
Some practical lessons on the regulatory “wildcard” – the efficiently, honestly and fairly obligation

Section 912A of the Corporations Act 2001 sets out the “ten(ish) commandments” for AFS licensees, the first of which is the obligation for a licensee to do all things necessary to ensure that financial services covered by its licence are provided efficiently, honestly and fairly (“the EHF obligation”).

Despite being the first on the list, the EHF obligation has earned the reputation of being one of the most unclear and elusive commandments.  Defining what compliance looks like – and on the flip side, what a breach looks like – is not always clear.

Nonetheless, recent regulatory actions have shown that ASIC has not been shy about cracking down on licensees for alleged breaches of this “first commandment”.  This article highlights some ASIC and other court actions in the past 18 months and the practical lessons to be learned from them.

Lesson #1: The EHF obligation is a separate, standalone obligation

While a breach of the EHF obligation is often coupled with other contraventions of the Corporations Act, such as the misleading or deceptive conduct provisions, more recent case law has demonstrated that it can be breached even where there is no contravention of an existing duty or obligation.

One key takeaway should be made clear from the outset: the requirement to provide financial services efficiently, honestly and fairly is not just a “mission statement” for good corporate governance; it is a standalone, civil penalty provision actionable in court, and one of ASIC’s favourite weapons in its arsenal.

In April 2024, the Federal Court ordered Macquarie Bank to pay a penalty of $10 million for failing to have effective controls to detect and prevent unauthorised fee transactions conducted by third parties, following a finding that Macquarie breached the EHF obligation.  This was a rare but noteworthy example of ASIC bringing an action (and winning) on the basis of a breach of the EHF obligation alone, as opposed to the more usual case of the EHF obligation being tacked on to a list of other obligations which ASIC alleges have been breached.  More recently, in December 2024, ASIC’s action against HSBC Bank for failing to adequately protect consumers from scams raised further alarm bells for licensees as it alleged that HSBC’s conduct breached the EHF obligation even where no other provision in the Corporations Act had been breached.  See our article here which summarises how ASIC’s allegations demonstrate its willingness to utilise the obligation as the regulatory “wildcard”.

Further, while it is still unclear whether the EHF obligation should be interpreted compendiously or whether it imposes three standalone obligations, recent judicial commentary suggests that the duty comprises three separate obligations, so that a failure to discharge one – for example, providing services honestly and fairly, but not efficiently – could lead to a finding that the entire EHF obligation is breached.

What does this mean for licensees practically?  Licensees should not only ensure that they have in place effective compliance policies for more specific obligations, such as managing conflicts of interest, risk management, complaints handling and complying with financial services law, but should also develop a separate, equally robust compliance framework for the EHF duty, so that this obligation is not overlooked simply because of its seemingly vague or uncertain application.  For example, a separate item should be included in compliance checklists on whether the financial services are, among other things, being provided without undue delay, without systemic errors and with sufficient consumer protections against fraud in place.

Lesson #2: Prevention and remediation are key

As mentioned, compliance with the EHF obligation, and the threshold for breaching it, is not always clear.  However, one thing remains crystal clear from recent cases.  The standard is not perfection.

Compliance with the EHF obligation does not “require commercial perfection whereby any possibility of error or mistake is eliminated”.[i]  Licensees should rest easy knowing that all they can do to comply with the “first commandment”, and all they are expected to do, is to implement robust processes and procedures that prevent bad things from happening and, if those bad things happen, to remediate and reassess their processes so that those things are unlikely to happen again.

ASIC and the courts are not finding EHF breaches on the basis of a single error, a single transaction or a single oversight.  Breaches are more often being alleged and found where licensees fail to implement effective compliance frameworks leading to systemic errors, systemic failures to detect and prevent fraudulent or illegal activity, or systemic delays.  For example:

Further, the above cases also demonstrate that a licensee is more likely to breach the EHF obligation where the licensee learns of, or ought to have learnt of, the error and does not take steps to rectify or remediate.  The existence of a “reasonably suitable remediation program” is relevant to whether a breach has occurred.[ii]  For example, ASIC took action against HSBC on the basis that it did not investigate customer reports of unauthorised transactions within the required timeframes and did not promptly reinstate their banking services.

Given that the standard is not perfection, having robust prevention and remediation frameworks is key and is all that is expected of licensees under the EHF obligation.  Licensees are less likely to breach the EHF obligation when they have systems in place to mitigate against errors, delays, potential breaches of the law and fraudulent activity, and where they have in place ways to monitor for these systemic issues.

Where an incident or breach of the law does occur, licensees should also not be too quick to write it off as having occurred due to “human error”.  Licensees should do a deep dive into their existing controls and systems, ask whether the incident or breach was preventable, and implement the measures needed to strengthen their compliance frameworks.  After all, the use of the word “ensure” has been stated by the court to impose a forward-looking obligation on licensees to ensure that financial services covered by the licence are provided efficiently, honestly and fairly.[iii]

Lesson #3: Consider community expectations

Recent breaches (and alleged breaches) of the EHF obligation have included:

  • misclassification of clients as wholesale (where these clients are entitled to certain consumer protections as retail clients)
  • failure to have adequate measures in place to protect consumers from scams
  • systemic claims handling failures leading to significant and widespread delays for clients
  • charging clients fees which the licensee is not entitled to charge, and failing to disclose this to clients
  • failure to protect clients from unauthorised fee withdrawals conducted by third parties
  • poor vulnerable client treatment.

What do these all have in common?  A focus on consumer protection.

A third lesson from recent ASIC and court actions is that breaches (alleged or proven) tend to be due to poor client treatment, and that ASIC and the courts are influenced by community (or clients’) expectations of how the licensee would provide financial services given its size, reputation and role in the Australian market.

Licensees should, therefore, pause and reflect on the following questions: If the roles were reversed and I was my own client, would I be happy with the financial service I am receiving?  Does it adhere to community standards of competence, commercial morality and ethics?  Would I think it is being performed efficiently, honestly and fairly, in accordance with reasonable community expectations?  Licensees should review their policies, processes, disclosures, targets and timelines for providing their service – all from a client’s perspective, to assess whether anything falls below the “community expectations” line.

Lesson #4:  The EHF obligation extends to your overseas activities

A fourth and final lesson from the recent Federal Court finding against Union Standard International Group Pty Ltd is that the EHF obligation extends to a licensee’s overseas activities.  The court confirmed that the general obligations of licensees are not limited to financial services provided to customers in Australia, confirming ASIC’s warning in 2019 that CFD issuers who were breaching overseas law were also potentially breaching the EHF obligation.  The case confirms that the EHF duty applies to “an infinite variety of corporate delinquency and self-interested commerciality”.[iv]  This duty just keeps on getting broader.

If you have overseas customers – that is, if you accept, onboard or solicit overseas customers – ensure that you have obtained legal advice in the relevant jurisdiction and that you are complying with any local registration or licensing requirements that may apply.  Where you offer financial services (which can include marketing your products) in overseas jurisdictions and fail to comply with local law, this will also lead to a breach of the EHF obligation.

Holley Nethercote has established an international network of referral partners and has helped clients obtain legal advice on offering financial services to clients in other jurisdictions from overseas law firms.  If you require advice on your overseas clients or activities, do not hesitate to reach out to us.

Author: Ellie Khor (Lawyer)

[i] Australian Securities and Investments Commission v National Australia Bank Limited [2022] FCA 1324 at [357].

[ii] Australian Securities and Investments Commission v National Australia Bank Limited [2022] FCA 1324 at [373].

[iii] ASIC v CBA [2022] FCA 1411 at [156].

[iv] Australian Securities and Investments Commission v Union Standard International Group Pty Ltd (No 4) [2024] FCA 1481 at [1799].