Investigations trends and developments
Bribery, corruption, money laundering, and cybercrime continue to be priority areas for Australian authorities.
Australia’s new national corruption watchdog, the National Anti-Corruption Commission, has received many referrals following its establishment in July 2023. It had assessed 2,690 referrals and commenced 26 corruption investigations in the year ending June 2024. This reflects a continued focus by the Government, corporates, and the public on corruption issues.
The Commonwealth Director of Public Prosecution also remained active in 2024, securing high-profile convictions for syndicates engaged in money laundering and tax fraud, and sentences following convictions for cartel conduct in the waste industry.
The Australian Transaction Reports and Analysis Centre (AUSTRAC) maintained its focus on anti-money laundering and counter-terrorism financing (AML/CTF) compliance in the gaming industry. In 2024 it commenced an enforcement investigation against a betting agency and issued 16 infringement notices for failing to meet their reporting obligations under legislation.
The Australian Competition & Consumer Commission (ACCC) and Australian Securities & Investments Commission (ASIC) continue to scrutinse greenwashing, environmental, social, and governance (ESG) issues, and financial products.
Australia’s regulators and law enforcement bodies continue to cooperate, share information, and jointly conduct investigations with their counterparts overseas, with a particular focus on transnational cybercrime.
Law reforms impacting corporate criminal liability
New “failure to prevent bribery” offense
The introduction of a failure to prevent bribery offense in section 70.5A of the Schedule to Australia’s Criminal Code Act 1995 (Cth) (Criminal Code) was one of the most significant law reforms in 2024. It criminalizes a business that fails to prevent an “associate” from bribing a foreign public official for the benefit of the business. This is a strict liability offense. The only defense available to companies is that the company had adequate procedures in place to prevent bribery. This places the focus squarely on the company’s oversight, due diligence, and controls.
Guidance published by the Attorney-General’s Office sets out six key principles that companies should consider when implementing anti-bribery and corruption policies, and expressly emphasized that the mere existence of anti-bribery controls will not be considered adequate for the purpose of the defense. In-house counsel should review the guidance as well as the business’ internal policies and controls to ensure that the defense would be available if necessary. Unlike in earlier proposed iterations, deferred prosecution agreements have not been introduced at this time.
AML/CTF
The amendment to the country’s AML/CTF regime, which prescribes both civil penalties and criminal offenses, passed the Australian Parliament in late 2024, implementing “tranche 2” of reforms first promised close to a decade ago. This expands the regime from financial services, bullion, gambling, and digital currency exchange sectors to designated non-financial business and professional sectors including real estate agents and lawyers. We expect AUSTRAC to release guidance on new and changed obligations in mid-2025, and reporting entities will need to be compliant by March 2026.
Autonomous sanctions
The Australian Government has updated sanctions laws following recent court decisions to clarify that individuals and corporations can breach sanctions even if the misconduct took place in the past. Both past and present conduct can be a basis for sanctions enforcement, and organizations should conduct appropriate diligence on business partners (including senior officers).
Financial Accountability Regime
The Financial Accountability Regime (FAR) took effect in March 2024 for authorized deposit-taking institutions. From March 2025, the regime, prescribing both civil and criminal offenses, will extend to insurance entities and superannuation trustees. The FAR imposes a strengthened responsibility and accountability framework to improve the risk governance cultures of corporates regulated by the Australian Prudential Regulation Authority, as well as their directors and executives. The expansion of the FAR means that affected corporates will need to review their framework and processes to ensure that they comply with the obligations of the FAR.
Data protection, privacy, and cybersecurity
Australia is currently undergoing significant changes to its data protection, privacy, and cybersecurity regulatory landscape. In November 2024, Australia passed its first “stand-alone” Cyber Security Act 2024 (Cth), which introduces (among other things) a mandatory ransomware and cyber extortion reporting obligation for certain businesses to report ransom payments.
Further, the Privacy and Other Legislation Amendment Act 2024 (Privacy Act) significantly reforms Australia’s long-standing Privacy Act 1988 (Cth). Key reforms include the introduction of a new statutory tort for serious invasions of privacy, enhanced enforcement mechanisms for the Office of the Australian Information Commissioner (OAIC), new mid-tier and low-tier civil penalty provisions for interfering with the privacy of individuals, and a new criminal offense of “doxxing” which will be included in the Criminal Code.
Doxxing is the use of a “carriage service” to “make available, publish or otherwise distribute” personal information of an individual in a menacing or harassing way. The term “carriage service” captures a broad range of electronic communications, including the dissemination of data via internet services and telecommunications. The Explanatory Memorandum for the Privacy Bill makes clear that the concepts of “make available, publish or otherwise distribute” are intended to be applied broadly such that the operator of a website on which personal information is posted may potentially be considered to be involved in making available, publishing, or distributing the relevant material. This is the case even if they were not involved in deciding the content of the post. This means that website operators and other intermediaries should be prepared for the introduction of this new offense and take steps to remove offending material where necessary.
Digital platforms regime
The Government proposed a new digital competition regime that seeks to address anti-competitive conduct that exploits market power to harm Australian digital platform users. It follows the implementation of digital competition regimes around the world to protect consumers and innovation and will prioritize app marketplaces and ad tech services. With consultation open until early 2025 and expected draft legislation to follow, digital players should review their positioning in the market and monitor developments.
Internal investigations—key considerations
How corporations can maintain privilege over internal investigation reports continues to be an important consideration when structuring an internal investigation.
A recent decision of the Full Federal Court emphasizes that, under Australian law, an investigation report will only be subject to legal professional privilege if it was created primarily for the purpose of providing legal advice, or for use in anticipated or actual litigation. It is not enough that these are merely “substantial” purposes for the creation of a multi-purpose report. Where a report’s dominant purpose is to assist management in identifying the causes of, and remediating, an issue, as opposed to providing legal advice, it will not be privileged.
Following this decision, the engagement of external lawyers to conduct internal investigations means that the report may be, but will not necessarily be, privileged. In-house counsel should continue to ensure that the structure and objectives of an investigation are carefully considered, well-defined, and documented at the outset.
Sectors targeted by law reforms or criminal enforcement
ASIC's enforcement priorities for 2025 include:
- misconduct involving superannuation and insurance;
- strengthening investigation and prosecution of insider trading;
- licensee failures to have adequate cybersecurity protections;
- misleading conduct involving ESG claims, including greenwashing; and
- auditor misconduct.
These readily flow from the enforcement and focus areas in 2024, with ASIC continuing to use its enforcement powers to regulate greenwashing issues in the financial sector. ASIC successfully pursued two civil penalty proceedings against two financial services providers for greenwashing in 2024, with AUS12.9 million and AUS11.3 million ordered in civil penalties by the Federal Court of Australia. It also made 47 regulatory interventions and issued over AUS123,000 in infringement notice payments during the 15-month period to June 30, 2024. The continued scrutiny of greenwashing claims going forward will require organizations to ensure they conduct their own diligence and investigations into whether such claims can be substantiated before a regulator does so.
Though not yet confirmed, it is likely that ESG will remain one of the ACCC’s 2025-2026 priorities.
While we await AUSTRAC’s publication of its 2025 priorities, we expect that they will continue to focus on high-risk sectors including the banking, gambling, and remittance industries.
Predictions for 2025
In-house legal and investigation teams will need to ensure that they are compliant with the recent raft of legislative reform and stay on top of further reforms expected in the cybersecurity space, while continuing to manage increasing numbers of workplace misconduct investigations.
Investors’ growing interest in ESG issues has propelled marked changes to financial reporting and disclosure standards. New obligations to make climate-related financial disclosures for certain corporates commenced in January 2025. These obligations come hot on the heels of corporates scaling back voluntary ESG disclosures following regulatory and shareholder action for misleading or deceptive conduct. In-house legal teams should ensure that their ESG claims and disclosures are appropriately vetted and supported. Claims alleging that companies have harmed their investors by making material misstatements concerning sustainability related risks are on the rise, read more here.
On the horizon
Cybersecurity and data protection will remain a long-term focus as technology continues to advance and compliance with recently passed legislation is monitored and enforced. In-house legal teams should be prepared for increased regulatory scrutiny of their technology and operational processes relating to cybersecurity and data protection.
As ESG-related issues continue to increase in priority, regulators’ focus on greenwashing and ESG related reporting will also continue, including with the expansion of mandatory climate target reporting over the next three years.
Australia’s reform of its AML/CTF regime means that in-house legal teams will need to be prepared to review and update their compliance policies and programs.
Directory quotes
- “I value highly both their industry knowledge and experience across both legal requirements and operating risk consulting advice in the context of wholesale financial markets trading in Australian legal and regulatory compliance context.”—Asia Pacific Legal 500 (2024).
This article is part of the A&O Shearman Cross-Border White-Collar Crime and Investigations Review. Please click here for our overviews and insights in other jurisdictions.
