Enforceable undertakings (EUs) are a regulatory tool used by the Australian Securities and Investments Commission (ASIC) for dealing with breaches by Australian financial services (AFS) licensees and their officers of their financial services obligations. In recent years we have seen EUs experience a resurgence and ASIC has used them extensively: for example, the ASIC Enforceable Undertakings Register reveals that 27 EUs were accepted in 2013 and 6 have already been accepted in 2014. By contrast, during the period between 2006 and 2010, ASIC only accepted 10 undertakings on average per year1. Accordingly, the regulatory trend seems to be that ASIC will continue to use EUs as an alternative to civil or administrative action where it considers that it will provide a more effective regulatory outcome.
EUs - some practical guidance
If you find yourself in the unenviable position of potentially negotiating an EU with ASIC, we recommend that you keep the following considerations front of mind.
An EU may by initiated by the regulated party and so there could be benefits from voluntarily co-operating with ASIC, as this can influence ASIC's choice of enforcement mechanism. ASIC may be more inclined to accept a negotiated outcome than use court proceedings and will acknowledge a regulated partyfs co-operation in the EU, which may help to minimise reputational harm. In self-reporting breaches to ASIC, regulated parties should always ensure that they attempt to take remedial measures as soon as the breach is identified, that they present ASIC with a remedial plan and fully co-operate with ASIC. Essentially, ASIC is looking for a positive and genuine commitment to rectify the breach and prevent it from reoccurring.
What ASIC will be likely to accept
ASIC is more likely to accept an EU from a regulated party who is prepared to compensate clients who have suffered loss or harm; improve internal compliance arrangements; appoint an independent expert to review parts of their business; oversee their implementation of the EU and report on performance to ASIC; or refrain from engaging in certain activities for a period of time. While these undertakings can be onerous, the regulated party will at least have the opportunity to negotiate the content and drafting of the EU with ASIC before it is finalised, which affords the regulated party some degree of input into the process. For example, the regulated party may seek to retain the power to select and appoint an independent expert, or limit the extent of reporting obligations to "substantial" non-compliance with the EU.
Regulated parties should think carefully about what obligations they agree to assume in relation to compensation, for example:
- an EU should not be used to secure the de facto payment of a pecuniary civil penalty (this should be determined by a court); and
- the regulated party may be assuming obligations that are quite unrelated to the contravention (for example, one regulated party undertook to contribute $1 million to Financial Literacy Australia Limited).
ASIC will not accept an EU that denies liability completely and so the regulated party will need to acknowledge ASIC's concerns. However, such acknowledgement can be followed by the words "nothing contained in the undertaking constitutes an admission." In some EUs, regulated parties have also been allowed to state that "they do not agree with the view formed by ASIC." This wording is important as it can help preserve the regulated party's access to insurance and minimise the risk of a third party using the EU in court proceedings as evidence of an admission of the alleged breach.
ASIC will also not accept an EU unless it includes clauses acknowledging that the EU does not affect the rights of third parties, or ASIC's power to investigate and conduct surveillance or to pursue criminal or civil penalty proceedings. Accordingly, while an EU may be used to achieve immediate resolution, it may be merely an adjunct to the other remedies ASIC seeks. Therefore regulated parties need to be mindful of the risk of ASIC pursuing other avenues of redress and consider whether it is to their strategic advantage to enter into an EU.
Preserving legal professional privilege
Legal professional privilege needs to be preserved during the negotiation process and during the operation of the EU. During negotiations with ASIC any documents or information produced to ASIC should be reviewed for legal professional privilege and arrangements should be made to ensure that a claim of privilege is not waived by disclosure. This is especially significant in voluntary negotiations, as the statutory protections found in sections 68 and 92 of the ASIC Act (regarding self-incrimination and third party claims) will not be available.
In terms of ongoing monitoring of the EU, ASIC will often add a clause seeking that the regulated party agrees to provide all documents and information requested by ASIC for the purpose of assessing compliance. It is important that such clauses are qualified by adding the words "subject to legal professional privilege." There may also be scope to include additional qualifications to such clauses.
Compliance with an EU is costly - both in terms of direct monetary cost (e.g. external legal and/or compliance advisersf fees) - and in terms of opportunity cost, including the existing internal resources that need to be devoted to the EU. In addition, another potential cost to be wary of in negotiating an EU, is that ASIC may seek to recover its costs from the regulated party.
The negotiations surrounding the acceptance and drafting of an EU are private, however once finalised the EU will be publicly available on ASIC's Enforceable Undertakings Register and publicised by ASIC by a media release2. Therefore any EU will involve some risk of reputational harm for the regulated party. However, the regulated party can ask that certain information not be released, for example if it is commercial in confidence, consists of an individualfs personal details or would be against the public interest. If ASIC is satisfied as to one of these matters and the information is deleted, the EU will appear on the register with a note stating that certain information has been removed.
In addition, since ASIC will not remove EUs from the register even once they have been fully complied with or have expired, a regulated party should ensure that, in so far as possible, it is comfortable with the contents of an EU.
While it is possible for ASIC to attempt to enforce an EU in court where there is a substantial breach, the likelihood of this occurring seems relatively low. When an EU is breached ASIC tends to seek to reopen negotiations and either vary the initial EU or enter into a new EU. This may be because of the cost of instituting enforcement proceedings as well as because the court will not automatically enforce an EU. When asked to enforce an EU, the court will consider procedural fairness and the appropriateness of the terms of the EU3. Thus the court must first determine whether a breach of the EU has occurred (if there is no breach no enforcement consequences will follow) and, if a breach can be shown, whether the EU can be enforced (for example, its terms may lack certainty). This can lead to very uncertain prospects of success for ASIC in seeking to enforce compliance with an EU.
The bottom line
EUs have emerged as a prevalent regulatory enforcement tool in recent years and this trend is only likely to continue.
This can been seen as a constructive development in enforcement trends, since the negotiated aspects of EUs allow the regulated party to influence the enforcement outcome and preserve their reputation, while still allowing breaches to be rectified in a timely and cost effective manner.
2 ASIC's policy on public comment is found in Information Sheet 152.
3 Marina Nehme, 'Enforceable undertakings: are they procedurally fair?' (2010) 32 Sydney Law Review 471, 496.