Australian Securities and Investments Commission v Commonwealth Bank of Australia

Federal Court of Australia|2020-06-05|Before: Mr J, Mr P, Beach J

The Commonwealth Bank sold special farming packages promising fee waivers, cheaper loans and bonus savings interest. Because its systems were manual, fragmented and had no owner, it failed to deliver those benefits to thousands of farmers for over a decade while still charging the package fees. The bank eventually discovered the problem itself, told ASIC quickly, fixed its systems, closed the product and repaid every customer with interest. ASIC and the bank agreed on the facts. Beach J held the bank had broken the misleading-conduct and unfair-practices rules and its licensee obligations. He ordered a $5 million fine, declarations, a corrective notice on the bank's website and costs. The judge decided the fine was enough for general deterrence because the bank had shown real contrition and fixed the problem thoroughly; specific deterrence was less pressing given the remediation.

In these declarations and orders, terms which are defined in the Concise Statement dated 16 March 2020 have the same meaning as they do in that document.

By the AA+ Package Brochures, AA+ Package Application Form and AA+ Package Terms and Conditions (Contractual Documents) and in all the circumstances, on 123 occasions during the period 16 March 2014 and 31 December 2015 (Penalty Period) CBA represented to a customer in trade or commerce (the Benefits Representations) that: (a) CBA had adequate systems and processes in place to ensure that AA+ Package customers received the benefits to which customers were entitled under the AA+ Package, including fee waivers and interest rate discounts, and bonus interest on savings (AA+ Package Benefits), each of which were financial services within s 12BAB(1)(g) of the Australian Securities and Investments Commission Act 2001 (Cth) (the ASIC Act) in relation to 20 financial products within the meaning of s 12BAA of the ASIC Act (Relevant Products) (as applicable) in accordance with the Contractual Documents; and (b) AA+ Package customers received AA+ Package Benefits on Relevant Products (as applicable) in accordance with the Contractual Documents; which Benefits Representations were each: (i) a false or misleading representation that services have benefits, in connection with the supply or possible supply of financial services, in contravention of s 12DB(1)(e) of the ASIC Act; and (ii) misleading or deceptive conduct, or conduct that was likely to mislead or deceive, in relation to financial services, in contravention of s 12DA(1) of the ASIC Act.
By the Contractual Documents and in all the circumstances, on 123 occasions during the Penalty Period CBA represented to a customer in trade or commerce (the Price Representations) that: (a) CBA had adequate systems and processes to ensure that AA+ Package customers received fee waivers and interest rate discounts (AA+ Package Price Benefits) on Relevant Products (as applicable) in accordance with the Contractual Documents, in circumstances where CBA did not; and (b) AA+ Package customers received AA+ Package Price Benefits on Relevant Products (as applicable) in accordance with the Contractual Documents, in circumstances where AA+ Package customers did not, which Price Representations were each: (i) a false or misleading representation with respect to the price of services, in connection with the supply or possible supply of financial services, in contravention of s 12DB(1)(g) of the ASIC Act; and (ii) misleading or deceptive conduct, or conduct that was likely to mislead or deceive, in relation to financial services, in contravention of s 12DA(1) of the ASIC Act.
By the Contractual Documents and in all the circumstances, on 123 occasions during the Penalty Period CBA represented to a customer in trade or commerce (the Future Benefits Representations) that upon acquiring the AA+ Package and during the period for which the customer would be entitled to AA+ Package Benefits: (a) CBA would have adequate systems and processes in place to ensure that AA+ Package customers would receive AA+ Package Benefits on Relevant Products (as applicable) in accordance with the Contractual Documents; and (b) CBA would apply AA+ Package Benefits on Relevant Products (as applicable) in accordance with the Contractual Documents, which Future Benefits Representations were each a representation with respect to a future matter within the meaning of s 12BB(1) of the ASIC Act in circumstances where CBA did not have reasonable grounds for making the representation, and therefore: (i) a false or misleading representation that services have benefits, in connection with the supply or possible supply of financial services, in contravention of s 12DB(1)(e) of the ASIC Act; and (ii) misleading or deceptive conduct, or conduct that was likely to mislead or deceive, in relation to financial services, in contravention of s 12DA(1) of the ASIC Act.
By the Contractual Documents and in all the circumstances, on 123 occasions during the Penalty Period CBA represented to a customer in trade or commerce (the Future Price Representations) that upon acquiring the AA+ Package and during the period for which the customer would be entitled to AA+ Package Benefits: (a) CBA would have adequate systems and processes to ensure that AA+ Package customers received AA+ Package Price Benefits on Relevant Products (as applicable) in accordance with the Contractual Documents; and (b) CBA would apply AA+ Package Price Benefits on Relevant Products (as applicable) in accordance with the Contractual Documents, which Future Price Representations were each a representation with respect to a future matter within the meaning of s 12BB(1) of the ASIC Act in circumstances where CBA did not have reasonable grounds for making the representation, and therefore: (i) a false or misleading representation with respect to the price of services, in connection with the supply or possible supply of financial services, in contraventions of s 12DB(1)(g) of the ASIC Act; and (ii) misleading or deceptive conduct, or conduct that was likely to mislead or deceive, in relation to financial services, in contravention of s 12DA(1) of the ASIC Act.
On each of the 3,905 occasions during the Penalty Period that CBA in trade or commerce accepted payment of the AA+ Package Fees for the provision of the AA+ Package Benefits, which are financial services within the meaning of s 12DI(3)(a) of the ASIC Act, when there were reasonable grounds for believing that CBA would not be able to supply the financial services within a reasonable time, in contravention of s 12DI(3) of the ASIC Act.
On each occasion that CBA contravened ss 12DA(1), 12DB(1)(e), 12DB(1)(g) and 12DI(3) of the ASIC Act, as referred to in paragraphs 1 to 5 above, CBA breached its general obligation as a financial service licensee to comply with financial services laws in contravention of s 912A(1)(c) of the Corporations Act 2001 (Cth).
By its conduct in each of: (a) failing to apply the AA+ Package Benefits to customer accounts in respect of Relevant Products on 32,927 occasions during the Penalty Period when it was required to do so by the Contractual Documents; (b) mischarging customers who migrated from the AgriAdvantage Package to the AA+ Package on 837 occasions during the Penalty Period; and (c) continuing and maintaining throughout the Penalty Period systems that were not capable of ensuring compliance with obligations to customers, CBA breached its obligation to do all things necessary to ensure that the financial services covered by its financial services licence were provided efficiently, honestly and fairly, and thereby contravened s 912A(1)(a) of the Corporations Act.

Within 30 days, CBA pay to the Commonwealth of Australia a pecuniary penalty of $5,000,000 in respect of CBA's conduct declared to be contraventions of: (a) s 12DB(1)(e) of the ASIC Act, as arising out of the 123 occasions that CBA made a Benefits Representation between 16 March 2014 and 31 December 2015; (b) s 12DB(1)(g) of the ASIC Act, as arising out of the 123 occasions that CBA made a Price Representation between 16 March 2014 and 31 December 2015; (c) s 12DB(1)(e) of the ASIC Act, as arising out of the 123 occasions that CBA made a Future Benefits Representation between 16 March 2014 and 31 December 2015; (d) s 12DB(1)(g) of the ASIC Act, as arising out of the 123 occasions that CBA made a Future Price Representation between 16 March 2014 and 31 December 2015; and (e) s 12DI(3) of the ASIC Act, as arising out of the 3,905 occasions that CBA accepted payment of the AA+ Package Fees for the provision of the AA+ Package Benefits between 16 March 2014 and 31 December 2015.
Within 30 days, CBA shall take all reasonable steps to cause to be published, at its own expense, a notice in the terms set out in Annexure A to this Order on the appropriate part of its website www.commbank.com.au in Arial font no less than 10 point.
CBA pay ASIC's costs of and incidental to the proceeding. Note: Entry of orders is dealt with in Rule 39.32 of the Federal Court Rules 2011. Annexure A CORRECTIVE NOTICE Corrective Notice ordered by the Federal Court of Australia CBA's conduct in making misleading representations and accepting payment where there were reasonable grounds to believe services would not be provided On 5 June 2020, Beach J of the Federal Court of Australia (in proceeding VID 180 of 2020) ordered CBA to pay a pecuniary penalty of $5 million to the Commonwealth for its conduct in relation to the AgriAdvantage Plus product (offered by CBA between May 2005 and November 2015) (AA+ Package). The Court ordered CBA to pay the pecuniary penalty because it was found to have, between 16 March 2014 and 31 December 2015 (Penalty Period): (a) made false or misleading representations to customers that CBA had adequate systems and processes in place to be able to provide customers the benefits offered under the AA+ Package and CBA would apply those benefits in accordance with the terms and conditions of the AA+ Package; and (b) accepted payments from customers in exchange for CBA applying the benefits under the AA+ Package when there were reasonable grounds for believing that CBA would not be able to provide the benefits under the AA+ Package. The Court found that, during the total period over which the AA+ Package was offered (May 2005 to 31 December 2015) (Relevant Period), a total of 8,659 customers were harmed by CBA's conduct on 131,542 occasions, through incorrectly charged fees and interest on loans, underpaid interest on savings, and as a result of mischarging annual fees for the AA+ Package. CBA remediated the full amount of $8,087,267.23 (which included interest for the time that had passed) to its affected customers. During the Penalty Period, CBA accepted payments of AA+ Package Fees from 6,953 customers for the provision of the AA+ Package Benefits. The total amount of Accepted Payments within the Penalty Period was $1,704,650. Any customers harmed by this conduct were remediated as part of the $8,087,267.23 payment for the Relevant Period. CBA co-operated with ASIC during its investigations and has remediated those customers affected by the conduct described above. This Corrective Notice has been paid for by CBA pursuant to the Court's orders.

BEACH J: 1 From May 2005 to December 2015 the CBA sold 7,077 AgriAdvantage Plus Packages and AgriAdvantage Packages to 13,063 rural customers (AA+ Packages). They related to numerous CBA products and entitled customers to benefits in the form of fee waivers, interest rate discounts and bonus interest on savings, in exchange for the payment of package fees. During the period between 16 March 2014 and 31 December 2015 (the penalty period), CBA sold 123 AA+ Packages to 334 customers. 2 ASIC has alleged that contrary to the terms and conditions of the AA+ Packages, benefits were not provided to customers on many of these products. As a result, they were overcharged fees and interest on loans, and were underpaid interest on savings. 3 CBA admits that when selling the AA+ Packages, it had inadequate systems and processes in place to ensure the provision of AA+ Package benefits. It admits that it made misleading representations in contravention of ss 12DB(1)(e) and (g) of the Australian Securities and Investments Commission Act 2001 (Cth), and that it engaged in misleading or deceptive conduct contrary to s 12DA(1). 4 Further, during the broader period from May 2005 to December 2015 (the relevant period), on 18,679 occasions CBA accepted the payment of AA+ Package fees for the provision of the AA+ Package benefits. During the penalty period, there were 3,905 accepted payments from 6,953 customers. The total value of accepted payments within the penalty period was $1,704,650. CBA admits that it accepted payments when there were reasonable grounds for believing that it would not be able to supply the AA+ Package benefits. Such acceptance was therefore in contravention of s 12DI(3). 5 Further, CBA admits that by the above contraventions it breached its general obligation to comply with financial services laws in contravention of s 912A(1)(c) of the Corporations Act 2001 (Cth). And it also admits that in contravention of s 912A(1)(a) it failed to establish and maintain appropriate systems and processes to ensure that it could consistently apply the AA+ Package benefits, and it incorrectly charged AA+ Package fees. 6 ASIC has sought civil penalties and declarations for CBA's contraventions of ss 12DB(1)(e) and (g) and 12DI(3) of the ASIC Act that occurred within the penalty period. 7 In summary, in my opinion a pecuniary penalty of $5 million is appropriate in the circumstances for CBA's contraventions. 8 First, its contraventions arose out of its failure to establish and maintain systems and processes to ensure that it could provide the AA+ Package benefits in accordance with the AA+ Package terms and conditions. In my view, this should be seen as a specific systems deficiency rather than a broader deficit in CBA's corporate culture. 9 Second, although ASIC has sought only penalties and declarations as to CBA's contraventions during the penalty period, the seriousness of those contraventions is to be viewed in the context of CBA's failings for a broader period of over 10 years. Throughout the relevant period there was a poor control environment with no adequate system for reporting issues with the AA+ Packages. Further, CBA's complaints handling processes were inadequate. CBA did not have systems in place to identify complaints made about the AA+ Packages. Further, CBA did not have an appropriate IT system in place to administer the AA+ Packages. Further, CBA failed to establish any business unit or team who was ultimately responsible for ensuring that the AA+ Package benefits were being applied to the relevant products held by customers in accordance with the AA+ Package terms and conditions. And this was all in the context where the AA+ Packages were complex to administer and were administered manually notwithstanding that there were numerous relevant products. 10 Third, the position of each of the individuals who comprised the relevant customers was not insignificant. The AA+ Package was designed especially for Australian farmers. Now although farmers as a group comprise both sophisticated and less sophisticated customers, much like the rest of us, these customers were not in a position to recognise the degree to which CBA was or was not applying AA+ Package benefits to the relevant products. 11 Fourth, I accept that a penalty of $5 million may be seen to be on the light side. But it must be appreciated that in the present context the CBA took early self-generated steps to remedy the deficiencies and remediate its customers. It also reported the deficiencies to ASIC at an early stage. Accordingly, there is little need for a substantial penalty to serve the objective of specific deterrence. General deterrence is another matter of course, although this will be sufficiently served by both the $5 million penalty, my declarations and any consequent reputational damage. 12 Before turning to the detail I note that as sufficient factual matters have been agreed, I have not been required to determine any factual question on its merits. Accordingly, the recitation of what follows is premised on the relevant facts not being in issue between the parties, which is the consequence of invoking s 191 of the Evidence Act 1995 (Cth). To so invoke s 191 provides a sufficient factual foundation to support my exercise of power to impose a penalty and to make the required declarations without any necessity to receive evidence let alone independently adjudicate on whether those facts exist. Accordingly, all that I need to be satisfied of is whether the agreed facts on their face provide a sufficient foundation for the declarations and orders sought. The text of s 191(2)(a) makes this plain. Let me now summarise parts of the agreed facts taken from the more detailed statement of agreed facts, the supplementary statement and the extensive schedules, one of which I have annexed to these reasons.

The factual foundation 13 The AA+ Packages were first offered by CBA in May 2005. They were withdrawn from sale to new customers on 12 September 2014 and closed for existing customers on 27 November 2015. Benefits ceased for existing customers on 31 December 2015. 14 During the relevant period, 13,063 customers applied for and took up 7,077 AA+ Packages. The AA+ Package entitled these relevant customers to benefits in the form of fee waivers and interest rate discounts, and bonus interest on savings, on 22 CBA products in exchange for the payment of package fees. 15 Over the relevant period, CBA issued brochures in respect of the AA+ Package dated 16 September 2005, 25 July 2008, 22 October 2010, 17 August 2012 and 15 February 2013. 16 As part of the AA+ Package application process, CBA provided an application form to each relevant customer. To be entitled to the AA+ Package benefits, relevant customers submitted a completed AA+ Package application form through their relationship manager. 17 In taking up the AA+ Package, each relevant customer entered into a contract with CBA, governed by the AgriAdvantage Plus terms and conditions. Between May 2005 and 14 September 2010, the AA+ Package terms and conditions were contained in AA+ Package brochures dated 16 September 2005 and 25 July 2008. From 15 September 2010, the AA+ Package terms and conditions were contained in documents titled "AgriAdvantage Plus Terms and Conditions" dated 15 September 2010, 7 June 2011, 6 July 2012, and 17 May 2013. Each of these incorporated by reference details of AA+ Package benefits, as set out in the then applicable AA+ Package brochures. 18 The AA+ Package benefits involved the application of benefits and concessions to 22 CBA products already on offer to CBA customers. Between 11 May 2005 and 9 October 2015, CBA did not apply AA+ Package benefits to some customers for 20 of these products (the relevant products). 19 In summary, the AA+ Package benefits comprised: (a) reduced or waived fees on the relevant products; (b) discounted interest rates on the relevant products; and (c) bonus interest on the relevant products providing for interest upon savings. 20 Various statements were made within the AA+ Package application form, the AA+ Package terms and conditions, and the AA+ Package brochures. I will set out examples of these later. 21 Relevant customers were required to pay the "Annual Package Fee" as described in the AA+ Package terms and conditions on CBA's receipt of the AA+ Package application form and on each anniversary of the date of that payment whilst the agreement continued. During the relevant period, the annual fee was $500 for AA+ Package customers. For customers who purchased an AgriAdvantage Package between May 2005 and 14 November 2010 and whose package was migrated to an AA+ Package on or around 15 November 2010, the annual fee was and remained $300. From 15 November 2010 onwards, in addition to the annual fee, new customers were also required to pay a "one-off establishment fee of $1000 or 0.25% of [the customer's] total borrowing limit, whichever [was] greater" (collectively, the AA+ Package fees). 22 During the relevant period, on 18,679 occasions CBA accepted payment of AA+ Package fees for the provision of the AA+ Package benefits (the accepted payments). Of this, during the penalty period there were 3,905 accepted payments. The total value of the accepted payments within the penalty period was $1,704,650. 23 Over the relevant period including the penalty period, CBA failed to apply AA+ Package benefits to relevant products as required by the AA+ Package terms and conditions. In this respect, CBA: (a) charged customers fees on certain relevant products to which it was not entitled pursuant to the AA+ Package terms and conditions; (b) charged customers interest on certain relevant products at rates higher than that which it was entitled to charge pursuant to the AA+ Package terms and conditions; (c) paid customers interest on certain relevant products providing for interest upon savings at rates lower than that which it was obliged to pay pursuant to the AA+ Package terms and conditions. 24 These failures caused CBA during the relevant period on 131,542 occasions to, in the case of fees or interest on loans, incorrectly deduct and, in the case of interest on savings, incorrectly retain a total of $6,711,105.37 from customers who held an AA+ Package, in circumstances where CBA had no entitlement to overcharge fees and interest on loans or to underpay interest on savings. During the penalty period there were 32,927 such occasions. The total value of AA+ Package benefits that CBA failed to apply during the penalty period was $633,783.03 including interest. 25 These failures arose out of CBA's continuing failure over the relevant period to establish and maintain appropriate systems and processes to ensure that it could provide the AA+ Package benefits in accordance with the AA+ Package terms and conditions (AA+ Package system failings). In particular: (a) the provision of AA+ Package benefits involved highly manual processes that relied on a relationship manager establishing the product correctly and ensuring AA+ Package benefits were applied; (b) the AA+ Package was complex to administer in a highly manual environment, in that the AA+ Package offered benefits on 22 CBA products, with many offering different or multiple benefits to the customer; (c) there was a poor control environment with no adequate system for reporting issues with the package or monitoring of any complaints about the package or auditing of the package, and with there being no team or person responsible for the AA+ Package; (d) there were inadequacies in the complaints handling system in that CBA did not have systems in place to identify complaints made about the AA+ Package; (e) there were no appropriate IT systems to administer the product, with multiple systems being used and not all products being on the same IT system; (f) there was no business unit, team or person who was ultimately responsible for ensuring that the AA+ Package benefits were being applied to the relevant products held by customers in accordance with the AA+ Package terms and conditions. 26 Further, by the AA+ Package brochures, AA+ Package application form and AA+ Package terms and conditions (the contractual documents) and in all the circumstances, CBA represented to each relevant customer that: (a) CBA had adequate systems and processes in place to ensure that AA+ Package customers received AA+ Package benefits on relevant products in accordance with the contractual documents and also represented that AA+ Package customers received AA+ Package benefits on relevant products in accordance with the contractual documents (benefits representations); (b) upon acquiring the AA+ Package and during the period for which the customer would be entitled to AA+ Package benefits, CBA would have adequate systems and processes in place to ensure that AA+ Package customers would receive AA+ Package benefits on relevant products in accordance with the contractual documents and also represented that CBA would apply AA+ Package benefits on relevant products in accordance with the contractual documents (future benefits representations); (c) CBA had adequate systems and processes to ensure that AA+ Package customers received fee waivers and interest rate discounts (AA+ Package price benefits) on relevant products in accordance with the contractual documents and also represented that AA+ Package customers received AA+ Package price benefits on relevant products in accordance with the contractual documents (price representations); and/or (d) upon acquiring the AA+ Package and during the period for which the customer would be entitled to AA+ Package benefits, CBA would have adequate systems and processes to ensure that AA+ Package customers received AA+ Package price benefits on relevant products in accordance with the contractual documents and also represented that CBA would apply AA+ Package price benefits on relevant products in accordance with the contractual documents (future price representations). 27 These representations were made on 7,077 occasions during the relevant period and on 123 occasions during the penalty period. 28 Further, during the relevant period on 2,746 occasions, and in the amount of $1,376,717.11, CBA mischarged AA+ Package fees for certain customers whose package was migrated from the AgriAdvantage Package. And as a subset, during the penalty period there were mischarged AA+ Package fees on 837 occasions in the amount of $237,218.

Section 12DB(1)(e) and (g) of the ASIC Act 29 CBA admits that by making each benefits representation and future benefits representation, CBA made a misleading representation in contravention of s 12DB(1)(e). And it admits that by making each price representation and future price representation, it made a misleading representation in contravention of s 12DB(1)(g). CBA admits its contraventions of s 12DB(1) by way of four forms of representation made by it to relevant customers in the terms that I have just set out. 30 For present purposes, the parties agree that each form of representation arose at least impliedly out of the relevant contractual documents consisting of the AA+ Package brochures, the AA+ Package application form, the AA+ Package terms and conditions and the surrounding circumstances. 31 As at 16 March 2016 being the commencement of the penalty period, examples of the contractual documents identified by the parties to me included: (a) AA+ Package application form; Section 1 - Borrower(s) details: The Bank will apply the concessions and benefits as set out in the AgriAdvantage Plus Package to the borrower(s) stated above. (b) AA+ Package terms and conditions; Clause 3, Concessions: While this Agreement continues, except as otherwise indicated, you (and any other party nominated by you, as per the terms in Clause 1 above), will be entitled to the concessions and benefits from us, as set out in the AgriAdvantage Plus Package Brochure, subject to our usual Terms and Conditions for the respective products and our normal credit criteria and assessment. We may charge establishment fees for any increases in your borrowing limit. … The concessions will be applied on all of the accounts you have notified to us, either on the Package Application Form or in writing to us, on the day we process your notification. … (c) AA+ Package brochures; [Heading] An exclusive package for Australian Agribusiness: It's an exclusive package of discounted research, advice, banking services and financial solutions designed especially for Australian farmers … When you join Agri Advantage Plus, you'll receive discounts and preferential rates on specially selected Commonwealth Bank products and services. So you'll pay less interest and fewer fees, while enjoying higher returns on your money … 32 The AA+ Package brochures also listed specific AA+ Package benefits. As at 16 March 2016 those AA+ Package benefits included: (a) no monthly account fees for Business Transaction Accounts (otherwise $10); (b) no monthly account fees for Premium Business Cheque Accounts (otherwise $15); (c) no monthly account fees for Overdraft Cheque Accounts (otherwise $5); (d) interest on Farm Management Deposit Accounts being: (i) for at-call deposits: the cash rate less 0.1% pa; (ii) for fixed term deposits: an additional 0.25% bonus rate on the standard advertised rates; (e) interest on Business Online Saver Accounts being an additional 0.15% bonus rate on the standard advertised rates; (f) interest on Cash Deposit Accounts being: (i) for at-call deposits: the cash rate less 0.1% pa; (ii) for term deposits and bank bills: "Ask your Agribusiness Manager about our current special rates for AgriAdvantage Plus members"; (g) no establishment fee for business credit cards (otherwise $300); (h) no establishment fee for corporate credit cards (otherwise $300); (i) for business overdrafts: 0.25% discount on our standard establishment fee (currently 0.5% of the overdraft limit) A discount on our standard Overdraft Line Fee (currently 1.12% of your limit). The size of the discounted fee depends on your overdraft limit: Up to $100,000: Nil $100,000 plus: 0.20% of limit pa. (j) for CommBiz Accounts: (i) two monthly security tokens (otherwise $27.50 each); (ii) no monthly token fee for two tokens (otherwise $5.50 each); (iii) no establishment fee (otherwise $66); (k) for asset finance: $100 discount on our standard documentation fees (currently $395) $200 discount on establishment of the Master Agreement (currently $395) Discounted interest rates when you spend more than $250,000 a year. (l) for an Agri Line of Credit: 0.25% discount on standard establishment fee (otherwise 0.5% of loan amount); (m) for a Better Business Loan: (i) no loan service fee; (ii) 0.25% discount on standard establishment fee (otherwise 0.5% of loan amount); (n) for commercial bills: 0.25% discount on standard establishment fee (otherwise 0.5% of loan amount); (o) for Business Wealth Management: $400 discount on the fee from preparing the cutomer's wealth management plan; (p) for Wealth Protection: 5% discount on first year's premium; (q) for a standard variable rate home loan / investment home loan: (i) interest rate discounts: $150,000 - $349,999: 0.5% pa $350,000 - $749,999: 0.6% pa More than $750,000: 0.7% pa (ii) no up-front establishment fee (otherwise $600); (iii) no monthly loan service fee (otherwise $8 per month); (r) for a fixed rate home loan / investment home loan: (i) interest rate discount of 0.15% pa; (ii) no up-front loan establishment fee (otherwise $600); (iii) no monthly loan service fee (otherwise $8 per month); (s) for a CommSec Margin Loan: 0.25% pa discount of variable or fixed rate. 33 The parties agree that during the relevant period, CBA made 7,077 sets of representations corresponding with 7,077 sales of the AA+ Package. And they agree that during the penalty period, CBA made 123 sets of representations corresponding with 123 such sales. 34 On the basis of the agreed facts in my view there is little doubt that the elements of ss 12DB(1)(e) and (g) of the ASIC Act have been made out concerning the making of the representations and their falsity or misleading aspect.

Section 12DA(1) of the ASIC Act 35 Further, CBA admits that by making each benefits representation and future benefits representation, CBA engaged in misleading or deceptive conduct or conduct that was likely to mislead or deceive in contravention of s 12DA(1). And it admits that by making each price representation and future price representation, it engaged in misleading or deceptive conduct or conduct that was likely to mislead or deceive in contravention of s 12DA(1). 36 CBA admits that in the penalty period it committed 492 contraventions of s 12DA(1), comprising: (a) 123 contraventions by way of the benefits representations; (b) 123 contraventions by way of the future benefits representations; (c) 123 contraventions by way of the price representations; and (d) 123 contraventions by way of the future price representations. 37 There is little doubt on the agreed facts that these contraventions are established.

Section 12DI(3) of the ASIC Act 38 CBA also admits that by each accepted payment, it contravened s 12DI(3). In the penalty period, there were 3,905 accepted payments from 6,953 customers. The total value of the accepted payments during the penalty period was $1,704,650. 39 Section 12DI(3) relevantly provides: A person contravenes this subsection if: (a) the person, in trade or commerce, accepts payment or other consideration for financial services; and (b) at the time of acceptance, there are reasonable grounds for believing that the person will not be able to supply the financial services within the period specified by the person or, if no period is specified, within a reasonable time. 40 Clearly, the elements of a contravention of s 12DI(3) are: (a) an accepted payment; (b) the payment is accepted in trade or commerce; (c) the payment is for financial services; (d) at the time of acceptance there are reasonable grounds for believing that the person will not be able to supply the financial services within the period specified by the person or, if no period is specified, within a reasonable time. 41 Now there is limited authority dealing with s 12DI(3). Further, little guidance is to be found in authorities addressing other statutory analogues. When s 12DI was introduced it was relevantly identical to those analogues. In particular it included a requirement that: there are reasonable grounds, of which the corporation is aware or ought reasonably to be aware, for believing that the corporation will not be able to supply the services within the period specified by the corporation or, if no period is specified, within a reasonable time. (emphasis added). 42 But the Financial Services Reform (Consequential Provisions) Act 2001 (Cth) repealed the original s 12DI and substituted a reformulated s 12DI. Since then s 12DI(3) has not had the italicised words. As such, s 12DI(3) now differs from s 36(3) of the Australian Consumer Law. The extrinsic material to the amending Act provides no insight as to why the italicised words were removed. But in my view the amendment to s 12DI(3) must be taken to manifest a legislative intention to remove the requirement to prove that the financial services provider "is aware or ought reasonably to be aware" of the reasonable grounds. 43 In the result, in order to prove a contravention of s 12DI(3) it is only necessary to prove that objectively as at the time of acceptance by CBA of the payment of AA+ Package fees, there were facts and circumstances which constituted reasonable grounds for believing that CBA would not be able to supply the relevant financial services being the AA+ Package benefits. There is no requirement to establish that CBA was aware or ought reasonably to have been aware of the relevant reasonable grounds. 44 Now as I have said, relevant customers were required to pay the "Annual Package Fee" as described in the AA+ Package terms and conditions on CBA's receipt of the AA+ Package application form and on each anniversary of the date of that payment whilst the agreement continued. 45 CBA admits that during the relevant period it accepted payment of these AA+ Package fees for the provision of the AA+ Package benefits on 18,679 occasions. Of this, during the penalty period there were 3,905 accepted payments. The total value of the accepted payments during the penalty period was $1,704,650. CBA admits that each accepted payment was in trade or commerce. Further, CBA admits that each accepted payment was for financial services within the meaning of s 12DI(3)(a). Further, CBA admits that at the time of each accepted payment there were reasonable grounds for believing that it would not be able to supply the financial services within a reasonable time. 46 In summary, there is little doubt that these contraventions have been established.

Section 912A of the Corporations Act 47 It is next convenient to turn to the allegations of contravention of s 912A(1) of the Corporations Act. 48 CBA admits that on each occasion that it engaged in the above contraventions it breached its general obligation to comply with the financial services laws in contravention of s 912A(1)(c). 49 Further, CBA admits that, first, by its conduct in failing to apply the AA+ Package benefits to customer accounts in respect of relevant products during the penalty period when it was required to do so by the AA+ Package terms and conditions, second, by its conduct in charging the mischarged AA+ Package fees during the penalty period and, third, by its conduct on a continuing basis of not having systems that were capable of ensuring compliance with obligations to customers during the relevant period, it breached its obligation to do all things necessary to ensure that the financial services covered by its Australian financial services licence (AFSL) were provided efficiently, honestly and fairly. Accordingly it contravened s 912A(1)(a). 50 In terms of the relevant principles, I have had cause to write on s 912A(1)(a) before. I repeat what I said in Australian Securities and Investments Commission v AGM Markets Pty Ltd (in liquidation) (No 3) [2020] FCA 208 at [505] to [528] and in Australian Securities and Investments Commission v Westpac Banking Corporation (No 2) (2018) 266 FCR 147 at [2347] to [2350]. It would be supererogation on my part to elaborate further. 51 Let me say something more on the admissions concerning s 912A(1). 52 First, CBA admits that it contravened s 912A(1)(c) upon each occasion of its contraventions of s 12DB(1)(e) and (g), s 12DA(1), and s 12DI(3) of the ASIC Act as I have set out above. 53 Second, CBA admits that it contravened s 912A(1)(a). This contravention arose out of three forms of conduct. 54 The contravention arose out of CBA's conduct over a period of approximately 10 years from May 2005 to December 2015 in not having systems that were capable of ensuring compliance with obligations to customers during the relevant period. 55 Further, the contravention arose out of CBA's failure to apply the AA+ Package benefits to customer accounts in respect of relevant products when it was required to do so by the AA+ Package terms and conditions. These failures involved CBA deducting, in the case of fees or interest on loans, and incorrectly retaining, in the case of interest on savings, a total of $6,711,105.37 during the relevant period from customers who held an AA+ Package, in circumstances where CBA had no entitlement to overcharge fees and interest on loans, or to underpay interest on savings. Further, during the penalty period, the value of the AA+ Package benefits not applied was $633,783.03 and there were 32,927 such occasions when the AA+ Package benefits were not applied. 56 Further, during the relevant period on 2,746 occasions, CBA mischarged AA+ Package fees for certain customers whose packages were migrated from the AgriAdvantage Package in the amount of $1,376,717.11. And including within these figures, during the penalty period customers were mischarged AA+ Package fees on 837 occasions in the amount of $237,218. 57 In summary there is little doubt that CBA breached its obligation to do all things necessary to ensure that the financial services covered by its AFSL were provided efficiently, honestly and fairly, and thereby contravened s 912A(1)(a).

Penalty 58 ASIC seeks civil penalties for CBA's contraventions of ss 12DB(1) and 12DI(3) which occurred within 6 years of the commencement of the present proceeding, that is, within the penalty period. 59 The matters that I have described earlier provide a sufficient foundation to be satisfied that CBA committed: (a) 123 contraventions of s 12DB(1)(e) concerning the benefits representations made during the penalty period; (b) 123 contraventions of s 12DB(1)(g) concerning the price representations made during the penalty period; (c) 123 contraventions of s 12DB(1)(e) concerning the future benefits represent-ations made during the penalty period; (d) 123 contraventions of s 12DB(1)(g) concerning the future price representations made during the penalty period; (e) 3,905 contraventions of s 12DI(3) arising out of the 3,905 occasions that CBA accepted payment of the AA+ Package fees for the provision of the AA+ Package benefits during the penalty period. 60 ASIC submits that an appropriate pecuniary penalty is $5 million. CBA submits that this should be the maximum in the frame. Having considered the relevant material for myself, in my view that is an appropriate penalty for the offending. 61 Section 12GBA(1) as relevantly in force until 12 March 2019 provided that the Court may order a person who has contravened ss 12DB or 12DI to pay such pecuniary penalty in respect of each act or omission as the Court determines to be appropriate. 62 The then s 12GBA(2) requires the Court in determining the penalty to have regard to all relevant matters including: (a) the nature and extent of the act or omission and of any loss or damage suffered as a result of the act or omission; (b) the circumstances in which the act or omission took place; and (c) whether the person has previously been found in proceedings under Subdivision G to have engaged in any similar conduct. 63 The then s 12GBA(3) provides that the maximum penalty for a body corporate for each act or omission that relates to ss 12DB or 12DI is 10,000 penalty units. The value of a penalty unit over the penalty period in the present case has increased such that it has been: (a) between 28 December 2012 and 30 July 2015, $170; and (b) between 31 July 2015 and 30 June 2017, $180. 64 In the circumstances of the present case the maximum penalty for each act or omission to which ss 12DB and 12DI applied during the penalty period therefore ranged from $1.7 million to $1.8 million per contravention. 65 Now the process to be used in setting a civil penalty for contravention of statutory provisions is similar to that used in criminal sentencing. The maximum penalty must be given due attention because it has been legislated for, it invites comparison between the worst possible case and the case before the Court at the relevant time, and it provides a form of yardstick. But it may be an arid exercise in cases such as the present to engage in a mere arithmetical calculation multiplying the maximum penalty by the number of contraventions to get a theoretical maximum for all offending even if one could theoretically quantify that latter number (see Australian Competition and Consumer Commission v Coles Supermarkets Australia Pty Ltd (2015) 327 ALR 540 at [17], [18], [84] and [85] per Allsop CJ). But I do accept that some estimate of the number of contraventions is to be taken into account in getting some sense of the overall maximum. Now in the present case, I am theoretically considering orders of magnitude above a single contravention. But it is not productive to quantify this further. Moreover, it is not appropriate to quantify a theoretical maximum for the purpose of then ratcheting down, which is an impermissible exercise. 66 Let me make some other general observations at this point. 67 First, the paramount objective of a pecuniary penalty is deterrence. There are two dimensions, namely, specific deterrence and general deterrence. 68 Second, in addition to the stipulations in s 12GBA(2), a number of other non-exhaustive factors or considerations have been identified as relevant to the exercise of my discretionary power to impose and quantify a penalty. These factors, some of which overlap with the mandatory considerations in s 12GBA(2), can be traced back to the exposition by French J in Trade Practices Commission v CSR Limited (1991) ATPR 41-076. For convenience, I repeat what I said in Australian Securities and Investments Commission v Westpac Banking Corporation (No 3) (2018) 131 ACSR 585 at [49] that: The fixing of a pecuniary penalty involves the identification and balancing of all the factors relevant to the contravention and the circumstances of the defendant, and the making of a value judgment as to what is the appropriate penalty in light of the purposes and objects of a pecuniary penalty that I have just explained. Relevant factors include the following: (a) the extent to which the contravention was the result of deliberate or reckless conduct by the corporation, as opposed to negligence or carelessness; (b) the number of contraventions, the length of the period over which the contraventions occurred, and whether the contraventions comprised isolated conduct or were systematic; (c) the seniority of officers responsible for the contravention; (d) the capacity of the defendant to pay, but only in the sense that whilst the size of a corporation does not of itself justify a higher penalty than might otherwise be imposed, it may be relevant in determining the size of the pecuniary penalty that would operate as an effective specific deterrent; (e) the existence within the corporation of compliance systems, including provisions for and evidence of education and internal enforcement of such systems; (f) remedial and disciplinary steps taken after the contravention and directed to putting in place a compliance system or improving existing systems and disciplining officers responsible for the contravention; (g) whether the directors of the corporation were aware of the relevant facts and, if not, what processes were in place at the time or put in place after the contravention to ensure their awareness of such facts in the future; (h) any change in the composition of the board or senior managers since the contravention; (i) the degree of the corporation's cooperation with the regulator, including any admission of an actual or attempted contravention; (j) the impact or consequences of the contravention on the market or innocent third parties; (k) the extent of any profit or benefit derived as a result of the contravention; and (l) whether the corporation has been found to have engaged in similar conduct in the past. 69 I have considered these augmented French factors in the present case insofar as they are relevant. 70 Third, s 12GBA contemplates a penalty "in respect of each act or omission" that constitutes a contravention. Accordingly, the statutory language requires assessment of whether the circumstances of the case disclose one or more contraventions. 71 Fourth, even if the application of the statutory language would dictate a finding of multiple contraventions, a question arises as to whether such contraventions can be or should be grouped under what has been conveniently described as the course of conduct principle. Yesterday, Mr James Peters QC for ASIC correctly submitted that the following principles guide the assessment as to whether ongoing conduct affecting multiple customers ought be regarded informally as one contravention or multiple contraventions for the purposes of determining an appropriate penalty. 72 It is important to ensure that a respondent is not sanctioned more than once for what is in substance one episode of contravention. It is appropriate to consider whether, and the extent to which, the contravening conduct should be regarded as a single course of conduct and penalised as one offence in relation to each category of contravention, on the principle that a contravener should not be penalised more than once for the same conduct. 73 Further, where there is an interrelationship between the legal and factual elements of a contravention, the course of conduct principle may be able to be applied to group contraventions. But it represents a tool of analysis only. 74 Further, where there have been discrete episodes each involving deliberation, then such a grouping may be inapposite, even if they reflected a common theme, strategy or model. 75 Further, even a single strategy involving a single or substantially consistent form of conduct might deny such a grouping where the conduct is directed towards numerous recipients. 76 I would also re-iterate what I said in ASIC v Westpac (No 3) at [131] to [134] and Australian Competition and Consumer Commission v Hillside (Australia New Media) Pty Ltd (t/as Bet 365) (No 2) [2016] FCA 698 at [21] to [25] on this topic. 77 Fifth, it is appropriate to consider the question of parity. But in all but the co-offender scenario or analogues thereof it is conceptually problematic to look at penalties in other cases to calibrate a figure in the present case when all that one has from the other cases are single point determinations produced by opaque intuitive synthesis. Deconvolution analysis of the single point determinations in order to work out the causative contribution of any particular factor is unrealistic. No juridical style Fourier transformation is possible. But unless that can be done, comparisons outside the co-offender or like scenario have little value. Moreover, the comparative value of other single point determinations is even further reduced in cases where they have been substantially influenced by the parties' identification of and then consensus to the relevant figure or range. 78 Sixth, ultimately the size of the penalty is a matter of discretion and the process of fixing the quantum is not an exact science. All of the circumstances must be weighed and the approach to be adopted is one of intuitive synthesis. Intuitive synthesis requires a weighing together of all relevant factors, rather than an arithmetical algorithmic process that starts from some pre-determined figure and then makes incremental additions or subtractions for each factor according to a set of pre-determined rules. And it is also important to note that intuitive synthesis conducted in criminal sentencing does not have the same boundaries and content as intuitive synthesis in the context that I am considering. In criminal sentencing, the synthesis involves not only the facts and circumstances of the offending, but also conflicting sentencing considerations such as retribution and rehabilitation, and differing sentencing options along a broader spectrum than the civil context from a donation to the poor box through to imprisonment. 79 Seventh, the totality principle is also relevant. It requires me to consider the entirety of the underlying contravening conduct to determine whether the aggregate penalty is just and appropriate. It is the final check to ensure that the penalty is appropriate overall.

What should be the penalty in the present case? 80 Applying the above principles, in my view an overall penalty of $5 million is appropriate. 81 First, relevant to both specific and general deterrence, CBA is a substantial Australian bank with not insignificant financial resources. But notwithstanding those resources, for a protracted period it failed to ensure that it could fulfil the promises made to customers under the AA+ Packages. And it was also unable to detect that AA+ Package benefits were not being provided. Indeed the processes and systems developed and relied upon by CBA to provide services to customers allowed its failures to go unnoticed by relevant personnel within the CBA for over 10 years. And it was not until CBA carried out a group-wide review of packaged-based arrangements, through which it was revealed that there were issues with fees charged under those arrangements, that CBA became aware of the issues with the AA+ Packages. 82 In terms of general deterrence, the proposed penalty, although relatively modest given CBA's size, should create a disincentive for large financial institutions to fail to maintain adequate processes and systems. As for specific deterrence, there is less of a need for this in the present case given the nature of the contraventions, the relevant remediation that has occurred and the changes to the CBA's systems that have been implemented. I will set out further detail of these matters in a moment. 83 Second, in making my assessment, the nature and extent of the contravening conduct and the circumstances in which the conduct took place is significant. 84 By way of context, during the relevant period a total of 8,659 relevant customers were harmed by CBA's conduct as to the representations on 131,542 occasions, in circumstances where CBA prior to remediation benefited substantially in incorrectly charged fees and interest on loans and underpaid interest on savings. Further, during the relevant period, on 18,679 occasions, CBA accepted payment of AA+ Package fees for provision of the AA+ Package benefits. 85 Further, during the penalty period, CBA sold 123 AA+ Packages to 334 relevant customers and there were 3,905 accepted payments from 6,953 customers totalling $1,704,650. 86 The contraventions were the result of CBA's failure to introduce and maintain adequate systems so as to ensure the adequate provision of AA+ Package benefits. In this sense, the conduct was serious and involved CBA receiving moneys for the supply of services that were not provided to many customers in circumstances where it ought to have known that the services were not being provided. 87 Further, although the AA+ Package was designed for Australian farmers, the AA+ Package was complex and the relevant customers generally were not in a position to recognise the degree to which CBA was not applying AA+ Package benefits to the relevant products. Now some relevant customers did make complaints as to the non-provision of AA+ Package benefits, but as a result of its own systemic deficiencies CBA did not identify those complaints. 88 Let me say something further about CBA's systems relevant to the present context. 89 During the relevant period, several IT systems were used to implement the AA+ Package benefits. Of these systems, the main one used to host the relevant products was the Systems, Applications and Products system (SAP), which is CBA's core banking system. It is used for recording limits and exposures for all AUD and non-AUD loans and is responsible for the accrual and charging of interest rates and fees. 90 At the time, CBA had manual and complex processes in place to identify whether a relevant customer was eligible for the AA+ Package benefits. And the process for identifying the relevant customers and applying the relevant benefits was product specific. 91 For products hosted on the SAP platform, products were manually linked to the AA+ Package. Relevant benefits were automatically applied once linked to the AA+ Package. For products not hosted on the SAP platform, a manual process was required to apply or remove any relevant benefits. The process differed depending on the product. 92 How these manual and complex systems were set up and operated explains the genesis of the present problem. 93 Now on 19 June 2014, following a CBA-wide review of package-based arrangements that identified fee issues with those arrangements, a CBA review of the AA+ Package revealed that a number of AA+ Package benefits had not been properly applied. On identification of this problem, steps were taken immediately to escalate the issue to senior management. The CBA's senior management, being the GM Home Loans and the Executive Legal Counsel - Banking Group Corporate Affairs, first became aware of the issue with the AA+ Package at this time. 94 On 20 June 2014, the CBA took steps to commence its investigation of the issue and staff were engaged to conduct further investigations as a matter of priority. 95 In late June and early July 2014, CBA's Group Audit and Assurance team conducted an internal audit to ascertain the number of potentially impacted accounts and the financial impact on those accounts. Results from the audit conducted at the time indicated that a total of 2,696 customers and 4,677 accounts were potentially at risk and the total estimated impact on a worst-case scenario was $7,378,020. 96 Further investigations into the AA+ Package issue conducted at the time indicated that extensive testing was required to determine actual financial impacts and root causes. It indicated that the Corporate and Commercial Lending team should work with the remediation programs within CBA then underway to share learnings and to ensure that a consistent and thorough remediation was undertaken. And it indicated that a strategic review of the AA+ Package was required which would investigate products offered, customer value propositions and the best path forward. Further, the review would include considering options such as continuing the product offering, product simplification or ceasing the product offering. 97 By 4 July 2014, CBA's initial investigations into the AA+ Package system failings issue found that benefits had not been correctly applied as intended. Issues that had contributed to this occurring included product complexity, with the AA+ Package applying to multiple products, multiple systems hosting a range of products, and a manual process in place to link, maintain and de-link products to the package. The investigations also found that there had been no customer complaints and accordingly that the issue had been undetected for a significant time. 98 On 14 July 2014, CBA made a "potential" breach report to ASIC. At the time of this reporting, CBA informed ASIC that it had 2,655 active AA+ Packages on offer. Also at the time of this reporting, CBA informed ASIC that it had not identified any formal customer complaints with respect to the AA+ Package. However, complaints were subsequently identified by CBA. It would seem that complaints were not identified before this reporting to ASIC due to the then deficiencies in CBA's complaints recording and reporting systems. 99 I should note that since 30 July 2014, CBA has made investments and improvements in its systems relating to monitoring customer complaints. The details of the steps taken and decisions made by CBA, which have also applied to other retail banking products, are set out in one of the many detailed schedules that were provided to me by the parties which I have annexed to these reasons. 100 On 30 July 2014, CBA established Project Combine, a cross-business team designed to review the AA+ Package and to conduct a customer remediation program. The objectives of Project Combine were to: (a) ensure that relevant customers were receiving benefits that they were entitled to; (b) prevent risk of future remediation and consequent customer impact; (c) improve controls for ongoing package management; and (d) develop strategic product solutions for relevant customers. 101 On 12 September 2014, the AA+ Package was withdrawn from sale to new customers. In October 2014, Project Combine considered whether to further offer the AA+ Package and what changes would need to be made to fix the system problems that had led to the AA+ Package system failings. The estimated cost of implementing controls robust enough to automatically apply the AA+ Package benefits to customers was considered by CBA to be too expensive such that the costs would have outweighed the benefits of making the changes including the revenue generated by the AA+ Package. The AA+ Package was also considered to be too complex and CBA was not expecting much further demand for it. As a result, CBA made the decision to close the AA+ Package. It was ultimately closed for existing customers on 27 November 2015. 102 On 18 September 2014, CBA wrote to ASIC indicating that CBA had reassessed to "significant" the potential breaches identified in its 14 July 2014 potential breach report for the purposes of s 912D of the Corporations Act. 103 From September 2014 to December 2014, CBA took steps to address the AA+ Package system failings by making improvements and addressing issues in relation to processes, IT systems and detection systems. But the AA+ Package system failings continued to occur throughout 2015 and did not stop until CBA closed the AA+ Package. 104 Five controls were developed or applied to the AA+ Package to prevent or detect new errors in applying the AA+ Package benefits, namely: (a) a Post Origination Control Report (POC Report); (b) a Weekly New Sales Report; (c) refunds approved within delegations; (d) monitoring of customer complaints; and (e) the AA+ Package Product Training & Awareness. 105 The POC Report was a tool built by Project Combine specifically for the AA+ Package and was aimed at ensuring that customers received the benefits they were entitled to. The other four controls were existing but were modified to have specific application to the AA+ Package. 106 The design and implementation of the POC Report was the strongest control available to ensure that relevant customers received AA+ Package benefits. The POC Report was run and reviewed on a daily basis to identify when an existing customer had entered into or amended an eligible product, to ensure AA+ Package benefits were applied correctly and to provide the customer with a refund where they were not. What has been described to me as Line 1 assurance was undertaken initially on a weekly or fortnightly basis to ensure that the five controls were operationally sound. CBA also prepared a rectification guide titled "Applying Benefits & Refunding Guide" to assist with the POC Report procedures and applying benefits and/or refunding. CBA also undertook stress testing of the POC Report to ensure that the relevant products were accurately appearing on the POC Report and to verify the application methodology. 107 Between 29 September 2014 and 26 August 2015, CBA met with ASIC on five occasions on a quarterly basis. At these meetings, CBA provided general updates to ASIC in the form of updated remediation packs on the progress of: (a) its investigations into the AA+ Package system failings; (b) decisions and activities undertaken by the bank in relation to Project Combine and customer remediation; (c) proposed customer communications; and (d) testing, review and assurance strategies. 108 In July 2015, CBA engaged KPMG to conduct an investigation of the AA+ Package issues. In conducting its investigation, KPMG: (a) considered and agreed with the project plan at the commencement of each stage of its investigation; (b) reviewed individual structured query language queries set up for each relevant product and assessed whether the queries being used reflected terms of reference documents that in turn reflected design decisions approved by Project Combine; (c) reviewed the suitability of the selection criteria in compiling that data; (d) cross-referenced steps in the code to functional requirements of the terms of reference documents; (e) requested Project Combine to run specific queries or views as designed by KPMG on-site to validate or confirm particular aspects which were not clear on the documents which CBA had provided to KPMG as part of their engagement; (f) reported their findings to CBA as found, along with recommended revisions; and (g) confirmed any negative findings with Project Combine. 109 The investigation by KPMG concluded in August 2015. During the course of the investigation, KPMG raised 169 queries or issues. These were resolved during the course of the review and KPMG ultimately concluded that the calculation methodology used for each product was accurate and appropriate. These 169 queries or issues were all resolved prior to the commencement of the customer remediation. 110 From October 2014 to August 2015, CBA quantified the financial impact to customers of the AA+ Package benefits being incorrectly applied. Between 29 September 2014 and 26 August 2015, CBA kept ASIC updated on the remediation methodology used by CBA for remediation purposes. 111 The number of AA+ Packages affected was 6,632 AA+ Packages out of a total of 7,077 AA+ Packages established by CBA between May 2005 and September 2014. 112 Between September 2015 and May 2016, of all customers whom CBA had identified at that time as having not received the AA+ Package benefits to one or more relevant products in accordance with the prevailing AA+ Package terms and conditions or were the subject of mischarged AA+ Package fees, CBA paid $7,404,670.15 in remediation to 7,730 customers. 113 CBA attempted to make payments to 8,306 customers. Of that number, CBA remediated 7,261 customers by November 2015 and a further 469 customers by May 2016. 193 customers did not meet CBA's minimum payment threshold of having a current transaction account with CBA and were due a refund of less than $5.00. 114 With respect to these 193 customers, the quantum of the moneys attributable to these customers who did not meet CBA's minimum payment threshold totalled $326.57. On 19 January 2016, a cheque for that amount was donated to the National Rural Health Alliance. 115 Let me move further forward in time. 116 As a result of ASIC's investigation, on 24 February 2020 CBA identified that data from an old legacy system, which was data for package fees for the period prior to 2008, had not been combined and analysed with the post-2008 package fees data for the remediation of AA+ Package fees under Project Combine. CBA investigated the gap in the remediation data and identified a gap in the remediation of mischarged AA+ Package fees that had occurred during the period 2005 to 2008. CBA identified 471 packages which were subject to mischarged AA+ Package fees during the period 2005 to 2008. These impacted packages related to 1,381 customers, of which 353 had not previously been included in the remediation under Project Combine, bringing the total number of customers requiring remediation across all AA+ Package benefits and mischarged AA+ Package fees from 8,306 to 8,659. They also related to additional mischarged AA+ Package fees which had not previously been included in the remediation on 513 occasions during the period 2005 to 2008, bringing the total number of mischarged AA+ Package fees to 2,746 and the total number of occasions that CBA had incorrectly charged fees and interest on loans and underpaid interest on savings over the relevant period to 131,542, and to a value of $438,257.57, raising the total value of the incorrectly charged fees and interest on loans and underpaid interest on savings over the relevant period from $7,649,018.66 to $8,087,726.23. 117 On or around 6 March 2020, CBA took steps to remediate the 1,381 customers who held such an impacted package. 118 What can be summarised generally from the foregoing narrative is that the CBA after identifying the AA+ Package system failings: (a) ceased offering the AA+ Package to new customers in September 2014 and ultimately withdrew the AA+ Package for existing customers on 27 November 2015; (b) continued to calculate the AA+ Package benefits up to and including 31 December 2015 on the basis that existing customers were entitled to AA+ Package benefits up to and including that date; (c) at a group-wide level, undertook measures to improve its processes and controls for the monitoring of its financial products, including those that contributed to the AA+ Package system failings; (d) introduced measures to improve its customer complaints monitoring systems; (e) undertook remediation of affected customers; and (f) engaged KPMG to undertake an independent audit of its remediation methodology. 119 The steps taken by the CBA once it had identified the problem were timely and thorough. Moreover, it brought ASIC into the loop at the earliest opportunity. 120 Third and relatedly, let me deal with the question of corporate culture. 121 ASIC submits that CBA's failure to identify the non-provision of AA+ Package benefits over a 10 year period indicates that CBA's corporate culture was over that time not conducive to compliance. But what I have just set out would indicate more that there was a specific systems deficiency rather than a broader corporate culture problem. 122 Let me say something about the contemporary concept of corporate culture. What does it mean? For the moment I will use the definition in Part 2.5 of the Criminal Code (Commonwealth) which neutrally and therefore usefully defines "corporate culture" to mean: an attitude, policy, rule, course of conduct or practice existing within the body corporate generally or in the part of the body corporate in which the relevant activities takes place. 123 The context of the CBA's conduct is that it was attempting to provide a benefit to a cohort of customers it considered could be genuinely assisted by its efforts. In context its failures lay in the lack of any robust systems and processes to effectuate those desires, thereby causing loss to the customers it sought to assist. 124 Further, it is well apparent that CBA's conduct in relation to the AA+ Package benefits was neither intentional nor of a kind that was undertaken to generate revenue without seeking to provide meaningful commensurate benefits to customers. Nevertheless, CBA has properly recognised the seriousness of its failings, given that it represented that benefits would be delivered and it accepted the fees it received, without ensuring the conferral of those benefits. 125 Clearly CBA failed to establish and maintain appropriate systems and processes to ensure that it could provide the AA+ Package benefits in accordance with the AA+ Package terms and conditions. Unfortunately, CBA had only highly manual processes in place to administer a complex product. There were no appropriate IT systems to administer the product and CBA did not establish any business unit, team or person who was responsible for ensuring that the AA+ Package benefits were being properly applied. And clearly those significant failings continued for over 10 years, and prejudiced Australian farmers for whom the AA+ Package was specifically designed. 126 But I reject ASIC's contention that the failure of CBA to identify the non-provision of AA+ Package benefits over a 10 year period indicates that CBA's corporate culture was during that time not conducive to compliance. 127 Now it is the case that CBA should have taken care to ensure that its systems and processes would deliver the promised benefits, but the better measure of CBA's prevailing culture is how it responded when the problem was identified. When so assessed by the chronology that I have previously detailed, it does not seem to me that there was a corporate culture problem. 128 Moreover, I accept the submissions of Mr Neil Young QC for the CBA that in a financial institution of the scale of CBA, many financial services are delivered day in, day out, just as they were promised or represented. And it seems from the material that in CBA seeking to assist rural customers, the delivery of those services depended on highly complex manual processes. This was because CBA had created a package that sought to benefit customers from a particular sector, where those customers held transaction and other accounts to which those benefits would be applied, and where such accounts were also held by many other customers not in the relevant rural sector. 129 In my view and contrary to ASIC's submissions and despite the contraventions, at no time during the relevant period did CBA's corporate culture in the context that I am considering condone or positively support non-compliance with statutory obligations. Rather it seems to me that in the present case there were serious system deficiencies. 130 Further, CBA's early potential and significant breach notifications to ASIC, its remediation program and its system changes point against a significant corporate culture problem. 131 In summary, after CBA identified the issue in June 2014, in July 2014 it established a cross business team designed to review the AA+ Package and to conduct a customer remediation program. It kept ASIC informed of its progress in this regard, meeting with ASIC on five occasions between 29 September 2014 and 26 August 2015. I agree with CBA that once the systems failings became apparent to CBA, its engagement with ASIC was swift and co-operative, and urgent steps were taken to remediate the customers fully and to cease the conduct. 132 Between September 2015 and May 2016, to 7,730 customers that CBA had identified at that time as having not received the AA+ Package benefits to one or more relevant products in accordance with the prevailing AA+ Package terms and conditions or were the subject of mischarged AA+ Package fees, CBA paid $7,404,670.15 in remediation. 133 Further, as I have said, in February 2020 from data from a legacy system CBA identified 471 packages which were subject to mischarged AA+ Package fees during the period 2005 to 2008, relating to 1,381 customers. And although outside the penalty period for the purposes of these proceedings, CBA took steps to remediate the 1,381 customers not previously captured by CBA's prior remediation. 134 Fourth, let me deal with the question of the role of senior management. ASIC does not submit that senior management were involved in the contraventions or relevantly aware of the AA+ Package system failings. The CBA's senior management, being the "GM Home Loans" and the "Executive Legal Counsel - Banking Group Corporate Affairs", became aware of the issues with the AA+ Package upon CBA first identifying the AA+ Package system failings in June 2014. 135 Fifth, let me say something about the question of deliberateness and the period of conduct. ASIC does not submit that CBA intended the outcomes derived from the inadequacies of these manual systems. CBA did not intend the AA+ Package system failings. 136 Sixth, as to the number of contraventions and the course of conduct principle, I should make the following observations. 137 ASIC accepts that in the circumstances of the present case there can be no meaningful overall maximum penalty and that the maximum penalty should not be applied mechanically and should instead be treated as one of a number of relevant factors, albeit an important one. 138 But ASIC does say that the contraventions of ss 12DB(1) and 12DI(3) should be viewed as two distinct categories of contravention. By the s 12DB(1) allegations, CBA made a series of false or misleading representations as to its ability to provide certain benefits. The 123 relevant representations were made to 334 customers. By the s 12DI(3) allegations, CBA accepted payments for services notwithstanding objective uncertainty as to its ability to provide those same services. The fees were accepted by CBA on 3,905 occasions from 6,953 customers. 139 Accordingly, ASIC submits that the contraventions of s 12DB(1) ought give rise to a pecuniary penalty of $2,500,000. 140 And it submits that the contraventions of s 12DI(3) ought give rise to a penalty in the region of $3,500,000 as there were a greater number of contraventions. Further, ASIC submits that the conduct was more serious in that it involved CBA taking payment when there were reasonable grounds to believe it could not provide the services. 141 Applying the totality principle, ASIC submits that an overall pecuniary penalty of $5 million is appropriate. 142 But I am more inclined to accept the CBA's characterisation that there is the one foundational systems deficiency that has then caused or manifested the two types of contraventions. Perhaps it may not matter at the end of the day as CBA did not strongly argue for a penalty lower than $5 million in total. 143 Seventh, as to previous contraventions, in another context I found CBA to have engaged in conduct in contravention of the consumer protection provisions of the ASIC Act and I have taken this into account in the present context. 144 In Australian Securities and Investments Commission v Commonwealth Bank of Australia (2018) 128 ACSR 289, I considered the penalty appropriate where CBA had admitted to market manipulation and unconscionable conduct concerning trading in prime bank bills in the bank bill market during the period 31 January 2012 to 5 June 2012. On five dates over that period, CBA had engaged in conduct that amounted to an attempted contravention of s 12CB(1) of the ASIC Act. In resolving the case, CBA agreed to enter into an enforceable undertaking to the effect that it would pay $15 million into a fund to be applied to the benefit of the community. It also agreed to pay $5 million as to ASIC's costs including its investigative costs. I imposed a pecuniary penalty of $5 million. 145 In imposing such a pecuniary penalty I observed that a penalty towards the upper end of the available range was warranted because inter-alia: (a) CBA's conduct was deliberate in the sense that it was engaged in with the intention of achieving an outcome proscribed by the ASIC Act, and was not transparent to counterparties; (b) there were multiple occasions over a period spanning approximately 5 months; (c) CBA's conduct involved senior staff; (d) the conduct was not prevented by CBA policies and systems or by its senior management; (e) none of the relevant employees or senior executives had been adequately trained about the implications of attempts to influence the bank bill swap rate for their compliance with CBA's policies; (f) CBA's conduct was engaged in for the purpose of making not insignificant profits in circumstances where CBA knew that if successful, it may have gained at the expense of others who were vulnerable. 146 Of course there are obvious distinguishing features between that case and the present case which I do not need to dwell on. 147 Finally, CBA has co-operated with ASIC in its investigation of the AA+ Package, and assisted with the efficient and less expensive resolution of the proceedings. It has made complete admissions at the first opportunity to all of the allegations contained in the Concise Statement, and has agreed to the declaratory relief sought by ASIC. Further, and as I have said earlier, it had consulted with ASIC on five occasions between 2014 and 2015 with respect to the remediation methodology to be applied to affected customers. More generally, I accept that CBA has shown substantial contrition and accepted accountability for its systemic deficiencies and the admitted contraventions, which contrition and acceptance have been manifested by both its words and, more importantly, its actions.

Conclusion as to appropriate penalty 148 In my view a pecuniary penalty of $5 million is appropriate having regard to the number of contraventions, the prejudice to customers, the duration of the contraventions and the inadequacy of CBA's internal systems and processes. 149 Such a penalty recognises the gravity of the contraventions whilst taking into account the very substantial mitigating circumstances discussed above, including that the contravening conduct was not deliberate and that there has been substantial indeed complete rectification and remediation. 150 Further, such a penalty gives appropriate weight to general deterrence as the primary consideration in this case in fixing the penalty. As I have indicated, specific deterrence is less relevant in the present context because CBA has made changes which are intended and designed to avoid similar failings in the future.

Declarations and other matters 151 ASIC also seeks declarations as to CBA's contraventions of ss 12DA(1), 12DB(1) and 12DI(3) of the ASIC Act and s 912A(1) of the Corporations Act. ASIC seeks declarations only as to CBA's contraventions of the relevant provisions occurring within 6 years prior to the commencement of this proceeding, that is, within the penalty period. 152 I have an almost unlimited discretionary power to make declarations bounded only by the limits of federal judicial power and the need to act judicially. But the real question is not the existence or extent of such a power, but whether I should exercise it in the present case. In my view, declaratory relief is justified for the following reasons. 153 First, I am dealing with real rather than hypothetical questions. There are real questions as to whether CBA's conduct in failing to provide the AA+ Package benefits, and in mischarging AA+ Package fees, contravened the said statutory provisions. 154 Second, ASIC has a real interest in seeking the declarations by reason of its regulatory role. The declarations concern contraventions of statutes administered by ASIC. 155 Third, there is a proper contradictor. CBA, as the entity to be declared to have contravened the law, has an interest in opposing the relief. This remains so notwithstanding its admissions and agreement. 156 Fourth, there is utility in making declarations that set out the particular liability found and the basis for the penalty ordered, including importantly to facilitate the objective of general deterrence. 157 Finally, I have the power to make an adverse publicity order in relation to a person who has been ordered to pay a pecuniary penalty under s 12GBA of the ASIC Act. And I accept that it is appropriate to make an order for CBA to publish within 30 days a notice in the terms of the draft submitted to me. First, the publication by CBA on its website of my findings with respect to its conduct and the penalty accordingly imposed will serve the purposes of correcting any misapprehensions or false impressions created by CBA's conduct and alerting customers to CBA's conduct. Second, the order sought is not unduly burdensome to CBA, in that it does no more than require CBA to publish a notice on the appropriate part of a website already operated by CBA.

Conclusion 158 I will make orders and declarations accordingly to reflect these reasons. I certify that the preceding one hundred and fifty-eight (158) numbered paragraphs are a true copy of the Reasons for Judgment herein of the Honourable Justice Beach.

Financial Services Reform (Consequential Provisions) Act 2001(Cth)

But the Financial Services Reform (Consequential Provisions) Act 2001(Cth)

Australian Securities and Investments Commission Act 2001(Cth)ss 12BB, 12DA, 12DB, 12DI, 12GBA, 12GBC

Corporations Act 2001(Cth)ss 760A, 912A

Outcomeplaintiff

Disposition:

The Court made declarations of multiple contraventions of the ASIC Act and Corporations Act, ordered CBA to pay a $5,000,000 pecuniary penalty within 30 days, directed publication of a corrective notice on its website, and ordered CBA to pay ASIC's costs.

At a glance

Result

Key principles

Issues before the court

Plain English Summary

Deep Dive

Cited legislation

What happened

Why the court decided this way

Before and after state of the law

Key passages with plain-English translation

What fact patterns trigger this precedent

How later courts have treated it

Still-open questions

Judgment (14 paragraphs)

Parties

Legislation Cited (6)

Cases Cited (4)

AI Analysis