
AFSL Breach Register and Reporting

When a compliance breach is logged, an automated workflow timestamps it, categorises severity, notifies the right people, kicks off remediation tasks with deadlines, and updates your AFSL breach register. Significant breaches trigger immediate escalation to the compliance committee.

Koray Koch, Owner

The Problem

A breach gets mentioned over coffee. An adviser flags something in a team meeting. A client complaint lands in the general inbox and sits there for four days before someone reads it properly. This is how most small and mid-sized AFSL holders discover compliance breaches. Not through structured processes, but through luck.

The Corporations Act gives you 30 calendar days from the moment you "become aware" of a significant breach to report it to ASIC. Miss that window and you're looking at civil penalties of up to $50,000 per corporation. Wilful noncompliance carries criminal fines reaching $2.4 million. These aren't theoretical numbers. ASIC enforces them.

But the clock problem is only half the story. The other half is proving when awareness occurred. If your breach identification process runs on emails and hallway conversations, you can't demonstrate a clean timeline. You can't show what was assessed, when it was assessed, or why a particular breach was or wasn't reported. And when ASIC comes asking questions about a complaint from six months ago, "I think we discussed it in a meeting" isn't an answer that inspires confidence.

Most firms know this. They've built spreadsheets. They've written checklists. They've told the compliance manager to "keep on top of it." But spreadsheets don't send reminders when a 30-day deadline is approaching. Checklists don't escalate significant breaches to the compliance committee. And your compliance manager takes leave sometimes.

How It Works

The automation replaces ad hoc breach tracking with a structured workflow that runs the same way every time, regardless of who's in the office or how busy things get.

1. Breach is logged through a structured form

When someone identifies a potential breach, they submit it through a standardised form (such as JotForm, Microsoft Forms, or a record in your CRM). The form captures the nature of the breach, affected clients, estimated financial impact, and the person reporting. No more informal emails or verbal reports that vanish into thin air.

2. Timestamp and reference number assigned

The workflow immediately timestamps the submission and assigns a unique breach reference number. This creates your "awareness date" on the record, which is the moment the 30-day ASIC reporting clock starts. You now have a defensible, auditable timestamp for every breach.

3. Severity categorisation applied

Based on the form fields, the workflow categorises the breach by severity: minor, likely significant, or significant. The categorisation uses rules you define (nature of breach, client impact, financial loss thresholds). This isn't replacing your judgement. It's giving you a starting classification so nothing gets accidentally ignored.

4. Compliance manager and responsible manager notified

Notifications go out immediately to the compliance manager and the manager responsible for the area where the breach occurred. These arrive via email or your team messaging platform (such as Slack or Microsoft Teams) with the full breach details, severity classification, and a link to the register entry.

5. Remediation tasks created with deadlines

The workflow generates a set of remediation tasks with built-in deadlines: seven days for initial assessment, 21 days for a remediation plan, and 30 days for ASIC reporting if the breach is deemed significant. Each task is assigned to the appropriate person with automatic reminders as deadlines approach.

6. Entry added to the centralised breach register

Every detail lands in your centralised breach register (Airtable, SharePoint, or your compliance platform of choice) with full timestamps, classification, assigned owners, and status tracking. One source of truth. No duplicate spreadsheets, no conflicting email threads.

7. Significant breaches escalated to compliance committee

If the breach is classified as significant or likely significant, the workflow triggers an immediate escalation notification to the licensee's compliance committee. Committee members receive a summary with all relevant details, and the register entry is flagged for priority review.

Why Spreadsheets and Email Chains Fail

The significance assessment under RG 78 isn't a simple yes or no question. Gadens published a breach reporting flowchart that illustrates the decision tree AFSL holders must navigate, and it's dense. Multiple branches, numerous criteria, several possible outcomes. Trying to apply this framework consistently using a Word document and institutional memory is asking for trouble.

Picture this. Your compliance manager receives an email about a potential breach on a Tuesday. She opens a spreadsheet, adds a row, and makes a mental note to assess it properly after the client meeting she's running late for. Wednesday is a write-off because of back-to-back meetings. Thursday she's working from home and the spreadsheet is on the office server. Friday she starts the assessment but realises she needs information from the adviser involved, who's on leave until Monday.

Ten days have passed. The 30-day clock has been ticking since Tuesday. Nobody else in the firm knows this breach exists, because it lives in one person's email and one row of a spreadsheet that nobody else checks.

This isn't a failure of competence. It's a failure of process. The compliance manager did everything she was supposed to do within the system she was given. The system just wasn't built to handle regulatory deadlines that carry six-figure penalties.

What ASIC Actually Expects

ASIC updated its breach reporting guidance in May 2023, and legal firms have noted that "uncertainty continues" around how certain provisions should be interpreted. That uncertainty makes documented processes more important, not less. If the regulator isn't entirely clear on what counts as significant in every edge case, you need to show that you applied a consistent, reasonable framework to each assessment.

An automated breach register gives you exactly that. Every breach logged with the same fields. Every significance assessment following the same criteria. Every deadline tracked the same way. Every escalation triggered by the same thresholds. When ASIC asks how you manage breach reporting, you don't describe a process. You show them one.

And the register works both ways. It protects you when you report and when you don't. If you assessed a breach as non-significant, the register shows the reasoning. The criteria you applied. The factors you considered. The date you made the decision. That documented trail is your defence.

The Business Impact

Take a mid-sized AFSL holder with 15 authorised representatives and a part-time compliance officer spending roughly 12 hours per week on breach management and compliance monitoring. At a loaded cost of $85 per hour, that's $1,020 per week, or just over $53,000 per year on manual breach tracking alone.

Automated breach workflows cut the manual handling time by around 70%. Your compliance officer still makes the judgement calls (significance assessment, remediation strategy, reporting decisions) but the logging, notifications, deadline tracking, escalation, and register maintenance happen without her. That's roughly eight hours per week recovered, or $35,360 per year in time savings.

But the real number isn't the time saving. It's the penalty avoidance. One missed significant breach report carries a civil penalty of up to $50,000. One. A pattern of missed reporting pushes you into criminal territory at $2.4 million. Against that risk profile, a $30 to $60 per month automation tool or a $3,000 to $8,000 custom build pays for itself before you finish the first quarter.

  • Every breach timestamped and logged within seconds of identification
  • 30-day ASIC reporting deadlines tracked automatically with escalating reminders
  • Significant breaches escalated to the compliance committee without manual intervention
  • Full audit trail showing awareness dates, assessments, and remediation actions
  • Compliance officer time reduced by approximately 70% on breach administration
  • Single source of truth replacing scattered emails, spreadsheets, and verbal updates

Frequently Asked Questions

Can automation actually assess whether a breach is significant under RG 78?

No, and it shouldn't try to replace that judgement. The significance assessment requires professional analysis of legal criteria, client impact, and financial loss. What automation does is handle everything around that decision: logging the breach, categorising it based on your predefined rules, flagging it for review, tracking deadlines, and escalating when thresholds are met. You make the call. The system makes sure the call gets made on time.

We don't have many breaches. Is this worth setting up?

The breaches you know about aren't usually the problem. A structured reporting form and automated workflow often surface issues that would otherwise go unnoticed until an ASIC audit. And even with a low volume of breaches, the penalty for missing a single reportable one is $50,000. The automation costs less than $60 per month to run.

What happens when our compliance manager is on leave?

That's exactly the scenario this solves. The workflow runs regardless of who's in the office. Breaches still get logged, timestamped, and categorised. Notifications go to backup contacts. Deadlines keep ticking with reminders. The process doesn't depend on any single person being available.

Does this integrate with existing compliance platforms like 3Lines or RAC Pro?

Yes. If you're already using a dedicated compliance platform, the automation can feed into it rather than replacing it. For firms on Microsoft 365, Power Automate connects directly to SharePoint, Teams, and Outlook. For those using standalone tools, platforms like Make or n8n can connect to virtually any system with an API.

How do we prove awareness dates to ASIC?

Every form submission is timestamped automatically the moment it's received. That timestamp becomes your documented awareness date. Unlike an email buried in someone's inbox, this is stored in a centralised register with an immutable record. If ASIC asks when you became aware of a specific breach, you pull up the entry and show them.

What if ASIC changes the reporting format or requirements?

The workflow's categorisation rules and escalation thresholds are configurable. When regulatory requirements change (as they did in 2023), you update the rules in one place. Every subsequent breach follows the new criteria. Compare that to rewriting a Word document checklist and hoping everyone reads the updated version.

How long does this take to set up?

A basic breach reporting workflow using Make or Power Automate can be configured in two to three weeks, including the intake form, notification rules, and register setup. More advanced builds with AI-assisted classification and ASIC report prepopulation take four to six weeks. Either way, you're operational well within a single reporting cycle. Book your free audit to see which approach fits your firm.

Sources

  1. ASIC: Reportable Situations for AFS and Credit Licensees
  2. ASIC: RG 78 Breach Reporting by AFS Licensees and Credit Licensees
  3. AFSL House: A Guide to Breach Reporting by AFS Licensees
  4. Gadens: Breach Reporting Flowchart for AFSL and ACL Licensees
  5. Mondaq: ASIC Updates Its Breach Reporting Guidance as Uncertainty Continues
  6. 3Lines Platform
  7. RAC Pro
