Compliance programmes

Programme requirements

What requirements exist concerning the nature and content of compliance and supervisory programmes for each type of regulated entity?

The nature and content of compliance varies depending on the activities in which the entity is engaged.


Australian financial services licensees have general obligations that must be complied with under the Corporations Act. These obligations (discussed in further detail in question 15) include ensuring financial services are provided efficiently, honestly and fairly, managing conflicts of interest, complying with licensing conditions and financial services laws, carrying out supervisory arrangements, maintaining a dispute resolution system for retail clients and ensuring representatives of the licence are adequately trained and competent.

The extent of a licensee’s obligations is determined by the nature, scale and complexity of the business. Relevant factors include the products and services offered, the volume and size of transactions, the number and type of clients (wholesale or retail), the diversity and structure of the operations, the size of the organisation and whether financial services are a core part of the business. It is crucial that licensees have adequate processes, procedures or arrangements that cover all obligations, including general obligations, licensing conditions and any applicable financial services law.

Additionally, licensees must have adequate risk management systems in place on an ongoing basis to identify, evaluate and mitigate potential risks to an acceptable minimum. Risk management systems must be based on a structured and systematic process that takes into account a licensee’s obligations.


Market licensees must ensure continuous compliance with their licensing obligations and report on the extent of their compliance annually. Relevant factors for ensuring compliance include monitoring and assessing to identify actual or potential breaches, ensuring the market is fair, orderly and transparent and closely supervising the market to handle conflicts of interest, monitor conduct of participants and trading activity, and dealing with suspected breaches.


Australian credit licensees must comply with general obligations that aim to ensure businesses are operated properly. In addition to these, licensees must also adhere to more specific obligations and regulations, which include:

  • responsible lending requirements, under which the licensee must ascertain and verify a consumer’s financial situation and assess whether the credit contract is suitable;
  • requirements in the National Credit Code dealing with precontractual disclosure and conduct in relation to the terms of credit contracts and consumer leases; and
  • maintaining trust accounts.

Credit licensees must also lodge an annual compliance certificate with ASIC to certify that their obligations as a licensee have been complied with.

CS facility licensees

CS facility licensees must comply with a number of general obligations under the Corporations Act. These obligations include complying with the RBA’s financial stability standards, reducing systemic risk, providing services in a fair and effective manner, complying with licensing conditions, ensuring adequate arrangements are in place for handling conflicts of interest and enforcing compliance with the facility’s operating rules, and having sufficient resources to operate supervisory arrangements. It is important for CS facility licensees to report to ASIC and RBA at least annually on whether these licence obligations are being satisfied.


ADI licence holders have a number of ongoing obligations. These include ensuring that their risk management and internal control systems are adequate and appropriate for monitoring and mitigating risk, satisfying requirements of the composition and functioning of the board and ensuring people in key positions of the ADI are fit and proper.


How important are gatekeepers in the regulatory structure?

Gatekeepers play a crucial role in the overall operation of the Australian financial system. Although the roles and responsibilities of gatekeepers in the financial services industry are governed by ASIC, the system is ‘self-executing’. ASIC expects gatekeepers to act professionally and treat investors fairly, maintain effective risk management and internal supervision, and ensure investors are fully compensated when losses result from poor conduct. Within the financial services system, the key gatekeepers include directors, financial planners and financial advisers, custodians, research houses, auditors, trustees and responsible entities.

Directors and company officers function as the primary gatekeepers in maintaining the integrity of financial markets and upholding regulatory obligations. Companies are expected to have strong internal auditing and compliance functions, and directors are expected to drive a strong culture of compliance within their organisation. ASIC closely monitors gatekeeper conduct and holds directors to account for failure to properly execute their obligations. It is important for companies to have proper internal processes for handling revelations from whistle-blowers, train staff on company conduct and obligations, and periodically check on the effectiveness of compliance policies and regulatory requirements, including identifying, escalating and reporting breaches to ASIC.

ASIC has overall responsibility for the surveillance, investigation and enforcement of the financial reporting and auditing requirements of the Corporations Act. Internal auditors must maintain independence from the audit committee or board of directors in order to form a true and fair opinion about whether the financial report complies with the accounting standard. Directors must not rely on the auditor when forming their own opinion on the financial report and ensure the company has its own system, processes, controls and resources to produce high-quality financial reports.

Such gatekeepers are also coming under greater scrutiny in the banking industry, including with the introduction of the Banking Executive Accountability Regime (BEAR). Administered by APRA, BEAR imposes increased accountability obligations on senior executives and directors of ADIs in relation to their specific roles within the organisation as it relates to compliance with laws and notification of non-compliance.

Directors' duties and liability

What are the duties of directors, and what standard of care applies to the boards of directors of financial services firms?

Duties are imposed on directors under both general law and the Corporations Act. Among these duties, some of the most significant are:

  • to act in good faith in the best interests of the company and for a proper purpose;
  • to exercise care and diligence;
  • to avoid conflicts between the interests of the company and personal interests;
  • not to improperly use a position to gain a personal advantage, or to cause detriment to the company;
  • not to improperly misuse information;
  • to maintain proper financial and accounting records;
  • to prevent the company from trading while insolvent (ie, while it is unable to pay its debts as and when they fall due); and
  • if the company is being wound up, to report to the liquidator on the affairs of the company and provide assistance.

In addition, at common law and in equity, directors are regarded as fiduciaries and therefore owe a duty of care to their company. Directors are required to exercise their powers with the standard of care and diligence that a reasonable person would use in similar circumstances. There is no specified standard of care. However, when determining whether a duty has been breached, a court will have regard to factors such as the circumstances of the business, the responsibilities of the directors within the company, the outcomes of decisions and the foreseeable risk of harm associated with them.

Additional obligations apply to directors on the board of a responsible entity of a registered managed investment scheme. These duties include:

  • to act honestly and exercise the degree of care and diligence that a reasonable person would exercise in the position;
  • to act in the best interests of the members of the scheme;
  • not to improperly misuse information;
  • not to improperly use a position to gain a personal advantage or cause detriment to the members of the scheme; and
  • taking reasonable steps to ensure the responsible entity complies with licensing requirements and the scheme’s constitution and compliance plan.

AFSL holders also owe a number of statutory obligations under the Corporations Act in addition to complying with licensing conditions and financial services laws and ensuring their representatives do so also. These obligations include taking all reasonable steps to ensure financial services are provided efficiently, honestly and fairly, managing conflicts of interest and maintaining the resources and competence to provide the services. If an AFSL holder’s clients include retail clients, there must be an internal dispute resolution system and appropriate compensation arrangements in place, as well as a duty to act in the best interests of those clients and to prioritise their interests where personal advice is provided by the licensee.

Responsible managers are key individuals within a business and are thoroughly checked by ASIC to ensure that the AFSL holder is ‘competent’. Responsible managers must be of good fame and character, have the requisite skill and knowledge and be directly responsible for significant day-to-day decisions about the ongoing provision of financial services.

In January 2019, ASIC amended information required for body corporates applying for an AFSL and now requires information about their ‘responsible officer’. ASIC must be satisfied that there is no reason to believe that any of the applicant’s responsible officers are not of good fame or character. A responsible officer is defined as an officer of the AFSL applicant who would perform duties in connection with the holding of an AFSL. An officer includes a director or secretary of the applicant, a person who makes (or participates in making) decisions that affect all or a substantial part of the applicant’s business, or a person in accordance with whose instructions the directors of the applicant are accustomed to act. Responsible officers may also be responsible managers of the AFSL holder.

ASIC must also be satisfied that an individual is a ‘fit and proper person’ to engage in credit activities before an ACL can be granted. ASIC considers whether each of the people involved in managing a credit business are fit and proper people to perform that role. Relevant factors that determine a fit and proper person include competency, attributes of good character, conflicts of interest and any disqualification from the law.

When are directors typically held individually accountable for the activities of financial services firms?

Although a company has a distinct legal existence, directors may be held individually accountable under certain circumstances for adverse outcomes deriving from the activities of the firm. Key areas of potential personal liability include debts incurred when the company becomes insolvent due to insolvent trading, breach of directors’ duties, guarantees over personal assets, illegal phoenix activity (involving the intentional transfer of assets from an indebted company to a new company to avoid tax obligations) and debts incurred by companies acting as trustees.

Directors may also be held personally liable for breaches of other laws administered by other agencies, such as failing to satisfy a company’s tax obligations.

A director who fails to perform his or her duties may be guilty of a criminal offence with a penalty of up to a maximum of A$200,000 or imprisonment of up to five years, or both, be ordered to pay a civil financial penalty of up to A$200,000, be personally liable to compensate the company or others for any loss or damage they suffer, and be prohibited from managing a company.

Where a responsible manager of an AFSL holder acts solely in that capacity to maintain organisational competence, it is unlikely that they would be held personally liable unless they contributed to a breach, in which case they may be banned or required to pay a fine. However, if a responsible manager is also an employee providing financial advice or a director of the licensee, he or she may be held personally liable if the advice breaches financial services laws or where the directors’ duties (discussed above) are breached.

Private rights of action

Do private rights of action apply to violations of national financial services authority rules and regulations?

Private rights of civil action apply to violations in certain circumstances, including for a breach of a statutory duty under the Corporations Act, a breach of the common law, breach of contract or breach of fiduciary duty.

To establish that there was a breach of a statutory duty, a claimant bringing a private action must first prove that a duty of care was owed, the duty was breached, the breach caused the claimant to suffer an injury and the damage was a foreseeable consequence of the breach of the duty.

Standard of care for customers

What is the standard of care that applies to each type of financial services firm and authorised person when dealing with retail customers?

Financial services providers are required to provide financial services in a way that is fair, efficient and honest. This standard applies to the provision of all financial services, regardless of the sophistication or experience of clients. Higher standards apply to financial services that are provided to retail clients. Financial services providers that provide personal financial product advice to retail clients have a further obligation to act in the best interests of such clients, and prioritise client needs over the provider’s own.

Does the standard of care differ based on the sophistication of the customer or counterparty?

The Corporations Act distinguishes between retail and wholesale clients, with all clients assumed to be retail unless they satisfy one of the wholesale categories. The wholesale categories include clients with a gross annual income of A$250,000 or more in each of the previous two years or net assets of at least A$2.5 million.

Under the Corporations Act, retail investors are afforded greater consumer protections than a ‘sophisticated investor’. Sophisticated investors are expected to have a greater level of knowledge and, to a degree, to be able to look after their own interests to a greater extent as compared with retail investors.

On the other hand, firms providing financial services to retail clients must adhere to certain conduct and disclosure obligations. These obligations are designed to ensure retail clients receive good quality advice and are able to make informed decisions on that advice. Generally, a financial services firm must provide various disclosure documents before issuing a financial product to retail clients. These include a financial services guide (disclosing what service the client receives), a statement of advice (disclosing what personal advice has been given having regard to the client’s circumstances) and a product disclosure statement (PDS) (disclosing what financial product the client is buying), as well as information regarding compensation and complaint handling arrangements.

ASIC has published guidance for issuers of certain superannuation products and managed investment products issued to retail clients, which are required to make fee disclosures. Broadly, the enhanced fee disclosure regulations require an issuer to issue a PDS, describe certain transactions in periodic statements, disclose indirect costs and, in the case of superannuation products, other fees, and total fees and costs. Notably, this guidance has recently been reviewed by ASIC, which is seeking industry feedback on proposals to update the guidance and associated regulations with a view to ensuring fees and costs information is practicable for industry while being informative for consumers.

Rule making

How are rules that affect the financial services industry adopted? Is there a consultation process?

Rules that affect the financial services industry in Australia include federal legislation and associated regulations, regulator-specific rules, regulatory guidance and class orders. Much of the applicable legislation allows regulators to vary its effect on industry participants (including relief) through the use of RGs and class orders.

The adoption process varies depending on the nature of the rules or regulations being implemented or changed. Consultation processes will generally be undertaken with industry participants in relation to variations that will significantly alter the current regulatory framework. ASIC issues consultation papers seeking feedback from stakeholders on matters it is considering. These consultation papers outline ASIC’s proposals and questions for public consultation (eg, whether or not they agree with ASIC’s proposals and supporting reasons). Based on the public comments received from submissions to ASIC, ASIC decides whether or not to implement the changes to the relevant rules.