Federal Court of Australia

Walker v Members Equity Pty Ltd (formerly Members Equity Bank Ltd) [2024] FCA 15

ORDERS

THE COURT ORDERS THAT:

    The defendant be convicted on all four charges.

    The defendant pay a fine of $820,000 within 60 days comprising:

(a)    a fine of $750,000 for charge 1;

(b)    a fine of $30,000 for charge 2;

(c)    a fine of $40,000 for charges 3 and 4 (being $5,000 for charge 3 and $35,000 for charge 4).

Note:    Entry of orders is dealt with in Rule 39.32 of the Federal Court Rules 2011.

REASONS FOR JUDGMENT

BROMWICH J:

1    These are reasons for sentences imposed upon the defendant, a now defunct bank, in relation to four summary strict liability offences committed contrary to:

(a)    s 12GB(1) of the Australian Securities and Investments Commission Act 2001 (Cth) (ASIC Act) in relation to conduct prohibited by s 12DB(1)(g) of that Act; and

(b)    ss 64(1) and 65(1) of the National Credit Code (which is in Schedule 1 of the National Consumer Credit Protection Act 2009 (Cth)).

2    The informant who laid the charges is Ms Caroline Walker, an officer of the Australian Securities and Investments Commission (ASIC). The prosecution is conducted for the informant by the Commonwealth Director of Public Prosecutions (CDPP).

3    The defendant, Members Equity Pty Ltd, formerly known as Members Equity Bank Ltd (ME Bank), was acquired by the Bank of Queensland (BOQ) on 1 July 2021, long after the offences were committed in the 20-month period between late December 2016 and early September 2018. On 28 February 2022, the assets and liabilities of ME Bank were transferred to BOQ and its licence was surrendered. Since that transfer, ME Bank has been a dormant subsidiary of BOQ. ME Bank was converted into a proprietary limited company to ease accounting requirements. BOQ continues to use the name “ME Bank” and “ME” for part of its business activities, but those activities are no longer conducted by a separate legal entity, and therefore not by the legal entity which is the defendant in this proceeding, although it is the same business. BOQ has undertaken to pay any fines imposed on its wholly owned subsidiary, formally known as ME Bank. It is convenient to continue to refer to the defendant as ME Bank.

4    The CDPP succinctly summarises the offending conduct in written submissions as follows:

In summary, the relevant conduct concerns ME Bank’s communications to its home loan customers. One count concerns letters that were sent to customers that misstated the minimum amount which those customers had to repay following expiry of the fixed-rate or interest-only period of their home loan. The remaining counts concern failures to send letters to customers [sic] whose repayment arrangements were due to expire and who were therefore not advised of the resultant changes to their interest rates and minimum repayment amounts.

5    The charges were admitted to at an early stage, having been compulsorily self-reported. ME Bank formally pleaded guilty at a sentence hearing, as had been foreshadowed. The sentence hearing then took place upon the basis of a statement of agreed facts, supplemented by one affidavit for ME Bank formally proving its acquisition by BOQ and the related change of business transactions referred to above.

The offences

6    The four charges in an amended information, each in the form of a between dates “roll up” which encompass multiple contraventions during the charge period, may be summarised as follows:

Charge 1:    Between 25 May 2018 and 3 September 2018, ME Bank made false or misleading representations about the price of financial services in 589 letters sent to customers, contrary to ss 12DB(1)(g) and 12GB(1) of the ASIC Act: maximum penalty $2.1 million (10,000 penalty units, at a time when it was $210 per penalty unit).

Charge 2:    Between 23 September 2017 and 23 February 2018, ME Bank, as a credit provider, failed 38 times to give debtors written notice of a change in the annual percentage rate payable under a credit contract by no later than the day on which that change took effect, contrary to s 64(1) of the National Credit Code: maximum penalty $105,000 (500 penalty units, at a time when it was $210 per penalty unit).

Charge 3:    Between 28 December 2016 and 27 June 2017, ME Bank, as a credit provider, failed 28 times to give debtors written notice setting out the particulars of a change in the amount of the minimum repayments under a credit contract by no later than 20 days before that change took effect, contrary to s 65(1) of the National Credit Code: maximum penalty $90,000 (500 penalty units, when it was $180 per penalty unit).

Charge 4:    Between 4 July 2017 and 12 February 2018, ME Bank, as a credit provider, failed 414 times to give debtors written notice setting out the particulars of a change in the amount of the minimum repayments under a credit contract by no later than 20 days before that change took effect, contrary to s 65(1) of the National Credit Code: maximum penalty $105,000 (500 penalty units, at a time when it was $210 per penalty unit).

7    Three observations should be made about the above charges.

8    First, ME Bank notes that 18 of the 38 occurrences in charge 2 involved conduct that also gave rise to 18 of the 414 occurrences in charge 4. That required totality is to be taken into account. Totality is an important final check on sentences imposed for more than one offence to ensure that they are not, taken as a whole, disproportionate to the overall offending: see Mill v The Queen (1988) 166 CLR 59 at 63. It is not a rigid rule of law, but rather a general principle to guide the exercise of the sentencing discretion.

9    Secondly, the term “rolled up” is used for each charge to describe the process by which charges for a number of individual offences committed over a period of time, each of which could be reflected in a separate charge, are instead charged as a single between-dates offence with numerous instances of offending conduct taking place over that period of time. Absent a guilty plea, charging in that way would ordinarily be objectionable as being duplicitous (that is, charging more than one offence in a single charge), requiring either an election as to which charge is proceeding, or an unrolling into individual charges: Environment Protection Authority v Truegrain Pty Ltd [2013] NSWCCA 204; 85 NSWLR 125 at [31]–[52], especially at [50], quoted with approval by Wigney J in Director of Public Prosecutions (Cth) v Kawasaki Kisen Kaisha Ltd [2019] FCA 1170; 137 ACSR 575 at [269], where his Honour observed:

In sentencing a rolled-up charge, the Court is required to assess the criminality of an offender’s conduct as particularised. The issue for the Court on sentence is the criminality disclosed by the offence, not the number of charges: R v Knight [2004] NSWCCA 145 at [25]–[26]. The more contraventions or episodes of criminality that form part of the rolled-up charge, the more objectively serious the offence is likely to be: R v Richard [2011] NSWSC 866 (R v Richard) at [65(f)]; R v Glynatsis (2013) 230 A Crim R 99; [2013] NSWCCA 131 at [66]; R v De Leeuw [2015] NSWCCA 183 at [116]. That said, the maximum penalty for the rolled-up charge is the maximum penalty for one offence, not the aggregate of the penalties for what could have been charged as separate offences: R v Richard at [105]; R v Donald [2013] NSWCCA 238 at [85].

10    A guilty plea to rolled up charges is a common outcome of charge bargaining (to be distinguished from plea bargaining). It is a convenient way of bringing all offending conduct to account at once for the purposes of sentencing, bringing finality to all conduct alleged for both the informant and defendant. It is also a process which usually involves a considerable degree of leniency because a single maximum penalty applies for all of the offences in the between dates charge period, rather than a separate maximum penalty for each offence: see R v Glynatsis [2013] NSWCCA 131; 230 A Crim R 99 at [66], quoting the observations of Garling J in R v Shawn Darrell Richard [2011] NSWSC 866 at [65]; see also [73].

11    Rolled up charges may also reflect the reality that although legally separate offences were committed, they were really just a repetition of the same behaviour, sometimes referred to as a single course of conduct. That is not entirely apposite in this case, because it was one defect or set of defects in ME Bank’s computer system that produced the offending conduct, rather than separate conduct on each occasion, although separate acts of representations or omissions did result. Sometimes the offence provision allows for between dates charging for such conduct without being duplicitous. That is not the case for the offences committed by ME Bank.

12    Thirdly, charges 3 and 4 would have been a single rolled up charge involving failing to give the necessary notice 442 times, but had to be split in two because the amount of a penalty unit increased from $180 to $210 on 1 July 2017. Charge 3 covers the conduct in the period prior to 1 July 2017; and charge 4 covers the period after 1 July 2017.

13    The dollar value of a penalty unit has increased several times since the offending conduct occurred as a result of regular indexing and is presently $275 per penalty unit. If the same conduct took place now, the 500 penalty unit maximum penalty for charges 2-4 would have a maximum fine of $137,000 and the 10,000 penalty unit penalty for charge 1 would have a maximum fine of $2.75 million. If the charges had been unrolled due to being defended, that maximum penalty would apply to each occurrence that was maintained in a separate charge. This gives an indication of the much greater penalties that an offender may be exposed to in unsuccessfully defending charges of this kind, which would have to be unrolled to avoid duplicity. This is relevant to take into account on sentence in relation to the overall general deterrence effect of the fines to be imposed.

Sentence issues in dispute

14    Section 16A(1) of the Crimes Act 1914 (Cth) requires this Court to impose a sentence for a federal offence that is of a severity appropriate in all the circumstances. Section 16A(2) then provides a non-exhaustive shopping list of matters that must be taken into account to the extent they are relevant and known to the Court. In particular, general deterrence is now explicitly required to be taken into account by s 16A(2)(ja), after its initial omission from the listed mandatory considerations when s 16A was first introduced.

15    There is no issue of specific deterrence of ME Bank given that it is defunct. The dispute on sentence is substantially confined to the characterisation of the conduct and its seriousness; the extent of the need for general deterrence; and the quantum of the fines that should be imposed to address that need, including the extent to which that is tempered by proportionality and totality.

16    The CDPP, constrained by Barbaro v The Queen [2014] HCA 2; 253 CLR 58 as to what a prosecutor can say about the penalty to be imposed in criminal proceedings, submits that a substantial penalty is appropriate having regard to the need for general deterrence. ME Bank disagrees, and submits that only a modest financial penalty is adequate and appropriate in all the circumstances. ME Bank has not nominated any particular penalty to be imposed, effectively electing not to exercise the undoubted right to do so. It has therefore been left to the Court, aided by competing submissions, to decide upon the quantum of fines to be imposed.

The facts as agreed to

17    The factual information in the following four subheadings is drawn from the statement of agreed facts (SOAF).

Background

18    ME Bank was incorporated in 1995, held an Australian credit licence and financial services licence and operated as an authorised deposit-taking institution engaging in the provision of banking and financial services to retail consumers. It acted as a credit provider by providing home loans via credit contracts. In the period from March 2015 to March 2018, ME Bank used a software system to administer home loans, including flexible loans which could be repaid under either a fixed or variable interest rate, flexible loans with a member package offering lower reference rates and the waiver of certain fees, and basic loans which were variable interest rate only. Customers had the option to split loans into multiple facilities with separate repayments. There was also the option of combinations of fixed and variable rates, and interest only and interest and principal repayments, which are referred to collectively as interest rate offers.

19    ME Bank sent a letter of offer to each loan customer containing details of the credit contract, including the number of loan facilities they had and details of the interest rate offer. A sample letter of offer is annexed to the SOAF. Some customers did not obtain an interest rate offer at the outset, but later varied their repayment arrangements such that they obtained such an offer, being variations that were documented in letters sent by ME Bank.

20    When an interest rate offer was due to expire, ME Bank generated and sent an expiry letter, advising of the new interest rate and repayment amount, and that date from which it would expire. Fixed rate customers were also given the opportunity to refix their interest rate for a further period, rather than opting for the variable rate which would otherwise apply.

Charge 1 offending conduct

21    Between 25 May 2018 and 3 September 2018, ME Bank sent 589 expiry letters to customers which represented that from a specified date they would be required to make minimum repayments in an amount that was less than was in fact payable from that date. In particular, such letters were sent to customers who had accepted fixed rate and/or interest only offers. The letters represented that the customers had to repay a certain minimum amount following the expiry of the fixed rate and/or interest only period. But the amount stated was incorrect and thereby false or misleading. A sample expiry letter and a representative set of details for one of the affected customers are annexed to the SOAF. The false or misleading representations did not result in any customers being charged the incorrect amount. However, some customers were charged missed payment fees because they did not have sufficient funds made available to meet the correct repayment amount. The total of all the missed payment fees charged was $3,854.93, which has been fully refunded.

Charges 2-4 offending conduct

22    ME Bank, as the holder of an Australian credit licence, was subject to obligations under the National Credit Code in Sch 1 to the National Consumer Protection Act 2009 (Cth), including per s 64(1), to give written notice to credit contract customers of changes in the annual interest rate payable on or by the day of the change; and per s 65(1) to give written notice to credit contract customers of changes in the amount, frequency and time for payment, and method of calculation of instalments or minimum repayments not later than 20 days before the change.

23    The offending conduct by omission for charges 2-4 is that between 28 December 2016 and 12 February 2018, ME Bank failed to send letters to a number of customers whose existing interest rates for credit contracts, being home loans, were due to expire, such that they were not advised of impending changes to their interest rates and minimum repayment amounts as required by ss 64(1) and 65(1) of the National Credit Code. For charge 2, no written notice was given on 38 occasions that, from a specified date, the rate of interest on the loan principal would increase. For charges 3 and 4, no written notice was given on a total of 442 occasions (28 for for charge 3, and 414 for charge 4) that, from a specified date, the minimum repayments payable would increase. A schedule to the SOAF sets out details of representative customers for each charge.

24    While the affected customers did not suffer any financial loss due to the offending conduct, the potential was for them to be prevented from or disadvantaged as to being able to query, re-negotiate or re-finance their loans before the changes came into effect. ME Bank contacted the affected customers in writing, offering to remediate by placing them in the same position they would have been in had the omissions not taken place.

The discovery, notification and remediation of the offending conduct

25    In November 2015, an internal audit approved by ME Bank’s risk and governance committee noted the potential for unknown discrepancies or defects in the operation of its loan administration software. The specific conduct the subject of charge 1 was not identified, but the audit report noted that some statement calculations exhibited system and process deficiencies which could indicate there were further unknown defects, an issue rated as “severe”; and that there was a lack of controls designed and implemented to ensure compliance with statutory requirements as to time and sufficient statements to customers, an issue rated as “high”. The existence of this report, and the failure of ME Bank to use this as a prompt to investigate further which likely could have resulted in the coding and data problems being detected and rectified at an earlier point in time does not aggravate the offending that followed per se, but provides context by which the ultimate assessment of seriousness falls to be considered. It goes to a question of state of mind, and has the capacity to deny the availability of a characterisation of a state of mind of innocence, even if it does not rise to the level for civil penalty purposes of courting the risk, negligence or recklessness: cf Australian Competition and Consumer Commission v Reckitt Benckiser (Australia) Pty Ltd [2016] FCAFC 181; 340 ALR 25 at [126].

26    Following the internal audit, in about February 2016 ME Bank conducted a focused audit to understand the design and operating effectiveness of internal controls related to the management of system defects and enhancements.

27    In relation to the omission offences in charges 2-4, in early 2018, ME Bank became aware that some customers were not being sent the interest rate offer expiry letters giving 20 days’ notice of new minimum requirements. This awareness arose from a staff member who was also a debtor under a credit contract who queried why she had not received a fixed rate expiry notification letter. On 1 February 2018, the team leader of ME Bank’s customer communications team lodged an incident report giving details of ME Bank becoming aware that interest rate offer expiry letters were not sent in December 2017 because the interest rate type in the loan account was missing from the customer file, and as a result the letter was not generated and the customer was not advised that her interest rate and repayments were increasing. ASIC was notified of the omissions by a series of communications by ME Bank, including by way of responses to resultant notices issued by ASIC, in the period from 13 March 2018 to 25 October 2018. This included an annual compliance certificate that advised of non-compliance with ss 64(1) and 65(1) of the National Credit Code, advising of the root cause of the problem, being incorrect coding and population of data fields, providing details of the 882 customers affected, advising of remedial steps taken in relation to the removal of an incorrectly coded field, and the sending of 361 apology letters to customers and to two guarantors (an example of the letters being annexed to the SOAF).

28    In addition to the 361 apology letters referred to above, ME Bank invited customers who had not refixed or closed their loans to make contact to discuss the effect of omitting to send the expiry letters on their loan arrangements and worked with them to put them in the same position as they would have been had those letters been sent, including the option of reviewing their interest rate options if they had been negatively affected.

29    In relation to the false or misleading representation offences in charge 1, in September 2018, ME Bank discovered a second set of errors affecting letters sent to flexible home loan customers. On 17 September 2018, ME Bank’s product designer of customer banking circulated a document setting out an issue whereby interest rate offer expiry letters incorrectly quoted the final interest-only repayment amount and date, instead of the new principal-and-interest minimum repayment amount and date; and in some cases an amount was not quoted and interest-only payments were quoted instead. A similar issue was identified affecting fixed-rate flexible home loans. On 22 October 2018, ME Bank lodged with ASIC a breach report advising as to expiry letters required to be sent out 35 days prior to the expiry date. As to interest only letters, they reported that for 887 out of 1,197 accounts, letters had been being sent with the incorrect information; as to fixed rate expiry letters, for 940 out of a potential 3,454 accounts, letters had been sent out with the incorrect information; and that customers who had been charged a missed payment fee would be refunded, with an interim measure of a daily manual review of letters prior to them being sent out with a manual correction when required.

30    On 19 December 2018, in response to an ASIC request for clarification about the breaches reported on 22 October 2018, ME Bank confirmed by letter that 836 accounts had been affected by the interest-only issue, 940 accounts by the fixed-rate issue, and 268 accounts by both issues. The letter also explained that:

(a)    incorrect population of data fields resulted in a mismatch between actual and quoted repayments, which were correct in the system, but incorrect in the letter;

(b)    because the new minimum repayment was higher than the repayment amount advised a missed payment fee was potentially charged (which in fact happened 69 times, but was refunded);

(c)    the proposed remediation plan was to refund any such fee until the correct information was disclosed; and

(d)    from September 2018, ME Bank implemented a daily manual review to address the false or misleading representations.

31    On 19 July 2019, ME Bank updated ASIC, advising that tactical and strategic fixes underlying the errors had been applied so that incorrectly populated fields would be detected before letters were sent out. The details of what had been done were set out, describing the successful IT software releases that had taken place on 9 December 2018 and 7 April 2019; and the implementation of a new “home loans product fixes team” from 1 July 2019 to continue with remediation and strategic fix activities, including addressing the backlog of fixes to be implemented.

32    On or about 28 March 2019, ME Bank wrote to customers affected by the false or misleading representations the subject of charge 1, an example of the letter being annexed to the SOAF. As noted above, all missed payment fees were refunded, including for closed accounts, resulting in the repayment of $3,854.93. Remediation for those customers was completed in March 2019.

The competing submissions and their resolution

33    As noted above, the issues in dispute on sentence are as to the characterisation of the charged offences, especially as to seriousness, the nature and need for general deterrence, and the role of proportionality in its different manifestations in tempering the quantum of the fines to be imposed.

34    The CDPP’s stance in relation to the offending in charge 1 is:

(a)    it was moderately serious, taking into account:

(i)    589 false or misleading representations made in letters sent to customers over more than 3 months;

(ii)    each representation was a separate offence;

(iii)    each representation was committed after ME Bank had been put on notice by an audit in 2015 of the possibility of further unknown defects, and after ME Bank had discovered that some letters were not being sent to customers, as required, at all in early 2018;

(iv)    each representation was in relation to the servicing of the debt over a home, likely to be the most significant purchase in the customers’ lives, resulting in a modest loss of just over $3,000 across all of the customers,

(b)    the seriousness of the conduct was alleviated by:

(i)    the absence of any evidence to suggest that the offending was intentional or motivated by any intention to profit or cause loss;

(ii)    the inference that can be drawn that the false or misleading representations in the letters were due to a technical fault and not independent actions on each separate occasion; and

(iii)    ME Bank not being on notice of the falsity of the letters at the time they were sent, albeit that it was on notice of a higher risk of errors in system calculations and the issuance of timely statements.

35    The CDPP’s stance in relation to the offending in charges 2-4 is:

(a)    each omission involved ME Bank failing to give written notice to home loan customers that the interest rate on the loan principal was going to increase (count 2), or that the minimum repayment was going to increase (counts 3 and 4), which was of moderate seriousness;

(b)    each omission was a separate offence, taking place over a period of several months for each, rather than being a one-off occurrence;

(c)    ME Bank had been put on notice by the 2015 audit of the possibility of further unknown defects (albeit that there was no specific knowledge of the omissions);

(d)    each omission concerned interest rates or minimum repayments on home loans, with notice of changes being important for financial planning by customers on a fully informed basis;

(e)    the seriousness of the conduct was alleviated by there being no evidence that the offending was motivated by any intention to profit or cause loss, no demonstrated actual loss being caused even though the customers were deprived of the correct information in a readily accessible format; and by again inferring that the conduct was due to a technical fault and not independent actions on each separate occasion and ME Bank was not on notice of the omissions at the time.

36    For all of the offences, the CDPP accepts that:

(a)    the guilty plea, indicated at the earliest stage, and resulting in a substantial utilitarian benefit to both the community and witnesses, evidences a subjective willingness to facilitate the course of justice, remorse and contrition, and although the prosecution had a strong case, that does not diminish the extent to which the guilty pleas should be understood to reflect genuine contrition, including by taking steps to inform customers and remediate what had taken place;

(b)    ME Bank cooperated with ASIC, but was required to self-report as it did under s 912D of the Corporations Act 2001 (Cth) and s 53 of the National Consumer Credit Protection Act 2009 (Cth) respectively, with no discount being available for compelled disclosures: see Ungureanu v The Queen [2012] WASCA 11; 272 FLR 84 at [71]; and

(c)    ME Bank does not have a prior criminal history, which is a relevant consideration, however where general deterrence is a significant consideration, it is well-established by a long line of authority that good character is not generally given significant weight.

37    The CDPP submits that there is a strong need to impose adequate punishment given the nature and extent of the offending, and that general deterrence should be regarded as especially important in this case because:

(a)    there is a high community expectation that entities in a position to offer consumer credit should comply with their statutory obligations, reflecting the significant position they occupy in the financial and social fabric of society;

(b)    a failure to comply with consumer protection provisions can cause great harm to the population measured in terms of the prevalence of home loans within the community and the significance of home loan repayments to financial planning by consumers, a home loan by its nature being a significant financial commitment; and

(c)    totality has a limited role to play given the rolled-up nature of the charges and the number of individual offences encompassed in them.

38    ME Bank’s stance is to the following effect:

(a)    the objective seriousness of the offending for each charge is low rather than moderate and a sentence of adequate severity on each is a modest fine because:

(i)    the offending occurred over a relatively short time frame;

(ii)    it was not planned or actively engaged in for profit or gain;

(iii)    it was not criminally negligent nor was it covert;

(iv)    each charge reflects discrete breaches caused by a technical issue without any criminal intention or purpose; and

(b)    the offending did not cause any material gain to ME Bank, or material loss to any customer at any stage, with the overall harm represented by charge 1 being a total of $3,854.93 over 589 customers, which was minimal and remediated shortly thereafter, and not caused by the conduct the subject of charges 2-4.

39    On the topic of state of mind, the following observations of the Full Court in Reckitt Benckiser in relation to civil penalty contraventions is apposite for strict liability criminal offences, because neither has a state of mind required to be established as an element of the contravention or offence (at [131]):

If a contravention does not involve any state of mind then it is for the party asserting any particular state of mind (be it a deliberate flouting of the law, recklessness, wilful blindness, “courting the risk”, negligence, or innocence or any other characterisation of state of mind) to prove its assertion. If, in the event, neither party discharges its onus to establish any particular state of mind in relation to the contraventions, the Court determines penalty on no more than the fact of the proscribed nature of the conduct (see, by analogy see R v Olbrich (1999) 199 CLR 270; 166 ALR 330; [1999] HCA 54 (Olbrich) at [22]–[28]). However, if any degree of awareness of the actual or potential unlawfulness of the conduct is proved then, all other things being equal, the contravention is necessarily more serious. Such awareness may be able to be inferred from the very nature of the conduct or representations constituting the conduct. However absence of such proof does not establish a mitigatory state of mind (see, by analogy, R v Storey [1998] 1 VR 359 at 369, quoted with approval by the majority in Olbrich at [27]; see also [25]). It means only that the neutral state of mind required for liability has not been disturbed for the purposes of penalty. If a contravening party wishes to go beyond the neutral statutory state of mind for liability and positively assert a lack of consciousness of the character of the conduct for the purposes of penalty, that is a circumstance of mitigation which the contravening party must prove.

40    Akin to the respondent in Reckitt Benckiser, this is not a case where a positive state of mind is asserted, but nor is it a case in which innocence in any relevant sense has been proven to lessen moral culpability. It follows that the absence of a relevant positive state of mind on the part of ME Bank does not mitigate its conduct. It does not provide any sound reason to reduce a sentence that is otherwise appropriate.

41    The key differences between the position of the informant, and thus the CDPP, and ME Bank are correctly identified by the CDPP in reply submissions as, in substance, being largely of the characterisation as follows:

(a)    ME Bank characterises the offences as having been caused by a technical issue. The CDPP contends that a technical issue can still be serious and the two concepts are not mutually exclusive, citing Australian Securities and Investments Commission v BT Funds Management Ltd [2021] FCA 844 (Wheelahan J) at [37] and [43], quoted with approval in Australian Securities and Investments Commission v Australia and New Zealand Banking Group Ltd [2022] FCA 1251; 164 ACSR 428 (O’Callaghan J) at [208], as to the approach to be taken with regards to inadvertent system errors (addressed further below). ME Bank places reliance upon BT Funds Management at [37].

(b)    ME Bank also characterises the consequences of its conduct as minor, especially as to the lack of any substantial financial loss, which has been fully rectified. However the CDPP, while accepting the actual losses were only modest, points to the importance of the banking system in Australian social and commercial life (citing Australian Securities and Investments Commission v Australia and New Zealand Banking Group Ltd [No 3] [2020] FCA 1421 at [13] (Allsop CJ)); the asymmetry of knowledge between banks and customers, the lack of control by the latter, and the entitlement of the latter to rely upon banks for the provision of accurate information (citing BT Funds Management at [37]), such that the customer’s perspective is important in assessing seriousness, including by reference to the complaint that was made that ultimately uncovered the problem.

(c)    ME Bank takes a more benign view towards its response to the November 2015 audit report as, in substance, being reasonable in all the circumstances, whereas the CDPP submits that where there is an identified severe risk of further unknown defects in a bank’s systems, the failure to take further steps identifies that the particular technical fault was serious.

(d)    ME Bank submits as substantial mitigation that the offending conduct did not take place at the point of purchase, but rather in the course of repayment. While the CDPP accepts that is so, this is characterised as still being significant because it related to financial management, with interest rates being highly relevant to making decisions as to financing, refinancing and financial planning. I accept the CDPP’s submission on this point. While it may or may not be a circumstance of aggravation that particular offending conduct took place at the point of entry into a credit contract so as to induce that taking place, it is no real mitigation that the present offending conduct instead took place in the course of repayment.

Consideration

42    Wheelahan J in BT Funds Management at [43] succinctly stated the real issue presented by the present case in which specific deterrence has no part to play:

Inadvertent system errors which have the capacity to cause undetected losses of the kind that occurred here are serious. That is particularly so when during the period relevant to this proceeding the errors went undetected for a period of over two years until one customer challenged the charging of an adviser fee. Financial services providers in the position of the defendants should not be able to take the benefits which arise from automated and offshore processes and systems, which it may be inferred contribute to substantial profits, without also undertaking the burden of ensuring that those systems work, and that they promptly identify occasions where they do not. An appropriate penalty should have the effect of deterring the defendants, and financial services providers generally, from maintaining defective systems, and conversely, providing an incentive to establish and maintain systems that are reliable.

43    This is the nub of the present case. It does not really assist ME Bank to point to the technical nature of the offending conduct as to any of the charges. The offending was only technical because ME Bank (legitimately) chose to use automated systems. Whatever goes wrong in such a system will inevitably be technical in nature, with different levels of human input always being a feature. But when such systems are used, very high levels of diligence are required and are to be encouraged and, correspondingly, inadequate diligence deterred.

44    The question to be asked at all times is not whether there are any defects in such systems, which is an inherently complacent approach or standard, but rather what and where are the inevitable defects in such complex systems, and what is being done to find them and eliminate them, noting that changes in software are likely to create new defects from time to time. It is almost counsel of perfection, because that is what is required. Prevention is everything, and the sanctioning response must reflect this in order to ensure this is what takes place. Temptation in favour of any lesser response must be deterred.

45    While it is not the case that proportionality has been abandoned as it has in large measure for civil penalties following Australian Building and Construction Commissioner v Pattinson [2022] HCA 13; 274 CLR 450, the outer limits of what is proportionate are greater than in other areas of criminal offending because of the singular importance of deterring inadequate or complacent levels of diligence; and encouraging active review systems, so as to ensure so far as humanly possible that no breaches occur.

46    Proper checking of computerised systems inevitably costs money and may be quite expensive. General deterrence is important to ensure that cost-cutting and risk taking to gain bottom line financial advantages of this kind are kept in check. The High Court in Pattinson at [41] approved a passage in Reckitt Benckiser at [152] which, although advanced in the context of civil penalties, is equally apposite to these offences and conduct in the banking and finance industry, and to the nature of the general deterrence calculus:

If it costs more to obey the law than to breach it, a failure to sanction contraventions adequately de facto punishes all who do the right thing. It is therefore important that those who do comply see that those who do not are dealt with appropriately. This is, in a sense, the other side of deterrence, being a dimension of the general deterrence equation.

47    In this case, the outcome is not the principal measure of the seriousness of the offending for any of the offences, although it is always relevant. The outcome in this case was largely a matter of happenstance. The same degree of lack of care and diligence on the part of ME Bank in relation to its computer system, resulting in the offending conduct, could have produced no consequence at all, because a coding error or a data entry defect did not manifest itself in anything untoward happening. Or it could have resulted in much more serious consequences, potentially resulting in more serious impacts with significant financial and other harm being inflicted. By analogy to the area of work health safety, an industrial death may be reflective of no offence even being committed (for example, because good, sound safety systems and training were overridden by the deceased), while there may be an extremely serious breach through wholly unacceptable practices although no one was hurt and no harm was done.

48    The major points of mitigation lie not in playing down the objective seriousness of the conduct, but rather in the response once the problem was detected, culminating in the guilty pleas. There is no criticism of that aspect by the CDPP. The response by ME Bank was appropriate and must be given due recognition.

49    I accept ME Bank’s submission that the number of discrete breaches across all charges were caused by a single set of root causes by way of coding and data errors, rather than separate steps being taken at any stage. That said, it is of concern that a significant to high proportion of customers in the relevant areas were affected. The number of breaches is relevant, but limiting the effect of the number of underlying offences is largely addressed by the rolled-up nature of the charges, and by treating charges 3 and 4 as being essentially one such date-range of offences only split into two because of the 1 July 2017 penalty unit value change. An important value of the number of breaches within each charge is to make it clear that there was a real and significant manifestation of a fundamental problem that should not have been permitted to remain in place to the point at which it manifested in a not insignificant number of false or misleading communications, or failures to communicate, which did not have any particularly serious consequences, more as a matter of luck than anything else.

50    ME Bank submits that the period of offending is of limited relevance, again relying on the single fault or set of faults rather than independent actions on each separate occasion, such that there can be no suggestion of continued offending after being on notice of the conduct, or some ongoing criminal negligence. While that is true, the fact that this was able to take place over a substantial period of time without detection or any sufficient system of detection, indicates its pervasive effect and again highlights the significance of not taking seriously enough the warning of a risk of a problem identified by the November 2015 audit. It is no answer to point to the focussed audit that followed, because that in itself proved to be an inadequate response to the warning given.

51    ME Bank suggests that the fact that the offences are strict liability and with a relatively low maximum penalty supports the idea that the offences committed were at the low end of seriousness. That may be accepted insofar as an aspect of the seriousness of any offence is the maximum penalty and any state of mind required to be admitted or proven, but no more, especially with rolled-up charges where the aggregate conduct is being assessed, not just each individual instance, because the maximum then applies to all of them within a single charge.

52    While the root causes were not identified by the November 2015 audit, the existence of a real risk of a serious problem was. Not having adequate prevention, detection and rectification systems in the first place, and not taking that audit warning seriously enough is important and significant for these strict liability offences where notice of a potential problem affects the characterisation of what follows.

53    In light of the reasoning above, I am unable to accept ME Bank’s submission that the gravity of the offending for charge 1, or for charges 2-4, can properly be characterised as low. The offending as to all of the charges is aptly described by the CDPP as being of moderate objective seriousness in all the circumstances. However, that characterisation is but the first step for penalty assessment. What is of importance is that despite the faults not having been detected or prevented, once they came to light in the first instance as a result of a staff customer complaint (rather than properly addressing the warnings in the November 2015 audit), they were addressed promptly and thoroughly. The cooperation and guilty pleas are also important.

54    I accept ME Bank’s submission that it is not appropriate to treat the automated offending arising from a single fault or set of faults in its computer system as a course of conduct. But this is a technical point as it had the same practical effect as repeated offending conduct. Each offence was the sending of a letter or other advice containing information that should not have been conveyed; or failing to provide information that should have been provided. Without an automated system, it would have been an active offence of commission or omission each time. ME Bank’s computer system with its built-in fault or faults instead created each act of commission or omission. So what took place is a course of outcomes from a single set of conduct, rather than a course of conduct. The practical effect was the same because it was a repeated manifestation of a single problem or set of problems. Just as objective seriousness is not to be dictated by the happenstance of less serious outcomes as opposed to the nature of the conduct (including omissions) giving rise to the offending, nor is it to be dictated by a series of events that flowed from that conduct. The focus must be on what was actually done (and not done).

55    It is common ground that:

(a)    there was no lasting harm;

(b)    ME Bank’s guilty pleas were a subjective willingness to facilitate the course of justice, remorse and contrition, which is not diminished by the strength of the prosecution case; and is also entered at the earliest stage and has resulted in a utilitarian benefit to the community and witnesses in avoiding a trial (which extends in my view to the resources of the Court and of ASIC and the CDPP);

(c)    genuine contrition has been evidenced by refunding in full missed payment fees for charge 1; inviting affected customers to contact ME Bank to discuss the effect of the conduct and working with them to put them in the same position as they would have been if the required letters had been sent for charges 2-4; and sending apology letters to all affected customers;

(d)    there has been a real measure of cooperation by the guilty pleas and engaging in the process of charge formation and the SOAF, and while this does not engage s 16A(2)(h) of the Crimes Act 1914 (Cth) because of the facts and the compulsory notification, these are relevant subjective factors to take into account; and

(e)    there is no suggestion of prior offending.

56    I accept ME Bank’s submission that there is no suggestion of cynical calculation in weighing up the cost of compliance against the risk of penalty of the kind identified in Singtel Optus Pty Ltd v Australian Competition and Consumer Commission [2012] FCAFC 20 at [62]-[63]. I also accept that the size of the now defunct ME Bank has little role to play. However, I do not accept ME Bank’s submission that the need for general deterrence is relatively minor for compliance with statutory obligations divorced from intentional or negligent wrongdoing. That proposition simply cannot stand in light of the analogous reasoning in Pattinson for civil penalty cases in which there is no necessary state of mind at all. General deterrence is directed to compliance by other would-be offenders and is a significant consideration in this case.

57    Nor do I accept ME Bank’s submission that merely a modest financial penalty is adequate and appropriate in the circumstances. The continuing need for general deterrence must be addressed. With the above findings, I proceed to the convictions to be entered and sentences to be imposed.

Conviction and sentence

58    ME Bank is convicted on all four charges.

59    I consider that the offence in charge 1, while of a shorter duration of just over three months, was more serious than the remaining charges because it was not just a failure to provide information that was required, but entailed providing false or misleading information. While the omissions for the remaining charges remain of serious concern and require general deterrence, the active provision of incorrect information is inherently more serious, especially given that ME Bank was fully able to prevent, or detect and rectify the issue, if it had the systems and corporate will to do so.

60    Taking into account all of the competing considerations and taking the final step of reducing the penalty to a fine for each charge, and after considering totality and being satisfied that no further adjustment is required in all the circumstances, I have concluded that the appropriate fines to impose are as follows:

(a)    For charge 1, carried out between 25 May 2018 and 3 September 2018, being just over three months, of making false or misleading representations about the price of financial services in 589 letters sent to customers, the appropriate penalty without the mitigating features identified above, and especially the remedial action, guilty plea, cooperation and contrition and remorse, would have been in the order of $1 million out of a maximum available penalty of $2.1 million. Taking those mitigating factors into account, while giving full account of a real and substantial need for general deterrence and through that the encouragement of better compliance practices, the appropriate fine is $750,000.

(b)    For charge 2, carried out between 23 September 2017 and 23 February 2018, being five months, of failing 38 times to give debtors written notice of a change in the annual percentage rate payable under a credit contract by no later than the day on which that change took effect, the appropriate penalty without the mitigating features would have been in the order of $40,000 out of a maximum available penalty of $105,000. Taking those mitigating factors into account, while again giving full account of a need for general deterrence and through that the encouragement of better compliance practices, the appropriate fine is $30,000.

(c)    For charges 3 and 4, carried out between 28 December 2016 and 27 June 2017 and between 4 July 2017 and 12 February 2018, being just over an aggregate of 13 months (split into two time periods only by reason of a change in value of a penalty unit rather than any difference in conduct), being failing 442 times (28 times in the first six-month period, and 414 times in the second just over seven month period) to give debtors written notice setting out the particulars of a change in the amount of the minimum repayments under a credit contract by no later than 20 days before that change took effect. The appropriate penalty without the mitigating features would have been in the order of $50,000 out of a maximum available penalty of $90,000 for the first period (28 times) and of $105,000 for the second period (442 times, and therefore the bulk). Taking those mitigating factors into account, while again giving full account of a need for general deterrence and through that the encouragement of better compliance practices, the appropriate fine is $40,000, being $5,000 for charge 3 and $35,000 for charge 4.

61    The total fine is therefore $820,000, to be paid within 60 days.

Associate:

Dated:    19 January 2024