Class actions and regulatory intervention – Two sides of the same sword?

Since 1992, when class actions were enshrined in Australia’s legal framework, the link between them and regulatory interventions has been ever-present, and evolving.

Having acted for parties on either side of both types of action, in this article, we explore:

• the established pattern of private enforcement following public enforcement
• some key differences and similarities between them
• what this all means for regulated entities aiming to manage these related risks.

ASIC’s role in class actions

It may come as a surprise to some, that ASIC may (subject to limitations) provide to third parties copies of, or access to, documents and interview transcripts obtained during its investigations, for use in private litigation (see ASIC Information Sheet 181).  Such records may also be produced by ASIC in response to a court order for non-party discovery, or a notice to produce.  These valuable sources of information are commonly used by litigants or their lawyers contemplating launching a class action.

Interestingly, ASIC itself may commence a class action following its own investigation.  ASIC’s power in section 50 of the ASIC Act 2001 (“the ASIC Act”) allows it to commence civil proceedings on behalf of a company, as well as (with consent) in the name of an individual.

However, consistent with its Information Sheet 180, ASIC will only use this power where it is in the public interest to do so, considering its obligation to use its finite public resources efficiently.  This “public interest” test is quite a high hurdle to jump.  Consequently, besides commencing a number of section 50 actions in 2007/2008 seeking compensation for investors, following the collapse of the Westpoint property investment scheme, this is a power that ASIC has used very sparingly.  This coincides with the increasingly fertile legal ground for private class actions, leading to significant growth in these over the same time period.

Private class actions following regulatory interventions

Private class actions have followed hot on the heels of regulatory interventions in three recent, high-profile examples:

1. ASIC reviews and interventions to ban or restrict contracts for difference (“CFDs”) and binary options (2019-2021);
2. AUSTRAC civil penalties against banks for anti-money laundering and counter-terrorism financing (“AML/CTF”) failures (2018-2020); and
3. Royal Commissions and public inquiries into AML/CTF failures by casino operators (2019-2022).

While these examples all involve hundreds or thousands of class members, it is important to remember that class actions can also be brought by a very small number of members.  In the Federal Court of Australia, a class action can be commenced on behalf of just seven or more people who have a claim arising out of similar circumstances.  For example, a case against auditors of the company run by Melissa Caddick (a disappeared Ponzi scheme operator) was brought on behalf of only 32 victims, and recently settled for over $3.5million (Kraft v BPR Audit Pty Ltd [2025] FCA 422).

CFD issuers

The origins of current class actions against major Australian CFD providers can be traced back to at least, and as far as, ASIC’s Report 626: Consumer harm from OTC binary options and CFDs (“REP 626”), published in August 2019.

REP 626 highlighted ASIC’s concerns around the high likelihood of significant consumer losses, inducements being used to attract increasing numbers of financially vulnerable consumers, and those consumers likely underestimating the high risks.  ASIC proposed stringent regulatory interventions to address these concerns.

After consultation, ASIC followed through by issuing respective Product Intervention Orders (“PIOs”), imposing conditions on the issue and distribution of CFDs to retail clients (2020), as well as an outright ban on the issue and distribution of binary options to retail clients (2021).

Subsequently, ASIC brought civil penalty actions against CFD issuers/distributors or their authorised representatives for wrongdoing under the ASIC Act and Corporations Act 2001 (Cth) (“the Act”) including:

• misleading, deceptive or unconscionable conduct
• unlicensed personal financial advice
• failure to act efficiently, honestly and fairly
• breaches of design and distribution obligations (“DDO”).

Somewhat predictably, beginning in 2022, a raft of class actions have been brought against Australian CFD issuers, regarding similar subject matter and alleged breaches.

Banks and AML/CTF

In 2018, AUSTRAC obtained a $700m civil penalty against CBA, for a range of serious breaches of AML/CTF legislation connected to its intelligent deposit machines (“IDMs”), including failures to:

• carry out an appropriate assessment of the money launder / terrorism financing (“ML/TF”) risks posed by its IDMs;
• file over 53,000 threshold transaction reports arising from IDM use;
• report suspicious matters to AUSTRAC on time, or at all, including organised crime drug and firearms importation; and
• monitoring transactions or customers to mitigate ML/TF risk.

In 2020, AUSTRAC obtained a $1.3b civil penalty against Westpac due to significant misconduct related to International Funds Transfer Instructions (“IFTIs”), including the failure to:

• properly report to AUSTRAC nearly 20 million IFTIs amounting to over $11b;
• pass on information regarding the origin of some of those IFTIs to other banks in the transfer chain in order for them to manage their own ML/TF risks; and
• carry out proper customer due diligence (“CDD”) in relation to suspicious transactions associated with possible child exploitation.

Subsequently, shareholder class actions were commenced against the ASX-listed Westpac and CBA, for breaches of continuous disclosure obligations following sharp drops in their share prices once the AUSTRAC investigations and potential misconduct became public knowledge.

Casinos and AML/CTF

Beginning in 2019, a series of State regulatory inquiries and Royal Commissions publicly exposed a plethora of systemic misconduct within Australia’s major casino operators, namely Crown, The Star and Sky City.  This included failures to:

• properly assess, manage and mitigate ML/TF risk, including by facilitating international customers to launder hundreds of millions of dollars through the casinos;
• implement “responsible gambling” requirements and protect consumers from gambling harm, including instances of inducing vulnerable people to borrow to gamble, and then gamble more to pay off debts; and
• implement adequate risk management, compliance and corporate governance measures connected to all of the above.

At around the same time, AUSTRAC began investigating each of the casino groups, ultimately resulting in civil penalties against Crown ($450m) and Sky City ($67m), while its action against The Star is ongoing.

ASIC has investigated and, in some instances, brought civil penalty actions against directors and officers of the corporate entities.  This includes The Star, where several senior executives have recently admitted to breaches and agreed to significant personal penalties.  At ASIC’s request, The Star has made a $150m provision in its accounts for a probable AUSTRAC fine.

State-based casino regulators, wielding increased powers, have imposed hundreds of millions of dollars in fines on the casino operators, as well as suspending their licences and appointing external monitors to supervise their remediation.

Predictably, shareholder class actions have followed suit against all ASX-listed casino operators, except Sky City (although one is presently under investigation by a litigation funder).  Similar to the banks cases, these class actions allege breaches of continuous disclosure obligations, following declines in share prices once regulatory interventions and potential breaches were publicised.

Key differences

The differences are largely self-evident, given the distinct parties involved, being either private or public in nature.

Regulatory actions are generally commenced first and resolved quicker.  There is usually little difficulty in securing financial resources to commence the case.  Compulsory information gathering powers give regulators a significant advantage.

The courts have also made it clear that, out of fairness to individual defendants, generally a regulatory proceeding should be disposed of first where the same individuals are also involved in a class action (see ASIC v Helou [2019] FCA 1634).

In contrast, class actions, due to large numbers of class members, protracted commercial negotiations, and appropriate judicial scrutiny of any settlement agreements, can take many years to resolve.

Key similarities

In addition to the reliance on similar subject matter and evidence described above, regulatory and class actions share a common motive; deterrence, both specific and general:

• holding corporate wrongdoers to account in a public setting, exposing their systemic misconduct; and
• inflicting financial consequences on them, either through civil penalties or consumer/shareholder compensation, to penalise them but also to prevent others from future violations.

The purely commercial risks posed to entities are also similar, caused by reputational damage and the erosion of public trust.

However, other similarities, and the insights that can be gleaned from them, are often overlooked:

• Public attention and Government sentiment: The actions represent the culmination of consumer harm/complaints, media investigations, Government attention and public inquiries.
• Victim type: Large numbers of Australian consumers, vulnerable persons or the public at large were or may be harmed by the misconduct.
• Product type: The products or services involved are inherently high risk, either in terms of customer losses or public harm.
• Systemic nature: The misconduct occurred over several years, with multiple failures to implement systems and controls to address risks that were or should have been known.
• Non-disclosure: The entities failed to report suspicions or misconduct to their boards, regulators and shareholders when they should have, or at all.
• Revenue gained: The product earned significant revenue for a sustained period, introducing the moral hazard of prioritising profits over compliance.

What does this mean for regulated entities?

A regulated entity, in managing regulatory risks, should also consider the risk of class actions arising from clients or shareholders that have suffered loss due to regulatory breaches.

Digging a little deeper, there are some practical measures that regulated entities may take to mitigate such risks:

• Strong corporate governance and risk/compliance culture: While this may start with a “top-down” approach with Board-approved policies, etc., the above cases demonstrate that this is unlikely to be enough. There must be a combination of “top down, bottom up, and middle out” measures that can be proven to have been implemented.  The need to be adequately resourced with people is built into this measure.  Finally, all of this should be well documented in your policies and procedures.

• Be aware of change, and able to adapt: Several of the examples post-date public knowledge of emerging industry risks and suspected misconduct.  If compliance gaps were addressed appropriately at the time, public/private enforcement could have been avoided or at least mitigated.  Ensure measures are in place to stay up to date with regulatory developments in your sector and the broader industry.
• Early engagement and cooperation: Examples show that the natural instinct to “circle the wagons” (or worse, “double down” with contrived denials) when faced with a corporate crisis, can serve to only compound the problem. In contrast, where appropriate, early and open engagement with all stakeholders, including consumers and regulators, can help mitigate ultimate penalties, as well as legal costs (see ASIC Regulatory Guide 271: Internal dispute resolution and ASIC Information Sheet 172: Cooperating with ASIC).
• Early remediation: Extending the previous point, consideration should be given to implementing a credible remediation plan, which may result in an apology and/or adequate compensation where compliance breaches are detected. This helps to identify the potential class of victims and quantify their potential loss, as well as identify the root cause of the failures to mitigate the risk of them reoccurring.  This is consistent with regulatory requirements, including in section 912EB of the Act (see ASIC Regulatory Guide 277: Consumer remediation).
• Early expert advice and assistance: Connected to all of the above, too often we see instances of entities attempting to respond to significant regulatory interventions on their own, with experts only brought in at latter stages when irreparable damage may already have been done. This applies not only to legal expertise, but also to compliance and corporate/regulatory affairs experts to manage engagement and communications.

At Holley Nethercote Lawyers, we can help implement the above measures by providing you with legal advice and regulatory updates, review or assist with amending your policies and procedures to ensure ongoing compliance, and defend or respond to regulatory interventions and class actions.

Author: Anthony Jensen (Special Counsel)