As the new breach reporting obligations are about to commence from 1 October 2021, ASIC has provided an explanation of what constitutes an investigation into a possible breach and what should trigger the start of a 30-day window before investigations become a “reportable situation”.
Questions have been raised as to when an investigation into a possible breach starts amid concern that too many scenarios would trigger an investigation.
ASIC has outlined several situations in RG 78 that aren’t considered starting points.
ASIC has stated that the “mere receipt of a detective control” such as a disclosure from a whistleblower, a complaint, or a regulatory request is not an investigation that needs to be reported.
Further to this, “preliminary steps and initial fact-finding inquiries into the nature of the incident” are not considered starting points, as long as they are completed over a short time frame and as an initial response.
ASIC also advised that “business as usual inquiries such as routine audits, quality assurance monitoring, or other internal compliance review processes, are only reportable to us if they are triggered by an incident or assess, or will be assessing, a possible breach of a core obligation”.
These explanations also include four example scenarios, including fee-for-no-service issues and complaints, and case studies designed to illustrate when an investigation is triggered and subsequently becomes reportable.
An investigation will now become reportable on day 31 of the investigation, after which licensees will have another 30 days to lodge a report to ASIC.