RG 78 Breach Reporting & the Reportable Situations Regime

What is the reportable situations regime?

Under Regulatory Guide 78 (RG 78), Australian financial services (AFS) and credit licensees must report “reportable situations” to ASIC. These include significant breaches (and likely breaches) of core obligations, certain long-running investigations, serious misconduct (gross negligence or serious fraud), and some breaches relating to other licensees.

You must lodge a report within 30 calendar days after you first know – or are reckless about – there being reasonable grounds to believe a reportable situation has arisen.

ASIC views this regime as a cornerstone of the financial services regulatory framework and a critical source of intelligence on misconduct and emerging risks.


Key features & recent changes you need to know

1. What must be reported?

Reportable situations include:

  • Significant breaches or likely breaches of core obligations (e.g. licence obligations, conduct provisions, disclosure obligations).

  • Investigations into potential significant breaches that run beyond a defined threshold of days (see below).

  • The outcome of such investigations, even if you conclude there is no significant breach.

  • Gross negligence or serious fraud.

  • Certain breaches relating to other licensees.

Some contraventions are “deemed significant” and automatically reportable; others rely on a significance assessment (e.g. number/impact of clients, financial loss, systemic issues).

2. Timeframes – 30 days, 60 days and 90 days

Under the core regime and RG 78:

  • Licensees must report a reportable situation within 30 days of first knowing (or being reckless about) reasonable grounds to believe a reportable situation has arisen.

  • Where you have already reported a situation, a further situation arising from the same or substantially similar underlying circumstances may be reported within 90 days rather than 30, under targeted relief designed to reduce duplicate reporting.

Additional 2025 relief further refines the regime:

  • An investigation is itself a reportable situation only once it has run for more than 60 days (previously 30), easing the reporting of short investigations that are resolved quickly.

  • Where a dual-regulated licensee lodges a breach report with APRA that contains all the information ASIC requires, that report may be treated as lodged with ASIC, reducing duplication.

3. Targeted relief on low-value reports

ASIC has progressively modified the regime to reduce low-value reporting and focus on meaningful intelligence:

  • Relief from reporting particular breaches of misleading and deceptive conduct and some civil penalty provisions where reports added limited regulatory value.

  • Further targeted relief in 2025 via the 2025 Relief Instrument, intended to cut compliance cost and sharpen the signal-to-noise ratio in breach data.

4. ASIC’s insights – where firms are still struggling

ASIC’s REP 800 – Insights from the reportable situations regime (July 2023–June 2024) and related commentary highlight recurring weaknesses:

  • Under-reporting and inconsistent application of significance tests.

  • Delayed reporting, sometimes many months after breaches were known.

  • Poor root-cause analysis and limited remediation detail.

  • Patchy data quality in reports, weakening ASIC’s ability to analyse trends.

In October 2025, ASIC launched a public Reportable Situations data dashboard, making breach trends visible to the market and sharpening reputational incentives to get this right.


Why RG 78 is a top-priority topic for licensees

For stockbrokers, advisers, super trustees, banks and credit providers, the regime sits at the intersection of:

  • Regulatory risk – failure to report can attract civil penalties and is itself a red flag for ASIC.

  • Operational risk & CPS 230 – your ability to identify, escalate, remediate and report breaches is now a core operational-resilience control.

  • Conduct & consumer risk – breach themes (fees, disclosure, product governance, complaints) often align with DDO, RG 271 and FAR accountability concerns.

Done well, breach reporting becomes proof of a healthy control environment and can build trust with regulators. Done poorly, it signals weak governance, fragile systems and blurred accountability.


Common pain points we see

  • Fragmented incident & breach registers spread across business units and platforms.

  • Manual, spreadsheet-driven processes that cannot scale and are prone to error.

  • Confusion about investigation vs reportable situation thresholds (30-, 60-, 90-day rules).

  • Weak root-cause analysis – symptoms patched, but systemic drivers untreated.

  • Limited linkage between breach data and complaints (RG 271), IDR reporting, DDO issues and FAR accountability.


How OCG helps clients operationalise RG 78

We work with AFS and credit licensees across broking, wealth, banking, super and credit to turn RG 78 into a structured, evidence-rich programme.

1. Design a coherent breach & incident framework

  • Map end-to-end workflows from issue detection to closure, including triage, significance testing, escalation and reporting.

  • Clarify roles and RACI across first, second and third line, including the board and accountable executives.

  • Align breach categories with your obligation register, complaints taxonomy and product governance (DDO) issues.

2. Build data, systems and MI that actually work

  • Consolidate breaches and incidents into a single system of record with strong data governance and audit trails.

  • Configure logic to reflect RG 78 timeframes (30/60/90) and trigger alerts before deadlines.

  • Develop board and executive dashboards showing breach volumes, themes, root causes, remediation status and consumer impact.

3. Lift quality of investigations and reports

  • Standardise investigation templates: facts, chronology, obligations, root cause, control failures, customer impact, remedial actions.

  • Define root-cause taxonomies that distinguish process, system, people, product and third-party drivers.

  • Train teams on writing ASIC-ready breach reports that are clear, quantified and forward-looking.

4. Integrate with CPS 230, DDO, RG 271 and FAR

  • Link breach themes to critical operations and operational-resilience scenarios under CPS 230.

  • Connect DDO and IDR data, ensuring complaints and distribution issues feed into breach analysis.

  • Map material breach themes to accountable persons under FAR where relevant.


FAQs

Does every breach need to be reported?
No. Only reportable situations must be notified – including significant breaches, some long-running investigations, serious misconduct and specified deemed situations. Some low-value categories have been carved out under ASIC’s targeted relief.

How long do we have to investigate before reporting?
You must report a reportable situation within 30 days of first knowing there are reasonable grounds to believe it has arisen. Investigations that run beyond 60 days without resolution may themselves be reportable, subject to the latest relief.

What is ASIC looking for in good reporting?
ASIC wants timely, accurate, complete reports that explain the conduct, quantify impact, identify root causes, outline remediation, and show governance involvement. REP 800 emphasises under-reporting, delays and patchy root-cause analysis as key weaknesses.

How public is our breach data?
ASIC’s public Reportable Situations dashboard aggregates data up to sector level rather than naming individual licensees, but ASIC has signalled it may consult on greater transparency in future.


Strengthen Your Breach Reporting Framework

Work with OCG’s Breach & Incident Specialists

Turn RG 78 from a source of anxiety into a proof point of control. OCG helps you redesign breach frameworks, uplift systems and data, and sharpen investigations and reporting so you can meet ASIC’s expectations – and build trust – with confidence.

Speak with OCG’s Risk Advisory team today

Learn more from our thought leadership articles and updates
