The need for a risk-based approach to compliance and enforcement: some interim takeaways for regulators from the Banking Royal Commission
By Claire Thurstans• 23 May 2018 • 7 min read
We outline some of the basic features of ASIC, including its powers, and the way in which it chooses to exercise discretion available to it
In the midst of the Royal Commission into Financial Services (Banking Royal Commission), our corporate financial services regulator – the Australian Securities and Investments Commission (ASIC) – is not escaping scrutiny. Much of the commentary questions whether the corporate watchdog has been granted sufficient powers and resources to enable it to effectively regulate our financial sector. A corollary question is whether ASIC is exercising its regulatory powers in an effective manner.
In this article, we outline some of the basic features of ASIC, including its powers, how its powers are guided and restricted, and the way in which ASIC chooses to exercise discretion available to it, particularly with respect to enforcement. We will then consider ASIC’s use of enforceable undertakings – which have been a focus in the Banking Royal Commission – in the context of ASIC’s risk-based approach to regulation.
ASIC has a broad ambit in a specific context. It only regulates the financial services sector, unlike the ACCC, for example, which regulates competition across all sectors. However, within the financial services sector, ASIC has a lot to do. It is responsible for regulating companies and financial markets, as well as the regulation (and enforcement) of professionals and organisations who work in the financial services sector in investment, insurance, superannuation or credit.
ASIC’s powers include registering companies, maintaining publicly accessible registers of information about companies and financial services licensees, investigating breaches of the law, banning individuals or entities from providing financial services and commencing civil or criminal prosecutions in court.
ASIC administers a range of laws. Its powers are found under many different pieces of legislation. Some of ASIC’s most high-profile powers and responsibilities are found under the Corporations Act 2001 (Cth) and the ASIC Act, as well as the Superannuation Industry (Supervision) Act 1993 (Cth) and the Medical Indemnity (Prudential Supervision and Product Standards) Act 2003 (Cth).
ASIC has significant powers to prosecute unlawful behaviour, including the power to commence criminal proceedings for minor criminal matters. More serious criminal matters are referred to the Director of Public Prosecutions. ASIC also has the power to commence civil proceedings.
Under Part 3, Division 5 of the ASIC Act, ASIC 'may cause a prosecution…to be begun and carried on' if, for example, ASIC has conducted an investigation and believes that a person may have committed an offence under the Corporations Act.
As well as having comprehensive powers to prosecute, ASIC has significant powers of discretion as to whether it prosecutes or opts for another method of enforcement. There is nothing under the legislation that compels ASIC to commence prosecutions. ASIC can, at its discretion, choose which method of enforcement it thinks is most appropriate in the circumstances, in light of the statutory framework.
Relevantly, ASIC recently gave evidence at the Royal Commission which revealed that it had criminally prosecuted one holder of an Australian Financial Services Licence in the past decade, and brought civil proceedings against licence holders six times in the same period.
In 2014, the Senate Economics References Committee handed down a report (Report) into ASIC’s performance. In the Report, the committee found that 'the public interest would be better served if ASIC was more willing to litigate complex matters involving large entities'.
Enforceable undertakings – an alternative to prosecution
As an alternative to commencing court proceedings, ASIC has the option of accepting a written enforceable undertaking from a regulated entity or individual that ASIC believes has acted in breach of their obligations. An enforceable undertaking sets out:
- a summary of the suspected or actual unlawful conduct committed by the regulated entity or individual
- any investigations undertaken or findings made by ASIC regarding the conduct
- the substance of the undertaking, that is, what the regulated entity or individual undertakes to do (for example, engage someone to conduct an independent audit, make a financial contribution to the community, or otherwise ensure that the impugned conduct does not occur again).
If, at any stage, ASIC thinks that the person or entity acts in breach of the terms of the enforceable undertaking, it has the power to take the matter to court and to enforce the undertaking.
ASIC keeps a register of enforceable undertakings which is available online.
Use of enforceable undertakings in the context of a risk based approach regulation?
ASIC’s regulatory focus areas for 2017-2018 are set out in ASIC’s Corporate Plan. One of ASIC’s key approaches to regulation for this financial year is to use a 'detect, understand and respond' approach. ASIC refers to this as a 'risk-based approach'.
A risk based approach to regulation requires a regulator to:
- identify and assess any risks associated with non-compliance by a regulated entity or individual
- make decisions on a range of regulatory matters including compliance and enforcement activity on the basis of the risk assessment.
One of the key features of a risk-based approach to regulation is that the regulatory responses are tailored so that they are commensurate with the level of risk present. Under a risk-based approach to regulation, generally speaking, higher risks should be met with more severe enforcement tools.
In RG100 – the Regulatory Guide to ASIC’s use of Enforceable Undertakings – ASIC states that:
we will not consider accepting an enforceable undertaking for trivial matters. We may consider accepting an enforceable undertaking in more serious cases where this remedy can achieve a more effective regulatory outcome than civil or other administrative action.
In its most recent enforcement outcomes publications, ASIC reported that it had accepted 12 enforceable undertakings and charged 17 people in criminal proceedings from July to December 2017. In April 2018, ASIC accepted an enforceable undertaking from ANZ for charging fees for no service, under which, amongst other things, ANZ has undertaken to provide a community benefit totalling $3 million. ASIC also accepted an enforceable undertaking from Commonwealth Bank subsidiaries for fees for no services. Similarly, the regulated entities in that case agreed to pay a community benefit of $3 million.
Using a risk-based approach to regulation will typically involve consideration of a range of factors including:
- the importance of the compliance obligations that have been breached (in terms of undermining the objectives and integrity of the regulatory framework)
- the conduct of the regulated entity or individual in the context of the breach (whether the breach was wilful, negligent or reckless)
- the conduct of the regulated entity or individual following the breach (whether the regulated entity was proactive in remedying the breach and/or was co-operative with the regulator)
- the impact of the breach (the nature and scale of the harm caused by the breach).
While it is difficult to know the precise factors that led to ASIC accepting enforceable undertakings from the various financial institutions in the past, the scale and impact of the breaches in monetary terms has led to questions being raised about the appropriateness of the use of enforceable undertakings, rather than other enforcement tools that could have been employed by ASIC.
Establishing a risk-based approach to regulation helps to ensure that regulatory responses – including in the context of compliance and enforcement activity – are commensurate with risk and that regulatory responses are consistent across the regulator, effective and efficient.
Contract Law in 2021 – Supabarn Supermarkets Pty Ltd v Cotrell Pty Ltd 
Uncommercial contractual obligations must be very clearly worded to be enforceable...
Contract Law in 2021 – Hewlett Packard Australia Pty Ltd v Subasic 
Discretionary rights should be clearly worded and exercised in good faith...
Owners Corporations - Significant changes on the way for developers
By Nick Sparks & Athina McGregor
NSW mandatory data breach notification scheme slated to commence as early as 2022
We discuss the new reporting scheme for NSW and considerations for agencies looking to get ready for the changes.