ASIC’s enforcement toolbox: breach reporting and infringement notices create the perfect storm

17 December 2021
Matthew Bode, Partner, Brisbane

In the wake of our previous article on the introduction of Mandatory Breach Reporting for Australian Financial Services (AFS) and Australian Credit (AC) licensees, these obligations have now been in force for a couple of months. Due to these changes, most licensees that we interact with have experienced a very large increase in the volume of their reportable breaches. In the wake of this influx, ASIC is likely to be more active than ever – and they have an extensive toolbox of enforcement options at their disposal.

Due to its flexibility and ease of use, one of the enforcement tools that ASIC has the potential to utilise to a greater extent than Court action is infringement notices. Infringement notices are strict liability offences that are easy for ASIC to issue – essentially, expensive parking tickets. These enable ASIC to hand out fines that act as a strong punitive measure and deterrent to misconduct.


Following the Financial Services Royal Commission, the Treasury Laws Amendment (Strengthening Corporate and Financial Sector Penalties) Act 2019 (Penalties Act) was introduced. This increased the financial exposure of both individuals and corporations by consolidating the penalty frameworks in many of Australia’s most significant pieces of legislation[1], and broadening the scope and severity of their civil penalty provisions.

One of ASIC’s primary enforcement mechanisms as a Government regulator is to use its enforcement powers as a punitive measure and corrective tool to deter misconduct. The introduction of mandatory breach reporting coupled with ASIC’s enhanced enforcement powers combine to create a varied enforcement toolbox. The Penalties Act also expanded the existing infringement notice regime.

Infringement Notices

If on reasonable grounds, ASIC believes that an individual or corporation has contravened a provision subject to an infringement notice, they can issue an infringement notice for the alleged contravention. All strict and absolute liability offences, prescribed offences and civil penalty provisions are subject to an infringement notice. ASIC has the discretion to issue these notices on a strict liability basis – no defence or challenge can be raised. The notice penalty must be paid, otherwise the business risks ASIC rescinding their licence as a worst-case scenario.

For most offences, including strict and absolute liability offences, the maximum penalty will be half of the pecuniary penalty for the relevant offence.[2] ASIC will issue notices with a maximum penalty of 12 penalty units for individuals and 60 penalty units for corporations for contraventions of civil penalty provisions.[3] Under the NCCP Act, the maximum penalty issued under an infringement notice is one fifth of the pecuniary penalty for the relevant offence, and 50 penalty units for individuals and 250 penalty units for bodies corporate for breaches of civil penalty provisions.[4]

Of the hundreds of civil penalty provisions scattered throughout key credit and financial services legislation, the following are examples of breaches that must be reported to ASIC. If ASIC has reason to believe that they have been contravened, penalties will be payable under an infringement notice. They may not be liable to be prosecuted in a court or for a pecuniary penalty for the alleged contravention.[5]

  • Governance failures in a responsible entity – If a licensee is a responsible entity of a registered MIS and becomes aware that in exercising its powers and carrying out its duties as responsible entity it has not complied with the compliance plan for the registered scheme – $2,222.[6]
  • Quality of advice and failure to act in interests of the client – A licensee identifies that four of its representatives have failed to comply with their best interests duty and duty to provide appropriate advice to multiple clients. As a result, the licensee is in breach of its obligation to take reasonable steps to ensure that its representatives comply with the best interests duty – $2,664 – $13,320.[7]
  • Charging prohibited fees to a debtor – A credit licensee conducts a review of its credit contracts and identifies that it is imposing a fee or charge that is prohibited. The licensee must report this to ASIC, even if the fee or charge is only imposed on one debtor – $11,100 – $55,000.[8]
  • Trust account obligations – If a credit service licensee withdraws money from their trust account for the purpose of paying a person who is not lawfully entitled to receive that money – $222,000.[9]
  • Financial records – If a credit service licensee that is required to make a financial record, fails to retain that record for seven years after the transaction is completed – $222,000.[10]
  • Failure to notify ASIC of changes in key persons – If a licensee is required as a condition of its licence to report to ASIC when a person ceases to be an officer or perform duties on behalf of the licensee, and it fails to inform ASIC within the required time period and lodge information in relation to the replacement of that key person – $2,664 – $55,500.[11]

Individual breaches, such as disclosing incorrect information to a customer over the phone or a system error which results in an annual statement being sent to a client that is inaccurate by $10, are not likely to be pursued by ASIC by way of an infringement notice. However, if there are multiple reports of a similar breach, it may become apparent that the licensee can no longer comply with your obligations under the financial services laws or credit legislation. Frequent breaches will increase the likelihood of ASIC issuing infringement notices to penalise this conduct, as the seriousness of the suspected misconduct is of a greater magnitude, and the licensee has arguably not engaged in appropriate conduct after the alleged contravention(s) occurred. As a result, the following are examples contraventions which may be subject to an infringement notice.

  • Obligation to have adequate resources to provide financial services covered by your licence – $2,664 – $13,320.[12]
  • Obligation to have adequate arrangements to ensure compliance with your general obligations – $222,000.[13]
  • Obligation to have adequate risk management systems and adequate resources to provide credit activities covered by your licence – $222,000.[14]

Each of the examples mentioned are contraventions of the relevant provisions and must be reported to ASIC. Failure to do so could potentially result in an infringement notice. It is important to reiterate that these are strict liability offences that will be issued quickly. See our breach reporting article here.

Civil Penalties

Following the introduction of the Penalties Act, ASIC has had the ability to impose civil penalties for failing to report a breach. Civil penalties for individuals, are up to 5,000 penalty units (currently $1.11 million), and the highest of 50,000 penalty units (currently $11.1 million), three times the benefit obtained, and detriment avoided, or 10% of annual turnover (capped at 2.5 million penalty units or $555 million) for body corporates for each civil penalty provision.

Further Enforcement Powers

While daunting, the above penalties are not the extent of ASIC’s enforcement powers. In the event of serious or serial misconduct by a licensee, ASIC may resort to imposing conditions on an AFS or AC licensee, or even suspend their licence.

For example, in recent breaches of client money handling provisions by AFS licensees, ASIC has imposed licence conditions including:

  1. a requirement to appoint an independent expert to conduct a review to assess the company’s ongoing ability to comply with client money requirements;
  2. a requirement that Senior Executive and non-executive board members provide attestations to ASIC;
  3. a requirement that the licensee maintains a minimum number of full-time compliance staff for a certain time period; and
  4. a requirement to appoint an independent expert to review compliance procedures and controls, and to implement the expert’s proposed remedial actions.

Licence conditions of this nature will necessitate greatly increased expenditure on compliance and remediation, and may also result in the licensee having to alter its business practices to adapt to newly imposed licence requirements.

A step further than this is the consequence that every licensee must attempt to avoid at all costs, a suspension or revocation of their licence. Due to the highly regulated nature of the credit and financial services industries in today’s world, this essentially acts as a serious blow to any business, as continuing in the industry without the appropriate licence is impossible.

Next Steps and Practical Guidance

Due to the powers available to ASIC, and the likelihood of them being utilised more due to the volume of reporting that is likely to occur, it is more important than ever for AFS and AC licensees to have adequate systems in place to ensure they are compliant with breach reporting requirements. This includes measures such as ensuring robust arrangements are in place with all persons acting on behalf of the licensee including authorised representatives and credit representatives, implementing a training scheme for employees to ensure they are aware of the circumstances that may cause a breach to occur, and having robust policies and procedures in place to assign processes, roles and responsibilities within the business.

If you found this insight article useful and you would like to subscribe to Gadens’ updates, click here.

Authored by:
Freda Zacharia, Senior Associate
Cameron Jones, Graduate
Georgia Bunz, Vacation Clerk


[1] Corporations Act 2001 (Cth) (Corporations Act), ASIC Act 2001 (Cth) (ASIC Act), National Consumer Credit Protection Act 2009 (Cth) (NCCP Act) and Insurance Contracts Act 1984 (Cth).

[2] Corporation Act s1317DAP(2)(a).

[3] Corporation Act s1317DAP(2)(c).

[4] NCCP Act s288L.

[5] Corporation Act s1317DAP(1)(i).

[6] Corporations Act ss601FC(1), 1311F, 1317DAP(2)(a).

[7] Corporations Act ss961L, 1317DAP(2)(c).

[8] National Credit Code s23(1); NCCP Act s288L(s).

[9] NCCP Act ss99, 288L(s).

[10] NCCP Act ss95, 288L(s).

[11] Corporations Act ss912A(1)(b), 912D(5), 1317DAP(2)(c); NCCP Act ss47(1)(c), 50A(5), 288L(s).

[12] Corporations Act ss912A(1)(d), 1317DAP(2)(c).

[13] NCCP Act ss46, 47(1)(k).

[14] NCCP Act s47(1)(l); Corporations Act s912A(1)(h).

This update does not constitute legal advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of the content.

Get in touch