Notify a breach
What breaches must be reported to APRA?
Breach notification requirements were imposed on all APRA-regulated institutions from 1 January 2008. A breach notification arises where an APRA-regulated institution is required, in accordance with the industry’s relevant legislation, to notify APRA of a breach of a prudential requirement.
The legislation for each industry sets out the circumstances where an institution must notify APRA either immediately or as soon as practicable.
The legislation also introduced a ‘significance’ test to assist institutions in assessing the seriousness of a breach. The ‘significance’ tests under each industry’s relevant legislation are very similar (note that the Private Health Insurance (Prudential Supervision) Act 2015 does not include a ‘significance’ test). The ‘significance’ test is a subjective test determined by the APRA-regulated institution under the provisions of each industry’s relevant legislation. To determine what breaches are considered to be significant, institutions need to consider the following factors:
- the number or frequency of similar breaches;
- the impact the breach has on the ability to conduct business (or in the Superannuation industry, the RSE licensee’s ability to fulfil its obligations as trustee);
- whether the breach indicates that the institution’s arrangements to ensure regulatory compliance might be inadequate; and
- actual or potential financial loss to members, policy holders or depositors of the institution.
The assessment of whether a breach is significant rests with the APRA-regulated institution, having regard to their legal obligations under the respective legislation that applies to them.
For further information refer to the relevant legislation including:
- s. 29JA of the Superannuation Industry (Supervision) Act 1993
- s. 132A of the Life Insurance Act 1995
- s. 38AA of the Insurance Act 1973
- s. 62A of the Banking Act 1959
- s. 95 of the Private Health Insurance (Prudential Supervision) Act 2015
When must a breach be notified to APRA?
If the breach relates to the financial position or financial obligations of an ADI, life insurer, general insurer, the institution must immediately notify APRA in writing (and in the case of a private health insurer, as soon as practicable).
In relation to other breaches of a prudential requirement, a breach must be notified to APRA by ADIs, life insurers, general insurers and RSE licensees as soon as practicable, but in any case no later than 10 business days after those institutions become aware of a breach. For private health insurers, a breach must be notified to APRA as soon as practicable.
Failing to notify a breach of a prudential requirement to APRA
Failure to notify APRA of a breach of a prudential requirement is an offence under each industry’s relevant legislation and a penalty of 30 units for private health insurers, 50 units for RSE licensees and 200 units for ADI’s, life insurers and general insurers may apply.
Reporting breaches to ASIC
Institutions should determine whether they also should report a breach to the Australian Securities and Investments Commission (ASIC) where the institution holds an AFS licence or the breach relates to a legislative provision administered by ASIC. Refer to www.asic.gov.au for further guidance. If your breach of APRA-administered legislation also breaches ASIC – administered legislation, you may choose to use this form to notify ASIC as well as APRA. APRA will be acting as ASIC’s agent for the purpose of collecting these dual breach reports and forwarding them to ASIC.
If you are required to only report the breach to ASIC, you must report it directly to ASIC (and may not use this form).
How to report a breach to APRA
Reporting a breach – APRA’s preferred method for ADI, life insurers, general insurers and RSE licensees is to use the online system, the APRA Extranet.
Extranet - To access the APRA Extranet, regulated institutions will need to have a myGovID as well as up-to-date information in APRA’s contacts database.
The APRA Extranet is not currently available for private health insurance lodgements, accordingly PHIs are to use the PHI Breach template.
For private health insurers and institutions that are unable to use the Extranet, PDF versions of the form are available below:
The prudential contact or company secretary is required to have a myGovID login to authorise a breach to be reported using the Extranet. Refer to the D2A and Extranet are replacing AUSkey with myGovID and RAM page or the or the ATO website which contains full information about myGovID and RAM.
Online breach reporting
The online system was released on 25 August 2011. You will need a myGovID to access the breach online form via the Extranet. The online system enables you to:
- save breach forms in draft;
- view previously submitted breaches;
- print breach forms;
- prudential contacts or company secretaries with an myGovID login can submit breaches directly.
Verification emails will no longer include a copy of the form.