Australia

General context, key principles and hot topics

1 Identify the highest-profile corporate investigation under way in your country, describing and commenting on its most noteworthy aspects.

Inquiries into licensing suitability and the regulatory framework in the gaming industry have dominated headlines in 2021, bringing with them allegations of money laundering and poor governance. An independent inquiry in New South Wales was followed by Royal Commissions in Western Australia and Victoria, along with a multi-jurisdictional investigation by the Australian Transaction Reports and Analysis Centre (AUSTRAC) into all of Australia’s major casino operators.

The broadening focus emphasises that Australian regulators are now heavily focused on due diligence, the adequacy of compliance frameworks and money laundering accountability with AUSTRAC, noting the link between these areas and organised crime groups or national security interests.

2 Outline the legal framework for corporate liability in your country.

Under Australian law, offences committed by ‘a person’ will, unless specifically excluded, include a corporation (including those offences punishable by imprisonment). At a federal level, criminal liability is generally established if both physical and fault elements are proven. Fault elements include intention, knowledge, recklessness and negligence. In the case of strict or absolute liability offences, there are exceptions to the proof of fault elements. These offences are more commonly pursued against a corporation.

If a fault element is required to be proved against a corporation, it may be shown in a variety of statutorily defined ways, including by proof that a corporation failed to maintain a corporate culture of compliance.

State and territory law equivalents exist in a variety of legislative forms.

3 Which law enforcement authorities regulate corporations? How is jurisdiction between the authorities allocated? Do the authorities have policies or protocols relating to the prosecution of corporations?

Regulation of Australian companies is principally done at federal level, with some limited involvement by state and territory regulators primarily relating to fraud, theft or private sector bribery. There is a broad range of law enforcement agencies that have authority to investigate corporations, including, but not limited to, the following:

  • Australian Securities and Investments Commission (ASIC), an independent statutory body that enforces and administers the Corporations Act 2001 (Cth), which is the main corporations legislation in Australia;
  • Australian Prudential Regulation Authority (APRA), a statutory body that supervises the banking, insurance and superannuation bodies;
  • Australian Competition and Consumer Commission (ACCC), which regulates the interaction between consumers and businesses;
  • Australian Criminal Intelligence Commission, which investigates national serious and organised crime, such as cybercrime;
  • Australian Federal Police (AFP), which investigates and enforces cross-border crime, including fraud, drug trafficking, organised crime, money laundering, foreign bribery and corruption, and people smuggling;
  • Australian Taxation Office, which enforces compliance with Australia’s taxation legislation;
  • AUSTRAC, which regulates and enforces cross-border financial transactions; and
  • Commonwealth Director of Public Prosecutions, which prosecutes federal criminal misconduct based on referrals from investigatory bodies.

Australian regulatory bodies generally coordinate their efforts so as to share information and intelligence-gathering powers (subject to certain restrictions). In the event of serious criminal allegations, it is common for two or more regulatory authorities to be involved. For example, search warrants executed by the AFP may be attended by members of ASIC in the case of corporate crime allegations. Joint task forces, such as the Serious Financial Crime Taskforce housed with the AFP, have been established to streamline and consolidate information sharing, investigation and reporting lines in Australia.

4 What grounds must the authorities have to initiate an investigation? Is a certain threshold of suspicion necessary to trigger an investigation?

Regulators have wide-ranging statutory investigatory powers. The trigger point is generally suspicion of a breach of legislation within a regulator’s jurisdiction. For example, an investigation under section 13 of the ASIC Act 2001 (Cth) will be commenced if ASIC thinks it expedient for the due administration of corporation legislation and when it has reason to suspect that a contravention may have been committed. The degree of suspicion is not defined but, generally, the threshold is low.

5 How can the lawfulness or scope of a notice or subpoena from an authority be challenged in your country?

A company should carefully consider the scope of a notice or subpoena and any grounds for objecting to it, including whether it has been properly issued, whether the information sought is clearly defined and relevant, and whether the request is oppressive or unreasonable, particularly in relation to the time for compliance. Any concerns should be raised directly with the law enforcement authority to ascertain whether clarity or revision of the notice is appropriate. Otherwise, parties can make an application to the court to set aside the notice or subpoena. Challenges to the issue of certain notices, such as search warrants, are often more difficult to achieve, as the basis for their issue cannot be readily ascertained, with authorities generally claiming public interest immunity over this information.

6 Does your country make use of co-operative agreements giving immunity or leniency to individuals who assist or co-operate with authorities?

Australian regulators have significantly changed their approach to immunity and leniency in recent years. In addition to the traditional prosecution policy indemnity applications, regulators such as the ACCC and ASIC have adopted immunity policies to formally confer a benefit to those who wish to co-operate with authorities. The ACCC has a ‘first past the post’-style policy that provides immunity to the individual or corporation who is first to disclose cartel conduct and co-operate fully with the investigation. In 2021, ASIC made an immunity policy available to individuals (not corporations) involved in market misconduct, providing immunity from criminal prosecution and civil penalties.

As to leniency, sentencing for criminal conduct is entirely at the discretion of the court. The High Court’s decision in Barbaro v. The Queen made it clear that a prosecuting body cannot make submissions to the court regarding a preferred sentence or penalty range. More flexibility is provided for negotiated outcomes in civil penalty proceedings.

ASIC issued an Information Sheet (INFO172) in February 2021 outlining the benefits of co-operation, and its approach is similar to other federal agencies.

7 What are the top priorities for your country’s law enforcement authorities?

AUSTRAC has emerged as a key law enforcement agency in recent years, with Australian regulators focused clearly on money laundering and corporate governance systems and compliance. Covid-19 lockdowns have contributed to this as an increasing risk. Other areas linked to covid-19 issues are likely to include consideration of both cryptocurrency and ‘buy now, pay later’ regulation limitations.

The fallout from the Financial Services Royal Commission can still be seen in an increased focus on corporate culture, including executive accountability.

8 To what extent do law enforcement authorities in your jurisdiction place importance on a corporation having an effective compliance programme? What guidance exists (in the form of official guidance, speeches or case law) on what makes an effective compliance programme?

A number of enforcement authorities provide guidance to companies regarding compliance programmes, including ASIC, the Australian Securities Exchange (ASX) and the AFP. Guidance is publicly available via regulator websites, examples including the ‘ASX Corporate Governance Principles and Recommendations’ and ASIC’s ‘Director and officer oversight of non-financial risk report’. Further guidance can also be found in recent enforceable undertakings entered into between APRA and corporate entities as a result of concerns about weaknesses in risk culture, risk governance and risk management.

Specific guidance on aspects of compliance programmes can be found in regulatory policies, such as for credit licensees or those who need to have compliant whistleblowing policies.

The introduction of new legislation, including an offence of failing to prevent foreign bribery and a corresponding defence that adequate procedures are in place, will further necessitate a comprehensive compliance programme. Comprehensive guidance will be provided by the Attorney General’s Department as to what this programme looks like.

Cyber-related issues

9 Does your country regulate cybersecurity? Describe the approach of local law enforcement authorities in your country to cybersecurity-related failings.

Cybersecurity is legislated at both federal level and state and territory level through various legislative frameworks relating specifically to cybersecurity and more broadly to data protection and privacy. The Australian Cyber Security Centre (ACSC) leads Australian efforts to improve cybersecurity and sits within the Australian Signals Directorate. To further these efforts, the Joint Cyber Security Centre, established by the ACSC, brings together business, government, academia and other key partners. Cybersecurity incidents are reportable to the ACSC.

The Office of the Australian Information Commissioner (OAIC) regulates privacy and freedom of information. Suspected or actual data breaches involving personal information as a result of cybersecurity incidents are reportable in certain instances to the OAIC under the Notifiable Data Breaches Scheme.

In March 2019, the Australian government announced an intention to increase penalties under the Privacy Act 1988 (Cth) (the Privacy Act) from A$2.1 million to A$10 million or 10 per cent of the company’s annual domestic turnover, expand the OAIC’s scope to ensure breaches are addressed and add further protections to certain vulnerable groups. Delay in implementing these amendments has been attributed to the government’s current focus on responding to the covid-19 pandemic.

For entities regulated by the Australian Prudential Regulation Authority (APRA), obligations can be found in Prudential Standard CPS 234, which states that notification of an ‘information security incident’ must be made no later than 72 hours after the incident has been discovered. Further, an entity must notify APRA within 10 business days of becoming aware of a ‘material information security control weakness’ that the entity is unable to rectify.

10 Does your country regulate cybercrime? What is the approach of law enforcement authorities in your country to cybercrime?

Legislation regulates computer-related and internet-related offences, such as unlawful access and computer trespass, and creates investigation powers and criminal offences designed to protect the security, reliability and integrity of computer data and electronic communication. New federal legislation, the Online Safety Act 2021 (Cth), was introduced in July 2021 and introduces an adult cyber abuse system that removes content posted with the likely intention of causing serious harm. The Act also enhances child cyberbullying protections and the process of removing abusive imagery from the internet.

Since March 2013, Australia has been a member of the Council of Europe Convention on Cybercrime, which addresses both domestic and international responses to cybercrime.

Cross-border issues and foreign authorities

11 Does local criminal law have general extraterritorial effect? To the extent that extraterritorial effect is limited to specific offences, give details.

Criminal law generally has extraterritorial effect, provided there is an appropriate nexus to Australia. Conduct must have been either wholly or partly undertaken within Australia. Foreign entities who do business in Australia, or who have Australian subsidiaries or associated entities, will fall within Australian laws as regards conduct in Australia. For example, if a foreign entity is conducting business in Australia through a subsidiary and the subsidiary breaches Australia’s laws, both might possibly be charged (depending on the applicable facts): the subsidiary for a breach of domestic laws and the foreign entity for directly breaching domestic laws or aiding and abetting the breach.

12 Describe the principal challenges that arise in your country in cross-border investigations, and explain whether and how such challenges depend on the other countries involved.

Australia has entered into mutual assistance treaties with numerous countries in a bid to facilitate information sharing and to expedite investigations. There are also information-sharing arrangements with certain jurisdictions, and therefore a formal request for mutual assistance is not always required. Examples include tax information exchange agreements, agreements forged under the international foreign bribery taskforce and the coordinated approach named ‘Five Eyes’, which includes Australia, Canada, New Zealand, the United Kingdom and the United States. However, challenges arise when there are inconsistent approaches to an investigation by regulators. Legislative requirements as to the limitations on gathering or sharing of evidence, the integrity of investigators and the reliance on compulsory powers can present issues in cross-border matters.

13 Does double jeopardy, or a similar concept, apply to prevent a corporation from facing criminal exposure in your country after it resolves charges on the same core set of facts in another? Is there anything analogous in your jurisdiction to the ‘anti-piling on’ policy as exists in the United States (the Policy on Coordination of Corporate Resolution Penalties) to prevent multiple authorities seeking to penalise companies for the same conduct?

A person or corporation cannot be tried twice for the same alleged breach of Australian legislation. There is no prohibition in Australia against being prosecuted by multiple authorities where alleged contraventions of the law span the jurisdiction of multiple regulatory agencies; however, there is usually coordination between jurisdictions and agencies, to ensure prosecutions remain in the public interest.

Double jeopardy does not apply internationally. If offending has traversed multiple jurisdictions, a defendant can be charged with an offence under Australian legislation despite having concluded proceedings of a similar nature in another country. A guilty plea or a negotiated outcome in another jurisdiction, however, may affect the investigation, charge or sentencing in Australia.

There is nothing expressly analogous in Australia to the ‘anti-piling on’ policy in the United States.

14 Are ‘global’ settlements common in your country? What are the practical considerations?

Global settlements are not common, per se. Ordinarily, any negotiations regarding settlement in Australia will take into account the settlements or negotiations for them in other jurisdictions.

15 What bearing do the decisions of foreign authorities have on an investigation of the same matter in your country?

Given the co-operation mechanisms available to Australian regulators (such as mutual assistance agreements and the International Organization of Securities Commissions’ Multilateral Memorandum of Understanding), it is possible to conduct concurrent investigations in multiple jurisdictions regarding the same factual matters. It is usual for one or more Australian investigatory bodies to coordinate domestically and with international investigatory bodies. A coordinated effort will usually result in one regulator taking the lead in an investigation and other jurisdictions supporting its efforts to round out the information gathering. This is not always the case, however, and therefore strategic calls as to regulatory co-operation may need to be made quickly in a variety of jurisdictions.

Economic sanctions enforcement

16 Describe your country’s sanctions programme and any recent sanctions imposed by your jurisdiction.

The administration and implementation of Australia’s sanctions laws is carried out at federal level by the Department of Foreign Affairs and Trade (DFAT). From 1 January 2020, the Australian Sanctions Office, part of DFAT, became the national sanctions regulator. There is a dedicated sanctions portal, Pax, which encourages Australians to ask about sanctions, request assessments or apply for permits. Sanctions are implemented in accordance with (1) the United Nations Security Council (UNSC) regime and (2) an autonomous, Australia-specific sanctions regime. DFAT has the power to issue a sanctions permit, should it be suitable, which will allow an importer or exporter to undertake activity that would otherwise contravene a sanction imposed in Australia. A full list of Australia’s sanctions regimes is publicly available and it is expected that individuals and companies doing business in Australia should make their own enquiries to ensure compliance.

Sanctions against both individuals and entities are constantly being updated. In April 2019, Australia imposed sanctions on the direct or indirect supply, sale or transfer to the Central African Republic of arms or related materials without the issuance of a sanctions permit. In March 2019, Australia issued autonomous ‘financial sanctions and travel bans on seven Russian individuals for their role in the interception and seizure of Ukrainian naval vessels’. In February 2020, a number of individuals were included in financial sanctions and travel bans as ‘elected’ members of the Republic of Crimea and Sevastopol.

17 What is your country’s approach to sanctions enforcement? Has there been an increase in sanctions enforcement activity in recent years, for example?

Australia is obliged to closely follow the UNSC in relation to enforcement of sanctions. Contraventions are enforceable against Australian individuals and companies, and certain sanctions will have effect irrespective of whether the activities have taken place in Australia or overseas. The Australian government has successfully prosecuted a number of companies for sanctions violations. A small number of Australian individuals have also been charged, including one who was convicted of breaching sanctions laws in 2021 in respect of activities in North Korea. He was sentenced to three and a half years’ imprisonment.

In recent times, there has been discussion as to whether sanctions enforcement should also more readily incorporate the Australian Transaction Reports and Analysis Centre, which regulates cross-border monetary transactions, including money laundering and the financing of terrorism.

18 Do the authorities responsible for sanctions compliance and enforcement in your country co-operate with their counterparts in other countries for the purposes of enforcement?

DFAT may consult other government agencies, other countries or the Sanctions Committee of the UNSC on a range of issues, including in consideration of whether to agree to a sanctions permit.

Australia is also a member of the Financial Action Task Force (FATF), which is the global money laundering and terrorist financing regulatory body setting international standards with the aim of preventing global money laundering and terrorism financing. FATF recommendations have included the need for implementation of targeted financial sanctions as critical to combat these illicit activities.

19 Has your country enacted any blocking legislation in relation to the sanctions measures of third countries? Describe how such legislation operates.

Australia currently does not have blocking legislation in relation to sanctions measures taken by third countries.

20 To the extent that your country has enacted any sanctions blocking legislation, how is compliance enforced by local authorities in practice?

Not applicable.

Before an internal investigation

21 How do allegations of misconduct most often come to light in companies in your country?

There are a number of ways in which misconduct can be brought to the attention of a company, including the following:

  • The Australian Securities and Investments Commission (ASIC) conducts a preliminary investigation into every allegation of misconduct to assess whether further action is required. ASIC may be made aware of suspected contraventions by shareholders, media reports or whistleblowers.
  • Whistleblower legislation requires that certain companies have whistleblower policies in place that include avenues for employees to report suspected misconduct. These reports may trigger internal investigations or investigations by ASIC. In 2019, following enhancements to whistleblower legislation and protection, ASIC established the Office of the Whistleblower. Further, companies will often have policies and practices in place, such as audit procedures or due diligence requirements, which may bring to light misconduct. Australian companies, often with operations, parent or subsidiary companies overseas, generally work towards international best practice.
  • The Australian Transaction Reports and Analysis Centre monitors international transactions and transactions of A$10,000 (or more) and will investigate any suspicious transactions under anti-money laundering and counter-terrorism legislation. It is mandatory to report suspicious transactions (such as money laundering, terrorism financing, operating under a false identity, tax evasion or the proceeds of crime) within 24 hours if the transaction relates to terrorism, or otherwise within three business days.
  • The Australian Securities Exchange (ASX) monitors share trading in publicly listed companies and can inquire into suspicious activities, including spikes in trading volume or share price. The ASX can refer suspected contraventions (such as insider trading) to ASIC for further investigation.
  • Since 2018, the Financial Services Royal Commission has been a significant source of reporting of misconduct in the Australian financial services industry. Regulatory activity has increased as a result, including the institution of court proceedings and a number of high-profile settlements with regulators such as ASIC.

Information gathering

22 Does your country have a data protection regime?

The Privacy Act 1988 (Cth) (the Privacy Act) regulates the handling of personal information and the Australian Privacy Principles (APPs) provide guidelines for dealing with such information. The Notifiable Data Breaches scheme, established through the Privacy Act, obliges entities to notify individuals whose personal information is the subject of a data breach and the Office of the Australian Information Commissioner (OAIC), when it is likely the breach will result in serious harm.

23 To the extent not dealt with above at question 9, how is the data protection regime enforced?

The data protection regime is enforced through the OAIC. The Privacy Act confers powers on the Commissioner to facilitate compliance with best practice. The OAIC’s preferred regulatory approach is to facilitate compliance and prevent breaches, although it also has investigative and enforcement powers. In December 2020, the OAIC made a submission as part of the Privacy Act Review being undertaken by the Attorney General’s Department, advocating for greater enforcement powers, organisational accountability and greater interoperability. A discussion paper, including possible reforms of the Privacy Act, was released in 2021, seeking feedback by early 2022.

24 Are there any data protection issues that cause particular concern in internal investigations in your country?

The APPs regulate how personal information is collected and used. If an entity investigates the actions of an employee, it must be careful that any personal data is collected in accordance with these principles. A heightened level of protection attaches to sensitive information, such as a person’s religious beliefs, sexual orientation or health information. Entities must comply with their legal obligations, particularly those that require an employee to be notified that personal data has been collected. It is also important to consider any implications of cross-border transfer of personal information and the interplay with legal obligations in other jurisdictions, which at times can be stricter than those in Australia.

25 Does your country regulate or otherwise restrict the interception of employees’ communications? What are its features and how is the regime enforced?

Employers are bound by contractual arrangements with employees, which often specify the rights an employer has over communications made during the course of employment. Interception of employment-based communications can be triggered by an internal investigation or well-founded suspicion of a contravention of company policy or legal obligations. Interception of personal, non-work-associated communications is governed by strictly applied privacy and telecommunications legislation and is likely to be illegal if beyond the scope of the employment arrangement and without consent.

Dawn raids and search warrants

26 Are search warrants or dawn raids on companies a feature of law enforcement in your country? Describe any legal limitations on authorities executing search warrants or dawn raids, and what redress a company has if those limits are exceeded.

Generally, the Australian Federal Police (AFP) executes search warrants on behalf of Commonwealth agencies. If an investigation is being conducted by another regulatory body, AFP officers may attend with officers of that regulatory body. Warrants contain information as to the restrictions on entry time, dates and the evidence that can be gathered during the execution of the search warrant, which may include hard copies of documents as well as stored communications (such as computer hard drives or mobile phones). Defendants are entitled to observe the search being undertaken, to have legal representatives present and to request an itemised list of the property seized, and have a right to challenge the warrant’s validity.

Legislation introduced in 2020, known as the Stronger Regulators Act, has strengthened the search warrant powers of the Australian Securities and Investments Commission (ASIC) by allowing the Commission to seize evidential materials, instead of the more restrictive ‘books’ under previous legislation, if the evidential materials are seized in connection with an indictable offence. Further, once materials have been seized, they can now be used for civil penalty proceedings, not just criminal proceedings.

27 How can privileged material be lawfully protected from seizure during a dawn raid or in response to a search warrant in your country?

Defendants may claim legal professional privilege (LPP) over materials seized during a legitimate search. Practically, this may mean the materials are sealed and delivered to the relevant court registry or regulator to await resolution of any disputed privilege claim by litigation or negotiation. The mere seizure of material without it being read does not constitute a waiver of privilege.

For disclosures to ASIC, companies can agree to enter into a voluntary confidential legal professional privilege disclosure agreement, which would provide ASIC with privileged documentation, without waiving privilege over those documents. This may be particularly useful for companies seeking a co-operative approach with the regulator but wanting to reduce the risk of losing the rights available to them. The efficacy of ASIC’s voluntary disclosure agreement has not been tested in the courts.

28 Under what circumstances may an individual’s testimony be compelled in your country? What consequences flow from such compelled testimony? Are there any privileges that would prevent an individual or company from providing testimony?

During an investigation by a regulator, an individual can usually be compelled to give evidence in an examination. The individual cannot refuse to answer questions on the basis that those answers may tend to incriminate him or her. However, the individual can claim privilege against self-incrimination, meaning that the investigatory body cannot use the evidence gathered as an admission by the individual. Some regulatory bodies can derivatively use the information gathered during these types of examinations.

In a litigation context, an accused person has a right to claim privilege against self-incrimination or self-exposure to penalty, which means that they cannot be required to give evidence during proceedings against them. An exception to this is if the accused, or a witness, is asked to give evidence on a topic that is not the subject of the trial but would tend to incriminate them in other proceedings. The witness can seek a certificate, under section 128 of the Evidence Act 1995 (Cth) or the state-based equivalent, which, in essence, compels an answer but protects the witness from self-incrimination. A witness may object to giving evidence in proceedings if the response would tend to prove that the witness had committed an offence under Australian or foreign laws, or make him or her liable to a civil penalty.

Whistleblowing and employee rights

29 Describe the whistleblowing framework in your country. What financial incentive schemes exist for whistleblowers? What legal protections are in place for whistleblowers?

Whistleblower protections are captured under the Corporations Act 2001 (Cth) (the Corporations Act) and apply to both current and former employees within a defined list of roles. The legislation outlines the reporting lines and the role of a corporation in affording protections to whistleblowers. It is a strict liability offence for certain companies not to have a company policy relating to whistleblowing.

There is no financial incentive programme in Australia for whistleblowers.

Corporate whistleblowers who provide information to the Australian Securities and Investments Commission (ASIC) about contraventions of the Corporations Act are granted three main legal protections, which are that:

  • their identity and the information given cannot be disclosed unless authorised by law;
  • they are protected against civil or criminal liability for making the disclosure (e.g., for defamation); and
  • they are protected against being victimised for making their disclosure.

ASIC has provided industry guidance, under Regulatory Guide 270, to assist companies in understanding the requirements for a whistleblower policy and providing guidance on good practice for implementing and maintaining their policies.

30 What rights does local employment law confer on employees whose conduct is within the scope of an investigation? Is there any distinction between officers and directors of the company for these purposes?

Under the Fair Work Act 2009 (Cth), certain employees are protected against unfair dismissal. In the event of an internal investigation, certain omissions by the employer may violate the right against unfair dismissal, including failing to provide the employee with a support person. The employee has a right to be given information relating to the allegations against him or her and adequate time to respond.

Under the Corporations Act, officers and directors are subject to significantly higher standards of conduct. Contravention of these duties may attract significant penalties, disqualification or imprisonment.

31 Do employees’ rights under local employment law differ if a person is deemed to have engaged in misconduct? Are there disciplinary or other steps that a company must take when an employee is implicated or suspected of misconduct, such as suspension or in relation to compensation?

If an employee has engaged in misconduct, his or her rights will depend on the precise nature of the misconduct. For example, an internal finding of serious misconduct may constitute valid grounds for dismissal. However, a finding of serious misconduct by law enforcement may constitute an offence, and the employee’s rights would depend on the associated laws.

There are no express requirements for employers to impose disciplinary or other steps if an employee is suspected of misconduct.

If ‘serious misconduct’ is established, the employee’s contract of employment may be immediately terminated. The Fair Work Regulations 2009 (Cth) define ‘serious misconduct’ as including wilful or deliberate behaviour that causes serious or imminent risk to the health or safety of employees or reputation to business; examples include theft, fraud, assault, being intoxicated at work, or refusing to carry out lawful and reasonable instructions.

32 Can an employee be dismissed for refusing to participate in an internal investigation?

Mere refusal to participate in an internal investigation is unlikely to constitute valid grounds for dismissal. However, an employee may open himself or herself up to grounds for dismissal if the refusal is deemed to be a breach of a reasonable direction given by the employer.

Commencing an internal investigation

33 Is it common practice in your country to prepare a document setting out terms of reference or investigatory scope before commencing an internal investigation? What issues would it cover?

It is common to set out the scope of an investigation before it commences, although this is not mandatory. Consideration should be given to any regulatory compliance obligations, including reporting obligations. It is common for a board of directors to refer an internal investigation to an external adviser, such as a law firm, particularly if the board has concerns about litigation and risk management and would like the investigation to be covered by legal professional privilege.

Terms of reference, if prepared, should outline the key allegations or concerns, define the sources of information that it is proposed should be gathered during the investigation, and identify who will report on the findings or recommendations of the investigation and the recipient of the report.

34 If an issue comes to light prior to the authorities in your country becoming aware or engaged, what internal steps should a company take? Are there internal steps that a company is legally or ethically required to take?

When a company becomes aware of potential issues, an investigation should be undertaken to identify the nature and extent of any misconduct. Care should be taken in setting up the investigation, including to ensure that communications are confidential and privileged to the extent possible.

A company may be obliged to report to regulators in relation to certain breaches, or may elect to self-report or seek immunity. Legal advice should be sought prior to making such decisions as the consequences may be serious. Guidelines are available for various breaches, such as foreign bribery and breaches of licences.

A company should work towards containing the breaches and, as far as possible, secure complete cessation of the offending behaviour. Evidence of the suspected breaches should not be destroyed and document preservation notices should be issued in appropriate circumstances. Any dismissal or discipline of individuals suspected to have participated in the misconduct should be carefully managed and based on legal advice.

35 What internal steps should a company in your country take if it receives a notice or subpoena from a law enforcement authority seeking the production or preservation of documents or data?

Compulsory document production notices must be strictly complied with as it is a criminal offence not to do so without a reasonable excuse. The notice may be addressed to an individual or the ‘appropriate officer’ within the company. The named individual does not have to coordinate the response but they should be kept informed as they may be held personally liable for any non-compliance. It is usually advisable to seek legal advice regarding notices and often advisers can become a point of contact with the regulatory agency. For smaller organisations, such an approach may alleviate the need for persons of interest in the investigation to liaise directly with investigators and avoid unwittingly waiving fundamental rights that could attach to that status.

It is necessary to make ‘reasonable endeavours’ to respond to a notice. A structured approach to the collation and production of materials should be taken, including where data will be sourced, relevant individuals or custodians of data, document preservation, and how the documents will be collated and stored to preserve original documents and metadata. A subpoena, requiring production of documents to a court, must also be complied with. The same considerations should be made by a company issued with a subpoena to produce.

36 At what point must a company in your country publicly disclose the existence of an internal investigation or contact from a law enforcement authority?

If the internal investigation is confidential, there is no requirement for a company to disclose the existence of the investigation publicly. Disclosure may be desirable or required if it is not possible for the conduct to be contained or if media or market speculation needs to be addressed. If the company is being investigated by regulators, disclosure will often depend on the preferred approach of that regulator. It is usual for regulators to ask that disclosure of the fact of their investigation not be made public unless mutually agreed. However, continuous disclosure obligations for listed companies must also be considered to the extent that they apply.

Private companies have no legislative obligation to disclose the existence of an internal investigation or contact from law enforcement.

37 How are internal investigations viewed by local enforcement bodies in your country?

An efficiently run internal investigation may be welcomed by the regulator, particularly if it leads to self-reporting. In some circumstances, a regulator may ask the corporate entity to undertake the first stage of the investigation. If an internal investigation is running concurrently with a regulator’s investigation, co-operation in expediting the process and ultimate outcome is encouraged.

Attorney–client privilege

38 Can the attorney–client privilege be claimed over any aspects of internal investigations in your country? What steps should a company take in your country to protect the privilege or confidentiality of an internal investigation?

Communications made for the dominant purpose of giving or receiving legal advice, or regarding the provision of professional legal services for existing or contemplated litigation, can be subject to a legitimate claim for legal professional privilege (LPP). If there is more than one purpose relating to an investigation, it is unlikely that the communication will be privileged.

Lawyers’ notes regarding internal investigations are usually protected by LPP. To protect the privilege, all communications should be marked as confidential and privileged and should not be distributed outside the lawyer–client communication lines unless necessary.

A 2021 Federal Court decision in a cartel matter saw privilege over entire documents lost when the company, which was under an obligation to co-operate with regulators in return for being granted immunity, provided the regulators with extracts of the privileged documents. The court ordered that the documents could not be properly understood unless read in full and therefore privilege had been lost in respect of the entire document. The case highlights the complexities faced by companies seeking protection from prosecution, while attempting to maintain the rights ordinarily afforded to them.

39 Set out the key principles or elements of the attorney–client privilege in your country as it relates to corporations. Who is the holder of the privilege? Are there any differences when the client is an individual?

LPP is held by the client (company or individual), not the legal adviser. Employees of the company may have grounds to assert common interest privilege or joint privilege, if the employee reasonably believed the lawyer was giving them legal advice and his or her interests were not adverse to the company. If a company seeks to maintain control over the privileged information, lawyers will ordinarily be instructed to communicate that distinction, adopting a US-style Upjohn or corporate Miranda warning.

40 Does the attorney–client privilege apply equally to in-house and external counsel in your country?

Yes. The dominant purpose test applies, irrespective of whether the lawyer is internal or external to the company. Best practice is for in-house counsel to hold a current practising certificate and be independent. Privilege claims of advice from in-house counsel generally will be scrutinised, particularly if another non-legal position is held within the company, or if counsel is accustomed to providing commercial advice (which will not be privileged).

41 Does the attorney–client privilege apply equally to advice sought from foreign lawyers in relation to (internal or external) investigations in your country?

Yes. Australian clients can claim the privilege if the communications are with a qualified lawyer admitted to practise in the foreign country and the communications satisfy the dominant purpose test.

42 To what extent is waiver of the attorney–client privilege regarded as a co-operative step in your country? Are there any contexts where privilege waiver is mandatory or required?

It is normal for companies and individuals to maintain claims of LPP. Waivers are generally restricted to circumstances in which the entity is essentially opening its doors on a no-restrictions basis, or in which the waiver has been made on a limited basis subject to agreement, such as in co-operation with a regulator, or if a party is obliged to waive privilege in furtherance of an agreement for immunity. It may be considered that not claiming LPP signals an increased level of co-operation with the investigating authority. A court, tribunal or commissioner to a royal commission may compel an entity to produce documents if it has been determined that the claims for privilege cannot be maintained. Regulators are increasingly challenging claims for LPP, including taking some matters to court to dispute claims by companies withholding production of documents on the basis of LPP.

43 Does the concept of limited waiver of privilege exist as a concept in your jurisdiction? What is its scope?

Yes. For instance, a party responding to a compulsory notice to produce documents to the Australian Securities and Investments Commission (ASIC) may enter into a voluntary confidential LPP disclosure agreement, which allows production of the documents to ASIC, while arguably protecting them from disclosure to third parties. ASIC will undertake to treat the information as confidential and will defer to the privilege holder if ASIC is compelled to produce the documents. These agreements have not been tested by the courts as to whether they will withstand a challenge.

44 If privilege has been waived on a limited basis in another country, can privilege be maintained in your own country?

Possibly. Relevant considerations will include the context in which the waiver was made (under compulsion or voluntarily), the use of the information subsequent to the waiver and whether, in Australia, privilege would still properly apply to the information.

45 Do common interest privileges exist as concepts in your country? What are the requirements and scope?

Common interest privilege does exist. The interest of the parties claiming the privilege must be the same, or almost the same (such that the parties could use the same lawyer), and it will not be available if they are potentially adverse. There is no requirement for a formal agreement between parties to establish this privilege, nor to identify an intention to claim the privilege at the time of communication, although it is advisable to do so to establish the extent of the common interest.

46 Can privilege be claimed over the assistance given by third parties to lawyers?

It is not uncommon for lawyers to brief third-party experts to assist on matters relevant to the giving of legal advice. Communications with the third party will usually be covered by LPP if they fall within the dominant purpose test.

If a party serves a report or advice prepared by a third party during litigation, all materials (including briefing materials) used by the third party in informing an opinion generally become discoverable. There are limited circumstances in which a party can resist production of communications underpinning a report.

Witness interviews

47 Does your country permit the interviewing of witnesses as part of an internal investigation?

Organisations are permitted to conduct fact-finding interviews during an internal investigation. Consideration should be given to ensuring that the individual is afforded the appropriate amount of time to prepare and respond to questions. Whistleblowers, who may be among the first interviewed, are afforded additional legislative protections that must be adhered to. Immunity applicants are required to keep confidential any fact that commentators have indicated could be a complication in internal investigations.

48 Can a company claim the attorney–client privilege over internal witness interviews or attorney reports?

Legal professional privilege can be claimed over witness interviews and reports prepared by legal advisers for the dominant purpose of giving or receiving legal advice or in the preparation of legal proceedings.

49 When conducting a witness interview of an employee in your country, what legal or ethical requirements or guidance must be adhered to? Are there different requirements when interviewing third parties?

Corporate Miranda or Upjohn warnings are not required to be given, although they are common in cross-border investigations. It is prudent to outline the scope of a lawyer’s engagement at the time of the interview, to avoid any misconception as to whether the parties intend privilege to apply. The same approach applies to both current employees and third parties, although there is less scope for privilege to apply to third parties.

50 How is an internal interview typically conducted in your country? Are documents put to the witness? May or must employees in your country have their own legal representation at the interview?

There are no set requirements for internal interviews in Australia and often the style of interview will depend on the seriousness of the allegations being investigated. Notes of interviews should be kept confidential and a record of any materials discussed during an interview should be retained for future reference. Generally, a witness will be asked for an independent recollection of events before being presented with any documents. Documents put to a witness are usually restricted to those about which the witness has first-hand knowledge. If the allegations are serious and directed to the interviewee, then it is not unusual to provide the interviewee with the option of having their own legal representation at the interview, though an interviewee may not necessarily have an enforceable right to have their own legal representation.

Reporting to the authorities

51 Are there circumstances under which reporting misconduct to law enforcement authorities is mandatory in your country?

It is mandatory under anti-money laundering and counter-terrorism financing legislation to report suspicious financial transactions to the Australian Transaction Reports and Analysis Centre. The company must have formed a suspicion that the dealings may be related to an offence (such as money laundering, terrorism financing or operating under a false identity, tax evasion or proceeds of crime) and must report within 24 hours if it relates to terrorism, or otherwise within three business days.

Australian financial services licensees must report any significant breaches, or anticipated breaches, of obligations under the Corporations Act 2001 (Cth).

State legislation may also apply. In New South Wales, for instance, it is an offence to conceal knowledge or belief of a serious indictable offence having been committed. This provision is unique to New South Wales.

52 In what circumstances might you advise a company to self-report to law enforcement even if it has no legal obligation to do so? In what circumstances would that advice to self-report extend to countries beyond your country?

If an internal investigation has led to findings of misconduct, a decision will need to be made whether to self-report. Self-reporting may be advisable if the findings are likely to affect the company’s ability to conduct its business or trading of the company’s shares.

Disclosure to regulators outside Australia may depend on whether the conduct has occurred outside the jurisdiction and the reporting obligations in those other jurisdictions.

Companies often make a decision to self-report to regulators, either when dealing with multiple jurisdictions within the country, or internationally if they expect public attention arising from the investigation. This is often considered to be ‘controlling the message’ to both the public and regulators.

53 What are the practical steps you need to take to self-report to law enforcement in your country?

In self-reporting, the company should be prepared to co-operate honestly and completely with authorities and assist regulators’ investigations, which may go beyond the internal investigation. This may involve providing to authorities any information gathered during the internal investigation at the time of self-reporting. There is an added benefit in creating a clear line of reporting between the company and the regulator.

The company should be prepared to plead guilty to any offence identified and may be required to assist in the prosecution of related parties. Public disclosure will need to be considered for listed companies, consistent with disclosure obligations.

In certain circumstances, immunity for being first-in-time can be sought when reporting to the Australian Competition and Consumer Commission or the Australian Securities and Investments Commission.

Legislation allowing deferred prosecution agreements is proceeding through the Parliament of Australia. It has been the subject of extensive consultation and the timing for its implementation is not yet known. Once passed, it is anticipated that this legislation will provide benefits to corporates who self-report relevant offences.

Responding to the authorities

54 In practice, how does a company in your country respond to a notice or subpoena from a law enforcement authority? Is it possible to enter into dialogue with the authorities to address their concerns before or even after charges are brought? How?

Companies take seriously their obligation to comply with compulsory production requests from regulators. It is possible to enter into a dialogue with a regulator in relation to a notice or subpoena, particularly if there are concerns about scope or time for production. This is done by speaking or writing to a representative of the regulator in the first instance.

In recent years, Australian regulators have indicated a greater willingness to engage with companies to address concerns or to encourage self-reporting of misconduct prior to the issuing of charges. If in the course of preparing a response to the compulsory production request, broader issues are identified by a company, the current environment encourages discussion with regulators. Post-charge negotiation in criminal proceedings is governed by the relevant prosecution policy.

55 Are ongoing authority investigations subject to challenge before the courts?

A company may challenge an investigation in particular circumstances, for example if the investigation is an abuse of process or harassment.

56 In the event that authorities in your country and one or more other countries issue separate notices or subpoenas regarding the same facts or allegations, how should the company approach this?

Consistency is key when a company is facing allegations of wrongdoing regarding the same facts in multiple jurisdictions. A company should ensure responses are coordinated and that production of documents or information is strictly responsive to the notice or subpoena. There is no requirement to go beyond the strict terms of the notice or subpoena and doing so may amount to voluntary disclosure and not be afforded protections (such as confidentiality and privilege) that would otherwise be available.

57 If a notice or subpoena from the authorities in your country seeks production of material relating to a particular matter that crosses borders, must the company search for, and produce material, in other countries to satisfy the request? What are the difficulties in that regard?

Materials must be produced if they are in the possession, custody or control of a company in Australia (irrespective of the location where they are held). It may be possible to resist production of materials outside Australia if to do so would be oppressive or if their production was contrary to the law of the jurisdiction where the documents are located.

58 Does law enforcement in your country routinely share information or investigative materials with law enforcement in other countries? What framework is in place in your country for co-operation with foreign authorities?

Australian regulators routinely share information or investigative material and make use of mutual recognition agreements with regulators from other jurisdictions, such as the International Organisation of Securities Commissions. Less formal arrangements exist between some regulators, such as the Australian Federal Police’s arrangements with other police agencies globally. Mutual assistance requests are a formal mechanism by which authorities can obtain information from overseas regulators for use in criminal proceedings.

59 Do law enforcement authorities in your country have any confidentiality obligations in relation to information received during an investigation or onward disclosure and use of that information by third parties?

Information produced under compulsion can only be used for the purpose for which it was obtained. Materials can be shared between regulators, subject to satisfying legislative requirements, and can be disclosed to third parties during an investigation if it is deemed necessary and legislative requirements are satisfied.

60 How would you advise a company that has received a request from a law enforcement authority in your country seeking documents from another country, where production would violate the laws of that other country?

Refusing to produce a document that is required under a notice will be a breach and may give rise to legal action by the regulator. Open dialogue with the regulator is encouraged at an early stage to attempt to negotiate an amendment to the notice to exclude production of documents that give rise to a breach of laws in another jurisdiction. Otherwise, the company should look at avenues to challenge the notice.

61 Does your country have secrecy or blocking statutes? What related issues arise from compliance with a notice or subpoena?

Australian data privacy laws prevent the disclosure of certain personal and sensitive information. The Australian Privacy Principles (APPs) apply to government agencies, private sector and not-for-profit organisations (those with an annual turnover of more than A$3 million), private health providers and small businesses.

Disclosure is permitted if compelled (such as by a document production notice or subpoena) or reasonably necessary for one or more enforcement-related activities by an enforcement body. In defending allegations of misconduct, data may also be transferred for the purposes of, or in connection with, legal proceedings (including prospective legal proceedings) or for the purposes of establishing, exercising or defending legal rights. However, restrictions on the cross-border transfer of data may remain.

62 What are the risks in voluntary production versus compelled production of material to authorities in your country? Is this material discoverable by third parties? Is there any confidentiality attached to productions to law enforcement in your country?

It is common for companies to request that a regulator issue a notice to compel the production of materials to preserve claims of confidentiality and privilege. Such a claim may be waived by voluntary production. Regulators can be compelled to produce documents to third parties by court order, but may segregate documents that are subject to claims of privilege (including legal professional privilege and public interest immunity) and confidentiality, and leave it to the court to rule on such claims. However, in limited circumstances a company may identify a reputational risk in the use of compulsory production notices and a co-operative approach may be preferred. A company should weigh up the merits and ramifications of each approach.

The APPs should be considered when voluntarily producing materials to authorities, as this will not fall under the exemption of compelled production.

Prosecution and penalties

63 What types of penalties may companies or their directors, officers or employees face for misconduct in your country?

Companies can face significant financial penalties for criminal misconduct, calculated at the greater of 45,000 penalty units (currently A$9.45 million), three times the benefit derived or detriment avoided, or 10 per cent of annual turnover. Civil penalties are also available against a company and vary greatly according to the relevant provisions. The maximum civil penalty available against a company is the greater of 50,000 penalty units (A$11.1 million), three times the benefit obtained or detriment avoided, or 10 per cent of annual turnover, capped at 2.5 million penalty units (A$555 million).

Penalties against an individual will vary depending on the offence. Criminal wrongdoing may result in imprisonment or financial penalties, or both. Civil penalty proceedings can result in fines, compensation orders and disqualification from managing corporations. In certain circumstances, administrative action to seek banning orders may also be commenced.

64 Where there is a risk of a corporate’s suspension, debarment or other restrictions on continuing business in your country, what options or restrictions apply to a corporate wanting to settle in another country?

The Commonwealth, state and territory governments do not automatically suspend or disbar a company for any conduct, although they do have discretion to preclude a company from public procurement contracts.

65 What do the authorities in your country take into account when fixing penalties?

Courts will consider a range of factors, including the seriousness of the offence, the number of contraventions and the period during which they occurred, the need for general deterrence, remorse, retribution, co-operation and any relevant personal circumstances. In light of applicable High Court authority, a prosecutor cannot recommend to a court a preferred criminal sanction, such as a prison sentence for an individual. In civil penalty proceedings, a proposed penalty can be agreed between the parties in settlement discussions and this can be jointly presented to the court. The court is not required to accept the negotiated penalty figure but can (and often will) take the negotiated outcome into consideration when ordering penalties.

In recent years, there has been a significant increase in penalty amounts set by legislators and applied in the courts for corporate misconduct. This is mostly attributable to the significant increase in penalty limits available to the Australian Securities and Investments Commission since the passing of revised legislation in February 2019, when the regulator publicly announced its intention to pursue harsher civil penalties and criminal sanctions.

Resolution and settlements short of trial

66 Are non-prosecution agreements or deferred prosecution agreements available in your jurisdiction for corporations?

Deferred prosecution agreements (DPAs) are not currently available but draft legislation is before Parliament, which may lead to them being introduced. Based on the current proposed legislation, DPAs will allow companies to negotiate terms of settlement for allegations of serious corporate crime, such as foreign bribery, which include the setting of a penalty for contravention, but will require approval by an approving officer (a former judicial officer) before they can be finalised. Not all corporate crimes are covered in the proposed legislation and DPAs will not be available to individuals.

DPAs under the proposed legislation are similar to non-prosecution agreements under US law.

Another mechanism in which a company may reach agreement with authorities to avoid prosecution in return for co-operation is by seeking an indemnity, more formally referred to as an undertaking, under the Director of Public Prosecutions Act 1983 (Cth). The circumstances in which an indemnity may be granted are generally governed by the Prosecution Policy of the Commonwealth. In the context of cartel prosecutions, applications are governed by the Australian Competition and Consumer Commission’s Immunity and Cooperation Policy for Cartel Conduct. In February 2021, the Australian Securities and Investments Commission (ASIC) introduced an immunity policy, available to individuals seeking protection for contraventions of certain market misconduct offences under the Corporations Act 2001 (Cth).

67 Does your jurisdiction provide for reporting restrictions or anonymity for corporates that have entered into non-prosecution agreements or deferred prosecution agreements until the conclusion of criminal proceedings in relation to connected individuals to ensure fairness in those proceedings?

There is no certainty regarding implementation of DPAs in Australia at present; however, the Bill currently proceeding through Parliament proposes that a DPA be published in full, except in exceptional circumstances, such as when the publication would prejudice court proceedings. This approach is consistent with that currently adopted when a company has pleaded guilty, or been granted an indemnity from prosecution, but proceedings against connected individuals or corporate entities are continuing (such as in the case of cartel proceedings).

68 Prior to any settlement with a law enforcement authority in your country, what considerations should companies be aware of?

Considerations relevant to settlement include an assessment of the facts and allegations made against the company, the strength of the evidence, the terms on which the regulator is willing to settle (where they can be agreed) and the potential consequences of any settlement (including on business operations, investigations in other jurisdictions and the risk of collateral civil litigation). These considerations generally apply only in the context of civil penalty proceedings, with criminal proceedings presently unable to be ‘settled’ in the traditional sense.

69 To what extent do law enforcement authorities in your country use external corporate compliance monitors as an enforcement tool?

The proposed DPA process suggests the use of an independent monitor, paid for by the company, to assess compliance with the terms of the DPA. The reason for this is, in part, that the body responsible for entering into DPAs with companies, the Commonwealth Director of Public Prosecutions, does not have a monitoring function. External corporate compliance monitors have also often had a role in enforceable undertakings with ASIC. The Australian Prudential Regulatory Authority and the Australian Transaction Reports and Analysis Centre also use independent reviewers in these tools.

70 Are parallel private actions allowed? May private plaintiffs gain access to the authorities’ files?

Private actions are permitted to run in parallel with criminal or regulatory proceedings, provided they do not prejudice the accused’s right to a fair trial, or the right to maintain privilege against self-incrimination or exposure to penalty, and do not interfere with the criminal proceedings. It is possible for private or civil actions to be stayed pending the outcome of criminal proceedings.

Private plaintiffs are entitled to apply to regulators to access files through various mechanisms, including freedom of information requests and subpoenas. In addition, ASIC has the power to provide information to private litigants in certain circumstances. The disclosure of information by regulatory bodies is subject to overriding considerations of public interest, the risk of prejudice to an ongoing investigation or proceeding, and statutory restrictions.

Publicity and reputational issues

71 Outline the law in your country surrounding publicity of criminal cases at the investigatory stage and once a case is before a court.

Criminal investigations are generally confidential. An accused has the right to a fair trial and a presumption of innocence. Investigatory bodies, such as the Australian Federal Police and the Australian Securities and Investments Commission, have media policies that restrict the publication of information that may prejudice an ongoing investigation or affect an accused’s right to a fair trial, particularly by tainting the jury pool.

Criminal court proceedings are a matter of public record. There are limited situations in which a corporation or individual can restrict access to, or publication of, the court proceedings once they are formally commenced. Although the media are entitled to report on public hearings, they are required to follow orders from the judge concerning non-publication of certain information.

Jury deliberations are confidential. It is an offence to publish anything regarding the identity of a juror or the discussions that take place in the jury room.

72 What steps do you take to manage corporate communications in your country? Is it common for companies to use a public relations firm to manage a corporate crisis in your country?

It is common for public relations firms to be hired, particularly in high-profile matters. Lawyers will generally work with a public relations firm hired in these circumstances to provide strategic advice, ensure accuracy of reporting and assist in making any public statements during an investigation or proceeding.

73 How is publicity managed when there are ongoing related proceedings?

Corporations need to carefully manage the release of information regarding ongoing proceedings to avoid being in contempt of, or prejudicing, the proceedings, especially any criminal proceedings before a jury, and to meet any relevant continuous disclosure obligations. Regulators will announce the commencement of proceedings and may provide procedural updates but generally will not comment on substantive matters for the duration of the proceeding.

Duty to the market

74 Is disclosure to the market in circumstances where a settlement has been agreed but not yet made public mandatory?

If the settlement is likely to have a material effect on the price or value of the company’s securities and does not fall within an exception (such as the information being confidential), it is required to be disclosed to the market by a public company. Confidentiality alone is not grounds for non-disclosure of the fact of settlement. It is often the case that parties agree the terms of disclosure of a settlement as part of the settlement negotiations.

Environmental, social and corporate governance (ESG)

75 Does your country regulate ESG matters?

The absence of an Australian standard approach to ESG reporting often increases the cost and complexity of compliance for investors, with requirements found in a variety of state and federal legislation. For instance, the Corporations Act 2001 (Cth) (the Corporations Act) regulates company governance and the duties and obligations of directors and officers, and the rights and interests of Aboriginal and Torres Strait Islanders are primarily governed by the Native Title Act 1993 (Cth), which requires corporations to comply with native title claims.

Workplace governance standards such as workers’ rights are covered in a number of state and federal statutes. Whistleblower protections are incorporated in the Corporations Act. Legislation such as the Fair Work Act 2009 (Cth), the Workplace Gender Equality Act 2012 (Cth), the Modern Slavery Act 2018 (Cth) (the Modern Slavery Act) and various state and territory equivalent legislation cover rights and obligations for workers. Unlike in other jurisdictions, the reporting criteria in Australia are mandatory under the Modern Slavery Act.

Environmental laws are also covered on both a federal and state or territory level, with the primary legislation being the Environment Protection and Biodiversity Conservation Act 1999 (Cth). Other state-based legislation covers a range of matters, such as waste management and contamination. Major facilities are legislatively required to meet reporting obligations under the National Greenhouse and Energy Reporting Act 2007.

A number of voluntary and statutory measurement, reporting and disclosure frameworks are used in Australia with respect to ESG. In addition to international standards such as the UN Principles of Responsible Investment, there are various voluntary standards and best practices that are commonly followed with respect to integrating ESG factors into investment decisions, including those released by the Responsible Investment Association Australasia, the Australian Council of Superannuation Investors (ACSI) and the Investor Group on Climate Change.

When it comes to ESG reporting and disclosure frameworks in Australia, the obligation regime (e.g., mandatory versus ‘comply or explain’) for companies often depends on whether or not they are listed. By way of example, Australian Securities Exchange (ASX) Listing Rule 4.10.3 requires a listed entity to include certain information in its annual report, including a corporate governance statement that meets the requirements of that rule, or the URL of the page on its website where a corporate governance statement that meets the requirements of that rule is located. A corporate governance statement must disclose the extent to which that listed entity has followed the recommendations set by the ASX Corporate Governance Council during the relevant reporting period or the reasons for not following the recommendation and what (if any) alternative governance practices it adopted in lieu of the recommendation during that period.

As of 1 January 2020, the ASX Corporate Governance Principles and Recommendations issued by the ASX Corporate Governance Council recommend that listed entities benchmark certain corporate governance practices that are the ‘reasonable expectation of most investors’, including topics such as board diversity and sustainability disclosures. In particular, Recommendation 1.5 (‘A listed entity should have and disclose a diversity policy’) and Recommendation 7.4 (‘A listed entity should disclose whether it has any material exposure to economic, environmental and social sustainability risks and, if it does, how it manages or intends to manage those risks’) should be noted.

The ESG Reporting Guide for Australian Companies released by ACSI and the Financial Services Council is commonly adopted voluntarily by both listed and unlisted companies to assist with their understanding, pricing, analysis and management of ESG investment risks. It is designed to complement the reporting requirements of other best practice guides, such as the ASX Corporate Governance Principles and Recommendations.

76 Do you expect to see any key regulatory or legislative changes emerge in the next year or so designed to address ESG matters?

Australian regulators have shown an increased appetite to address failings in the disclosure and management of non-financial risks, with a growing number of these being ESG-related.

In 2019, the Australian Securities and Investments Commission (ASIC) updated a raft of regulatory guidance and information notes to specifically refer to climate change considerations in corporate governance. ASIC recognises the Taskforce for Climate-related Financial Disclosures, established by the Financial Stability Board, and recommends that listed companies adopt the framework and guidance provided by the Taskforce. ASIC conducts surveillance, including examinations of large listed companies, and has indicated that adopting the Taskforce’s reporting materially improves the standards of climate-related governance and disclosure in the market. ASIC is considering enforcement action in circumstances of serious disclosure failures.

Similarly, the Australian Prudential Regulatory Authority (APRA) encourages the adoption of the Taskforce’s frameworks, as noted in its letter to APRA-regulated entities in 2020. APRA proposes to produce a practice guide to assist its members.

The ASX makes mention of the Taskforce’s frameworks, encouraging entities to consider whether they have a material exposure to climate change risk, in its 2019 Corporate Governance Principles and Recommendations.

The Organisation for Economic Co-operation and Development (OECD) has commented that Australia is one of the most resource-intensive and carbon-intensive OECD countries and that the state of its biodiversity is poor and worsening. Significant criticism and pressure have been placed on the Australian government to address greenhouse emissions and to combat climate change issues.

Climate change proposals from shareholders at companies’ annual general meetings (AGMs) are driving greater levels of ESG-linked reporting among boards and directors. For example, shareholders can apply pressure by using a special resolution to amend a company’s constitution regarding the way in which a power vested in the directors has been, or should be, exercised. Shareholders can then propose resolutions (contingent on the passing of the special resolution) regarding a specific matter – for example, the reporting of climate change management. Details of these ‘proposed contingent resolutions’ are later released on the company’s ASX AGM results announcement. It is anticipated that shareholder pressure through means such as this will drive regulatory or legislative change in the future.

Directors’ exposure to personal liability for climate change inaction is a live issue that has received endorsement by ASIC and the legal profession. Climate risk and disclosure have become a shared focus of Australian financial regulators and investor groups, engaging questions about directors’ personal liability for associated corporate inaction. Following the ‘Climate Change and Directors’ Duties Memorandum of Opinion’ (7 October 2016) (the Opinion) and the ‘Climate Change and Directors’ Duties Supplementary Memorandum of Opinion’ (26 March 2019) by The Centre for Policy Development (the Supplementary Opinion), there is an emerging view that a director’s duty to act with reasonable care and diligence under section 180 of the Corporations Act positively mandates the active identification, proper disclosure and appropriate response to foreseeable climate change risks. In predicting the ‘exponential’ increase of individual directors’ personal exposure to climate change litigation, the Supplementary Opinion rejects any scenario going forward whereby ‘climate change will not intersect with the interests of [their] firms’, citing relevant advances in ‘event attribution science’ capable of identifying the link between climate change and individual extreme weather events.

Companies should also consider the derivative risks for directors arising from the ASX Guidelines on ESG-linked reporting.

From a practical standpoint, the issues of directors’ personal liability for climate change have a direct effect on business operations; as such, maintaining strong effective corporate governance has received endorsement by both the ASIC Commissioners and former Australian High Court Justice Kenneth Hayne SC.

77 Has there been an increase in ESG-related litigation, investigations or enforcement activity in recent years in your country?

As in many other jurisdictions, ESG issues are an important topic on a range of fronts. Australia has seen an increase in investigations relating to ESG across a full spectrum of issues.

An inquiry into sexual harassment against women in the FIFO (fly-in, fly-out) mining industry brings to the forefront discussions regarding the health and safety of workers in Western Australia. Most major mining companies with operations in Australia have indicated overwhelming support for the inquiry and a promise to engage in the issues arising from the evidence.

Climate-related litigation, both privately led and regulator-led, has already been an area of focus in Australia, with a long history and a number of high-profile cases in the courts. The Australian Competition and Consumer Commission has historically commenced a number of cases against car companies for claims that their products were environmentally friendly (Goodyear Tyres, 2008) or advertised as green, with carbon emissions neutral across the range (GM Holden’s claims regarding its Saab vehicles, 2008). A class action against the Commonwealth Bank of Australia in 2017 was ultimately withdrawn by shareholders, but nevertheless resulted in the bank reporting on the risk of climate change and pledging to undertake climate change scenario analysis to estimate the risks to its business. A settlement in McVeigh v. Retail Employees Superannuation Trust (REST being one of Australia’s largest superannuation funds) resulted in a commitment by REST to new disclosure protocols and climate change-related initiatives.

In 2020, the Australian government was sued by a Melbourne law student for failing in its duty to disclose the effects of climate change on the value of government bonds. This case is ongoing.

ASIC announced in July 2021 that it is reviewing offerings by managed funds and superannuation funds providing investment products focused on ESG and the concern regarding the potential for ‘greenwashing’ of financial products.

Anticipated developments

78 Do you expect to see any key regulatory or legislative changes emerge in the next year or so designed to address corporate misconduct?

The corporate and legal community eagerly await any developments in draft legislation that will introduce deferred prosecution agreements and amendments to the anti-bribery and corruption legislation (a topic that has been discussed since 2017). The current draft legislation has been before Parliament since 2019. There is currently no indication of when further movement on this legislation will occur.

Regulators such as the Australian Securities and Investments Commission and the Australian Competition and Consumer Commission have communicated their increased focus on consumer protection in areas such as cybersecurity, which has become an increasing risk to consumers during lockdown periods arising from covid-19 outbreaks. The effects on corporations will be seen in the security measures put in place to protect their customers.


Footnotes

1 Tim Grave is a partner and Lara Gotti is a senior associate at Clifford Chance. The authors thank their colleague, Kirsten Scott, for her contribution to this chapter.
