New ASIC RG 78 issued this morning


Dear All,

ASIC has released a new Regulatory Guide 78 (RG 78) on breach reporting this morning, which is applicable to AFSL and ACL holders.

Key changes

The following key areas are noted:

  • clarifying when licensees may group multiple reportable situations into one report

  • guidance on how to describe the reportable situation

  • new guidance for reporting updates related to a previously reported breach - including providing updates every 6 months

  • new guidance on the reason for the original breach and a requirement for root cause analysis

  • new guidance as to what constitutes a ‘similar’ reportable situation

  • new guidance on calculating and reporting the number of clients affected

  • new guidance on how to withdraw an already submitted breach report

Updated breach reporting form

In addition, an updated breach reporting form will be issued from 5 May, with the following changes:

  • the question ‘When did you first become aware that a breach, serious fraud or gross negligence had occurred—or that you were no longer able to comply with a core obligation’ will change to ‘Specify the date when the potential breach, serious fraud and/or gross negligence was first discovered’.

  • guidance on when an investigation is complete is included, which is stated as after the licensee has determined the root cause(s), identified all affected clients and identified all instances of the reportable situation

  • describing the reportable situation is updated - the level of detail to include in the description of the reportable situation should take into account the impact, nature and complexity of the breach, including by providing greater detail for reportable situations that involve client loss or other client or market integrity impacts, and which are not one-off or isolated breaches

  • clarifying that licensees should provide genuine estimates of client losses based on information available at the time of reporting.

  • clarifying what constitutes ‘similar’ when answering the question ‘Have any similar reportable situations previously occurred’

  • drop downs for root cause analysis

LNP Audit and Assurance initial observations

The guidance has been issued as a result of the new breach reporting regime in place since 1 October 2021 and industry consultation since then. ASIC has commented previously that the uptake of the new regime was less than they expected - they had expected more reports under the new regime than they received.

They are now referring to breaches as reportable situations and there is more detail expected to be reported. There is a particular focus on 'root cause analysis', and providing numerical and descriptive information about the number and effects of a breach. We also observe that ASIC's approach to 'guidance' is that they usually expect licensees to address all guidance relating to relevant circumstances.

The new RG 78 is available now here - https://download.asic.gov.au/media/pgiemipd/rg78-published-27-april-2023.pdf

LNP Audit and Assurance is one of the largest independent Audit and Assurance practices in Australia.  We have significant expertise in financial services,  working with around 100 AFSL holders, a number of ACL holders, with NZ FMA licence holders, and clients in many other parts of the world. 

We would be very pleased to talk to you about the above or other compliance or audit matters, especially as the FY 2023 audit season is nearly upon us. If you want to talk to us about that, please get in touch!

Thanks
Tony Rose
Director
LNP Audit and Assurance
