Notify a breach
Important update: Breach reporting is moving to APRA Connect as of 21 May 2026. Please refer to the information below for full details and guidance.
Latest updates
This page has been updated to reflect changes to breach reporting arrangements from Thursday 21 May 2026.
What breaches must be reported to APRA?
Breach notification requirements were imposed on all APRA-regulated institutions from 1 January 2008. A breach notification arises where an APRA-regulated institution is required, in accordance with the industry’s relevant legislation, to notify APRA of a breach of a prudential requirement.1
The legislation for each industry sets out the circumstances where an institution must notify APRA and the required timeframes for reporting the breach to APRA.
The legislation also contains a ‘significance’ test to assist institutions in assessing the seriousness of a breach. The ‘significance’ tests under each industry’s relevant legislation are very similar (note that the Private Health Insurance (Prudential Supervision) Act 2015 does not include a ‘significance’ test). The ‘significance’ test is a subjective test determined by the APRA-regulated institution under the provisions of each industry’s relevant legislation. To determine what breaches are considered to be significant, institutions need to consider the following factors:
- the number or frequency of similar breaches;
- the impact the breach has on the ability to conduct business (or in the Superannuation industry, the RSE licensee’s ability to fulfil its obligations as trustee);
- whether the breach indicates that the institution’s arrangements to ensure regulatory compliance might be inadequate; and
- actual or potential financial loss to members, policy holders or depositors of the institution.
The assessment of whether a breach is significant rests with the APRA-regulated institution, having regard to its legal obligations under the respective legislation that applies to it.
For further information refer to the relevant legislation including:
- s. 29JA of the Superannuation Industry (Supervision) Act 1993
- s. 132A of the Life Insurance Act 1995
- s. 38AA of the Insurance Act 1973
- s. 62A of the Banking Act 1959
- s. 95 of the Private Health Insurance (Prudential Supervision) Act 2015
When must a breach be notified to APRA?
If the breach relates to the financial position or financial obligations of an ADI, life insurer or general insurer, the institution must immediately notify APRA in writing (and in the case of a private health insurer, as soon as practicable).
In relation to other significant breaches of a prudential requirement, a breach must be notified to APRA by ADIs, life insurers, and general insurers as soon as practicable, but in any case, no later than 10 business days after those institutions become aware of a breach. For RSE licensees, a written report about the breach must be provided to APRA as soon as practicable, and in any case within 30 days, after becoming aware of the breach. For private health insurers, a breach must be notified to APRA as soon as practicable.
Failing to notify a breach of a prudential requirement to APRA
Failure to notify APRA of a breach of a prudential requirement is an offence under each industry’s relevant legislation and a penalty of 30 units for private health insurers, 50 units for RSE licensees and 200 units for ADIs, life insurers and general insurers may apply.
Reporting breaches to ASIC
Breaches under APRA administered legislation may also breach ASIC administered legislation. You should determine if you are also required to report the breach to ASIC.
Reporting a breach to APRA will constitute the lodgement of a report under s 912DAA(1) of the Corporations Act to ASIC, provided that:
- the report given to APRA contains all of the information under s 912DAA. APRA suggests that, in order to ensure compliance, you use the prescribed form contained on APRA’s Online Breach Notification System (the Extranet), and
- the ASIC breach report is provided within the time required under s 912DAA(3).2
You should not use the Online System or forms to report a breach that relates solely to ASIC-administered legislation. You should refer to ASIC to ascertain how to report these breaches.
How to report a breach to APRA
Reporting a breach
APRA’s required method for ADIs (including restricted ADIs), life insurers, general insurers, private health insurers and RSE licensees is to use APRA’s data collection system, APRA Connect.
To access APRA Connect, breach submitters under regulated institutions will need to have RAM and myID.
APRA Connect includes a new Breach Submitter role for breach reporting. To submit a breach, your Regulatory Reporting Administrator (RRA) must assign the Breach Submitter role to an appropriate user (for example, a Prudential Contact or Company Secretary).
Entities may assign this role to multiple users. All entities must have at least one Breach Submitter role assigned before they can submit a breach in APRA Connect. This role will also enable entities to submit breaches to both APRA and ASIC where applicable.
The following video demonstrates how to assign the Breach Submitter role, and access breach reporting forms in APRA Connect.
For more information on APRA Connect, refer to the APRA Connect support material.
FAR breaches and CPS 230/CPS 234 incident notifications
Please note, the submission of FAR breaches or CPS 230 and CPS 234 incident notifications does not fall under this process. Information about these submissions can be found on the relevant APRA website pages.
Footnotes
1 Obligations within the prudential standards to notify APRA are not considered to be a breach and reportable to APRA as described on this page. For example, notifications of Information Security Incidents and Material Information Security Control Weaknesses required by CPS 234 Information Security continue to be reported to APRA by the links contained under Prudential Standard 234 on the APRA website.
2 The required time is within 30 days after a financial services licensee first knows that, or is reckless with respect to whether, there are reasonable grounds to believe a reportable situation has arisen.
For more information
- If you are from an APRA supervised institution, contact your APRA Responsible Supervisor.
- All other users should contact APRA on 1300 558 849 or complete our enquiries form.