With ‘no soul to be damned and no body to be kicked’, how are corporations held accountable for wrongdoing?

ASIC’s use of corrective or remedial compliance plans

In Australia, financial penalties remain the primary enforcement tool for corporate misconduct. However, they can lack the necessary deterrent effect, may become a “cost of doing business” and can disproportionately affect innocent shareholders, employees and third parties.

Another tool available to regulators involves requiring a company to adopt and implement a corrective or remedial compliance plan.

While such plans have been a long-standing feature in enforceable undertakings, the recent case of ASIC v Commonwealth Securities Limited [2022] FCA 1253 (CommSec) demonstrates that they may also feature in court-ordered remedies.

In CommSec, the defendants consented to the ordering of significant and detailed compliance plans designed to reduce the risk of further contraventions. The Court confirmed that it had the power to make such orders as an enforcement measure under section 1101B of the Corporations Act 2001 (Cth). It was the fifth time that ASIC has sought these orders.[1] It remains to be seen whether the Court would be willing to make them over opposition from a defendant.

The compliance plans in this case included the following elements typical of such plans:

  • an independent expert reviewing the internal policies and procedures relevant to the breach, and how those policies or procedures are implemented “on the ground”;
  • the company creating or updating its policies or procedures in response to the expert’s review;
  • a follow-up review by the expert; and
  • the company implementing any additional recommendations made in the follow-up review.

Compliance plans by other regulators and in other jurisdictions

With only five examples of court-ordered compliance plans made on ASIC’s application, there is little guidance about the circumstances in which those plans will be considered appropriate, or what measures they should include in any given case. It is instructive to look at cases involving other regulators, both in Australia and abroad.

In Australia, the ACCC has been using compliance plans regularly as part of its approach to regulating consumer protection issues. The ACCC also regularly accepts enforceable undertakings containing requirements to implement a compliance plan. Because of its longer history of using compliance plans in the context of enforcement action, the ACCC provides companies more guidance on what such plans should include.

In the USA, the Department of Justice and the Securities and Exchange Commission commonly seek the appointment of an independent compliance monitor as a corporate crime enforcement measure. These monitors not only review internal policies and systems and make recommendations, but also participate in the development and implementation of compliance plans. The DoJ recently emphasised that the requirement for a compliance monitor would be assessed on a case-by-case basis, having regard to, among other things, whether the underlying criminal conduct involved the exploitation of an inadequate compliance program, or whether the company has since implemented and tested an effective compliance program.

Meanwhile, in the UK, the Serious Fraud Office often enters into deferred prosecution agreements (DPAs), in lieu of taking a matter through to trial. DPAs can include a ‘quasi-monitorship’ compliance program.

Further uptake in Australia?

In recent years, ASIC stepped back from its ‘why not litigate?’ mantra. The CommSec decision shows that ASIC still has an appetite to pursue enforcement action where appropriate, which may include seeking non-monetary orders such as court-mandated compliance plans. This, and international experience, would suggest that Australian companies facing enforcement action might find themselves on the receiving end of such orders, especially if their existing systems and processes are inadequate.

Of course, companies should not wait until they are ordered to do so before reviewing current compliance measures. An effective, risk-proportionate compliance program is an essential step in preventing and detecting corporate misconduct. It is also a factor that will be considered in deciding whether to prosecute alleged misconduct and, if so, what remedies to seek. Australian companies should regularly review their policies and procedures, and ensure they have in place tailored systems to prevent corporate misconduct, reducing the chance that a regulator will take enforcement action and mitigating any penalties imposed.


  1. The previous four cases being: ASIC v AMP Financial Planning Pty Ltd (No 2) (2020) 377 ALR 55; ASIC v Port Philip Publishing Pty Ltd [2019] FCA 1483; ASIC v Westpac Banking Corp (No 3) (2018) 131 ACSR 585; ASIC v Superannuation Warehouse Australia Pty Ltd (2015) 109 ACSR 199.

Key contacts

Elizabeth Macknay

Managing Partner, Perth Office, Perth

Christopher Hicks

Special Counsel, Perth

Stephen Waddington

Senior Associate, Perth
