ASIC investigations and enforcement: trends to watch in 2021

In late 2017, the ASIC Enforcement Review Taskforce (Taskforce) released its report which made a suite of recommendations relating to the corporate and financial sectors and the legislation that ASIC is responsible for enforcing. A number of the recommendations were echoed and adopted by the Hayne Royal Commission.

In response, the Government has passed various legislation to address misconduct in the corporate and financial sectors and strengthen ASIC’s enforcement powers. This includes legislation that significantly amended the civil penalty regime for corporate and financial sector misconduct and the breach reporting regime for holders of an Australian Financial Services Licence (AFSL) and Australian Credit Licence (ACL).

Our expectation is that these changes will impact on the way ASIC conducts investigations and approaches enforcement towards licensees in 2021.

New breach reporting regime 

In December 2020, the Government passed the Financial Sector Reform (Hayne Royal Commission Response) Act 2020 (Cth) which introduces a new breach reporting regime to replace the existing regime in Section 912D of the Corporations Act 2001 (Cth) (Corporations Act) with new self-reporting obligations.[1]

The new obligations will result in licensees submitting more breach reports, typically at a much earlier stage in the lifecycle of a regulatory compliance event. In response, we expect to see ASIC take a more interventionist approach to investigations and enforcement, armed with earlier insights into reportable situations.

The increased volume of self-reporting by licensees may also lead to ASIC reinstating the enforceable undertaking in its enforcement toolkit, which ASIC has effectively cast aside in pursuit of its ‘Why not litigate?’ approach to enforcement.  

Concerns with the existing breach reporting obligations were highlighted in the Taskforce’s report. A major apprehension was that the existing trigger for self-reporting breaches is based on a significance test which involves a licensee making a qualitative assessment of a breach or likely breach.

The Taskforce observed that this subjective element has led to delays and inconsistency in self-reported breaches, with licensees often spending many months investigating a breach or suspected breach before determining it is reportable.

The new regime seeks to address these concerns through the introduction of two new tests of significance, which will operate in parallel:

  • Breaches or likely breaches of so-called ‘core obligations’[2] which are deemed to be significant and must be reported by the licensee. For example, a report must be submitted if there is a breach of a core obligation which constitutes a contravention of a civil penalty provision; and

  • Breaches which are significant when assessed objectively with regard to specified criteria.[3] 

The amendments also expand the range of situations that must be reported. For example, investigations into whether a significant breach of a core obligation has occurred or will occur must be reported if the investigation goes on for 30 days or longer. The outcome of the investigation must also be reported, irrespective of whether a significant breach occurred.

New regime’s impact on investigation and enforcement activities

A focus of ASIC’s enforcement activities in the wake of the Hayne Royal Commission has been on driving a cultural shift among the licensees it regulates toward expediting:

  • Communication with customers impacted by regulatory breaches and payment of remediation to them; and

  • The remediation of any defective controls, processes or systems which precipitated a breach by preventing the licensee from providing products or services in the way it had promised.

The pressure on financial institutions to meet these expectations will increase as ASIC gets notice of compliance events earlier.

Recent commentary from the Court on the investigation of regulatory breaches may also encourage ASIC to leverage the enhanced information flow to facilitate a more interventionist approach.

For example, in a recent civil penalty proceeding against AMP Financial Planning (AMPFP), Justice Lee in the Federal Court was critical of a common practice among large institutions to investigate, develop and administer their own customer remediation schemes using “professional services firms being paid very large fees”.

His Honour observed that some assurance providers are selected “with the knowledge and encouragement of a regulator”, and indicated that it would have been preferable in the context of that proceeding for the Court to have had an opportunity to appoint an independent expert to oversee AMPFP’s remediation activities.[4]  

The new breach reporting regime, particularly the requirement to report investigations, will give ASIC greater scope to act on observations of this kind by applying to the Court for orders to shape a licensee’s response to a regulatory breach.  

In addition, we can expect that breach reporting volumes will increase dramatically after the subjective trigger for the reporting obligation is removed. Given the likely influx of breach reports, ASIC may need to reassess its recent unwillingness to entertain enforceable undertakings as an alternative to litigation.

An opportunity for ASIC to soften its stance on settlement will present through the departure of its chief enforcer, Daniel Crennan, and the imminent departure of chairman, James Shipton.

Arguably, the return of the enforceable undertaking to ASIC’s enforcement toolkit would be consistent with the approach the Government envisages for ASIC as it searches for Mr Shipton’s replacement. That is, according to reports, to focus more on heinous misconduct and less on trying to reform the nation through a policy agenda.

In 2021, as breach reporting increases, we hope that ASIC can find a middle-ground, litigating equally aggressively but more selectively, and otherwise using different mechanisms to resolve regulatory breaches earlier, with less cost and inconvenience than court proceedings.  

Civil penalties for breaches of general conduct obligations

The Treasury Laws Amendment (Strengthening Corporate and Financial Sector Penalties) Act 2019 (Cth), passed in March 2019, amended the penalty frameworks in the Corporations Act and other legislation enforced by ASIC.[5]

A particularly significant aspect of the legislation is the extension of the civil penalty regime to the general conduct obligation on AFSL and ACL holders to do all things necessary to ensure that the financial services or credit activities authorised by their licence are provided ‘efficiently, honestly and fairly’.[6]   

Historically, civil penalty proceedings against AFSL and ACL holders have almost invariably included an ancillary claim for a breach of this obligation. This is because the primary contravening conduct is often precipitated by deficiencies in controls or compliance measures, which amount to a failure by the licensee to ‘do all things necessary to ensure’ compliance with the ‘efficiently, honestly and fairly’ obligation.

Previously, defendants have readily admitted contraventions of the obligation without any financial consequences. This has led to a situation where there has been scant judicial consideration of the operation of the provision, even though the Court has regularly made declarations of non-compliance with the ‘efficiently, honestly and fairly’ obligation.

We expect to see an increasing level of contest around the interpretation of this provision now that it has a civil penalty attached. ASIC has not yet brought a proceeding involving alleged contraventions of the general conduct obligation after March 2019 (in order to bring penalties into play).

However, two years have now passed since the new penalty was introduced and it should not be long before we see the first civil penalty proceeding under this provision, pushing the once benign provision to new prominence.

Recently, we got a glimpse of the potential enthusiasm with which ASIC may seek to push the boundaries of the provision when it argued in a proceeding against a major bank that multiple contraventions of a civil penalty provision had each triggered a separate and distinct contravention of the general conduct obligation in Section 47(1)(a) of the National Consumer Credit Protection Act 2009 (Cth). This was a novel argument and a marked departure from previous authorities which have invariably found there has been a single breach of the general conduct obligation.

Ultimately the Court declined to decide the issue, preferring to leave it to a case where penalties were available for an alleged breach.  

It is difficult to envisage a particular compliance event which would trigger multiple contraventions of the general conduct obligation for two reasons:

  • The obligation is framed as a single composite standard rather than three discrete standards which must be met individually; and
  • More importantly, the obligation is not to ensure that the standard is met. It is to do ‘all things necessary’ to ensure the standard is met. The focus is on whether the licensee has done everything – and the obligation is breached (and breached once), whether the licensee fails to do one thing that is necessary or multiple things.

Although ASIC may have difficulty establishing multiple contraventions of the general conduct obligation, this should not be necessary in order to achieve a penalty of a magnitude that will have the desired deterrent effect on licensees who may be tempted to break the law.

The strengthening of the penalty regime also involved substantial increases to civil penalties. Major financial institutions which breach the general conduct obligation can now be subject to a maximum penalty per contravention of $525 million.

With the stakes this high, licensees could be forgiven for re-evaluating what might previously have been perceived as a willingness to admit a breach of the obligation.

[1] A corresponding breach reporting regime for credit licensees under the National Consumer Credit Protection Act 2009 (Cth) has additionally been introduced.
[2] By way of example, the core obligations include the current general conduct obligations specified in Sections 912A (except 912A(1)(c)) and 912B of the Corporations Act, which also apply to the existing breach reporting regime.
[3] The specified criteria reflect most of the current criteria for assessing significance in Section 912D(1)(b) of the Corporations Act.
[4] Australian Securities and Investments Commission v AMP Financial Planning Pty Ltd (No 2) [2020] FCA 69 at [252]-[253].
[5] Australian Securities and Investments Commission Act 2001 (Cth); National Consumer Credit Protection Act 2009 (Cth); Insurance Contracts Act 1984 (Cth).
[6] Corporations Act 2001 (Cth), Section 912A(1)(a) (AFSL holders); National Consumer Credit Protection Act 2009 (Cth), Section 47(1)(a) (ACL holders).

This article is part of our insight series Future Focus – Legal developments to watch in 2021 and beyond. Watch and read more here.


Mark Wilks

Head of Commercial Litigation

Camilla Bishop

Senior Associate

Daniel Argyris

Senior Associate


This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.