Australian Securities and Investments Commission v Commonwealth Securities Limited

[2022] FCA 1253

25 October 2022


FEDERAL COURT OF AUSTRALIA

Australian Securities and Investments Commission v Commonwealth Securities Limited [2022] FCA 1253  

File number(s): NSD 150 of 2021
Judgment of: ABRAHAM J
Date of judgment: 25 October 2022
Catchwords: BANKING AND FINANCIAL INSTITUTIONS – proceeding for civil contraventions of Corporations Act 2001 (Cth) and Australian Securities and Investments Commission 2001 (Cth) – whether appropriate for court to make declarations of contravention, impose civil penalties and order defendants to implement a compliance plan – where conduct serious and unacceptable and where defendants have previously faced proceedings before the Market Disciplinary Panel – where defendants cooperated with regulator, remediated harm caused to customers, expressed contrition and have taken steps and made investments to improve future compliance – where parties agree on proposed relief – where parties agree that a discount from headline penalty is appropriate – where court satisfied that agreed penalty is appropriate having regard to all relevant matters
Legislation:

Corporations Act 2001 (Cth) ss 798G, 798H, 912A, 912C, 1101B, 1317E and 1317G

Australian Securities and Investments Commission 2001 (Cth) ss 12DB, 12GBA, 93AA and 102

Treasury Laws Amendment (Strengthening Corporate and Financial Sector Penalties) Act 2019 (Cth) s 48

Federal Court of Australia Act 1976 (Cth) s 21B

Banking Act 1959 (Cth) s 5

Corporations Regulations 2001 (Cth) r 7.2A.10

Cases cited:

ASIC v National Australia Bank Limited [2020] FCA 1494

ASIC v Pegasus Leverages Options Group Pty Ltd [2002] NSWSC 310; (2002) 41 ACSR 561

ASIC v Westpac Banking Corporation (No 3) [2018] FCA 1701; (2018) 131 ACSR 585

ASIC v Westpac Securities [2019] FCAFC 187; (2019) 272 FCR 170

Australian Building and Construction Commission v Pattinson [2022] HCA 13; (2022) 399 ALR 599

Australian Competition and Consumer Commission v Hillside (Australia New Media) Pty Ltd trading as Bet365 (No 2) [2016] FCA 698

Australian Competition and Consumer Commission v Reckitt Benckiser (Australia) Pty Ltd [2016] FCAFC 181; (2016) 340 ALR 25

Australian Competition and Consumer Commission v Yazaki Corporation [2018] FCAFC 73; (2018) 262 FCR 243

Australian Securities and Investments Commission v AGM Markets Pty Ltd (in liq) (No 3) [2020] FCA 208; (2020) 275 FCR 57

Australian Securities and Investments Commission v Avestra Asset Management Limited (in liq) [2017] FCA 497; (2017) 348 ALR 525

Australian Securities and Investments Commission v Camelot Derivatives Pty Ltd (in liq) [2012] FCA 414; (2012) 88 ACSR 206

Australian Securities and Investments Commission v Cassimatis (No 8) [2016] FCA 1023; (2016) 336 ALR 209

Australian Securities and Investments Commission v Commonwealth Bank of Australia [2020] FCA 790

Australian Securities and Investments Commission v Fisher & Paykel Customer Services Pty Ltd [2014] FCA 1393

Australian Securities and Investments Commission v Gallop International Group Pty Ltd [2019] FCA 1514; (2019) 138 ACSR 395

Australian Securities and Investments Commission v MLC Nominees Pty Ltd [2020] FCA 1306; (2020) 147 ACSR 266

Australian Securities and Investments Commission v Monarch FX Group Pty Ltd [2014] FCA 1387; 103 ACSR 453

Australian Securities and Investments Commission v Stone Assets Management Pty Ltd [2012] FCA 630; (2012) 205 FCR 120

Australian Securities and Investments Commission v Warrenmang [2007] FCA 973; (2007) 63 ACSR 623

Australian Securities and Investments Commission v Westpac Banking Corporation (No 2) [2018] FCA 751; (2018) 266 FCR 147

Construction, Forestry, Mining and Energy Union v Cahill [2010] FCAFC 39; (2010) 269 ALR 1

Fair Work, NW Frozen Foods Pty Ltd v Australian Competition Commission [1996] FCA 1134; (1996) 71 FCR 285

Minister for Industry, Tourism and Resources v Mobil Oil Australia Pty Ltd [2004] FCAFC 72; (2004) ATPR 41-993

Seven Network Ltd v News Ltd [2009] FCAFC 166; (2009) 182 FCR 160

Singtel Optus Pty Ltd v Australian Competition and Consumer Commission [2012] FCAFC 20; (2012) 287 ALR 249

Story v National Companies and Securities Commission (1988) 13 NSWLR 661

Volkswagen Aktiengesellschaft v Australian Competition and Consumer Commission [2021] FCAFC 49; (2021) 284 FCR 24

Division: General Division
Registry: New South Wales
National Practice Area: Commercial and Corporations
Sub-area: Regulator and Consumer Protection
Number of paragraphs: 122
Date of hearing: 3 March 2022
Counsel for the Plaintiff: Dr S Pritchard SC and Mr R Davies
Solicitor for the Plaintiff: Australian Securities & Investments Commission
Counsel for the Defendants: Ms E Collins SC, Mr P Kulevski and Mr B Hancock
Solicitor for the Defendants: Clayton Utz

ORDERS

NSD 150 of 2021
BETWEEN:

AUSTRALIAN SECURITIES AND INVESTMENTS COMMISSION

Plaintiff

AND:

COMMONWEALTH SECURITIES LIMITED ACN 067 254 399

First Defendant

AUSTRALIAN INVESTMENT EXCHANGE LIMITED ACN 076 515 930

Second Defendant

ORDER MADE BY:

ABRAHAM J

DATE OF ORDER:

25 OCTOBER 2022

DEFINITIONS:

In these orders the following terms mean:

ASIC Act means the Australian Securities and Investments Commission Act 2001 (Cth).

ASX Rules means the ASIC Market Integrity Rules (ASX Market) 2010, in force between 1 August 2010 and 6 May 2018.

Corporations Act means the Corporations Act 2001 (Cth).

Exchange Markets Rules means the ASIC Market Integrity (Competition in Exchange Markets) Rules 2011, in force between 5 May 2011 and 6 May 2018.

Market Integrity Rules means the ASX Rules, the Exchange Markets Rules and the Securities Markets Rules.

Securities Markets Rules means the ASIC Market Integrity Rules (Securities Markets) 2017, in force between 7 May 2018 to the present.

PURSUANT TO S 21 OF THE FEDERAL COURT OF AUSTRALIA ACT 1976 (CTH), THE COURT DECLARES THAT:

1. By reason of:

(a) the conduct of the first defendant (CommSec) referred to in [4(a)-(m)] below (the CommSec Reported Conduct); and

(b) various failures in relation to systems, processes and people in the delivery of financial services identified in the internal root cause analysis conducted by CommSec in or around 2019 to identify common underlying factors in respect of the CommSec Reported Conduct (the CommSec Root Cause Analysis),

CommSec failed to do all things necessary, during the period 1 March 2015 to 18 June 2020, to ensure that the financial services covered by its AFSL were provided efficiently, honestly and fairly, in contravention of s 912A(1)(a) of the Corporations Act.

2. By reason of:

(a) the conduct of the second defendant (AUSIEX) referred to in [5(a)-(h)] below (the AUSIEX Reported Conduct); and

(b) various failures in relation to systems, processes and people in the delivery of financial services identified in the internal root cause analysis conducted by AUSIEX in or around 2019 to identify common underlying factors in respect of the AUSIEX Reported Conduct (the AUSIEX Root Cause Analysis),

AUSIEX failed to do all things necessary, during the period 1 March 2015 to February 2019, to ensure that the financial services covered by the AUSIEX License were provided efficiently, honestly and fairly, in contravention of s 912A(1)(a) of the Corporations Act.

3. CommSec contravened s 12DB of the ASIC Act by representing that it considered ASX CentrePoint (ASXCP) as an execution venue for orders when it did not in fact consider ASXCP as an execution venue for orders from ASB customers during the period 1 March 2015 to 26 March 2018.

PURSUANT TO S 1317E OF THE CORPORATIONS ACT 2001 (CTH) THE COURT DECLARES THAT:

4. CommSec contravened s 798H of the Corporations Act by reason of the following contraventions of the Market Integrity Rules:

(a) rule 2.1.3 of the ASX Rules and rule 2.1.3 of the Securities Markets Rules (as in force at the relevant time), by reason of CommSec’s failure to have in place appropriate supervisory policies and procedures to ensure brokerage services were provided in compliance with s 912A(1)(a) of the Corporations Act, from 1 March 2015 until the introduction of enhanced control reports between August 2018 and May 2019;

(b) rule 3.5.9 of the ASX Rules and Securities Markets Rules (as in force at the relevant time), by reason of CommSec’s failure to ensure that 1,237 reconciliations of trust accounts performed between 1 March 2015 and 23 March 2020, were accurate in all respects;

(c) rule 3.5.10 of the ASX Rules and Securities Markets Rules (as in force at the relevant time), by reason of CommSec’s failure to notify ASIC within 2 business days that a trust account reconciliation that was accurate in all respects had not been performed in accordance with rule 3.5.9 of the ASX Rules or Securities Markets Rules (as applicable) or that there was a deficiency of funds in its trust account according to a reconciliation performed pursuant to rule 3.5.9, on 9 occasions between 31 May 2018 and 28 November 2019;

(d) rule 3.4.1(1) of the ASX Rules and Securities Markets Rules (as in force at the relevant time), by reason of CommSec’s failure to provide trade confirmations as required with respect to 1,206 trade confirmations that were required to be issued between 1 March 2015 and 6 November 2019;

(e) rule 3.4.1(3)(a) of the ASX Rules and Securities Markets Rules (as in force at the relevant time), by reason of issuing confirmations in respect of market transactions in exchange traded options which did not accurately provide the information required to be included in a confirmation under Division 3 of Part 7.9 of the Corporations Act, being information the clients needed to understand the nature of the transaction to which the confirmations related, on 187,891 occasions between 1 March 2015 and 15 June 2019;

(f) rule 3.4.1(3)(f) of the ASX Rules and Securities Markets Rules (as in force at the relevant time), by reason of issuing equities trade confirmations which did not include a statement that the transaction involved a crossing (being a transaction in respect of which CommSec acted on behalf of both buying and selling clients to the transaction), in circumstances where the transaction did involve a crossing, on 17,307 occasions between 24 April 2017 and 29 April 2019;

(g) rule 4.2.1(1)(h) of the ASX Rules and the Securities Markets Rules (as in force at the relevant time), by reason of CommSec’s failure to maintain accurate records in sufficient detail in relation to confirmations issued between 1 March 2015 and 1 December 2018 for rebooked trades through CommSec, since CommSec did not maintain accurate records in sufficient detail to show particulars of the incorrect brokerage and ASX clear fees used to derive the total value following the rebooked trade shown in confirmations;

(h) rule 2.1.3 of the ASX Rules and the Securities Markets Rules (as in force at the relevant time), by reason of CommSec’s failure to have appropriate supervisory procedures in place between 1 March 2015 to October 2018, to ensure that trade confirmations issued by CommSec complied with the requirements of rule 3.4.1 and 4.2.1 of the Market Integrity Rules.

(i) rule 5.6.1(a) of the ASX Rules and the Securities Markets Rules (as in force at the relevant time), by reason of CommSec’s failure to have in place an appropriate automated pre-trade filter in the relevant automated order processing system through which orders from ASB customers were directed between 1 March 2015 and 1 November 2018, to detect possible trades where there would be no change in beneficial ownership;

(j) 5.6.3(1)(a) of the ASX Rules and the Securities Markets Rules (as in force at the relevant time), by reason of CommSec’s failure to ensure, between 1 March 2015 and 1 November 2018, that the relevant automated order processing system through which orders from ASB customers were directed, had in place appropriate organisational and technical resources (as evidenced by the failure in paragraph (i) above);

(k) rule 3.2.2 of the Exchange Markets Rules and 3.9.2 of the Securities Markets Rules (as in force at the relevant time), by reason of CommSec’s failure to comply with:

(i) its Best Execution Policy as published on its website between 1 March 2015 and 26 March 2018 in that ASX CentrePoint was not considered as an execution venue for ASB customers during that period; and

(ii) its Best Execution Policies and Procedures in the period June 2016 to February 2019, in so far as it failed to monitor best execution policy performance on a monthly basis, for each month in the month immediately following or shortly thereafter;

(l) rule 3.1.2(3) of the ASX Rules and the Securities Markets Rules (as in force at the relevant time), by reason of CommSec’s failure to provide an explanatory booklet in respect of warrants to 49 retail clients (who between them held 32 accounts) before accepting an order from a client to purchase a warrant on the market for the first time, during the period 1 March 2015 to 18 June 2020;

(m) rule 3.1.8 of the ASX Rules and the Securities Markets Rules (as in force at the relevant time), by reason of CommSec’s failure to enter into the required warrant agreement forms with those 49 retail clients (who between them held 32 accounts) prior to entering into a market transaction to buy warrants on behalf of the client, during the period 1 March 2015 to 18 June 2020, affecting 376 buy transactions during that period;

(n) rule 5A.2.1(1) of the Exchange Markets Rules and rule 7.4.2(1) of the Securities Markets Rules (as in force at the relevant time), by reason of CommSec’s failure to include the relevant intermediary identification (by reference to an AFSL number) in regulatory data submitted to relevant market operators on 84,196 occasions during the period 1 March 2015 and 18 July 2019.

5. AUSIEX contravened s 798H of the Corporations Act by reason of the following contraventions of the Market Integrity Rules:

(a) rule 3.5.9 of the ASX Rules and Securities Markets Rules (as in force at the relevant time), by reason of AUSIEX’s failure to ensure that 1,175 reconciliations of trust accounts performed between 1 March 2015 and 18 September 2019, were accurate in all respects;

(b) rule 3.5.10 of the ASX Rules and Securities Markets Rules (as in force at the relevant time), by reason of AUSIEX’s failure to notify ASIC within two business days that a trust account reconciliation that was accurate in all respects had not been performed in accordance with rule 3.5.9 of the ASX Rules or the Securities Markets Rules (as applicable) on 4 occasions between 6 June 2018 and 23 September 2019;

(c) rule 3.4.1(1) of the ASX Rules and Securities Markets Rules (as in force at the relevant time), by reason of AUSIEX’s failure to provide trade confirmations as required with respect to 3,424 trade confirmations that were required to be issued between 1 March 2015 and 27 November 2019;

(d) rule 3.4.1(3)(a) of the ASX Rules and Securities Markets Rules (as in force at the relevant time), by reason of issuing confirmations in respect of market transactions which did not accurately provide the information required to be included in a confirmation under Division 3 of Part 7.9 of the Corporations Act, being information the clients needed to understand the nature of the transaction to which the confirmations related, on 18,367 occasions between 9 November 2015 and 15 June 2019;

(e) rule 3.4.1(3)(f) of the ASX Rules and Securities Markets Rules (as in force at the relevant time), by reason of issuing equities trade confirmations which did not include a statement that the transaction involved a crossing (being a transaction in respect of which AUSIEX acted on behalf of both buying and selling clients to the transaction) in circumstances where the transaction did involve a crossing, on 297 occasions between 24 April 2017 and 7 May 2019;

(f) rule 4.2.1(1)(h) of the ASX Rules and the Securities Markets Rules (as in force at the relevant time), by reason of AUSIEX’s failure to maintain accurate records in sufficient detail to show particulars of the incorrect expiry date showing the “Liquidation Advice” section of confirmations issued between 1 March 2015 and 23 February 2019, since AUSIEX did not retain records containing the particulars of the incorrect expiry date shown on confirmations issued to customers during that time;

(g) rule 2.1.3 of the ASX Rules and the Securities Markets Rules (as in force at the relevant time), by reason of AUSIEX’s failure to have appropriate supervisory procedures in place between 1 March 2015 to October 2018, to ensure that trade confirmations issued by AUSIEX complied with the requirements of rule 3.4.1 and 4.2.1 of the Market Integrity Rules;

(h) rule 3.2.2 of the Exchange Markets Rules and 3.9.2 of the Securities Markets Rules (as in force at the relevant time), by reason of AUSIEX’s failure to comply with its Best Execution Policies and Procedures in the period June 2016 to February 2019, in so far as it failed to monitor best execution policy performance on a monthly basis, for each month in the month immediately following or shortly thereafter;

(i) rule 5A.2.1(1) of the Exchange Markets Rules and rule 7.4.2(1) of the Securities Markets Rules (as in force at the relevant time), by reason of AUSIEX’s failure to include the relevant intermediary identification (by reference to an AFSL number) in regulatory data submitted to relevant market operators on 113 occasions during the period 27 October 2016 and 12 August 2019.

THE COURT ORDERS THAT:

6. Pursuant to s 12GBA of the ASIC Act and s 1317G of the Corporations Act, CommSec pay to the Commonwealth a pecuniary penalty in the amount of $20 million in relation to the contraventions of s 12DB of the ASIC Act and s 798H of the Corporations Act referred to at [3] and [4] above.

7. Pursuant to s 1317G of the Corporations Act, AUSIEX pay to the Commonwealth a pecuniary penalty in the amount of $7.12 million in relation to the contraventions of s 798H of the Corporations Act referred to at [5] above.

8. Pursuant to s 1101B of the Corporations Act, CommSec implement the agreed compliance plan set out at Schedule 1 to these orders.

9. Pursuant to s 1101B of the Corporations Act, AUSIEX implement the agreed compliance plan set out at Schedule 2 to these orders.

10. CommSec and AUSIEX pay the plaintiff’s costs of the proceeding to be agreed or assessed.

Note:   Entry of orders is dealt with in Rule 39.32 of the Federal Court Rules 2011.

SCHEDULE 1

COMMSEC COMPLIANCE PROGRAMME

1.1 Definitions: In addition to terms defined elsewhere in this document the following definitions apply:

AFSL means Australian Financial Services Licence.

ASIC means the Australian Securities and Investments Commission.

ASIC Act means Australian Securities and Investments Commission Act 2001.

ASX Rules means the ASIC Market Integrity Rules (ASX Market) 2010.

Business Day means a day (other than a Saturday, Sunday or public holiday) on which market participants are open for general business in Sydney.

Compliance Programme means the compliance programme orders pursuant to section 1101B of the Corporations Act.

CommSec means Commonwealth Securities Limited ACN 067 254 399.

Competition Rules means ASIC Market Integrity (Competition in Exchange Markets) Rules 2011.

Corporations Act means the Corporations Act 2001 (Cth).

Orders of the Court means the orders made by the Court pursuant to section 1101B of the Corporations Act.

Independent Expert means the Independent Expert engaged by CommSec in accordance with paragraph 12.

Leadership Team means the leadership team responsible for CommSec business activities.

Market Integrity Rules means the ASX Rules, Competition Rules and Securities Markets Rules.

Market Participant means a person allowed to directly participate in a Market (as defined in the Market Integrity Rules).

Project Rampart means the internal project instigated by CommSec and AUSIEX in 2018 to review systems and processes regarding trust reconciliation and to remediate their trust account issues. 

Project Umbrella means the internal project instigated by CommSec and AUSIEX in 2018 following identification of the Trade Confirmation Issues.

Relevant Provisions means those sections of the ASIC Act, the Corporations Act and the Market Integrity Rules identified in the SOAFAC (as defined below in paragraph 1.2) that are admitted to have been contravened by CommSec in the SOAFAC.

Reported Conduct has the meaning given in Schedule 1.

Securities Markets Rules means ASIC Market Integrity Rules (Securities Markets) 2017.

Systems and Controls means the systems and controls in place at CommSec which relate to the financial services provided by CommSec as a Market Participant under CommSec's AFSL, including:

a.   Technology and technological governance, including the technology strategy, enterprise architecture that maps the business and technology capabilities, target operating model, approach to system deployment and ensuring system compatibility;

b.   Oversight function, including roles and responsibilities, reporting lines and governance;

c.   Control mechanisms, processes and policies, including on design approval, testing, incident management and change management;

d.   Human resources, skills and competencies; and

e.   Operational risk management, including, delivery and ongoing operation of a) to c.

1.2 The Statement of Agreed Facts and Contraventions (SOAFAC) sets out the factual basis for the admitted contraventions by CommSec of the Corporations Act, Market Integrity Rules and the ASIC Act. A summary is contained at Annexure A of the SOAFAC.

1.3 As described in Section L of the SOAFAC, CommSec has undertaken an assessment of the causes of the Reported Conduct and has categorised the types of causes identified as relating to one or more of the following categories, at a high level: people, systems and processes. In particular, the Reported Conduct primarily relates to failures across multiple systems, processes and business areas, including both legacy and current systems. The specific root cause categorisations assigned to the Reported Conduct are set out at paragraph 558 of the SOAFAC (Root Causes) and include, but are not limited to:

a.   business requirements incorrectly coded/inadequately incorporated in system specifications;

b.   inadequate/ineffective testing of specified system requirements;

c.   system specification, including user requirements, were not adequately captured;

d.   outdated and/or incompatible system/software versions;

e.   current standards, policies and/or procedures may not be adequately designed to address or clearly describe risks and/or related controls; and

f.    inadequate design and development of change (scoping, approval and assessment, etc.).

1.4 ASIC considers the number, breadth and duration of the Reported Conduct to be indicative of material failures in broader systems and controls at CommSec. The scope of this Compliance Programme is designed to take a holistic approach to CommSec’s Systems and Controls relevant to the Reported Conduct and/or its Root Causes.

Phase 1

2.    Phase 1 Review

2.1 The Independent Expert (IE) will be required to conduct and complete a review, testing and assessment (Phase 1 Review) of the following matters:

a.   the adequacy and effectiveness of existing remediation (where relevant) relating to the Reported Conduct and its Root Causes, including but not limited to, Project Rampart and Project Umbrella; and

b.   the adequacy and effectiveness of all Systems and Controls;

such that reasonable steps have been taken by CommSec to ensure current and ongoing compliance with the Relevant Provisions.

3.   Phase 1 Report

3.1 CommSec will instruct the IE to provide a written report, in relation to the Phase 1 Review (Phase 1 Report) which includes the following:

a.   a statement containing details of any gap, weakness, risk or deficiency of the existing remediation and the Systems and Controls identified during the course of the Phase 1 Review (Deficiencies), as well as details of the cause of any Deficiencies;

b.   assessment and benchmarking of any Deficiencies against existing internationally recognised standards, such as:

i. ISO 31000: Risk management;

ii. ISO/IEC 38500: 2015 Information technology – Governance of IT for the organisation;

iii. COBIT 5, and

c.   if any Deficiency is identified:

i. details of how the Deficiency impacts the assessments required by the Phase 1 Review at paragraph 2;

ii. recommendations on how to rectify identified Deficiencies; and

d.   if no Deficiency is identified, or recommendation made, an explicit statement as to whether the IE has determined in the course of the Phase 1 Review:

i. that existing remediation resulting from the Reported Conduct and its Root Causes (where applicable) is adequate and effective; and

ii. that all Systems and Controls are adequate and effective,

such that CommSec has taken reasonable steps to ensure current and ongoing compliance with the Relevant Provisions.

3.2 CommSec must ensure that the terms of the IE engagement require the IE:

a.   to conduct the Phase 1 Review and deliver the Phase 1 Report to CommSec and ASIC within 4 months after the date of the appointment of the IE (or such longer period as agreed in writing by ASIC and CommSec);

b.   to hold monthly bilateral meetings with ASIC to provide ASIC with updates in relation to the Phase 1 Review and the Phase 1 Report (or such longer period as agreed in writing by ASIC); and

c.   if requested by ASIC, also hold tripartite meetings with CommSec and ASIC in relation to the Phase 1 Review and the Phase 1 Report.

4.   Phase 1 Remedial Action Plan

4.1 CommSec will address all Deficiencies identified in the Phase 1 Report and any recommendations to rectify all Deficiencies by the IE and develop a plan (Phase 1 Remedial Action Plan) to rectify any such Deficiencies and address the IE’s recommendations from the Phase 1 Report in accordance with this paragraph 4.

4.2 Any Phase 1 Remedial Action Plan must:

a.   detail the action CommSec proposes to take to address the recommendations identified in the Phase 1 Report to rectify the Deficiencies;

b.   specify the date by which each action will be taken;

c.   identify a suitably senior and qualified representative of CommSec to be responsible for implementation and timely and effective delivery of each action under the Phase 1 Remedial Action Plan; and

d.   detail any accelerated remedial action for any recommendation identified in the Phase 1 Report to be of high priority.

4.3 In developing a Phase 1 Remedial Action Plan, CommSec must:

a.   work with the IE to produce actions to address the Deficiencies and recommendations identified in the Phase 1 Report;

b.   meet with the IE and ASIC no later than 1 month prior to the submission of the Phase 1 Remedial Action Plan to ASIC and the IE in accordance with the time frame set out in paragraph 4.4(a), for discussion of any proposed implementation of the IE recommendations from the Phase 1 Review, including the proposed terms of any Phase 1 Remedial Action Plan;

c.   within 3 Business Days of the meeting held in accordance with paragraph 4.3 (b), provide ASIC and the IE with a draft of the proposed Phase 1 Remedial Action Plan; and

d.   make any reasonable modifications to the proposed Phase 1 Remedial Action Plan requested by:

i. ASIC, provided ASIC has made such a request within 20 Business Days (or such longer period as agreed in writing by ASIC and CommSec) after ASIC was provided with a draft of the proposed Phase 1 Remedial Action Plan in accordance with paragraph 4.3(c); or

ii. the IE, provided the IE has made such a request within 10 Business Days (or such later date as agreed) after the IE was provided with a draft of the proposed Phase 1 Remedial Action Plan in accordance with paragraph 4.3(c).

4.4 CommSec must:

a.   provide the Phase 1 Remedial Action Plan to ASIC and the IE within 3 months following receipt of the Phase 1 Report (or such longer period as ASIC approves in writing); and

b.   seek written confirmation from ASIC that it has no objections to the terms of the Phase 1 Remedial Action Plan, such confirmation not to be unreasonably withheld and upon receipt of that confirmation, the Phase 1 Remedial Action Plan will be finalised in the terms that are subject to the confirmation; and

c.   meet with ASIC on a monthly basis to provide progress updates in relation to the implementation of the Phase 1 Remedial Action Plan.

4.5 CommSec must, within 5 Business Days of implementation of all of the actions required under the Phase 1 Remedial Action Plan, provide written notification to ASIC and the IE that the Phase 1 Remedial Action Plan has been fully implemented.

4.6 If the Phase 1 Report does not identify any Deficiencies or include any recommendation by the IE, there will be no Phase 2 Review.

Phase 2

5.   Phase 2 Review

5.1 CommSec will instruct the IE to conduct and complete a review which includes testing and assessment of the following matters (Phase 2 Review):

a.   whether the actions (if any) implemented from the Phase 1 Remedial Action Plan have rectified the Deficiencies and addressed the recommendations made by the IE in the Phase 1 Report; and

b.   the effectiveness of CommSec’s implementation of any recommendations and actions arising from the Phase 1 Report; and

if any Deficiency still exists, to provide further recommendations to adequately and effectively rectify the Deficiency.

5.2 CommSec must ensure that the terms of the IE engagement require the IE:

a.   to commence the Phase 2 Review within 3 months after the date of the implementation of the Phase 1 Remedial Action Plan or such alternative time agreed with ASIC (such agreement not to be unreasonably withheld); and

b.   to provide ASIC with monthly progress updates (or such longer period as agreed in writing by ASIC and CommSec) in relation to the Phase 2 Review and the Final Report (as defined below).

6.   Final Report

6.1 CommSec will instruct the IE to produce and deliver a report, in relation to the Phase 2 Review (Final Report) which includes:

a.   details of the outcome of the testing and assessment set out at paragraph 5.1 above; and

b.   a statement as to whether each of the actions set out in the Phase 1 Remedial Action Plan have been effectively implemented; and

c.   any further recommendation that the IE considers is necessary or appropriate for CommSec to implement in order to ensure:

i. any actions in the Phase 1 Remedial Action Plan that the IE considers have not been effectively implemented are effectively implemented; and

ii. any Deficiencies are adequately and effectively rectified; and

d.   if no Deficiency is identified or recommendation made, an explicit statement as to whether the IE has determined in the course of the Phase 2 Review:

i. that Phase 1 Remedial Action Plan was adequate and effective in addressing the Deficiencies identified and recommendations made by the IE in the Phase 1 Report; and

ii. that all Systems and Controls are adequate and effective,

such that CommSec has taken reasonable steps to ensure current and ongoing compliance with the Relevant Provisions.

6.2 CommSec must ensure that the terms of the engagement require the IE to:

a.   deliver the Final Report to CommSec and ASIC within 2 months after the date of commencement of the Phase 2 Review (or such longer period as agreed in writing between ASIC and CommSec);

b.   hold monthly bilateral meetings with ASIC to provide ASIC updates in relation to the Phase 2 Review and the Final Report (or such longer period as agreed in writing by ASIC); and

c.   if requested by ASIC, hold tripartite meetings with CommSec and ASIC in relation to the Phase 2 Review and the Final Report.

7.   Phase 2 Remedial Action Plan

7.1 CommSec will be required to address all Deficiencies identified in the Final Report and the recommendations to rectify them by the IE in the Final Report and, if there are any, develop a plan (Phase 2 Remedial Action Plan) to rectify each Deficiency and address the IE’s recommendations from the Final Report. If the Final Report does not identify any Deficiencies and the IE has determined in the course of the Phase 2 Review that the recommendations in the Phase 1 Report have been effectively addressed and actions in the Phase 1 Remedial Action Plan have been effectively implemented (as contemplated in the statement at 6.1(d)), then there will be no Phase 2 Remedial Action Plan.

7.2 Any Phase 2 Remedial Action Plan must:

a.   detail the action CommSec will take to rectify any Deficiency identified in the Final Report and address the IE’s recommendations in the Final Report (if any); and

b.   set out the proposed timeline for completing implementation of each action required under the Phase 2 Remediation Action Plan; and

c.   identify a suitably senior and qualified representative of CommSec to be responsible for implementation and timely and effective delivery of each action under the Phase 2 Remediation Action Plan; and

d.   detail any accelerated remedial action for any recommendation identified in the Final Report to be of high priority.

7.3 In developing any Phase 2 Remedial Action Plan, CommSec must:

a.   produce actions to address the Deficiencies and recommendations identified by the IE in the Final Report (if any); and

b.   meet with the IE and ASIC no later than 1 month prior to the submission of the Phase 2 Remedial Action Plan to ASIC and the IE in accordance with the time frame set out in paragraph 7.4(a) for discussion of any proposed implementation of the IE recommendations from the Phase 2 Review, including the proposed terms of any Phase 2 Remedial Action Plan; and

c.   within 3 Business Days of the meeting held in accordance with paragraph 7.3 (b), provide ASIC and the IE with a draft of the proposed Phase 2 Remedial Action Plan; and

d.   make any reasonable modifications to the proposed Phase 2 Remedial Action Plan requested by:

i. ASIC, provided ASIC has made such a request within 20 Business Days after ASIC was provided with a draft of the proposed Phase 2 Remedial Action Plan in accordance with paragraph 7.3(c); or

ii. the IE, provided the IE has made such a request within 10 Business Days after the IE was provided with a draft of the proposed Phase 2 Remedial Action Plan in accordance with paragraph 7.3(c).

7.4 CommSec must:

a.   provide the Phase 2 Remedial Action Plan to ASIC and the IE within 3 months following receipt of the Final Report (or such longer period as ASIC approves in writing);

b.   seek written confirmation from:

i. ASIC that it has no objection to the terms of the Phase 2 Remediation Action Plan, such confirmation not to be unreasonably withheld; and

ii. the IE that the Phase 2 Remedial Action Plan will, in the professional judgment of the IE, if implemented, satisfactorily address the Deficiencies and the recommendations made by the IE in the Final Report,

and upon receipt of those confirmations, the Phase 2 Remedial Action Plan will be finalised in the terms that are subject to the confirmations; and

c.   meet with ASIC on a monthly basis to provide progress updates in relation to implementation of the Phase 2 Remedial Action Plan including if the implementation of the Phase 2 Remedial Action Plan is likely to be delayed. If the Phase 2 Remedial Action Plan is likely to be delayed, CommSec must seek ASIC’s agreement to amend the deadline for the implementation of the Phase 2 Remedial Action Plan, such agreement not to be unreasonably withheld.

7.5 CommSec must, within 5 Business Days after the implementation of the actions required under any Phase 2 Remedial Action Plan, provide written confirmation to ASIC that the Phase 2 Remedial Action Plan is fully implemented.

8.   Attestation

8.1 ASIC is to be provided a written statement on behalf of CommSec, signed by the Executive General Manager of CommSec (or equivalent position, as agreed by ASIC) attesting to the following matters (Attestation):

a.   that he or she has read and understood the Phase 1 Report and any Final Report; and

b.   if any remedial actions were required in response to the IE’s recommendations set out in the Phase 1 Report or the Final Report, states whether he or she believes, having made reasonable enquiries, that CommSec has implemented the actions identified in the Phase 1 Remedial Action Plan and if applicable, the Phase 2 Remedial Action Plan; and

c.   states, whether he or she believes, having made reasonable enquiries:

i. that the remediation relating to the Reported Conduct and its Root Causes (where applicable) has been adequate and effective; and

ii. the Systems and Controls are adequate and effective,

such that, reasonable steps have been taken by CommSec to ensure current and ongoing compliance with the Relevant Provisions.

8.2 The Attestation will be provided to ASIC at the earlier of:

a.   20 Business Days following the delivery by the IE of the Phase 1 Report, if the Phase 1 Report identifies no Deficiencies and makes no recommendations, which contains the statement contemplated in paragraph 3.1(d);

b.   20 Business Days following the delivery by the IE of the Final Report, if the Final Report identifies no Deficiencies and makes no recommendations;

c.   20 Business Days following the giving of the written notice to ASIC referred to in paragraph 7.5; or

d.   such other date agreed in writing between ASIC and CommSec.

8.3 In the event that:

a.   CommSec does not provide the Attestation to ASIC by the time required in paragraph 8.2; or

b.   ASIC considers (acting reasonably) that the Attestation is in terms which are unacceptable;

ASIC may notify CommSec in writing accordingly and provide CommSec with 20 Business Days (or such longer period as ASIC approves in writing) to respond. If CommSec fails to respond, ASIC may commence proceedings to enforce compliance with the Court's Orders.

9.   Ending of the Compliance Programme

9.1 The Compliance Programme will end following compliance with all obligations under the Court’s Order including compliance with the Attestation clause referred to in paragraph 8 above.

10. Other

10.1 The Phase 1 Report, any Final Report, any Phase 1 Remedial Action Plan and any Phase 2 Remedial Action Plan, including a list of concluded actions, must be provided to the Leadership Team and Board of Directors of CommSec.

10.2 CommSec will, within a reasonable period of receiving a request from ASIC, provide all documents and information reasonably requested by ASIC from time to time for the purposes of assessing CommSec’s compliance with the Compliance Programme, including any correspondence with the IE, other than any documents or information subject to a claim of legal professional privilege.

10.3 CommSec will be responsible for the costs of its compliance with the Compliance Programme.

10.4 CommSec and/or ASIC may apply to the Court for a variation of the terms of this Compliance Programme at any time and the Compliance Programme is subject to the Orders of the Court from time to time.

11. Non-compliance

11.1 CommSec must notify ASIC as soon as reasonably practicable and in any event within 10 Business Days after becoming aware of any failure to comply with the Orders of the Court.

11.2 If CommSec fails to comply with the Orders of the Court, ASIC may commence proceedings to enforce compliance, following:

a.   written notice to CommSec of ASIC’s intention to commence proceedings; and

b.   providing CommSec with 20 Business Days (or such longer period as ASIC approves in writing) to respond.

12. Appointing the IE

12.1 CommSec must request ASIC to approve, within 30 Business Days of the date of the Orders of the Court, or within such longer period as may be agreed in writing by ASIC and CommSec:

a.   the appointment of the IE required for the purposes of the Compliance Programme which meets the criteria in paragraph 12.2 below;

b.   the draft terms of engagement for that IE that meet the requirements of the Compliance Programme; and

c.   if ASIC approves the nominated IE and draft terms of engagement following a request by CommSec under paragraph 12.1, CommSec undertakes to appoint the approved IE on the terms approved by ASIC, within 10 Business Days of receiving ASIC’s approval, or within such longer period as may be agreed by ASIC and CommSec.

12.2 The IE nominated by CommSec:

a.   must have the necessary expertise, experience and operational capacity to perform the role contemplated by the Compliance Programme; and

b.   must be independent of CommSec, its related bodies corporate and its officers and will at all material times be capable of exercising objective and impartial judgement.

12.3 The appointment of the IE must be approved by ASIC in writing before the appointment takes effect (such approval not to be unreasonably withheld).

12.4 CommSec will provide ASIC with any information, explanation or documents it requests for the purposes of determining whether to approve the appointment of the IE, subject to a claim of legal professional privilege.

12.5 CommSec must advise ASIC of the expertise and any prior association of the proposed IE with CommSec, its related bodies corporate and officers at the time approval is sought from ASIC.

13. Appointing a new independent expert

13.1 If the IE advises CommSec and ASIC in writing that he or she is unable to continue his or her appointment, or if the engagement is terminated because of an actual or potential conflict of interest of the IE that arises during the engagement, CommSec must within 15 Business Days (or such longer period agreed in writing with ASIC) after the ending or termination of the engagement, appoint and engage another independent expert in accordance with paragraph 12 (with such appointment to take effect for the remaining duration of the Compliance Programme).

14. Terms of engagement

14.1 The terms of engagement for the IE will be approved by ASIC in writing before the engagement takes effect (such approval not to be unreasonably withheld) and once ASIC has provided its approval, the terms of engagement may only be varied with the agreement of ASIC (acting reasonably).

14.2 CommSec must ensure that the terms of engagement provided to ASIC for approval under paragraph 12.1:

a.   require CommSec to engage the IE to perform the tasks necessary to fulfil CommSec’s obligations under the Compliance Programme;

b.   require CommSec to permit the IE, subject to any claim of legal professional privilege, to the extent that it is reasonable having regard to the requirements of this Compliance Programme, to have access to its books, to interview present employees, contractors, agents and/or consultants and to consult with ASIC and disclose to ASIC any further information obtained by the IE in the course of carrying out the engagement for the purposes of the Compliance Programme;

c.   require CommSec to give the IE any information, document, or explanation reasonably requested by the IE in relation to any matter in any way connected with the reports required to be prepared by the IE for the purposes of the Compliance Programme (other than information, documents or explanations subject to a claim of legal professional privilege);

d.   require CommSec to reasonably assist the IE in conducting the work required for the purposes of the Compliance Programme;

e.   include a statement to the effect that the work of the IE is being carried out for CommSec and ASIC, and acknowledging that ASIC is relying on the work of the IE;

f.    include a statement that, if requested by ASIC, ASIC is to be copied into all or some communications between CommSec and the IE;

g.   require that the IE provide ASIC with a copy of the final versions of the Phase 1 Report and any Final Report at the same time as the final version of each report is provided to CommSec;

h.   include an acknowledgement that in relation to the Phase 1 Report and any Final Report to be provided to ASIC and CommSec, ASIC may from time to time:

i. publicly refer to the content of the reports; and

ii. make public:

1. a summary of the content of the reports; or

2. a statement that refers to the content of the reports.

i.    require that the IE provide ASIC with a copy of its proposed work and testing plan in relation to the assessment, review and testing required for the purposes of the Compliance Programme;

j.    require that the IE must make any reasonable modifications to its work and testing plan requested by ASIC, provided ASIC has made such request within 10 Business Days after ASIC was provided with a copy of the proposed work and testing plan (or such longer period as agreed in writing by ASIC); and

k.   make provision for circumstances where an actual or potential conflict of interest arises in relation to the IE, including by requiring that the IE:

i. as soon as possible after becoming aware of an actual or potential conflict of interest that arises during the engagement, inform ASIC of the actual or potential conflict of interest;

ii. follow the reasonable directions of ASIC to effectively manage the actual or potential conflict of interest; and

iii. if the actual or potential conflict of interest cannot be effectively managed, follow the reasonable directions of ASIC to terminate the engagement.

15. ASIC public reporting

15.1 In relation to the Phase 1 Report, Final Report, any Phase 1 Remedial Action Plan, and any Phase 2 Remedial Action Plan arising from the IE’s recommendations, ASIC:

a.   may issue a media release referring to the outcome, content, or compliance with any of those reports or plans; and

b.   may from time to time publicly refer to the content of the written reports or plans, and may make available for public inspection a summary of the content of the written reports or plans, or a statement that refers to the content of those reports or plans.

15.2 In relation to the Compliance Programme, ASIC:

a.   may issue a media release on the Compliance Programme ordered by the Court, refer to any such order, and refer to the concerns of ASIC which led to the court-ordered Compliance Programme; and

b.   may from time to time publicly refer to the Compliance Programme.

15.3 In relation to paragraph 15.1 and 15.2, ASIC will delete, remove or redact any information prior to publication if (acting reasonably) ASIC is satisfied that the information:

a. is personal information (as defined in the Privacy Act 1988 (Cth));

b.   should not be disclosed because it would be against the public interest to do so; or

c.   contains information that would be unreasonable to release because the release of the information would unreasonably affect the business, commercial or financial affairs of CommSec.

16. Interpretation of Compliance Programme

16.1 In the event that CommSec and the IE are unable to agree on the interpretation of any matter the subject of this Compliance Programme, CommSec and the IE must use reasonable efforts to resolve the disagreement and if unable to do so, may request a meeting with ASIC to discuss the matter in an effort to resolve the disagreement. If ASIC requests, each of CommSec and the IE are to provide ASIC with a written submission as to the matter in dispute 3 Business Days before any such meeting.

Schedule A

The Reported Conduct is:

a.   incorrect brokerage fees charged by CommSec, as detailed at paragraphs [23] to [68] of the SOAFAC (Brokerage Issue);

b.   breaches of client money and trust account requirements by CommSec, as detailed at paragraphs [86] to [165] of the SOAFAC, (Client Money Issue);

c.   inaccuracies in trade confirmations sent or failure to send trade confirmations as required by CommSec, as detailed at paragraphs [237] to [323] of the SOAFAC (Trade Confirmations Issue);

d.   inadequate automated order processing (AOP) filter by CommSec to determine no change in beneficial ownership (NCBO), as detailed at paragraphs [445] to [454] of the SOAFAC (AOP Issue);

e.   best execution obligations failures by CommSec, as detailed at paragraph [457] to [481] of the SOAFAC (Best Execution Issue);

f.    trading of warrants on CommSec client accounts without having provided a copy of the current explanatory statement in respect of warrants published by the relevant market operator and without a valid Warrant Agreement Form (WAF) on record, as detailed at paragraphs [494] to [506] of the SOAFAC (Warrant Agreement Issue); and

g.   failure to adhere to regulatory data requirements by CommSec, as detailed at paragraphs [511] to [521] of the SOAFAC (Regulatory Data Issue).

SCHEDULE 2

AUSIEX COMPLIANCE PROGRAMME

1.1 Definitions: In addition to terms defined elsewhere in this document the following definitions apply:

AFSL means Australian Financial Services Licence.

ASIC means the Australian Securities and Investments Commission.

ASIC Act means Australian Securities and Investments Commission Act 2001.

ASX Rules means the ASIC Market Integrity Rules (ASX Market) 2010.

AUSIEX means the Australian Investment Exchange Limited ACN 076 515 930.

Business Day means a day (other than a Saturday, Sunday or public holiday) on which market participants are open for general business in Sydney.

Compliance Programme means the compliance programme orders pursuant to section 1101B of the Corporations Act.

Competition Rules means ASIC Market Integrity (Competition in Exchange Markets) Rules 2011.

Corporations Act means the Corporations Act 2001 (Cth).

Orders of the Court means the orders made by the Court pursuant to section 1101B of the Corporations Act.

Independent Expert means the Independent Expert engaged by AUSIEX in accordance with paragraph 12.

Leadership Team means the Chief Executive Officer of AUSIEX and his or her direct reports.

Market Integrity Rules means the ASX Rules, Competition Rules and Securities Markets Rules.

Market Participant means a person allowed to directly participate in a Market (as defined in the Market Integrity Rules).

NRI means Nomura Research Institute, Ltd.

Project Rampart means the internal project instigated by CommSec and AUSIEX in 2018 to review systems and processes regarding trust reconciliation and to remediate their trust account issues. 

Project Umbrella means the internal project instigated by CommSec and AUSIEX in 2018 following identification of the Trade Confirmation Issues.

Relevant Provisions means those sections of the ASIC Act, the Corporations Act and the Market Integrity Rules identified in the SOAFAC (as defined below in paragraph 1.2) that are admitted to have been contravened by AUSIEX in the Statement of Agreed Facts and Contraventions.

Reported Conduct has the meaning given in Schedule 1.

Sale means the agreement to sell AUSIEX to a subsidiary of NRI announced on 28 April 2020.

Securities Markets Rules means ASIC Market Integrity Rules (Securities Markets) 2017.

Systems and Controls means the systems and controls in place at AUSIEX after completion of the Sale that relate to the financial services provided by AUSIEX as a Market Participant under AUSIEX's AFSL, including:

a.   Technology and technological governance, including the technology strategy, enterprise architecture that maps the business and technology capabilities, target operating model, approach to system deployment and ensuring system compatibility;

b.   Oversight function, including roles and responsibilities, reporting lines and governance;

c.   Control mechanisms, processes and policies, including on design approval, testing, incident management and change management;

d.   Human resources, skills and competencies; and

e.   Operational risk management, including, delivery and ongoing operation of a) to d).

1.2 The Statement of Agreed Facts and Contraventions (SOAFAC) sets out the factual basis for the admitted contraventions by AUSIEX of the Corporations Act, Market Integrity Rules and the ASIC Act. A summary is contained at Annexure A of the SOAFAC.

1.3 As described in Section L of the SOAFAC, AUSIEX has undertaken an assessment of the causes of the Reported Conduct and has categorised the types of causes identified as relating to one or more of the following categories, at a high level: people, systems and processes. In particular, the Reported Conduct primarily relates to failures across multiple systems, processes and business areas, including both legacy and current systems. The specific root cause categorisations assigned to the Reported Conduct are set out at paragraph 568 of the SOAFAC (Root Causes) and include, but are not limited to:

a.   inadequate/ineffective testing of specified system requirements;

b.   system specification, including user requirements, were not adequately captured; and

c.   current standards, policies and/or procedures may not be adequately designed to address or clearly describe risks and/or related controls.

1.4 ASIC considers the number, breadth and duration of the Reported Conduct to be indicative of material failures in broader systems and controls at AUSIEX. The scope of this Compliance Programme is designed to take a holistic approach to AUSIEX’s Systems and Controls relevant to the Reported Conduct and/or its Root Causes.

Phase 1

2.   Phase 1 Review

2.1 The Independent Expert (IE) will be required to conduct and complete a review, testing and assessment (Phase 1 Review) of the following matters:

a.   the adequacy and effectiveness of existing remediation (where relevant) relating to the Reported Conduct and its Root Causes, including but not limited to, Project Rampart and Project Umbrella; and

b.   the adequacy and effectiveness of all Systems and Controls;

such that reasonable steps have been taken by AUSIEX to ensure current and ongoing compliance with the Relevant Provisions.

AUSIEX may make submissions to the IE and ASIC and the IE and ASIC may agree that certain Systems and Controls are outside the scope of the IE’s review because AUSIEX intends to replace that system or control as part of its transition to a new control environment following completion of its sale to NRI.

3.   Phase 1 Report

3.1 AUSIEX will instruct the IE to provide a written report, in relation to the Phase 1 Review (Phase 1 Report) which includes the following:

a.   a statement containing details of any gap, weakness, risk or deficiency of the existing remediation and the Systems and Controls identified during the course of the Phase 1 Review (Deficiencies), as well as details of the cause of any Deficiencies;

b.   assessment and benchmarking of any Deficiencies against existing internationally recognised standards, such as:

i. ISO 31000: Risk management;

ii. ISO/IEC 38500: 2015 Information technology – Governance of IT for the organisation;

iii. COBIT 5, and

c.   if any Deficiency is identified:

iv. details of how the Deficiency impacts the assessments required by the Phase 1 Review at paragraph 2;

v. recommendations on how to rectify identified Deficiencies; and

d.   if no Deficiency is identified, or recommendation made, an explicit statement as to whether the IE has determined in the course of the Phase 1 Review:

i. that existing remediation resulting from the Reported Conduct and its Root Causes (where applicable) is adequate and effective; and

ii. that all Systems and Controls are adequate and effective,

in order to ensure that AUSIEX has taken reasonable steps to ensure current and ongoing compliance with the Relevant Provisions.

3.3 AUSIEX must ensure that the terms of the IE engagement require the IE:

a.   to conduct the Phase 1 Review and deliver the Phase 1 Report to AUSIEX and ASIC within 18 weeks after the latter of the Sale or the date of the appointment of the IE (or such longer period as agreed in writing by ASIC and AUSIEX);

b.   to hold monthly bilateral meetings with ASIC to provide ASIC with updates in relation to the Phase 1 Review and the Phase 1 Report (or such longer period as agreed in writing by ASIC); and

c.   if requested by ASIC, also hold tripartite meetings with AUSIEX and ASIC in relation to the Phase 1 Review and the Phase 1 Report.

4.   Phase 1 Remedial Action Plan

4.1 AUSIEX will consider all Deficiencies identified in the Phase 1 Report and any recommendations to rectify all Deficiencies by the IE and develop a plan (Phase 1 Remedial Action Plan) to rectify any such Deficiencies and address any IE’s recommendations from the Phase 1 Report in accordance with this paragraph 4.

4.2 Any Phase 1 Remedial Action Plan must:

a.   detail the action AUSIEX proposes to take to address the recommendations identified in the Phase 1 Report to rectify the Deficiencies;

b.   specify the date by which each action will be taken;

c.   identify a suitably senior and qualified representative of AUSIEX to be responsible for implementation and timely and effective delivery of each action under the Phase 1 Remedial Action Plan; and

d.   detail any accelerated remedial action for any recommendation identified in the Phase 1 Report to be of high priority.

4.3 In developing a Phase 1 Remedial Action Plan, AUSIEX must:

a.   work with the IE to produce actions to address the Deficiencies and recommendations identified in the Phase 1 Report;

b.   meet with the IE and ASIC no later than 1 month prior to the submission of the Phase 1 Remedial Action Plan to ASIC and the IE in accordance with the time frame set out in paragraph 4.4(a), for discussion of any proposed implementation of the IE recommendations from the Phase 1 Review, including the proposed terms of any Phase 1 Remedial Action Plan;

c.   within 3 Business Days of the meeting held in accordance with paragraph 4.3 (b), provide ASIC and the IE with a draft of the proposed Phase 1 Remedial Action Plan; and

d.   make any reasonable modifications to the proposed Phase 1 Remedial Action Plan requested by:

i. ASIC, provided ASIC has made such a request within 20 Business Days (or such longer period as agreed in writing by ASIC and AUSIEX) after ASIC was provided with a draft of the proposed Phase 1 Remedial Action Plan in accordance with paragraph 4.3(c); or

ii. the IE, provided the IE has made such a request within 10 Business Days (or such later date as agreed) after the IE was provided with a draft of the proposed Phase 1 Remedial Action Plan in accordance with paragraph 4.3(c).

4.4 AUSIEX must:

a.   provide the Phase 1 Remedial Action Plan to ASIC and the IE within 2 months following receipt of the Phase 1 Report (or such longer period as ASIC approves in writing); and

b.   seek written confirmation from ASIC that it has no objections to the terms of the Phase 1 Remedial Action Plan, such confirmation not to be unreasonably withheld and upon receipt of that confirmation, the Phase 1 Remedial Action Plan will be finalised in the terms that are subject to the confirmation; and

c.   meet with ASIC on a monthly basis to provide progress updates in relation to the implementation of the Phase 1 Remedial Action Plan.

4.5 AUSIEX must, within 5 Business Days of implementation of all of the actions required under the Phase 1 Remedial Action Plan, provide written notification to ASIC and the IE that the Phase 1 Remedial Action Plan has been fully implemented.

4.6 If the Phase 1 Report does not identify any Deficiencies or include any recommendation by the IE, there will be no Phase 2 Review.

Phase 2

5.   Phase 2 Review

5.1 AUSIEX will instruct the IE to conduct and complete a review which includes testing and assessment of the following matters (Phase 2 Review):

a.   whether the actions (if any) implemented from the Phase 1 Remedial Action Plan have rectified the Deficiencies and addressed the recommendations made by the IE in the Phase 1 Report; and

b.   the effectiveness of AUSIEX’s implementation of any recommendations and actions arising from the Phase 1 Report, and

if any Deficiency still exists, to provide further recommendations to adequately and effectively rectify the Deficiency.

5.2 AUSIEX must ensure that the terms of the IE engagement require the IE:

a.   to commence the Phase 2 Review within 3 months after the date of the implementation of the Phase 1 Remedial Action Plan or such alternative time agreed with ASIC (such agreement not to be unreasonably withheld); and

b.   to provide ASIC with monthly progress updates (or such longer period as agreed in writing by ASIC and AUSIEX) in relation to the Phase 2 Review and the Final Report (as defined below).

6.   Final Report

6.1 AUSIEX will instruct the IE to produce and deliver a report, in relation to the Phase 2 Review (Final Report) which includes:

a.   details of the outcome of the testing and assessment set out at paragraph 5.1 above; and

b.   a statement as to whether each of the actions set out in the Phase 1 Remedial Action Plan have been effectively implemented; and

c.   any further recommendation that the IE considers is necessary or appropriate for AUSIEX to implement in order to ensure:

i. any actions in the Phase 1 Remedial Action Plan that the IE considers have not been effectively implemented are effectively implemented; and

ii. any Deficiencies are adequately and effectively rectified; and

d.   if no Deficiency is identified or recommendation made, an explicit statement as to whether the IE has determined in the course of the Phase 2 Review:

i. that Phase 1 Remedial Action Plan was adequate and effective in addressing the Deficiencies identified and recommendations made by the IE in the Phase 1 Report; and

ii. all Systems and Controls are adequate and effective,

such that AUSIEX has taken reasonable steps to ensure current and ongoing compliance with the Relevant Provisions.

6.2 AUSIEX must ensure that the terms of the engagement require the IE to:

a.   deliver the Final Report to AUSIEX and ASIC within 2 months after the date of commencement of the Phase 2 Review (or such longer period as agreed in writing between ASIC and AUSIEX);

b.   hold monthly bilateral meetings with ASIC to provide ASIC updates in relation to the Phase 2 Review and the Final Report (or such longer period as agreed in writing by ASIC); and

c.   if requested by ASIC, hold tripartite meetings with AUSIEX and ASIC in relation to the Phase 2 Review and the Final Report.

7.   Phase 2 Remedial Action Plan

7.1 AUSIEX will be required to address all Deficiencies identified in the Final Report and the recommendations to rectify them by the IE in the Final Report and, if there are any, develop a plan (Phase 2 Remedial Action Plan) to rectify each Deficiency and address the IE’s recommendations from the Final Report. If the Final Report does not identify any Deficiencies and the IE has determined in the course of the Phase 2 Review that the recommendations in the Phase 1 Report have been effectively addressed and actions in the Phase 1 Remedial Action Plan have been effectively implemented (as contemplated in the statement at 6.1(d)), then there will be no Phase 2 Remedial Action Plan.

7.2 Any Phase 2 Remedial Action Plan must:

a.   detail the action AUSIEX will take to rectify any Deficiency identified in the Final Report and address the IE’s recommendations in the Final Report (if any);

b.   set out the proposed timeline for completing implementation of each action required under the Phase 2 Remediation Action Plan;

c.   identify a suitably senior and qualified representative of AUSIEX to be responsible for implementation and timely and effective delivery of each action under the Phase 2 Remediation Action Plan; and

d.   detail any accelerated remedial action for any recommendation identified in the Final Report to be of high priority.

7.3 In developing any Phase 2 Remedial Action Plan, AUSIEX must:

a.   produce actions to address the Deficiencies and recommendations identified by the IE in the Final Report (if any); and

b.   meet with the IE and ASIC no later than 1 month prior to the submission of the Phase 2 Remedial Action Plan to ASIC and the IE in accordance with the time frame set out in paragraph 7.4(a) for discussion of any proposed implementation of the IE recommendations from the Phase 2 Review, including the proposed terms of any Phase 2 Remedial Action Plan; and

c.   within 3 Business Days of the meeting held in accordance with paragraph 7.3 (b), provide ASIC and the IE with a draft of the proposed Phase 2 Remedial Action Plan; and

d.   make any reasonable modifications to the proposed Phase 2 Remedial Action Plan requested by:

i. ASIC, provided ASIC has made such a request within 20 Business Days after ASIC was provided with a draft of the proposed Phase 2 Remedial Action Plan in accordance with paragraph 7.3(c); or

ii. the IE, provided the IE has made such a request within 10 Business Days after the IE was provided with a draft of the proposed Phase 2 Remedial Action Plan in accordance with paragraph 7.3(c).

7.4 AUSIEX must:

a.   provide the Phase 2 Remedial Action Plan to ASIC and the IE within 2 months following receipt of the Final Report (or such longer period as ASIC approves in writing); and

b.   seek written confirmation from:

i. ASIC that it has no objection to the terms of the Phase 2 Remediation Action Plan, such confirmation not to be unreasonably withheld; and

ii. the IE that the Phase 2 Remedial Action Plan will, in the professional judgment of the IE, if implemented, satisfactorily address the Deficiencies and recommendations made by the IE in the Final Report,

and upon receipt of those confirmations, the Phase 2 Remedial Action Plan will be finalised in the terms that are subject to the confirmations; and

c.   meet with ASIC on a monthly basis to provide progress updates in relation to implementation of the Phase 2 Remedial Action Plan including if the implementation of the Phase 2 Remedial Action Plan is likely to be delayed. If the Phase 2 Remedial Action Plan is likely to be delayed, AUSIEX must seek ASIC’s agreement to amend the deadline for the implementation of the Phase 2 Remedial Action Plan, such agreement not to be unreasonably withheld.

7.5 AUSIEX must, within 5 business days after the implementation of the actions required under any Phase 2 Remedial Action Plan, provide written confirmation to ASIC that the Phase 2 Remedial Action Plan is fully implemented.

8.   Attestation

8.1 ASIC is to be provided a written statement on behalf of AUSIEX, signed by the Chief Executive Officer of AUSIEX (or equivalent position, as agreed by ASIC) attesting to the following matters (Attestation):

a.   that he or she has read and understood the Phase 1 Report and any Final Report; and

b.   if any remedial actions were required in response to the IE’s recommendations set out in the Phase 1 Report or the Final Report, states whether he or she believes, having made reasonable enquiries, that AUSIEX has implemented the actions identified in the Phase 1 Remedial Action Plan and if applicable, the Phase 2 Remedial Action Plan; and

c.   states whether he or she believes, having made reasonable enquiries:

i. that the remediation relating to the Reported Conduct and its Root Causes (where applicable) has been adequate and effective; and

ii. the Systems and Controls are adequate and effective,

such that reasonable steps have been taken by AUSIEX to ensure current and ongoing compliance with the Relevant Provisions.

8.2 The Attestation will be provided to ASIC at the earlier of:

a.   20 business days following the delivery by the IE of the Phase 1 Report, if the Phase 1 Report identifies no Deficiencies and makes no recommendations, which contains the statement contemplated in paragraph 3.1(d);

b.   20 business days following the delivery by the IE of the Final Report, if the Final Report identifies no Deficiencies and makes no recommendations;

c.   20 business days following the giving of the written notice to ASIC referred to in paragraph 7.5; or

d.   such other date agreed in writing between ASIC and AUSIEX.

8.3 In the event that:

a.   AUSIEX does not provide the Attestation to ASIC by the time required in paragraph 8.2; or

b.   ASIC considers (acting reasonably) that the Attestation is in terms which are unacceptable;

ASIC may notify AUSIEX in writing accordingly and provide AUSIEX with 20 business days (or such longer period as ASIC approves in writing) to respond. If AUSIEX fails to respond, ASIC may commence proceedings to enforce compliance with the Court's Orders.

9.   Ending of the Compliance Programme

9.1 The Compliance Programme will end following compliance with all obligations under the Court’s Order including compliance with the Attestation clause referred to in paragraph 8 above.

10.   Other

10.1 The Phase 1 Report, any Final Report, any Phase 1 Remedial Action Plan and any Phase 2 Remedial Action Plan, including a list of concluded actions must be provided to the Leadership Team and Board of Directors of AUSIEX.

10.2 AUSIEX will, within a reasonable period of receiving a request from ASIC, provide all documents and information reasonably requested by ASIC from time to time for the purposes of assessing AUSIEX’s compliance with the Compliance Programme, including any correspondence with the IE, other than any documents or information subject to a claim of legal professional privilege.

10.3 AUSIEX will be responsible for the costs of its compliance with the Compliance Programme.

10.4 AUSIEX and/or ASIC may apply to the Court for a variation of the terms of this Compliance Programme at any time and the Compliance Programme is subject to the Orders of the Court from time to time.

11.   Non-compliance

11.1 AUSIEX must notify ASIC as soon as reasonably practicable and in any event within 10 business days after becoming aware of any failure to comply with the Orders of the Court.

12.   Appointing the IE

12.1 AUSIEX must request ASIC to approve, within 30 business days of the date of the Orders of the Court, or within such longer period as may be agreed in writing by ASIC and AUSIEX:

a.   the appointment of the IE required for the purposes of the Compliance Programme which meets the criteria in paragraph 12.2 below;

b.   the draft terms of engagement for that IE that meet the requirements of the Compliance Programme; and

c.   if ASIC approves the nominated IE and draft terms of engagement following a request by AUSIEX under paragraph 12.1, AUSIEX undertakes to appoint the approved IE on the terms approved by ASIC, within 10 Business Days of receiving ASIC’s approval, or within such longer period as may be agreed by ASIC and AUSIEX.

12.2 The IE nominated by AUSIEX:

a.   must have the necessary expertise, experience and operational capacity to perform the role contemplated by the Compliance Programme; and

b.   must be independent of AUSIEX, its related bodies corporate and its officers and will at all material times be capable of exercising objective and impartial judgement.

12.3 The appointment of the IE must be approved by ASIC in writing before the appointment takes effect (such approval not to be unreasonably withheld).

12.4 AUSIEX will provide ASIC with any information, explanation or documents it requests for the purposes of determining whether to approve the appointment of the IE, subject to a claim of legal professional privilege.

12.5 AUSIEX must advise ASIC of the expertise and any prior association of the proposed IE with AUSIEX, its related bodies corporate and officers at the time approval is sought from ASIC.

13.   Appointing a new independent expert

13.1 If the IE advises AUSIEX and ASIC in writing that he or she is unable to continue his or her appointment, or if the engagement is terminated because of an actual or potential conflict of interest of the IE that arises during the engagement, AUSIEX must within 15 business days (or such longer period agreed in writing with ASIC) after the ending or termination of the engagement, appoint and engage another independent expert in accordance with paragraph 12 (with such appointment to take effect for the remaining duration of the Compliance Programme).

14.   Terms of engagement

14.1 The terms of engagement for the IE will be approved by ASIC in writing before the engagement takes effect (such approval not to be unreasonably withheld) and once ASIC has provided its approval, the terms of engagement may only be varied with the agreement of ASIC (acting reasonably).

14.2 AUSIEX must ensure that the terms of engagement of the IE provided to ASIC for approval under paragraph 12.1:

a.   require AUSIEX to engage the IE to perform the tasks necessary to fulfil AUSIEX’s obligations under the Compliance Programme;

b.   require AUSIEX to permit the IE, subject to any claim of legal professional privilege, to the extent that it is reasonable having regard to the requirements of this Compliance Programme, to have access to its books, to interview present employees, contractors, agents and/or consultants and to consult with ASIC and disclose to ASIC any further information obtained by the IE in the course of carrying out the engagement for the purposes of the Compliance Programme;

c.   require AUSIEX to give the IE any information, document, or explanation reasonably requested by the IE in relation to any matter in any way connected with the reports required to be prepared by the IE for the purposes of the Compliance Programme (other than information, documents or explanations subject to a claim of legal professional privilege);

d.   require AUSIEX to reasonably assist the IE in conducting the work required for the purposes of the Compliance Programme;

e.   include a statement to the effect that the work of the IE is being carried out for AUSIEX and ASIC, and acknowledging that ASIC is relying on the work of the IE;

f.    include a statement that, if requested by ASIC, ASIC is to be copied into all or some communications between AUSIEX and the IE;

g.   require that the IE provide ASIC with a copy of the final versions of the Phase 1 Report and any Final Report at the same time as the final version of each report is provided to AUSIEX;

h.   include an acknowledgement that in relation to the Phase 1 Report and any Final Report to be provided to ASIC and AUSIEX, ASIC may from time to time:

i. publicly refer to the content of the reports; and

ii. make public:

1. a summary of the content of the reports; or

2. a statement that refers to the content of the reports.

i.    require that the IE provide ASIC with a copy of its proposed work and testing plan in relation to the assessment, review and testing required for the purposes of the Compliance Programme;

j.    require that the IE must make any reasonable modifications to its work and testing plan requested by ASIC, provided ASIC has made such request within 10 business days after ASIC was provided with a copy of the proposed work and testing plan (or such longer period as agreed in writing by ASIC); and

k.   make provision for circumstances where an actual or potential conflict of interest arises in relation to the IE, including by requiring that the IE:

i. as soon as possible after becoming aware of an actual or potential conflict of interest that arises during the engagement, inform ASIC of the actual or potential conflict of interest;

ii. follow the reasonable directions of ASIC to effectively manage the actual or potential conflict of interest; and

iii. if the actual or potential conflict of interest cannot be effectively managed, follow the reasonable directions of ASIC to terminate the engagement.

15.   ASIC public reporting

15.1 In relation to the Phase 1 Report, Final Report, any Phase 1 Remedial Action Plan, and any Phase 2 Remedial Action Plan arising from the IE’s recommendations, ASIC:

a.   may issue a media release referring to the outcome, content, or compliance with any of those reports or plans; and

b.   may from time to time publicly refer to the content of the written reports or plans, and may make available for public inspection a summary of the content of the written reports or plans, or a statement that refers to the content of those reports or plans.

15.2 In relation to the Compliance Programme, ASIC:

a.   may issue a media release on the Compliance Programme ordered by the Court, refer to any such order, and refer to the concerns of ASIC which led to the court-ordered Compliance Programme; and

b.   may from time to time publicly refer to the Compliance Programme.

15.3 In relation to paragraph 15.1 and 15.2, ASIC will delete, remove or redact any information prior to publication if (acting reasonably) ASIC is satisfied that the information:

a.   is personal information (as defined in the Privacy Act 1988 (Cth));

b.   should not be disclosed because it would be against the public interest to do so; or

c.   contains information that would be unreasonable to release because the release of the information would unreasonably affect the business, commercial or financial affairs of AUSIEX.

16.   Interpretation of Compliance Programme

16.1 In the event that AUSIEX and the IE are unable to agree on the interpretation of any matter the subject of this Compliance Programme, AUSIEX and the IE must use reasonable efforts to resolve the disagreement and if unable to do so, may request a meeting with ASIC to discuss the matter in an effort to resolve the disagreement. If ASIC requests, each of AUSIEX and the IE are to provide ASIC with a written submission as to the matter in dispute 3 Business Days before any such meeting.

Schedule A

The Reported Conduct is:

a.   breaches of client money and trust account requirements by AUSIEX, as set out in paragraphs [172] to [200] of the SOAFAC;

b.   inaccuracies in trade confirmations sent, or failure to send trade confirmations as required, by AUSIEX, as set out in paragraphs [336] to [430] of the SOAFAC;

c.   best execution obligations failures by AUSIEX, as set out in paragraphs [488] to [491] of the SOAFAC; and

d.   failure to adhere to regulatory data requirements by AUSIEX, as set out in paragraphs [526] to [536] of the SOAFAC.


REASONS FOR JUDGMENT

ABRAHAM J:

  1. The defendants, Commonwealth Securities Limited (CommSec) and Australian Investment Exchange Limited (AUSIEX), provide financial services to clients, including services that allowed clients to trade securities and maintain a trading account online. Clients of CommSec could make trades in equities, exchange traded options and other financial products.

  2. Each was, at all relevant times, a subsidiary of the Commonwealth Bank of Australia Limited (CBA). CommSec and AUSIEX each is the holder of an Australian Financial Services Licence (AFSL) and is a market participant of the ASX Limited (the ASX) and Chi-X Limited (Chi-X) financial markets. As participants of the ASX and Chi-X, CommSec and AUSIEX were subject to the Market Integrity Rules (see Corporations Act 2001 (Cth) (Corporations Act) s 798H(1)(b)).

    How the plaintiff characterised the defendants’ contraventions

  3. This proceeding is characterised by a high degree of cooperation between the parties. The defendants largely agree with the way in which the plaintiff, the Australian Securities and Investments Commission (ASIC), has characterised their contraventions of obligations held under their AFSL, pursuant to the Market Integrity Rules and consequently, the Corporations Act (and additionally for CommSec, the Australian Securities and Investments Commission Act 2001 (Cth) (ASIC Act)). In this context, it is convenient to draw upon the plaintiff’s submissions and the statement of agreed facts and contraventions (SOAFAC) to explain the legal context in which the contraventions arise and the nature of the contraventions, before I recall the parties’ submissions and turn to consider whether the contraventions have been established and the appropriate remedies to flow from these.

  1. CommSec and AUSIEX have taken action directed toward remedying the causes of each of the issues giving rise to the contravening conduct. This has included changes to information technology systems, introduction of greater human oversight and controls, and changes to policies and procedures. CommSec and AUSIEX have entered into agreements with third-party providers which require them to provide further assurance that their services comply with the specifications required by CommSec and AUSIEX. More specifically, following identification of the Client Money Issues, CommSec and AUSIEX established Project Rampart. Following identification of the Trade Confirmation Issues, CommSec and AUSIEX established Project Umbrella. These projects are explained further in Annexure A. Since the establishment of those projects, ASIC has received some further breach reports in respect of both Client Money Issues and Trade Confirmations Issues, including as a result of the work undertaken as part of those projects.

  2. CommSec and AUSIEX accept that there were inadequacies in their processes and procedures to ensure compliance with the relevant obligations. While they did have in place processes addressing operational risk and compliance, these processes were not sufficient to ensure compliance with the relevant regulatory obligations.

  3. As noted at [10] above, ASIC does not allege, and there is no evidence to indicate that, any of the contraventions were deliberate, or that the conduct constituting the contraventions was conduct of senior management.

  4. CommSec and AUSIEX have cooperated with ASIC in relation to these issues and voluntarily taken steps to address the issues and to remediate any client detriment. In some instances, identified below, CommSec and AUSIEX did not provide notifications to ASIC in relation to reconciliations as part of the Client Money Issue within the time period required, but have reported all of the issues and their approach to addressing them.

  5. It is unnecessary, for present purposes, to repeat the detail of each of the contraventions, as set out in the SOAFAC. Suffice to say I have taken that detail into account.

    Submissions

    ASIC’s submissions

  6. ASIC made submissions, inter alia, as to the nature and seriousness of each of the contraventions by issue, and the legal framework in which the contraventions occurred. In relation to each issue, ASIC made submissions as to the factual and legal bases of the contraventions and the relief sought. As previously explained, the defendants largely agree with the way ASIC has characterised the contraventions. In addition, ASIC made submissions which addressed the steps taken by CommSec and AUSIEX implementing improvements as a consequence of the contravention, and recognised factors said to be in mitigation of the conduct for the purposes of imposing penalty.

  7. ASIC addressed the compliance plans to which orders are sought, pursuant to s 1101B of the Corporations Act. These plans have been developed in consultation between ASIC and each of CommSec and AUSIEX, with a view to ensuring that the systems and controls relevant to the Reported Conduct for each of CommSec and AUSIEX are reviewed to ensure compliance with relevant obligations and any ongoing deficiencies addressed. ASIC acknowledged the significant work already undertaken by each of CommSec and AUSIEX in relation to systems and processes related to the Reported Conduct, including (among other matters) pursuant to Project Rampart (in relation to Client Money Issues) and Project Umbrella (in relation to Trade Confirmations Issues). However, ASIC also noted that each of CommSec and AUSIEX have continued to file notifications with ASIC in relation to ongoing issues of a related kind to the Reported Conduct, as detailed in the McKenzie Affidavit. While ASIC noted the ongoing work being undertaken by CommSec and AUSIEX, it submitted that a compliance program in the terms agreed is necessary to address the underlying causes of the Reported Conduct and related notifications that continue to be reported by CommSec and AUSIEX. Each of CommSec and AUSIEX have consented to the proposed compliance plans and ASIC submitted that the proposed orders and compliance plans satisfy the criteria identified in ASIC v Westpac Banking Corporation (No 3).

  8. ASIC identified the relevant maximum penalties for each of the contraventions, and made submissions as to what it said is the appropriate penalty for each contravention, and the basis thereof.

  9. The contraventions and suggested penalties for each were conveniently summarised in a table annexed to ASIC’s submissions, which is annexed to these reasons as Annexure B.

  10. In summary, ASIC submitted that a substantial penalty is warranted, taking into account the extensive and systemic nature of the Reported Conduct which has affected multiple aspects of the businesses of both CommSec and AUSIEX, and the extended time period over which the contraventions took place.

  11. The total of the pecuniary penalties that ASIC submitted are appropriate is as follows:

    (1) $28.6 million in respect of CommSec; and

    (2) $10.17 million in respect of AUSIEX.

  12. ASIC acknowledged the Mitigating Factors, being that there is no evidence to indicate any of the contraventions were deliberate or the conduct of senior management, the defendants have cooperated, expressed contrition for the Reported Conduct, taken steps to remediate client detriment where suffered and to address the issues the subject of the Reported Conduct, and have agreed to ongoing compliance programs. ASIC submitted that having regard to the evidence of CommSec and AUSIEX admitted at the hearing, and the Mitigating Factors, a 30 per cent discount to the headline penalty amounts is appropriate in this proceeding.

  13. In submitting that was the appropriate discount, ASIC noted that in ASIC v National Australia Bank Limited [2020] FCA 1494 at [161], Lee J applied a 30 per cent discount to the headline penalty figure to reflect the respondent’s cooperation, its early admissions and the adoption of a remediation scheme and the other mitigating factors.

  14. Application of such a discount would result in pecuniary penalties of:

    (1) $20.02 million in respect of CommSec (to be rounded down to $20 million); and

    (2) $7.12 million in respect of AUSIEX.

  15. ASIC submitted that these amounts appropriately reflect the totality of the wrongdoing and are proportionate to the circumstances of the case. ASIC contends penalties in the range of those submitted by ASIC are necessary to satisfy the purpose of acting as a personal and general deterrent, and to ensure that the penalty amount is not such as to be regarded by the parties or others as an acceptable cost of doing business.

  16. As previously explained, ASIC also sought that various declarations be made as to the contravening conduct. The form of the declarations is set out at [1]-[5] of the Amended Originating Process. 

    CommSec’s and AUSIEX’s submissions

  17. In summary, CommSec and AUSIEX submit that there are a number of features common to the Reported Conduct that ought to be considered in mitigation of the contraventions. In addition, CommSec and AUSIEX have expressed genuine contrition, both in statements by senior officers and through their conduct, including the early admission of contraventions and cooperation with ASIC. Relatedly, CommSec and AUSIEX have consented to the ordering of a significant and detailed compliance plan designed to reduce the risk of further contraventions. This is in addition to the taking of a number of steps to improve compliance processes already in train before this proceeding was commenced.

  18. It was submitted that these matters, taken together, support a conclusion that the penalties to be ordered by the Court may be lower than would otherwise have been the case. The 30% discount proffered to the Court by ASIC on account of these factors in mitigation is supported further by matters with significant overlap to the Mitigating Factors identified by ASIC that I will set out in further detail below. In this light, CommSec and AUSIEX submitted that a 30% discount is an appropriate recognition by this Court of the role that early acceptance of wrongdoing, contrition, and co-operation with regulators play in serving the administration of justice and furthering future compliance with the law by both them and other corporations.

    Conduct that CommSec and AUSIEX rely on to support a discount

  19. CommSec and AUSIEX accept that the Reported Conduct was serious and unacceptable. In that context it was submitted that the conduct at issue in these proceedings did not involve deliberate contraventions of the relevant obligations, but were, as described by ASIC, of a “technical nature” and generally arose from inadvertent errors.

  20. In addition, each of CommSec and AUSIEX had in place significant compliance systems and risk management frameworks, policies and processes directed to ensuring compliance with their obligations. They show that CommSec and AUSIEX took compliance with regulatory obligations seriously, while accepting that more needed to be done. However, despite CommSec and AUSIEX’s compliance systems and risk management frameworks and policies, and their approach to compliance generally, there were a number of specific failures of IT systems, human errors and data entry errors that led to the Reported Conduct.

  21. It was submitted that the Reported Conduct occurred despite genuine and significant efforts on the part of CommSec and AUSIEX to ensure compliance with their regulatory obligations. This characterisation of both the cause of the contraventions as errors, and the attitude of CommSec and AUSIEX to compliance, is reflected by the comparatively small scale of affected customers and harm when judged against the scale of the businesses. As such, CommSec and AUSIEX accept that the fact the Reported Conduct was able to take place as it did suggests that there were inadequacies in their compliance systems and processes. In addition to rectifying systems to prevent reoccurrence of the Reported Conduct, CommSec and AUSIEX have made significant investment in risk and compliance generally, including by increasing the number of risk and compliance roles and undertaking several significant programs of work directed to upgrading existing compliance systems and controls to reduce the risk of similar conduct reoccurring. Importantly, CommSec and AUSIEX began making these improvements before the commencement of this proceeding.

  22. It was submitted that in considering the seriousness of the contraventions arising from the Reported Conduct, the Court should have in mind that, with limited exceptions, the contraventions did not cause harm to customers. No customers were affected by the Client Money Issues, the AOP Issue or the Regulatory Data Issue. The Trade Confirmations Issue did affect customers, in the sense that there was a failure to send trade confirmations that contained all required information, that were accurate, or at all, but there is no suggestion that customers suffered any financial or other significant detriment by reason of those failures, including because in many instances the missing information was available from other sources. No instances of customers suffering detriments by reason of the Best Execution Issue or the Warrant Agreement Issue have been identified, although it is accepted that those issues gave rise to that possibility. For that reason, potentially affected customers have been compensated based on assumptions favourable to the customers. The Brokerage Issues involved customers being charged more than they ought to have been. It involved errors that overcharged affected customers in the order of $10 to $50 per trade for brokerage costs. Affected customers have been compensated for that overcharging.

  23. It was submitted that it is appropriate for the Court to recognise the relatively small scale of financial harm done to customers through this inadvertent error, when compared to the many cases that involve deliberate overcharging, or errors that cause far greater financial detriment or remain un-remedied, while recognising the unacceptable conduct of taking fees without a lawful entitlement to do so.

  24. In addition to potential customer harm, the Market Integrity Rules seek to prevent undermining of the integrity of the relevant markets. Most of the Reported Conduct had no effect on the relevant markets. While, as Mr Vacy-Lyle (Group Executive for Business Banking, CBA Group, who is responsible for the CommSec Business) accepts in his affidavit sworn 20 August 2021, some of the issues arising from the Reported Conduct, particularly the AOP Issue, Best Execution and Regulatory Data Issues, had the potential to affect the relevant markets there is no suggestion that there was any such effect.

  25. Other than in the case of the Brokerage Issues, CommSec and AUSIEX did not derive any revenue or direct benefit from the Reported Conduct. While the Brokerage Issues led to increased revenue to CommSec, that increased revenue has been returned to affected customers with interest, and was not material to the operations of CommSec or AUSIEX. It was submitted that the Court can safely proceed on the basis that CommSec and AUSIEX did not retain any additional revenue derived from the Brokerage Issues, or obtain any other direct benefit from the Reported Conduct.

  26. Instances of contravention of obligations concerning client monies inevitably give rise to concerns that client moneys were misappropriated or lost. CommSec and AUSIEX submit that is not the case in this proceeding. Rather, the funds the subject of the Client Money Issues always remained in CommSec or AUSIEX accounts, albeit in the limited cases of trust account deficiencies, the funds were kept in general accounts mixed with non-trust funds. No clients suffered any detriment by reason of those issues. Further, in many instances, the Client Money Issues actually related to surpluses in relevant trust accounts. In the case of AUSIEX, all of the Client Money Issues involved a surplus in relevant trust accounts.

  27. Finally, while it is apparent that there were many individual instances of the Reported Conduct, that occurred in the context of the large volume of business conducted by CommSec and AUSIEX. Further, many of the individual instances of contravention stemmed from single errors. For the most part, the Reported Conduct affected relatively low proportions of relevant customers and transactions. Where the harm caused by the issues is capable of a dollar quantification, the vast bulk involved relatively low amounts.

  28. It was submitted that both CommSec and AUSIEX have demonstrated sincere contrition for the conduct the subject of these proceedings, a matter ASIC accepts. CommSec and AUSIEX’s contrition has been demonstrated in a number of ways, including explicit statements by senior officers of each company, as well as through the actions taken in response to the identification of the issues and the conduct of CommSec and AUSIEX in its dealings with ASIC and their conduct of this proceeding. CommSec and AUSIEX highlighted the relevant evidence in that regard. It was submitted that contrition is also demonstrated by their early admissions of contravention and cooperation with ASIC.

  29. CommSec and AUSIEX submitted that their willingness and commitment to address any remaining inadequacies is demonstrated by their agreement to enter into a court-ordered compliance program. It was submitted that a key aspect of the compliance plan is the appointment of an independent expert, who will be approved by ASIC, to review the adequacy and effectiveness of CommSec’s and AUSIEX’s systems and controls generally. The compliance program was the subject of negotiation and is comprehensive.

  30. The defendants observed that ASIC accepts that the detailed compliance plans to which CommSec and AUSIEX have agreed are designed to ensure that any outstanding issues are addressed. This should give the Court comfort that the limited number of instances in which CommSec and AUSIEX have reported further instances similar to the Reported Conduct are unlikely to reflect ongoing issues, and that the penalties to be awarded in this case do not need to be fashioned so as to provide specific deterrence for the repetition of the Reported Conduct; CommSec and AUSIEX, in undertaking the compliance program, are doing what they can to prevent that occurring, in a manner approved by ASIC.

  31. A key aspect of the compliance plan is the independent expert’s review of the adequacy and effectiveness of CommSec’s and AUSIEX’s systems and controls generally. Systems and controls include matters such as technology and technological governance, oversight function, control mechanisms, processes and policies, human resources, skills and competencies, and operational risk management.

  32. CommSec and AUSIEX also addressed other factors relevant to penalty, including the following.

  33. As to the involvement of senior management, CommSec and AUSIEX submitted that there was no suggestion that the Reported Conduct arose from the conduct of senior management of CommSec or AUSIEX or that they permitted the conduct to take place or continue. Rather, the compliance systems in place at the time and the improvements made to those systems during the period of the Reported Conduct suggest that CommSec’s and AUSIEX’s senior management were and remain committed to ensuring compliance with regulatory obligations. However, CommSec and AUSIEX accept that the fact that the Reported Conduct occurred is reflective of a failure of the systems put in place to meet that commitment. There have been relevant changes to the board or senior management of CommSec and AUSIEX since the contravening conduct occurred.

  34. As to remediation, CommSec and AUSIEX submit and ASIC agrees that to the extent any of the conduct did, or had the potential to, cause a financial detriment to customers, they have been compensated with interest. It was submitted that this was done on bases favourable to the potentially affected customers and that CommSec took a proactive approach to remediating customers.

  35. CommSec and AUSIEX provided considerable detail on the historical compliance systems and governance structures and submitted that the Court ought to find that CommSec and AUSIEX had in place governance structures, policies and procedures, controls and infrastructure designed to ensure compliance with their regulatory obligations. The extent of this internal structure supports a finding that CommSec and AUSIEX were genuinely committed to compliance with their regulatory obligations.

  36. It was submitted that in addition to specific actions taken to rectify issues arising from the Reported Conduct, each of CommSec and AUSIEX have taken a number of steps to improve their risk management and compliance arrangements generally. Many of these steps commenced well before ASIC brought these proceedings. Again, detailed submissions and evidence were addressed to the steps taken.

  37. It was submitted that CommSec and AUSIEX have cooperated with ASIC in respect of the Reported Conduct. Their cooperation included self-reporting almost all of the relevant conduct and explaining to ASIC the approach being taken to address the issues. The cooperation shown by CommSec and AUSIEX has dramatically reduced the expense and time required to be dedicated to these issues by both ASIC and the Court.

  38. In respect of each of the contravention issues referred to in [4] above, CommSec and AUSIEX addressed, inter alia, the steps taken to escalate the issues within management once they had been identified and other mitigating factors including for some issues the compliance systems that had existed and any improvements to those systems and processes. It is unnecessary to repeat the detail of those submissions.

  39. In addition, in relation to the Trade Confirmations Issues, CommSec addressed the prior instances on which it has been the subject of proceedings before the MDP for contraventions of r 3.4.1 of the Market Integrity Rules. It submitted there was only one such proceeding that relevantly concerned trade-confirmation issues, provided details and described what had been done to improve the systems as a result. CommSec also addressed ASIC’s apparent reliance on the conduct at issue in another proceeding before the MDP, namely proceeding MDP15/14, as relevant antecedent conduct, but submitted that conduct did not involve trade confirmations and bears little similarity to any of the Reported Conduct. CommSec also noted that compliance with an infringement notice is not an admission of guilt and does not mean that CommSec or AUSIEX is to be taken to have contravened s 798H of the Corporations Act: Corporations Regulations 2001 (Cth), r 7.2A.10(2)(d), (e).

  1. CommSec and AUSIEX ultimately submitted that:

    (1) the declaratory relief sought by ASIC ought to be granted;

    (2) the penalties agreed by the parties ought to be imposed; and

    (3) the compliance programs sought by ASIC ought to be ordered.

    Consideration

  2. Having considered the facts as agreed, the submissions of the parties, the evidence relied on by CommSec and AUSIEX, the contraventions and relevant principles, I am satisfied that it is appropriate to order the pecuniary penalties in the amount agreed, make the declarations sought and order the compliance program.

  3. It is readily apparent from the submissions of ASIC and CommSec and AUSIEX, that they have given close and careful consideration to the relevant issues, with one of the parties being ASIC, a specialist regulator, to the appropriate declarations, orders and pecuniary penalties. In that context, in DFWBII the High Court at [60]-[61] noted the relevance of the fact that submissions were being advanced by a specialist regulator able to offer “informed submissions as to the effects of contravention on the industry and the level of penalty necessary to achieve compliance”, albeit that such submissions will be considered on the merits in the ordinary way.

  4. The number, breadth and duration of the Reported Conduct is significant and indicates that CommSec and AUSIEX did not have adequate systems and processes in place to ensure compliance with their relevant obligations under their AFSLs and pursuant to the Market Integrity Rules and consequently, the Corporations Act (and additionally for CommSec, the ASIC Act). The conduct is properly characterised as being extensive and systematic, occurring over an extended period of time, which affected multiple aspects of the businesses of both CommSec and AUSIEX.

  5. I accept ASIC’s submission that a substantial penalty is warranted.

  6. It should be recalled that it is important to impose a penalty of sufficient size to act as a strong deterrent to ensure CommSec and AUSIEX and others do not treat the risk of non-compliance as a mere cost of doing business.

  7. In the circumstances of this case, the agreed penalty is appropriate as reflecting the seriousness of the contravention, yet recognising the mitigating factors present, including that there is no evidence to indicate any of the contraventions were deliberate or the conduct of senior management, CommSec and AUSIEX have cooperated with ASIC and in this proceeding, expressed contrition for the Reported Conduct, taken steps to remediate client detriment where suffered and to address the issues the subject of the Reported Conduct including agreeing to ongoing compliance programs. I accept those mitigating factors. I also recognise CommSec’s and AUSIEX’s acknowledgement that the contraventions are serious and unacceptable.

  8. Where the Court is persuaded by the accuracy of the parties’ agreement as to facts and consequences, and that the agreed penalty proposed is an appropriate remedy in all the circumstances, as in this case, it is highly desirable in practice for the Court to accept the parties’ proposal and therefore impose the proposed penalty: Volkswagen at [124]-[129].

  9. Nonetheless, this Court must impose a penalty that is appropriate. I am satisfied the agreed penalty of $20 million with respect to CommSec and $7.12 million with respect to AUSIEX, in the circumstances, satisfies the significant element of deterrence required in this proceeding. It carries with it a sufficient sting to ensure that the penalty amount is not such as to be regarded by the parties or others as an acceptable cost of doing business. Weighing all the relevant factors, bearing in mind the protective and deterrent purpose of a pecuniary penalty, as applied to the facts of this case, I am satisfied that the agreed penalty is appropriate.

  10. These proceedings are a matter of public interest, and the circumstances of the contraventions call for marking of the Court’s disapproval of the conduct. Consequently, the declarations sought have significant utility. I am satisfied that it is in the interests of justice to make the declarations sought. Given the circumstances of the contraventions, and the terms of the compliance program, I am also satisfied that the orders sought with respect to the compliance programs, should be made.

  11. I will make the declarations and other orders in the form agreed by the parties.

I certify that the preceding one hundred and twenty two (122) numbered paragraphs are a true copy of the Reasons for Judgment of the Honourable Justice Abraham.

Associate:

Dated:       25 October 2022

Annexure A



Annexure B