AICD publishes new guidance on directors’ oversight of company compliance obligations
On 8 October 2024, the Australian Institute of Company Directors (AICD) published new guidance which specifically focuses on the section 180 duty of care and diligence in overseeing a company’s regulatory compliance obligations, particularly in light of the current risk environment and ASIC’s focus on this area.
The new guidance includes:
- by Michael Hodge KC and Sonia Tame (commissioned by the AICD) which clarifies what is required of directors in discharging this duty including:
Individual director accountability versus the board as a collective.
The extent to which directors can rely on the advice of management and experts.
What role board minutes can play in demonstrating active director oversight.
The key takeaways from the new guidance are:
A company’s breach of its legal or regulatory compliance obligation does not necessarily mean a director has breached their duty of care and diligence.
Equally, it is not necessary for a company to actually breach its compliance obligation for a director to be found in breach of their duty of care and diligence.
Directors must take reasonable steps to place themselves in a position to guide and monitor the company, remain alert to, and act on, ‘red flags’, and challenge management appropriately.
There may be certain existential risks specific to the company that will require more intensive oversight by directors due to their significance.
While directors are entitled to rely upon the advice of management and advisers, directors must critically assess such advice and bring their own independent judgment to bear.
See also AICD media release.
Final merger reform Bill introduced
On 10 October 2024, the Treasury Laws Amendment (Mergers and Acquisitions Reform) Bill 2024 was introduced into Parliament, and has now been referred to the Senate Economic Legislation Committee for report by 13 November 2024.
In addition:
The new merger system moves Australia to a mandatory and suspensory notification administrative regime representing a significant departure from the longstanding voluntary informal clearance process with a judicial enforcement model.
Prior to formal commencement, merger parties may elect to notify under the new system from 1 July 2025. Grandfathering provisions apply to mergers authorised or granted informal clearance by the ACCC between 1 July and the end of 2025, provided the acquisition is completed within 12 months of the date of authorisation or clearance.
Largest greenwashing penalty so far of $12.9 million imposed on Vanguard
On 25 September 2024, the Federal Court ordered Vanguard Investments Australia Ltd to pay a $12.9 million penalty, after Vanguard admitted it had made false or misleading representations and engaged in conduct that was liable to mislead the public in relation to an ‘ethically conscious’ fund, in breach of the Australian Securities and Investments Commission Act 2001 (Cth) (ASIC Act).
We are still awaiting the penalty in ASIC’s third and final greenwashing case against Active Super, with the Court finding in June 2024 that Active Super made false or misleading representations by claiming it would not invest in companies associated with gambling, tobacco, oil tar sands and coal mining. The matter is listed for hearing later in December, so we expect the penalty judgment to be handed down in 2025.
AASB issues inaugural Australian Sustainability Reporting Standards
Following the passing of the Treasury Laws Amendment (Financial Market Infrastructure and Other Measures) Act 2024 (Cth) and a vote by the Australian Accounting Standards Board (AASB) on 20 September 2024, the AASB has now issued its two inaugural Australian Sustainability Reporting Standards. These standards apply to sustainability reports to be prepared by reporting entities under the new sustainability-related financial disclosure framework in the Corporations Act 2001 (Cth) (Corporations Act).
Based on the ISSB International Financial Reporting Standards (IFRS) issued by the International Accounting Standards Board, the AASB has adopted two separate standards: AASB S1 General Requirements for Disclosure of Sustainability-related Financial Information (AASB S1) and the AASB S2 Climate-related Disclosures (AASB S2). As the new sustainability reporting regime only requires disclosure with respect to climate-related financial risks, the AASB has only issued the AASB S2 as a mandatory standard (and the AASB S1 as a voluntary standard):
Both AASB S1 and AASB S2 will inform sustainability reports prepared for annual reporting periods beginning on or after 1 January 2025 (that is the same reporting period for which the largest category of entities will be required to submit sustainability reports under the new sustainability-related financial disclosure framework in the Corporations Act), with the AASB S2 being the criteria the report must contain and the AASB S1 containing broader sustainability criteria that the reporting entity can also elect to report on.
The Auditing and Assurance Standards Board has also released an Exposure Draft: Proposed Australian Standard on Sustainability Assurance ASSA 5010 Timeline for Audits and Reviews of Information in Sustainability Reports under the Corporations Act 2001 which outlines a proposed timeline for when information in a sustainability report would be subject to audit and/or review. Consultation is open until 16 November 2024 (see consultation page), with a view to the standards being adopted in December 2024.
Australia’s cybersecurity legislation package introduced
On 9 October 2024, following extensive consultation in December 2023 and September 2024, a new cybersecurity legislation package was introduced into Parliament. The package was referred to the Parliamentary Joint Committee on Intelligence and Security for inquiry and report and submissions closed on 25 October 2024.
The package, if passed, will implement seven initiatives under the 2023-2030 Australian Cyber Security Strategy (Strategy), addressing legislative gaps to bring Australia in line with international best practice and take the next step to ensure Australia is on track to become a global leader in cyber security. The package includes:
The Cyber Security Bill 2024 (Cth), which will address gaps in current legislation to establish Australia's first standalone Cyber Security Act, which comprises, at a high level:
A mandatory requirement for a ‘reporting business entity’ to notify the Department of Home Affairs and the Australian Signals Directorate (ASD) if it pays a ransom to a cyber threat actor within 72 hours of making the payment.
‘Limited use’ obligations that restrict how cyber security incident information provided to the National Cyber Security Coordinator during a cyber security incident can be shared with and used by other Australian Government entities, including regulators.
A requirement for manufacturers and suppliers of internet connected devices to comply with cyber security standards as determined by the Australian Government from time to time.
Establishment of a Cyber Incident Review Board to conduct post-incident reviews into significant cyber security incidents.
A recent G+T Insight considers the Bill in more detail.
The Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 (Cth), which will progress and implement reforms under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) to:
Clarify existing obligations in relation to systems holding business critical data.
Enhance government assistance measures to better manage the impacts of all hazards incidents on critical infrastructure.
Simplify information sharing across industry and government.
Introduce a power for the government to direct entities to address serious deficiencies within their risk management programs.
Align regulation for the security of telecommunications into the SOCI Act.
A recent G+T Insight considers the proposed reforms to the SOCI Act in more detail.
The Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 (Cth), which:
Amends the Intelligence Services Act 2001 (Cth) to legislate a limited use obligation to protect the information voluntarily provided to, or acquired or prepared by, the ASD during an impacted entity's engagement in relation to a cyber security incident or a cyber security incident that may potentially occur.
Amends the Freedom of Information Act 1982 (Cth) to include an exemption from Freedom of Information requests for a document given to, or received by, the National Cyber Security Coordinator for the purposes set out under Part 4 of the Cyber Security Bill 2024 (Cth).
See also Department of Home Affairs media release.
Time for a whistleblower policy and procedure health check?
Some recent developments have shown that companies, now more than ever, need to review and improve their whistleblower management processes and systems.
Privacy amendment Bill: a new risk landscape
The Privacy and Other Legislation Amendment Bill 2024 (Bill) was tabled in the House of Representatives on 12 September 2024 and is currently before the Senate.
The Bill focuses on the enforcement regime, protection of children, and dealing with the ills of the online world through the creation of new offences against doxxing and a new tort for serious invasions of privacy. However, it does not implement some of the more substantive proposals from an individual rights perspective - for example, the proposed changes to the definition of ‘personal information’, the ‘fair and reasonable’ requirement for collecting, using and disclosing personal information, and the direct right of action for individuals.
However, the Bill makes material changes to the Privacy Act penalties regime and the breadth of orders that can be made by the Federal Court under the Privacy Act. It also introduces a whole new statutory tort which changes the application of the Privacy Act. These changes have the potential to rewrite the risk profile of Privacy Act compliance in Australia.
Bill expanding anti-money laundering and counter-terrorism financing regime introduced
On 11 September 2024 the Attorney-General of Australia, the Hon Mark Dreyfus KC MP, introduced the Anti-Money Laundering and Counter-Terrorism Financing Amendment Bill 2024 which has now passed through the House of Representatives and is currently before the Senate.
The Bill will close a regulatory gap in Australia by expanding the regime to address vulnerabilities within ‘tranche-two’ entities, including lawyers, accountants, real estate professionals and dealers in precious stones and metals. AUSTRAC’s recent Money Laundering National Risk Assessment noted criminals are increasingly exploiting these sectors to conceal illicit wealth and launder money.
The Bill will also help bring Australia into line with international standards set by the Financial Action Task Force (FATF). Australia is now one of only five jurisdictions out of more than 200 that do not regulate these tranche-two entities or ‘gatekeeper’ professions. It means Australia is at serious risk of being ‘grey-listed’ by the FATF, which would not only be damaging to Australia’s international reputation but could result in significant economic harm to Australians and businesses.
The government is taking the opportunity to simplify, clarify and streamline the AML/CTF regime. This will reduce the regulatory burden on businesses and make it easier to understand and implement effective measures to combat financial crime. The reforms will allow businesses to take a risk-based approach, allowing industry to prioritise their resources. The reforms will also lead to better quality financial data and make it easier for businesses to protect themselves from misuse by criminals.
See Attorney General’s media release and AUSTRAC.
Thanks to Silvana Wood’s team for this insight.
Proposed scams framework: a whole of ecosystem approach to protecting Australians from scams
On 13 September 2024, the government released exposure draft legislation on Australia’s proposed new scams prevention framework (Scams Framework). Consultation closed on 4 October 2024.
The exposure draft legislation, if passed, will establish a new whole-of-ecosystem approach containing specific ‘principles-based’ legal requirements (that is to prevent, detect, report, disrupt and respond to scams, and to establish governance systems accordingly) for addressing scams and liability for breaching these principles.
Payday super and employee onboarding reforms
In May 2023, the government announced it was intending to pass legislation that would require employers to pay superannuation at the same time as paying staff salary and wages, starting from 1 July 2026. This reform has come to be known as ‘payday super’.
On 18 September 2024, Treasury released a fact sheet on the payday super reforms confirming the government is still intending to proceed with those reforms. The reforms are still expected to take effect from 1 July 2026. Consultation and drafting will take place during the remainder of 2024.
A practical update on ancillary liability under the Competition and Consumer Act 2010: Productivity Partners Pty Ltd v ACCC; Wills v ACCC [2024] HCA
Businesses and in-house corporate counsel are frequently plagued by the question of whether the business could be found liable for another’s breach. The question often arises when the business itself is not directly involved in, nor does it have actual knowledge of, the contravention.
This issue is particularly relevant when the nature of the business is such that it inherently has to rely on another party to do the right thing. For example, businesses that operate platforms (marketplaces) or display third-party claims. It is also relevant to individuals and parent companies involved in making and approving decisions made by companies within a group.
Incorporation of terms by signature and reference: Michael Hill Jeweller (Australia) Pty Ltd v Gispac Pty Ltd [2024] NSWCA 211
In Michael Hill Jeweller (Australia) Pty Ltd v Gispac Pty Ltd [2024] NSWCA 211, the NSW Court of Appeal has allowed Michael Hill’s appeal against the Supreme Court decision earlier this year, in part, and reduced Michael Hill’s liability from approximately $2.3 million to approximately $360,000 plus interest. However, the findings in relation to incorporation of terms, the focus of this summary, have essentially been upheld.
The case reinforces the rule that if you sign a contract you are bound by the terms of that contract. The terms may include terms that are incorporated by reference even if those terms are not supplied.
By way of reminder of the facts, Gispac provided paper carry bags to Michael Hill. In 2014 and 2015, a Michael Hill employee signed contracts for the future supply of bags and placed a tick in a check box that expressly stated that Michael Hill was agreeing to certain terms and conditions that could be found in a web link provided (Terms). No attempt was made by the employee to open that link and read the Terms. However, it was also not proven that the link worked.
The Supreme Court found that by ticking the box and signing the sales contracts, the Terms were incorporated by reference, and Michael Hill was bound by them. The principle the judge applied was that the act of signing would lead a reasonable person in the position of the other party to believe you were agreeing to the Terms.
On appeal, the Court (Bell CJ and Payne JA) agreed with the primary judge’s finding that by signing and ticking the box, the Terms were incorporated into the sales contracts, and it did not matter whether the link was operable at the time of execution or not - Bell CJ stated (at [14]):
“that part of the clause which stated that the Terms could be found at the particular URL link was not an essential part of the parties’ agreement, objectively ascertained; rather, it was merely pointing out where (or how) Gispac’s Terms could be located, if Michael Hill wanted or needed to consult them”.
Basten AJA agreed that by signing and ticking the box Michael Hill was bound by any identified terms but that there was an evidential void as to the content of the alleged terms.
Thanks to Professor Gregory Tolhurst, consultant, for his contribution to this insight.