Notifying customers of breaches under Mandatory Breach Reporting obligations
Mandatory Breach Reporting becomes effective 1 October 2021 and there are obligations to notify, investigate and remediate customers in certain circumstances.
Reporting to impacted customers
The obligations to notify, investigate and remediate customers will be triggered when the following circumstances exist:
- A credit licensee or one of its representatives is a mortgage broker who provides or has provided credit assistance to the affected client in relation to a credit contract secured by a mortgage over residential property
- A relevant reportable situation has occurred, or there are reasonable grounds to believe a reportable situation has arisen
- Loss or damage – there are reasonable grounds to suspect the affected client has suffered or will suffer loss or damage as a result of the relevant reportable situation
- There is a legally enforceable right to recover the loss or damage, or there are reasonable grounds to suspect that the affected client has a legally enforceable right to recover the loss or damage from the licensee.
Where all four circumstances exist, you must notify the customer of the reportable situation. The loss or damage the customer has suffered or may suffer does not need to be the result of the credit assistance provided, but rather is or could be a result of the reportable situation.
For the purposes of notifying the customer, a relevant reportable situation arises when there is:
- A significant breach of a core obligation
- Conduct that constitutes gross negligence or serious fraud
Loss or damage
The term 'loss or damage' is not defined in the legislation. In determining whether there is loss or damage to an affected client for these purposes, it is not relevant to consider whether or not that loss or damage is material.
Legally enforceable right to recover loss or damage
Circumstances in which an affected client will have a legally enforceable right to recover loss or damage arising from a reportable situation include a licensee's or representative's negligence or dishonest conduct.
Compliance with the obligations
If all four triggers outlined under "Reporting to impacted customers" have occurred, you must take the following actions:
- Notify the affected customer of the breach of the law within 30 days. You must take reasonable steps to notify the customer in writing of the breach.
- Start an investigation into the full extent of the breach within 30 days.
- Take reasonable steps to notify the affected customer in writing of the outcome of the investigation within 10 days of concluding the investigation.
- If there is loss or damage and an enforceable right to recover it, take reasonable steps to pay the affected customer remediation of an amount equal to the loss or damage within 30 days of concluding the investigation.
Remember: you must retain records to demonstrate your compliance with the obligations to notify, investigate and remediate impacted customers. Failure to keep adequate records is also a criminal offence.
ASIC can take enforcement action against licensees who fail to comply with these obligations. Examples of compliance failures which would result in enforcement action are:
- failure to take reasonable steps to notify affected clients within the required timeframes
- failure to undertake an investigation in accordance with the requirements
- failure to remediate affected clients as required or within the required timeframes.
What ACL holders must do:
Holders of an Australian Credit Licence (ACL) must ensure that they:
- Have sufficient frameworks to identify breaches or likely breaches under the mandatory reporting obligations that could trigger the requirement to notify, investigate and remediate clients;
- Have in place a breach reporting policy, procedure and framework;
- Have in place a customer remediation policy and procedure.
For more information on creating a breach reporting framework, refer to our wiki articles: