Skip to main content

Notify a breach

 Reporting a breach - APRA's preferred method for entities to report a breach is to use the online system, the APRA Extranet 

What breaches must be reported to APRA?

If an APRA regulated institution becomes aware that it has breached (or will breach) a prudential requirement and that breach is ‘significant’, it must give APRA a written report about the breach. You may use the online breach reporting system to give the report to APRA. For further information refer to the relevant legislation including:

  • s. 29JA of the Superannuation Industry (Supervision) Act 1993
  • s. 132A of the Life Insurance Act 1995
  • s. 38AA of the Insurance Act 1973
  • s. 62A of the Banking Act 1959
  • s 95 of the Private Health Insurance(Prudential Supervision) Act 2015

Important – Superannuation only

Breach forms can only be submitted to APRA using a myGovID that has been issued to a Trustee (i.e. RSE Licensee) ABN. If you have an AUSkey that has been issued in respect of a Fund ABN, the breach form cannot be submitted to APRA. More information about myGovID can be found here: 

When must a breach be notified to APRA?

If the breach relates to the sound financial position or financial obligations of an ADI, life insurer or general insurer, the institution must immediately notify APRA in writing.

In relation to other breaches of the prudential requirement, a breach must be notified within 10 business days after the institution becomes aware a breach has occurred.

Failing to notify a breach of a prudential requirement to APRA

Failure to notify APRA of a breach of a prudential requirement is a strict liability offence and a penalty of 200 units may apply.

Reporting breaches to ASIC

Institutions should determine whether they also should report a breach to the Australian Securities and Investments Commission (ASIC) where the institution holds an AFS licence or the breach relates to a legislative provision administered by ASIC. Refer to further guidance. If your breach of APRA-administered legislation also breaches ASIC–administered legislation, you may choose to use this form to notify ASIC as well as APRA. APRA will be acting as ASIC’s agent for the purpose of collecting these dual breach reports and forwarding them to ASIC.

If you are required to only report the breach to ASIC, you must report it directly to ASIC (and may not use this form).

How to report a breach to APRA

APRA’s preferred method is to use the online system, the APRA Extranet. The APRA Extranet is not currently available for private health insurance lodgements, accordingly private health insurers are to use the private health insurance notification form below

For private health insurers, or if you are unable to use the Extranet, PDF versions of the form are available:

Updated March 2020

The prudential contact or company secretary is required to have a myGovID login to authorise a breach to be reported using the Extranet.

To access the APRA Extranet, users for regulated institutions will need to have a myGovID and be authorised in Relationship Authorisation Manager (RAM). For more information, please visit the Extranet help page or the ATO website which contains full information about myGovID and RAM.

Online breach reporting

The online system was released on 25 August 2011. As of 27 March 2020 you need a myGovID to access the breach online form via the Extranet. The online system enables you to:

  • save breach forms in draft;
  • view previously submitted breaches;
  • print breach forms;
  • prudential contacts or company secretaries with a myGovID can submit breaches directly.

Verification emails will no longer include a copy of the form.

For more information

  • If you are from an APRA supervised institution, contact your APRA Responsible Supervisor.
  • All other users should contact APRA on 1300 558 849 or email