Lessons to be learned from an enforceable undertaking

An enforceable undertaking is one of the major challenges that can confront a financial services business, writes Grant Holley, but it need not be a nightmare and can be a force for good. 

Most businesspeople, if asked to comment on the state of the EU, would provide their views on the problems facing the European economies.  

For those in the Australian financial services industry the question may prompt a very different answer.

For example, “Our EU is costing us a fortune. We’ve had experts and consultants trawling through our business for the last 12 months” or  “The training never seems to stop. I wish we could get it over and done with and get back to business”. 

VIEW ALL

View all

An enforceable undertaking, or EU, is an undertaking offered to the Australian Securities and Investments Commission (ASIC), by what we affectionately refer to as “the Pingee”, which sets out in writing certain actions that the Pingee is prepared to undertake to address ASIC’s concerns.

Those concerns will usually have arisen from a surveillance or investigation conducted by ASIC. Typically that surveillance or investigation will have involved the issue of notices by ASIC to gather documentary and, perhaps, oral evidence. 

The objective of the Pingee in offering an EU is, of course, to prevent further action by ASIC. That action, depending upon the matters that ASIC is concerned about and the extent of the evidence it has gathered, may be of a criminal, civil penalty or administrative nature. 

ASIC’s objective in accepting an EU is to obtain a good regulatory outcome without having to conduct proceedings which would require it to prove its case and may result in an outcome that is less flexible or less comprehensive. 

If the Pingee breaches the enforceable undertaking, ASIC can take action for that breach without the necessity of proving the underlying activity that led to the undertaking.  

ASIC’s legislation gives ASIC the power to “accept” an EU but not to demand one. Of course, it can create the environment in which it is becomes attractive to offer one. ASIC will not always accept an EU and its guidance to industry about when it will – and when it won’t – can be found in RG 100.  

Over a number of years we have been involved in various ways with EUs entered into with ASIC and also with the Australian Competition and Consumer Commission (ACCC).

Our roles have included: advising clients in their dealings with the regulator; acting as expert consultants to assist clients in meeting their obligations under the EU; acting as reviewers to provide reports to the regulator on whether clients have met their obligations under the EU; and providing training mandated in the EU to directors, responsible managers and staff.  

We hope the reader finds some of our observations from these experiences which follow of relevance and interest.  

A look through the ASIC register reads like a ‘Who’s Who’ of Australian financial services. All of the big Australian banks are on it, as well as a number of other household names. However, not all those who enter EUs are large corporations; some are small businesses and some are individuals. 

The financial impact of an EU can be significant and may lead to cash flow difficulties for the affected business or person. Sometimes the Pingee agrees to pay compensation, but even in the absence of this, the professional fees and business interruption can be significant. 

All EUs are public documents, because the transparency of ASIC’s dealings is important and can be easily accessed through ASIC’s website.  

Typically ASIC also issues a media release informing the community of the EU – and this can have reputational impact. 

However, there is also a positive side to EUs. Typically, the matters that raise ASIC’s concerns are breaches of what we like to refer to as ‘the 10 Commandments’.  

Not THE 10 Commandments, of course, but the general obligations of licensees set out in section 912A of the Corporations Act.  

These are the obligations to have things such as: a risk management framework; a process of managing conflicts of interest; a program for the training of staff and appropriate procedures to monitor and supervise them; a good complaints handling and dispute resolution system; and adequate technological, human and financial resources. Another common ASIC concern is ‘culture’. I will come back to that shortly. 

The way to look at these obligations is as a series of business systems, rather than as isolated regulatory obligations.

One of the policy objectives of the Corporations Act is to have an efficient and healthy financial services sector.

The 10 Commandments should be seen as a “how to” for running a successful financial services business. If each of the systems is working and the information flowing from the systems is informing the other systems, the outcome will be a well run business. 

For example, if the risk management framework is being properly used it will assist the business to understand the environment in which it is conducting its business. 

The environment will include the business’ internal environment, which will force it to look at things like its mission, its values and its service and/or product offering.

It will also include the business’ external environment, requiring it to inform itself of the economy, upcoming changes in legislation, what its competitors are doing, what the politicians and the regulators are doing, what is on offer with changes in technology and so on. 

The business can then identify the risks, which include the risk of missing out on opportunities, and evaluate and treat them.

In this way the business’ scarce resources are allocated efficiently, and the somewhat competing objectives in the obligation to conduct its business “efficiently, honestly and fairly” can be managed. 

Some of the actions put in place to treat particular risks will include training. Information gathered during training can inform risk assessment.  

Complaints provide valuable intelligence for the business and assist in identifying client needs and ways to better meet them. That information will inform risk assessments and also the training programs.   

The failure to report breaches is a common concern leading to EUs. The breach reporting obligation is a form of industry self-regulation. The regulatory regime is complex and it is difficult to know all of the obligations and to keep up with changes. 

It is even more difficult, particularly for large licensees with geographically-spread workforces, to ensure that all of their representatives comply with all of the laws all of the time.

I would go so far as to say that it is impossible or, to put it another way, everybody is breaching. I hope this gives the reader some comfort. 

A failure to report breaches may therefore be more of an indication that the licensee does not have a functioning system for identifying, considering and reporting breaches than that there have not been any breaches. It may also be indicative of a culture which seeks to hide breaches rather than to deal with them. 

The best run, healthiest organisations, just like communities and families, are those which have an open culture where problems are identified and brought into the open quickly so they can be dealt with – a culture which is not about the fear of reprisals, but which seeks positively to make the best of an imperfect world. That brings me finally to the issue of culture. 

An oft-stated concern of ASIC’s in EUs is: 

“A poor compliance culture meaning that deficiencies were not identified, escalated and remedied in a timely and efficient manner.”  

Culture is important in a formal legal sense and in a practical sense. In the formal legal sense a corporation’s culture provides a way of proving the intention of the company to breach the law for the purpose of establishing guilt for offences against Commonwealth legislation.

It is also taken into account by the courts when they are considering the amount of the monetary penalty in civil penalty cases. 

In a practical sense, culture is the glue that sticks everything else together. Let me explain. We have our policy statements, our corporate processes, compliance manuals, training programs and so on. We refer to these things as “procedural compliance”. 

If ASIC is to come calling, most licensees have, or should have, lots of documents that together establish their compliance frameworks.  Procedural compliance is important. 

However, if we come to the attention of a regulator or if a client sues us for poor advice, it is likely to be because of some action or inaction. We refer to this as behavioural compliance.

At the end of the day the procedures are just tools to help achieve behavioural outcomes. The glue that makes them work is the culture. If the culture is wrong, the procedures are ineffective or, in the words of Corporal Benjamin-Roberts Smith: “Culture beats strategy every time”. 

What then is the best cultural approach to take to an EU? If you have been unfortunate enough to have come to the regulator’s attention and have entered into an EU, try to see the positives in the EU. 

If you are in the financial services industry and want to stay off the regulator’s radar, we encourage you to see the 10 Commandments as a series of business systems, rather than as a ‘tick-a-box’ list of obligations – and give serious thought to integrating them effectively into the running of your business.  

Grant Holley is a founding partner at Holley Nethercote.