Compliance programmes

Programme requirements

What requirements exist concerning the nature and content of compliance and supervisory programmes for each type of regulated entity?

The Australian Securities and Investments Commission (ASIC) requires Australian financial services (AFS) licensees to have compliance and supervisory arrangements in place to ensure that they comply with all obligations on an ongoing basis, including the general obligations in section 912A(1) of the Corporations Act 2001 (Cth). Those general obligations include:

  • doing all things necessary to ensure that financial services are provided efficiently, honestly and fairly;
  • having adequate arrangements in place for managing conflicts of interest;
  • complying with the financial services laws and the conditions of the AFS licence;
  • having adequate risk management systems as well as sufficient financial, technological and human resources to provide financial services and to carry out supervisory arrangements (noting that this generally does not apply to entities regulated by the Australian Prudential Regulation Authority (APRA), which must comply with a parallel suite of obligations); and
  • maintaining the required level of competence to provide financial services.


ASIC does not adopt a one-size-fits-all approach, and recognises that an entity’s compliance and supervisory programmes will vary according to the nature, scale and complexity of an entity’s business. ASIC expects entities to document and report on their compliance and supervisory programmes, and regularly review their effectiveness. ASIC has a range of regulatory tools to gather information on these arrangements and has published regulatory guides to assist entities to understand ASIC’s expectations.

Elements of compliance programmes that ASIC has highlighted as ‘good practice’ are those that are characterised by board ownership, and responsive and agile governance models. ASIC has also suggested that entities may find the guidance in ‘AS ISO 37301:2021 Compliance management systems – Requirements’ helpful in complying with their obligations.


How important are gatekeepers in the regulatory structure?

ASIC recognises that directors, company officers and the internal audit function play an integral and ongoing role as gatekeepers of accountability in the regulatory structure.

In particular, ASIC recognises that the internal audit function can contribute to more effective risk management and good corporate governance. It does this by providing the entity’s board and committees with an independent review of the operation of its financial and non-financial control environment, the process for identifying and monitoring risks, and governance processes.

For entities listed on the Australian Securities Exchange (ASX), the ASX Corporate Governance Council’s Principles and Recommendations provide that, where a listed entity does not have an internal audit function, it needs to explain the reason for this. It is recognised that there should be another mechanism in place to manage risk and internal control processes.

In ASIC v Healey & Ors [2011] FCA 717, the court reiterated the expectation that directors and the internal audit function act as gatekeepers and that, in doing so, they will be held to a high standard that requires them to continually stay up to date and educated on the financial position of the company.

Directors' duties and liability

What are the duties of directors, and what standard of care applies to the boards of directors of financial services firms?

Directors’ duties have two sources: common law and statute.

The common law duties largely flow from the position of the director as a fiduciary, such as:

  • the duty to act in good faith;
  • the duty to act for proper purposes;
  • the duty to avoid conflicts of interest;
  • the duty to not profit from a position as a fiduciary; and
  • the duty to exercise care.


The statutory duties are set out in sections 180 to 183 of the Corporations Act 2001 (Cth) and supplement the common law duties. Among other things, directors are required to exercise their powers and discharge their duties with the degree of care and diligence that a reasonable person would exercise if they were a director of a company in the same circumstances and occupied the office held by, and had the same responsibilities within the company, as the director in question. The standard of care for any individual director will vary and, when challenged, the court will have regard to a wide range of factors including the position of the director, the circumstances of the business and the degree of the foreseeable risk of harm.

When are directors typically held individually accountable for the activities of financial services firms?

Directors can be personally liable under the Corporations Act 2001 (Cth) for a range of matters, including:

  • failing to comply with his or her directors’ duties;
  • failing to prevent the company from trading while insolvent;
  • for certain taxes that have not been paid by the company; and
  • for companies listed on the ASX, failing to comply with the continuous disclosure obligations.


Directors can also be held individually accountable in circumstances where the company has contravened applicable law. This is referred to as stepping-stone liability, a form of secondary liability that does not require the director to have personally contravened the law or to have been an accessory to the contravention, but instead relies on the contravention by the company as the basis for finding that the director failed to comply with his or her directors’ duties.

Directors and senior executives of an authorised deposit-taking institution (ADI) are deemed to be accountable persons and individually accountable for every aspect of the entity’s business and operations under the Banking Executive Accountability Regime (BEAR). BEAR came into force for the four major domestic Australian banks on 1 July 2018 and for the rest of the ADI industry on 1 July 2019. Consequences for accountable persons who breach BEAR can include financial penalties (for accessorial liability) and disqualification from acting as an accountable person.

As at January 2022, BEAR is being reformed as the Financial Accountability Regime to apply to all financial services firms regulated by APRA. This new regime is expected to apply to ADIs from 1 July 2022, and to insurance and superannuation entities from 1 July 2023.

Private rights of action

Do private rights of action apply to violations of national financial services authority rules and regulations?

The general law may confer private rights of action upon persons affected by breaches of general law principles (for example, in relation to breaches of contract or fiduciary duties). In addition, individuals may have private rights of action under relevant legislation. For example, section 1324 of the Corporations Act 2001 (Cth) allows a person whose interests have been, or would be, affected by contravening conduct to commence proceedings to restrain that conduct. Section 1317E of the Corporations Act 2001 (Cth) allows a person who suffers damage in relation to a contravention of a financial services civil penalty provision to apply for a compensation order.

Standard of care for customers

What is the standard of care that applies to each type of financial services firm and authorised person when dealing with retail customers?

An AFS licensee must do all things necessary to ensure that financial services are provided efficiently, honestly and fairly under section 912A(1)(a) of the Corporations Act 2001 (Cth). This is a cornerstone obligation in Australian financial services law.

AFS licensees that provide financial product advice to retail clients have additional obligations, which include the duty to act in the best interests of the retail client under section 961 of the Corporations Act 2001 (Cth). They must meet the minimum standards that ASIC sets for the training of advisers that provide advice to retail clients. Further, the AFS licensee must comply with additional obligations in relation to dispute resolution and compensation arrangements, which typically consist of adequate professional indemnity insurance.

Does the standard of care differ based on the sophistication of the customer or counterparty?

Yes, the Corporations Act 2001 (Cth) distinguishes between a retail client and a wholesale client. The main effects of the distinction are that retail clients are afforded greater consumer protections, including:

  • retail clients must be given prescribed information and disclosures, including a Financial Services Guide, a Statement of Advice and a Product Disclosure Statement (as applicable);
  • only those licensees authorised under their AFS licence to provide financial products and services to retail clients can do so;
  • dispute resolution and compensation arrangements only apply in relation to retail clients;
  • ASIC’s mandated training obligations only apply to advisers of retail clients; and
  • the best-interests duty only applies in relation to retail clients.



How are rules that affect the financial services industry adopted? Is there a consultation process?

The sources of regulation of the financial services industry are many and varied, including acts of Parliament, legislative instruments (including regulations, class orders, prudential standards, ministerial determinations and notifiable instruments) and enforceable codes of conduct.

Both ASIC and APRA are empowered to supplement and, in some cases, modify the effect of legislation, including by determinations in legislative instruments. ASIC is also empowered, in limited circumstances, to exempt certain financial services providers from complying with specific legal obligations or take a no-action position.

Most commonly, the government will release a package of exposure draft legislation and explanatory materials for public consultation, which invites submissions from interested persons before the usual parliamentary debate process begins for the passage of that legislation. Industry bodies such as the Financial Services Council, the Insurance Council of Australia, the Association of Superannuation Funds of Australia and the Australian Banking Association may make submissions on behalf of their members. The government may make amendments to exposure draft legislation based on those submissions but is not required to do so. In formulating proposed legislation, the government may also conduct reviews and inquiries to evaluate the effectiveness of regulatory regimes or on other matters of public importance.