The objective of the audit was to assess the effectiveness of the Australian Communications and Media Authority’s regulation of unsolicited communications.

Summary

Introduction

1. Unsolicited communications, which includes unsolicited telemarketing, fax marketing, commercial emails and short message service (SMS) and multimedia message service (MMS) messaging, cost the global economy billions of dollars each year1 and impose on Australians’ time and resources. The Australian Government has established a suite of legislation—including the Do Not Call Register Act 2006 (DNCR Act) and the Spam Act 2003—that is designed to minimise the impact of unsolicited communications on Australians.

2. Under Part 26 of the Telecommunications Act 1997, a person may complain to the Australian Communications and Media Authority2 (the ACMA) about potential breaches of the DNCR Act and the Spam Act. The Authority’s mandate is to deliver a communications and media environment that balances the needs of industry and the Australian community through regulation, education and advice.

3. The regulation of unsolicited communications differs from some other regulatory environments because the industry to which the DNCR Act and Spam Act apply is not clearly defined. These Acts may apply to any industry sector that markets by telephone or email to Australian consumers. In general, the ACMA actively monitors the compliance of an entity only if a complaint or report has been made in relation to the entity’s marketing activities.

Unsolicited communications legislation

4. The DNCR Act, the Telemarketing and Research Industry Standard 2007 and the Fax Marketing Industry Standard 2011 set out the rules applying to telemarketing and fax marketing. The DNCR Act allows Australians who do not wish to receive telemarketing calls or marketing faxes to list their private-use fixed and mobile telephone numbers and fax numbers on the Do Not Call Register (DNCR).3 In February 2015, total DNCR registrations reached 10 million.

5. According to the DNCR Act, unsolicited telemarketing calls and marketing faxes are not to be made to numbers on the register. However, calls and faxes may still be made to registered numbers if they are research calls or fall into the category of designated calls and faxes. This designation applies to certain calls and faxes from registered charities, government bodies, members of parliament, political parties and educational institutions.

6. It is a breach of the Spam Act to send ‘unsolicited commercial electronic messages’ (known as spam) with an ‘Australian link’.4 The Spam Act covers email, SMS and MMS messaging and other electronic messages of a commercial nature. The Act also requires that commercial electronic messages are sent with the recipient’s consent, clearly identify the sender and include a functional unsubscribe facility.

Monitoring and addressing non-compliance

7. Consumers who have received unsolicited communications may lodge a complaint with the ACMA. In 2013–14, the ACMA received over 20 000 complaints in relation to non-compliance with the DNCR Act and almost 1400 complaints and 350 000 direct reports5 in relation to non-compliance with the Spam Act. The most common complaints related to telemarketing calls made to a DNCR-listed telephone number and entities sending commercial emails without first obtaining the recipient’s consent.

8. The graduated model used by the ACMA to respond to potential non-compliance ranges from encouraging voluntary compliance and informal resolution to administrative action and, where necessary, civil action. In 2013–14, the ACMA finalised 16 unsolicited communications investigations under the Telecommunications Act and took 14 enforcement actions—seven formal warnings, four infringement notices and three enforceable undertakings. For example, the ACMA issued a $20 400 infringement notice to a company that made telemarketing calls to telephone numbers listed on the DNCR and a $15 500 infringement notice to a company that sent spam emails that did not include adequate contact information or a functional unsubscribe facility.

Administrative arrangements

9. The ACMA’s Unsolicited Communications Branch (UCB) is responsible for the regulation of unsolicited communications. It is part of the Content, Consumer and Citizen Division (CCCD) and is based at the ACMA’s Melbourne office. Within this branch, the Unsolicited Communications Compliance Section (UCCS) manages compliance with both the DNCR Act and the Spam Act. In 2013–14, the UCCS had a budget of $1.8 million and 18 staff.

Audit objective and criteria

10. The objective of the audit was to assess the effectiveness of the Australian Communications and Media Authority’s regulation of unsolicited communications.

11. To form a conclusion against this audit objective, the ANAO adopted the following high-level criteria:

  • an appropriate framework for assessing and mitigating risks and an effective strategy for monitoring compliance have been established;
  • an effective risk-based program to communicate regulatory requirements and to monitor compliance with the Do Not Call Register Act 2006 and the Spam Act 2003 has been implemented; and
  • non-compliance has been effectively addressed and resolved in accordance with established requirements.

12. The ACMA has been subject to ANAO audit coverage over recent years, including an audit in 2009–10 that assessed the Authority’s effectiveness in operating, managing and monitoring the Do Not Call Register.6 The audit made three recommendations, including one relating to the escalation of regulatory action. This recommendation was followed up as part of this audit’s examination of the ACMA’s monitoring of compliance with the DNCR Act.

Overall conclusion

13. The Australian Communications and Media Authority (the ACMA) is Australia’s regulator for broadcasting, the internet, radiocommunications and telecommunications. The ACMA is responsible for handling complaints from the Australian community about unsolicited communications, including potential breaches of the DNCR Act and the Spam Act, and for monitoring and addressing non-compliance with these acts. The ACMA’s graduated model for addressing non-compliance includes responses ranging from encouraging voluntary compliance and informal resolution to administrative action and, where necessary, civil action. In 2013–14, the ACMA received almost 22 000 complaints relating to unsolicited communications, issued approximately 6000 advisory and informal warning letters and conducted 16 investigations.

14. Overall, the ACMA has established appropriate arrangements to underpin its effective regulation of unsolicited communications. In particular, the ACMA has implemented: processes to help ensure that risks are identified and managed; generally sound policies, processes and practices to support its communication of regulatory requirements and its compliance monitoring activities; and a graduated approach to addressing and resolving non-compliance identified through its regulatory activities. There was, however, scope to improve the following aspects of the ACMA’s regulation of unsolicited communications:

  • written investigation plans and risk assessments were not prepared for any of the 16 investigations finalised in 2013–14 and, in general, complainants were not notified when investigations had been completed. The preparation of written investigation plans, the assessment of investigation risks and the timely notification to complainants of the closure of each investigation would help to improve the delivery and oversight of investigations and achieve compliance with established requirements; and
  • the current performance measures and reporting arrangements have not provided stakeholders with a clear indication of the impact and effectiveness of regulatory activities. Reviewing the measures for the regulation of unsolicited communications and monitoring and accurately reporting against them would better position the Authority to demonstrate the extent to which it is achieving its regulatory objectives.

15. The ANAO has made two recommendations, which are designed to strengthen the ACMA’s regulation of unsolicited communications by improving the planning, monitoring and closure of investigations and the monitoring and reporting of performance.

Key findings by chapter

Monitoring Compliance (Chapter 2)

16. A graduated compliance and enforcement approach for unsolicited communications has been adopted by the ACMA. It is underpinned by guiding principles and strategies to encourage and enforce unsolicited communications compliance. The ACMA’s model for responding to potential non-compliance includes responses ranging from encouraging voluntary compliance and informal resolution to administrative action and, in some circumstances, civil action. The Authority has also established minimum standards for escalating the DNCR regulatory response from informal resolution to administrative action.7 In contrast, minimum standards for escalating cases of spam non-compliance are yet to be established, which has the potential to result in inconsistent regulatory responses to suspected breaches of the Spam Act.

17. The ACMA has developed a Communications Strategy and Communications Plan to encourage voluntary compliance, help entities meet their regulatory responsibilities and assist the public in responding to unsolicited communications. The Communication Strategy provides staff with clear guidance on the UCB’s communication objectives and stakeholder engagement activities, and the Communication Plan effectively outlines the UCB’s key activities, when these activities are to be undertaken and who is responsible for them. Targeted communication and educational activities, such as social media engagement and industry blogs, are delivered as part of the Communications Plan.

18. The arrangements to receive and handle complaints, related to both the DNCR Act and the Spam Act, have generally been managed effectively, with appropriate processes and practices implemented for the lodgement, assessment, acknowledgement and processing of complaints. In relation to the 2013–14 cases examined by the ANAO, the ACMA responded to 97 per cent of DNCR complainants and 81 per cent of spam complainants within an average response time of five days for DNCR complaints and one day for spam complaints. The examined complaints were also generally managed in a timely manner—with 91 per cent of DNCR complaints handled within 21 days of receipt (which exceeded the established target timeframe of 90 per cent) and 75 per cent of spam complaints handled within eight days of receipt (which was below the established target timeframe of 90 per cent).

19. The ACMA reported that it issued approximately 6000 advisory and informal warning letters in 2013–14 in relation to potential non-compliance with the DNCR Act and Spam Act.8 According to the ACMA’s 2013–14 Annual Report, the majority of companies contacted by the ACMA received only one advisory or informal warning letter during 2013–14.9

20. In relation to the spam informal warning letters examined by the ANAO, around 70 per cent related to only one spam report (and no complaints). These letters lacked sufficient information for people and companies to resolve the alleged issues, as letters sent in response to spam reports do not include details of the date the alleged spam message was sent or the email address or mobile number to which the spam message was sent. Further, these informal warning letters were sent, on average, 53 days after a spam report was received by the ACMA, which, when coupled with the limited information provided in the letters, generally made it difficult for people and companies to determine whether a breach had occurred and to address the issue, where necessary. During the audit, the ACMA informed the ANAO that it would amend its procedures so that it will not send informal warning letters to people and companies in circumstances where it is unable to provide sufficient details on the alleged spam message.

Addressing Non-compliance (Chapter 3)

21. The ACMA has established policies for conducting investigations. In 2013–14, the ACMA finalised 16 investigations into potential contraventions of the DNCR Act and the Spam Act. For all investigations, key decisions were made by an appropriate ACMA officer and appropriate documentation was retained on the relevant case files. However, written investigation plans and assessments of investigation risks were not prepared for any of the 16 investigations finalised in 2013–14. The preparation of written plans and risk assessments are outlined as recommended minimum standards in the Australian Government Investigations Standards (AGIS) and are required by the ACMA’s policies. The AGIS also outline that supervisors should review investigations at appropriate intervals to ensure adherence with the AGIS and investigation plans. In the absence of investigation plans, supervisors were not well placed to monitor the performance of the ACMA’s investigations.

22. In 2013–14, all entities that were investigated (the respondents) were notified of the closure of the investigation in a timely manner. In contrast, the consumers who had made the complaints on which the investigations were based (the complainants) were notified of the closure of the investigation for only three of the 16 investigations. In addition to being outlined as a requirement in the ACMA’s internal policies, notifying complainants is part of the ACMA’s published complaint handling policies.

23. Unsolicited communications legislation provides for several forms of enforcement action that may be used in response to non-compliance: formal warnings, infringement notices, enforceable undertakings and federal court action. In 2013–14, the ACMA took 14 enforcement actions—seven formal warnings, four infringement notices and three enforceable undertakings. All decisions to take enforcement action were appropriately documented and included the rationale for the selected action. All decisions were retained on the case files and signed by an appropriate ACMA officer. For all infringement notices, legislative requirements were met, payments were received on time and proof of payment was retained on the case files.

24. Since 2003, the ACMA has completed four prosecutions in the Federal Court, involving 12 respondents and resulting in $30.08 million in penalties. In relation to the one case involving the DNCR Act, the ACMA also obtained a five-year injunction that restricted the respondent from engaging in the telemarketing sector.10

Governance Arrangements (Chapter 4)

25. The ACMA has established appropriate administration arrangements to underpin its regulation of unsolicited communications, including oversight arrangements to monitor key aspects of regulatory activity and an established process for business planning. Sound guidance on risk management has been developed through a risk management framework review that had been underway at the ACMA between 2011 and early 2014. The Authority has also established appropriate arrangements to identify and manage conflicts of interest, including a management instruction outlining requirements and appropriate monitoring arrangements.

26. The ACMA regularly reports on its compliance activities to both internal and external stakeholders, primarily through monthly and quarterly management reports, annual reports, annual communications reports and monthly compliance activity statistics. There have, however, been some issues in relation to the accuracy of reporting, with inaccurate compliance activity data included in the ACMA’s 2013–14 Annual Report and, subsequently, in its 2013–14 Communications Report. In addition, there is a lack of alignment of performance measures across key planning documents and an absence of targets for objectively assessing performance. Existing measures provide limited insights into the impact or effectiveness of the regulation of unsolicited communications. Reporting against an appropriate set of performance measures would enable the ACMA to better demonstrate the extent to which it is achieving its regulatory objectives.

Summary of entity response

27. The ACMA’s summary response to the proposed report is provided below, while the full response is provided at Appendix 1.

The Australian Communications and Media Authority (the ACMA) welcomes the ANAO’s report on its audit of the ACMA’s activities in the regulation of unsolicited communications.

The ACMA notes that the report presents, overall, a positive picture of the ACMA’s regulatory program for handling complaints about unsolicited communications, including potential breaches of the Spam and DNCR Acts, and for monitoring and addressing non-compliance with these Acts. I welcome the ANAO’s findings and recommendations as presenting opportunities to further enhance and improve this program.

The ACMA accepts the ANAO’s two recommendations contained within the report, and has already implemented and/or will complete implementation of these recommendations. In response to Recommendation 1, the ACMA now prepares and uses investigation plans to conduct investigations, and routinely notifies complainants of the closure of investigations. The ACMA is currently reviewing and enhancing its measures for regulation of unsolicited communications, in response to Recommendation 2, and will fully implement these performance measures during 2015–16.

Recommendations

Recommendation No. 1

Paragraph 3.37

To improve the planning, monitoring and closure of investigations and to comply with established requirements, the ANAO recommends that the Australian Communications and Media Authority:

  1. prepare a written investigation plan that includes an assessment of risks prior to the commencement of each investigation; and
  2. notify complainants of the closure of each investigation in a timely manner.

ACMA’s response: Agreed.

Recommendation No. 2

Paragraph 4.48

To improve the effectiveness of its performance monitoring and reporting and to better inform stakeholders about the extent to which regulatory objectives are being achieved, the ANAO recommends that the Australian Communications and Media Authority:

  1. review and enhance its performance measures for the regulation of unsolicited communications; and
  2. monitor and accurately report against these performance measures.

ACMA’s response: Agreed.

1. Background and Context

This chapter provides information on the Australian Communications and Media Authority’s regulation of unsolicited communications and sets out the audit approach.

Unsolicited communications

1.1 Unsolicited communications, which includes unsolicited telemarketing, fax marketing, commercial emails and short message service (SMS) and multimedia message service (MMS) messaging, cost the global economy billions each year11 and impose on Australians’ time and resources. The Australian Government has established a suite of legislation that is designed to minimise the impact of unsolicited communications on Australians. This legislation includes the Do Not Call Register Act 2006 (DNCR Act) and the Spam Act 2003.

1.2 Under Part 26 of the Telecommunications Act 1997, a person may complain to the Australian Communications and Media Authority (the ACMA) about potential breaches of the DNCR Act and the Spam Act. The ACMA is a statutory authority within the federal Communications portfolio and Australia’s regulator for broadcasting, the internet, radiocommunications and telecommunications. The ACMA’s mandate is to deliver a communications and media environment that balances the needs of industry and the Australian community through regulation, education and advice.12

1.3 The regulation of unsolicited communications differs from some other regulatory environments, because the industry to which the DNCR Act and Spam Act apply is not clearly defined. These Acts may apply to any industry sector that markets by telephone or email to Australian consumers. In general, the ACMA actively monitors the compliance of an entity only if a complaint or report has been made in relation to the entity’s marketing activities. In 2013–14, the ACMA received almost 22 000 complaints and 350 000 direct reports from the Australian community about potential breaches of unsolicited communications legislation.

Do Not Call Register Act

1.4 The DNCR Act, the Telemarketing and Research Industry Standard 2007 and the Fax Marketing Industry Standard 2011 set out the rules applying to telemarketing and fax marketing. The DNCR Act allows Australians who do not wish to receive telemarketing calls or marketing faxes to list their private-use fixed and mobile telephone numbers and fax numbers on the Do Not Call Register (DNCR).13 As at 30 June 2014, more than 9.6 million numbers had been listed on the register, representing around half of Australia’s fixed-line numbers, 4.1 million mobile numbers and 377 000 fax numbers, as outlined in Figure 1.1. In February 2015, total DNCR registrations reached 10 million.

Figure 1.1: Numbers on the Do Not Call Register (2009–10 to 2013–14)

Source: ACMA’s 2013–14 Annual Report, p. 120.

1.5 According to the DNCR Act, unsolicited telemarketing calls and marketing faxes are not to be made to numbers on the register. However, calls and faxes may still be made to registered numbers if they are research calls or fall into the category of designated calls and faxes. This designation applies to certain calls and faxes from registered charities, government bodies, members of parliament, political parties and educational institutions.

1.6 To avoid breaching the DNCR Act, telemarketers and fax marketers are to submit their contact lists for checking against the register. In 2013–14, over 1.1 billion numbers were checked or ‘washed’ against the register by 1189 telemarketers and fax marketers.

1.7 The Telemarketing and Research Industry Standard and the Fax Marketing Industry Standard set out the rules all telemarketers, fax marketers and researchers must follow, including: not making telemarketing and research calls or sending marketing faxes during prohibited calling times14; ending telemarketing calls when requested; providing opt-out functionality for marketing faxes; and including a valid calling line identification number. All consumers are protected by the requirements of the industry standards, whether or not they have listed their numbers on the DNCR.

1.8 Consumers who have listed their number(s) on the register may make complaints to the ACMA about unsolicited telemarketing and fax marketing calls. The most common DNCR-related complaint relates to telemarketing calls made to a listed telephone number, which is a potential breach of the DNCR Act. The ACMA has the power to investigate and, where necessary, take enforcement action in response to breaches of the legislation. All Australians are able to make complaints to the ACMA about potential breaches of the industry standards. In 2013–14, the ACMA received over 20 000 complaints in relation to non-compliance with the DNCR Act and industry standards and conducted a range of compliance activities, as outlined in Table 1.1.

1.9 The ACMA has adopted an ‘advise, warn, investigate’ approach to DNCR compliance, applying a graduated level of intervention and focusing on industry education and stakeholder engagement. When the ACMA is able to identify the entity that is the subject of a telemarketing or fax complaint, it sends an ‘advisory’ letter, providing the party with information about its legislative obligations and advising that its compliance will be monitored for 180 days. During 2013–14, the ACMA issued 940 advisory letters to entities identified as potentially in breach of the requirements of the DNCR Act and industry standards, as outlined in Table 1.1.

Table 1.1: DNCR complaints and compliance activities (2012–14)

 

2012–13

2013–14

Complaints

19 677

20 462(1)

Advisory letters

918

940(2)

Informal warning letters

139

114(3)

Investigations finalised

11

6

Enforcement actions

8

5

Source: ANAO analysis of ACMA information.

Note 1: The ACMA informed the ANAO that this is the number of DNCR complaints received and classified in 2013–14. The number of complaints is higher than the number of advisory letters for two main reasons: (1) 20 per cent (4178) of DNCR complaints received in 2013–14 were assessed as being ‘no breach’; and (2) advisory letters are not sent for each complaint. Advisory letters are sent when one complaint is received and the entity is subsequently monitored for 180 days. No further advisory letters are generally sent during the monitoring period (even if further complaints are received). However, if five or more complaints are received during the period, an informal warning letter may be sent.

Note 2: The ACMA informed the ANAO that the number of advisory letters listed in the 2013–14 Annual Report (951) was incorrect. The ACMA provided the revised figure (942) to the ANAO in October 2014. The ANAO’s analysis identified two additional cases where reported advisory letters had not been sent, which brings the total down to 940.

Note 3: The ANAO’s analysis identified that two listed informal warning letters had not been sent, bringing the reported figure of 116 down to 114.

1.10 Where the ACMA receives five or more complaints about the same entity during the 180-day monitoring period, it may issue an informal warning letter, which provides more detailed information about the complaints received (including the date, time of call and substance of complaint) and provides the party with a further opportunity to address issues on a voluntary basis. In 2013–14, the ACMA issued 114 informal warning letters to entities that were the subject of multiple DNCR complaints.

1.11 Where non-compliance continues after an entity has been advised and warned, the ACMA considers whether to proceed to an investigation. During 2013–14, the ACMA finalised six telemarketing-related investigations under Part 26 of the Telecommunications Act. As a result of these investigations, the ACMA issued one infringement notice, accepted two enforceable undertakings, issued two formal warnings and closed one investigation with no enforcement action being taken.

Spam Act

1.12 It is a breach of the Spam Act to send ‘unsolicited commercial electronic messages’ (known as spam) with an ‘Australian link’.15 The Act covers email, SMS and MMS messaging and other electronic messages of a commercial nature. The Act requires that commercial electronic messages: are sent with the recipient’s consent; clearly identify the sender; and include a functional unsubscribe facility.

1.13 Consumers may make complaints about spam to the ACMA, with the most common spam-related complaint relating to companies sending commercial emails without first obtaining the recipient’s consent.16 Consumers may also report spam to the ACMA by forwarding a spam email or SMS to the Authority’s Spam Intelligence Database. Unlike complaints, reports are not necessarily reviewed individually, but they contribute to intelligence about spam trends and prevalence. Of the direct reports reviewed by the ACMA in 2013–14, the most common breach identified was the same as for complaints—that an email had been sent without the recipient’s consent.

1.14 In 2013–14, the ACMA received 1387 complaints and almost 350 000 direct reports about non-compliance with the Spam Act. In response, the ACMA issued 4967 informal warnings, as outlined in Table 1.2.

Table 1.2: Spam complaints, reports and compliance activities (2012–14)

 

2012–13

2013–14

Complaints

1246

1387(1)

Reports

409 761

346 592

Informal warning letters

7105

4967(2)

Investigations finalised

10

10

Enforcement actions

9

9

Source: ANAO analysis of ACMA information.

Note 1: The number of complaints is lower than the number of informal warning letters because the ACMA also sends informal warning letters in response to some spam reports.

Note 2: The ACMA informed the ANAO that the number of informal warning letters published in the 2013–14 Annual Report (5002) was incorrect, providing the revised figure (4967) in October 2014.

1.15 When multiple informal warnings have been issued to an entity and voluntary compliance is not forthcoming, the ACMA considers whether to proceed to an investigation. In 2013–14, the Authority finalised 10 spam-related investigations, which resulted in nine enforcement actions—five formal warnings, three infringement notices and one enforceable undertaking.

Gathering intelligence

1.16 The ACMA gathers intelligence though direct complaints and reports from the public about potential breaches of DNCR and spam legislation. The ACMA also receives over 20 million ‘indirect reports’ of spam annually—from a variety of sources, including ‘spamtraps’.17 These spam messages are stored, along with direct reports, in the Spam Intelligence Database. The ACMA uses software tools to analyse this large volume of spam to identify messages that are likely to have the greatest impact on Australians. The Spam Intelligence Database is also used to identify trends, such as prolific senders, and the incidence of malware18 within spam messages.

Collaboration and international engagement

1.17 A number of federal government entities have responsibilities regarding illegal electronic messages. The Australian Competition and Consumer Commission (ACCC)19 is responsible for handling fraudulent messages and scams, and the Australian Federal Police is responsible for high tech crime offences, such as the distribution of malware (see Figure 1.2). While the ACMA is responsible for all commercial electronic messages under the Spam Act (regardless of their content), it has discretion to pursue a matter under the Spam Act and/or refer it to another relevant agency.

Figure 1.2: Federal responsibilities for the regulation of illegal electronic messages

Source: ANAO analysis of ACMA information.

1.18 The ACMA also participates in the Australasian Consumer Fraud Taskforce, which comprises 22 government entities with responsibility for consumer protection regarding frauds and scams.

1.19 Further, the ACMA seeks to collaborate with overseas counterparts on common problems and to share information, with the goal of reducing the impact on Australians of unsolicited communications originating offshore. For example, the ACMA participates in the London Action Plan—an international network that was founded in 2004 with the purpose of promoting international spam enforcement cooperation. It has since expanded its mandate to include additional online and mobile threats, including unsolicited telemarketing calls and administering Do Not Call schemes. The network has 45 government members and 28 industry participants.

Administrative arrangements

1.20 The ACMA’s day-to-day activities are managed by an executive team comprising: the Chair; the Deputy Chair; one full-time Member20; four general managers; and 11 executive managers. General Managers are currently responsible for four divisions: Content, Consumer and Citizen; Communications Infrastructure; Corporate and Research; and Legal Services. In 2014–15, the ACMA’s budget was $99.3 million21, and it employed approximately 450 staff.22

1.21 The Unsolicited Communications Branch (UCB) is part of the ACMA’s Content, Consumer and Citizen Division (CCCD) and is based at the ACMA’s Melbourne office. Within this branch, the Unsolicited Communications Compliance Section (UCCS) manages compliance with both the DNCR Act and the Spam Act.23 In 2013–14, the UCCS had a budget of $1.8 million and 18 staff.

Previous reviews and audit coverage

Review and amendment of the Do Not Call Register

1.22 In February 2014, the DNCR Act was amended by the Telecommunications Legislation Amendment (Consumer Protection) Act 2014 to enable the ACMA to more effectively pursue telemarketers that use third parties overseas and other intermediaries to reach Australian consumers, in breach of the DNCR Act.

1.23 In mid-2014, after releasing a discussion paper and receiving 1300 submissions on the optimal period of registration for the DNCR24, the Department of Communications submitted legislation to the Parliament to amend the DNCR Act. In April 2015, the resulting legislation, the Telecommunications Legislation Amendment (Deregulation) Act 2015, amended the DNCR Act to make the registration period of the register indefinite, which is intended to reduce the administrative burden on consumers.

ANAO performance audit coverage

1.24 The ACMA has been subject to ANAO audit coverage over recent years, including:

  • ANAO Audit Report No.46 2007–08 Regulation of Commercial Broadcasting; and
  • ANAO Audit Report No.16 2009–10 Do Not Call Register.

1.25 The objective of the 2009–10 audit of the DNCR was to assess the ACMA’s effectiveness in operating, managing and monitoring the register, including compliance with legislative requirements. The audit concluded that, overall, the ACMA had implemented arrangements that effectively supported its regulatory oversight of the register. The audit made three recommendations that focused on information technology (IT) security management practices, complaint handling and the escalation of regulatory action, including Recommendation 3:

To further improve transparency and minimise the risk of inconsistency in compliance enforcement decision making, the ANAO recommends that ACMA set minimum standards in its procedures for escalating regulatory action.

1.26 This audit followed up on Recommendation 3 as part of its examination of the ACMA’s monitoring of compliance with the DNCR Act.

Audit objective, criteria, scope and methodology

Objective

1.27 The objective of the audit was to assess the effectiveness of the Australian Communications and Media Authority’s regulation of unsolicited communications.

Criteria

1.28 To form a conclusion against this audit objective, the ANAO adopted the following high-level criteria:

  • an appropriate framework for assessing and mitigating risks and an effective strategy for monitoring compliance have been established;
  • an effective risk-based program to communicate regulatory requirements and to monitor compliance with the Do Not Call Register Act 2006 and the Spam Act 2003 has been implemented; and
  • non-compliance has been effectively addressed and resolved in accordance with established requirements.

Scope

1.29 The audit focused on the regulatory aspects of the DNCR Act and the Spam Act. The audit did not examine the day-to-day administration of the DNCR, the ACMA’s contract arrangements with the third-party operator of the DNCR or the Authority’s internet security activities.

Methodology

1.30 In undertaking the audit, the ANAO: examined policy documents, guidelines and standard operating procedures; reviewed files and records; interviewed relevant ACMA staff; examined a random sample of 2013–14 compliance monitoring activities related to the DNCR Act and the Spam Act25; and examined all 16 investigations and 14 enforcement actions finalised in 2013–14.

1.31 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of $354 500.

Report structure

1.32 The structure of the report is set out in Table 1.3.

Table 1.3: Report structure

Chapter

Outline

2. Monitoring Compliance

Examines the ACMA’s monitoring of compliance with unsolicited communications legislation.

3. Addressing Non-compliance

Examines the ACMA’s approach to addressing and resolving non-compliance with unsolicited communications legislation.

4. Governance Arrangements

Examines the governance arrangements in place to support the ACMA’s regulation of unsolicited communications.

2. Monitoring Compliance

This chapter examines the ACMA’s monitoring of compliance with unsolicited communications legislation.

Introduction

2.1 The Unsolicited Communications Compliance Section (UCCS) undertakes compliance monitoring activities and investigations of potential breaches of the Do Not Call Register Act 2006 (DNCR Act), the Spam Act 2003 and associated industry standards in response to complaints and reports made to the ACMA by the public. The UCCS’s objectives are to ‘minimise unsolicited telemarketing calls and faxes to citizens; spam emanating from Australia; and the impact of spam on citizens’.

2.2 The ANAO examined the ACMA’s compliance and enforcement policies and the manner in which the ACMA monitors compliance with unsolicited communications legislation, including its activities for:

• communicating with stakeholders and encouraging voluntary compliance;

• assessing complaints and reports; and

• responding to non-compliance.

Compliance and enforcement policies

2.3 The ACMA has adopted a compliance and enforcement approach for unsolicited communications that is underpinned by guiding principles and strategies to encourage and enforce unsolicited communications compliance. This graduated approach seeks to: educate the industry about its regulatory obligations; encourage a culture of compliance; promote better practice; and achieve compliance with minimal intervention. The ACMA’s unsolicited communications compliance strategy outlines its DNCR and spam compliance mission and business objectives. The ACMA has also developed a Compliance and Enforcement Manual, which covers: ACMA enforcement and regulatory policy; scoping and planning of investigations; evidence gathering; decision-making; compliance and enforcement options; and information management procedures. It was most recently updated in April 2014.

2.4 In addition to established corporate policies and manuals, the UCCS has standard operating procedures for complaint handling and compliance monitoring.

Graduated response to non-compliance

2.5 A graduated approach to compliance allows a regulator to either escalate action if an entity does not respond appropriately to initial regulatory action or reward an entity for improved performance with reduced compliance activity. In addition, the flexibility of a graduated approach allows a regulator’s response to: be proportionate to the risks posed by the non-compliance; recognise the capacity and motivation of the non-compliant entity to return to compliance; and signal the seriousness with which a regulator should view the non-compliance.26

2.6 The graduated model used by the ACMA to respond to potential non-compliance in relation to unsolicited communications includes responses ranging from encouraging voluntary compliance and informal resolution to administrative action and, where necessary, civil action (see Figure 2.1). When determining the appropriate response, compliance officers are to take into account: the regulatory objectives of the legislation breached; the nature of the breach; the entity’s compliance history; and the entity’s level of cooperation with the ACMA.

Figure 2.1: Compliance and enforcement response model

Source: UCCS Compliance and Enforcement Approach diagram (reproduced by the ANAO).

Note 1: In specific circumstances, matters may be referred for criminal prosecution.

2.7 The UCCS has developed business rules to guide compliance officers through its graduated response model. As outlined in Table 2.1, the number of compliance activities escalated during 2013–14 decreased at each compliance tier, aligning with the expected graduated response pattern.

Table 2.1: UCCS compliance and enforcement responses (2013–14)

Compliance Tier

Compliance Activity

DNCR Act

Spam Act

Informal resolution

Advisory letters

940

Informal warning letters

114

4967

Administrative action

Investigations

6

10

Enforcement actions

5

9

Civil action

Federal court action

0

0

Source: ANAO analysis of ACMA information.

Minimum standards for escalating regulatory action

2.8 The ACMA has established minimum standards for escalating the DNCR regulatory response through the informal resolution tier and from informal resolution to administrative action. According to UCCS business rules, an entity is to be:

  • issued with an advisory letter when one (or more) complaints are received by the ACMA;
  • moved from advisory letter stage to informal warning letter stage if the ACMA receives five or more complaints about the entity during a 180-day monitoring period (which commences from the date of the advisory letter); and
  • moved from informal warning letter stage to consideration for possible investigation if the ACMA receives five or more complaints during an additional 180-day monitoring period (which commences from the date of the informal warning letter).

2.9 In contrast to DNCR regulatory activities, minimum standards for escalating spam regulatory responses have not been established. Informal warning letters are generally sent to an entity every month that spam complaint(s) and/or reports(s) are received until compliance officers determine that voluntary compliance is not likely to occur and they recommend that the entity be considered for possible investigation. The establishment of thresholds for escalating compliance activities for non-compliance with the Spam Act would help to deliver more consistent regulatory responses.

Communicating with stakeholders and encouraging voluntary compliance

2.10 The relationships that a regulator establishes with regulated entities and other stakeholders can make an important contribution to the effective administration of regulation. Effective stakeholder engagement has many benefits, such as allowing a regulator to: effectively elicit compliance; identify and address compliance issues as they emerge; and design appropriate responses to non‐compliance.

2.11 The ACMA engages in targeted communication and educational activities to encourage voluntary compliance, help entities meet their regulatory responsibilities and assist the public in responding to unsolicited communications. These activities include direct contact with stakeholders, industry blogs and social media engagement. The ANAO examined the ACMA’s approach to communicating with stakeholders, including: communication strategies; communicating regulatory responsibilities and encouraging voluntary compliance; and communicating enforcement action outcomes.

Communication strategies

2.12 The Unsolicited Communications Branch (UCB) is responsible for communication, education and public awareness activities related to the DNCR Act and Spam Act. These activities include: managing relevant pages of the ACMA website; preparing blog posts; issuing media releases and scam alerts; and engaging with stakeholders through social media.

2.13 The UCB has developed a Communication Strategy, which aims to: make citizens aware of the protections available against unsolicited communications, including their legislative limitations; encourage people and companies engaging in telemarketing and e-marketing to comply; and inform citizens and small to medium-sized enterprises of new security threats. It defines key stakeholders, communication objectives, key messages, priorities and measures of success. Measures of success include traffic to ACMA websites and blogs and engagement on social media. The ACMA uses web analytics to measure performance in these areas, and the media communications team provides monthly web analytic reports to the UCB and the Executive Group.27 The UCB revises the Strategy periodically, with the most recent version dated September 2014.

2.14 The UCB has also developed a Communication Plan, which establishes the goals, responsible parties, target audiences, key messages and measures of success for periodic and event-driven stakeholder activities. The plan outlines key activities, when activities are to be undertaken and who is responsible for them. It is reviewed periodically, with the most recent version, at the time of the audit, dated February 2014.

Communicating regulatory responsibilities and encouraging voluntary compliance

2.15 Effective two-way engagement and communication with regulated entities can lead to positive regulatory outcomes. When regulated entities have a clear understanding of their regulatory obligations, they are better able to comply.28 The UCB uses a variety of channels, including websites, blogs and social media, to provide DNCR Act and Spam Act guidance and educational material and advice to consumers on the scope and nature of the ACMA’s regulatory role, such as advice that the ACCC, rather than the ACMA, is responsible for scam calls.

Websites

2.16 The UCB maintains a number of pages on the ACMA website for the purpose of consumer and stakeholder education and guidance, including:

  • Stay protected: web pages that target consumers and provide fact sheets and online forms to lodge complaints about unsolicited communications; and
  • acma-i: a web page that targets industry, containing regulatory fact sheets and information on outcomes and statistics of complaints, investigations and enforcement activities.

2.17 In addition, the third-party Register Operator29 maintains the DNCR website, which provides information for citizens and companies on outcomes of investigations, scam alerts and facilities for registering phone numbers and lodging complaints.

2.18 Since February 2014, the UCB has collected web analytics data, such as the number of total and unique page views for key web pages and the average time spent on each page. The UCB uses this data to track and evaluate its stakeholder engagement and communication activities. In the period from February to August 2014, there was an increase in the total number of monthly views for the web pages that the UCB maintains (17 648 in February to 21 211 in August), with, on average, views for industry-related web pages representing 63 per cent of total page views and views for web pages targeting consumers representing 37 per cent of total views.

Blogs

2.19 The UCB also maintains several blogs that aim to provide industry with better practice guidance and to address developing industry trends (see Table 2.2). A key use of the blogs is regulatory education, with entities directed to blog posts by compliance officers in instances where potential non-compliance has been identified.

Table 2.2: Scope and number of the ACMA’s blog posts (2013–15)

Scope of Blog

Number of Posts

 

2013–14

2014–15

Successful e-marketing…it’s about reputation

Email and SMS marketing, covering topics such as: unsubscribe features; sender identification; purchasing contact lists; and overseas outsourcing.

6

6

Better telemarketing…take the right line

Advice on telemarketing and fax marketing processes and practices, insights into common consumer concerns and issues and simple ideas to make your marketing campaigns more effective.

2

1

The guru guide

Intended to give an insider’s view on what’s happening in the world of e-marketing, fax marketing and telemarketing compliance.

3

0

Total

11

7

Source: ANAO analysis of ACMA blogs.

Social media

2.20 The UCB also provides announcements and links to blog posts, news articles and compliance outcomes on social media sites such as Facebook and Twitter. For example, the ACMA made an announcement on Facebook and Twitter when the 10 millionth telephone number was registered on the DNCR in February 2015 (see Figure 2.2).

Figure 2.2: ACMA Facebook announcement

Source: ACMA Facebook page.

2.21 Social media is also used to alert consumers to scams. For example, a post to the ACMA’s Facebook page in March 2014 warned of an emerging scam in which a caller claiming to be from a telecommunications provider would attempt to have a consumer install malware on their computer. The ACMA also used this opportunity to direct the public to the ACCC’s SCAMwatch website, as the ACCC is the federal entity responsible for responding to scams. The post was viewed by almost 50 000 people in the first 48 hours, and had been the most popular post on the ACMA’s Facebook page to date (see Figure 2.3).

Figure 2.3: ACMA Facebook scam warning

Source: ACMA Facebook page.

Communicating enforcement action outcomes

2.22 The Australian Government Investigations Standards (AGIS) state that entities ‘are to have written procedures regarding liaison with the media and the release of media statements in regard to investigations’. In accordance with these standards, the ACMA has established written procedures regarding the release of investigation media statements. These procedures are outlined in the ACMA’s Compliance and Enforcement Manual and include specific procedures for each type of enforcement action. For example, the ACMA procedures indicate that media releases relating to infringement notices are not to be issued until the infringement notice has been paid.

2.23 Following the finalisation of enforcement activities, the ACMA may issue a media release and make the details of the enforcement action public when: a formal warning has been issued; an enforceable undertaking has been accepted; an infringement notice has been paid; or when civil proceedings have been filed.

2.24 At the conclusion of enforcement actions taken in 2013–14, the ACMA issued media releases for 79 per cent of the actions and published enforcement documents for 64 per cent of the actions, as shown in Table 2.3. All of the 2013–14 media releases that related to enforcement actions were issued in accordance with established procedures.

Table 2.3: Publication of enforcement action results (2013–14)

 

Total Cases (Enforcement Action Taken)

Media Release Issued

Enforcement Document Published

DNCR

5

5

4

Spam

9

6

5

Total

14

11 (79%)

9 (64%)

Source: ANAO analysis of ACMA information.

Assessing complaints and reports

2.25 Consumer complaints and reports about telemarketing and spam are the UCCS’s primary source of compliance intelligence. The UCCS’s process for monitoring compliance with unsolicited communications legislation involves receiving and analysing complaints and reports from the public, issuing advisory and informal warning letters, monitoring potentially non-compliant entities to assess ongoing compliance and, where necessary, commencing investigations into entities that continue non-compliant activities, despite receiving warnings from the ACMA (see Figure 2.4).

Figure 2.4: UCCS process for monitoring compliance

Source: ANAO analysis of ACMA information.

2.26 The ACMA has a Compliance and Enforcement Manual, standard operating procedures and other guidance in place to underpin the assessment of complaints and reports of unsolicited communications. In 2013–14, the ACMA received 20 462 telemarketing and fax complaints, 1387 spam complaints and 346 592 spam reports, as outlined in Table 2.4.

Table 2.4: DNCR and spam complaints and reports (2012–14)

 

2012–13

2013–14

DNCR complaints

19 677

20 462

Spam complaints

1246

1387

Spam reports

409 761

346 592

Source: ANAO analysis of ACMA information.

2.27 To assess how effectively the ACMA monitors compliance with unsolicited communications legislation, the ANAO examined a random sample of 271 (of 1054) DNCR compliance activities30 and 235 (of 4967) spam compliance activities for the period 2013–14.

Lodgement and assessment

2.28 Telemarketing or fax marketing complaints are made through the DNCR website or the 1300 number. These complaints are initially received and assessed by the Register Operator to determine whether the complaint is within the ACMA’s jurisdiction. Where the complaint raises a potential breach, the Register Operator forwards it to the ACMA for action. The most common DNCR-related complaint involves unsolicited telemarketing calls made to a listed telephone phone number.31 Where no potential breach has taken place, the Register Operator resolves the complaint. The ACMA is to review the initial assessment and amend it where necessary. In general, the ACMA does not amend the initial assessment by the Register Operator, with only one per cent (2 of 193) of the initial assessments in the ANAO’s sample amended.

2.29 Spam complaints are typically lodged through an online form on the ACMA website, but complaints can also be made by telephone. The most common spam-related complaint involves a company that has sent a commercial email without first obtaining consent.32 Complaints and reports are processed by compliance officers, who assign themselves specific cases in the relevant case management system.33

2.30 Direct spam reports are made by forwarding an unsolicited email to the ACMA’s reporting email address or forwarding an unsolicited SMS to a dedicated telephone number. Of the reports reviewed by the ACMA in 2013–14, the most common breach identified related to an email that had been sent without the consent of the recipient. As outlined earlier, reports of spam are stored in the ACMA’s Spam Intelligence Database. The ACMA receives an average of 950 direct spam reports each day, with complaints taking priority over reports. Compliance officers review spam reports in the Spam Intelligence Database, as resources allow, and, if it is determined that a message appears to be commercial and has sufficient information to identify the sender, it is transferred to the spam case management system for processing.

Scope of complaint

2.31 Once complaints are assigned to a compliance officer, the scope of the complaint is assessed to confirm that it is within the ACMA’s regulatory jurisdiction. To be actioned, complaints must relate to a potential breach of the:

• Do Not Call Register Act 2006 (DNCR Act);

• Spam Act 2003;

• Telemarketing and Research Industry Standard 2007; and/or

• Fax Marketing Industry Standard 2011.

2.32 For DNCR complaints, compliance officers confirm that the complainant has been registered on the DNCR for at least 30 days. Complainants do not, however, need to be registered to make complaints related to the industry standards.

2.33 For spam complaints and reports, compliance officers must determine whether the message: is a commercial electronic message34; has an ‘Australian link’; and is not a designated commercial electronic message.35

Australian link for spam complaints and reports

2.34 According to section 16(1) of the Spam Act, ‘a person must not send, or cause to be sent, a commercial electronic message that: (a) has an Australian link’. Section 7 of the Spam Act states that a commercial electronic message has an Australian link if, and only if:

(a) the message originates in Australia; or

(b) the individual or organisation who sent the message, or authorised the sending of the message, is: (i) an individual who is physically present in Australia when the message is sent; or (ii) an organisation whose central management and control is in Australia when the message is sent; or

(c) the computer, server or device that is used to access the message is located in Australia; or

(d) the relevant electronic account-holder is: (i) an individual who is physically present in Australia when the message is accessed; or (ii) an organisation that carries on business or activities in Australia when the message is accessed; or

(e) if the message cannot be delivered because the relevant electronic address does not exist—assuming that the electronic address existed, it is reasonably likely that the message would have been accessed using a computer, server or device located in Australia.

2.35 The ANAO examined a sample of 235 spam cases to determine whether an Australian link had been established. While for 97 per cent (229 of 235) of cases, the Australian link was apparent, the ACMA had not demonstrated that an Australian link had been established for the remaining six cases. All six cases related to a report (and not a complaint) and a company that was based overseas.36 The ACMA informed the ANAO that, although it is required to establish an Australian link before issuing a formal adverse finding against an entity, it does not establish an Australian link prior to issuing spam-related informal warning letters, as it considers it reasonable to operate on the assumption that consumers will complain or report about only those spam messages that have an Australian link.

Compliance history

2.36 The decision to respond to potential non-compliance can be informed by the compliance history of the party in question.37 To accurately record the compliance history of a person or company and to inform any future compliance activity, compliance officers attempt to assign the complaint to the appropriate entity in its case management system. Because some companies use a variety of trading names, compliance officers use a number of tools and methods to identify the relevant company.

2.37 The ANAO found that 33 per cent of entities against which DNCR complaints were made were identified in the ACMA’s database of potentially non-complaint entities38, and 46 per cent of spam complaints related to entities that had a prior history of potential non-compliance with the Spam Act.

2.38 The history of DNCR complainants is also reviewed by the ACMA when assessing new complaints. When providing acknowledgement that a DNCR complaint has been received, the ACMA will note any previous complaints by the complainant against different or the same entities. The ANAO found that 42 per cent of consumers who made a complaint in 2013–14 had made a previous complaint.

Responding to the complainant

2.39 Prompt acknowledgement that a complaint has been received, including an outline of the complaint process, is an important element in managing the complainant’s expectations and reassuring them that their complaint is receiving attention.39

2.40 Compliance officers are to respond to complainants to acknowledge that their complaints have been received. In 2013–14, the ACMA responded to 97 per cent of DNCR complaints and 81 per cent of spam complaints. For DNCR responses, there is a standard response template that the ACMA modifies for about half (47 per cent) of responses to note any previous complaints and to inform the complainant if the entity is already being monitored for previous cases of potential non-compliance. In relation to spam complaints, a standard response is generally issued automatically on receipt, but due to an IT issue with the new case management system, not all ‘auto responses’ were sent between October 2013 and February 2014.40 The ANAO’s analysis of response rates and times is outlined in Table 2.5.

Table 2.5: Complaint response rates and times (2013–14)

Type of Complaint

Response Rate

Average Response Time

DNCR Act complaint

97%

5 days

Spam Act complaint

81%

1 day(1)

Source: ANAO analysis of ACMA information.

Note 1: Responses to Spam Act complaints are generally issued automatically on receipt.

Assigning potential breach types

2.41 Compliance officers are to assess complaints and reports to determine which, if any, potential breaches of legislation have occurred. In 2013–14, the majority of potential DNCR breaches identified by the ACMA related to the DNCR Act—particularly, section 11, which prohibits telemarketers from calling a number on the register. The majority of the potential spam breaches identified through consumer complaints related to section 16 of the Spam Act, which prohibits commercial emails being sent without consent.41

2.42 The 193 DNCR advisory letter cases and the 235 informal warning letter cases examined by the ANAO related to 174 potential breaches of the DNCR Act, 98 potential breaches of telemarketing and fax marketing standards and 267 potential breaches of the Spam Act, as outlined in Table 2.6.

Table 2.6: Identified potential breaches in ANAO sample (2013–14)

Legislative Instrument

Number of Potential Breaches Identified

DNC

DNCR Act section 11: Calling a number on register

165

DNCR Act section 12: Faxing a number on register

9

DNCR Act Total

174

Fax Marketing Industry Standard 2011

13

Telemarketing and Research Industry Standard 2007

85

Standards Total

98

DNCR Total

272(1)

Spam

Section 16: Messages must not be sent

175

Section 17: Messages must include accurate sender information

41

Section 18: Messages must contain a functional unsubscribe facility

51

Spam Total

267(1)

Source: ANAO analysis of ACMA information.

Note 1: These figures do not align with the sample numbers because each compliance case could involve the identification of more than one potential breach.

Timeliness

2.43 The complaints and reports examined by the ANAO were initially assessed and classified, on average, within:

• five days of receipt for DNCR complaints;

• 10 days of receipt for spam complaints; and

• 40 days of receipt for spam reports.

2.44 The UCCS has established internal key performance indicators (KPIs) for the time taken to handle complaints42 (targets have not, however, been established for handling spam reports). The UCCS has reported internally that it generally meets these targets.43 The ANAO’s analysis of 193 DNCR Act complaints and 37 Spam Act complaints against these KPIs is outlined in Table 2.7.

Table 2.7: DNCR and spam complaint handling KPIs (2013–14)

Key Performance Indicator

Target

Actual

DNCR Act

Within 7 days of receipt

50 per cent

60 per cent

Within 14 days of receipt

75 per cent

86 per cent

Within 21 days of receipt

90 per cent

91 per cent

Spam Act

Within 8 days of receipt

90 per cent

75 per cent

Source: ANAO analysis of ACMA information.

2.45 As outlined in Table 2.7, in 2013–14, 91 per cent of DNCR complaints were handled within 21 days of receipt, with the remaining nine per cent of cases handled within 22 to 119 days. For spam complaints, 75 per cent were handled within 8 days of receipt, with IT issues—related to the transfer to a new case management system—causing delays in assessing and classifying complaints received between September 2013 and February 2014. In the sample examined by the ANAO, the average number of days between the receipt of a complaint or report and the issuing of an advisory letter or informal warning letter was: 11 days for DNCR complaints; 37 days for spam complaints; and 53 days for spam reports, as outlined in Table 2.8.

Table 2.8: Timeliness of regulatory response—issuing advisory letters (AL) and informal warning letters (IWL)

Complaint/ Report Type

Average Days Between Receipt and Issuing of AL or IWL

Minimum Days Between Receipt and AL or IWL

Maximum Days Between Receipt and AL or IWL

DNCR complaint

11

1

119

Spam complaint

37

4

96

Spam report

53

9

137

Source: ANAO analysis of ACMA information.

Responding to non-compliance

2.46 A flexible and graduated response to non-compliance can encourage compliance from regulated entities while reducing compliance costs to the regulator.44 The UCCS has adopted a tiered ‘advise, warn, investigate’ approach to DNCR non-compliance and a ‘warn, investigate’ approach to spam non-compliance.

2.47 In the first instance, for DNCR non-compliance, entities that do not have a recent history of non-compliance (over the previous 180 days) are to receive an advisory letter from the ACMA. The entity is then to be monitored for 180 days. If the entity has five or more complaints lodged against it during the monitoring period, the ACMA is to issue the entity with an informal warning letter. If non-compliance continues, the entity is to be considered for investigation and possible enforcement action.

2.48 For spam non-compliance, the ACMA may send out informal warning letters each month to entities that have been the subject of recent complaint(s) and/or report(s). If non-compliance continues, the entity is to be considered for investigation and possible enforcement action.

DNCR advisory letters

2.49 An advisory letter represents the first step in the DNCR non-compliance response strategy. The letter is sent when the first complaint is made against an entity or when a complaint is made following 180 days of previous compliance. The purpose of an advisory letter is to: advise the entity that a complaint has been received; provide information on DNCR legislation; and provide an opportunity to the entity to voluntarily comply.

2.50 Advisory letters are based on a variety of templates developed by the UCCS to respond to the various potential breaches that may be identified. The letter contains details on: the ACMA’s powers with regard to unsolicited communications; an overview of DNCR legislation; a summary of the complaint received; and a notice that additional complaints within the next 180 days may trigger additional compliance actions. The advisory letter also directs entities to ACMA educational material and contains extracts from the DNCR Act or standards that have been potentially breached. In 2013–14, the ACMA issued 940 advisory letters to entities identified as potentially in breach of the DNCR Act and industry standards. All of the 193 advisory letters in the ANAO’s sample had been retained by the ACMA and had been created using an established template.

DNCR informal warning letters

2.51 According to UCCS business rules, following the issuing of an advisory letter, compliance officers are to monitor DNCR complaints lodged against the entity for 180 days. Depending on the number of complaints received during the monitoring period, the following compliance activities may be undertaken:

• if no complaints are received, active monitoring of the entity ceases;

• if fewer than five complaints are received, additional advisory letters may be issued; or

• if an additional five (or more) complaints are received during the 180-day monitoring period, an informal warning letter may be issued.

2.52 In addition to the number of complaints received during the monitoring period, the ACMA may take into account the entity’s compliance history when determining the compliance activity to undertake. A demonstrated history of non-compliance may prompt the ACMA to proceed directly to the informal warning stage, with the ANAO observing this occurring in 15 per cent (12 of 78) of sampled DNCR informal warning letter cases.

2.53 To monitor compliance, a compliance officer is to determine, at least monthly, the number of complaints made against monitored entities within the past 180 days. In instances when an entity is approaching five complaints during the monitoring timeframe, the compliance officer may assess whether the evidence for a breach is ‘strong’ or ‘weak’, with the possibility of removing complaints with ‘weak’ evidence from the count. The DNCR standard operating procedures and UCCS business rules do not provide guidance on how compliance officers are to undertake this assessment. There would be merit in the ACMA documenting these procedures to help deliver more consistent compliance decisions.

2.54 When compliance officers determine that an informal warning letter should be sent, they are required to manually generate the letter from a template. The manual generation of letters has the potential to introduce transcription errors, with the ANAO’s analysis identifying that five per cent (4 of 78) of DNCR informal warning letters contained such errors—primarily relating to incorrect reporting of the complaint identification number or complaint date. The ACMA is aware of this issue and is in the process of moving to a more automated system to reduce these occurrences.

2.55 Informal warning letters include details on: DNCR legislation; previous non-compliance; the ACMA’s compliance strategy; and up to five recent complaints. The letters also outline further compliance actions that may be undertaken if non-compliance continues.

2.56 The ANAO found that the average time between the commencement of the monitoring period and the issuing of the informal warning letter was 160 days, with 35 per cent (23 of 65)45 of informal warning letters issued beyond 201 days (the 180-day monitoring period plus 21 days).

2.57 In 2013–14, the ACMA issued 114 informal warning letters to entities that were the subject of multiple DNCR complaints. In relation to the 193 DNCR advisory letters examined, the ANAO tracked the complaint history of the relevant entities over the subsequent 180 days and determined that 16 entities should have been issued with an informal warning letter because of five or more instances of potential non-compliance during the monitoring period. For 10 of these entities, an informal warning letter was appropriately issued. For two of these cases, notes were retained on file to indicate that the evidence for the potential breaches was reassessed as being ‘too weak’ to warrant an informal warning letter. For the remaining four entities, informal warning letters should have been sent, but were not.

Previous ANAO recommendation on regulatory action

2.58 As previously noted, the objective of the ANAO’s 2009–10 audit of the DNCR was to assess the ACMA’s effectiveness in operating, managing and monitoring the register, including compliance with legislative requirements. The audit made three recommendations that focused on IT security management practices, complaint handling and the escalation of regulatory action, including Recommendation 3:

To further improve transparency and minimise the risk of inconsistency in compliance enforcement decision making, the ANAO recommends that ACMA set minimum standards in its procedures for escalating regulatory action.

2.59 The ACMA has set minimum standards in its procedures for escalating regulatory action by:

  • introducing a minimum standard for escalating the DNCR compliance response from advisory letter to informal warning letter (the receipt of five or more complaints in the 180-day monitoring period);
  • establishing internal procedures for escalating DNCR compliance cases to investigation; and
  • publishing information, such as the ACMA’s ‘Approach to Telemarketing Compliance’, on its website to outline its procedures and minimum standards for escalating DNCR regulatory action.

2.60 There is, however, scope to further improve the consistency and timeliness of the process for escalating compliance responses from advisory letter stage to informal warning letter stage.

Spam informal warning letters

2.61 The process for responding to spam complaints and reports differs from the DNCR process. Although informal warning letters are an escalated response to DNCR complaints, informal warning letters are the ACMA’s first point of contact with entities that are the subject of spam complaints and reports.

2.62 After spam complaints and reports are processed, the relevant entities are placed in a queue in the spam case management system. A running total is maintained of the number of complaints/reports lodged (and processed) against each entity in the queue. Each month, compliance officers are to generate informal warning letters. This process involves a template being automatically populated for each entity in the queue, and the informal warning letters are emailed directly from the case management system to the potentially non-compliant entities. In 2013–14, informal warning letters were not sent in October, December or January. According to the CCCD’s monthly management reports, this was largely due to IT issues related to the transfer to the new case management system.

2.63 The standard informal warning letter for potential breaches of the Spam Act includes:

  • the number of complaint(s) and/or report(s) received since a particular date (generally the date of the first relevant complaint/report or the date of the last informal warning letter sent to the entity);
  • the nature of the potential breach(es) (for example, ‘may have been sent without the permission of the recipient’);
  • general information on the Spam Act, the ACMA and the e-marketing blog;
  • the subject line/content of the message (when available); and
  • a request that the entity take action to comply.

2.64 Informal warning letters do not, however, include:

  • the date the unsolicited message was sent;
  • the date the complaint(s)/report(s) were received;
  • in the case of reports, the email address/mobile telephone number of the message recipient; or
  • the specific sections of the Spam Act that have been potentially breached.

2.65 In response to 1387 complaints and approximately 350 000 direct reports about non-compliance with the Spam Act, the ACMA issued 4967 informal warning letters in 2013–14. The ANAO examined a random sample of 235 informal warning letters from 2013–14.46 The majority (69.5 per cent) of informal warning letters related to only one report and no complaints. All informal warning letters were retained on file and all provided information on the number of complaint(s)/report(s) and the nature of the potential breach(es).

Providing entities with sufficient information

2.66 In the ANAO’s sample, 18 per cent (42 of 235) of entities responded in writing after receiving a spam informal warning letter. Of these, 50 per cent (21 of 42) indicated that the informal warning letter did not provide sufficient information—19 of these letters were related to reports and did not provide information on the recipient of the unsolicited message. Examples of entities’ requests for further information are outlined below:

We have received your email, and are more than happy to take the appropriate steps to removing the person implied off our mailing list. To be able to do so though, we will require the name of the player who is being referred too. If you could please provide us with these details, we will in turn take the necessary steps.

***

Please note that Attachment A to your letter does not identify or list the electronic addresses that are required to be removed. Please can you forward those addresses to us so that they can be removed?

***

We take this matter seriously and want to resolve it. Are you able to provide the mobile number of the [reporter] to ensure they have been taken off our marketing list?

2.67 In response to these requests for further information, the ACMA generally replied that spam reports are made anonymously and it could not disclose further information.47

2.68 Relevant peak bodies contacted by the ANAO during the audit also commented on the utility of informal warning letters for reports of spam, with one peak body providing the following statement:

When an organisation receives a notification of alleged spam, the notification itself lacks sufficient detail for the organisation to investigate the date of the commercial electronic message and to whom it was sent. In our view, additional detail is crucial to enable targeted investigation given the volume of digital engagement undertaken within the industry.

2.69 As mentioned earlier, 69.5 per cent of the spam informal warning letters sent in 2013–14 related to only one report and no complaints. These letters appear to generate the most negative responses from entities as the letters do not provide sufficient information to allow the entity to investigate the specific issue, and the basis of the letter—only one report—on its face, may not warrant such intervention. This is particularly the case because:

• the ACMA is unable to provide the entity with sufficient information to resolve the specific issue (such as the email addresses or mobile telephone number of the message recipient);

• entities are notified, on average, 53 days after a report is made48 (and there is no restriction on how long after a message was sent that it can be reported by a consumer)—this delay reduces the effectiveness of the response, particularly as the entity is not told when the report was made;

• entities are not provided with the date of the report or the date the message was sent;

• there is a higher chance that a report (rather than a complaint) is unfounded—as it requires little effort to make a report and the reporter does not need to provide any statement or any proof that the message was sent without consent (which is the most common spam-related ‘potential breach’ identified by the ACMA);

• entities that are the subject of only one report are a lower compliance risk than entities that have multiple complaints and reports lodged against them; and

• the sending of informal warning letters imposes an administrative burden on industry and the ACMA.

2.70 There would be value in the ACMA reviewing the merits of its approach to responding to reports of spam—particularly given:

• the constructive feedback it has received from people and companies who have received informal warning letters and indicated a desire to comply with regulatory requirements, but have no recourse to determine when or to whom the email or SMS was sent, whether or not they were compliant with the Spam Act or how to address the specific issue; and

• the Government’s deregulation objectives and regulation principles, which state that ‘regulation should be imposed only when it can be shown to offer an overall net benefit’.49

2.71 In response to these findings, the ACMA informed the ANAO that it is amending its procedures, and it will not send informal warning letters to people and companies in circumstances where it is unable to provide sufficient details of the alleged spam message.

Conclusion

2.72 The ACMA has developed compliance and enforcement policies that align with unsolicited communications legislation and convey regulatory and management requirements. The compliance and enforcement policy includes a graduated model for responding to potential non-compliance, with responses ranging from encouraging voluntary compliance and informal resolution to administrative and civil action. While minimum standards for escalating DNCR compliance action have been set, minimum standards for the escalation of spam compliance action are yet to be established.

2.73 Overall, the ACMA has effective education and guidance arrangements in place to inform regulated entities of their responsibilities under unsolicited communications legislation, to encourage voluntary compliance and to assist the public in responding to unsolicited marketing. The ACMA also engages in targeted communication and educational activities through industry blogs, social media and the publication of enforcement action outcomes.

2.74 Compliance monitoring activities—such as the processing and assessment of complaints and reports and the issuing of advisory and informal warning letters—have generally been implemented in accordance with the ACMA’s compliance monitoring policies and have helped in the ongoing achievement of the Authority’s compliance monitoring objectives. Responses to potential non-compliance have, in the main, been escalated, when necessary, in accordance with established procedures. There is, however, scope to improve the consistency of the escalation of DNCR complaints, in particular, to ensure that informal warning letters are sent in accordance with established procedures.

2.75 Overall, the arrangements to receive and handle complaints, related to both the DNCR Act and the Spam Act, have been managed effectively, with appropriate guidance and mechanisms established for the lodgement, assessment, acknowledgement and processing of complaints. In relation to the 2013–14 cases examined by the ANAO, the ACMA responded to 97 per cent of DNCR complainants and 81 per cent of spam complainants within an average response time of five days for DNCR complaints and one day for spam complaints. The examined complaints were also managed in a timely manner—with 91 per cent of DNCR complaints handled within 21 days of receipt (which exceeded the established target timeframe of 90 per cent) and 75 per cent of spam complaints handled within eight days of receipt (which was below the established target timeframe of 90 per cent).

2.76 The majority (69.5 per cent) of 2013–14 spam informal warning letters related to only one spam report and no complaints, with these letters lacking sufficient information for entities to resolve the alleged issues. Further, these letters were sent, on average, 53 days after a spam report was received by the ACMA, which, when coupled with the limited information provided in the letters, made it difficult for entities to determine whether a breach had occurred and to address the issue, where necessary. The ACMA informed the ANAO that it is amending its procedures so that it will not be sending informal warning letters to people and companies in circumstances where it is unable to provide sufficient details on the alleged spam message.

3. Addressing Non-compliance

This chapter examines the ACMA’s approach to addressing and resolving non-compliance with unsolicited communications legislation.

Introduction

3.1 As outlined earlier, the ACMA adopts a graduated approach to addressing potential non-compliance with the DNCR Act and the Spam Act. On receipt of a complaint and, in some cases, a report about unsolicited communication, the ACMA issues an advisory or informal warning letter to give the entities involved information about their obligations under the relevant legislation. Where complaints continue to be received, voluntary compliance is not forthcoming and there is reason to suspect that an entity may have contravened the DNCR Act or the Spam Act, the ACMA may respond to the apparent non-compliance by commencing an investigation.

3.2 During 2013–14, the ACMA finalised 16 investigations under Part 26 of the Telecommunications Act into potential contraventions of the DNCR Act and the Spam Act. As a result of these investigations, the ACMA: issued seven formal warnings; issued four infringement notices; accepted three enforceable undertakings; and closed two cases without enforcement action being taken. The ACMA can take enforcement action under the Telecommunications Act, the DNCR Act and the Spam Act.

3.3 The ANAO examined the 16 investigations and the 14 resulting enforcement actions to assess whether the ACMA had effectively addressed and resolved non-compliance in accordance with the Australian Government Investigations Standards (AGIS), relevant legislation and internal requirements.

Investigations

Australian Government Investigations Standards

3.4 The AGIS are the ‘minimum standards’ for government entities ‘conducting investigations relating to the programs and legislation they administer’.50 According to the AGIS:

An investigation is a process of seeking information relevant to an alleged, apparent or potential breach of the law, involving possible judicial proceedings. The primary purpose of an investigation is to gather admissible evidence for any subsequent action, whether under criminal, civil penalty, civil, disciplinary or administrative sanctions. Investigations can also result in prevention and/or disruption action.51

3.5 The AGIS apply to all entities required to comply with the Financial Management and Accountability Act 1997 (FMA Act), which was superseded by the Public Governance, Performance and Accountability Act 2013 (PGPA Act) on 1 July 2014.52 The AGIS were revised in 2011, stating:

The new AGIS recognise the diverse context within which Australian Government agencies operate and the more prominent role non-criminal sanctions play in investigative responses. The concepts defined in AGIS are designed to allow agencies (both large and small) to apply them to their own operations and to maintain a minimum quality standard within investigations.53

3.6 The AGIS includes those standards outlined in Table 3.1.

Table 3.1: Australian Government Investigations Standards

Topic

Standard

 

Among other things, the AGIS outline that entities should:

Investigation policy

Have a clear written policy in regard to its investigative function

Staff certification

Ensure investigations staff possess relevant qualifications to effectively carry out their duties

Selecting investigations

Appoint a position responsible for making decisions regarding the evaluation and acceptance of investigations

Planning investigations

Have a standard investigations plan template

Commence each investigation with an overall planning process and a written investigation plan

Identify and manage risks as part of the planning process and ensure that risk management is incorporated into decision-making through the investigation

Conducting and documenting investigations

Record investigation activities and keep and file all documents and information in accordance with agency procedures and legislative requirements

Supervisors review investigations at appropriate intervals to ensure adherence with the AGIS and investigation plans

Ensure that critical decisions are made by an appropriate officer and documented on the investigation file

Source: ANAO analysis of the AGIS.

Investigation policy and staff certification

3.7 The ACMA has developed a number of documents that relate to its investigation policy, including the Compliance and Enforcement Manual, Selection of Investigations Policy, UCCS Compliance and Enforcement Approach, Investigation Process, standard operating procedures for DNCR and spam cases and regulatory guides for enforcement actions.

3.8 The ACMA’s Compliance and Enforcement Manual covers: ACMA enforcement and regulatory policy; scoping and planning of investigations; fact finding and evidence gathering; findings and decision-making; compliance and enforcement options; and information management procedures. When this manual was introduced in 2010, it replaced a number of ACMA compliance instructions, work instructions and business operating procedures. While the consolidation of enforcement information into a single document has delivered efficiencies, some of the information in previous instructions has not been clearly outlined in the replacement manual. For example, although the manual refers to the AGIS, it does not clearly outline the role of the AGIS in regard to the ACMA’s investigative work. Previous compliance instructions had clearly outlined the role of the AGIS, stating that the standards were ‘to be followed in all cases where an ACMA staff member, appointed as an inspector under either the Radiocommunications Act 1992 and/or Telecommunications Act 1997, is investigating breaches of those Acts and/or the Spam Act 2003’.54 Compliance managers were also ‘to ensure that the contents of the document are strictly adhered to as far as it relates to the investigation’.

3.9 As required by the AGIS, all Unsolicited Communications Branch (UCB) investigations staff had obtained a Certificate IV in Government (Investigations) or an equivalent qualification (as at 1 December 2014).

Selecting investigations

3.10 According to the ACMA’s Selection of Investigations Policy, the following criteria are to be considered in determining whether a case should be escalated to investigation:

• the number of complaints and reports lodged by the public about the entity;

• the potential detrimental effect the conduct may have on those receiving the unsolicited communications; and

• any other information at hand that may be relevant to determining the need for escalation.

3.11 A monthly meeting between compliance officers and investigations officers is generally used to discuss and select investigations. Summaries of these meetings include the compliance officers’: recommended cases for investigation; list of cases for discussion; and list of additional cases that will continue to be monitored.

3.12 Where an investigation has been recommended, an investigator is to consider whether they will look further at the matter proposed, taking into account available resources and the priority of other matters presented. When a case is not selected, it is to be returned to the normal compliance process (see discussion in Chapter 2). When investigators consider an investigation to be warranted, they meet with the UCCS Investigations Manager to put forward their reasons for commencing an investigation. This meeting concludes with one of three decisions being made: the matter will be investigated; the matter will not be investigated; or the matter may be investigated when appropriate resources become available.

3.13 As noted earlier in Table 3.1, the AGIS outline that entities should appoint a position responsible for making decisions regarding the evaluation and acceptance of investigations. Decisions regarding the selection of investigations are made by the UCCS Investigations Manager. Once a recommendation for an investigation has been accepted, the Investigations Manager allocates the investigation to a specific investigator.

Planning investigations

Investigation plans

3.14 The planning process for each investigation should culminate in a written investigation plan.55 According to the ACMA’s Compliance and Enforcement Manual:

An investigation plan is an integral part of the management of an investigation. The development of the plan will involve an assessment of the time and projected costs of the matter. The plan should be regularly reviewed and revised (if necessary) as the matter progresses.

3.15 Although a recommended minimum standard in the AGIS and required by the ACMA’s documented internal policies, no written investigation plans were prepared for any of the 16 investigations finalised in 2013–14. The ACMA informed the ANAO that the planning process involves a verbal discussion where staff meet with the Investigations Manager to discuss the merits of a proposed investigation and, where an investigation is determined to be appropriate, the planning of the investigation. While these discussions may have merit, they are not generally documented and they do not satisfy the requirement to establish a written investigation plan.

3.16 According to the ACMA’s Compliance and Enforcement Manual, an investigation plan should set out the key aspects of the investigation, such as the: key issues for inquiry; tasks to be performed; priority of tasks; resource requirements; investigation timeframe; and key milestones. These basic elements—along with a section for the assessment of risk— should be outlined in the investigation plan. Supervisors should review investigations at appropriate intervals to ensure adherence with the AGIS and investigation plans. In the absence of investigation plans, ACMA supervisors are not well placed to monitor the performance of investigations.

Risk management

3.17 Entities should identify and manage risks as part of the planning process and ensure that risk management is incorporated into decision-making throughout the investigation. The ACMA’s Compliance and Enforcement Manual requires that risks be identified, stating:

The identification of risks enables the ACMA to adopt a strategic approach to matters and to assess and determine what measures can be adopted to minimise any adverse impact of those risks. It is important that during the course of a matter the risks are reviewed and, if necessary, revised.

3.18 The ongoing monitoring of current and emerging risks is an essential element of sound risk management. The creation and retention of adequate records also supports monitoring activities and enables trend analysis and comparisons of risks over time.56 Only three of the 16 investigations had evidence retained to indicate that risks had been considered as part of the planning process, and none had a documented risk assessment.

3.19 The documentation of investigation plans and risk assessments helps to ensure continuity, particularly in those circumstances where an investigator is unable to complete an investigation. A clearly outlined plan and risk assessment (which may form part of the plan) would facilitate the efficient transfer of an investigation to another investigator, should this be required.

Preliminary inquiries

3.20 The Telecommunications Act (section 511) sets out the ACMA’s power to make preliminary inquiries regarding a complaint to determine whether it has power to investigate the matter or whether it should, at its discretion, investigate the matter. Preliminary inquiries are made prior to the commencement of an investigation.

3.21 Of the 16 investigations in 2013–14, four involved a preliminary inquiry, with inquiries usually undertaken to determine the relevant legal entity and to confirm that the ACMA has the jurisdiction to investigate. Each preliminary inquiry letter requested information or sets of data and gave the entity 21 days to respond. In all cases, the entity responded by the due date (although in two cases, missing documentation had to be followed up). Overall, the ACMA handled preliminary inquiries effectively and in accordance with legislative requirements.

Conducting and documenting investigations

3.22 Prior to commencing an investigation, the investigation team is to produce a commencement recommendation memorandum for the responsible Senior Executive Service (SES) officer. All 16 investigations had a memorandum retained on file, and all:

• outlined the basis for the investigation and the reasons why the entity was suspected of breaching the DNCR Act or Spam Act;

• stated that the investigation was to be commenced under section 510(1) of the Telecommunications Act; and

• were signed by an appropriate SES officer.

3.23 None of the memoranda indicated that risks had been considered as part of the planning process or outlined timeframes and key milestones for the investigation. Only two memoranda provided resourcing information and stated that the investigations team had sufficient resources to conduct the investigation. There would be merit in including risk, timeframes and resourcing information in each commencement memorandum to help ensure that the decision-maker is taking into account all relevant information. The ACMA informed the ANAO during the audit that it was reviewing its memorandum templates and would ensure that the new templates specifically outline this information.

3.24 Under section 512(1) of the Telecommunications Act, the ACMA must notify the respondent before beginning an investigation. For all 16 investigations, a commencement notification letter was retained, signed by an appropriate SES officer and sent to the respondent prior to the commencement of the investigation.

Notice to Give Information and Produce Documents

3.25 For 12 of the investigations, a Notice to Give Information and Produce Documents was issued to the respondent under section 521 or 522 of the Telecommunications Act.57 All notices were issued in accordance with the requirements of the Act and appropriately documented.

Pre-adverse finding

3.26 After analysing the available data and any submissions made by the respondent, the investigations team is to prepare a memorandum recommending the respondent be issued with a pre-adverse finding letter. A pre-adverse finding letter outlines the ACMA’s preliminary view about the investigation and provides the respondent with an opportunity to make submissions about this view. For all 16 investigations, the decision to issue the pre-adverse finding and the letter to the respondent were retained on file and signed by an appropriate authorising officer.

3.27 All 16 letters provided the respondent with the opportunity to make submissions in response to the finding(s).58 Further, all letters outlined the reasons for the preliminary view, the alleged contraventions and the ACMA’s enforcement options. Of the 11 respondents that provided a submission in response to the pre-adverse finding letter, one provided the ACMA with sufficient evidence to warrant the investigations team changing its preliminary view (following consultation with the ACMA legal team). This resulted in the closure of the investigation with no finding of a contravention and no enforcement action being taken.

Concluding investigations

3.28 To conclude an investigation, the investigation team is to prepare a memorandum for the relevant SES officer recommending an enforcement action or the conclusion of the investigation without an enforcement action. All 16 investigations had an investigation conclusion memorandum retained on file that was signed by an appropriate SES officer. For the 14 memoranda that recommended an enforcement action be taken, all included substantiation of the contraventions and outlined the matters the investigations team considered and the rationale for the selected enforcement action.

3.29 On average, investigations finalised in 2013–14, took 267 days, with the shortest investigation being 2.5 months and the longest being two years. The length of an investigation depends on a number of factors, such as: the number of contraventions that need to be investigated; how many notices to produce documents are issued to the respondent; how long it takes the respondent to provide documentation; and how cooperative the respondent is throughout the investigation process.

Investigation reports

3.30 While the ACMA did not produce investigation reports following the completion of DNCR and spam investigations, for half of the 2013–14 investigations, investigators prepared a ‘details of investigation’ summary as an attachment to the investigation conclusion memorandum. Although key investigation details are generally included in the conclusion memoranda in a variety of formats, there would be merit in the ACMA having a more consistent approach to documenting finalised investigations. Consistent and comprehensive investigation reports would assist the ACMA in cases where, for example, investigated matters proceed to the Federal Court or an investigated entity’s further non-compliance leads to an additional investigation.

Notification of investigation closure

3.31 The ACMA’s Compliance and Enforcement Manual outlines that ‘the ACMA is statutorily required to notify a complainant and/or the respondent of the outcome of the ACMA’s investigation’. The UCCS’s standard operating procedures for spam complaint handling also outline this requirement:

As stated in section 513 of the Telecommunications Act, if ACMA decides not to investigate, or not to investigate further, a matter to which a complaint relates, it must, as soon as practicable and in such manner as it thinks fit, inform the complainant and the respondent of the decision and of the reasons for the decision. The [UCCS] interprets this to mean that all complainants must be notified of the completion of an investigation.

3.32 The respondents for all investigations were notified of the closure of the investigation—15 in writing and one by telephone.59 These notifications were timely, with 12 respondents advised on the same day that they were notified of the enforcement action to be taken or that no enforcement action would be taken. The remaining four investigations were closed after an infringement notice was paid. These four respondents were notified of the closure of the investigation, on average, 17 days after payment was lodged.

3.33 The Commonwealth Ombudsman’s Better Practice Guide to Complaint Handling states ‘When the investigation of a complaint is completed, the complainant should be told the particulars of the investigation, including any findings or decision reached’.

3.34 The ACMA’s published complaint handling policies specific to DNCR and spam complaints also state that:

• ‘If the ACMA commences an investigation, the ACMA will write to you […] at the end of the investigation, to notify you of the outcome of the investigation’60; and

• ‘The ACMA will advise the complainant of the outcomes of the investigation’.61

3.35 The complainants for three investigations were notified in writing in a timely manner (an average of 23 days after investigation closure). However, for 13 of the 16 investigations, the complainants were not notified of the closure of the investigation.

3.36 In addition to being outlined in internal policy documents and promoted as better practice by the Commonwealth Ombudsman, the notification of complainants is part of the ACMA’s published complaint handling policies. The adoption of practices that are inconsistent with published policies has the potential to adversely impact on stakeholders’ confidence in the Authority’s complaint handling arrangements.

Recommendation No.1

3.37 To improve the planning, monitoring and closure of investigations and to comply with established requirements, the ANAO recommends that the Australian Communications and Media Authority:

  1. prepare a written investigation plan that includes an assessment of risks prior to the commencement of each investigation; and
  2. notify complainants of the closure of each investigation in a timely manner.

ACMA’s response: Agreed.

3.38 The ACMA accepts Recommendation 1 and has already modified its procedures to implement this recommendation. In particular, as part of its standard practice, the ACMA now prepares and uses investigation plans to assist in monitoring the performance of its investigations into compliance with the Spam Act 2003 and the Do Not Call Register Act 2006. It has also re-introduced notification of investigation closures to complainants.

Enforcement actions

3.39 Unsolicited communications legislation provides for several forms of formal enforcement action that may be used in response to non-compliance—formal warnings, infringement notices, enforceable undertakings and federal court action. In the period from 200362 to December 2014, the ACMA took enforcement action against 160 respondents, in response to identified non-compliance with unsolicited communications legislation, as outlined in Table 3.2.

Table 3.2: Enforcement actions taken against respondents (2003–14)

Enforcement Action Taken

Spam Act Related

DNCR Act Related

Total

Formal warning

54

25

79

Infringement notice

14

5

19

Enforceable undertaking

20

14

34

Multiple enforcement actions(1)

4

12

16

Federal Court action

11

1

12

TOTAL

103

57

160

Source: ANAO analysis of ACMA information.

Note 1: The actions were infringement notice and enforceable undertaking (12), infringement notice and formal warning (1) and formal warning and enforceable undertaking (3).

3.40 In 2013–14, the ACMA took 14 enforcement actions: seven formal warnings; four infringement notices; and three enforceable undertakings. All respondents were issued with a letter outlining the results of the investigation, whether enforcement action was to be taken and, where relevant, a formal document outlining the enforcement action. In 2013–14, the average number of days between the commencement of the investigation and the issuing of formal enforcement action was 235 days.

Formal warning

3.41 A formal warning indicates to a respondent that the ACMA has identified issues of concern, provides the respondent with an opportunity to address the issues and warns them that further enforcement action may be taken if the non-compliance is not resolved.63

3.42 In 2013–14, the ACMA issued seven formal warnings for contraventions of civil penalty provisions. Two were issued to telecommunication providers for contraventions of section 11 of the DNCR Act—one was responsible for over 800 telemarketing calls to DNCR-listed telephone numbers during a six-month period and the other was responsible for 25 telemarketing calls to DNCR-listed telephone numbers during a six-week period. Five formal warnings were issued for contraventions of the Spam Act, which included companies that sent commercial emails without obtaining the recipients’ consent (in breach of section 16 of the Spam Act).

3.43 All decisions to issue the formal warnings included the rationale for the selected enforcement action, and all decisions and formal warning documents were retained on the relevant case files and signed by an appropriate authorising officer.

Infringement notice

3.44 An infringement notice is an administrative enforcement remedy that the ACMA may issue in certain limited circumstances. It offers a respondent the chance to avoid being subject to lengthy and potentially costly court action over an alleged contravention by paying the administrative penalty specified in the notice.64

3.45 The ACMA issued four infringement notices in 2013–14. One was issued for contraventions of section 11 of the DNCR Act, with a company paying a $20 400 infringement notice for making telemarketing calls to telephone numbers listed on the DNCR. Three infringement notices were issued for contraventions of the Spam Act, with amounts paid ranging from $6800 to $165 000 for breaches, such as failing to obtain appropriate consent of the message recipients and failing to have a functional unsubscribe facility. All decisions to issue infringement notices included the rationale for the decision and were retained on file and signed by an appropriate SES officer. All infringement notices were retained on the case files, met legislative requirements, and:

  • were signed by an authorised officer;
  • stated that the ACMA had reasonable grounds to believe that the respondent had contravened a particular civil penalty provision;
  • were issued within 12 months of the oldest relevant contravention;
  • provided details of the alleged contraventions;
  • outlined the amount of payment, explained how payment was to be made and complied with legislated maximums for the number of penalty units issued; and
  • set a due date that was at least 28 days after the date the notice was issued.

3.46 Further, payments were received on time and proof of payment was retained on the relevant case files for all infringement notices issued in 2013–14.

Enforceable undertaking

3.47 An enforceable undertaking is a negotiated written agreement that can be enforced in court by the ACMA. In determining whether it will accept an enforceable undertaking, the ACMA generally considers whether: the respondent is prepared to publicly acknowledge the concerns about the conduct in question and the need for corrective action; the terms of the undertaking will achieve an effective outcome for those who may have been disadvantaged by the conduct; and it is likely that the undertaking will be fulfilled.65

3.48 The ACMA accepted three enforceable undertakings in 2013–14:

  • two related to companies making telemarketing calls to registered telephone numbers (in breach of section 11 of the DNCR Act), with both companies undertaking to ensure no calls were made to numbers on the register and to keep comprehensive records of all telemarketing calls they, or their call centres, make; and
  • one related to breaches of section 16 of the Spam Act—with the company undertaking to stop sending marketing messages until it had adopted a ‘double opt-in’ process to ensure appropriate consent had been obtained.66

3.49 All decisions included the rationale for the decision, were retained on the case files and were signed by an appropriate SES officer. All enforceable undertakings were retained and signed by the respondent and an appropriate ACMA officer.

3.50 Enforceable undertakings generally require respondents to take remedial steps in areas of non-compliance and provide reports and proof of compliance over a set period. According to the ACMA’s Compliance and Enforcement Manual, it is important that the ACMA be given timely and adequate reports to enable it to determine whether the undertaking party has complied with the enforceable undertaking.

3.51 For the three cases in 2013–14:

  • evidence had been retained on file for one case to indicate that the ACMA had reviewed the respondent’s records and actively monitored the enforceable undertaking;
  • one case involved a company that did not recommence telemarketing during the undertaking’s set reporting period (and thus did not submit any records) and was declared insolvent and deregistered before the undertaking expired; and
  • one case did not require the submission of records, except on request. As the ACMA had not requested any records, none had been provided.

Federal Court action

3.52 The ACMA may apply to the Federal Court or Federal Circuit Court for a civil penalty order for a person to pay to the Commonwealth a pecuniary penalty, if the court is satisfied that a person has contravened a civil penalty provision.67 This option is available to the ACMA where a person has either failed to comply with an infringement notice or where the alleged breaches otherwise warrant court proceedings.

3.53 The ACMA may also apply to the Federal Court or Federal Circuit Court for an injunction either to restrain a person from engaging in certain conduct or to require a person to perform certain acts.68 Injunctions may be sought if a person has engaged, is engaging, or is proposing to engage in any conduct that contravenes a civil penalty provision.

3.54 Since 2003, the ACMA has completed four prosecutions in the Federal Court, involving 12 respondents and resulting in $30.08 million in penalties. For the one case related to the DNCR Act, the ACMA also obtained a five-year injunction that restricted the respondent from engaging in the telemarketing sector. None of the investigations finalised in 2013–14 involved court action.

Conclusion

3.55 The ACMA has an appropriate framework in place for addressing and resolving non-compliance with unsolicited communications legislation. Where an entity’s voluntary compliance is not forthcoming, the ACMA may respond by commencing an investigation under the Telecommunications Act. The ACMA finalised 16 investigations in 2013–14, with 14 resulting in an enforcement action. For all investigations, key decisions were made by an appropriate authorising officer and documented. The ACMA met many of the Australian Government Investigations Standards and requirements of the Telecommunications Act. However, investigation plans and risk assessments were not prepared for any of the investigations finalised in 2013–14 and complainants were generally not notified of the closure of investigations.

3.56 The rationale for proposed enforcement actions was provided to the decision-maker, and all key enforcement action documentation was retained on the case files and signed by an appropriate SES officer. Most enforcement actions did not require monitoring or follow-up (aside from regular compliance activity if further complaints or reports were received). In relation to the three cases that resulted in an enforceable undertaking in 2013–14, one was actively monitored, one involved a respondent that went out of business and one did not require the submission of records, except on the ACMA’s request.

4. Governance Arrangements

This chapter examines the governance arrangements in place to support the ACMA’s regulation of unsolicited communications.

Introduction

4.1 Sound regulatory administration requires effective governance arrangements. The ANAO examined the ACMA’s:

  • administrative arrangements;
  • business planning and management of risks;
  • management of conflicts of interest; and
  • performance monitoring and reporting.

Administrative arrangements

4.2 The responsibility for overall governance and management of the ACMA resides with the Chair as the Chief Executive Officer.69 The role of the Chair is to facilitate and manage the performance of the ACMA’s functions and exercise of powers, as outlined under Part 2 of the Australian Communications and Media Authority Act 2005. In addition to the Chair, the Authority comprises: the Deputy Chair; one full-time Member; four part-time Members; and one Associate Member. The Authority is the ACMA’s decision-making body for regulatory matters. To assist in the discharge of their governance responsibilities, the Chair is provided with monthly management reports from each division and the Authority is provided with quarterly updates on key areas of the ACMA’s operations.70 In 2013–14, the Authority met 21 times.

4.3 The ACMA’s Executive Group functions as a high-level oversight committee and assists the Chair by providing advice on issues of corporate or strategic significance to the Authority. The Executive Group comprises the Chair, Deputy Chair, one full-time Member and four General Managers.71 The Executive Group met monthly in 2013–14.

4.4 The ACMA also has committees that oversee specific areas such as IT, finance management, internal audit and compliance and enforcement. The Audit Committee, which coordinates internal audit activities and oversees the financial statements, risk management framework and implementation of fraud control policies, met on four occasions in 2013–14. The Compliance and Enforcement Committee, which oversees the ACMA’s compliance and enforcement policies and procedures, met twice in 2013–14.

Division and branch structure and responsibilities

4.5 As previously discussed, unsolicited communications compliance is the responsibility of the Unsolicited Communications Compliance Section (UCCS)72, which is part of the Unsolicited Communications Branch (UCB)73 and the broader Content, Consumer and Citizen Division (CCCD). The CCCD is also responsible for telecommunications, broadcasting and online safeguards, which include activities such as investigating broadcasting code complaints (see Figure 4.1).

Figure 4.1: Content, Consumer and Citizen Division (CCCD) Organisation Structure

Source: ANAO analysis of ACMA information.

Staffing

4.6 In 2014–15, the ACMA employed around 450 staff74, including approximately 100 staff in the CCCD. Of these, the UCCS had 18 staff, distributed among three sub-teams: Compliance (nine staff); Investigations (six staff); and Policy, Analysis and Education (three staff).

Business planning and management of risks

Business planning

4.7 The regulatory activities of the UCCS are guided by an annual business plan, which is developed in accordance with the ACMA’s established business planning template. The 2013–14 UCCS Business Plan provides a high-level overview of the section’s role and responsibilities and information on its activities, performance measures, priorities, communications requirements and budget. The priority activities outlined in the plan were linked to overall ACMA priorities and key results areas. While the unsolicited communications performance measures in the business plan generally aligned with the information provided in the monthly management reports, they did not align with the higher level measures outlined in the Portfolio Budget Statements and subsequently reported in the annual report. The alignment and integration of performance measures across planning documents underpins effective performance monitoring and reporting. Further, for reporting periods commencing on or after 1 July 2015, the ACMA will be required to prepare annual performance statements in accordance with requirements established under the PGPA Act. The enhancement of performance measures will assist the ACMA to meet these revised reporting requirements.

Management of risks

4.8 The ACMA has developed a management instruction and an associated guide on risk management.75 The guide was approved in October 2014 and outlines the ACMA’s risk management framework and risk management processes, which require:

  • divisions and branches to assess risks and prepare risk registers, which include identifying, analysing, evaluating and treating risks and assigning responsibility for managing risks;
  • divisions and branches to monitor and review risk registers; and
  • divisions to report quarterly against their risk register.

4.9 The risk management instruction and guide were the culmination of a risk management framework review that had been underway at the ACMA between 2011 and early 2014. The most recent approved risk management document (prior to October 2014) was Management Instruction 21: Risk Management, which was approved in March 2008. Although this instruction outlined a process for identifying and reviewing risks, the ACMA informed the ANAO that this process was not consistently applied across the authority during the period of the risk management framework review.

4.10 Risk registers were generally not completed for the CCCD and the UCB while the review was underway between 2011 and early 2014. However, in 2012–13, the UCB completed a high-level risk assessment, which resulted in three risk ‘registers’ that identified risks, but did not outline consequences should a risk eventuate, identify risk treatments or assign responsibility for managing and monitoring risks. Further, there was no mechanism in place for reporting against these risks in 2012–13.

4.11 As at early 2013–14, a documented risk register and functioning reporting mechanism was yet to be established for the CCCD and the UCB. However, as part of the risk framework review, the ACMA held a Strategic Risk Workshop in October 2013 and a number of Divisional Risk Workshops in November and December 2013 to develop a set of strategic risks for the Authority and a list of the key risks facing each division. This work led to the development of division and branch risk registers in early to mid-2014.

Division and branch risk registers

4.12 The CCCD risk register covers key risks facing the ACMA in relation to unsolicited communications compliance. The UCB risk register outlines 11 key risks facing the branch, including:

  • data relied upon to report and monitor compliance is inaccurate, incomplete, not recorded, inaccessible or not suitable for purpose (Rating: Medium); and
  • the volume of complaints and reports made by the public about unsolicited communications exceeds the capacity of available staff resources to undertake graduated business compliance activities (Rating: Medium).76

4.13 For each risk, the UCB outlines the potential causes and consequences, current controls, risk ratings (including likelihood and consequence), position responsible for the risk, planned treatments and target risk ratings. The division and branch level risk ratings indicate that the regulation of unsolicited communications is a medium to low risk. Overall, the CCCD and UCB risk registers have been developed in accordance with the general requirements of the 2014 risk management framework for identifying, assessing and evaluating risks.

Reporting and reviewing risks

4.14 The first quarterly reporting against the CCCD risk register occurred in July 2014, with the second report prepared in October 2014 and the third in January 2015. According to the risk management guide, any divisional risks that are rated as being ‘extreme’ or ‘high’ should be reported to the Executive Group. For the CCCD, no risks were rated as ‘extreme’ or ‘high’ in the first two quarters of 2014–15. The UCB is required to review its risk register quarterly, with the first quarterly review undertaken in December 2014. As at 31 January 2015, the CCCD and UCB had met the reporting and review requirements of the established risk management framework.

4.15 To help ensure that the ACMA’s compliance activities are appropriately targeting key areas of regulatory risk, it will be important that the outcomes of risk assessments and the regulatory risk environment be reflected in the ACMA’s compliance approach and strategy when these are next reviewed.

Management of conflicts of interest

4.16 The Australian Public Service Code of Conduct77 requires that an employee disclose, and take reasonable steps to avoid, any conflict of interest (real or apparent) in connection with employment in the Australian Public Service. The ACMA has developed a management instruction for identifying and managing conflicts of interest for its staff. This instruction was last updated in May 2014 and covers: identifying and disclosing conflicts of interest; recording and managing conflict; and avoiding conflicts of interest.

4.17 At least once each year, all employees are directed to undertake a self-assessment to identify and disclose any matters that could create, or be perceived to create, a conflict of interest and to make a declaration. In accordance with the Code of Conduct and ACMA policy, all UCB staff members completed conflict of interest declarations in 2014. These declarations were reviewed and approved by the appropriate delegate.

4.18 Once declarations are completed, managers are required to monitor their content. If an actual, potential or perceived conflict of interest is disclosed by the employee, the manager (or the Chair in the case of senior executives and employees in designated positions) must discuss with the employee how that conflict is to be managed and record the outcomes of this discussion (including any follow-up action). This record forms part of the Conflict of Interests Register.

4.19 In 2013–14, two UCCS staff members identified potential conflicts of interest. Documentation indicates that these potential conflicts were discussed with the relevant staff member’s manager and that the risk or likelihood of an actual conflict of interest was low. In 2013–14, there was only one case where a potential conflict of interest materialised in the UCB. In this case, an investigator was related to two employees at the company to be investigated and removed herself from the investigation prior to its commencement.

Performance monitoring and reporting

4.20 Performance monitoring and reporting should inform management decision making, advise stakeholders of program performance and provide assurance that programs are being effectively implemented. The ANAO examined the ACMA’s internal and external performance reporting to assess whether appropriate indicators had been developed to measure the effectiveness of compliance monitoring activities and whether performance reporting was timely and accurate.

Internal performance monitoring and reporting

4.21 Each branch within the CCCD, including the UCB, is required to report to the General Manager monthly on its performance and achievements. These reports include: a ‘traffic light’ project status snapshot; coverage of operational performance; divisional budget tracking; divisional staffing profiles; issues faced by the Authority78; recent media coverage of divisional programs; expected achievements for the next reporting period; progress of major projects79; records of key stakeholder engagements; and reviews of codes of practice.

4.22 The ANAO examined the 12 monthly management reports for the 2013–14 financial year. The reports included information on: the number of DNCR and spam complaints and reports; the number of advisory and informal warning letters issued; the status and outcomes of investigations; the number of DNCR registrations; and changes to relevant legislation. When issues arise that impact on the UCB’s ability to meet its regulatory requirements, the monthly management reports also provide a mechanism for the resolution of the issue to be monitored and reported against. For example, during October 2013, no Spam Act informal warning letters were sent because of the introduction of a new IT system. This, along with the follow-up actions undertaken, was reported in the October 2013 monthly report.

4.23 The monthly management reports include two internal key performance indicators (KPIs) for the regulation of unsolicited communications, against which the UCB is to report:

  • 50 per cent of DNCR-related complaints and enquiries closed within seven days of receipt, 75 per cent closed within 14 days of receipt and 90 per cent closed within 21 days of receipt; and
  • 90 per cent of spam-related complaints and enquiries addressed within eight days of receipt.

4.24 The monthly reports indicate that, during 2013–14, the UCB met: its DNCR complaint KPI in each of the 12 months; its DNCR enquiry KPI in every month except October 2013; and its spam-related KPI in all months except November and December 2013, when the roll-out of the new IT system caused delays in the handling of spam complaints.80

4.25 Another key means by which the performance of the regulation of unsolicited communications is communicated internally is through quarterly reports to the Authority. These reports include coverage of: the number of complaints, enquiries and reports received; the number and nature of compliance actions; education and stakeholder awareness activities; intelligence sharing and international engagement; and delegated decisions related to investigations and enforcement actions.

External performance monitoring

Portfolio Budget Statements

4.26 Portfolio Budget Statements (PBS) specify each entity’s outcome(s), programs, expenses, deliverables and KPIs. The ACMA’s performance information, which forms part of the Department of Communications’ 2014–15 PBS, outlines one outcome (Outcome 1) for the ACMA:

A communications and media environment that balances the needs of the industry and the Australian community through regulation, education and advice.81

4.27 The PBSs for the years 2011–12 to 2013–14 captured the ACMA’s regulation of unsolicited communications activities under both Program 1.1—Communications regulation, planning and licensing and Program 1.2—Consumer safeguards, education and information. In the 2014–15 PBS, the ACMA consolidated its reporting of unsolicited communications activities under Program 1.2.

4.28 The following deliverable was established under Program 1.2 in 2014–15: ‘minimise unsolicited spam and telemarketing communications’. Although this deliverable relates to the unsolicited communications function, it does not outline a specific and measurable target that is to be achieved. Prior to 2014–15 (in 2012–13 and 2013–14), some PBS deliverables for unsolicited communications were more specific and measurable82, which better placed the ACMA to report to stakeholders on its performance.

4.29 The 2014–15 PBS was the first to contain a KPI directly related to the regulation of unsolicited communications.83 This KPI—‘that the adverse impacts of spam and unsolicited telemarketing on the economy and society are minimised’—also lacks a specific and measurable target and does not give stakeholders a clear picture of the impact or effectiveness of the ACMA’s regulation of unsolicited communications (see Appendix 2 for further information on unsolicited communications deliverables and KPIs).

Corporate plan performance measures

4.30 In its 2013–16 Corporate Plan, the ACMA included new KPIs for the regulation of unsolicited communications under the key results area of ‘Consumer, citizen and audience safeguards and standards’. These KPIs are:

  • the number of complaints and reports about unsolicited communications received from companies after they have been sent informal warnings is low; and
  • the number of complaints about unsolicited communications within targeted priority areas reduces.

4.31 The plan also outlines strategies for meeting these KPIs, which include: gathering market intelligence; engaging with industry to encourage compliance; educating citizens about how to avoid and deal with unsolicited communications; engaging with global partners in relation to cross-border unsolicited communications; and maintaining the Do Not Call Register.

4.32 In contrast to the performance measures outlined in the ACMA’s PBS, the measures included in the corporate plan are more easily measured and provide insights into specific aspects of regulatory performance. There is, however, a lack of alignment between these measures and those outlined in the PBS. Further, the measures provide limited insights into the overall impact or effectiveness of the ACMA’s regulation of unsolicited communications. The ACMA has informed the ANAO that it has been working to refine its performance monitoring and reporting arrangements, in part in response to revised requirements established under the PGPA Act, and that it envisages that this work will lead to more consistent approaches across the organisation.

External performance reporting

Annual reports

4.33 Annual reports are one of the principal accountability mechanisms between departments and the Parliament, and are designed to provide factual and informative commentary on performance against the targets and anticipated outcomes specified in the PBS. The ANAO examined the ACMA’s annual reports for 2011–12, 2012–13 and 2013–14 to assess the appropriateness and accuracy in reporting against PBS deliverables and KPIs and Corporate Plan performance measures.

Reporting against PBS deliverables and KPIs

4.34 While the 2011–12 and 2012–13 annual reports provided performance information against all three PBS deliverables, such reporting was provided against only two (of three) deliverables in the ACMA’s 2013–14 Annual Report (see Appendix 2).

4.35 As noted earlier, the ACMA introduced KPIs directly related to the regulation of unsolicited communications in the 2014–15 PBS. In the three years prior, there were no KPIs specific to DNCR Act and Spam Act compliance activities.

4.36 More broadly, the ACMA’s 2011–12, 2012–13 and 2013–14 annual reports do not clearly identify reporting against the KPIs established in the PBSs for all activities undertaken by the Authority. In contrast to the approach adopted for deliverables (which involves the provision of page numbers aligned against each deliverable), the performance related to KPIs is addressed in narrative form across the report, without any clear statements as to whether each KPI was achieved.

4.37 There is scope for the ACMA to review and enhance its KPIs and to report against these more clearly in its annual report. Reporting against specific and measurable KPIs would enable the Authority to better measure the effectiveness of its regulatory activities and demonstrate the extent to which it is meeting its regulatory objectives.

Reporting against Corporate Plan performance measures

4.38 In the ACMA’s 2013–14 Annual Report, it reported against its 2013–16 Corporate Plan performance measures in narrative form, outlining responses to specific incidents, such as its response to an increase in the number of complaints received about the PC Virus scam and the introduction of a variant scam relying on Telstra’s brand to deceive the public.84

Accuracy of reported information

4.39 The objective of external performance reporting is to provide key stakeholders with an accurate and succinct picture of an agency’s performance in achieving its stated objectives. If the data on which performance reporting is based is incomplete or inaccurate, the value of that information is diminished.85

4.40 The ACMA’s 2013–14 Annual Report reported that, during the financial year, it had issued 951 advisory letters to entities potentially non-compliant with the DNCR Act. In October 2014, the ACMA informed the ANAO that it had issued only 942 advisory letters during the period, and that the discrepancy was caused by an IT issue. The ANAO found a further two instances where a reported advisory letter was not sent, bringing the total down to 940. The incorrect figure of 951 was subsequently reported in the 2013–14 Communications Report. Further, the number of DNCR and spam informal warning letters issued during 2013–14 was also incorrectly reported in the annual report, as outlined in Table 4.1.

Table 4.1: Reported and actual compliance activity numbers (2013–14)

Compliance Activity

Reported Number (2013–14 Annual Report)

Actual Number

Difference

DNCR advisory letter

951

940

11 (1%)

DNCR informal warning letter

116

114

2 (2%)

Spam informal warning letter

5002

4967

35 (1%)

Source: ANAO analysis of ACMA information.

4.41 While acknowledging that these discrepancies are relatively minor, it would nevertheless be prudent for the ACMA to strengthen its processes for ensuring data quality, given this data is used for reporting to management and advising stakeholders on the performance of the ACMA’s regulatory activities.

Communications report

4.42 Since 2005, the Authority has published an annual communications report, which provides information on: the state of the Australian communications and media market; telecommunications consumer safeguards and quality of service (including its work related to the DNCR and spam); and broadcasting industry regulatory performance.86

4.43 The 2012–13 and 2013–14 communications reports provided performance information on: the number of telemarketing and spam complaints received; the number of compliance actions undertaken; and the number of investigations conducted. The 2013–14 report also provided a comparison of these measures against the 2012–13 measures, presenting historical information on the UCB’s compliance and enforcement activities.

Compliance statistics

4.44 The ACMA also publishes monthly compliance activity statistics on its website. The statistics include: the number of complaints received; the number of advisory letters sent; and the number of DNCR and spam informal warning letters issued. The ANAO compared the figures reported in these monthly statistics reports with those available in recent annual reports and communications reports. For 2013–14, the statistics for the number of DNCR and spam complaints were consistent across the three types of reports (statistics reports, annual report and communications report). However, the reported statistics for DNCR advisory letters and DNCR informal warning letters were not consistent across the reports, with none of the publicly reported figures reflecting the actual numbers of these compliance activities.87 Although the number of spam informal warning letters was reported consistently across the three types of reports, this figure was not accurate.

Conclusion

4.45 Overall, the ACMA has established administration arrangements that appropriately underpin its regulation of unsolicited communications, with oversight arrangements in place to monitor key aspects of regulatory activity. The ACMA has established business planning processes and has a risk management framework in place that aligns with international risk management standards. The current risk management guidance is the culmination of a risk management framework review undertaken between 2011 and early 2014. During the review period, the ACMA did not consistently apply its established processes for identifying and reviewing risks across the authority, and risk registers were not completed for the CCCD and UCB. When the risk management framework is next reviewed, there would be merit in the ACMA ensuring that interim arrangements are in place during the period of review to help ensure that risks continue to be appropriately monitored and managed.

4.46 The UCB effectively manages conflicts of interest. In 2014, UCB staff completed conflict of interest declarations that were reviewed and approved by the appropriate delegate.

4.47 The ACMA has provided regular and timely reports on its compliance activities. Internally, this is through monthly management reports and quarterly reports to the Authority and, externally, through annual reports, annual communications reports and monthly compliance activity statistics. However, there is scope to improve the accuracy of reported data, given minor discrepancies across performance reports. Further, performance measures are not aligned across key planning documents, lack targets against which performance can be objectively assessed and give limited insights into the impact or effectiveness of the regulation of unsolicited communications. The ACMA should review and enhance its performance measures and report against them more clearly in its annual report to better demonstrate the extent to which it is meeting its regulatory objectives.

Recommendation No.2

4.48 To improve the effectiveness of its performance monitoring and reporting and to better inform stakeholders about the extent to which regulatory objectives are being achieved, the ANAO recommends that the Australian Communications and Media Authority:

  1. review and enhance its performance measures for the regulation of unsolicited communications; and
  2. monitor and accurately report against these performance measures.

ACMA’s response: Agreed.

4.49 The ACMA accepts Recommendation 2, and is currently reviewing and enhancing its performance measures for regulation of unsolicited communications and the reporting against these measures. This review is occurring in the context and in recognition of the recent introduction of new performance reporting requirements under the Public Governance, Performance and Accountability Act 2013 and the Regulator Performance Framework. It is anticipated that these performance measures will be fully implemented for the reporting period, 2015–16.

Appendices

Appendices

Please refer to the PDF version of the report for the Appendices:

  • Appendix 1: Response from the Australian Communications and Media Authority
  • Appendix 2: Unsolicited communications deliverables and KPIs (2012–15)

Abbreviations

ACCC

Australian Competition and Consumer Commission

ACMA

Australian Communications and Media Authority

AGIS

Australian Government Investigations Standards

ANAO

Australian National Audit Office

CCCD

Content, Consumer and Citizen Division

DNCR

Do Not Call Register

DNCR Act

Do Not Call Register Act 2006

FMA Act

Financial Management and Accountability Act 1997

KPI

Key Performance Indicator

MMS

Multimedia Message Service

PBS

Portfolio Budget Statements

PGPA Act

Public Governance, Performance and Accountability Act 2013

SMS

Short Message Service

UCB

Unsolicited Communications Branch

UCCS

Unsolicited Communications Compliance Section

Footnotes

1 The total worldwide cost of spam (including end-user costs and the costs of anti-spam technology and hardware) is estimated to be approximately $20 billion. See Rao, JM and Reiley, DH, ‘The Economics of Spam’, Journal of Economic Perspectives, 26 (3), 2012, p. 100.

2 The ACMA is a statutory authority within the federal Communications portfolio and is Australia’s regulator for broadcasting, the internet, radiocommunications and telecommunications.

3 The Do Not Call Register is a secure database containing the list of numbers Australians have registered. It is managed by a third party Register Operator contracted by the ACMA.

4 A message has an Australian link if it originates or was commissioned in Australia or originates overseas, but was sent to an address accessed in Australia.

5 A direct report about spam occurs when a member of the public forwards a spam email or SMS to the ACMA’s Spam Intelligence Database. Unlike complaints, reports are not necessarily reviewed individually, but they can contribute to the ACMA’s intelligence about spam trends and prevalence.

6 ANAO Audit Report No.16 2009–10 Do Not Call Register.

7According to ACMA business rules for DNCR regulatory responses, an entity is to be: issued with an advisory letter when one (or more) complaints are received by the ACMA; moved from advisory letter stage to informal warning letter stage if the ACMA receives five or more complaints about the entity during a 180-day monitoring period; and moved from informal warning letter stage to consideration for possible investigation if five or more complaints are received during an additional 180-day monitoring period.

8 The ACMA issued 940 DNCR advisory letters, 114 DNCR informal warning letters and 4967 spam informal warning letters.

9 According to the ACMA’s 2013–14 Annual Report, 86 per cent of spam-related companies contacted by informal warning letter for the first time in 2013–14 did not attract further complaints and 92 per cent of DNCR-related companies required only one advisory letter or warning letter in 2013–14 to address compliance issues.

10 None of the investigations finalised in 2013–14 involved court action.

11 The total worldwide cost of spam (including end-user costs and the costs of anti-spam technology and hardware) is estimated to be approximately $20 billion. See Rao, JM and Reiley, DH, ‘The Economics of Spam’, Journal of Economic Perspectives, 26 (3), 2012, p. 100.

12 ACMA’s 2014–15 Portfolio Budget Statements, p. 89.

13 The Do Not Call Register is a secure database containing the list of numbers Australians have registered. It is managed by a third party Register Operator contracted by the ACMA. The contract has been held by Service Stream Solutions Pty Ltd since 2007. However, the ACMA undertook a competitive tender process in 2014 that resulted in the contract being awarded to another service provider. Salmat Digital is scheduled to commence as the Register Operator in mid-2015.

14 According to the standards, telemarketing calls and marketing faxes are prohibited before 9 am and after 8 pm on weekdays, before 9 am and after 5 pm on Saturdays and all day on Sundays and national public holidays. Research calls are prohibited before 9 am and after 8:30 pm on weekdays, before 9 am and after 5 pm on the weekend and all day on national public holidays.

15 A message has an Australian link if it originates or was commissioned in Australia or originates overseas, but was sent to an address accessed in Australia.

16 Sending a commercial email without obtaining consent is a breach of section 16 of the Spam Act.

17 A ‘spamtrap’ is an email address that is not published or circulated, but whose existence can be ascertained through the use of machine techniques that are commonly used by spammers. It can be inferred that any marketing email sent to such an address is spam.

18 Malware is ‘malicious software’ designed to disrupt computer operation, gather sensitive information or gain access to private computer systems.

19 The ACCC is an independent Commonwealth statutory authority whose role is to enforce the Competition and Consumer Act 2010 and a range of additional legislation, promoting competition and fair trading and regulating national infrastructure.

20 According to sections 19–20 of the Australian Communications and Media Authority Act 2005, the ACMA consists of the following members: a Chair; a Deputy Chair; and at least one, and not more than seven, other full-time or part-time members. As at 15 January 2015, the ACMA had—in addition to the Chair, the Deputy Chair and one full-time Member—four part-time Members and one Associate Member.

21 According to the Department of Communications’ Portfolio Additional Estimates Statements 2014–15, the ACMA was budgeting in 2014–15 for total expenditure of $99.3 million. This represents an increase of $4.1 million from the 2014–15 Portfolio Budget Statements position due to the transfer of funding for enhancing online safety for children from Department of Communications and additional funding for pre-existing measures affecting the public sector.

22 ACMA’s 2015–16 Portfolio Budget Statements, p. 82.

23 The Unsolicited Communications Compliance Section (UCCS) was formed in late 2012 when the Anti-Spam Team merged with the Telemarketing Investigations Section.

24 The December 2013 discussion paper proposed four options: reduce the period of registration to three years; retain the current eight-year registration period; extend the registration period to indefinite; and remove the need to register.

25 The ANAO sample included: a random sample of 271 DNCR compliance activities related to 193 advisory letters and 78 informal warning letters that were sent in 2013–14; and a random sample of 235 spam compliance activities from 2013–14.

26 ANAO Better Practice Guide—Administering Regulation, June 2014, Canberra, pp. 45–47.

27The 2013–14 Annual Report also noted that the ACMA is increasing its engagement with members of the public on telemarketing and spam-related issues through social media, such as Facebook and Twitter.

28 ANAO Better Practice Guide—Administering Regulation, June 2014, Canberra, p. 15.

29 The DNCR is managed by a contracted third-party Register Operator who is responsible for handling registrations for the DNCR, operating the DNCR ‘washing’ services, maintaining the DNCR website and handling complaints from people who have received unsolicited telemarketing calls.

30 The DNCR sample included 193 advisory letters and 78 informal warning letters. The ANAO initially selected a random sample of 275 DNCR activities, however, subsequent analysis indicated that four of the reported DNCR compliance activities had not taken place. The remaining 271 DNCR activities were examined.

31 It is a breach of section 11 of the DNCR Act to make a non-designated unsolicited telemarketing call to a DNCR telephone number.

32 Sending a commercial email without consent is a breach of section 16 of the Spam Act.

33 The Complaints Management System for DNCR complaints and the Case Management and Investigations System for spam complaints.

34 A ‘commercial electronic message’ is a message that has the purpose to (among other things) offer to supply or advertise: goods or services; land or an interest in land; business opportunities; or investment opportunities.

35 For the purposes of the Spam Act, a designated commercial electronic message is a message that relates to goods or services that the message authoriser is the supplier of and the message authoriser is any of the following bodies: (1) a government body; (2) a registered political party; (3) a registered charity; and (4) an educational institution (if the receiver is, or has been, a student at that institution).

36 The six companies were based in Romania, Slovakia, the United States, India and the United Kingdom (two).

37 ANAO Better Practice Guide—Administering Regulation, June 2014, Canberra, p. 48.

38 For DNCR complaints, two parties can potentially be non-compliant for each unsolicited call made: the party who made the call (the telemarketer) and the party who caused the call to be made (the person or company that hired the telemarketer).

39 Commonwealth Ombudsman (2009) Better Practice Guide to Complaint Handling, p. 21.

40 The ACMA informed the ANAO that 166 (of 581) responses to complainants were not issued between October 2013 and February 2014.

41 The data provided to the ANAO by the ACMA on the total number of breaches and the number of breaches against specific legislative provisions were found to be inaccurate. The ACMA informed the ANAO that it is taking steps to improve the accuracy of this data.

42 In this context, the ANAO determines DNCR ‘complaint handling’ to refer to assessing and classifying complaints and responding to the complainant and spam ‘complaint handling’ to refer to assessing and classifying complaints (without auto-responses to spam complainants factored in). It does not, in either case, include the regulatory response, such as the issuing of an advisory or informal warning letter.

43The ACMA’s internal reports indicate that, in 2013–14, the UCCS met its DNCR complaint KPI for each of the 12 months and the spam complaint KPI for all months except November and December 2013.

44 ANAO Better Practice Guide—Administering Regulation, June 2014, Canberra, pp. 45–47.

45 This excludes 13 instances where the ACMA did not issue an advisory letter, because it escalated the cases directly to the informal warning letter stage.

46 Of these: 10 (4 per cent) related to both complaint(s) and report(s); 26 (11 per cent) related to one or more complaints (and no reports); 36 (15.5 per cent) related to two or more reports (and no complaints); and 163 (69.5 per cent) related to only one report (and no complaints).

47 The ACMA informed the ANAO that it has considered several technical solutions to secure the consent of spam reporters to use their information, but these options were not deemed feasible.

48 According to the ANAO’s analysis of a sample of 235 informal warning letters issued during 2013–14.

49 Department of the Prime Minister and Cabinet, The Australian Government Guide to Regulation, Canberra, March 2014, p. 2.

50Australian Government Investigations Standards, 2011, p. iii.

51Australian Government Investigations Standards, 2011, p. 1.

52 The ACMA was an FMA Act agency until 1 July 2014. It is now a PGPA Act entity.

53Australian Government Investigations Standards, 2011, p. iii.

54 This compliance instruction was issued prior to the introduction of the DNCR Act.

55 According to the AGIS, entities that are required to commence investigations in urgent circumstances may do so without a written plan, however, planning considerations during the course of the investigation should be appropriately recorded.

56 ANAO Better Practice Guide—Public Sector Governance, June 2014, Canberra, p. 31.

57 Section 521 applies to carriers and service providers, and section 522 applies to companies other than carriers and service providers.

58 This is a requirement under section 512(5) of the Telecommunications Act.

59 The notification of investigation closure by telephone was not in accordance with the ACMA’s procedural requirements, but the ACMA informed the ANAO of certain extenuating circumstances that led to its decision not to follow up, in this instance, with a standard letter of closure.

60DNCR Complaints Handling Policy, available from: <http://www.acma.gov.au> [accessed 14 January 2015].

61Spam Complaints Policy, available from: <http://www.acma.gov.au> [accessed 14 January 2015].

62 The Spam Act was introduced in 2003, followed by the DNCR Act in 2006.

63 The ACMA may issue a formal warning under section 40 of the DNCR Act and section 41 of the Spam Act for contraventions of civil penalty provisions.

64 The ACMA may issue infringement notices under Schedule 3 to the DNCR Act and Schedule 3 to the Spam Act for contraventions of civil penalty provisions.

65 The ACMA may accept enforceable undertakings under section 572B of the Telecommunications Act for DNCR-related cases and section 38 of the Spam Act for spam-related cases.

66 This is a two-stage system where a consumer opts in to receiving marketing messages and then confirms that they wish to receive these messages, usually by responding to an email.

67 Under section 24 of the DNCR Act and section 24 of the Spam Act.

68 Under section 34 of the DNCR Act and section 32 of the Spam Act.

69 The Public Governance, Performance and Accountability Act 2013 (PGPA Act) replaced the Financial Management and Accountability Act 1997 (FMA Act) on 1 July 2014. Under the PGPA Act (and the preceding FMA Act), the Chair, as the Accountable Authority, is responsible for the governance and management of the ACMA.

70 Reporting arrangements are discussed later in this chapter.

71 There were five general managers in 2013–14 prior to an organisational restructure in mid-2014.

72 The Unsolicited Communications Compliance Section (UCCS) was formed in late 2012 when the Anti-Spam Team merged with the Telemarketing Investigations Section.

73 The UCB also has a section that administers the DNCR (which includes managing the contract with the third-party Register Operator) and a section that manages internet security programs.

74 ACMA’s 2015–16 Portfolio Budget Statements, p. 82.

75 The ACMA’s current risk management guidance aligns with the 11 principles of risk management outlined in the international standard, ISO 31000:2009 Risk Management—Principles and Guidelines.

76 Risk ratings for the 11 risks included high (1), medium (5) and low (5).

77 Section 13(7) of the Public Service Act 1999.

78 For example, the proposal for a change in legislation to increase the duration of DNCR registration.

79 For example, the tender process to select a new DNCR Operator, which was undertaken in 2013–14.

80 The DNCR KPI concerning the closure of 90 per cent of enquiries within 21 days of receipt was not achieved in October 2013 because of resource limitations coupled with the deployment of a new IT system that placed additional demands on available staff.

81 The ANAO’s review of four consecutive PBSs between 2011–12 and 2014–15 found that the ACMA’s outcome has remained consistent across all four financial years.

82 For example, ‘Online content, DNCR, spam, broadcasting and telecommunications consumer codes complaints dealt with within applicable timeframes’.

83 Although KPIs that related generically to ACMA activities have been included in prior PBSs, they did not relate specifically to unsolicited communications activities.

84 ACMA’s 2013–14 Annual Report, p. 84.

85 ANAO Audit Report No.21 2013–14 Pilot Project to Audit Key Performance Indicators, pp. 90–91.

86 Section 105 of the Telecommunications Act requires the ACMA to monitor, and report each year to the Minister on, significant matters relating to the performance of carriers and carriage service providers.

87 There was a one to two per cent variance between the reported figures and the actual numbers.

Related documents: