RG 78 Breach Reporting (Reportable Situations): Clarity, Materiality, Evidence
Understanding RG 78
RG 78 sets out ASIC’s expectations for breach reporting (reportable situations) by AFS and credit licensees. Firms must identify, assess and report potentially significant compliance failures within statutory timeframes (commonly 30 calendar days from when there are reasonable grounds to believe a reportable situation has arisen). The regime covers:
Significance tests (actual or likely material loss/harm, systemic issues, or seriousness of the obligation breached).
Deemed-significant categories (certain civil/criminal contraventions, misleading or dishonest conduct, etc.).
Recurring issues and systemic defects that turn isolated incidents into reportable situations.
Content requirements for reports, including incident details, impacts, remediation status and controls to prevent recurrence.
Why RG 78 Matters
Effective breach reporting protects customers and your licence by turning incidents into controlled, evidenced responses. Strong frameworks:
Reduce enforcement and remediation risk through timely, high-quality reporting.
Improve root-cause management and prioritisation of fixes.
Strengthen board and regulator confidence via consistent taxonomy, traceable decisions and outcome MI.
Link complaint themes (RG 271), distribution risks (DDO), advice conduct (BID/RG 146) and product disclosure (RG 97) into one feedback loop.
Key Challenges Facing Firms
Trigger clarity & materiality: deciding when suspicion becomes reasonable grounds, and when an issue becomes significant or deemed significant.
Clock control: starting, pausing and evidencing investigation timelines; avoiding late reports.
Case triage at scale: separating IDR-only matters from reportable situations; deduplicating linked issues.
Root-cause & systemic detection: stitching signals across complaints, QA, surveillance, ops incidents and audit findings.
Content quality: writing reports that are complete, consistent and remediation-focused.
Representative & third-party oversight: getting adequate incident data and control assurance from ARs, brokers and outsourced service providers.
MI & governance: presenting boards with decision-useful dashboards (volume, timeliness, severity, customer impact, closure velocity, repeat root causes).
How OCG Can Help
Oceanic Consulting Group (OCG) turns breach reporting from a compliance burden into a disciplined improvement engine.
Framework & policy design: significance tests, trigger taxonomy, decision trees, investigation standards, and quality gates.
Operating model: roles/RACI across three lines; intake, triage, escalation and legal sign-off; interface with IDR (RG 271), DDO and remediation.
Content uplift: report templates, evidence packs, root-cause narratives, remedial actions and preventative controls.
Systems & data: single source of truth for incidents, timers, audit trails, and analytics that detect systemic issues early.
Training & playbooks: scenario libraries for product, distribution, advice and operations; “what good looks like” exemplars.
Independent reviews: effectiveness testing, late-report root-cause analyses, and board-ready improvement plans.
FAQs
When does the 30-day clock start?
When you have reasonable grounds to believe a reportable situation has arisen (not merely when first suspected). Document your decision points and investigation milestones.
How should IDR and RG 78 interact?
Treat IDR as customer resolution and RG 78 as regulatory accountability. Complaint themes can trigger reportable situations if they are significant or systemic. Ensure shared taxonomies and data lineage.
What makes a high-quality breach report?
Clear facts, scope and impacts; significance rationale; customer cohorts and remediation approach; root cause; and preventative controls with accountable owners and dates.
Strengthen Your Breach Reporting Framework
Work with OCG’s Compliance Specialists
Don’t let breach reporting obligations expose your firm to risk. Contact OCG today to build defensible RG 78 frameworks that meet ASIC’s expectations and demonstrate accountability.
