Australian Securities and Investments Commission v Commonwealth Securities Limited

Australian Securities and Investments Commission v Commonwealth Securities Limited - [2022] FCA 1253 - FCA 2022 case summary — Zoe

[13]

PURSUANT TO S 1317E OF THE CORPORATIONS ACT 2001 (CTH) THE COURT DECLARES THAT: 4. CommSec contravened s 798H of the Corporations Act by reason of the following contraventions of the Market Integrity Rules: (a) rule 2.1.3 of the ASX Rules and rule 2.1.3 of the Securities Markets Rules (as in force at the relevant time), by reason of CommSec's failure to have in place appropriate supervisory policies and procedures to ensure brokerage services were provided in compliance with s 912A(1)(a) of the Corporations Act, from 1 March 2015 until the introduction of enhanced control reports between August 2018 and May 2019; (b) rule 3.5.9 of the ASX Rules and Securities Markets Rules (as in force at the relevant time), by reason of CommSec's failure to ensure that 1,237 reconciliations of trust accounts performed between 1 March 2015 and 23 March 2020, were accurate in all respects; (c) rule 3.5.10 of the ASX Rules and Securities Markets Rules (as in force at the relevant time), by reason of CommSec's failure to notify ASIC within 2 business days that a trust account reconciliation that was accurate in all respects had not been performed in accordance with rule 3.5.9 of the ASX Rules or Securities Markets Rules (as applicable) or that there was a deficiency of funds in its trust account according to a reconciliation performed pursuant to rule 3.5.9, on 9 occasions between 31 May 2018 and 28 November 2019; (d) rule 3.4.1(1) of the ASX Rules and Securities Markets Rules (as in force at the relevant time), by reason of CommSec's failure to provide trade confirmations as required with respect to 1,206 trade confirmations that were required to be issued between 1 March 2015 and 6 November 2019; (e) rule 3.4.1(3)(a) of the ASX Rules and Securities Markets Rules (as in force at the relevant time), by reason of issuing confirmations in respect of market transactions in exchange traded options which did not accurately provide the information required to be included in a confirmation under Division 3 of Part 7.9 of the Corporations Act, being information the clients needed to understand the nature of the transaction to which the confirmations related, on 187,891 occasions between 1 March 2015 and 15 June 2019; (f) rule 3.4.1(3)(f) of the ASX Rules and Securities Markets Rules (as in force at the relevant time), by reason of issuing equities trade confirmations which did not include a statement that the transaction involved a crossing (being a transaction in respect of which CommSec acted on behalf of both buying and selling clients to the transaction), in circumstances where the transaction did involve a crossing, on 17,307 occasions between 24 April 2017 and 29 April 2019; (g) rule 4.2.1(1)(h) of the ASX Rules and the Securities Markets Rules (as in force at the relevant time), by reason of CommSec's failure to maintain accurate records in sufficient detail in relation to confirmations issued between 1 March 2015 and 1 December 2018 for rebooked trades through CommSec, since CommSec did not maintain accurate records in sufficient detail to show particulars of the incorrect brokerage and ASX clear fees used to derive the total value following the rebooked trade shown in confirmations; (h) rule 2.1.3 of the ASX Rules and the Securities Markets Rules (as in force at the relevant time), by reason of CommSec's failure to have appropriate supervisory procedures in place between 1 March 2015 to October 2018, to ensure that trade confirmations issued by CommSec complied with the requirements of rule 3.4.1 and 4.2.1 of the Market Integrity Rules. (i) rule 5.6.1(a) of the ASX Rules and the Securities Markets Rules (as in force at the relevant time), by reason of CommSec's failure to have in place an appropriate automated pre-trade filter in the relevant automated order processing system through which orders from ASB customers were directed between 1 March 2015 and 1 November 2018, to detect possible trades where there would be no change in beneficial ownership; (j) 5.6.3(1)(a) of the ASX Rules and the Securities Markets Rules (as in force at the relevant time), by reason of CommSec's failure to ensure, between 1 March 2015 and 1 November 2018, that the relevant automated order processing system through which orders from ASB customers were directed, had in place appropriate organisational and technical resources (as evidenced by the failure in paragraph (i) above); (k) rule 3.2.2 of the Exchange Markets Rules and 3.9.2 of the Securities Markets Rules (as in force at the relevant time), by reason of CommSec's failure to comply with: (i) its Best Execution Policy as published on its website between 1 March 2015 and 26 March 2018 in that ASX CentrePoint was not considered as an execution venue for ASB customers during that period; and (ii) its Best Execution Policies and Procedures in the period June 2016 to February 2019, in so far as it failed to monitor best execution policy performance on a monthly basis, for each month in the month immediately following or shortly thereafter; (l) rule 3.1.2(3) of the ASX Rules and the Securities Markets Rules (as in force at the relevant time), by reason of CommSec's failure to provide an explanatory booklet in respect of warrants to 49 retail clients (who between them held 32 accounts) before accepting an order from a client to purchase a warrant on the market for the first time, during the period 1 March 2015 to 18 June 2020; (m) rule 3.1.8 of the ASX Rules and the Securities Markets Rules (as in force at the relevant time), by reason of CommSec's failure to enter into the required warrant agreement forms with those 49 retail clients (who between them held 32 accounts) prior to entering into a market transaction to buy warrants on behalf of the client, during the period 1 March 2015 to 18 June 2020, affecting 376 buy transactions during that period; (n) rule 5A.2.1(1) of the Exchange Markets Rules and rule 7.4.2(1) of the Securities Markets Rules (as in force at the relevant time), by reason of CommSec's failure to include the relevant intermediary identification (by reference to an AFSL number) in regulatory data submitted to relevant market operators on 84,196 occasions during the period 1 March 2015 and 18 July 2019. 5. AUSIEX contravened s 798H of the Corporations Act by reason of the following contraventions of the Market Integrity Rules: (a) rule 3.5.9 of the ASX Rules and Securities Markets Rules (as in force at the relevant time), by reason of AUSIEX's failure to ensure that 1,175 reconciliations of trust accounts performed between 1 March 2015 and 18 September 2019, were accurate in all respects; (b) rule 3.5.10 of the ASX Rules and Securities Markets Rules (as in force at the relevant time), by reason of AUSIEX's failure to notify ASIC within two business days that a trust account reconciliation that was accurate in all respects had not been performed in accordance with rule 3.5.9 of the ASX Rules or the Securities Markets Rules (as applicable) on 4 occasions between 6 June 2018 and 23 September 2019; (c) rule 3.4.1(1) of the ASX Rules and Securities Markets Rules (as in force at the relevant time), by reason of AUSIEX's failure to provide trade confirmations as required with respect to 3,424 trade confirmations that were required to be issued between 1 March 2015 and 27 November 2019; (d) rule 3.4.1(3)(a) of the ASX Rules and Securities Markets Rules (as in force at the relevant time), by reason of issuing confirmations in respect of market transactions which did not accurately provide the information required to be included in a confirmation under Division 3 of Part 7.9 of the Corporations Act, being information the clients needed to understand the nature of the transaction to which the confirmations related, on 18,367 occasions between 9 November 2015 and 15 June 2019; (e) rule 3.4.1(3)(f) of the ASX Rules and Securities Markets Rules (as in force at the relevant time), by reason of issuing equities trade confirmations which did not include a statement that the transaction involved a crossing (being a transaction in respect of which AUSIEX acted on behalf of both buying and selling clients to the transaction) in circumstances where the transaction did involve a crossing, on 297 occasions between 24 April 2017 and 7 May 2019; (f) rule 4.2.1(1)(h) of the ASX Rules and the Securities Markets Rules (as in force at the relevant time), by reason of AUSIEX's failure to maintain accurate records in sufficient detail to show particulars of the incorrect expiry date showing the "Liquidation Advice" section of confirmations issued between 1 March 2015 and 23 February 2019, since AUSIEX did not retain records containing the particulars of the incorrect expiry date shown on confirmations issued to customers during that time; (g) rule 2.1.3 of the ASX Rules and the Securities Markets Rules (as in force at the relevant time), by reason of AUSIEX's failure to have appropriate supervisory procedures in place between 1 March 2015 to October 2018, to ensure that trade confirmations issued by AUSIEX complied with the requirements of rule 3.4.1 and 4.2.1 of the Market Integrity Rules; (h) rule 3.2.2 of the Exchange Markets Rules and 3.9.2 of the Securities Markets Rules (as in force at the relevant time), by reason of AUSIEX's failure to comply with its Best Execution Policies and Procedures in the period June 2016 to February 2019, in so far as it failed to monitor best execution policy performance on a monthly basis, for each month in the month immediately following or shortly thereafter; (i) rule 5A.2.1(1) of the Exchange Markets Rules and rule 7.4.2(1) of the Securities Markets Rules (as in force at the relevant time), by reason of AUSIEX's failure to include the relevant intermediary identification (by reference to an AFSL number) in regulatory data submitted to relevant market operators on 113 occasions during the period 27 October 2016 and 12 August 2019.

[15]

SCHEDULE 1 COMMSEC COMPLIANCE PROGRAMME 1.1 Definitions: In addition to terms defined elsewhere in this document the following definitions apply: AFSL means Australian Financial Services Licence. ASIC means the Australian Securities and Investments Commission. ASIC Act means Australian Securities and Investments Commission Act 2001. ASX Rules means the ASIC Market Integrity Rules (ASX Market) 2010. Business Day means a day (other than a Saturday, Sunday or public holiday) on which market participants are open for general business in Sydney. Compliance Programme means the compliance programme orders pursuant to section 1101B of the Corporations Act. CommSec means Commonwealth Securities Limited ACN 067 254 399. Competition Rules means ASIC Market Integrity (Competition in Exchange Markets) Rules 2011. Corporations Act means the Corporations Act 2001 (Cth). Orders of the Court means the orders made by the Court pursuant to section 1101B of the Corporations Act. Independent Expert means the Independent Expert engaged by CommSec in accordance with paragraph 12. Leadership Team means the leadership team responsible for CommSec business activities. Market Integrity Rules means the ASX Rules, Competition Rules and Securities Markets Rules. Market Participant means a person allowed to directly participate in a Market (as defined in the Market Integrity Rules). Project Rampart means the internal project instigated by CommSec and AUSIEX in 2018 to review systems and processes regarding trust reconciliation and to remediate their trust account issues. Project Umbrella means the internal project instigated by CommSec and AUSIEX in 2018 following identification of the Trade Confirmation Issues. Relevant Provisions means those sections of the ASIC Act, the Corporations Act and the Market Integrity Rules identified in the SOAFAC (as defined below in paragraph 1.2) that are admitted to have been contravened by CommSec in the SOAFAC. Reported Conduct has the meaning given in Schedule 1. Securities Markets Rules means ASIC Market Integrity Rules (Securities Markets) 2017. Systems and Controls means the systems and controls in place at CommSec which relate to the financial services provided by CommSec as a Market Participant under CommSec's AFSL, including: a. Technology and technological governance, including the technology strategy, enterprise architecture that maps the business and technology capabilities, target operating model, approach to system deployment and ensuring system compatibility; b. Oversight function, including roles and responsibilities, reporting lines and governance; c. Control mechanisms, processes and policies, including on design approval, testing, incident management and change management; d. Human resources, skills and competencies; and e. Operational risk management, including, delivery and ongoing operation of a) to c. 1.2 The Statement of Agreed Facts and Contraventions (SOAFAC) sets out the factual basis for the admitted contraventions by CommSec of the Corporations Act, Market Integrity Rules and the ASIC Act. A summary is contained at Annexure A of the SOAFAC. 1.3 As described in Section L of the SOAFAC, CommSec has undertaken an assessment of the causes of the Reported Conduct and has categorised the types of causes identified as relating to one or more of the following categories, at a high level: people, systems and processes. In particular, the Reported Conduct primarily relates to failures across multiple systems, processes and business areas, including both legacy and current systems. The specific root cause categorisations assigned to the Reported Conduct are set out at paragraph 558 of the SOAFAC (Root Causes) and include, but are not limited to: a. business requirements incorrectly coded/inadequately incorporated in system specifications; b. inadequate/ineffective testing of specified system requirements; c. system specification, including user requirements, were not adequately captured; d. outdated and/or incompatible system/software versions; e. current standards, policies and/or procedures may not be adequately designed to address or clearly describe risks and/or related controls; and f. inadequate design and development of change (scoping, approval and assessment, etc.). 1.4 ASIC considers the number, breadth and duration of the Reported Conduct to be indicative of material failures in broader systems and controls at CommSec. The scope of this Compliance Programme is designed to take a holistic approach to CommSec's Systems and Controls relevant to the Reported Conduct and/or its Root Causes. Phase 1 2. Phase 1 Review 2.1 The Independent Expert (IE) will be required to conduct and complete a review, testing and assessment (Phase 1 Review) of the following matters: a. the adequacy and effectiveness of existing remediation (where relevant) relating to the Reported Conduct and its Root Causes, including but not limited to, Project Rampart and Project Umbrella; and b. the adequacy and effectiveness of all Systems and Controls; such that reasonable steps have been taken by CommSec to ensure current and ongoing compliance with the Relevant Provisions. 3. Phase 1 Report 3.1 CommSec will instruct the IE to provide a written report, in relation to the Phase 1 Review (Phase 1 Report) which includes the following: a. a statement containing details of any gap, weakness, risk or deficiency of the existing remediation and the Systems and Controls identified during the course of the Phase 1 Review (Deficiencies), as well as details of the cause of any Deficiencies; b. assessment and benchmarking of any Deficiencies against existing internationally recognised standards, such as: i. ISO 31000: Risk management; ii. ISO/IEC 38500: 2015 Information technology - Governance of IT for the organisation; iii. COBIT 5, and c. if any Deficiency is identified:

[16]

i. details of how the Deficiency impacts the assessments required by the Phase 1 Review at paragraph 2; ii. recommendations on how to rectify identified Deficiencies; and d. if no Deficiency is identified, or recommendation made, an explicit statement as to whether the IE has determined in the course of the Phase 1 Review: i. that existing remediation resulting from the Reported Conduct and its Root Causes (where applicable) is adequate and effective; and ii. that all Systems and Controls are adequate and effective, such that CommSec has taken reasonable steps to ensure current and ongoing compliance with the Relevant Provisions. 3.2 CommSec must ensure that the terms of the IE engagement require the IE: a. to conduct the Phase 1 Review and deliver the Phase 1 Report to CommSec and ASIC within 4 months after the date of the appointment of the IE (or such longer period as agreed in writing by ASIC and CommSec); b. to hold monthly bilateral meetings with ASIC to provide ASIC with updates in relation to the Phase 1 Review and the Phase 1 Report (or such longer period as agreed in writing by ASIC); and c. if requested by ASIC, also hold tripartite meetings with CommSec and ASIC in relation to the Phase 1 Review and the Phase 1 Report. 4. Phase 1 Remedial Action Plan 4.1 CommSec will address all Deficiencies identified in the Phase 1 Report and any recommendations to rectify all Deficiencies by the IE and develop a plan (Phase 1 Remedial Action Plan) to rectify any such Deficiencies and address the IE's recommendations from the Phase 1 Report in accordance with this paragraph 4. 4.2 Any Phase 1 Remedial Action Plan must: a. detail the action CommSec proposes to take to address the recommendations identified in the Phase 1 Report to rectify the Deficiencies; b. specify the date by which each action will be taken; c. identify a suitably senior and qualified representative of CommSec to be responsible for implementation and timely and effective delivery of each action under the Phase 1 Remedial Action Plan; and d. detail any accelerated remedial action for any recommendation identified in the Phase 1 Report to be of high priority. 4.3 In developing a Phase 1 Remedial Action Plan, CommSec must: a. work with the IE to produce actions to address the Deficiencies and recommendations identified in the Phase 1 Report; b. meet with the IE and ASIC no later than 1 month prior to the submission of the Phase 1 Remedial Action Plan to ASIC and the IE in accordance with the time frame set out in paragraph 4.4(a), for discussion of any proposed implementation of the IE recommendations from the Phase 1 Review, including the proposed terms of any Phase 1 Remedial Action Plan; c. within 3 Business Days of the meeting held in accordance with paragraph 4.3 (b), provide ASIC and the IE with a draft of the proposed Phase 1 Remedial Action Plan; and d. make any reasonable modifications to the proposed Phase 1 Remedial Action Plan requested by: i. ASIC, provided ASIC has made such a request within 20 Business Days (or such longer period as agreed in writing by ASIC and CommSec) after ASIC was provided with a draft of the proposed Phase 1 Remedial Action Plan in accordance with paragraph 4.3(c); or ii. the IE, provided the IE has made such a request within 10 Business Days (or such later date as agreed) after the IE was provided with a draft of the proposed Phase 1 Remedial Action Plan in accordance with paragraph 4.3(c). 4.4 CommSec must: a. provide the Phase 1 Remedial Action Plan to ASIC and the IE within 3 months following receipt of the Phase 1 Report (or such longer period as ASIC approves in writing); and b. seek written confirmation from ASIC that it has no objections to the terms of the Phase 1 Remedial Action Plan, such confirmation not to be unreasonably withheld and upon receipt of that confirmation, the Phase 1 Remedial Action Plan will be finalised in the terms that are subject to the confirmation; and c. meet with ASIC on a monthly basis to provide progress updates in relation to the implementation of the Phase 1 Remedial Action Plan. 4.5 CommSec must, within 5 Business Days of implementation of all of the actions required under the Phase 1 Remedial Action Plan, provide written notification to ASIC and the IE that the Phase 1 Remedial Action Plan has been fully implemented. 4.6 If the Phase 1 Report does not identify any Deficiencies or include any recommendation by the IE, there will be no Phase 2 Review. Phase 2 5. Phase 2 Review 5.1 CommSec will instruct the IE to conduct and complete a review which includes testing and assessment of the following matters (Phase 2 Review): a. whether the actions (if any) implemented from the Phase 1 Remedial Action Plan have rectified the Deficiencies and addressed the recommendations made by the IE in the Phase 1 Report; and b. the effectiveness of CommSec's implementation of any recommendations and actions arising from the Phase 1 Report; and if any Deficiency still exists, to provide further recommendations to adequately and effectively rectify the Deficiency. 5.2 CommSec must ensure that the terms of the IE engagement require the IE: a. to commence the Phase 2 Review within 3 months after the date of the implementation of the Phase 1 Remedial Action Plan or such alternative time agreed with ASIC (such agreement not be unreasonably withheld); and b. to provide ASIC with monthly progress updates (or such longer period as agreed in writing by ASIC and CommSec) in relation the Phase 2 Review and the Final Report (as defined below). 6. Final Report 6.1 CommSec will instruct the IE to produce and deliver a report, in relation to the Phase 2 Review (Final Report) which includes: a. details of the outcome of the testing and assessment set out at paragraph 5.1 above; and b. a statement as to whether each of the actions set out in the Phase 1 Remedial Action Plan have been effectively implemented; and c. any further recommendation that the IE considers is necessary or appropriate for CommSec to implement in order to ensure: i. any actions in the Phase 1 Remedial Action Plan that the IE considers have not been effectively implemented are effectively implemented; and ii. any Deficiencies are adequately and effectively rectified; and d. if no Deficiency is identified or recommendation made, an explicit statement as to whether the IE has determined in the course of the Phase 2 Review: i. that Phase 1 Remedial Action Plan was adequate and effective in addressing the Deficiencies identified and recommendations made by the IE in the Phase 1 Report; and ii. that all Systems and Controls are adequate and effective, such that CommSec has taken reasonable steps to ensure current and ongoing compliance with the Relevant Provisions. 6.2 CommSec must ensure that the terms of the engagement require the IE to: a. deliver the Final Report to CommSec and ASIC within 2 months after the date of commencement of the Phase 2 Review (or such longer period as agreed in writing between ASIC and CommSec); b. hold monthly bilateral meetings with ASIC to provide ASIC updates in relation the Phase 2 Review and the Final Report (or such longer period as agreed in writing by ASIC); and c. if requested by ASIC, hold tripartite meetings with CommSec and ASIC in relation the Phase 2 Review and the Final Report. 7. Phase 2 Remedial Action Plan 7.1 CommSec will be required to address all Deficiencies identified in the Final Report and the recommendations to rectify them by the IE in the Final Report and, if there are any, develop a plan (Phase 2 Remedial Action Plan) to rectify each Deficiency and address the IE's recommendations from the Final Report. If the Final Report does not identify any Deficiencies and the IE has determined in the course of the Phase 2 Review that the recommendations in the Phase 1 Report have been effectively addressed and actions in the Phase 1 Remedial Action Plan have been effectively implemented (as contemplated in the statement at 6.1(d)), then there will be no Phase 2 Remedial Action Plan. 7.2 Any Phase 2 Remedial Action Plan must: a. detail the action CommSec will to take to rectify any Deficiency identified in the Final Report and address the IE's recommendations in the Final Report (if any); and b. set out the proposed timeline for completing implementation of each action required under the Phase 2 Remediation Action Plan; and c. identify a suitably senior and qualified representative of CommSec to be responsible for implementation and timely and effective delivery of each action under the Phase 2 Remediation Action Plan; and d. detail any accelerated remedial action for any recommendation identified in the Final Report to be of high priority. 7.3 In developing any Phase 2 Remedial Action Plan, CommSec must: a. produce actions to address the Deficiencies and recommendations identified by the IE in the Final Report (if any); and b. meet with the IE and ASIC no later than 1 month prior to the submission of the Phase 2 Remedial Action Plan to ASIC and the IE in accordance with the time frame set out in paragraph 7.4(a) for discussion of any proposed implementation of the IE recommendations from the Phase 2 Review, including the proposed terms of any Phase 2 Remedial Action Plan; and c. within 3 Business Days of the meeting held in accordance with paragraph 7.3 (b), provide ASIC and the IE with a draft of the proposed Phase 2 Remedial Action Plan; and d. make any reasonable modifications to the proposed Phase 2 Remedial Action Plan requested by: i. ASIC, provided ASIC has made such a request within 20 Business Days after ASIC was provided with a draft of the proposed Phase 2 Remedial Action Plan in accordance with paragraph 7.3(c); or ii. the IE, provided the IE has made such a request within 10 Business Days after the IE was provided with a draft of the proposed Phase 2 Remedial Action Plan in accordance with paragraph 7.3(c). 7.4 CommSec must: a. provide the Phase 2 Remedial Action Plan to ASIC and the IE within 3 months following receipt of the Final Report (or such longer period as ASIC approves in writing); b. seek written confirmation from: i. ASIC that it has no objection the terms of the Phase 2 Remediation Action Plan, such confirmation not to be unreasonably withheld; and ii. the IE that the Phase 2 Remedial Action Plan will, in the professional judgment of the IE, if implemented, satisfactorily address the Deficiencies and the recommendations made by the IE in the Final Report, and upon receipt of those confirmations, the Phase 2 Remedial Action Plan will be finalised in the terms that are subject to the confirmations; and c. meet with ASIC on a monthly basis to provide progress updates in relation to implementation of the Phase 2 Remedial Action Plan including if the implementation of the Phase 2 Remedial Action Plan is likely to be delayed. If the Phase 2 Remedial Action Plan is likely to be delayed, CommSec must seek ASIC's agreement to amend the deadline for the implementation of the Phase 2 Remedial Action Plan, such agreement not to be unreasonably withheld. 7.5 CommSec must, within 5 Business Days after the implementation of the actions required under any Phase 2 Remedial Action Plan, provide written confirmation to ASIC that the Phase 2 Remedial Action Plan is fully implemented. 8. Attestation 8.1 ASIC is to be provided a written statement on behalf of CommSec, signed by the Executive General Manager of CommSec (or equivalent position, as agreed by ASIC) attesting to the following matters (Attestation): a. that he or she has read and understood the Phase 1 Report and any Final Report; and b. if any remedial actions were required in response to the IE's recommendations set out in the Phase 1 Report or the Final Report, states whether he or she believes, having made reasonable enquiries, that CommSec has implemented the actions identified in the Phase 1 Remedial Action Plan and if applicable, the Phase 2 Remedial Action Plan; and c. states, whether he or she believes, having made reasonable enquiries: i. that the remediation relating to the Reported Conduct and its Root Causes (where applicable) has been adequate and effective; and ii. the Systems and Controls are adequate and effective, such that, reasonable steps have been taken by CommSec to ensure current and ongoing compliance with the Relevant Provisions. 8.2 The Attestation will be provided to ASIC at the earlier of: a. 20 Business Days following the delivery by the IE of the Phase 1 Report, if the Phase 1 Report identifies no Deficiencies and makes no recommendations, which contains the statement contemplated in paragraph 3.1(d); b. 20 Business following the delivery by the IE of the Final Report, if the Final Report identifies no Deficiencies and makes no recommendations; c. 20 Business Days following the giving of the written notice to ASIC referred to in paragraph 7.5; or d. such other date agreed in writing between ASIC and CommSec. 8.3 In the event that: a. CommSec does not provide the Attestation to ASIC by the time required in paragraph 8.2; or b. ASIC considers (acting reasonably) that the Attestation is in terms which are unacceptable; ASIC may notify CommSec in writing accordingly and provide CommSec with 20 Business Days (or such longer period as ASIC approves in writing) to respond. If CommSec fails to respond, ASIC may commence proceedings to enforce compliance with the Court's Orders. 9. Ending of the Compliance Programme 9.1 The Compliance Programme will end following compliance with all obligations under the Court's Order including compliance with the Attestation clause referred to in paragraph 8 above. 10. Other 10.1 The Phase 1 Report, any Final Report, any Phase 1 Remedial Action Plan and any Phase 2 Remedial Action Plan, including a list of concluded actions, must be provided to the Leadership Team and Board of Directors of CommSec. 10.2 CommSec will, within a reasonable period of receiving a request from ASIC, provide all documents and information reasonably requested by ASIC from time to time for the purposes of assessing CommSec's compliance with the Compliance Programme, including any correspondence with the IE, other than any documents or information subject to a claim of legal professional privilege. 10.3 CommSec will be responsible for the costs of its compliance with the Compliance Programme. 10.4 CommSec and/or ASIC may apply to the Court for a variation of the terms of this Compliance Programme at any time and the Compliance Programme is subject to the Orders of the Court from time to time. 11. Non-compliance 11.1 CommSec must notify ASIC as soon as reasonably practicable and in any event within 10 Business Days after becoming aware of any failure to comply with the Orders of the Court. 11.2 If CommSec fails to comply with the Orders of the Court, ASIC may commence proceedings to enforce compliance, following: a. written notice to CommSec of ASIC's intention to commence proceedings; and b. providing CommSec with 20 Business Days (or such longer period as ASIC approves in writing) to respond. 12. Appointing the IE 12.1 CommSec must request ASIC to approve, within 30 Business Days of the date of the Orders of the Court, or within such longer period as may be agreed in writing by ASIC and CommSec: a. the appointment of the IE required for the purposes of the Compliance Programme which meets the criteria in paragraph 12.2 below; b. the draft terms of engagement for that IE that meet the requirements of the Compliance Programme; and c. if ASIC approves the nominated IE and draft terms of engagement following a request by CommSec under paragraph 12.1, CommSec undertakes to appoint the approved IE on the terms approved by ASIC, within 10 Business Days of receiving ASIC's approval, or within such longer period as may be agreed by ASIC and CommSec. 12.2 The IE nominated by CommSec: a. must have the necessary expertise, experience and operational capacity to perform the role contemplated by the Compliance Programme; and b. must be independent of CommSec, its related bodies corporate and its officers and will at all material times be capable of exercising objective and impartial judgement. 12.3 The appointment of the IE must be approved by ASIC in writing before the appointment takes effect (such approval not to be unreasonably withheld). 12.4 CommSec will provide ASIC with any information, explanation or documents it requests for the purposes of determining whether to approve the appointment of the IE, subject to a claim of legal professional privilege. 12.5 CommSec must advise ASIC of the expertise and any prior association of the proposed IE with CommSec, its related bodies corporate and officers at the time approval is sought from ASIC. 13. Appointing a new independent expert 13.1 If the IE advises CommSec and ASIC in writing that he or she is unable to continue his or her appointment, or if the engagement is terminated because of an actual or potential conflict of interest of the IE that arises during the engagement, CommSec must within 15 Business Days (or such longer period agreed in writing with ASIC) after the ending or termination of the engagement, appoint and engage another independent expert in accordance with paragraph 12 (with such appointment to take effect for the remaining duration of the Compliance Programme). 14. Terms of engagement 14.1 The terms of engagement for the IE will be approved by ASIC in writing before the engagement takes effect (such approval not to be unreasonably withheld) and once ASIC has provided its approval, the terms of engagement may only be varied with the agreement of ASIC (acting reasonably). 14.2 CommSec must ensure that the terms of engagement provided to ASIC for approval under paragraph 12.1: a. require CommSec to engage the IE to perform the tasks necessary to fulfil CommSec's obligations under the Compliance Programme; b. require CommSec to permit the IE, subject to any claim of legal professional privilege, to the extent that it is reasonable having regard to the requirements of this Compliance Programme, to have access to its books, to interview present employees, contractors, agents and/or consultants and to consult with ASIC and disclose to ASIC any further information obtained by the IE in the course of carrying out the engagement for the purposes of the Compliance Programme; c. require CommSec to give the IE any information, document, or explanation reasonably requested by the IE in relation to any matter in any way connected with the reports required to be prepared by the IE for the purposes of the Compliance Programme (other than information, documents or explanations subject to a claim of legal professional privilege); d. require CommSec to reasonably assist the IE in conducting the work required for the purposes of the Compliance Programme; e. include a statement to the effect that the work of the IE is being carried out for CommSec and ASIC, and acknowledging that ASIC is relying on the work of the IE; f. include a statement that, if requested by ASIC, ASIC is to be copied into all or some communications between CommSec and the IE; g. require that the IE provide ASIC with a copy of the final versions of the Phase 1 Report and any Final Report at the same time as the final version of each report is provided to CommSec; h. include an acknowledgement that in relation to the Phase 1 Report and any Final Report to be provided to ASIC and CommSec, ASIC may from time to time: i. publicly refer to the content of the reports; and ii. make public:

a summary of the content of the reports; or
a statement that refers to the content of the reports. i. require that the IE provide ASIC with a copy of its proposed work and testing plan in relation to the assessment, review and testing required for the purposes of the Compliance Programme; j. require that the IE must make any reasonable modifications to its work and testing plan requested by ASIC, provided ASIC has made such request within 10 Business Days after ASIC was provided with a copy of the proposed work and testing plan (or such longer period as agreed in writing by ASIC); and k. make provision for circumstances where an actual or potential conflict of interest arises in relation to the IE, including by requiring that the IE: i. as soon as possible after becoming aware of an actual or potential conflict of interest that arises during the engagement, inform ASIC of the actual or potential conflict of interest; ii. follow the reasonable directions of ASIC to effectively manage the actual or potential conflict of interest; and iii. if the actual or potential conflict of interest cannot be effectively managed, follow the reasonable directions of ASIC to terminate the engagement.
ASIC public reporting 15.1 In relation to the Phase 1 Report, Final Report, any Phase 1 Remedial Action Plan, and any Phase 2 Remedial Action Plan arising from the IE's recommendations, ASIC: a. may issue a media release referring to the outcome, content, or compliance with any of those reports or plans; and b. may from time to time publicly refer to the content of the written reports or plans, and may make available for public inspection a summary of the content of the written reports or plans, or a statement that refers to the content of those report or plans. 15.2 In relation to the Compliance Programme, ASIC: a. may issue a media release on the Compliance Programme ordered by the Court, refer to any such order, and refer to the concerns of ASIC which led to the court-ordered Compliance Programme; and b. may from time to time publicly refer to the Compliance Programme. 15.3 In relation to paragraph 15.1 and 15.2, ASIC will delete, remove or redact any information prior to publication if (acting reasonably) ASIC is satisfied that the information: a. is personal information (as defined in the Privacy Act 1988 (Cth)); b. should not be disclosed because it would be against the public interest to do so; or c. contains information that would be unreasonable to release because the release of the information would unreasonably affect the business, commercial or financial affairs of CommSec.
Interpretation of Compliance Programme 16.1 In the event that CommSec and the IE are unable to agree on the interpretation of any matter the subject of this Compliance Programme, CommSec and the IE must use reasonable efforts to resolve the disagreement and if unable to do so, may request a meeting with ASIC to discuss the matter in an effort to resolve the disagreement. If ASIC requests, each of CommSec and the IE are to provide ASIC with a written submission as to the matter in dispute 3 Business Days before any such meeting. Schedule A The Reported Conduct is: a. incorrect brokerage fees charged by CommSec, as detailed at paragraphs [23] to [68] of the SOAFAC (Brokerage Issue); b. breaches of client money and trust account requirements by CommSec, as detailed at paragraphs [86] to [165] of the SOAFAC, (Client Money Issue); c. inaccuracies in trade confirmations sent or failure to send trade confirmations as required by CommSec, as detailed at paragraphs [237] to [323] of the SOAFAC (Trade Confirmations Issue); d. inadequate automated order processing (AOP) filter by CommSec to determine no change in beneficial ownership (NCBO), as detailed at paragraphs [445] to [454] of the SOAFAC (AOP Issue); e. best execution obligations failures by CommSec, as detailed at paragraph [457] to [481] of the SOAFAC (Best Execution Issue); f. trading of warrants on CommSec client accounts without having provided a copy of the current explanatory statement in respect of warrants published by the relevant market operator and without a valid Warrant Agreement Form (WAF) on record, as detailed at paragraphs [494] to [506] of the SOAFAC (Warrant Agreement Issue); and g. failure to adhere to regulatory data requirements by CommSec, as detailed at paragraphs [511] to [521] of the SOAFAC (Regulatory Data Issue).

[17]

SCHEDULE 2 AUSIEX COMPLIANCE PROGRAMME 1.1 Definitions: In addition to terms defined elsewhere in this document the following definitions apply: AFSL means Australian Financial Services Licence. ASIC means the Australian Securities and Investments Commission. ASIC Act means Australian Securities and Investments Commission Act 2001. ASX Rules means the ASIC Market Integrity Rules (ASX Market) 2010. AUSIEX means the Australian Investment Exchange Limited ACN 076 515 930. Business Day means a day (other than a Saturday, Sunday or public holiday) on which market participants are open for general business in Sydney. Compliance Programme means the compliance programme orders pursuant to section 1101B of the Corporations Act. Competition Rules means ASIC Market Integrity (Competition in Exchange Markets) Rules 2011. Corporations Act means the Corporations Act 2001 (Cth). Orders of the Court means the orders made by the Court pursuant to section 1101B of the Corporations Act. Independent Expert means the Independent Expert engaged by AUSIEX in accordance with paragraph 12. Leadership Team means the Chief Executive Officer of AUSIEX and his or her direct reports. Market Integrity Rules means the ASX Rules, Competition Rules and Securities Markets Rules. Market Participant means a person allowed to directly participate in a Market (as defined in the Market Integrity Rules). NRI means Nomura Research Institute, Ltd. Project Rampart means the internal project instigated by CommSec and AUSIEX in 2018 to review systems and processes regarding trust reconciliation and to remediate their trust account issues. Project Umbrella means the internal project instigated by CommSec and AUSIEX in 2018 following identification of the Trade Confirmation Issues. Relevant Provisions means those sections of the ASIC Act, the Corporations Act and the Market Integrity Rules identified in the SOAFAC (as defined below in paragraph 1.2) that are admitted to have been contravened by AUSIEX in the Statement of Agreed Facts and Contraventions. Reported Conduct has the meaning given in Schedule 1. Sale means the agreement to sell AUSIEX to a subsidiary of NRI announced on 28 April 2020. Securities Markets Rules means ASIC Market Integrity Rules (Securities Markets) 2017. Systems and Controls means the systems and controls in place at AUSIEX after completion of the Sale that relate to the financial services provided by AUSIEX as a Market Participant under AUSIEX's AFSL, including: a. Technology and technological governance, including the technology strategy, enterprise architecture that maps the business and technology capabilities, target operating model, approach to system deployment and ensuring system compatibility; b. Oversight function, including roles and responsibilities, reporting lines and governance; c. Control mechanisms, processes and policies, including on design approval, testing, incident management and change management; d. Human resources, skills and competencies; and e. Operational risk management, including, delivery and ongoing operation of a) to d). 1.2 The Statement of Agreed Facts and Contraventions (SOAFAC) sets out the factual basis for the admitted contraventions by AUSIEX of the Corporations Act, Market Integrity Rules and the ASIC Act. A summary is contained at Annexure A of the SOAFAC. 1.3 As described in Section L of the SOAFAC, AUSIEX has undertaken an assessment of the causes of the Reported Conduct and has categorised the types of causes identified as relating to one or more of the following categories, at a high level: people, systems and processes. In particular, the Reported Conduct primarily relates to failures across multiple systems, processes and business areas, including both legacy and current systems. The specific root cause categorisations assigned to the Reported Conduct are set out at paragraph 568 of the SOAFAC (Root Causes) and include, but are not limited to: a. inadequate/ineffective testing of specified system requirements; b. system specification, including user requirements, were not adequately captured; and c. current standards, policies and/or procedures may not be adequately designed to address or clearly describe risks and/or related controls. 1.4 ASIC considers the number, breadth and duration of the Reported Conduct to be indicative of material failures in broader systems and controls at AUSIEX. The scope of this Compliance Programme is designed to take a holistic approach to AUSIEX's Systems and Controls relevant to the Reported Conduct and/or its Root Causes. Phase 1 2. Phase 1 Review 2.1 The Independent Expert (IE) will be required to conduct and complete a review, testing and assessment (Phase 1 Review) of the following matters: a. the adequacy and effectiveness of existing remediation (where relevant) relating to the Reported Conduct and its Root Causes, including but not limited to, Project Rampart and Project Umbrella; and b. the adequacy and effectiveness of all Systems and Controls; such that reasonable steps have been taken by AUSIEX to ensure current and ongoing compliance with the Relevant Provisions. AUSIEX may make submissions to the IE and ASIC and the IE and ASIC may agree that certain Systems and Controls are outside the scope of the IE's review because AUSIEX intends to replace that system or control as part of its transition to a new control environment following completion of its sale to NRI. 3. Phase 1 Report 3.1 AUSIEX will instruct the IE to provide a written report, in relation to the Phase 1 Review (Phase 1 Report) which includes the following: a. a statement containing details of any gap, weakness, risk or deficiency of the existing remediation and the Systems and Controls identified during the course of the Phase 1 Review (Deficiencies), as well as details of the cause of any Deficiencies; b. assessment and benchmarking of any Deficiencies against existing internationally recognised standards, such as: i. ISO 31000: Risk management; ii. ISO/IEC 38500: 2015 Information technology - Governance of IT for the organisation; iii. COBIT 5, and c. if any Deficiency is identified:

[18]

iv. details of how the Deficiency impacts the assessments required by the Phase 1 Review at paragraph 2; v. recommendations on how to rectify identified Deficiencies; and d. if no Deficiency is identified, or recommendation made, an explicit statement as to whether the IE has determined in the course of the Phase 1 Review: i. that existing remediation resulting from the Reported Conduct and its Root Causes (where applicable) is adequate and effective; and ii. that all Systems and Controls are adequate and effective, in order to ensure that AUSIEX has taken reasonable steps to ensure current and ongoing compliance with the Relevant Provisions. 3.3 AUSIEX must ensure that the terms of the IE engagement require the IE: a. to conduct the Phase 1 Review and deliver the Phase 1 Report to AUSIEX and ASIC within 18 weeks after the latter of the Sale or the date of the appointment of the IE (or such longer period as agreed in writing by ASIC and AUSIEX); b. to hold monthly bilateral meetings with ASIC to provide ASIC with updates in relation to the Phase 1 Review and the Phase 1 Report (or such longer period as agreed in writing by ASIC); and c. if requested by ASIC, also hold tripartite meetings with AUSIEX and ASIC in relation to the Phase 1 Review and the Phase 1 Report. 4. Phase 1 Remedial Action Plan 4.1 AUSIEX will consider all Deficiencies identified in the Phase 1 Report and any recommendations to rectify all Deficiencies by the IE and develop a plan (Phase 1 Remedial Action Plan) to rectify any such Deficiencies and address any IE's recommendations from the Phase 1 Report in accordance with this paragraph 4. 4.2 Any Phase 1 Remedial Action Plan must: a. detail the action AUSIEX proposes to take to address the recommendations identified in the Phase 1 Report to rectify the Deficiencies; b. specify the date by which each action will be taken; c. identify a suitably senior and qualified representative of AUSIEX to be responsible for implementation and timely and effective delivery of each action under the Phase 1 Remedial Action Plan; and d. detail any accelerated remedial action for any recommendation identified in the Phase 1 Report to be of high priority. 4.3 In developing a Phase 1 Remedial Action Plan, AUSIEX must: a. work with the IE to produce actions to address the Deficiencies and recommendations identified in the Phase 1 Report; b. meet with the IE and ASIC no later than 1 month prior to the submission of the Phase 1 Remedial Action Plan to ASIC and the IE in accordance with the time frame set out in paragraph 4.4(a), for discussion of any proposed implementation of the IE recommendations from the Phase 1 Review, including the proposed terms of any Phase 1 Remedial Action Plan; c. within 3 Business Days of the meeting held in accordance with paragraph 4.3 (b), provide ASIC and the IE with a draft of the proposed Phase 1 Remedial Action Plan; and d. make any reasonable modifications to the proposed Phase 1 Remedial Action Plan requested by: i. ASIC, provided ASIC has made such a request within 20 Business Days (or such longer period as agreed in writing by ASIC and AUSIEX) after ASIC was provided with a draft of the proposed Phase 1 Remedial Action Plan in accordance with paragraph 4.3(c); or ii. the IE, provided the IE has made such a request within 10 Business Days (or such later date as agreed) after the IE was provided with a draft of the proposed Phase 1 Remedial Action Plan in accordance with paragraph 4.3(c). 4.4 AUSIEX must: a. provide the Phase 1 Remedial Action Plan to ASIC and the IE within 2 months following receipt of the Phase 1 Report (or such longer period as ASIC approves in writing); and b. seek written confirmation from ASIC that it has no objections to the terms of the Phase 1 Remedial Action Plan, such confirmation not to be unreasonably withheld and upon receipt of that confirmation, the Phase 1 Remedial Action Plan will be finalised in the terms that are subject to the confirmation; and c. meet with ASIC on a monthly basis to provide progress updates in relation to the implementation of the Phase 1 Remedial Action Plan. 4.5 AUSIEX must, within 5 Business Days of implementation of all of the actions required under the Phase 1 Remedial Action Plan, provide written notification to ASIC and the IE that the Phase 1 Remedial Action Plan has been fully implemented. 4.6 If the Phase 1 Report does not identify any Deficiencies or include any recommendation by the IE, there will be no Phase 2 Review. Phase 2 5. Phase 2 Review 5.1 AUSIEX will instruct the IE to conduct and complete a review which includes testing and assessment of the following matters (Phase 2 Review): a. whether the actions (if any) implemented from the Phase 1 Remedial Action Plan have rectified the Deficiencies and addressed the recommendations made by the IE in the Phase 1 Report; and b. the effectiveness of AUSIEX's implementation of any recommendations and actions arising from the Phase 1 Report, and if any Deficiency still exists, to provide further recommendations to adequately and effectively rectify the Deficiency. 5.2 AUSIEX must ensure that the terms of the IE engagement require the IE: a. to commence the Phase 2 Review within 3 months after the date of the implementation of the Phase 1 Remedial Action Plan or such alternative time agreed with ASIC (such agreement not be unreasonably withheld); and b. to provide ASIC with monthly progress updates (or such longer period as agreed in writing by ASIC and AUSIEX) in relation the Phase 2 Review and the Final Report (as defined below). 6. Final Report 6.1 AUSIEX will instruct the IE to produce and deliver a report, in relation to the Phase 2 Review (Final Report) which includes: a. details of the outcome of the testing and assessment set out at paragraph 5.1 above; and b. a statement as to whether each of the actions set out in the Phase 1 Remedial Action Plan have been effectively implemented; and c. any further recommendation that the IE considers is necessary or appropriate for AUSIEX to implement in order to ensure: i. any actions in the Phase 1 Remedial Action Plan that the IE considers have not been effectively implemented are effectively implemented; and ii. any Deficiencies are adequately and effectively rectified; and d. if no Deficiency is identified or recommendation made, an explicit statement as to whether the IE has determined in the course of the Phase 2 Review: i. that Phase 1 Remedial Action Plan was adequate and effective in addressing the Deficiencies identified and recommendations made by the IE I the Phase 1 Report; and ii. all Systems and Controls are adequate and effective, such that AUSIEX has taken reasonable steps to ensure current and ongoing compliance with the Relevant Provisions. 6.2 AUSIEX must ensure that the terms of the engagement require the IE to: a. deliver the Final Report to AUSIEX and ASIC within 2 months after the date of commencement of the Phase 2 Review (or such longer period as agreed in writing between ASIC and AUSIEX); b. hold monthly bilateral meetings with ASIC to provide ASIC updates in relation the Phase 2 Review and the Final Report (or such longer period as agreed in writing by ASIC); and c. if requested by ASIC, hold tripartite meetings with AUSIEX and ASIC in relation the Phase 2 Review and the Final Report. 7. Phase 2 Remedial Action Plan 7.1 AUSIEX will be required to address all Deficiencies identified in the Final Report and the recommendations to rectify them by the IE in the Final Report and, if there are any, develop a plan (Phase 2 Remedial Action Plan) to rectify each Deficiency and address the IE's recommendations from the Final Report. If the Final Report does not identify any Deficiencies and the IE has determined in the course of the Phase 2 Review that the recommendations in the Phase 1 Report have been effectively addressed and actions in the Phase 1 Remedial Action Plan have been effectively implemented (as contemplated in the statement at 6.1(d)), then there will be no Phase 2 Remedial Action Plan. 7.2 Any Phase 2 Remedial Action Plan must: a. detail the action AUSIEX will to take to rectify any Deficiency identified in the Final Report and address the IE's recommendations in the Final Report (if any); b. set out the proposed timeline for completing implementation of each action required under the Phase 2 Remediation Action Plan; c. identify a suitably senior and qualified representative of AUSIEX to be responsible for implementation and timely and effective delivery of each action under the Phase 2 Remediation Action Plan; and d. detail any accelerated remedial action for any recommendation identified in the Final Report to be of high priority. 7.3 In developing any Phase 2 Remedial Action Plan, AUSIEX must: a. produce actions to address the Deficiencies and recommendations identified by the IE in the Final Report (if any); and b. meet with the IE and ASIC no later than 1 month prior to the submission of the Phase 2 Remedial Action Plan to ASIC and the IE in accordance with the time frame set out in paragraph 7.4(a) for discussion of any proposed implementation of the IE recommendations from the Phase 2 Review, including the proposed terms of any Phase 2 Remedial Action Plan; and c. within 3 Business Days of the meeting held in accordance with paragraph 7.3 (b), provide ASIC and the IE with a draft of the proposed Phase 2 Remedial Action Plan; and d. make any reasonable modifications to the proposed Phase 2 Remedial Action Plan requested by: i. ASIC, provided ASIC has made such a request within 20 Business Days after ASIC was provided with a draft of the proposed Phase 2 Remedial Action Plan in accordance with paragraph 7.3(c); or ii. the IE provided the IE has made such a request within 10 Business Days after the IE was provided with a draft of the proposed Phase 2 Remedial Action Plan in accordance with paragraph 7.3(c). 7.4 AUSIEX must: a. provide the Phase 2 Remedial Action Plan to ASIC and the IE within 2 months following receipt of the Final Report (or such longer period as ASIC approves in writing); and b. seek written confirmation from: i. ASIC that it has no objection the terms of the Phase 2 Remediation Action Plan, such confirmation not to be unreasonably withheld; and ii. the IE that the Phase 2 Remedial Action Plan will, in the professional judgment of the IE, if implemented, satisfactorily address the Deficiencies and recommendations made by the IE in the Final Report, and upon receipt of those confirmations, the Phase 2 Remedial Action Plan will be finalised in the terms that are subject to the confirmations; and c. meet with ASIC on a monthly basis to provide progress updates in relation to implementation of the Phase 2 Remedial Action Plan including if the implementation of the Phase 2 Remedial Action Plan is likely to be delayed. If the Phase 2 Remedial Action Plan is likely to be delayed, AUSIEX must seek ASIC's agreement to amend the deadline for the implementation of the Phase 2 Remedial Action Plan, such agreement not to be unreasonably withheld. 7.5 AUSIEX must, within 5 business days after the implementation of the actions required under any Phase 2 Remedial Action Plan, provide written confirmation to ASIC that the Phase 2 Remedial Action Plan is fully implemented. 8. Attestation 8.1 ASIC is to be provided a written statement on behalf of AUSIEX, signed by the Chief Executive Officer of AUSIEX (or equivalent position, as agreed by ASIC) attesting to the following matters (Attestation): a. that he or she has read and understood the Phase 1 Report and any Final Report; and b. if any remedial actions were required in response to the IE's recommendations set out in the Phase 1 Report or the Final Report, states whether he or she believes, having made reasonable enquiries, that AUSIEX has implemented the actions identified in the Phase 1 Remedial Action Plan and if applicable, the Phase 2 Remedial Action Plan; and c. states whether he or she believes, having made reasonable enquiries: i. that the remediation relating to the Reported Conduct and its Root Causes (where applicable) has been adequate and effective; and ii. the Systems and Controls are adequate and effective, such that reasonable steps have been taken by AUSIEX to ensure current and ongoing compliance with the Relevant Provisions. 8.2 The Attestation will be provided to ASIC at the earlier of: a. 20 business days following the delivery by the IE of the Phase 1 Report, if the Phase 1 Report identifies no Deficiencies and makes no recommendations, which contains the statement contemplated in paragraph 3.1(d); b. 20 business days following the delivery by the IE of the Final Report, if the Final Report identifies no Deficiencies and makes no recommendations; c. 20 business days following the giving of the written notice to ASIC referred to in paragraph 7.5; or d. such other date agreed in writing between ASIC and AUSIEX. 8.3 In the event that: a. AUSIEX does not provide the Attestation to ASIC by the time required in paragraph 8.2; or b. ASIC considers (acting reasonably) that the Attestation is in terms which are unacceptable; ASIC may notify AUSIEX in writing accordingly and provide AUSIEX with 20 business days (or such longer period as ASIC approves in writing) to respond. If AUSIEX fails to respond, ASIC may commence proceedings to enforce compliance with the Court's Orders. 9. Ending of the Compliance Programme 9.1 The Compliance Programme will end following compliance with all obligations under the Court's Order including compliance with the Attestation clause referred to in paragraph 8 above. 10. Other 10.1 The Phase 1 Report, any Final Report, any Phase 1 Remedial Action Plan and any Phase 2 Remedial Action Plan, including a list of concluded actions must be provided to the Leadership Team and Board of Directors of AUSIEX. 10.2 AUSIEX will, within a reasonable period of receiving a request from ASIC, provide all documents and information reasonably requested by ASIC from time to time for the purposes of assessing AUSIEX's compliance with the Compliance Programme, including any correspondence with the IE, other than any documents or information subject to a claim of legal professional privilege. 10.3 AUSIEX will be responsible for the costs of its compliance with the Compliance Programme. 10.4 AUSIEX and/or ASIC may apply to the Court for a variation of the terms of this Compliance Programme at any time and the Compliance Programme is subject to the Orders of the Court from time to time. 11. Non-compliance 11.1 AUSIEX must notify ASIC as soon as reasonably practicable and in any event within 10 business days after becoming aware of any failure to comply with the Orders of the Court. 12. Appointing the IE 12.1 AUSIEX must request ASIC to approve, within 30 business days of the date of the Orders of the Court, or within such longer period as may be agreed in writing by ASIC and AUSIEX: a. the appointment of the IE required for the purposes of the Compliance Programme which meets the criteria in paragraph 12.2 below; b. the draft terms of engagement for that IE that meet the requirements of the Compliance Programme; and c. if ASIC approves the nominated IE and draft terms of engagement following a request by AUSIEX under paragraph 12.1, AUSIEX undertakes to appoint the approved IE on the terms approved by ASIC, within 10 Business Days of receiving ASIC's approval, or within such longer period as may be agreed by ASIC and AUSIEX. 12.2 The IE nominated by AUSIEX: a. must have the necessary expertise, experience and operational capacity to perform the role contemplated by the Compliance Programme; and b. must be independent of AUSIEX, its related bodies corporate and its officers and will at all material times be capable of exercising objective and impartial judgement. 12.3 The appointment of the IE must be approved by ASIC in writing before the appointment takes effect (such approval not to be unreasonably withheld). 12.4 AUSIEX will provide ASIC with any information, explanation or documents it requests for the purposes of determining whether to approve the appointment of the IE, subject to a claim of legal professional privilege. 12.5 AUSIEX must advise ASIC of the expertise and any prior association of the proposed IE with AUSIEX, its related bodies corporate and officers at the time approval is sought from ASIC. 13. Appointing a new independent expert 13.1 If the IE advises AUSIEX and ASIC in writing that he or she is unable to continue his or her appointment, or if the engagement is terminated because of an actual or potential conflict of interest of the IE that arises during the engagement, AUSIEX must within 15 business days (or such longer period agreed in writing with ASIC) after the ending or termination of the engagement, appoint and engage another independent expert in accordance with paragraph 12 (with such appointment to take effect for the remaining duration of the Compliance Programme). 14. Terms of engagement 14.1 The terms of engagement for the IE will be approved by ASIC in writing before the engagement takes effect (such approval not to be unreasonably withheld) and once ASIC has provided its approval, the terms of engagement may only be varied with the agreement of ASIC (acting reasonably). 14.2 AUSIEX must ensure that the terms of engagement of the IE provided to ASIC for approval under paragraph 12.1: a. require AUSIEX to engage the IE to perform the tasks necessary to fulfil AUSIEX's obligations under the Compliance Programme; b. require AUSIEX to permit the IE, subject to any claim of legal professional privilege, to the extent that it is reasonable having regard to the requirements of this Compliance Programme, to have access to its books, to interview present employees, contractors, agents and/or consultants and to consult with ASIC and disclose to ASIC any further information obtained by the IE in the course of carrying out the engagement for the purposes of the Compliance Programme; c. require AUSIEX to give the IE any information, document, or explanation reasonably requested by the IE in relation to any matter in any way connected with the reports required to be prepared by the IE for the purposes of the Compliance Programme (other than information, documents or explanations subject to a claim of legal professional privilege); d. require AUSIEX to reasonably assist the IE in conducting the work required for the purposes of the Compliance Programme; e. include a statement to the effect that the work of the IE is being carried out for AUSIEX and ASIC, and acknowledging that ASIC is relying on the work of the IE; f. include a statement that, if requested by ASIC, ASIC is to be copied into all or some communications between AUSIEX and the IE; g. require that the IE provide ASIC with a copy of the final versions of the Phase 1 Report and any Final Report at the same time as the final version of each report is provided to AUSIEX; h. include an acknowledgement that in relation to the Phase 1 Report and any Final Report to be provided to ASIC and AUSIEX, ASIC may from time to time: i. publicly refer to the content of the reports; and ii. make public:

a summary of the content of the reports; or
a statement that refers to the content of the reports. i. require that the IE provide ASIC with a copy of its proposed work and testing plan in relation to the assessment, review and testing required for the purposes of the Compliance Programme; j. require that the IE must make any reasonable modifications to its work and testing plan requested by ASIC, provided ASIC has made such request within 10 business days after ASIC was provided with a copy of the proposed work and testing plan (or such longer period as agreed in writing by ASIC); and k. make provision for circumstances where an actual or potential conflict of interest arises in relation to the IE, including by requiring that the IE: i. as soon as possible after becoming aware of an actual or potential conflict of interest that arises during the engagement, inform ASIC of the actual or potential conflict of interest; ii. follow the reasonable directions of ASIC to effectively manage the actual or potential conflict of interest; and iii. if the actual or potential conflict of interest cannot be effectively managed, follow the reasonable directions of ASIC to terminate the engagement.
ASIC public reporting 15.1 In relation to the Phase 1 Report, Final Report, any Phase 1 Remedial Action Plan, and any Phase 2 Remedial Action Plan arising from the IE's recommendations, ASIC: a. may issue a media release referring to the outcome, content, or compliance with any of those reports or plans; and b. may from time to time publicly refer to the content of the written reports or plans, and may make available for public inspection a summary of the content of the written reports or plans, or a statement that refers to the content of those report or plans. 15.2 In relation to the Compliance Programme, ASIC: a. may issue a media release on the Compliance Programme ordered by the Court, refer to any such order, and refer to the concerns of ASIC which led to the court-ordered Compliance Programme; and b. may from time to time publicly refer to the Compliance Programme. 15.3 In relation to paragraph 15.1 and 15.2, ASIC will delete, remove or redact any information prior to publication if (acting reasonably) ASIC is satisfied that the information: a. is personal information (as defined in the Privacy Act 1988 (Cth)); b. should not be disclosed because it would be against the public interest to do so; or c. contains information that would be unreasonable to release because the release of the information would unreasonably affect the business, commercial or financial affairs of AUSIEX.
Interpretation of Compliance Programme 16.1. In the event that AUSIEX and the IE are unable to agree on the interpretation of any matter the subject of this Compliance Programme, AUSIEX and the IE must use reasonable efforts to resolve the disagreement and if unable to do so, may request a meeting with ASIC to discuss the matter in an effort to resolve the disagreement. If ASIC requests, each of AUSIEX and the IE are to provide ASIC with a written submission as to the matter in dispute 3 Business Days before any such meeting. Schedule A The Reported Conduct is: a. breaches of client money and trust account requirements by AUSIEX, as set out in paragraphs [172] to [200] of the SOAFAC; b. inaccuracies in trade confirmations sent, or failure to send trade confirmations as required, by AUSIEX, as set out in paragraphs [336] to [430] of the SOAFAC; c. best execution obligations failures by AUSIEX, as set out in paragraphs [488] to [491] of the SOAFAC; and d. failure to adhere to regulatory data requirements by AUSIEX, as set out in paragraphs [526] to [536] of the SOAFAC.

[20]

How the plaintiff characterised the defendants' contraventions 3 This proceeding is characterised by a high degree of cooperation between the parties. The defendants largely agree with the way in which the plaintiff, the Australian Securities and Investments Commission (ASIC), has characterised their contraventions of obligations held under their AFSL, pursuant to the Market Integrity Rules and consequently, the Corporations Act (and additionally for CommSec, the Australian Securities and Investments Commission 2001 (Cth)) (ASIC Act). In this context, it is convenient to draw upon the plaintiff's submissions and the statement of agreed facts and contraventions (SOAFAC) to explain the legal context in which the contraventions arise and the nature of the contraventions, before I recall the parties' submissions and turn to consider whether the contraventions have been established and the appropriate remedies to flow from these. 4 Between 1 January 2017 and 14 August 2020, CommSec and AUSIEX provided a series of notifications to ASIC in relation to: incorrect brokerage fees charged by CommSec (Brokerage Issues); breaches of client money requirements and trust account reconciliation rules by CommSec and AUSIEX (Client Money Issues); a failure to send trade confirmations as required and failure to send accurate trade confirmations by each of CommSec and AUSIEX (Trade Confirmations Issues); inadequate automated order processing filters by CommSec to determine no change in beneficial ownership (AOP Issue); a failure to comply with best execution obligations by CommSec and AUSIEX (Best Execution Issue); trading of warrants on CommSec accounts without a valid Warrant Agreement Form on record (Warrant Agreement Issue); and failure to adhere to regulatory data requirements by CommSec and AUSIEX (Regulatory Data Issue) (collectively referred to as the Reported Conduct). 5 It is common ground between the parties that CommSec contravened: (1) s 798H of the Corporations Act, as set out at paragraph [4] of the Amended Originating Process; (2) s 12DB of the ASIC Act, as set out at paragraph [3] of the Amended Originating Process; and (3) s 912A(1)(a) of the Corporations Act, as set out at paragraph [1] of the Amended Originating Process. 6 It is also common ground between the parties that AUSIEX contravened: (1) s 798H of the Corporations Act, as set out at paragraph [5] of the Amended Originating Process; and (2) s 912A(1)(a) of the Corporations Act, as set out at paragraph [2] of the Amended Originating Process. 7 The Reported Conduct spanned the period from 1 August 2010 to 18 June 2020 for CommSec and from 6 May 2010 to 27 November 2019 for AUSIEX, and related to failures across multiple systems, processes and business areas. Due to limitation periods, declarations and penalties are sought in relation to conduct occurring on or after 1 March 2015 (the Limitation Date), although conduct occurring prior to that date is referenced to contextualise later conduct or to establish a continuing course of conduct. 8 The contravening conduct concerns a range of services and issues. There is not a single cause of all of the offending conduct. Nevertheless, there are common features across the conduct. The issues arose from failures such as information technology system coding or systems issues, human error, and/or data entry errors. The number, breadth and duration of the Reported Conduct when viewed in totality is significant and indicates the entities did not have adequate systems and processes in place to ensure compliance with their relevant obligations under their AFSLs and pursuant to the Market Integrity Rules and consequently, the Corporations Act (and additionally for CommSec, the ASIC Act). 9 I note that CommSec has been before the Markets Disciplinary Panel (MDP) for contraventions of the Market Integrity Rules on seven previous occasions since 2012, receiving fines totalling $1,055,000. It has also been subject to a Court Enforceable Undertaking in 2013 for client money and trust account failings. 10 That said, ASIC does not allege, and there is no evidence to indicate that, any of the contraventions the subject of these proceedings were deliberate, or that the conduct constituting the contraventions was conduct of senior management of either CommSec or AUSIEX. Both defendants have cooperated with ASIC in relation to these proceedings, expressed contrition for the Reported Conduct, taken steps to address the issues the subject of the Reported Conduct, and to remediate any client detriment. The defendants have also agreed to ongoing compliance programs. These common factors relevant to the Reported Conduct are referred to as the 'Mitigating Factors' and ASIC has also taken these into account by submitting that a 30% discount to the headline penalty figures proposed is appropriate. 11 I note that while there appear to be some ongoing issues in relation to matters similar to the Reported Conduct, each of the parties has agreed to enter into detailed compliance plans to ensure any outstanding issues are addressed. 12 This proceeding relates to the relief sought as a result of the admitted contravention. 13 As will be readily apparent from even that brief description, there has been significant co-operation by parties, and the matter proceeded on the basis of a very detailed SOAFAC. In those circumstances it is unnecessary to recite in detail those facts, which I accept, and I attach that statement to these reasons as Annexure A. I will only refer to some brief aspects.

[23]

Section 798H of the Corporations Act 18 Participants in licensed markets "must comply with the market integrity rules": s 798H(1) of the Corporations Act. ASIC is granted power to make market integrity rules under s 798G of the Corporations Act. Prior to 2017, ASIC had a series of market-specific rule-books in operation, including, relevantly, the ASX Rules and the Exchange Markets Rules. From 7 May 2018, the market specific rules were replaced with a common set of market integrity rules for securities markets (the Securities Markets Rules). 19 Section 798H(1) is a civil penalty provision. The imposition of a penalty is discretionary: s 1317G. In determining the appropriate pecuniary penalty, the Court must take into account all relevant matters, including (s 1317G(6)): (1) the nature and extent of the contravention; (2) the nature and extent of any loss or damage suffered because of the contravention; (3) the circumstances in which the contravention took place; and (4) whether the person has previously been found by a court (including a court of a foreign country) to have engaged in similar conduct. 20 If a Court is satisfied that a person has contravened a civil penalty provision, "it must make a declaration of contravention": s 1317E. In contrast to the pecuniary penalty, this is a mandatory requirement: Australian Securities and Investments Commission v Warrenmang [2007] FCA 973; (2007) 63 ACSR 623 at [31]. 21 By virtue of the time period over which they occurred, the contraventions concern both the Securities Markets Rules and equivalent provisions under the earlier ASX Rules and Exchange Market Rules. The significant difference in the transition in rules, is in the maximum penalty amounts applicable to Reported Conduct which occurred wholly on or after 13 March 2019: Treasury Laws Amendment (Strengthening Corporate and Financial Sector Penalties) Act 2019 (Cth) (Amendment Act). 22 The Market Integrity Rules (including the Securities Markets Rules, applicable to contraventions on and from 13 March 2019) contain within them tiered maximum penalty amounts in respect of different rules. However, those maximums only apply in respect of conduct that occurred, or commenced, prior to 13 March 2019, since the Amendment Act removed s 798G(2) of the Corporations Act (Amendment Act s 48), which had provided ASIC with the power to stipulate a penalty amount in respect of a contravention of the Market Integrity Rules. 23 The applicable penalty regime for contravention of the Market Integrity Rules after 13 March 2019 is set out in s 1317G(4) of the Corporations Act. 24 As a consequence, the maximum penalty for each alleged contravention is: (1) if the conduct occurred or commenced prior to 13 March 2019 - the maximum penalty specified in the relevant rule (being one of $1 million, $100,000 and $20,000): see former ss 798G(1C)-(1D) and 798G(2) of the Corporations Act; (2) if the conduct occurred wholly on or after 13 March 2019: approximately $525 million in respect of each contravention by CommSec; and $525 million in respect of each contravention by AUSIEX.

[24]

Section 12DB of the ASIC Act 25 This provision addresses false or misleading representations. To prove a contravention, it must be established that: (1) the defendant made a representation; (2) which was false or misleading about one or several matters listed in sub-s (1); (3) which was made in trade or commerce; and (4) which was made: (a) in connection with the supply or possible supply of financial services; or (b) in connection with the promotion by any means of the supply or use of financial services. 26 For the period relevant to the admitted contravention of s 12DB, being 1 March 2015 to 26 March 2018, the ASIC Act did not contain any provision which specifically gave the Court power to make declarations: (c.f. s 12GBA of the current ASIC Act). The Court's power to make declarations in relation to contraventions of s 12DB of the ASIC Act for that period is found in s 21 of the Federal Court of Australia Act 1976 (Cth) (FCA Act). 27 Pecuniary penalties for contraventions for the period relevant to the admitted contravention were dealt with in s 12GBA of the ASIC Act, which relevantly provided that, if the Court is satisfied that a person has contravened s 12DB, "the Court may order the person to pay to the Commonwealth such pecuniary penalty, in respect of each act or omission by the person to which the section applies, as the Court determines to be appropriate." In determining the appropriate pecuniary penalty, the Court must have regard to all relevant matters including (s 12GBA(2)): (1) the nature and extent of the act or omission and of any loss or damage suffered as a result of the act or omission; (2) the circumstances in which the act or omission took place; (3) whether the person has previously been found by the court in proceeding under subdivision G (of Pt 2, Div 2), to have engaged in any similar conduct. 28 For each contravention of s 12DB, the maximum penalty payable by a body corporate under s 12GBA(3) of the ASIC Act is 10,000 penalty units. Over the relevant period, the value of a penalty unit has been: (1) between 1 March 2015 and 30 July 2015, $170; (2) between 31 July 2015 and 30 June 2017, $180; and (3) from 1 July 2015 to 26 March 2018, $210. 29 Therefore, the maximum penalty for a contravention of s 12DB during the relevant applicable period has ranged from $1.7 million to $2.1 million. A contravention of s 12DB occurs each time the relevant false or misleading representation is made to a person. In cases involving representations made on a website (relevant to the contraventions of s 12DB in these proceedings), a representation is made each time that the relevant content on the website is accessed and viewed by a user of the website: Australian Competition and Consumer Commission v Hillside (Australia New Media) Pty Ltd trading as Bet365 (No 2) [2016] FCA 698 at [12]; Australian Securities and Investments Commission v Gallop International Group Pty Ltd [2019] FCA 1514; (2019) 138 ACSR 395 at [288].

[25]

Section 912A(1)(a) of the Corporations Act 30 This provision provided that a financial service licensee must do all things necessary to ensure that the financial services are provided "efficiently, honestly and fairly". This applied to each defendant in respect of the services provided by that entity. 31 In Australian Securities and Investments Commission v Camelot Derivatives Pty Ltd (in liq) [2012] FCA 414; (2012) 88 ACSR 206 at [69]-[70], Foster J observed in relation to s 912A(1)(a): [69] In support of the relief which it seeks based upon s 912A(1)(a) of the Corporations Act, ASIC made the following submissions: (a) The words "efficiently, honestly and fairly" must be read as a compendious indication meaning a person who goes about their duties efficiently having regard to the dictates of honesty and fairness, honestly having regard to the dictates of efficiency and fairness, and fairly having regard to the dictates of efficiency and honesty: Story v National Companies and Securities Commission (1988) 13 NSWLR 661 at 672. ([126]) (b) The words "efficiently, honestly and fairly" connote a requirement of competence in providing advice and in complying with relevant statutory obligations: Re Hres and Australian Securities and Investments Commission (2008) 105 ALD 124 at [237]. They also connote an element not just of even handedness in dealing with clients but a less readily defined concept of sound ethical values and judgment in matters relevant to a client's affairs: Re Hres and Australian Securities and Investments Commission (2008) 105 ALD 124 at [237]. ([127]) (c) The word "efficient" refers to a person who performs his duties efficiently, meaning the person is adequate in performance, produces the desired effect, is capable, competent and adequate: Story v National Companies and Securities Commission (1988) 13 NSWLR 661 at 672. Inefficiency may be established by demonstrating that the performance of a licensee's functions falls short of the reasonable standard of performance by a dealer that the public is entitled to expect: Story v National Companies and Securities Commission (1988) 13 NSWLR 661 at 679. ([128]) (d) It is not necessary to establish dishonesty in the criminal sense: R J Elrington Nominees Pty Ltd v Corporate Affairs Commission (SA) (1989) 1 ACSR 93 at 110. The word "honestly" may comprehend conduct which is not criminal but which is morally wrong in the commercial sense: R J Elrington Nominees Pty Ltd v Corporate Affairs Commission (SA) (1989) 1 ACSR 93 at 110. ([129]) (e) The word "honestly" when used in conjunction with the word "fairly" tends to give the flavour of a person who not only is not dishonest, but also a person who is ethically sound: Story v National Companies and Securities Commission (1988) 13 NSWLR 661 at 672. ([130]) [70] The submissions which I have extracted at [69] above are correct and I accept them. 32 Foster J's statement was cited with approval in, for example: Australian Securities and Investments Commission v Commonwealth Bank of Australia [2020] FCA 790 at [50]; Australian Securities and Investments Commission v Avestra Asset Management Limited (in liq) [2017] FCA 497; (2017) 348 ALR 525 at [191]; Australian Securities and Investments Commission v Cassimatis (No 8) [2016] FCA 1023; (2016) 336 ALR 209 at [674]; Australian Securities and Investments Commission v Westpac Banking Corporation (No 2) [2018] FCA 751; (2018) 266 FCR 147 at [2347]; Australian Securities and Investments Commission v AGM Markets Pty Ltd (in liq) (No 3) [2020] FCA 208; (2020) 275 FCR 57 at [505] and Australian Securities and Investments Commission v MLC Nominees Pty Ltd [2020] FCA 1306; (2020) 147 ACSR 266 at [50]. 33 ASIC also referred to the recent obiter comments of O'Bryan J in ASIC v Westpac Securities [2019] FCAFC 187; (2019) 272 FCR 170 at [426]: With respect, it is not apparent that either reason provides a sound basis for reading the phrase, as it appears in s 912A(1)(a) of the Act, compendiously in the manner suggested by his Honour [referring to Young J's construction of s 912A in Story v National Companies and Securities Commission (1988) 13 NSWLR 661]. In particular, it is not apparent why a licensee cannot comply with each of the three obligations, efficiently, honestly and fairly, applying the ordinary meaning of each word. One of the meanings of the word "efficiently", and the meaning well adapted to the statutory provision, is competent, capable and having and using the requisite knowledge, skill and industry: cf ASIC v Camelot at [69(c)]. The word "honestly" includes dishonesty in the criminal sense but may also comprehend conduct which is not criminal but which is morally wrong in the commercial sense: RJ Elrington Nominees Pty Ltd v Corporate Affairs Commission (SA) (1989) 1 ACSR 93 at 110. The word "fair" as used in s 912A(1)(a) has not received detailed judicial consideration. However, it seems to me that there is no reason why it cannot carry its ordinary meaning which includes an absence of injustice, even-handedness and reasonableness. As is the case with legislative requirements of a similar kind, such as provisions addressing unfair contract terms, the characterisation of conduct as unfair is evaluative and must be done with close attention to the applicable statutory provision: cf Paciocco v Australia and New Zealand Banking Group Ltd (2015) 236 FCR 199 at [364]. It seems to me that the concepts of efficiently, honestly and fairly are not inherently in conflict with each other and that the ordinary meaning of the words used in s 912A(1)(a) is to impose three concurrent obligations on the financial services licensee: to ensure that the financial services are provided efficiently, and are provided honestly, and are provided fairly. 34 As O'Bryan J stated at [424], immediately before those observations, the point was not the subject of argument. Allsop CJ reserved "for an occasion where the matter was fully argued the question whether the phrase is compendious and, if it is, its meaning and application": at [170]. I note that there was no suggestion by ASIC that O'Bryan J's dicta had changed the law. 35 As ASIC submitted, ultimately, the distinction may be of limited practical impact, as was recognised by Young J who originally articulated the composite approach in Story v National Companies and Securities Commission (1988) 13 NSWLR 661, as he observed that "in the long run it does not seem to me to much matter whether one reads the words cumulatively or disjunctively, because unless a licence holder possesses the three attributes whether as one package or as three separate parcels, the Commission can revoke his licence". I note that the point was not fully argued before me and I do not think it is necessary to add anything further here.

[27]

Pecuniary penalties 39 The purpose of a civil penalty is primarily protective, in promoting the public interest in compliance by deterrence from further contravening conduct: Australian Building and Construction Commission v Pattinson [2022] HCA 13; (2022) 399 ALR 599 at [15]. A penalty of appropriate deterrent effect "must be fixed with a view to ensuring that the penalty is not such as to be regarded by [the] offender or others as an acceptable cost of doing business": Pattinson at [17] citing Singtel Optus Pty Ltd v Australian Competition and Consumer Commission [2012] FCAFC 20; (2012) 287 ALR 249 at [62]. 40 The assessment of penalty of appropriate deterrent value will have regard to a number of factors including: (1) the nature and extent of the contravening conduct; (2) the amount of loss or damage caused; (3) the circumstances in which the conduct took place; (4) the size of the contravening company; (5) the degree of power it has, as evidenced by its market share and ease of entry into the market; (6) the deliberateness of the contravention and the period over which it extended; (7) whether the contravention arose out of the conduct of senior management or at a lower level; (8) whether the company has a corporate culture conducive to compliance, as evidenced by educational programs or other corrective measures in response to an acknowledged contravention; and (9) whether the company has shown a disposition to co-operate with the authorities responsible for the enforcement of the Act in relation to contravention: Pattinson at [18]. These are not to be considered to be a rigid list of factors to be ticked off: Pattinson at [19], but rather are to inform a multifactorial investigation that leads to a result arrived at by a process of "instinctive synthesis" addressing the relevant considerations: Australian Competition and Consumer Commission v Reckitt Benckiser (Australia) Pty Ltd [2016] FCAFC 181; (2016) 340 ALR 25 at [44]. 41 It is recognised that ordinarily separate contraventions arising from separate acts should attract separate penalties. However where separate acts give rise to separate contraventions which are inextricably interrelated, they may be regarded as a "course of conduct" for penalty purposes: Australian Competition and Consumer Commission v Yazaki Corporation [2018] FCAFC 73; (2018) 262 FCR 243 at [234]. This avoids double-punishment for those parts of the legally distinct contraventions which involve overlap in wrongdoing: see for example, Construction, Forestry, Mining and Energy Union v Cahill [2010] FCAFC 39; (2010) 269 ALR 1 at [39] and [41].Whether the contraventions should be treated as a single course of conduct is a question of fact having regard to all of the circumstances of the case. 42 The principle of totality requires the Court to make a "final check" of the penalties to be imposed on a wrongdoer, considered as a whole, to ensure that the total penalty does not exceed what is proper for the entire contravening conduct: Australian Competition and Consumer Commission v Australian Safeway Stores Pty Ltd [1997] FCA 450; (1997) 145 ALR 36 at 53, citing Mill v The Queen [1988] HCA 70; (1988) 166 CLR 59. 43 The principles to be applied in considering a jointly proposed penalty were considered in Commonwealth v Director, Fair Work Building Industry Inspectorate [2015] HCA 46; (2015) 258 CLR 482 (DFWBII), where the majority observed at [46]: [T]here is an important public policy involved in promoting predictability of outcome in civil penalty proceedings and that the practice of receiving and, if appropriate, accepting agreed penalty submissions increases the predictability of outcome for regulators and wrongdoers. As was recognised in Allied Mills and authoritatively determined in NW Frozen Foods, such predictability of outcome encourages corporations to acknowledge contraventions, which, in turn, assists in avoiding lengthy and complex litigation and thus tends to free the courts to deal with other matters and to free investigating officers to turn to other areas of investigation that await their attention. 44 Further, their Honours said at [58]: ... Subject to the court being sufficiently persuaded of the accuracy of the parties' agreement as to facts and consequences, and that the penalty which the parties propose is an appropriate remedy in the circumstances thus revealed, it is consistent with principle and ... highly desirable in practice for the court to accept the parties' proposal and therefore impose the proposed penalty. 45 Those observations about the desirability of acting upon agreed penalty submissions were made in the context of a broader recognition that as a civil litigant in civil proceedings, civil penalties are but one of numerous forms of relief which regulators can pursue, and it is entirely orthodox for regulators to make submissions as to that relief: see DFWBII at [24], [57]-[59], [63], [103], [107]. Those principles to be applied in considering a jointly proposed penalty were recently considered in Volkswagen Aktiengesellschaft v Australian Competition and Consumer Commission [2021] FCAFC 49; (2021) 284 FCR 24 at [124]-[131], referring to Fair Work, NW Frozen Foods Pty Ltd v Australian Competition Commission [1996] FCA 1134; (1996) 71 FCR 285 and Minister for Industry, Tourism and Resources v Mobil Oil Australia Pty Ltd [2004] FCAFC 72; (2004) ATPR 41-993. A number of points were highlighted including: first, the Court must be satisfied that the penalty proposed by the parties is appropriate: at [125]; second, if persuaded of the accuracy of the parties' agreement as to facts and that the proposed penalty is an appropriate remedy, it is highly desirable for the Court to accept the proposal: at [126]; third, in considering whether the proposed penalty is appropriate, it is necessary to bear in mind that there is no single appropriate penalty, but rather a permissible range. The proposed penalty may be "an" appropriate penalty if it falls within that range: at [127]; fourth, the Court should generally recognise that it most likely was a result of compromise and pragmatism on the part of the regulator, and while the regulator must estimate the penalty necessary to achieve deterrence, the Court must assess the proposed penalty on its merits, being wary of the possibility that the regulator may have been too pragmatic: at [129]; fifth, the Court's task is not limited to simply determining whether the jointly proposed penalty is within the permissible range, though that might be expected to be a highly relevant and perhaps determinative consideration. The overriding statutory directive is for the Court to impose a penalty which is determined to be appropriate having regard to all relevant matters: at [131]. 46 ASIC submitted that at least in so far as pecuniary penalties in respect of contraventions of the Market Integrity Rules and s 798H is concerned, there has been only one other civil penalty case brought to date in respect of that provision of the Corporations Act, and that involved an agreed penalty for conduct occurring prior to the Amendment Act. 47 As noted above (at [21]-[22]), there has been a significant increase in maximum penalties for comparable offences under the Market Integrity Rules where contraventions occur wholly on or after 13 March 2019. The theoretical maximum penalty amounts for the Reported Conduct are in some instances many times the assets of the entities involved. While penalties must be set at appropriate levels to address the goals of specific and general deterrence, ASIC accepted that the maximum theoretical penalty amounts in these proceedings are a disproportionate yardstick when viewed against the technical nature of the underlying offences here, particularly where there are many contraventions of a similar nature. Notwithstanding that, the legislative amendments brought about by the Amendment Act reflect a clear intention that penalties for contraventions of s 798H of the Corporations Act be increased above the penalties applicable prior to that date. ASIC submitted that the penalty amounts suggested by ASIC are a genuine attempt to reflect that clear legislative intention of the Parliament.

[31]

CommSec's and/or AUSIEX's affidavits 56 The first affidavit read by AUSIEX was an affidavit of Eric Blewitt verified on 20 August 2021. Mr Blewitt was the Chief Executive Officer and a director of AUSIEX, and made the affidavit on AUSIEX's behalf. In his position, during all relevant periods, Mr Blewitt was a Responsible Manager for AUSIEX, being a person nominated by an AFSL licensee who has direct responsibility for significant day-to-day decisions in their regulatory environment. 57 Mr Blewitt noted that since 13 August 2021, AUSIEX is no longer owned by the CBA. His affidavit explained AUSIEX's governance structures both prior to and subsequent to its separation from the CBA group. He also explained the structure of teams that existed to manage compliance within AUSIEX and the improvements to compliance systems that AUSIEX has already made, including implementing Project Rampart and Project Umbrella which were developed before the separation from the CBA group and are discussed further at [73] below. 58 Mr Blewitt also described the remediation work that has been undertaken by AUSIEX since separating from the CBA group to ensure compliance with obligations relating to aspects of the Reported Conduct including the handling of client monies, issuing of trade confirmations to customers, monitoring of best execution and the provision of regulatory data to market operators. Mr Blewitt said he considered that ensuring AUSIEX has in place systems, processes and controls to ensure compliance with those obligations and avoid repetition of AUSIEX's Reported Conduct to be of the highest importance. Mr Blewitt highlighted that he had emphasised the importance of compliance at a Board Meeting of AUSIEX and that, in this context, he anticipated that any future breaches would be escalated to him in addition to AUSIEX following the formal processes under the company's Incident and Breach Policy. 59 The second affidavit read by CommSec and AUSIEX was an affidavit of Michael Vacy-Lyle verified on 20 August 2021. Mr Vacy-Lyle was the Group Executive for Business Banking at the CBA and made the affidavit on behalf of both CommSec and AUSIEX. Since 1 February 2020, Mr Vacy-Lyle has been one of the accountable persons within the meaning of s 5 of the Banking Act 1959 (Cth) of the CBA. In that capacity, he has had senior executive responsibility for the management or control of the Business Banking business, which includes CommSec and included AUSIEX prior to 3 May 2021. Mr Vacy-Lyle has chaired and participated in a number of committees across the CBA group that focus on compliance and also has attended CommSec's board meetings since 18 February 2020, where he would review packs providing details on the Reported Conduct and remediation projects in relation to these. 60 Mr Vacy-Lyle's affidavit admitted, and apologised on behalf of CommSec and AUSIEX for, the Reported Conduct. He emphasised that the contraventions should not have occurred, took place over an extended period of time, had the potential to undermine market integrity, were serious and occurred despite previous proceedings before the MDP. Mr Vacy-Lyle also apologised for the failures to report contraventions in a timely manner, and for the financial detriment or potential financial detriment that was caused to clients by the Brokerage, Best Execution and Warrant Agreement issues. Mr Vacy-Lyle accepted that in light of the previous proceedings before the MDP, it was appropriate for ASIC to bring civil penalty proceedings in this court to achieve deterrence. 61 Mr Vacy-Lyle highlighted that CommSec and AUSIEX had proactively taken steps to remediate clients who suffered or may have suffered financial detriment, and undertaken significant work and restructuring directed at remedying the causes of client monies and trade confirmation issues and generally to improve compliance and risk management. 62 The third affidavit read by the defendants was an affidavit of David Smith verified on 28 August 2021. Mr Smith was the Head of Compliance since around September 2014 at CommSec and he makes the affidavit on behalf of CommSec and AUSIEX. As the Head of Compliance, Mr Smith's responsibilities generally included leading a team of compliance advisers providing compliance support to the CommSec and (prior to 3 May 2021) AUSIEX businesses to ensure they are aware of and comply with the relevant compliance rules, regulations, industry codes and organisational requirements. 63 Mr Smith's affidavit provided significant detail on the structure of the teams, policies, procedures and controls at CommSec designed to ensure compliance. Mr Smith also described relevant changes to these teams since the Limitation Date and enhancements that have been made to issue and incident management procedures across CommSec and the CBA group more broadly. He indicated that CommSec has established a separate team to co-ordinate implementation of the proposed court-ordered compliance plan. 64 Mr Smith then described how CommSec and AUSIEX's systems and processes applicable to the contraventions in the SOAFAC operated. He explained how the companies detected each category of the Reported Conduct, and how they internally escalated and then externally reported these issues. 65 Finally, Mr Smith addressed antecedent conduct engaged in by CommSec and AUSIEX prior to the Reported Conduct and the work undertaken by them to address that conduct. This included conduct that resulted in CommSec and AUSIEX giving an enforceable undertaking under s 93AA of the ASIC Act and conduct that resulted in CommSec and AUSIEX being parties to proceedings before the MDP.

[32]

The contraventions and the defendants' response 66 As explained above, this matter proceed by way of a detailed SOAFAC. 67 Each of CommSec and AUSIEX provided financial services to clients, including services that allowed clients to trade securities and maintain a trading account online. Most of the trades were in equities (with CommSec issuing to clients 4,588,620 equities trade confirmations in 2015, and 6,483,457 in 2019 - noting that a trade confirmation may relate to multiple trades; AUSIEX issuing 1,653,906 in 2015 and 1,871,664 in 2019), but there were also trades in exchange traded options and other financial products. 68 By reason of s 798H of the Corporations Act, in providing many of these services, CommSec and AUSIEX as participants in the relevant markets were obliged to comply with market integrity rules made by ASIC under s 798G of the Corporations Act, including the Market Integrity Rules. 69 The contraventions of the Corporations Act with which this proceeding is concerned arose in the context of CommSec and AUSIEX providing brokering and execution services to their clients, many of whom were retail clients. Clients generally placed orders online and the systems and records used to charge for the services provided and to manage related matters such as the handling of client monies and the discharge of related regulatory obligations were largely dependent on information technology systems, including (particularly in relation to client monies) third party provided systems. 70 The contravening conduct concerns a range of services and issues. 71 As identified in [4] above, the contraventions, generally speaking, fall into eight categories: (1) Brokerage Issues (CommSec); (2) Client Money Issues (CommSec and AUSIEX); (3) Trade Confirmations Issues (CommSec and AUSIEX); (4) AOP Issue (CommSec); (5) Best Execution Issue (CommSec and AUSIEX); (6) Warrant Agreement Issue (CommSec); (7) Regulatory Data Issue (CommSec and AUSIEX); (8) Failure to provide services "efficiently, honestly and fairly": s 912A(1)(a) of the Corporations Act; 72 The only issue which resulted in any actual financial detriment to customers was the Brokerage Issue, although potential financial detriment to customers may have arisen from the Best Execution Issue and Warrant Agreement Issue. To the extent any clients of CommSec or AUSIEX actually or potentially suffered a financial detriment by reason of the contravening conduct in relation to the Brokerage Issue, the Best Execution Issue and the Warrant Agreement Issue, CommSec and AUSIEX have provided compensation, including interest. With respect to the balance of the issues, CommSec and AUSIEX accept non-compliance may also give rise to potential client detriment (albeit not financial detriment) or market integrity implications. Other than in relation to the Brokerage Issue, ASIC does not allege, and there is no evidence to indicate that, any of the issues resulted in any revenue or direct benefit being derived by CommSec or AUSIEX. However, CommSec acknowledged it is possible they may have obtained benefits as a result of the AOP Issue and Best Execution Issue, in the form of trades placed that may otherwise not have been placed. 73 CommSec and AUSIEX have taken action directed toward remedying the causes of each of the issues giving rise to the contravening conduct. This has included changes to information technology systems, introduction of greater human oversight and controls, and changes to policies and procedures. CommSec and AUSIEX have entered into agreements with third-party providers which require them to provide further assurance that their services comply with the specifications required by CommSec and AUSIEX. More specifically, following identification of the Client Money Issues, CommSec and AUSIEX established Project Rampart. Following identification of the Trade Confirmation Issues, CommSec and AUSIEX established Project Umbrella. These projects are explained further in Annexure A. Since the establishment of those projects, ASIC has received some further breach reports in respect of both Client Money Issues and Trade Confirmations Issues, including as a result of the work undertaken as part of those projects. 74 CommSec and AUSIEX accept that there were inadequacies in their processes and procedures to ensure compliance with the relevant obligations. While they did have in place processes addressing operational risk and compliance, these processes were not sufficient to ensure compliance with the relevant regulatory obligations. 75 As noted at [10] above, ASIC does not allege, and there is no evidence to indicate that, any of the contraventions were deliberate, or that the conduct constituting the contraventions was conduct of senior management. 76 CommSec and AUSIEX have cooperated with ASIC in relation to these issues and voluntarily taken steps to address the issues and to remediate any client detriment. In some instances, identified below, CommSec and AUSIEX did not provide notifications to ASIC in relation to reconciliations as part of the Client Money Issue within the time period required, but have reported all of the issues and its approach to addressing them. 77 It is unnecessary, for present purposes, to repeat the detail of each of the contraventions, as set out in the SOAFAC. Suffice to say I have taken that detail into account.

[33]

ASIC's submissions 78 ASIC made submissions, inter alia, as to the nature and seriousness of each of the contraventions by issue, and the legal framework in which the contraventions occurred. In relation to each issue, ASIC made submissions as to the factual and legal bases of the contraventions and the relief sought. As previously explained, the defendants largely agree with the way ASIC has characterised the contraventions. In addition, ASIC made submissions which addressed the steps taken by CommSec and AUSIEX implementing improvements as a consequence of the contravention, and recognised factors said to be in mitigation of the conduct for the purposes of imposing penalty. 79 ASIC addressed the compliance plans to which orders are sought, pursuant to s 1101B of the Corporations Act. These plans have been developed in consultation between ASIC and each of CommSec and AUSIEX, with a view to ensuring that the systems and controls relevant to the Reported Conduct for each of CommSec and AUSIEX are reviewed to ensure compliance with relevant obligations and any ongoing deficiencies addressed. ASIC acknowledged the significant work already undertaken by each of CommSec and AUSIEX in relation to systems and processes related to the Reported Conduct, including (among other matters) pursuant to Project Rampart (in relation to Client Money Issues) and Project Umbrella (in relation to Trade Confirmations Issues). However, ASIC also noted that each of CommSec and AUSIEX have continued to file notifications with ASIC in relation to ongoing issues of a related kind to the Reported Conduct, as detailed in the McKenzie Affidavit). While ASIC noted the ongoing work being undertaken by CommSec and AUSIEX, it submitted that a compliance program in the terms agreed is necessary to address the underlying causes of the Reported Conduct and related notifications that continue to be reported by CommSec and AUSIEX. Each of CommSec and AUSIEX have consented to the proposed compliance plans and ASIC submitted that the proposed orders and compliance plans satisfy the criteria identified in ASIC v Westpac Banking Corporation (No 3). 80 ASIC identified the relevant maximum penalties for each of the contraventions, and made submissions as to what it said is the appropriate penalty for each contravention, and the basis thereof. 81 The contraventions and suggested penalties for each were conveniently summarised in a table annexed to ASIC's submissions, which is annexed to these reasons as Annexure B. 82 In summary, ASIC submitted that a substantial penalty is warranted, taking into account the extensive and systemic nature of the Reported Conduct which has affected multiple aspects of the businesses of both CommSec and AUSIEX, and the extended time period over which the contraventions took place. 83 The total of the pecuniary penalties that ASIC submitted are appropriate is as follows: (1) $28.6 million in respect of CommSec; and (2) $10.17 million in respect of AUSIEX. 84 ASIC acknowledged the Mitigating Factors, being that is that there is no evidence to indicate any of the contraventions were deliberate or the conduct of senior management, the defendants have cooperated, expressed contrition for the Reported Conduct, taken steps to remediate client detriment where suffered and to address the issues the subject of the Reported Conduct, and have agreed to ongoing compliance programs. ASIC submitted that having regard to the evidence of CommSec and AUSIEX admitted at the hearing, and the Mitigating Factors, that a 30 per cent discount to the headline penalty amounts is appropriate in this proceeding. 85 In submitting that was the appropriate discount, ASIC noted that in ASIC v National Australia Bank Limited [2020] FCA 1494 at [161], Lee J applied a 30 per cent discount to the headline penalty figure to reflect the respondent's cooperation, its early admissions and the adoption of a remediation scheme and the other mitigating factors. 86 Application of such a discount would result in pecuniary penalties of: (1) $20.02 million in respect of CommSec (to be rounded down to $20 million); and (2) $7.12 million in respect of AUSIEX. 87 ASIC submitted, these amounts appropriately reflect the totality of the wrongdoing and are proportionate to the circumstances of the case. ASIC contends penalties in the range of those submitted by ASIC are necessary to satisfy the purpose of acting as a personal and general deterrent, and to ensure that the penalty amount is not such as to be regarded by the parties or others as an acceptable cost of doing business. 88 As previously explained, ASIC also sought that various declarations be made as to the contravening conduct. The form of the declarations is set out at [1]-[5] of the Amended Originating Process.

[35]

Conduct that CommSec and AUSIEX rely on to support a discount 91 CommSec and AUSIEX accept that the Reported Conduct was serious and unacceptable. In that context it was submitted that the conduct at issue in these proceedings did not involve deliberate contraventions of the relevant obligations, but were, as described by ASIC, of a "technical nature" and generally arose from inadvertent errors. 92 In addition, each of CommSec and AUSIEX had in place significant compliance systems and risk management frameworks, policies and processes directed to ensuring compliance with their obligations. They show that CommSec and AUSIEX took compliance with regulatory obligations seriously, while accepting that more needed to be done. However, despite CommSec and AUSIEX's compliance systems and risk management frameworks and policies, and their approach to compliance generally, there were a number of specific failures of IT systems, human errors and data entry errors that led to the Reported Conduct. 93 It was submitted that the Reported Conduct occurred despite genuine and significant efforts on the part of CommSec and AUSIEX to ensure compliance with their regulatory obligations. This characterisation of both the cause of the contraventions as errors, and the attitude of CommSec and AUSIEX to compliance, is reflected by the comparatively small scale of affected customers and harm when judged against the scale of the businesses. As such, CommSec and AUSIEX accept that the fact the Reported Conduct was able to take place as it did suggests that there were inadequacies in their compliance systems and processes. In addition to rectifying systems to prevent reoccurrence of the Reported Conduct, CommSec and AUSIEX have made significant investment in risk and compliance generally, including by increasing the number of risk and compliance roles and undertaking several significant programs of work directed to upgrading existing compliance systems and controls to reduce the risk of similar conduct reoccurring. Importantly, CommSec and AUSIEX began making these improvements before the commencement of this proceeding. 94 It was submitted that in considering the seriousness of the contraventions arising from the Reported Conduct, the Court should have in mind that, with limited exceptions, the contraventions did not cause harm to customers. No customers were affected by the Client Money Issues, the AOP Issue or the Regulatory Data Issue. The Trade Confirmations Issue did affect customers, in the sense that there was a failure to send trade confirmations that contained all required information, that were accurate, or at all, but there is no suggestion that customers suffered any financial or other significant detriment by reason of those failures, including because in many instances the missing information was available from other sources. No instances of customers suffering detriments by reason of the Best Execution Issue or the Warrant Agreement Issue have been identified, although it is accepted that those issues gave rise to that possibility. For that reason, potentially affected customers have been compensated based on assumptions favourable to the customers. The Brokerage Issues involved customers being charged more than they ought to have been. It involved errors that overcharged affected customers in the order of $10 to $50 per trade for brokerage costs. Affected customers have been compensated for that overcharging. 95 It was submitted that it is appropriate for the Court to recognise the relatively small scale of financial harm done to customers through this inadvertent error, when compared to the many cases that involve deliberate overcharging, or errors that cause far greater financial detriment or remain un-remedied, while recognising the unacceptable conduct of taking fees without a lawful entitlement to do so. 96 In addition to potential customer harm, the Market Integrity Rules seek to prevent undermining of the integrity of the relevant markets. Most of the Reported Conduct had no effect on the relevant markets. While, as Mr Vacy-Lyle (Group Executive for Business Banking, CBA Group, who is responsible for the CommSec Business) accepts in his affidavit sworn 20 August 2021, some of the issues arising from the Reported Conduct, particularly the AOP Issue, Best Execution and Regulatory Data Issues, had the potential to affect the relevant markets there is no suggestion that there was any such effect. 97 Other than in the case of the Brokerage Issues, CommSec and AUSIEX did not derive any revenue or direct benefit from the Reported Conduct. While the Brokerage Issues led to increased revenue to CommSec, that increased revenue has been returned to affected customers with interest, and was not material to the operations of CommSec or AUSIEX. It was submitted that the Court can safely proceed on the basis that CommSec and AUSIEX did not retain any additional revenue derived from the Brokerage Issues, or obtain any other direct benefit from the Reported Conduct. 98 Instances of contravention of obligations concerning client monies inevitably give rise to concerns that client moneys were misappropriated or lost. CommSec and AUSIEX submit that is not this case in this proceeding. Rather, the funds the subject of the Client Money Issues always remained in CommSec or AUSIEX accounts, albeit in the limited cases of trust account deficiencies, the funds were kept in general accounts mixed with non-trust funds. No clients suffered any detriment by reason of those issues. Further, in many instances, the Client Money Issues actually related to surpluses in relevant trust accounts. In the case of AUSIEX, all of the Client Money Issues involved a surplus in relevant trust accounts. 99 Finally, while it is apparent that there were many individual instances of the Reported Conduct, that occurred in the context of the large volume of business conducted by CommSec and AUSIEX. Further, many of the individual instances of contravention stemmed from single errors. For the most part, the Reported Conducted affected relatively low proportions of relevant customers and transactions. Where the harm caused by the issues is capable of a dollar quantification, the vast bulk involved relatively low amounts. 100 It was submitted that both CommSec and AUSIEX have demonstrated sincere contrition for the conduct the subject of these proceedings, a matter ASIC accepts. CommSec and AUSIEX's contrition has been demonstrated in a number of ways, including explicit statements by senior officers of each company, as well as through the actions taken in response to the identification of the issues and the conduct of CommSec and AUSIEX in its dealings with ASIC and their conduct of this proceeding. CommSec and AUSIEX highlighted the relevant evidence in that regard. It was submitted that contrition is also demonstrated by their early admissions of contravention and cooperation with ASIC. 101 CommSec and AUSIEX submitted that their willingness and commitment to address any remaining inadequacies is demonstrated by their agreement to enter into a court-ordered compliance program. It was submitted that a key aspect of the compliance plan is the appointment of an independent expert, who will be approved by ASIC, to review the adequacy and effectiveness of CommSec's and AUSIEX's systems and controls generally. The compliance program was the subject of negotiation and is comprehensive. 102 The defendants observed that ASIC accepts that the detailed compliance plans to which CommSec and AUSIEX have agreed are designed to ensure that any outstanding issues are addressed. This should give the Court comfort that the limited number of instances in which CommSec and AUSIEX have reported further instances similar to the Reported Conduct are unlikely to reflect ongoing issues, and that the penalties to be awarded in this case do not need to be fashioned so as to provide specific deterrence for the repetition of the Reported Conduct; CommSec and AUSIEX, in undertaking the compliance program, are doing what they can to prevent that occurring, in a manner approved by ASIC. 103 A key aspect of the compliance plan is the independent expert's review of the adequacy and effectiveness of CommSec's and AUSIEX's systems and controls generally. Systems and controls include matters such as technology and technological governance, oversight function, control mechanisms, processes and policies, human resources, skills and competencies, and operational risk management. 104 CommSec and AUSIEX also addressed other factors relevant to penalty, including the following. 105 As to the involvement of senior management, CommSec and AUSIEX submitted that there was no suggestion that the Report Conduct arose from the conduct of senior management of CommSec or AUSIEX or that they permitted the conduct to take place or continue. Rather, the compliance systems in place at the time and the improvements made to those systems during the period of the Reported Conduct suggest that CommSec's and AUSIEX's senior management were and remain committed to ensuring compliance with regulatory obligations. However, CommSec and AUSIEX accept that the fact that the Reported Conduct occurred is reflective of a failure of the systems put in place to meet that commitment. There have been relevant changes to the board or senior management of CommSec and AUSIEX since the contravening conduct occurred. 106 As to remediation, CommSec and AUSIEX submit and ASIC agrees that to the extent any of the conduct did, or had the potential to, cause a financial detriment to customers, they have been compensated with interest. It was submitted that this was done on bases favourable to the potentially affected customers and that CommSec took a proactive approach to remediating customers. 107 CommSec and AUSIEX provided considerable detail on the historical compliance systems and governance structures and submitted that the Court ought to find that CommSec and AUSIEX had in place governance structures, policies and procedures, controls and infrastructure designed to ensure compliance with their regulatory obligations. The extent of this internal structure supports a finding that CommSec and AUSIEX were genuinely committed to compliance with their regulatory obligations. 108 It was submitted that in addition to specific actions taken to rectify issues arising from the Reported Conduct, each of CommSec and AUSIEX have taken a number of steps to improve their risk management and compliance arrangements generally. Many of these steps commenced well before ASIC brought these proceedings. Again, detailed submissions and evidence were addressed to the steps taken. 109 It was submitted that CommSec and AUSIEX have cooperated with ASIC in respect of the Reported Conduct. Their cooperation included self-reporting almost all of the relevant conduct and explaining to ASIC the approach being taken to address the issues. The cooperation shown by CommSec and AUSIEX has dramatically reduced the expense and time required to be dedicated to these issues by both ASIC and the Court. 110 In respect of each of the contravention issues referred to in [4] above, CommSec and AUSIEX addressed, inter alia, the steps taken to escalate the issues within management once they had been identified and other mitigating factors including for some issues the compliance systems that had existed and any improvements to those systems and processes. It is unnecessary to repeat the detail of those submissions. 111 In addition, in relation to the Trade Confirmations Issues, CommSec addressed the prior instances on which it has been the subject of proceedings before the MDP for contraventions of r 3.4.1 of the Market Integrity Rules. It submitted there was only one such proceeding that relevantly concerned trade-confirmation issues, provided details and described what had been done to improve the systems as a result. CommSec also addressed ASIC's apparent reliance on the conduct at issue in another proceeding before the MDP, namely proceeding MDP15/14, as relevant antecedent conduct, but submitted that conduct did not involve trade confirmations and bears little similarity to any of the Reported Conduct. CommSec also noted that compliance within an infringement notice is not an admission of guilt and does not mean that CommSec or AUSIEX is to be taken to have contravened s 798H of the Corporations Act: Corporations Regulations 2001 (Cth), r 7.2A.10(2)(d), (e). 112 CommSec and AUSIEX ultimately submitted that: (1) the declaratory relief sought by ASIC ought to be granted; (2) the penalties agreed by the parties ought to be imposed; and (3) the compliance programs sought by ASIC ought to be ordered.

[36]

Consideration 113 Having considered the facts as agreed, the submissions of the parties, the evidence relied on by CommSec and AUSIEX, the contraventions and relevant principles, I am satisfied that it is appropriate to order the pecuniary penalties in the amount agreed, make the declarations sought and order the compliance program. 114 It is readily apparent from the submissions of ASIC and CommSec and AUSIEX, that they have given close and careful consideration to the relevant issues, with one of the parties being ASIC, a specialist regulator, to the appropriate declarations, orders and pecuniary penalties. In that context, in DFWBII the High Court at [60]-[61] noted the relevance of the fact that submissions were being advanced by a specialist regulator able to offer "informed submissions as to the effects of contravention on the industry and the level of penalty necessary to achieve compliance", albeit that such submissions will be considered on the merits in the ordinary way. 115 The number, breadth and duration of the Reported Conduct is significant and indicates that CommSec and AUSIEX did not have adequate systems and processes in place to ensure compliance with their relevant obligations under their AFSLs and pursuant to the Market Integrity Rules and consequently, the Corporations Act (and additionally for CommSec, the ASIC Act). The conduct is properly characterised as being extensive and systematic, occurring over an extended period of time, which affected multiple aspects of the businesses of both CommSec and AUSIEX. 116 I accept ASIC's submission that a substantial penalty is warranted. 117 It should be recalled that it is important to impose a penalty of sufficient size to act as a strong deterrent to ensure CommSec and AUSIEX and others do not treat the risk of non-compliance as a mere cost of doing business. 118 In the circumstances of this case, the agreed penalty is appropriate as reflecting the seriousness of the contravention, yet recognising the mitigating factors present, including that there is no evidence to indicate any of the contraventions were deliberate or the conduct of senior management, CommSec and AUSIEX have cooperated with ASIC and in this proceeding, expressed contrition for the Reported Conduct, taken steps to remediate client detriment where suffered and to address the issues the subject of the Reported Conduct including agreeing to ongoing compliance programs. I accept those mitigating factors. I also recognise CommSec's and AUSIEX's acknowledgement that the contraventions are serious and unacceptable. 119 Where the Court is persuaded by the accuracy of the parties' agreement as to facts and consequences, and that the agreed penalty proposed is an appropriate remedy in all the circumstances, as in this case, it is highly desirable in practice for the Court to accept the parties' proposal and therefore impose the proposed penalty: Volkswagen at [124]-[129]. 120 Nonetheless, this Court must impose a penalty that is appropriate. I am satisfied the agreed penalty of $20 million with respect to CommSec and $7.12 million with respect to AUSIEX, in the circumstances, satisfies the significant element of deterrence required in this proceeding. It carries with it a sufficient sting to ensure that the penalty amount is not such as to be regarded by the parties or others as an acceptable cost of doing business. Weighing all the relevant factors, bearing in mind the protective and deterrent purpose of a pecuniary penalty, as applied to the facts of this case, I am satisfied that agreed penalty is appropriate. 121 These proceedings are a matter of public interest, and the circumstances of the contraventions call for marking of the Court's disapproval of the conduct. Consequently, the declarations sought have significant utility. I am satisfied that it is in the interests of justice to make the declarations sought. Given the circumstances of the contraventions, and the terms of the compliance program, I am also satisfied that the orders sought with respect to the compliance programs, should be made. 122 I will make the declarations and other orders in the form agreed by the parties. I certify that the preceding one hundred and twenty two (122) numbered paragraphs are a true copy of the Reasons for Judgment of the Honourable Justice Abraham.

At a glance

Court

Decision date

Before

Source

Judgment (36 paragraphs)

Parties

Legislation Cited (7)

Cases Cited (51)

Cited By (2)