Abstract
Australian corporate law allows for significant civil penalties to be imposed by a court on negligent corporate officers, including directors. For more than a decade, the Australian Securities and Investments Commission used civil prosecutions for negligence exclusively in situations where an officer is alleged to have exposed their corporation to foreseeable risk of harm that would flow from a contravention by the corporation of a regulatory or disclosure obligation. This enforcement strategy—known as ‘stepping-stones’—has been strongly criticised, including by Rares J in his 2020 dissenting opinion in the Cassimatis appeal. This article explains how stepping-stones works as an enforcement strategy in the context of corporate compliance failures, explores the various criticisms of it, and argues for reform. It proposes a legislative alternative that rebalances individual officer liability, to reflect contemporary governance practices and encourage better management and oversight of non-financial risk in corporations.
I Introduction
For years, Australian corporate law has struggled to articulate the proper basis upon which directors and other corporate officers ought to be liable to the state when their behaviour risks—by action or inaction—their corporation contravening the law. 1 In the absence of a positive duty on corporate officers to take reasonable steps to ensure their corporation conducts its affairs in accordance with all or specified regulatory requirements, 2 the Australian Securities and Investments Commission (‘ASIC’) has adopted a civil enforcement strategy—commonly referred to as ‘stepping-stones’ 3 —that utilises s 180(1) of the Corporations Act 2001 (Cth) (‘Corporations Act’) in this context. ASIC’s line of stepping-stones cases concerned with regulatory (as distinct from disclosure) failures includes the 2020 decision of the Full Federal Court in Cassimatis v Australian Securities and Investments Commission (‘Cassimatis Appeal’), which arose out of the failure by the licensed financial advice firm Storm Financial Limited (‘Storm’) to comply with financial advice laws in the years before the 2008 global financial crisis (‘GFC’). 4
Section 180(1) of the Corporations Act imposes a statutory duty of care and diligence on corporate officers, 5 the content of which overlaps with their duties of care owed to the corporation in contract, equity and tort. It is a civil penalty provision for the purposes of pt 9.4B; 6 contravention carries a potential maximum pecuniary penalty of 5000 Commonwealth penalty units (currently AUD $1,110,000) along with the possibility of relinquishment orders and the likelihood of temporary disqualification from holding corporate office. 7 These consequences can be ordered by a court even when the corporation itself may have no compensable claim against the officer for breach of duty, for example, because the corporation has ratified the officer’s conduct or has not suffered any actual loss or damage as a result of the officer’s negligence. 8
In devoting scarce public resources to running stepping-stones cases, it is likely that ASIC is seeking to protect or vindicate the public interest in the proper management of corporations, rather than to safeguard the private interests of an individual corporation and its shareholders and creditors. 9 This is apparent in the Cassimatis litigation, where the defendant executive directors were Storm’s only shareholders and the prospect of meaningful financial recovery by Storm for the benefit of its creditors was remote. Where the stepping-stones strategy is used in connection with disclosure failures, including contraventions of the continuous disclosure requirement contained in s 674 of the Corporations Act, ASIC’s regulatory interest is in protecting market efficiency, transparency and integrity. 10 Where the strategy is used in connection with regulatory failures—like the failure of Storm to comply with a regulatory requirement not to give unsuitable financial advice to its clients—ASIC’s interest is likely to be in improving compliance by regulated corporations, for the benefit of both the stakeholders whose interests are protected by the particular regulatory regime (financial advice clients, in the case of Storm) and of the broader community in ensuring corporations comply with the law. 11
From a regulatory perspective, why use stepping-stones? As real but artificial entities, corporations do not necessarily respond to the coercive force of law in the same way as natural (that is, human) legal persons. 12 Therefore, identifying the individual officers within corporations who control or influence decisions that impact on corporate compliance, and then guiding (through the development of legal precedent) and incentivising (through general deterrence) those individuals to approach compliance-related issues with greater care, skill and diligence, might be a credible strategy for a regulator interested in improving overall levels of corporate compliance with regulation in the public interest. Secondly, stepping-stones as an enforcement strategy provides a legal pathway for holding individuals publicly to account in connection with corporate compliance failures when there is media and political pressure on the regulator to do so, despite that individual’s involvement falling short of that required to establish accessorial liability. 13
For a regulator, stepping-stones may be a cogent strategy. But it is a problematic one. In his dissenting opinion in the Cassimatis Appeal, Rares J criticised ASIC for employing s 180(1) of the Corporations Act in an ‘arcane and backdoor fashion’. 14 This is an important criticism, given that all but one of the ASIC enforcement actions seeking civil penalties based on (or including) an alleged breach of s 180(1) decided in superior courts over the last decade have been stepping-stones actions. 15
More broadly, there are concerns in the business community that stepping-stones is predicated on a misunderstanding of the role of the board and senior management in compliance and, in its application, is acutely vulnerable to hindsight bias of the kind identified by Hayne J in Vairy v Wyong Shire Council (‘Vairy’). 16 These concerns are compounded by three factors. The first is the conceptual difficulty that arises in applying the calculus from Wyong Shire Council v Shirt (‘Shirt’) to compliance or conduct (as distinct from financial or operational) risks. 17 The Shirt calculus, a cornerstone of the law of negligence, is so named after the comments of Mason J in Shirt; 18 it involves the balancing by the tribunal of fact in negligence cases of ‘the magnitude of the risk and the degree of the probability of its occurrence, along with the expense, difficulty and inconvenience of taking alleviating action and any other conflicting responsibilities which the defendant may have’ in determining what a reasonable defendant would have done in the circumstances. 19 The second is the excision by courts of decisions about design and resourcing of the corporate compliance function from the business judgment safe harbour in s 180(2) of the Corporations Act, and the third is the absence (to date) of a clearly articulated collective board duty of oversight from the Australian jurisprudence. Underlying the unease about stepping-stones is deeper disquiet about the fairness and proportionality of engaging the civil penalty regime for individual negligence and the distorting impact of potential public enforcement actions (as distinct from private claims) on director behaviour. These concerns have flowed through to the wider debate about the current settings for directors’ and other officers’ liability in Australian corporate law, 20 including over the Banking Executive Accountability Regime (‘BEAR’) and the government’s proposed expansion of that regime. 21
This article critically examines stepping-stones as an enforcement strategy for improving corporate regulatory compliance and for holding blameworthy corporate officers to account. We focus specifically on situations involving compliance (rather than disclosure) failures by corporations and on the application of s 180(1) of the Corporations Act as a regulatory provision rather than as a private law duty owed by the individual officer to their corporation. 22 We divide stepping-stones cases arising out of corporate compliance failures into three groups: contraventions resulting from a transaction turning out otherwise than expected; contraventions resulting from a failed process or control (that is, where there was a credible but not perfect procedure in place to manage compliance risk, but it failed at the implementation level); and contraventions arising from the corporation carrying out its activities as intended, but without due regard for the legal consequences of its decision or action. The reasons for distinguishing the cases in this way are explained below.
Our aims for the article are threefold: to identify and explain the legal and policy underpinnings of the stepping-stones strategy; to tease out and consider the various criticisms of it; and to suggest a way forward that more effectively balances the public interest in improving corporate compliance with the development of workable governance arrangements for the oversight and management of non-financial risk.
The discussion is organised as follows. This Part introduces the argument and includes some general observations about the current enforcement climate, the class of persons potentially exposed to stepping-stones actions and the relationship between s 180(1) of the Corporations Act and other statutory sources of officer liability. Part II explains how s 180(1) is applied where there is a foreseeable risk that a corporation may suffer adverse consequences because of a failure to comply with federal laws governing its business operations. Part III analyses the criticisms of stepping-stones made by Rares J in the Cassimatis Appeal along with broader conceptual concerns about the strategy and its potential impact on director behaviour. Part IV suggests a legislative alternative that removes s 180 of the Corporations Act as a civil penalty provision and substitutes a separate duty on officers to take reasonable steps to secure compliance by the corporation with specified Commonwealth laws. Part V concludes.
A The Current Enforcement Environment
Regulatory policy, including enforcement policy, is never formed in a vacuum. It cannot be understood separate from its broader economic, political and societal context. That context informs the current debate over officers’ liability generally. Arguably, media and political pressure on regulators to hold individual officers publicly to account in connection with corporate compliance failures increased after the GFC. 23 Justifiably or otherwise, there was a perception that wealthy and powerful individuals enjoyed the upside of corporate risk-taking but failed to take appropriate responsibility when it resulted in significant negative externalities. 24 A decade later in Australia, the widely televised proceedings of the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (‘BFRC’) 25 in 2018 brought the failure of prominent financial institutions to obey the law, and the failure of regulators to respond effectively, to public prominence and put faces to those failures. In response, ASIC announced a ‘renewed and re-invigorated’ enforcement approach that included ‘[w]hen appropriate, proceeding against both the corporation and the individual corporate officers responsible for the contravening actions of the company’ as its ‘primary objective’. 26
Also following the BFRC, two law reform measures were floated to increase individual officers’ legal liability in connection with corporate compliance failures. The terms of reference for the Australian Law Reform Commission (‘ALRC’) inquiry into corporate criminal responsibility, issued in April 2019, included an examination of ‘mechanisms which could be used to hold individuals (eg senior corporate office holders) liable for corporate misconduct’. 27 Proposal 9 in the ALRC discussion paper, released in November 2019, was to amend the Corporations Act so that, when a body corporate commits a relevant criminal offence or engages in conduct covered by a relevant offence provision, ‘any officer who was in a position to influence the conduct of the body corporate in relation to the contravention is subject to a civil penalty, unless the officer proves that the officer took reasonable measures to prevent the contravention’. 28 This proposal, which included reversing the burden of proof in favour of the state, was subsequently abandoned by the ALRC following sharp criticism in submissions. 29
The second law reform measure was the proposed expansion of individual liability for finance industry officers and executives beyond the existing BEAR, 30 to cover all financial sector entities regulated by ASIC or the Australian Prudential Regulation Authority (‘APRA’) (not just banks) and to create civil penalty liability for individuals who breach their ‘accountability obligations’. 31 Neither of these changes was among the BFRC recommendations. 32 Work on this proposed reform was suspended as part of the Treasury response to the COVID-19 pandemic. 33
Professor Baxt asked in the late 1990s whether the directors’ duty of care depends on ‘the swing of the pendulum’. 34 In the initial phase of the pandemic, there were signs that the pendulum may swing away from greater legal liability for individual corporate officers, as part of a broader deregulatory agenda. 35
Of course, legal liability is not the only way to make individuals accountable. Institutional and other investors may expect senior corporate officers to accept something akin to old-style ministerial responsibility, 36 falling on their swords when problems emerge in the part of the business over which they have managerial responsibility. 37 Subject to normal employment and other contractual considerations, this can be a form of ‘soft’ accountability imposed by social or market forces, rather than legal tools. This swing of the pendulum may see the government postponing or jettisoning measures to expand legal liability, but it remains to be seen whether it will be persuaded to wind back existing settings, for example, through amendments to s 180 or the creation of new defences to liability. 38
B Scope
The statutory duty of care is imposed on any person who is an ‘officer’ of a corporation. The definition in s 9 of the Corporations Act relevantly includes a director or secretary of the corporation and any person ‘(i) who makes, or participates in making, decisions that affect the whole, or a substantial part, of the business of the corporation; or (ii) who has the capacity to affect significantly the corporation’s financial standing; or (iii) in accordance with whose instructions or wishes the directors of the corporation are accustomed to act’. 39 The High Court’s 2020 decision in Australian Securities and Investments Commission v King makes it clear that, in order to come within the definition, it is not necessary that the person holds or occupies a named office or a recognised position with rights and duties attached to it. 40 What matters is the actual influence or control the person has; in corporate groups, a senior executive of the parent company may have significant capacity to influence the conduct of the affairs of the entire group, including a particular subsidiary. 41 However, a single (non-executive) director on the board of the parent but not the subsidiary is unlikely in the ordinary course to exert the kind of individual influence over other group entities to bring that person within the definition.
An important policy question, to which we return briefly in Part IV, is whether senior managers who are responsible for significant business functions—but whose involvement in broader corporate management falls short of that required to bring them within the statutory definition of an officer—should be within the regulatory net. The ALRC’s revised position on individual accountability ‘confirm[ed] its view that there is an “accountability gap” in relation to holding senior managers of the largest corporations liable for corporate misconduct’. 42 The existing BEAR, and the Financial Accountability Regime proposal, both extend accountability obligations to senior managers who are not officers of the corporation in the relevant sense. 43 A related question is whether the legal responsibilities of non-executive directors should be framed differently from those of executive officers.
C Individual Liability Otherwise than For Negligence
Of course, officers implicated by act or omission in a corporate compliance failure can be personally liable through direct and indirect legal mechanisms or pathways other than for breach of s 180(1) of the Corporations Act. 44 These are direct (including concurrent) liability, what the ALRC describes as ‘extended management’ liability (including deemed liability), and accessorial liability. Concurrent liability arises where, on the facts, the officer has contravened the law alongside their corporation. 45 Deemed liability arises (in limited circumstances) where a person who is a director of a corporation that contravenes a Commonwealth law is deemed to have contravened the same law simply because of the office they hold. 46
Accessorial liability 47 for corporate contraventions of Commonwealth law typically arises under s 79 of the Corporations Act and its statutory analogues. 48 Any person, not just an officer, can potentially be an accessory to a corporation’s contravention. But following Yorke v Lucas, 49 accessorial liability (criminal and civil) generally requires both knowledge or awareness of the corporation’s contravening conduct and some active contribution to its furtherance. 50 Something more than negligence is required on the part of an officer to make him or her an accessory to the corporation’s contravention. 51
II The Law Applied
This Part explains how s 180 of the Corporations Act applies in stepping-stones cases involving corporate compliance failures.
The stepping-stones terminology comes from Keane CJ’s 2011 description of ASIC’s proceedings in Australian Securities and Investments Commission v Fortescue Metals Group Ltd, 52 a case against the chairman and chief executive of a listed entity arising out of allegedly misleading and deceptive market announcements made in contravention of s 1041H of the Corporations Act. 53 In 2012, Herzberg and Anderson described stepping-stones as a strategy by ASIC that:
applies directors’ duties in a novel context. The first stepping stone involves an action against the company for contravention of the [Corporations Act]. The establishment of corporate fault then leads to the second stepping-stone: a finding that by exposing their company to the risk of criminal prosecution, civil liability or significant reputational damage, directors contravened their statutory duty of care with the attendant civil penalty consequences. 54
Stepping-stones is useful shorthand for grouping the cases brought by ASIC in situations involving corporate compliance or disclosure failures, but courts have emphasised these cases still involve the orthodox application of the duty of care. 55 As Greenwood J says in the Cassimatis Appeal:
shorthand phrases such as
His Honour’s comments accord with established authority that the statutory duties ‘are not concerned with any general obligation owed by directors to conduct the affairs of the company in accordance with the law generally or the Corporations Act’. 57 What matters is only whether the defendant’s conduct fell short of the objective standard set by the statute, which is to
exercise their powers and discharge their duties with the degree of care and diligence that a reasonable person would exercise if they: (a) were a director or officer of a corporation in the corporation’s circumstances; and (b) occupied the office held by, and had the same responsibilities within the corporation as, the director or officer. 58
Relevant principles are:
It is usual but not necessary in these cases for ASIC to establish that the corporation contravened the law. 59
Where the corporation has contravened the law, it does not automatically follow that one or more officer(s) contravened s 180(1). The statutory duties ‘do not necessarily make a director liable for a breach by the company of another provision in the Corporations Act. The corollary is that it cannot be said that every breach by a company of the Corporations Act necessarily gives rise to a breach of the directors’ duties provisions.’ 60
What matters is whether the individual officer’s own conduct has met the objective standard of care and diligence, which is set having regard to the corporation’s circumstances and the officer’s own role and background. In ‘considering the acts or omissions of a particular director, one looks at factors including the director’s position and responsibilities, the director’s experience and skills, the terms and conditions on which he has undertaken to act as a director, how the responsibility for the company’s business has been distributed between the directors and the company’s employees, the informational flows and systems in place and the reporting systems and requirements within the company’. 61
Deciding whether there has been a breach of a duty of care involves two separate inquiries. The first is whether there was a foreseeable risk of harm to the corporation. The second is whether the defendant’s conduct was a reasonable response to that risk.
The burden is on ASIC to show both that the individual officer’s act or omission exposed the corporation to foreseeable risk of harm and that a reasonable person in the officer’s position would not have so acted or failed to act.
Both determinations (as to the foreseeability of the risk and as to the reasonableness of the defendant’s response to it) must be made based on the state of affairs that existed at the time of the defendant’s act or omission, and not hindsight. If ‘instead of looking forward, the so-called Shirt calculus is undertaken looking back on what is known to have happened, the tort of negligence becomes separated from standards of reasonableness’. 62
To show a foreseeable risk to the interests of the corporation, it is not enough for ASIC to show that there was a possibility that the corporation would contravene the law. It must show that the possibility of a contravention created a foreseeable risk of harm to the corporation’s interests. However, the ‘foreseeable risk of harm to the corporation which falls to be considered in s 180(1) is not confined to financial harm. It includes harm to all the interests of the corporation. The interests of the corporation, including its reputation, include its interests which relate to compliance with the law.’ 63
A risk is real and therefore foreseeable if it is not ‘far-fetched or fanciful’. This is considered a low bar. But ‘the existence of a foreseeable risk…does not in itself dispose of the question of breach of duty. The magnitude of the risk and its degree of probability remain to be considered with other relevant factors’. 64
In deciding what a reasonable person faced with a foreseeable risk of harm to the corporation would have done in the officer’s position, the Shirt calculus requires
the tribunal of fact to determine what a reasonable man would do by way of response to the risk. The perception of the reasonable man’s response calls for a consideration of the magnitude of the risk and the degree of the probability of its occurrence, along with the expense, difficulty and inconvenience of taking alleviating action and any other conflicting responsibilities which the defendant may have. It is only when these matters are balanced out that the tribunal of fact can confidently assert what is the standard of response to be ascribed to the reasonable man placed in the defendant’s position. 65
It ‘has been iterated and reiterated by the High Court that, at the second stage of enquiry, the measure of the discharge of the duty is what a reasonable person would, in the circumstances, have done by way of response to a foreseeable risk’. 66
In establishing that the officer’s conduct fell short of the objective standard, ASIC should be able to point to what a prudent officer, in the officer’s position, would have done at the relevant time, without the benefit of hindsight. 67
Proof that an officer could have done something to prevent the contravention is not sufficient to establish negligence. The ‘failure to eliminate a risk that was reasonably foreseeable and preventable is not necessarily negligence’. 68 The proper inquiry is whether the officer should have done that, having regard to the objective standard formulated in accordance with the statute. This is answered by the court assessing ‘the magnitude of the risk and the degree of the probability of its occurrence, along with the expense, difficulty and inconvenience of taking alleviating action and any other conflicting responsibilities which the defendant may have’. 69
These legal principles are well supported by authority and are not controversial. But they only take the analysis so far. Each case is different. Applying the principles often involves the court inquiring into the circumstances of the corporation’s contravention. A corporation’s contravention may result from a transaction turning out otherwise than expected; it might result from a failed process or control (that is, where there was a credible but not perfect procedure in place to manage compliance risk, but it failed at the implementation level); or it may arise from the corporation carrying out its activities as intended, but without due regard for the legal consequences of its decision or action.
Teasing the different types of contraventions apart may be significant for two reasons. The first is that decisions relating to transactions that unfold otherwise than expected may attract the operation of the business judgment rule in s 180(2) of the Corporations Act. The second concerns the way in which the balancing of risk and benefit, encapsulated by the Shirt calculus, works where the risk involved is a compliance rather than commercial risk.
A Application of the Business Judgment Rule
The statutory business judgment rule provides that, if certain elements are made out, an officer is taken to have met the duty of care under s 180(1) of the Corporations Act and their equivalent duties in law and equity. 70 It only applies in situations where the officer ‘makes a business judgment’. 71 The failures that result in compliance breaches are generally considered not to involve business judgments in the relevant sense. 72 The conduct protected by the business judgment rule must involve a judgment and cannot be, for example, non-feasance; therefore, conduct that is an unconsidered failure to act on the part of directors is not covered by the business judgment rule. In Australian Securities and Investments Commission v Rich, Austin J said:
[T]he discharge by directors of their ‘oversight’ duties, including their duties to monitor the company’s affairs and policies and to maintain familiarity of the company’s financial position, is not protected by the business judgment rule, because the discharge or failure to discharge those duties does not involve any business judgment as defined. 73
Unlike Delaware courts, 74 Australian courts do not appear to defer to the commercial judgment of officers in relation to compliance risk management. This means that decisions about investment in compliance systems and controls—bluntly, whether to spend $100 or $1000 on non-financial risk management—may be treated as business judgments in Delaware but are not in Australia. 75 This is relevant for compliance failures that fall into the second category—where compliance systems were present but failed. Similarly, commercial judgments about whether particular information about an entity ‘is information that a reasonable person would expect, if it were generally available, to have a material effect on the price or value of ED securities of the entity’ 76 for the purposes of the Australian continuous disclosure laws are not treated as business judgments. 77
This greatly limits the scope of s 180(2) of the Corporations Act in the stepping-stones context—a point to which we return in Part IV. In the Cassimatis Appeal, Greenwood J endorses the extra-curial view of Justice Geoffrey Nettle that ss 180(2) and 180(3) seem to be ‘of little, if any, practical utility’. 78 This may be true in cases, like Cassimatis, where the corporate compliance failure was due to poor regard for compliance risk or failed compliance controls. 79 But as Beach J indicates (in obiter) in Australian Securities and Investments Commission v Mariner Corporation Ltd (‘Mariner’), 80 the position is different where the compliance failure results from a transaction unfolding otherwise than as intended. Because the risk of contravention in Mariner arose from a ‘business judgment’ made by the relevant officers, the safe harbour was potentially triggered. 81
B Balancing Risk and Benefits
The second reason for distinguishing between contraventions that might flow from a business failure, and those that flow from either a failure of the corporation’s compliance systems or a disregard for the potential legal and regulatory consequences of a business decision, concerns the way risks and benefits are balanced.
It is never open to a corporate officer to deliberately or recklessly cause or allow the corporation to contravene the law; to do so would be a breach of their duty under s 181(1)(a) of the Corporations Act to ‘exercise their powers and discharge their duties…in good faith in the best interests of the corporation’. 82 Compliance failures in the third group—where the officer has ignored or disregarded the legal and regulatory implications of a decision or action—may breach this duty. Knowingly causing the corporation to contravene the law would make the officer an accessory to the corporation’s contravention. 83 Judicial statements about ‘balancing’ the matters and considerations that influence how an officer responds to a foreseeable risk of harm to the corporation flowing from a compliance failure must be understood in this light.
The Shirt calculus in the law of negligence involves a pragmatic recognition by courts that, in managing foreseeable risk, decision-makers must make resource allocation decisions in conditions of uncertainty. But risk and benefit can rarely be reduced to numbers in a ledger. A local council could manage a foreseeable risk that people might fall from a cliff by fencing off all cliffs, but the cost would be prohibitive, and it would adversely impact on community amenity. Against that, a local council must care about, and guard against, the risk of catastrophic injury to people who come onto its land because those people matter—not just because it wants to avoid damages claims. Similarly, corporate boards and senior executives must care about, and guard against, the risk of regulatory contraventions because contravening the law is wrong and is inherently corrosive to the purpose of a corporation which, as Edelman J points out, is to be used as a ‘vehicle for lawful activity’. 84
In Vrisakis v Australian Securities Commission, Ipp J spoke of the need for corporate officers to balance risk and benefit in conducting legitimate entrepreneurial activity, noting that ‘the question whether a director has exercised a reasonable degree of care and diligence can only be answered by balancing the foreseeable risk of harm against the potential benefits that could reasonably have been expected to accrue to the company from the conduct in question’. 85 In Australian Securities and Investments Commission v Maxwell (‘Maxwell’), Brereton J said that where there is jeopardy to the interests of the corporation because of ‘actual or potential exposure of the company to civil penalties or other liability’ under the Corporations Act, ‘it may no doubt be a breach of a relevant duty for a director to embark on or authorise a course which attracts the risk of that exposure, at least if the risk is clear and the countervailing potential benefits insignificant’. 86
These passages should not be read as contemplating or condoning a deliberate trade-off of a small (but highly likely) compliance consequence and a large commercial benefit. 87 In Cassimatis [No 8], Edelman J said of the passage from Maxwell that ‘[t]he qualification at the end of the paragraph is important’: 88
The reference to ‘at least’ includes the obvious cases of contravention. At the other extreme, there are cases which can be easily excluded. For example, conduct by a director which subsequently causes a corporation to breach the law will not be a breach of a duty of care and diligence merely because it causes the corporation to breach the law if, at the time, no reasonable person holding the director’s office with the director’s responsibilities, acting reasonably, could ever have foreseen that the conduct would cause the corporation to breach the law. 89
There is a commercial ocean between corporate conduct that will obviously contravene the law and individual conduct that no reasonable person in the defendant’s position could have foreseen would cause the corporation to contravene the law. Most stepping-stones cases lie somewhere in between. As Edelman J said, ‘the reference to “balancing” in the assessment of due care and skill in Vrisakis should not be taken literally. The factors to be considered are not to be balanced or weighed as though by a common metric’. 90
The balancing required by the Shirt calculus is undertaken by the court, as the tribunal of fact, to determine what a reasonable person in the position of the officer at the relevant time would have done to manage the foreseeable risk to the corporation of adverse consequences flowing from a corporate compliance failure. It is not a cost/benefit analysis undertaken by the officer, where the ‘cost’ of noncompliance ignores the externalities or the public interest in corporations obeying the law even where it is inconvenient to do so. 91 In the Cassimatis Appeal, Thawley J said:
The balancing exercise is not necessarily confined to commercial considerations or to a comparison of monetary consequences, but extends to considering all of the interests of the corporation, including its continued existence and its interest in pursuing lawful activity. It is to be accepted that companies are often formed and operated to permit the taking of risks that individuals may not be willing to assume themselves and that it is of the essence of commercial activity to take risks. However, it must also be recognised that the company fiction did not evolve to facilitate unlawful risky activity without personal responsibility. 92
As with all cases founded on principles of negligence, the focus must be on evaluating the reasonableness of the officer’s response to the foreseeable risk before the harm materialised. The fact that, in a particular situation, adverse consequences for the corporation from a compliance breach were foreseeable, and that measures were available to avert or avoid them, does not mean the officer was negligent in not implementing those measures. 93 The only question to be answered is whether a reasonable person, in the position of the officer and knowing what they knew or ought to have known at the relevant time, would have implemented those preventative measures in the context of their role, the resources available to them and all the competing calls on those resources.
In the stepping-stones cases, the distinction we drew above—between corporate compliance failures that arise from business plans not coming to fruition and those that arise from disregard of law or failure of a compliance system or control—may be relevant. In Mariner, where the corporation’s breach occurred because of the failure of the planned takeover, Beach J said:
The countervailing benefits to Mariner well exceeded the theoretical risks. The modest financial consequences of these theoretical risks were well outweighed by the benefits that could be achieved by Mariner. The present case is not of a type discussed in Australian Securities and Investments Commission v Cassimatis (2013) 220 FCR 256 at [172] where it was said that to argue that financial benefits could be offset against a possible breach of the law offended public policy. In the present case, the upside benefit was not of a kind where one was profiting from one’s wrongdoing. 94
In the Cassimatis actions, the corporation’s breach was the result of failure to ensure that the service it provided was legally compliant. Storm was a financial advice firm based in Townsville that held an Australian Financial Services Licence (‘AFSL’) issued by ASIC under pt 7.6 of the Corporations Act. Storm recommended a highly-leveraged investment approach to its clients in the years before the GFC; it was accepted by the court that it contravened the financial services laws by recommending this approach to a group of clients for whom it was unsuitable, although Storm itself was never prosecuted. 95 The commercial effect was that Storm profited from selling the Storm model to a wider class of customers than it should have. Greenwood and Thawley JJ in separate judgments upheld the first instance decision of Edelman J that Mr and Mrs Cassimatis, owners and executive directors of Storm, 96 had contravened s 180(1) of the Corporations Act because, through their negligence, they exposed Storm to a foreseeable risk that it would be harmed by regulatory or legal action arising from such a failure. 97
At first instance, Edelman J had concluded that the defendants fell short of the required standard of care ‘by exercising their powers in a way which caused or “permitted” (by omission to prevent) inappropriate advice to be given’, when ‘[t]he consequences of that inappropriate advice would be catastrophic for Storm (the entity to whom the directors owed their duties). It would have been simple to take precautionary measures to attempt to avoid the application of the Storm model to this class of persons’. 98 The defendants’ negligence lay in their failure to take ‘some alleviating precautions to prevent the giving of that advice’. 99
On appeal, Greenwood J held that ‘reasonable directors, with the responsibilities of Mr and Mrs Cassimatis, standing in Storm’s circumstances, ought to have guarded against’ the foreseeable risk of harm to Storm’s interests; 100 his Honour considered that ‘plainly enough the directors could have taken steps to ensure that the subject matter of the advice was properly considered and investigated, reasonable in all the circumstances relevant to each of the individual 11 vulnerable investors, and appropriate to each of them having regard to the consideration and investigation which ought to have occurred but did not’. 101
The balancing exercise undertaken by Edelman J at first instance was between the commercial benefit Storm would derive from selling the Storm model to a wider group of potential clients, and the foreseeable risk of adverse consequences for Storm of being found to have sold to clients for whom the model was unsuitable. 102
In cases where the corporate compliance failure is the result of a business judgment that turned out otherwise than as planned, such as Mariner, the balancing exercise is easier. But in cases where the failure is due to a misunderstanding or disregard by the corporation of the legal consequences of its action, 103 or the failure of a compliance system or control, the balancing may be more nuanced.
III Criticisms
This Part analyses the criticisms of stepping-stones made by Rares J in his dissenting judgment in the Cassimatis Appeal, and broader concerns about the strategy and its potential impact on director behaviour. We focus on five distinct criticisms: that it rests on an ‘arcane theory’ of liability; that it is used as a backdoor method for imposing accessorial liability; that it is contributing to a widening expectation gap over the role of the board; that the cases miss an important step in applying the principles of negligence; and that the prospect of civil penalty liability for negligence is influencing officer behaviour in a way that impacts detrimentally on corporate governance and management.
A An Arcane Theory of Liability
In dissent in the Cassimatis Appeal, Rares J concluded that ASIC’s case employed s 180(1) of the Corporations Act ‘in an arcane and backdoor fashion’, 104 a conclusion with which the other members of the Court disagreed. 105 The strategy is ‘arcane’ in that it requires ASIC to establish a duty ‘not merely to prevent the contraventions of [the relevant law] at all, but to guard Storm against the likely or possible regulatory consequences of the discovery of those contraventions’. 106 For Rares J, the problem for ASIC’s case was that ‘it was unwilling to prove that it would have so acted’. 107 Because the strategy requires ASIC to frame its case in this way, a court must balance the cost and practicality of taking preventative measures against the (secondary) consequences of a corporate compliance breach, rather than the (primary) fact of a breach.
The circularity of the case theory is evident when ASIC has not prosecuted the corporation for the breach. It relies on ASIC alleging that the director failed to act to prevent the breach in the face of a foreseeable risk of material harm, being ASIC’s own assertion that it would have taken enforcement action with serious consequences. The fact that ASIC could have taken such action should not be sufficient to establish a contravention of s 180(1) of the Corporations Act by the director; instead, the theory should require ASIC to prove that it was likely to do so at the relevant time. That ‘proof’ is likely to lack force when ASIC did not in fact take action. Under this theory, the risk the officer must guard against is the risk of detection and enforcement. Taken to its extreme, this would suggest that officers are not negligent in permitting the corporation to contravene the law if they are confident that the corporation’s internal systems make the breach undetectable, or that the regulators are asleep at the wheel, or that any regulatory action is unlikely to harm the corporation.
This is where Rares J took issue with the plurality. His Honour was not satisfied that ASIC had established that it was reasonably foreseeable that the provision of inappropriate advice, where ASIC’s case relied on demonstrating Storm’s contravention in relation to only 11 of its thousands of clients, would have harmful consequences for Storm, and certainly not of the type that would have been ‘catastrophic’. 108
B A Backdoor Method of Imposing Liability
Rares J also concluded that the strategy was ‘a backdoor way of creating liability on Mr and Mrs Cassimatis as accessories to Storm’s substantive contraventions’. 109 Greenwood J and Thawley J disagreed, 110 relying on the frequently cited comment of Brereton J in Maxwell that the directors’ duties provisions ‘do not provide a backdoor method for visiting, on company directors, accessorial civil liability for contraventions of the Corporations Act in respect of which provision is not otherwise made. This is all the more so since the Corporations Act makes provision for the circumstances in which there is to be accessorial civil liability’. 111
The position adopted by the plurality is clearly correct at law—s 180(1) of the Corporations Act does provide a separate and freestanding basis for the state to impose penalties, over and above any private law right of recovery available to the corporation, on officers whose negligent acts or omissions implicate them in corporate compliance failures. But this disregards the broader question of whether the practical effect is to impose accessorial-type liability on those caught up in corporate compliance breaches, including where:
- the corporation has contravened a statutory provision that, on its terms, creates accessorial liability but:
  - the officer’s involvement falls short of that required to establish accessorial liability under the principles of Yorke v Lucas; 112 or
  - the officer has an available defence to accessorial liability but no corresponding defence to an alleged contravention of s 180(1) of the Corporations Act; or
- the corporation has contravened a statutory provision that does not, on its terms, create accessorial liability; or
- the corporate contravention is foreseeable, but it and any consequential harm to the corporate interest do not eventuate or are not proved against the corporation; or
- the corporation has contravened a statutory provision that does not attract, for the corporation, a penalty commensurate with the officer’s penalty for a contravention of s 180(1) of the Corporations Act arising out of the same incident. 113
In the Cassimatis Appeal, Rares J considered it ‘unlikely that the Parliament intended that s 180(1) [of the Corporations Act], as a general provision, would displace, modify or affect a specific statutory duty or power conferred on a director or officer, including a duty to obey, or not to contravene or be involved (within the meaning of s 79) in a contravention of, a specific provision of the Act’. 114 His Honour concluded:
It is important to appreciate that the result at which I have arrived is the consequence of the artificial way in which ASIC sought to establish its case, by inference and not direct evidence, as to what it would have done. That case employed s 180(1) in an arcane and backdoor fashion. ASIC did not seek to prove directly that merely because of Mr and Mrs Cassimatis’ roles, as principals or accessories, in Storm’s actual contraventions of s 945A(1)(b) and (c), they had breached a duty under s 180(1). Instead, ASIC deliberately eschewed such a case and relied on the arcane argument that an indirect consequence of the contraventions was that it was likely that ASIC would have pursued a severe regulatory outcome, when it was unwilling to prove that it would have so acted. 115
Nevertheless, Greenwood J dismissed as misconceived criticisms that stepping-stones gives rise to ‘some sort of dystopian accessorial liability’. 116 This rhetorical flourish, while running a close second to ‘wagyu and shiraz’ as the judicial phrase of the year, disregards the following concerns.
First, it is only because s 180 of the Corporations Act carries a civil penalty for negligence that these cases are run at all. They would not be run if the objective were merely to seek compensation for the company, demonstrated by the fact that ASIC rarely seeks compensation orders in these cases. Instead, s 180 of the Corporations Act gives ASIC an ability to secure penalties in relation to corporate contraventions where the directors have not been knowingly involved in the contravention.
Second, it is only because of the company’s contravention or alleged contravention that the behaviour of the directors is impugned. The stepping-stones cases look to attribute fault to directors with double hindsight bias: first, it is established that the company breached the law or was likely to do so (whether or not the company has been found by a court to have done so) and then, but only then, does the regulator ask the court to consider whether the breach can be attributed to a negligent act or failure by the board. These cases have all the hallmarks of accessorial liability, and the decided cases demonstrate that it is rare for directors to escape stepping-stones liability where they were merely aware or should have been aware of the circumstances in which it was reasonably foreseeable that the contravention would or would be likely to occur, and would cause harm to the company. No actual involvement is necessary: the critical elements of accessorial liability are irrelevant.
Third, these cases create an increased exposure to penalties only for a particular class of individuals. This unique feature of stepping-stones cases cannot be ignored. The law has long-established principles by which individuals can be found directly liable for their involvement in a contravention, either based on fiduciary obligation or under rules applicable to accessorial liability. As a consequence of the stepping-stones cases, the test for individual liability in connection with a breach of the law by a corporation differs depending on the office held. A person who merely breaches a duty of care to the company, thereby causing the company to breach the law and suffer harm, but who is not subject to s 180(1) of the Corporations Act, cannot be penalised by the state. However, if the person is an officer, the lower test of negligence applies with not dissimilar consequences.
Fourth, it is disingenuous to proceed to decide these cases on the basis that responsibility for harm suffered by a corporation as a consequence of a breach of the law is no different from harm suffered by a company as a result of other causes which may be attributed to a breach of the duty of care and diligence by the directors, and therefore that the stepping-stones cases are not actually a form of accessorial liability. The state has determined that it is in the public interest to impose and enforce the law breached by the corporation. It has also determined that it is in the public interest for accessories and defaulting fiduciaries to be accountable for that breach. There is no basis to assert that, with respect to a particular law applicable to the company, the state has determined as a matter of public policy that officers should also be accountable to the state for that breach if caused by negligence short of the requirements of accessorial or fiduciary liability. As noted above, Rares J observed that ‘[i]t is unlikely that the Parliament intended that s 180(1)…would displace…a specific statutory duty…not to contravene or be involved…in a contravention of, a specific provision of the Act’. 117
Fifth, stepping-stones involves ASIC making an ‘end run’ around s 79 of the Corporations Act, and those provisions of the Corporations Act that provide defences to directors who may otherwise have been found to be involved in a company’s contravention, such as s 674(2B). 118
For these reasons, the public interest objectives concerning s 180 of the Corporations Act as a civil penalty provision need to be reconsidered, especially when used to lower the bar for accessorial-type liability of directors and officers for corporate contraventions. Consideration of the public interest, the need for certainty when imposing a statutory norm, and suggestions for law reform, are considered below.
C A Widening Expectation Gap
A separate criticism is levelled at stepping-stones by the business community. It is that the selection of cases by ASIC and the disposition of those cases—particularly in the Federal Court—is contributing to a widening expectation gap over what individual officers can and should do to ‘ensure’ corporate compliance. 119 The gap is between what the community sees as a responsibility of corporate directors and other officers and what an individual officer can practically achieve in relation to compliance. It is acknowledged that boards and senior management are expected to manage non-financial as well as financial risk in corporations; the question is about the actual nature of their respective roles. 120
For example, in a review of board governance commissioned by a major bank in relation to significant breaches of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), released in June 2020, 121 the experienced reviewers 122 said:
Assessing whether a board has done well or poorly is substantially determined by views about what boards can and cannot be expected to do. This is a something of an ‘elephant in the room’ issue. It is rarely discussed but is central to our considerations. And here we see society’s steadily increasing expectations, which are not necessarily well founded, on what boards are set up to achieve… Discussions about the responsibilities of board members rarely touch on what is realistically feasible for them to achieve. In risk management, are they an additional line of defence conducting detailed diligence; or rather a high level overseer of risk management strategy and policy and a high level monitor of risk management competence and effectiveness? To what extent can boards be expected to pick up major mistakes deep inside their company? 123
The question raised by the Board Governance of AML/CTF Obligations at Westpac: The Advisory Panel Review (‘Westpac Review’) panel about the proper role of the board may be intended as rhetorical, but it does point to ongoing confusion in the business community about what the law requires of it. In advising boards, corporate lawyers typically take the view that the board has an active and collective duty of oversight over management’s risk and compliance practices and accountabilities. This is consistent with orthodox guidance for compliance and risk management frameworks, including the ‘three-lines-of-defence’ model. 124 The presence of red or amber flags, indicating for example that a known compliance problem is persisting or that regulators or others have compliance concerns, will trigger the need for more active inquiry and if necessary intervention, including by individual officers. 125
The vulnerability of the oversight governance model is, of course, in the quality of the information flowing to the board. This was identified by the Westpac Review panel 126 and has been a factor in both compliance-related and disclosure-related stepping-stones cases. The extent to which individual officers (particularly non-executive directors) are required to look beyond assurances from management was at issue, for example, in Australian Securities and Investments Commission v Vocation Ltd (in liq) and in Australian Securities and Investments Commission v Flugge & Geary, 127 and is not easily resolved by reference to ss 189 and 190 of the Corporations Act.
For boards and their advisers, part of the problem with stepping-stones as an enforcement strategy is that the decided cases provide little by way of guidance on how directors and officers in general should behave in future. Each decision is highly fact-dependent and idiosyncratic. For example, the degree of control that Mr and Mrs Cassimatis had over the Storm business—which was central to the liability finding—would never be present outside a founder-controlled business. 128 The decision provides no meaningful lessons for the wider director community on what their responsibilities are.
In other words, the stepping-stones cases are often of little precedent value. This leaves the statutory norm inchoate. The duties contained in pt 2D.1 of the Corporations Act, including s 180, derive their content from their general law analogues but have a fundamentally different character. On one view, the ‘duty’ of care in the law of negligence is a principle for the just allocation of loss or damage ex post that incentivises optimal precautions to prevent that loss or damage, not an instruction to a defendant about how to behave in a particular situation ex ante. The transposition of a private law liability principle into a statutory norm is only effective and consistent with the rule of law if the obligation it creates is sufficiently certain that a regulated person can adjust their behaviour ex ante to comply with it. As Lee J recently observed in another context:
Civil penalty provisions are justified on the basis that they prevent or punish public harm. Given that a punitive sanction can flow from a breach of such provisions, one would expect that any norm which, upon contravention, attracts a civil penalty, should be expressed with clarity to ensure that those regulated are left in no doubt as to what they are required to do (or not do). 129
Added to this is a perception that ASIC selects stepping-stones cases based on the notoriety of the corporation’s conduct, rather than the blameworthiness of the individual defendant’s conduct. When, as in the stepping-stones cases arising out of compliance failures at AWB and Storm, the corporation has behaved in a way that attracts significant public opprobrium, ASIC reaches for an action against one or more corporate officers under s 180(1) of the Corporations Act as a basis for satisfying public demands for someone to be accountable, particularly where enforcement action against the corporation itself is not possible. Because a ‘bad’ outcome occurred, the temptation is to formulate the duty of care ‘retrospectively as an obligation purely to avoid the particular act or omission said to have caused loss, or to avert the particular harm that in fact eventuated’. 130 But as Gummow and Hayne JJ point out in a different context in Graham Barclay Oysters Pty Ltd v Ryan, this is ‘of its nature likely to obscure the proper inquiry as to breach’. 131
D A Problematic Application of the Principles of Negligence
A related concern, to which Rares J’s dissenting judgment in the Cassimatis Appeal draws attention, is with the way in which the two constituent parts of negligence—reasonable foreseeability and the Shirt calculus—are addressed by ASIC in their case selection and applied by the Federal Court in its disposition of these cases.
The question of whether the risk was reasonably foreseeable is answered having regard to what the person knew or ought to have known at the time, without the benefit of hindsight. And the risk must be reasonably foreseeable to the defendant. As the Review of the Law of Negligence (‘Ipp Review’) pointed out (in the personal injury context) in 2002, in negligence the concept of reasonableness ‘is concerned with how much knowledge about risks it is reasonable to attribute to people. It does not follow from the fact that someone knows about a risk that it would be reasonable to expect everyone to know about the risk and be able to foresee it.’ 132
Risk management—including compliance risk management—in any corporation requires its officers to make judgments about future matters. Most business transactions and processes carry with them a level of compliance risk, and inherent in that risk is a prospect that the financial or other interests of the corporation would be damaged by a compliance failure. So, the first question—whether a risk of harm to the corporation was foreseeable—is often quite a low bar. 133 But it is a bar nonetheless.
As Rares J points out in the Cassimatis Appeal, the question is whether it was reasonably foreseeable in 2007 that a failure to comply with s 945A of the Corporations Act in respect of a small number of Storm clients would derail the entire business (with or without the GFC). His Honour points to reasons why no reasonable person in the position of the defendants before December 2008 would have foreseen the possibility of ‘catastrophic’ consequences being visited on Storm by ASIC because of the advice failures. 134 And it must be established that a reasonable person in the position of the individual defendant would have known of the facts pointing to this as a risk. His Honour said that:
while Mr and Mrs Cassimatis were responsible by their (unintended) negligence for Storm’s contraventions of [the financial services law], I am not satisfied that a reasonable director in their position in all of the circumstances came under a duty under s 180(1) to prevent the contraventions for the reason that the primary judge found: namely, that ‘the consequences of that inappropriate advice would be catastrophic for Storm’. I am not satisfied that he or she should have perceived a risk, or likelihood, of ASIC taking action to suspend or cancel Storm’s AFSL or the imposition of a banning order and then that he or she should have acted, for that reason, to prevent that action occurring. 135
Crucially, establishing that a risk was reasonably foreseeable is only the first stage of the inquiry. The second part of the inquiry—applying the Shirt calculus—is undertaken once it has been determined that the risk in question was foreseeable. The calculus ‘provides a framework for deciding what precautions the reasonable person would have taken to avoid the harm that has occurred and, hence, what precautions the defendant can reasonably be expected to have taken’, having regard to the four components of the calculus. 136
Here we arrive at the nub of the problem, which is the same one identified by the Ipp Review in the context of personal injury law. It is that courts may jump from deciding that, because a risk was foreseeable, ipso facto it was negligent for an officer not to take precautions against it. The Ipp Review pointed to
[the] danger, perceptible in some judicial pronouncements, that the concepts of foreseeability and probability may be conflated. The problem with this is that a court may jump from the proposition that a risk is foreseeable as a not insignificant possibility, to the conclusion that the reasonable person would have taken precautions against it. But…foreseeability is merely a precondition of liability for negligence. The fact that a risk is foreseeable (even as a not insignificant possibility) does not, by itself, justify the conclusion that the reasonable person would have taken precautions against it. 137
In the corporate context, the concern is that the regulators and the courts are increasingly falling into this trap in the stepping-stones cases. The allegation that a corporation may have contravened the law, if accepted by the court, is used as a basis to conclude that such a contravention (and the resulting detriment to the corporation) must have been foreseeable to the defendant. And this is bootstrapped into a conclusion that failure to take measures to avert the risk was negligent, without the regulator (in deciding to instigate civil penalty proceedings) or the court (in deciding whether to make a declaration of contravention) paying proper regard to the Shirt calculus.
E Civil Penalties for Negligence
Finally, stepping-stones raises the policy question of whether it is appropriate to include s 180(1) in the civil penalty regime created by pt 9.4B of the Corporations Act.
The history of the Australian statutory duty of care is reviewed by Edelman J in the Storm directors’ duty litigation at first instance 138 and in the case law and scholarly work to which his Honour refers. 139 The possibility of state sanctions—first criminal, then criminal and civil—for breach of the duty of care dates back to the Companies Act 1958 (Vic); criminal penalties were removed as part of a broader project to simplify the law in 1999. 140 As a result of the imposition of state sanctions, the duty of care imposed on corporate officers is, as Greenwood J observes in the Cassimatis Appeal,
While it is true that s 180(1) is a public duty and has been for many years, this is a different question from whether it should be. Certainly, it makes Australia a corporate law outlier. 142 Failure to take care in other occupations or fields of private endeavour does not usually attract a state sanction, at least in the absence of a positive ‘reasonable steps’ requirement to achieve a particular outcome, such as compliance with a specified law. An officer cannot insure against, or be indemnified for, a civil penalty incurred for a contravention of s 180(1) of the Corporations Act. 143 And courts do not treat honesty or good faith as a basis for excusing a negligent director under s 1317S of the Corporations Act. 144
There are a variety of possible rationales for allowing public enforcement action against individuals implicated in corporate wrongdoing, ranging from specific or general deterrence to ‘just deserts’. 145 Civil penalties are typically used in relation to behaviours that are considered serious enough to justify public sanctioning, but not the opprobrium of a criminal conviction—the primary focus is on deterrence. 146
Civil penalty provisions involve the use of the powers and resources of the state to prosecute individuals without those individuals having the benefit of the full rights, privileges and protections provided by the criminal law. 147 As the ALRC observed in 2015, ‘[a] person may be denied their criminal process rights where a regulatory provision is framed as a civil penalty, when it should—given the nature and severity of the penalty—instead have been framed as a criminal offence’. 148 If an officer is found, on the balance of probabilities, to have contravened a civil penalty provision and the contravention is serious, significant penalties (against which the officer cannot be insured) can be ordered, along with disqualification from holding corporate office. For individuals the subject of civil penalty proceedings—regardless of whether they are eventually found to have contravened the law or have a pecuniary penalty imposed—the detrimental financial, professional and personal impact of the proceedings (which typically take many years to resolve) is very significant.
Deciding whether breach of an officer’s duty of care should attract state sanctions—and not just liability to the corporation for any loss that results under the corresponding general law duties—involves weighing considerations of fairness and efficacy. Some argue that ‘there is a need for public enforcement of the duty of care and diligence, the adequate enforcement of which performs a critical function in maintaining good standards of corporate governance’. 149 This argument is supported by evidence that s 180 of the Corporations Act is enforced by ASIC more often than other director liability provisions, and more often by ASIC than private plaintiffs. 150 This may be true, but it does not answer the policy question. The policy question is whether, by bringing these enforcement actions arising out of s 180 of the Corporations Act, the regulator is improving the governance of Australian corporations overall. Research by the Australian Institute of Company Directors recently found that:
Directors continue to feel negative about the impact of legislation on director liability in the second half of 2019. 36% of directors feel that it has negatively affected their business decision-making, 40% on their willingness to continue on a board and 50% on their willingness to accept new board appointments. 70% of directors agree there is a risk-averse decision-making culture on Australian boards, and the main reason for this is the excessive focus on compliance over performance. 151
This suggests that the effect is otherwise, and that the perceived risk of facing a stepping-stones action (which may take many years and extract a significant financial and personal toll) is interfering with good governance.
IV A Legislative Alternative
Stepping-stones is concerned with whether, and if so on what basis, an individual officer of a corporation should be exposed to a civil penalty 152 when their corporation breaches or may breach a regulatory or disclosure requirement contained in a substantive Commonwealth law.
Because s 180(1) of the Corporations Act is a civil penalty provision, it provides a basis for ASIC to hold individual officers to account in connection with corporate compliance breaches where the statutory requirement does not provide for accessorial liability or where the individual officer’s involvement in the breach, while negligent, fell short of the level of culpability required to establish accessorial liability.
The attraction to ASIC is obvious. Over the last decade, ASIC’s enforcement of s 180 of the Corporations Act as a civil penalty provision has been limited 153 to stepping-stones situations—it has not extended, for example, to wealth-destroying business ventures negligently embarked upon. Probably (although not explicitly), this reflects the broader public interest that arises in the stepping-stones context, in corporations being law-abiding. It also reflects the fact that business judgments, even those that turn out badly, are protected by the safe-harbour in s 180(2) (although imperfectly, given that the burden of proof in establishing the elements of s 180(2) falls on the defendant). 154
However, for the reasons explored in Part III, we think the enforcement strategy is problematic and is having an adverse impact on Australian corporate governance. Various suggestions for reforming the liability regime for corporate officers have been made over the years. These include clarifying or expanding the business judgment rule so that it covers commercial judgments in relation to compliance or disclosure matters, creating a general ‘honest and diligent director’ defence and extending the exoneration provision in s 1317S of the Corporations Act. 155
In this Part, we propose an alternative that provides a more comprehensive response to the problems identified in Part III. It is to remove s 180(1) from the civil penalty regime, and instead create a ‘reasonable steps’ obligation based on s 344 of the Corporations Act for officers to ensure that their corporation complies with specified Commonwealth laws.
We have argued before that s 180(1) ought not be a civil penalty provision and remain of that view, 156 noting that the option was raised but dismissed by the ASIC Enforcement Review in 2017. 157 If this suggestion were adopted, even without including a new reasonable steps provision, an individual officer would still be exposed to potential accessorial liability for corporate crimes and for all other corporate contraventions where Parliament has decided to impose it, including for involvement in corporate contraventions of many civil penalty provisions. 158 An officer would also continue to face potential civil penalty liability where their conduct contravened other relevant provisions of pt 2D.1, including s 181, which requires the officer to exercise their functions and discharge their duties in good faith in the best interests of the corporation and for a proper purpose.
However, we recognise that this reform would leave regulators without a standalone basis to penalise a corporate officer for failing to take care to ensure the corporation complies with applicable Commonwealth law, which is clearly in the public interest. 159 In its Discussion Paper 87, the ALRC proposed in relation to corporate executives that where they ‘have clear responsibilities to prevent corporate misconduct, and where the relevant individuals fail to take reasonable measures to do so, they should be personally liable’. 160
Given that ASIC has demonstrated little or no appetite for enforcing s 180(1) of the Corporations Act as a civil penalty provision outside the stepping-stones context, 161 indicating it sees no pressing public interest in doing so, this adjustment to the present liability settings seems worthy of consideration. ASIC’s other enforcement rights, and the corporation’s private enforcement rights, would be unaffected by the proposed change.
This leaves the replacement ‘reasonable steps’ provision to be formulated. One option, based on s 344 of the Corporations Act, is a provision to the effect that:
A director or other officer of a corporation contravenes this provision if they fail to take reasonable steps to secure compliance by the corporation with a relevant Commonwealth law and it is proved that:
(a) substantial harm to the corporation as a consequence of the alleged contravention by the corporation was reasonably foreseeable by the officer at the time of the alleged contravention; and
(b) a reasonable person in the position of the officer would have taken steps to secure compliance, having regard to: the probability that the harm to the corporation would occur if care was not taken; the likely seriousness of that harm; the burden of taking precautions to avoid the harm; and the social utility of the risk-creating activity; and
(c) the corporation contravened a relevant Commonwealth law, to the standard required to penalise the corporation for that breach.
‘Relevant Commonwealth law’ should be defined for this purpose as any law of the Parliament of Australia that, if contravened by the corporation, would attract a criminal or civil penalty; it is deliberately framed to extend beyond legislation administered by ASIC. Like s 344(1), the provision would be a civil penalty provision, and could go on to provide (like s 344(2)) that ‘[a] person commits an offence if they contravene subsection (1)…and the contravention is dishonest’.
This drafting also addresses, in para (b), the problem of the content of the rule—in other words, the nature and extent of the ‘reasonable steps’ obligation—which is necessary in view of the risk of regulators and courts falling into the same error in the corporate context as was identified by the Ipp Review in the personal injury context two decades ago. The proposed para (c) requires the corporate breach to be proved to the relevant standard. If the breach cannot be proved, even after the event, this suggests that the problem may not have been reasonably foreseeable.
Only ASIC could institute proceedings for a breach of this provision, which would carry a civil penalty but not a liability to compensate the corporation or third parties (noting that the corporation retains its private rights to enforce the duty of care against the officer in this context). The burden of proof to establish all elements of a breach would lie with ASIC.
If this approach is adopted, a separate question arises concerning to whom the rule should apply. It may be appropriate, for example, to extend the rule to senior managers within the scope of their operational responsibilities in a manner that reflects the BEAR and the recommendations of the ALRC referred to above.
V Conclusion
As we observed at the outset, Australian corporate law has struggled to articulate the proper basis upon which directors and other corporate officers ought to be exposed to civil penalties and other state sanctions when their action or inaction risks their corporation contravening the law. Section 180(1) of the Corporations Act has provided a fortuitous but imperfect means by which the regulator and the courts can satisfy the public appetite for individual accountability for corporate compliance failures by imposing penalties on individual directors and officers in these circumstances. However, the lack of clear judicial guidance on the nature and extent of a board’s collective duty of oversight 162 arising out of, and consistent with, the general negligence standard limits the effectiveness of stepping-stones as a principle to guide board behaviour ex ante. Section 180(1) of the Corporations Act was not devised to address the public interest in corporate compliance, and the longstanding issues discussed in this article demonstrate its shortcomings.
Modest law reform along the lines proposed in Part IV, based on concepts used in existing provisions of the Corporations Act, can address these issues. This reform can also provide the certainty required of a statutory norm and clarity for directors and officers of Australian corporations.
