Breach Reporting

What are the breach reporting obligations?

Based on a recommendation from the Royal Commission, breach reporting requirements are being enhanced to align credit with financial services reporting, to allow ASIC to detect significant non-compliant behaviours early and to address emerging trends of non-compliance in the industry.

Licensees are required to report breaches by the licensee as well as its representatives (including credit representatives) when deemed significant.

What breaches require reporting?

There are four types of reportable situations: 

  • Breaches or ‘likely breaches’ of core obligations that are significant;
  • Investigations into breaches or likely breaches of core obligations that are significant;
  • Additional reportable situations; and
  • Reportable situations about other licensees.

Likely breaches - when the licensee is no longer able to comply with a core obligation

Core obligations - refers to your existing obligations under NCCP

How does this impact you?

If you as the broker identify something that may be a breach, as per the above, or doesn’t look right, report it to the Risk and Compliance team using the incident form in MyCRM under Resources > Complaint/Situation. The Risk and Compliance team will be advised of the incident and will investigate to determine whether it is a significant breach that requires reporting.    

A situation can become automatically reportable (‘deemed significant’) in the following situations:

  • If the breach results (or is likely to result) in material loss or damage to a client. Loss to the client is not limited to financial loss, but it is necessary that the loss or damage to the client is material.
  • Breaches relating to the commission of a criminal offence or civil penalty (e.g. civil penalty - responsible lending, acting in the best interests of your client, prioritising the interests of your client) 
  • Breaches concerning misleading or deceptive conduct. 
  • Gross negligence and serious fraud.
  • Investigations >30 days, or that demonstrate a breach. 

Other breaches may be reportable when they are ‘significant’.  Factors to consider include number, frequency, and effect on the licensee. 

If you need more information you can contact