“Delay is the enemy of progress”
— Eliot Spitzer, “Pretty Woman”
Delays and deterrence
“the reporting obligation is an important one in terms of the regulation of the financial services industry and I reject the submission .. that no penalty, or only a nominal penalty, was appropriate”
— Besanko J, ASIC v Statewide Superannuation FCA 1650 at 123
In the wake of that article, we received numerous questions about the penalty provisions and some criticism of adviser bashing. We still think our assessment was balanced but, in the interest of industry harmony and goodwill to all, we’d like to (briefly) address Australian Securities and Investments Commission v Statewide Superannuation Pty Ltd FCA 1650 (“ASIC v Statewide”).
ASIC v Statewide Superannuation
Although perhaps not as important as St George’s victory over South Sydney in the Charity Shield, we understand that this was the first case in which a Court imposed civil penalties for a licensee’s poor breach reporting since the penalties were significantly increased in 2019.
As Thucydides observed, no Licensee Executive ever allows mismanagement “without the inward conviction that he would succeed in his design”, so civil penalties, as either a specific or general deterrence, may have limited value. Treasury, more aligned with Cleon than gentle Diodotus, took an alternative view when they significantly strengthened the civil penalty regime in March 2019.
While John Doyle and RI Advice’s treatment demand a degree of attention, it’s worthwhile considering the treatment of Statewide Superannuation Pty Ltd, whose delay in notifying ASIC of reportable breaches caused by administration system failures led to the imposition of a pecuniary penalty of $500,000. Although this may be a rounding error for the bigger banks’ remediation projects, it was a significant penalty for Statewide (even without the complementary $3,500,000 penalty for making false and misleading statements).
If you’ve ever struggled to produce an accurate FDS from disconnected, legacy payment systems you may empathise with Statewide’s predicament. In this scenario, failures and defects in their administration system caused them to deduct insurance premiums from members without insurance policies. This error was compounded by Statewide issuing annual statements that the affected members held insurance policies and that the Trustee was entitled to deduct fees from their accounts.
Statewide became aware of the problem and, to its credit (and Commissioner Hayne’s relief), neither rationalised and dismissed the problem nor sought to bury the failure as an insignificant process issue. Instead, once they became aware of the problem, they commenced a thorough investigation to identify affected persons and quantify the loss or damage.
The problem was that Statewide did not report the breach to ASIC until at least 25 days later than it should have. You’re no doubt aware that, since October 2021, Licensees have thirty (30) days to notify ASIC about reportable situations but, at the time, Statewide were required to notify ASIC within ten (10) days.
Although the Court found that the conduct was not deliberate and the delay was not substantial, it still imposed penalties of $4,000,000 in recognition that early breach reporting is the foundation of effective regulation.
If the numbers don’t bother you, take the time to appreciate that civil and criminal penalties are available under the new breach reporting regime.
The old order is rapidly fading
“The relief sought by ASIC consisted of declarations of contraventions of both the Corporations Act and the ASIC Act, the imposition of pecuniary penalties, an adverse publicity order, an order requiring the establishment and implementation of a review and remediation program and an order for costs.”
— ASIC v Statewide FCA 1650 at 1
ASIC submitted that, from 1 July 2017, Statewide Superannuation Pty Ltd (“Statewide”) deducted approximately $2,700,000 in premiums from member accounts of members without insurance cover and, after identifying the problem in May 2018, failed to inform the affected members, failed to prevent further overcharging and failed to prevent misleading statements being issued to the affected members. It’s relevant to note that up to 1300 members were affected.
It was on this basis that Statewide were believed by ASIC to have failed to “act efficiently, honestly and fairly” (contravening s912A(1)(a)) and, by failing to report significant issues to ASIC in the prescribed time, contravened s912D(1B) and s912D(3). It should be noted that the failure to report significant breaches, or meet the general obligations, were in addition to numerous breaches of the ASIC Act and alleged misleading and deceptive conduct.
“ASIC submitted, correctly in my view, that there was within Statewide inadequate management and risk control.”
— Besanko J at 54
IRESS may have a different perspective of the administrative system failures, but what I find particularly interesting is the Court’s approach to quantifying liability. As we saw in the RI Advice case, the Courts will be guided by the formal requirements of s1317G(6) of the Corporations Act (and consider the person’s history and the nature and extent of the contravention, loss or damage) but exercise considerable restraint when assessing appropriate penalties.
To be clear, we are not suggesting that the Courts fail to appropriately use civil penalty provisions as either specific or general deterrents, but rather that the maximum penalties
The wheel’s still in spin
“These problems are increasingly not being fixed”
— ASIC v Statewide, Besanko J at 63
There is no doubt that Statewide compounded poor systems with bureaucratic requirements that, in practice, contradicted their own breach reporting policies. Despite the unambiguous statement in their Incident and Breach Reporting Policy that “the [ten day reporting] timeframe is a regulatory requirement and cannot be extended”, reporting was repeatedly delayed without any consequence.
Management simply failed to comply with the law and their delays could have had a much larger impact than Statewide might have considered acceptable. The reason is simple (and one that every Licensee must understand). Although the maximum penalty for a contravention of s912D(3) is $10,500,000, the 2019 changes mean that there is a separate contravention on each day the contravention occurs. So, a 20 day delay increases the maximum possible penalty to $210,000,000. The challenge for the Courts is to balance the mathematical application of these provisions with the specific conduct in a way that is both instructive and consistent with the Legislature’s intent. Remember that the principal object of imposing pecuniary penalties is to deter the contravener (specific deterrence) and dissuade others from similar behaviour (general deterrence).
Admittedly, the penalty imposed was significant, but considerably less than that sought by ASIC. While it may serve as a specific deterrence, will the penalty effectively serve as a general deterrence for other parties?
It may be that, in the absence of recklessness and deliberate misconduct, the possibility of stronger penalties will have the perverse effect of reducing the penalties imposed by the Courts. It’s too early to know (and it’s generally poor reasoning to generalise from specifics), but the Courts’ demonstrable willingness to significantly reduce the orders sought by ASIC may make Enforceable Undertakings the preferred enforcement strategy for both ASIC and the entities they regulate (particularly where contravening parties act quickly to identify and remediate issues).
A ‘Why not litigate’ approach may terrify advisers and the smaller licensees, but the variability and uncertainty of litigated outcomes for errors and mismanagement make negotiated outcomes preferable for both parties. This may be fortuitous since, in November 2021, ASIC updated Regulatory Guide 100 (“Court Enforceable Undertakings”) to reflect their revised approach. RG100 hadn’t been amended in over five years, and its updating may signal more than renewed commitment to deliver on the more timely and effective outcomes promised in ASIC’s Corporate Plan for 2021-2025. Although ASIC’s use of Court Enforceable Undertakings was widely criticised by Commissioner Hayne, his criticism was largely directed at ASIC’s strategy rather than at the administrative remedy itself.
ASIC’s willingness to once again embrace EUs as an efficient and cost-effective way to influence conduct does not, necessarily, suggest a return to ASIC’s pre-Hayne approach to enforcement. While it might, for some, signal a renewed timidity to enforce the law, it’s more likely signalling regulatory pragmatism and ASIC’s willingness to embrace flexibility to achieve outcomes in the public interest. The latter approach is more likely given ASIC’s declaration that it will not accept an EU that allows parties to deny liability, embed confidentiality or establish defences against future enforcement activity.
In any event, regardless of whether ASIC pursue litigation or Court Enforceable Undertakings, it’s clear that contravening parties would be well advised to actively (and strategically) manage their engagement with ASIC and complement early engagement with demonstrable efforts to escalate, and fix, compliance failures.
It’s far too early to opine about ASIC’s teeth, or their willingness to use them, and it’s premature to conclude that these changes will embolden institutions to return to advice. What these matters suggest to us is that since there’s no easy enforcement option for contravening parties, Licensees and advisers will need to embrace alacrity, transparency and objective risk-assessment. Smart compliance people, for their part, should respond to these nuanced regulatory signals by developing their negotiation and project management skills and increasing their practical understanding of the technology on which they rely.
Your call to action
- Review, and republish, your Incident Management and Breach Reporting policies.
- Refine, and republish, your Consequence Management Policy.
- Ensure your systems can accurately record, track and escalate incidents and breaches.
- When investigating/remediating, prefer speed over absolute certainty.
- Confirm when, or at what point, your PI Insurer needs to be notified.
- Refine your regulatory engagement framework to allocate clear accountability for breach reporting to one person.
- Formally consider whether cultural norms, business rules or internal structures undermine your capacity for effective regulatory reporting and engagement.