Quick summary
The spring edition of our Above Board update covers need-to-know developments in corporate governance and board practice for the quarter.
- New legislation to mandate climate-related financial disclosure (CRFD) in annual reports passed the Senate in August, and the new record-keeping and reporting obligations are likely to commence for most very large entities from FY26.
- The Commonwealth Government has accepted most of the recommendations of Dr Kevin Lewis’ review of the continuous disclosure laws and is likely to remove the fault element for ASIC enforcement proceedings but retain it for private litigation.
- Draft legislation to implement aspects of the Government’s cyber strategy, including an obligation to report on ransomware payments, is imminent; meanwhile APRA’s letter to its regulated entities on common cyber control weaknesses contains useful guidance that is relevant to most businesses.
- ASIC’s published enforcement priorities have been expanded to include a renewed focus on market integrity, including in private markets.
- In August, the Commonwealth Attorney-General published guidance on “adequate procedures” for identifying, managing and avoiding the risk of associates engaging in foreign bribery. From 8 September, an Australian company is guilty of an offence if its associates engage in foreign bribery for its benefit, unless the company can prove the existence of adequate procedures.
- The Australian Government has begun consultation on its proposals for regulating high-risk uses of artificial intelligence (AI).
- Despite delays in implementing proposed reforms to the Commonwealth environmental laws, the global nature positive agenda is gaining ground, including in the new sustainability due diligence laws recently adopted in Europe.
- APRA’s new capital charge on ANZ Bank of $750 million shows how important it is to remain on top of “non-financial” risk, including the risk of misconduct. The release of the second Bell inquiry into The Star casino business shows how difficult it can be to change corporate culture in acknowledging and addressing these risks.
- An independent review of the electronic meetings and documents amendments to the Corporations Act 2001 (Cth), made in 2021, has concluded its consultation.
Robust governance is the key to every successful, sustainable and resilient business. Our specialist Board Advisory & Governance team works closely with boards and senior management in understanding stakeholder expectations and meeting contemporary governance standards.
Mandatory climate-related financial disclosure passes the Senate
Legislation to mandate climate-related financial disclosure (CRFD) in annual reports passed the Senate in late August. We have been watching the development of the legislation closely; our earlier commentary explains the January 2024 exposure draft bill, the April 2024 bill, and the May 2024 Senate Committee report.
The legislation is largely in the form of the April 2024 bill, but with amendments made in the Senate to firm up the requirements relating to scenario analyses. The new reporting requirement will initially cover material climate-related financial risks and opportunities, metrics and targets, and governance.
The law provides for a separate ‘sustainability report’ to be included in the annual report. The contents will be specified in new reporting standards being developed by the Australian Accounting Standards Board. In a welcome development in July, AASB announced that it was revising its earlier consultation draft of the standards to align the Australian requirements more closely with the International Sustainability Standards Board’s IFRS S1 and IFRS S2 baseline.
CRFD applies to companies, disclosing entities, registered managed investment schemes and registrable superannuation entities that lodge annual reports with ASIC, and that are either subject to the National Greenhouse and Energy Reporting Act 2007 (Cth) (NGER), or above a specified size. It will be phased in between 2025 and 2028 for very large, large and medium entities.
Directors will be required to make a declaration as to whether, in their opinion, the sustainability report complies with the sustainability standards and provides full disclosure, including of metrics and targets relating to scope 1, 2 and 3 greenhouse gas emissions. However, the form of the declaration is modified for the first three years to whether, in the director’s opinion, the entity has taken reasonable steps to ensure the report complies. Directors will not have the benefit of a full audit report until 2030.
Modified liability arrangements apply for the first three years, which are intended to exclude private litigation over “protected statements” – that is, statements about scope 3 emissions, scenario analyses, transition plans, or the future. This does not preclude enforcement by ASIC.
Government responds to continuous disclosure review
The Federal Government has released its response to the independent review of the changes to the continuous disclosure laws.
Changes made to the continuous disclosure laws in 2021 introduced a “fault element”, requiring both ASIC and private litigants to establish, in civil claims for compensation (including class actions) or civil penalty proceedings, that the disclosing entity or its officers had acted with knowledge, recklessness or negligence.
The review (which we have summarised in our earlier article) made six recommendations, four of which have been accepted by the Government – including the primary recommendations that:
- the fault element requirement should be removed for civil proceedings brought by ASIC; and
- the fault element requirement should be retained for civil proceedings brought by private litigants.
The Government has also committed to amending the Corporations Act to address how knowledge, recklessness or negligence is to be attributed to a disclosing entity within the continuous disclosure regime, and has left open the door for further reform based on the independent review in the context of potential broader changes to the regime.
We have provided a more detailed overview of the Government’s response in our article, ‘Federal Government commits to refine continuous disclosure laws’.
Cyber security reforms still pending
The Department of Home Affairs is continuing to develop legislation to implement the Government’s 2023-2030 Australian Cyber Security Strategy with an exposure draft bill, promised following a consultation process that closed in March, still in the works. The strategy proposes nine legislative measures that include ransomware reporting and limited use restrictions on information shared by businesses with ASD and NCSC during a cyber incident.
Meanwhile, APRA has published a letter to its regulated entities providing additional insights on common cyber resilience weaknesses. The eight observations relate to security in configuration management, privileged access management, and security testing. These include “inadequate management and oversight of security test findings”; APRA’s guidance is that test results should be reported to the appropriate governing body or individual, with associated follow-up actions formally tracked. Testing, like threat detection, only works if it is followed through.
ASIC updates its enforcement priorities for markets
Helpfully, ASIC now publishes both its annual and enduring enforcement priorities as a signal to the market of its key areas of focus. Most relate to its functions as the financial consumer regulator, but the enduring priorities continue to include “governance and directors’ duties failures”.
This year’s annual priorities include misleading conduct in relation to sustainable finance including greenwashing. In the 15 months to 30 June 2024, ASIC made 47 regulatory interventions to address greenwashing, including the commencement of two Federal Court proceedings and over $123,000 in infringement notice payments. ACCC is also focused on sustainability-related issues in its enforcement priorities published earlier in the year and discussed by our Competition team in March in our Insight article, 'ACCC Compliance and Enforcement Priorities for 2024-2025: consumers first'.
In late August, ASIC Chair Joe Longo announced that the regulator was adding a new pillar in its strategic priorities that underscored a commitment to strengthening integrity across Australia’s public and private markets. As JWS Consultant Professor Pamela Hanrahan pointed out in her column in Company Director magazine in September, this harks back 50 years to ASIC’s genesis in the Poseidon bubble and the Rae Committee’s 1974 report on securities markets regulation in Australia. ASIC also announced that it had commenced proceedings against ASX Limited for breach of the misleading conduct laws in the Australian Securities and Investments Commission Act 2001 (Cth) in connection with its failed CHESS market infrastructure replacement project.
New foreign bribery ‘adequate procedures’ law commences
The changes to the Commonwealth Criminal Code dealing with foreign bribery offences were discussed in our winter 2024 edition of Above Board. In summary, they mean that an Australian company will be guilty of a strict liability offence if it conducts business overseas through an “associate” and the associate engages in foreign bribery for the direct or indirect benefit of the Australian company, unless the Australian company can prove that it had adequate procedures in place to identify, manage and avoid the risk of such behaviour occurring. The company bears the legal burden of establishing the defence.
The Commonwealth Attorney-General’s Department has now published its Guidance on adequate procedures to prevent the commission of foreign bribery.
Proposal for regulation of AI released
The Australian Government has released two key documents relating to AI: a Voluntary AI Safety Standard and a Proposals Paper for regulation of AI in high-risk settings (published 5 September 2024).
From a governance viewpoint, the Safety Standard will provide something of a benchmark for organisations to use to develop or evaluate their AI governance frameworks. The Safety Standard uses the expression “guardrails”, which include things like (among others) accountability processes, risk management processes, testing and monitoring, and measures to achieve “meaningful human oversight”.
The Proposals Paper foreshadows a risk-based approach to regulation of AI, with proposed legislation to regulate “high risk” AI, with a focus on preventative measures. The paper refers to the “precautionary principle” that has been applied in other regulatory domains, while acknowledging that “risks cannot be foreseen” or may be “emergent” for highly capable general purpose AI models.
The intention is to classify AI as high risk (or not) based on intended and foreseeable uses, and also try to capture general purpose AI with unforeseeable uses and hence unforeseeable risks.
The Proposals Paper seeks feedback on whether the legislation should adopt a list approach or have a statement of general principles, to be supplemented by “centralised guidance”. We suspect that ultimately a hybrid approach may well be adopted.
The Proposals Paper acknowledges the need for international alignment, given that many AI models will not be developed domestically in Australia.
The Proposals Paper then goes on to propose legislated “guardrails” for high-risk AI, which, perhaps unsurprisingly, bear a close resemblance to many of the “guardrails” in the Safety Standard. Of particular note are accountability processes, risk management processes, testing and monitoring, and measures to achieve “meaningful human oversight” (see above) as well as a requirement to undertake conformity assessments and certify compliance with the other “guardrails”.
Of course, many other pieces of legislation may apply to AI-related activities, including the Competition and Consumer Act 2010 (Cth) and the Australian Consumer Law, and the Government will need to ensure that all the legislation of general application will be fit for purpose when applied to AI-related activities.
Consultation will close on 4 October 2024.
Our Technology team also discussed the Safety Standard and Proposals Paper in our recent article, 'Responsible use of AI: call for submissions on new safety Standard and consultation paper'.
Global nature positive agenda gathers pace
The Commonwealth Government’s nature positive plan, announced in December 2022, has been delayed with the Nature Positive (Environment Information Australia) Bill 2024, the Nature Positive (Environment Protection Australia) Bill 2024, and the Nature Positive (Environment Law Amendments and Transitional Provisions) Bill 2024 referred to the Senate Environment and Communications Legislation Committee in June. The Committee released its report in early September.
However, the voluntary disclosure regime published in 2023 by the Taskforce for Nature-related Financial Disclosure (TNFD) is moving ahead. It is designed to encourage business and finance to assess, report and act on nature-related dependencies, impacts, risks and opportunities. In June, TNFD announced Additional Sector Guidance covering eight real economy sectors and Additional Guidance for Financial Institutions on nature-related disclosure. This sector guidance includes recommended sector-specific metrics for disclosure. Additional Guidance on consideration of nature-related issues across value chains was also released. For further commentary on the nature positive agenda in Federal and State legislation, see our Environment & Planning team's Insight, 'Turning a new leaf in environmental regulation in Australia'.
Nature, biodiversity and the environment also form part of the European Directive on corporate sustainability due diligence (Directive 2024/1760), which came into force in June. This Directive establishes a corporate due diligence duty for large European entities that requires affected entities to identify and address potential and actual adverse human rights and environmental impacts in the company’s own operations, their subsidiaries and, where related to their value chain(s), those of their business partners. In addition, the Directive sets out an obligation for large companies to adopt and put into effect, through best efforts, a transition plan for climate change mitigation aligned with the 2050 climate neutrality objective of the Paris Agreement as well as intermediate targets under the European Climate Law.
Managing “non-financial risk” remains critical
The phrase “non-financial risk” became part of the corporate governance lexicon with the publication of the Final Report of the Prudential Inquiry into the Commonwealth Bank of Australia in 2018. That Inquiry was commissioned by APRA to examine “the frameworks and practices in relation to governance, culture and accountability within the CBA group that have contributed” to a series of incidents that had damaged the group’s reputation and public standing. Those incidents, and others, eventually led to the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry.
It is generally understood to refer to conduct, compliance and operational risks within the business. Of course, mismanaging these risks can have direct and indirect financial implications for the business.
In August, APRA increased the capital add-on applied to Australia and New Zealand Banking Group (ANZ) from $500 million (imposed in 2019 following the Royal Commission) to $750 million in response to heightened concerns about the bank’s non-financial risk management practices.
The decision was prompted by issues emerging in the bank’s Markets business including that it misreported bond trading data to the Australian Office of Financial Management (AOFM) in 2022-23. At issue are the adequacy of the measures adopted by ANZ to address “deficiencies in controls, risk culture, governance and accountability.”
The second Bell Report into The Star, released by the NSW Independent Casino Commission at the end of August, shows how difficult it can be to change corporate culture concerning the management of these risks, as pointed out in our earlier reflections by Special Counsel Isaac Evans.
Statutory review of virtual meetings and digital execution reforms
During COVID-19, the Commonwealth Government introduced emergency measures to allow for holding virtual meetings and facilitating digital execution of documents by Australian companies. Permanent measures were enacted in 2022, including making electronic communications with shareholders the default setting.
The legislation implementing the permanent measures required a review of the legislation to be undertaken after two years and the statutory review was announced in June 2024, with a consultation paper and roundtables held in Sydney and Melbourne during July.
One issue which has divided opinion since the enactment of the permanent measures is the requirement for an express authorisation in a company’s constitution to hold a fully virtual meeting, as opposed to a partly in-person and partly virtual meeting – a so-called hybrid meeting.
Some stakeholders press the view that the hybrid meeting is the “gold standard” and all companies should give shareholders the choice to attend in person or online. However, more and more companies seem to be opting for in-person only meetings so as not to incur the cost and complexity of managing a hybrid meeting.
Many companies have baulked at seeking to amend their constitutions to provide for fully virtual meetings, and in some cases, proposed resolutions have been withdrawn.
It is hoped that the report of the review, when released by the Government, will consider whether requiring express constitutional authorisation is the right policy setting, or whether all companies should have the option of holding a fully virtual meeting.