Introduction

1. Australia’s financial system plays an essential role in supporting the economic prosperity of Australians by, among other things, providing consumers and businesses with banking, investment, superannuation and insurance services. Australia’s financial system has grown strongly in recent years, particularly following the introduction of compulsory superannuation in 1992. Financial assets have grown from around two years’ worth of Australia’s nominal gross domestic product¹ in 1997 to more than three times nominal gross domestic product in 2013. At December 2014, financial institutions in Australia controlled assets of around $6 trillion.²

2. The Australian Securities and Investments Commission (ASIC) is Australia’s corporate, financial markets, financial services and consumer credit regulator. It seeks to ensure the markets it regulates are fair and transparent, supported by confident and informed investors and consumers. It has wide-ranging responsibilities that include regulation of around 2.2 million companies and 5000 Australian financial services licensees.³ Together with the Australian Prudential Regulation Authority and the Reserve Bank of Australia, ASIC plays a major role in regulating Australia’s financial system.

3. One of ASIC’s most important responsibilities is to ensure that regulated entities⁴ comply with their legal obligations, including obligations under the Corporations Act 2001. ASIC has developed a range of strategies aimed at encouraging voluntary compliance and addressing non-compliance. These strategies include:

• educating consumers and investors to make informed and appropriate choices when dealing with money and financial products and services;
• providing guidance to regulated entities on how to comply with their obligations; and
• communicating the actions that ASIC takes to inform regulated entities about the standards that it expects and the consequences of failing to meet those standards.⁵

4. Where there is non-compliance by a regulated entity, ASIC can take enforcement action to deal with and deter the misconduct. This may involve conducting an investigation and: taking criminal action (such as seeking imprisonment); commencing civil proceedings (including seeking civil penalty orders); taking administrative action (such as banning orders and imposing licence conditions); or accepting a negotiated outcome (including an enforceable undertaking, known as an EU). ASIC has adopted a graduated approach to enforcement, with the more severe and less frequently used sanctions being employed for serious misconduct, while responses such as EUs are used for less serious misconduct.

5. An EU is a written undertaking given to ASIC by a company or individual that it will operate in a certain way. EUs can achieve a broad range of outcomes, such as requiring an entity to compensate consumers, improve its compliance processes, cease providing services for a period or indefinitely, or undertake specific education programs. In contrast to other regulatory alternatives, an EU can be a relatively quick remedy where: results are more certain than the outcomes of court proceedings; it has the potential to change the compliance culture of an organisation; and it may achieve an outcome that is comparable to, or better than, that obtained in court. An EU is not an alternative to commencing criminal action, and is generally not used in cases involving deliberate misconduct, fraud, or conduct involving a high level of recklessness.

6. An EU generally arises where ASIC becomes aware of potential misconduct by an entity. Discussions may then commence between ASIC and the entity about how to resolve ASIC’s concerns. If ASIC considers that an EU would provide an effective regulatory outcome in response to the misconduct, it may enter into negotiations with, and accept an EU from, the entity.

7. Between 1 January 2012 and 30 June 2014, ASIC entered into 53 EUs.⁶ The entities involved included large banks and other financial institutions, large public companies, providers of credit, and individual auditors and liquidators. The EUs related to a wide variety of conduct, including:

• misleading or deceptive conduct by financial institutions;
• failures by company auditors and liquidators to properly carry out their duties and functions;
• poor advice provided by financial advisers; and
• the failure of Australian financial services licensees to monitor and supervise the financial services provided by their representatives.

8. Following acceptance of an EU, ASIC monitors compliance with the undertaking by the entity or individual (promisor), often with input from an independent expert. If the promisor does not comply with the EU, ASIC may enforce the undertaking, generally in the Federal Court of Australia or a State Supreme Court.

9. ASIC has five Commissioners, including the Chairman, Deputy Chairman and three members (the Commission). Reporting to the Commission are 12 stakeholder teams and three enforcement teams organised around the industry segments regulated by ASIC. Each of the teams is headed by one or more Senior Executive Leaders who have responsibility for most regulatory activities undertaken by ASIC, including the decision to accept an EU (except for a major matter which must be approved by ASIC’s Enforcement Committee or the Commission).

Parliamentary interest

10. In June 2014, the Senate Economics References Committee released a report on its inquiry into the performance of ASIC.⁷ In this report, the Committee recognised the good work that ASIC has done in a challenging environment, but raised a number of concerns about the performance of ASIC, including in relation to its use of EUs. The Committee’s report contained 61 recommendations aimed at enabling ASIC to fulfil its responsibilities more effectively. The report also raised concerns about ASIC’s enforcement decisions, and particularly its use of EUs. In summary, issues raised in submissions and highlighted by the Committee included: the use of EUs as a remedy for misconduct by large entities; the strength of terms included in EUs; the clarity of EUs in describing the alleged misconduct; and the transparency of the monitoring of compliance with EUs. The report included a recommendation that the Auditor-General undertake a performance audit of ASIC’s use of EUs. The Auditor-General agreed to this request.

Audit objective and criteria

11. The objective of the audit was to assess the effectiveness of the Australian Securities and Investments Commission’s administration of enforceable undertakings.

12. To form a conclusion against this objective, the Australian National Audit Office (ANAO) adopted the following high level criteria:

• management arrangements are in place that support the effective, consistent and transparent administration of EUs;
• offers of an EU are administered consistently, transparently and in accordance with ASIC’s policies and procedures; and
• EUs accepted by ASIC are monitored to ensure compliance with those undertakings, action is undertaken where non-compliance is identified and the effectiveness of EUs as a regulatory tool is assessed.

Overall conclusion

13. As one of ASIC’s suite of regulatory responses, enforceable undertakings (EUs) have a valuable role in ASIC’s overall enforcement approach. EUs are particularly useful in addressing less serious misconduct where the promisor is co-operative. A potential benefit of EUs is in driving changes in a promisor’s compliance culture and systems, whereas an administrative penalty (or even a civil sanction) may not lead to behavioural change. Since their introduction in 1998, ASIC has accepted an average of 24 EUs per year, and from January 2012 to June 2014, 53 of ASIC’s 1711 enforcement actions (three per cent) were EUs.

14. In general, ASIC has effectively administered the EUs it has negotiated and accepted. It has sound processes for each major step of the EU process: accepting EUs as the most appropriate regulatory tool; including terms in the undertaking that appropriately address the misconduct; and monitoring adherence to those terms and addressing any identified non-compliance. However, there is considerable scope to improve the record keeping processes supporting EU decisions and compliance monitoring, as documentation was inconsistent, dispersed across multiple systems and not always readily available. In addition, ASIC does not measure or report on the effectiveness of EUs in achieving intended regulatory outcomes, including greater levels of voluntary compliance. Improved performance measurement and reporting would better inform key stakeholders, including Parliament, of the effectiveness of ASIC’s regulation.

15. In relation to entering into EUs, ASIC has accepted offers of EUs consistently, transparently and in accordance with its policies and procedures. For most EUs reviewed by the ANAO (83 per cent)⁸, there was sufficient documentation to demonstrate that accepting an EU would provide an effective regulatory outcome⁹ and no instances were identified where promisors were treated differently based on the size of their business.

16. ASIC also had a sound basis for including particular terms in each EU, with the terms generally aligning with the non-compliance at which the EU was directed. However, ASIC could ensure that EUs are clearer about the misconduct that was the subject of ASIC’s concerns. ASIC could also strengthen its capacity to assess compliance with, and the effectiveness of, EUs by more consistently including in the terms of an EU the requirement that the promisor report back to ASIC demonstrating their compliance with EU obligations. This information will better inform ASIC’s monitoring of the promisor’s compliance with the EU and, where necessary, its response to non-compliance.

17. Where the EU required an independent expert to assess the promisor’s compliance with EU obligations, ASIC was generally involved with the review process, and the reports provided by the expert were satisfactory. However, there were inconsistencies in ASIC’s approach to approving the appointment of experts and their terms of reference.¹⁰ In February 2015, ASIC released new public guidance that is expected to help improve processes relating to the appointment of independent experts.

18. The ANAO has made two recommendations aimed at improving ASIC’s measurement and reporting of the effectiveness of EUs, and its documentation of key decisions relating to EUs.

Key findings by chapter

Managing Enforceable Undertakings (Chapter 2)

19. A key component of any regulatory regime is a sound compliance and enforcement approach. ASIC follows a structured process to identify and prioritise its strategic compliance risks. Once risks are identified, it has a well-established hierarchy of regulatory responses to non-compliance, including enforcement options. EUs have a clear place in ASIC’s approach, as a response to less serious misconduct, particularly as they can provide flexibility and have the capacity to drive cultural change in a promisor’s business.¹¹

20. To support its decision-making in respect of EUs, ASIC has a range of public guidance (including regulatory guides and information sheets), and internal policies and procedures. ASIC also negotiates outcomes that are not EUs.¹² However, the role of these is less clear, as there is no policy, definition or register for these other negotiated outcomes. To provide more certainty to regulated entities, ASIC should consider ways to provide greater clarity around the circumstances in which it accepts and enters into other negotiated outcomes.

21. ASIC’s organisational arrangements for EUs are appropriate. The stakeholder and enforcement teams have clear roles and responsibilities in relation to EUs.¹³ There are sound procedures for Senior Executive Leaders to provide oversight and direction, and to refer major matters for consideration by ASIC’s Enforcement Committee and where relevant, approval by the Commission. However, internal management reporting is currently limited to reporting on the progress of EU negotiations, and more recently, compliance with undertakings for some EUs. Improving reporting to include the consistency, timeliness and outcomes of EUs would better position senior management in oversighting EUs.

22. There is sufficient guidance, on-the-job training and support for ASIC officers involved in the EU process. However, there is scope for ASIC to consolidate the information relating to EUs to reduce duplication, improve accessibility and facilitate better internal and external oversight of the EU process.¹⁴

23. All regulators require a sound performance measurement and reporting framework, and an understanding of the costs of its regulatory activities. ASIC has five KPIs that relate to EUs. However it does not report externally against three of these KPIs, and only reports partially against two KPIs.¹⁵ The enhanced Commonwealth performance framework will come into effect on 1 July 2015, and provides the opportunity for ASIC to review its KPIs and develop appropriate performance measures, and to report on the extent to which EUs support ASIC in achieving regulatory outcomes. There would also be benefit in ASIC more systematically collecting information covering the costs of administering EUs, to help allocate its resources effectively and to ensure it is not placing an excessive burden on regulated entities.

Entering into Enforceable Undertakings (Chapter 3)

24. To help ensure that EUs are administered consistently and transparently, it is important that they are entered into in accordance with ASIC’s policies and procedures. ASIC’s internal guidance requires senior management involvement in all EUs, including approving the commencement of negotiations and providing final approval for the EU. For 85 per cent of EUs reviewed by the ANAO, senior management was appropriately involved throughout the process and, for 77 per cent of EUs, there was documented approval for the decision to negotiate an EU. However, the format and content of documentation (including approvals) varied substantially between cases and there is considerable scope to improve ASIC’s documentation to support a more consistent approach to the EU decision-making and approval process.

25. For 44 (83 per cent) of the 53 EUs reviewed, the documentation was sufficient to establish that the decision to accept an EU—on the basis that it would achieve an effective regulatory outcome—was defensible.¹⁶ In these cases, the ANAO was able to identify some comparative analysis outlining the benefits of accepting an EU over other regulatory options (such as court action). The most common justifications for entering into an EU included that the EU provided a superior outcome to consumers and investors and/or a more timely and cost effective way to deal with the misconduct. No instances were identified where promisors were treated differently based on the size of their business.

26. Generally, terms included in EUs provided a proportionate regulatory response to the non-compliance identified. The individual terms in the EU and the misconduct at which those terms were directed were also clearly aligned. However, ASIC does not assess the effectiveness of EUs (and terms in EUs) to enable it to have a firmer basis for requiring particular terms in EUs, or to provide assurance that EUs are having the desired regulatory outcome. In addition, to improve its capacity to monitor compliance with EUs (and to assess their effectiveness), ASIC could include reporting requirements in EUs requiring the promisor to provide proof of discharging their obligations. In line with the Senate Economics References Committee’s recommendation, there is also scope for ASIC to ensure that EUs are clearer about the misconduct that was the subject of ASIC’s concerns. This can be achieved by ASIC setting expectations about the required content of EUs through its policies, and through consistent actions in requiring future EUs to include a sufficiently clear statement about the alleged misconduct.

27. When EUs are being finalised, the Chief Legal Office is to provide quality control and assurance. However, while there was evidence of Chief Legal Office involvement for most EUs (91 per cent), an approval was documented in only 41 per cent of cases. Also, while senior executives ultimately sign all EUs, final approvals were only recorded (as required by ASIC guidance) in 53 per cent of cases. Accordingly, there would be merit in ASIC formalising the processes for obtaining approvals for EUs.

28. ASIC’s policy is that it will issue a media release for each EU and, at its discretion, may give advance notice about the media release to a promisor. While media releases were published for 52 of the 53 EUs reviewed, there was inconsistency in ASIC’s handling of requests from promisors for advance copies of media releases. In March 2015, ASIC advised that it will be introducing a new policy that media releases will generally be provided to all promisors that enter into an EU, 24 hours before publication.

Monitoring Compliance with Enforceable Undertakings (Chapter 4)

29. To assess whether EUs achieve intended regulatory outcomes (including greater compliance), it is important that ASIC monitors compliance by promisors with these undertakings.¹⁷ In this regard, ASIC’s monitoring of compliance with EUs was adequate for the significant majority of EUs reviewed (83 per cent). In accordance with its risk-based approach, monitoring was generally undertaken consistently, with ASIC having more extensive ongoing involvement with a promisor where the EU was complex or involved ongoing obligations. Where ASIC had information available suggesting non-compliance with an EU, it responded appropriately having regard to the circumstances of the matter.

30. To assist in monitoring a promisor’s compliance with an EU and/or relevant laws following acceptance of an EU, ASIC often requires the appointment of an independent expert to conduct independent reviews of the promisor’s business. However, there were inconsistencies in the process for appointing independent experts under an EU. Of the 30 EUs that required an independent expert to be appointed, 13 did not provide for ASIC to approve the expert
and/or their terms of reference. Further, even where there was a requirement for ASIC to approve the expert, the practices for this varied considerably between EUs, and there was no documented consideration of the appropriateness of an expert for one-third of cases where an approval had been given. In four of the 10 EUs reviewed (40 per cent) where there was documented consideration of the appropriateness of an independent expert, ASIC rejected the initial expert proposed by the promisor. ASIC has recently released new public guidance that requires promisors to obtain ASIC’s approval for the appointment of an expert and their terms of reference. It is expected that this will increase consistency over time.

31. In general, reports produced by independent experts addressed EU requirements, were sufficiently comprehensive and provided meaningful recommendations for promisors to improve their compliance with the legislation and/or the EU. The level of engagement by ASIC with the appointed independent expert reflected a risk-based approach, depending on the nature and complexity of the EU, and the misconduct at which the EU was directed. For 75 per cent of EUs where an independent expert had been appointed, there was evidence of ASIC assessing the reports provided by the expert and in 60 per cent of cases, there was evidence of direct communication by ASIC with the expert. However, while its engagement with experts was effective overall (particularly when a stakeholder team was responsible for monitoring compliance), ASIC should keep records of such engagement and ensure that roles and responsibilities for monitoring are clearly understood.

32. In its report, the Senate Economics References Committee recommended that ASIC consider ways of making the monitoring of ongoing compliance with EUs more transparent. In response, in August 2014 ASIC introduced draft guidance requiring, as a general position, the public reporting of outcomes of EUs (including the publication of summaries of independent expert reports). ASIC is currently entering into EUs consistent with this new policy and anticipates that by doing so, it will effectively address the Senate Economics References Committee’s recommendation. Nevertheless, there remains scope for ASIC to more systematically assess, and report publicly on, the effectiveness of each EU in achieving its desired regulatory outcomes.

Summary of entity response

33. ASIC provided the following summary comment to the audit report:

ASIC welcomes the ANAO audit report on ASIC’s administration of enforceable undertakings and considers it provides useful recommendations for improvements in practices. ASIC also welcomes the findings by the ANAO that enforceable undertakings have a significant role to play in ASIC’s enforcement approach, that in general, ASIC has effectively administered the enforceable undertakings it has negotiated and accepted, and that ASIC has accepted offers of enforceable undertakings consistently, transparently and in accordance with its policies and procedures. The findings that ASIC’s decisions and actions regarding enforceable undertakings are underpinned by a structured compliance and enforcement approach and that the ANAO did not identify any instances where promisers were treated differently based on the size of their business are also welcomed by ASIC.

ASIC agrees with the two recommendations made in the report, aimed at improving ASIC’s measurement and reporting of the effectiveness of enforceable undertakings, and at the documentation of key decisions relating to enforceable undertakings. ASIC confirms the recommendations will be implemented.

ASIC has been working towards the development of performance measures and reporting to comply with enhanced Commonwealth reporting obligations that take effect on 1 July 2015.

34. ASIC’s full response is included at Appendix 1.

Recommendations

Background and context

1.1 Australia’s financial system plays an essential role in supporting the economic prosperity of Australians, by providing consumers and businesses with banking, investment, superannuation and insurance services. Among other things, Australia’s financial system is crucial to enabling businesses to attract capital to expand their businesses, providing the means for consumers to borrow to fund large purchases and allowing individuals to provide for their retirement. In recent years, there has been significant growth in Australia’s financial system, with financial system assets growing from two years’ worth of Australia’s nominal gross domestic product in 1997 to more than three times nominal gross domestic product in 2013.¹⁸ At December 2014, financial institutions in Australia controlled assets of around $6 trillion.¹⁹

1.2 The Australian Securities and Investments Commission (ASIC) is Australia’s corporate, financial markets, financial services and consumer credit regulator. It seeks to ensure the markets it regulates are fair and transparent, supported by confident and informed investors and consumers. Together with the Australian Prudential Regulation Authority and the Reserve Bank of Australia, ASIC plays a major role in regulating Australia’s financial system. One of ASIC’s most important responsibilities²⁰ is to ensure that regulated entities comply with their legal obligations, including obligations under the Corporations Act 2001.

1.3 In 2013–14, ASIC’s operating expenditure was $341 million. As shown in Figure 1.1, 40 per cent of this expenditure was directed towards markets. This strategic priority broadly covers corporate governance²¹ and market integrity, and involves regulating the 2.2 million registered companies in Australia²² and supervising trading on Australia’s domestic equities, derivatives and futures markets. As at 30 June 2014, there were 40 authorised financial markets and six licensed clearing and settlement facilities. Australia’s largest financial market is the Australian Stock Exchange, one of the largest share markets in the world, with a domestic equities market capitalisation of $1.57 trillion.²³

Figure 1.1: ASIC’s resource allocation by strategic priority, 2013–14

Source: ASIC Annual Report 2013–14.

1.4 The other significant area of regulation carried out by ASIC is in relation to investors and financial consumers, to which 33 per cent of ASIC’s resources were directed in 2013–14. In relation to investors and financial consumers, ASIC is responsible for, among other things:

• monitoring financial services businesses to help ensure they operate efficiently, honestly and fairly; and
• ensuring persons who engage in credit activities meet the standards—including their responsibilities to consumers—that are set out in the National Consumer Credit Protection Act 2009.

1.5 In 2013–14, ASIC oversaw 3391 Australian financial services licensees that provide personal financial advice, 3673 registered managed investment schemes and 5837 Australian credit licensees.²⁴ The considerable resources directed towards investors and other financial consumers reflects the significant role that financial services play in Australia’s economy and its essential contribution to investment, savings and retirement incomes.

1.6 The importance of effective financial regulation in Australia was illustrated by the collapses of Storm Financial and Opes Prime in 2008–09. In the case of Storm Financial, around 3000 of its clients, typically individuals seeking to generate retirement savings and income, suffered combined losses of around $830 million. Many of these clients were required to sell their homes.²⁵ In respect of Opes Prime, a securities lending and stockbroking firm, creditors sold the securities for a small proportion of their initial worth. Consequently, Opes Prime’s clients, many of whom thought the arrangement was a standard loan, suffered losses such as their entire retirement savings and forced sales of family homes, as well as breakdowns in personal relationships and ill health.²⁶ There have also been instances of inappropriate or predatory lending practices, which are often targeted at vulnerable, disadvantaged or low-income consumers.²⁷

1.7 ASIC’s compliance model is based on a ‘detect, understand and respond’ approach.²⁸ Detection occurs through surveillance, reports from the public and whistleblowers, data gathering and matching, and intelligence. ASIC responds to non-compliance, or the risk of non-compliance, by: disrupting harmful behaviour; taking enforcement action; communicating the actions it takes; educating investors and financial consumers; providing guidance to ‘gatekeepers’²⁹; and providing policy advice to Government.

1.8 In conducting its 2013–14 regulatory activities, 35 per cent of ASIC’s resourcing was directed towards enforcement and 20 per cent towards surveillance activities. ASIC’s surveillance activity generally involves monitoring entities to determine whether they are complying with the relevant legislation. ASIC adopts a risk-based approach to surveillance, which may be proactive or reactive. For example, ASIC may proactively target the largest firms in a market through site visits and desk-based reviews, or it may be reactive, in response to breach reports, or reports of misconduct from the public and whistleblowers. Where ASIC identifies misconduct as a result of its surveillance activity, public or statutory reports, or referrals from another regulator, it may take enforcement action. Enforcement is one of the many regulatory tools available to ASIC, and is used to deter misconduct. Enforcement includes: taking criminal action (such as seeking imprisonment); commencing civil proceedings (including seeking civil penalty orders); taking administrative action (such as banning orders and imposing licence conditions); or accepting a negotiated outcome (including an enforceable undertaking).

Enforceable undertakings

1.9 An enforceable undertaking (EU) is a written undertaking, given to ASIC by a regulated entity, that it will operate in a certain way.³⁰ For example, an EU may typically require an entity or an individual (the promisor) to:

• remedy the deficiencies in a company’s compliance systems by taking certain specified action, and having this reviewed by an independent auditor or expert;
• complete additional professional education, or for a set period of time, refrain from performing a significant role in an audit engagement, or be subject to technical supervision on future audit engagements;
• inform the market to correct false or misleading disclosures;
• perform a community service obligation (for example, by funding an education program for consumers of particular financial services); or
• write to investors or parties affected by misconduct, advising them of the existence of the EU, its terms and how a copy of it can be obtained.³¹

1.10 EUs are used as an alternative to civil court action or administrative actions (such as banning orders, imposing licence conditions, or issuing an infringement notice). In comparison to these, EUs provide a tailored and more certain outcome that can, for example, involve entities making substantial changes to their systems and cultures and, in appropriate cases, making restitution. EUs may be preferred to civil action as the latter is usually lengthier and the outcome is uncertain. Administrative actions such as infringement notices may not lead to cultural or behavioural change, as the entity may see the penalty as simply a cost of doing business. An EU is not an alternative to commencing criminal action, or to be used in cases of deliberate misconduct, fraud, or conduct involving a high level of recklessness.³²

1.11 ASIC is able to accept EUs from individuals and corporations and in respect of any area where ASIC has regulatory responsibility.³³ ASIC considers EUs are ‘an important component in [its] array of enforcement remedies to influence behaviour and encourage a culture of compliance’. In its view, an EU ‘can sometimes offer a more effective regulatory outcome than could otherwise be achieved through other available enforcement remedies’.³⁴ EUs have been identified as a form of restorative justice, where the objective is to address the harm done (restoration), repair relationships, and reduce recidivism.³⁵

1.12 Where an EU is not complied with, ASIC may apply to a court (generally, the Federal Court of Australia) for relevant orders, including for the promisor to: comply with a term of the undertaking; pay the Commonwealth an amount up to the amount of any financial benefit directly attributable to the breach; or compensate any other person who has suffered loss or damage as a result of the breach. Failure to comply with such an order is a contempt of court.

ASIC’s use of enforceable undertakings

1.13 ASIC’s use of EUs in the context of its other enforcement activities covering the period 1 January 2012 to 30 June 2014 is outlined in Table 1.1.

Table 1.1: ASIC enforcement outcomes, 1 January 2012 to 30 June 2014

Source: ASIC, Report 383: ASIC enforcement outcomes: July to December 2013 and ASIC, Report 402: ASIC enforcement outcomes: January to June 2014.

Note: ASIC reports outcomes per defendant, rather than per matter.

Note 1: Civil outcomes include declarations, injunctions and civil penalty orders.

Note 2: The figure for EUs also includes other negotiated outcomes. An example of an ‘other negotiated outcome’ is where ASIC negotiated with a home loan lender to have the lender refund early termination fees paid by consumers in breach of the relevant consumer credit law. ASIC’s publicly available enforcement statistics do not separate EUs from other negotiated outcomes.

Note 3: The large number of criminal convictions arising from small business compliance and deterrence activities reflects the high-volume investigative activities of ASIC’s Small Business Compliance and Deterrence team. These activities include: taking action against directors who fail to assist liquidators when their companies fail; investigating and banning directors; and preparing criminal briefs for matters including breaches of director’s duties, managing while disqualified, lodging false documents and failing to lodge financial statements.

1.14 Table 1.1 combines EUs and negotiated outcomes. To determine the number and nature of EUs entered into from 1 January 2012 to 30 June 2014, the Australian National Audit Office (ANAO) examined ASIC’s EUs register, available on its website (Table 1.2).

Table 1.2: Number and nature of enforceable undertakings entered into by ASIC, 1 January 2012 to 30 June 2014

Source: ANAO analysis.

Note 1: The Australian Bureau of Statistics definition of a large business is used—that is, one with 200 or more employees.

Note 2: Includes two EUs relating to influencing the Bank Bill Swap Rate, one EU relating to a breach of continuous disclosure obligations, one EU relating to corporate governance and one EU involving market misconduct.

Note 3: These figures are for the half year to June 2014. A further 13 EUs were accepted by ASIC in the period 1 July 2014 to 31 December 2014.

Note 4: The figures for EUs by entity size in 2014 add to 11 (rather than 10) because one EU accepted during the year involved both small companies and individuals associated with those companies.

1.15 From July 1998 (when EUs were introduced) to December 2014, a total of 388 EUs were accepted by ASIC (an average of 24 annually) and from January 2010 to December 2014, 92 EUs were accepted (an average of 18 annually). Table 1.2 shows that in 2013 and the first half of 2014, ASIC entered into more EUs with companies than with individuals. In this period, the EUs also related to comparatively more credit and financial services matters.

Parliamentary and other external scrutiny of ASIC

1.16 In June 2013, the Senate referred the performance of ASIC to the Senate Economics References Committee for inquiry. The terms of reference for the inquiry were:

• ASIC’s enabling legislation, and whether there are any barriers preventing ASIC from fulfilling its legislative responsibilities and obligations;
• the accountability framework to which ASIC is subject, and whether this needs to be strengthened;
• the workings of ASIC’s collaboration and relationships with other regulators and law enforcement bodies;
• ASIC’s complaints management policies and practices;
• the protections afforded by ASIC to corporate and private whistleblowers; and
• any related matters.³⁶

1.17 The Senate Economics References Committee tabled its final report on 26 June 2014. One area of focus for the Committee was the allegations of serious misconduct engaged in by financial advisers at Commonwealth Financial Planning Limited (part of the Commonwealth Bank of Australia Group) between 2006 and 2010. The chair of the Committee stated that ASIC’s slow response to the case and lack of scepticism was hard to explain, and that the agency ‘allowed itself to be lulled into complacency and placed too much trust in an institution that sought to patch over its problems.’ He added that:

The good work that ASIC has done in a challenging environment has been recognised. Even so, there is a need for ASIC to become a far more proactive regulator ready to act promptly but fairly. ASIC also needs to be a harsh critic of its own performance with the drive to identify and implement improvements.³⁷

1.18 The Committee made 61 recommendations generally aimed at enabling ASIC to fulfil its responsibilities and obligations more effectively and to promote greater confidence in the regulator. The Committee also raised concerns about ASIC’s enforcement decisions, and particularly, its use of EUs. Potential issues regarding ASIC’s EU processes and practices raised in submissions and highlighted by the Committee included:

• the extent of ASIC’s reliance on EUs, particularly as a remedy for misconduct by large entities—the Committee quoted submissions that suspected ASIC might have been ‘soft on the big end of town’;
• the clarity of EUs in specifying remedial actions and whether the undertakings placed sufficient conditions on entities whose strategies may be damaging financial consumers and investors;
• the extent of detail included in the EU about the alleged misconduct, such that other market participants may not be aware of the purpose of the undertaking;
• in its approach to negotiating EUs, ASIC may give excessive regard to the burden an undertaking might impose on a company; and
• scope to improve transparency in relation to the monitoring of EUs, such as through making publicly available the reports provided to ASIC by independent experts appointed as a condition of the undertaking.³⁸

1.19 As a consequence of these concerns, the Senate Economics References Committee included in its report a recommendation that the Auditor-General consider conducting a performance audit of ASIC’s use of EUs, including:

• the consistency of ASIC’s approach to EUs across its various stakeholder and enforcement teams³⁹; and
• the arrangements in place for monitoring compliance with EUs that ASIC has accepted.

1.20 The Auditor-General accepted the recommendation and agreed to conduct the audit, which is the subject of this report.

1.21 ASIC has responded to the Committee’s concerns, stating that EUs are not a soft option but a very effective regulatory tool ‘that generally require the person offering the EU to implement significant changes to the way they operate, and to provide substantial compensation, conditions that may be enforced in court’. It also noted that, ‘like all Commonwealth agencies, ASIC is required to act as a model litigant, including trying wherever possible to avoid court proceedings and considering settlements where appropriate’.⁴⁰

Previous ANAO coverage of ASIC

1.22 The ANAO has undertaken the following two performance audits of ASIC, tabled in 2006 and 2007:

• Audit Report No. 25 2005–06, ASIC’s Implementation of Australian Financial Services Licences; and
• Audit Report No. 18 2006–07, ASIC’s Processes for Receiving and Referring for Investigation Statutory Reports of Suspected Breaches of the Corporations Act 2001.

1.23 An element of ASIC’s registry functions was also included in the cross-agency audit of the Administration of the Australian Business Register, which was tabled in June 2014. None of these reports covered ASIC’s administration of EUs.

Audit objective, criteria and methodology

1.24 The objective of the audit was to assess the effectiveness of the Australian Securities and Investments Commission’s administration of enforceable undertakings.

1.25 To form a conclusion against this objective, the ANAO has adopted the following high-level criteria:

• management arrangements are in place that support the effective, consistent and transparent administration of EUs;
• offers of EUs are administered consistently, transparently and in accordance with ASIC’s policies and procedures; and
• EUs accepted by ASIC are monitored to ensure compliance with those undertakings, action is undertaken where non-compliance is identified and the effectiveness of EUs as a regulatory tool is assessed.

Audit methodology

1.26 The audit examined ASIC’s use of EUs as a regulatory tool across all stakeholder and enforcement teams involved in administering EUs. The audit examined all 53 EUs that were accepted by ASIC from 1 January 2012 to 30 June 2014.

1.27 The audit methodology included consulting with stakeholder groups and professional advisers with relevant experience and expertise, interviewing ASIC staff⁴¹, and examining relevant documentation and systems.

1.28 The audit has been conducted in accordance with the ANAO’s auditing standards at a cost of approximately $365 000.

Report structure

1.29 The structure of the report is outlined in Table 1.3 and reflects the audit criteria in paragraph 1.25.

Table 1.3: Structure of the report

Introduction

2.1 Sound management and governance arrangements support regulators to meet their legislative and regulatory responsibilities and to be accountable for their decisions, actions and performance.⁴² Regulators also need a risk-based compliance and enforcement approach that communicates regulatory requirements and how these requirements will be monitored and enforced in a consistent and transparent manner.

2.2 The ANAO examined ASIC’s:

• compliance and enforcement approach;
• management arrangements, including for the oversight and quality control of EUs;
• performance monitoring and reporting processes; and
• guidance and training arrangements that support ASIC officers involved in negotiating and monitoring compliance with EUs.

Compliance and enforcement approach

2.3 Regulators should have a compliance and enforcement approach that is risk-based and proportionate, and that supports consistency, accountability and transparency.⁴³ The approach should also be designed to promote voluntary compliance, and to detect and deal with non‐compliance.

Compliance approach

2.4 ASIC’s compliance approach is set out in its Strategic Framework and is based on a three stage process; detect, understand and respond (Figure 2.1).

Figure 2.1: ASIC’s approach to non-compliance

Source: ANAO, based on ASIC information.

Detecting and understanding misconduct or the risk of misconduct

2.5 ASIC detects misconduct or the risk of misconduct (including potential systemic industry issues) through the four main sources listed in Figure 2.1. ASIC states that it takes a proactive and risk-based approach to detecting and understanding misconduct.⁴⁴ At the strategic level, this occurs through formal business planning and risk management processes.⁴⁵ At the operational level, ASIC identifies, analyses and evaluates risks in the regulated population and focuses surveillance activities⁴⁶ on those areas it considers to be the highest risk. This program sits alongside reactive surveillance work, which arises from reports from whistleblowers, complaints from the public or breach reports.⁴⁷ A key focus for ASIC is detecting and understanding the drivers of risks to investors, financial consumers, and the sectors and participants that it regulates.

Responding to misconduct or the risk of misconduct

2.6 Where misconduct or the risk of misconduct (such as industry-wide issues or issues relating to the introduction of new regulation) is detected and understood, ASIC has a variety of responses, as outlined in Table 2.1.

Table 2.1: ASIC’s responses to misconduct or the risk of misconduct

Source: ANAO analysis of ASIC information.

2.7 ASIC publications emphasise the importance of voluntary compliance. For example, ASIC’s guidance on corporate compliance states: ‘we encourage high levels of voluntary compliance by being up-front about our educative and enforcement strategies and helping companies and officeholders comply with their obligations’.⁴⁸ Further, Information Sheet 172: Cooperating with ASIC encourages entities to cooperate with ASIC, including by self-reporting misconduct.⁴⁹ As outlined in Table 2.1, where ASIC identifies misconduct, it may take enforcement action in respect of that conduct.

Enforcement approach

2.8 ASIC’s overall enforcement approach is set out in Information Sheet 151: ASIC’s approach to enforcement, which is available on its website.⁵⁰ This information sheet covers the range of regulatory tools that ASIC can use to improve confidence in Australia’s financial markets and facilitate fair and efficient markets. These tools include education, engagement and guidance, and using its enforcement powers such as criminal and civil sanctions, administrative remedies and negotiated outcomes, depending on the seriousness and consequences of the misconduct.

2.9 ASIC’s approach to enforcement is similar to the commonly-used ‘regulatory pyramid’ compliance model. The model involves the less frequent use of the most severe sanctions, which form the apex of the pyramid, compared to the persuasion-focused methods of resolution that form the pyramid’s base.⁵¹ More severe sanctions, such as imprisonment of individuals involved in the misconduct and high pecuniary penalties, are used where the conduct is more serious and there is an unwillingness of the regulated entity to comply with the law. Where the conduct is less serious and the regulated entity is co-operative, the model identifies more moderate sanctions as being appropriate. ASIC advised that it sees EUs as normally sitting towards the bottom of the compliance pyramid, although this will depend on the content of a particular EU.

2.10 ASIC has processes in place to consider appropriate enforcement action. The decision whether to conduct a formal investigation will depend on ASIC’s initial assessment of the extent of harm or loss, the benefits of pursuing the misconduct and the seriousness of the misconduct. ASIC’s decision-making process is set out in Figure 2.2.

Figure 2.2: ASIC’s approach to enforcement

Source: ASIC Information Sheet 151: ASIC’s approach to enforcement.

Role of enforceable undertakings

2.11 In terms of EUs, the role of these regulatory tools in ASIC’s enforcement approach is outlined in ASIC’s Regulatory Guide 100: Enforceable Undertakings. According to this guide, ASIC views EUs: ‘as an important component in [its] array of enforcement remedies to influence behaviour and encourage a culture of compliance for the benefit of all participants’. Importantly, ASIC considers: ‘that an [EU] can sometimes offer a more effective regulatory outcome than could otherwise be achieved through other available enforcement remedies, namely civil or administrative action’.⁵²

2.12 Before deciding whether to accept an EU, ASIC will have already undertaken a number of compliance actions, including conducting a surveillance activity and/or an initial investigation of the regulated entity. A decision is then taken whether to conduct a formal investigation, based on a consideration of the matter’s strategic significance (including the seriousness of the misconduct, its impact on the market, and the likelihood and consequences of the conduct causing harm to investors and others) and the benefits of pursuing the misconduct.

2.13 If a breach is established and enforcement action is justified, ASIC may consider accepting an EU from among the enforcement tools available (outlined in the following section). This consideration involves an assessment of factors influencing the risk to the community, such as the compliance history of the entity, and whether it is likely to comply with the EU.⁵³ ASIC will also consider the relative uncertainty of an alternative course of action, such as a court, tribunal or disciplinary body action. For example, if an EU leads to a liquidator agreeing not to practice for three years, this may be preferred to Companies Auditors and Liquidators Disciplinary Board proceedings, where an outcome is uncertain and ASIC might have judged the likely outcome as being a ban of between two and four years.⁵⁴

Alternatives to enforceable undertakings

2.14 As previously discussed, ASIC has a range of tools to achieve its regulatory objectives. The selection of an EU is dependent on a comparison of the regulatory effectiveness of an EU to the other regulatory options available. These other options are outlined in Table 2.2.

Table 2.2: Regulatory alternatives to enforceable undertakings

Source: ANAO analysis of ASIC information.

2.15 As indicated in Table 2.2, EUs have a significant role to play in ASIC’s enforcement approach where other regulatory options: are unavailable; would not produce an outcome commensurate with the harm caused; or have other disadvantages. A potential benefit of EUs is in driving changes in an entity’s culture and systems, whereas an administrative penalty, or even a civil sanction, may not lead to behavioural change. Recognising this benefit, the Senate Economics References Committee concluded that EUs may correct behaviour within a particular organisation, but added that these undertakings ‘do not yield the wider and more significant regulatory benefits that are associated with successful court action’.⁵⁵ While a favourable court decision may have a greater general deterrent effect than an EU, as indicated in Table 2.2, the outcome of court action is uncertain in terms of the sanction⁵⁶ that a court might impose and the consequential effect on the entity’s business (such as improved compliance processes). During the period 1 January 2012 to 30 June 2014, as outlined in Table 1.1, there were a total of 1711 enforcement outcomes, of which 97 were EUs or other negotiated outcomes.

Other negotiated outcomes

2.16 As mentioned in Chapter 1, ASIC sometimes reaches negotiated outcomes with regulated entities that are not EUs (that is, they are not enforceable by statute, although they may be enforceable as a contract). These types of outcomes are used across a variety of matters. At the lower end, ASIC negotiates outcomes that involve, for example, an exchange of letters leading to the correction of misleading or deceptive conduct. At the higher end, a negotiated outcome may be similar to an EU. While these other negotiated outcomes can be quite significant, ASIC does not have a policy, definition or public register for this type of activity. There can also be less clarity about announcing the terms of the settlement.⁵⁷

2.17 Based on information provided by ASIC, the ANAO identified that in 2013–14, ASIC finalised at least 113 negotiated outcomes other than an EU.⁵⁸ However, given that ASIC does not have a policy, clear definitions or public register in relation to negotiated outcomes, these numbers are not exhaustive, and there are likely to be additional outcomes resolved through negotiations by the stakeholder and enforcement teams. To give regulated entities more certainty and to increase transparency, there would be merit in ASIC providing greater clarity around the circumstances in which it accepts and enters into other negotiated outcomes.

Management arrangements for enforceable undertakings

2.18 To help ensure that regulatory decisions (including for the use of EUs) are made consistently, transparently and proportionately, it is important that sound management arrangements are in place. Accordingly, the ANAO examined ASIC’s management arrangements for EUs.

2.19 As previously discussed, ASIC may become aware of a potential enforcement matter in a number of ways, including through reporting of misconduct and breaches. These matters can be referred to the relevant ASIC stakeholder team for further review or directed to an enforcement team to consider undertaking an investigation or initiating enforcement action.⁵⁹

2.20 Depending on the nature of the EU, staff from the enforcement and stakeholder teams will have varying degrees of involvement. EUs are generally negotiated and finalised by enforcement teams, which will also undertake monitoring if prompt follow-up action is required (for example, a community benefit payment must be made by a certain date). Otherwise, the stakeholder team, which is better placed to have an ongoing relationship with the promisor, monitors the EU. The relevant stakeholder and enforcement teams are expected to liaise with each other as necessary, for example to ensure that an EU contains appropriate terms and that the promises given will take into account the position of those affected by the alleged breaches. In practice, as discussed in paragraphs 4.12 to 4.14, the respective teams generally did consult as required.

Roles of senior executives and executive committees

2.21 According to ASIC guidance, a Senior Executive Leader (SEL)⁶⁰ must be consulted before ASIC enters into negotiations for a possible EU, and generally approves the EU. As at November 2014, there were 21 SELs (and two Senior Executives), whose roles included considering and approving EUs.⁶¹ For the 53 EUs reviewed by the ANAO, all were formally approved and signed by a SEL or a Senior Executive.

2.22 To support SELs, ASIC has an Enforcement Committee that makes decisions about the conduct, strategy and focus of major compliance matters and other significant enforcement actions, which can include EUs.⁶² Records indicate that the Committee has considered aspects of the administration of EUs, including the current status and whether an EU was being considered for, or had been concluded with, an entity.⁶³ There were also action items and matters carried forward (with due dates and persons responsible), and a record of the Committee’s decisions.

2.23 The Office of the Chief Legal Office (CLO) provides legal, strategic and other input into major compliance cases, and assists enforcement and stakeholder teams. In relation to EUs, the CLO is responsible for the policy and procedures, and is required to provide assurance about drafting clarity, legal certainty, enforceability and compliance with ASIC policies before ASIC accepts each EU. As discussed in Chapter 3, for most of the 53 cases examined by the ANAO, there was evidence of the CLO’s involvement in the EU process.

Internal monitoring and reporting of enforceable undertakings

2.24 Accurate performance reporting should inform ASIC senior managers of the extent to which regulatory objectives are being met and support management decision-making. In the case of EUs, it was expected that senior executives would track these in a systematic way to monitor how long negotiations are taking, what outcomes they are achieving, and if they have been effective in changing behaviours.

Internal monitoring and reporting of EU negotiations

2.25 Prior to acceptance of an EU, each stakeholder and enforcement team reports on the progress of the EU negotiation as part of their regular fortnightly and monthly reports. The reports provide a summary of developments in the cases being addressed by each team, including EUs.⁶⁴ With respect to EUs, the reports provide an update on the status of negotiations and any problem areas. However, the reports do not document senior management consideration and feedback (if any) regarding the progress of matters or suggested changes of approach. It would be helpful if reporting also focused on matters such as timeliness, obstacles faced or issues that have arisen in negotiations with entities, and shareing better practices where appropriate across teams.

Internal monitoring and reporting of EU compliance

2.26 It is important that there is appropriate oversight and accountability by senior management after an EU has been signed. This requires regular reporting to senior management about compliance with, and outcomes of, EUs.

2.27 In September 2014, the CLO developed a spreadsheet with information on the status of existing EUs, for consideration at Commission meetings. While the spreadsheet provides useful information for the Commission⁶⁵, it covered only around half of the EUs reviewed as part of the audit, and was limited to EUs involving ongoing positive obligations (undertakings to do or performance a certain act). To improve senior management visibility over the administration of EUs, further work could be undertaken to consider the coverage of EUs in the CLO report.

2.28 Overall, internal reporting on EUs is currently limited to reporting on the progress of EU negotiations, and more recently compliance with undertakings for some EUs. To reflect better practice and support senior management oversight of EUs, there would be merit in ASIC improving internal reporting to provide a greater focus on timeliness of EU negotiations, and consistency in approaches between stakeholder and enforcement teams.

Guidance, systems and training

2.29 As part of the audit, the ANAO examined the guidance, records management systems and training arrangements ASIC has in place to support its staff in entering into and monitoring compliance with EUs.

Guidance

2.30 ASIC has the authority to accept EUs under sections 93AA and 93A of the Australian Securities and Investments Commission Act 2001 and section 322 of the National Consumer Credit Protection Act 2009 (in relation to Commonwealth credit legislation). These provisions are broadly drafted and provide ASIC with discretion to exercise this authority.

2.31 Given the lack of specificity in these Acts, it is important for ASIC to issue guidance on how it exercises its authority, to support consistent decision-making processes and provide transparency about the criteria on which decisions will be based. ASIC uses a range of public and internal guidance documents to explain how it administers EUs. The key public guidance document is Regulatory Guide 100, which was last updated in February 2015 and is available on ASIC’s website.⁶⁶ The guide sets out: the circumstances in which ASIC will accept EUs; the terms that are acceptable or not acceptable to ASIC; how ASIC will report publicly on the outcomes of an EU; and how ASIC will respond to non-compliance with an EU.

2.32 While ASIC will normally follow the principles set out in a regulatory guide, it will not do so inflexibly or uncritically. In a particular instance, ASIC may form the view that there are relevant considerations that are not set out in its policy, but which it is required by law to take into account in making its decision. For example, ASIC’s policy states that it will not normally accept an EU in which the promisor does not at least acknowledge that ASIC’s views in relation to the misconduct which gave rise to the EU are reasonably held. However, in eight cases, ASIC did not insist on an acknowledgement clause, generally because an EU without such a clause was still viewed as the most effective regulatory outcome in the matter.

2.33 There are a number of public documents that further support ASIC’s EU policy: a policy on public comment, which outlines that it will usually issue a media release or media advisory when it accepts EUs and agreements by people to change their conduct⁶⁷; and a policy on cooperation, that states that cooperation will be relevant to ASIC’s decision on the type of enforcement action to pursue or remedy to seek.⁶⁸ Finally, ASIC’s Service Charter provides that ASIC is committed to ‘making consistent decisions, and advising [entities] of [its] decisions in a timely manner’.⁶⁹

Internal guidance

2.34 In addition to its public guidance, ASIC has a number of internal documents to guide its decision-making in relation to EUs. The most important of these is its Enforcement Manual, which provides detailed guidance to staff on how ASIC exercises its enforcement powers. The manual includes a chapter on EUs that sets out the process by which ASIC will enter into an EU. As previously noted, the CLO is responsible for ASIC’s policy and practice in relation to EUs. It provides and revises internal guidance on EUs and manages a Technical and Procedures Library, which is available to all staff and includes a page dedicated to EUs.

2.35 Overall, these documents contain clearly defined regulatory objectives and comprehensively set out the considerations that are taken into account in deciding whether an EU will be accepted, and if so under what terms.

2.36 Stakeholders and ASIC staff interviewed by the ANAO during the audit raised few concerns about their ability to apply ASIC’s guidance. However, some stakeholders suggested there could be more guidance provided regarding the appointment of, and ASIC’s expectations for, independent experts (discussed in Chapter 4). In relation to independent experts, these concerns have been largely addressed by the publication of a revised Regulatory Guide 100 in February 2015.

Records management systems

2.37 The recording of regulatory actions and the reasons for these actions is important for both transparency and accountability.⁷⁰ Consistent with these principles, ASIC’s internal Governance Protocol states that: ‘record keeping in relation to all matters, should be comprehensive, orderly and readily accessible’.⁷¹

2.38 ASIC officers use a range of disparate systems to track and store their work, including in relation to EUs:

• Search tools—ASCertain (a mainframe system) and the data warehouse search tool (a web-based system) allow ASIC staff to search across the data holdings in ASIC’s mainframe systems and workflow systems to research companies and individuals of interest.
• Registers—ASCOT is a mainframe system that is ASIC’s main registry system. It contains details about registered companies, persons associated with companies (such as directors), as well as professional registration information regarding auditors, liquidators and licensing information (including about Australian financial services licensees and Australian credit licensees).
• Workflow systems—The workflow systems are databases that are used for case management and reporting. The use of the workflow systems is inconsistent across the organisation.
• Document management—The main systems for recording documentation are ASIC’s paper files (centrally tracked through the EPSOM system) and ASIC’s electronic documents and records management system, ECM. In addition, the ANAO identified that ASIC staff also stored files in the workflow systems (referred to above), in staff emails or hard files, and in shared drives.

2.39 It was common for information relevant to an EU to be held in multiple systems (ECM, paper files and a workflow system). In many cases, these systems did not have all of the information relating to the EU and the ANAO had to obtain the documentation from the relevant ASIC officer (from staff emails or hard files). This presents risks for ASIC, as staff responsible for a certain part of the EU process (such as monitoring) may not have sufficient information to effectively carry out their responsibilities, particularly as matters often need to be handed over from stakeholder to enforcement teams, and vice versa. Accordingly, there would be value in consolidating information relating to EUs to reduce duplication, improve accessibility and facilitate better internal and external oversight of the EU process. A key first step would be to reinforce to staff the need to store all documentation relating to an EU in accordance with ASIC policies and procedures.

Staff training

2.40 ASIC mainly regards training in EUs as being acquired through on-the-job experience. Accordingly, it does not provide formal training. A significant proportion of ASIC’s workforce has undertaken legal studies (at least 350 of 1816 total staff, with a higher proportion of legally qualified persons in the enforcement and stakeholder teams), which should better position them to understand and apply the relevant rules and procedures. As previously noted, ASIC also provides guidance that is clear, comprehensive and straightforward to apply.

2.41 Notwithstanding the skill profile of ASIC’s staff and the availability of suitable guidance, the organisation is undergoing significant staff turnover, with staffing levels expected to fall by 209 (or 12 per cent) in 2014–15.⁷² This level of staff turnover and loss of corporate knowledge presents risks to administration, and there would be merit in ASIC considering whether some level of formal EU training should be provided.

Monitoring and reporting on the performance of enforceable undertakings

2.42 The Australian Government’s performance measurement and reporting framework requires entities to set out their outcome, programs, deliverables, key performance indicators (KPIs) and expenses in their Portfolio Budget Statements and to report against these in the annual report. Specifically:

• deliverables provide information on the goods and/or services produced and/or delivered; and
• KPIs provide information on how effective the program has been in achieving outcomes.

ASIC’s outcome, Program 1.1 Objective and KPIs for 2014–15 are set out in Figure 2.3.⁷³

Figure 2.3: ASIC’s key performance indicators for 2014–15

Source: ANAO, based on ASIC Portfolio Budget Statement 2014–15.

2.43 ASIC states that it delivers on its outcome and program objective through engagement with industry and stakeholders, surveillance, guidance, education, enforcement activities and policy advice. The impact and results of these activities are measured using 10 KPIs across ASIC’s three strategic priorities. The KPIs applicable to EUs are: misconduct is dealt with and deterred; fair and efficient processes are in place for resolution of disputes; product issuers, credit providers and advisers meet required standards; participants in financial markets meet required standards; and issuers (of securities) and their officers meet required standards.

2.44 These KPIs are designed to provide information that would assist in determining how ASIC undertakes its regulatory activities, including through EUs. However, in relation to the first two KPIs, ASIC has only reported in a limited way in its 2013–14 Annual Report⁷⁴, and did not report against the other three KPIs in relation to EUs. In addition, all five KPIs do not specify performance expectations, or include targets, benchmarks or timeframes for achievements. Nor do they indicate the extent to which ASIC’s efforts have contributed to achieving outcomes.⁷⁵

2.45 Given that an enhanced Commonwealth performance framework will come into effect on 1 July 2015, there is an opportunity for ASIC to develop more appropriate performance measures and to report on the extent to which EUs support ASIC in achieving regulatory outcomes. A key first step for ASIC is to include targets, benchmarks and/or timeframes in KPIs, and to provide meaningful information to key stakeholders on the effectiveness of EUs in achieving desired regulatory outcomes.

External reporting on EUs

2.46 ASIC reports externally on its enforcement activities through two main publications: its annual report and its half-yearly enforcement outcomes publications. In addition, EUs are published on the EU register on ASIC’s website and through ASIC issuing of a media release with each EU.

2.47 In its 2013–14 Annual Report, ASIC reported that it had achieved 596 enforcement ‘outcomes’,⁷⁶ including criminal and civil litigation, administrative action and EUs.⁷⁷ As in previous years, the annual report also referred to specific examples of EUs. ASIC’s enforcement outcomes publications⁷⁸ report on the number and detail of enforcement outcomes achieved, and provide information on ASIC’s views about certain conduct and the resulting enforcement outcome.

2.48 Neither the annual report nor the enforcement outcomes publications report on post-EU results (for example, the results of independent expert reports or whether promisors have complied with their obligations under an EU). The reports do not provide stakeholders with sufficient information about the outcomes achieved by these activities. ASIC has advised that it will include additional commentary on EUs commencing in its 2014–15 Annual Report. This will address a Senate Economics References Committee recommendation that ASIC include in its annual report additional commentary on: ASIC’s activities related to monitoring compliance with EUs; and how the undertakings have led to improved compliance with the law and encouraged a culture of compliance.⁷⁹

2.49 To enable a better understanding of the extent to which EUs contribute to ASIC achieving its compliance objectives, it should also develop, and report against, appropriate performance measures that assist management to monitor the effectiveness of EUs in addressing non-compliance. ASIC should also periodically assess the extent to which EUs are contributing to improved levels of voluntary compliance. Possible sources of information for such an assessment include complaints data, community satisfaction surveys and surveys of regulated entities (to identify the effect of EUs on their awareness of, and willingness to comply with, relevant obligations).

Recommendation No.1

2.50 To assess the effectiveness of enforceable undertakings as an appropriate regulatory tool and their contribution to ASIC achieving its compliance objectives, the ANAO recommends that ASIC:

1. develops appropriate performance measures to monitor the effectiveness of enforceable undertakings in addressing non-compliance, and regularly reports against these measures; and
2. periodically assesses, and reports on, the effectiveness of enforceable undertakings in contributing to improved levels of voluntary compliance.

ASIC response:

2.51 Agreed. In relation to Recommendation 1(a) ASIC monitors compliance with undertakings given by promisors in enforceable undertakings. Further, in February 2015 ASIC revised its policy about aspects of its administration of enforceable undertakings. One of those revisions was the adoption of a new policy that, for undertakings accepted by ASIC from 9 March 2015, ASIC will publicly report on whether promisors have complied with undertakings. The policy applies to all undertakings other than those to refrain from particular conduct. ASIC has also committed to enhanced enforceable undertaking reporting in its Annual Report.

2.52 In relation to Recommendation 1(b), the work to implement enhanced Commonwealth reporting obligations is being undertaken across ASIC’s broad regulatory functions and will provide a basis for implementing Recommendation 1(b). ASIC does not underestimate the challenges of developing performance measures that monitor the effectiveness of enforceable undertakings in a broader context.

2.53 Implementation of Recommendation 1(b) will allow both ASIC and its regulated population to periodically assess the effectiveness of enforceable undertakings, and enable ASIC to adapt its structured compliance and enforcement approach as required.

Measuring the costs of compliance options

2.54 To support the efficient allocation of resources, it is important that ASIC has a good understanding of the cost of its compliance activities, in absolute terms and relative to regulatory alternatives. ASIC should also take into account the regulatory burden it imposes on entities, noting that the burden of compliance (including with various types of enforcement action) should be proportionate to the seriousness of the breach.⁸⁰

2.55 Senior ASIC officers advised the ANAO that, while they have a good understanding of the costs of various types of enforcement action (including litigation and tribunal hearings), ASIC does not capture the costs of EUs.⁸¹ However, there have recently been some initiatives to determine aspects of these costs.⁸² There would be benefit in ASIC commencing work to establish a sound understanding of the costs of its EUs relative to other compliance options, to help allocate its resources effectively, and to ensure it is not placing an excessive burden on regulated entities.

Conclusion

2.56 ASIC’s decisions and actions regarding EUs are underpinned by a structured compliance and enforcement approach. EUs are an important sanction that have a clearly defined role within ASIC’s risk-based compliance and enforcement framework. ASIC has an understanding of the advantages and disadvantages of EUs when compared to other available alternative sanctions, although there is scope for ASIC to develop a better understanding of the costs of EUs.

2.57 ASIC has appropriate organisational arrangements underpinning the use of EUs. These arrangements are based on day-to-day administration by a stakeholder team or enforcement team across the various financial market segments. There is high-level direction and other input by SELs and the CLO, and involvement of the Enforcement Committee and Commission for more important matters. However, internal management reporting could be strengthened to better position senior management to monitor the consistency, timeliness and outcomes of EUs.

2.58 ASIC’s internal and external guidance is clear, comprehensive and straightforward to apply. However, ASIC’s workflow and document management systems are complex and procedures are not always followed. Consequently, there is scope for ASIC to consolidate information relating to EUs, and to reinforce to staff the need to store all documentation relating to an EU in accordance with ASIC policies and procedures.

2.59 ASIC reports externally the number of EUs entered into (through its annual report and enforcement outcomes publications), and publishes the full text of each EU on its website. It is also preparing to publicly report on the outcomes of EUs in its annual reports, in accordance with a recommendation by the Senate Economics References Committee. ASIC should also develop, and report against, appropriate performance measures that assess the effectiveness of EUs as a regulatory tool and the contribution they make to achieving compliance objectives.

Introduction

3.1 As previously discussed, EUs are a flexible regulatory tool used by ASIC to achieve a wide range of regulatory outcomes, many of which are not possible using the other regulatory options available. Entering into an EU in a consistent and transparent manner, and in accordance with ASIC’s policies and procedures, increases the prospect that the promisor will comply with the undertaking.

3.2 The ANAO examined ASIC’s processes for:

• accepting and negotiating an EU;
• drafting the terms of an EU; and
• finalising an EU.

To enable this assessment, the ANAO analysed the 53 EUs ASIC entered into between 1 January 2012 and 30 June 2014.⁸³

3.3 The ANAO also requested ASIC to advise the number of EUs offered or negotiated, but not entered into, over this period. While ASIC provided some relevant examples, it does not routinely collect data regarding such cases, including the reason why the EU was not accepted. Collecting such information could assist ASIC to review and improve its EU processes.

Accepting and negotiating enforceable undertakings

3.4 EUs can be proposed either by a regulated entity or ASIC. In 19 of the 53 cases reviewed, it was ASIC, rather than the promisor, that suggested an EU as a means of addressing the entity’s misconduct. Regardless of which party initiates the EU, senior management is involved in the process to determine whether the EU will produce an effective regulatory outcome.

Senior management involvement

3.5 ASIC’s Enforcement Manual requires that written approval be obtained from the relevant Senior Executive Leader (SEL) before an ASIC officer enters into discussions with a regulated entity about accepting an EU. Prior to obtaining approval, a memo should be prepared outlining the circumstances of the matter and why acceptance of the EU will change the entity’s behaviour, protect investors and/or creditors, or compensate wronged parties. Since August 2014, where the matter is a ‘high profile or controversial or major matter’, the SEL is required to brief a Commissioner or the Enforcement Committee before giving approval.

3.6 The ANAO reviewed the documentation relating to each of the EUs in the ANAO’s sample to determine whether approvals were obtained from SELs at an early stage in negotiations, in accordance with the Enforcement Manual. This review identified early-stage SEL approval for 41 of the 53 EUs reviewed (77 per cent).⁸⁴ For the remaining cases, it was often evident that the SEL had some involvement in the matter—sometimes even leading the negotiations with the regulated entity—even though there was no written approval on the case file. Table 3.1 outlines the level of SEL involvement in the 53 EUs reviewed by the ANAO.

Table 3.1: Level of involvement of Senior Executive Leaders in decisions to negotiate and accept enforceable undertakings

Source: ANAO analysis of ASIC decision-making documentation relating to EUs accepted between 1 January 2012 and 30 June 2014.

3.7 Of the eight EUs with limited or no evidence of SEL involvement, poor record keeping could be a contributing factor. In discussions with five SELs involved in these EUs, all exhibited considerable knowledge about the EUs for which they were responsible. Further, there were email records of meetings being arranged between ASIC staff and SELs relating to the decision to accept an offer of an EU, indicating that there may have been oral briefings.⁸⁵

3.8 While it may be appropriate to discuss the possibility of an EU informally prior to ASIC entering into formal discussions, there are risks in ASIC staff discussing potential terms of EUs without clear written instructions from senior management. For example, in one EU negotiation, an ASIC officer mistakenly advised a promisor that ASIC would agree to a period of suspension not requiring the cancellation of the auditor’s registration. Upon being informed about this, the relevant SEL required the ASIC officer to retract the statement as the SEL’s position was that ASIC should insist upon cancellation of the auditor’s registration.

3.9 Overall, while approvals and relevant documentation could be found for the majority of cases, the format and content of this documentation varied substantially between cases. Even though the Enforcement Manual provides clear procedures and directions in relation to these matters, this guidance was not consistently followed by ASIC staff. This was evident in the varying ways in which SELs were briefed on why an EU should be accepted (an oral briefing, a short email or a comprehensive formal memo) and the varying ways in which SELs gave their approval to an EU (usually by email, but occasionally by signing a memo). There would be merit in ASIC reinforcing to staff the importance of complying with the Enforcement Manual in relation to the processes for obtaining approvals for an EU, in order to improve accountability and better position SELs to make decisions about whether to accept an EU.

Decisions to accept an EU

3.10 In the absence of statutory guidance about when it is appropriate to accept an EU, ASIC has developed Regulatory Guide 100 to guide its use of EUs. The guide states that ASIC will only accept an EU as an alternative to seeking a civil order from a court, taking administrative action or referring a matter to another administrative body. It will not accept an EU as an alternative to criminal action, after the matter has been referred to a specialist body or in cases of deliberate misconduct, fraud or conduct involving a high level of recklessness (except where an EU best serves an urgent protective purpose and does not preclude later court action).⁸⁶

3.11 The ANAO assessed whether the 53 EUs were accepted in line with the circumstances described in Regulatory Guide 100. An EU was accepted in eight cases where ASIC officers considered there was possible criminal misconduct or where the facts revealed some level of deliberate misconduct, fraud or high level of recklessness. In these cases, the EU was to serve a protective purpose (removing the promisor from the industry), or to remove profits pending the finalisation of ASIC’s criminal or civil penalty investigation. In the other 45 cases, ASIC staff did not identify possible criminality, deliberate misconduct, fraud or a high level of recklessness.

Critical considerations

3.12 In assessing whether an EU would constitute an effective regulatory response, ASIC has regard to four critical considerations: the position of consumers and investors; the effect on the promisor’s future conduct; the effect on the regulated population as a whole; and whether the EU would present a quick and cost-effective outcome.⁸⁷ Decision-making documents for each of the 53 EUs reviewed were assessed to determine how ASIC had taken the critical considerations into account in deciding that the EU would provide an effective regulatory outcome. The results of this analysis are shown at Table 3.2.

Table 3.2: ASIC’s rationale for accepting an enforceable undertaking

Source: ANAO analysis of ASIC decision-making documentation relating to EUs accepted between 1 January 2012 and 30 June 2014.

3.13 The decision-making documentation for most EUs examined (44 of 53), revealed justification for the EU by reference to at least one of the factors outlined above. The most commonly considered critical consideration was the position of consumers and investors (36 of 53 EUs), with the effect on the promisor’s future conduct explicitly considered in fewer cases (19 of 53).⁸⁸ In slightly over half the cases reviewed, ASIC explicitly considered EUs as a quick and cost effective outcome. While this could be a convenient approach for ASIC, in 25 of the 27 cases there was also clear consideration of the comparative regulatory outcomes likely to arise from other enforcement actions, as discussed further in the following section.

3.14 It is also noted that the impact of the EU on the broader regulated population (the general deterrence effect) was explicitly considered in only 14 EUs. In an environment of constrained regulatory resources, it is important that regulatory decisions consider the impact on the broader regulated population, not just the individual regulated entity that is the subject of ASIC’s concerns. An example of general deterrence being considered as part of the decision-making process for an EU is shown in the following case study relating to the 2012 EU accepted from the Commonwealth Bank of Australia.

Source: ANAO analysis of ASIC documentation.

Considering regulatory outcomes

3.15 As well as having regard to the four critical considerations, the Enforcement Manual requires that, in deciding whether to accept an EU, the regulatory outcome that could be achieved by accepting an EU should be compared with the outcomes that might be achieved by taking other available action such as civil or administrative action. The ANAO identified that such comparisons were made between an EU and other regulatory options for 44 of the 53 EUs reviewed.⁸⁹

3.16 For 15 of the 44 EUs where there was an explicit comparison, ASIC staff had come to the view that an EU would provide an equivalent or greater outcome than through contested proceedings—particularly in terms of the length of suspension or banning that could be achieved through an EU compared to administrative or civil action. In many areas, ASIC had drawn on its corporate knowledge of the quantum of sanction that would likely be imposed by a particular court, tribunal or disciplinary body. Where ASIC identified that the court, tribunal or disciplinary body was likely to impose a sanction similar to or less than could be agreed with the promisor by way of an EU, ASIC preferred to use an EU to resolve the matter.

3.17 In 16 instances, ASIC considered that the other regulatory tools available would not sufficiently enhance the position of consumers or investors, or would not have the desired deterrence impact on the regulated population as a whole. An example of this was where the main regulatory alternative was issuing an infringement notice. In this circumstance, ASIC staff concluded that penalty amounts available through an infringement notice were insufficient to send a strong enough deterrence message to the regulated entity and the broader regulated population, and would not otherwise operate to improve the regulated entity’s compliance with the law. For five of the 53 EUs, ASIC combined the EU with the issuing of an infringement notice. In these cases, the EU operated in a protective manner to improve compliance of the regulated entity (through an independent expert review) or to remediate the consumers (through compensation or other rectification to consumers) and the infringement notice operated in a punitive way.

3.18 Another factor taken into consideration in accepting an EU, as opposed to taking other regulatory action, was the certainty of an EU compared to the other options. The decision-making documentation reviewed showed concerns that a court or administrative result was not certain, and even where achieved was subject to appeal. Particular concerns related to:

• evidence—the high evidential burden in criminal and civil penalty proceedings, matters being older and therefore harder to litigate, and in one case, the difficulty in getting consumers to appear as witnesses; and
• legal uncertainty—in some areas, ASIC has identified that the law is not clear and that there is a risk of an unfavourable interpretation by a court.

3.19 Overall, for 46 of the 53 EUs reviewed, the decision to accept an EU was defensible and there was appropriate justification for why the EU provided an effective regulatory outcome. In the case of the other seven EUs, there was limited or no documentation to support why the EU presented an effective regulatory outcome. For each of these seven EUs, the signing SEL provided the ANAO with a statement outlining why the EU presented an effective regulatory outcome. These statements indicated that the decision to accept an EU in each of the seven cases was defensible. However, the need for these statements highlights significant deficiencies in ASIC’s record keeping arrangements.

Negotiating enforceable undertakings

3.20 The process for negotiating an EU varies greatly, depending on the individual circumstances of each matter. In some cases, the offer to enter into an EU comes at a very early stage, with the entity proposing an EU in response to ASIC raising its initial concerns about the regulated entity’s conduct. In other cases, ASIC has agreed to accept the offer of an EU at a very late stage, such as following the referral of the matter to an administrative hearing delegate and in the days prior to that hearing.

3.21 Once ASIC has made a decision that it is willing to accept an EU, it will negotiate with the regulated entity as to the specific terms of the EU. According to the Enforcement Manual, while there may be room for compromise, protracted negotiations will not usually be appropriate.⁹⁰ Where an EU is subject to prolonged negotiations, this may detract from one of the key benefits of an EU—achieving community benefits as quickly and cost effectively as possible. To assess whether EU negotiations were concluded in a timely manner, the ANAO analysed the time elapsed between when an EU was first raised by ASIC or the regulated entity as a possibility for resolving a matter, and when the EU was formally accepted by ASIC (Figure 3.1).

Figure 3.1: Time taken from proposing to formally accepting an enforceable undertaking

Source: ANAO analysis of ASIC decision-making documentation relating to EUs accepted between 1 January 2012 and 30 June 2014.

Note: A month in this figure refers to a whole month. Accordingly, if an EU was concluded within one and a half months, it would appear in this figure in the 0 – 1 month grouping.

3.22 For 32 of the 53 EUs assessed, the time from an EU being initially proposed to acceptance was less than six months. This compares favourably to the likely length of time to resolve matters using other regulatory tools available to ASIC (such as court action or an application to a specialist body).

3.23 In five of the six instances where the time between an EU being proposed to acceptance was twelve months or more, the promisor had ceased the conduct that was the subject of ASIC’s concerns during or prior to negotiation of the EU. In the other case, although the promisor continued the conduct while the EU was negotiated, the outcome achieved was better, and concluded quicker, than that likely to have been achieved through court action. Similar factors existed for the 15 EUs where the time taken to finalise the EU was between six and 11 months. In no case reviewed did the length of time taken to negotiate the EU appear to have significantly detracted from the effectiveness of the EU as a regulatory outcome.

3.24 Overall, ASIC negotiates reasonably and in good faith—offers made by promisors are considered in the context of whether the proposal by the promisor would result in an effective regulatory outcome. Where ASIC rejects a proposal of the promisor, the basis for this rejection is explained to the promisor and the promisor given a chance to respond. ASIC did not differentiate based on the size of the entity. There were no instances identified where promisors were treated differently based on the size of their business, beyond those differences explained by the differing factual circumstances.

3.25 Decision-making in respect of the EUs entered into with large entities was somewhat more extensive than for the other EUs in the ANAO’s sample. None of the eight EUs for which the level of SEL involvement was assessed as ‘limited’ or ‘none’ involved a large entity, and only one of the seven EUs for which there was insufficient documentation to support whether the EU presented an effective regulatory outcome related to a large entity.⁹¹ Further, the decision-making documentation supporting the EUs with large entities revealed greater consideration of the impact on consumers and investors, the effect on the promisor’s future conduct and the general deterrence effect than for EUs in the ANAO’s sample as a whole.

Terms of enforceable undertakings

3.26 An important aspect of the negotiation of an EU is for ASIC and the promisor to agree to acceptable terms upon which the EU can be settled. As EUs are tailored to a specific matter, their terms will depend on the circumstances of the case and, in particular, the misconduct that is being addressed.

Clear statement about the alleged misconduct

3.27 In its report into ASIC’s performance, the Senate Economics References Committee recommended that ASIC ‘require a clearer acknowledgement in the undertaking of what the misconduct was’.⁹² This recommendation addresses comments by stakeholders that EUs did not always: contain sufficient detail about the alleged misconduct for the public to understand why the EU was being accepted; and include a sufficiently clear admission of fault.⁹³

3.28 ASIC’s Regulatory Guide 100 requires that EUs set out the detail of the relevant misconduct and ASIC’s assessment of that conduct. To assess compliance with this policy, the ANAO sought to identify the extent to which the undertakings were sufficiently clear about the alleged misconduct. The ANAO identified that 45 of the 53 EUs reviewed were sufficiently clear about the misconduct, although it was noted that the EUs were generally not comprehensive. For example, the EUs did not always include relevant information about the value of losses, or number of consumers or investors affected. In the cases where the alleged misconduct was not clearly identified, this was because the background was essentially limited to a statement of the legislative provisions that the promisor had allegedly contravened.

3.29 There would be merit in ASIC taking steps to ensure that EUs are clearer about the alleged misconduct, so that they better serve their educative, guidance and deterrence functions. It would also allow other industry participants to more fully understand ASIC’s views on certain conduct. ASIC advises that in practice many promisors strongly resist clear statements about misconduct and requiring more detail in EUs may lead to a reduced willingness by promisors to offer EUs. While appreciating this is likely to be a common response by promisors, it is important that ASIC sets expectations about the required content of EUs through its policies, and through consistent actions in requiring future EUs to include a sufficiently clear statement about the alleged misconduct.

Acknowledging ASIC’s position

3.30 Since February 2012, Regulatory Guide 100 has stated that ASIC will not generally accept an EU in which the promisor does not at least acknowledge that ‘ASIC’s views in relation to the misconduct which gave rise to the EU are reasonably held’.⁹⁴

3.31 The ANAO reviewed the 53 EUs to identify where and how frequently ASIC made an exception to the policy requiring promisors to acknowledge that ASIC’s views are reasonably held. The analysis identified that 19 EUs either did not have a clause in which the promisor acknowledged ASIC’s views were reasonably held and/or had a clause in which ASIC acknowledged that nothing in the EU constituted an admission by the promisor.

3.32 While agreeing to the inclusion of a non-admission clause or to the non-inclusion of a clause acknowledging the reasonableness of ASIC’s concerns may be appropriate in an individual case, consideration needs to be given to the possibility of that decision being seen as a precedent that other regulated entities negotiating an EU may seek to rely upon. Although previous EUs are not binding on future decisions of ASIC, they may make it more difficult to argue a principled position in later negotiations and may place ASIC in a more constrained bargaining position. On this basis, ASIC may wish to consider adopting a more consistent approach to the use of these terms in future EUs.

Substantive terms of enforceable undertakings

3.33 The terms of an EU are subject to negotiation between ASIC and the promisor, although ASIC is only to accept an EU where the terms offered will deliver an effective regulatory outcome. ASIC’s Regulatory Guide 100 gives an indication of the terms that ASIC may accept in an EU, including terms regarding: compliance and monitoring; rectification or compensatory action; and corrective notices. An overview of the EU terms, and their use in EUs is provided at Appendix 2.

3.34 Although the terms of an EU will necessarily depend on the results of negotiation between ASIC and the promisor, terms should be proportionate to the regulatory risks posed by the non-compliance at which the EU is directed. A proportionate response will minimise the level of regulatory intervention required to effectively mitigate the risks as well as the costs to the regulator and to the promisor.

3.35 To assess whether the terms in the EUs reviewed were a proportionate regulatory response to the non-compliance, the ANAO assessed the basis for including particular terms in EUs and the severity of those terms (such as the quantum of a payment or the period of suspension). This analysis is shown at Table 3.3.

Table 3.3: Basis for including terms in enforceable undertakings

Source: ANAO analysis of ASIC decision-making documentation relating to EUs accepted between 1 January 2012 and 30 June 2014.

Note a: ASIC, Regulatory Guide 98: Licensing: Administrative action against financial services providers.

Note b: ASIC, Regulatory Guide 218: Licensing: Administrative action against persons engaging in credit activities.

3.36 Table 3.3 indicates that in negotiating and accepting the terms of EUs, ASIC staff demonstrated an understanding of the regulatory aims sought to be achieved through the inclusion of a particular term, and that terms included within EUs were generally a proportionate regulatory response to the non-compliance. This is demonstrated, for example, by the fact that the periods of suspension for liquidators and auditors, and promisors engaged in credit or financial services, had regard to relevant regulatory guides and/or previous decisions of a disciplinary body or administrative decision-maker.

3.37 While terms in EUs were proportionate in the sense of having a clear connection with the non-compliance at which the EU was directed, it is noted in Chapter 4 that ASIC does not systematically assess the effectiveness of EUs in achieving desired regulatory outcomes, including improving the compliance of the promisor. A systematic evaluation of the compliance effectiveness of EUs is likely to allow ASIC to develop a greater understanding of the effectiveness of EU terms. This would allow ASIC to better understand the basis for including particular terms and in turn, provide a firmer basis for requiring the inclusion of particular terms in EUs.

3.38 The use of ‘good faith’ terms⁹⁵ in four of the EUs reviewed is one exception to the terms in EUs being proportionate to the level of non-compliance. Discussions with ASIC staff indicated that they believed the inclusion of these terms was occasionally necessary to prevent the promisors from undermining the EU. There would be benefit in ASIC evaluating its use of good faith terms to ensure that their inclusion does not unreasonably limit the legitimate free expression by promisors (including legitimate criticism of ASIC) or result in a perceived difference in treatment by ASIC of regulated entities.

Terms that specify monitoring arrangements

3.39 An important consideration in negotiating the terms of EUs are the arrangements for: ensuring that the alleged misconduct does not recur; monitoring compliance with the undertakings; and reporting to ASIC. In this regard, Regulatory Guide 100 requires that ASIC must be satisfied that ‘the promisor has adequate arrangements for monitoring how the undertaking is implemented and reporting to ASIC’.⁹⁶

3.40 The Enforcement Manual is generally silent on whether a monitoring term should be included in an EU. The main guidance provided by the Manual is that depending on the type of EU, ‘it may be appropriate at this stage to consider whether an external compliance expert will need to be appointed to review the company’s compliance.’ Following a recommendation by the Senate Economics References Committee, in February 2015 ASIC updated Regulatory Guide 100 to include guidance in relation to the public reporting of outcomes of EUs (discussed in Chapter 4).

3.41 The ANAO reviewed the EUs in its sample to understand the types of monitoring arrangements included. These are outlined in Table 3.4.

Table 3.4: Monitoring terms included in the ANAO’s review of enforceable undertakings

Source: ANAO review of EUs accepted by ASIC between 1 January 2012 and 30 June 2014.

3.42 Overall, 38 of the 53 EUs reviewed had one or more terms that facilitated the monitoring of compliance with the EU. Where the EU contained a monitoring term, these terms were generally well designed and likely to provide ASIC with a sound basis for determining whether there was compliance with the EU.

3.43 Of the 15 EUs that did not contain a monitoring arrangement, 12 had primarily negative obligations—that is, undertakings to refrain from doing specified acts, such as engaging in credit activities or providing financial services. In the remaining three cases, the EU imposed mainly positive obligations upon the promisor (for example, issuing corrective notices to consumers). There was no requirement for the promisors to report to ASIC on their performance of those positive obligations.

3.44 It is noted however, that of the 38 EUs with one or more terms facilitating the monitoring of compliance with the EU, these terms were not always exhaustive as they did not cover all positive obligations under the EU. This is particularly evident with EUs requiring the promisor to undertake continuing professional education, where just over half of the EUs (seven of 13) required the promisor to provide proof to ASIC of their completion of the educational requirements.⁹⁷ This inconsistency also relates to differences in practices between teams involved in negotiating EUs—with all six EUs involving a financial services matter that included a continuing professional education requirement also requiring proof of the education to be provided, while only one in five such EUs involving an auditor matter contained a term requiring proof to be provided.

3.45 In its report, the Senate Economics References Committee recommended that ASIC ‘as its default position, require that an independent expert be appointed to supervise the implementation of the terms of the undertaking’.⁹⁸ While the appointment of an independent expert is likely to improve the ability of ASIC to monitor compliance with an EU, in many cases these benefits may not outweigh the financial cost of an independent expert. This is especially the case where the EU involves one-off rather than ongoing obligations. Further, a large number of EUs contain undertakings that are not suitable for review by an independent expert. For example, those where an individual agrees to remove themselves from the industry for a period of time. On this basis, ASIC’s policy that the requirement for an independent compliance expert be assessed on a case-by-case basis remains appropriate.

3.46 Nevertheless, there is room for improvement in ASIC’s use of terms to monitor compliance with EUs. In particular, there would be merit in ASIC adopting a policy requiring that where an EU contains positive obligations on a promisor, an obligation be included in the EU for the promisor to report back to ASIC and provide proof of its performance of that obligation.⁹⁹ Including reporting obligations in respect of all positive obligations in EUs is likely to improve ASIC’s ability to monitor and report on compliance with EUs, and report on the effectiveness of these in achieving desired regulatory outcomes. Importantly, this information could be used by ASIC to inform its monitoring of a promisor’s compliance with an EU and, where necessary, to respond to non-compliance. The Enforcement Manual would need to be amended to provide guidance on the form that such reporting obligations should take.

Inclusion of standard terms

3.47 A master EU template is available on ASIC’s Technical and Procedures Library, which sets out the standard form for an EU and contains a number of standard clauses. These standard clauses relate to: media and publicity; access to documents; and non-derogation of ASIC’s rights to take action in relation to conduct which is not the subject of the background section of the EU.

3.48 The ANAO reviewed each of the EUs accepted during the review period to determine whether standard terms were included in EUs. The media and publicity and non-derogation terms were present in all 53 of the EUs reviewed. A term providing ASIC with access to relevant documents to assess compliance with the EU was identified for 50 of the 53 EUs.

Finalising enforceable undertakings

3.49 Once ASIC and the promisor come to an agreement on the terms of an EU and an offer is formally made to ASIC, the Enforcement Manual requires a number of steps to be taken to formally accept and finalise the EU. In particular:

• ASIC staff involved with an EU are required to seek approval from the Chief Legal Office (CLO) that the EU is in an acceptable form;
• the final EU is required to be signed (formally accepted) by a SEL; and
• a copy of the EU is to be sent to the Registry for publication on ASIC’s EU register, and a media release is to be drafted.

Approval from the Chief Legal Office

3.50 Prior to seeking final senior management approval for an EU, approval is to be obtained from a Special Counsel or Litigation Counsel in the CLO. This review primarily covers drafting clarity, legal certainty, enforceability and compliance with ASIC’s policies in relation to accepting EUs.

3.51 The ANAO reviewed the CLO approvals for the 53 EUs accepted between 1 January 2012 and 30 June 2014. The approvals provided by the CLO were email chains between a CLO Special Counsel or Litigation Counsel and the relevant ASIC staff in the enforcement or stakeholder teams. A summary of the ANAO’s assessment is at Table 3.5.

Table 3.5: ANAO assessment of Chief Legal Office approvals of enforceable undertakings

Source: ANAO analysis of ASIC decision-making documentation relating to EUs accepted between 1 January 2012 and 30 June 2014.

3.52 The practices for obtaining CLO approval for an EU varied significantly, on a case-by-case basis and depending on the staff involved. A particular problem was where the email chain showed some involvement by the CLO in the EU at some stage during its negotiation, but not an approval of the final form of the EU—this gap was often over several months.¹⁰⁰

3.53 The ANAO’s review of CLO approvals and decision-making documentation for the EUs identified that where the CLO was involved in the negotiation and finalisation of an EU, useful guidance and advice to enforcement and/or stakeholder teams was provided. CLO involvement also gave greater assurance of the quality of EUs, improving consistency between EUs and ensuring that EUs complied with relevant ASIC policies and procedures, including Regulatory Guide 100 and the Enforcement Manual.¹⁰¹

3.54 Given the value added by the CLO’s involvement, there would be merit in formalising the arrangements for CLO approval of EUs, as this would help to improve the quality of EUs and reduce the risk of drafting errors. In this regard, in three EUs reviewed by the ANAO, there were errors in drafting the executed EU (relating to drafting clarity, legal certainty and in one case, enforceability)—for two of these, there was no documented CLO approval.

Approval from senior management

3.55 Final approval for an EU must be obtained from an SEL. In addition, if the matter is ‘high profile or controversial or a major matter’, the acceptance of the EU must be submitted to the Commission or the Enforcement Committee for consideration and discussion.

3.56 The ANAO assessed the extent to which relevant final approvals were obtained and was able to identify SEL approvals for only 28 of the 53 EUs in the ANAO’s sample. While all EUs were ultimately signed by an SEL, a more rigorous approval process would provide quality assurance over the EU process. Accordingly, and consistent with paragraph 3.9, there is considerable scope for ASIC to improve documentation of the EU approvals and decision-making processes.

Media and publicity

3.57 ASIC will usually issue a media release when it secures an EU and will ‘always assert the right to make a regulatory outcome public’.¹⁰² According to ASIC, this is important for regulatory transparency and effective deterrence. This position is consistent with Regulatory Guide 100 and the Enforcement Manual, which also require EUs to be made available on a public register on ASIC’s website. For all 53 EUs reviewed, a copy of the signed EU was publicly available on ASIC’s website. For 52 of these EUs, a media release was also published by ASIC.

3.58 One area where there has been a lack of consistency with respect to media releases was in providing a promisor with a copy of the media release prior to its release. The usual practice was for ASIC to provide a copy of the media release to the promisor an hour or two before publication. It was common, however, for promisors to ask for a copy of the media release several days prior to its publication so that they could brief relevant stakeholders (such as staff or authorised representatives). This was generally rejected, with ASIC stating that this was not usual practice. In four cases, however, an EU was provided to a promisor prior to the day of publication of the media release. On 20 March 2015, in a statement to the Parliamentary Joint Committee on Corporations and Financial Services, the Chairman of ASIC advised that ASIC would be introducing a new policy that media releases will generally be provided to all promisors who enter into an EU, 24 hours before publication.

Conclusion

3.59 Decisions about whether to accept an offer of an EU were generally sound. For the majority (46 of 53) of EUs, ASIC documentation demonstrated some comparison being made between an EU and other regulatory options available to ASIC. Further, in the seven instances where record keeping was insufficient, ASIC was able to advise the reasons why entering into an EU would provide an effective regulatory outcome. Importantly, the ANAO did not identify any EUs where promisors were treated differently based on the size of their business.

3.60 In general, terms included in EUs provided a proportionate regulatory response to non-compliance, with individual terms in EUs being clearly aligned with the misconduct at which those terms were directed. ASIC does not, however, assess the effectiveness of EUs (and terms in EUs) to enable it to have a firmer basis for requiring the inclusion of particular terms in EUs. Terms facilitating the monitoring of compliance with EUs were found in a majority of EUs reviewed (38 of 53). However, there is scope for ASIC to strengthen its capacity to assess compliance with, and the effectiveness of, EUs by more systematically including reporting obligations in future EUs.

3.61 Documentation relating to the decision-making process for EUs was inconsistent, dispersed across multiple systems, and not always readily available. The ANAO was able to identify early stage SEL approvals for 41 of the 53 EUs and late stage SEL approvals for 28 EUs. In regards to CLO approvals, only 26 of 53 EUs were assessed as fully or largely compliant with ASIC policies. Even where documentation was available, it was not always readily apparent as to why a particular EU was accepted. The inconsistent documentation of decisions and approvals poses risks to the transparency, clarity, consistency, and enforceability of EUs. There would be merit in ASIC reinforcing to staff the importance of complying with its policies and procedures, and particularly, documenting all decisions relating to the acceptance of an EU.

Recommendation No.2

3.62 To strengthen decision-making and support the transparency of, and quality assurance over enforceable undertakings, the ANAO recommends that ASIC:

1. reinforces to staff the need for key documents and decisions relating to enforceable undertakings to be appropriately recorded in accordance with ASIC policies and procedures; and
2. formalises the processes for obtaining enforceable undertaking approvals.

ASIC response:

3.63 Agreed. Implementation of Recommendation 2 will assist ASIC to ensure transparency and consistency in its administration of enforceable undertakings.

Introduction

4.1 It is important that EUs are monitored, and any breaches are detected and dealt with appropriately and in a timely manner. Monitoring of EUs is mainly undertaken by ASIC but can sometimes involve an independent expert.¹⁰³ Adopting a risk-based approach to monitoring compliance provides a sound basis for focusing regulatory effort and cost-effectively deploying resources.

4.2 In its report, the Senate Economics References Committee raised concerns that the effectiveness of an EU in deterring misconduct within or by other regulated entities may be diminished by ‘a belief that the compliance with the undertaking will not be monitored effectively and the terms not enforced.’ In light of this, the Committee recommended that ‘ASIC should more vigilantly monitor compliance with [EUs] with a view to enforcing the undertaking in court if necessary.’¹⁰⁴

4.3 The ANAO examined whether ASIC:

• actively monitors compliance by promisors with the terms of their EUs, and takes action where breaches are identified;
• undertakes appropriate assessments of independence and expertise when approving independent experts and engages with independent experts to maximise regulatory benefits from the process; and
• measures and reports on the effectiveness of the EU in achieving desired regulatory outcomes.

4.4 In undertaking this review, the ANAO assessed the monitoring undertaken for the 53 EUs accepted between 1 January 2012 and 30 June 2014. Of these EUs, 30 included the appointment of an independent expert.

ASIC’s monitoring of compliance

4.5 Once ASIC formally accepts an EU, the terms of the undertaking become binding on the promisor. While the promisor is ultimately responsible for complying with the EU, ASIC is responsible for monitoring and verifying compliance after the EU has been accepted. Where ASIC considers that a promisor has failed to comply with any of the terms of an EU, it may apply to a court for enforcement of the undertaking.¹⁰⁵

Form and extent of monitoring

4.6 The Enforcement Manual recognises that the nature and extent of monitoring compliance with EUs will depend on the substantive obligations, and any reporting obligations, in the undertaking. The Enforcement Manual does not specify the form of monitoring that can or should be taken in respect of EUs, but states that ‘in many cases, [ASIC] will have active future involvement in monitoring obligations of the [EU] (for example, receiving and assessing reports from an auditor of a compliance program, or receiving and assessing documents from the company, such as financial reports)’.

4.7 The ANAO assessed documentation relating to the monitoring of EUs in the audit sample to identify the monitoring activities commonly undertaken (Table 4.1). Given the wide variety of obligations imposed under EUs, the monitoring activities depended on the particular terms of the EU.

Table 4.1: Common monitoring activities undertaken by ASIC for enforceable undertakings

Source: ANAO analysis of ASIC monitoring documentation relating to EUs accepted between 1 January 2012 and 30 June 2014.

Note: Individual EUs can have multiple forms of monitoring. This table does not include most forms of monitoring undertaken as part of the independent expert review progress. These forms of monitoring are considered in the next section of this chapter.

4.8 The most common forms of monitoring undertaken by ASIC were communication with the promisor (32 of 53 EUs) and receiving documentation under the EU (27 of 53 EUs). Where there were deliverables (such as reports or statements) under an EU, ASIC was able to provide evidence of receiving these in all but three cases (see paragraph 4.17). The content of discussions with the promisor depended on the nature of the EU and any issues arising. These discussions ranged from the relatively straightforward (such as ASIC providing approval for an individual to undertake a course to meet a continuing professional education obligation) to the more involved, as shown in the following case study.

4.9 The ANAO also reviewed the extent to which ASIC monitored the EUs. To undertake this review, the ANAO assessed the terms of each EU to determine the extent to which ASIC could be expected to actively monitor the EU. A higher level of monitoring was expected where the EU was complex or involved ongoing obligations (such as those requiring independent expert reviews and involving complex arrangements for the remediation of consumers/investors) compared to EUs involving simple, one-off obligations (such as correcting misleading advertising). The ANAO then reviewed documentation to assess the extent to which the EUs were monitored. The results of this assessment are shown at Table 4.2.

Table 4.2: ASIC’s level of monitoring compliance with enforceable undertakings

Source: ANAO analysis of ASIC monitoring documentation relating to EUs accepted between 1 January 2012 and 30 June 2014.

Note: Numbers in cells shaded grey represent EUs where monitoring was below ANAO expectations.

4.10 The ANAO identified adequate monitoring of undertakings for 44 of the 53 EUs reviewed (83 per cent). Of the nine instances where the level of monitoring fell short of expectations, the main obligation of six of these EUs required the individual to cease providing financial services for a specified period. In respect of these, documentation was not available to demonstrate that the Financial Advisers team was monitoring the exclusion of these individuals from the industry.¹⁰⁶

4.11 More generally, the form and extent of EU monitoring activities was adequate having regard to the nature of the EUs. Nevertheless, there is scope to improve the documentation supporting the monitoring activities and allocating responsibility for monitoring EUs, for example to a person in each stakeholder team. These changes would be especially beneficial where the EU imposes ongoing obligations but does not include reporting requirements (such as EUs involving an exclusion from an industry).

Team conducting the monitoring

4.12 Broadly, the roles and responsibilities for monitoring an EU will depend on the obligations contained in the EU. According to the Enforcement Manual, where compliance with the EU will occur immediately and is easily verifiable, verification is the responsibility of the enforcement team that negotiated the undertaking. Where the EU involves a continuing obligation, monitoring is the responsibility of the relevant stakeholder team. To assess the extent to which monitoring is undertaken in accordance with this policy, the ANAO assessed which team could be expected to have responsibility for monitoring each EU reviewed. The ANAO then identified which team was actually monitoring the EU. The results of this analysis are shown at Table 4.3.

Table 4.3: Monitoring of enforceable undertakings by stakeholder or enforcement teams

Source: ANAO analysis of ASIC monitoring documentation relating to EUs accepted between 1 January 2012 and 30 June 2014.

Note: Numbers in cells shaded grey represent EUs that were monitored by a team different to that expected to monitor the agreement (based on ASIC guidance).

4.13 Apart from the seven EUs for which there was no evidence of monitoring (see Table 4.2 and related discussion), in eight EUs the monitoring of compliance was by a different team than expected by the guidance in the Enforcement Manual. In each of these cases, this was because the matter remained with the enforcement team indefinitely or for an extended period after acceptance of the EU, rather than being transferred to a stakeholder team. There was no reason documented for the responsibility for monitoring of the EU not being transferred to the relevant stakeholder team in accordance with ASIC procedures.

4.14 While enforcement teams can continue to monitor an EU containing ongoing obligations, this approach may lead to teams being unclear about their roles and responsibilities in relation to monitoring EUs. For example, for one of the EUs reviewed, there was considerable overlap between the monitoring activities of the stakeholder and enforcement teams, leading to confusion among staff members about their roles and responsibilities, and to an expert report not being appropriately followed up. More generally, a higher level of engagement with independent experts was identified in cases where responsibility for monitoring of an EU was promptly transferred to the relevant stakeholder team (see paragraph 4.43). Further, stakeholder teams are likely to gain experience and expertise over time in monitoring EUs (particularly in assessing expert reports).

Breaches of EUs

4.15 Where ASIC has reason to believe that an EU is not being complied with, the Enforcement Manual says it ‘will usually first try to resolve the matter by drawing the matter to the attention of the [promisor].’ In cases where the breach is ‘of a substantive term or involves a failure of the [promisor] to satisfy a material obligation by a certain time’, ASIC’s policy is that it will not hesitate to apply to a court to enforce the EU.

4.16 To assess ASIC’s identification of, and responses to, breaches of EUs, the ANAO assessed compliance with the terms in the EUs based on information available to ASIC.¹⁰⁷ In making this assessment, the ANAO reviewed data sources including EU monitoring documentation, key systems and registers (such as complaints, licensing and registry systems) and relevant public information (such as websites, to determine whether corrective notices had been published). A summary of the ANAO’s assessment is shown at Table 4.4, which focuses on the more common obligations.

Table 4.4: Breaches of terms of enforceable undertakings

Source: ANAO analysis of ASIC EU monitoring documentation, ASIC registry and licensing databases, websites and other information relating to EUs accepted between 1 January 2012 and 30 June 2014.

Notes to Table 4.4

Note 1: The analysis is necessarily constrained by the available information. In the case of a promisor who has agreed to refrain from providing financial services and subsequently obtains employment with a financial service provider, it is unlikely that ASIC will identify this non-compliance except by receiving a complaint. The analysis is not intended to confirm that undertakings have been complied with, rather it provides assurance that there was no information in ASIC’s possession to indicate that an undertaking had not been complied with.

Note 2: A term was assessed where: the obligation was current at 15 November 2014; and information was available to enable an assessment—either because the EU had a reporting obligation or relevant information was available on ASIC’s various databases (including companies register, professional registers and complaints).

4.17 The ANAO identified four EUs where there was non-compliance with an obligation in an EU—three of these related to non-compliance with a continuing professional education obligation and one related to a promisor taking part in the management of a company despite an undertaking to refrain from doing so. In addition to the above, there were seven EUs where an obligation was not complied with in accordance with the timeframe specified in the EU. In all instances, ASIC was aware of the non-compliance. No instances were identified where information was available to ASIC about non-compliance with an EU, and the relevant team was unaware of that non-compliance.

4.18 For the two instances where an individual has not complied with their undertaking to complete specified continuing professional education, both individuals had advised ASIC that they were unemployed and in one case, unable to afford the course fees. ASIC has not demanded strict compliance with these undertakings. In the case of the company failing to ensure officers complete the education, this was due to differing expectations between ASIC and the promisor. To gain assurance that the obligation had been met, ASIC required the company to promptly fulfil the educational requirements and have the appointed independent expert produce a supplementary report in relation to that non-compliance (and certain other specified matters).

4.19 The one identified instance of non-compliance with an undertaking not to take part in the management of a corporation came to ASIC’s attention through a complaint from the public. In response to the complaint, ASIC contacted the promisor and relevant third parties to determine whether there had been a breach of the EU and sought relevant information. Although ASIC was of the view that a breach had occurred, it determined that it had insufficient evidence of the breach and that in any event, the risk posed to the public was limited. A letter was sent to the promisor to reinforce their obligations under the EU. Overall, and in the context of a risk-based regulatory framework, ASIC’s approach to responding to breaches of an EU has been suitable for the EUs reviewed by the ANAO.

Responding to complaints of a breach of an EU

4.20 An important means for ASIC to identify potential breaches of an EU is through complaints received from the public, as illustrated above. Reports of misconduct received from the public through ASIC’s website are assessed by the Misconduct and Breach Reporting (M&BR) team. M&BR also deal with Australian financial services licensee breach reports, auditors’ breach notifications and liquidators’ statutory reports, which also have the potential to reveal breaches of an EU.

4.21 To determine how ASIC deals with reports involving a potential breach of an EU, the ANAO reviewed the 71 cases in the Complaints Management System for which the activity description included a reference to an EU. Of these, 19 related to the 53 EUs reviewed as part of this audit. A diagram summarising the results of the ANAO’s testing is shown at Figure 4.1.

Figure 4.1: Outcomes of reports of misconduct relating to enforceable undertakings

Source: ANAO analysis of data in ASIC’s Complaints Management System.

4.22 Overall, the procedures for referring reports relevant to the monitoring of compliance with an EU are effective, with 10 of the 14 reports that raised a potential breach or information relevant to monitoring an EU being referred to the appropriate stakeholder or enforcement team. In two of the four cases where the report was not referred, the stakeholder team advised that it was already aware of the information and that the matter did not need to be referred. In a further case, evidence was considered insufficient for a formal referral, and in the final case, the complaint largely restated information from a previous case that had been referred to the enforcement team. In each case, the decision to not refer the report was appropriate in the circumstances.

Use of independent experts

4.23 One way that ASIC monitors compliance with EUs is to require the appointment of an independent expert to report to ASIC (either directly or through the promisor) on specified matters. In the review period, 30 of the 53 EUs included a term requiring a review to be undertaken by an independent expert. The form of review depended on the particular EU, but could be generalised into one of four types, as outlined in Table 4.5.

Table 4.5: Types of independent expert review required under enforceable undertakings

Source: ANAO analysis of EUs entered into from 1 January 2012 to 30 June 2014.

Note 1: One of these EUs involved a review of an individual’s compliance with legislation and a review of the firm’s compliance framework. The other EU involved a review of the promisor’s compliance with legislation and compliance with the EU (in terms of an obligation to refund consumers).

4.24 The requirement to appoint an independent expert can have a number of potential benefits, including allowing for the independent verification of remedial action and shifting the cost of monitoring compliance with the EU to the promisor. However, in its report, the Senate Economics References Committee identified some concerns regarding the management of the independent expert process, including in relation to transparency and the appointment process. In particular, the Committee queried the degree of certainty around the obligations of the expert, what constitutes expertise, and how potential conflicts of interest should be resolved.¹⁰⁸ The remainder of this section considers the process for appointing independent experts, the reports produced and ASIC’s engagement with independent experts.

Appointing independent experts

4.25 ASIC’s involvement in appointing an expert will depend on the terms of the particular EU. As a general position, independent experts under an EU and their terms of reference, are to be approved by ASIC before the promisor engages that expert. There are, however, exceptions to this general position—for example, if the independent expert was approved before the EU was accepted. Table 4.6 outlines the arrangements for approving independent experts under the EUs reviewed by the ANAO.

Table 4.6: Arrangements for approving independent experts under enforceable undertakings

Source: ANAO analysis of EUs entered into from 1 January 2012 to 30 June 2014.

Note 1: ‘Prior to EU’ indicates instances where the terms of reference were agreed before the acceptance of the EU because the independent expert was engaged prior to acceptance of the EU, or because the EU prescribes a form of terms of reference (attached as an appendix to the EU) to be used when engaging an independent expert.

4.26 As Table 4.6 indicates, ASIC’s approval of the expert was required in 24 of the 30 EUs where an independent review was to be undertaken. Of the six EUs that did not require ASIC’s approval of the independent expert, four related to financial advisers who, following the resumption of work after completing their periods of suspension, were required to have reviews undertaken of the compliance of financial advice provided by them with relevant laws. In each of these cases, although not requiring ASIC to approve the expert, there was some guidance as to who would constitute an acceptable reviewer.¹⁰⁹ It was not clear why ASIC’s approval was not required in these cases when for similar EUs (such as EUs involving auditors and liquidators), ASIC was required to provide a final approval.

4.27 Overall, the arrangements for approving experts varied considerably between EUs, with 13 of the 30 EUs not requiring ASIC approval of either the expert and/or the terms of reference. As the nature of ASIC’s consideration of an approval will necessarily depend on the nature and complexity of a matter, it is important that ASIC has a clear policy and consistent practices in appointing independent experts and their terms of reference.

Appointing experts in accordance with the EU

4.28 Of the 22 EUs where ASIC’s approval was required¹¹⁰: an approval was provided for 15 EUs; there was no record of approval for two EUs; and for the remaining five EUs, approvals were not yet required as the obligation to engage an expert was future-dated or contingent. Documented consideration of the appropriateness (expertise and/or independence) of an expert was identified for 10 of the 15 EUs where an approval had been given.

4.29 For the 12 EUs where ASIC was required to approve the terms of reference, there was documented approval for 11 of the 12 EUs—for seven of these 11 EUs, there was documented consideration of, or input into, the terms of reference.

ASIC’s consideration of the independence and expertise of experts

4.30 ASIC’s consideration of the independent expert and their terms of reference varied between EUs. While lacking a systematic approach to considering independent experts’ independence and expertise, common considerations included:

• the performance of an expert in past reviews conducted under an EU;
• the results of data warehouse and mainframe system searches (particularly, whether there have been past complaints/issues regarding the proposed reviewer, and whether the search identifies connections between the promisor and reviewer that could suggest a conflict of interest); and
• reviews of the curriculum vitae and statements of independence provided by the expert.

4.31 In four of the 10 EUs reviewed where there was documented consideration of the appropriateness of an independent expert, ASIC had rejected the initial expert proposed by the promisor. In two of these cases, the basis for the rejection was that ASIC did not believe the expert was sufficiently independent of the promisor. In one case, ASIC considered that the proposed independent expert lacked the relevant qualifications, regulatory knowledge and compliance experience to carry out the required tasks. In the other case, ASIC refused to approve the independent expert because of concerns about the quality of past reports prepared by the expert as well as a perceived conflict of interest.

4.32 While ASIC generally undertakes adequate assessments in relation to the appointment of independent experts, the practices for this differ greatly between teams and on a case-by-case basis. The fact that ASIC rejected the independent expert initially proposed by the promisor in 40 per cent of cases where there was documented consideration of the appropriateness of the independent expert, underscores the importance of consideration by ASIC of the independence and expertise of experts proposed by promisors, and the content of their terms of engagement.

4.33 In February 2015, a revised Regulatory Guide 100 was released that deals with many of the above matters. Importantly, the revised Guide states that where a promisor is to appoint an independent expert under an EU, ASIC will require a term in the EU that the promisor obtains ASIC’s approval of the appointment and of the terms of reference. The guide also lists considerations to be taken into account when determining whether an expert demonstrates: competence to undertake the engagement; independence from the promisor; and the existence of adequate arrangements to manage conflicts of interest arising during the engagement. While the revised Regulatory Guide 100 is a significant improvement, there would be merit in ASIC supporting the amendments with practical assistance to staff on how to apply the revised Guide by making amendments to its internal guidance on EUs.

Independent expert reports

4.34 Where an independent expert is required to be appointed as part of an EU, that expert is required to review certain matters (as outlined in Table 4.5) and report back to the promisor and ASIC on their findings. In some cases, the EU also requires the expert to make any relevant recommendations and for the promisor to implement these recommendations.

4.35 To support ASIC in effectively monitoring compliance with EUs, and to improve the compliance of individuals and businesses subject to EUs, it is important that the reports:

• address the EU requirements and areas of concern to ASIC;
• are comprehensive; and
• where appropriate, make meaningful recommendations.

4.36 The ANAO assessed 35 reports provided to ASIC against these criteria.¹¹¹ The results of this assessment are shown at Table 4.7.

Table 4.7: ANAO assessment of independent expert reports

Source: ANAO analysis of 35 independent expert reports received by ASIC pursuant to EUs accepted between 1 January 2012–30 June 2014.

4.37 Although some stakeholders raised concerns with the ANAO about the quality of reviewers appointed by some promisors, this was generally not supported by an assessment of reports produced by those reviewers. The overwhelming majority of reports reviewed were of sufficient quality having regard to addressing the EU requirements, being comprehensive and containing meaningful recommendations.

4.38 For two reports, however, the ANAO identified shortcomings. In one of these cases, ASIC also identified issues with the quality of the report. ASIC discussed these concerns with both the promisor and the independent expert and required a supplementary report to be provided to respond to the concerns raised. In the other case—an EU monitored by the enforcement team—ASIC had not identified similar issues.

4.39 As part of its review, the ANAO also assessed the extent to which the reports made findings critical of the compliance of a promisor—this being an indicator as to whether independent experts have applied appropriate professional scepticism in the discharge of their responsibilities.¹¹² The results of this assessment are shown at Table 4.8. Overall, just over half (52 per cent) of the reports had negative and/or mixed findings.

Table 4.8: Findings of independent expert reports

Source: ANAO analysis of 35 independent expert reports received by ASIC pursuant to EUs accepted between 1 January 2012 and 30 June 2014.

ASIC’s engagement with independent experts

4.40 To maximise the potential regulatory benefit from independent reviews under EUs, it is important that ASIC engages with independent experts to help ensure that the reviews undertaken address the areas of concern to ASIC and that appropriate remedial action is taken by promisors in response to issues raised by the expert. It is expected that in interacting with independent experts, ASIC will adopt a risk-based approach—a high level of engagement being required where the consequences or likelihood of misconduct are greater or where the expert is not performing as expected.

4.41 For each of the 20 EUs where an independent expert had been appointed and a report produced, the ANAO assessed the level of engagement and follow-up by ASIC in relation to the expert and their reports. There was evidence of ASIC communicating directly with the independent reviewer for 12 of these 20 EUs. The extent and nature of these discussions varied between EUs, ranging from ASIC providing input into the reviewer’s scope of work (four EUs) to one EU where ASIC had to arbitrate in a dispute between the promisor and the appointed independent expert. An example of an EU where ASIC has had a high level of ongoing engagement with both the promisor and the independent expert is provided in the following case study, relating to the EU accepted from Macquarie Equities Limited.

4.42 Of the 20 EUs where an independent expert report had been provided to ASIC, documentation (such as a memo, working paper or email) was available that demonstrated ASIC had assessed reports for 15 of these EUs. In 13 cases, ASIC had requested further information or arranged a meeting to discuss the report with the promisor. Importantly, ASIC undertook appropriate follow-ups in relation to seven of the eight reports having ‘Negative’ or ‘Generally Negative’ findings against the promisor. For the other EU, follow-up is to occur after the promisor has submitted their statement of implementation of recommendations.

4.43 There was a higher level of engagement with the independent expert where the ASIC team responsible for monitoring was a stakeholder team rather than an enforcement team. ASIC documentation indicated consideration of an expert report for 14 of the 16 EUs monitored by a stakeholder team where a report had been provided. ASIC records indicated consideration of an expert report for only one of the four EUs monitored by an enforcement team. There would be merit in ASIC taking steps to ensure that responsibility for monitoring EUs with expert reporting obligations is transferred to the relevant stakeholder team so that appropriate consideration is given to the reports produced under the EU.

4.44 Overall, ASIC’s engagement with independent experts generally reflected an appropriate risk-based approach. The differences in the extent to which ASIC engaged with the expert review process (through communication with the expert, and consideration and follow-up of reports) was generally explained by reference to factors including: the nature of the misconduct subject to the EU; the details of the review arrangement included in the EU (including whether the EU required multiple reviews); and whether issues were identified as part of the reviews conducted by the independent expert. Nevertheless, in light of the five cases where there was no documentation to demonstrate an assessment of the independent expert reports, there is scope for better record keeping and documentation of the independent expert process.

Public reporting on compliance with enforceable undertakings

4.45 In its report, the Senate Economics References Committee raised concerns about the transparency of compliance with EUs. Having regard to this, the Committee recommended that ASIC:

consider ways to make the monitoring of ongoing compliance with the undertaking more transparent, such as requiring that reports on the progress of achieving the undertaking’s objectives are, to the extent possible, made public.¹¹³

4.46 This recommendation was in addition to the recommendation discussed in Chapter 2 that ASIC include in its annual report additional commentary on: its activities to monitor compliance with EUs; and how the undertakings have led to improved compliance with the law and encouraged a culture of compliance.¹¹⁴

4.47 In response to the Committee’s recommendation, in August 2014, ASIC included in its Enforcement Manual interim guidance on the public reporting of outcomes. This guidance specified mandatory public reporting of outcomes of EUs (including by allowing ASIC to refer to the findings of expert reports), unless a Commissioner determines otherwise. In February 2015, Regulatory Guide 100 was revised to reflect a final position on the public reporting of outcomes. The revised Guide makes clear to regulated entities that for EUs accepted in the future, ASIC will report on whether the undertakings given by a promisor in an EU have been complied with. The revised Guide also states that where an EU requires reporting by an independent expert, ASIC will make ‘available publicly a summary of the final report or a statement that refers to the content of the report’.¹¹⁵

4.48 While not forming part of the broad sample, the ANAO assessed the 11 EUs entered into by ASIC between 4 August 2014 and 31 December 2014 to determine whether their terms reflect the interim policy outlined in the Enforcement Manual. Nine of the 11 EUs accepted were consistent with the policy, and for the five EUs where an independent expert report was required, the undertaking provided for this report to be made publicly available.¹¹⁶

Evaluating the effectiveness of EUs in achieving improved compliance

4.49 While it is important for transparency that compliance with EUs is reported, it is also important that ASIC goes further and assesses more broadly the effectiveness of each EU in achieving improved compliance.

4.50 As discussed in Chapter 2, ASIC does not currently systematically measure and report (internally or publicly) on the effectiveness of individual EUs in achieving desired outcomes. Though stakeholder teams and SELs often have a sense about the effectiveness of particular EUs in generating behavioural change, there would be merit in ASIC taking steps to more systematically collect data and report on these outcomes. The reporting obligations in many EUs (as well as other reporting obligations outside EUs)¹¹⁷ position ASIC well to report on compliance outcomes, as outlined below:

• for five of the eight EUs where multiple expert reports were provided under the EU, there was an improvement in the promisor’s compliance in subsequent reports compared to the initial report—suggesting that the review process had led to improved compliance¹¹⁸;
• in one case, after acceptance of an EU and following an independent expert review process, an Australian financial services licensee (AFSL) began submitting AFSL breach reports in relation to newly identified instances of prior non-compliance—suggesting that the EU had led to the promisor taking their AFSL obligations more seriously; and
• in one case, ASIC continued to receive regular reports of misconduct in relation to the conduct of franchisees of a franchisor whom ASIC had accepted an EU from—suggesting that greater attention may need to be given when accepting future EUs involving franchise operations.

4.51 While these examples demonstrate the effectiveness of EUs in providing specific deterrence, the impact of EUs as an effective regulatory tool for deterring and educating regulated entities more generally is also important, as discussed in Chapter 2.

Conclusion

4.52 Monitoring compliance with the terms of EUs varied depending on the nature of the obligations in EUs. Generally, the monitoring activities undertaken were appropriate in the circumstances and the level of monitoring was also adequate in a majority of cases (44 of 53 EUs reviewed). Where ASIC possessed information suggesting a breach of an EU, it had identified the breach and responded appropriately.

4.53 In terms of its use of independent reviews, there were inconsistencies in the process for appointing independent experts under an EU. Of the 30 EUs that required an independent expert to be appointed, 13 did not provide for ASIC to approve the expert and/or their terms of reference. ASIC has recently released new public guidance that requires these approvals. Where the EU required ASIC to provide relevant approvals, there was documented evidence of ASIC having provided those approvals. However, the inquiries undertaken and judgments made to support the approval of an expert were not consistently documented. To support a more consistent approach to the approval of independent experts and their terms of reference, ASIC should consider complementing its public guidance on independent experts with internal guidance to staff on the steps to be taken in approving the appointment of an independent expert.

4.54 In response to the Senate Economics References Committee’s recommendation that ASIC consider ways of increasing the transparency of monitoring compliance with EUs, in August 2014 ASIC introduced interim guidance requiring the public reporting of outcomes of EUs. A final position was reached in February 2015, with the release of a revised Regulatory Guide 100. EUs entered into since August 2014 have generally been accepted in line with the new policy.

4.55 In addition, to support future decisions to enter into EUs, there remains scope for ASIC to assess the effectiveness of each EU in achieving its desired regulatory outcomes. The information that ASIC receives through monitoring compliance with EUs positions it well to undertake this task. The assessment of the effectiveness of an EU should inform ASIC’s views on the circumstances in which it is appropriate to enter into an EU in the future and the terms to be included in these EUs.

Appendices

Please refer to the attached PDF for the Appendices:

• Appendix 1: Entity Response
• Appendix 2: Terms in Enforceable Undertakings Reviewed

Abbreviations

Glossary