Effective compliance: Perspectives from the regulator

Speech by ASIC Chair Joe Longo at the Australian Compliance Institute Annual Conference, 17 September 2024.

Key points

  • More than ever, compliance professionals can play a strategic role in the boardroom.
  • Written policies and procedures provide the framework for compliance. Systems, processes, and technology can be used to underpin and support compliance. But compliance in practice requires a culture of integrity, ethics, and trust.
  • It’s the role of the directors of a company to set the tone, establish and lead a culture of compliance. This includes monitoring the arrangements the company has in place to ensure compliance with regulatory obligations.

Check against delivery

I begin today by acknowledging the Wurundjeri people, traditional custodians of the land on which we gather today, and pay my respects to their Elders past and present. I extend that respect to Aboriginal and Torres Strait Islander peoples here today.

The British philosopher Bertrand Russell once said that ‘we have, in fact, two kinds of morality, side by side: one which we preach, but do not practise, and another which we practise, but seldom preach.’

It’s the job of every compliance professional in the country to prove Russell wrong – every day. Because, when not taken seriously, compliance can devolve into mere lip service, where what is practised isn’t preached, and what is preached isn’t practised.[1]

On the other hand, when true compliance is present, we see alignment between what is preached and what is practised. What is true compliance? It’s a culture of compliance built on integrity, trust and ethics in how people work – and not simply legal compliance with the rules. When there’s alignment between what’s preached and what’s practised, it’s much easier to nurture trust by consumers and investors. And without that trust as a foundation, the tower of business comes toppling down. That’s why, as I’ve said before,[2] a profitable business is – and must be – a compliant one.

So the role of a compliance professional is a critically important one. You are part of the fabric of the business – not only to help your organisation meet its legal obligations, but to help create an ethical culture, where employees act in the best interests of its customers. Viewing compliance through this lens means it’s about more than meeting obligations – it’s about meeting, even exceeding, expectations – both investor and societal.

I would like to talk to you today about your roles as compliance professionals – what that means in practice, and how those roles can be most influential, rewarding and effective. A fundamental element of this is the need to keep an open and curious mind – one that asks questions, and never stops learning. This approach enables the compliance professional to play a key strategic role in the boardroom, and this should be everyone’s objective.

I will finish with some remarks on a number of key areas of focus for ASIC – and for you, in your roles as compliance specialists.

The changing face of compliance

Let’s face it: the items stacked on the compliance professional’s desk have dramatically multiplied in the last five to 10 years. Rapid advances in technology present enormous opportunities, but also increasing risk of scams and cyber-attacks. The growing global consensus on sustainability issues is reflected in Australia in the recent passing of a bill on mandatory climate-related reporting. This, too, is but one part of a larger ESG picture.

I think it’s fair to say that the demands and expectations on compliance professionals are growing exponentially. Regulatory expectations are becoming ever more complex and nuanced.

In a recent global survey of Chief Compliance Officers, KPMG found that 84% expected to face increasing regulatory expectations and scrutiny in the next two years. 34% say new regulatory requirements are the biggest compliance challenge, followed by data analytics (30%). 36% rate cybersecurity as their top compliance improvement priority, followed by data privacy (35%). 41% say ESG compliance programs are still in the planning and development stage.[3]

ASIC is of course keenly aware of the impact of law reform and new regulatory requirements on business and markets. This is why, as industry adjusts to new requirements, our approach to supervision and enforcement during the transition phase of any implementation has generally been pragmatic and proportionate.

And from the perspective of a compliance officer, when confronted with such a wide range of ever-changing issues, it’s helpful to return to the essential functions of a strong, fit-for-the-future compliance function.

It’s the role of the directors of a company to set the tone, establish and lead a culture of compliance. This includes monitoring the arrangements the company has in place to ensure compliance with regulatory obligations. But it’s the compliance professionals who are closer to the nuts and bolts of how the business runs. They actually do the work to support and implement those arrangements.

They’re the ones who can first spot the risks, and propose how to manage them – in a way that is commercial, legal, ethical, cost-effective and forward-looking – in consultation with the board and others. They’re the ones who work with management to implement the systems and controls, and see that they’re followed. And they’re the ones who communicate with and report to the board, calling out what’s working and what’s not, so that the board can hold management accountable.[4]

And to do this effectively takes more than just a checklist approach. An effective regulatory compliance program must reflect the organisation’s key values and ethos – and focus on putting customers at the centre of how the organisation operates.

The need for a curious mind

A compliance professional is, in essence, a gatekeeper – a trusted adviser to the board, relied on for well-thought-out advice.

Public accountability for compliance will naturally fall on the directors. And one way for them to meet these expectations is to rely on the advice and performance of the compliance professionals in their organisation. Good advice and good service from you will protect the organisation from financial and non-financial risks – improve its operations – and uphold its reputation.

As compliance continues to be a key focus for directors, and a significant part of any meeting of directors, the strategic role of compliance professionals becomes more important.

In Australia, we’ve seen large, well-resourced businesses that have compliance systems and processes in place. And still, they’ve failed to prevent the very issues they were designed to avoid. Why? Because regulatory compliance was undermined by the culture and ethics of the organisation. They had the appearance of compliance – but it was a hollow, empty kind of compliance.

Written policies and procedures provide the framework for compliance. Systems, processes, and technology can be used to underpin and support compliance. But compliance in practice requires a culture of integrity, ethics, and trust.

So, what are the elements of such a culture? It is all about asking the right questions.

There’s no rule book that maps out every step of every response in every possible circumstance. What’s needed is an attitude of compliance, based on a curious mind that asks the right questions. Questions like: What are our obligations? What are the risks? How can we manage them? What systems and controls should be in place to ensure we meet our obligations? Is what we are doing both legal and ethical? How can we make sure they’re being followed? Do I have an open line to the board? Am I keeping them informed?

Asking these – and other relevant – questions presents you as compliance professionals with an opportunity: the opportunity to take what you’re seeing, and influence your organisation to improve its performance. But this can only happen when you remain firmly committed to questioning and challenging management – and to continually upskilling and learning to ensure peak performance.

Key areas of focus for ASIC

So, if the role of the compliance professional is a complex one that requires alertness at all times to the myriad issues of the day – what are some of the issues that are – or should be – currently on your radar?

Perhaps the first to come to mind is mandatory climate reporting, which will, following Royal Assent, become the law. Compliance teams will obviously play a crucial role in ensuring that their organisations are able and ready to meet these new reporting obligations.

As I have previously observed, the introduction of a compulsory climate risk disclosure regime is the biggest change in Australia in financial reporting and disclosure standards in a generation.

We know these reporting standards are new and that some disclosures are novel – perhaps more forward-looking than those required to be disclosed under other periodic financial reporting obligations.

We also know there will be a period of transition as industry continues to build capability and implements the organisational changes that will be required to comply with the regime. We understand this. This is why, as I said before, we will be taking a ‘proportionate and pragmatic’ approach to the supervision and enforcement of the regime while industry adjusts to these new requirements.

In this regard, entities may wish to consider utilising existing processes and procedures that have likely been refined over many years to prepare and verify financial reporting disclosures. Consider the extent to which sustainability reporting disclosures can be integrated into existing risk and compliance measures. This applies to all entities that will eventually be captured by this regime – start engaging with these new obligations early, so you can be prepared when the time does come for you to lodge your first report.

Now to our work on greenwashing – and here I want to draw a distinction between ASIC’s enforcement approach to the new mandatory climate reporting regime, and our enforcement approach to misleading and deceptive greenwashing misconduct.

Our greenwashing work involves a focus on sustainability statements being made voluntarily by entities about their green credentials. As I’ve said many times before, this work is based on the longstanding prohibition against misleading and deceptive conduct and comes back to ensuring that you do what you say you are going to do.

As Justice Horan stated in his judgment on the Mercer Superannuation case, ‘it is vital that consumers in the financial services industry can have confidence in ESG claims made by providers of financial products and services [...] Any misrepresentations in relation to ESG policies or practices associated with financial products or services, whether as an aspect of “greenwashing” practices or otherwise, undermines that confidence to the detriment of consumers and the industry generally.’[5]

Another critical issue for all of us – government, business and regulators – is of course technology, and in particular AI. As it rapidly reshapes so much about the way we work, the responsible development and ethical use of AI is increasingly urgent and critical. We need a strong regulatory framework to steer the course of AI toward safe and responsible development and use, and we’re taking small steps in this direction.

At ASIC, our focus is on the range of risks associated with the use of AI that arise in financial services and markets. These include risks around bias and discrimination, loss of privacy, misinformation and disinformation, lack of explainability and transparency, unethical conduct and copyright issues. Safe and responsible use of AI can only be realised through strong governance, transparency and accountability, including human oversight, as well as robust information security to protect data and privacy.

But we’re not working from a blank sheet of paper. Existing laws and guidance apply to protect consumers and investors and don’t change with new technology. Businesses and individuals who develop and use AI are already subject to various Australian laws. These include laws relating to privacy, online safety, directors’ duties, AFSL obligations, corporations, intellectual property and anti-discrimination, which apply to all sectors of the economy.

But, of course, this is a changing space. Recently the Department of Industry, Science and Resources issued a consultation paper proposing mandatory guardrails for situations where AI use is considered high risk. The guardrails aim to address risks and harms from AI, build public trust, and provide businesses with greater regulatory certainty. The controversial Californian AI legislation is currently awaiting Governor Newsom’s approval. I’m sure we will all watch these developments with great interest.

These are just a few of the current issues that are top of mind for ASIC and – I’m sure – many of you here today.

I’ve no doubt there are others – far more than I can mention here. But in all cases, the solution is the same: a clear commitment to learning and to asking questions.

Conclusion

In conclusion, as compliance professionals, it’s your job to be the gatekeeper, the trusted adviser to the board.

Your role is to refine the systems and controls, and to call out what’s working and what can be improved. That will enable the board to look ahead to spot the risks, think about how to balance the legal and commercial perspectives, and monitor the compliance arrangements that the company has in place.

And so, more than ever, you play an influential and strategic role in the boardroom – a role that is critical in ensuring effective compliance.


[1] An overview and sample of compliance statements made by companies convicted of compliance violations is laid out in Peter Gottschalk & Christopher Hamerton, Corporate Compliance: Crime, Convenience, and Control (Palgrave Macmillan, 2022), pp. 104–106.

[2] Joe Longo, “Start preparing now: Early ASIC guidance on the mandatory climate disclosure regime”, 22 April 2024.

[3] KPMG, “Stepping up to a new level of compliance”, KPMG Global Chief Ethics and Compliance Officer Survey.

[4] Cf. ASIC Regulatory Guide 132, “Funds Management: Compliance and Oversight”.

[5] Australian Securities and Investments Commission v Mercer Superannuation (Australia) Limited [2024] FCA 850, [148].
