Centrepoint Alliance Limited (CAF) Earnings Call Transcript & Summary

Good morning, everybody, and thank you all for joining us for our Virtual Responsible Manager Training today, sweeping changes to breach reporting presented by Head of Licensee Standards at Centrepoint Alliance, Nicole Alexander. Before we continue, can I please ask that you type into the questions box, so I know you can hear us okay. Great. Thank you. Please note, this webinar is being recorded and will be made available through Centrepoint Connect later today. Today's webinar will include a polling feature. In order to receive your relevant CPD hours, please ensure you contribute to the discussion by choosing your preferred answer to each question as they show on your screen. If you would like a copy of today's slides, you can find a PDF ready for download in the handout section in the panel on the right-hand side of your screen. [Operator Instructions] Well, I won't delay you any longer. Let's get into our first responsible manager training of the year. Over to you, Nicole.

Thanks very much, Jess, and thanks for joining us today for our responsible manager training. There's been quite a bit of interest in today's session about the new legislation relating to breach reporting. It's obviously an important part of the obligations of licensees, and it is quite significantly different to the way breach reporting is currently done. So we're going to go through today talk all about the new legislation. And I guess it's going to be a lot of new content and there might be quite a bit of content. So as we go through, quite happy for you to type in any questions, anything you want clarified and we'll pause periodically throughout the session and try and answer some of those questions as we go. Okay. All right. Moving on. So in a little bit of detail, the sorts of things we're going to be talking about today are the legislative changes and how we look at how they are different to the current requirements. So you can see the differences. And potentially, you might find that you don't actually do a lot of breach reporting currently. But I think what you'll see is from the new legislation is that your breach reporting will likely increase even for small licensees. So we're going to go through what they call a reportable situation and core obligations. Now that might not mean a lot to you at the moment, but we will talk about that as we go through. And we'll look at how you would assess a breach, sorry, and how you will apply the significance tests. And you should be fairly familiar with how to test for significance. But again, there's new tests in the new legislation. So we determine when you have to report investigations. And right at the end, we're going to touch a little bit on additional requirements to breach reporting on new obligations to investigate and remediate misconduct. So there's a fair bit to get through there today, but we're going to start off with breach reporting. So the Royal Commission bill -- or the Response Bill that came out of the Royal Commission included a range of new legislation, breach reporting was one. And as I said, there was another on remediating -- investigating and remediating this conduct. So starting off with the breach reporting, I thought it would be good to have a look at the current requirements. Currently, licensees are required to report significant poor behavior to ASIC. That helps them to identify and address noncompliance early in the process. So the current breach reporting regime says that licensees have to notify ASIC about breaches that are significant, and you have to do so within 10 days of becoming aware of the breach. So there's a fairly short amount of time to do that. In the industry, concerns have been around for some time about that reporting requirement mostly because it's a fairly subjective test of significance, which means licensees have to individually make assessments whether or not to report a matter. And the criticism of that is that it can sometimes result in inconsistent reporting. While some licensees might assess a matter and find it to be reportable, another would assess something similarly and decide that it's not reportable. So I think, though, for the most part, licenses would certainly report if there was a significant financial loss to a client as a result of poor advice or always something systemic. So looking at the new legislation just overall, it came about because -- it came about because of the Royal Commission, but really, it started with an ASIC Enforcement Review Task Force report, which was done in 2017 where they made a lot of recommendations that the Royal Commission then later decided to adopt essentially. And this new legislation will come into effect on the 1st of October this year. It is a little way away, but it's a good time now to start really getting ahead around the new obligations. So this summary is just some of the key parts of the legislation that we'll look into in more detail. So the new legislation does go into a fair bit of detail about what breaches will be reportable. And as we sort of mentioned, it's in an effort to make that reporting more consistent and less subjective or less ambiguous for licensees about what should and shouldn't be reported. So what they're calling those breaches that need to be reported now are called reportable situations. So we'll use that term a little bit today. And there's essentially 2 reportable situations: one is a breach of what they call core obligations, and the second one is what they say is serious compliance concerns or misconduct. So there's 2 parts to it. Often licensees will also need to investigate whether there's been a breach or not. And in some circumstances, under the new legislation, you will need to report to ASIC that you're doing an investigation even if, at a later point, the investigation determines that there was no breach. Additionally, the significance test gets a bit of a makeover. And there's 2 tests. One is where some breaches are deemed to be significant. So if it occurs, it's always reportable. There's no ambiguity about whether you should or shouldn't report it. Others, you do need to assess under a second test as to whether that's reportable. So it does get quite complicated. It's not straightforward. Also the timing which to report has been extended to 30 days instead of 10, which is great. Not so great potentially is that the licensees will also be required to report other licensees to ASIC if you have reasonable grounds to believe that a reportable situation has arisen, and we'll talk about when that might occur later. That's certainly a fairly new obligation. So going to kick off with a few polling questions as we go along. So our first polling question is about which of the following is not a key change to the breach reporting legislation. Hopefully, Jess is launching that poll for us?

Yes, that is on everybody's screen now.

Great. So you get your votes in.

So the options, for a little bit longer?

Thanks. So the options there are the time frame in which to report a significant breach has extended from 10 days to 30 days. There is no change in the way that a licensee will assess if a breach is significant, is B. C, the new legislation defines what is called a reportable situation. And D, investigations into potential breaches may need to be reported to ASIC. [Voting]

All right. So it looks like the most popular answer at the minute is B, with 42%, and then D shortly following behind on 30% of voters.

Yes. So remembering that what we're entering here is which of the following is not a change.

All right. We'll close that one off now.

Okay. So again, the majority of people were correct in that the thing that isn't correct is that there's no change into the way a breach is assessed. There are quite a lot of changes to the way breaches will be assessed, but all the others are correct. We do have a longer time frame. The legislation determines what's a reportable situation. And we may need to invest -- report investigations. Okay. All right. So we're going to now look at reportable situations in more detail. And we mentioned before, there's 2 branches. There's core reportable situation and additional reportable situations that look at the serious compliance concerns. So it's probably easier to start with the additional reportable situations. They focus on gross negligence and serious fraud. So careless mistakes are inattention that might result in damage, could potentially be negligence. But when we're looking at gross negligence, we're looking at actions that are deliberate or reckless when we're talking about gross negligence. And fraud, well, naturally, it's defined as deception intending to result in personal or financial gain. So all of those types of breaches, those really serious compliance concerns are considered a reportable situation. So that's fairly straightforward. The area that's a bit more interesting and a bit trickier is what is the core reportable situations. And it's defined as where there are -- is a breach of the core obligations of a licensee and when those core obligations are significant. So as you can probably already see, this requires you to know which obligations are core obligations and which ones are then significant. There is a second part there about investigations, but we're going to look at that entirely separately a little bit later. So we're going to start with the core obligations. So what are your core obligations? So it includes all of the general license obligations, all of the things like your obligations to have -- do things fairly efficiently, honestly, et cetera, those sorts of things. It's set out in Section 912A of the Corps Act. It's the sort of things that are on your license that you receive from ASIC when you get your license. So as we said, providing services efficiently, honestly and fairly; ensuring you have adequate compliance arrangements in place. You need to do things like manage conflicts, manage risks, make sure your representatives are trained and competent, et cetera. So those things are all your core obligations. They may also include any license conditions that you have that are unique to you that you need to comply with. Having adequate compensation arrangements is captured there. So if you fail to have adequate professional indemnity insurance, that's considered to be one of your core obligations, of course. And then there are certain financial services laws that are listed that may be considered a core obligation. It's not all of them, but it says here that under Chapter 7 of the Corporations Act, that is considered a core obligation. And it really deals with or governs how your financial services are provided. You'll know most of them even though you might not have been aware that they're part of Chapter 7 of the Corporations Act. Additionally, there's what they call Division 2 of Part 2 of the ASIC Act and that specifically deals with unconscionable conduct and other consumer protection laws when we're talking about providing financial services. We're going to have a look at them in a little bit more detail, those financial services laws. So I've listed some of them. Now it's not really possible for today to list all of them, but this gives you the general flavor of it anyway. So within Chapter 7, there's a range of requirements about how advice and services should be provided to clients. It includes things like giving an FSG, giving an SOA, your FDS obligations, et cetera. It also includes all of the best interest duty obligations and other parts of Chapter 7 look at more licensee obligations, more than sort of advice obligations. And it includes things like notifying ASIC of certain matters such as any changes to the license, about any changes to who its representatives are and things like your obligations to lodge financial statements, your FS70s and 71. Then we've got the ASIC Act, which focuses on conduct that would affect consumers such as unconscionable conduct, misleading and deceptive conduct and making false and misleading representations. Just recently, there was a media announcement from ASIC about an adviser who was banned for sending clients misleading and deceptive e-mails. So this would be potentially an example of that. What that adviser did back when MySuper products came out, he would e-mail clients encouraging them not to opt out or to exit MySuper products. And he falsely claimed that MySuper fees would be higher than their current fees. And as a result, clients didn't take up the cheaper MySuper products that may have been better for them and he ended up being banned for those fulsome misleading representations. As I said, we'd probably pause now and then just to see if there's any questions or anything anyone wants to ask so far. Has there anything come up, Jess?

No questions so far. [Operator Instructions]

Excellent. Thank you. Okay. Moving right along then. So just a little bit of a flowchart on how you would, under the new process, assess if something is a reportable situation, just helps sometimes to see something a little bit more visually as well. So first of all, if you're assessing a potential breach, I think the first thing you can tick off is if there is gross negligence or serious fraud because these types of breaches are going to be fairly obvious. If that comes up, they are immediately reportable. If we're not talking about negligence or fraud, then you need to have a look at whether the breach is actually a core obligation. If it isn't a core obligation, but it's still a breach of one of the financial services laws or requirements for how we do business, then you would add it to your breach register and treat that exactly the same as you would any other breach if you need to remediate it, et cetera. But if you determine that it is one of the core obligations, then you need to do an assessment as to whether the breach is significant. So that's the next step. If you don't know whether there's been a breach of a core obligation or you're not really sure exactly what's occurred, you might need to investigate the breach. Investigations had their own reporting requirements, and once again, we'll come back to that. Once you've determined that there's a breach of a core obligation, you then have to decide if the breach is significant. And a reportable situation only arises if you meet both of those things: breach of a core obligation and the breach is significant. And there are 2 tests that we will have a look at. The first test is called or it seems to be called the deemed significance test. It's where a breach is automatically considered to be significant if any of these listed circumstances apply. So if we work our way down the list. Firstly, if the breach is an offense that's punishable by imprisonment for generally a year or more, is considered to be significant. Look, as an example, some of the breaches that are in the list of offenses that are punishable by imprisonment included a lot of offenses relating to operating a company, director's duties, meeting your financial obligations and those types of things. There's also things like regarding your licensing, where if you breach, say, a banning order or you have some sort of offense about, say, knowingly providing defective disclosure material in your FSG or in your SOAs, for example. Those things potentially could actually be a criminal offense. Next, any breach that's a contravention of a civil penalty is also deemed to be significant, and we're going to have a look at those because they're the more standard ones that you're likely to see. We've got misleading interceptive conduct under the Corporations Act and also the ASIC Act. There's legislation about misleading and deceptive conduct, which is reportable in all circumstances. And additionally, and this one you'll be more familiar with because it's part of the current tests, is that if a core obligation results -- or a breach of that obligation results in sort of material loss or damage to a client, it's considered to be automatically reportable. And the same test is materialities, the same as your current tests now. So the main one here that I think probably needs further exploration right now will be your civil penalty provisions. And these are some of the examples. So the general license obligations that we mentioned earlier, they all attract a civil penalty. So any of those, if there's a breach of them, they are automatically reportable. Failure by the licensee to notify ASIC of matters such as not completing CPD, if you fail to notify ASIC about appointing or terminating an adviser as an authorized representative or any other changes about that adviser, that it would also be considered significant. So again, those are things where the -- if the licensee doesn't do it, it would be a breach. Breaches of conflicted remuneration provisions, some codes of conduct breaches may be subject to civil penalties. But probably when you're looking at the advice space and the sorts of things you might look at in audits and that type of thing, failure to give a statement of advice, not acting in the client's best interest are no-nos, as are some of the obligations relating to ongoing fee arrangements. An amendment has been introduced. It hasn't been passed yet, but it's expected to be passed that exempt some of these breaches that are a breach of a core obligation and attract a civil penalty, but they -- ASIC have said that they won't be reportable and those ones are if you fail to provide an FSG or PDS, so those ones will be excluded. Because I think they've identified that some of those things happen from time to time, are unlikely to cause any significant issues and they don't want those things to be reported. As we mentioned, there's a second test. It's not really named, so we're calling it the second significance test. And even if a breach isn't deemed to be automatically significant, it doesn't mean that, that's the end of the matter. It may still be reportable when you consider these second tests. It's quite similar to the current test with the exclusion of the material loss or damage, which has been moved up into the deemed significance test. So if a breach is systemic, if there are other similar breaches or maybe the breaches have been ongoing for some time and the licensee's compliance arrangements or monitoring supervisory arrangements have failed to identify this, and therefore, that indicates that, that could be a problem with the way the licensee is meeting its obligations, then potentially that could become a reportable situation. All right. We're going to go to our second polling question. And I appreciate there has been an awful lot to absorb over the last few slides. So let's just try a quick test and see how well we're doing. So which of the following is not a reportable situation? So which of these would you not have to report: failure to act in the best interest of a client; failure to give a warning if information is incomplete or inaccurate; failing to provide an FSG to a retail client; or paying an employed adviser a performance benefit based solely on product sales targets, so essentially conflicted remuneration. [Voting]

Thanks, Nicole. So whilst we have that poll up and running and people are having to think about their answers, we've got 2 questions that have come through if you have time to answer those.

Yes, sounds good.

So we have one here from [ Daniel ] and he asks, on the point that the breach results in material loss, what if the loss can be rectified, for example, a trading error?

Can you still hear me?

Yes. Can you hear me?

Yes, sorry. I was just -- I thought I was getting kicked out. So if there's a loss to a client because of a trading error?

So the question was...

[indiscernible] to say what caused the trading error?

Sorry, Nicole, there might be some lagging. Yes, I can hear you. I think there just might be a little bit of a lag. So let's just continue on with the presentation, and we'll get to the questions a little bit later on in the presentation.

Okay. Sorry about that. The fun and joys of the Internet, thank you. All right. So the response for this question is, the answer is C, so failing to provide an FSG to a retail client. That was one of the ones that has been or will be exempted from the reporting requirements. All of the other ones would be reportable.

Okay. Great. Thank you. So it looks like 44% of people online selected C, so that's great.

And to be honest, it's a lot to sort of get your head around. I know you're just going through the legislation and putting together the material for today's presentation, it feels like it goes around and around in circles a little bit. But I appreciate it's a lot to get head around. So we're going to move to our first case study here about how you would put this into practice. So in this scenario, there's an audit and it's identified that the adviser scoped out critical advice areas. In this example, the advice was to roll over Super, but the adviser said that they weren't going to give advice on the insurance that was in the fund that they will recommend be rolled over. Okay. So we have to determine if this is a reportable situation. So going through that flowchart, if I can draw your memory back to that one. First thing to tick off is, was there gross negligence or serious fraud? So in this situation, I'm just going to refresh the memory here. The gross negligence is failure to exercise care or having serious disregard to an obvious risk or there's intent to defraud the client or deceitful to gain a benefit to the adviser. I'm going to just assume that we're not dealing with any sort of nefarious things going on here. So then we move to if there is a breach of a core obligation, so that's the second of the -- what's a reportable situation, is there a breach of a core obligation. So in this case, yes. So section 961B, which is best interest duty obligations, and section 961D is appropriate advice. So best interest duty says that you cannot scope out critical areas. It's one of the steps of the 7 safe harbor steps. And as a result, it's highly unlikely that the advice may not be appropriate for the client if you roll over their Super and don't deal with their existing insurance. They are all part of Chapter 7 of the Corporations Act. So once you've determined that it's a core obligation, you have to then say, is it also significant? So the first step would be to determine if it's under the deemed significance test. And in this case, yes, it is a contravention of a civil penalty provision. Best interest duty was one of those things that's automatically reportable. Additionally, in this scenario, the licensee also would determine that the clients suffered a material loss because, as a result of the advice to roll over the Super, they lost their existing insurance because the advice didn't deal with it. So that would also be on that list of deemed significant. It may actually tick off more than 1 category being a contravention of a civil penalty and a material loss to the client. So in this scenario, the licensee determined that there was a reportable situation. So we're going to have a look at another audit-related situation. So if you get an audit that identify that product placement information wasn't included in the statement of advice, so that comparison between the existing product and the recommended product and any consequences or loss/benefits was not disclosed. So following the same process, was there gross negligence or serious fraud? You say no. Is there a breach of a core obligation? Yes. Section 947D is financial services law that's covered in Chapter 7 of the Corporations Act. Is it also significant under the deemed significance test? No. Section 947D isn't actually a part of Chapter 7 that attracts a civil penalty provision. So the licensee also determined the client didn't suffer any material loss of damage as a result. And he determined that the omission wasn't actually misleading or deceptive. It wasn't intended to hide any information from the client in order to encourage them to roll over. Now maybe one additional point I could say here is that in this scenario or the case study I put it together here is the adviser did actually investigate the existing product and did appropriately recommend rolling over, and the client didn't suffer any loss as a result of doing that. It was appropriate for them. The breach was that it wasn't in the SOA. If, for example, they didn't actually investigate the existing product, it would actually be a best interest duty or other breach of Chapter 7. But in this case, it's just not in the SOA. So then it's not significant under the deemed significance test. So then you have to go to the second significance test. As I said, it's only an omission in the statement of advice. But you want to have a look at it and say, was there actually this occurring regularly? Is it systemic? And looking at the other files that were also audited or having a look at other files from the adviser, they observed that it was just one sort of omission in this SOA and therefore not systemic. And so the licensee determined that this was not a reportable situation. So that's just how you sort of have to think through the process. And you're probably already seeing that you need to know what legislation is in each of those chapters and you need to know whether there's civil penalties that apply. So there's quite a lot of new information that you need to take into account when you're determining if something is reportable. Okay. I've been promising for a little while that we'll look at investigations, and we're going to look at that now. So if and when an investigation needs to be reported is set out in the new legislation. So the licensee will sometimes need to conduct an investigation into whether a breach has occurred. You might have a suspicion, but you're not really certain or you're not really certain exactly what's gone wrong. So in investigation, I suppose you have to then also define what is an investigation. They give the example that it's where inquiries need to be made in order to ascertain the fact. And they, for example, suggest you might need to speak to the adviser involved if you're the licensee. You might need to talk to the client. You might even need to get external advice about serious matters. So as soon as you start investigating over and above like a normal monitoring process, for example, then that becomes an investigation. Now ASIC want to be notified early about possible breaches, so they can take swift action to prevent it from continuing in the industry. They want to know what's going on out there. And previously, ASIC felt that licenses spent too long investigating things before they told them about the matter. So in this case, if the investigation is done within 30 days, you don't need to report it unless, of course, you identify that there is a breach. But if at the end of it you determine there isn't a breach and you did the whole thing within 30 days, there's no obligation to report it to ASIC. If the investigation continues for more than 30 days, the legislation says now that it automatically becomes reportable on the 31st day. So if you haven't finished your investigation, even if you eventually find that there has been no breach, you've still got to report that to ASIC and you've also got to report the outcome of your investigation to ASIC. So ultimately, there might even be 2 reports: one to ASIC to advise them about the investigation and then a second report when the investigation is complete, although in some cases, you might actually be able to combine them together within the relevant time frames as you can hopefully see here on the time line where you could actually report once both about the investigation and about the outcome. Okay. Quick polling question about investigations. So you're going to need your calendar potentially here, but I hopefully have made it easier for you. So if an investigation commences on the 1st of July, what's the last date you have before you must report it to ASIC? So A, on or before the 31st of July, which is 31 days after you start the investigation; B, on or before the 30th of August because you have 30 days in which to report after the reportable situation arises; C, on the 15th of July, within 10 business days of becoming aware of the breach; or D, just once you've determined that there's been a breach for core obligation and it is significant. [Voting]

Okay. So that one is launched and on everybody's screen. So whilst we're doing that, we might try the questions again.

So the first question was, on the point that the breach results in material loss, what if the loss can be rectified, for example, a trading error?

So in this scenario like the example was a trading error, and I'd have to probably say what exactly was the trading error. Was it because the adviser accidentally invested in the wrong fund. Maybe they didn't fill in the application form properly and therefore it resulted in the client being accidentally put into the wrong product. It was identified and rectified. I have to probably look at it sort of carefully to work out whether that's actually a breach or not. But if we just look at the question more broadly and is there an obligation to report if you can actually rectify the material breach? Yes, you still have to report to ASIC if it meets all of the requirements of being a reportable breach. And when you report to ASIC, one of the things you report is how you're going to remediate or rectify it. So it could be as simple saying, this is what happened. This is what we've done about it. It's been rectified. The client's been compensated, done, but you would still need to report it.

Okay. Great. And what is deemed as a material loss?

Yes. That was one of the things that is and was the criticism of the previous legislation. But like a lot of things, it's very hard to make everything black and white. The material loss really depends on the situation. It depends on the client, really. If the client has lost, say, $5,000 because of whatever the issue was, then if the client only had $50,000, that might be material. But if the clients is a gazillionaire, $5,000 may not be material. It's a subjective test, and you have to weigh up all of the circumstances.

And regarding case study 1, does the amount of cover impact if the loss is material, so i.e., if insurance was $2,000 of cover?

Well, in that scenario, I think there were a couple of things within the deemed significance test. One was that there was considered material loss because they lost a certain insurance. But the main part was that there was a breach of best interest duty because of not following the safe harbor steps and scoping the insurance out. That in itself is reportable irrelevant whether it was a material loss, that just adds to it if it's considered material or not.

Okay. And I think this question relates to...

So it relates to a client that only had like -- no, that's okay. Keep going.

Sorry, Nicole. I think this last question relates to the poll that we have up at the moment. Which year, for the question, new or old legislation?

So the investigation commences on the 1st of July. So let's say that this is under the new legislation, sorry, thank you for pointing that out because this legislation doesn't actually start till October. Let's say it's next year, 1st of July next year.

Okay. So the polling has ended, and we had 48% of people who selected B.

Yes. And the vast majority of those who didn't also selected A, and they're quite similar. So the answer is B because it becomes a reportable situation on the 31st of July, that's correct. But the last time which you have to report it is further 30 days after it becomes a reportable situation. So the answer is B.

Okay, we'll keep moving on. Next case study, and this one is specifically about investigations. So in this one here, the licensee has received a client complaint. So this is another way where we often see breaches coming about. The complainant wants a refund of fees that they've paid over the last 5 years, claiming that they didn't receive any services or any reviews during that time. In order to determine whether there actually has been a breach as a result of the complaint, the licensee has to start making inquiries. They have to communicate with the adviser, maybe the staff, get copies of documents, look at the file. They might also need to ask the client to provide additional information. And these are all things that you would do if you're investigating a complaint. And I guess that's the key: investigating. So you've actually commenced an investigation. So whilst you've got obligations under how you do your dispute resolution, under this new legislation, you'll also have obligations under the breach reporting to consider at the same time. So you look at it and say, are you investigating? Yes, of course. But importantly, you have to say, am I investigating whether or not a breach of a core obligation has occurred. So you've got to look at what the complaint is and go, could this potentially be breach of core obligation? It could be a breach of your obligation to provide services efficiently, honestly and fairly. I think that one will come up when you're doing breach reporting quite a lot because it's a bit of a catch-all. It could also be a breach of an obligation under Chapter 7 about ongoing fee obligations, such as providing an FDS. So in investigating, you might find that the client didn't actually provide those services and you might find they didn't see -- give an FDS along the way as well. So yes, it would be potentially an investigation into a breach of a core obligation. Then you've got to say how long does your investigation last. So once you commence your investigation, the time clock starts. If the investigation lasts longer than 30 days, it becomes automatically a reportable situation. But if it's completed within 30 days, it depends on whether you determine there's a breach or not. Okay. So one of the, I guess, more interesting, for want of a better word, parts of the legislation was the introduction of this obligation to report advisers from another licensee if you have reasonable grounds to believe that a reportable situation has risen. So it's nothing to do with your license, but you might see it has occurred somewhere else. So naturally, that's a little bit of an interesting one. So the legislation actually provides legal protection against things like defamation claims if you report another adviser or another licensee. In addition to reporting to ASIC, you have to give a copy of the report to the licensee that you're reporting. So here's an example of when this might typically come up for you. So if you see a new client, and they give you a copy of advice that was given to them by their previous adviser from another licensee, and you then think after reviewing it, that they potentially didn't provide advice that was appropriate or in the client's best interest. There's a couple of things that would typically happen here. Often, that will result in a complaint to the other licensee, but you will also now have an obligation to report that to ASIC and to that licensee separately under the breach reporting legislation. Similarly, if you happen to be the licensee that receives this type of report, you then, even though it's being reported to ASIC, will also still naturally want to investigate it yourself, but also you will have the obligations to self report. So once you've been notified, you probably start an investigation into the matter. That then kicks off a potential obligation on you to report this matter to ASIC yourself. So it's an interesting one. We're going to have a look at a case study about another way that this might come up for you. So in this scenario, and this happens quite a bit actually and under the new legislation will probably result in more than some sort of correspondence between you and a product provider. So the licensee receives an e-mail from a product provider and they want information because they've discovered that a couple of withdrawals that they've processed from one of your advisers has identical signatures and they suspect that those signatures are not genuine. So then you have to say, does the product issuer have reasonable grounds to believe there's been a reportable situation. They have enough information to determine whether there's been a reportable breach. So reasonable grounds are defined as when the licensee knows of facts or there's sufficient evidence that a reasonable person would think that a reportable situation has arisen. So is this issue likely to be reportable? Do you believe that the product issuer has reasonable grounds to believe that there could be fraud here and not just dishonesty, but serious fraud? It's a bit of a line ball there because you go -- duplicated signatures could indicate that something is going on with the withdrawals that the client doesn't know about. But if the money was paid into a client's bank account, maybe they don't suspect that it was serious fraud. They would say, is this conduct a breach of a core obligation potentially? So you have to consider, is it not providing services efficiently, honestly and fairly, for example, which would be a core obligation. So there's -- they would have to go through that same process as you would as the licensee, the product issuer because they are a licensee themselves. They have to go through the same process of assessing whether they think there's reasonable grounds to report this matter to ASIC themselves and not just raise it with the licensee and the adviser. So on the second part, as I think we've just talked about before, if you receive this e-mail, you then will have obligations under your breach reporting because you're likely to start investigating. Hopefully, this sort of thing could be resolved within 30 days. And if there's no issue, it's not reportable, but there may be scenarios where you would have to report to ASIC. And I would say, even under the current scenario, if an adviser was reusing client signatures, potentially that's dishonest conduct, it would be reportable under your current situations anyway. Okay. So once we get to the end of the breach reporting, there's going to be some things for you to be thinking about. So as a result of this legislation, of course, all of your breach reporting procedures and your compliance manuals will need to be updated to incorporate all of these new processes. We also anticipate when you're doing audits, you will need to be able to easily flag when there might be a reportable situation, when there might be a breach of one of those core obligations that might also be a civil penalty provision, for example. So there's going to be some work done on how to make sure you're actually identifying all of these issues when they come up. You'd need to look at your dispute resolution procedures to ensure that investigations and breaches that come up from complaint are also captured and reported as required. And we will certainly be updating all of our compliance manual material that we have for you as we get closer to the launch time in October. A couple of other things there. Breaches have to be reported in a form that ASIC specifies. So this starts to get into the practicalities of how you actually do your breach reporting. Look, if you have a large volume of breaches, which is probably more likely to be affecting large licensees, but -- it can present some challenges because the way that breaches have to be reported is via the licensee's portal. And it doesn't accommodate any sort of bulk reporting. So if you happen to have an audit on a whole -- several advisers and maybe there's a best interest duty breach on each of those audits, you would have to potentially do a separate report for each instance instead of bulk reporting because the system doesn't allow you to do that and we're not anticipating, at least initially, that ASIC is going to make any changes to the portal. So I guess the upshot of that -- or the downside to that really is that more resources are going to need to be put into your breach reporting. And you're probably already sort of seeing, and I alluded to it a little bit earlier, that whilst you may not have actually had any reportable breaches in the past, I think you'll be seeing now that, that's likely to change in the future. And I really encourage you to make sure that you are breaching to and doing reports to ASIC when it's required because once this is up and running, if you're not reporting to ASIC, and based on the size of your license and other similar licensees, it's going to become obvious that perhaps you're not meeting your obligations and not reporting and it may attract attention if you're not reporting. So don't ignore it, I guess, is the advice. There's a lot of information here. You've got copies of the slides, but we'll also be putting up an information sheet on our reg planner page with lots of links to the different parts of the legislation, the civil penalty provisions, criminal sections of the act and those types of things for you to be having to look at more. And I'm sure there'll be more coming as we progress closer to October. So before we go into the second part of which there's not quite as much to process as we have with breach reporting, are there any other questions at this time, Jess?

Yes, there is one here. Regarding the reporting. Is there a prescribed format or template?

Yes. I'm not sure when that one came through, but yes, there is. It has to be done through the portal. That changed, gosh, 6, 12 months ago, I can't remember the exact date. So you can't just write a report and e-mail attach or anything like we would have in the past. You've got to actually go into the portal. It's a series of questions. There's -- depending on how you answer one question, might unlock other questions, a series of drop-down menus where you really can only answer in a certain way. It's quite long and detailed and can be quite difficult to use, but that's the way that breaches have to be reported now.

Yes. [ Louise ] has just mentioned that it might be via the ASIC regulatory portal that the breaches now need to be launched as she saw it when paying her adviser levies recently.

Yes. And whilst we did update that in the manual and guidance, again, if you haven't actually had to do a report, you may not have noticed that. But you probably find you will be giving it a bit of a go under the new legislation. Yes. It's not fun. Fortunately, that's not my job. Tara has to do that.

And we have another question here from Damian. If in doubt whether to report or not, is it best to err on the side of caution and just report it?

Yes. Quite possibly, whether that's under the existing or the new legislation. Look, I think it's going to be pretty obvious, there's going to be a lot of reporting to ASIC. How they take that information and what they do with it because I don't know whether they're going to have more resources or whether they're going to have technology that's going to actually be able to pull out the sort of things that they want to know about. But even under the current situation, if you are uncertain, you report it. I think the key thing is in making sure you deal with it: here's the situation that's arisen, here's what we've done about it, here's how the client is being remediated if need be. And generally speaking, that isn't going to cause any dramas for you. So yes, I would say so.

Thank you. That concludes the questions so far.

Okay. All right. Well, again, I move on to the second part of the webinar today, which I probably didn't really mention in the synopsis for the session. But given -- I thought we had enough time. This is another part of the legislation that's coming to this Royal Commission Response Bill about what your obligations are to remediate misconduct. As I mentioned, it is going to be a little bit shorter than the breach reporting. So the Royal Commission found that when advisers -- or sorry, when licensees were identified or detected misconduct by an adviser, that licensees tended to fix that particular breach or that particular instance with that particular client. Didn't always look at how widespread that misconduct might be and whether there's other clients affected. And the answer is they felt that some client wasn't necessarily being identified. So Commissioner Hayne recommended that when misconduct was identified, that licensees should be required to investigate to determine what the misconduct was and the full extent of that misconduct. He also recommended that clients who may be affected need to be told and any clients impacted needed to be remediated promptly. I mean I think that's a reasonably fair requirement. And licensees under the current legislation already have general obligations to protect clients against loss and those sorts of things. There's already regulatory guides on how to remediate, et cetera. But this new legislation just goes that little bit further. So it says that licensees have to notify a person where a reportable situation has arisen. So that's particularly a significant breach for core obligation, gross negligence or serious fraud. And in addition, you have reasonable grounds to suspect that, that person will suffer loss or damage. And that damage is the responsibility of the licensee. So if you have both of those things, then you would need to notify potentially affected clients when you're investigating the misconduct and the outcome of any investigation. Let's look at that in practice. So the licensee, let's say, identifies potential fee-for-no-service issues. If you look at it and say, is that a reportable situation: Yes. Let's say, breach over the core obligations to do all things necessary to provide efficient, honest and fair services. Do you believe that the clients may have suffered a loss or damage or we've got reasonable grounds to believe that, yes. If they've paid ongoing fees and they haven't received services, it's a pretty straightforward that they've had some sort of loss there even just in terms of the fee they've paid and not received services for. You then have to say, well, how many clients potentially are affected? In this case, the licensee believes that up to 10 of the adviser's clients are affected. So the licensee has to notify all of those potentially affected clients then investigate and remediate those clients. So let's look at what the obligations are more closely about notifying clients. So a notice has to be given to affected clients within 30 days of first knowing about the misconduct, which has resulted in what you believe has resulted in loss or damage. So the notice -- the requirements are you give the notice in writing, and it has to include information -- certainly enough information that the client understands what the issue is and why you believe that the client may have suffered some sort of loss, and information about the fact that you're going to be investigating and that there may be possible remediation as a result. Clients do need to be kept informed reasonably of the progress of your investigation. And once that investigation is complete, a notice has to be given to the clients within 10 days of completing that investigation. That particular notice would be also in writing and explain what conduct you identified, how the clients' interests were affected and the amount of any loss or damage that you've calculated and you'll then explain how, when you'll be compensating the client. So it's possible that clients may be notified about misconduct before you completed your investigation and even actually determined 100% whether they were impacted if there was definitely misconduct or if they definitely suffered a loss. Some of the criticisms has been that this legislation may unduly alarm clients, may unduly impact on that adviser's reputation. So there is certainly a little bit of concern about how this would be managed. So any investigation -- so how you conduct those investigations are set out in the legislation. So if you're investigating misconduct, you have to commence your investigation within first -- within 30 days of first knowing about the misconduct. So if you think about it, if you first know about the misconduct, you have 30 days to notify the client, but you also have 30 days in which to begin your investigation. The licensee, first of all, has to identify which clients are affected. You need to check that the person suffered a loss or damage because of the misconduct. You have to determine what they call is a legally enforceable right for that client, which essentially just means is they have a right to recover their loss or seek damages from the adviser and the licensee. So whilst you're investigating, you'll be looking at the sorts of remedies available to that client. And in some circumstances, it may have been nonmonetary remediation. It doesn't always -- or won't always necessarily be a clear financial loss. You need to determine the amount of the payment. If you do find that there is a loss and it is something that can be compensated [ if we find ] monetary. And the legislation doesn't actually prescribe how you should calculate the loss. But there is other guidance, which I think I mentioned earlier, RG 256, which is about client reviews and remediation, which gives lots of guidance on how that should be done. The legislation says investigations must be completed within a reasonable period of time. And look, what's reasonable will really depend on the situation. It might depend on how many advisers are involved, the extent of the misconduct, the period of time over which it occurred and how much loss potentially may have been suffered. So all of those things will impact on how long an investigation might take. And then once you do finalize your investigation, you must take reasonable steps to remediate within 30 days. And of course, that's reasonable steps again because actually remediating can take longer, particularly if you're arranging to, say, refund of fees or something like that via a product provider, those things can sometimes take time. Okay. So we're going to our last polling question, and in fact, our last slide for today because there's -- I know we have a bit longer time, but there's an awful lot of information to cover. I think it's just -- it's not to overwhelm with too much. So this poll is just a quick one. What's the purpose of this legislation to remediate -- investigate and remediate misconduct? A, to ensure clients are remediated promptly; B, to ensure all affected clients are identified; C, to ensure clients are properly compensated for losses; and D, all of the above. [Voting]

Thanks, Nicole.

Whilst we have that up, I might just read out some questions that we have here. We have one from [ Rick ] and he asks, does a breach that may already be rectified need to be reported. So for example, if an adviser has made an error but has already fixed it, will that need to be reported?

Yes. I think it's a similar question to what we had previously if you've been able to rectify an issue. It potentially may still be reportable under the circumstances. Look, we are expecting that there may be additional guidance coming from sources and whatnot. There will be some more guidance. There has been a new RG guide put out. There's a consultation paper at the moment on some of this matter going on. We may see some more concessions about all of this breach reporting, remediating clients and all those types of things that may address that matter because I think practically, from time to time, someone will do something, they'll identify and they'll fix it. What does it add to have to report it. But as I understand the legislation as it is at the moment, yes, you would have to.

And would Centrepoint be able to provide some type of benchmarking service so to benchmark my reporting to a similar practice in order to avoid me sticking out from the pack? For example, a small licensee with 1 or 2 advisers should typically have x reportable issues?

Yes. I mean, currently, we don't know, obviously, how much reporting other licensees are doing. I don't know if that's something people would be interested in, in order to get a bit of a gauge. Potentially, it could be something to be talked about in the peer groups and things like that as well. Look, one thing I didn't mention is that ASIC do actually have to report on breaches. So that may be actually a way where that information could be found because they've got to include reports about the number of breaches and it goes down as far as like a licensee level. So yes, I think there will be information available for benchmarking actually.

Okay. Great. That concludes the questions for now.

Okay. As I mentioned, this is the last slide. So if there are any other questions, happy for them to be sent through afterwards. I think everybody is pretty clear that this last one that I made a nice easy question for you, and the answer is all of the above. Yes. So I think that's all for today. Everyone gets a little bit of an early mark. Your head is probably spinning a little bit. As I mentioned, we will be making some material available on the reg planner page on Centrepoint Connect, so you can have a look at this in a little bit more detail and we're always here for more questions. And I'm sure there will be more things coming out as we get closer to October whenever everything starts. But thank you, everyone, for joining us today.

Thank you, Nicole, for your time and expertise. Well, everybody, if there's no more questions, that concludes today's webinar. Please ensure that you complete the feedback form, which will be sent after this webinar ends. And thank you to everyone who dialed in today. And thanks again, Nicole, for presenting. We'll see you all soon. Bye-bye.

Thanks.