Compliance: Theory and Practice in the Financial Services Industry

2. The Role of Compliance

IMPORTANT NOTE: These slides have been provided primarily for the use and benefit of students taking the "Compliance: Theory and Practice in the Financial Services Industry" course at Sydney University Law School. They are a summary only of the subject matter covered and are not intended to be, nor should they be relied upon as, a substitute for legal or other professional advice. In particular, it should be noted that the slides are not always verbatim quotes from the underlying source material and that material may have been abridged or paraphrased for presentational purposes. There also may have been legislative, regulatory or other developments since these slides were last updated that are not incorporated.

These slides are made available without the assumption of a duty of care by Inhouse Legal Solutions Pty Limited ("ILS") or the officers, employees or agents of ILS who were involved in their preparation and without any representation or warranty as to accuracy or completeness. Your use of these slides is subject to the terms and conditions set out on our Legal Notices page.

   What is "Compliance"?
   The Difference between Compliance, Legal and Internal Audit
   The Justification for a Compliance Function
   International Standard ISO 19600-2014
   Regulatory Pronouncements on Compliance Systems
   Judicial Pronouncements on Compliance Systems
   The Desirable Features Of A Financial Services Compliance System
   A Sample Financial Services Compliance Mission Statement
   A Sample List of Financial Services Compliance Policies
   Dealings with Regulators


What is "Compliance"?

Australian and International Standards
•     International Standard ISO 19600-2014

Compliance: "meeting all the organization's compliance obligations" (cl 3.17).


Compliance obligation: a compliance requirement (ie a requirement that an organization has to comply with) or a compliance commitment (ie a requirement that an organization chooses to comply with).


•     Australian Standard AS 3806-2006

Compliance: "adhering to the requirements of laws, industry and organizational standards and codes, principles of good governance and accepted community and ethical standards" (cl 1.3.3).


Compliance program: "a series of activities that when combined are intended to achieve compliance" (cl 1.3.6).

•     Australian Standard AS 3806-1998

Compliance: "ensuring that the requirements of laws, regulation, industry codes and organisational standards are met" (cl 1.4.2).

Query the reference in AS 3806-2006 to "accepted community and ethical standards". Is it really the role of Compliance to act as the conscience of the organisation and police moral standards that are not reflected in legal or regulatory requirements? This is especially so when there are a number of laws - such as the obligation to "do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly" (CA s912A(1)(a)) and not to engage in misleading and deceptive conduct (CA s1041H) - that elevate standards of good behaviour into legal requirements.

cp Basel Committee Definition of Compliance
Compliance: "an independent function that identifies, assesses, advises on, monitors and reports on the bank’s compliance risk, that is, the risk of legal or regulatory sanctions, financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with all applicable laws, regulations, codes of conduct and standards of good practice." (per Basel Committee on Banking Supervision, "Compliance and the Compliance Function in Banks" (April 2005))


cp ACCC Definition of Compliance
"A trade practices compliance program ... is a mechanism designed to identify and reduce the risk of breaching the Trade Practices Act 1974 ... and to rapidly and effectively remedy any breach that may occur. A successful compliance program will engender a culture of compliance within the organisation and assist the company to become or remain a good corporate citizen.
There is no generic compliance program as each organisation’s circumstances are different. Depending on the size and risk profile of the company, a compliance program can be as simple as implementing an effective complaints handling system and providing all relevant staff with trade practices training tailored to the business activity; or it could be more comprehensive and include:
>   setting up a team of dedicated compliance staff
>   conducting regular trade practices compliance risk assessments and compliance program reviews
>   designing detailed guidelines and procedures for different business units that face operational trade practices risks
>   establishing systems to keep track of the company’s legal and regulatory requirements
>   developing and maintaining staff education programs.
Whatever the type and style of the compliance program it should be well managed, adequately resourced, properly documented and actively supported by the board and senior management." (ACCC, Corporate Trade Practices Compliance Programs (November 2005), at page 3, since retired)


My Functional Definition of Compliance
Compliance is an internal risk control function which works closely with the inhouse legal function and which is responsible for:
•     developing and administering systems and procedures to comply with legal and regulatory requirements;
•     developing and administering training programs covering legal and regulatory requirements;
•     assisting line personnel with day to day legal and regulatory issues as they arise;
•     developing and administering monitoring and surveillance systems to detect potential breaches of legal and regulatory requirements;
•     investigating, rectifying and reporting on breaches of legal and regulatory requirements (including client complaints);
•     filing various notices and returns with regulators;
•     liaising with regulators in relation to regulatory matters,
(save for those legal and regulatory requirements relating to employees, company secretarial matters, financial statements, prudential returns and taxation, which are generally taken care of by other corporate functions).

Note that the phrase "legal requirements" doesn’t just refer to statutory obligations. It includes common law obligations, fiduciary obligations, contractual obligations and obligations under prospectuses and other offering materials. So, for example, checking whether a proposed investment for a managed investment fund falls within the list of authorised investments (as per its constitution or the relevant offer document) is something usually done by the Compliance function.

Similarly, "regulatory requirements" doesn't just mean obligations under regulation. It includes obligations under stock exchange listing rules, market rules, regulator guidelines and self-regulatory/industry codes of practice.

The Difference between Compliance, Legal and Internal Audit

The Difference Between Compliance and Legal
There is significant overlap. The two Departments share responsibility for ensuring the organisation complies with its legal and regulatory obligations and will often jointly undertake the functions above. In some industries, the Legal Department performs both legal and compliance functions. Generally, however, in the financial services industry:
•     Compliance does not act as legal representative for the organisation and therefore does not draw up contractual documentation, act in litigation or give formal legal opinions; and
•     Legal generally acts in a representative or advisory capacity and does not get involved in administration of systems and procedures nor in monitoring and surveillance.

As an example, a staff trading policy would typically be drafted, administered and monitored by Compliance with very little Legal involvement, apart from signing off that the policy is appropriate in terms of meeting the Chinese wall requirements in the Corporations Act and the ASIC ASX Market Integrity Rules and, if someone breaches it, dealing with any legal issues that may arise (eg advice on reporting obligations to regulators or on disciplinary measures against offending staff).

The Difference Between Compliance and Internal Audit
Internal Audit is a risk control function that is responsible (amongst other things) for testing the adequacy of internal control systems and recommending improvements. Inevitably, this will overlap with some areas that also fall within the responsibility of Compliance. However, Internal Audit typically carries out its reviews ex post facto on an audit (sample and test) basis whereas the monitoring and surveillance undertaken by Compliance is typically done real-time or on a periodic basis.

One example of overlap is order records, which have both generic control aspects and compliance aspects. Compliance, as an internal control system, should itself be subject to internal audit.

The Justification for a Compliance Function

Theoretical Foundations
The case for having a Compliance function can be founded upon:
(a)   the self-evident proposition that one should take steps to comply with legal obligations or else face criminal and/or civil liability for breach - "comply or die";
(b)   statutory due diligence defences;
(c)   statutory and common law obligations of directors/officers to exercise reasonable care;
(d)   the duty of directors to assure themselves that they are reasonably informed of material events concerning the corporation, including possible breaches by it of legal obligations;
(e)   avoidance of corporate criminal responsibility for breaches by individual officers and employees;
(f)   mitigation of penalties in the event of breach;
(g)   maintenance of market integrity; and
(h)   the legal requirements applicable to AFSL holders.

If you are interested in some more general reading on this topic, see Parker & Conolly, "Is there a Duty to Implement a Corporate Compliance System in Australian Law?" (2002) 30 ABLR 273.

(a) Comply or Die –
Re Supply of Ready Mixed Concrete (No 2)
Per Lord Nolan @ [1995] 1 All ER 135, 151: "Liability [for breach of competition laws] can only be escaped by completely effective preventative measures. How great a burden the devising of such measures will cast upon individual employers will depend upon the size and nature of the particular organisation. There are, of course, many areas of business life, not only in the consumer protection field, where it has become necessary for employers to devise strict compliance procedures. If the burden is in fact intolerable then the remedy must be for Parliament to introduce a statutory defence for those who can show that they have taken all reasonable preventative measures."

In Re Supply of Ready Mixed Concrete (No 2) an injunction had been granted restraining a concrete company from giving effect to or enforcing agreements restricting competition. By direction from its senior management, the company forbade its employees from entering into such agreements. Notwithstanding that express direction, some of its employees entered into a price-fixing and job allocation agreement with representatives of other concrete companies in breach of the injunction. Proceedings were brought against the company for contempt of court. It was held that the company was, through the action of its employees, liable for contempt of court notwithstanding that they were acting beyond their express authority. Lord Nolan said (at p151):


"…I am unable to accept that a prohibition at some senior level against the making of an agreement or arrangement which is ignored by the employees concerned is none the less sufficient to prevent the employing company from becoming a party to the agreement or arrangement when made. The Act is not concerned with what the employer says but with what the employee does in entering into business transactions in the course of his employment. The plain purpose of [the Act] is to deter the implementation of agreements or arrangements by which the public interest is harmed, and the [Act] can only achieve that purpose if it is applied to the actions of the individuals within the business organisation who make and give effect to the relevant agreement or arrangement on its behalf.


This necessarily leads to the conclusion that if such an agreement is found to have been made without the knowledge of the employer, any steps which the employer has taken to prevent it from being made will rank only as mitigation. Liability can only be escaped by completely effective preventative measures. How great a burden the devising of such measures will cast upon individual employers will depend upon the size and nature of the particular organisation. There are, of course, many areas of business life, not only in the consumer protection field, where it has become necessary for employers to devise strict compliance procedures. If the burden is in fact intolerable then the remedy must be for Parliament to introduce a statutory defence for those who can show that they have taken all reasonable preventative measures."

There being no such defence in this case, the employer was found liable for contempt of court.


(b) Due Diligence Defences –
Corporations Act
•     A person does not commit an offence against s728(3), and is not liable under s729 for a contravention of s728(1), because of a misleading or deceptive statement in, or omission of a particular matter from, a prospectus if the person proves that they:
  •     made all inquiries (if any) that were reasonable in the circumstances; and
  •     after doing so, believed on reasonable grounds that the statement was not misleading or deceptive or that there was no omission in relation to that particular matter from the prospectus, as the case may be (ss731(1) and (2)).
•     In any proceedings against a person for an offence based on s952E(1) or (3) (issuing defective disclosure material), it is a defence if the person took reasonable steps to ensure that the disclosure document or statement would not be defective (s952E(5)).

There are also due diligence defences in CA ss952G(8), (9) and (10), 953B(6), 1017B(8), 1021E(4) and 1022B(7).

(b) Due Diligence Defences –
Australian Consumer Law

In a prosecution for a contravention of a provision of this Chapter, it is a defence if the defendant proves that:
(a)   the contravention was due to the act or default of another person, to an accident or to some other cause beyond the defendant’s control; and
(b)   the defendant took reasonable precautions and exercised due diligence to avoid the contravention (s208(1)).

ACL s208(2) provides that s208(1) does not apply in relation to the act or default of another person who was, at the time when the contravention occurred, an employee or agent of the defendant or, if the defendant is a body corporate, a director, employee or agent of the defendant.

There are also due diligence defences in ACL ss32(3), 36(5), 154(3) and 158(8) and ASICA ss12DE(2B).

(b) Due Diligence Defences –
Anti-Discrimination Act 1977 (NSW) s53
(1)   An act done by a person as the agent or employee of the person's principal or employer which if done by the principal or employer would be a contravention of this Act is taken to have been done by the principal or employer also unless the principal or employer did not, either before or after the doing of the act, authorise the agent or employee, either expressly or by implication, to do the act. …
(3)   Despite s53(1), a principal or an employer is not liable under that subsection if the principal or employer took all reasonable steps to prevent the agent or employee from contravening the Act.


(b) Due Diligence Defences –
Protection Of The Environment Operations Act 1997 (NSW) s169(1)
If a corporation contravenes … a provision of this Act attracting special executive liability, each person who is a director of the corporation or who is concerned in the management of the corporation is taken to have contravened the same provision, unless the person satisfies the court that:
(a)   (repealed)
(b)   the person was not in a position to influence the conduct of the corporation in relation to its contravention of the provision, or
(c)   the person, if in such a position, used all due diligence to prevent the contravention by the corporation.

Section 169(1A) of the above Act contains a long list of provisions that attract "special executive liability".

(b) Due Diligence Defences –
cp Environment Protection Act 1997 (ACT) s153
(1)   It is a defence to a prosecution for an offence … that the defendant exercised due diligence to prevent the act or omission alleged to constitute the offence or an element of the offence.
(2)   ... in deciding whether the defendant exercised due diligence, the court may have regard to -
  (a)   if the defendant is a corporation, the steps taken by it -
    (i)   to ensure that people employed or engaged by it were aware of the requirements of this Act and any relevant environmental laws and standards relating to the prevention or minimisation of environmental harm or likely environmental harm;
    (ii)   to ensure compliance with those laws and standards by those people; or
    (iii)   to establish an environmental management system and to ensure implementation and compliance with it;
  (b)   if the defendant was the director of a corporation or other [responsible manager] -
    (i)   whether the defendant was personally familiar with the requirements of this Act and any relevant environmental laws and standards relating to the prevention or minimisation of environmental harm or likely environmental harm;
    (ii)   whether the defendant had taken all reasonable steps to comply with those laws and standards;
    (iii)   the steps taken by the defendant to ensure other people for whom it was relevant were familiar with this Act and any relevant laws and standards, and compliance with those laws and standards by those people;
    (iv)   the steps taken by the defendant to establish an environmental management system and to ensure familiarity and compliance with it by other people for whom it was relevant; or
    (v)   whether the defendant reacted immediately and personally when the defendant became aware of any non-compliance with the environmental management system or other incident connected with the environmental harm or likely environmental harm that happened; …

This section enacts a due diligence defence for environmental breaches in the ACT and effectively codifies the requirements for an environmental compliance program. Para (a) sets out the corporate standard of due diligence expected. The factors this focuses upon are (i) training; (ii) supervision of staff; and (iii) a system which is monitored. Para (b) sets out the standard of due diligence expected of individual directors and senior managers. The factors this highlights include (i) personal awareness of legal requirements; (iii) training and supervision of staff; (iv) a system to address them, which is communicated to staff and supervised; and (v) an immediate and effective response to non-compliance.

The awareness of directors and, in particular, senior managers of legal and regulatory requirements is an important factor that is often overlooked in the overall make-up of a compliance framework. If your senior managers don’t understand their legal and regulatory obligations, they won’t be able to recognise compliance issues and won’t be able to supervise their staff adequately. This was formally recognised by Forgie DP in Re Kippe and ASIC (1997) 16 ACLC 190, at paragraph 209, who observed that: "A person cannot be said to operate efficiently [in terms of the obligation of a licensee to act "efficiently, honestly and fairly"] if he or she has no knowledge, or only a very limited knowledge, of the laws which must be followed and which may circumscribe his or her actions."

BTW, if you are wondering why a course on financial services refers to consumer, discrimination, occupational health and environmental laws, it is because these are the areas where we get most of our case law on compliance systems.

Having a properly staffed and supervised Compliance function looking after legal and regulatory issues is one factor to which a director or other officer could point to show that they had exercised due diligence.

(c) Reasonable Care
Corporations Act s180(1)
A director or other officer of a corporation must exercise their powers and discharge their duties with the degree of care and diligence that a reasonable person would exercise if they:
(a)   were a director or officer of a corporation in the corporation's circumstances; and
(b)   occupied the office held by, and had the same responsibilities within the corporation as, the director or officer.


(c) Reasonable Care –
Corporations Act s601FC(1)
In exercising its powers and carrying out its duties, the responsible entity of a registered scheme must: …
(b)   exercise the degree of care and diligence that a reasonable person would exercise if they were in the responsible entity's position …

In a similar vein, CA s601FD(1) provides that an officer of the responsible entity of a registered scheme must: … (b) exercise the degree of care and diligence that a reasonable person would exercise if they were in the officer's position; and ... (f) take all steps that a reasonable person would take, if they were in the officer's position, to ensure that the responsible entity complies with: (i) the Corporations Act; (ii) any conditions imposed on the responsible entity's AFSL; (iii) the scheme's constitution; and (iv) the scheme's compliance plan.

Similarly, CA s601JD(1)(b) provides that a member of a scheme's compliance committee must exercise the degree of care and diligence that a reasonable person would exercise if they were in the member's position.

(c) Reasonable Care –
Life Insurance Act 1995 s48
(1)   A director of a life company has a duty to the owners of policies referable to a statutory fund of the company.
(2)   The director's duty is a duty to take reasonable care, and use due diligence, to see that, in the investment, administration and management of the assets of the fund, the life company:
  (a)   complies with this Part; and
  (b)   gives priority to the interests of owners and prospective owners of policies referable to the fund.


(c) Reasonable Care –
Superannuation Industry (Supervision) Act 1993 s52
(1)   If the governing rules of a registrable superannuation entity do not contain covenants to the effect of the covenants set out in this section, those governing rules are taken to contain covenants to that effect.
(2)   The covenants … include the following covenants by each trustee of the entity: …
  (b)   to exercise, in relation to all matters affecting the entity, the same degree of care, skill and diligence as a prudent superannuation trustee would exercise in relation to an entity of which it is trustee and on behalf of the beneficiaries of which it makes investments …


(c) Reasonable Care –
Work Health And Safety Act 2011 (Cth) s27(1)
If a person conducting a business or undertaking has a duty or obligation under this Act, an officer of the person conducting the business or undertaking must exercise due diligence to ensure that the person conducting the business or undertaking complies with that duty or obligation.

Section 27(5) of the Work Health and Safety Act defines "due diligence" to include taking reasonable steps: (a) to acquire and keep up-to-date knowledge of work health and safety matters; (b) to gain an understanding of the nature of the operations of the business or undertaking of the person conducting the business or undertaking and generally of the hazards and risks associated with those operations; (c) to ensure that the person conducting the business or undertaking has available for use, and uses, appropriate resources and processes to eliminate or minimise risks to health and safety from work carried out as part of the conduct of the business or undertaking; (d) to ensure that the person conducting the business or undertaking has appropriate processes for receiving and considering information regarding incidents, hazards and risks and responding in a timely way to that information; (e) to ensure that the person conducting the business or undertaking has, and implements, processes for complying with any duty or obligation of the person conducting the business or undertaking under the Act; and (f) to verify the provision and use of the resources and processes referred to in (c) to (e).

Again, having a properly staffed and supervised Compliance function looking after legal and regulatory obligations is one way a director or other officer might show reasonable care in meeting those obligations.

(d) Duty to be Informed
Re Caremark International Inc. Derivative Litigation (1996) 698 A.2d 959 - boards of directors have an obligation to be reasonably informed concerning the corporation and that includes an obligation to assure themselves that information and reporting systems exist in the corporation that are reasonably designed to provide to senior management and to the board itself timely, accurate information sufficient to allow management and the board, each within its scope, to reach informed judgments concerning both the corporation's compliance with law and its business performance.

In Re Caremark International Inc. Derivative Litigation, a 4 year investigation by the United States Department of Health and Human Services and the Department of Justice into alleged violations by Caremark employees of federal and state health care laws culminated in Caremark being charged on indictment in 1994 with multiple felonies. It thereafter entered into a number of agreements with the Department of Justice and others, including a plea agreement in which it pleaded guilty to a single felony of mail fraud and agreed to pay civil and criminal fines. Subsequently, Caremark agreed to make reimbursements, totalling approximately US$250 million, to various private and public parties in respect of the breaches. The plaintiffs, shareholders in Caremark, brought a derivative action on behalf of Caremark against its directors alleging that they had breached their fiduciary duty of care to Caremark and seeking recovery of these losses from them personally. A settlement was proposed and presented to the Delaware Court of Chancery for approval. In the course of his judgment, Chancellor Allen said (at pp968-70):


"In 1963, the Delaware Supreme Court in Graham v. Allis-Chalmers Mfg. Co. addressed the question of potential liability of board members for losses experienced by the corporation as a result of the corporation having violated the anti-trust laws of the United States. There was no claim in that case that the directors knew about the behavior of subordinate employees of the corporation that had resulted in the liability. Rather, as in this case, the claim asserted was that the directors ought to have known of it and if they had known they would have been under a duty to bring the corporation into compliance with the law and thus save the corporation from the loss. The Delaware Supreme Court concluded that, under the facts as they appeared, there was no basis to find that the directors had breached a duty to be informed of the ongoing operations of the firm. In notably colorful terms, the court stated that "absent cause for suspicion there is no duty upon the directors to install and operate a corporate system of espionage to ferret out wrongdoing which they have no reason to suspect exists."  The Court found that there were no grounds for suspicion in that case and, thus, concluded that the directors were blamelessly unaware of the conduct leading to the corporate liability. …


In light of [developments since 1963], it would, in my opinion, be a mistake to conclude that our Supreme Court's statement in Graham concerning "espionage" means that corporate boards may satisfy their obligation to be reasonably informed concerning the corporation, without assuring themselves that information and reporting systems exist in the organization that are reasonably designed to provide to senior management and to the board itself timely, accurate information sufficient to allow management and the board, each within its scope, to reach informed judgments concerning both the corporation's compliance with law and its business performance.


Obviously the level of detail that is appropriate for such an information system is a question of business judgment. And obviously too, no rationally designed information and reporting system will remove the possibility that the corporation will violate laws or regulations, or that senior officers or directors may nevertheless sometimes be misled or otherwise fail reasonably to detect acts material to the corporation's compliance with the law. But it is important that the board exercise a good faith judgment that the corporation's information and reporting system is in concept and design adequate to assure the board that appropriate information will come to its attention in a timely manner as a matter of ordinary operations, so that it may satisfy its responsibility.


Thus, I am of the view that a director's obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards."

The court noted that the record did not support the conclusion that the defendant directors either lacked good faith in the exercise of their monitoring responsibilities or conscientiously permitted a known violation of law by the corporation to occur and that the claims asserted against them ought to be viewed as extremely weak. However, it approved the proposed settlement agreement on the basis that it was an adequate, reasonable and beneficial outcome for all parties.

There is no directly equivalent case law in Australia that I am aware of, although I think the High Court would find this dicta persuasive. The obligation for directors to keep themselves informed on compliance matters is, I believe, inherent in the requirement in CA s180(1) (see above) that directors exercise reasonable care and diligence. It is also reinforced by CA s180(2), which provides:

  "A director or other officer of a corporation who makes a business judgment is taken to meet the requirements of s180(1) (the duty to exercise reasonable care and diligence - see above), and their equivalent duties at common law and in equity, in respect of the judgment if they:
  (a)   make the judgment in good faith for a proper purpose;
  (b)   do not have a material personal interest in the subject matter of the judgment;
  (c)   inform themselves about the subject matter of the judgment to the extent they reasonably believe to be appropriate; and
  (d)   rationally believe that the judgment is in the best interests of the corporation.

  The director's or officer's belief that the judgment is in the best interests of the corporation is a rational one unless the belief is one that no reasonable person in their position would hold."

In ASIC v Adler [2002] NSWSC 171 (at para 372), Santow J espoused the following proposition in relation to the obligations of a director under s180, which is only a short step away from the views of the Delaware Court of Chancery in Caremark:


"In accordance with these responsibilities directors are required to take reasonable steps to place themselves in a position to guide and monitor the management of the company ... [t]hat is to say:
•     a director should become familiar with the fundamentals of the business in which the corporation is engaged;
•     a director is under a continuing obligation to keep informed about the activities of the corporation;
•     directorial management requires a general monitoring of corporate affairs and policies, by way of regular attendance at board meetings; and
•     a director should maintain familiarity with the financial status of the corporation by a regular review of financial statements. Indeed, he or she will be unable to avoid liability for insolvent trading by claiming that they had never learned to read financial statements ..."


(e) Corporate Criminal Responsibility
CCC s12.3 Fault Elements Other Than Negligence
(1)   If intention, knowledge or recklessness is a fault element in relation to a physical element of an offence, that fault element must be attributed to a body corporate that expressly, tacitly or impliedly authorised or permitted the commission of the offence.
(2)   The means by which such an authorisation or permission may be established include:
  (a)   proving that the body corporate's board of directors intentionally, knowingly or recklessly carried out the relevant conduct, or expressly, tacitly or impliedly authorised or permitted the commission of the offence;
  (b)   proving that a high managerial agent of the body corporate intentionally, knowingly or recklessly engaged in the relevant conduct, or expressly, tacitly or impliedly authorised or permitted the commission of the offence;
  (c)   proving that a corporate culture existed within the body corporate that directed, encouraged, tolerated or led to non-compliance with the relevant provision; or
  (d)   proving that the body corporate failed to create and maintain a corporate culture that required compliance with the relevant provision.
(3)   S12.3(2)(b) does not apply if the body corporate proves that it exercised due diligence to prevent the conduct, or the authorisation or permission.
(4)   Factors relevant to the application of s12.3(2)(c) or (d) include:
  (a)   whether authority to commit an offence of the same or a similar character had been given by a high managerial agent of the body corporate; and
  (b)   whether the employee, agent or officer of the body corporate who committed the offence believed on reasonable grounds, or entertained a reasonable expectation, that a high managerial agent of the body corporate would have authorised or permitted the commission of the offence. …
(6)   In this section:
  board of directors means the body (by whatever name called) exercising the executive authority of the body corporate.
  corporate culture means an attitude, policy, rule, course of conduct or practice existing within the body corporate generally or in the part of the body corporate in which the relevant activities takes place.
  high managerial agent means an employee, agent or officer of the body corporate with duties of such responsibility that his or her conduct may fairly be assumed to represent the body corporate’s policy.

Part 2.5 of the Commonwealth Criminal Code sets out general principles governing the responsibility of bodies corporate for the criminal conduct of their officers, employees and agents. It applies to all offences under Commonwealth law, unless expressly excluded. This includes the Corporations Act (see CA s1308A) apart from Chapter 7 (see CA s769A). Corporate criminal responsibility in relation to CA Chapter 7 is dealt with by CA s769B, which we looked at in lecture 1. The latter section provides that a body corporate is fixed with the conduct and state of mind of any director, employee or agent of the body corporate acting within the scope of their actual or apparent authority. That leads to a wider scope for attributed criminal liability in relation to CA Chapter 7 than that provided for under the CCC provisions.

The CCC characterises offences as generally having a physical element and a fault element (s3.1), although some offences attract strict liability or absolute liability without any fault element (ss6.1 and 6.2).

Under CCC s12.2, if a physical element of an offence is committed by an employee, agent or officer of a body corporate acting within the actual or apparent scope of his or her employment, or within his or her actual or apparent authority, the physical element must also be attributed to the body corporate. CCC ss 12.3 and 12.4 then deal with how the fault element of an offence may be attributed to a body corporate.

The references to "corporate culture" in s12.3 were considered quite revolutionary when the CCC was first introduced. The legislative intent behind these provisions is clear – every corporation should have appropriate policies, which it monitors and enforces, requiring compliance with key Commonwealth legislative requirements. If it doesn’t, then the prosecution may well be able to prove that it did not create and maintain a corporate culture that required compliance with those provisions and the corporation will therefore be criminally liable for any breach of those provisions by its officers, employees and agents.

(e) Corporate Criminal Responsibility –
CCC s12.4 Negligence
(2)   If:
  (a)   negligence is a fault element in relation to a physical element of an offence; and
  (b)   no individual employee, agent or officer of the body corporate has that fault element;
  that fault element may exist on the part of the body corporate if the body corporate's conduct is negligent when viewed as a whole (that is, by aggregating the conduct of any number of its employees, agents or officers).
(3)   Negligence may be evidenced by the fact that the prohibited conduct was substantially attributable to:
  (a)   inadequate corporate management, control or supervision of the conduct of one or more of its employees, agents or officers; or
  (b)   failure to provide adequate systems for conveying relevant information to relevant persons in the body corporate.

CCC s12.4(1) provides that the test of negligence for a body corporate is that set out in s5.5. The latter section provides that a person is negligent with respect to a physical element of an offence if his or her conduct involves: (a) such a great falling short of the standard of care that a reasonable person would exercise in the circumstances; and (b) such a high risk that the physical element exists or will exist; that the conduct merits criminal punishment for the offence.

See also CCC s12.5, which provides that a body corporate can only rely on section 9.2 (mistake of fact (strict liability)) in respect of conduct that would, apart from s12.5, constitute an offence on its part if: (a) the employee, agent or officer of the body corporate who carried out the conduct was under a mistaken but reasonable belief about facts that, had they existed, would have meant that the conduct would not have constituted an offence; and (b) the body corporate proves that it exercised due diligence to prevent the conduct. For these purposes, a failure to exercise due diligence may be evidenced by the fact that the prohibited conduct was substantially attributable to: (a) inadequate corporate management, control or supervision of the conduct of one or more of its employees, agents or officers; or (b) failure to provide adequate systems for conveying relevant information to relevant persons in the body corporate.

(f) Mitigation of Penalties
Per ACCC v Rural Press Ltd [2001] ATPR ¶41-833, at p43,291:
      "The fact that a contravener of a provision of Pt IV of the Act has in place a trade practices compliance program which is carefully designed and properly implemented is a factor relevant to the assessment of a pecuniary penalty under s 76, even if in the particular instance it proved to be ineffective to prevent the contravention. … The fact that, following a contravention, a contravening entity has implemented at its own expense a trade practices compliance program to ensure its compliance and that of its employees and agents with the Act, will also be a consideration which will mitigate the level of a pecuniary penalty."
See also ACCC v Nissan Motor Company (Australia) Pty Ltd [1998] FCA 1048, TPC v CSR Ltd [1991] ATPR ¶41-076 and ASIC v Chemeq Ltd [2006] FCA 936.
Cf Chapter 8 of the 2016 US Federal Sentencing Guidelines Manual.

In ACCC v Rural Press Ltd, the court also said (at p 43,291): "The significance of such a compliance program will depend upon its thoroughness and the extent of the commitment to its implementation…. Sometimes the fact of the contravention will demonstrate that the compliance program is not effective, and in such cases there will be little reason to give much credit to the contravening entity in fixing a pecuniary penalty."

ACCC v Nissan Motor Company (Australia) Pty Ltd involved a prosecution for misleading advertisements promoting an end of year sale for Nissan Patrol 4WD motor vehicles at $39,990 and claiming savings of $6,000 on the price of the car, including free air conditioning otherwise valued at $2,000. While those savings were true as against the original recommended retail price of $44,000, the car had in fact been available at $39,990 for some time and so the only real saving was the $2,000 saving on the air conditioning. There was also a problem with the photographs used in some of the advertisements, which showed accessories that were not included in the $39,990 price. The court noted that Nissan had earlier been convicted of similar offences and "therefore had direct experience of the need for a comprehensive compliance program". Even though "extensive efforts [had since] been made to devise and implement a compliance program that should ensure that errors of the kind which occurred will not happen in the future", Von Doussa J nonetheless imposed significant penalties for the breach, in part because "the shortcomings in the compliance program operating at the time of these offences contributed to the happening of each offence".

In TPC v CSR Ltd, the company was criticised for having a compliance program that was "less than vigorous" and for not taking steps to avoid a repetition of the kind of conduct which was the subject of the proceedings. It had not updated its compliance manual since it was introduced in 1980 and had not conducted any staff training since a seminar held in 1985. French J said (at p52,152-3):

"The assessment of a penalty of appropriate deterrent value will have regard to a number of factors which have been canvassed in the cases. These include the following: [First listing 5 other factors and then adding] … 6. The deliberateness of the contravention and the period over which it extended. 7. Whether the contravention arose out of the conduct of senior management or at a lower level. 8. Whether the company has a corporate culture conducive to compliance with the Act, as evidenced by educational programs and disciplinary or other corrective measures in response to an acknowledged contravention. 9. Whether the company has shown a disposition to co-operate with the authorities responsible for the enforcement of the Act in relation to the contravention."

And then later (at p52,155):

"There was little convincing evidence of a corporate culture seriously committed to the need to comply with the requirements of the Act. The compliance program as indicated by the evidence appeared desultory and in need of reinforcement. No indication of any corrective measures or revitalisation of that program was offered. The corporate culture was, I think, reflected in CSR’s dealings with the Commission and the conduct of this litigation. It is to its credit that it has withdrawn its defences and submitted to injunctions restraining further contravention. However that withdrawal and submission came nearly two years after proceedings were instituted and followed a period of protracted stonewalling in CSR’s dealings with the Commission. I have no doubt that the preparation of the case by the Commission has consumed an enormous amount of time and financial resources. CSR’s conduct in its dealings with the Commission and in relation to these proceedings, when viewed in the light of the admissions it now makes, is an aggravating factor."

ASIC v Chemeq Ltd involved a prosecution against Chemeq for breaching the continuous disclosure requirements of the Corporations Act. In an agreed settlement, Chemeq consented to two declarations that it had contravened the market disclosure provisions by failing to tell the ASX about the increased costs of constructing and commissioning a manufacturing facility and the commercial impact of a US patent it was granted. Chemeq was ordered to pay penalties totalling $500,000 in respect of the contraventions and ASIC was awarded costs of $170,000. In delivering his decision, French J said:


In considering the appropriate penalty for the contravention by a corporation of a regulatory requirement, whether it be a requirement imposed by the Act or the Trade Practices Act 1974 (Cth) or other regulatory frameworks, it is relevant to consider whether the corporation has in place policies and procedures designed to achieve compliance with such requirements.


The Court will consider the form and content of the policies and procedures and also the measures adopted by the corporation to ensure that they are understood and applied. A well drafted set of policies and procedures will mean little if there is no follow up in terms of training of company officers (including directors) and, where appropriate, refresher training. In the present case there is provision for induction training but no clear evidence of follow-up and refresher training.


Compliance policies and procedures will not be effective unless there is, within the corporation, a degree of awareness and sensitivity to the need to consider regulatory obligations as a routine incident of corporate decision-making. This kind of general sensitivity to the issues underpins what is sometimes called a ‘culture of compliance’. It does not require a risk averse mentality in the conduct of the company's business, but rather a kind of inbuilt mental check list as a background to decision-making. This may be more difficult to achieve where, as in the present case, there is a positive obligation that is not related to any particular decision. The conduct of corporate business may involve consideration of the many shifting circumstances that make up a dynamic business environment. To identify those matters, including changes in circumstance, which attract the obligation of continuous disclosure, may not always be a straightforward exercise. There will be clear cases, and not so clear cases. There should be some process for ensuring that changes in circumstances or market information requiring disclosure are identified. Absent a positive monitoring mechanism, the company's compliance system may leave open the risk of non-disclosure by oversight. ...


The factors relevant to the level of penalty for contravention of the continuing disclosure provisions of the Act may be identified in part by reference to the elements of the contravention set out in the Act where those elements accommodate a spectrum of possibilities affecting its seriousness. The greater the seriousness of the contravention when measured by reference to those elements, the greater the harm that will be done if like re-offending should occur and the higher the penalty that should be imposed to minimise that risk. Issues of deliberation, recklessness and negligence are also relevant to risk of recurrence and what is necessary to deter such conduct by the particular company and others in the future.


The presence or absence of compliance systems is of importance. It is desirable also that the Court, in fixing penalty, is made aware of the reasons for the contravention. This may enable it to determine whether there were inadequate compliance systems or whether the contravention involved aberrant disregard by an individual of relevant policies and procedures. The seniority of those in the company who were involved in the contravention is also relevant because it goes to the risk of recurrence and the extent to which their conduct is likely to be noticed by subordinates within the company and by others in the wider corporate community. The degree of damage, if any, inflicted on the market by the non-disclosure is relevant as part of the exercise of assessing the seriousness of the contravention and so the level of risk associated with re-offending.


The acknowledgment by a corporation that it has contravened the law, its cooperation with the regulator in that regard, the steps it has taken internally to avoid repetition and relevant changes in the composition of the board or senior management should also be taken into account in the kind of risk assessment that informs a deterrent approach to punishment.


It may also be relevant to consider the impact, if any, on shareholders when a penalty is sought against a corporation. Penalties imposed on officers of the corporation for their part in such contraventions affect those officers alone. Penalties imposed on the corporation may affect shareholders including those who have become shareholders on a set of assumptions induced by the very non-disclosure complained of. In some cases it is possible also that creditors may be affected. Who then is being deterred when only the corporation is penalised? I am not sure that there is a satisfactory answer to this concern within the present statutory scheme. One might imagine that if a penalty is to be significant to a corporation it will also be significant to its shareholders in its impact on the capital which backs their shares. In a company with capitalisation as high as that of Chemeq, the impact on individual shareholders may be insignificant. The penalties that count most are likely to be those imposed on the responsible individuals. Nevertheless the law as presently framed requires the assumption that the contravening corporation is a person distinct from its shareholders and that it can be deterred by the imposition of appropriate penalties.


From the preceding discussion I extract the following factors relevant to the level of penalty for contravention of the continuous disclosure provisions. The list is non-exhaustive:


1. The extent to which the information not disclosed would have been expected to and (if applicable) did affect the price of the contravening company's shares (s 674(2)(c)).
2. The extent to which the information, if not generally available, would have been discoverable upon inquiry by a third party (s 676(2)).
3. The extent (if any) to which acquirers or disposers of the company’s shares were materially prejudiced by the non-disclosure (s 1317G(1A)).
4. The extent to which (if at all) the contravention was the result of deliberate or reckless conduct by the corporation.
5. The extent to which the contravention was the result of negligent conduct by the corporation.
6. The period of time over which the contravention occurred.
7. The existence, within the corporation, of compliance systems in relation to its disclosure obligations including provisions for and evidence of education and internal enforcement of such systems.
8. Remedial and disciplinary steps taken after the contravention and directed to putting in place a compliance system or improving existing systems and disciplining officers responsible for the contravention.
9. The seniority of officers responsible for the non-disclosure and whether they included directors of the company.
10. Whether the directors of the corporation were aware of the facts which ought to have been disclosed and, if not, what processes were in place at the time, or put in place after the contravention to ensure their awareness of such facts in the future.
11. Any change in the composition of the board or senior managers since the contravention.
12. The degree of the corporation's cooperation with the regulator including any admission of contravention.
13. The prevalence of the particular class of non-disclosure in the wider corporate community.

The US Federal Sentencing Guidelines Manual is a publication of the US Sentencing Commission, an independent federal agency in the judicial branch of US government established under the Sentencing Reform Act of 1984. Its duties include developing guidelines for sentencing in federal courts; collecting data about crime and sentencing; and serving as a resource to Congress, the Executive Branch and the Judiciary on crime and sentencing policy. It first published its Sentencing Guidelines Manual in 1987 to provide federal judges with a set of rules to ensure that similar offenders who committed similar offences received similar sentences. Originally, the guidelines only applied to individual offenders. The guidelines on sentencing of organisations were added in 1991 and now form Chapter 8 of the Sentencing Guidelines Manual.

The guidelines on the sentencing of organisations are credited with helping to establish the compliance and ethics industry in the US: see Diana E. Murphy, The Federal Sentencing Guidelines for Organizations: A Decade of Promoting Compliance and Ethics (2002) 87 Iowa L Rev 697, at 710-1. See also In re Caremark, supra, at 969, where the Delaware Court of Chancery credited the organisational guidelines with providing "powerful incentives for corporations today to have in place compliance programs to detect violations of law, promptly to report violations to appropriate public officials when discovered, and to make prompt, voluntary remedial efforts."

The guidelines for sentencing organisations start with a base level "culpability score" of 5 points (the higher the culpability score, the higher the penalty imposed). They then add prescribed numbers of points if the organisation's management was knowingly involved in, condoned, or was tolerant of, the criminal act, if the organisation has a history of prior breaches, if it has violated a court order or if it has obstructed justice. They deduct prescribed numbers of points if the organisation has co-operated with authorities and accepted responsibility for its conduct and, relevantly for our purposes, if the offence occurred even though the organisation had in place at the time of the offence an effective compliance and ethics program (§8C2.5(f)). §8B2.1 defines for these purposes what is meant by an "effective compliance and ethics program".

The prescribed deduction in culpability score for an effective compliance and ethics program is 3 points. This deduction does not apply if, after becoming aware of an offence, the organisation unreasonably delayed reporting the offence to appropriate governmental authorities or if certain high level personnel participated in, condoned, or were wilfully ignorant of, the offence.

In a similar vein, the Principles of Federal Prosecution of Business Organizations in the United States Attorney’s Manual describe specific factors that prosecutors should consider in conducting an investigation of a corporate entity, determining whether to bring charges, and negotiating plea or other agreements. These factors include "the existence and effectiveness of the corporation’s pre-existing compliance program" and the corporation’s remedial efforts "to implement an effective corporate compliance program or to improve an existing one." It is worth looking at the US Department of Justice Criminal Division Fraud Section's Evaluation of Corporate Compliance Programs to see the types of question the DOJ commonly asks in determining the effectiveness of a corporate compliance program.


(g) Market Integrity
"The board of directors and senior management of a financial institution should establish ethical standards and codes of conduct governing its employees' activities. These standards are intended to protect the institution's integrity and standing in the market as well as protect the institution from legal and reputational risks. The orderly operation of financial markets depends greatly on an overall level of trust among all market participants. At all times, traders and marketing and support staff must conduct themselves with unquestionable integrity to protect the institution's reputation with customers and market participants." [US Federal Reserve Board Manual on Trading and Capital-Markets Activities, Section 2150.1 Ethics]

A non-legal foundation for a Compliance function - compliance with legal and ethical obligations promotes confidence in market integrity and trust in business dealings. It therefore encourages an environment where all market participants can prosper.

Many industry bodies have codes of ethics and codes of conduct designed to promote market integrity - see, for example, the Australian Financial Markets Association, Financial Planning Association, Financial Services Council and Stockbrokers Association of Australia.

Note that there is a strong correlation between legal obligations and ethical standards, eg, through the obligation to "do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly" (CA s912A(1)(a)) and not to engage in misleading or deceptive conduct (CA s1041H).

The US Federal Reserve Board's Manual on Trading and Capital-Markets Activities, from which the above quote is extracted, is a useful guide to the sorts of quasi-legal/ethical issues that should be addressed in any financial services compliance plan.

(h) AFSL Requirements –
Corporations Act s912A(1)
A financial services licensee must:
(a)   do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly;
(aa)  have in place adequate arrangements for the management of conflicts of interest …
(b)   comply with the conditions on the licence;
(c)   comply with the financial services laws;
(ca)   take reasonable steps to ensure that its representatives comply with the financial services laws;
(d)   … have available adequate resources (including financial, technological and human resources) to provide those financial services and to carry out supervisory arrangements; …
(f)   ensure that its representatives are adequately trained, and are competent, to provide those financial services; …
(h)   … have adequate risk management systems; …


(h) AFSL Requirements –
ASIC AFS Licence Application Question B3.1 - Compliance Arrangements
Have you established compliance and reporting arrangements for your AFS licence activities?
•     Are your compliance arrangements documented (either on an entity or group basis)?
•     Do your compliance arrangements specify how often compliance with procedures is monitored and reported on?
•     Do you use a documented process to maintain the adequacy of your compliance and monitoring arrangements?
  •     How often will you review your compliance and monitoring arrangements?
•     Is there a person(s) responsible for ongoing reporting in relation to your levels of compliance and for ensuring the adequacy of your compliance arrangements?
  •     Does this person(s) have direct access to your governing body?
•     Are your compliance arrangements generally consistent with the Australian Standard on Compliance Programs?

If you are interested in seeing the extensive list of the questions that one must answer in an AFS licence application, see ASIC's Sample Licence Application.

(h) AFSL Requirements –
ASIC Pro Forma 209 – Standard AFS Licence Conditions re Compliance
4. The licensee must establish and maintain compliance measures that ensure, as far as is reasonably practicable, that the licensee complies with the provisions of the financial services laws.

ASIC Pro Forma 209 sets out the pro forma conditions, including financial conditions, typically imposed by ASIC when it grants a financial services licence. Condition 4 above is imposed on all licensees.

(h) ASX MIR Requirements –
ASX MIR 2.1.3 - Supervisory Procedures
A market participant must have appropriate supervisory policies and procedures to ensure compliance by the market participant and each person involved in its business as a market participant with these Rules, the Market Operating Rules and the Corporations Act.

The predecessor to this Market Integrity Rule (ASX Market Rule 3.6.3) required a market participant to have appropriate supervisory policies and procedures, and to meet any standards set out or referred to in the ASX Procedures, to ensure compliance by it and each person involved in its business as a market participant with the ASX Market Rules and the Corporations Act. Under Procedure 3.6.3, ASX prescribed the following standards for the purpose of that Rule: (a) Australian Standard AS 3806-2006 on Compliance; (b) Australian Standard AS NZ 4360-2004 on Risk Management; (c) Australian Standard AS ISO 10002-2006 on Customer Satisfaction; (d) ASIC Regulatory Guides 104 and 105; and (e) Securities & Derivatives Industry Association and Securities Institute Best Practice Guidelines for Research Integrity.

International Standard ISO 19600-2014

Development of Compliance Standards
•    AS 3806-1998
•    AS 3806-2006
•    ISO 19600-2014

For an historical perspective on the introduction of AS 3806-1998, see Carroll & McGregor-Lowndes, "A Standard for Regulatory Compliance? Industry Self-regulation, the Courts and AS3806–1998" (2001) 60 Australian Journal of Public Administration 80 and Parker, "The Emergence of the Australian Compliance Industry: Trends and Accomplishments" (1999) 27 ABLR 178.

ISO 19600-2014 – Key Points
•     Provides guidelines, and not requirements, for establishing, developing, implementing, evaluating, maintaining and improving an effective and responsive compliance management system within an organization (Introduction and cl 1)
•     The extent of the application of the guidelines depends on the size, structure, nature and complexity of the organization (cl 1)
•     An organization should systematically identify its compliance obligations and their implications for its activities, products and services (cl 4.5.1)
•     An organization should identify and evaluate its compliance risks (cl 4.6)
•     The governing body and top management should demonstrate leadership and commitment with respect to the compliance management system (cl 5.1) and establish a compliance policy (cl 5.2.1)
•     The governing body and top management should:
  •     ... ensure that the commitment to compliance is maintained and that non-compliance and non-compliant behaviour are dealt with appropriately;
  •     include compliance responsibilities in the position statements of top managers;
  •     appoint or nominate a compliance function with ... clear and unambiguous support from and direct access to the governing body and top management and ... the authority and capacity to execute countervailing power ...;
  •     ensure that the compliance function has authority to act independently and is not compromised by conflicting priorities, particularly where compliance is embedded in the business (cl 5.3.3)
•     The compliance function, working together with management, should be responsible for:
  •     identifying compliance obligations ... and translating those obligations into actionable policies, procedures and processes;
  •     integrating compliance obligations into existing policies, procedures and processes;
  •     providing or organizing ongoing training support for employees to ensure that all relevant employees are trained on a regular basis;
  •     promoting the inclusion of compliance responsibilities into job descriptions and employee performance management processes;
  •     setting in place a compliance reporting and documenting system;
  •     developing and implementing processes for managing information, such as complaints and/or feedback by means of hotlines, a whistle-blowing system and other mechanisms;
  •     establishing compliance performance indicators and monitoring and measuring compliance performance;
  •     analysing performance to identify the need for corrective action;
  •     identifying compliance risks and managing those compliance risks relating to third parties such as suppliers, agents, distributors, consultants and contractors;
  •     ensuring the compliance management system is reviewed at planned intervals;
  •     ensuring there is access to appropriate professional advice in the establishment and implementation and maintaining of the compliance management system;
  •     providing employees with access to resources on compliance procedures and references; and
  •     providing objective advice to the organization on compliance-related matters (cl 5.3.4)
•     The organization should determine and provide the resources needed for ... a compliance management system appropriate to its size, complexity, structure and operations (cl 7.1)
•     Top management has a key responsibility for aligning the organization's commitment to compliance to its values, objectives and strategy in order to position compliance appropriately ... (cl
•     The development of a compliance culture requires the active, visible, consistent and sustained commitment of the governing body, top management and management towards a common, published standard of behaviour that is required throughout every area of the organization (cl
•     The compliance management system should be monitored to ensure compliance performance is achieved (cl 9.1.2)
•     The governing body, management and the compliance function should ensure that they are effectively informed on the performance of the organization's compliance management system and of its continuing adequacy (cl 9.1.7)
•     Accurate, up-to-date records of the organization's compliance activities should be maintained to assist in the monitoring and review process and demonstrate conformity with the compliance management system (cl 9.1.9)
•     A clear and timely escalation process should be adopted and communicated to ensure that all non-compliances are raised, reported and eventually escalated to relevant management (cl 10.1.2)
•     The compliance management system should be the subject of audit (cl 9.2) and review by top management (cl 9.3) at regular intervals
•     An organization should seek to continually improve the suitability, adequacy and effectiveness of the compliance management system (cl 10.2)

ISO 19600-2014 is a decided improvement on AS 3806-2006 and AS 3806-1998, particularly if you view it as the introduction suggests - ie, as guidelines rather than a standard.

FPA Guideline For Implementing AS 3806-1998
"While legal input is needed, making compliance work requires good management and is not therefore a 'legal skill'."(??)
"These steps must(??) be done effectively and with a real intention to make the system work:
•     Pass a resolution committing the organisation to full compliance with the laws, regulations, ASIC and FPA requirements and to adhering to good ethics.
•     Have the CEO add his/her own personal commitment to compliance which also requires everyone else to comply - no exceptions!
•     Announce the compliance policy clearly internally to everyone and be prepared to give full information about it. Also advise contractors and (if thought fit) clients.
•     Display copies of the resolution (signed by the Chair) and the signed CEO's commitment (all on one page) prominently in all of the organisation's locations - including those of all advisers(??). …"
"You don't have to have a compliance committee, but they will often be valuable in saving the time of the CEO and the Board. The size of a committee varies with the size of the organisation, but 5 is about the maximum. A well-balanced committee should include:
•     a Board member (apart from the CEO);
•     the CEO;
•     one other person (internal or external) with good understanding of the business;
•     for preference, an independent person with good compliance experience (ie not the internal compliance officer, who should report to and service the committee)(??);
•     audit skills can also be useful, but are not the same as compliance skills(??).
If you want a smaller committee, it is suggested that either the CEO or the other Board member can be the first to be deleted, followed by the audit skills."

This guideline was written in relation to Australian Standard AS 3806-1998, but I am fairly sure the author would have it apply equally to AS 3806-2006 and ISO 19600-2014.


Regulatory Pronouncements on Compliance Systems

•     Compliance with your obligations as a licensee is central to the protection of consumers and the promotion of market integrity. Having effective compliance measures is a way for you to ensure you comply with your obligations as a licensee, including identifying and appropriately dealing with instances of non-compliance. Compliance measures also help you demonstrate to us that you can comply and are complying with your obligations. [ASIC Regulatory Guide 104 Licensing: Meeting the general obligations para 37]
•     ASIC expects your compliance measures will:
  •     cover all of your obligations as a licensee including: (a) the general obligations in CA s912A; (b) your licence conditions; and (c) any other financial services laws that apply to you [RG104.38];
  •     take into account the specific compliance risks of your business, especially those that may materially affect consumers or market integrity [RG104.39(a)]; and
  •     enable you to: (i) communicate to your representatives what they need to do to comply; (ii) monitor compliance with all of your licensee obligations; and (iii) address and report any compliance breaches [RG104.39(b)].

ASIC acknowledges that what are appropriate compliance measures will vary depending on the nature, scale and complexity of the licensee's business and that: "As a general rule, the smaller and simpler your business, the smaller and simpler we expect your measures to be" [RG104.40].

ASIC’s View of AS 3806
In thinking through your compliance obligations, you might find it helpful to look at:
•     Australian Standard AS 3806–2006 Compliance Programs; and
•     the principles set out in the IOSCO report Compliance Function at Market Intermediaries (March 2006). [Note to RG104.39]

In the predecessor to RG 104, Policy Statement 164, ASIC expressed a somewhat stronger endorsement of AS 3806: "In deciding whether a specific licensee’s compliance measures, processes and procedures are adequate, the licensee may wish to refer to the Australian Standard on Compliance Programs (AS 3806 1998). The standard is a useful benchmark that we expect licensees to use as a guide in planning and implementing compliance measures, processes and procedures. ... We accept that there may be compliance arrangements that are not consistent with every element of AS 3806 1998 but which nevertheless may ensure compliance with the licensee obligations (eg local subsidiaries of global companies which adopt the compliance measures, processes and procedures of their parent globally across the organisation, or systems specifically developed for an entity). Nonetheless, AS 3806 1998 can play a role in helping a licensee decide whether such compliance measures, processes and procedures are adequate to ensure the licensee complies with Australian law." [ASIC Policy Statement 164, para 42 and 55].

The essential ingredients of an effective compliance program are:
1.    Total commitment by senior management to compliance.
2.    A compliance policy, which needs to include a clear statement of the company’s commitment to compliance with applicable laws, regulations, codes and organisational standards. This policy needs to be understood and acted on by those who work for the company, whether internally or externally.
3.    An operational system that will address the problems identified through the audit and ensure breaches of the law will be avoided. Typically, the system will consist of, but not be limited to:
  •     compliance management procedures used to support the compliance systems, such as ongoing legal obligation identification, trade practices training programs, breach monitoring and reporting, disciplinary policy/code and complaint handling;
  •     documented due diligence procedures to ensure promotional materials are not misleading or deceptive;
  •     incentive/reward schemes for those employees who are diligent in complying with the law;
  •     in-house vetting committees with trade practices expertise;
  •     checking of contracts by trade practices practitioners; and
  •     product testing.
4.    Maintenance of the compliance program. The compliance program and systems should be monitored, maintained and communicated to staff to ensure that they continue to be both effective and efficient. This should be done, among other things, through:
  •     record keeping;
  •     regular and ongoing in-house compliance auditing to ensure that compliance failures are identified and addressed on a proactive basis;
  •     regular external reviews by someone with independent expertise (e.g. every two years) to ensure that the system is properly maintained and is meeting current regulatory requirements;
  •     ongoing liaison with regulatory authorities. [ACCC, Foreword and Introduction, "Best and Fairest" Compliance Manual: a Trade Practices Training Program]

The "Best and Fairest" Compliance Manual is currently being reviewed by the ACCC.

ACCC’s View of AS 3806
"The Australian Standard - Compliance Programs (AS 3806) - can help companies develop a comprehensive and effective program. Copies can be bought from Standards Australia in each capital city." [ACCC, Foreword and Introduction, Best and Fairest Compliance Manual: a Trade Practices Training Program]

In a speech to the Australian Compliance Institute on 26 May 2005 ('The regulator’s approach to compliance: Crackdown, confrontation or compliance culture'), ACCC Commissioner David Smith noted:

"With compliance programmes in recent times the Federal Court has indicated its reluctance to make orders for trade practices compliance programs in terms of the existing standard for compliance programs. In response to those concerns the ACCC has developed four trade practices compliance templates which assist greater clarity and measurability. (Parenthetically, these templates make no reference at all to AS 3806.) ...

The ACCC notes that there is no generic trade practices compliance program as each organisation’s circumstances are different. Depending on the size and risk profile of the company, a Trade Practices Compliance Program can be as simple as implementing an effective complaints handling system and training relevant staff; or as comprehensive as setting up a team of dedicated compliance staff and conducting regular risk assessment checks. ...

The templates do not seek to diminish the importance of the Australian Standard for Compliance Programs. The Commission’s Compliance staff are actively involved in the revision of the Standard and it is hoped that this revision will continue to provide the overarching compliance principles and guidelines required by Australian business."

Despite his protestations to the contrary, the fact these undertakings have been published and make no mention of AS 3806 does significantly diminish the stature of that Standard. The templates can be viewed on ACCC's website at:


"[Developing or reinforcing] … a compliance culture within your organisation [is] … an important part of maintaining the integrity of the industry and a sound defensive strategy in an increasingly compliance oriented environment." [Program Summary, ASX/ASIC Trading BEST Self-Assessment Questionnaire]


ASX’s View of AS 3806
"When considering your internal policies and procedures … or … improvements to your existing compliance regime, we recommend that you ... have regard to the Australian Standard on Compliance (AS 3806 1998), Australian Standard on Risk Management (AS NZ 4360 1999) and Australian Standard on Complaints Handling (AS 4269 1995)." [Program Summary, ASX/ASIC Trading BEST Self-Assessment Questionnaire]

As mentioned above, the predecessor to ASX MIR 2.1.3 (ASX Market Rule 3.6.3) required a market participant to have appropriate supervisory policies and procedures, and to meet any standards set out or referred to in the ASX Procedures, to ensure compliance by it and each person involved in its business as a market participant with the ASX Market Rules and the Corporations Act. The prescribed standards set out in the Procedures included Australian Standard AS 3806-2006 on Compliance.


Judicial Pronouncements on Compliance Systems

Judicial Views on Compliance Programs
•     Per ACCC v Rural Press Ltd, supra: The existence of a proper compliance program may be taken into account in reducing the penalty that might otherwise be imposed for a breach. An undertaking to establish a proper compliance program after a breach is also a relevant factor in assessing penalties for the breach.
•     Per ACCC v Australian Safeway Stores Pty Ltd [1997] ATPR ¶41-562: The mere existence of a compliance program is not enough. It must be successfully implemented and effective.

Per Goldberg J in ACCC v Australian Safeway Stores Pty Ltd (at p43,815):

"The relevance of GWF's compliance program was in issue between the parties. The Commission submits that it is not a substantial mitigating circumstance as it had no effect on the behaviour of GWF's management. GWF places great weight upon the compliance program. One needs to look at the compliance program in two respects. Firstly one must ask whether there was a substantial compliance program in place which was actively implemented by GWF; the answer is in the affirmative which is a mitigating factor as is GWF's revision of the program …. The compliance guide made it quite clear that the Act could not be ignored and that "severe pecuniary penalties" were involved if the Act was contravened. Seminars were also conducted. Secondly, one must ask whether the implementation of the compliance program was successful and in the circumstances of this case the answer must be in the negative. It appears that all GWF's officers who participated in the contraventions were well aware, or ought to have been well aware from the documentation that they had received and seminars some had attended, that what they were doing was a clear contravention of the Act which "may involve severe pecuniary penalties". To this extent the compliance program failed and has been the subject of revision since the contraventions became known. Such failure was not an isolated failure; it occurred on different occasions and with different officers. In my view the level of penalties should take this failure into account."

And then subsequently (at p43,817):

"The contraventions were blatant, implicating the top Victorian management of the Tip Top bread division of GWF. True it is that a compliance program was in place but the program in the circumstances of the contraventions under consideration was not effective. It was disregarded or ignored by the top Victorian management of the Tip Top division. If it is not effective with management at the level involved in these contraventions it must be brought home to GWF and its officers at every level that they must obey the law. In my opinion a significant deterrent element is required in relation to these contraventions."


Judicial Views on AS 3806-1998
•     Per Mansfield J in ACCC v Rural Press Ltd, supra:
  •     AS 3806-1998 has no statutory recognition.
  •     AS 3806-1998 itself recognises that it is only a guide and that individual corporations should use the system best suited to their operations.
  •     It should not be assumed that AS 3806-1998 is necessarily superior to a tailored compliance program prepared by an independent expert for a particular entity.
•     Per French J in ACCC v Real Estate Institute of Western Australia [1999] ATPR ¶41-673:
  •     AS 3806-1998 "imposes standards which are aspirational in their expression and not readily measured in application".
•     See also ACCC v Wizard Mortgage Corporation Limited [2002] FCA 1317 and ACCC v Gary Peer & Associates Pty Ltd [2005] FCA 404.

I am not aware of any judicial pronouncements on ISO 19600-2014 or AS 3806-2006. There were, however, a number in relation to AS 3806-1998 that came about because, up until 2005, it was common for the ACCC to seek orders in litigation that a defendant implement a compliance program that complied with that standard.

In ACCC v Rural Press Ltd, ACCC sought an order that the defendants implement a compliance program conforming to AS 3806, which the defendants opposed on the basis that they had already adopted an adequate compliance program of their own. Per Mansfield J (at pp43,293-4):


"The compliance programs proposed by the ACCC are based upon AS3806-1998. As noted earlier, it does not have statutory recognition. It makes clear that it is a guide only, so that individual corporations should use the system best suited to their operations: cl 1.1.


… [T]he Court has received only limited evidence as to the quality of the trade practices compliance program being implemented by Rural Press and Bridge, compared to that contained within AS3806-1998. The Court, in the face of opposition to implementing AS3806-1998, should not assume that it is necessarily superior to that proposed by another independent expert formulator or provider of such programs in achieving an effective compliance program for a particular entity. In this matter, Rural Press has retained independent solicitors to advise it about what steps it should take to procure and implement a trade practices "training tool" to develop a trade practice compliance culture within that group and to prevent conduct which might contravene the Act. It received that advice, and has commenced to implement it. It has requested its adviser to integrate the proposed action so as to ensure compliance with AS3806-1998. It will incur considerable expense in implementing that program. The ACCC has pointed to features of AS3806-1998 which do not appear to be the subject of specific preventative or instructive action within the Rural Press group if it fully implements that which it has been advised to undertake. However, the capacity to point to particular features of AS3806-1998 which do not find expression in the trade practices compliance program to be undertaken by Rural Press does not mean that its program is not a sound or sensible one. As I have noted, it has been adopted upon the basis of independent expert advice. I accept that it is a program genuinely directed to ensuring a culture of compliance with the Act within its organisation. There is no reason to think that the quality of the advice given is other than professional and competent, or that the program is not comprehensive in relation to the structure and needs of Rural Press. 
I am not, in those circumstances, disposed to direct Rural Press and Bridge to undertake a trade practices compliance program different from that which it proposes to undertake."

A cross-appeal by the ACCC against the trial judge's refusal to order that the defendants implement a compliance program conforming to AS 3806 was unanimously rejected by the Full Federal Court in Rural Press Ltd v ACCC [2002] FCAFC 213. The Full Court said:


"We agree with the reasons given by the primary Judge for refusing to grant a mandatory injunction. In particular, his Honour was correct to draw attention … to difficulties inherent in the terms of the mandatory injunction sought by the ACCC. It would have obliged Rural Press and Bridge Printing to implement a program that had not yet been developed and which was, in any event, to be approved by a person appointed by Rural Press with "expert knowledge of trade practices law". The Court should not delegate to a third person the task of specifying the obligations that are the subject of injunctive orders."

ACCC v Real Estate Institute of Western Australia involved proceedings against REIWA and 2 other TAFE colleges for alleged price fixing on real estate courses. The matters were resolved by agreement between the parties and a consent order was placed before the court for approval. It included a requirement that REIWA institute a trade practices compliance program complying with AS 3806. French J said (at p 42,606-7):


"Once an undertaking is accepted by the Court or a consent order made, their breach is enforceable by proceedings for contempt. The undertakings and orders must therefore be formulated with precision so that they are capable of being readily obeyed. Undertakings or orders which are likely to involve vague evaluative judgments or significant debates on their interpretation are not likely to be given the Court's sanction. Similarly, undertakings or orders which are likely to require the Court to be concerned with the ongoing supervision of the conduct of the parties to them will also raise serious questions as to their appropriateness. So in this case the requirement of compliance with the Australian Standards Association standard for compliance programmes imposes standards which are aspirational in their expression and not readily measured in application."

Recognising this, French J amended the order so that the requirement for compliance with AS 3806 was in the form of a "best endeavours" undertaking.

In ACCC v Wizard Mortgage Corporation Limited, the Federal Court refused to grant an injunction sought by the ACCC requiring the defendant to implement a trade practices compliance program for 3 years complying with AS 3806. Merkel J said:


"I am satisfied that Wizard does not intend to repeat its contravening conduct and has set in place procedures which it regards as sufficient to prevent a repetition of that conduct. In my view the contravening advertisement resulted from a systemic failure within Wizard to set in place procedures that ensured that all advertising received legal approval. However, I am not satisfied that the procedures that Wizard has set in place since the advertisement are adequate to prevent a repetition of contravening conduct of the kind that has occurred. Thus, the present case is one where it is appropriate to grant an injunction to deter a repetition of the contravening conduct and to mould the grant of relief accordingly. One aspect of that deterrence is an expectation that, as a result of the injunction, Wizard will set in place a formal process, based on the recommendations of its legal advisers, that will ensure that there will not be a repetition of the contravening conduct. …


The above conclusions are also sufficient to dispose of the ACCC's application for the implementation of a compliance program. The injunctive orders that I propose to grant [that the respondent by itself, its employees, servants and agents or howsoever otherwise, be restrained for a period of 18 months … from causing the publishing or broadcasting of advertisements for its housing mortgage loans which represent that the loans have features that they do not have, or that loans at a specified interest rate have features that they do not have] are a sufficient inducement to Wizard to establish an appropriate compliance program based on the legal advice it receives. In such circumstances I do not regard it is as appropriate or necessary for the Court to exercise its injunctive power to impose such a program on Wizard."

Similarly, in ACCC v Gary Peer & Associates Pty Ltd, the court declined to make an order sought by the ACCC requiring the respondent to implement and maintain for three years an appropriate compliance program “to the extent necessary to ensure compliance” by the respondent with ss 52, 53 and 53A of the Trade Practices Act. Sundberg J noted that the "institution of the proceeding, its conduct, its outcome, including the findings of contravention, the making of the declarations and the costs order, will in my view sufficiently concentrate the minds of the respondent and its officers on the need in the future to avoid contravening conduct to make it unnecessary for a compliance program to be imposed on them".


Case Law on Compliance Systems
•     There must be a system directed to preventing a contravention of relevant legal or regulatory requirements: State Pollution Control Commission v Kelly (1991) 5 ACSR 607; Guthrie v Doyle Dane & Bernbach Pty Ltd (1977) 30 FLR 116; Adams v Eta Foods Ltd (1987) ATPR ¶40-831.
•     The system must be adequate for that purpose – ie objectively capable of detecting/preventing a contravention: EPA v Great Southern Energy [1999] NSWLEC 192.
•     The system must be communicated to all affected staff: Evans v Lee and Commonwealth Bank of Australia (1996) EOC 92-822 and Hopper v Mount Isa Mines Ltd [1997] QADT 3.
•     The policies and procedures that make up the system must be committed to writing and must be clear and capable of being understood by relevant staff: Chapel Road Pty Limited and ASIC [2003] AATA 660 and EPA v Great Southern Energy [1999] NSWLEC 192.
•     In this regard, it is not sufficient just to provide manuals or place material on the intranet – all relevant staff must be informed about the system and properly trained: Coyne v P & O Ports [2000] VCAT 657.
•     The system must include proper escalation procedures so that actual or potential breaches are brought to the attention of senior managers: EPA v Great Southern Energy [1999] NSWLEC 192.
•     The system must be properly supervised or policed to make sure it is applied: Videon v Barry Burroughs Pty Ltd (1981) 53 FLR 425 and Ali v Hartley Poynton Ltd [2002] VSC 113.
•     The system must include adequate procedures for logging and dealing with customer complaints: Universal Telecasters (Qld) Ltd v Guthrie (1978) 32 FLR 360.
•     The system must be monitored or audited for effectiveness: Hopper v Mount Isa Mines Ltd [1997] QADT 3.
•     The system must be kept under review and updated when necessary: TPC v CSR Ltd [1991] ATPR ¶41-076.

State Pollution Control Commission v Kelly was a case of no system at all. A company director was charged under s10 of the Environmental Offences and Penalties Act 1989 (the precursor to the Protection Of The Environment Operations Act 1997 (NSW)) for the escape of ammonia into stormwater and its release into a stream. He somewhat cynically sought to rely on the due diligence defence in s10(1)(c) arguing that he had used all due diligence to prevent the company’s contravention. The court rejected his argument on the facts, saying that not only did he not take appropriate precautions, he in fact had elected to take none at all. Per Hemmings J (at pp608-9):


"A defendant has the onus to prove not only diligence, but all due diligence. This requires that everything properly regarded as due diligence should be done. … [I]n a similar context requiring the taking of "all reasonable precautions", a standard of perfection was rejected …. I respectfully agree and am of the opinion that in s10, while "all" must have its proper connotation, similar stress must be given to "due".


Due diligence, of course, depends upon the circumstances of the case, but contemplates a mind concentrated on the likely risk. The requirements are not satisfied by precautions merely as a general matter in the business of the corporation, unless also designed to "prevent the contravention".


Whether a defendant took the precautions that ought to have been taken must always be a question of fact and, in my opinion, must be decided objectively according to the standard of a reasonable man in the circumstances."

Guthrie v Doyle Dane & Bernbach Pty Ltd also involved a case of no system at all. In that case, an advertising agency was prosecuted under the former TPA s53(e), prohibiting the making of false or misleading statements concerning the existence or amount of a price reduction. It had prepared an advertisement on behalf of its client, a car dealer, implying incorrectly that a sales tax cut which had been introduced would only be available for a certain period. The agency relied on the due diligence defence in TPA s85(1)(c) and submitted that the client was a responsible and well managed organisation and that the advertisement was subject to approval by the client. On the facts, it was held that the agency had not taken reasonable precautions or exercised due diligence sufficient to establish the defence. Further, it was held that whatever system the agency had implemented was not devised for the purposes of avoiding a contravention of the Act. Per St John J (at p121):


"In addition to there having been no precautions taken there is also no evidence of the exercising of any diligence. The incidence of sales tax and the treasurer’s intentions in relation to it are matters of public knowledge available to those who took the trouble to inquire. No reasonable explanation could be advanced as to why … the defendant company could not have made its own inquiries as to the incidence of sales tax and the duration of any sales tax cuts. There is no evidence of specific attention being given to avoiding contravention of s53(e) of the Act."

Adams v Eta Foods Ltd involved a system, but one that was not directed to avoiding a breach of legislation. ACCC prosecuted Eta Foods for describing pies as beef pies when they contained mutton. Eta relied on all 3 defences in s85(1), saying that it bought from a reputable meat supplier who had stated that the mince supplied was beef. It had systems in place for testing and controlling the quality of pies but none that went to testing for species substitution. It was held that it had made out the defence of honest and reasonable mistake under s85(1)(a) but not due diligence under s85(1)(c). The court said (at p48,972):

"That brings me to paragraph (c)(ii). … Eta … would have to show it took reasonable precautions and exercised due diligence, not as a general matter in its business, but "to avoid the contravention". The precautions and diligence must be directed at a result, the avoidance of a state of affairs. The defendant need not have in specific prospect the terms of the TP Act, but a party in the position of Eta could not be said to have taken precautions and exercised due diligence to avoid the perils of species substitution in raw mince supplied to it to fill orders for minced beef when it had no cognizance of any such peril. It had procedures to deal with fat and gristle content and excessive moisture levels. But, one cannot, in my view reason from that to decide that Eta took reasonable precautions and exercised due diligence to avoid the contraventions. I conclude that Eta has not made out the defence under paragraph (c)."

EPA v Great Southern Energy involved a prosecution against Great Southern Energy for spillage of PCB contaminated oil into waterways. It had pleaded guilty but offered in mitigation the steps it had taken to be a responsible environmental operator. This included spending over $1m in obtaining accreditation of its environmental management program under ISO 14001. The court said:


"Despite the defendant’s enormous expenditure on accreditation, there were numerous failings in the system or practices adopted by the defendant at the time of the incident. Whilst obviously directing attention to its general concern for the environment the defendant appears to have overlooked the most basic and elementary requirements, namely of ensuring that its employees were adequately trained in all handling, safety and emergency procedures, and familiar with the defendant’s voluminous Codes of Practice. The employees involved had received a copy of a publication entitled Technical Response Group Operating Manual prior to the incident but neither had been instructed concerning its contents nor application. At least one of the operators has said that he did not receive any written instruction concerning oil spill procedures nor been given any training in oil spill response prior to receiving the manual. There is no evidence that the contents of the manual was ever brought to the attention of the employees by specific instruction. …


A bund was not provided around the oil treatment operation and there is no explanation before the Court for such deficiency. The spill kits available on the site were completely inadequate to deal with the oil spillage problem and no pumps exist for any emergency. There is no evidence before the court which suggests any proper audit had been made of emergency equipment nor an awareness by employees of the emergency procedures."

The court criticised the defendant for not having adequate escalation procedures. It said:


"Upon the leak having been discovered a strict code ought to have been implemented which was fail-safe. This occurrence has revealed a difficulty in communication at all levels. Within the company’s own operations there was no access to a central authority which was available to provide expert advice and assistance. Instead contact was attempted with Mr Donaldson who did not receive the message for some four hours after it was given that an oil spill had occurred. The message did not suggest urgency and his attention was already diverted with another problem. The fact that he was uncontactable and there was nobody else in senior management to take charge of the emergency operations is alarming."

The court also criticised the defendant for the complexity of its "voluminous" staff manuals, saying "The complexity of the Codes of Practice suggest that unless explicit instruction was provided they would be bewildering to most employees."

In Evans v Lee and Commonwealth Bank of Australia, CBA sought to avoid liability for sexual harassment and discrimination committed by one of its bank managers against a female customer by raising the "all reasonable steps" defence. The Human Rights and Equal Opportunity Commission rejected the defence. Per Commissioner Jones (at pp79,055-7):


"The CBA, … in the event that its manager, Mr Lee, was found guilty of unlawful conduct, seeks to avoid its liability by establishing that it took all reasonable steps to prevent the occurrence of those unlawful acts. These steps are relevant to both the areas of discrimination and sexual harassment.

      The CBA points specifically to the following facts:-
      > the development of [sic and] promulgation of relevant policies and a code of conduct;
      > a system of audits of performance by managers of their responsibility. …


CBA has a duty to ensure that its policies are communicated effectively to its executive officers, and that they accept the responsibility for promulgating the policies and for advising of the remedial action when breached. In my view, the evidence discloses that in the CBA’s policies there was virtually no focus on sexual discrimination/sexual harassment in the provision of banking services. There was clearly no instruction to the staff at the [relevant] branch about these matters nor, it seems, was there any check through the audit process that the CBA’s policies, limited as they were, were communicated to the staff. In particular, there does not appear to have been clear guidelines as to how the staff ought to handle a problem where conduct was engaged in by a manager which might be classified as unlawful under the discrimination legislation.


On balance, I am not satisfied that the CBA took all reasonable steps to prevent its employee, Mr Lee, from doing the acts which I have found to have been unlawful."

Hopper v Mount Isa Mines Ltd also involved an employer trying to avoid vicarious liability for sexual harassment and discrimination committed against a female mine apprentice by relying on the "all reasonable steps" defence. The employer had given detailed briefing sessions to 600 – 700 supervisors and told them that they had to identify any breaches of the Act that might exist in their departments and eliminate them. Unfortunately it failed to mention to the supervisors that they had a responsibility to train the staff they supervised. MIM employed over 4,000 people and there were a large number of employees who in fact had not received any formal training on their anti-discrimination obligations. The Queensland Anti-Discrimination Tribunal rejected MIM's defence. It criticised MIM for not carrying out any formal follow-up to ensure that its supervisors had passed on to employees their rights and responsibilities under anti-discrimination legislation. It also found that MIM had not adequately monitored compliance with its policies. For instance, while supervisors had been told that posters of semi-clad women and insulting or graphic graffiti would have to be removed, nobody had checked whether this had occurred and in fact it hadn’t. Also, nobody had been monitoring the drop-out rate of female apprentices. If they had, they would have realised that it was disproportionately high compared to male apprentices and warranted following up why that might be so.

Chapel Road Pty Limited and ASIC involved an action by a banned securities dealer to have the ban set aside in the Administrative Appeals Tribunal. In the course of the Tribunal's judgment, it was observed about the obligation of the dealer under its licence to establish and maintain adequate training, supervision and compliance procedures that: "In the Tribunal's view, as a matter of practicality and good management, this would ordinarily require that those procedures should be set out in writing".

In Coyne v P & O Ports, a woman working in a canteen at a wharf was sexually assaulted by a wharfie. The issue was whether his employer had exercised reasonable precautions against sexual harassment in the workplace so as not to be vicariously liable for the wharfie’s misconduct. The court said no:


"It is well settled in this jurisdiction that to avail itself of the [reasonable precautions] defence, a respondent will be able to show that it carried out a package of affirmative action to ensure that steps and strategies have been put in place aimed at preventing sexual harassment. The preventive measures to be taken would ordinarily include the implementation of adequate educational programmes on sexual harassment issues and monitoring of the workplace to ensure compliance with its sexual harassment policies. …


An essential component is that the respondent must have taken appropriate steps to communicate its sexual harassment policies to all employees, the objective being that they become aware of what may constitute sexual harassment and that it is unlawful."

The employer tried to meet this obligation by pointing to a corporate policy prohibiting sexual harassment that was contained in hard copy in its staff manual, a copy of which was kept in the office near the canteen and was also available on the intranet. It also pointed to an induction training program that all new employees had to undertake that went through their obligations in this area and a booklet it said that it had mailed to all staff explaining the policy prohibiting harassment. The court said that this was not enough. The induction training program had only been in operation since 1996 and had only covered 49% of staff. The protagonist in this case had been employed before 1996 and had not received the training. None of the employees who gave evidence at the case had any recollection of receiving the booklet explaining the policy. The court also pointed out that the booklet was only printed in English and there was evidence that many staff came from non-English speaking backgrounds. The court said that it had no evidence before it whether the protagonist in this case had received the booklet or whether he had understood it. Further, as a wharfie, the court said that he would not have had access to a computer to view the policy on the intranet and there was evidence that very few employees had ever consulted the staff manual in the office.

In Videon v Barry Burroughs Pty Ltd, the ACCC took action against Barry Burroughs, a real estate agent, and Beneficial Finance, its client, in relation to a misleading land sales brochure. The brochure was supposed to be approved by Beneficial Finance before printing. There was no clear evidence one way or the other whether it was in fact submitted for approval before printing. Beneficial sought to rely, amongst other things, on the due diligence defence in TPA s85(1)(c). Per Fisher J (at p453):


"Assuming that it can establish that the contravention was due to the act or default of Barry Burroughs or some other cause beyond its control, Beneficial Finance must prove that it took reasonable precautions and exercised due diligence. It is my opinion that reasonable precautions and due diligence were not taken by the officers of the State Branch in that they failed to carry out the instructions of Head Office to approve the brochure prior to printing. Such officers included the Branch Manager and the Real Estate Manager and it was not disputed that they were "core personnel" and, no limitation on their authority having been proved, they are "the company" for the purposes of such default.


… Beneficial Finance laid down an effective procedure in an attempt to ensure that no misleading material appeared in its brochure. However it failed to supervise and "police" this procedure, in that it failed to take steps to ensure that the procedure was followed. By failing to ensure that a draft brochure was presented for approval and, when presented, approved and any misleading statements excised, Beneficial Finance has denied itself the benefit of the defence. It did not take reasonable precautions and it did not exercise due diligence to avoid the contravention."

Ali v Hartley Poynton Ltd involved a claim against Hartley Poynton for improper trading on a client's discretionary account. The judge noted that there was no proper supervision or control of the way in which the employee managing the account had carried out his trading activities, notwithstanding that the employer was on notice that the employee needed close supervision because of earlier misconduct. The judge found for the plaintiff and awarded exemplary damages against Hartley Poynton for its "conscious contumelious disregard" for the rights of the plaintiff. He said:


"A stockbroker employing brokers cannot supervise each dealing they make as they make it. It can, however, set down policies. This the defendant did through its Compliance Committee in Perth. Policies, however, are worthless without systems and people in place to enforce those policies by checking from time to time that they are being applied. …


I have referred above to the statements in the defendant's published governance documents about its core values which include acting with integrity and ensuring compliance with the spirit and letter of relevant Acts, Rules and Regulations and its policies. I have also referred to the production from time to time of various compliance policy documents. Plainly the officers of the defendant had directed their minds to what would be proper conduct by individual brokers. In part, the intent was to protect the interests of clients. As noted above, however, on the evidence, nothing effective was done to enforce the law or those policies. … The compliance officer and Committee do not appear to have done anything effective to protect the interests of the clients. To promote itself publicly, in the way the defendant did, and to recognise the need for, and develop, policies which will address the rights and interests of clients but do nothing effective to enforce them, shows a contempt for the rights and interests of all clients."

Universal Telecasters (Qld) Ltd v Guthrie involved an appeal by the broadcaster which had televised the offending advertisement in Guthrie v Doyle Dane & Bernbach Pty Ltd against its conviction under s53(e). It relied on the due diligence defence in s85(1). Evidence was given that the general manager of the company provided instructions to the sales service manager in relation to the vetting of advertisements for compliance with the TPA prior to them being screened. The general manager had instructed that in the event of any doubt about the legality of a commercial, that doubt should be communicated either to the company secretary or to the general manager, who would seek legal advice if necessary. Evidence was given of the operation of the system in practice and the level of supervision provided by the general manager. The court held that a proper system had been instituted for vetting advertisements before they were telecast and that that system, as far as it went, was adequately supervised. However, in the subject case, a complaint had been made by a member of the public following the screening of the advertisement. The court found that, although a system had been devised to deal with viewer complaints, it was not adequate and, further, there had been no adequate supervision of it. The court therefore held that the due diligence defence had not been made out. Per Bowen CJ (at p363-4):


"The second aspect concerns the defence under s.85(1) that Universal Telecasters "took reasonable precautions and used due diligence". While these are plain English words, which have to be applied as they stand, it appears to me that two responsibilities which Universal Telecasters would have to show it had discharged, in order to establish this defence, would be that it had laid down a proper system to provide against contravention of the Act and that it had provided adequate supervision to ensure the system was properly carried out. Universal Telecasters did institute a system and did provide for supervision. The mere fact that its system and supervision has proved inadequate to prevent error, does not necessarily establish that its system is defective. Even the best systems may break down due to human error. It is necessary to make a judgment about the system and the provision for supervision.


The system of having advertisements checked by Mr. Yardley before transmission appears to have been basically a sound one, although it would have been stronger if it had not placed so much weight upon his mere personal knowledge and reaction to the advertisements which he viewed. However, I would not be prepared to hold that the system was defective in not requiring an advertisement, such as that in the present case, to be checked with the relevant government department or in not requiring the advertisement to be verified by the advertiser. The failure to provide a better system of dealing with telephone complaints made at the time, in the evening, when the advertisement was to be broadcast, raises a more difficult question. It is, in my opinion, not enough for Universal Telecasters to show that it had a careful system of vetting advertisements before it put them to air. In the case of advertisements which are to be broadcast during the evening period on more than one day, I think a proper system should include some procedure whereby a complaint made during this period that an advertisement is misleading or otherwise contravenes the Trade Practices Act will be referred promptly to an appropriate officer. No system had been established which made adequate provision for this. In this respect I think the company failed to make out the defence under s85(1) …"

TPC v CSR Ltd, supra, highlights the need for the periodic review and updating of compliance procedures. In that case, the company was criticised by the court for not updating its compliance manual since it was introduced some 11 years earlier, and not conducting any staff training since a seminar held some 6 years earlier.


The Desirable Features Of A Financial Services Compliance System

Note: the features below are what I consider to be the desirable features of the optimal compliance system for a large financial services organisation. The fact that a large financial services organisation does not conform to these features does not mean that its compliance system is flawed, just that (in my view) it is not optimal. Note that this list of features may not necessarily be appropriate for smaller financial services organisations.

Core Values
•     A clear and unequivocal declaration enshrined in the organisation’s core values statement of the fundamental importance of compliance with legal and regulatory requirements and ethical business standards.
•     Constant reinforcement of that message from senior management – both in words and in deeds.
•     A mission statement for Compliance that embodies that core value.


•     If the organisation has a Chief Legal Officer, they should be the ultimate head of, and accountable to the board for, the Compliance function (with the Head of Compliance reporting to them). If the organisation does not have a Chief Legal Officer, the Head of Compliance should be a senior person with legal qualifications.
•     Adequate number of suitably qualified staff.
•     Adequate library (including on-line services).
•     Access to training and continuing education programs.
•     Access to internal computer systems (for monitoring and investigation).
•     Allocation of IT overhead and investment for computerised surveillance systems.


•     Reporting lines:
  •     Compliance staff should report to the Chief Legal Officer/Head of Compliance, with no solid or dotted reporting lines to business line management; and
  •     Chief Legal Officer/Head of Compliance should report directly to the Chief Executive Officer.
•     Remuneration:
  •     For Compliance staff should be determined by the Chief Legal Officer/Head of Compliance, with minimal involvement from business line management; and
  •     For Chief Legal Officer/Head of Compliance should be determined by the Chief Executive Officer.

Paragraph 47 of ASIC Regulatory Guide 104 Licensing: Meeting the general obligations says: "You need to ensure that the area responsible for compliance: (a) is independent enough to do its job properly; (b) has adequate staff, resources and systems; and (c) has access to relevant records."

Similarly, paragraph 35 of ASIC Regulatory Guide 181 Licensing: Managing conflicts of interest suggests that licensees should consider how their organisational structure, physical layout and reporting processes affect their conflicts management and, in particular, should carefully consider whether it is appropriate to have compliance or internal audit staff reporting to a business unit.

Documented Policies and Procedures
•     Identification of core compliance requirements and development of policies and procedures in respect of those.
•     Drafted in plain English.
•     Where practicable, integrated into operational processes.
•     Signed off by internal or external lawyers.
•     Endorsed, and stated to be endorsed, by the Board or CEO.
•     Manuals available in hard copy and on intranet.
•     Reinforced with appropriate training for all affected staff.
•     Reviewed periodically for currency and effectiveness.

Compliance "policies" tend to be statements of principle and set out rules that staff must follow to ensure that they and the organisation comply with the law. Often they are targeted at a broad cross-section of staff (eg all staff in the organisation or all staff in a particular business unit). Compliance "procedures", on the other hand, tend to be process-type documents that are written for those staff members administering the procedure in question. With a procedure, you can generally assume an underlying level of knowledge and technical expertise and write the procedure accordingly.

Some tips on writing compliance policies (as distinct from procedures):


You must attune your policy to your target audience. If, for example, you are writing a staff trading policy for all staff in the organisation, you need to take account of the fact that some of your target audience may not have tertiary degrees, some may not have English as their first language, some may not have any knowledge or experience of financial markets, and so on. However, if you are writing a trading policy for equity research analysts, you can reasonably assume your target audience will have some knowledge of financial markets.


Use plain English. Don't use technical legal expressions (such as "Division 3 financial products" or "Section 1020B products") and don't use Latin expressions (such as "prima facie", "inter alia" etc) that only lawyers generally use.


Don't just recite the law. Summarise the law in terms that a lay person in your target audience will understand and, where appropriate, illustrate the principles with examples that the target audience will find meaningful and relevant.


Don't quote section numbers and case names in your policy. These details are only of interest to lawyers and compliance professionals. [If you really feel a need to quote a section or a case as authority for a proposition, put it in a footnote or endnote so that it does not interrupt the flow of the policy.]


Don't employ legalistic styles of writing. While lawyers may appreciate the technical precision of starting a compliance policy with pages of meticulous definitions, most lay people will find that style of writing uninteresting and a turn-off.


Keep the policy concise. Anything longer than 5 A4 pages is going to be too long for most staff members to absorb and remember - preferably it should be much shorter. Test every sentence in the policy by asking: "Does my target audience really need to know this information?"


Avoid unnecessary detail. For example, staff don't really need to know that the penalty for breaching the insider trading prohibition is a fine of 2,000 penalty units and/or 5 years’ jail for individuals and 10,000 penalty units for bodies corporate if prosecuted as a criminal offence and a penalty of $200,000 for individuals and $1,000,000 for corporations if prosecuted as a civil penalty. It is generally sufficient to say that a breach attracts very significant criminal and civil penalties. If you think it might be useful for staff to understand the magnitude of the penalties that they might attract if they breach the policy, you can mention that in the training on the policy. You don't need to mention it in the policy itself.


Don't clog up your policy with statements that should be self-evident or that are of little or no relevance to your target audience. Comments such as the policy is administered by Compliance or that it is going to be reviewed periodically for effectiveness are relevant to those in Compliance but not to other staff. Likewise for statements that staff will have to attend training in relation to the policy. They will understand that when they get the email inviting them to a training session.


If your organisation has a statement of core values, mention it in the introduction and draw the link between your compliance policy and those core values.


Be realistic about the role of the board in the administration of the policy. While often you will see references in regulatory guides to the board having the ultimate responsibility for ensuring compliance, that does not mean that each and every minor compliance breach has to be reported to and considered by the board. In large organisations, only the most serious of compliance breaches would warrant escalation to the board.


Think carefully about the cost-benefit analysis of using IT systems as part of your compliance regime. In large organisations, even apparently simple IT changes can be very difficult and costly to roll out. Students often suggest, for example, having staff acknowledge that they have read and understood various compliance policies each day when they sign in to their computer as part of the log in process. That type of perfunctory acknowledgement frankly would be of little benefit and generally would not warrant the costs involved.


Training and Education
•     Induction training for all new employees.
•     Periodic refresher training for all employees.
•     Remedial training for employees who breach.
•     Training must be tailored to businesses and risks involved, with liberal use of examples.
•     Records of attendance must be kept.
•     Consider using exams or other assessment to test understanding.

Just as you need to tailor compliance policies for your target audience, you also need to tailor your training, in terms of who gets trained, how they get trained and how often. Face to face training is costly, especially in terms of lost productive time for the staff attending the training, and in large organisations can be very difficult to implement.

Monitoring and Surveillance
•     Identification of high risk areas.
•     Development of procedures to test compliance in those and other areas (audits, spot reviews, computerised surveillance routines etc).
•     Documentation/audit trail of procedures performed and investigations undertaken.
•     Periodic analysis of patterns or trends to identify problem business areas or employees that might warrant closer supervision or refresher training.


Reporting/Escalation Procedures
•     Formal escalation procedure (who gets notified and when).
•     Action logs which are regularly reviewed and updated.
•     Procedures for reports to, and review by, a compliance or control committee.
•     Board reporting procedures, with appropriate criteria and thresholds.


Employee Policies and Procedures
•     Reference and background checks on employees before hiring.
•     Standard employment contracts that include a term requiring compliance with corporate policies and procedures and making failure to do so an express ground for disciplinary action, up to and including dismissal.
•     Compliance included as a criterion in performance/remuneration reviews.
•     Meaningful and proportional disciplinary action for compliance breaches.
•     Annual compliance sign-offs.
•     Established procedures for staff interviews/investigations.

On the first bullet point, see the ASIC/Standards Australia guide book Reference Checking in the Financial Services Industry.

Performance Monitoring and Continuous Improvement
•     Performance benchmarking (eg number of customer complaints, dollar value of customer settlements, number of regulatory actions and enquiries, dollar value of ASX fines etc).
•     "Lessons learned" reviews after major compliance issues.
•     Periodic reviews by Internal Audit.

See generally Parker, "Evaluating Regulatory Compliance: Standards and Best Practice" (1999) 7 TPLJ 62.

Compare the principles above with the 10 guiding principles for Compliance propounded by the Basel Committee on Banking Supervision in its paper "Compliance and the Compliance Function in Banks" (April 2005):

1.   The bank’s board of directors is responsible for overseeing the management of the bank’s compliance risk. The board should approve the bank’s compliance policy, including a formal document establishing a permanent and effective compliance function. At least once a year, the board or a committee of the board should assess the extent to which the bank is managing its compliance risk effectively.

2.   The bank’s senior management is responsible for the effective management of the bank’s compliance risk.

3.   The bank’s senior management is responsible for establishing and communicating a compliance policy, for ensuring that it is observed, and for reporting to the board of directors on the management of the bank’s compliance risk.

4.   The bank’s senior management is responsible for establishing a permanent and effective compliance function within the bank as part of the bank’s compliance policy.

5.   The bank’s compliance function should be independent.

6.   The bank’s compliance function should have the resources to carry out its responsibilities effectively.

7.   The responsibilities of the bank’s compliance function should be to assist senior management in managing effectively the compliance risks faced by the bank. If some of these responsibilities are carried out by staff in different departments, the allocation of responsibilities to each department should be clear.

8.   The scope and breadth of the activities of the compliance function should be subject to periodic review by the internal audit function.

9.   Banks should comply with applicable laws and regulations in all jurisdictions in which they conduct business, and the organisation and structure of the compliance function and its responsibilities should be consistent with local legal and regulatory requirements.

10.  Compliance should be regarded as a core risk management activity within the bank. Specific tasks of the compliance function may be outsourced, but they must remain subject to appropriate oversight by the head of compliance.

Compare too the 8 principles for Compliance propounded by the Technical Committee of IOSCO (the International Organization of Securities Commissions) in its report "Compliance Function at Market Intermediaries" (March 2006):

1.   Establishing a Compliance Function:
  (a) Each market intermediary should establish and maintain a compliance function.
  (b) The role of the compliance function is, on an on-going basis, to identify, assess, advise on, monitor and report on a market intermediary’s compliance with securities regulatory requirements and the appropriateness of its supervisory procedures.

2.   Role of Senior Management and the Governing Authority:
  (a) It is the role of senior management to establish and maintain a compliance function, and compliance policies and procedures designed to achieve compliance with securities regulatory requirements.
  (b) The governing authority should obtain adequate assurance that senior management is carrying out this role effectively.

3.   Independence and Ability to Act:
  The compliance function should be able to operate on its own initiative, without improper influence from other parts of the business, and should have access to senior management and/or, as appropriate, to the governing authority.

4.   Qualification of Compliance Personnel:
  Staff exercising compliance responsibilities should have integrity, an understanding of relevant rules, the necessary qualifications, industry experience and professional and personal qualities to enable them to carry out their duties effectively.

5.   Assessment of the Effectiveness of the Compliance Function:
  (a) Each market intermediary should periodically assess the effectiveness of its compliance function.
  (b) In addition to any internal evaluations, the compliance function should be subject to periodic external review. Such reviews may be conducted by independent third parties, such as external auditors, SROs or regulators.

6.   Regulators’ Supervision:
  (a) Regulators’ supervision of market intermediaries should include the assessment of the compliance function, taking into account the intermediary’s size and business.
  (b) Regulators should take steps to encourage market intermediaries to improve their compliance function, particularly when the regulators become aware of deficiencies. In addition, regulators should have the authority to bring enforcement actions, or other appropriate disciplinary proceedings, against market intermediaries relating to their compliance function.

7.   Cross-border Compliance Arrangements:
  Where market intermediaries operate on a cross-border basis, the compliance function must understand the applicable laws in each jurisdiction in which the market intermediary operates, and take steps to help ensure that it has the necessary personnel and expertise to comply with them.

8.   Outsourcing of the Compliance Function:
  Some market intermediaries may consider outsourcing certain compliance tasks to third party service providers. The market intermediaries, however, still retain full legal liability and accountability to the regulator for any and all functions or tasks that they outsource to a service provider.


A Sample Financial Services Compliance Mission Statement

"To assist XYZ and its employees to comply with XYZ’s global commitment to conduct all business lawfully and in accordance with high standards of personal and corporate integrity.
XYZ’s [Corporate Values Statement] confirms its commitment to conduct all business lawfully and in accordance with high standards of personal and corporate integrity. The mission of the XYZ Compliance Department is to assist XYZ and its employees to comply with this commitment.
The XYZ Compliance Department is an independent control function reporting to XYZ’s Chief Legal Counsel. It administers XYZ’s global compliance policies within Australia, including its [Rules for Business Conduct, Chinese Walls policies and procedures and anti-money laundering compliance program].
In conjunction with the XYZ Legal Department, the XYZ Compliance Department helps line management to identify and interpret key legal and regulatory requirements affecting their business and to develop and disseminate policies and procedures to address those requirements. It also supports line management in developing and implementing training programs for employees in respect of those laws, regulations, policies and procedures.
The XYZ Compliance Department performs monitoring and surveillance procedures to evaluate adherence to particular legal and regulatory requirements. Where a breach is detected, the XYZ Compliance Department ensures that it is reported to management and, if necessary, to the board of directors and relevant regulators. It also works with line management to determine the steps necessary to remedy the breach and to avoid a re-occurrence.
The XYZ Compliance Department shares the responsibility for ensuring that XYZ complies with its legal and regulatory obligations with the XYZ Legal Department and a number of other XYZ control groups. For instance, compliance with accounting and prudential reporting requirements is a matter for Corporate Reporting; taxation laws for Corporate Tax; company secretarial matters for the Company Secretary; employment laws for Human Resources; and so on. It also shares that responsibility with all XYZ employees, each of whom has a personal duty to ensure that their business dealings on behalf of XYZ are conducted lawfully and in accordance with high standards of personal and corporate integrity.

Return to Outline

A Sample List of Financial Services Compliance Policies

Core Policies
•    Employee trading policy
•    Insider trading and Chinese walls
•    Confidentiality
•    Conflicts of interest
•    Anti-money laundering, counter-terrorism financing and suspect transaction reporting
•    Gifts and inducements
•    Political donations
•    Competition and fair trading
•    New business/products
•    Proprietary information
•    Use of copyright materials and other IP (eg client logos)
•    Handling media enquiries
•    Client complaints
•    Trust accounts and client property
•    Document retention
•    Reporting obligations and escalation procedures

If the financial services organisation is an ASX-listed entity, it would also generally have a continuous disclosure policy to meet its obligations in that regard under the ASX Listing Rules.

The policy on conflicts of interest should cover personal investments, personal affiliations, outside business activities and political activities. The policy on gifts and inducements should cover bribes and foreign corrupt practices issues.

Note that document retention policies are very sensitive matters since the Arthur Andersen/Enron scandal in the US (see Arthur Andersen LLP v United States, 544 U.S. 696 (2005)) and the McCabe/British American Tobacco litigation in Australia (see McCabe v British American Tobacco Australia Services Limited [2002] VSC 73; reversed on appeal British American Tobacco Australia Services Limited v Cowell (as representing the estate of Rolah Ann McCabe, deceased) [2002] VSCA 197; special leave to appeal refused Cowell v British American Tobacco Australia Services Ltd [2003] HCATrans 384). Also requiring consideration is the US Sarbanes-Oxley Act of 2002 §802 (18 U.S.C. §1519), which provides for criminal penalties of a fine, imprisonment of up to 20 years, or both, for anyone who knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under the US Bankruptcy Code, or in relation to or contemplation of any such matter or case. The practical point for a document retention policy is that it must be suspended (a "litigation hold") as soon as an investigation or proceeding is reasonably anticipated; routine destruction that continues after that point is what turned a retention policy into an obstruction charge in Arthur Andersen.

Legal Department Policies
•    Litigation
•    Instructing outside counsel
•    Dealings with regulators


HR Related Policies
•    Equal opportunity, discrimination, harassment and victimisation
•    Workplace health and safety
•    Use of email and internet
•    Relationships between supervisors and staff
•    Drugs and alcohol in the workplace
•    Gambling
•    Whistle blowers


Trading Procedures
•    Market manipulation and other misconduct
•    Front running
•    Retail investor obligations
•    Account opening procedures
•    Order records and other documentation requirements
•    Best execution/timely execution obligations
•    Use of suspense and error accounts
•    Client order precedence (including bunching and allocation policy)
•    Principal trading
•    Discretionary trading
•    Short sales
•    Off-market transactions
•    Linked transactions
•    Non-market price transactions
•    Trading from home
•    After hours trading
•    Telephone taping


Business Specific Procedures
•    Research clearance procedures
•    Credit approval procedures
•    Underwriting procedures
•    Advisory engagement letter procedures (especially indemnities)
•    Etc etc etc

Return to Outline

Dealings with Regulators

Suggested Policy
•     A financial services organisation should have a clear published policy that officers and employees must treat regulators with courtesy and respect, not obstruct them in their lawful activities and, when asked to provide information by a regulator, not intentionally mislead, deceive or conceal material information from them.
•     It should also be acknowledged, however, that the organisation needs to be properly represented in its dealings with regulators on compliance-related matters. Accordingly, Legal/Compliance should have the carriage of all such matters. Information should not be given to a regulator on a compliance-related matter without first consulting Legal/Compliance.

Misleading regulators or concealing information from them can land you in serious hot water. By way of example, Credit Suisse had its Japanese derivatives business closed down in 1999 by the Japanese Financial Supervisory Agency (now the Financial Services Agency) for misleading tax and regulatory authorities there (see the Japanese FSA's statement of findings). Among other things, it was found that Credit Suisse had removed documents offsite, and had filed other documents in a secret room and falsified its office floor plans to conceal the location of the room, to avoid their discovery by regulators. Credit Suisse was subsequently fined £4m by its primary regulator, the UK Financial Services Authority, for the same conduct, even though it had occurred in Japan (see the UK FSA's 19 December 2002 press release). At the time, it was the largest fine ever imposed by the UK FSA, by a factor of two. The FSA made it clear that the size of the penalty was a message to other financial firms that it would not tolerate breaches of rules that require firms to cooperate with regulators and keep proper records.

In a similar vein, Deutsche Bank was fined £227 million, also then a record fine, by the UK Financial Conduct Authority for LIBOR and EURIBOR manipulation and for misleading the regulator (see the FCA's 23 April 2015 press release). The FCA said: "Deutsche Bank’s failings were compounded by them repeatedly misleading us. The bank took far too long to produce vital documents and it moved far too slowly to fix relevant systems and controls. This case shows how seriously we view a failure to cooperate with our investigations ..." Deutsche Bank was also fined in excess of US$2.1 billion by US regulators for the same misconduct (see CFTC press release pr7159-15).

Suggested Procedure
Every financial services organisation should have clear published procedures, tailored for that organisation, for handling queries from regulators on compliance-related matters. By way of example, in a larger organisation, those procedures might involve:
•     If an employee receives an enquiry from a regulator on a compliance-related matter, they should immediately notify Legal and/or Compliance and let them respond.
•     Unless the matter is routine or relatively trivial, the CLO/Head of Compliance should be notified forthwith.
•     The CLO/Head of Compliance should determine who else needs to be notified, based on the nature of the enquiry (eg CEO, CFO, head of internal audit, head of HR, board of directors).
•     Compliance should review available evidence (files, emails, voice tapes, order/trading records, market data, staff interviews) to determine ASAP whether there is any suggestion of a compliance breach by the organisation – preferably, if time permits, before a response is made to the enquiry.


What is a Compliance-Related Matter?
Compliance-related matters exclude routine enquiries or filings within a person’s normal area of responsibility but include:
•     a notice from a regulator that it intends to conduct an audit or inspection;
•     a query from a regulator about a customer complaint;
•     a query from a regulator about a transaction or series of transactions;
•     a request or notice to produce documents or records;
•     a request or notice requiring a member of staff to attend an interview or hearing; or
•     any query from the police, Australian Crime Commission or ICAC.

Examples of routine enquiries: the financial reporting area dealing with accounting regulators at ASIC on a financial return; the financial reporting area dealing with APRA on a prudential filing; the corporate advisory area discussing with ASIC a modification of Chapter 6 of the Corporations Act for a client; etc.

What if You Get a Request Rather Than a Formal Notice?
•     Remember that you may have confidentiality obligations to clients that could be breached if you volunteer information to a regulator; a formal notice under the regulator's statutory powers generally compels production and so answers the confidentiality point, whereas an informal request does not.
•     If there are any concerns in this regard, explain the situation to the regulator and ask them if they wouldn’t mind issuing a formal notice. Keep them on side by indicating that you will start compiling the materials in the meantime pending receipt of the notice.
•     Ditto if you receive a notice which on its face appears to be defective (eg addressed to the wrong party, or describing documents or a period that do not match the entity served).

Return to Outline

Copyright © 2002-2017 Inhouse Legal Solutions Pty Limited ABN 16 003 663 456.