As most superannuation trustees will be aware, until quite recently, institutions regulated by both APRA and ASIC were required to meet separate breach reporting regimes. The rationale was that breach notifications provide each regulator with valuable information to help identify emerging trends or issues and alert them to specific breaches of the law.
While duplication in breach reporting for dual-regulated entities has been reduced via the online, single breach report system administered by APRA, the two regulators’ approaches to breach reporting are consistent in rationale, but not identical.
ASIC’s Approach to Breach Reporting
ASIC’s approach to breach reporting for AFS licensees is contained in Regulatory Guide 78. An AFS licensee must tell ASIC in writing within 10 business days about any significant breach (or likely breach) of its obligations. Lack of notification is considered, in itself, a significant breach of the financial services laws. AFS licensees are expected to have a clear, well-understood and documented process for identifying breaches.
Where an AFS licensee is a body regulated by APRA, obligations regarding adequate resources or risk management systems do not form part of the relevant AFS licence conditions, but are determined by APRA’s prudential standards and rules.
While the Corporations Act does not require you to maintain a breach register, ASIC considers that in practice, an AFS licensee should maintain a breach register to ensure adequate arrangements are in place to comply with the obligation to identify and report all significant breaches (or likely breaches).
While not binding, ASIC considers that a breach register should contain the kind of information ASIC is likely to require in a written breach report including:
- The date the breach occurred and when you became aware of it, the date it was reported to ASIC (if required) and rectified. If a likely breach, the date from which it is anticipated you will no longer be able to comply with your obligation(s).
- The obligation that has been breached (or is likely to be breached), including the section of the Corporations Act that sets out that obligation, and any relevant financial services law or AFS licence condition.
- Why the breach is significant.
- How the breach was identified (e.g. via client complaint).
- How long the breach lasted.
- Details regarding any authorised representative who was involved.
- The process and responsibilities for handling the breach (or likely breach), including any remedial steps. If ongoing steps are being taken to rectify the breach (or likely breach), an indication of when ASIC is expected to receive a rectification progress report.
- Any steps that have been, or will be, taken to ensure future compliance with the obligation.
APRA’s Approach to Breach Reporting
Among other functions, APRA enforces a comprehensive framework of prudential standards and prudential practice guides to promote sound financial and risk management, and good governance for superannuation trustees.
APRA’s prudential standards and guides – including the Risk Management Prudential Standard SPS 220 and Prudential Guide SPG 220 – set out minimum capital, governance and risk management requirements, which are legally binding on superannuation trustees.
APRA requires, amongst other things, that an RSE licensee has:
- Systems for identifying, assessing, managing, mitigating and monitoring material risks that may affect its ability to meet its obligations to beneficiaries. These systems, together with the structures, policies, processes and people supporting them, comprise an RSE licensee’s risk management framework.
- A risk management framework that is appropriate to the size, business mix and complexity of the RSE licensee’s business operations.
- A risk management framework that enables the RSE licensee to implement risk management approaches that appropriately manage different types of risk.
- A Board-approved risk management strategy that describes, among other things:
a) the process for monitoring, communicating and reporting risk issues, including escalation procedures for the reporting of material events and incidents; and
b) the mechanisms in place for monitoring and ensuring ongoing compliance with all prudential requirements; and
- Controls that include:
a) A system for assessing the design and effectiveness of controls and for monitoring compliance with controls, including escalation procedures for accelerated reporting of material control failures and compliance breaches and exceptions to the Board, Board committees and senior management;
b) Policies and procedures that document controls and treatment plans for the resolution of non-compliance issues including fraud and instances of material failures in business processes or systems;
- A methodology for notifying APRA when the RSE licensee becomes aware of a significant breach of, or material deviation from, the risk management framework, or discovers that the risk management framework does not adequately address a material risk; and
- Technical, human and financial resources at a level adequate for the RSE licensee’s business operations.
Ongoing Documentation & Assessment via the Smart Use of Technology
At the heart of both regulators’ approaches is an adequate process of documentation and risk assessment. A practical, operational, internal breach escalation and reporting mechanism can be considered a core component of such a risk management framework. The ability to consistently capture pertinent information surrounding compliance breaches or likely breaches – whether ‘significant’ or not – will allow an organisation to improve the quality of the documentation that may be required to keep regulators and internal decision makers ‘happy’.
By combining its superannuation/financial services expertise with the smart use of technology, Hive Legal has developed the Hive Legal Super App, a Breach Reporting Application for superannuation trustees to capture key details about compliance incidents. It is designed to assist an organisation to understand, identify, properly manage, rectify and escalate (where necessary) breaches or likely breaches, which may help to minimise liability and reduce the likelihood of enforcement action by APRA and/or ASIC. It also enables good documentation of compliance incidents, including: the breach or likely breach; whether the incident is considered ‘significant’; the impact on members; the financial impact on the relevant fund or company; the similarity to, or recurrence of, other known compliance incidents; which legislative provisions may have been breached; and whether any internal policies have been breached.
David Reckenberg, Consultant, Hive Legal
Rebecca Lim, Senior Associate, Hive Legal