ASIC's focus on culture of compliance extends beyond financial services companies

During 2015 the Australian Securities & Investments Commission (ASIC) made clear that it considers that it is vital for financial services companies to establish a culture of compliance in order to improve conduct within the financial industry in Australia.

However, the actions of the Federal Government and ASIC in the past year also indicate that a company's compliance culture will be examined when testing the scope of directors' duties for all companies, not just those in the financial services sector.

Two investigative areas where this is likely to be a key consideration are anti-bribery and corruption and cybersecurity (see ASIC's Report 429 Cyber resilience: Health check). 

This is because the existing thresholds for proving a company has committed a breach of laws relating to these areas are very high and forensically difficult to prove. It is foreseeable that ASIC may, instead of attempting to prove specific breaches of corruption or cybersecurity legislation, try to prove that a director or officer has, in a more general sense, breached his or her duties as a director by not acting in the best interests of the company or with care and diligence, by failing to create and foster a culture of compliance.

Culture of compliance

What does it mean to create a culture of compliance?

In the context of anti-bribery and corruption and cybersecurity, the types of activities which would generally be regarded as necessary to create a culture of compliance include:

  • conducting a risk assessment which is tailored to the company's circumstances;  
  • formulating policies and procedures which will establish a system(s) for identifying, investigating, mitigating and resolving risks;  
  • regularly monitoring compliance with those systems, including where necessary conducting further risk assessments;  
  • where an incident or potential incident is identified, conducting a timely and proportionate investigation. For example, one issue which arose in the AWB proceedings brought by ASIC against the former chief executive officer of AWB was the scope of the investigation conducted into the bribery allegations and the information which was conveyed to the board about that investigation;  
  • considering whether the company has any notification obligations under legislation, contractual obligations or in equity in relation to the incident. For example, the Federal Government is seeking to introduce mandatory data breach notification laws which may be relevant in the aftermath of a cybersecurity incident - the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015; and  
  • considering whether the company has any other legal obligations to discharge and having a plan to properly discharge those obligations. For example, does the company need to take legal action to protect the confidentiality of its customers' information if there has been a cybersecurity incident? In November, Baker & McKenzie released its Asia Pacific Cybersecurity Counter-offensive Guide, which provides detailed guidance on the assessment of the severity of different data breaches and identifies what, if any, legal action may be taken to track and recover data which has been leaked or accessed without authorisation.

For directors and officers, the issues which are likely to arise in relation to discharging their obligations in these areas include:

  • ensuring that the company has a plan to deal with foreseeable risks such as the uncovering of corrupt practices or cyber breaches;  
  • being aware of whether the activities above have been undertaken and if so, the outcome of those activities;  
  • leading by example, including by encouraging an environment where implementing and monitoring the policies and procedures is prioritised;  
  • being involved in an investigation of an incident; and  
  • if they are provided with information which indicates there may be a risk which has not been adequately addressed, raising questions.

Actions to consider

Companies should, if they have not recently done so, consider conducting a health check on their systems of compliance in relation to a range of issues, including anti-bribery and corruption and cybersecurity, to ensure those systems are adequate and will stand up to scrutiny from a regulator.

Our recommendation is usually that there is great benefit in stress testing those systems, including by subjecting them to a "dry run".

Another consideration is whether the company and its directors and officers have taken steps to mitigate the financial and other impact of an incident by, for example, ensuring that there is appropriate insurance cover, and that contractual arrangements with third parties (such as sub-contractors) appropriately distribute the financial and legal risks.