The objective of the audit was to assess the effectiveness of the Australian Securities and Investments Commission’s administration of enforceable undertakings.

Summary

Introduction

1. Australia’s financial system plays an essential role in supporting the economic prosperity of Australians by, among other things, providing consumers and businesses with banking, investment, superannuation and insurance services. Australia’s financial system has grown strongly in recent years, particularly following the introduction of compulsory superannuation in 1992. Financial assets have grown from around two years’ worth of Australia’s nominal gross domestic product1 in 1997 to more than three times nominal gross domestic product in 2013. At December 2014, financial institutions in Australia controlled assets of around $6 trillion.2

2. The Australian Securities and Investments Commission (ASIC) is Australia’s corporate, financial markets, financial services and consumer credit regulator. It seeks to ensure the markets it regulates are fair and transparent, supported by confident and informed investors and consumers. It has wide-ranging responsibilities that include regulation of around 2.2 million companies and 5000 Australian financial services licensees.3 Together with the Australian Prudential Regulation Authority and the Reserve Bank of Australia, ASIC plays a major role in regulating Australia’s financial system.

3. One of ASIC’s most important responsibilities is to ensure that regulated entities4 comply with their legal obligations, including obligations under the Corporations Act 2001. ASIC has developed a range of strategies aimed at encouraging voluntary compliance and addressing non-compliance. These strategies include:

  • educating consumers and investors to make informed and appropriate choices when dealing with money and financial products and services;
  • providing guidance to regulated entities on how to comply with their obligations; and
  • communicating the actions that ASIC takes to inform regulated entities about the standards that it expects and the consequences of failing to meet those standards.5

4. Where there is non-compliance by a regulated entity, ASIC can take enforcement action to deal with and deter the misconduct. This may involve conducting an investigation and: taking criminal action (such as seeking imprisonment); commencing civil proceedings (including seeking civil penalty orders); taking administrative action (such as banning orders and imposing licence conditions); or accepting a negotiated outcome (including an enforceable undertaking, known as an EU). ASIC has adopted a graduated approach to enforcement, with the more severe and less frequently used sanctions being employed for serious misconduct, while responses such as EUs are used for less serious misconduct.

5. An EU is a written undertaking given to ASIC by a company or individual that it will operate in a certain way. EUs can achieve a broad range of outcomes, such as requiring an entity to compensate consumers, improve its compliance processes, cease providing services for a period or indefinitely, or undertake specific education programs. In contrast to other regulatory alternatives, an EU can be a relatively quick remedy where: results are more certain than the outcomes of court proceedings; it has the potential to change the compliance culture of an organisation; and it may achieve an outcome that is comparable to, or better than, that obtained in court. An EU is not an alternative to commencing criminal action, and is generally not used in cases involving deliberate misconduct, fraud, or conduct involving a high level of recklessness.

6. An EU generally arises where ASIC becomes aware of potential misconduct by an entity. Discussions may then commence between ASIC and the entity about how to resolve ASIC’s concerns. If ASIC considers that an EU would provide an effective regulatory outcome in response to the misconduct, it may enter into negotiations with, and accept an EU from, the entity.

7. Between 1 January 2012 and 30 June 2014, ASIC entered into 53 EUs.6 The entities involved included large banks and other financial institutions, large public companies, providers of credit, and individual auditors and liquidators. The EUs related to a wide variety of conduct, including:

  • misleading or deceptive conduct by financial institutions;
  • failures by company auditors and liquidators to properly carry out their duties and functions;
  • poor advice provided by financial advisers; and
  • the failure of Australian financial services licensees to monitor and supervise the financial services provided by their representatives.

8. Following acceptance of an EU, ASIC monitors compliance with the undertaking by the entity or individual (promisor), often with input from an independent expert. If the promisor does not comply with the EU, ASIC may enforce the undertaking, generally in the Federal Court of Australia or a State Supreme Court.

9. ASIC has five Commissioners, including the Chairman, Deputy Chairman and three members (the Commission). Reporting to the Commission are 12 stakeholder teams and three enforcement teams organised around the industry segments regulated by ASIC. Each of the teams is headed by one or more Senior Executive Leaders who have responsibility for most regulatory activities undertaken by ASIC, including the decision to accept an EU (except for a major matter which must be approved by ASIC’s Enforcement Committee or the Commission).

Parliamentary interest

10. In June 2014, the Senate Economics References Committee released a report on its inquiry into the performance of ASIC.7 In this report, the Committee recognised the good work that ASIC has done in a challenging environment, but raised a number of concerns about the performance of ASIC, including in relation to its use of EUs. The Committee’s report contained 61 recommendations aimed at enabling ASIC to fulfil its responsibilities more effectively. The report also raised concerns about ASIC’s enforcement decisions, and particularly its use of EUs. In summary, issues raised in submissions and highlighted by the Committee included: the use of EUs as a remedy for misconduct by large entities; the strength of terms included in EUs; the clarity of EUs in describing the alleged misconduct; and the transparency of the monitoring of compliance with EUs. The report included a recommendation that the Auditor-General undertake a performance audit of ASIC’s use of EUs. The Auditor-General agreed to this request.

Audit objective and criteria

11. The objective of the audit was to assess the effectiveness of the Australian Securities and Investments Commission’s administration of enforceable undertakings.

12. To form a conclusion against this objective, the Australian National Audit Office (ANAO) adopted the following high level criteria:

  • management arrangements are in place that support the effective, consistent and transparent administration of EUs;
  • offers of an EU are administered consistently, transparently and in accordance with ASIC’s policies and procedures; and
  • EUs accepted by ASIC are monitored to ensure compliance with those undertakings, action is undertaken where non-compliance is identified and the effectiveness of EUs as a regulatory tool is assessed.

Overall conclusion

13. As one of ASIC’s suite of regulatory responses, enforceable undertakings (EUs) have a valuable role in ASIC’s overall enforcement approach. EUs are particularly useful in addressing less serious misconduct where the promisor is co-operative. A potential benefit of EUs is in driving changes in a promisor’s compliance culture and systems, whereas an administrative penalty (or even a civil sanction) may not lead to behavioural change. Since their introduction in 1998, ASIC has accepted an average of 24 EUs per year, and from January 2012 to June 2014, 53 of ASIC’s 1711 enforcement actions (three per cent) were EUs.

14. In general, ASIC has effectively administered the EUs it has negotiated and accepted. It has sound processes for each major step of the EU process: accepting EUs as the most appropriate regulatory tool; including terms in the undertaking that appropriately address the misconduct; and monitoring adherence to those terms and addressing any identified non-compliance. However, there is considerable scope to improve the record keeping processes supporting EU decisions and compliance monitoring, as documentation was inconsistent, dispersed across multiple systems and not always readily available. In addition, ASIC does not measure or report on the effectiveness of EUs in achieving intended regulatory outcomes, including greater levels of voluntary compliance. Improved performance measurement and reporting would better inform key stakeholders, including Parliament, of the effectiveness of ASIC’s regulation.

15. In relation to entering into EUs, ASIC has accepted offers of EUs consistently, transparently and in accordance with its policies and procedures. For most EUs reviewed by the ANAO (83 per cent)8, there was sufficient documentation to demonstrate that accepting an EU would provide an effective regulatory outcome9 and no instances were identified where promisors were treated differently based on the size of their business.

16. ASIC also had a sound basis for including particular terms in each EU, with the terms generally aligning with the non-compliance at which the EU was directed. However, ASIC could ensure that EUs are clearer about the misconduct that was the subject of ASIC’s concerns. ASIC could also strengthen its capacity to assess compliance with, and the effectiveness of, EUs by more consistently including in the terms of an EU the requirement that the promisor report back to ASIC demonstrating their compliance with EU obligations. This information will better inform ASIC’s monitoring of the promisor’s compliance with the EU and, where necessary, its response to non-compliance.

17. Where the EU required an independent expert to assess the promisor’s compliance with EU obligations, ASIC was generally involved with the review process, and the reports provided by the expert were satisfactory. However, there were inconsistencies in ASIC’s approach to approving the appointment of experts and their terms of reference.10 In February 2015, ASIC released new public guidance that is expected to help improve processes relating to the appointment of independent experts.

18. The ANAO has made two recommendations aimed at improving ASIC’s measurement and reporting of the effectiveness of EUs, and its documentation of key decisions relating to EUs.

Key findings by chapter

Managing Enforceable Undertakings (Chapter 2)

19. A key component of any regulatory regime is a sound compliance and enforcement approach. ASIC follows a structured process to identify and prioritise its strategic compliance risks. Once risks are identified, it has a well-established hierarchy of regulatory responses to non-compliance, including enforcement options. EUs have a clear place in ASIC’s approach, as a response to less serious misconduct, particularly as they can provide flexibility and have the capacity to drive cultural change in a promisor’s business.11

20. To support its decision-making in respect of EUs, ASIC has a range of public guidance (including regulatory guides and information sheets), and internal policies and procedures. ASIC also negotiates outcomes that are not EUs.12 However, the role of these is less clear, as there is no policy, definition or register for these other negotiated outcomes. To provide more certainty to regulated entities, ASIC should consider ways to provide greater clarity around the circumstances in which it accepts and enters into other negotiated outcomes.

21. ASIC’s organisational arrangements for EUs are appropriate. The stakeholder and enforcement teams have clear roles and responsibilities in relation to EUs.13 There are sound procedures for Senior Executive Leaders to provide oversight and direction, and to refer major matters for consideration by ASIC’s Enforcement Committee and where relevant, approval by the Commission. However, internal management reporting is currently limited to reporting on the progress of EU negotiations, and more recently, compliance with undertakings for some EUs. Improving reporting to include the consistency, timeliness and outcomes of EUs would better position senior management in oversighting EUs.

22. There is sufficient guidance, on-the-job training and support for ASIC officers involved in the EU process. However, there is scope for ASIC to consolidate the information relating to EUs to reduce duplication, improve accessibility and facilitate better internal and external oversight of the EU process.14

23. All regulators require a sound performance measurement and reporting framework, and an understanding of the costs of their regulatory activities. ASIC has five KPIs that relate to EUs. However, it does not report externally against three of these KPIs, and only reports partially against two KPIs.15 The enhanced Commonwealth performance framework will come into effect on 1 July 2015, and provides the opportunity for ASIC to review its KPIs and develop appropriate performance measures, and to report on the extent to which EUs support ASIC in achieving regulatory outcomes. There would also be benefit in ASIC more systematically collecting information covering the costs of administering EUs, to help allocate its resources effectively and to ensure it is not placing an excessive burden on regulated entities.

Entering into Enforceable Undertakings (Chapter 3)

24. To help ensure that EUs are administered consistently and transparently, it is important that they are entered into in accordance with ASIC’s policies and procedures. ASIC’s internal guidance requires senior management involvement in all EUs, including approving the commencement of negotiations and providing final approval for the EU. For 85 per cent of EUs reviewed by the ANAO, senior management was appropriately involved throughout the process and, for 77 per cent of EUs, there was documented approval for the decision to negotiate an EU. However, the format and content of documentation (including approvals) varied substantially between cases and there is considerable scope to improve ASIC’s documentation to support a more consistent approach to the EU decision-making and approval process.

25. For 44 (83 per cent) of the 53 EUs reviewed, the documentation was sufficient to establish that the decision to accept an EU—on the basis that it would achieve an effective regulatory outcome—was defensible.16 In these cases, the ANAO was able to identify some comparative analysis outlining the benefits of accepting an EU over other regulatory options (such as court action). The most common justifications for entering into an EU included that the EU provided a superior outcome to consumers and investors and/or a more timely and cost effective way to deal with the misconduct. No instances were identified where promisors were treated differently based on the size of their business.

26. Generally, terms included in EUs provided a proportionate regulatory response to the non-compliance identified. The individual terms in the EU and the misconduct at which those terms were directed were also clearly aligned. However, ASIC does not assess the effectiveness of EUs (and terms in EUs) to enable it to have a firmer basis for requiring particular terms in EUs, or to provide assurance that EUs are having the desired regulatory outcome. In addition, to improve its capacity to monitor compliance with EUs (and to assess their effectiveness), ASIC could include reporting requirements in EUs requiring the promisor to provide proof of discharging their obligations. In line with the Senate Economics References Committee’s recommendation, there is also scope for ASIC to ensure that EUs are clearer about the misconduct that was the subject of ASIC’s concerns. This can be achieved by ASIC setting expectations about the required content of EUs through its policies, and through consistent actions in requiring future EUs to include a sufficiently clear statement about the alleged misconduct.

27. When EUs are being finalised, the Chief Legal Office is to provide quality control and assurance. However, while there was evidence of Chief Legal Office involvement for most EUs (91 per cent), an approval was documented in only 41 per cent of cases. Also, while senior executives ultimately sign all EUs, final approvals were only recorded (as required by ASIC guidance) in 53 per cent of cases. Accordingly, there would be merit in ASIC formalising the processes for obtaining approvals for EUs.

28. ASIC’s policy is that it will issue a media release for each EU and, at its discretion, may give advance notice about the media release to a promisor. While media releases were published for 52 of the 53 EUs reviewed, there was inconsistency in ASIC’s handling of requests from promisors for advance copies of media releases. In March 2015, ASIC advised that it will be introducing a new policy that media releases will generally be provided to all promisors that enter into an EU, 24 hours before publication.

Monitoring Compliance with Enforceable Undertakings (Chapter 4)

29. To assess whether EUs achieve intended regulatory outcomes (including greater compliance), it is important that ASIC monitors compliance by promisors with these undertakings.17 In this regard, ASIC’s monitoring of compliance with EUs was adequate for the significant majority of EUs reviewed (83 per cent). In accordance with its risk-based approach, monitoring was generally undertaken consistently, with ASIC having more extensive ongoing involvement with a promisor where the EU was complex or involved ongoing obligations. Where ASIC had information available suggesting non-compliance with an EU, it responded appropriately having regard to the circumstances of the matter.

30. To assist in monitoring a promisor’s compliance with an EU and/or relevant laws following acceptance of an EU, ASIC often requires the appointment of an independent expert to conduct independent reviews of the promisor’s business. However, there were inconsistencies in the process for appointing independent experts under an EU. Of the 30 EUs that required an independent expert to be appointed, 13 did not provide for ASIC to approve the expert and/or their terms of reference. Further, even where there was a requirement for ASIC to approve the expert, the practices for this varied considerably between EUs, and there was no documented consideration of the appropriateness of an expert for one-third of cases where an approval had been given. In four of the 10 EUs reviewed (40 per cent) where there was documented consideration of the appropriateness of an independent expert, ASIC rejected the initial expert proposed by the promisor. ASIC has recently released new public guidance that requires promisors to obtain ASIC’s approval for the appointment of an expert and their terms of reference. It is expected that this will increase consistency over time.

31. In general, reports produced by independent experts addressed EU requirements, were sufficiently comprehensive and provided meaningful recommendations for promisors to improve their compliance with the legislation and/or the EU. The level of engagement by ASIC with the appointed independent expert reflected a risk-based approach, depending on the nature and complexity of the EU, and the misconduct at which the EU was directed. For 75 per cent of EUs where an independent expert had been appointed, there was evidence of ASIC assessing the reports provided by the expert and in 60 per cent of cases, there was evidence of direct communication by ASIC with the expert. However, while its engagement with experts was effective overall (particularly when a stakeholder team was responsible for monitoring compliance), ASIC should keep records of such engagement and ensure that roles and responsibilities for monitoring are clearly understood.

32. In its report, the Senate Economics References Committee recommended that ASIC consider ways of making the monitoring of ongoing compliance with EUs more transparent. In response, in August 2014 ASIC introduced draft guidance requiring, as a general position, the public reporting of outcomes of EUs (including the publication of summaries of independent expert reports). ASIC is currently entering into EUs consistent with this new policy and anticipates that by doing so, it will effectively address the Senate Economics References Committee’s recommendation. Nevertheless, there remains scope for ASIC to more systematically assess, and report publicly on, the effectiveness of each EU in achieving its desired regulatory outcomes.

Summary of entity response

33. ASIC provided the following summary comment to the audit report:

ASIC welcomes the ANAO audit report on ASIC’s administration of enforceable undertakings and considers it provides useful recommendations for improvements in practices. ASIC also welcomes the findings by the ANAO that enforceable undertakings have a significant role to play in ASIC’s enforcement approach, that in general, ASIC has effectively administered the enforceable undertakings it has negotiated and accepted, and that ASIC has accepted offers of enforceable undertakings consistently, transparently and in accordance with its policies and procedures. The findings that ASIC’s decisions and actions regarding enforceable undertakings are underpinned by a structured compliance and enforcement approach and that the ANAO did not identify any instances where promisers were treated differently based on the size of their business are also welcomed by ASIC.

ASIC agrees with the two recommendations made in the report, aimed at improving ASIC’s measurement and reporting of the effectiveness of enforceable undertakings, and at the documentation of key decisions relating to enforceable undertakings. ASIC confirms the recommendations will be implemented.

ASIC has been working towards the development of performance measures and reporting to comply with enhanced Commonwealth reporting obligations that take effect on 1 July 2015.

34. ASIC’s full response is included at Appendix 1.

Recommendations

Recommendation No. 1

Paragraph 2.50

To assess the effectiveness of enforceable undertakings as an appropriate regulatory tool and their contribution to ASIC achieving its compliance objectives, the ANAO recommends that ASIC:

  1. develops appropriate performance measures to monitor the effectiveness of enforceable undertakings in addressing non-compliance, and regularly reports against these measures; and
  2. periodically assesses, and reports on, the effectiveness of enforceable undertakings in contributing to improved levels of voluntary compliance.

ASIC response: Agreed.

Recommendation No. 2

Paragraph 3.62

To strengthen decision-making and support the transparency of, and quality assurance over enforceable undertakings, the ANAO recommends that ASIC:

  1. reinforces to staff the need for key documents and decisions relating to enforceable undertakings to be appropriately recorded in accordance with ASIC policies and procedures; and
  2. formalises the processes for obtaining enforceable undertaking approvals.

ASIC response: Agreed.

1. Introduction

This chapter provides background information on ASIC and the use of enforceable undertakings as a regulatory tool. It also outlines the audit objective and approach.

Background and context

1.1 Australia’s financial system plays an essential role in supporting the economic prosperity of Australians, by providing consumers and businesses with banking, investment, superannuation and insurance services. Among other things, Australia’s financial system is crucial to enabling businesses to attract capital to expand their businesses, providing the means for consumers to borrow to fund large purchases and allowing individuals to provide for their retirement. In recent years, there has been significant growth in Australia’s financial system, with financial system assets growing from two years’ worth of Australia’s nominal gross domestic product in 1997 to more than three times nominal gross domestic product in 2013.18 At December 2014, financial institutions in Australia controlled assets of around $6 trillion.19

1.2 The Australian Securities and Investments Commission (ASIC) is Australia’s corporate, financial markets, financial services and consumer credit regulator. It seeks to ensure the markets it regulates are fair and transparent, supported by confident and informed investors and consumers. Together with the Australian Prudential Regulation Authority and the Reserve Bank of Australia, ASIC plays a major role in regulating Australia’s financial system. One of ASIC’s most important responsibilities20 is to ensure that regulated entities comply with their legal obligations, including obligations under the Corporations Act 2001.

1.3 In 2013–14, ASIC’s operating expenditure was $341 million. As shown in Figure 1.1, 40 per cent of this expenditure was directed towards markets. This strategic priority broadly covers corporate governance21 and market integrity, and involves regulating the 2.2 million registered companies in Australia22 and supervising trading on Australia’s domestic equities, derivatives and futures markets. As at 30 June 2014, there were 40 authorised financial markets and six licensed clearing and settlement facilities. Australia’s largest financial market is the Australian Stock Exchange, one of the largest share markets in the world, with a domestic equities market capitalisation of $1.57 trillion.23

Figure 1.1: ASIC’s resource allocation by strategic priority, 2013–14

Source: ASIC Annual Report 2013–14.

1.4 The other significant area of regulation carried out by ASIC is in relation to investors and financial consumers, to which 33 per cent of ASIC’s resources were directed in 2013–14. In relation to investors and financial consumers, ASIC is responsible for, among other things:

  • monitoring financial services businesses to help ensure they operate efficiently, honestly and fairly; and
  • ensuring persons who engage in credit activities meet the standards—including their responsibilities to consumers—that are set out in the National Consumer Credit Protection Act 2009.

1.5 In 2013–14, ASIC oversaw 3391 Australian financial services licensees that provide personal financial advice, 3673 registered managed investment schemes and 5837 Australian credit licensees.24 The considerable resources directed towards investors and other financial consumers reflect the significant role that financial services play in Australia’s economy and their essential contribution to investment, savings and retirement incomes.

1.6 The importance of effective financial regulation in Australia was illustrated by the collapses of Storm Financial and Opes Prime in 2008–09. In the case of Storm Financial, around 3000 of its clients, typically individuals seeking to generate retirement savings and income, suffered combined losses of around $830 million. Many of these clients were required to sell their homes.25 In respect of Opes Prime, a securities lending and stockbroking firm, creditors sold the securities for a small proportion of their initial worth. Consequently, Opes Prime’s clients, many of whom thought the arrangement was a standard loan, suffered losses such as their entire retirement savings and forced sales of family homes, as well as breakdowns in personal relationships and ill health.26 There have also been instances of inappropriate or predatory lending practices, which are often targeted at vulnerable, disadvantaged or low-income consumers.27

1.7 ASIC’s compliance model is based on a ‘detect, understand and respond’ approach.28 Detection occurs through surveillance, reports from the public and whistleblowers, data gathering and matching, and intelligence. ASIC responds to non-compliance, or the risk of non-compliance, by: disrupting harmful behaviour; taking enforcement action; communicating the actions it takes; educating investors and financial consumers; providing guidance to ‘gatekeepers’29; and providing policy advice to Government.

1.8 In conducting its 2013–14 regulatory activities, 35 per cent of ASIC’s resourcing was directed towards enforcement and 20 per cent towards surveillance activities. ASIC’s surveillance activity generally involves monitoring entities to determine whether they are complying with the relevant legislation. ASIC adopts a risk-based approach to surveillance, which may be proactive or reactive. For example, ASIC may proactively target the largest firms in a market through site visits and desk-based reviews, or it may be reactive, in response to breach reports, or reports of misconduct from the public and whistleblowers. Where ASIC identifies misconduct as a result of its surveillance activity, public or statutory reports, or referrals from another regulator, it may take enforcement action. Enforcement is one of the many regulatory tools available to ASIC, and is used to deter misconduct. Enforcement includes: taking criminal action (such as seeking imprisonment); commencing civil proceedings (including seeking civil penalty orders); taking administrative action (such as banning orders and imposing licence conditions); or accepting a negotiated outcome (including an enforceable undertaking).

Enforceable undertakings

1.9 An enforceable undertaking (EU) is a written undertaking, given to ASIC by a regulated entity, that it will operate in a certain way.30 For example, an EU may typically require an entity or an individual (the promisor) to:

  • remedy the deficiencies in a company’s compliance systems by taking certain specified action, and having this reviewed by an independent auditor or expert;
  • complete additional professional education, or for a set period of time, refrain from performing a significant role in an audit engagement, or be subject to technical supervision on future audit engagements;
  • inform the market to correct false or misleading disclosures;
  • perform a community service obligation (for example, by funding an education program for consumers of particular financial services); or
  • write to investors or parties affected by misconduct, advising them of the existence of the EU, its terms and how a copy of it can be obtained.31

1.10 EUs are used as an alternative to civil court action or administrative actions (such as banning orders, imposing licence conditions, or issuing an infringement notice). In comparison to these, EUs provide a tailored and more certain outcome that can, for example, involve entities making substantial changes to their systems and cultures and, in appropriate cases, making restitution. EUs may be preferred to civil action as the latter is usually lengthier and the outcome is uncertain. Administrative actions such as infringement notices may not lead to cultural or behavioural change, as the entity may see the penalty as simply a cost of doing business. An EU is not an alternative to commencing criminal action, or to be used in cases of deliberate misconduct, fraud, or conduct involving a high level of recklessness.32

1.11 ASIC is able to accept EUs from individuals and corporations and in respect of any area where ASIC has regulatory responsibility.33 ASIC considers EUs are ‘an important component in [its] array of enforcement remedies to influence behaviour and encourage a culture of compliance’. In its view, an EU ‘can sometimes offer a more effective regulatory outcome than could otherwise be achieved through other available enforcement remedies’.34 EUs have been identified as a form of restorative justice, where the objective is to address the harm done (restoration), repair relationships, and reduce recidivism.35

1.12 Where an EU is not complied with, ASIC may apply to a court (generally, the Federal Court of Australia) for relevant orders, including for the promisor to: comply with a term of the undertaking; pay the Commonwealth an amount up to the amount of any financial benefit directly attributable to the breach; or compensate any other person who has suffered loss or damage as a result of the breach. Failure to comply with such an order is a contempt of court.

ASIC’s use of enforceable undertakings

1.13 ASIC’s use of EUs in the context of its other enforcement activities covering the period 1 January 2012 to 30 June 2014 is outlined in Table 1.1.

Table 1.1: ASIC enforcement outcomes, 1 January 2012 to 30 June 2014

| Area of enforcement | Criminal convictions | Civil outcomes(1) | Administrative remedies | EUs/negotiated outcomes(2) | Public warning notices | Total |
|---|---|---|---|---|---|---|
| Market Integrity | 29 | 4 | 38 | 4 | 0 | 75 |
| Corporate Governance | 24 | 9 | 11 | 16 | 1 | 61 |
| Financial services | 40 | 41 | 140 | 77 | 5 | 303 |
| Small business compliance and deterrence | 1 105(3) | 2 | 165 | 0 | 0 | 1 272 |
| Total | 1 198 | 56 | 354 | 97 | 6 | 1 711 |

Source: ASIC, Report 383: ASIC enforcement outcomes: July to December 2013 and ASIC, Report 402: ASIC enforcement outcomes: January to June 2014.

Note: ASIC reports outcomes per defendant, rather than per matter.

Note 1: Civil outcomes include declarations, injunctions and civil penalty orders.

Note 2: The figure for EUs also includes other negotiated outcomes. An example of an ‘other negotiated outcome’ is where ASIC negotiated with a home loan lender to have the lender refund early termination fees paid by consumers in breach of the relevant consumer credit law. ASIC’s publicly available enforcement statistics do not separate EUs from other negotiated outcomes.

Note 3: The large number of criminal convictions arising from small business compliance and deterrence activities reflects the high-volume investigative activities of ASIC’s Small Business Compliance and Deterrence team. These activities include: taking action against directors who fail to assist liquidators when their companies fail; investigating and banning directors; and preparing criminal briefs for matters including breaches of director’s duties, managing while disqualified, lodging false documents and failing to lodge financial statements.

1.14 Table 1.1 combines EUs and negotiated outcomes. To determine the number and nature of EUs entered into from 1 January 2012 to 30 June 2014, the Australian National Audit Office (ANAO) examined ASIC’s EUs register, available on its website (Table 1.2).

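Table 1.2: Number and nature of enforceable undertakings entered into by ASIC, 1 January 2012 to 30 June 2014

| Year | Total EUs | By entity size: Large(1) | By entity size: Small | By entity size: Individual | By area of enforcement: Auditors and Liquidators | By area of enforcement: Financial Services | By area of enforcement: Consumer Credit | By area of enforcement: Other(2) |
|---|---|---|---|---|---|---|---|---|
| 2012 | 18 | 2 | 0 | 16 | 7 | 7 | 2 | 2 |
| 2013 | 25 | 7 | 8 | 10 | 3 | 12 | 8 | 2 |
| 2014(3) | 10 | 1 | 5(4) | 5(4) | 3 | 3 | 3 | 1 |
| Total | 53 | 10 | 13 | 31 | 13 | 22 | 13 | 5 |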

Source: ANAO analysis.

Note 1: The Australian Bureau of Statistics definition of a large business is used—that is, one with 200 or more employees.

Note 2: Includes two EUs relating to influencing the Bank Bill Swap Rate, one EU relating to a breach of continuous disclosure obligations, one EU relating to corporate governance and one EU involving market misconduct.

Note 3: These figures are for the half year to June 2014. A further 13 EUs were accepted by ASIC in the period 1 July 2014 to 31 December 2014.

Note 4: The figures for EUs by entity size in 2014 add to 11 (rather than 10) because one EU accepted during the year involved both small companies and individuals associated with those companies.

1.15 From July 1998 (when EUs were introduced) to December 2014, a total of 388 EUs were accepted by ASIC (an average of 24 annually) and from January 2010 to December 2014, 92 EUs were accepted (an average of 18 annually). Table 1.2 shows that in 2013 and the first half of 2014, ASIC entered into more EUs with companies than with individuals. In this period, the EUs also related to comparatively more credit and financial services matters.

Parliamentary and other external scrutiny of ASIC

1.16 In June 2013, the Senate referred the performance of ASIC to the Senate Economics References Committee for inquiry. The terms of reference for the inquiry were:

  • ASIC’s enabling legislation, and whether there are any barriers preventing ASIC from fulfilling its legislative responsibilities and obligations;
  • the accountability framework to which ASIC is subject, and whether this needs to be strengthened;
  • the workings of ASIC’s collaboration and relationships with other regulators and law enforcement bodies;
  • ASIC’s complaints management policies and practices;
  • the protections afforded by ASIC to corporate and private whistleblowers; and
  • any related matters.36

1.17 The Senate Economics References Committee tabled its final report on 26 June 2014. One area of focus for the Committee was the allegations of serious misconduct engaged in by financial advisers at Commonwealth Financial Planning Limited (part of the Commonwealth Bank of Australia Group) between 2006 and 2010. The chair of the Committee stated that ASIC’s slow response to the case and lack of scepticism was hard to explain, and that the agency ‘allowed itself to be lulled into complacency and placed too much trust in an institution that sought to patch over its problems.’ He added that:

The good work that ASIC has done in a challenging environment has been recognised. Even so, there is a need for ASIC to become a far more proactive regulator ready to act promptly but fairly. ASIC also needs to be a harsh critic of its own performance with the drive to identify and implement improvements.37

1.18 The Committee made 61 recommendations generally aimed at enabling ASIC to fulfil its responsibilities and obligations more effectively and to promote greater confidence in the regulator. The Committee also raised concerns about ASIC’s enforcement decisions, and particularly, its use of EUs. Potential issues regarding ASIC’s EU processes and practices raised in submissions and highlighted by the Committee included:

  • the extent of ASIC’s reliance on EUs, particularly as a remedy for misconduct by large entities—the Committee quoted submissions that suspected ASIC might have been ‘soft on the big end of town’;
  • the clarity of EUs in specifying remedial actions and whether the undertakings placed sufficient conditions on entities whose strategies may be damaging financial consumers and investors;
  • the extent of detail included in the EU about the alleged misconduct, such that other market participants may not be aware of the purpose of the undertaking;
  • in its approach to negotiating EUs, ASIC may give excessive regard to the burden an undertaking might impose on a company; and
  • scope to improve transparency in relation to the monitoring of EUs, such as through making publicly available the reports provided to ASIC by independent experts appointed as a condition of the undertaking.38

1.19 As a consequence of these concerns, the Senate Economics References Committee included in its report a recommendation that the Auditor-General consider conducting a performance audit of ASIC’s use of EUs, including:

  • the consistency of ASIC’s approach to EUs across its various stakeholder and enforcement teams39; and
  • the arrangements in place for monitoring compliance with EUs that ASIC has accepted.

1.20 The Auditor-General accepted the recommendation and agreed to conduct the audit, which is the subject of this report.

1.21 ASIC has responded to the Committee’s concerns, stating that EUs are not a soft option but a very effective regulatory tool ‘that generally require the person offering the EU to implement significant changes to the way they operate, and to provide substantial compensation, conditions that may be enforced in court’. It also noted that, ‘like all Commonwealth agencies, ASIC is required to act as a model litigant, including trying wherever possible to avoid court proceedings and considering settlements where appropriate’.40

Previous ANAO coverage of ASIC

1.22 The ANAO has undertaken the following two performance audits of ASIC, tabled in 2006 and 2007:

  • Audit Report No. 25 2005–06, ASIC’s Implementation of Australian Financial Services Licences; and
  • Audit Report No. 18 2006–07, ASIC’s Processes for Receiving and Referring for Investigation Statutory Reports of Suspected Breaches of the Corporations Act 2001.

1.23 An element of ASIC’s registry functions was also included in the cross-agency audit of the Administration of the Australian Business Register, which was tabled in June 2014. None of these reports covered ASIC’s administration of EUs.

Audit objective, criteria and methodology

1.24 The objective of the audit was to assess the effectiveness of the Australian Securities and Investments Commission’s administration of enforceable undertakings.

1.25 To form a conclusion against this objective, the ANAO has adopted the following high-level criteria:

  • management arrangements are in place that support the effective, consistent and transparent administration of EUs;
  • offers of EUs are administered consistently, transparently and in accordance with ASIC’s policies and procedures; and
  • EUs accepted by ASIC are monitored to ensure compliance with those undertakings, action is undertaken where non-compliance is identified and the effectiveness of EUs as a regulatory tool is assessed.

Audit methodology

1.26 The audit examined ASIC’s use of EUs as a regulatory tool across all stakeholder and enforcement teams involved in administering EUs. The audit examined all 53 EUs that were accepted by ASIC from 1 January 2012 to 30 June 2014.

1.27 The audit methodology included consulting with stakeholder groups and professional advisers with relevant experience and expertise, interviewing ASIC staff41, and examining relevant documentation and systems.

1.28 The audit has been conducted in accordance with the ANAO’s auditing standards at a cost of approximately $365 000.

Report structure

1.29 The structure of the report is outlined in Table 1.3 and reflects the audit criteria in paragraph 1.25.

Table 1.3: Structure of the report

| Chapter | Overview of chapter |
|---|---|
| 2 Managing Enforceable Undertakings | Examines ASIC’s arrangements to support the administration of enforceable undertakings. |
| 3 Entering into Enforceable Undertakings | Examines whether ASIC enters into enforceable undertakings consistently, transparently and in accordance with its own policies and procedures. |
| 4 Monitoring Compliance with Enforceable Undertakings | Examines ASIC’s monitoring of enforceable undertakings, action taken to address non-compliance, and reporting on compliance with the undertakings. |

2. Managing Enforceable Undertakings

This chapter examines ASIC’s arrangements to support the administration of enforceable undertakings.

Introduction

2.1 Sound management and governance arrangements support regulators to meet their legislative and regulatory responsibilities and to be accountable for their decisions, actions and performance.42 Regulators also need a risk-based compliance and enforcement approach that communicates regulatory requirements and how these requirements will be monitored and enforced in a consistent and transparent manner.

2.2 The ANAO examined ASIC’s:

  • compliance and enforcement approach;
  • management arrangements, including for the oversight and quality control of EUs;
  • performance monitoring and reporting processes; and
  • guidance and training arrangements that support ASIC officers involved in negotiating and monitoring compliance with EUs.

Compliance and enforcement approach

2.3 Regulators should have a compliance and enforcement approach that is risk-based and proportionate, and that supports consistency, accountability and transparency.43 The approach should also be designed to promote voluntary compliance, and to detect and deal with non‐compliance.

Compliance approach

2.4 ASIC’s compliance approach is set out in its Strategic Framework and is based on a three-stage process: detect, understand and respond (Figure 2.1).

Figure 2.1: ASIC’s approach to non-compliance

Source: ANAO, based on ASIC information.

Detecting and understanding misconduct or the risk of misconduct

2.5 ASIC detects misconduct or the risk of misconduct (including potential systemic industry issues) through the four main sources listed in Figure 2.1. ASIC states that it takes a proactive and risk-based approach to detecting and understanding misconduct.44 At the strategic level, this occurs through formal business planning and risk management processes.45 At the operational level, ASIC identifies, analyses and evaluates risks in the regulated population and focuses surveillance activities46 on those areas it considers to be the highest risk. This program sits alongside reactive surveillance work, which arises from reports from whistleblowers, complaints from the public or breach reports.47 A key focus for ASIC is detecting and understanding the drivers of risks to investors, financial consumers, and the sectors and participants that it regulates.

Responding to misconduct or the risk of misconduct

2.6 Where misconduct or the risk of misconduct (such as industry-wide issues or issues relating to the introduction of new regulation) is detected and understood, ASIC has a variety of responses, as outlined in Table 2.1.

Table 2.1: ASIC’s responses to misconduct or the risk of misconduct

| Response | Explanation |
|---|---|
| Communication | ASIC communicates the actions it takes to promote compliance with the law by informing the public about the standards it expects and the consequences of failing to meet those standards. Examples include media releases reporting ASIC’s compliance activities and corporate publications (such as ASIC’s Strategic Outlook). |
| Education | ASIC helps investors and financial consumers make appropriate choices when they deal with money and financial products and services through its MoneySmart website and Indigenous Outreach Program. |
| Enforcement | ASIC takes a range of actions (including administrative, civil and criminal action) to enforce the law and deal with misconduct that puts investors and fair and efficient markets at risk. |
| Engaging with industry and stakeholders | ASIC engages with industry and stakeholders to assist regulated entities to meet their obligations under Australian law, and to detect misconduct, by gathering intelligence and understanding market and consumer behaviour. In 2013–14, ASIC held 1172 meetings with industry groups and other stakeholders. |
| Policy advice | ASIC provides policy advice to Government on law reform that might be required to overcome problems that it encounters in administering or enforcing legislation, or as a response to changes in financial markets. |
| Guidance and other regulatory documents | ASIC issues regulatory guides and information papers to assist regulated entities in complying with the law. This guidance explains when and how ASIC will exercise specific powers, how it interprets the law and provides practical guidance for entities (such as outlining the process for applying for a licence or giving practical examples about how regulated entities may decide to meet their obligations). |

Source: ANAO analysis of ASIC information.

2.7 ASIC publications emphasise the importance of voluntary compliance. For example, ASIC’s guidance on corporate compliance states: ‘we encourage high levels of voluntary compliance by being up-front about our educative and enforcement strategies and helping companies and officeholders comply with their obligations’.48 Further, Information Sheet 172: Cooperating with ASIC encourages entities to cooperate with ASIC, including by self-reporting misconduct.49 As outlined in Table 2.1, where ASIC identifies misconduct, it may take enforcement action in respect of that conduct.

Enforcement approach

2.8 ASIC’s overall enforcement approach is set out in Information Sheet 151: ASIC’s approach to enforcement, which is available on its website.50 This information sheet covers the range of regulatory tools that ASIC can use to improve confidence in Australia’s financial markets and facilitate fair and efficient markets. These tools include education, engagement and guidance, and using its enforcement powers such as criminal and civil sanctions, administrative remedies and negotiated outcomes, depending on the seriousness and consequences of the misconduct.

2.9 ASIC’s approach to enforcement is similar to the commonly-used ‘regulatory pyramid’ compliance model. The model involves the less frequent use of the most severe sanctions, which form the apex of the pyramid, compared to the persuasion-focused methods of resolution that form the pyramid’s base.51 More severe sanctions, such as imprisonment of individuals involved in the misconduct and high pecuniary penalties, are used where the conduct is more serious and there is an unwillingness of the regulated entity to comply with the law. Where the conduct is less serious and the regulated entity is co-operative, the model identifies more moderate sanctions as being appropriate. ASIC advised that it sees EUs as normally sitting towards the bottom of the compliance pyramid, although this will depend on the content of a particular EU.

2.10 ASIC has processes in place to consider appropriate enforcement action. The decision whether to conduct a formal investigation will depend on ASIC’s initial assessment of the extent of harm or loss, the benefits of pursuing the misconduct and the seriousness of the misconduct. ASIC’s decision-making process is set out in Figure 2.2.

Figure 2.2: ASIC’s approach to enforcement

Source: ASIC Information Sheet 151: ASIC’s approach to enforcement.

Role of enforceable undertakings

2.11 In terms of EUs, the role of these regulatory tools in ASIC’s enforcement approach is outlined in ASIC’s Regulatory Guide 100: Enforceable Undertakings. According to this guide, ASIC views EUs: ‘as an important component in [its] array of enforcement remedies to influence behaviour and encourage a culture of compliance for the benefit of all participants’. Importantly, ASIC considers: ‘that an [EU] can sometimes offer a more effective regulatory outcome than could otherwise be achieved through other available enforcement remedies, namely civil or administrative action’.52

2.12 Before deciding whether to accept an EU, ASIC will have already undertaken a number of compliance actions, including conducting a surveillance activity and/or an initial investigation of the regulated entity. A decision is then taken whether to conduct a formal investigation, based on a consideration of the matter’s strategic significance (including the seriousness of the misconduct, its impact on the market, and the likelihood and consequences of the conduct causing harm to investors and others) and the benefits of pursuing the misconduct.

2.13 If a breach is established and enforcement action is justified, ASIC may consider accepting an EU from among the enforcement tools available (outlined in the following section). This consideration involves an assessment of factors influencing the risk to the community, such as the compliance history of the entity, and whether it is likely to comply with the EU.53 ASIC will also consider the relative uncertainty of an alternative course of action, such as a court, tribunal or disciplinary body action. For example, if an EU leads to a liquidator agreeing not to practise for three years, this may be preferred to Companies Auditors and Liquidators Disciplinary Board proceedings, where an outcome is uncertain and ASIC might have judged the likely outcome as being a ban of between two and four years.54

Alternatives to enforceable undertakings

2.14 As previously discussed, ASIC has a range of tools to achieve its regulatory objectives. The selection of an EU is dependent on a comparison of the regulatory effectiveness of an EU to the other regulatory options available. These other options are outlined in Table 2.2.

Table 2.2: Regulatory alternatives to enforceable undertakings

| Category | Type of sanction | Effectiveness | Transparency | Consequences |
|---|---|---|---|---|
| Administrative action | Licence conditions and cancellations | Can protect the public by excluding an entity from the industry in a relatively timely manner, or imposing conditions on the way in which they operate. There is a wide range of conditions that can be imposed. | The result is public, as details about any licence cancellations or conditions are publicly available through ASIC’s professional registers. | A licence cancellation will result in exclusion of the entity from the industry. The effect of licence conditions will depend on the conditions that are imposed. |
| Administrative action | Banning or disqualification order | Can protect the public by resulting in the exclusion of an entity from the industry in a relatively timely manner. | The result is public, as the person is placed on a register of banned or disqualified persons. | The person is banned or disqualified from providing specified services, usually for a period. |
| Administrative action | Infringement notice | May not change the entity’s culture (that is, it can be seen as a ‘cost of doing business’). Legislation does not provide infringement notice powers for some types of misconduct. | The result is public, as details are placed on an infringement notice register and a media release issued. | Several different regimes have differing levels of penalty. |
| Court action (civil or criminal action) | Civil action (civil penalties and/or the seeking of injunctions, declarations and compensation orders) | Quantum of a civil penalty may not provide strong deterrence or result in behavioural change. Can achieve outcomes that result in the remediation of consumers/investors. Publicity of outcome may have strong deterrence impact. | The result is public as a court imposes a penalty (and ASIC issues a media release). | Depend on the contravention. Under the Corporations Act 2001, the maximum civil penalty is $200 000 for individuals and $1 million for corporations. Compensation orders are also possible. |
| Court action (civil or criminal action) | Criminal action | Can protect the public by resulting in the imprisonment of a person. Criminal action can have a very strong deterrence impact; however, charges can take a long time to be heard by a court. | The result is public as a court imposes a penalty (and ASIC issues a media release). | Depend on the offence. Prison terms of up to 10 years; or fines up to $765 000 for individuals or $7.7 million for companies, or three times the benefit gained. |
| Companies Auditors and Liquidators Disciplinary Board | Cancellation, suspension or undertaking | Can protect the public by resulting in the temporary or permanent exclusion of a person from the industry. The Companies Auditors and Liquidators Disciplinary Board can also make other orders (such as requiring a person to undertake education) to reduce the possibility of reoffending. | Proceedings are in private unless and until an adverse finding is made. | May cancel registration or suspend for a specified period of time. May also obtain an EU, or admonish or reprimand. |
| Other negotiated outcomes | Examples include an agreement to: undertake corrective disclosure or advertising; or refund unlawful early termination fees | These are highly flexible, and due to the informality, can be achievable in a relatively short timeframe. These undertakings might not be court enforceable. | Negotiated in private, but normally publicised in a media release. There is currently no formal ASIC policy, definition or public register. | Vary depending on the terms of the agreement. |

Source: ANAO analysis of ASIC information.

2.15 As indicated in Table 2.2, EUs have a significant role to play in ASIC’s enforcement approach where other regulatory options: are unavailable; would not produce an outcome commensurate with the harm caused; or have other disadvantages. A potential benefit of EUs is in driving changes in an entity’s culture and systems, whereas an administrative penalty, or even a civil sanction, may not lead to behavioural change. Recognising this benefit, the Senate Economics References Committee concluded that EUs may correct behaviour within a particular organisation, but added that these undertakings ‘do not yield the wider and more significant regulatory benefits that are associated with successful court action’.55 While a favourable court decision may have a greater general deterrent effect than an EU, as indicated in Table 2.2, the outcome of court action is uncertain in terms of the sanction56 that a court might impose and the consequential effect on the entity’s business (such as improved compliance processes). During the period 1 January 2012 to 30 June 2014, as outlined in Table 1.1, there were a total of 1711 enforcement outcomes, of which 97 were EUs or other negotiated outcomes.

Other negotiated outcomes

2.16 As mentioned in Chapter 1, ASIC sometimes reaches negotiated outcomes with regulated entities that are not EUs (that is, they are not enforceable by statute, although they may be enforceable as a contract). These types of outcomes are used across a variety of matters. At the lower end, ASIC negotiates outcomes that involve, for example, an exchange of letters leading to the correction of misleading or deceptive conduct. At the higher end, a negotiated outcome may be similar to an EU. While these other negotiated outcomes can be quite significant, ASIC does not have a policy, definition or public register for this type of activity. There can also be less clarity about announcing the terms of the settlement.57

2.17 Based on information provided by ASIC, the ANAO identified that in 2013–14, ASIC finalised at least 113 negotiated outcomes other than an EU.58 However, given that ASIC does not have a policy, clear definitions or public register in relation to negotiated outcomes, these numbers are not exhaustive, and there are likely to be additional outcomes resolved through negotiations by the stakeholder and enforcement teams. To give regulated entities more certainty and to increase transparency, there would be merit in ASIC providing greater clarity around the circumstances in which it accepts and enters into other negotiated outcomes.

Management arrangements for enforceable undertakings

2.18 To help ensure that regulatory decisions (including for the use of EUs) are made consistently, transparently and proportionately, it is important that sound management arrangements are in place. Accordingly, the ANAO examined ASIC’s management arrangements for EUs.

2.19 As previously discussed, ASIC may become aware of a potential enforcement matter in a number of ways, including through reporting of misconduct and breaches. These matters can be referred to the relevant ASIC stakeholder team for further review or directed to an enforcement team to consider undertaking an investigation or initiating enforcement action.59

2.20 Depending on the nature of the EU, staff from the enforcement and stakeholder teams will have varying degrees of involvement. EUs are generally negotiated and finalised by enforcement teams, which will also undertake monitoring if prompt follow-up action is required (for example, a community benefit payment must be made by a certain date). Otherwise, the stakeholder team, which is better placed to have an ongoing relationship with the promisor, monitors the EU. The relevant stakeholder and enforcement teams are expected to liaise with each other as necessary, for example to ensure that an EU contains appropriate terms and that the promises given will take into account the position of those affected by the alleged breaches. In practice, as discussed in paragraphs 4.12 to 4.14, the respective teams generally did consult as required.

Roles of senior executives and executive committees

2.21 According to ASIC guidance, a Senior Executive Leader (SEL)60 must be consulted before ASIC enters into negotiations for a possible EU, and generally approves the EU. As at November 2014, there were 21 SELs (and two Senior Executives), whose roles included considering and approving EUs.61 For the 53 EUs reviewed by the ANAO, all were formally approved and signed by a SEL or a Senior Executive.

2.22 To support SELs, ASIC has an Enforcement Committee that makes decisions about the conduct, strategy and focus of major compliance matters and other significant enforcement actions, which can include EUs.62 Records indicate that the Committee has considered aspects of the administration of EUs, including the current status and whether an EU was being considered for, or had been concluded with, an entity.63 There were also action items and matters carried forward (with due dates and persons responsible), and a record of the Committee’s decisions.

2.23 The Office of the Chief Legal Office (CLO) provides legal, strategic and other input into major compliance cases, and assists enforcement and stakeholder teams. In relation to EUs, the CLO is responsible for the policy and procedures, and is required to provide assurance about drafting clarity, legal certainty, enforceability and compliance with ASIC policies before ASIC accepts each EU. As discussed in Chapter 3, for most of the 53 cases examined by the ANAO, there was evidence of the CLO’s involvement in the EU process.

Internal monitoring and reporting of enforceable undertakings

2.24 Accurate performance reporting should inform ASIC senior managers of the extent to which regulatory objectives are being met and support management decision-making. In the case of EUs, it was expected that senior executives would track these in a systematic way to monitor how long negotiations are taking, what outcomes they are achieving, and if they have been effective in changing behaviours.

Internal monitoring and reporting of EU negotiations

2.25 Prior to acceptance of an EU, each stakeholder and enforcement team reports on the progress of the EU negotiation as part of their regular fortnightly and monthly reports. The reports provide a summary of developments in the cases being addressed by each team, including EUs.64 With respect to EUs, the reports provide an update on the status of negotiations and any problem areas. However, the reports do not document senior management consideration and feedback (if any) regarding the progress of matters or suggested changes of approach. It would be helpful if reporting also focused on matters such as timeliness, obstacles faced or issues that have arisen in negotiations with entities, and sharing better practices where appropriate across teams.

Internal monitoring and reporting of EU compliance

2.26 It is important that there is appropriate oversight and accountability by senior management after an EU has been signed. This requires regular reporting to senior management about compliance with, and outcomes of, EUs.

2.27 In September 2014, the CLO developed a spreadsheet with information on the status of existing EUs, for consideration at Commission meetings. While the spreadsheet provides useful information for the Commission65, it covered only around half of the EUs reviewed as part of the audit, and was limited to EUs involving ongoing positive obligations (undertakings to do or perform a certain act). To improve senior management visibility over the administration of EUs, further work could be undertaken to consider the coverage of EUs in the CLO report.

2.28 Overall, internal reporting on EUs is currently limited to reporting on the progress of EU negotiations, and more recently compliance with undertakings for some EUs. To reflect better practice and support senior management oversight of EUs, there would be merit in ASIC improving internal reporting to provide a greater focus on timeliness of EU negotiations, and consistency in approaches between stakeholder and enforcement teams.

Guidance, systems and training

2.29 As part of the audit, the ANAO examined the guidance, records management systems and training arrangements ASIC has in place to support its staff in entering into and monitoring compliance with EUs.

Guidance

2.30 ASIC has the authority to accept EUs under sections 93AA and 93A of the Australian Securities and Investments Commission Act 2001 and section 322 of the National Consumer Credit Protection Act 2009 (in relation to Commonwealth credit legislation). These provisions are broadly drafted and provide ASIC with discretion to exercise this authority.

2.31 Given the lack of specificity in these Acts, it is important for ASIC to issue guidance on how it exercises its authority, to support consistent decision-making processes and provide transparency about the criteria on which decisions will be based. ASIC uses a range of public and internal guidance documents to explain how it administers EUs. The key public guidance document is Regulatory Guide 100, which was last updated in February 2015 and is available on ASIC’s website.66 The guide sets out: the circumstances in which ASIC will accept EUs; the terms that are acceptable or not acceptable to ASIC; how ASIC will report publicly on the outcomes of an EU; and how ASIC will respond to non-compliance with an EU.

2.32 While ASIC will normally follow the principles set out in a regulatory guide, it will not do so inflexibly or uncritically. In a particular instance, ASIC may form the view that there are relevant considerations that are not set out in its policy, but which it is required by law to take into account in making its decision. For example, ASIC’s policy states that it will not normally accept an EU in which the promisor does not at least acknowledge that ASIC’s views in relation to the misconduct which gave rise to the EU are reasonably held. However, in eight cases, ASIC did not insist on an acknowledgement clause, generally because an EU without such a clause was still viewed as the most effective regulatory outcome in the matter.

2.33 There are a number of public documents that further support ASIC’s EU policy: a policy on public comment, which outlines that it will usually issue a media release or media advisory when it accepts EUs and agreements by people to change their conduct67; and a policy on cooperation, that states that cooperation will be relevant to ASIC’s decision on the type of enforcement action to pursue or remedy to seek.68 Finally, ASIC’s Service Charter provides that ASIC is committed to ‘making consistent decisions, and advising [entities] of [its] decisions in a timely manner’.69

Internal guidance

2.34 In addition to its public guidance, ASIC has a number of internal documents to guide its decision-making in relation to EUs. The most important of these is its Enforcement Manual, which provides detailed guidance to staff on how ASIC exercises its enforcement powers. The manual includes a chapter on EUs that sets out the process by which ASIC will enter into an EU. As previously noted, the CLO is responsible for ASIC’s policy and practice in relation to EUs. It provides and revises internal guidance on EUs and manages a Technical and Procedures Library, which is available to all staff and includes a page dedicated to EUs.

2.35 Overall, these documents contain clearly defined regulatory objectives and comprehensively set out the considerations that are taken into account in deciding whether an EU will be accepted, and if so under what terms.

2.36 Stakeholders and ASIC staff interviewed by the ANAO during the audit raised few concerns about their ability to apply ASIC’s guidance. However, some stakeholders suggested there could be more guidance provided regarding the appointment of, and ASIC’s expectations for, independent experts (discussed in Chapter 4). In relation to independent experts, these concerns have been largely addressed by the publication of a revised Regulatory Guide 100 in February 2015.

Records management systems

2.37 The recording of regulatory actions and the reasons for these actions is important for both transparency and accountability.70 Consistent with these principles, ASIC’s internal Governance Protocol states that: ‘record keeping in relation to all matters, should be comprehensive, orderly and readily accessible’.71

2.38 ASIC officers use a range of disparate systems to track and store their work, including in relation to EUs:

  • Search tools—ASCertain (a mainframe system) and the data warehouse search tool (a web-based system) allow ASIC staff to search across the data holdings in ASIC’s mainframe systems and workflow systems to research companies and individuals of interest.
  • Registers—ASCOT is a mainframe system that is ASIC’s main registry system. It contains details about registered companies, persons associated with companies (such as directors), as well as professional registration information regarding auditors, liquidators and licensing information (including about Australian financial services licensees and Australian credit licensees).
  • Workflow systems—The workflow systems are databases that are used for case management and reporting. The use of the workflow systems is inconsistent across the organisation.
  • Document management—The main systems for recording documentation are ASIC’s paper files (centrally tracked through the EPSOM system) and ASIC’s electronic documents and records management system, ECM. In addition, the ANAO identified that ASIC staff also stored files in the workflow systems (referred to above), in staff emails or hard files, and in shared drives.

2.39 It was common for information relevant to an EU to be held in multiple systems (ECM, paper files and a workflow system). In many cases, these systems did not have all of the information relating to the EU and the ANAO had to obtain the documentation from the relevant ASIC officer (from staff emails or hard files). This presents risks for ASIC, as staff responsible for a certain part of the EU process (such as monitoring) may not have sufficient information to effectively carry out their responsibilities, particularly as matters often need to be handed over from stakeholder to enforcement teams, and vice versa. Accordingly, there would be value in consolidating information relating to EUs to reduce duplication, improve accessibility and facilitate better internal and external oversight of the EU process. A key first step would be to reinforce to staff the need to store all documentation relating to an EU in accordance with ASIC policies and procedures.

Staff training

2.40 ASIC mainly regards training in EUs as being acquired through on-the-job experience. Accordingly, it does not provide formal training. A significant proportion of ASIC’s workforce has undertaken legal studies (at least 350 of 1816 total staff, with a higher proportion of legally qualified persons in the enforcement and stakeholder teams), which should better position them to understand and apply the relevant rules and procedures. As previously noted, ASIC also provides guidance that is clear, comprehensive and straightforward to apply.

2.41 Notwithstanding the skill profile of ASIC’s staff and the availability of suitable guidance, the organisation is undergoing significant staff turnover, with staffing levels expected to fall by 209 (or 12 per cent) in 2014–15.72 This level of staff turnover and loss of corporate knowledge presents risks to administration, and there would be merit in ASIC considering whether some level of formal EU training should be provided.

Monitoring and reporting on the performance of enforceable undertakings

2.42 The Australian Government’s performance measurement and reporting framework requires entities to set out their outcome, programs, deliverables, key performance indicators (KPIs) and expenses in their Portfolio Budget Statements and to report against these in the annual report. Specifically:

  • deliverables provide information on the goods and/or services produced and/or delivered; and
  • KPIs provide information on how effective the program has been in achieving outcomes.

ASIC’s outcome, Program 1.1 Objective and KPIs for 2014–15 are set out in Figure 2.3.73

Figure 2.3: ASIC’s key performance indicators for 2014–15

Source: ANAO, based on ASIC Portfolio Budget Statement 2014–15.

2.43 ASIC states that it delivers on its outcome and program objective through engagement with industry and stakeholders, surveillance, guidance, education, enforcement activities and policy advice. The impact and results of these activities are measured using 10 KPIs across ASIC’s three strategic priorities. The KPIs applicable to EUs are: misconduct is dealt with and deterred; fair and efficient processes are in place for resolution of disputes; product issuers, credit providers and advisers meet required standards; participants in financial markets meet required standards; and issuers (of securities) and their officers meet required standards.

2.44 These KPIs are designed to provide information that would assist in determining how ASIC undertakes its regulatory activities, including through EUs. However, in relation to the first two KPIs, ASIC has only reported in a limited way in its 2013–14 Annual Report74, and did not report against the other three KPIs in relation to EUs. In addition, none of the five KPIs specifies performance expectations or includes targets, benchmarks or timeframes for achievements. Nor do they indicate the extent to which ASIC’s efforts have contributed to achieving outcomes.75

2.45 Given that an enhanced Commonwealth performance framework will come into effect on 1 July 2015, there is an opportunity for ASIC to develop more appropriate performance measures and to report on the extent to which EUs support ASIC in achieving regulatory outcomes. A key first step for ASIC is to include targets, benchmarks and/or timeframes in KPIs, and to provide meaningful information to key stakeholders on the effectiveness of EUs in achieving desired regulatory outcomes.

External reporting on EUs

2.46 ASIC reports externally on its enforcement activities through two main publications: its annual report and its half-yearly enforcement outcomes publications. In addition, EUs are published on the EU register on ASIC’s website and through ASIC issuing a media release with each EU.

2.47 In its 2013–14 Annual Report, ASIC reported that it had achieved 596 enforcement ‘outcomes’,76 including criminal and civil litigation, administrative action and EUs.77 As in previous years, the annual report also referred to specific examples of EUs. ASIC’s enforcement outcomes publications78 report on the number and detail of enforcement outcomes achieved, and provide information on ASIC’s views about certain conduct and the resulting enforcement outcome.

2.48 Neither the annual report nor the enforcement outcomes publications report on post-EU results (for example, the results of independent expert reports or whether promisors have complied with their obligations under an EU). The reports do not provide stakeholders with sufficient information about the outcomes achieved by these activities. ASIC has advised that it will include additional commentary on EUs commencing in its 2014–15 Annual Report. This will address a Senate Economics References Committee recommendation that ASIC include in its annual report additional commentary on: ASIC’s activities related to monitoring compliance with EUs; and how the undertakings have led to improved compliance with the law and encouraged a culture of compliance.79

2.49 To enable a better understanding of the extent to which EUs contribute to ASIC achieving its compliance objectives, it should also develop, and report against, appropriate performance measures that assist management to monitor the effectiveness of EUs in addressing non-compliance. ASIC should also periodically assess the extent to which EUs are contributing to improved levels of voluntary compliance. Possible sources of information for such an assessment include complaints data, community satisfaction surveys and surveys of regulated entities (to identify the effect of EUs on their awareness of, and willingness to comply with, relevant obligations).

Recommendation No.1

2.50 To assess the effectiveness of enforceable undertakings as an appropriate regulatory tool and their contribution to ASIC achieving its compliance objectives, the ANAO recommends that ASIC:

  (a) develops appropriate performance measures to monitor the effectiveness of enforceable undertakings in addressing non-compliance, and regularly reports against these measures; and
  (b) periodically assesses, and reports on, the effectiveness of enforceable undertakings in contributing to improved levels of voluntary compliance.

ASIC response:

2.51 Agreed. In relation to Recommendation 1(a) ASIC monitors compliance with undertakings given by promisors in enforceable undertakings. Further, in February 2015 ASIC revised its policy about aspects of its administration of enforceable undertakings. One of those revisions was the adoption of a new policy that, for undertakings accepted by ASIC from 9 March 2015, ASIC will publicly report on whether promisors have complied with undertakings. The policy applies to all undertakings other than those to refrain from particular conduct. ASIC has also committed to enhanced enforceable undertaking reporting in its Annual Report.

2.52 In relation to Recommendation 1(b), the work to implement enhanced Commonwealth reporting obligations is being undertaken across ASIC’s broad regulatory functions and will provide a basis for implementing Recommendation 1(b). ASIC does not underestimate the challenges of developing performance measures that monitor the effectiveness of enforceable undertakings in a broader context.

2.53 Implementation of Recommendation 1(b) will allow both ASIC and its regulated population to periodically assess the effectiveness of enforceable undertakings, and enable ASIC to adapt its structured compliance and enforcement approach as required.

Measuring the costs of compliance options

2.54 To support the efficient allocation of resources, it is important that ASIC has a good understanding of the cost of its compliance activities, in absolute terms and relative to regulatory alternatives. ASIC should also take into account the regulatory burden it imposes on entities, noting that the burden of compliance (including with various types of enforcement action) should be proportionate to the seriousness of the breach.80

2.55 Senior ASIC officers advised the ANAO that, while they have a good understanding of the costs of various types of enforcement action (including litigation and tribunal hearings), ASIC does not capture the costs of EUs.81 However, there have recently been some initiatives to determine aspects of these costs.82 There would be benefit in ASIC commencing work to establish a sound understanding of the costs of its EUs relative to other compliance options, to help allocate its resources effectively, and to ensure it is not placing an excessive burden on regulated entities.

Conclusion

2.56 ASIC’s decisions and actions regarding EUs are underpinned by a structured compliance and enforcement approach. EUs are an important sanction with a clearly defined role within ASIC’s risk-based compliance and enforcement framework. ASIC has an understanding of the advantages and disadvantages of EUs when compared to other available sanctions, although there is scope for ASIC to develop a better understanding of the costs of EUs.

2.57 ASIC has appropriate organisational arrangements underpinning the use of EUs. These arrangements are based on day-to-day administration by a stakeholder team or enforcement team across the various financial market segments. There is high-level direction and other input by SELs and the CLO, and involvement of the Enforcement Committee and Commission for more important matters. However, internal management reporting could be strengthened to better position senior management to monitor the consistency, timeliness and outcomes of EUs.

2.58 ASIC’s internal and external guidance is clear, comprehensive and straightforward to apply. However, ASIC’s workflow and document management systems are complex and procedures are not always followed. Consequently, there is scope for ASIC to consolidate information relating to EUs, and to reinforce to staff the need to store all documentation relating to an EU in accordance with ASIC policies and procedures.

2.59 ASIC reports externally the number of EUs entered into (through its annual report and enforcement outcomes publications), and publishes the full text of each EU on its website. It is also preparing to publicly report on the outcomes of EUs in its annual reports, in accordance with a recommendation by the Senate Economics References Committee. ASIC should also develop, and report against, appropriate performance measures that assess the effectiveness of EUs as a regulatory tool and the contribution they make to achieving compliance objectives.

3. Entering into Enforceable Undertakings

This chapter examines whether ASIC enters into enforceable undertakings consistently, transparently and in accordance with its own policies and procedures.

Introduction

3.1 As previously discussed, EUs are a flexible regulatory tool used by ASIC to achieve a wide range of regulatory outcomes, many of which are not possible using the other regulatory options available. Entering into an EU in a consistent and transparent manner, and in accordance with ASIC’s policies and procedures, increases the prospect that the promisor will comply with the undertaking.

3.2 The ANAO examined ASIC’s processes for:

  • accepting and negotiating an EU;
  • drafting the terms of an EU; and
  • finalising an EU.

To enable this assessment, the ANAO analysed the 53 EUs ASIC entered into between 1 January 2012 and 30 June 2014.83

3.3 The ANAO also requested ASIC to advise the number of EUs offered or negotiated, but not entered into, over this period. While ASIC provided some relevant examples, it does not routinely collect data regarding such cases, including the reason why the EU was not accepted. Collecting such information could assist ASIC to review and improve its EU processes.

Accepting and negotiating enforceable undertakings

3.4 EUs can be proposed either by a regulated entity or ASIC. In 19 of the 53 cases reviewed, it was ASIC, rather than the promisor, that suggested an EU as a means of addressing the entity’s misconduct. Regardless of which party initiates the EU, senior management is involved in the process to determine whether the EU will produce an effective regulatory outcome.

Senior management involvement

3.5 ASIC’s Enforcement Manual requires that written approval be obtained from the relevant Senior Executive Leader (SEL) before an ASIC officer enters into discussions with a regulated entity about accepting an EU. Prior to obtaining approval, a memo should be prepared outlining the circumstances of the matter and why acceptance of the EU will change the entity’s behaviour, protect investors and/or creditors, or compensate wronged parties. Since August 2014, where the matter is a ‘high profile or controversial or major matter’, the SEL is required to brief a Commissioner or the Enforcement Committee before giving approval.

3.6 The ANAO reviewed the documentation relating to each of the EUs in the ANAO’s sample to determine whether approvals were obtained from SELs at an early stage in negotiations, in accordance with the Enforcement Manual. This review identified early-stage SEL approval for 41 of the 53 EUs reviewed (77 per cent).84 For the remaining cases, it was often evident that the SEL had some involvement in the matter—sometimes even leading the negotiations with the regulated entity—even though there was no written approval on the case file. Table 3.1 outlines the level of SEL involvement in the 53 EUs reviewed by the ANAO.

Table 3.1: Level of involvement of Senior Executive Leaders in decisions to negotiate and accept enforceable undertakings

| Involvement | Explanation | No. of EUs | Per cent |
|---|---|---|---|
| Extensive | The SEL had very active involvement in negotiating the EU, including direct negotiation with the promisor. | 5 | 9 |
| High | The SEL had a high level of involvement in negotiating the EU, including providing suggestions about its terms. | 21 | 40 |
| Medium | The SEL was involved at key decision points but had little further involvement in the negotiation process. | 19 | 36 |
| Limited | There was evidence of some involvement by the SEL in negotiating the EU, but that involvement was relatively insignificant. | 7 | 13 |
| None | There was no documentation demonstrating any SEL involvement in negotiating the EU. | 1 | 2 |
| Total | | 53 | 100 |

Source: ANAO analysis of ASIC decision-making documentation relating to EUs accepted between 1 January 2012 and 30 June 2014.

3.7 Of the eight EUs with limited or no evidence of SEL involvement, poor record keeping could be a contributing factor. In discussions with five SELs involved in these EUs, all exhibited considerable knowledge about the EUs for which they were responsible. Further, there were email records of meetings being arranged between ASIC staff and SELs relating to the decision to accept an offer of an EU, indicating that there may have been oral briefings.85

3.8 While it may be appropriate to discuss the possibility of an EU informally prior to ASIC entering into formal discussions, there are risks in ASIC staff discussing potential terms of EUs without clear written instructions from senior management. For example, in one EU negotiation, an ASIC officer mistakenly advised a promisor that ASIC would agree to a period of suspension not requiring the cancellation of the auditor’s registration. Upon being informed about this, the relevant SEL required the ASIC officer to retract the statement as the SEL’s position was that ASIC should insist upon cancellation of the auditor’s registration.

3.9 Overall, while approvals and relevant documentation could be found for the majority of cases, the format and content of this documentation varied substantially between cases. Even though the Enforcement Manual provides clear procedures and directions in relation to these matters, this guidance was not consistently followed by ASIC staff. This was evident in the varying ways in which SELs were briefed on why an EU should be accepted (an oral briefing, a short email or a comprehensive formal memo) and the varying ways in which SELs gave their approval to an EU (usually by email, but occasionally by signing a memo). There would be merit in ASIC reinforcing to staff the importance of complying with the Enforcement Manual in relation to the processes for obtaining approvals for an EU, in order to improve accountability and better position SELs to make decisions about whether to accept an EU.

Decisions to accept an EU

3.10 In the absence of statutory guidance about when it is appropriate to accept an EU, ASIC has developed Regulatory Guide 100 to guide its use of EUs. The guide states that ASIC will only accept an EU as an alternative to seeking a civil order from a court, taking administrative action or referring a matter to another administrative body. It will not accept an EU as an alternative to criminal action, after the matter has been referred to a specialist body or in cases of deliberate misconduct, fraud or conduct involving a high level of recklessness (except where an EU best serves an urgent protective purpose and does not preclude later court action).86

3.11 The ANAO assessed whether the 53 EUs were accepted in line with the circumstances described in Regulatory Guide 100. An EU was accepted in eight cases where ASIC officers considered there was possible criminal misconduct or where the facts revealed some level of deliberate misconduct, fraud or high level of recklessness. In these cases, the EU was to serve a protective purpose (removing the promisor from the industry), or to remove profits pending the finalisation of ASIC’s criminal or civil penalty investigation. In the other 45 cases, ASIC staff did not identify possible criminality, deliberate misconduct, fraud or a high level of recklessness.

Critical considerations

3.12 In assessing whether an EU would constitute an effective regulatory response, ASIC has regard to four critical considerations: the position of consumers and investors; the effect on the promisor’s future conduct; the effect on the regulated population as a whole; and whether the EU would present a quick and cost-effective outcome.87 Decision-making documents for each of the 53 EUs reviewed were assessed to determine how ASIC had taken the critical considerations into account in deciding that the EU would provide an effective regulatory outcome. The results of this analysis are shown at Table 3.2.

Table 3.2: ASIC’s rationale for accepting an enforceable undertaking

Factor

ANAO’s assessment

Position of consumers and investors

The position of consumers and investors was explicitly considered for 36 of the 53 EUs reviewed. Reasons cited for accepting an EU included that it would:

  • facilitate the protection of investors and consumers (especially where the EU provides for a promisor to be removed from the industry through a banning or suspension);
  • result in affected consumers being financially better off (where the EU provides for rectification);
  • better inform consumers (such as where the EU provides for corrective advertising or notices); and
  • improve the quality of advice or service being provided to consumers of the regulated entity (especially where the EU provides for a compliance program review).

Effect on promisor’s future conduct

For 19 EUs reviewed, explicit consideration was given to the effect of the EU on the promisor’s future conduct. This mainly took the form of views expressed that the EU would:

  • have a deterrence impact on the individual or company;
  • improve the entity’s compliance programs and systems and in that way reduce the likelihood of future breaches (where the EU provided for a compliance program review); and
  • immediately remove the promisor from the industry.

Effect on the regulated population as a whole

In the case of 14 EUs, explicit consideration was given to the EU’s effect on the broader regulated population. Examples of such consideration included statements that the EU would:

  • send a wider message to the profession;
  • be educative and achieve general deterrence in making the business community aware of the conduct and the consequences arising from engaging in the conduct; and
  • offer a publicly reportable outcome (more than infringement notices or other negotiated outcomes).

Quick and cost effective outcome

For 27 EUs, explicit consideration was given to the benefit of swift and cost effective resolution of the matter. This was usually found in comments that the EU would:

  • provide a quicker and/or more cost effective outcome than other regulatory tools;
  • avoid the time and cost of completing an investigation;
  • avoid the risk of an adverse costs order against ASIC in the event that it was unsuccessful in the proceedings (where civil penalty proceedings were a prospect); and
  • provide a certain outcome and deliver a quicker outcome for consumers/investors.

Source: ANAO analysis of ASIC decision-making documentation relating to EUs accepted between 1 January 2012 and 30 June 2014.

3.13 The decision-making documentation for most EUs examined (44 of 53) revealed justification for the EU by reference to at least one of the factors outlined above. The critical consideration most commonly addressed was the position of consumers and investors (36 of 53 EUs), with the effect on the promisor’s future conduct explicitly considered in fewer cases (19 of 53).88 In slightly over half the cases reviewed, ASIC explicitly considered EUs as a quick and cost effective outcome. While this could be a convenient approach for ASIC, in 25 of the 27 cases there was also clear consideration of the comparative regulatory outcomes likely to arise from other enforcement actions, as discussed further in the following section.

3.14 It is also noted that the impact of the EU on the broader regulated population (the general deterrence effect) was explicitly considered in only 14 EUs. In an environment of constrained regulatory resources, it is important that regulatory decisions consider the impact on the broader regulated population, not just the individual regulated entity that is the subject of ASIC’s concerns. An example of general deterrence being considered as part of the decision-making process for an EU is shown in the following case study relating to the 2012 EU accepted from the Commonwealth Bank of Australia.

Case study – Commonwealth Bank of Australia credit limit increase invitations

In July 2011, the Australian Parliament passed into law an amendment to the National Consumer Credit Protection Act 2009 restricting credit providers from offering to consumers a credit limit increase in respect of their credit card unless prior informed consent to receiving such invitations had been provided by the consumer. The commencement date for these provisions was 1 July 2012 and a transitional provision was included, allowing credit providers to obtain consents prior to 1 July 2012.

In response to these legislative changes, ASIC expected that credit card issuers would contact consumers offering them a mechanism to opt-in to continue to receive credit limit increase offers. ASIC was concerned that, during this period, consumers had to be appropriately informed about the nature of the choice being offered to them, to ensure that the legislative changes would have the desired effect of reducing household over-indebtedness.

Between 12 and 14 December 2011, the Commonwealth Bank of Australia (CBA) sent electronic messages to its consumers to obtain their consent to receive credit limit increase invitations in the future. ASIC became aware of this through a staff member receiving one of these messages, and contacted CBA informing them that it considered the messages to be misleading. While disagreeing with ASIC’s characterisation of the messages, CBA promptly withdrew the messages, consulted with ASIC about the content of a more appropriate message and informed ASIC of its willingness to resolve the matter.

At a meeting between ASIC senior executives and a Commissioner on 16 December 2011, it was decided that ASIC would discuss the matter with CBA and seek to have CBA take steps to communicate with cardholders and to inform them more accurately of their options. Though CBA was willing to undertake these actions on an informal and voluntary basis, ASIC required the bank to formalise the arrangement by way of an EU. The reason for this was to help ASIC communicate the issue, and its views of CBA’s conduct, to the industry and to the public.

As an alternative, ASIC considered commencing civil proceedings for a declaration that the message was misleading and for remedial action to be taken; however, a decision was considered very unlikely to be achieved by 1 July 2012, by which time the remainder of the industry would probably have sent their messages to consumers about the opt-in choice. Accordingly, ASIC considered that court action was less likely to support it in communicating the issue to the industry and the public. The length of time required for civil action was demonstrated in a recent case where ASIC took civil penalty action against GE Capital Finance for serious misleading and deceptive conduct in relation to credit limit increase invitations. Although a penalty of $1.5 million was imposed in this case, this outcome was not reached until 1 July 2014 (two years after the misconduct).

Following negotiations with CBA, an EU was ultimately accepted by ASIC on 6 March 2012 in which CBA acknowledged that ASIC’s views were reasonably held, and agreed to not rely on the previously-obtained consents and to contact consumers who consented correcting any misleading impression and informing them of their rights. CBA provided confirmation of compliance with these undertakings on 23 March 2012.

Source: ANAO analysis of ASIC documentation.

Considering regulatory outcomes

3.15 As well as having regard to the four critical considerations, the Enforcement Manual requires that, in deciding whether to accept an EU, the regulatory outcome that could be achieved by accepting an EU should be compared with the outcomes that might be achieved by taking other available action such as civil or administrative action. The ANAO identified that such comparisons were made between an EU and other regulatory options for 44 of the 53 EUs reviewed.89

3.16 For 15 of the 44 EUs where there was an explicit comparison, ASIC staff had come to the view that an EU would provide an equivalent or greater outcome than through contested proceedings—particularly in terms of the length of suspension or banning that could be achieved through an EU compared to administrative or civil action. In many areas, ASIC had drawn on its corporate knowledge of the quantum of sanction that would likely be imposed by a particular court, tribunal or disciplinary body. Where ASIC identified that the court, tribunal or disciplinary body was likely to impose a sanction similar to or less than could be agreed with the promisor by way of an EU, ASIC preferred to use an EU to resolve the matter.

3.17 In 16 instances, ASIC considered that the other regulatory tools available would not sufficiently enhance the position of consumers or investors, or would not have the desired deterrence impact on the regulated population as a whole. An example of this was where the main regulatory alternative was issuing an infringement notice. In this circumstance, ASIC staff concluded that penalty amounts available through an infringement notice were insufficient to send a strong enough deterrence message to the regulated entity and the broader regulated population, and would not otherwise operate to improve the regulated entity’s compliance with the law. For five of the 53 EUs, ASIC combined the EU with the issuing of an infringement notice. In these cases, the EU operated in a protective manner to improve compliance of the regulated entity (through an independent expert review) or to remediate the consumers (through compensation or other rectification to consumers) and the infringement notice operated in a punitive way.

3.18 Another factor taken into consideration in accepting an EU, as opposed to taking other regulatory action, was the certainty of an EU compared to the other options. The decision-making documentation reviewed showed concerns that a court or administrative result was not certain, and even where achieved was subject to appeal. Particular concerns related to:

  • evidence—the high evidential burden in criminal and civil penalty proceedings, matters being older and therefore harder to litigate, and in one case, the difficulty in getting consumers to appear as witnesses; and
  • legal uncertainty—in some areas, ASIC has identified that the law is not clear and that there is a risk of an unfavourable interpretation by a court.

3.19 Overall, for 46 of the 53 EUs reviewed, the decision to accept an EU was defensible and there was appropriate justification for why the EU provided an effective regulatory outcome. In the case of the other seven EUs, there was limited or no documentation to support why the EU presented an effective regulatory outcome. For each of these seven EUs, the signing SEL provided the ANAO with a statement outlining why the EU presented an effective regulatory outcome. These statements indicated that the decision to accept an EU in each of the seven cases was defensible. However, the need for these statements highlights significant deficiencies in ASIC’s record keeping arrangements.

Negotiating enforceable undertakings

3.20 The process for negotiating an EU varies greatly, depending on the individual circumstances of each matter. In some cases, the offer to enter into an EU comes at a very early stage, with the entity proposing an EU in response to ASIC raising its initial concerns about the regulated entity’s conduct. In other cases, ASIC has agreed to accept the offer of an EU at a very late stage, such as following the referral of the matter to an administrative hearing delegate and in the days prior to that hearing.

3.21 Once ASIC has made a decision that it is willing to accept an EU, it will negotiate with the regulated entity as to the specific terms of the EU. According to the Enforcement Manual, while there may be room for compromise, protracted negotiations will not usually be appropriate.90 Where an EU is subject to prolonged negotiations, this may detract from one of the key benefits of an EU—achieving community benefits as quickly and cost effectively as possible. To assess whether EU negotiations were concluded in a timely manner, the ANAO analysed the time elapsed between when an EU was first raised by ASIC or the regulated entity as a possibility for resolving a matter, and when the EU was formally accepted by ASIC (Figure 3.1).

Figure 3.1: Time taken from proposing to formally accepting an enforceable undertaking

Source: ANAO analysis of ASIC decision-making documentation relating to EUs accepted between 1 January 2012 and 30 June 2014.

Note: A month in this figure refers to a whole month. Accordingly, if an EU was concluded within one and a half months, it would appear in this figure in the 0 – 1 month grouping.

3.22 For 32 of the 53 EUs assessed, the time from an EU being initially proposed to acceptance was less than six months. This compares favourably to the likely length of time to resolve matters using other regulatory tools available to ASIC (such as court action or an application to a specialist body).

3.23 In five of the six instances where the time between an EU being proposed to acceptance was twelve months or more, the promisor had ceased the conduct that was the subject of ASIC’s concerns during or prior to negotiation of the EU. In the other case, although the promisor continued the conduct while the EU was negotiated, the outcome achieved was better, and concluded more quickly, than that likely to have been achieved through court action. Similar factors existed for the 15 EUs where the time taken to finalise the EU was between six and 11 months. In no case reviewed did the length of time taken to negotiate the EU appear to have significantly detracted from the effectiveness of the EU as a regulatory outcome.

3.24 Overall, ASIC negotiates reasonably and in good faith—offers made by promisors are considered in the context of whether the proposal by the promisor would result in an effective regulatory outcome. Where ASIC rejects a proposal of the promisor, the basis for this rejection is explained to the promisor and the promisor given a chance to respond. ASIC did not differentiate based on the size of the entity. There were no instances identified where promisors were treated differently based on the size of their business, beyond those differences explained by the differing factual circumstances.

3.25 Decision-making in respect of the EUs entered into with large entities was somewhat more extensive than for the other EUs in the ANAO’s sample. None of the eight EUs for which the level of SEL involvement was assessed as ‘limited’ or ‘none’ involved a large entity, and only one of the seven EUs for which there was insufficient documentation to support whether the EU presented an effective regulatory outcome related to a large entity.91 Further, the decision-making documentation supporting the EUs with large entities revealed greater consideration of the impact on consumers and investors, the effect on the promisor’s future conduct and the general deterrence effect than for EUs in the ANAO’s sample as a whole.

Terms of enforceable undertakings

3.26 An important aspect of the negotiation of an EU is for ASIC and the promisor to agree to acceptable terms upon which the EU can be settled. As EUs are tailored to a specific matter, their terms will depend on the circumstances of the case and, in particular, the misconduct that is being addressed.

Clear statement about the alleged misconduct

3.27 In its report into ASIC’s performance, the Senate Economics References Committee recommended that ASIC ‘require a clearer acknowledgement in the undertaking of what the misconduct was’.92 This recommendation addresses comments by stakeholders that EUs did not always: contain sufficient detail about the alleged misconduct for the public to understand why the EU was being accepted; and include a sufficiently clear admission of fault.93

3.28 ASIC’s Regulatory Guide 100 requires that EUs set out the detail of the relevant misconduct and ASIC’s assessment of that conduct. To assess compliance with this policy, the ANAO sought to identify the extent to which the undertakings were sufficiently clear about the alleged misconduct. The ANAO identified that 45 of the 53 EUs reviewed were sufficiently clear about the misconduct, although it was noted that the EUs were generally not comprehensive. For example, the EUs did not always include relevant information about the value of losses, or number of consumers or investors affected. In the cases where the alleged misconduct was not clearly identified, this was because the background was essentially limited to a statement of the legislative provisions that the promisor had allegedly contravened.

3.29 There would be merit in ASIC taking steps to ensure that EUs are clearer about the alleged misconduct, so that they better serve their educative, guidance and deterrence functions. It would also allow other industry participants to more fully understand ASIC’s views on certain conduct. ASIC advises that in practice many promisors strongly resist clear statements about misconduct and requiring more detail in EUs may lead to a reduced willingness by promisors to offer EUs. While appreciating this is likely to be a common response by promisors, it is important that ASIC sets expectations about the required content of EUs through its policies, and through consistent actions in requiring future EUs to include a sufficiently clear statement about the alleged misconduct.

Acknowledging ASIC’s position

3.30 Since February 2012, Regulatory Guide 100 has stated that ASIC will not generally accept an EU in which the promisor does not at least acknowledge that ‘ASIC’s views in relation to the misconduct which gave rise to the EU are reasonably held’.94

3.31 The ANAO reviewed the 53 EUs to identify where and how frequently ASIC made an exception to the policy requiring promisors to acknowledge that ASIC’s views are reasonably held. The analysis identified that 19 EUs either did not have a clause in which the promisor acknowledged ASIC’s views were reasonably held and/or had a clause in which ASIC acknowledged that nothing in the EU constituted an admission by the promisor.

3.32 While agreeing to the inclusion of a non-admission clause or to the non-inclusion of a clause acknowledging the reasonableness of ASIC’s concerns may be appropriate in an individual case, consideration needs to be given to the possibility of that decision being seen as a precedent that other regulated entities negotiating an EU may seek to rely upon. Although previous EUs are not binding on future decisions of ASIC, they may make it more difficult to argue a principled position in later negotiations and may place ASIC in a more constrained bargaining position. On this basis, ASIC may wish to consider adopting a more consistent approach to the use of these terms in future EUs.

Substantive terms of enforceable undertakings

3.33 The terms of an EU are subject to negotiation between ASIC and the promisor, although ASIC is only to accept an EU where the terms offered will deliver an effective regulatory outcome. ASIC’s Regulatory Guide 100 gives an indication of the terms that ASIC may accept in an EU, including terms regarding: compliance and monitoring; rectification or compensatory action; and corrective notices. An overview of the EU terms, and their use in EUs is provided at Appendix 2.

3.34 Although the terms of an EU will necessarily depend on the results of negotiation between ASIC and the promisor, terms should be proportionate to the regulatory risks posed by the non-compliance at which the EU is directed. A proportionate response will minimise the level of regulatory intervention required to effectively mitigate the risks as well as the costs to the regulator and to the promisor.

3.35 To assess whether the terms in the EUs reviewed were a proportionate regulatory response to the non-compliance, the ANAO assessed the basis for including particular terms in EUs and the severity of those terms (such as the quantum of a payment or the period of suspension). This analysis is shown at Table 3.3.

Table 3.3: Basis for including terms in enforceable undertakings

| Term | Basis for ASIC accepting term |
| --- | --- |
| Independent review | Where independent reviews were required as part of an EU with a company, it was viewed by ASIC that the appointment of the independent expert would enable the business to move towards being compliant with the law and allow ASIC to monitor this. Independent reviews were more likely to be included in an EU where ASIC’s concerns related to a lack of adequate oversight, policies, processes or systems and where the promisor was cooperative. These are circumstances where the appointment of an independent expert to conduct independent reviews might be more likely to achieve the desired regulatory outcomes, such as changes to the promisor’s business practices. Where the independent review requirement was accepted as part of an EU with an individual, this was usually in addition to the acceptance of a term requiring the individual to cease providing advice/services for a period (a suspension period). The basis for including these terms was less well explained in the decision-making documentation, but was intended to improve ASIC’s ability to monitor the individual’s post-suspension conduct. |
| Continuing professional education | In all cases where there was a term in an EU requiring the promisor to undertake continuing professional education, this was in addition to other substantive terms (most commonly a suspension and/or independent expert review). This indicated that these educational requirements were intended to operate in conjunction with, and in support of, other obligations. Reasons for including a term requiring continuing professional education included: to ensure that the promisor does not contravene the law again; to rehabilitate the promisor; and because the completion of a training program may indicate a willingness to comply with relevant legislative requirements. |
| Rectification | Where a term in an EU required some form of rectification, the required rectification generally operated to undo the relevant misconduct. The decision-making documents showed two principles underpinning the inclusion of rectification terms: a promisor should not gain from misconduct; and consumers or investors should not be disadvantaged by the misconduct. In two cases, the rectification terms in the EUs resulted in windfall gains for some consumers. These windfall gains, however, were not intended by ASIC, but rather necessary to ensure the rectification processes were administratively workable. |
| Cease providing services | The inclusion of a term requiring a promisor to cease providing advice or services (such as financial services or acting as a liquidator) for a period, in most cases was underpinned by an interest in protecting the public from the promisor. Where the EU contained a term requiring the promisor to cease providing financial services or credit activities, in determining the length of suspension to be accepted, ASIC staff usually made reference to the outcome likely to be achieved through administrative action. In making these assessments, consideration was given to the factors and likely outcome in Regulatory Guide 98 (for financial services)a and/or Regulatory Guide 218 (for credit).b For EUs that included a term requiring the promisor to cease performing acts that only a registered auditor or registered liquidator can perform, consideration was normally given to the outcome that could be expected if an application were made to the Companies and Liquidators Disciplinary Board. These assessments depended on a comparison with previously decided applications involving similar factual circumstances. |
| Professional registration | Where the misconduct was particularly egregious or where the protection of the public was required, ASIC only accepted the EU on condition that the promisor cancel their license or registration and never re-apply. |
| Community benefit payments | ASIC’s Regulatory Guide 100 includes guidance on when it is appropriate to include a requirement to make a community benefit payment in an EU. The guide states that a payment should be proportional to the alleged conduct, having regard to the: penalties that could be applied in relation to the alleged conduct; and amount of profit made, or loss avoided, as a result of the conduct the subject of the EU. For all EUs where a community benefit payment was accepted as part of an EU, one or both of these factors was considered as part of the decision to accept an amount (despite all of the EUs reviewed pre-dating this policy). |

Source: ANAO analysis of ASIC decision-making documentation relating to EUs accepted between 1 January 2012 and 30 June 2014.

Note a: ASIC, Regulatory Guide 98: Licensing: Administrative action against financial services providers.

Note b: ASIC, Regulatory Guide 218: Licensing: Administrative action against persons engaging in credit activities.

3.36 Table 3.3 indicates that in negotiating and accepting the terms of EUs, ASIC staff demonstrated an understanding of the regulatory aims sought to be achieved through the inclusion of a particular term, and that terms included within EUs were generally a proportionate regulatory response to the non-compliance. This is demonstrated, for example, by the fact that the periods of suspension for liquidators and auditors, and promisors engaged in credit or financial services, had regard to relevant regulatory guides and/or previous decisions of a disciplinary body or administrative decision-maker.

3.37 While terms in EUs were proportionate in the sense of having a clear connection with the non-compliance at which the EU was directed, it is noted in Chapter 4 that ASIC does not systematically assess the effectiveness of EUs in achieving desired regulatory outcomes, including improving the compliance of the promisor. A systematic evaluation of the compliance effectiveness of EUs is likely to allow ASIC to develop a greater understanding of the effectiveness of EU terms. This would allow ASIC to better understand the basis for including particular terms and in turn, provide a firmer basis for requiring the inclusion of particular terms in EUs.

3.38 The use of ‘good faith’ terms95 in four of the EUs reviewed is one exception to the terms in EUs being proportionate to the level of non-compliance. Discussions with ASIC staff indicated that they believed the inclusion of these terms was occasionally necessary to prevent the promisors from undermining the EU. There would be benefit in ASIC evaluating its use of good faith terms to ensure that their inclusion does not unreasonably limit the legitimate free expression by promisors (including legitimate criticism of ASIC) or result in a perceived difference in treatment by ASIC of regulated entities.

Terms that specify monitoring arrangements

3.39 An important consideration in negotiating the terms of EUs is the arrangements for: ensuring that the alleged misconduct does not recur; monitoring compliance with the undertakings; and reporting to ASIC. In this regard, Regulatory Guide 100 requires that ASIC must be satisfied that ‘the promisor has adequate arrangements for monitoring how the undertaking is implemented and reporting to ASIC’.96

3.40 The Enforcement Manual is generally silent on whether a monitoring term should be included in an EU. The main guidance provided by the Manual is that depending on the type of EU, ‘it may be appropriate at this stage to consider whether an external compliance expert will need to be appointed to review the company’s compliance.’ Following a recommendation by the Senate Economics References Committee, in February 2015 ASIC updated Regulatory Guide 100 to include guidance in relation to the public reporting of outcomes of EUs (discussed in Chapter 4).

3.41 The ANAO reviewed the EUs in its sample to understand the types of monitoring arrangements included. These are outlined in Table 3.4.

Table 3.4: Monitoring terms included in the ANAO’s review of enforceable undertakings

| Term | ANAO assessment of the use of the term |
| --- | --- |
| Independent Reviews | Thirty EUs included a term requiring an independent expert to undertake an independent review of specified matters. These reviewers were required to produce reports containing the findings of their review and provide these reports to ASIC. Independent experts and reviews are discussed in more detail in Chapter 4. |
| Proof of continuing professional education | Thirteen EUs included a term requiring an individual to undertake specified continuing professional education. In seven of these EUs, there was also a term requiring the promisor to provide proof of the completion of the education—usually documentary confirmation (certification of completion) and a statutory declaration. |
| Letters confirming compliance / statutory declarations | For 12 EUs, there was a term requiring the promisor to provide confirmation to ASIC upon the completion of undertaking(s) contained in the EU. This confirmation took a number of forms, including written statements, statutory declarations and reports. In some cases, supporting evidence was also required to be provided. |
| Information regarding employment | In 10 EUs involving individuals, the EU required the individual offering the EU to report to ASIC about their employment. The specific requirements of the reporting depended on the EU. In some cases, the individual only had to inform ASIC of their new employer. In other cases, the individual had to provide regular reports to ASIC about their activities over a specified period. |
| Reporting non-compliance | In six EUs, a term required the promisor to notify ASIC of any failures to comply with obligations contained in the EU. These terms were in addition to reporting obligations already imposed on Australian financial services licensees under the Corporations Act 2001. |
| Other | Other monitoring terms included the requirement for the promisor to meet with ASIC on a periodic basis (two EUs) and for one EU, a term requiring the promisor to notify ASIC of any change in the status of its authorised representatives. |

Source: ANAO review of EUs accepted by ASIC between 1 January 2012 and 30 June 2014.

3.42 Overall, 38 of the 53 EUs reviewed had one or more terms that facilitated the monitoring of compliance with the EU. Where the EU contained a monitoring term, these terms were generally well designed and likely to provide ASIC with a sound basis for determining whether there was compliance with the EU.

3.43 Of the 15 EUs that did not contain a monitoring arrangement, 12 had primarily negative obligations—that is, undertakings to refrain from doing specified acts, such as engaging in credit activities or providing financial services. In the remaining three cases, the EU imposed mainly positive obligations upon the promisor (for example, issuing corrective notices to consumers). There was no requirement for the promisors to report to ASIC on their performance of those positive obligations.

3.44 It is noted, however, that for the 38 EUs with one or more terms facilitating the monitoring of compliance with the EU, these terms were not always exhaustive, as they did not cover all positive obligations under the EU. This is particularly evident with EUs requiring the promisor to undertake continuing professional education, where just over half of the EUs (seven of 13) required the promisor to provide proof to ASIC of their completion of the educational requirements.97 This inconsistency also relates to differences in practices between teams involved in negotiating EUs—with all six EUs involving a financial services matter that included a continuing professional education requirement also requiring proof of the education to be provided, while only one in five such EUs involving an auditor matter contained a term requiring proof to be provided.

3.45 In its report, the Senate Economics References Committee recommended that ASIC ‘as its default position, require that an independent expert be appointed to supervise the implementation of the terms of the undertaking’.98 While the appointment of an independent expert is likely to improve the ability of ASIC to monitor compliance with an EU, in many cases these benefits may not outweigh the financial cost of an independent expert. This is especially the case where the EU involves one-off rather than ongoing obligations. Further, a large number of EUs contain undertakings that are not suitable for review by an independent expert, for example, those where an individual agrees to remove themselves from the industry for a period of time. On this basis, ASIC’s policy that the requirement for an independent compliance expert be assessed on a case-by-case basis remains appropriate.

3.46 Nevertheless, there is room for improvement in ASIC’s use of terms to monitor compliance with EUs. In particular, there would be merit in ASIC adopting a policy requiring that where an EU contains positive obligations on a promisor, an obligation be included in the EU for the promisor to report back to ASIC and provide proof of its performance of that obligation.99 Including reporting obligations in respect of all positive obligations in EUs is likely to improve ASIC’s ability to monitor and report on compliance with EUs, and report on the effectiveness of these in achieving desired regulatory outcomes. Importantly, this information could be used by ASIC to inform its monitoring of a promisor’s compliance with an EU and, where necessary, to respond to non-compliance. The Enforcement Manual would need to be amended to provide guidance on the form that such reporting obligations should take.

Inclusion of standard terms

3.47 A master EU template is available on ASIC’s Technical and Procedures Library, which sets out the standard form for an EU and contains a number of standard clauses. These standard clauses relate to: media and publicity; access to documents; and non-derogation of ASIC’s rights to take action in relation to conduct which is not the subject of the background section of the EU.

3.48 The ANAO reviewed each of the EUs accepted during the review period to determine whether standard terms were included in EUs. The media and publicity and non-derogation terms were present in all 53 of the EUs reviewed. A term providing ASIC with access to relevant documents to assess compliance with the EU was identified for 50 of the 53 EUs.

Finalising enforceable undertakings

3.49 Once ASIC and the promisor come to an agreement on the terms of an EU and an offer is formally made to ASIC, the Enforcement Manual requires a number of steps to be taken to formally accept and finalise the EU. In particular:

  • ASIC staff involved with an EU are required to seek approval from the Chief Legal Office (CLO) that the EU is in an acceptable form;
  • the final EU is required to be signed (formally accepted) by a SEL; and
  • a copy of the EU is to be sent to the Registry for publication on ASIC’s EU register, and a media release is to be drafted.

Approval from the Chief Legal Office

3.50 Prior to seeking final senior management approval for an EU, approval is to be obtained from a Special Counsel or Litigation Counsel in the CLO. This review primarily covers drafting clarity, legal certainty, enforceability and compliance with ASIC’s policies in relation to accepting EUs.

3.51 The ANAO reviewed the CLO approvals for the 53 EUs accepted between 1 January 2012 and 30 June 2014. The approvals provided by the CLO were email chains between a CLO Special Counsel or Litigation Counsel and the relevant ASIC staff in the enforcement or stakeholder teams. A summary of the ANAO’s assessment is at Table 3.5.

Table 3.5: ANAO assessment of Chief Legal Office approvals of enforceable undertakings

| Extent of Compliance | Description | No. of EUs | Per Cent |
| --- | --- | --- | --- |
| Fully Compliant | The approval provided is consistent with the approval required by the Enforcement Manual—an explicit approval is provided for the final or near-final draft. | 14 | 26 |
| Largely Compliant | The approval provided, while not an explicit approval, could be implied. For example, the CLO sending a revised draft to the team and the final EU is substantially the same as that draft. | 12 | 23 |
| Partially Compliant | There is no decision that could be considered an approval, but there is sufficient evidence to indicate that the CLO has been involved with the EU. | 22 | 42 |
| Non-Compliant | There is no decision that could be considered an approval or sufficient evidence of the CLO having had input into the EU or its negotiation. | 5 | 9 |
| Total | | 53 | 100 |

Source: ANAO analysis of ASIC decision-making documentation relating to EUs accepted between 1 January 2012 and 30 June 2014.

3.52 The practices for obtaining CLO approval for an EU varied significantly, on a case-by-case basis and depending on the staff involved. A particular problem was where the email chain showed some involvement by the CLO in the EU at some stage during its negotiation, but not an approval of the final form of the EU—this gap was often over several months.100

3.53 The ANAO’s review of CLO approvals and decision-making documentation for the EUs identified that where the CLO was involved in the negotiation and finalisation of an EU, useful guidance and advice to enforcement and/or stakeholder teams was provided. CLO involvement also gave greater assurance of the quality of EUs, improving consistency between EUs and ensuring that EUs complied with relevant ASIC policies and procedures, including Regulatory Guide 100 and the Enforcement Manual.101

3.54 Given the value added by the CLO’s involvement, there would be merit in formalising the arrangements for CLO approval of EUs, as this would help to improve the quality of EUs and reduce the risk of drafting errors. In this regard, in three EUs reviewed by the ANAO, there were errors in drafting the executed EU (relating to drafting clarity, legal certainty and in one case, enforceability)—for two of these, there was no documented CLO approval.

Approval from senior management

3.55 Final approval for an EU must be obtained from an SEL. In addition, if the matter is ‘high profile or controversial or a major matter’, the acceptance of the EU must be submitted to the Commission or the Enforcement Committee for consideration and discussion.

3.56 The ANAO assessed the extent to which relevant final approvals were obtained and was able to identify SEL approvals for only 28 of the 53 EUs in the ANAO’s sample. While all EUs were ultimately signed by an SEL, a more rigorous approval process would provide quality assurance over the EU process. Accordingly, and consistent with paragraph 3.9, there is considerable scope for ASIC to improve documentation of the EU approvals and decision-making processes.

Media and publicity

3.57 ASIC will usually issue a media release when it secures an EU and will ‘always assert the right to make a regulatory outcome public’.102 According to ASIC, this is important for regulatory transparency and effective deterrence. This position is consistent with Regulatory Guide 100 and the Enforcement Manual, which also require EUs to be made available on a public register on ASIC’s website. For all 53 EUs reviewed, a copy of the signed EU was publicly available on ASIC’s website. For 52 of these EUs, a media release was also published by ASIC.

3.58 One area where there has been a lack of consistency with respect to media releases was in providing a promisor with a copy of the media release prior to its release. The usual practice was for ASIC to provide a copy of the media release to the promisor an hour or two before publication. It was common, however, for promisors to ask for a copy of the media release several days prior to its publication so that they could brief relevant stakeholders (such as staff or authorised representatives). This was generally rejected, with ASIC stating that this was not usual practice. In four cases, however, an EU was provided to a promisor prior to the day of publication of the media release. On 20 March 2015, in a statement to the Parliamentary Joint Committee on Corporations and Financial Services, the Chairman of ASIC advised that ASIC would be introducing a new policy that media releases will generally be provided to all promisors who enter into an EU, 24 hours before publication.

Conclusion

3.59 Decisions about whether to accept an offer of an EU were generally sound. For the majority (46 of 53) of EUs, ASIC documentation demonstrated some comparison being made between an EU and other regulatory options available to ASIC. Further, in the seven instances where record keeping was insufficient, ASIC was able to advise the reasons why entering into an EU would provide an effective regulatory outcome. Importantly, the ANAO did not identify any EUs where promisors were treated differently based on the size of their business.

3.60 In general, terms included in EUs provided a proportionate regulatory response to non-compliance, with individual terms in EUs being clearly aligned with the misconduct at which those terms were directed. ASIC does not, however, assess the effectiveness of EUs (and terms in EUs) to enable it to have a firmer basis for requiring the inclusion of particular terms in EUs. Terms facilitating the monitoring of compliance with EUs were found in a majority of EUs reviewed (38 of 53). However, there is scope for ASIC to strengthen its capacity to assess compliance with, and the effectiveness of, EUs by more systematically including reporting obligations in future EUs.

3.61 Documentation relating to the decision-making process for EUs was inconsistent, dispersed across multiple systems, and not always readily available. The ANAO was able to identify early stage SEL approvals for 41 of the 53 EUs and late stage SEL approvals for 28 EUs. In regard to CLO approvals, only 26 of 53 EUs were assessed as fully or largely compliant with ASIC policies. Even where documentation was available, it was not always readily apparent why a particular EU was accepted. The inconsistent documentation of decisions and approvals poses risks to the transparency, clarity, consistency, and enforceability of EUs. There would be merit in ASIC reinforcing to staff the importance of complying with its policies and procedures, and particularly, documenting all decisions relating to the acceptance of an EU.

Recommendation No.2

3.62 To strengthen decision-making and support the transparency of, and quality assurance over, enforceable undertakings, the ANAO recommends that ASIC:

  1. reinforces to staff the need for key documents and decisions relating to enforceable undertakings to be appropriately recorded in accordance with ASIC policies and procedures; and
  2. formalises the processes for obtaining enforceable undertaking approvals.

ASIC response:

3.63 Agreed. Implementation of Recommendation 2 will assist ASIC to ensure transparency and consistency in its administration of enforceable undertakings.

4. Monitoring Compliance with Enforceable Undertakings

This chapter examines ASIC’s monitoring of enforceable undertakings, action taken to address non-compliance, and reporting on compliance with the undertakings.

Introduction

4.1 It is important that EUs are monitored, and any breaches are detected and dealt with appropriately and in a timely manner. Monitoring of EUs is mainly undertaken by ASIC but can sometimes involve an independent expert.103 Adopting a risk-based approach to monitoring compliance provides a sound basis for focusing regulatory effort and cost-effectively deploying resources.

4.2 In its report, the Senate Economics References Committee raised concerns that the effectiveness of an EU in deterring misconduct within or by other regulated entities may be diminished by ‘a belief that the compliance with the undertaking will not be monitored effectively and the terms not enforced.’ In light of this, the Committee recommended that ‘ASIC should more vigilantly monitor compliance with [EUs] with a view to enforcing the undertaking in court if necessary.’104

4.3 The ANAO examined whether ASIC:

  • actively monitors compliance by promisors with the terms of their EUs, and takes action where breaches are identified;
  • undertakes appropriate assessments of independence and expertise when approving independent experts and engages with independent experts to maximise regulatory benefits from the process; and
  • measures and reports on the effectiveness of the EU in achieving desired regulatory outcomes.

4.4 In undertaking this review, the ANAO assessed the monitoring undertaken for the 53 EUs accepted between 1 January 2012 and 30 June 2014. Of these EUs, 30 included the appointment of an independent expert.

ASIC’s monitoring of compliance

4.5 Once ASIC formally accepts an EU, the terms of the undertaking become binding on the promisor. While the promisor is ultimately responsible for complying with the EU, ASIC is responsible for monitoring and verifying compliance after the EU has been accepted. Where ASIC considers that a promisor has failed to comply with any of the terms of an EU, it may apply to a court for enforcement of the undertaking.105

Form and extent of monitoring

4.6 The Enforcement Manual recognises that the nature and extent of monitoring compliance with EUs will depend on the substantive obligations, and any reporting obligations, in the undertaking. The Enforcement Manual does not specify the form of monitoring that can or should be taken in respect of EUs, but states that ‘in many cases, [ASIC] will have active future involvement in monitoring obligations of the [EU] (for example, receiving and assessing reports from an auditor of a compliance program, or receiving and assessing documents from the company, such as financial reports)’.

4.7 The ANAO assessed documentation relating to the monitoring of EUs in the audit sample to identify the monitoring activities commonly undertaken (Table 4.1). Given the wide variety of obligations imposed under EUs, the monitoring activities depended on the particular terms of the EU.

Table 4.1: Common monitoring activities undertaken by ASIC for enforceable undertakings

| Type | Description | No. of EUs | % of EUs |
|---|---|---|---|
| Communicate with promisor | ASIC had some form of communication with the promisor post-acceptance of the EU. | 32 | 60 |
| Receive documents | ASIC received the documents required to be produced under the terms of the EU, including independent expert reports and statements of compliance with obligations. | 27 | 51 |
| Follow up compliance | ASIC followed up with a promisor where the promisor was late or deficient in complying with undertakings under the EU. | 9 | 17 |
| Undertake searches | ASIC undertook searches of relevant databases to monitor compliance with undertakings. | 8 | 15 |
| Communicate with third party | ASIC had communicated with relevant third parties to ascertain compliance with the EU (for example, asking a non-profit organisation to confirm a community benefit payment had been made). | 7 | 13 |

Source: ANAO analysis of ASIC monitoring documentation relating to EUs accepted between 1 January 2012 and 30 June 2014.

Note: Individual EUs can have multiple forms of monitoring. This table does not include most forms of monitoring undertaken as part of the independent expert review progress. These forms of monitoring are considered in the next section of this chapter.

4.8 The most common forms of monitoring undertaken by ASIC were communication with the promisor (32 of 53 EUs) and receiving documentation under the EU (27 of 53 EUs). Where there were deliverables (such as reports or statements) under an EU, ASIC was able to provide evidence of receiving these in all but three cases (see paragraph 4.17). The content of discussions with the promisor depended on the nature of the EU and any issues arising. These discussions ranged from the relatively straightforward (such as ASIC providing approval for an individual to undertake a course to meet a continuing professional education obligation) to the more involved, as shown in the following case study.

Case study – Finalising outstanding external administrations

One of the EUs accepted by ASIC during the review period was from a registered liquidator who agreed, among other things, to cease carrying out work that only a registered liquidator can perform and to submit a Form 905A cancelling their registration as a liquidator.

Pursuant to the EU, a Form 905A was submitted within the timeframe specified in the EU. However, at the time the form was submitted, the liquidator had some outstanding external administrations that were not yet finalised and accordingly, ASIC’s Registry Services and Licensing team was unable to action the cancellation form.

To enable the cancellation to be actioned, ASIC’s Insolvency Practitioners stakeholder team worked with the promisor to finalise the external administrations. The Insolvency Practitioners team set up alerts to enable it to track the promisor’s progress in finalising these administrations and was in regular communication to remind the promisor of his obligations and to assist where possible. The external administrations were ultimately finalised and the promisor’s Form 905A cancellation of registration actioned, although not within the original timeframe outlined in the EU.

4.9 The ANAO also reviewed the extent to which ASIC monitored the EUs. To undertake this review, the ANAO assessed the terms of each EU to determine the extent to which ASIC could be expected to actively monitor the EU. A higher level of monitoring was expected where the EU was complex or involved ongoing obligations (such as those requiring independent expert reviews and involving complex arrangements for the remediation of consumers/investors) compared to EUs involving simple, one-off obligations (such as correcting misleading advertising). The ANAO then reviewed documentation to assess the extent to which the EUs were monitored. The results of this assessment are shown at Table 4.2.

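Table 4.2: ASIC’s level of monitoring compliance with enforceable undertakings

| Expected level of monitoring | Actual level of monitoring: None | Actual level of monitoring: Basic | Actual level of monitoring: Moderate | Actual level of monitoring: High |
|---|---|---|---|---|
| Basic | 7 | 21 | 3 | 0 |
| Moderate | 0 | 1 | 12 | 2 |
| High | 0 | 0 | 1 | 6 |
| Total | 7 | 22 | 16 | 8 |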

Source: ANAO analysis of ASIC monitoring documentation relating to EUs accepted between 1 January 2012 and 30 June 2014.

Note: Numbers in cells shaded grey represent EUs where monitoring was below ANAO expectations.

4.10 The ANAO identified adequate monitoring of undertakings for 44 of the 53 EUs reviewed (83 per cent). Of the nine instances where the level of monitoring fell short of expectations, the main obligation of six of these EUs required the individual to cease providing financial services for a specified period. In respect of these, documentation was not available to demonstrate that the Financial Advisers team was monitoring the exclusion of these individuals from the industry.106

4.11 More generally, the form and extent of EU monitoring activities was adequate having regard to the nature of the EUs. Nevertheless, there is scope to improve the documentation supporting the monitoring activities and allocating responsibility for monitoring EUs, for example to a person in each stakeholder team. These changes would be especially beneficial where the EU imposes ongoing obligations but does not include reporting requirements (such as EUs involving an exclusion from an industry).

Team conducting the monitoring

4.12 Broadly, the roles and responsibilities for monitoring an EU will depend on the obligations contained in the EU. According to the Enforcement Manual, where compliance with the EU will occur immediately and is easily verifiable, verification is the responsibility of the enforcement team that negotiated the undertaking. Where the EU involves a continuing obligation, monitoring is the responsibility of the relevant stakeholder team. To assess the extent to which monitoring is undertaken in accordance with this policy, the ANAO assessed which team could be expected to have responsibility for monitoring each EU reviewed. The ANAO then identified which team was actually monitoring the EU. The results of this analysis are shown at Table 4.3.

Table 4.3: Monitoring of enforceable undertakings by stakeholder or enforcement teams

| Team expected to monitor EU | Actual team monitoring EU: Enforcement | Actual team monitoring EU: Stakeholder | Monitoring not undertaken |
|---|---|---|---|
| Enforcement | 9 | 0 | 1 |
| Stakeholder | 8 | 29 | 6 |

Source: ANAO analysis of ASIC monitoring documentation relating to EUs accepted between 1 January 2012 and 30 June 2014.

Note: Numbers in cells shaded grey represent EUs that were monitored by a team different to that expected to monitor the agreement (based on ASIC guidance).

4.13 Apart from the seven EUs for which there was no evidence of monitoring (see Table 4.2 and related discussion), in eight EUs the monitoring of compliance was by a different team than expected by the guidance in the Enforcement Manual. In each of these cases, this was because the matter remained with the enforcement team indefinitely or for an extended period after acceptance of the EU, rather than being transferred to a stakeholder team. There was no reason documented for the responsibility for monitoring of the EU not being transferred to the relevant stakeholder team in accordance with ASIC procedures.

4.14 While enforcement teams can continue to monitor an EU containing ongoing obligations, this approach may lead to teams being unclear about their roles and responsibilities in relation to monitoring EUs. For example, for one of the EUs reviewed, there was considerable overlap between the monitoring activities of the stakeholder and enforcement teams, leading to confusion among staff members about their roles and responsibilities, and to an expert report not being appropriately followed up. More generally, a higher level of engagement with independent experts was identified in cases where responsibility for monitoring of an EU was promptly transferred to the relevant stakeholder team (see paragraph 4.43). Further, stakeholder teams are likely to gain experience and expertise over time in monitoring EUs (particularly in assessing expert reports).

Breaches of EUs

4.15 Where ASIC has reason to believe that an EU is not being complied with, the Enforcement Manual says it ‘will usually first try to resolve the matter by drawing the matter to the attention of the [promisor].’ In cases where the breach is ‘of a substantive term or involves a failure of the [promisor] to satisfy a material obligation by a certain time’, ASIC’s policy is that it will not hesitate to apply to a court to enforce the EU.

4.16 To assess ASIC’s identification of, and responses to, breaches of EUs, the ANAO assessed compliance with the terms in the EUs based on information available to ASIC.107 In making this assessment, the ANAO reviewed data sources including EU monitoring documentation, key systems and registers (such as complaints, licensing and registry systems) and relevant public information (such as websites, to determine whether corrective notices had been published). A summary of the ANAO’s assessment is shown at Table 4.4, which focuses on the more common obligations.

Table 4.4: Breaches of terms of enforceable undertakings

| Term/Obligation | No. of EUs with term: Total | No. of EUs with term: Assessed(2) | Breach of term(1): No | Breach of term(1): Yes | Breaches (%) |
|---|---|---|---|---|---|
| Reviews by independent experts | | | | | |
| Provide a report on specified matters prepared by an independent expert | 30 | 20 | 20 | 0 | 0 |
| Provide remediation plans in response to recommendations | 14 | 8 | 8 | 0 | 0 |
| Certification of implementation of recommendations made by an expert | 11 | 6 | 6 | 0 | 0 |
| Limiting activities | | | | | |
| Not provide financial services or services, or engage in credit activities | 15 | 15 | 15 | 0 | 0 |
| Not perform any duties or functions that can only be carried out by a registered liquidator or registered company auditor | 11 | 11 | 11 | 0 | 0 |
| Not take part in the management of any company | 5 | 5 | 4 | 1 | 20 |
| Continuing professional education | | | | | |
| Individual to undertake specified education | 13 | 6 | 4 | 2 | 33 |
| Company to ensure specified company officers undertake specified education | 5 | 5 | 4 | 1 | 20 |
| Other | | | | | |
| Cancellation of registration as a liquidator or company auditor | 6 | 6 | 6 | 0 | 0 |
| Payment of an amount to a specified not-for-profit organisation | 4 | 4 | 4 | 0 | 0 |
| Rectification to consumers/investors (such as compensation and corrective letters to clients) | 14 | 8 | 8 | 0 | 0 |

Source: ANAO analysis of ASIC EU monitoring documentation, ASIC registry and licensing databases, websites and other information relating to EUs accepted between 1 January 2012 and 30 June 2014.

Notes to Table 4.4

Note 1: The analysis is necessarily constrained by the available information. In the case of a promisor who has agreed to refrain from providing financial services and subsequently obtains employment with a financial service provider, it is unlikely that ASIC will identify this non-compliance except by receiving a complaint. The analysis is not intended to confirm that undertakings have been complied with, rather it provides assurance that there was no information in ASIC’s possession to indicate that an undertaking had not been complied with.

Note 2: A term was assessed where: the obligation was current at 15 November 2014; and information was available to enable an assessment—either because the EU had a reporting obligation or relevant information was available on ASIC’s various databases (including companies register, professional registers and complaints).

4.17 The ANAO identified four EUs where there was non-compliance with an obligation in an EU—three of these related to non-compliance with a continuing professional education obligation and one related to a promisor taking part in the management of a company despite an undertaking to refrain from doing so. In addition to the above, there were seven EUs where an obligation was not complied with in accordance with the timeframe specified in the EU. In all instances, ASIC was aware of the non-compliance. No instances were identified where information was available to ASIC about non-compliance with an EU, and the relevant team was unaware of that non-compliance.

4.18 For the two instances where an individual has not complied with their undertaking to complete specified continuing professional education, both individuals had advised ASIC that they were unemployed and in one case, unable to afford the course fees. ASIC has not demanded strict compliance with these undertakings. In the case of the company failing to ensure officers complete the education, this was due to differing expectations between ASIC and the promisor. To gain assurance that the obligation had been met, ASIC required the company to promptly fulfil the educational requirements and have the appointed independent expert produce a supplementary report in relation to that non-compliance (and certain other specified matters).

4.19 The one identified instance of non-compliance with an undertaking not to take part in the management of a corporation came to ASIC’s attention through a complaint from the public. In response to the complaint, ASIC contacted the promisor and relevant third parties to determine whether there had been a breach of the EU and sought relevant information. Although ASIC was of the view that a breach had occurred, it determined that it had insufficient evidence of the breach and that in any event, the risk posed to the public was limited. A letter was sent to the promisor to reinforce their obligations under the EU. Overall, and in the context of a risk-based regulatory framework, ASIC’s approach to responding to breaches of an EU has been suitable for the EUs reviewed by the ANAO.

Responding to complaints of a breach of an EU

4.20 An important means for ASIC to identify potential breaches of an EU is through complaints received from the public, as illustrated above. Reports of misconduct received from the public through ASIC’s website are assessed by the Misconduct and Breach Reporting (M&BR) team. M&BR also deal with Australian financial services licensee breach reports, auditors’ breach notifications and liquidators’ statutory reports, which also have the potential to reveal breaches of an EU.

4.21 To determine how ASIC deals with reports involving a potential breach of an EU, the ANAO reviewed the 71 cases in the Complaints Management System for which the activity description included a reference to an EU. Of these, 19 related to the 53 EUs reviewed as part of this audit. A diagram summarising the results of the ANAO’s testing is shown at Figure 4.1.

Figure 4.1: Outcomes of reports of misconduct relating to enforceable undertakings

Source: ANAO analysis of data in ASIC’s Complaints Management System.

4.22 Overall, the procedures for referring reports relevant to the monitoring of compliance with an EU are effective, with 10 of the 14 reports that raised a potential breach or information relevant to monitoring an EU being referred to the appropriate stakeholder or enforcement team. In two of the four cases where the report was not referred, the stakeholder team advised that it was already aware of the information and that the matter did not need to be referred. In a further case, evidence was considered insufficient for a formal referral, and in the final case, the complaint largely restated information from a previous case that had been referred to the enforcement team. In each case, the decision to not refer the report was appropriate in the circumstances.

Use of independent experts

4.23 One way that ASIC monitors compliance with EUs is to require the appointment of an independent expert to report to ASIC (either directly or through the promisor) on specified matters. In the review period, 30 of the 53 EUs included a term requiring a review to be undertaken by an independent expert. The form of review depended on the particular EU, but could be generalised into one of four types, as outlined in Table 4.5.

Table 4.5: Types of independent expert review required under enforceable undertakings

| Type of review conducted by the independent expert | No. of EUs | Per cent of EUs |
|---|---|---|
| Compliance with laws. Review advice or services provided by the promisor to determine if these have been provided in accordance with relevant laws and regulations. | 15 | 50 |
| Compliance framework. Review the systems, processes and procedures of the promisor to establish whether these effectively support compliance with relevant laws and regulations. | 12 | 40 |
| Compliance with EU. Review whether the promisor has discharged their obligations under the EU. | 1 | 3 |
| Multiple. Where the EU requires multiple reviews to be undertaken, involving a combination of the above matters. | 2(1) | 7 |
| Total | 30 | 100 |

Source: ANAO analysis of EUs entered into from 1 January 2012 to 30 June 2014.

Note 1: One of these EUs involved a review of an individual’s compliance with legislation and a review of the firm’s compliance framework. The other EU involved a review of the promisor’s compliance with legislation and compliance with the EU (in terms of an obligation to refund consumers).

4.24 The requirement to appoint an independent expert can have a number of potential benefits, including allowing for the independent verification of remedial action and shifting the cost of monitoring compliance with the EU to the promisor. However, in its report, the Senate Economics References Committee identified some concerns regarding the management of the independent expert process, including in relation to transparency and the appointment process. In particular, the Committee queried the degree of certainty around the obligations of the expert, what constitutes expertise, and how potential conflicts of interest should be resolved.108 The remainder of this section considers the process for appointing independent experts, the reports produced and ASIC’s engagement with independent experts.

Appointing independent experts

4.25 ASIC’s involvement in appointing an expert will depend on the terms of the particular EU. As a general position, independent experts under an EU and their terms of reference, are to be approved by ASIC before the promisor engages that expert. There are, however, exceptions to this general position—for example, if the independent expert was approved before the EU was accepted. Table 4.6 outlines the arrangements for approving independent experts under the EUs reviewed by the ANAO.

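Table 4.6: Arrangements for approving independent experts under enforceable undertakings

| ASIC approval of expert | ASIC approval of terms of reference: Yes | ASIC approval of terms of reference: Prior to EU(1) | ASIC approval of terms of reference: No | Total |
|---|---|---|---|---|
| Yes, approval required | 12 | 3 | 7 | 22 |
| Approved prior to or when accepting EU | 0 | 2 | 0 | 2 |
| No approval required | 0 | 3 | 3 | 6 |
| Total | 12 | 8 | 10 | 30 |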

Source: ANAO analysis of EUs entered into from 1 January 2012 to 30 June 2014.

Note 1: ‘Prior to EU’ indicates instances where the terms of reference were agreed before the acceptance of the EU because the independent expert was engaged prior to acceptance of the EU, or because the EU prescribes a form of terms of reference (attached as an appendix to the EU) to be used when engaging an independent expert.

4.26 As Table 4.6 indicates, ASIC’s approval of the expert was required in 24 of the 30 EUs where an independent review was to be undertaken. Of the six EUs that did not require ASIC’s approval of the independent expert, four related to financial advisers who, following the resumption of work after completing their periods of suspension, were required to have reviews undertaken of the compliance of financial advice provided by them with relevant laws. In each of these cases, although not requiring ASIC to approve the expert, there was some guidance as to who would constitute an acceptable reviewer.109 It was not clear why ASIC’s approval was not required in these cases when for similar EUs (such as EUs involving auditors and liquidators), ASIC was required to provide a final approval.

4.27 Overall, the arrangements for approving experts varied considerably between EUs, with 13 of the 30 EUs not requiring ASIC approval of either the expert and/or the terms of reference. As the nature of ASIC’s consideration of an approval will necessarily depend on the nature and complexity of a matter, it is important that ASIC has a clear policy and consistent practices in appointing independent experts and their terms of reference.

Appointing experts in accordance with the EU

4.28 Of the 22 EUs where ASIC’s approval was required110: an approval was provided for 15 EUs; there was no record of approval for two EUs; and for the remaining five EUs, approvals were not yet required as the obligation to engage an expert was future-dated or contingent. Documented consideration of the appropriateness (expertise and/or independence) of an expert was identified for 10 of the 15 EUs where an approval had been given.

4.29 For the 12 EUs where ASIC was required to approve the terms of reference, there was documented approval for 11 of the 12 EUs—for seven of these 11 EUs, there was documented consideration of, or input into, the terms of reference.

ASIC’s consideration of the independence and expertise of experts

4.30 ASIC’s consideration of the independent expert and their terms of reference varied between EUs. While lacking a systematic approach to considering independent experts’ independence and expertise, common considerations included:

  • the performance of an expert in past reviews conducted under an EU;
  • the results of data warehouse and mainframe system searches (particularly, whether there have been past complaints/issues regarding the proposed reviewer, and whether the search identifies connections between the promisor and reviewer that could suggest a conflict of interest); and
  • reviews of the curriculum vitae and statements of independence provided by the expert.

4.31 In four of the 10 EUs reviewed where there was documented consideration of the appropriateness of an independent expert, ASIC had rejected the initial expert proposed by the promisor. In two of these cases, the basis for the rejection was that ASIC did not believe the expert was sufficiently independent of the promisor. In one case, ASIC considered that the proposed independent expert lacked the relevant qualifications, regulatory knowledge and compliance experience to carry out the required tasks. In the other case, ASIC refused to approve the independent expert because of concerns about the quality of past reports prepared by the expert as well as a perceived conflict of interest.

4.32 While ASIC generally undertakes adequate assessments in relation to the appointment of independent experts, the practices for this differ greatly between teams and on a case-by-case basis. The fact that ASIC rejected the independent expert initially proposed by the promisor in 40 per cent of cases where there was documented consideration of the appropriateness of the independent expert, underscores the importance of consideration by ASIC of the independence and expertise of experts proposed by promisors, and the content of their terms of engagement.

4.33 In February 2015, a revised Regulatory Guide 100 was released that deals with many of the above matters. Importantly, the revised Guide states that where a promisor is to appoint an independent expert under an EU, ASIC will require a term in the EU that the promisor obtains ASIC’s approval of the appointment and of the terms of reference. The guide also lists considerations to be taken into account when determining whether an expert demonstrates: competence to undertake the engagement; independence from the promisor; and the existence of adequate arrangements to manage conflicts of interest arising during the engagement. While the revised Regulatory Guide 100 is a significant improvement, there would be merit in ASIC supporting the amendments with practical assistance to staff on how to apply the revised Guide by making amendments to its internal guidance on EUs.

Independent expert reports

4.34 Where an independent expert is required to be appointed as part of an EU, that expert is required to review certain matters (as outlined in Table 4.5) and report back to the promisor and ASIC on their findings. In some cases, the EU also requires the expert to make any relevant recommendations and for the promisor to implement these recommendations.

4.35 To support ASIC in effectively monitoring compliance with EUs, and to improve the compliance of individuals and businesses subject to EUs, it is important that the reports:

  • address the EU requirements and areas of concern to ASIC;
  • are comprehensive; and
  • where appropriate, make meaningful recommendations.

4.36 The ANAO assessed 35 reports provided to ASIC against these criteria.111 The results of this assessment are shown at Table 4.7.

Table 4.7: ANAO assessment of independent expert reports

| Criteria | ANAO Assessment |
| --- | --- |
| Address EU requirements | All but one fully or substantially addressed the requirements. |
| Comprehensive (such as including details about the testing performed, the analysis, results and high-level conclusions) | Of the 35 reports, 24 were very comprehensive, seven sufficiently comprehensive and four provided limited information. |
| Meaningful recommendations (that is, whether they provided real and practical ways for the issues identified to be remedied) | Of the 35 reports, 29 made recommendations—in all but two of these reports, the recommendations were meaningful. |

Source: ANAO analysis of 35 independent expert reports received by ASIC pursuant to EUs accepted between 1 January 2012 and 30 June 2014.

4.37 Although some stakeholders raised concerns with the ANAO about the quality of reviewers appointed by some promisors, this was generally not supported by an assessment of reports produced by those reviewers. The overwhelming majority of reports reviewed were of sufficient quality having regard to addressing the EU requirements, being comprehensive and containing meaningful recommendations.

4.38 For two reports, however, the ANAO identified shortcomings. In one of these cases, ASIC also identified issues with the quality of the report. ASIC discussed these concerns with both the promisor and the independent expert and required a supplementary report to be provided to respond to the concerns raised. In the other case—an EU monitored by the enforcement team—ASIC had not identified similar issues.

4.39 As part of its review, the ANAO also assessed the extent to which the reports made findings critical of the compliance of a promisor—this being an indicator as to whether independent experts have applied appropriate professional scepticism in the discharge of their responsibilities.112 The results of this assessment are shown at Table 4.8. Overall, just over half (52 per cent) of the reports had negative and/or mixed findings.

Table 4.8: Findings of independent expert reports

| Finding | No. of reports | Percentage of reports |
| --- | --- | --- |
| Positive—the report identified no or only very minor issues with the promisor’s compliance arrangements, or compliance with the EU or with specific legislation. | 13 | 37 |
| Generally positive—the report did not identify any major issues. | 4 | 11 |
| Mixed—the report identified one or more major issues, but these were balanced against the promisor’s generally positive conduct in respect of other areas. | 10 | 29 |
| Generally negative—the report identified one or more major issues not balanced by positive findings in other areas. | 5 | 14 |
| Negative—multiple major issues were identified that indicated systemic issues with the promisor’s compliance arrangements, or compliance with the EU or with specified legislation. | 3 | 9 |

Source: ANAO analysis of 35 independent expert reports received by ASIC pursuant to EUs accepted between 1 January 2012 and 30 June 2014.

ASIC’s engagement with independent experts

4.40 To maximise the potential regulatory benefit from independent reviews under EUs, it is important that ASIC engages with independent experts to help ensure that the reviews undertaken address the areas of concern to ASIC and that appropriate remedial action is taken by promisors in response to issues raised by the expert. It is expected that in interacting with independent experts, ASIC will adopt a risk-based approach—a high level of engagement being required where the consequences or likelihood of misconduct are greater or where the expert is not performing as expected.

4.41 For each of the 20 EUs where an independent expert had been appointed and a report produced, the ANAO assessed the level of engagement and follow-up by ASIC in relation to the expert and their reports. There was evidence of ASIC communicating directly with the independent reviewer for 12 of these 20 EUs. The extent and nature of these discussions varied between EUs, ranging from ASIC providing input into the reviewer’s scope of work (four EUs) to one EU where ASIC had to arbitrate in a dispute between the promisor and the appointed independent expert. An example of an EU where ASIC has had a high level of ongoing engagement with both the promisor and the independent expert is provided in the following case study, relating to the EU accepted from Macquarie Equities Limited.

Case Study – ASIC’s ongoing monitoring of an EU with Macquarie Equities Limited

On 29 January 2013, ASIC accepted an EU from Macquarie Equities Limited (MEL) following ASIC identifying some recurring compliance deficiencies by, and in the supervision of, MEL’s advisers. The EU concluded on 29 January 2015, following receipt by ASIC of the final independent expert report.

Due to the matter involving a large participant in the wealth management industry, and its high public profile, ASIC had close and ongoing involvement with MEL and the independent expert appointed under the EU. As a demonstration of ASIC’s level of engagement, 2.3 full time equivalent staff were dedicated to the EU. Three examples of ASIC’s monitoring of the EU are provided below, relating to: ASIC’s engagement with the expert; its role in the adviser reviews; and its input into the client remediation methodology.

Engagement with the expert

ASIC held regular meetings and teleconferences (often several times a week) with MEL and the independent expert, both together and independently. During these meetings, ASIC received updates on the status of MEL’s initiatives and provided feedback to MEL on how it can best address ASIC’s concerns. Under the EU, ASIC was provided with confidential independent expert reports. There was evidence of close consideration by ASIC of these reports. In some instances, ASIC asked the independent expert to undertake specific testing and review on matters of interest to ASIC so that it could gain further assurance in relation to the EU.

Role in adviser reviews

Under the EU, MEL was required to implement a mechanism to identify advisers with poor compliance, undertake a review of those advisers’ files and rectify concerns identified about the conduct of those advisers. ASIC has monitored the process and the results of this review. Where advisers were identified as having poor compliance, ASIC has reviewed these cases and, in some instances, is taking further action. As a result of the adviser review program, there are a number of individual former advisers currently being investigated by ASIC, and some other advisers in relation to whom ASIC is making inquiries that may lead to a formal investigation.

A large part of the adviser review was undertaken by MEL using Key Risk Indicators (KRIs) to identify advisers who may have been at risk of having poor compliance. Given the importance of these KRIs to the adviser review process, ASIC engaged with MEL and the expert at an early stage to provide its input and feedback on the indicators proposed by MEL. As a result of ASIC’s input into the process, drawing on experience across the industry more widely, MEL agreed to include a number of additional KRIs and to amend some KRIs.

Input into client remediation methodology

One term in the EU required that where MEL identifies that a client has been disadvantaged due to the failings of an adviser, MEL is obliged to remediate the client where appropriate. To help ensure clients are appropriately remediated, MEL and ASIC commenced discussions about MEL’s proposed remediation methodology at an early stage, which resulted in ASIC providing feedback on MEL’s remediation methodology. These discussions took place over a number of months, with MEL considering that it was necessary to refine its remediation process, based in part on feedback from ASIC and the independent expert.

One of the areas of particular interest for ASIC was in having an independent expert to oversee the client remediation process. After discussion with ASIC, MEL engaged a professional services firm to oversee the client remediation process even though not required to do so under the EU. ASIC provided feedback on the firm’s role and scope of work. ASIC’s continued engagement with MEL has also contributed to other enhancements to the remediation process, including $5000 being offered to all clients to obtain independent advice on the reviews conducted by MEL, rather than only those clients who are offered compensation. Also, MEL has aligned its processes with those of the Financial Services Ombudsman and broadened the scope of clients that can escalate their complaint to the Ombudsman.

4.42 Of the 20 EUs where an independent expert report had been provided to ASIC, documentation (such as a memo, working paper or email) was available that demonstrated ASIC had assessed reports for 15 of these EUs. In 13 cases, ASIC had requested further information or arranged a meeting to discuss the report with the promisor. Importantly, ASIC undertook appropriate follow-ups in relation to seven of the eight reports having ‘Negative’ or ‘Generally Negative’ findings against the promisor. For the other EU, follow-up is to occur after the promisor has submitted their statement of implementation of recommendations.

4.43 There was a higher level of engagement with the independent expert where the ASIC team responsible for monitoring was a stakeholder team rather than an enforcement team. ASIC documentation indicated consideration of an expert report for 14 of the 16 EUs monitored by a stakeholder team where a report had been provided. ASIC records indicated consideration of an expert report for only one of the four EUs monitored by an enforcement team. There would be merit in ASIC taking steps to ensure that responsibility for monitoring EUs with expert reporting obligations is transferred to the relevant stakeholder team so that appropriate consideration is given to the reports produced under the EU.

4.44 Overall, ASIC’s engagement with independent experts generally reflected an appropriate risk-based approach. The differences in the extent to which ASIC engaged with the expert review process (through communication with the expert, and consideration and follow-up of reports) were generally explained by reference to factors including: the nature of the misconduct subject to the EU; the details of the review arrangement included in the EU (including whether the EU required multiple reviews); and whether issues were identified as part of the reviews conducted by the independent expert. Nevertheless, in light of the five cases where there was no documentation to demonstrate an assessment of the independent expert reports, there is scope for better record keeping and documentation of the independent expert process.

Public reporting on compliance with enforceable undertakings

4.45 In its report, the Senate Economics References Committee raised concerns about the transparency of compliance with EUs. Having regard to this, the Committee recommended that ASIC:

consider ways to make the monitoring of ongoing compliance with the undertaking more transparent, such as requiring that reports on the progress of achieving the undertaking’s objectives are, to the extent possible, made public.113

4.46 This recommendation was in addition to the recommendation discussed in Chapter 2 that ASIC include in its annual report additional commentary on: its activities to monitor compliance with EUs; and how the undertakings have led to improved compliance with the law and encouraged a culture of compliance.114

4.47 In response to the Committee’s recommendation, in August 2014, ASIC included in its Enforcement Manual interim guidance on the public reporting of outcomes. This guidance specified mandatory public reporting of outcomes of EUs (including by allowing ASIC to refer to the findings of expert reports), unless a Commissioner determines otherwise. In February 2015, Regulatory Guide 100 was revised to reflect a final position on the public reporting of outcomes. The revised Guide makes clear to regulated entities that for EUs accepted in the future, ASIC will report on whether the undertakings given by a promisor in an EU have been complied with. The revised Guide also states that where an EU requires reporting by an independent expert, ASIC will make ‘available publicly a summary of the final report or a statement that refers to the content of the report’.115

4.48 While not forming part of the broad sample, the ANAO assessed the 11 EUs entered into by ASIC between 4 August 2014 and 31 December 2014 to determine whether their terms reflect the interim policy outlined in the Enforcement Manual. Nine of the 11 EUs accepted were consistent with the policy, and for the five EUs where an independent expert report was required, the undertaking provided for this report to be made publicly available.116

Evaluating the effectiveness of EUs in achieving improved compliance

4.49 While it is important for transparency that compliance with EUs is reported, it is also important that ASIC goes further and assesses more broadly the effectiveness of each EU in achieving improved compliance.

4.50 As discussed in Chapter 2, ASIC does not currently systematically measure and report (internally or publicly) on the effectiveness of individual EUs in achieving desired outcomes. Though stakeholder teams and SELs often have a sense about the effectiveness of particular EUs in generating behavioural change, there would be merit in ASIC taking steps to more systematically collect data and report on these outcomes. The reporting obligations in many EUs (as well as other reporting obligations outside EUs)117 position ASIC well to report on compliance outcomes, as outlined below:

  • for five of the eight EUs where multiple expert reports were provided under the EU, there was an improvement in the promisor’s compliance in subsequent reports compared to the initial report—suggesting that the review process had led to improved compliance118;
  • in one case, after acceptance of an EU and following an independent expert review process, an Australian financial services licensee (AFSL) began submitting AFSL breach reports in relation to newly identified instances of prior non-compliance—suggesting that the EU had led to the promisor taking their AFSL obligations more seriously; and
  • in one case, ASIC continued to receive regular reports of misconduct in relation to the conduct of franchisees of a franchisor from whom ASIC had accepted an EU—suggesting that greater attention may need to be given when accepting future EUs involving franchise operations.

4.51 While these examples demonstrate the effectiveness of EUs in providing specific deterrence, the impact of EUs as an effective regulatory tool for deterring and educating regulated entities more generally is also important, as discussed in Chapter 2.

Conclusion

4.52 Monitoring compliance with the terms of EUs varied depending on the nature of the obligations in EUs. Generally, the monitoring activities undertaken were appropriate in the circumstances and the level of monitoring was also adequate in a majority of cases (44 of 53 EUs reviewed). Where ASIC possessed information suggesting a breach of an EU, it had identified the breach and responded appropriately.

4.53 In terms of its use of independent reviews, there were inconsistencies in the process for appointing independent experts under an EU. Of the 30 EUs that required an independent expert to be appointed, 13 did not provide for ASIC to approve the expert and/or their terms of reference. ASIC has recently released new public guidance that requires these approvals. Where the EU required ASIC to provide relevant approvals, there was documented evidence of ASIC having provided those approvals. However, the inquiries undertaken and judgments made to support the approval of an expert were not consistently documented. To support a more consistent approach to the approval of independent experts and their terms of reference, ASIC should consider complementing its public guidance on independent experts with internal guidance to staff on the steps to be taken in approving the appointment of an independent expert.

4.54 In response to the Senate Economics References Committee’s recommendation that ASIC consider ways of increasing the transparency of monitoring compliance with EUs, in August 2014 ASIC introduced interim guidance requiring the public reporting of outcomes of EUs. A final position was reached in February 2015, with the release of a revised Regulatory Guide 100. EUs entered into since August 2014 have generally been accepted in line with the new policy.

4.55 In addition, to support future decisions to enter into EUs, there remains scope for ASIC to assess the effectiveness of each EU in achieving its desired regulatory outcomes. The information that ASIC receives through monitoring compliance with EUs positions it well to undertake this task. The assessment of the effectiveness of an EU should inform ASIC’s views on the circumstances in which it is appropriate to enter into an EU in the future and the terms to be included in these EUs.

Appendices

Please refer to the attached PDF for the Appendices:

  • Appendix 1: Entity Response
  • Appendix 2: Terms in Enforceable Undertakings Reviewed

Abbreviations

  • AFSL: Australian financial services licence
  • ASIC: Australian Securities and Investments Commission
  • CALDB: Companies Auditors and Liquidators Disciplinary Board
  • CLO: ASIC Chief Legal Office
  • CBA: Commonwealth Bank of Australia
  • EU: Enforceable undertaking
  • KPI: Key performance indicator
  • KRI: Key risk indicator
  • M&BR: Misconduct and Breach Reporting
  • MEL: Macquarie Equities Limited
  • SEL: Senior Executive Leader

Glossary

  • Australian financial services licence: A licence given by ASIC that allows people or companies to legally carry on a financial services business, including selling, advising or dealing in financial products.
  • Australian credit licence: A licence given by ASIC that allows people or companies to legally engage in credit activities, including lending money or providing assistance to a person borrowing money.
  • Chief Legal Office: The office within ASIC that provides legal, strategic and other input into major compliance cases and assists enforcement and stakeholder teams.
  • Commission: The body responsible for the exercise of ASIC’s functions and powers, its strategic direction and priorities. The Commission consists of the ASIC Chairman, Deputy Chairman and Commissioners.
  • Enforceable undertaking: A written undertaking given to ASIC by a regulated entity, in which that entity makes a commitment to operate in a certain way. If breached by the entity, the undertaking is enforceable in court.
  • Enforcement: One of the tools available to ASIC to respond to non-compliance. It involves taking steps such as court action or issuing infringement notices to deal with and deter misconduct.
  • Enforcement teams: Teams of ASIC staff that are responsible for investigating identified misconduct and, where appropriate, taking enforcement action in relation to the misconduct.
  • Gatekeepers: Individuals or entities that play an important role in ensuring the health of financial markets, such as: company directors and officers; financial advisers; credit licensees; insolvency practitioners; and auditors and liquidators.
  • Independent expert: A person required to be appointed under the terms of an enforceable undertaking to perform a review of specified matters, and to provide a report on these matters to ASIC and/or the promisor.
  • Promisor: The regulated entity that has entered into an enforceable undertaking with ASIC and is required to comply with the obligations of that enforceable undertaking.
  • Senior Executive Leader: An ASIC senior executive officer who reports directly to an ASIC Commissioner. Most enforcement and stakeholder teams are headed by an SEL officer.
  • Stakeholder teams: Outwardly-focused teams of ASIC staff that consider compliance risks across the various financial market segments.
  • Surveillance: Surveillance generally involves monitoring entities to determine whether they are complying with relevant legislation. Surveillance can be proactive or reactive (such as in response to reports of misconduct).

Footnotes

1 Nominal gross domestic product is a common measure of the size of an economy and refers to the total market value of goods and services produced in Australia within a given period.

2 Reserve Bank of Australia, Statistical Tables: Assets of Financial Institutions, available from <www.rba.gov.au/statistics/tables/xls/b01hist.xls> [accessed 16 March 2015].

3 ASIC, Annual Report 2013–14, pp. 19–21. In 2013–14, ASIC had operating expenditure of $341 million to discharge its responsibilities.

4 Regulated entities in the context of ASIC’s regulatory activities include: corporations, auditors and liquidators registered under the Corporations Act 2001, Australian financial services licensees and Australian credit licensees.

5 ASIC, ASIC’s Strategic Framework, available from <http://download.asic.gov.au/media/2309568/strategicframework_nov2014_online_accessible.pdf> [accessed 22 January 2015].

6 From July 1998 (when EUs were introduced) to December 2014, ASIC accepted 388 EUs.

7 Senate Economics References Committee, Performance of the Australian Securities and Investments Commission, June 2014.

8 The ANAO examined all 53 EUs concluded by ASIC between 1 January 2012 and 30 June 2014.

9 Of the 53 EUs examined, in the seven instances where record keeping was insufficient, ASIC was able to advise the reasons why entering into an EU would provide an effective regulatory outcome.

10 Of the 30 EUs that required an independent expert to be appointed, 13 did not provide for ASIC to approve the expert and/or their terms of reference.

11 For example, in 18 EUs, a company was required to have an independent expert undertake reports on specific matters (usually on the company’s compliance arrangements) and in five EUs, specific company officers were required to undertake particular education. Independent expert reports frequently indicated that the EU had contributed to the company improving its compliance arrangements—including improved training, systems, policies and procedures.

12 These other negotiated outcomes range from entities agreeing to correct misleading advertising to more formal arrangements, such as entities agreeing to the imposition of a licence condition.

13 Stakeholder teams cover compliance risks across various sectors of the financial economy. Enforcement teams are generally responsible for undertaking investigations and initiating enforcement actions.

14 ASIC’s workflow and document management systems are complex, and information relevant to an EU was often held in multiple databases and/or in staff email inboxes. In consolidating the recording of information in relation to EUs, a key first step would be to reinforce to staff the need to store all documentation relating to an EU in accordance with ASIC policies and procedures.

15 ASIC does not report externally against the three KPIs: product issuers, credit providers and advisers meet required standards; participants in financial markets meet required standards; and issuers (of securities) and their officers meet required standards. ASIC reports partially against the two KPIs: fair and efficient processes are in place for resolution of disputes; and misconduct is dealt with and deterred.

16 As discussed in footnote 9, in the other seven instances ASIC was able to advise the reasons why entering into an EU would provide an effective regulatory outcome.

17 The Senate Economics References Committee raised concerns about the extent to which ASIC monitored compliance with EUs.

18 Nominal gross domestic product is a common measure of the size of an economy and refers to the total market value of goods and services produced in Australia within a given period.

19 Reserve Bank of Australia, Statistical Tables: Assets of Financial Institutions, available from <www.rba.gov.au/statistics/tables/xls/b01hist.xls> [accessed 16 March 2015].

20 ASIC’s other responsibilities include: maintaining publicly accessible registers of information about companies, financial services licensees and credit licensees; and administering unclaimed money from banking and deposit taking institutions and life insurance institutions.

21 Corporate governance includes ensuring that: company directors comply with their obligations under the Corporations Act 2001; companies comply with requirements in relation to financial reporting; and companies comply with requirements in relation to fundraising, takeovers and other corporate transactions.

22 Australian Bureau of Statistics, 8165.0, Counts of Australian Businesses, including Entries and Exits, June 2009 to June 2013.

23 Australian Stock Exchange, Historical market statistics—End of month values, available from <http://www.asx.com.au/about/historical-market-statistics.htm#End_of_mont...> [accessed 10 July 2014].

24 ASIC, Annual Report 2013–14, p. 19.

25 Senate Economics References Committee, Performance of the Australian Securities and Investments Commission, p. 504, available from <http://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Economics/ASIC/Final_Report/~/media/Committees/Senate/committee/economics_ctte/ASIC/Final_Report/c04.pdf> [accessed 29 January 2015].

26 Parliamentary Joint Committee on Corporations and Financial Services, Financial products and services in Australia, p. 52, available from <http://www.aph.gov.au/~/media/wopapub/senate/committee/corporations_ctte/completed_inquiries/2008_10/fps/report/report_pdf.ashx> [accessed 12 February 2015].

27 Minister for Financial Services and Superannuation, Media Release No 151 of 2011, Protecting vulnerable people from inappropriate lending, available from <http://ministers.treasury.gov.au/DisplayDocs.aspx?doc=pressreleases/2011/151.htm&pageID=003&min=brs&Year=&DocType=0> [accessed 17 February 2015].

28 ASIC, ASIC’s Strategic Outlook, available from <http://download.asic.gov.au/media/2195181/asic-strategic-outlook-2014-2015.pdf> [accessed 29 January 2015].

29 Gatekeepers are individuals or entities who are important in ensuring the health of financial markets, and include company directors and officers, financial advisers, credit licensees, insolvency practitioners, auditors and liquidators.

30 Enforceable undertakings are enforceable under statute: Australian Securities and Investments Act 2001, ss 93AA and 93A; National Consumer Credit Protection Act 2009, s 322.

31 ASIC, Regulatory Guide 100: Enforceable Undertakings, February 2015, Table 3, pp. 12–13.

32 An exception is where the acceptance of an EU best serves an urgent protective purpose and is not an impediment to later court action. A detailed comparison of EUs with other regulatory options is at Table 2.2 in Chapter 2.

33 See s 93AA and s 93A of the Australian Securities and Investments Act 2001. In relation to consumer credit related matters, the power is provided by s 322 of the National Consumer Credit Protection Act 2009. The law envisages that the entity that has committed the suspected misconduct will make an offer to ASIC to enter into an EU, and ASIC then considers whether to accept the offer. ASIC cannot require an entity to enter into an EU, and an entity cannot compel ASIC to accept an EU. Either ASIC or the promisor can initiate negotiations to enter into an EU.

34 ASIC, Regulatory Guide 100: Enforceable Undertakings, February 2015, p. 5.

35 Johnstone R and Parker C, Enforceable Undertakings in Action: Report of a Roundtable Discussion with Australian Regulators, available from <http://www.law.unimelb.edu.au/files/dmfile/ParkerandJohnstone EnforceableUndertakingsinActionReportofa RoundtableDiscussionwithAustralianRegulatorsFinalEUWorking Paper17Feb20101.pdf> [accessed 31 October 2014].

36 Senate Economics References Committee, Performance of the Australian Securities and Investments Commission, p. 3.

37 Senate Economics References Committee, Media Release: ASIC Inquiry final report says Royal Commission is warranted, 26 June 2014.

38 If the EU contains ongoing obligations, ASIC needs to ensure that the entity’s compliance is monitored. Often, EUs will stipulate that independent experts will be appointed by the promisor to undertake this monitoring.

39 ASIC’s stakeholder teams cover compliance risks across various sectors of the financial economy. ASIC’s enforcement teams are generally responsible for undertaking investigations and initiating enforcement actions.

40 ASIC, Opening statement, Senate Economics References Committee Inquiry into the performance of ASIC, 19 February 2014, available from <http://www.aph.gov.au/DocumentStore.ashx?id=b43214c6-1b13-4050-b964-5e62192ddfa2> [accessed 27 January 2015].

41 The ANAO consulted with the Australian Restructuring Insolvency and Turnaround Association, Chartered Accountants Australia and New Zealand, the Consumer Action Law Centre, the Financial Rights Legal Centre and the GRC Institute. The ANAO also interviewed independent experts and academics.

42 ANAO Better Practice Guide, Administering Regulation, June 2014, p. 13, available from <http://www.anao.gov.au/~/media/Files/Better%20Practice%20Guides/2013%202014/ANAO%20-%20BPG%20Administering%20Regulation.pdf> [accessed 30 October 2014].

43 Productivity Commission, Regulator Audit Framework, March 2014, p. 25, available from <http://www.pc.gov.au/__data/assets/pdf_file/0005/134780/regulator-audit-framework.pdf> [accessed 12 December 2014].

45 Annual business planning processes require ASIC management to develop business plans that deliver ASIC’s strategic priorities. Risks that could impact on the delivery of these priorities are recorded and assessed as part of ASIC’s risk management framework and processes. ASIC has broad processes for identifying and prioritising strategic risks.

46 ASIC undertakes surveillance to assess compliance with the laws that it administers. Surveillance may be desk-based (such as assessing the advertising material of regulated entities) or on-site (including assessing the records and client files of entities).

47 Australian financial services licensees, and company auditors and liquidators are required to submit reports notifying ASIC of breaches in specified circumstances.

48 ASIC, Corporate compliance, available from <http://asic.gov.au/for-business/running-a-company/company-officeholder-duties/corporate-compliance> [accessed 30 January 2015].

49 ASIC, Information Sheet 172, available from <http://asic.gov.au/about-asic/asic-investigations-and-enforcement/cooperating-with-asic> [accessed 29 January 2015].

50 ASIC, Information Sheet 151, available from <http://asic.gov.au/about-asic/asic-investigations-and-enforcement/asic-s-approach-to-enforcement> [accessed 16 December 2014].

51 Senate Economics References Committee, Performance of the Australian Securities and Investments Commission, available from <http://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Economics/ASIC/Final_Report/~/media/Committees/Senate/committee/economics_ctte/ASIC/Final_Report/c04.pdf> [accessed 21 November 2014].

52 ASIC, Regulatory Guide 100: Enforceable Undertakings, February 2015, paragraphs RG100.6 and RG100.7, available from <http://download.asic.gov.au/media/2976014/rg100-published-19-february-2015.pdf> [accessed 24 February 2015].

53 ibid, paragraphs RG100.20 and RG100.26(g).

54 Chapter 3 examines the practical implementation of this approach, that is, whether EUs have been entered into on the basis they will achieve an effective regulatory outcome. The ANAO examined 53 EUs that were accepted by ASIC between 1 January 2012 and 30 June 2014.

55 Senate Economics References Committee, Performance of the Australian Securities and Investments Commission, available from <http://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Economics/ASIC/Final_Report/~/media/Committees/Senate/committee/economics_ctte/ASIC/Final_Report/report.pdf> [accessed 12 November 2014], paragraph 17.47.

56 In its submission to the 2014 Financial System Inquiry, ASIC raised concerns that the available regulatory tools and penalties may not be sufficient to operate as a genuine deterrent to misconduct. ASIC, Financial System Inquiry: Submission by the Australian Securities and Investments Commission, available from <http://fsi.gov.au/files/2014/04/ASIC.pdf> [accessed 10 November 2014].

57 While ASIC advised that, as a matter of practice, such outcomes are announced in a media release, the ANAO identified one instance where this did not occur.

58 These other negotiated outcomes included: 91 involving the correction of misleading or deceptive information (usually following a letter sent by ASIC to the entity); and 12 resulting in compensation or refunds to consumers.

59 As outlined in Chapter 1, stakeholder teams consider compliance risks across the various finance market segments, while enforcement teams are generally responsible for investigations and enforcement actions.

60 An SEL is an ASIC senior executive officer who reports directly to an ASIC Commissioner. In most cases, each enforcement and stakeholder team is headed by an SEL.

61 ASIC, ASIC senior executives, available from <http://asic.gov.au/about-asic/what-we-do/our-structure/asic-senior-executives/asic-senior-executives-biographies> [accessed 23 January 2015].

62 If the matter is particularly high profile, controversial or otherwise major, it may also need to be submitted to the ASIC Commission for consideration, discussion and potential decision.

63 For these meetings, a table is circulated to attendees listing all current major matters and outlining the current status of the matter.

64 The ANAO reviewed the fortnightly and monthly reports for the period January 2012 to June 2014.

65 The information contained in the spreadsheet included the name of the party, the concerns that were the subject of the EU, the team responsible for the EU and the current monitoring status. While there was information regarding the outcomes of the monitoring activities for some EUs, this information was not provided consistently.

66 ASIC, Regulatory Guide 100: Enforceable Undertakings, February 2015.

67 ASIC Information Sheet 152, Public comment, available from <http://asic.gov.au/about-asic/asic-investigations-and-enforcement/public-comment/> [accessed 17 December 2014].

68 ASIC Information Sheet 172, Cooperating with ASIC, available from <http://asic.gov.au/about-asic/asic-investigations-and-enforcement/cooperating-with-asic/> [accessed 17 December 2014].

69 ASIC Service Charter, September 2012, available from <http://www.asic.gov.au/servicecharter> [accessed 16 October 2014].

70 ANAO Better Practice Guide, Administering Regulation, p. 21.

71 The Governance Protocol describes the governance principles for investigations, including when the Commission is to be involved in decisions about EUs.

72 ASIC, Annual Report 2013–2014, p. 4.

73 ASIC Portfolio Budget Statement 2014–15, pp. 157–162. To achieve its outcome, ASIC has two programs. Program 1.2 covers the Banking Act 1959, the Life Insurance Act 1995, unclaimed monies and special accounts.

74 In relation to the first KPI, reporting is limited to the number and detail of enforcement outcomes. In relation to the second KPI, ASIC’s Annual Report 2013–14 detailed the number of reports of misconduct dealt with, and the proportion finalised within 28 days but did not report against the fairness aspect of this KPI. All five KPIs were unchanged from ASIC’s 2013–14 Portfolio Budget Statements.

75 According to a 2012 OECD Expert Paper, few countries have moved from identifying relevant activities and information to proper indicators for measuring the effectiveness of compliance activities: Radaelli C and Fritsch O, Measuring Regulatory Performance: Evaluating Regulatory Management Tools And Programmes, Expert Paper No. 2, July 2012, p. 18, available from <http://www.oecd.org/gov/regulatory-policy/2_Radaelli%20web.pdf> [accessed 9 December 2014].

76 While ASIC uses the term ‘outcome’, the reference is to the number of activities (a deliverable) rather than the broader effect of the activities on the behaviour of regulated entities.

77 ASIC, Annual Report 2013–14, p. 158.

78 The latest report being ASIC, Report 421: ASIC enforcement outcomes: July to December 2014.

79 Senate Economics References Committee, Parliament of Australia, Performance of the Australian Securities and Investments Commission, 2014, p. 280.

80 Productivity Commission, Regulator Audit Framework, p. 27. During hearings, the Chair of the Senate Economics References Committee expressed concern that ASIC was overly focused on the potential cost to a promisor (Commonwealth Financial Planning) of complying with an EU. Senate Economics References Committee, Parliament of Australia, Performance of the Australian Securities and Investments Commission, 2014, pp. 166–167.

81 ASIC does, however, capture the costs of investigations and enforcement projects more generally. One of the major uses of time recording for ASIC is to allow it to allocate costs to matters and, where a threshold is reached, to recover those costs from its enforcement special account.

82 In September 2014, ASIC advised its stakeholder teams that they were now required to record the time they spend assisting enforcement teams with EUs, including contributing to the monitoring of EUs for which enforcement teams are responsible.

83 For each of these EUs, the ANAO examined: negotiation documentation—communication between ASIC and the promisor, including emails, letters and file notes of correspondence; and decision-making records—including internal memos and emails, file notes and relevant approvals.

84 A memo setting out the background of the matter and recommending an EU was identified for 38 of the 53 EUs (72 per cent), although the format and content of these memos varied considerably and did not always address the matters required. The cases where there was a memo did not always coincide with those with an early approval—there were five EUs where there was a memo, but no early approval, and eight cases where there was an early approval but no memo. This is because of poor record keeping, sometimes because approvals/memos took the form of oral briefings.

85 Minutes were not prepared to record the discussions or outcomes of these meetings.

86 ASIC, Regulatory Guide 100: Enforceable undertakings, February 2015, p. 9.

87 ASIC, Regulatory Guide 100: Enforceable undertakings, February 2015, p. 10.

88 However, there were many EUs where the regulated promisor’s future conduct was implicitly (rather than explicitly) considered. This was often obvious from the terms of the EU (such as where an EU suspended a promisor from an industry, as this would limit the ability for the promisor to engage in misconduct for that period).

89 Of these EUs, 42 also had evidence of reference to at least one of the critical considerations outlined above. Two of the 44 cases that had made reference to at least one of the critical considerations did not also have documented consideration of the alternative regulatory outcomes. Consequently, there was documentary evidence for 46 EUs that ASIC had either considered at least one of the critical considerations or alternative regulatory outcomes.

90 The Enforcement Manual does not provide standard timeframes or guidance in relation to an acceptable timeframe for EU negotiations. The time taken to negotiate an EU will necessarily depend on the nature and complexity of each matter.

91 In this case, the relevant SEL led the negotiations with the regulated entity and provided a statement to the ANAO outlining why an EU presented the most effective regulatory outcome.

92 Senate Economics References Committee, Parliament of Australia, Performance of the Australian Securities and Investments Commission, 2014, p. 280.

93 Senate Economics References Committee, Parliament of Australia, Performance of the Australian Securities and Investments Commission, 2014, p. 271.

94 ASIC, Regulatory Guide 100: Enforceable Undertakings, February 2012, p. 15.

95 These terms required the promisor to refrain from undertaking any acts inconsistent with the terms and objectives of the undertaking, including ‘publishing or making any statement which is derogatory of, denigrates or trivialises the terms, objectives or any other aspect of’ the undertaking.

96 ASIC, Regulatory Guide 100: Enforceable Undertakings, p. 14. The guide specifies terms that may be included in an EU for these purposes, including monitoring and reporting mechanisms the promisor will adopt, and any external assessment of the changes that are put in place.

97 These EUs are not captured as part of the three EUs referred to above. This is because these seven EUs contained other positive obligations that were subject to a reporting requirement (for example, providing an independent expert report).

98 Senate Economics References Committee, Parliament of Australia, Performance of the Australian Securities and Investments Commission, 2014, p. 271.

99 Even where such a clause is not included, ASIC may still be able to monitor and establish compliance with the EUs by requesting documents under the standard clause in EUs. However, this is likely to be less straightforward than a clear positive reporting obligation on the promisor.

100 These instances are largely reflected in the ‘Partially Compliant’ category in Table 3.5.

101 For example, in late 2013, four EUs were being negotiated in which it was proposed that the promisor would make community benefit payments in order to remove profits. The CLO provided advice on matters including: the nature of the payment; the appropriateness of the recipient for such payments; the purpose for such payments; and the legal ability of regulators to have parties pay such amounts. Based on this, the CLO developed supplementary guidance on community benefit payments to facilitate a consistent approach for including these terms in future EUs.

102 ASIC, Information Sheet 152: Public Comment, p. 4.

103 An independent expert is a person required to be appointed under the terms of an EU to undertake a review of specified matters, and to provide a report on these matters to ASIC and/or the promisor.

104 Senate Economics References Committee, Performance of the Australian Securities and Investments Commission, 2014, p. 280.

105 Courts having jurisdiction to hear matters under section 93AA of the Australian Securities and Investments Act 2001 and/or section 322 of the National Consumer Credit Protection Act 2009 include the Federal Court of Australia and state and territory Supreme Courts.

106 While it can be difficult to monitor compliance with terms in EUs requiring a promisor to cease an activity, ASIC’s Financial Reporting and Auditing stakeholder team had a sound process whereby a designated member of that team was responsible for monitoring compliance for the seven EUs involving the exclusion of a promisor from conducting company audits.

107 For some terms, it was not possible to make an assessment as the obligation was future-dated, the EU did not contain reporting obligations or it was not otherwise practical to make an assessment (because the information needed to assess compliance was not available to ASIC and/or the ANAO).

108 Senate Economics References Committee, Performance of the Australian Securities and Investments Commission, 2014, pp. 269–270, 280.

109 The other two EUs also provided some guidance—one required the expert to be an ‘independent, third-party auditor’, and the other required an assessment from ‘one or more suitably qualified and experienced person(s)’.

110 As indicated in Table 4.6, two EUs were also approved prior to or when accepting an EU.

111 These 35 reports were in relation to the 20 EUs accepted during the review period for which an expert report had been submitted pursuant to the EU.

112 The fact that an independent expert makes a positive assessment of a promisor’s compliance is not, of course, evidence, prima-facie or otherwise, that an expert has failed to apply professional scepticism. In many cases, a positive assessment will be warranted as the promisor may have improved their processes and procedures since acceptance of the EU. Nevertheless, given that each of the reports was prepared because ASIC had concerns about a promisor’s compliance, it was expected that at least some reports would identify elements of non-compliance.

113 Senate Economics References Committee, Parliament of Australia, Performance of the Australian Securities and Investments Commission, 2014, p. 280.

114 Senate Economics References Committee, Parliament of Australia, Performance of the Australian Securities and Investments Commission, 2014, p. 280.

115 ASIC, Regulatory Guide 100: Enforceable Undertakings, February 2015, p. 25.

116 As at January 2015, no reports had been published in accordance with the new policy. The two EUs that were not consistent with the interim policy involved, in one case, an individual agreeing to not provide financial services, and in the other case, an individual agreeing to not perform any acts or functions that require registration as a company auditor. Under the final policy in Regulatory Guide 100, ASIC will not report on compliance with these types of undertakings unless it becomes aware of a failure to comply.

117 These include: Australian financial services licensee breach reporting obligations; auditors’ breach reports; and liquidator and auditors’ annual statements.

118 For the other three EUs, the ANAO did not identify an improvement as the findings of the first report were already positive.