ensure that representatives comply with the financial services laws;
  • have dispute resolution systems in place for retail clients;
  • have adequate risk management systems; and
  • have compensation arrangements for retail clients.

Reportable situations

RG78 outlines four types of reportable situations:

  1. breaches or ‘likely breaches’ of core obligations that are significant;
  2. investigations into breaches or likely breaches of core obligations that are significant;
  3. additional reportable situations; and
  4. reportable situations about other licensees.

A likely breach is referred to as a reportable situation that an AFSL is no longer able to comply with a core obligation and the breach, if it occurs, would be significant.

There are reportable situations that do not require a determination of significance before being reported to ASIC. 

These include:

  • additional reportable situations (gross negligence or serious fraud), which must be reported to ASIC and require no determination of significance;
  • deemed significant breaches, which are automatically taken to be significant by law; and
  • investigations that continue for more than 30 days, which require consideration of whether there may be a breach (or likely) breach of a core obligation that is significant, but do not require determination of significance before being reported to ASIC.

Other breaches or likely breaches of core obligations will require a determination of significance before being reported to ASIC.  

When is a breach significant?

  1. Deemed significant breaches—In certain situations, a breach or likely breach of a core obligation is taken to be significant.
  2. Other breaches that may be significant—In other situations, a breach or likely breach of a core obligation will need to be considered against factors to determine whether it is significant.

An accurate and complete breach register can help with timely identification and adequate reporting. For example, if you identify a single, isolated breach which is not significant, it should be recorded in your breach register or in your risk management system. Although a single breach may not be significant, multiple breaches of the same kind may result in a later breach being considered significant.

What are deemed significant breaches?

For a breach of a core obligation to be deemed significant, it will have:

  1. the obligation breached is an offence that is punishable on conviction by a penalty of 12 months or more, or if the offence involves dishonesty, three months or more;
  2. the breach is constituted by a contravention of a civil penalty provision, unless excluded by regulation;
  3. the obligation breached is with regards to misleading or deceptive conduct in relation to a financial product or financial service; or
  4. the breach results, or is likely to result, in material loss or damage to customers.