3.6 Enforceable undertakings

ASIC rightly describes an enforceable undertaking (EU) as a form of administrative settlement that ASIC may accept as an alternative to civil court action or certain other administrative actions.[1] ASIC may accept EUs given by a person, or a responsible entity of a managed investment scheme, in connection with a matter for which ASIC has a function or power under the ASIC Act or related legislation.[2]

In Regulatory Guide 100, ASIC sets out its approach to accepting EUs. The approach has two component parts. It is necessary to say something about each.

The first is that ASIC will not consider an EU unless it has reason to believe there has been a contravention of relevant legislation and it has commenced an investigation or surveillance of the conduct it believes gives rise to the suspected contravention.[3]

These are important conditions. They are important because they identify the essential foundations for ASIC’s acceptance of an EU.

The second part of ASIC’s stated approach is that it will only use EUs where they result in a ‘more effective regulatory outcome’.[4] ASIC says it will generally consider accepting an EU only where:[5]

  • it has weighed up the nature of the alleged breach and the effectiveness of the regulatory outcome offered by the EU compared with outcomes offered by other available enforcement remedies; and
  • it believes an EU is the most effective and appropriate regulatory outcome given the significance of the issues to the market and the community, the nature and seriousness of the alleged breach and the compliance history of the entity.

ASIC says it considers an EU to be an effective regulatory outcome if it does all or any of the following:[6]

  • promotes the integrity of, and public confidence in, Australia’s financial markets and corporate governance;
  • specifically deters the person from future instances of the conduct that gave rise to the undertaking;
  • promotes general deterrence by making the business community aware of the conduct and the consequences arising from engaging in that conduct;
  • provides an ongoing benefit by way of an improved compliance program.

In the Interim Report, I observed that entities often only acknowledge ASIC’s ‘concerns’ when they accept EUs, rather than acknowledge or accept their breach of specific provisions.[7] That is, the facts agreed to in the EU often are not sufficient to establish a breach of the provisions said to have been breached.

EUs are a negotiated outcome between ASIC and the regulated entity. They can be used only if the entity agrees to give the undertaking. It may be assumed that the entity’s decision to agree to give the undertaking will be influenced by its willingness to acknowledge ASIC’s ‘concerns’, the strength of the evidence available to support ASIC’s concerns, and the availability and nature of other remedies for ASIC to pursue.[8]

Should the Treasury Laws Amendment (Strengthening Corporate and Financial Sector Penalties) Bill 2018 (Cth) be enacted, ASIC will be given disgorgement remedies in civil proceedings and a directions power, which extends to ordering remediation. In these circumstances, it will be more difficult to show that an EU will result in a more effective regulatory outcome than could be achieved by other means. It would follow that ASIC’s use of EUs may be expected to be less frequent.

The flexibility of EUs has undoubted appeal. But that appeal cannot be allowed to distract attention from the fact that EUs ordinarily are given in circumstances where the regulator has formed a view that the law has been breached. That is, they are used in aid of enforcement of the law.

As I have said above, and as ASIC has accepted, the first question to be asked when misconduct has been identified is ‘why not litigate?’. One answer to that question is that a better regulatory outcome can be achieved by the use of an EU. But that view cannot be formed without having first given proper consideration to questions of deterrence, both general and specific. A regulatory response to a breach of law that does not deter, generally and specifically, will rarely be a more effective regulatory outcome.

When an entity fails to acknowledge that it has done wrong, the risk is that it considers the promises made in the EU as no more than the cost of doing business or the cost of placating the regulator. And the absence of a judicial determination means that none of the regulator, the entity concerned, or the market more generally, can be sure if the conduct was wrongful. All of those factors will ordinarily point firmly away from accepting an EU.

If, despite all of these considerations, an EU can still be said to be a more effective regulatory outcome, ASIC should adopt a policy that it will generally not agree to an EU in respect of a civil penalty provision without the entity acknowledging that it has breached one or more specific legislative provisions.


[1] ASIC, Regulatory Guide 100, February 2015, 5–7.

[2] See ASIC Act ss 93AA, 93A.

[3] ASIC, Regulatory Guide 100, February 2015, 8 [100.17].

[4] ASIC, Regulatory Guide 100, February 2015, 9 [100.24]–[100.25].

[5] ASIC, Regulatory Guide 100, February 2015, 9 [100.20].

[6] ASIC, Regulatory Guide 100, February 2015, 9 [100.25].

[7] FSRC, Interim Report, vol 1, 271.

[8] See the discussion in the ASIC Taskforce Review, Report, 100.