Centrepoint Alliance Limited (CAF) Earnings Call Transcript & Summary
May 5, 2022
Earnings Call Speaker Segments
Nicole Alexander (executive)
Welcome, everyone, to our Responsible Manager Training. I'm joined today by Tara Foulkes, Group Executive for Risk and Compliance. And for those of you who don't know myself, Nicole Alexander, I'm the Head of Licensing Standards at Centrepoint. We're joined today by the Centrepoint AAP self-licensed advisers and LaVista Licensee Solutions, self-licensed advisers. So welcome, everybody, who could attend, and hope you enjoy our presentation today on breach reporting, everyone's favorite topic, I am sure. We'll get into it. Okay. So what we're going to talk about today is a little bit of a different take hopefully on breach reporting. We will be recapping some of the obligations that we've talked about before during different presentations. But we also want to look at some benchmarking. So 6 months into the start of the -- or 7 months now into the start of the new breach reporting regime, everybody kind of wants to know a little bit about, well, how's everyone else's experience has been with the breach reporting? And are they reporting the same amount of breaches as I am, and those types of things. We're going to ask a few polling questions and get some ideas from everyone on how they've been experiencing it and share that information with everyone. As I said, we'll recap some of the obligations and look at the different procedures to how you identify, assess and report breaches. People -- we hear lots of different questions on the challenges people have on doing that, so it's a good opportunity to have a look at that. And also to look at the regulatory portal, which has changed a lot if you've reported any breaches under the old regime. The new breach reporting portal is a little bit different. So we'll have a look at that. And there certainly will be opportunities for some Q&A at the end. So if you've got any questions, pop them in, and we'll get to them as we go. And of course, there will be some CPD points available for this.
And we'll be looking, obviously, at the things that we've already talked about, the obligations. Reportable situations, which is a bit of a new term under the new regulations and how to make sure you've got some really good systems in place and some of the tools that we've got to support you in doing that. Okay. So I just said, we're going to start with some benchmarking by getting an understanding about how everyone else has had their experiences with these new regulations and obligations since the 1st of October when the new regime started. We won't be hearing from ASIC about the information that they've been collecting under this new regime until 4 months after the end of the financial year, so probably around about October. So in the interim, we've got some information from some surveys that were done by a couple of groups that got together, so Lawcadia, who's a legal technology solutions provider; and Gadens, a law firm. They got together and decided to engage core data to survey some licensees across both AFSL and ACL because they both have breach reporting obligations to see how they're coping with the new regime. And some of that information we can share with you and see how we're all fitting in and whether we're comparable to the sort of data that came out of that survey. So starting off, we're just going to do a couple of polling questions. If everyone can participate, just be open and honest so that we can all sort of see how things are going with your breach reporting. We're going to launch the first polling question. And the first question is just to give you an idea about how many breaches people have been reporting since October. There's a couple of options from you there. We typically hear concerns from licensees that they don't want to be an outlier. They don't want to be reporting more or less than their peers, and we often hear questions about, well, how many breaches are other people reporting on businesses of my size? 
I want to make sure that I don't attract attention by the reporting too much or too little. [Voting]
Nicole Alexander (executive)
So we're getting some results coming in there. Give you just a little bit longer, but it looks like we've got a fair number of people who voted so far. Thanks. Now that's probably enough. So what we found there is that, as probably expected, a large number of licensees haven't reported any breaches. About -- of the attendees, we've got about 74% said they haven't reported any breaches. The remainder -- or the bulk of the remainder said between 1 and 5. So in the survey that was done that we've talked about there with Lawcadia and Gadens. They asked the question about how many per month were people reporting. And the majority said it was less than 5 per month. Only 20% said they were reporting 5 or more per month. We've just asked you about the entirety of that period of time. So in comparison, I would say it's probably likely we're fairly representative there that the bulk of people are reporting few breaches. Do you have any thoughts there? Tara is responsible for our breach reporting in our various licenses.
Tara Foulkes (executive)
Yes, yes, I do. We've definitely reported more reportable situations since 1st of October than we've done before. So typically, we might have only done 4 or more per year or maybe a little bit more than that. And now we're definitely in that 11-plus. But mind you, when we're talking about multiple licenses that we're dealing with and then lots of advisers. We're around, I think, 500 advisers now. So that's probably representative of the size of our group.
Nicole Alexander (executive)
Yes. And that's it. The thing is we don't know from that survey what size the different groups were. It was a range -- I think they surveyed about 160 licensees. So some of them actually reported quite large numbers of reports, in the tens every month. So it will be interesting to see when the data comes out. We don't know yet how ASIC will be providing that data and how they'll be slicing up the data, but it will be interesting when we see it. Okay. We're going to go to the next question, so question 2. So if you have reported any breaches, so there's not going to be too many here. So if you answered yes to the previous question, answer this one here and just let us know what are the main types of behaviors or breaches that have been the subject of those breach reports. Sorry, I think I've skipped ahead one, sorry. Question 2 is are you spending more time on identifying and assessing and reporting breaches? So even if you haven't reported a breach, it's possible you might have been investigating and having a look at breaches and determining if a matter was a breach. So just let us know there if you're spending more time looking at those incidents, if you're spending more time reporting breaches, both? Or you really haven't noticed any difference in the time that you're spending? [Voting]
Tara Foulkes (executive)
That's probably enough, I'd say, in the call, considering there haven't been reports previously.
Nicole Alexander (executive)
Yes. Yes, that's right. So again, half of the participants said there was no change to the amount of time they're spending on breach reporting. Certainly, some of them are assessing incidents, so that probably falls in that category where we're sort of thinking there as you're looking at incidents that maybe you determined that they weren't reportable. And some people said -- about 16% said they're spending more time on both categories. In the survey from Gadens and Lawcadia they said that the number of breach reports had really increased significantly. So the majority of them actually saw that we're diverting a lot of resources away from other important work. They felt a lot of stress and anxiety. So the people that we surveyed certainly seem to feel like it had, had a big impact on the amount of time they were spending on breach reporting.
Tara Foulkes (executive)
And from our point of view, Nicole, I agree with the spending more time assessing incidents. Because previously, you might have assessed some incident. Look, it feels like a breach. It's -- we'll put it in the breach register just in case. Well, now as licensees, as soon as it becomes a breach in your register, then if it's a civil penalty you've got a reportable situation on your hands. So we do spend a lot more time looking at the incidences and really making sure that it is a breach and not just a licensee standard that they've missed.
Nicole Alexander (executive)
Yes, definitely. All right. Now we're on to question 3. Apologies for that before. So for those of you who have reported breaches, so we won't leave this open for a long time, but let us know what are the main types of breaches that you did report. And then we'll let you know what the survey found. These categories were the ones that we used in the survey just for you to choose from. They're quite broad. [Voting]
Nicole Alexander (executive)
Okay. It's still sort of coming in. It looks like other is the main one. So again, there's not a huge amount of categories there. If people want to pop into the discussion or the Q&A that what those other ones are, we might be able to share that information around at later point as well or use that as some examples later in the webinar. But the main one for those people who responded said material loss or damage was the main type of breach that they had reported. Interestingly, that's very different to what we found in the survey. The survey said that advice-related breaches were the main one, so breaches probably things like best interests duty or those types of advice-related obligations, but followed closely by misleading and deceptive conduct, which I think might surprise you. Because I think it surprised us. But as Gadens explained, misleading deceptive conduct is defined as any conduct about a product or service that is misleading or deceptive or likely to mislead or deceive. But in application, what that practically could mean is that any error in any sort of disclosure that you make that's incorrect, that could, in fact, mislead the customer. So such is an error in disclosing a fee could be categorized as misleading and deceptive conduct. And many licenses appear to be reporting that type of breach. But obviously, a lot of licensees and probably us included really haven't taken that interpretation. We're really, I guess, looking at what's the intent or were they reckless with the information that was provided in making an error, and maybe even the materiality of the error before we looked at that. But that's a pretty significant category based on the survey done by Lawcadia and Gadens gates, and we might see ASIC making some commentary if that sort of rings true with the data that they're collecting as well. Okay. So last question in this little section.
If you have a look at the sort of the challenges that you are facing with dealing with the new breach reporting obligations, so is it that you're not really confident that you understand the obligations and you worry that maybe you're not reporting when you should? Do you have limited resources because of the time and people take in to assess and report breaches and even identify breaches? Is it something that you've had available before because it hasn't been an obligation in the past? Are you spending a lot of time trying to understand the complexity of what's reportable and what's not reportable? And looking at the legislation and the various penalties or even one of the other categories in the survey that was done with things -- like the fact that everything is very manual. There's no tools, there's no technology that can actually assist with this. It's all quite manual work. [Voting]
Nicole Alexander (executive)
Okay. So in survey results, the respondents in that survey said that complexity of the regime was the most challenging thing for them because it wasn't straightforward, as you'll see when we get to the recap. So that's probably things like [indiscernible], looking at the legislation and the penalties and even -- are you not confident you understand because of the complexity of the regime. And the second highest was things like resourcing, probably primarily from those practices that are doing a lot more assessing and reporting than they had previously, they're having trouble resourcing that. They also acknowledged that because this survey was done by both AFSL and ACL that they -- the ACLs actually never have any breach reporting obligations in the past. So it was quite new to them. So understandably, the whole situation is very different for them, not just how you assess the breach. Okay. The results there were 50% said they're just not confident that they understand and 24% limited resources. So those are the 2 key ones in the results. And as Tara mentioned before, that's -- I think the -- that would probably reflect our finding on limited resources. We've got somebody now pretty much full time assessing breaches.
Tara Foulkes (executive)
And it's not only just the person assessing the breaches. It's also training up our compliance auditors who actually conduct the audit reports and changing the way that they assess whether something is a breach or not, so that they're having to go through a learning curve. And the other thing, I think, is also the tools and technology. So we didn't really know what ASIC were after until when we have to do a breach report until very late in the piece. So it's trying to get all that sort of information into some sort of system that you can actually track and make it simple. So...
Nicole Alexander (executive)
Okay. So a little bit of a recap. Now I'm not going to go into a large amount of detail, and we've certainly got other resources that if anyone wants we can provide as well on this. But we'll do a bit of a summary. So changes, I suppose, the first, the differences between the 2. And we're still dealing with questions and queries where people still are operating really largely under what the previous regime was, which is a test of significance. And generally, that's a material loss. So prior to the change in October, licensees had to report what was called significant fall behavior with ASIC, and they had 10 days in which to report. And the assessment at that point was pretty subjective. And the reason for the change was because it wasn't really producing the consistent reporting across licensees that ASIC was after. And as I said, mostly to be -- if there was a financial loss or a systemic issue, those were the sort of things that we're getting reported. So with the change last year, the legislation now really specified in quite detail about what breaches are reportable as a setting in an effort to make that more consistent. And some breaches are what's called deemed significant. So it doesn't require an assessment of whether you think it's significant. If it's occurred, it must be reported. There are also other tests that look at significance, it's very similar to the way it was previously as well. So there's 2 tests that you need to have a look at when you're assessing significance. And the other 2 key things is the time frame has gone from 10 days to 30 days, just to allow better quality of data reporting to ASIC. And then also one of the things previously was that licensees would investigate a potential breach, it would take a long time. I think the average was like 150 days or something before a breach would be reported.
So ASIC has now mandated that if you're investigating whether there's been a breach, they expect a report to be given to them if the investigation last for more than 30 days, so put a time limit on those investigations. Something else we often get asked about is the difference between a breach and an incident. You'll often hear in reference, say, a breach and incident register. So just a little bit of a summary here of the differences. So an incident is really something that has occurred and you suspect it may be a breach or a reportable situation. You don't know, but you suspect it has been. In RG 78 ASIC says that you must be able to identify incidents that are suspected or possible reportable situations to be able to assess if that is reportable. So that's an incident. Whether it's a breach, it depends on whether it's -- you're actually in noncompliance with an obligation or a legislative instrument. So finally, I suppose then is -- or are all breaches reportable situations? No, they aren't. Only some of them are reportable and the legislation defines when it is reportable. So if you had a good incident in breach reporting sort of system, you need to first be able to identify the incident. So at minimum, everybody needs to be aware of, what are the things I'm supposed to be doing? And if something hasn't happened or there's been a mistake or an error, then those things may be incidents. They don't need to know if it's a reportable situation or if it's a breach, but it needs to be escalated to somebody who will look at that. Someone will then -- any licensee or generally responsible for reviewing and assessing any incidents that are raised, and they filter out what are breaches and then which ones of those are reportable. You often see incident rates that aren't actually breaches of the financial services or it might be in noncompliance with a policy or a standard. Okay. This slide has probably got the bulk of the recap. 
So bear with me a little bit, there's a fair bit here. So essentially, what's reportable situation, and there's 3 key matters: so it's breaches of certain core obligations, negligence and fraud and also, you have obligations now to report other licensees if you have information that they have a reportable situation. So we're going to really focus mostly on the first one, which is the breaches of core obligations that are significant because that's the main ones that you're going to see. But really quickly, gross negligence and serious fraud, so careless mistakes or inattention that is -- may result in some sort of damage. It might be negligent, but it would have to be deliberate or reckless to be gross negligence. So just keep that in mind forward. Obviously, deception intended to result in some sort of personal or financial gains. So look, from time to time, those might arise. But the main one is going to be those core obligation breaches. So as I said, their core obligations, but those core obligations also need to be significant. So of course, that requires us to know what obligations of financial services are actually core obligations, which are defined and then whether they are significant. So what are some of the core obligations? So general license obligations, obligations to have PI insurance and certain financial services also. Your general obligations, 912A, of the Corps Act, all those sort of ones that are listed on your license, you know provide services efficiently, honestly and fairly, having adequate compliance arrangements, managing conflicts of interests and risks, having trained and competent advisers, dispute resolution arrangements, all those things that at a licensee level you need to do, all of those, if you have a breach of any of those, they are core obligations. 
Many of the financial services was in the Corporations Act that we have to comply with as advisers are core obligations, and there's also some other acts like the ASIC Act and SIS Act, which have some areas in there that could also be core obligations. So in determining if you've had a breach of a core obligation, so most financial services, you need to have a look and see if it's been reportable. Have a look at that in a second. So you've also got in that list then investigations that last for more than 30 days, which we mentioned. And there's 2 tests for significance, so first one being these deemed breaches. So they're breaches that are automatically considered to be significant and therefore, must be reported to ASIC. If we look down the list, any offense that is like a criminal offense, punishable by imprisonment generally for a year or more is significant naturally. It comes with the criminal penalty. It sounds pretty significant. If it's a breach of a civil penalty provision that's also deemed significant. There are some carve-outs just to make it even a bit more complex. Misleading deceptive conduct is automatically significant. Any breach of a corroboration that results in material loss or damage to a client is also reportable. So there's not supposed to be any subjective judgment about whether that is reportable. Once you've determined it's a breach, it's automatically reportable. As I said, there's more information about all of these that you can access if you want more details. But I think the main message here is that -- like we sort of want to get across is that it's not something that you can just use your own judgment or have a gut feeling about whether something might be reportable. It's not just looking at is this some something that causes some sort of damage and therefore should be reported? It really requires a systematic process of assessment, and that's probably the key difference, I think. Any thoughts on that, Tara? She's probably on mute. 
I can't hear you there, Tara. But that's okay. I'll move on. We've got another quick polling question, 3 CPD points. Just to sort of see which of the following would not be a reportable situation? So the poll there is, if the client suffered a material financial loss, numerous or frequent similar breaches, commencing an investigation or dishonest conduct. [Voting]
Nicole Alexander (executive)
I think I can tell so far everyone's doing very well. Okay. So yes, the bulk of people said when an investigation has commenced. So it doesn't become reportable until it's been more than 30 days for investigation, but all of the others are reportable. So we'll have a quick look at the procedure. So as I said, you've got to have a really clear process of assessment. So really, we're just going to sort of step out what those steps will be when you come across an incident. So the first step is, as we said, identifying an incident. And you're going to have sources of information coming in so that you can identify some incidents such as your file audits, client complaints and self-reporting from, say, advisers and staff. And you also get things coming through from other sources such as product issuers who will come and bring to your attention something that they found that has gone wrong. So everyone in the business needs to have some awareness to be able to raise these incidents in these potential reportable situations for you to assess. And then you put that into your breach and incident register. You then need to look at that incident and determine what legislation applies. Because you need to know what legislation is used to determine if it's a core obligation and therefore, potentially reportable. Once you know what legislation it is, you need to look and see if there's a penalty that applies so that you can determine if it's a civil penalty for example or a criminal penalty even, to determine if that's a reportable situation. Sometimes you also need to assess if a breach has occurred, which may need rethinking about whether it's actually a breach of the legislation. Or you might suspect something has happened, but you don't have all the facts, that you might need to investigate. So there's that step in there. You then need to assess under the first significant test, which is that deemed significance test. So is it a breach of a core obligation?
Is there a criminal or civil penalty? Or is it one of those other areas like misleading or deceptive conduct or loss or damage that would need to be reported? And if none of those apply, you're not off the hook yet, unfortunately. And you then need to move to the second test to determine is the breach either systemic or does it really have a major impact on your ability to operate your license? Or does it indicate you don't have good compliance arrangements. If those are also present, then that would be reportable as well. And then the last step is actually doing the report to ASIC, but also remediating any loss or damage that may have occurred, stopping the breach if it's still ongoing and then preventing it from occurring again in the future. And all of that information will be included in any reports that you give to ASIC. Okay. So there's a lot there, but what we've done is taken out a few examples of things that are deemed reportable situations that you might typically come across. And so we will pop a few of them up there and have a bit of a chat about some of those. So I'm going to let Tara weigh in on some of these ones.
Tara Foulkes (executive)
Yes, happy to.
Nicole Alexander (executive)
Great.
Tara Foulkes (executive)
So these are some of the key deemed reportable situations that we've seen across the time since October, the ones that are probably popping up more that we weren't expecting would have to breach, we didn't really think about it when the reporting regime changed, is things that don't really cause a detriment to the client. So because there's a civil penalty attached to certain things, we're now finding that we're reporting something that we previously would have assessed and said, "Look, it's not significant. There's no material loss of clients. So therefore, we don't have to report." These things include, you'll see at the bottom there, we've got breaches of sole purpose test. We've picked us up a number of times in audits. It's not a major issue. It's things like charging the full advice fee to the husband's account when you're giving advice to the husband and the wife, or it could be that you are charging the full ongoing advice fee to the superannuation fund but you're also giving non-superannuation advice. These ones that have been picked up, prior to October last year, we wouldn't have reported those to ASIC because they wouldn't have been deemed significant. Now they are because there is a civil penalty attached to the sole purpose test within the SIS Act. So then it's captured as one of those deemed reportable. The other ones that we've been experiencing recently is conflicted remuneration. Now not to scare people, but it's minor conflicted rem. So as we know, there was some grandfathering in place prior to the 1st of January last year, things such as asset-based fees on margin loans. If they had have been put in place before [indiscernible] came in, advisers could continue to receive that amount if they didn't switch them back to a flat fee, then that's actually deemed conflicted rem.
And a number of product providers have actually been going through their books and checking for these types of conflicts and they've identified some, and therefore, they're notifying the licensees. And when -- if you do receive a notification from a product issuer around something like conflicts or potentially issues with advice forms and things like that, you do need to assess those in relation to, has a breach occurred. Again, is it a -- is there a civil penalty attached to it? If there is, then you have an obligation to report. So sometimes you're actually being notified from external parties around potential breaches.
Nicole Alexander (executive)
Great. And there's a few unusual ones there, failure to provide a statement of advice. If you don't give one, it's reportable. But if you give one late, that's not necessarily.
Tara Foulkes (executive)
Yes, yes. So that's an unusual one. And also, it's a failure to provide the SOA, but it doesn't matter the content, so the Corps Act section which states what needs to be included in the SOA is not deemed a reportable situation. So you could give an SOA that doesn't have all the parts that should have in it, that's not automatically deemed reportable unless, again, there's other issues in relation to, is there any sort of loss or detriment to the client and things like that.
Nicole Alexander (executive)
Yes. Cool. Again, if anyone has any sort of situations they want to pop into, the questions that you want us to have a look at or consider as we get towards the end, more than happy for you to do that. Okay. So we can provide you, I guess, with examples. And we've got some additional tools, which we're going to be bringing out to sort of assist you with identifying what breaches may be reportable situations. But what you might need to do is actually go and have a look for yourself. If you come across a situation to determine if there's a civil penalty or a criminal penalty. So I just sort of popped this up here to give you a bit of an example. And look, Google is your best friend sometimes. So if you type in what the issue is, best interest duty, Corps act, it will bring those things up. You can have a look at it. A lot of the times for legislation literally says to you, this is a civil penalty. So it will tell you if a penalty applies, it will tell you what sections of the act it is, because you will need that information when you go to do your breach report. You also notice here on the slide that it refers you to a section that lists all the civil penalties. So that section there is actually good to have. If you're not 100% sure what part of the legislation there is a breach of, you can scroll through the list of all of the civil penalties and it will describe the various sections of the act and where the penalties apply. So there's one for simple penalties and there's also a section on the Corps Act of criminal penalties. So that's a good source to go to and check and see if a penalty applies. We've also included here what civil penalty to apply on the basis of an audit that you might receive. So for example, this is the audit that we do. And typically, that's where you're going to identify breaches. So for some people, if you haven't reported a breach yet, it might be because you haven't yet done your annual audit.
But when you do, you need to look at those audit reports and identify whether there's a breach. So the most -- as we said, the most common breaches are those civil penalty provisions, and there are a lot of them that are specific to giving advice. As we said before, failure to give an SOA, not acting in the client's best interests or following those sort of safe harbor steps are reportable situations. And there are some other obligations such as if you've got an ongoing fee arrangement and you continue to charge a fee if the fee arrangement ceases or the client doesn't consent, both things are breaches as well. I mentioned before that there are some things that are actually exempted as well, so failure to provide an FSG, a PDF or an FDS, they're all core obligations and they do attract civil penalties. But ASIC has explicitly excluded those from being a reportable situation. Those are breaches that you apparently are not interested in hearing about, that they presumably consider to be a bit more minor. As we said, there may be misleading and deceptive conduct identified in an audit. We talked about that one before. It's also reportable areas in fees, potentially. Yes, so when you get an audit report or you do an internal audit, make sure you're reviewing them for possible reportable situations. This table is a good guide. We're also going to be making this table available. We're going to do an updated breach register with a lot of this information and extra resources and some guidance on how to identify reportable situations are going to be on that register.
Tara Foulkes (executive)
Nicole, just a question come through. They just wanted me to repeat the example I gave around the sole purpose test.
Nicole Alexander (executive)
Yes, of course.
Tara Foulkes (executive)
So to explain that again for those that might have missed it, obviously, we're all aware of the sole purpose test, and superannuation is there for retirement purposes only. So that's why we have to meet the sole purpose test. A part of that is that you can't charge advice fees to super -- for non-superannuation advice. So if you had an example where an adviser was charging a client a fee. The advice SOA included some cash flow management, some external investment advice, some non-super advice and then you charge the full fee for the advice in the SOA to the superannuation fund, that could be deemed a breach of SIS act. So in those situations, then you have to look at it and then assess and go, okay, well, the advisers charged a full amount. Is it a breach of the sole purpose test? Yes, it is. Is the sole purpose test a part of SIS act. So you could Google, then you could find out that -- it actually has a civil penalty attached, and therefore, it's a deemed reportable situation regardless of whether it was a huge amount of fees or whether you could reinstated for the client. So that's just one example. And you'll find that the superannuation funds, they're actually looking into this more and more. So you may actually get notifications, particularly from a lot of the larger industry funds.
Nicole Alexander
executiveWe did do an article just in the last few weeks on the sole purpose test breaches. So if you have a look back through the newsletters or you have a look on Centrepoint Connect or those sort of places where those -- that article is there. And so that goes into a little bit more better detail. There are other examples that would be also considered sole purpose test breaches as well.
Tara Foulkes
executiveYes. A few other questions probably relevant to talk about on this slide is have we looked at the other acts. So you see the question 23 to 26. We've got privacy, AML, CTFs, [ TAZA ], which probably need to update because that's a little bit different now, it's under ASIC. And then so it was put potentially because it really depends on what you're breaching in relation to those acts. So with the SIS Act, definitely sole purpose was one, I think early release is another, so condition of release. So that's one obviously that you'd report. In relation to privacy, most of that is not a civil penalty. But again, if you had it on mass -- so as Nicole talked about, if you're consistently breaching privacy, then that potentially could be. And that's probably more of an assessment. And AML/CTF again on its own is not. But if you -- if it's -- again, you're doing it frequently, then you may have to report that. There was a question about FTS errors not being reportable. Nicole, do you want to talk to that one?
Nicole Alexander
executiveJust off the top of my head, there were a number of FTS that are core obligations, but they -- and they do have civil penalties that they were excluded. Some of them sometimes are and sometimes -- I probably have to look in more detail on that one and come back if there's an error in it. Potentially, it falls under that misleading and deceptive conduct, which may be.
Tara Foulkes
executiveYes. And that's why you need to take a practical approach, I think. If there's a -- it's very easy to have a minor error in the FTS. So, I think the major issue would be is if you're not doing FTS regularly, you're completely missing them altogether. But if you're giving an FTS, that's obviously -- with a few minor issues in it. But if you don't even give the FTS, it's not an issue. Where I would assess it as a potential breach is if the fee was quite significant and the client is not in an informed position that -- what they're actually getting for the fee they're paying. So that's the way I'd look at that one.
Nicole Alexander
executiveYes. Definitely. Okay all right. We can keep going with -- definitely you will have hopefully some time at the end for more questions as well. Okay. So the breach register, I've mentioned there that we'll be releasing an updated breach register, some information on how to make best use of your breach register. So it's used to -- and the purpose of it is to record your actions that you're taking in how you identify, resolve and then report breaches. So you're probably aware that as a licensee, there's no express requirement to have a breach register. But in practice, ASIC does say that you will need one to show you have adequate arrangements in place to comply with any of your breach reporting obligations. And it really does help you identify breaches, determine whether a breach is significant. And a breach register can also help you identify when something might be systemic. If you're seeing a lot of incidents and breaches that may not have been reportable situations but they're happening frequently, those cumulative sense will potentially become reportable, as Tara mentioned. It should contain the information -- according to the reg guide, the information that ASIC requires you to give to them when you lodge your breach in the regulatory portal. They expect that information to be kept in your breach register. So the information that you put in your breach register will naturally, therefore, make it easier when it comes time to complete the ASIC report because there's a lot of questions you have to answer when you lodge the report. So if you have already assessed, documented all of that information and you got it to hand, makes your breach reporting a lot easier. The sorts of information that will be in there will be lots of different data about when the breach arose, when you first knew about it, when you believed it was reportable. 
It can also then track the date on which you need to report to ASIC so that you're reporting within your appropriate time frame within your 30 days. And there's another -- a number of other things there was listed on the screen that would be in your breach register or should be. So the new breach register will be coming out shortly with a lot of additional guidance in that register. One other thing just worth mentioning as well is there's an additional requirement in the legislation that you need to notify clients who suffered a loss. Naturally, you're going to because you need to contact them if you've got to remediate or provide compensation or something like that. So you're going to be notifying those clients. There may be occasions where you might need to notify a client before you've completed an investigation, unfortunately here as well. So just keep that in mind. There are time frames on that. You have to notify a person if a reportable situation has occurred and you think they suffered a loss or damage, and let them know if you're investigating and what the outcome is. So it's not just perhaps that person who is the -- or the client that's the first breach that you saw, but it may require you to actually expand your investigation and look at are there other affected clients. And if there are other affected clients you need to inform them as well. And then there's a time frame in which you've got to actually remediate or compensate these. And I think, as you can see there, one of the key examples would be there is if there's a fee for no service breach, and you find that on one file. You really need to look and see is that occurring on other files and remediate those. Okay. A quick following question. So what is the purpose of a breach register? Will it assist in managing your reporting time frame? Will it assist in determining if a breach is systemic? Is it how you document all your incidents? 
Or is its purpose to record all the actions you take to identify, report and resolve breaches? [Voting]
Nicole Alexander
executiveNumbers are coming up pretty quickly and most people seem to be on the right track. A bulk of people are saying, d, to record the actions to identify, report and resolve breaches, which is correct. All of the other ones are benefits, but it's not really the purpose of the breach report. Sorry if that was a bit of a trick question. So we also said we have a look at the regulatory portal. It is something -- if you haven't used it before, it's a bit of a beast. If you haven't, first of all, actually registered for the portal, if you've had no reason to do that, there's some guidance on ASIC. There's some user guide on how to register for the portal. And as you can see, they have a number of user guides available, but they're not overly helpful because they take you to a certain point, basically says, here's how you launch a breach report or here's how you commence one. But it doesn't actually take you through the entire process of answering all of the questions. And the reason for that is that each question that you answer has a whole bunch of possible options and each answer that you give them potentially launches a whole group of other questions. So it's got a lot of branching and conditional logic. So it's really pretty impractical to actually produce a single user guide. There is a wire frame that's like 100 pages long with every single question that might be in there, but I don't think anybody really wants to have a look at that. So what we have done is produced some screen shots from it. A typical breach that most licensees are going to need to do on some sort of advice kind of related breach, and we'll make that available as well so that you can sort of see each of the questions and how sort of you should answer those ones for your average or your typical breaches. We hope that will be helpful. The example that we did use for that was just a breach of a core obligation, which is going to be the most common one you have. 
It's a breach of best interest duty because it will equally apply in most breaches that you get on, say, an audit report or something like that. In the portal, there are a number of free text boxes. They're pretty limited. It's really where you describe the breach. Most of the questions in the portal have drop down menus or list that you have to pick and choose from, so you're quite prescriptive in the sort of answers that you can give. But as we talked about before, if you answered all the information in your breach register, you'll have most of the information to be able to answer your average question or your average reportable situation. We think it would take you probably about 30 minutes, give or take. If you're doing a few, you might get a bit more practiced at it. Your first one might take a little bit longer. Typically, there's around about, I counted them on that -- so the example that we did, around about 50 questions that you have to answer, so it's a bit of information to get through. You can report multiple breaches as long as they arise from a single issue in one report. The portal is also able to provide updates and -- to your report such as notifying ASIC if remediation has been completed, adding additional instances of a breach if you identify more after the initial report was made or if you need to amend any estimates. Like they may ask you an estimate of a financial loss the client may have suffered. If you need to update that as you continue on with your remediation, you can do that. And each transaction has a status recorded next to it so that you can sort of see where it is in the process. ASIC does have a frequently asked question site for using the portal, and they list some of the possible statuses there. But we've noticed a few more being used currently such as rectification incomplete or investigation incomplete.
Tara Foulkes
executiveYes. It's actually really good using the status section because it keeps track of what you've actually told ASIC. So if it says rectification incomplete, it means that we've told ASIC that we're going to do some remediation, maybe some training with an adviser. We might have had to have written to the client or done a new SOA or things like that. If we told them, we're going to do it by a certain date, then it sort of flags to you that we haven't closed that one off. Yes, we might have done the remediation, but we forgot to tell ASIC. So it really does prompt you to go back in and give them the update that they're after.
Nicole Alexander
executiveOkay. All right. So that kind of brings us to the end of the main part of the presentation, but we want to leave a little bit of time for some questions and answers. So if anyone's got any more questions they want to pop in there. One of the questions was about when your 30 days to report starts from. So it says that you must lodge with ASIC within 30 calendar days, it's calendar days and not business days. So that's important to be aware of when you're tracking that you're aware if there's public holidays and things when you're reporting date fall of June. But you need to report within 30 days after which you first know or is reckless about knowing whether there's reasonable grounds to believe a reportable situation. So it is a bit of a mouthful. But essentially, usually, it's going to be from the day that you become aware that there's a possible breach or you reasonably think that there's been a breach. If you become aware of a possible breach and you don't do anything and you don't look at it, you don't investigate, in a couple of weeks later, you come back and look at it, you can't start the 30 days from that point in time. It really needs to start from the point in time when you really should have known if it was a reportable situation. And the other one, I suppose, is too, it's not on the 30th day, it's before the 30th day. So you want to make sure you're reporting at the latest on 29th day.
Tara Foulkes
executiveAnd what we found, particularly up here in Queensland with all the public holidays is that really does impact on your 30-day time frame. So you do need to sort of consider weekend. So that if you know the 30-day or the 29th day is going to fall on a Sunday, you need to have your report into ASIC by the Friday. So it's really sort of trying to track that time and making sure you get it in within that 30-day time period.
Nicole Alexander
executiveYes. One of the other things I think is that people are often a bit worried about having breaches. I talked to a licensee only the other day, and he was like, "I don't want to have any breaches." I think people are worried about what this will mean if they've got breaches being reported, whether that's the adviser or the licensees. Any thoughts on that one, Tara?
Tara Foulkes
executiveYes. I think in my discussions with ASIC, because we meet with them quarterly just to let them know what we're doing as a group, being one of the largest dealer groups out there, they really see that this is a data collection exercise. So they have the ability to see what's happening across all the different licenses. And ultimately, they will be, yes, looking at those that are reporting at the moment and investigating if they need to. But they will be looking at licensees that don't breach and thinking, what, this is unusual. They're in the same sort of cohort as these other licenses and they haven't actually sent a reportable situation in. The other thing, I think, that you'll find once you start this process is last year and years before, I've been doing breach reporting for about 10 years now. It was always a really big deal because it was a significant breach. It was something that had client detriment loss, and sometimes it resulted in further investigation by ASIC. The ones that we have been reporting, they've been closing down pretty quickly because we've given them all the information, there's no detrimental loss and we've remediated the situation. So I don't think it's something to be scared of. And the other thing with advisers is sometimes they're thinking well, if -- I guess, if I want to move licensees and there's the reference checking that you have to do now, and you have to report whether there's a breach reported, I think as we go along, licensees, we'll be thinking, well, it'd be unusual not to see breaches against advisers from time to time. And in that report, you also see what the issue was and you can tell that was just a minor breach. It didn't have any client detrimental loss, and it was just because it was a deemed reportable situation. We've got a question here, Nicole. Is it expected from a dealer group level that in this transition period, there will be more reportable breaches regarding FDS?
Nicole Alexander
executiveIt sounds like you're thinking there about the FDS and consent during the transition year, about people not doing that. I don't know whether they're expecting more breaches in that area or not. I will go back and have another look at the FDS. But if you're finding that a large number of people haven't received their FDSs within the appropriate time frame and those sorts of things, it's probably going to be something you look at reporting, as we talked about before, that it's likely to be reportable if it's systemic. I know we're talking to advisers to remind them that those deadlines are fast approaching now, that FDS need to be done, consent forms need to be done to try and make sure that we minimize any issues there.
Tara Foulkes
executiveOne thing I thought I would mention as well to the group is some of the examples that we've had regarding assessing the breach, particularly best interest duty. Anyone who's read Report 515 and seen how ASIC were expecting licensees to conduct an audit on a file and meet the safe harbor steps to best interest duty know that it can be quite easy to miss some information in the process of doing best interest duty. So for instance, when we do an audit, we might see that there's some objectives of the client in there that weren't documented anywhere else outside of that. It might be that within the advice, they have failed to look at the insurance of the client. And maybe that was appropriate to not exclude that in the scope. So there's lots of these different ones that we see popping up and they take a lot more time to assess, to see whether -- usually, we just assess to see whether there's detriment and what the issues are. Now we just have to assess, well, is it actually a best interest duty breach? Or is it our interpretation of best interest duty? So -- or is it just a record-keeping breach? So there's lots of different things that you have to consider when you're doing those ones.
Nicole Alexander
executiveYes. I think that's probably one of the ones there that says it came up in an audit under best interest duty because the information in a file note was different to the information in the SOA. I think from best interest duty point of view, if your information is accurate and correct in your file note, but it's wrong in the SOA, I wouldn't say that, that's the best interest duty breach. That's probably more of an error in the SOA or not including certain information in the SOA that maybe should have been, which we said before, that's actually not a reportable breach. So we did also say it's a learning curve for everybody about how to assess some of these things and looking at them perhaps in a different -- different lens than maybe we have before because it has consequences about what's reportable and what's not.
Tara Foulkes
executiveYes. And that's what -- that sort of leads into where it might be an investigation rather than a breach straightaway. So we're looking at one at the moment where the client is quite a wealthy client. They've got one adviser that's doing the insurance for them, an insurance specialist, and the advice that we have looked at is in relation to their superannuation investments. The adviser in this situation has [indiscernible] out insurance because there's an insurance specialist looking after their insurance. But when they've gone and done the advice, they've actually rolled over 2 super funds into another and have lost -- it's only around $100,000 worth, $100,000 in insurance for life insurance. We're assuming that the insurance specialist has got a robust insurance plan for them but the adviser hasn't got that on file. They haven't looked into that. So basically, it's not meeting best interest duty because we don't know what they've actually got and whether removing the $100,000 worth of cover is going to impact on the client. So that one is we're looking at. We're currently in that investigation stage. If the adviser can't prove that they did look at that beforehand, then it could be a best interest duty breach.
Nicole Alexander
executiveCool. Well, we're right on the hour now. So thank you for attending. Thanks, Tara, for your assistance and your expertise as always. If there's any other questions we haven't got to, we'll have a look at it. And we'll keep an eye out for some of the updated resources that we'll be making available. And thank you very much.
Tara Foulkes
executiveThanks, Nicole.