This decision offers important lessons of international relevance for senior executives and boards, particularly where they face AML/financial crime risks (and including financial services firms). In particular:
- non-executive directors are entitled to rely on management and executive directors, but not in the face of “red flags”;
- executive directors should escalate all material information to their Boards;
- directors in high-risk industries must apply heightened scrutiny;
- where a director or officer holds other roles (e.g. in-house counsel), then generally their statutory duties apply also to those roles, which cannot be compartmentalised; and
- boards should adopt formal policies on the use of AI to navigate board materials.
Background
ASIC sought civil penalties against each Board member of Star: the CEO, the company secretary and CLRO, and seven non-executive directors (two further executives settled before trial). ASIC alleged that each breached the statutory director’s duty of care and diligence under section 180(1) of the Corporations Act 2001 (Cth). This is the first time since the Centro decision in 2011 that ASIC has brought action against an entire Board.
The claims centred on Star’s dealings with its largest junket customer Suncity (in particular, money laundering suspicions) and misleading communications with Star’s principal banker about the use of China UnionPay (CUP) cards for gambling-related purposes.
No change to the law
The Court applied settled law. The s.180(1) duty of care and diligence requires a director to balance the foreseeable risk of harm against potential benefits, assessed prospectively and without hindsight. It does not impose a standard of perfection, and directors are not guarantors of corporate compliance.
That said, the s.180(1) standard is calibrated to the specific circumstances of the corporation and the offices held. Directors of high-risk enterprises (like casinos, financial services, mining and energy) must appreciate that they are operating in a singularly high-risk context and that the duty accordingly demands active engagement, and a willingness to interrogate, probe, and where necessary challenge management on these risks.
Further, Australia has a “business judgment” rule (s.180(2)) under which the s.180(1) duty is discharged by good faith, impartial and informed judgment-calls made on the rational belief that the judgment-call is in the corporation’s best interests. The Court confirmed that this protects positive acts but offers no shelter where directors “simply neglected to deal with proper safeguards”. So, this defence failed because the board minutes recorded no positive decision on point.
Executives: the duty to escalate
The Court found that the CEO intermediated the flow of material information between management and the board. Yet he did not ensure that the board was properly informed of serious legal and regulatory risks.
The information he possessed included an internal email identifying “unacceptable” risk exposure, reports revealing serious AML deficiencies, and on the CUP issue a warning that Star may have sent misleading communications to its principal banker.
Information forwarded with nothing more than “FYI” was sufficient to fix the CEO with knowledge of its contents.
Yet parts of ASIC’s case against the CEO failed because they were framed as “cascading” hypothetical counterfactuals. ASIC alleged that a reasonable director would first have made further enquiries, obtained information the director did not possess, and then taken further steps on that hypothetical basis. Instead, the Court decided that the breach, if any, lies in failing to act on information actually known to the director.
In-house counsel: indivisible duties and independent reporting
The CLRO held the successive roles of company secretary and group general counsel, and then company secretary and chief legal and risk officer. She argued that her duties were “divisible”: that she attended board meetings in her capacity as company secretary; yet e.g. as general counsel she reported to the CEO and was not herself obliged to escalate information to the board.
The Court firmly rejected this. It decided that in-house counsel who are officers cannot compartmentalise their responsibilities by reference to the different capacities in which they serve.
The implications extend beyond general counsel. Directors and officers often also hold a variety of senior legal, risk, compliance and internal audit roles. These roles often intermediate information flows to the board.
Non-executive directors: entitled to rely, but not to be passive
The Court confirmed that non-executive directors (indeed all directors) are entitled to rely without independent verification on the judgment, information and advice of management and other officers, at least except where they know, or by the exercise of ordinary care should have known, facts that would deny reliance. Here, the non-executive directors were insufficiently informed. ASIC could not bridge the gap between the inadequate disclosures made to them by executives, and what they should independently have discovered.
But the Court was far from complimentary. It stated that the board minutes “disclose little by way of sustained scrutiny or insistence upon explanation in circumstances where risks were obvious” and that this was “not a portrait of directors actively pressing management with difficult questions as to whether the business was being conducted ethically, lawfully and to the highest available standard”. Directors cannot substitute reliance on management for their own attention and examination of important matters falling specifically within the board’s responsibilities.
Interestingly, the sparse contemporaneous record assisted the non-executive directors: ASIC could not establish what the directors actually knew or discussed beyond this record. But that is a precarious foundation for a non-executive director’s defence. The better course is to actively engage with material risks at the time and ensure that board minutes reflect this. Directors should ask themselves: “where would the records show that I thought about this risk carefully?”
Information governance: board packs, minutes and AI
The Court rejected the suggestion that directors can claim lack of knowledge based upon the sheer volume of material they receive.
The Court described modern board packs as “Brobdingnagian electronic document dumps”. Without discipline, those preparing packs include everything, so that the pack becomes insurance for its preparers rather than a useful tool for the board. Since “no rational person can evaluate all this material meaningfully in the time available”, what follows is a form of directorial triage: reading what appears central, scanning what appears material, and trusting that anything alarming would have been signalled plainly.
But the Court said it is for boards to impose discipline on management to synthesise information. (Some practical suggestions here: covering papers should be concise and structured, with material risks surfaced prominently rather than buried in appendices. Minimum lead times for the delivery of board papers should be mandated and enforced, and the chair and company secretary should push back on papers that are too long or that fail to escalate material risks.)
Directors should also be encouraged to submit questions in advance of meetings. The Court singled out as “commendable” an instance where a director proactively interrogated a paper before the meeting.
The Court acknowledged that directors using AI to navigate board materials is “a contemporary reality” and “nothing inherently objectionable” but cautioned that “the use of technology may assist comprehension, but it cannot displace judgment”. Boards should adopt formal policies rather than tolerating informal “shadow use”.
While AI-generated summaries are no substitute for careful reading, appropriately governed AI tools may legitimately assist directors in discharging their duties.
Global perspectives: individual accountability for information flows and escalation
Regulators globally are building frameworks that impose personal liability for governance failures. In the United Kingdom, the Senior Managers and Certification Regime (SMCR) imposes “reasonable steps” obligations on those holding designated Senior Management Function (this can include some board members), and the UK regulators are actively enforcing it. The Monetary Authority of Singapore (MAS) issued its Guidelines on Individual Accountability and Conduct in September 2020, and Ireland followed with its Individual Accountability Framework modelled on the SMCR. Australia’s Financial Accountability Regime (FAR) is also modelled on the SMCR but applies to all directors of accountable entities. And Hong Kong’s Securities and Futures Commission (SFC) has been increasingly active in pursuing directors personally.
Globally, enforcement actions and civil proceedings increasingly feature issues of governance and process around information flows and escalations, and senior individuals’ roles in facilitating this. Often examined: particularly, whether reporting structures, escalation mechanisms and committee records demonstrate that the board was positioned to receive and act on material risk. For example, this features in a string of recent UK financial services enforcement actions including against TSB’s former Chief Information Officer in relation to informing its board about IT migration project risks, against directors and executives of the collapsed construction company Carillion plc for market disclosure shortcomings, and against senior executives and directors of Wyelands Bank and The Bank of London which prominently featured information flow issues relating to large exposures.
Key takeaways
It is important to ensure not only that the board makes appropriate decisions, but also that the organisation’s governance systems ensure that the board is given the appropriate information about relevant risks in good time, that senior individuals play their crucial part in this process, and that directors and officers engage meaningfully with the relevant information once they receive it.
Boards should exercise control over the volume and quality of board materials and maintain contemporaneous records of discussions on material risks. Where AI tools are used in preparing or reviewing board packs, formal policies should be adopted.
Non-executive directors may rely on management, but the Court’s pointed criticism of the Star board’s passivity is a clear warning: the jobs of all directors “are not just tokens or glittering prizes decorating a CV”; instead, they require “intelligent people prepared to engage actively”. Directors should ensure that board records reflect their genuine interrogation of management on risk issues.
CEOs bear personal responsibility for ensuring the board receives full, accurate and timely information on material risks that is known to the CEO. Three of the CEO’s four contraventions arose from failures to inform the board.
In Australia, a director or officer cannot argue that their statutory directors’ and officers’ duties apply only to their director or officer role and not other roles they may hold (whether in-house legal as in this case, or otherwise e.g. in risk, compliance or audit). The Australian duty in s.180(1) applies to the totality of an officer’s responsibilities (including but not limited to their responsibilities as an officer). This applies equally in other jurisdictions in which directors’ and officers’ duties are framed similarly – which often they are.
For financial services firms, directors’ duties compound existing senior manager duties in individual accountability regulatory regimes like the UK’s Senior Managers and Certification Regime and Australia’s Financial Accountability Regime.
