2022 saw another year of high levels of regulatory and enforcement activity in Australia. The regulatory landscape has continued to experience significant shifts as the economy encounters greater inflation, geo‑political tensions, increasing environmental concerns and a growing number of cybersecurity threats. The Australian Securities and Investments Commission (ASIC), Australia’s financial services regulator, departed from its much-publicised and controversial “why not litigate” approach in favour of an approach that prioritises promoting Australia’s economic recovery from the Covid-19 pandemic and the inflationary pressures that are currently being experienced.
With the victory of the Anthony Albanese-led Labor Party over the conservative incumbent government led by now former Prime Minister Scott Morrison in the May 2022 federal election, a steady stream of new legislation has started making its way through federal parliament. Several of these bills will impact white collar crime and investigations, with more reform to come, including in relation to data protection, money laundering and terrorism financing, and corruption.
At the end of 2022, a bill was passed providing for the creation of a National Anti-Corruption Commission, likely mid-way through 2023. It is likely to result in high-profile investigations in the years ahead.
- Investigations trends/developments
- Law reforms impacting corporate criminal liability
- Internal investigations – key considerations
- Sectors targeted by law reforms or enforcement action
- Cross‑border coordinated investigation or enforcement activity
- Predictions for 2022
A move away from ASIC’s ‘why not litigate’ approach
In late 2021, ASIC updated its guidance on its approach to enforcement and published its response to the Australian Government’s ‘Statement of Expectations’, which outlines how the Government expects ASIC will achieve its objectives, carry out its functions and exercise its powers. These publications evidence ASIC’s move away from a ‘why not litigate’ approach in recent years to a ‘lighter more impactful’ approach to regulation that identifies and pursues opportunities to contribute to the Government’s economic goals, including supporting Australia’s economic recovery from the pandemic. ASIC states that it intends to adopt the full suite of its regulatory tools and to do so in a targeted and proportionate way and will decide what cases to pursue through the lens of whether they are going to make a difference. The move away from the ‘why not litigate’ approach has prompted criticism of ASIC, to which it has responded by noting that ASIC is an active and focused law enforcement agency and is probably the busiest litigator in the Commonwealth. In the period between January and June 2022, 60 investigations were commenced with 148 investigations ongoing. Further, seven civil penalty proceedings were commenced in this period with 40 civil penalty cases still currently before the Courts.
ASIC’s targets sustainability, technology risks and product design
The ASIC August 2022 Corporate Plan reveals its strategic priorities for the next four years. These include:
- Sustainable finance and ‘greenwashing’ – to supervise and enforce governance, transparency and disclosure standards in relation to sustainable finance. ASIC is actively monitoring the market for potential greenwashing and has taken enforcement against companies, including a listed energy company.
- Technology risks – to promote good cyber risk and resilience practices and address digital misconduct such as scams. ASIC successfully brought Australia’s first test case against a company for failing to have adequate cybersecurity systems and processes in place, in breach of its Australian Financial Services Licence. This will likely remain an area of particular focus for ASIC in light of several high‑profile data breaches in major companies in the telecommunications and insurance sectors (as discussed further below). This is similarly a focus of the Australian Consumer and Competition Commission (ACCC), with the Chair of the ACCC noting on a conservative estimate that Australians were defrauded of AUD1.8 billion in 2021.
- Product design and distribution – to increase compliance with regulations and reduce the risk of harm to consumers of financial and credit products caused by poor product design and distribution practices. ASIC fined a bank a combined penalty of AUD113 million for poor product design and distribution practices, which resulted in consumer harm such as the overcharging of interest on credit card debt.
- Retirement decision‑making – to protect consumers as they plan for retirement, focusing on relevant financial products and advice.
See more detail in our blog on sustainable finance, governance and greenwashing.
Developments at Australia’s competition regulator
The ACCC’s strategic priorities complement ASIC. It also focuses on environmental claims and sustainability as well as consumer and competition issues in the digital economy.
New National Anti-Corruption Commission
An Act establishing a new National Anti-Corruption Commission was passed on 30 November 2022, with the new Commission expected to be formed in mid-2023. The Commission will be empowered to investigate serious corrupt conduct in the federal public sector.
It will investigate corporations and their officers insofar as they may have adversely affected the honest or impartial exercise of a public official’s powers, functions or duties.
There are a number of key concepts which create uncertainty. For example, in order to commence an investigation the Commission must be of the opinion that possible corruption is ‘serious or systemic’, concepts which are not defined.
These uncertainties carry real risks for corporates engaging with the Federal Government.
Increased penalties for privacy breaches
Following major data breaches within the telecommunications and insurance sectors, the Government has introduced a Bill to significantly increase penalties for serious or repeated privacy breaches. Maximum penalties for breaches of the Privacy Act 1988 (Cth) will increase from the current AUD 2.22 million to whichever is the greater of:
- AUD 50 million;
- three times the value of any benefit obtained through the misuse of information; or
- 30% of a company’s adjusted turnover in the relevant period.
The Bill will also grant the Office of the Australian Information Commissioner (OAIC) powers to request information about a data breach, assess a corporate’s compliance with the notifiable data breach scheme and disclose information and documents to third parties, including the general public where it is in the public interest to do so.
These reforms sit alongside ASIC’s strategic priority on technology risks, discussed above, and its willingness to take enforcement action against companies which fail to have adequate cybersecurity processes and procedures in place.
Financial Accountability Regime
Two new Bills are aimed at implementing recommendations from the 2018 Royal Commission into Misconduct in the Banking, Superannuation and Financial Services industry. The Bills will create a Financial Accountability Regime (the Regime) that seeks to improve the operating culture of companies in this sector by imposing obligations on:
- Accountability – requiring entities, their directors and most senior and influential executives, to conduct business with honesty, care, skill and diligence.
- Key personnel – requiring entities to nominate senior executives to be responsible for all areas of their business operations.
- Deferred remuneration – requiring entities in the industries to defer at least 40% of the variable remuneration of directors and senior executives for a minimum of four years and reduce their variable remuneration for non-compliance with their accountability obligations.
- Notification – requiring entities to provide the Regulator with certain information about their business, directors and most senior and influential executives.
The Regime will be jointly regulated by ASIC and APRA (Australia’s prudential regulator).
A breach of an obligation by a corporation may result in a maximum penalty of at least AUD 11.1 million. Individuals who are deliberately involved in a contravention may also be liable under the ancillary contravention penalty provisions, with a maximum penalty of at least AUD 1.1 million.
New Powers for ASIC
Since October 2021, issuers and distributors of financial products have been required to publish Target Market Determinations (TMD) that set out the class of consumers a financial product is likely to be appropriate for. To accompany these new obligations, ASIC’s regulatory toolkit has been expanded to include Product Intervention Powers and Stop Orders. These new enforcement tools enable ASIC to temporarily order a company to refrain from engaging in certain conduct in relation to issuing or distributing financial products. ASIC has signalled that it considers that these new powers will be a significant tool in the protection of consumers. We expect to see increased enforcement of TMD obligations and the use of these new powers in 2023.
Increased and new penalties for competition offences
On 1 November 2022, the ACCC welcomed significant amendments to the Competition and Consumer Act 2010, including the Australian Consumer Law, with the recent passage of the Treasury Laws Amendment (More Competition, Better Prices) Bill 2011.
Major amendments to the competition enforcement regime are twofold:
- First, significant increases in maximum penalties for relevant breaches of the competition and consumer laws; and
- Second, the introduction of penalties and other changes relating to unfair contract terms.
Under the changes, the new maximum penalties for companies that breach relevant provisions of the competition and consumer law are the greater of:
AUD 50 million
This is a five-fold increase from the current AUD 10 million
Three times the value derived from the relevant breach
This is unchanged from the current position
30% of the company’s turnover during the period it engaged in the conduct (if the value derived from the breach cannot be determined)
This is an increase from the current position of 10% of annual turnover in the 12 months prior to the breach
For individuals, the maximum penalty will increase to AUD 2.5 million (from AUD 500,000 presently).
These penalties apply to a range of offences and civil penalty provisions under the Australian Consumer Law, including: unconscionable conduct, false or misleading representations, harassment and coercion, products that do not comply with safety or information standards, and more.
The penalties also apply to most civil and criminal offences under the competition law, including: cartel offences, the news media bargaining code, international liner cargo shipping provisions, and prohibited conduct in the energy market provisions.
The changes introduce the first-ever penalties for businesses that include unfair contract terms in their standard form contracts with consumers and small businesses. Previously, the courts could declare specific terms of a contract unfair and therefore void, but they were not prohibited and courts could not impose any penalties on businesses that included them in the standard form contracts.
The penalty provisions only apply to new contracts, or existing contracts (once renewed or varied), made at the end of the 12-month grace period after Royal Assent.
Further, the changes will also expand the coverage of the unfair contract terms regime to more small business contracts, will apply irrespective of the value of the contract, and clarify other aspects of the laws including more clearly defining ‘standard form contracts’.
Anti-Money Laundering and Counter-Terrorism Financing Amendment (Making Gambling Businesses Accountable) Bill 2022
Recent anti-money laundering reforms have been proposed in the wake of several reviews into Australia’s two largest casino operators. The proposed amendments impose a positive obligation on entities which provide gambling services to report to AUSTRAC (Australia’s financial intelligence agency) if they have reason to suspect a person is betting with ‘stolen property’. It is proposed that this be a civil penalty provision.
Regulators have continued to challenge legal professional privilege claims made by companies over documents which would otherwise have been disclosable.
In a recent case brought by the Australian Taxation Office (ATO), the Court found that a large consultancy firm incorrectly claimed legal privilege over a large number of documents. The ATO argued that the company had attempted to involve lawyers purely for the purpose of covering work in a ‘cloak of privilege’. Ultimately, the judge found that the assessment of privilege must be conducted for each document individually, as simply routing documents through the inbox of a lawyer would not mean that the documents would attract privilege. 
Similar criticisms were also made by Counsel assisting in a high‑profile public Commission of Inquiry into one of Australia’s largest casino operators.
Companies should continue to bear in mind that communications by a lawyer will not necessarily attract legal privilege, and that regulators continue to aggressively interrogate claims of privilege by individuals and companies. As always, a document‑by‑document analysis of the ‘dominant purpose test’ is required.
The gaming, telecommunications and insurance industries have been the subject of regulatory scrutiny and have been targeted for law reform.
Two significant data breaches by leading companies in the telecommunications and insurance sectors resulted in the personal data of millions of Australians being compromised. Some of this is very sensitive personal data, for example, data relating to government‑issued identification documents and detailed health data. Some data has been released on to the internet and has been used to extort some of the people affected.
We expect these data breaches will result in all sectors being subject to increased regulatory scrutiny of the justification for, and measures taken to protect, personal data held by companies.
Technology risks have already been identified as a strategic priority for ASIC and reform has already been made to the Privacy Act 1988 to strengthen the penalties for contravention of the Act. In addition, the Government has increased its budget allocation for OAIC to support its response to the recent data breaches and OAIC has indicated that it has ‘shifted to a stronger enforcement posture in line with increased privacy risks and the community’s growing concerns over the protection of their data’.
The gaming industry has been under particular scrutiny. Significant AML failures have been identified at both of Australia’s major casinos. Law reform has already been proposed and it is likely that more will follow although the impact to industries outside the gaming industry remains unclear.
Information sharing and operational coordination has been a priority for Australia’s key regulators, including the ACCC and ASIC. This has extended to cooperation with regulators in other jurisdictions. For example, the Australian Federal Police (AFP) in a recent investigation into alleged bribes paid by two Australians to foreign officials to obtain construction contracts in Sri Lanka involved coordination with the FBI, Royal Canadian Mounted Police, and authorities in India, Sri Lanka and Bangladesh.
There has been increasing cooperation between the AFP and the Serious Fraud Office (SFO) in the United Kingdom, where requests were made by the AFP to obtain evidence gathered in the context of a bribery investigation carried out by the SFO.
Similar to other jurisdictions, this year saw significant changes to Australia’s Autonomous Sanctions regime. Russia’s invasion of Ukraine and the new Magnitsky-style sanctions reforms introduced at the end of last year may result in difficulties for corporates navigating this changing landscape. Falling in line with other countries, Australia has established a dedicated intelligence unit that will sit within AUSTRAC to monitor compliance with sanctions against Russia. Companies should conduct regular reviews of their compliance risk policies and procedures to ensure their sanctions regime remains up to date as these developments make it a likely target for increased regulatory focus.
In line with regulatory developments globally, greenwashing will be a priority area of regulatory focus for ASIC. Companies offering sustainability-related products will need to pay particular attention not to fall foul of the prohibition against misleading and deceptive conduct. In June 2022 ASIC advised that vague terminology and inadequate explanations should be avoided when communicating information about sustainability-related products to the market.
On 27 October 2022 ASIC took its first action against a company for greenwashing.ASIC’s prompt response signals to the market that it is closely monitoring companies and will take enforcement action for any breaches. In‑house legal teams should take a cautious approach with respect to sustainability-related products and ensure that any communication to shareholders, members and the market is accurate and has a reasonable basis.
Separately, we note that, with recent leadership changes at ASIC, the Australian Competition and Consumer Commission (ACCC) and the Australian Prudential Regulatory Authority (APRA), there may be changes on the horizon for Australia’s enforcement landscape.
This article is part of the Allen & Overy Cross-border White collar Crime and Investigations Review. Please visit the review homepage for our overviews and insights in other jurisdictions.
 ASIC v RI Advice Group Pty Ltd  FCA 496; see also our article discussing this case: https://www.allenovery.com/en-gb/global/blogs/investigations-insight/managing-cyber-security-risks-key-learnings-from-australias-first-test-case.
Jason is clearly a subject matter expert when it comes to compliance matters, giving legal advice that is not only compelling but also very much valued.
Chambers Asia Pacific 2022 (White Collar Crime & Corporate Investigations, Australia
[Jason Gray is] [e]xtremely knowledgeable within the practice area. … Very good at adapting to the client brief and delivering an appropriate solution, nothing over-engineered.
Asia Pacific Legal 500 2021 (Australia – White Collar Crime)
[Jason] is very hands-on, very commercially aligned with our objectives, and very easy to work with.
Asia Pacific Legal 500 2022 (White Collar Crime, Australia)
Download the Cross-Border White Collar Crime and Investigations Review
The 'Cross-Border White Collar Crime and Investigations Review' analyses the latest developments and trends, and highlights the most significant among the current and emerging issues that white collar crime and investigations in-house counsel should prioritise in the year ahead.