Federal Court of Australia
Australian Securities and Investments Commission v Mercer Superannuation (Australia) Limited [2026] FCA 832
File number: | VID 1039 of 2025 |
Judgment of: | BUTTON J |
Date of judgment: | 26 June 2026 |
Catchwords: | CORPORATIONS LAW – where financial services licensee contravened s 912DAA(1) and (7) of the Corporations Act 2001 (Cth) (Corporations Act) by failing to report reportable situations to the Australian Securities and Investments Commission (ASIC) on time or at all, after an investigation into whether there was a significant breach of a core obligation had continued for more than 30 days (being a reportable situation of the kind mentioned in either ss 912D(1)(c) or 912D(1)(d) of the Corporations Act) (Reportable Investigations) – where the financial services licensee contravened ss 912A(1)(a) and 912A(5A) of the Corporations Act by not having adequate systems in place to identify, track and report Reportable Investigations, and therefore failed to ensure it provided financial services efficiently, honestly and fairly – where the financial services licensee contravened s 1308(5) of the Corporations Act by failing to take all reasonable steps to ensure it did not make false or misleading statements in reports lodged with ASIC – where the parties proceeded by way of a statement of agreed facts and admissions – where the Defendant admitted to contraventions over a period of almost three years – where the parties jointly proposed declarations and pecuniary penalties totalling $10,300,000 |
Legislation: | Australian Securities and Investments Commission Act 2001 (Cth) s 12A
Corporations Act 2001 (Cth) ss 766A(1)(ec), 766H(1), 912A(1)(a), 912A(5A), 912D, 912D(1)(c), 912D(1)(d), 912DAA(1), 912DAA(3), 912DAA(7), 1308(4)–(6), 1317G(1)(a), 1317G(2), 1317G(6) |
Cases cited: | Australian Building and Construction Commissioner v Construction, Forestry, Mining and Energy Union [2017] FCAFC 113; (2017) 254 FCR 68
Australian Building and Construction Commissioner v Construction, Forestry, Mining and Energy Union [2018] HCA 3; (2018) 262 CLR 157
Australian Building and Construction Commissioner v Pattinson [2022] HCA 13; (2022) 274 CLR 450
Australian Competition and Consumer Commission v Coles Supermarkets Australia Pty Ltd [2014] FCA 1405
Australian Competition and Consumer Commission v Reckitt Benckiser [2016] FCAFC 181; (2016) 340 ALR 25
Australian Energy Regulator v AGL Loy Yang Marketing Pty Ltd [2023] FCA 1299
Australian Securities and Investments Commission v AGM Markets Pty Ltd (in liq) (No 3) [2020] FCA 208; (2020) 275 FCR 57
Australian Securities and Investments Commission v Australia and New Zealand Banking Group Ltd (Treasury Bonds Case) [2025] FCA 1592
Australian Securities and Investments Commission v AustralianSuper Pty Ltd [2025] FCA 102; (2025) ACSR 615
Australian Securities and Investments Commission v Commonwealth Bank of Australia [2022] FCA 1422
Australian Securities and Investments Commission v FIIG Securities Ltd [2026] FCA 92
Australian Securities and Investments Commission v Lanterne Fund Services Pty Ltd [2024] FCA 353
Australian Securities and Investments Commission v Macquarie Bank Ltd [2024] FCA 416
Australian Securities and Investments Commission v National Australia Bank Ltd [2022] FCA 1324; (2022) 164 ACSR 358
Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496; (2022) ACSR 204
Australian Securities and Investments Commission v United Super Pty Ltd [2025] FCA 1453
Australian Securities and Investments Commission v Vanguard Investments Australia Ltd [2024] FCA 1086
Australian Securities and Investments Commission v Westpac Banking Corporation (No 3) [2018] FCA 1701; (2018) 131 ACSR 585
Commonwealth v Director, Fair Work Building Industry Inspectorate [2015] HCA 46; (2015) 258 CLR 482 |
Division: | General Division |
Registry: | Victoria |
National Practice Area: | Commercial and Corporations |
Sub-area: | Regulator and Consumer Protection |
Number of paragraphs: | 84 |
Date of last submissions: | 18 June 2026 |
Date of hearing: | 3 June 2026 |
Counsel for the Plaintiff: | FK Forsyth KC with RM Burd |
Solicitors for the Plaintiff: | Holding Redlich |
Counsel for the Defendant: | NP De Young KC with A Lord |
Solicitors for the Defendant: | Thomson Geer |
ORDERS
VID 1039 of 2025
BETWEEN: | AUSTRALIAN SECURITIES AND INVESTMENTS COMMISSION Plaintiff |
AND: | MERCER SUPERANNUATION (AUSTRALIA) LIMITED (ACN 004 717 533) Defendant |
ORDER MADE BY: | BUTTON J |
DATE OF ORDER: | 26 June 2026 |
THE COURT DECLARES THAT:
1. The Defendant’s systems for compliance with ss 912DAA(1) and 912DAA(7) of the Corporations Act 2001 (Cth) (Corporations Act) were deficient during the period 1 October 2021 to 30 September 2024 and the Defendant (MSAL) thereby contravened ss 912A(1)(a) and 912A(5A) of the Corporations Act by failing to do all things necessary to ensure the financial services covered by its AFSL were provided efficiently, honestly and fairly.
2. MSAL contravened ss 912DAA(1) and 912DAA(7) of the Corporations Act by failing to:
(a) notify ASIC of a reportable situation of the kind described in s 912D(1)(c) within 30 days after MSAL first knew that, or was reckless with respect to whether, there were reasonable grounds to believe that a reportable situation had arisen in respect of each of the following incidents:
(i) INC-0011906;
(ii) INC-0013541;
(iii) INC-0017604;
(iv) INC-0017236;
(v) INC-0016363;
(vi) INC-0016689;
(vii) INC-0017268; and
(viii) INC-0019650;
(b) notify ASIC of a reportable situation of the kind described in s 912D(1)(d) within 30 days after MSAL first knew that, or was reckless with respect to whether, there were reasonable grounds to believe that a reportable situation had arisen in respect of each of the following incidents:
(i) INC-0013541;
(ii) INC-0017604;
(iii) INC-0017236;
(iv) INC-0016363;
(v) INC-0016689;
(vi) INC-0017268; and
(vii) INC-0019650.
3. MSAL contravened s 1308(5) of the Corporations Act by failing to take all reasonable steps to ensure that the reportable situation and other reports provided to ASIC regarding INC-0011906 dated 27 October 2023, 10 May 2024, and 15 November 2024 were not materially false or misleading because of statements made in those documents.
THE COURT ORDERS THAT:
4. Within 30 days of this order, MSAL pay to the Commonwealth a pecuniary penalty of:
(a) $4,062,500 in respect of MSAL’s contravention of ss 912A(1)(a) and 912A(5A);
(b) $5,300,000 in respect of MSAL’s 15 contraventions of ss 912DAA(1) and 912DAA(7); and
(c) $937,500 in respect of MSAL’s three contraventions of s 1308(5).
5. Within 30 days of this order, MSAL pay ASIC’s costs of and incidental to the proceeding in the agreed amount of $1,200,000.
Note: Entry of orders is dealt with in Rule 39.32 of the Federal Court Rules 2011.
REASONS FOR JUDGMENT
BUTTON J:
OVERVIEW
1 These proceedings were commenced by the Australian Securities and Investments Commission (ASIC) against the Defendant, Mercer Superannuation (Australia) Limited (ACN 004 717 533) (MSAL), alleging that MSAL failed to comply with, and failed to have appropriate systems to facilitate compliance with, its obligations under the reportable situations regime in Subdiv B of Div 3 of Pt 7.6 (Ch 7) of the Corporations Act 2001 (Cth) (Corporations Act), including the obligation under s 912DAA(1) to notify ASIC of reportable situations within the prescribed timeframe.
2 By a statement of agreed facts and admissions filed 21 May 2026 (SAFA), ASIC has alleged, and MSAL has admitted, that between 1 October 2021 and 30 September 2024 (Relevant Period), MSAL contravened the Corporations Act as follows:
(a) MSAL contravened ss 912A(1)(a) and 912A(5A) — being the obligation to do all things necessary to ensure that the financial services covered by its Australian Financial Services Licence (AFSL) were provided efficiently, honestly and fairly — by failing to have in place an adequate system to identify and report reportable situations of the kind referred to in s 912D(1)(c) of the Corporations Act, being investigations into whether there was a significant breach of a core obligation (Investigation(s)) that continued for more than 30 days (Reportable Investigation(s));
(b) MSAL contravened ss 912DAA(1) and 912DAA(7) on 15 occasions, by reason of its failure to report at least eight Reportable Investigations to ASIC within the time prescribed by s 912DAA(3) of the Corporations Act or, in seven of those eight instances, at all; and
(c) MSAL contravened s 1308(5) on three occasions, by reason of MSAL not taking the necessary steps to ensure that the reports lodged with ASIC in relation to one Reportable Investigation did not contain materially false or misleading information.
3 The facts and admissions in the SAFA provide the factual foundation for the exercise of the Court's jurisdiction to make the orders sought.
4 The parties filed joint submissions on liability and relief. The parties initially proposed a single penalty in the amount of $10,300,000 but, at the prompting of the Court, made supplementary submissions proposing penalties in respect of each of the three sets of contraventions identified above. The parties have also agreed that MSAL will pay ASIC’s costs. At the hearing, the Court was informed by counsel that the amount of those costs was agreed to be $1,200,000.
5 For the reasons set out below, I am satisfied that declarations ought to be made identifying when and how MSAL contravened the Act. Declarations of this kind serve to publicly express the Court’s disapproval of the contravening conduct: Australian Competition and Consumer Commission v Coles Supermarkets Australia Pty Ltd [2014] FCA 1405 at [78], [196] (Gordon J); Australian Building and Construction Commissioner v Construction, Forestry, Mining and Energy Union [2017] FCAFC 113; (2017) 254 FCR 68 at [93] (Dowsett, Greenwood and Wigney JJ). Orders will also be made imposing pecuniary penalties.
FACTUAL OVERVIEW AND THE CONTRAVENING CONDUCT
6 MSAL is a subsidiary of Mercer (Australia) Pty Ltd (MAPL) and the trustee of a superannuation fund known as the Mercer Super Trust (MST). MSAL holds an AFSL and a Registrable Superannuation Entity licence. As the holder of an AFSL, MSAL is a financial services licensee for the purposes of the Corporations Act.
7 On 1 April 2023, members of the BT Super Fund transferred into the MST (BT Merger). Following the BT Merger, MSAL became the trustee of the seventh largest superannuation fund in Australia by members. As at 30 June 2025, the MST had approximately $79.8 billion in total funds under management and approximately 1,062,008 members.
8 For the 2023 calendar year MSAL’s profit was $3,869,000, for the 2024 calendar year, it was $8,302,000 and for the 2025 calendar year, it was $3,960,000. In those same years, MAPL made a loss of $3,195,000 in 2023 and profits of $62,787,000 and $106,058,000 in 2024 and 2025 respectively. As at 31 December 2025, the MST had an operational risk reserve of $210,100,000.
9 MSAL did not have any employees during the Relevant Period. The staff and systems involved in its compliance functions were provided by MAPL pursuant to a Master Services and Resources Agreement dated 9 March 2012. Notwithstanding that arrangement, as the holder of an AFSL, MSAL remained solely responsible for its obligations under the Corporations Act, including, relevantly:
(a) the obligation in s 912A(1)(a) to do all things necessary to ensure that the financial services covered by its licence are provided efficiently, honestly and fairly; and
(b) the obligation to report reportable situations to ASIC in accordance with s 912DAA.
The Reportable Situations Regime
10 Section 912DAA(1) of the Corporations Act requires a financial services licensee to lodge a report with ASIC when there are reasonable grounds to believe that a “reportable situation” has arisen. That report must be lodged within 30 days after the licensee first knows that, or is reckless with respect to whether, there are reasonable grounds to believe the reportable situation has arisen: s 912DAA(3). A failure to lodge a report with ASIC within the time required constitutes a contravention of s 912DAA(1) and, in turn, a contravention of the civil penalty provision in s 912DAA(7). In these reasons, I refer to this regime as the Reportable Situations Regime.
11 The Reportable Situations Regime, in its current form, came into effect on 1 October 2021 and, as ASIC has acknowledged, represented a significant change from the previous breach reporting regime in the Corporations Act.
12 The change was brought about as a result of the Hayne Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry, which had called for reform to clarify and strengthen the breach reporting regime for financial services licensees. Those reforms were introduced by the Financial Sector Reform (Hayne Royal Commission Response) Bill 2020 (Cth), and were described in the accompanying Explanatory Memorandum as “a cornerstone of Australia’s financial services regulatory structure”: Explanatory Memorandum, Financial Sector Reform (Hayne Royal Commission Response) Bill 2020 (Cth) and Corporations (Fees) Amendment (Hayne Royal Commission Response) Bill 2020 (Cth) (Explanatory Memorandum) at [11.3].
13 Relevantly to this proceeding, one of the key changes introduced by the Reportable Situations Regime is that the fact that a financial services licensee is conducting an investigation may, in certain circumstances, itself amount to a reportable situation that must be reported to ASIC.
14 Section 912D defines the term “reportable situation”. Section 912D(1) provides that there is a reportable situation in relation to a financial services licensee if one of the following is satisfied:
(a) the financial services licensee or a representative of the financial services licensee has breached a core obligation and the breach is significant;
(b) the financial services licensee or a representative of the financial services licensee is no longer able to comply with a core obligation and the breach, if it occurs, will be significant;
(c) the financial services licensee or a representative of the financial services licensee conducts an investigation into whether there is a reportable situation of the kind mentioned in paragraph (a) or (b) and the investigation continues for more than 30 days; or
(d) an investigation described in paragraph (c) discloses that there is no reportable situation of the kind mentioned in paragraph (a) or (b),
(each being a Reportable Situation).
15 The Reportable Situations referred to in s 912D(1)(a) and (b) are concerned with an actual or anticipated significant breach of a core obligation (as defined in s 912D(3)–(5)). In the present case, the relevant Reportable Situations are of the kind referred to in s 912D(1)(c) and (d). Section 912D(1)(c) concerns investigations into whether a significant breach of a core obligation has occurred or is anticipated to occur (to which I refer in these reasons as an Investigation). Where a licensee conducts an Investigation and it continues for more than 30 days, the Investigation is itself a Reportable Situation under s 912D(1)(c) (a Reportable Investigation) — and must be reported to ASIC within 30 days of the licensee first having reasonable grounds to believe that a Reportable Situation has arisen (ie, within 60 days of the commencement of the Investigation) — even if the Investigation does not ultimately disclose a significant breach. If the Investigation concludes without disclosing a significant breach under s 912D(1)(a) or (b), the conclusion of the Investigation is itself a separate and further Reportable Situation under s 912D(1)(d).
16 Recent decisions of this Court have summarised and applied the provisions of the Reportable Situations Regime in connection with failures to report a significant breach of a core obligation (ie, the circumstances described in paragraphs 14(a) and (b) above), including Australian Securities and Investments Commission v United Super Pty Ltd [2025] FCA 1453 at [39]–[42] (O’Callaghan J) and Australian Securities and Investments Commission v Australia and New Zealand Banking Group Ltd (Treasury Bonds Case) [2025] FCA 1592 at [180]–[186] (Beach J). However, there otherwise does not appear to have been any specific judicial consideration of the obligation to report Reportable Investigations.
17 One of the stated objectives of making such investigations separately reportable was to ensure that ASIC “has visibility of protracted investigations, and incentivises licensees to prioritise and streamline investigation processes where appropriate”: Explanatory Memorandum at [11.50]. The parties agree that the Reportable Situations Regime allows ASIC to fulfil its statutory function of monitoring and promoting market integrity and consumer protection in relation to the Australian financial system (pursuant to s 12A of the Australian Securities and Investments Commission Act 2001 (Cth)), by enabling it to detect potentially significant non-compliant behaviours early, monitor Reportable Investigations, and take action where appropriate.
18 The term “investigation” is not defined in the Corporations Act, and thus takes its ordinary meaning, being “a searching inquiry in order to ascertain facts”, as was stated in the Explanatory Memorandum at [11.43]–[11.47]:
[11.43] The term ‘investigation’ is not defined in the legislation and has its ordinary meaning. What constitutes an investigation is likely to vary significantly depending on the size of the licensee’s business, their internal systems and processes, and the type of breach.
[11.44] The Macquarie Dictionary defines ‘investigation’ as ‘a searching inquiry in order to ascertain facts.’ Accordingly, if a financial services licensee is considering whether it has conducted an investigation, a relevant factor would be whether there has been some information gathering or human effort applied by the licensee to determine whether a breach has occurred or will occur. Examples of information gathering may include:
• communicating with representatives or staff of the licensee who may have been involved in the relevant conduct;
• communicating with potentially affected clients; or
• seeking specialist or technical advice.
[11.45] Merely entering a suspected compliance issue into a risk management system is unlikely to amount to a searching inquiry to ascertain facts, although this will depend on the circumstances in each case.
[11.46] The intention is that the term ‘investigation’ applies irrespective of how the licensee describes an investigation in its internal processes, as long as it satisfies the ordinary meaning of the term.
[11.47] The time at which an investigation commences is a matter of fact and is not a subjective determination by the licensee. For example, after receiving a complaint from a client, if the licensee begins to look into the matter or takes steps towards ascertaining whether a significant breach has occurred, this would generally be considered to be when the investigation has commenced.
19 ASIC has issued Regulatory Guide 78: Breach reporting by licensees and credit licensees (RG78), which provided guidance throughout the Relevant Period on licensees’ obligations to comply with the Reportable Situations Regime. RG78 included an explanation of the meaning of the term “investigation” by reference to the Explanatory Memorandum, and provided various examples of when an Investigation will, and will not, be considered to have commenced, and when an Investigation becomes a Reportable Situation under s 912D of the Corporations Act. RG78 stipulates that, separate from the expected updates listed in RG78, licensees may voluntarily use the Regulatory Portal's update functionality at any time to keep ASIC informed on the progress of a reportable situation. Information “callouts” were also presented to users completing reports, which guided them on providing estimates and instructed that, where an estimate was provided, an update should be provided once more information is known.
The contravening conduct
20 As noted above, the contravening conduct alleged by ASIC and admitted by MSAL falls into three categories: first, MSAL’s failure to have in place an adequate system to identify and report Reportable Investigations throughout the Relevant Period (the System Breach); second, MSAL’s failure to report at least eight Reportable Investigations to ASIC within the time required or, in seven of those eight instances, at all (the Eight Incidents); and third, MSAL’s failure to take all reasonable steps to ensure the reports submitted to ASIC in relation to one of those Reportable Investigations were not materially false or misleading (the Misstatements to ASIC).
The System Breach
21 ASIC has alleged, and MSAL has admitted, that throughout the Relevant Period, MSAL failed to have in place an adequate system to identify when an Investigation had commenced, track its duration, and report a Reportable Investigation to ASIC when required. The parties agree that this failure constitutes a single, sustained contravention of ss 912A(1)(a) and 912A(5A) of the Corporations Act, spanning a period of approximately three years.
22 During the Relevant Period, MSAL’s system for identifying and tracking Investigations, and reporting Reportable Investigations (the Mercer Incident System), comprised three main components: documented policies and procedures (Policies and Procedures); a governance, risk and compliance database known as “Scout” (GRC Database), used for recording incidents, incident verification and assessments, compliance assessments and rectification; and various other processes for compliance assessments and tracking Investigations undertaken by relevant members of the Risk and Compliance team (Compliance Assessment and Tracking Processes). The Mercer Incident System dealt with all incidents affecting MSAL’s business, including the Reportable Situations Regime, other potential contraventions of law, and non-compliance with internal policies.
23 A central limitation of the Mercer Incident System was that the GRC Database — the primary repository in which incidents were recorded, assessed and tracked — lacked the functionality to identify when an Investigation had commenced or to track its duration. In particular, the GRC Database did not include a specific field for recording the commencement date of an Investigation, the date falling 30 days after commencement, or the date by which a report was required to be lodged with ASIC. Key date fields in the GRC Database were auto-generated when the relevant tab was saved, meaning they were at risk of being overridden if any fields in the relevant tab were later reviewed or updated. The GRC Database therefore could not, in and of itself, identify whether an Investigation had become a Reportable Investigation.
24 To address the GRC Database’s limitations, the Risk and Compliance team developed other processes to track Investigations. Between 1 October 2021 and 1 April 2023, the Risk and Compliance team held weekly triage meetings and maintained an “Assessment Triaging Spreadsheet” and an “RG78 Tracker” to help identify, record and track Investigations. However, those spreadsheets did not facilitate an adequate or consistent approach to calculating the start and end dates of Investigations.
25 From May 2023 until around June 2024 — a period of approximately 13 months — the Line 2 Risk and Compliance team ceased using the RG78 Tracker, or any other document outside of the GRC Database, to track Investigations, and from 27 June 2023, the team ceased having weekly triage meetings. Instead, the Senior Compliance Manager conducted a weekly review of incidents in the GRC Database. During that same 13-month period, following a presentation to the MSAL Board in May 2023 concerning MSAL’s breach reporting obligations, MSAL proceeded on the incorrect understanding that an Investigation commenced at the time an incident was assessed by the Significant Incident Review Panel (SIRP), rather than when the first step was taken to gather information to assess whether a significant breach of a core obligation had occurred.
26 In or around June 2024, MSAL recognised the error and reintroduced the RG78 Tracker to track Investigations. From around August 2024, MSAL also resumed weekly triage meetings and began its transition to a replacement GRC Database known as “Frank”. This transition also involved developing a new spreadsheet to manually track the commencement, duration, and reportability of Investigations (the New RG78 Tracker).
27 ASIC has alleged and MSAL has admitted that, throughout the Relevant Period, the Mercer Incident System was not adequate to facilitate compliance with the Reportable Situations Regime for the following key reasons (the Deficiencies):
(1) MSAL’s policy and procedure documents were not sufficient to enable relevant members of the Risk and Compliance team to adequately and consistently identify the commencement of an Investigation, track the duration of an Investigation, and/or identify whether and when to report an Investigation to ASIC in accordance with the Reportable Situations Regime.
(2) There was no adequate definition or description of an Investigation or a Reportable Investigation available to enable members of the Risk and Compliance team to adequately and consistently identify the commencement of an Investigation.
(3) There was no adequate function within the GRC Database to adequately and consistently identify the commencement of an Investigation, track the duration of an Investigation and/or identify whether and when to report an Investigation to ASIC in accordance with the Reportable Situations Regime.
(4) By reason of the matters in (1)–(3) above, the fact that an Investigation had continued for more than 30 days was not necessarily considered or captured and such Investigations were therefore not necessarily escalated as being potentially reportable or in fact reported.
(5) There was no adequate process to record and report Investigations which continued for more than 30 days and disclosed that there was no significant breach of a core obligation or inability to comply with a core obligation where the breach if it occurred would be significant.
28 These issues were known to MSAL’s senior management. At various points between March 2022 and April 2024, MSAL’s external auditors (Deloitte) raised concerns in audit reports that incidents had been open in the GRC Database for more than 30 days without being reported to ASIC, and that MSAL’s level of reporting was at the lower end compared to similar retail entities. Those observations were brought to the attention of the board of MAPL (MSAL’s parent company) and the MSAL Audit and Risk Committee, which noted and discussed them. Despite being on notice of the shortcomings, and the risk that Reportable Investigations were not being identified and reported to ASIC — which the parties agree is a significant aggravating factor — MSAL continued to rely on the Mercer Incident System throughout the Relevant Period. While MSAL did take some steps in response, including requiring all incidents to be subject to a compliance assessment and commencing a project to replace the GRC Database, MSAL has conceded that those changes did not overcome the Deficiencies during the Relevant Period.
The Eight Incidents
29 ASIC has alleged, and MSAL has admitted, that on at least 15 occasions during the Relevant Period, MSAL failed to lodge a report with ASIC in respect of a Reportable Investigation within the time prescribed by s 912DAA(3), or at all. ASIC relies on the Eight Incidents as examples of that failure, which occurred at least in part due to the Deficiencies, and which collectively give rise to 15 separate contraventions of ss 912DAA(1) and 912DAA(7) of the Corporations Act.
30 The Eight Incidents share a common theme: in each case, the Deficiencies (at least in part) meant that MSAL either did not identify that a Reportable Investigation had arisen, or did not do so until after the 30-day period for lodging a report had expired. The incidents are identified by reference to their incident numbers in the GRC Database: INC-0011906, INC-0013541, INC-0017604, INC-0017236, INC-0016363, INC-0016689, INC-0017268, and INC-0019650. Their circumstances are summarised in table form in Annexure B to the SAFA, and set out in detail in Annexures C to J to the SAFA.
31 It is not necessary to go into detail for each of the Eight Incidents in these reasons. However, in order to expose the way in which the shortcomings in MSAL’s systems led to its failure to comply with its obligations under the Reportable Situations Regime, it is useful to set out one of the incidents in further depth. The contraventions of s 1308(5) of the Corporations Act also concern this incident — INC-0011906 — so it is necessary to explain it further in any event.
32 INC-0011906 arose from the decommissioning of MSAL’s previous employer gateway, known as Spectrum, and its replacement with a new gateway known as SuperStream. Under SuperStream, employers could submit Member Registration Requests (MRRs) to open employer-sponsored accounts on behalf of employees. However, a technical error meant that if an employer submitted an MRR to create a new member account under the employer’s sub-plan and the details matched an account already existing in the MST, the MRR was automatically closed without creating the new account. As a result, affected members were at risk of missing out on the benefits available under their employer’s sub-plan, including lower fees, default insurance, and specific insurance premiums. Members were likely unaware that their accounts had not been correctly established.
33 The incident first occurred on 20 December 2021, was identified on 1 February 2022, and was lodged in the GRC Database on 7 February 2022, with an initial rating of “insignificant”. Between 7 February 2022 and 1 December 2022, MSAL undertook fact-finding in relation to the incident. On 2 December 2022, the incident was updated in the GRC Database to record a compliance impact and a risk and compliance assessment was commenced. The parties jointly submitted that this was the first step taken to gather information to assess whether the incident involved a significant breach of a core obligation and/or whether MSAL was no longer able to comply with a core obligation and the breach, if it occurred, would be significant. An Investigation, for the purposes of s 912D(1)(c), accordingly commenced on 2 December 2022.
34 By 2 January 2023, the Investigation had been continuing for more than 30 days. A Reportable Situation accordingly arose under s 912D(1)(c), and a report was required to be lodged with ASIC by no later than 1 February 2023. MSAL did not lodge a report by that date. Instead, the compliance staff responsible for the incident recorded the commencement of the Investigation in the RG78 Tracker as 22 March 2023 — under the heading “Date Reported to Line 2 (Fact finding complete)” — rather than 2 December 2022, when fact-finding to assess the compliance impact had first begun. MSAL lodged its first breach report to ASIC on 21 April 2023, being 30 days after the date MSAL had recorded in the RG78 Tracker as the commencement of the Investigation. By that point, the Investigation had been continuing for at least 140 days. MSAL has admitted that the report should have been lodged at least by 1 February 2023.
35 In addition to lodging this report well past the statutory due date, updating reports made to ASIC were inaccurate. Those inaccuracies are set out from paragraph 37ff below.
36 In each of the remaining seven of the Eight Incidents, no report was ever lodged with ASIC. Like INC-0011906, each failure was at least partially attributable to one or more of the Deficiencies. The GRC Database could not identify when an Investigation had commenced; the Compliance Assessment and Tracking Processes were informal, undocumented, and varied between compliance staff; and, in six of the seven incidents, the fact-finding process began during or after the 13-month period from May 2023 to June 2024 when MSAL had been operating on the incorrect understanding that an Investigation commenced only when first considered by the SIRP. Because those Investigations never reached the SIRP within 30 days of the relevant fact-finding commencing — or never reached it at all — MSAL did not identify them as Reportable Investigations requiring a report to ASIC.
The Misstatements to ASIC
37 MSAL lodged five reports with ASIC in connection with INC-0011906. The first, lodged on 21 April 2023, was an initial report under s 912DAA(1) notifying ASIC of the Reportable Investigation (which, as noted at paragraph 34 above, should have been lodged by 1 February 2023). The second and third reports, lodged on 27 October 2023 and 10 May 2024 respectively (the Second and Third Report(s)), were update reports submitted in accordance with ASIC’s expectations under RG78, providing ASIC with information about the progress of the Investigation and the extent of member impact. The fourth report was lodged on 15 November 2024 (Fourth Report). A fifth and final report was lodged on 30 April 2025. The three contraventions of s 1308(5) arise from materially false or misleading statements in the Second, Third, and Fourth Reports, which were the result of MSAL not taking all reasonable steps to ensure that reports were not materially false or misleading.
38 In the Second Report, MSAL was asked whether the Reportable Situation had affected (or was likely to affect) any clients. MSAL answered that it was “Not known”. That was false. By the time the Second Report was lodged on 27 October 2023, MSAL was aware from its own records that at least 231 members of one sub-plan had been identified as affected by INC-0011906 and had been remediated and issued an apology (the Known Impact). The fact that 231 members had been identified as being affected had been recorded in the GRC Database since 12 May 2023, and was reflected in documents sent to the Senior Compliance Manager responsible for completing the Second Report on multiple occasions between 20 June 2023 and 19 July 2023. MSAL should have disclosed that at least 231 members were known to be affected. MSAL has admitted that, by not consulting, or properly considering, those materials before lodging the Second Report, it failed to take all reasonable steps to ensure that the report was not materially false or misleading.
39 In the Third Report, MSAL stated that approximately 50 clients were affected by the Reportable Situation. That was an understatement. By that time, the Known Impact of 231 affected members remained recorded in the GRC Database and was available to the responsible compliance staff, including the Senior Compliance Manager who submitted the Third Report. The Third Report also stated that there were only four instances of the event relating to the Reportable Situation — a figure that was similarly false or misleading, as the number of instances should have been at least equal to the estimate of affected clients.
40 In the Fourth Report, MSAL stated that it had completed its Investigation, and that there were seven instances of the event relating to the Reportable Situation, and approximately 450 clients that were potentially affected. Each of those statements was incorrect, and appears to have been based on information given by the incident manager around 22 October 2024, which had been limited to a particular sub-plan that remained under investigation, and was not intended to reflect the impact of the incident as a whole. The parties agree that the Senior Compliance Manager should have instead referred to the GRC Database entry for INC-0011906, which had been updated on 1 November 2024 — being 14 days prior to the submission of the Fourth Report — to record that MSAL had reviewed 12,357 MRRs in total and had identified 122 valid MRRs which required remediation for affected members, and a further 5,709 invalid MRRs that were still being considered for further investigation and/or remediation. Based on that information, and the Known Impact referred to at paragraph 38 above, the Fourth Report incorrectly stated that the Investigation was complete (given 5,709 invalid MRRs were still being considered), and materially understated both the number of affected clients and the number of instances of the event relating to the Reportable Situation.
41 In each case, ASIC accepts that the misstatements did not result from any deliberate attempt by MSAL to mislead ASIC. Rather, they reflected a failure by MSAL to consider, or properly to consider, the contemporaneous records available to it, including entries in the GRC Database, or make other relevant inquiries, prior to lodging the relevant reports with ASIC.
42 On that basis, MSAL has admitted that, in respect of each of the Second, Third, and Fourth Reports, it failed to take all reasonable steps to ensure the report was not materially false or misleading, and thereby contravened s 1308(5) of the Corporations Act on three occasions.
Principles concerning penalties
Purpose of civil penalties
43 The principles governing the nature of civil penalties, which I set out in Australian Energy Regulator v AGL Loy Yang Marketing Pty Ltd [2023] FCA 1299 at [69]–[70] may be shortly restated. The primary, if not sole, purpose of a civil penalty is deterrence, both specific and general: Australian Building and Construction Commissioner v Pattinson [2022] HCA 13; (2022) 274 CLR 450 (Pattinson) at [14]–[19] (Kiefel CJ, Gageler, Keane, Gordon, Steward and Gleeson JJ); Australian Building and Construction Commissioner v Construction, Forestry, Mining and Energy Union [2018] HCA 3; (2018) 262 CLR 157 (ABCC v CFMEU) at [87] (Keane, Nettle and Gordon JJ). The penalty must be fixed at a level that carries sufficient sting or burden to secure that deterrent effect, and thus to encourage compliance, but not so high as to be oppressive: ABCC v CFMEU at [116] (Keane, Nettle and Gordon JJ). Equally, it must not be set so low as to be regarded as merely a cost of doing business: Australian Securities and Investments Commission v Westpac Banking Corporation (No 3) [2018] FCA 1701; (2018) 131 ACSR 585 (Westpac (No 3)) at [120] (Beach J).
Principles where penalties agreed between parties
44 The approach to making orders proposed by agreement in a civil penalty proceeding was outlined by the High Court in Commonwealth v Director, Fair Work Building Industry Inspectorate [2015] HCA 46; (2015) 258 CLR 482 (Agreed Penalties Case) at [58] (French CJ, Kiefel, Bell, Nettle and Gordon JJ) (emphasis in original, citations omitted):
Subject to the court being sufficiently persuaded of the accuracy of the parties' agreement as to facts and consequences, and that the penalty which the parties propose is an appropriate remedy in the circumstances thus revealed, it is consistent with principle and, for the reasons identified in Allied Mills, highly desirable in practice for the court to accept the parties' proposal and therefore impose the proposed penalty.
45 A further consideration identified by the plurality in the Agreed Penalties Case was that, by reason of its role in securing compliance within the industry, the regulator is able to offer “informed submissions as to the effects of contravention on the industry and the level of penalty necessary to achieve compliance”: at [60]. However, “the submissions of a regulator will be considered on their merits in the same way as the submissions of a respondent and subject to being supported by findings of fact based upon evidence, agreement or concession”: at [61].
46 The agreed penalty need not be the same as the penalty amount that the Court may have ordered; it is sufficient that the penalty be within an appropriate range: Agreed Penalties Case at [48].
Pecuniary Penalties
47 Section 1317G(1)(a) of the Corporations Act provides that:
A Court may order a person to pay the Commonwealth a pecuniary penalty in relation to the contravention of a civil penalty provision if:
(a) a declaration of contravention of the civil penalty provision by the person has been made under s 1317E.
48 Section 1317G(6) outlines that, in determining the pecuniary penalty, the Court must consider all relevant matters, including:
(a) the nature and extent of the contravention;
(b) the nature and extent of any loss or damage suffered because of the contravention;
(c) the circumstances in which the contravention took place; and
(d) whether the person has previously been found by a court (including a court in a foreign country) to have engaged in similar conduct.
49 These matters are augmented by the well-known “French Factors”:
(a) the extent to which the contravention was the result of deliberate or reckless conduct by the corporation, as opposed to negligence or carelessness;
(b) the number of contraventions, the length of the period over which the contraventions occurred, and whether the contraventions comprised isolated conduct or were systematic;
(c) the seniority of officers responsible for the contravention;
(d) the capacity of the defendant to pay, but only in the sense that whilst the size of a corporation does not of itself justify a higher penalty than might otherwise be imposed, it may be relevant in determining the size of the pecuniary penalty that would operate as an effective specific deterrent;
(e) the existence within the corporation of compliance systems, including provisions for and evidence of education and internal enforcement of such systems;
(f) remedial and disciplinary steps taken after the contravention and directed to putting in place a compliance system or improving existing systems and disciplining officers responsible for the contravention;
(g) whether the directors of the corporation were aware of the relevant facts and, if not, what processes were in place at the time or put in place after the contravention to ensure their awareness of such facts in the future;
(h) any change in the composition of the board or senior managers since the contravention;
(i) the degree of the corporation's cooperation with the regulator, including any admission of an actual or attempted contravention;
(j) the impact or consequences of the contravention on the market or innocent third parties;
(k) the extent of any profit or benefit derived as a result of the contravention; and
(l) whether the corporation has been found to have engaged in similar conduct in the past.
50 Regard must also be had to the maximum penalty for the contravention. Section 1317G(2) sets out that the pecuniary penalty must not exceed the maximum penalty applicable to the contravention. In a civil penalty context, a prescribed maximum penalty is “but one yardstick that ordinarily must be applied”: Pattinson at [53] (Kiefel CJ, Gageler, Keane, Gordon, Steward and Gleeson JJ), quoting Australian Competition and Consumer Commission v Reckitt Benckiser [2016] FCAFC 181; (2016) 340 ALR 25 (Reckitt Benckiser) at [155] (Jagot, Yates and Bromwich JJ). Care must be taken not to apply the maximum penalty mechanically, but to treat it as one of a number of relevant factors, albeit an important one: Reckitt Benckiser at [156].
Multiple contraventions — course of conduct and totality
51 Where there are multiple contravening acts and omissions occurring over a particular period and there is sufficient interrelationship between the legal and factual elements of the contraventions, the “course of conduct” and “totality” principles are relevant.
52 The principles in relation to the course of conduct and totality principles were set out by O’Bryan J in Australian Securities and Investments Commission v Vanguard Investments Australia Ltd [2024] FCA 1086 at [37]:
Fifth, in determining the appropriate penalty for a multiplicity of civil penalty contraventions, the Court may have regard to two common law principles that originate in criminal sentencing: the “course of conduct” principle and the “totality” principle: Australian Competition and Consumer Commission v Yazaki Corporation (2018) 262 FCR 243 (Yazaki Corporation) at [226]. Under the “course of conduct” principle, the Court considers whether the contravening acts or omissions arise out of the same course of conduct or the one transaction, to determine whether it is appropriate that a “concurrent” or single penalty should be imposed for the contraventions: Yazaki Corporation at [234]. Whether multiple contraventions should be treated as a single course of conduct is a question of fact and degree: Construction, Forestry, Mining and Energy Union v Cahill [2010] FCAFC 39; 269 ALR 1 (Cahill) at [39] per Middleton and Gordon JJ, and the application of the principle requires an evaluative judgement in respect of the relevant circumstances: Australian Competition and Consumer Commission v Cement Australia Pty Ltd (2017) 258 FCR 312 at [425]. The principle guards against the risk that the respondent is punished twice in respect of multiple contravening acts or omissions that should be evaluated, for the purposes of assessing an appropriate penalty, as a lesser number of acts of wrongdoing: Cahill at [39]. However, as noted by the Full Court in Yazaki Corporation (at [227]), it is not appropriate or permissible to treat multiple contravening acts or omissions as just one contravention for the purposes of determining the maximum limit dictated by the relevant legislation. Accordingly, the maximum penalty for the course of conduct is not restricted to the prescribed statutory maximum penalty for each contravening act or omission: Reckitt Benckiser at [141]; Yazaki Corporation at [229]-[235].
The “totality” principle operates as a “final check” to ensure that the penalties to be imposed on a wrongdoer, considered as a whole, are just and appropriate and that the total penalty for related offences does not exceed what is proper for the entire contravening conduct in question: Trade Practices Commission v TNT Australia Pty Ltd (1995) ATPR 41-375 at 40 and 169 and Australian Competition and Consumer Commission v Australian Safeway Stores Pty Ltd (1997) 145 ALR 36.
CONSIDERATION
Contravention of s 912A(1)(a) as a result of the System Breach
53 Section 912A(1)(a) requires a financial services licensee to do all things necessary to ensure that the financial services covered by its licence are provided efficiently, honestly and fairly. The provision does not impose a standard of perfection but a reasonable standard of performance: Australian Securities and Investments Commission v National Australia Bank Ltd [2022] FCA 1324; (2022) 164 ACSR 358 at [364] (Derrington J); Australian Securities and Investments Commission v Commonwealth Bank of Australia [2022] FCA 1422 at [151]–[152] (Downes J). Section 912A(1)(a) is primarily directed at the systems and procedures of licensees and is forward-looking. That is, it requires the identification of things that it was necessary for a licensee to do, but which it omitted to do: Australian Securities and Investments Commission v AustralianSuper Pty Ltd [2025] FCA 102; (2025) ACSR 615 (AustralianSuper) at [144] (Hespe J). A contravention may be established by demonstrating that the performance of a licensee’s functions falls short of the reasonable standard of performance that the public is entitled to expect: Australian Securities and Investments Commission v AGM Markets Pty Ltd (in liq) (No 3) [2020] FCA 208; (2020) 275 FCR 57 (AGM Markets) at [508] (Beach J); see also Australian Securities and Investments Commission v Lanterne Fund Services Pty Ltd [2024] FCA 353 (Lanterne) (McEvoy J). A breach of s 912A(1)(a) is a contravention of s 912A(5A), which may attract a pecuniary penalty order.
54 The parties agree that compliance with both provisions required MSAL to have in place an adequate system sufficient to: (a) identify and record the commencement date of an Investigation; and (b) track the duration of an Investigation and/or alert MSAL to lodge a report when a Reportable Investigation had arisen. The reasonable standard of performance expected of that system was informed by MSAL’s size, the nature of its business, its resources (including the sum of funds under management), the number of members for which it held retirement funds, and the purposes of the statutory obligation to report Reportable Investigations.
55 The parties jointly submit, and I accept, that by failing to have in place an adequate system for compliance with the Reportable Situations Regime, MSAL failed to do all things necessary to ensure that the financial services covered by its AFSL were provided efficiently, honestly and fairly, and thereby contravened s 912A(1)(a).
56 It has been accepted, in many cases, that system deficiencies associated with the provision of a financial service can give rise to a contravention of s 912A(1)(a): see, eg, Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496; (2022) ACSR 204 (RI Advice) (Rofe J); Australian Securities and Investments Commission v FIIG Securities Ltd [2026] FCA 92 (Derrington J); Australian Securities and Investments Commission v Macquarie Bank Ltd [2024] FCA 416 (Macquarie Bank) (Wigney J); AustralianSuper; AGM Markets; Lanterne. A number of those cases have involved contraventions of other subsections of s 912A(1), with the contravention of s 912A(1)(a) being linked to, or arising from, contravention of another subsection of s 912A: see, eg, RI Advice; Lanterne. Here, ASIC does not allege contravention of any other subsection of s 912A(1). That does not present any impediment because contravention of s 912A(1)(a) is not contingent on contravention of any other subsection of s 912A(1); it can be a standalone contravention even if contravention of that subsection is often accompanied by contravention of other provisions.
57 Section 912A(1)(a) refers to a failure to do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly. It is fair to observe that most of the decided cases involving system deficiencies are ones in which there is an observable nexus with what might be thought of as the “front end”, customer-facing activities of financial services licensees, or involve issues directly affecting customers. For example, in RI Advice, the contravention involved a failure to have adequate systems for data protection and management of cybersecurity risk in relation to client data held by authorised representatives. Similarly, in Macquarie Bank, it was a failure to implement effective controls to prevent or detect transactions by third parties that fell outside the scope of their authority. Cases of that kind involve a more obvious nexus with the financial services provided to customers (using that expression broadly to include members of a superannuation fund), as compared with system issues that affect a licensee’s capacity to comply with its obligations to report matters to ASIC.
58 However, having received supplementary submissions from the parties on this matter, I am satisfied that MSAL’s obligation to do all things necessary to ensure that the financial services covered by its licence were provided efficiently, honestly and fairly was contravened on the basis that its system for compliance with the Reportable Situations Regime was deficient.
59 MSAL was authorised by its AFSL to provide financial product advice in respect of superannuation, deal in financial products in respect of superannuation, and provide a superannuation trustee service to retail and wholesale clients. Those are the financial services covered by its licence. It should be noted that providing a superannuation trustee service is, in and of itself, provision of a financial service and a person provides a superannuation trustee service if the person operates a registrable superannuation entity as trustee of the entity: s 766A(1)(ec), s 766H(1).
60 One of MSAL’s obligations, as the holder of an AFSL authorised to, inter alia, provide the financial service constituted by providing a superannuation trustee service, was to comply with the Reportable Situations Regime.
61 As set out above, the Reportable Situations Regime plays an important role by bringing investigations into potentially significant breaches of core obligations to ASIC’s attention. The regime supports the provision of financial services in a manner that conforms to a licensee’s statutory obligations more broadly, by ensuring that ASIC is informed of investigations that trigger a reporting obligation, and so can intervene as necessary. The regime also incentivises licensees to ensure that they are aware of, investigate, and address potentially significant matters as and when they arise. In this way, the Reportable Situations Regime also supports the efficient, honest and fair provision of a licensee’s “front end” financial services — in MSAL’s case providing financial product advice in respect of superannuation, and dealing in financial products in respect of superannuation.
62 Having regard to these matters, I am satisfied that there is the necessary nexus between the conduct in question and the financial services covered by MSAL’s licence, and that MSAL contravened s 912A(1)(a) as ASIC alleges, and as MSAL accepts it did. It is appropriate to make declarations in the terms put forward by the parties, and to impose a civil penalty in respect of this contravention.
63 The parties jointly propose a penalty of $4,062,500 in respect of this contravention of s 912A(1)(a) (which triggers a contravention of s 912A(5A)).
64 The parties submit, and I accept, that the penalty amount is an appropriate penalty, having regard to the following matters:
(1) MSAL is the trustee of a large superannuation fund, and the contravention occurred over a period of about three years.
(2) MSAL was on notice that its compliance system was not adequate.
(3) ASIC was denied the opportunity to supervise MSAL’s Reportable Investigations, and the parties agree that it may be inferred that the Deficiencies in MSAL’s systems resulted in its underreporting Reportable Investigations going beyond (but including) its failure to report seven out of the Eight Incidents addressed below.
(4) MSAL was not indifferent to its compliance obligations and did have a compliance system in place, albeit it was inadequate.
(5) It is not suggested that MSAL sought to, or did, benefit from its contravening conduct. It is also not suggested that harm has been suffered by its members as a result of the contravening conduct.
(6) MSAL has significantly improved its compliance program in relation to its system, and also cooperated with ASIC.
(7) The proposed penalty is just under half of the statutory maximum penalty (at least $11,000,000).
(8) The proposed penalty will have sufficient “sting” to serve the purpose of specific and general deterrence. In relation to specific deterrence, the proposed penalty is higher than MSAL’s profit for the 2025 calendar year and will not be seen as a “cost of doing business”: Westpac (No 3) at [120] (Beach J).
(9) The proposed penalty is lower than the operational risk reserve of the MST, and will not have an impact on beneficiaries of MSAL.
Contravention of s 912DAA(7) as a result of the Eight Incidents
65 ASIC alleges, and MSAL admits, that MSAL failed to report eight Reportable Investigations on time, or at all, during the Relevant Period.
66 As set out in greater detail above, where there are reasonable grounds to believe that a Reportable Situation has arisen in relation to a financial services licensee, s 912DAA(1) requires the licensee to lodge a report in relation to the Reportable Situation with ASIC, and to do so in accordance with s 912DAA. Failure to comply with s 912DAA(1) results in a contravention of s 912DAA(7), which is a civil penalty provision.
67 Section 912DAA(3) requires that the report must be lodged with ASIC within 30 days after the financial services licensee first knows that, or is reckless with respect to whether, there are reasonable grounds to believe the Reportable Situation has arisen. Pursuant to s 912D(1)(c), there will be a Reportable Situation when the licensee (or a representative) conducts an investigation into whether there is a Reportable Situation of the kind mentioned in (a) or (b) — breach of a core obligation which breach is significant, or no longer being able to comply with a core obligation and any breach would be significant — and the investigation has continued for more than 30 days. Section 912D(1)(d) provides that there will also be a Reportable Situation where the investigation discloses that there is no Reportable Situation of the kind mentioned in (a) or (b). Consequently, there may be more than one Reportable Situation in connection with any investigation.
68 The parties’ joint SAFA contained several annexures setting out details of the Reportable Investigations in relation to the Eight Incidents. Those annexures included a summary specifying:
(a) the date on which the incident occurred;
(b) the date it was identified;
(c) the date it was lodged in MSAL’s “Scout” system;
(d) the date the investigation was commenced, the day that was “day 31”, being the day after the date on which a report was required to be made to ASIC in order to comply with the deadline specified in s 912DAA(3);
(e) the date that MSAL considered no Reportable Situation under s 912D(1)(a) or (b) had arisen, and, relatedly, the date that a report should have been lodged pursuant to s 912D(1)(d); and
(f) the number of days of investigation.
69 The parties’ joint SAFA also contained a detailed separate annexure for each of the Eight Incidents, describing the issue that was being investigated, and matters concerning the course of the investigation and how MSAL’s systems functioned (or failed to function adequately). Some of those investigations were of “substantial duration” between at least 93 and 434 days; these Reportable Investigations did not involve missing statutory reporting deadlines by a few days, or even weeks.
70 There were eight Reportable Investigations. In respect of seven of those investigations, MSAL failed to lodge any report with ASIC despite the statutory criteria for lodging a report about the existence of the investigation having been satisfied, and also failed to lodge a report advising ASIC that those investigations had concluded that no Reportable Situation of the kind referred to in s 912D(1)(a)–(b) existed. Accordingly, for those seven Reportable Investigations, there were two breaches for each investigation given that there were two Reportable Situations in respect of those investigations, one pursuant to s 912D(1)(c), and another pursuant to s 912D(1)(d). For the eighth Reportable Investigation — being the one described in more detail above at paragraph 32ff — a report was lodged with ASIC, but it was lodged late, giving rise to one contravention.
71 Accordingly, the parties have identified, and I accept, that MSAL contravened s 912DAA(7) on 15 occasions, but those 15 contraventions were in respect of Eight Incidents. The parties also jointly submit, and I accept, that these contraventions came about because of the Deficiencies in MSAL’s systems, most strikingly, the failure of those systems to reliably identify when an “investigation” had been commenced. Identifying when an investigation commences is critical to ensuring compliance with the Reportable Situations Regime.
72 The parties have jointly proposed a penalty in respect of the contraventions relating to the Eight Incidents of $5,300,000. I accept that this is a reasonable penalty for the 15 contraventions. The contraventions arose from a common cause, namely the shortcomings of MSAL’s systems for compliance with the Reportable Situations Regime, and are to be treated as arising from a single course of conduct.
73 The parties jointly submitted, and I accept, that the proposed penalty is appropriate having regard to the following matters:
(1) Given the number of contraventions, the statutory maximum penalty is high: $234,000,000. While this figure provides a point of reference, and points to the seriousness of the conduct and need to impose a meaningful penalty, it is so high as not to constitute a useful quantitative measure.
(2) The Eight Incidents involved matters that (at least) had the potential to have a detrimental effect on members. The potential impact on members is exposed by the incidents being investigated relating to matters such as: a failure to update some member accounts leading to higher fees and less favourable insurance arrangements; charging insurance premiums after a member’s death; failure to provide death and permanent disability insurance cover for some eligible members; disclosure of an incorrect investment fee in a product disclosure statement.
(3) In the absence of timely and accurate reporting to ASIC, it was prevented from having proper oversight of the investigation of those incidents, so as to be apprised of any systemic issues that were exposed and how MSAL was responding to them, and ensuring that any affected members were properly remediated. Given the long duration of the investigations in relation to the Eight Incidents, ASIC’s supervisory role was seriously compromised.
(4) The proposed penalty is sufficiently high as to reflect the seriousness of the conduct, and to present sufficient “sting” to serve the purposes of general and specific deterrence. In relation to specific deterrence, the proposed penalty is higher than MSAL’s profit for the 2025 calendar year and will not be seen as a “cost of doing business”: Westpac (No 3) at [120] (Beach J).
(5) Like the proposed penalty in respect of the System Breach, the proposed penalty for the contraventions of s 912DAA(7) is lower than the operational risk reserve of the MST and will not have an adverse impact on the beneficiaries of MSAL.
(6) The proposed penalty also recognises MSAL’s cooperation and the fact that it has already taken steps to upgrade the systems whose insufficiency caused the contraventions in relation to the Eight Incidents.
Contravention of s 1308(5) by a failure to take reasonable steps to ensure documents submitted to ASIC were not materially false or misleading
74 One of the Eight Incidents was incident INC-0011906. The nature of that incident, the course of MSAL’s investigation and the deficiencies in its reports to ASIC, have been set out above (at paragraph 32ff). As explained above, MSAL submitted five reports in relation to this incident. The admitted contraventions of s 1308(5) concern the Second, Third and Fourth Reports.
75 Section 1308(5) of the Corporations Act provides that a person contravenes the provision if:
(a) a document: (i) is required under or for the purposes of the Corporations Act; or (ii) is lodged with or submitted to ASIC or the Registrar; and
(b) the person: (i) makes, or authorises the making of, a statement in a document; or (ii) omits, or authorises the omission of, a matter or thing from a document; and
(c) the document is materially false or misleading because of the statement or omission; and
(d) the person did not take all reasonable steps to ensure that the document was not materially false or misleading because of the statement or omission.
76 It is relevant to observe that there can be a contravention of s 1308(5) in relation to documents that are voluntarily submitted to ASIC (not just in relation to documents that are required by legislation). This is relevant as the Second, Third and Fourth Reports that were submitted by MSAL were not reports that were required by the Reportable Situations Regime to be submitted, but were reports submitted voluntarily, albeit that ASIC, in RG78 and through the “callouts” visible to users, made clear its expectation that reports would be updated.
77 Section 1308(6) relevantly provides that a document is “materially false or misleading” if the document includes a statement that is false in a material particular or materially misleading (s 1308(6)(a)(i)), or omits something that renders the document false in a material particular or materially misleading (s 1308(6)(b)).
78 The standard imposed by s 1308(5) is objective: it asks whether MSAL took all reasonable steps to ensure accuracy, not whether it intended to mislead. While ASIC had initially alleged in its Originating Application that MSAL contravened s 1308(4) of the Corporations Act — which would have required ASIC to prove knowledge or recklessness on the part of MSAL — that allegation is no longer pressed by ASIC. What ASIC ultimately alleged, and MSAL has admitted, is that MSAL failed to take all reasonable steps to ensure that the Second, Third and Fourth Reports it lodged with ASIC in connection with INC-0011906 were not materially false or misleading.
79 In view of the information known to MSAL concerning the number of members affected, or potentially affected, by the incident and what was known to MSAL about the number of members in respect of which further investigation or remediation was being considered, I accept: that the information MSAL provided to ASIC by submission of the Second, Third and Fourth Reports was materially false or misleading; and that MSAL contravened s 1308(5) by failing to take reasonable steps to ensure that the reports it submitted to ASIC were not materially false or misleading.
80 Those reports were submitted between October 2023 and November 2024 and contained statements about the number of clients affected by, and the number of instances of, the relevant conduct, which were materially false or misleading. Each failure constitutes a separate contravention of s 1308(5) of the Corporations Act.
81 The parties jointly proposed a total penalty of $937,500 for the three contraventions of s 1308(5). They submit that that penalty is appropriate having regard to the following matters:
(1) There being three admitted contraventions, the maximum penalty is $47,500,000, but that figure is so high as not to provide a meaningful yardstick for penalty for the contraventions in question.
(2) The three contraventions are to be treated as a course of conduct; each contravention arose from the same failing, namely a failure properly to consider information held within the business concerning affected members and potentially affected members.
(3) The contraventions arose from a failure to take reasonable steps. MSAL did not deliberately intend to mislead ASIC.
(4) The contraventions did not cause loss to members.
(5) MSAL has cooperated with ASIC.
(6) The size of the penalty, while substantially lower than the penalties proposed for the other contraventions, is nonetheless appropriate to serve the purposes of general and specific deterrence.
82 I accept that the proposed penalty is appropriate, for the reasons given by the parties. In the absence of a jointly proposed penalty, I may have been inclined to impose a somewhat higher penalty in respect of these contraventions. However, it is clear on the authorities that the Court’s task, in a case like the present, is to consider whether a penalty proposed by a regulator and the contravener is an appropriate penalty in the circumstances, and is within an appropriate range: Agreed Penalties Case at [47], [58] (French CJ, Kiefel, Bell, Nettle and Gordon JJ).
Conclusion
83 Orders will be made providing for declarations to be made concerning the contravening conduct, and for the imposition of civil penalties in respect of the contraventions, in the amounts set out above. The sum of those penalties is $10,300,000. That sum presents a sufficient sting to serve the purposes of general and specific deterrence, and reinforces the vital importance of financial services licensees ensuring that the systems they deploy in the provision of those services are designed and operated in a way that connects with integers of the statutory regime under which financial services licensees operate (here, in particular, the Reportable Situations Regime). In addition, the penalty in respect of the third set of contraventions reinforces the need for financial services licensees to design and operate systems that are “joined up” so that important information is captured and not overlooked when reports are made to ASIC.
84 An order will also be made, as agreed between the parties, that MSAL pay ASIC’s legal costs in the amount of $1,200,000.
I certify that the preceding eighty-four (84) numbered paragraphs are a true copy of the Reasons for Judgment of the Honourable Justice Button.
Associate:
Dated: 26 June 2026