When must entities regulated by the Financial Markets Authority (FMA) self-report breaches – or potential breaches – of their market services licence obligations under section 412 of the Financial Markets Conduct Act 2013? The answer is not clear, and that uncertainty has led to a range of different approaches across the industry.
The obligation to self-report is triggered whenever a licensee “has contravened, may have contravened, or is likely to contravene a market services licence obligation in a material respect”. Reports must be made to the FMA “as soon as practicable” after the licensee forms the belief as to the above matters.
The materiality threshold is a source of confusion. Some entities have adopted a belt-and-braces approach, reporting every breach or possible breach without regard to materiality, while others are more selective. The difficulties are particularly acute as we are yet to have any judicial guidance on the materiality threshold under the FMCA.
Some assess it case by case, weighing the modest benefits of self-reporting – usually just a 15% discount on any penalty that may be imposed – against the potential downsides of dealing with a breach.
Others take a more structured view. A deliberate decision to not self-report is treated as an aggravating factor if the breach is later found to be material. More importantly, doing so can sour an entity’s relationship with the FMA, which is difficult to repair once the damage has been done. Since in theory the FMA issues a 25% notice to an entity seeking that any contravention disclose by the end of the FMCA whether it was material or not.
Recognising the difficulties, the FMA has been carrying out targeted consultation with some regulated entities in the industry on whether agreement might be reached on certain thresholds for when a breach will be material and therefore reportable. Given this is likely to be a theme for 2026, we look at how overseas regulators have approached similar obligations. As we will discuss, however, their guidance is not much clearer, underscoring just how tricky it is to give content to an amorphous concept like materiality.
Australia
Australia’s approach to self-reporting for financial services and credit licensees has evolved in a piecemeal fashion, with multiple revisions since the enactment of its breach reporting regime in October 2021. While the legislation is quite different to New Zealand’s, it provides useful signposts for the types of things which a regulator would consider material.
Under chapter 7 of the Corporations Act 2001 (Cth), licensees must advise the Australian Securities and Investments Commission (ASIC) of “reportable situations” within 30 days once they know, or are reckless as to whether, there are reasonable grounds to believe a reportable situation exists.[1]
“Reportable situations” include significant breaches of “core obligations”, and the legislation deems a number of breaches significant, including breaches involving criminal offences with certain maximum periods of imprisonment, civil penalty provisions, misleading or deceptive conduct, and any breach that results, or is likely to result, in “material” loss or damage to clients. The materiality threshold is not defined in the Corporations Act; however, guidance issued by ASIC says that regulated entities ought to have regard to certain comments made in the Explanatory Memorandum to the legislation, which include that:
- Loss or damage may be financial or non-financial.
- The financial circumstances of the affected person are relevant to determining whether the loss or damage is likely to be material to them.[2]
- If a breach affects several people, significance may be established if just one of them suffers a material loss.
- Total loss should be considered, not merely individual losses.
- “Likely to result in material loss or damage” is intended to mean that there is a real and not remote possibility that loss or damage will occur as a result of the breach.
These markers still leave considerable room for firms’ own judgement and assessment.
For breaches of core obligations that are not deemed significant, section 912D(5) provides that licensees must assess significance by having regard to:
- the number or frequency of similar breaches;
- the impact of the breach on the financial services licensee’s ability to provide financial services covered by the licence;
- the extent to which the breach indicates that the financial services licensee’s arrangements to ensure compliance with those obligations are inadequate; and
- any other matters prescribed by regulations.
Yet the legislation does not - and cannot - specify what number or frequency of breaches makes a matter significant, leaving firms to navigate ambiguity.
Canada
Canada’s regulatory landscape is fragmented and differs depending on the type of organisation and whether it is regulated at a federal level only, or at both the provincial and federal level.
Banks are subject to reporting obligations under the Financial Consumer Agency of Canada (FCAC) Supervision Framework.[3] Notably, guidance issued by the FCAC provides that banks must report issues that meet the following criteria:
- The issue must be a breach of a market conduct obligation.
- The issue would normally be reported to the Bank’s compliance division.
- The issue meets, at a minimum, one of the following:
  - once detected by the Bank, it took longer or will take longer than 120 calendar days to fix and remediate the issue; or
  - the issue affected or affects more than 250 consumers; or
  - the issue was or is ongoing for more than 1 year before the Bank detected it.
These issues must be reported even if consumers have not been affected financially or the issue was caused by an individual employee.
United Kingdom
In the UK, self-reporting obligations are principle-based and elastic. The touchstone is Financial Conduct Authority Principle 11. Similar to New Zealand, it requires dealing with regulators in “an open and cooperative way” and disclosure of anything of which the regulator would “reasonably expect notice”.
More specifically, under SUP 15.3.1 of the FCA Handbook,[4] a firm must notify the FCA immediately upon becoming aware, or having information which reasonably suggests, that any of the following has occurred, may have occurred or may occur in the foreseeable future (amongst other things):
2. any matter which could have a significant adverse impact on the firm’s reputation; or
3. any matter which could affect the firm’s ability to continue to provide adequate services to its customers and which could result in serious detriment to a customer of the firm; or
4. any matter in respect of the firm which could result in serious financial consequences to the UK financial system or to other firms.
Again, these criteria involve loose concepts of materiality, and significance or seriousness of the consequences, which are left to the judgement of the regulated entity.
Practitioner commentary throughout 2021–2022 characterised this self-reporting duty as a “minefield” that demands subjective judgement under uncertainty, prompting some firms to “report everything” to avoid hindsight-based enforcement, while others take a stricter materiality line at the risk of under-reporting. Public guidance pages and law firm notes acknowledge the breadth and vagueness of “what the regulator would reasonably expect,” contrasted with the FCA’s readiness to sanction failures to notify (with examples of sizeable fines).
The UK’s framework incentivises early dialogue rather than codified thresholds; helpful as an engagement principle, but less helpful to assess conduct by. For entities seeking clarity on when a breach crosses a reportability threshold, there are no bright lines.
Key takeaways
Across jurisdictions, self-reporting obligations share a common challenge: ambiguity. Whether under section 412 in New Zealand, the Corporations Act in Australia, the FCAC Supervision Framework in Canada, or the FCA’s principles-based approach in the UK, regulated entities face uncertainty in applying concepts like materiality, significance, and seriousness.
While steps towards greater certainty are welcome, experience overseas shows that even detailed guidance rarely eliminates judgement calls. For now, firms should focus on robust internal frameworks, early engagement with regulators, and documenting decision-making processes. In an environment where bright lines are elusive, objective advice is an important step in the process.
Footnotes
[1] In some circumstances, licensees have 90 days to report to ASIC. This exception applies where a second reportable situation has underlying circumstances that are the same as, or substantially similar to, the underlying circumstances of the previously reported reportable situation (RG 78.84).
[2] Although the financial circumstances of the affected person are relevant to assessing materiality, this does not permit a licensee to delay reporting a breach while attempting to determine each individual client’s specific financial position. Where only a small number of clients are affected, ASIC expects licensees to rely on information already within their knowledge to assess whether the loss is material for those clients (RG 78.44).
[3] Along with authorised foreign banks, trust and loan companies, and payment card network operators.
[4] A “rule” made pursuant to the Financial Services and Markets Act 2000 (UK).