Notify a breach
The existing approach for reporting breaches of APRA administered legislation remains unchanged.
The approach for reporting breaches of ASIC administered legislation has changed as set out in the box.
From 1 October 2021 RSE Licensee, ADIs, General Insurers, and Life Insurers are required to lodge ASIC breach notifications in the Prescribed Form. This form will be available on the APRA website (within the online form)
- for RSE Licensees - from 23 October 2021;
- for ADIs, general insurers and life insurers - from early December 2021.
In the intervening period, these entities must lodge breach notifications to ASIC directly via the ASIC breach reporting portal.
This does not apply to PHIs.
What breaches must be reported to APRA?
Breach notification requirements were imposed on all APRA-regulated institutions from 1 January 2008. A breach notification arises where an APRA-regulated institution is required, in accordance with the industry’s relevant legislation, to notify APRA of a breach of a prudential requirement.1
The legislation for each industry sets out the circumstances where an institution must notify APRA and the required timeframes for reporting the breach to APRA.
The legislation also contains a ‘significance’ test to assist institutions in assessing the seriousness of a breach. The ‘significance’ tests under each industry’s relevant legislation are very similar (note that the Private Health Insurance (Prudential Supervision) Act 2015 does not include a ‘significance’ test). The ‘significance’ test is a subjective test determined by the APRA-regulated institution under the provisions of each industry’s relevant legislation. To determine what breaches are considered to be significant, institutions need to consider the following factors:
- the number or frequency of similar breaches;
- the impact the breach has on the ability to conduct business (or in the Superannuation industry, the RSE licensee’s ability to fulfil its obligations as trustee);
- whether the breach indicates that the institution’s arrangements to ensure regulatory compliance might be inadequate; and
- actual or potential financial loss to members, policy holders or depositors of the institution.
The assessment of whether a breach is significant rests with the APRA-regulated institution, having regard to their legal obligations under the respective legislation that applies to them.
For further information refer to the relevant legislation including:
- s. 29JA of the Superannuation Industry (Supervision) Act 1993
- s. 132A of the Life Insurance Act 1995
- s. 38AA of the Insurance Act 1973
- s. 62A of the Banking Act 1959
- s. 95 of the Private Health Insurance (Prudential Supervision) Act 2015
When must a breach be notified to APRA?
If the breach relates to the financial position or financial obligations of an ADI, life insurer or general insurer, the institution must immediately notify APRA in writing (and in the case of a private health insurer, as soon as practicable).
In relation to other breaches of a prudential requirement, a breach must be notified to APRA by ADIs, life insurers, and general insurers as soon as practicable, but in any case, no later than 10 business days after those institutions become aware of a breach. For RSE licensees, a written report about the breach must be provided to APRA as soon as practicable, and in any case within 30 days, after becoming aware of the breach. For private health insurers, a breach must be notified to APRA as soon as practicable.
Failing to notify a breach of a prudential requirement to APRA
Failure to notify APRA of a breach of a prudential requirement is an offence under each industry’s relevant legislation and a penalty of 30 units for private health insurers, 50 units for RSE licensees and 200 units for ADI’s, life insurers and general insurers may apply.
Reporting breaches to ASIC
Breaches under APRA administered legislation may also breach ASIC administered legislation. You should determine if you are also required to report the breach to ASIC.
Reporting a breach to APRA will constitute the lodgement of a report under 912DAA(1) of the Corporations Act to ASIC, provided that:
- the report given to APRA contains all of the information under s912DAA. APRA suggests that, in order to ensure compliance, you use the prescribed form contained on APRA’s Online Breach Notification System (the Extranet) to ensure any information that is required by the ASIC prescribed form is provided, and
- the ASIC breach report is provided within the time required under s 912AA(3).2
You should not use the Online System or forms to report a breach that relates solely to ASIC-administered legislation. You should refer to ASIC to ascertain how to report these breaches.
How to report a breach to APRA
Reporting a breach – APRA’s preferred method for ADIs, life insurers, general insurers and RSE licensees is to use the online breach reporting system, the APRA Extranet.
Extranet - To access the APRA Extranet, regulated institutions will need to have a myGovID as well as up-to-date information in APRA’s contacts database.
The APRA Extranet is not currently available for private health insurance lodgements, accordingly PHIs are to use the PHI Breach template.
For private health insurers and institutions that are unable to use the Extranet, PDF versions of the form are available below:
The prudential contact or company secretary is required to have a myGovID login to authorise a breach to be reported using the Extranet. Refer to the D2A and Extranet have replaced AUSkey with myGovID and RAM page for further detail.
Online breach reporting system
The online system was released on 25 August 2011. You will need a myGovID to access the breach online form via the Extranet. The online system enables you to:
- save breach forms in draft;
- view previously submitted breaches;
- print breach forms;
- prudential contacts or company secretaries with an myGovID login can submit breaches directly.
Verification emails will no longer include a copy of the form.
1 Obligations within the prudential standards to notify APRA are not considered to be a breach and reportable to APRA as described on this page. For example, notifications of Information Security Incidents and Material Information Security Control Weaknesses required by CPS 234 Information Security continue to be reported to APRA by the links contained under Prudential Standard 234 on the APRA website.
2 The required time is within 30 days after a financial services licensee first knows that, or is reckless with respect to whether, there are reasonable grounds to believe a reportable situation has arisen.