FEDERAL COURT OF AUSTRALIA

Australian Securities and Investments Commission v Commonwealth Securities Limited [2022] FCA 1253

ORDERS

DEFINITIONS:

In these orders the following terms mean:

PURSUANT TO S 21 OF THE FEDERAL COURT OF AUSTRALIA ACT 1976 (CTH), THE COURT DECLARES THAT:

1.    By reason of:

(a)    the conduct of the first defendant (CommSec) referred to in [4(a)-(m)] below (the CommSec Reported Conduct); and

(b)    various failures in relation to systems, processes and people in the delivery of financial services identified in the internal root cause analysis conducted by CommSec in or around 2019 to identify common underlying factors in respect of the CommSec Reported Conduct (the CommSec Root Cause Analysis),

CommSec failed to do all things necessary, during the period 1 March 2015 to 18 June 2020, to ensure that the financial services covered by its AFSL were provided efficiently, honestly and fairly, in contravention of s 912A(1)(a) of the Corporations Act.

2.    By reason of:

(a)    the conduct of the second defendant (AUSIEX) referred to in [5(a)-(h)] below (the AUSIEX Reported Conduct); and

(b)    various failures in relation to systems, processes and people in the delivery of financial services identified in the internal root cause analysis conducted by AUSIEX in or around 2019 to identify common underlying factors in respect of the AUSIEX Reported Conduct (the AUSIEX Root Cause Analysis),

AUSIEX failed to do all things necessary, during the period 1 March 2015 to February 2019, to ensure that the financial services covered by the AUSIEX License were provided efficiently, honestly and fairly, in contravention of s 912A(1)(a) of the Corporations Act.

3.    CommSec contravened s 12DB of the ASIC Act by representing that it considered ASX CentrePoint (ASXCP) as an execution venue for orders when it did not in fact consider ASXCP as an execution venue for orders from ASB customers during the period 1 March 2015 to 26 March 2018.

PURSUANT TO S 1317E OF THE CORPORATIONS ACT 2001 (CTH) THE COURT DECLARES THAT:

4.    CommSec contravened s 798H of the Corporations Act by reason of the following contraventions of the Market Integrity Rules:

(a)    rule 2.1.3 of the ASX Rules and rule 2.1.3 of the Securities Markets Rules (as in force at the relevant time), by reason of CommSec’s failure to have in place appropriate supervisory policies and procedures to ensure brokerage services were provided in compliance with s 912A(1)(a) of the Corporations Act, from 1 March 2015 until the introduction of enhanced control reports between August 2018 and May 2019;

(b)    rule 3.5.9 of the ASX Rules and Securities Markets Rules (as in force at the relevant time), by reason of CommSec’s failure to ensure that 1,237 reconciliations of trust accounts performed between 1 March 2015 and 23 March 2020, were accurate in all respects;

(c)    rule 3.5.10 of the ASX Rules and Securities Markets Rules (as in force at the relevant time), by reason of CommSec’s failure to notify ASIC within 2 business days that a trust account reconciliation that was accurate in all respects had not been performed in accordance with rule 3.5.9 of the ASX Rules or Securities Markets Rules (as applicable) or that there was a deficiency of funds in its trust account according to a reconciliation performed pursuant to rule 3.5.9, on 9 occasions between 31 May 2018 and 28 November 2019;

(d)    rule 3.4.1(1) of the ASX Rules and Securities Markets Rules (as in force at the relevant time), by reason of CommSec’s failure to provide trade confirmations as required with respect to 1,206 trade confirmations that were required to be issued between 1 March 2015 and 6 November 2019;

(e)    rule 3.4.1(3)(a) of the ASX Rules and Securities Markets Rules (as in force at the relevant time), by reason of issuing confirmations in respect of market transactions in exchange traded options which did not accurately provide the information required to be included in a confirmation under Division 3 of Part 7.9 of the Corporations Act, being information the clients needed to understand the nature of the transaction to which the confirmations related, on 187,891 occasions between 1 March 2015 and 15 June 2019;

(f)    rule 3.4.1(3)(f) of the ASX Rules and Securities Markets Rules (as in force at the relevant time), by reason of issuing equities trade confirmations which did not include a statement that the transaction involved a crossing (being a transaction in respect of which CommSec acted on behalf of both buying and selling clients to the transaction), in circumstances where the transaction did involve a crossing, on 17,307 occasions between 24 April 2017 and 29 April 2019;

(g)    rule 4.2.1(1)(h) of the ASX Rules and the Securities Markets Rules (as in force at the relevant time), by reason of CommSec’s failure to maintain accurate records in sufficient detail in relation to confirmations issued between 1 March 2015 and 1 December 2018 for rebooked trades through CommSec, since CommSec did not maintain accurate records in sufficient detail to show particulars of the incorrect brokerage and ASX clear fees used to derive the total value following the rebooked trade shown in confirmations;

(h)    rule 2.1.3 of the ASX Rules and the Securities Markets Rules (as in force at the relevant time), by reason of CommSec’s failure to have appropriate supervisory procedures in place between 1 March 2015 to October 2018, to ensure that trade confirmations issued by CommSec complied with the requirements of rule 3.4.1 and 4.2.1 of the Market Integrity Rules.

(i)    rule 5.6.1(a) of the ASX Rules and the Securities Markets Rules (as in force at the relevant time), by reason of CommSec’s failure to have in place an appropriate automated pre-trade filter in the relevant automated order processing system through which orders from ASB customers were directed between 1 March 2015 and 1 November 2018, to detect possible trades where there would be no change in beneficial ownership;

(j)    5.6.3(1)(a) of the ASX Rules and the Securities Markets Rules (as in force at the relevant time), by reason of CommSec’s failure to ensure, between 1 March 2015 and 1 November 2018, that the relevant automated order processing system through which orders from ASB customers were directed, had in place appropriate organisational and technical resources (as evidenced by the failure in paragraph (i) above);

(k)    rule 3.2.2 of the Exchange Markets Rules and 3.9.2 of the Securities Markets Rules (as in force at the relevant time), by reason of CommSec’s failure to comply with:

(i)    its Best Execution Policy as published on its website between 1 March 2015 and 26 March 2018 in that ASX CentrePoint was not considered as an execution venue for ASB customers during that period; and

(ii)    its Best Execution Policies and Procedures in the period June 2016 to February 2019, in so far as it failed to monitor best execution policy performance on a monthly basis, for each month in the month immediately following or shortly thereafter;

(l)    rule 3.1.2(3) of the ASX Rules and the Securities Markets Rules (as in force at the relevant time), by reason of CommSec’s failure to provide an explanatory booklet in respect of warrants to 49 retail clients (who between them held 32 accounts) before accepting an order from a client to purchase a warrant on the market for the first time, during the period 1 March 2015 to 18 June 2020;

(m)    rule 3.1.8 of the ASX Rules and the Securities Markets Rules (as in force at the relevant time), by reason of CommSec’s failure to enter into the required warrant agreement forms with those 49 retail clients (who between them held 32 accounts) prior to entering into a market transaction to buy warrants on behalf of the client, during the period 1 March 2015 to 18 June 2020, affecting 376 buy transactions during that period;

(n)    rule 5A.2.1(1) of the Exchange Markets Rules and rule 7.4.2(1) of the Securities Markets Rules (as in force at the relevant time), by reason of CommSec’s failure to include the relevant intermediary identification (by reference to an AFSL number) in regulatory data submitted to relevant market operators on 84,196 occasions during the period 1 March 2015 and 18 July 2019.

5.    AUSIEX contravened s 798H of the Corporations Act by reason of the following contraventions of the Market Integrity Rules:

(a)    rule 3.5.9 of the ASX Rules and Securities Markets Rules (as in force at the relevant time), by reason of AUSIEX’s failure to ensure that 1,175 reconciliations of trust accounts performed between 1 March 2015 and 18 September 2019, were accurate in all respects;

(b)    rule 3.5.10 of the ASX Rules and Securities Markets Rules (as in force at the relevant time), by reason of AUSIEX’s failure to notify ASIC within two business days that a trust account reconciliation that was accurate in all respects had not been performed in accordance with rule 3.5.9 of the ASX Rules or the Securities Markets Rules (as applicable) on 4 occasions between 6 June 2018 and 23 September 2019;

(c)    rule 3.4.1(1) of the ASX Rules and Securities Markets Rules (as in force at the relevant time), by reason of AUSIEX’s failure to provide trade confirmations as required with respect to 3,424 trade confirmations that were required to be issued between 1 March 2015 and 27 November 2019;

(d)    rule 3.4.1(3)(a) of the ASX Rules and Securities Markets Rules (as in force at the relevant time), by reason of issuing confirmations in respect of market transactions which did not accurately provide the information required to be included in a confirmation under Division 3 of Part 7.9 of the Corporations Act, being information the clients needed to understand the nature of the transaction to which the confirmations related, on 18,367 occasions between 9 November 2015 and 15 June 2019;

(e)    rule 3.4.1(3)(f) of the ASX Rules and Securities Markets Rules (as in force at the relevant time), by reason of issuing equities trade confirmations which did not include a statement that the transaction involved a crossing (being a transaction in respect of which AUSIEX acted on behalf of both buying and selling clients to the transaction) in circumstances where the transaction did involve a crossing, on 297 occasions between 24 April 2017 and 7 May 2019;

(f)    rule 4.2.1(1)(h) of the ASX Rules and the Securities Markets Rules (as in force at the relevant time), by reason of AUSIEX’s failure to maintain accurate records in sufficient detail to show particulars of the incorrect expiry date showing the “Liquidation Advice” section of confirmations issued between 1 March 2015 and 23 February 2019, since AUSIEX did not retain records containing the particulars of the incorrect expiry date shown on confirmations issued to customers during that time;

(g)    rule 2.1.3 of the ASX Rules and the Securities Markets Rules (as in force at the relevant time), by reason of AUSIEX’s failure to have appropriate supervisory procedures in place between 1 March 2015 to October 2018, to ensure that trade confirmations issued by AUSIEX complied with the requirements of rule 3.4.1 and 4.2.1 of the Market Integrity Rules;

(h)    rule 3.2.2 of the Exchange Markets Rules and 3.9.2 of the Securities Markets Rules (as in force at the relevant time), by reason of AUSIEX’s failure to comply with its Best Execution Policies and Procedures in the period June 2016 to February 2019, in so far as it failed to monitor best execution policy performance on a monthly basis, for each month in the month immediately following or shortly thereafter;

(i)    rule 5A.2.1(1) of the Exchange Markets Rules and rule 7.4.2(1) of the Securities Markets Rules (as in force at the relevant time), by reason of AUSIEX’s failure to include the relevant intermediary identification (by reference to an AFSL number) in regulatory data submitted to relevant market operators on 113 occasions during the period 27 October 2016 and 12 August 2019.

THE COURT ORDERS THAT:

6.    Pursuant to s 12GBA of the ASIC Act and s 1317G of the Corporations Act, CommSec pay to the Commonwealth a pecuniary penalty in the amount of $20 million in relation to the contraventions of s 12DB of the ASIC Act and s 798H of the Corporations Act referred to at [3] and [4] above.

7.    Pursuant to s 1317G of the Corporations Act, AUSIEX pay to the Commonwealth a pecuniary penalty in the amount of $7.12 million in relation to the contraventions of s 798H of the Corporations Act referred to at [5] above.

8.    Pursuant to s 1101B of the Corporations Act, CommSec implement the agreed compliance plan set out at Schedule 1 to these orders.

9.    Pursuant to s 1101B of the Corporations Act, AUSIEX implement the agreed compliance plan set out at Schedule 2 to these orders.

10.    CommSec and AUSIEX pay the plaintiff’s costs of the proceeding to be agreed or assessed.

Note:    Entry of orders is dealt with in Rule 39.32 of the Federal Court Rules 2011.

SCHEDULE 1

COMMSEC COMPLIANCE PROGRAMME

1.1    Definitions: In addition to terms defined elsewhere in this document the following definitions apply:

1.2    The Statement of Agreed Facts and Contraventions (SOAFAC) sets out the factual basis for the admitted contraventions by CommSec of the Corporations Act, Market Integrity Rules and the ASIC Act. A summary is contained at Annexure A of the SOAFAC.

1.3    As described in Section L of the SOAFAC, CommSec has undertaken an assessment of the causes of the Reported Conduct and has categorised the types of causes identified as relating to one or more of the following categories, at a high level: people, systems and processes. In particular, the Reported Conduct primarily relates to failures across multiple systems, processes and business areas, including both legacy and current systems. The specific root cause categorisations assigned to the Reported Conduct are set out at paragraph 558 of the SOAFAC (Root Causes) and include, but are not limited to:

1.4    ASIC considers the number, breadth and duration of the Reported Conduct to be indicative of material failures in broader systems and controls at CommSec. The scope of this Compliance Programme is designed to take a holistic approach to CommSec’s Systems and Controls relevant to the Reported Conduct and/or its Root Causes.

Phase 1

2.     Phase 1 Review

2.1    The Independent Expert (IE) will be required to conduct and complete a review, testing and assessment (Phase 1 Review) of the following matters:

such that reasonable steps have been taken by CommSec to ensure current and ongoing compliance with the Relevant Provisions.

3.    Phase 1 Report

3.1    CommSec will instruct the IE to provide a written report, in relation to the Phase 1 Review (Phase 1 Report) which includes the following:

c.    if any Deficiency is identified:

3.2    CommSec must ensure that the terms of the IE engagement require the IE:

4.    Phase 1 Remedial Action Plan

4.1    CommSec will address all Deficiencies identified in the Phase 1 Report and any recommendations to rectify all Deficiencies by the IE and develop a plan (Phase 1 Remedial Action Plan) to rectify any such Deficiencies and address the IE’s recommendations from the Phase 1 Report in accordance with this paragraph 4.

4.2    Any Phase 1 Remedial Action Plan must:

4.3    In developing a Phase 1 Remedial Action Plan, CommSec must:

4.4    CommSec must:

4.5    CommSec must, within 5 Business Days of implementation of all of the actions required under the Phase 1 Remedial Action Plan, provide written notification to ASIC and the IE that the Phase 1 Remedial Action Plan has been fully implemented.

4.6    If the Phase 1 Report does not identify any Deficiencies or include any recommendation by the IE, there will be no Phase 2 Review.

Phase 2

5.    Phase 2 Review

5.1    CommSec will instruct the IE to conduct and complete a review which includes testing and assessment of the following matters (Phase 2 Review):

5.2    CommSec must ensure that the terms of the IE engagement require the IE:

6.    Final Report

6.1    CommSec will instruct the IE to produce and deliver a report, in relation to the Phase 2 Review (Final Report) which includes:

6.2    CommSec must ensure that the terms of the engagement require the IE to:

7.    Phase 2 Remedial Action Plan

7.1    CommSec will be required to address all Deficiencies identified in the Final Report and the recommendations to rectify them by the IE in the Final Report and, if there are any, develop a plan (Phase 2 Remedial Action Plan) to rectify each Deficiency and address the IE’s recommendations from the Final Report. If the Final Report does not identify any Deficiencies and the IE has determined in the course of the Phase 2 Review that the recommendations in the Phase 1 Report have been effectively addressed and actions in the Phase 1 Remedial Action Plan have been effectively implemented (as contemplated in the statement at 6.1(d)), then there will be no Phase 2 Remedial Action Plan.

7.2    Any Phase 2 Remedial Action Plan must:

7.3    In developing any Phase 2 Remedial Action Plan, CommSec must:

7.4    CommSec must:

7.5    CommSec must, within 5 Business Days after the implementation of the actions required under any Phase 2 Remedial Action Plan, provide written confirmation to ASIC that the Phase 2 Remedial Action Plan is fully implemented.

8.    Attestation

8.1    ASIC is to be provided a written statement on behalf of CommSec, signed by the Executive General Manager of CommSec (or equivalent position, as agreed by ASIC) attesting to the following matters (Attestation):

8.2    The Attestation will be provided to ASIC at the earlier of:

8.3    In the event that:

ASIC may notify CommSec in writing accordingly and provide CommSec with 20 Business Days (or such longer period as ASIC approves in writing) to respond. If CommSec fails to respond, ASIC may commence proceedings to enforce compliance with the Court's Orders.

9.    Ending of the Compliance Programme

9.1    The Compliance Programme will end following compliance with all obligations under the Court’s Order including compliance with the Attestation clause referred to in paragraph 8 above.

10.    Other

10.1    The Phase 1 Report, any Final Report, any Phase 1 Remedial Action Plan and any Phase 2 Remedial Action Plan, including a list of concluded actions, must be provided to the Leadership Team and Board of Directors of CommSec.

10.2    CommSec will, within a reasonable period of receiving a request from ASIC, provide all documents and information reasonably requested by ASIC from time to time for the purposes of assessing CommSec’s compliance with the Compliance Programme, including any correspondence with the IE, other than any documents or information subject to a claim of legal professional privilege.

10.3    CommSec will be responsible for the costs of its compliance with the Compliance Programme.

10.4    CommSec and/or ASIC may apply to the Court for a variation of the terms of this Compliance Programme at any time and the Compliance Programme is subject to the Orders of the Court from time to time.

11.    Non-compliance

11.1    CommSec must notify ASIC as soon as reasonably practicable and in any event within 10 Business Days after becoming aware of any failure to comply with the Orders of the Court.

11.2    If CommSec fails to comply with the Orders of the Court, ASIC may commence proceedings to enforce compliance, following:

12.    Appointing the IE

12.1    CommSec must request ASIC to approve, within 30 Business Days of the date of the Orders of the Court, or within such longer period as may be agreed in writing by ASIC and CommSec:

12.2    The IE nominated by CommSec:

12.3    The appointment of the IE must be approved by ASIC in writing before the appointment takes effect (such approval not to be unreasonably withheld).

12.4    CommSec will provide ASIC with any information, explanation or documents it requests for the purposes of determining whether to approve the appointment of the IE, subject to a claim of legal professional privilege.

12.5    CommSec must advise ASIC of the expertise and any prior association of the proposed IE with CommSec, its related bodies corporate and officers at the time approval is sought from ASIC.

13.    Appointing a new independent expert

13.1    If the IE advises CommSec and ASIC in writing that he or she is unable to continue his or her appointment, or if the engagement is terminated because of an actual or potential conflict of interest of the IE that arises during the engagement, CommSec must within 15 Business Days (or such longer period agreed in writing with ASIC) after the ending or termination of the engagement, appoint and engage another independent expert in accordance with paragraph 12 (with such appointment to take effect for the remaining duration of the Compliance Programme).

14.    Terms of engagement

14.1    The terms of engagement for the IE will be approved by ASIC in writing before the engagement takes effect (such approval not to be unreasonably withheld) and once ASIC has provided its approval, the terms of engagement may only be varied with the agreement of ASIC (acting reasonably).

14.2    CommSec must ensure that the terms of engagement provided to ASIC for approval under paragraph 12.1:

15.    ASIC public reporting

15.1    In relation to the Phase 1 Report, Final Report, any Phase 1 Remedial Action Plan, and any Phase 2 Remedial Action Plan arising from the IE’s recommendations, ASIC:

15.2    In relation to the Compliance Programme, ASIC:

15.3    In relation to paragraph 15.1 and 15.2, ASIC will delete, remove or redact any information prior to publication if (acting reasonably) ASIC is satisfied that the information:

16.    Interpretation of Compliance Programme

16.1    In the event that CommSec and the IE are unable to agree on the interpretation of any matter the subject of this Compliance Programme, CommSec and the IE must use reasonable efforts to resolve the disagreement and if unable to do so, may request a meeting with ASIC to discuss the matter in an effort to resolve the disagreement. If ASIC requests, each of CommSec and the IE are to provide ASIC with a written submission as to the matter in dispute 3 Business Days before any such meeting.

Schedule A

The Reported Conduct is:

SCHEDULE 2

AUSIEX COMPLIANCE PROGRAMME

1.1    Definitions: In addition to terms defined elsewhere in this document the following definitions apply:

1.2    The Statement of Agreed Facts and Contraventions (SOAFAC) sets out the factual basis for the admitted contraventions by AUSIEX of the Corporations Act, Market Integrity Rules and the ASIC Act. A summary is contained at Annexure A of the SOAFAC.

1.3    As described in Section L of the SOAFAC, AUSIEX has undertaken an assessment of the causes of the Reported Conduct and has categorised the types of causes identified as relating to one or more of the following categories, at a high level: people, systems and processes. In particular, the Reported Conduct primarily relates to failures across multiple systems, processes and business areas, including both legacy and current systems. The specific root cause categorisations assigned to the Reported Conduct are set out at paragraph 568 of the SOAFAC (Root Causes) and include, but are not limited to:

1.4    ASIC considers the number, breadth and duration of the Reported Conduct to be indicative of material failures in broader systems and controls at AUSIEX. The scope of this Compliance Programme is designed to take a holistic approach to AUSIEX’s Systems and Controls relevant to the Reported Conduct and/or its Root Causes.

Phase 1

2.    Phase 1 Review

2.1    The Independent Expert (IE) will be required to conduct and complete a review, testing and assessment (Phase 1 Review) of the following matters:

AUSIEX may make submissions to the IE and ASIC and the IE and ASIC may agree that certain Systems and Controls are outside the scope of the IE’s review because AUSIEX intends to replace that system or control as part of its transition to a new control environment following completion of its sale to NRI.

3.    Phase 1 Report

3.1    AUSIEX will instruct the IE to provide a written report, in relation to the Phase 1 Review (Phase 1 Report) which includes the following:

3.3    AUSIEX must ensure that the terms of the IE engagement require the IE:

4.    Phase 1 Remedial Action Plan

4.1    AUSIEX will consider all Deficiencies identified in the Phase 1 Report and any recommendations to rectify all Deficiencies by the IE and develop a plan (Phase 1 Remedial Action Plan) to rectify any such Deficiencies and address any IE’s recommendations from the Phase 1 Report in accordance with this paragraph 4.

4.2    Any Phase 1 Remedial Action Plan must:

4.3    In developing a Phase 1 Remedial Action Plan, AUSIEX must:

4.4    AUSIEX must:

4.5    AUSIEX must, within 5 Business Days of implementation of all of the actions required under the Phase 1 Remedial Action Plan, provide written notification to ASIC and the IE that the Phase 1 Remedial Action Plan has been fully implemented.

4.6    If the Phase 1 Report does not identify any Deficiencies or include any recommendation by the IE, there will be no Phase 2 Review.

Phase 2

5.    Phase 2 Review

5.1    AUSIEX will instruct the IE to conduct and complete a review which includes testing and assessment of the following matters (Phase 2 Review):

5.2    AUSIEX must ensure that the terms of the IE engagement require the IE:

6.    Final Report

6.1    AUSIEX will instruct the IE to produce and deliver a report, in relation to the Phase 2 Review (Final Report) which includes:

6.2    AUSIEX must ensure that the terms of the engagement require the IE to:

7.    Phase 2 Remedial Action Plan

7.1    AUSIEX will be required to address all Deficiencies identified in the Final Report and the recommendations to rectify them by the IE in the Final Report and, if there are any, develop a plan (Phase 2 Remedial Action Plan) to rectify each Deficiency and address the IE’s recommendations from the Final Report. If the Final Report does not identify any Deficiencies and the IE has determined in the course of the Phase 2 Review that the recommendations in the Phase 1 Report have been effectively addressed and actions in the Phase 1 Remedial Action Plan have been effectively implemented (as contemplated in the statement at 6.1(d)), then there will be no Phase 2 Remedial Action Plan.

7.2    Any Phase 2 Remedial Action Plan must:

7.3    In developing any Phase 2 Remedial Action Plan, AUSIEX must:

7.4    AUSIEX must:

7.5    AUSIEX must, within 5 business days after the implementation of the actions required under any Phase 2 Remedial Action Plan, provide written confirmation to ASIC that the Phase 2 Remedial Action Plan is fully implemented.

8.    Attestation

8.1    ASIC is to be provided a written statement on behalf of AUSIEX, signed by the Chief Executive Officer of AUSIEX (or equivalent position, as agreed by ASIC) attesting to the following matters (Attestation):

8.2    The Attestation will be provided to ASIC at the earlier of:

8.3    In the event that:

ASIC may notify AUSIEX in writing accordingly and provide AUSIEX with 20 business days (or such longer period as ASIC approves in writing) to respond. If AUSIEX fails to respond, ASIC may commence proceedings to enforce compliance with the Court's Orders.

9.    Ending of the Compliance Programme

9.1    The Compliance Programme will end following compliance with all obligations under the Court’s Order including compliance with the Attestation clause referred to in paragraph 8 above.

10.    Other

10.1    The Phase 1 Report, any Final Report, any Phase 1 Remedial Action Plan and any Phase 2 Remedial Action Plan, including a list of concluded actions must be provided to the Leadership Team and Board of Directors of AUSIEX.

10.2    AUSIEX will, within a reasonable period of receiving a request from ASIC, provide all documents and information reasonably requested by ASIC from time to time for the purposes of assessing AUSIEX’s compliance with the Compliance Programme, including any correspondence with the IE, other than any documents or information subject to a claim of legal professional privilege.

10.3    AUSIEX will be responsible for the costs of its compliance with the Compliance Programme.

10.4    AUSIEX and/or ASIC may apply to the Court for a variation of the terms of this Compliance Programme at any time and the Compliance Programme is subject to the Orders of the Court from time to time.

11.     Non-compliance

11.1    AUSIEX must notify ASIC as soon as reasonably practicable and in any event within 10 business days after becoming aware of any failure to comply with the Orders of the Court.

12.    Appointing the IE

12.1    AUSIEX must request ASIC to approve, within 30 business days of the date of the Orders of the Court, or within such longer period as may be agreed in writing by ASIC and AUSIEX:

12.2    The IE nominated by AUSIEX:

12.3    The appointment of the IE must be approved by ASIC in writing before the appointment takes effect (such approval not to be unreasonably withheld).

12.4    AUSIEX will provide ASIC with any information, explanation or documents it requests for the purposes of determining whether to approve the appointment of the IE, subject to a claim of legal professional privilege.

12.5    AUSIEX must advise ASIC of the expertise and any prior association of the proposed IE with AUSIEX, its related bodies corporate and officers at the time approval is sought from ASIC.

13.    Appointing a new independent expert

13.1    If the IE advises AUSIEX and ASIC in writing that he or she is unable to continue his or her appointment, or if the engagement is terminated because of an actual or potential conflict of interest of the IE that arises during the engagement, AUSIEX must within 15 business days (or such longer period agreed in writing with ASIC) after the ending or termination of the engagement, appoint and engage another independent expert in accordance with paragraph 12 (with such appointment to take effect for the remaining duration of the Compliance Programme).

14.    Terms of engagement

14.1    The terms of engagement for the IE will be approved by ASIC in writing before the engagement takes effect (such approval not to be unreasonably withheld) and once ASIC has provided its approval, the terms of engagement may only be varied with the agreement of ASIC (acting reasonably).

14.2    AUSIEX must ensure that the terms of engagement of the IE provided to ASIC for approval under paragraph 12.1:

15.    ASIC public reporting

15.1    In relation to the Phase 1 Report, Final Report, any Phase 1 Remedial Action Plan, and any Phase 2 Remedial Action Plan arising from the IE’s recommendations, ASIC:

15.2    In relation to the Compliance Programme, ASIC:

15.3    In relation to paragraph 15.1 and 15.2, ASIC will delete, remove or redact any information prior to publication if (acting reasonably) ASIC is satisfied that the information:

16.    Interpretation of Compliance Programme

16.1.    In the event that AUSIEX and the IE are unable to agree on the interpretation of any matter the subject of this Compliance Programme, AUSIEX and the IE must use reasonable efforts to resolve the disagreement and if unable to do so, may request a meeting with ASIC to discuss the matter in an effort to resolve the disagreement. If ASIC requests, each of AUSIEX and the IE are to provide ASIC with a written submission as to the matter in dispute 3 Business Days before any such meeting.

Schedule A

The Reported Conduct is:

REASONS FOR JUDGMENT

ABRAHAM J:

1    The defendants, Commonwealth Securities Limited (CommSec) and Australian Investment Exchange Limited (AUSIEX), provide financial services to clients, including services that allowed clients to trade securities and maintain a trading account online. Clients of CommSec could make trades in equities, exchange traded options and other financial products.

2    Each were, at all relevant times, subsidiaries of the Commonwealth Bank of Australia Limited (CBA). CommSec and AUSIEX each is the holder of an Australian Financial Services Licence (AFSL) and is a market participant of the ASX Limited (the ASX) and Chi-X Limited (Chi-X) financial markets. As participants of the ASX and Chi-X, CommSec and AUSIEX were subject to the Market Integrity Rules (see Corporations Act 2001 (Cth) (Corporations Act) s 798H(1)(b)).

How the plaintiff characterised the defendants’ contraventions

3    This proceeding is characterised by a high degree of cooperation between the parties. The defendants largely agree with the way in which the plaintiff, the Australian Securities and Investments Commission (ASIC), has characterised their contraventions of obligations held under their AFSL, pursuant to the Market Integrity Rules and consequently, the Corporations Act (and additionally for CommSec, the Australian Securities and Investments Commission 2001 (Cth)) (ASIC Act). In this context, it is convenient to draw upon the plaintiff’s submissions and the statement of agreed facts and contraventions (SOAFAC) to explain the legal context in which the contraventions arise and the nature of the contraventions, before I recall the parties’ submissions and turn to consider whether the contraventions have been established and the appropriate remedies to flow from these.

4    Between 1 January 2017 and 14 August 2020, CommSec and AUSIEX provided a series of notifications to ASIC in relation to: incorrect brokerage fees charged by CommSec (Brokerage Issues); breaches of client money requirements and trust account reconciliation rules by CommSec and AUSIEX (Client Money Issues); a failure to send trade confirmations as required and failure to send accurate trade confirmations by each of CommSec and AUSIEX (Trade Confirmations Issues); inadequate automated order processing filters by CommSec to determine no change in beneficial ownership (AOP Issue); a failure to comply with best execution obligations by CommSec and AUSIEX (Best Execution Issue); trading of warrants on CommSec accounts without a valid Warrant Agreement Form on record (Warrant Agreement Issue); and failure to adhere to regulatory data requirements by CommSec and AUSIEX (Regulatory Data Issue) (collectively referred to as the Reported Conduct).

5    It is common ground between the parties that CommSec contravened:

(1)    s 798H of the Corporations Act, as set out at paragraph [4] of the Amended Originating Process;

(2)    s 12DB of the ASIC Act, as set out at paragraph [3] of the Amended Originating Process; and

(3)    s 912A(1)(a) of the Corporations Act, as set out at paragraph [1] of the Amended Originating Process.

6    It is also common ground between the parties that AUSIEX contravened:

(1)    s 798H of the Corporations Act, as set out at paragraph [5] of the Amended Originating Process; and

(2)    s 912A(1)(a) of the Corporations Act, as set out at paragraph [2] of the Amended Originating Process.

7    The Reported Conduct spanned the period from 1 August 2010 to 18 June 2020 for CommSec and from 6 May 2010 to 27 November 2019 for AUSIEX, and related to failures across multiple systems, processes and business areas. Due to limitation periods, declarations and penalties are sought in relation to conduct occurring on or after 1 March 2015 (the Limitation Date), although conduct occurring prior to that date is referenced to contextualise later conduct or to establish a continuing course of conduct.

8    The contravening conduct concerns a range of services and issues. There is not a single cause of all of the offending conduct. Nevertheless, there are common features across the conduct. The issues arose from failures such as information technology system coding or systems issues, human error, and/or data entry errors. The number, breadth and duration of the Reported Conduct when viewed in totality is significant and indicates the entities did not have adequate systems and processes in place to ensure compliance with their relevant obligations under their AFSLs and pursuant to the Market Integrity Rules and consequently, the Corporations Act (and additionally for CommSec, the ASIC Act).

9    I note that CommSec has been before the Markets Disciplinary Panel (MDP) for contraventions of the Market Integrity Rules on seven previous occasions since 2012, receiving fines totalling $1,055,000. It has also been subject to a Court Enforceable Undertaking in 2013 for client money and trust account failings.

10    That said, ASIC does not allege, and there is no evidence to indicate that, any of the contraventions the subject of these proceedings were deliberate, or that the conduct constituting the contraventions was conduct of senior management of either CommSec or AUSIEX. Both defendants have cooperated with ASIC in relation to these proceedings, expressed contrition for the Reported Conduct, taken steps to address the issues the subject of the Reported Conduct, and to remediate any client detriment. The defendants have also agreed to ongoing compliance programs. These common factors relevant to the Reported Conduct are referred to as the ‘Mitigating Factors’ and ASIC has also taken these into account by submitting that a 30% discount to the headline penalty figures proposed is appropriate.

11    I note that while there appear to be some ongoing issues in relation to matters similar to the Reported Conduct, each of the parties has agreed to enter into detailed compliance plans to ensure any outstanding issues are addressed.

12    This proceeding relates to the relief sought as a result of the admitted contravention.

13    As will be readily apparent from even that brief description, there has been significant co-operation by parties, and the matter proceeded on the basis of a very detailed SOAFAC. In those circumstances it is unnecessary to recite in detail those facts, which I accept, and I attach that statement to these reasons as Annexure A. I will only refer to some brief aspects.

The proposed relief

14    ASIC proposes pecuniary penalties in respect of the admitted contraventions in the following amounts (after application of the 30% discount for co-operation):

(1)    $20 million in respect of CommSec; and

(2)    $7.12 million in respect of AUSIEX.

15    Each defendant agreed to the overall penalty amounts proposed by ASIC. CommSec and AUSIEX have also agreed to the form of compliance plans attached at Schedule 1 and Schedule 2 to the orders I will make.

16    As explained in the reasons below, having considered the facts and circumstances, in light of the relevant legal principles, I agree that the proposed declarations, penalties and orders appropriately reflect the seriousness of the contraventions.

Contravention provisions – the legal context

17    As there is no relevant controversy between the relevant applicable principles, I have taken the below summary, in large part, as correctly outlined by the parties in its submissions.

Section 798H of the Corporations Act

18    Participants in licensed markets “must comply with the market integrity rules”: s 798H(1) of the Corporations Act. ASIC is granted power to make market integrity rules under s 798G of the Corporations Act. Prior to 2017, ASIC had a series of market-specific rule-books in operation, including, relevantly, the ASX Rules and the Exchange Markets Rules. From 7 May 2018, the market specific rules were replaced with a common set of market integrity rules for securities markets (the Securities Markets Rules).

19    Section 798H(1) is a civil penalty provision. The imposition of a penalty is discretionary: s 1317G. In determining the appropriate pecuniary penalty, the Court must take into account all relevant matters, including (s 1317G(6)):

(1)    the nature and extent of the contravention;

(2)    the nature and extent of any loss or damage suffered because of the contravention;

(3)    the circumstances in which the contravention took place; and

(4)    whether the person has previously been found by a court (including a court of a foreign country) to have engaged in similar conduct.

20    If a Court is satisfied that a person has contravened a civil penalty provision, “it must make a declaration of contravention”: s 1317E. In contrast to the pecuniary penalty, this is a mandatory requirement: Australian Securities and Investments Commission v Warrenmang [2007] FCA 973; (2007) 63 ACSR 623 at [31].

21    By virtue of the time period over which they occurred, the contraventions concern both the Securities Markets Rules and equivalent provisions under the earlier ASX Rules and Exchange Market Rules. The significant difference in the transition in rules, is in the maximum penalty amounts applicable to Reported Conduct which occurred wholly on or after 13 March 2019: Treasury Laws Amendment (Strengthening Corporate and Financial Sector Penalties) Act 2019 (Cth) (Amendment Act).

22    The Market Integrity Rules (including the Securities Markets Rules, applicable to contraventions on and from 13 March 2019) contain within them tiered maximum penalty amounts in respect of different rules. However, those maximums only apply in respect of conduct that occurred, or commenced, prior to 13 March 2019, since the Amendment Act removed s 798G(2) of the Corporations Act (Amendment Act s 48), which had provided ASIC with the power to stipulate a penalty amount in respect of a contravention of the Market Integrity Rules.

23    The applicable penalty regime for contravention of the Market Integrity Rules after 13 March 2019 is set out in s 1317G(4) of the Corporations Act.

24    As a consequence, the maximum penalty for each alleged contravention is:

(1)    if the conduct occurred or commenced prior to 13 March 2019 – the maximum penalty specified in the relevant rule (being one of $1 million, $100,000 and $20,000): see former ss 798G(1C)-(1D) and 798G(2) of the Corporations Act;

(2)    if the conduct occurred wholly on or after 13 March 2019: approximately $525 million in respect of each contravention by CommSec; and $525 million in respect of each contravention by AUSIEX.

Section 12DB of the ASIC Act

25    This provision addresses false or misleading representations. To prove a contravention, it must be established that:

(1)    the defendant made a representation;

(2)    which was false or misleading about one or several matters listed in sub-s (1);

(3)    which was made in trade or commerce; and

(4)    which was made:

(a)    in connection with the supply or possible supply of financial services; or

(b)    in connection with the promotion by any means of the supply or use of financial services.

26    For the period relevant to the admitted contravention of s 12DB, being 1 March 2015 to 26 March 2018, the ASIC Act did not contain any provision which specifically gave the Court power to make declarations: (c.f. s 12GBA of the current ASIC Act). The Court’s power to make declarations in relation to contraventions of s 12DB of the ASIC Act for that period is found in s 21 of the Federal Court of Australia Act 1976 (Cth) (FCA Act).

27    Pecuniary penalties for contraventions for the period relevant to the admitted contravention were dealt with in s 12GBA of the ASIC Act, which relevantly provided that, if the Court is satisfied that a person has contravened s 12DB, “the Court may order the person to pay to the Commonwealth such pecuniary penalty, in respect of each act or omission by the person to which the section applies, as the Court determines to be appropriate.” In determining the appropriate pecuniary penalty, the Court must have regard to all relevant matters including (s 12GBA(2)):

(1)    the nature and extent of the act or omission and of any loss or damage suffered as a result of the act or omission;

(2)    the circumstances in which the act or omission took place;

(3)    whether the person has previously been found by the court in proceeding under subdivision G (of Pt 2, Div 2), to have engaged in any similar conduct.

28    For each contravention of s 12DB, the maximum penalty payable by a body corporate under s 12GBA(3) of the ASIC Act is 10,000 penalty units. Over the relevant period, the value of a penalty unit has been:

(1)    between 1 March 2015 and 30 July 2015, $170;

(2)    between 31 July 2015 and 30 June 2017, $180; and

(3)    from 1 July 2015 to 26 March 2018, $210.

29    Therefore, the maximum penalty for a contravention of s 12DB during the relevant applicable period has ranged from $1.7 million to $2.1 million. A contravention of s 12DB occurs each time the relevant false or misleading representation is made to a person. In cases involving representations made on a website (relevant to the contraventions of s 12DB in these proceedings), a representation is made each time that the relevant content on the website is accessed and viewed by a user of the website: Australian Competition and Consumer Commission v Hillside (Australia New Media) Pty Ltd trading as Bet365 (No 2) [2016] FCA 698 at [12]; Australian Securities and Investments Commission v Gallop International Group Pty Ltd [2019] FCA 1514; (2019) 138 ACSR 395 at [288].

Section 912A(1)(a) of the Corporations Act

30    This provision provided that a financial service licensee must do all things necessary to ensure that the financial services are provided “efficiently, honestly and fairly”. This applied to each defendant in respect of the services provided by that entity.

31    In Australian Securities and Investments Commission v Camelot Derivatives Pty Ltd (in liq) [2012] FCA 414; (2012) 88 ACSR 206 at [69]-[70], Foster J observed in relation to s 912A(1)(a):

[69]    In support of the relief which it seeks based upon s 912A(1)(a) of the Corporations Act, ASIC made the following submissions:

(a)    The words “efficiently, honestly and fairly” must be read as a compendious indication meaning a person who goes about their duties efficiently having regard to the dictates of honesty and fairness, honestly having regard to the dictates of efficiency and fairness, and fairly having regard to the dictates of efficiency and honesty: Story v National Companies and Securities Commission (1988) 13 NSWLR 661 at 672. ([126])

(b)    The words “efficiently, honestly and fairly” connote a requirement of competence in providing advice and in complying with relevant statutory obligations: Re Hres and Australian Securities and Investments Commission (2008) 105 ALD 124 at [237]. They also connote an element not just of even handedness in dealing with clients but a less readily defined concept of sound ethical values and judgment in matters relevant to a client’s affairs: Re Hres and Australian Securities and Investments Commission (2008) 105 ALD 124 at [237]. ([127])

(c)    The word “efficient” refers to a person who performs his duties efficiently, meaning the person is adequate in performance, produces the desired effect, is capable, competent and adequate: Story v National Companies and Securities Commission (1988) 13 NSWLR 661 at 672. Inefficiency may be established by demonstrating that the performance of a licensee’s functions falls short of the reasonable standard of performance by a dealer that the public is entitled to expect: Story v National Companies and Securities Commission (1988) 13 NSWLR 661 at 679. ([128])

(d)    It is not necessary to establish dishonesty in the criminal sense: R J Elrington Nominees Pty Ltd v Corporate Affairs Commission (SA) (1989) 1 ACSR 93 at 110. The word “honestly” may comprehend conduct which is not criminal but which is morally wrong in the commercial sense: R J Elrington Nominees Pty Ltd v Corporate Affairs Commission (SA) (1989) 1 ACSR 93 at 110. ([129])

(e)    The word “honestly” when used in conjunction with the word “fairly” tends to give the flavour of a person who not only is not dishonest, but also a person who is ethically sound: Story v National Companies and Securities Commission (1988) 13 NSWLR 661 at 672. ([130])

[70]    The submissions which I have extracted at [69] above are correct and I accept them.

32    Foster J’s statement was cited with approval in, for example: Australian Securities and Investments Commission v Commonwealth Bank of Australia [2020] FCA 790 at [50]; Australian Securities and Investments Commission v Avestra Asset Management Limited (in liq) [2017] FCA 497; (2017) 348 ALR 525 at [191]; Australian Securities and Investments Commission v Cassimatis (No 8) [2016] FCA 1023; (2016) 336 ALR 209 at [674]; Australian Securities and Investments Commission v Westpac Banking Corporation (No 2) [2018] FCA 751; (2018) 266 FCR 147 at [2347]; Australian Securities and Investments Commission v AGM Markets Pty Ltd (in liq) (No 3) [2020] FCA 208; (2020) 275 FCR 57 at [505] and Australian Securities and Investments Commission v MLC Nominees Pty Ltd [2020] FCA 1306; (2020) 147 ACSR 266 at [50].

33    ASIC also referred to the recent obiter comments of O’Bryan J in ASIC v Westpac Securities [2019] FCAFC 187; (2019) 272 FCR 170 at [426]:

With respect, it is not apparent that either reason provides a sound basis for reading the phrase, as it appears in s 912A(1)(a) of the Act, compendiously in the manner suggested by his Honour [referring to Young J’s construction of s 912A in Story v National Companies and Securities Commission (1988) 13 NSWLR 661]. In particular, it is not apparent why a licensee cannot comply with each of the three obligations, efficiently, honestly and fairly, applying the ordinary meaning of each word. One of the meanings of the word “efficiently”, and the meaning well adapted to the statutory provision, is competent, capable and having and using the requisite knowledge, skill and industry: cf ASIC v Camelot at [69(c)]. The word “honestly” includes dishonesty in the criminal sense but may also comprehend conduct which is not criminal but which is morally wrong in the commercial sense: RJ Elrington Nominees Pty Ltd v Corporate Affairs Commission (SA) (1989) 1 ACSR 93 at 110. The word “fair” as used in s 912A(1)(a) has not received detailed judicial consideration. However, it seems to me that there is no reason why it cannot carry its ordinary meaning which includes an absence of injustice, even-handedness and reasonableness. As is the case with legislative requirements of a similar kind, such as provisions addressing unfair contract terms, the characterisation of conduct as unfair is evaluative and must be done with close attention to the applicable statutory provision: cf Paciocco v Australia and New Zealand Banking Group Ltd (2015) 236 FCR 199 at [364]. It seems to me that the concepts of efficiently, honestly and fairly are not inherently in conflict with each other and that the ordinary meaning of the words used in s 912A(1)(a) is to impose three concurrent obligations on the financial services licensee: to ensure that the financial services are provided efficiently, and are provided honestly, and are provided fairly.

34    As O’Bryan J stated at [424], immediately before those observations, the point was not the subject of argument. Allsop CJ reserved “for an occasion where the matter was fully argued the question whether the phrase is compendious and, if it is, its meaning and application”: at [170]. I note that there was no suggestion by ASIC that O’Bryan J’s dicta had changed the law.

35    As ASIC submitted, ultimately, the distinction may be of limited practical impact, as was recognised by Young J who originally articulated the composite approach in Story v National Companies and Securities Commission (1988) 13 NSWLR 661, as he observed that “in the long run it does not seem to me to much matter whether one reads the words cumulatively or disjunctively, because unless a licence holder possesses the three attributes whether as one package or as three separate parcels, the Commission can revoke his licence”. I note that the point was not fully argued before me and I do not think it is necessary to add anything further here.

Principle applicable to the relief sought

Declarations

36    As previously observed, s 1317E governs the making of declarations in respect of the acknowledged contraventions of s 798H of the Corporations Act, once the Court is satisfied that a contravention has been established.

37    The admitted contraventions of s 912A(1)(a) of the Corporations Act commenced prior to that provision becoming a civil penalty provision on 13 March 2019. The contraventions with respect to s 12DB of the ASIC Act took place prior to the introduction of a specific power to make declarations for contraventions of the ASIC Act.

38    The Court has a discretionary power to make declarations in respect of the contraventions of s 912A(1)(a) of the Corporations Act and s 12DB of the ASIC Act pursuant to s 21 of the FCA Act: Australian Securities and Investments Commission v Fisher & Paykel Customer Services Pty Ltd [2014] FCA 1393 at [50]. The Court’s power to grant declaratory relief pursuant to s 21 of FCA Act "is a very wide one" and the court is "limited only by its discretion": Seven Network Ltd v News Ltd [2009] FCAFC 166; (2009) 182 FCR 160 at [1016]. Three requirements need to be satisfied before making declarations: (1) the question must be a real and not a hypothetical or theoretical one; (2) the applicant must have a real interest in raising it; and (3) there must be a proper contradictor. Other factors relevant to the exercise of the discretion include: (a) whether the declaration will have any utility; (b) whether the proceeding involves a matter of public interest: ASIC v Pegasus Leverages Options Group Pty Ltd [2002] NSWSC 310; (2002) 41 ACSR 561 at 571; and (c) whether the circumstances call for the marking of the Court’s disapproval of the contravening conduct: Australian Securities and Investments Commission v Monarch FX Group Pty Ltd [2014] FCA 1387; 103 ACSR 453 at [63]; Australian Securities and Investments Commission v Stone Assets Management Pty Ltd [2012] FCA 630; (2012) 205 FCR 120 at [42].

Pecuniary penalties

39    The purpose of a civil penalty is primarily protective, in promoting the public interest in compliance by deterrence from further contravening conduct: Australian Building and Construction Commission v Pattinson [2022] HCA 13; (2022) 399 ALR 599 at [15]. A penalty of appropriate deterrent effect “must be fixed with a view to ensuring that the penalty is not such as to be regarded by [the] offender or others as an acceptable cost of doing business”: Pattinson at [17] citing Singtel Optus Pty Ltd v Australian Competition and Consumer Commission [2012] FCAFC 20; (2012) 287 ALR 249 at [62].

40    The assessment of penalty of appropriate deterrent value will have regard to a number of factors including: (1) the nature and extent of the contravening conduct; (2) the amount of loss or damage caused; (3) the circumstances in which the conduct took place; (4) the size of the contravening company; (5) the degree of power it has, as evidenced by its market share and ease of entry into the market; (6) the deliberateness of the contravention and the period over which it extended; (7) whether the contravention arose out of the conduct of senior management or at a lower level; (8) whether the company has a corporate culture conducive to compliance, as evidenced by educational programs or other corrective measures in response to an acknowledged contravention; and (9) whether the company has shown a disposition to co-operate with the authorities responsible for the enforcement of the Act in relation to contravention: Pattinson at [18]. These are not to be considered to be a rigid list of factors to be ticked off: Pattinson at [19], but rather are to inform a multifactorial investigation that leads to a result arrived at by a process of “instinctive synthesis” addressing the relevant considerations: Australian Competition and Consumer Commission v Reckitt Benckiser (Australia) Pty Ltd [2016] FCAFC 181; (2016) 340 ALR 25 at [44].

41    It is recognised that ordinarily separate contraventions arising from separate acts should attract separate penalties. However where separate acts give rise to separate contraventions which are inextricably interrelated, they may be regarded as a “course of conduct” for penalty purposes: Australian Competition and Consumer Commission v Yazaki Corporation [2018] FCAFC 73; (2018) 262 FCR 243 at [234]. This avoids double-punishment for those parts of the legally distinct contraventions which involve overlap in wrongdoing: see for example, Construction, Forestry, Mining and Energy Union v Cahill [2010] FCAFC 39; (2010) 269 ALR 1 at [39] and [41].Whether the contraventions should be treated as a single course of conduct is a question of fact having regard to all of the circumstances of the case.

42    The principle of totality requires the Court to make a “final check” of the penalties to be imposed on a wrongdoer, considered as a whole, to ensure that the total penalty does not exceed what is proper for the entire contravening conduct: Australian Competition and Consumer Commission v Australian Safeway Stores Pty Ltd [1997] FCA 450; (1997) 145 ALR 36 at 53, citing Mill v The Queen [1988] HCA 70; (1988) 166 CLR 59.

43    The principles to be applied in considering a jointly proposed penalty were considered in Commonwealth v Director, Fair Work Building Industry Inspectorate [2015] HCA 46; (2015) 258 CLR 482 (DFWBII), where the majority observed at [46]:

[T]here is an important public policy involved in promoting predictability of outcome in civil penalty proceedings and that the practice of receiving and, if appropriate, accepting agreed penalty submissions increases the predictability of outcome for regulators and wrongdoers. As was recognised in Allied Mills and authoritatively determined in NW Frozen Foods, such predictability of outcome encourages corporations to acknowledge contraventions, which, in turn, assists in avoiding lengthy and complex litigation and thus tends to free the courts to deal with other matters and to free investigating officers to turn to other areas of investigation that await their attention.

44    Further, their Honours said at [58]:

... Subject to the court being sufficiently persuaded of the accuracy of the parties’ agreement as to facts and consequences, and that the penalty which the parties propose is an appropriate remedy in the circumstances thus revealed, it is consistent with principle and ... highly desirable in practice for the court to accept the parties’ proposal and therefore impose the proposed penalty.

45    Those observations about the desirability of acting upon agreed penalty submissions were made in the context of a broader recognition that as a civil litigant in civil proceedings, civil penalties are but one of numerous forms of relief which regulators can pursue, and it is entirely orthodox for regulators to make submissions as to that relief: see DFWBII at [24], [57]-[59], [63], [103], [107]. Those principles to be applied in considering a jointly proposed penalty were recently considered in Volkswagen Aktiengesellschaft v Australian Competition and Consumer Commission [2021] FCAFC 49; (2021) 284 FCR 24 at [124]-[131], referring to Fair Work, NW Frozen Foods Pty Ltd v Australian Competition Commission [1996] FCA 1134; (1996) 71 FCR 285 and Minister for Industry, Tourism and Resources v Mobil Oil Australia Pty Ltd [2004] FCAFC 72; (2004) ATPR 41-993. A number of points were highlighted including: first, the Court must be satisfied that the penalty proposed by the parties is appropriate: at [125]; second, if persuaded of the accuracy of the parties’ agreement as to facts and that the proposed penalty is an appropriate remedy, it is highly desirable for the Court to accept the proposal: at [126]; third, in considering whether the proposed penalty is appropriate, it is necessary to bear in mind that there is no single appropriate penalty, but rather a permissible range. The proposed penalty may be “an” appropriate penalty if it falls within that range: at [127]; fourth, the Court should generally recognise that it most likely was a result of compromise and pragmatism on the part of the regulator, and while the regulator must estimate the penalty necessary to achieve deterrence, the Court must assess the proposed penalty on its merits, being wary of the possibility that the regulator may have been too pragmatic: at [129]; fifth, the Court’s task is not limited to simply determining whether the jointly proposed penalty is within the permissible range, though that might be expected to be a highly relevant and perhaps determinative consideration. The overriding statutory directive is for the Court to impose a penalty which is determined to be appropriate having regard to all relevant matters: at [131].

46    ASIC submitted that at least in so far as pecuniary penalties in respect of contraventions of the Market Integrity Rules and s 798H is concerned, there has been only one other civil penalty case brought to date in respect of that provision of the Corporations Act, and that involved an agreed penalty for conduct occurring prior to the Amendment Act.

47    As noted above (at [21]-[22]), there has been a significant increase in maximum penalties for comparable offences under the Market Integrity Rules where contraventions occur wholly on or after 13 March 2019. The theoretical maximum penalty amounts for the Reported Conduct are in some instances many times the assets of the entities involved. While penalties must be set at appropriate levels to address the goals of specific and general deterrence, ASIC accepted that the maximum theoretical penalty amounts in these proceedings are a disproportionate yardstick when viewed against the technical nature of the underlying offences here, particularly where there are many contraventions of a similar nature. Notwithstanding that, the legislative amendments brought about by the Amendment Act reflect a clear intention that penalties for contraventions of s 798H of the Corporations Act be increased above the penalties applicable prior to that date. ASIC submitted that the penalty amounts suggested by ASIC are a genuine attempt to reflect that clear legislative intention of the Parliament.

Compliance plans

48    Section 1101B of the Corporations Act is broad enough to empower the making of an order requiring a contravener to establish a compliance program tailored to remedying the contraventions established. In ASIC v Westpac Banking Corporation (No 3) [2018] FCA 1701; (2018) 131 ACSR 585 at [183], Beach J noted three things in relation to the power:

First and generally speaking, one should not read provisions conferring jurisdiction on, or granting powers to, a court by making implications or imposing limitations which are not found in the express words. Second, it is no objection to an order requiring a compliance program to be established that it is in a form of mandatory injunction; I would note that the illustrative orders set out in s 1101B(4) contain examples that are mandatory in nature. Third, what the court "thinks fit" is not at large. The power must be exercised judicially having regard to the text, context and purpose of the Corporations Act. Given that this is a power that must relate to a contravention, a compliance program can be readily accommodated within its scope as an order designed to ensure that a contravention of a similar kind does not occur again. And given that one of the purposes of the civil penalty regime is deterrence, a compliance program can address specific deterrence.

49    The compliance program must have a connection with the contravening conduct that has been found: ASIC v Westpac Banking Corporation (No 3) at [186], citing ACCC v Z-Tek Computer Pty Ltd [1997] FCA 871; (1997) 78 FCR 197 at 205.

50    It must strike the appropriate balance between prescription, so as to avoid uncertainty, and over particularity, so as to avoid unworkability: ASIC v Westpac Banking Corporation (No 3) at [187] citing ACCC v Virgin Mobile Australia Pty Ltd (No 2) [2002] FCA 1548 at [24].

Evidence

51    As noted above, this matter is characterised by a high degree of cooperation between the parties and proceeded largely by way of a detailed statement of agreed facts and contraventions, which, as stated above, I accept. In addition, ASIC relied on one affidavit, and CommSec and/or AUSIEX relied on three affidavits. All four affidavits were read without objection and no deponents were required for cross-examination.

ASIC’s affidavit

52    The affidavit read by ASIC was the affidavit of Anita McKenzie verified 27 May 2021 (McKenzie Affidavit). Ms McKenzie was a Senior Manager in the Markets Enforcement team of ASIC, and pursuant to s 102 of the ASIC Act had been delegated certain functions and powers including functions and powers under Pt 3 of the ASIC Act relating to ASIC’s investigation and information gathering.

53    Ms McKenzie explained that on 27 May 2019, an investigation was commenced under s 13 of the ASIC Act in relation to suspected contraventions by CommSec and AUSIEX of the Corporations Act and the Market Integrity Rules. The investigation was expanded on 16 October 2019 to include suspected contraventions of the ASIC Act and other market integrity rules.

54    Ms McKenzie then described a notice of direction that ASIC issued to CommSec pursuant to s 912C(1) of the Corporations Act on 26 August 2019, requiring CommSec to provide a written statement of the details of all complaints or queries from customers about being incorrectly charged brokerage rates / fees. The McKenzie affidavit annexes the relevant portions of CommSec’s response to the notice of direction.

55    The McKenzie affidavit next addresses subsequent breach notifications made by CommSec and AUSIEX subsequent to the period covered by the SOAFAC. The relevant parts of these breach notifications are annexed to her affidavit. Finally, the affidavit annexes financial statements and reports for CommSec and AUSIEX for the 2019-20 financial year.

CommSec’s and/or AUSIEX’s affidavits

56    The first affidavit read by AUSIEX was an affidavit of Eric Blewitt verified on 20 August 2021. Mr Blewitt was the Chief Executive Officer and a director of AUSIEX, and made the affidavit on AUSIEX’s behalf. In his position, during all relevant periods, Mr Blewitt was a Responsible Manager for AUSIEX, being a person nominated by an AFSL licensee who has direct responsibility for significant day-to-day decisions in their regulatory environment.

57    Mr Blewitt noted that since 13 August 2021, AUSIEX is no longer owned by the CBA. His affidavit explained AUSIEX’s governance structures both prior to and subsequent to its separation from the CBA group. He also explained the structure of teams that existed to manage compliance within AUSIEX and the improvements to compliance systems that AUSIEX has already made, including implementing Project Rampart and Project Umbrella which were developed before the separation from the CBA group and are discussed further at [73] below.

58    Mr Blewitt also described the remediation work that has been undertaken by AUSIEX since separating from the CBA group to ensure compliance with obligations relating to aspects of the Reported Conduct including the handling of client monies, issuing of trade confirmations to customers, monitoring of best execution and the provision of regulatory data to market operators. Mr Blewitt said he considered that ensuring AUSIEX has in place systems, processes and controls to ensure compliance with those obligations and avoid repetition of AUSIEX's Reported Conduct to be of the highest importance. Mr Blewitt highlighted that he had emphasised the importance of compliance at a Board Meeting of AUSIEX and that, in this context, he anticipated that any future breaches would be escalated to him in addition to AUSIEX following the formal processes under the company’s Incident and Breach Policy.

59    The second affidavit read by CommSec and AUSIEX was an affidavit of Michael Vacy-Lyle verified on 20 August 2021. Mr Vacy-Lyle was the Group Executive for Business Banking at the CBA and made the affidavit on behalf of both CommSec and AUSIEX. Since 1 February 2020, Mr Vacy-Lyle has been one of the accountable persons within the meaning of s 5 of the Banking Act 1959 (Cth) of the CBA. In that capacity, he has had senior executive responsibility for the management or control of the Business Banking business, which includes CommSec and included AUSIEX prior to 3 May 2021. Mr Vacy-Lyle has chaired and participated in a number of committees across the CBA group that focus on compliance and also has attended CommSec’s board meetings since 18 February 2020, where he would review packs providing details on the Reported Conduct and remediation projects in relation to these.

60    Mr Vacy-Lyle’s affidavit admitted, and apologised on behalf of CommSec and AUSIEX for, the Reported Conduct. He emphasised that the contraventions should not have occurred, took place over an extended period of time, had the potential to undermine market integrity, were serious and occurred despite previous proceedings before the MDP. Mr Vacy-Lyle also apologised for the failures to report contraventions in a timely manner, and for the financial detriment or potential financial detriment that was caused to clients by the Brokerage, Best Execution and Warrant Agreement issues. Mr Vacy-Lyle accepted that in light of the previous proceedings before the MDP, it was appropriate for ASIC to bring civil penalty proceedings in this court to achieve deterrence.

61    Mr Vacy-Lyle highlighted that CommSec and AUSIEX had proactively taken steps to remediate clients who suffered or may have suffered financial detriment, and undertaken significant work and restructuring directed at remedying the causes of client monies and trade confirmation issues and generally to improve compliance and risk management.

62    The third affidavit read by the defendants was an affidavit of David Smith verified on 28 August 2021. Mr Smith was the Head of Compliance since around September 2014 at CommSec and he makes the affidavit on behalf of CommSec and AUSIEX. As the Head of Compliance, Mr Smith’s responsibilities generally included leading a team of compliance advisers providing compliance support to the CommSec and (prior to 3 May 2021) AUSIEX businesses to ensure they are aware of and comply with the relevant compliance rules, regulations, industry codes and organisational requirements.

63    Mr Smith’s affidavit provided significant detail on the structure of the teams, policies, procedures and controls at CommSec designed to ensure compliance. Mr Smith also described relevant changes to these teams since the Limitation Date and enhancements that have been made to issue and incident management procedures across CommSec and the CBA group more broadly. He indicated that CommSec has established a separate team to co-ordinate implementation of the proposed court-ordered compliance plan.

64    Mr Smith then described how CommSec and AUSIEX’s systems and processes applicable to the contraventions in the SOAFAC operated. He explained how the companies detected each category of the Reported Conduct, and how they internally escalated and then externally reported these issues.

65    Finally, Mr Smith addressed antecedent conduct engaged in by CommSec and AUSIEX prior to the Reported Conduct and the work undertaken by them to address that conduct. This included conduct that resulted in CommSec and AUSIEX giving an enforceable undertaking under s 93AA of the ASIC Act and conduct that resulted in CommSec and AUSIEX being parties to proceedings before the MDP.

The contraventions and the defendants’ response

66    As explained above, this matter proceed by way of a detailed SOAFAC.

67    Each of CommSec and AUSIEX provided financial services to clients, including services that allowed clients to trade securities and maintain a trading account online. Most of the trades were in equities (with CommSec issuing to clients 4,588,620 equities trade confirmations in 2015, and 6,483,457 in 2019 - noting that a trade confirmation may relate to multiple trades; AUSIEX issuing 1,653,906 in 2015 and 1,871,664 in 2019), but there were also trades in exchange traded options and other financial products.

68    By reason of s 798H of the Corporations Act, in providing many of these services, CommSec and AUSIEX as participants in the relevant markets were obliged to comply with market integrity rules made by ASIC under s 798G of the Corporations Act, including the Market Integrity Rules.

69    The contraventions of the Corporations Act with which this proceeding is concerned arose in the context of CommSec and AUSIEX providing brokering and execution services to their clients, many of whom were retail clients. Clients generally placed orders online and the systems and records used to charge for the services provided and to manage related matters such as the handling of client monies and the discharge of related regulatory obligations were largely dependent on information technology systems, including (particularly in relation to client monies) third party provided systems.

70    The contravening conduct concerns a range of services and issues.

71    As identified in [4] above, the contraventions, generally speaking, fall into eight categories:

(1)    Brokerage Issues (CommSec);

(2)    Client Money Issues (CommSec and AUSIEX);

(3)    Trade Confirmations Issues (CommSec and AUSIEX);

(4)    AOP Issue (CommSec);

(5)    Best Execution Issue (CommSec and AUSIEX);

(6)    Warrant Agreement Issue (CommSec);

(7)    Regulatory Data Issue (CommSec and AUSIEX);

(8)    Failure to provide services “efficiently, honestly and fairly”: s 912A(1)(a) of the Corporations Act;

72    The only issue which resulted in any actual financial detriment to customers was the Brokerage Issue, although potential financial detriment to customers may have arisen from the Best Execution Issue and Warrant Agreement Issue. To the extent any clients of CommSec or AUSIEX actually or potentially suffered a financial detriment by reason of the contravening conduct in relation to the Brokerage Issue, the Best Execution Issue and the Warrant Agreement Issue, CommSec and AUSIEX have provided compensation, including interest. With respect to the balance of the issues, CommSec and AUSIEX accept non-compliance may also give rise to potential client detriment (albeit not financial detriment) or market integrity implications. Other than in relation to the Brokerage Issue, ASIC does not allege, and there is no evidence to indicate that, any of the issues resulted in any revenue or direct benefit being derived by CommSec or AUSIEX. However, CommSec acknowledged it is possible they may have obtained benefits as a result of the AOP Issue and Best Execution Issue, in the form of trades placed that may otherwise not have been placed.

73    CommSec and AUSIEX have taken action directed toward remedying the causes of each of the issues giving rise to the contravening conduct. This has included changes to information technology systems, introduction of greater human oversight and controls, and changes to policies and procedures. CommSec and AUSIEX have entered into agreements with third-party providers which require them to provide further assurance that their services comply with the specifications required by CommSec and AUSIEX. More specifically, following identification of the Client Money Issues, CommSec and AUSIEX established Project Rampart. Following identification of the Trade Confirmation Issues, CommSec and AUSIEX established Project Umbrella. These projects are explained further in Annexure A. Since the establishment of those projects, ASIC has received some further breach reports in respect of both Client Money Issues and Trade Confirmations Issues, including as a result of the work undertaken as part of those projects.

74    CommSec and AUSIEX accept that there were inadequacies in their processes and procedures to ensure compliance with the relevant obligations. While they did have in place processes addressing operational risk and compliance, these processes were not sufficient to ensure compliance with the relevant regulatory obligations.