ASIC Reportable Situations Regime: 7 Lessons for AFS Licensees in 2026
The ASIC reportable situations regime is one of the most important ongoing obligations for Australian financial services licensees. For small AFS licensees, advisers, brokers and specialist financial services practices, the risk is not just missing a lodgement. It is failing to identify an incident early enough to decide whether it must be reported, investigated, updated and remediated.
ASIC's reportable situations data is now much more visible. The regulator launched a public dashboard in October 2025, showing breach reporting trends across AFS and credit licensees. That makes breach reporting less of a private back-office task and more of a governance signal.
This guide explains what small AFS licensees should take from ASIC's latest guidance, review findings and dashboard data, and how to build a practical breach reporting process that does not depend on one person remembering every rule.
This article is general information only. Reportable situations can be legally complex, so licensees should check ASIC's current guidance and get professional compliance or legal advice for specific matters.
ASIC Reportable Situations Regime: What AFS Licensees Must Track
ASIC's reportable situations guidance says AFS and credit licensees must generally report reportable situations to ASIC through the prescribed form in the ASIC Regulatory Portal.
For AFS licensees, the regime sits under the breach reporting provisions in Part 7.6 of the Corporations Act 2001. ASIC's Regulatory Guide 78 explains the obligation in detail.
At a practical level, your process needs to identify and assess whether an event falls into one of the key categories, including:
- Significant breaches or likely significant breaches of core obligations
- Investigations into significant breaches or likely significant breaches of core obligations that continue for more than 60 days
- The outcome of those investigations, including where no significant breach is found
- Conduct that constitutes gross negligence or serious fraud
- Certain reportable situations about representatives of other licensees who provide personal advice
ASIC says licensees must generally notify ASIC within 30 calendar days after they first know, or are reckless about whether, there are reasonable grounds to believe a reportable situation has arisen.
That timing is important. The question is not simply "when did we finish the investigation?" It is whether the business had enough information to form reasonable grounds that a reportable situation had arisen.
For a small AFS licensee, the operational challenge is clear: if your incident process is slow, incomplete or informal, you may not even know when the 30-day clock started.
Why ASIC's 2025 Dashboard Matters for Small Licensees
ASIC launched its Reportable Situations data dashboard on 31 October 2025. The dashboard covers reports with an initial submission date between 1 July 2024 and 30 June 2025.
The dashboard matters because it gives ASIC, consumers and industry participants a clearer view of:
- The volume and nature of reported breaches
- Customer impact and financial loss
- How long it takes licensees to discover, investigate, rectify and compensate
- Which licensees are reporting, by size and type
ASIC says the dashboard data must be read carefully. High report volumes do not automatically mean worse compliance. In some cases, they may show stronger systems for identifying and recording problems. Low report volumes do not automatically prove non-compliance either.
But the numbers still give small licensees a useful benchmark. ASIC reported that in FY24/25 it received 12,001 reports and 6,485 updates. For AFS licensees, ASIC recorded 930 licensees submitting 7,909 reportable situation reports. In the under-$50 million revenue bucket, 648 AFS licensees submitted 2,096 reports, representing 12.5% of the current licensees in that size bucket.
If your practice has no reportable situations, that may be correct. But if it also has no incident register entries, no near misses, no complaints, no advice review exceptions, no fee errors and no privacy or cyber incidents, the bigger question is whether the business is identifying issues at all.
Lesson 1: Use a Broad Incident Definition
ASIC's December 2024 review of 14 licensees found deficiencies in incident management, especially in how incidents were identified, escalated and recorded. ASIC said some licensees used complex or restrictive definitions, while others did not have a definition at all.
For a small AFS licensee, the fix should be simple. Define an incident broadly enough that staff do not need to make a legal judgement before escalating it.
A practical definition could be:
An incident is something that has gone wrong, or nearly gone wrong, in providing financial services or running the licensed business.
Examples worth capturing include:
- Advice file errors or missing client documents
- Incorrect fees, fee consents or ongoing service arrangements
- Product implementation errors
- Conflicts of interest that were not identified or recorded
- Internal dispute resolution complaints and AFCA escalations
- Authorised representative conduct concerns
- Privacy, cyber or data handling incidents
- Failure to meet licence conditions, training obligations or supervision requirements
- Repeated process failures, even where the financial impact appears small
Staff do not need to know whether something is reportable. They need to know what to record and who to tell.
Lesson 2: Separate Incident Capture From Reportable Situation Assessment
One common mistake is expecting frontline staff, advisers or administrators to decide whether a matter is a reportable situation. That creates two risks: serious issues are filtered out too early, and staff avoid reporting because the threshold feels legalistic.
A better structure is:
- Staff record incidents quickly using a simple form or register.
- A nominated owner triages each incident.
- The triage owner decides whether a breach assessment is needed.
- A responsible manager, compliance lead or external adviser signs off the assessment.
- The register records the decision, reasons, owners, deadlines and next action.
For small practices, this does not require enterprise software. It does require discipline. Every incident should have a status, an owner and an assessment date. If the matter needs investigation, the register should show when the investigation started, what is being tested, and when it must be reviewed for 60-day reporting risk.
For broader licence obligations that sit around this process, see our AFSL obligations guide.
Lesson 3: Manage the 30-Day and 60-Day Clocks
The reportable situations regime has timing traps.
The first is the 30 calendar day reporting window. ASIC's guidance says this generally runs from when the licensee first knows, or is reckless about whether, there are reasonable grounds to believe a reportable situation has arisen.
That means a practice should not wait for a quarterly compliance meeting before escalating a potential breach. If the facts suggest a significant breach may have happened, the assessment needs to move quickly.
The second is the 60-day investigation threshold. If an investigation into whether there is a significant breach or likely significant breach of a core obligation continues for more than 60 days, that investigation itself can become reportable. The outcome of the investigation may also need to be reported, including where the investigation finds there was no significant breach.
Build these controls into your workflow:
- Day 0: incident identified and entered into the register
- Day 1-2: triage owner assigned
- Day 5-10: initial breach assessment completed or escalated
- Day 20: reportability decision reviewed if still unresolved
- Day 25: draft ASIC report prepared if reporting appears likely
- Day 45: investigation status reviewed for 60-day risk
- Day 55: senior sign-off on whether the ongoing investigation must be reported
These are internal control points, not ASIC deadlines. They help make sure the real deadlines are not discovered too late.
Some AFS licensees also need to consider ASIC's notify, investigate and remediate obligations for certain personal advice matters involving affected retail clients. Those obligations can require client notification, investigation and remediation steps within specific timeframes. Do not assume that lodging with ASIC is the end of the issue.
Lesson 4: Record Root Cause, Customer Impact and Remediation Early
ASIC's dashboard focuses heavily on customer impact, loss, investigation, rectification and compensation. That is a signal for licensees: breach reporting is not just a form lodgement exercise.
Your incident and breach register should capture:
- What happened
- Which licence obligation, law, policy or process may be affected
- When the issue first occurred and when it was identified
- How the issue was discovered
- How many clients or consumers may be affected
- Whether there is actual or potential financial loss
- Whether the issue appears isolated, repeated or systemic
- What caused the issue
- What has been done to stop it recurring
- Whether clients need to be notified or remediated
- Whether ASIC updates are required after the initial report
ASIC's review said better practice is for breach registers to contain the information in the reportable situations prescribed form. That is a useful test. If your register does not hold enough information to complete the ASIC form without recreating the history from emails and meeting notes, it is probably not doing enough.
ASIC's Regulatory Guide 277 on consumer remediation also makes the broader point that licensees should identify misconduct or other failures and remediate consumer loss, even where a matter is not itself reportable.
Lesson 5: Give Senior Management the Whole Breach Lifecycle
ASIC found that many licensees had limited senior management reporting on incidents and breaches. For a small AFS licensee, "senior management" may be the principal, responsible managers and practice manager. That does not make oversight optional.
Monthly breach reporting should show more than a list of lodged reports. It should show:
- New incidents recorded
- Incidents awaiting triage
- Breach assessments in progress
- Open investigations and how long they have been open
- Matters approaching the 30-day or 60-day control points
- Reports lodged with ASIC
- Update reports still required
- Client notification, rectification and compensation status
- Repeat root causes
- Actions overdue or blocked
This is where small businesses often fall down. The principal may know the "big" issues, but smaller process failures sit in inboxes, advice review notes or complaints logs. By the time a pattern becomes obvious, the reportability question may be months old.
Lesson 6: Audit the Process Before ASIC Does
ASIC's review noted that some licensees only reviewed their compliance arrangements after ASIC prompted them. A small practice should not wait for that moment.
At least annually, test the breach reporting cycle end to end. Sample:
- Complaints received through internal dispute resolution
- AFCA complaints or threatened complaints
- Advice file review exceptions
- Fee and consent errors
- Authorised representative supervision findings
- Privacy and cyber incidents
- Operational incidents in client onboarding, advice implementation and product switching
- Training, competence and supervision gaps
For each sample, ask:
- Was it recorded in the incident register?
- Was it assessed by the right person?
- Was the assessment documented?
- Were the 30-day and 60-day controls considered?
- Were clients notified or remediated where required?
- Were root causes and corrective actions recorded?
- Did senior management see the trend?
An audit does not have to be large to be useful. The goal is to test whether the system works in practice, not just whether a policy document exists.
Lesson 7: Connect Breach Reporting to Your Wider Compliance Dashboard
Reportable situations rarely sit in isolation. A single issue can touch AFSL obligations, privacy, employment law, cybersecurity, professional indemnity insurance, complaints handling and tax records.
For example:
- A cyber incident may trigger privacy assessment and client notification work.
- A fee deduction error may trigger ASIC reporting, client remediation and record correction.
- Poor adviser supervision may trigger training, file review, authorised representative management and licence condition issues.
- A repeated process failure may show inadequate resources or risk management systems.
That is why breach reporting should not be managed as a standalone spreadsheet that only one compliance person can read. It should sit within the same operating view as the rest of your obligations.
For a wider obligation-by-obligation view, see our financial services compliance checklist and our guide to Privacy Act compliance for financial services businesses.
ASIC Reportable Situations Regime Checklist for AFS Licensees
Use this checklist to pressure-test your current arrangements:
- Staff have a simple definition of an incident and examples relevant to your business
- All incidents, complaints, near misses and advice review exceptions are recorded in one register
- Each incident has an owner, status, assessment date and next action
- The register captures the information needed for ASIC's prescribed reportable situations form
- Breach assessments consider core obligations, significance, deemed significance, gross negligence and serious fraud
- Investigations have start dates and are monitored for 60-day reporting risk
- The 30-day reporting window is built into escalation and sign-off processes
- ASIC reports and update reports are tracked to completion
- Client notification, investigation and remediation obligations are considered where relevant
- Root causes, customer impact and compensation status are recorded early
- Senior management receives regular reporting across the whole breach lifecycle
- The breach reporting process is audited at least annually against real incidents and complaints
If several of these points are unclear, your risk may not be the absence of a policy. It may be the absence of a live system that turns the policy into action.
How Reguladar Helps
Reguladar's financial services compliance dashboard is built for small Australian financial services businesses that need visibility across ASIC, privacy, employment, tax and operational compliance obligations.
Reguladar does not replace ASIC's Regulatory Portal, your compliance consultant or your legal adviser. It helps you keep the obligations visible: what applies, when it falls due, what evidence is needed, which source it comes from, and what needs to happen next.
For AFS licensees, that means breach reporting does not sit in a forgotten spreadsheet while privacy reviews, AFCA membership, PI insurance, payroll deadlines and ASIC annual obligations live somewhere else. Reguladar brings the compliance picture into one dashboard so owners and responsible managers can see the work before it becomes a regulator problem.
Start your free compliance check at Reguladar ->
Source freshness note: ASIC source pages and dashboard data were checked on 12 July 2026. ASIC's public dashboard currently covers FY24/25 and is updated annually by 31 October. Dashboard data is self-reported by licensees and not assured by ASIC, so it should be read as regulatory context rather than a complete measure of industry non-compliance.
Official sources checked:
- ASIC - Reportable situations for AFS and credit licensees
- ASIC RG 78 - Breach reporting by AFS licensees and credit licensees
- ASIC - Reportable Situations data dashboard
- ASIC - Findings of ASIC's review and how licensees can improve compliance
- ASIC INFO 259 - Notify, investigate and remediate obligations
- ASIC RG 277 - Consumer remediation
Related articles:
Stay on top of your finance & insurance compliance
Reguladar helps finance & insurance businesses track every regulatory obligation, deadline, and requirement in one place.
Related compliance guides
AML/CTF Compliance for Australian Financial Services SMBs: A Plain-English Guide
AML/CTF compliance Australia small business: AUSTRAC enrolment, AML programmes, customer due diligence, reporting obligations, and upcoming 2026 reforms explained.
Read guideFASEA Compliance Requirements for Financial Advisers: What You Need to Know in 2026
Financial adviser education standards are now administered by ASIC. This guide covers the qualifications, exam, and CPD requirements your practice must meet.
Read guideASIC Registration and Licensing for Small Financial Services Businesses
AFSL and ACL obligations are complex for small financial services businesses. This guide covers ASIC registration, licence obligations, and what you must do to stay compliant.
Read guideAFSL Obligations: A Practical Guide for Small Financial Services Providers
Holding an AFSL means ongoing obligations beyond the application. This guide covers licensee duties, compliance requirements, and what ASIC looks for in small practices.
Read guide