THE STARTING POINT
This edition of HSF FSR Australia Notes delves into a phenomenon which we see as increasingly prevalent in the Australian financial services market, namely the over-reporting or under-reporting of significant breaches under section 912D of the Corporations Act. The burning question then becomes: what is the right compass setting for breach reporting?
We will examine this question primarily through a governance lens.
THE CHANGING LANDSCAPE
In the context of governance around breach reporting, it is important to recognise that the breach reporting regime in section 912D of the Corporations Act is the subject of a reform proposal to significantly broaden the circumstances in which breaches must be reported to ASIC.
The current breach reporting regime does not capture the question of whether to report a breach which may have occurred. This is despite the fact that the current regime refers to “likely” breaches: section 912D scopes a likely breach to arise when, and only when, the licensee is no longer able to comply with the obligation. This requires the licensee to make a binary decision about whether it can or can no longer comply (and so whether a future breach will or will not occur), rather than a probabilistic assessment of the likelihood of a breach. This is a surprising outcome given the plain and ordinary meaning of “likely” and the inquiry that meaning would suggest, but it is the result of a choice by the legislature, in the 2003 reforms to section 912D, to give certainty to the meaning of “likely”.
It is also worth noting that the reforms to section 912D which the Government announced in January will still, in some cases, require consideration of whether a breach may have occurred. These reforms propose to divide the provisions relevant to breach reporting into two categories: “core obligations” (e.g. section 912B), and others (e.g. where a licensee or a representative has committed serious fraud). In the case of “core obligations”, a licensee will need to report to ASIC a breach which is significant in its own right, a likely significant breach, or an investigation into whether a significant breach of a “core obligation” has occurred. The proposals retain the “likely” breach test in the current section 912D. A licensee will be required to report by reference to when it “reasonably knows” that a reportable situation has arisen (a test which itself involves considering whether a person is aware of a substantial risk of an event happening). That test invites consideration of the fundamental question of whether a breach has occurred at all, and so continues to raise the issues discussed above in respect of section 912D. You can read further details of this reform proposal (and the rest of Treasury’s financial services reform package) in our article FSR Consultation Package – The 2020 Vision.
With the coming of the Financial Accountability Regime (FAR) and ASIC’s future role in administering that regime, the question arises as to the extent to which a financial services licensee would have to disclose events which may give rise to a breach, independently of section 912D. Two important accountability obligations proposed for FAR, which have their origin in the current BEAR provisions, relate to dealing with APRA and ASIC in an open, constructive and co-operative way, with the obligation imposed on the regulated institution being subject to a “reasonable steps” qualification. There is little guidance on the scope of that obligation under BEAR, and the FAR proposals paper is similarly limited. However, it is conceivable that a regulator could say that a future FAR obligation to deal with APRA and ASIC in an open, constructive and co-operative way encompasses reporting breaches which may have occurred but have not met the degree of certainty contemplated by the breach reporting requirement. This is particularly so given the “community expectations” referred to by the Royal Commission, expectations which it will fall to ASIC and APRA to divine and enforce.
With all these developments, and an expanding framework of reporting obligations, the role of a savvy governance regime around breach reporting becomes all the more crucial.
THE NATURE OF THE BEAST
It is fair to say that in recent times we probably see more over-reporting of breaches than under-reporting. There are several reasons for this.
On the one hand, over-reporting is often equated with being a good corporate citizen and “doing the right thing”. At this level, over-reporting can be linked to a strand of corporate morality; a tangible indication of the community standing, decency and even superiority of the particular organisation.
At another level, over-reporting can occur out of a motivation to be seen by the regulator as having strong ethical and compliance values. Importantly, it is viewed as a central mechanism for maintaining a strong and transparent relationship with the regulators. This phenomenon has become particularly commonplace following the Royal Commission, but really began a few years ago when the then ASIC Chairman Greg Medcraft called for greater scrutiny of the significance test and the delays it caused in breach reporting:
“I think that word significant breach probably needs to be revisited because there’s a lot of light interpretation and people could spend several years working out what is significant” — then ASIC Chairman Greg Medcraft
Over-reporting usually occurs in one of three distinct scenarios:
- The first is where the reporting institution is not certain whether an incident has the status of a significant breach, but reports it nonetheless to be on the safe side.
- The second is where the institution genuinely believes that an incident is a significant breach but in reality has either over-inflated the significance of the breach or, as sometimes transpires, the incident is not in fact a breach of financial services law. An example of this second scenario is where the institution reports an incident as breaching the “efficiently, honestly and fairly” licensing obligation in section 912A of the Corporations Act when in fact a pre-condition to such a breach is not met, because the incident did not occur in relation to the provision of a financial service (refer to HSF FSR Notes: Spotlight on efficiently, honestly and fairly edition).
- The third scenario, which in our experience has become increasingly common, is where the reporting institution does not technically breach report but instead notifies ASIC or APRA “voluntarily” of a “Clayton’s” breach, howsoever called. Here, the institution is effectively saying to the relevant regulator: “This is not a breach or, if it is, it is not significant”, but “in case you disagree, at least we told you”. Suffice to say that the status of this third variant is somewhat unclear.
While over-reporting continues to be an increasing phenomenon, routine under-reporting also remains an issue.
Under-reporting occurs usually in one of the following scenarios:
- The first is where the assessment of the breach is incorrect. Here, the institution genuinely believes, with or without the benefit of legal advice, that the relevant incident is not a breach or, if it is, that it is not significant.
- The second scenario is where the institution is not aware of the relevant incident at all and so, on a more existential level, can be seen to be under-reporting.
Perhaps ironically, the commercial implications of over-reporting and under-reporting are the same or similar, insofar as both can cost the relevant financial institution dearly, not just in a monetary sense but also in a reputational sense. Under-reporting can of course lead to regulatory intervention. Over-reporting can also lead to regulatory intervention. So naturally there is, or should be, a commercial imperative to neither over-report nor under-report.
This is, of course, easier said than done. Most financial institutions are either monolithic or megalithic (or both), and calibrating breach reporting to the “just right” setting is no easy feat. Naturally, many institutions may feel it better, at least as a cultural statement, to over-report in preference to under-report. But this sentiment overlooks the fact that the breach reporting setting does not have to sit at either of these polarities.
So what does the “just right” setting look like?
In our strong view, based on our experience, the ability to achieve the “just right” setting is a function of three factors.
Factor 1: The first is competency and resources to detect and analyse the breaches.
Factor 2: The second is a cultural and management environment that facilitates and does not impede the recognition of incidents and breaches upstream in the management structure.
These first two factors have to be assumed in a modern, competitive financial institution (or at least we will assume them for present purposes, as unpacking them is beyond the ambit of this article).
Factor 3: It is the third factor that we wish to focus on, which is governance.
Governance in this context includes compliance but transcends it, insofar as good governance around breach reporting does not just happen. In our experience, it requires considerable thought and acumen, as well as structure.
There are several elements we have seen as constituting good breach reporting governance:
- Proactivity in practice: Identifying possible breaches depends on proactive as well as reactive processes. Proactive sources can include matter reviews and debriefs, analysis of client complaints, and monitoring of comparable industry experience;
- Breach reporting structures and stakeholder involvement: Clearly, having a strong breach reporting committee is essential, particularly in large organisations where decisions are made below Board level. But beyond this generality, in our experience the importance of strong legal representation on such a committee or decision-making forum is often not given sufficient weight. Or, if it is, the representation is inadequate because of insufficient attention to practical matters such as having a sufficiently senior legal practitioner sitting on the committee. In some cases we have witnessed, there is an experienced lawyer on the committee, but he or she is viewed and treated as peripheral or a mere formality; and
- Escalation and review: This leads to a crucial governance aspect, which is the presence of a review, approval and oversight level that is an ordinary out-working of the breach reporting structure, and not one that needs to be invoked by “special resolution”, as it were.
In our experience, where breach determination decisions are made below Board level (particularly in large vertically integrated organisations), it is vital that a smaller body of ultimate decision-makers sits above the ordinary day-to-day functioning breach committee. It is equally vital that this oversight body can be brought into the ultimate decision-making process by either referral up from the ordinary body, or through proactive oversight over the ordinary body.
One additional governance issue is the extent to which the Board is involved in the process. We consider that, at a minimum, the Board should be informed of all breach reports made, as part of management’s regular Board reporting framework.
At this juncture, the argument may well be raised that having such a second body is overkill or would undermine the integrity or authority of the larger body.
Our response is that it is not, provided the oversight committee is properly set up with a sound rationale, and that rationale is properly articulated and communicated. The rationale starts with the proposition that a second body is needed to act as a safeguard and checkpoint for the first.
First instance decisions of a breach committee can go awry for many reasons: the matter may be extremely complex, the issue of law untested, or the decision-makers may lack key information that is available to the smaller oversight body.
In many cases, “first instance” decisions of the larger day-to-day body are extremely well reasoned, well intended and well ventilated, but there is some key piece of the puzzle of which the body is either unaware or whose importance to the ultimate decision it has underestimated.
COMPOSITION OF THE OVERSIGHT BODY
There is no right answer or formula for the optimal composition of the oversight body, as it will depend in large part on the nature and operations of the relevant financial institution. The oversight body could be a single person.
In our experience, it is usually one to three people: typically senior, typically a mixture of skill-sets, but with legal or risk personnel being prominent.
The right oversight committee can assist enormously in finding the right breach reporting setting and balance, as well as generating enormous value for the organisation from compliance, reputational and cost perspectives.
ALTERNATIVE PATHWAYS TO ENGAGE WITH THE REGULATOR
It may be the case that, while a particular incident does not constitute a breach of financial services law, the financial institution nonetheless wishes to inform the regulator of the issue on an “FYI” basis. Here, the institution can consider alternative routes for notifying the regulator, such as through the institution’s regulatory relationship team or contacts. This approach has the benefit of maintaining an open and transparent relationship with the regulator without using the prescribed breach reporting forms, which are not typically fit for purpose in the context of voluntary reports.
As mentioned earlier, however, even purely voluntary reporting warrants close consideration by a committee, with the same or similar governance oversight safeguards mentioned above.