What to Do When Things Go Wrong: A Guide to Dispute & Breach Management

Key Takeaways
- AFS licensees must have a two-tiered dispute resolution system: Internal Dispute Resolution (IDR) managed by you, and access to the external body, AFCA.
- You must adhere to strict timeframes for responding to client complaints, as outlined in ASIC’s Regulatory Guide 271.
- The Reportable Situations Regime (breach reporting) legally requires you to notify ASIC of significant compliance failures.
- A breach is deemed “significant” based on factors like its frequency, its impact on your services, and the financial loss caused to clients.
- If a breach causes loss to a retail advice client, you have specific obligations to Notify, Investigate, and Remediate.
Even with the best planning, things can sometimes go wrong. How your business responds in these moments is a true test of its integrity and compliance culture. Your general obligations require you to have robust systems not just for preventing problems, but also for dealing with them effectively when they arise.
These reactive processes—dispute resolution and breach reporting—are not just administrative hurdles. They are fundamental to maintaining consumer trust and providing ASIC with the visibility it needs to oversee the industry. From our experience, a well-handled complaint can sometimes even strengthen a client relationship, while a poorly managed breach can create immense regulatory and reputational risk.
What is the Dispute Resolution Framework for AFS Licensees?
For retail clients, the dispute resolution framework is a two-tiered system. The first tier is your own Internal Dispute Resolution (IDR) process. This is your frontline opportunity to resolve a client’s dissatisfaction directly. If the issue cannot be resolved internally, the client has the right to escalate it to the second tier: External Dispute Resolution (EDR), which is handled by the Australian Financial Complaints Authority (AFCA).
As an AFS licensee providing services to retail clients, membership with AFCA is mandatory.
What are your Internal Dispute Resolution (IDR) obligations?
Your IDR procedures must meet the standards set out by ASIC in Regulatory Guide 271: Internal dispute resolution. This is more than just an informal chat; it’s a formal system with specific requirements.
Key components of a compliant IDR system include:
- A broad definition of ‘complaint’: A complaint is any expression of dissatisfaction where a response or resolution is expected. It doesn’t need to be in writing or use the word “complaint.”
- A publicly available policy: Your complaints policy must be easy for clients to find and understand.
- Thorough record-keeping: You must record all complaints received in a system that allows you to track their progress and outcome.
You must also adhere to maximum timeframes for providing a final IDR response.
| Complaint Type | Maximum IDR Timeframe |
| --- | --- |
| Standard Complaints | 30 calendar days |
| Traditional Trustee Complaints | 45 calendar days |
| Superannuation Death Benefit Distribution Complaints | 90 calendar days |
Finally, you are required to submit an IDR data report to ASIC every six months via the ASIC Regulatory Portal, even if you had zero complaints.
What is the Reportable Situations Regime?
The Reportable Situations Regime, governed by Regulatory Guide 78: Breach reporting, is your legal duty to report certain compliance failures and other matters to ASIC. This regime is a critical source of regulatory intelligence for ASIC, allowing it to identify industry trends and potential harms.
What makes a situation “reportable”?
A “reportable situation” isn’t just any minor error. The key triggers for reporting include:
- A breach (or likely breach) of a “core obligation” that is determined to be significant.
- An investigation into a significant breach of a core obligation that continues for more than 30 days.
- Additional situations involving conduct such as gross negligence or serious fraud.
How do you determine if a breach is “significant”?
The test for “significance” is objective and requires you to consider several factors. A breach of a core obligation is significant if, for example:
- There is a high number or frequency of similar breaches.
- It has a negative impact on your ability to provide financial services.
- It indicates that your compliance arrangements are inadequate.
- It has caused, or has the potential to cause, financial loss to clients or your business.
This is not an exhaustive list, and the assessment requires careful and honest judgment.
Expert Insight: The quality and timeliness of your breach reports are, in themselves, a reflection of your compliance culture. Inadequate, late, or poorly detailed reports can be a major red flag for ASIC, suggesting deeper issues within your systems.
What are your “Notify, Investigate, and Remediate” obligations?
A specific and critical set of obligations is triggered when a reportable situation involves personal advice given to a retail client, and that client has suffered a loss for which they could legally seek recovery.
As detailed in ASIC’s Information Sheet 79, you must take three key actions:
- Notify Affected Clients: You must take reasonable steps to notify the affected clients of the situation within 30 days.
- Investigate the Situation: You must begin a formal investigation into the matter within 30 days.
- Remediate Affected Clients: You must take reasonable steps to calculate and pay the client an amount equal to their loss or damage.
These obligations are serious and carry significant penalties for non-compliance.
In Conclusion
While the goal is always to prevent issues from occurring, having clear, effective, and well-documented processes for when they do is a non-negotiable part of being a licensee. A robust framework for managing disputes and reporting breaches protects your clients, helps you manage your regulatory risk, and ultimately demonstrates the accountability that builds long-term trust.