Major Compliance Risks Paper 2022


Australian businesses are uniquely vulnerable to compliance risks due to our complex and increasingly regulated landscape.

In this article, ‘compliance risk’ refers specifically to a business’ risk of legal or regulatory penalties, reputational damage or material loss as a result of noncompliance with its legislative or regulatory obligations.

All Australian businesses should have systems in place to ensure that they are complying with their legal obligations and mitigating their compliance risk.

This paper touches upon 10 major compliance risks for Australian businesses. We have classified a compliance risk as ‘major’ after considering the legal consequences of a single breach as well as any reputational damage that may follow.

Each of the 10 compliance risks listed below carries a penalty of more than 1 year’s imprisonment or a severe fine, or exposes the business to significant reputational damage. A full list of the specific offences mentioned below is included in Table 1 at the end of this document.

Businesses can use this paper to prioritise and focus their compliance strategies and systems on the areas which carry the most significant risk for them.

1. Restrictive Trade Practices and Misleading and Deceptive Conduct

The Competition and Consumer Act 2010 (Cth) contains several offences aimed at curbing anti-competitive, misleading and deceptive behaviour including offences against cartel conduct, exclusive dealing and misleading conduct relating to goods and services (a full list of the offences are set out in Table 1).

Each of these offences carries a fine of up to $10 million, 3 times the value of the benefit obtained or, if that value cannot be calculated, 10% of the annual turnover of the organisation, whichever is the greater. An individual could, among other things, face a fine of up to $444,000 and 10 years imprisonment. The Treasury Laws Amendment (More Competition, Better Prices) Bill 2022 (Cth) (the Bill) was introduced into Parliament on 28 September 2022. If the Bill is passed, the $10 million fine for companies will be increased to $50 million, and the penalty of 10% of the annual turnover of the company will be increased to 30%.

In December 2020, the ACCC laid criminal charges against a Queensland based pharmaceutical company and its CEO on the basis of alleged cartel conduct. The company produces and supplies an active pharmaceutical ingredient in antispasmodic medications taken to relieve stomach pain and bowel cramps. Both the CEO and the company pleaded guilty to certain of the charges and are now awaiting sentencing. The CEO faces up to 10 years in jail and a fine of $444,000.

Due to the risk of considerable financial penalties and imprisonment for noncompliance, these offences carry significant compliance risk.

2. Directors’ Duties

Directors of Australian companies registered under the Corporations Act 2001 (Cth) must comply with several duties. This includes four primary duties – the duty to exercise powers with care and diligence, to act in good faith, not to improperly use their position and not to improperly use information.

Failure to perform any of the above-mentioned (and other) duties could expose directors personally to penalties of up to $200,000 and imprisonment for 5 years. Further, in certain circumstances, the director will be required to compensate the company for any losses or damages and may be disqualified from managing a company in the future.

All company directors are now required to apply to ASIC for a director identification number (director ID). A director ID is a unique identifier that a director will apply for once and keep forever. It is designed to prevent the use of false or fraudulent director identities. All directors of a company, registered Australian body, registered foreign company or Aboriginal and Torres Strait Islander corporation will need a director ID. Individuals who fail to apply for a director ID may be subject to a penalty of up to $1.1 million.

In addition to the penalties, the breach of a director’s duties may lead to significant reputational damage, which could result in an adverse market reaction and greater scrutiny from regulators and investors.

3. Australian Charities and Not-for-profits (Industry Specific)

Charities and Not-for-Profits risk losing their charitable status if they breach certain obligations under the Australian Charities and Not-for-Profits Commission Regulations 2013 (Cth).

An organisation’s registration may be revoked if the entity, among other things, contravenes the Act, a governance standard or an external conduct standard. The Australian Charities and Not-for-profits Commissioner (ACNC) will only revoke a charity’s status in the most serious of cases; however, action will be taken if serious breaches of governance standards or mismanagement are found.

The loss of charitable status in turn leads to the loss of tax exemptions, concessions and DGR status (if applicable), in addition to the loss of the ability to display the ACNC registered charity tick.

4. Occupational Health and Safety (OH&S)

Any breach of OH&S legislation could lead to personal injury or harm and consequently should be considered the highest level of risk. As such, breaches of OH&S legislation carry significant penalties. If an organisation breaches their duty to provide and maintain a safe working environment they could face an individual penalty of $600,000 and the business could face a penalty of $3 million (in ACT, NSW, NT, SA and TAS) or $3.9 million (in QLD).

In Victoria, employers can face individual fines of up to $332,856 and businesses could receive fines exceeding $3.7 million. In WA, employers can face individual fines of up to $680,000 and businesses of $3.5 million.

In all jurisdictions, individuals could face up to 5 years of imprisonment.

Victoria, Queensland, Western Australia, the Northern Territory and the Australian Capital Territory also have the offence of industrial manslaughter. Industrial manslaughter occurs if a worker dies as a result of carrying out their work and the person conducting the business either causes the death or is negligent about causing the death of the worker. If convicted in the ACT, an individual could face 20 years imprisonment, and a body corporate could face a penalty of $16,500,000. In Queensland, an individual could face 20 years in prison, and a body corporate could face a fine of up to $14.4 million. In the Northern Territory, an individual could face life imprisonment and a company a fine of $10,205,000. In Victoria, businesses could be fined up to $18,492,000 and an individual could face up to 25 years imprisonment. In Western Australia, there is a maximum penalty of 20 years imprisonment and a $5 million fine for an individual, and a $10 million fine for a body corporate.

In March 2022 in Queensland, a Gympie businessman was the first person prosecuted and convicted under Queensland’s industrial manslaughter laws. At a hearing in the Gympie District Court, Jeffrey Owen was sentenced to five years jail over a workplace incident in which his friend who was helping out in the workplace was crushed to death by a falling generator being moved from the back of a truck.

These offences carry a major compliance risk due to the danger noncompliance poses to the personal safety of employees and the severity of their penalties. Australian businesses must ensure that they have taken every step necessary to ensure the safety of their workers.

5. Bribery & False Accounting

The Criminal Code Act 1995 (Cth) contains a suite of offences aimed at preventing businesses from dishonestly obtaining financial advantages. The bribery of Commonwealth (or foreign) public officials and the prohibitions against false accounting attract significant criminal penalties.

Businesses risk a fine of $22.2 million, 3 times the value of the benefit obtained, or 10% of the annual turnover of the business – whichever is greater. Individuals may be fined $2.22 million and face 10 years in prison for the contravention of these offences.

Due to the risks of significant financial penalties and substantial terms of imprisonment, we have determined that these offences pose a major compliance risk for Australian businesses.

6. Privacy, Data Breaches, Cyber Security and Critical Infrastructure

All businesses that store or use consumer data face significant compliance risks.

The Privacy Act 1988 (Cth) broadly applies to all organisations with an annual turnover of more than $3 million, all private health services and some small businesses. Under this Act, businesses must, among other things, comply with the Australian Privacy Principles when handling personal information.

It is noteworthy that the Australian Privacy Principles require organisations to take steps to protect information from misuse, loss or disclosure even from third parties to whom they disclose the information. Consequently, a significant area of risk for Australian businesses relates to the sharing of personal information with third parties.

Businesses face a fine of up to $440,000 for contraventions of the Australian Privacy Principles under this Act.

In addition, the Notifiable Data Breaches scheme (NDB scheme), requires certain organisations to notify the Office of the Australian Information Commissioner of certain data breaches that are likely to result in serious harm to individuals.

Breaching obligations under the NDB scheme can attract fines of up to $2.1 million for businesses. Considering the media’s penchant for naming and shaming organisations that mishandle personal information, the embarrassment and loss of reputation for the business can be far more damaging – witness the recent backlash against Optus by both government and the media.

Australian businesses that have access to the My Health Record system must have systems in place to ensure that staff are aware of the offences and significant penalties which may apply. Under the My Health Records Act 2002 (Cth), if someone misuses My Health Record information, they may be subject to fines of up to $333,000 or up to 5 years imprisonment. Businesses may also receive fines of over $333,000 if they do not report any potential data breaches of their My Health Record system.

Further, the legal penalties are in addition to the significant reputational consequences that relate to the misuse of a person’s health information. As already discussed, the media has an appetite for misuse of personal information – this, however, would likely be amplified because My Health Record has already received considerable media coverage over concerns about the security of personal information.

In recent times, cyber security risk has emerged as a significant business risk. Cyber security is about protecting your technology and information systems from accidental or illegal access (such as hacking); corruption (such as malware); theft and damage.

Although there are currently no statutory penalties, a cyber-attack could cause:

  • financial loss – theft of money and information, fraud, disruption to business and payment of a ransom
  • business loss – embarrassment and damage to reputation
  • costs – repairing and getting affected systems up and running again.

In addition, the recent case of ASIC -v- RI Advice Group Pty Ltd (RI Advice) shows how a regulator might go about “penalising” a business which does not do enough to protect its data and ICT systems. In this case, ASIC was successful in obtaining a declaration from the Federal Court that RI Advice, a financial services provider, breached s. 912A of the Corporations Act by failing to implement adequate cyber security controls or systems which led to several serious privacy breaches and spam emails. The Court required RI Advice to pay ASIC $750,000 towards its costs; engage (at its own expense) an independent cybersecurity firm to identify what further cybersecurity documentation and controls were necessary for RI Advice to adequately manage risk in respect of cybersecurity and cyber resilience; and provide written reports to ASIC.

Critical Infrastructure

On 3 December 2021, amendments to the Security of Critical Infrastructure Act 2018 (Cth) (the Act) extended the application of the Act to the following critical infrastructure asset sectors: healthcare and medical; water and sewerage; financial services and markets; higher education and research; food and grocery; data storage and processing; communications; energy; defence industry; transport and space technology.

Organisations operating in these sectors now have obligations with which they must comply if they are considered to be a “responsible entity” in relation to a critical infrastructure asset.

Generally speaking, a responsible entity is an entity that owns or operates a critical infrastructure asset. A critical infrastructure asset includes (among many other listed assets) a critical water asset and a critical hospital. A critical water asset means one or more water or sewerage systems or networks that are managed by a single water utility and ultimately deliver services to at least 100,000 water connections or 100,000 sewerage connections. A critical hospital means a hospital that has a general intensive care unit.

Responsible entities are now required to notify the Australian Cyber Security Centre (ACSC) if they become aware that a cyber security incident has occurred or is occurring that will have a significant impact on the availability of the critical infrastructure asset. This notification must be made within 12 hours after the entity becomes aware of the cyber security incident.

A cyber security incident is defined as one or more of the following:

  • unauthorised access to or modification of computer data or a computer program;
  • unauthorised impairment of electronic communication to or from a computer;
  • unauthorised impairment of the availability, reliability, security or operation of a computer, computer data or a computer program.

Similarly, responsible entities are now required to notify ACSC within 72 hours if they become aware that a cyber security incident has occurred or is occurring that will have a “relevant impact” on a critical infrastructure asset. A cyber security incident will have a relevant impact on an asset if it impacts the availability, integrity, reliability or confidentiality of the asset.

Failure to comply with the above reporting requirements carries a penalty of 50 penalty units (currently $11,100).

Due to the sensitivity and critical nature of the assets covered by the Act such as hospitals and water supply, damage to a business’ reputation is far more significant than the immediate legal penalties which apply.

7. Wage Theft

Wage theft is the deliberate non-payment or underpayment of wages or employee benefits that are rightfully owed to an employee. This can include withholding of leave and penalty rates, and failure to make required superannuation contributions on the employee’s behalf.

Severe penalties now apply in Victoria and Queensland for individuals and businesses that commit wage theft. In Victoria, individuals are subject to a $221,904 fine and up to 10 years imprisonment, while a company may incur a fine of up to $1,109,520. In Queensland, an individual may be imprisoned for up to 10 years and companies face unlimited fines.

Whilst the penalties for wage theft are significant, they only apply to deliberate and dishonest conduct. The reality is that most cases of non-payment or underpayment of wages in Australia are inadvertent. As has been seen in recent media reports, even businesses which have inadvertently underpaid their workers are subject to public scorn and loss of reputation.

Due to the risks of significant financial penalties, substantial terms of imprisonment, and loss of reputation to businesses accused of wage theft and underpayment of wages, we have determined that these offences pose a major compliance risk for Australian businesses.

8. Modern Slavery Laws

The Modern Slavery Act 2018 (Cth) (the Act) came into force on 1 January 2019. Businesses need to report under the Commonwealth Act if they are an Australian entity or carry on business in Australia with a minimum annual consolidated revenue of $100 million (reporting entities).

The Act requires reporting entities to provide an annual Modern Slavery Statement for every 12 month period. A Modern Slavery Statement must provide the following:

  • identify the reporting entity;
  • describe the structure, operations and supply chains of the reporting entity;
  • describe the risks of modern slavery practices in the operations and supply chains of the reporting entity, and any entities that the reporting entity owns or controls;
  • describe the actions taken by the reporting entity and any entity that the reporting entity owns or controls, to assess and address those risks, including due diligence and remediation processes;
  • describe how the reporting entity assesses the effectiveness of such actions;
  • describe the process of consultation between each reporting entity and any subsidiary entities of each reporting entity; and
  • include any other information that the entity preparing the statement, or any of the reporting entities, considers relevant.

Modern Slavery Statements will be kept by the Minister in the Modern Slavery Statements Register which is accessible by the public free of charge on the internet.

Significantly, if a reporting entity fails to provide a statement, the Minister may publish on the Modern Slavery Statements Register the identity of the entity and any of its subsidiaries and the reasons why the Minister believes that the entity has failed to provide a statement. This will no doubt lead to embarrassment and reputation loss.

Due to the significant risk of reputation loss in not complying with the modern slavery regime, this is considered a major business risk.

9. Environmental Harm

Environmental offences are not limited to certain industries and present a risk to all Australian businesses.

Specific environmental offences vary between States and Territories; however, all businesses are prohibited from causing any harm to the environment. Businesses can face significant penalties for noncompliance with their environmental obligations, and in certain circumstances company directors may be imprisoned.

For example, in NSW, businesses that dispose of waste in a manner, or allow a substance to leak, spill or otherwise escape in a manner, that causes or is likely to cause harm to the environment can face fines of up to $5 million. Company directors may personally face fines of up to $1 million and up to 7 years imprisonment.

Further, it is often the case with environmental offences that damage to a business’ reputation is far more significant than the immediate legal penalties which apply.

10. Aged Care Registration (Industry Specific)

If an approved aged care provider does not comply with its quality of care, user rights and accountability obligations as stated under the Aged Care Act 1997 (Cth) it may be sanctioned.

Depending on the seriousness of the breach, the sanctions may, among other things, revoke or suspend an approved provider’s approval. Without approval, an aged care provider will lose its approved provider funding.

Regardless of the type of sanction issued, all care recipients at the affected service must be given a letter informing them of the provider’s noncompliance. Further, the sanction will be permanently published online. Such requirements increase the reputational damage caused by noncompliance with the Act.

Considering the added scrutiny on aged care providers as a result of the Royal Commission into Aged Care Quality and Safety, and that providers may now be subject to unannounced reaccreditation visits, we consider the risks associated with noncompliance under the Aged Care Act to be a major compliance risk.

Table 1

[Table 1: 10 major compliance risks 2022 – the table listing the specific offences referred to above was published as an image and is not reproduced here.]

How Law Compliance can help:

Want to find out more about what we do and how we can make legal compliance easy for your organisation? Contact us or request a free info pack today.