The well-known maxim that a fish rots from the head down gives the clear message that when an organisation has failings, its leaders are to blame.

Some say the fish’s intestines decompose first (and discreetly out of sight) – meaning that the problem lies with the staff. But the staff can only be the problem if the organisation’s leaders have not set or communicated the required standard of corporate conduct, or if they have failed to detect or act upon transgressions by their staff.

Which brings us back to the rotting head – leaders (directors and senior managers) must prevent conduct breaches, and must take steps to detect and remedy any that might occur.  Leaders must ask whether the culture being set at the top is in fact permeating the organisation, and must ensure that compliance regimes are implemented effectively.

This is nothing new – compliance and risk matrices have been embedded in mature corporate governance practice for many years.  Since 2001, a corporation’s culture has been relevant to its liability for certain Commonwealth criminal offences.  But more broadly-mandated higher standards are on the way.

What is new is the heightened focus placed on culture by Australia’s corporate and financial regulators – ASIC and APRA.  This push is gaining traction at a government and corporate level.  The chairs of ASIC and APRA (Greg Medcraft and Wayne Byres respectively) have made numerous references to corporate culture in speeches, appearances at Senate Committee hearings and in formal submissions, as well as to the changes the regulators want to achieve.

These include legislative changes to the regulators’ enforcement options, including the consideration of culture when determining whether a wider range of contraventions have occurred.  This change is aimed at sheeting responsibility for the conduct of individuals back to a corporation’s leadership and the corporation itself.

Following the Financial System Inquiry, the Commonwealth government has committed to a review of ASIC’s powers.

ASIC seeks to widen the circumstances in which the lack of a culture of compliance can be relied upon to demonstrate corporate criminal liability. Simply stated, ASIC’s view is that when an officer breaches a law ASIC administers – and corporate culture is responsible – then both the officer and the corporation should be held responsible.

The Corporations Act adopts Part 2.5 of the Commonwealth Criminal Code.  At present, if it can be proved that corporate culture directed, encouraged, tolerated or led to non-compliance with a provision of the Act attracting a criminal penalty, then the company can be found to have committed that offence.  In this context ‘corporate culture’ means an attitude, policy, rule, course of conduct or practice within an organisation or parts of it.

So, criminal liability can arise because your culture permitted non-compliant staff conduct, or did not discourage it.  Moreover, individuals may be criminally liable as accessories.

However, this ‘corporate culture’ provision does not apply to the parts of the Corporations Act dealing with financial services and financial product provisions – specifically Chapter 7.  This area has had a high profile recently – covering ASIC’s investigations and enforcement activities in relation to foreign exchange, interest rate benchmarks and financial advice.  ASIC wants failures in corporate culture to lead to criminal liability in these areas also.

ASIC also wants offences that arise from culture failures to be actionable as civil penalty offences – with the corresponding lower standard of proof. This is a more explicit focus on not just ‘talking the talk’ (by writing policies) but walking the walk (in actual policy implementation and a lack of tolerance for breaches). Mere existence of policies does not suffice. As the Federal Court said when imposing a penalty in cartel proceedings: “The ... Compliance Manual might have been written in Sanskrit for all the notice anybody took of it.”

Two recent instances are a reminder of the importance of establishing and maintaining appropriate corporate culture – not only to benefit the organisation, but to protect it, its directors and senior management. One occurred in the “financial services” space, the other concerned a managed investment scheme.

Each involved sophisticated corporations with existing compliance programmes and training.  A fair presumption is that the training did not condone the identified conduct.  Although these matters have been resolved administratively (by either an enforceable undertaking or an administrative banning order against the individual), we can imagine a different outcome in the more stringent environment ASIC seeks – especially where the actual corporate environment is at odds with the requirements set out in compliance training.

In the first example, a stockbroker employed by an institutional broking firm received confidential information from a client about the client’s potential trading intentions in a particular stock.  The stockbroker emailed another of the firm’s hedge fund clients.  That client then placed an order with another broker to short sell the stock.  All parties acknowledged ASIC’s concern that there had been an unauthorised disclosure of confidential client information, and that the short sale trade should not have occurred.  It was recognised that the conduct engaged in was potentially unprofessional (in breach of Market Integrity Rules) and that financial services were not provided efficiently, honestly and fairly – in breach of s.798H(1)(b) of the Corporations Act.  Enforceable undertakings were agreed, imposing burdensome compliance obligations and monitoring obligations, and requiring an independent expert to report to ASIC on the corporations’ compliance culture.

In the second example, an individual who was a director and responsible manager of a financial services licensee was banned from providing financial services for six years, under section 920A of the Corporations Act.  The individual created a fake email address and sent emails to competitors, purportedly from a potential client.  The emails sought confidential commercial information from the competitors, supposedly to help the potential client decide whether to engage the competitor.

ASIC determined that the individual breached his duties – and so contravened section 610FD of the Corporations Act – by not acting honestly, misusing his position as a director, and misusing information he acquired to gain an improper advantage. (We note that, as of writing, the individual still has a right of appeal.)


  • Further regulator focus on failures in corporate culture – and greater regulatory powers – are near certain.
  • Corporate and individual criminal and civil exposure is likely if the cultural settings are not right and the ‘talk is not walked’.
  • Directors and corporate leaders should be vigilant in monitoring corporate culture and ensuring compliance measures are effective.