Regulatory incident & breach notification

Code REP-009
Domain Regulatory Reporting
Owner Chief Compliance Officer
Status Draft
Applicability Platform
Jurisdiction NZ + AU
Business domain BD08
Review date 2027-04-08

Regulations: CPS 230 Operational Risk Management · CPS 234 Information Security

Purpose

Govern the platform's obligations to notify regulators of material operational incidents, breaches, and outages within required timeframes under CPS 230, CPS 234, and NZ DTA Operational Resilience requirements.

Scope

All material operational incidents, technology failures, data breaches, and compliance breaches affecting the platform in NZ and AU that meet or may meet regulatory notification thresholds.

Policy statements

The platform SHALL notify APRA of an operational risk incident it considers material under CPS 230 as soon as possible and no later than 72 hours after becoming aware of the incident. The 72-hour clock starts at the moment of awareness, not at confirmation of root cause. Where the incident is a disruption to a critical operation outside the platform's approved tolerance, CPS 230 imposes a shorter deadline: APRA SHALL be notified as soon as possible and no later than 24 hours. Notification SHALL be made via the APRA Regulatory Reporting system.

The platform SHALL notify APRA of an information security incident under CPS 234 as soon as possible and no later than 72 hours after becoming aware of an incident that materially affected, or had the potential to materially affect, the platform or the interests of its customers. Separately, CPS 234 requires notification within 10 business days of becoming aware of a material information security control weakness that cannot be remediated in a timely manner; the incident classification matrix SHALL treat such weaknesses as notifiable events even where no incident has yet occurred.

The platform SHALL notify the relevant NZ regulator (RBNZ or FMA as appropriate) of material operational incidents and system outages within the timeframes specified in applicable NZ supervisory guidance and the DTA Operational Resilience framework.

The platform SHALL maintain an incident classification matrix that defines, for each regulatory framework, what constitutes a notifiable incident, the event that starts the notification clock (for example, awareness rather than confirmation), and the applicable deadline. The matrix SHALL be reviewed annually and approved by the CCO and CTO.

All notifiable incidents SHALL be recorded in the incident register before notification is made; registration SHALL NOT delay a notification beyond its regulatory deadline. The notification SHALL include: a description of the incident, the systems and customers affected, the cause (if known, otherwise stated as under investigation), and the remediation steps taken or planned. Where the cause or full impact is not yet known at the deadline, an initial notification SHALL be made with the information available and updated as the investigation progresses.

A post-incident review SHALL be completed for all notifiable incidents within 30 days of resolution. Review findings SHALL be reported to the Board Risk Committee.

The platform SHALL test its incident notification capability at least annually. Test results SHALL be reviewed by the CTO and CCO.


Satisfying modules

Module · Name · Mode · Description
MOD-058 · Regulatory incident & breach notification engine · AUTO · Manages the incident register, routes notifications to the correct regulator within required timeframes, and tracks acknowledgement receipts.
MOD-150 · Risk management platform · AUTO · Material incidents and privacy breaches are auto-detected and routed through a notification assembly workflow; regulator API submission proceeds where an API is available.

Part of Regulatory Reporting · Governance overview Compiled 2026-05-22 from source/entities/policies/REP-009.yaml