Proposed changes to self-reporting of contraventions including new and higher penalties
The Australian Securities and Investments Commission (ASIC) is becoming more proactive, and a recent review proposes expanding the regulator’s powers.
The ASIC Enforcement Review Taskforce has so far released five Position and Consultation Papers, which provide valuable insight into the regulator’s direction and need to strengthen certain enforcement abilities.
We will review the main issues across four parts, starting this week with consultation paper one:
Self-reporting of contraventions by financial services and credit licensees.
Proposed changes include:
Providing more clarity to the “significance test” in section 912D of the Corporations Act 2001 (Cth).
The Taskforces wishes to ensure significant breaches are determined objectively. Currently, the test is thought to be too subjective. The trigger to report would involve breaches that a “reasonable person would regard as significant”.
Breaches to be reported within 10 business days
from the time obligation to report arises. This effectively extends breach reporting to suspected or potential breaches – licensees will need to take time to determine if a breach has occurred before reporting i.e. from when the licensee becomes aware or has reason to suspect that a breach has occurred.
We would suggest the time be extended beyond 10 days, as licensees need adequate time to conduct preliminary investigations.
Higher penalties for failure to report as and when required.
Current criminal penalties are a maximum of $9,000 or/and one-year imprisonment for an individual, and $45,000 for a body corporate on current measures. The proposed higher maximum is not specified at this stage.
Introducing a civil penalty in addition to the criminal offence for failure to report as and when required.
There is currently no provision for civil penalties, but the taskforce believes that ASIC is likely to act more often if they can impose civil penalties. Penalties are not yet specified.
An infringement notice regime for failure to report breaches.
There is currently no infringement notice regime, but it is thought this will allow ASIC to issue infringement notices for less serious contraventions.
One wonders whether this is necessary considering a civil penalty regime is already proposed, particularly when ASIC wants to positively encourage reporting of breaches.
Encourage a co-operative self-reporting regime.
This would involve licensees reporting breaches, including suspected or potential breaches, and employee or representative misconduct, at the earliest opportunity. The idea is to create a formal provision meaning ASIC will not act where a licensee self-reports, provided other requirements are satisfied, such as reports detailing a program and timing to investigate and remediate the breach.
This is likely being introduced to provide some comfort or balance to the pecuniary measures. Any penalties should be relieved or reduced to the extent of any co-operation.
Prescribe report contents required under section 912D, and require electronic delivery.
The Taskforce considers electronically lodging breach reports in a prescribed form would enhance the reporting process. This would include required information and supporting documents. ASIC would benefit by more easily identifying trends and problem areas – ASIC will then publish aggregate information about self-reporting results, according to the proposal.
Introduce a self-reporting regime for credit licensees.
Currently, credit licensees are only required to monitor compliance and provide an annual compliance certificate. This is considered insufficient. The proposed change would be equivalent to the regime for AFS licensees under section 912D of the Corporations Act, which would be a step-up in compliance for credit licensees.
Ensure qualified privilege continues to apply to licensees reporting under section 912D.
This is important to protect licensees from third party liability when making reports in good faith pursuant to the requirements of the regime.
Remove the additional reporting requirement for responsible entities.
This will be welcome as it avoids unnecessary duplication.
Require annual publication by ASIC, of breach report data for licensees.
This may be problematic because it proposes information be published by ASIC at the firm and licensee level.
It is thought this proposal would enhance accountability and be an incentive for improved behaviour. However, many think it unnecessary, and the other measures should be sufficient.
Part two in the series will look at proposals to increase ASIC’s search warrant powers.