According to Blake Dawson Waldron partner Michael Vrisakis, a key obligation imposed under the new regime is that financial services licensees have to report significant breaches of financial services law within five business days.

In guidelines recently released by the Australian Securities and Investments Commission (ASIC) dealing with breach reporting, the Commission details how it sees the regime working and gives guidance and interpretation of key aspects of the regime.

One of these guidelines is important for both in-house and external lawyers, said Vrisakis. That is, that institutions should not wait to get legal advice before they report a potential breach to ASIC.

The ASIC guide, Breach Reporting by AFS Licensees, states that in making a breach report, “ASIC considers that you should not wait until after the breach or likely breach has been considered by your internal or external legal advisers”.

ASIC is concerned that seeing a lawyer first might defeat the law’s intention for ASIC to be informed of significant breaches as soon as practicable, Vrisakis said.

This has serious ramifications for lawyers, according to Vrisakis, who said there should be some protection of institutions to have legal advice. “Lawyers believe that before you can report prudently and sensibly, you will often need legal advice as to whether there has been a breach of the law and whether or not it is significant,” he said.

“The problem with ASIC’s stance from a legal perspective is that, particularly given the complexity of the legislation, it will often, if not regularly, be the case that legal advice is an essential precursor to ascertaining whether in fact a breach exists in the first place and secondly whether it is significant,” Vrisakis said.

As well, if legal advice is not sought, there is a risk of inaccurate reporting or reporting that compromises the legal position of the institution, according to Vrisakis. “For example, the legislation requires a report about the matter, not that a licensee admit legal liability,” he said.

Another risk lies in the term “likely”, used in the legislation and referred to in ASIC’s guidelines, Vrisakis said. It requires reporting of likely as well as actual breaches, “but this refers to ‘likely breaches’ in the sense of future breaches, not whether a particular set of circumstances which have occurred is likely to be a breach,” he said.

Organisations may need legal advice to steer them through such technicalities, Vrisakis suggested. “Bypassing legal advice would mean bypassing a fundamental right and protection of an organisation.”