Recent Federal Court decisions reinforce the breadth of the section 912A obligation

Recent Federal Court decisions in Australian Securities and Investments Commission v HSBC Bank Australia Limited [2026] FCA 847 (the HSBC Decision) and Australian Securities and Investments Commission v Mercer Superannuation (Australia) Limited [2026] FCA 832 (the Mercer Decision) reinforce that the obligation under section 912A(1)(a) of the Corporations Act 2001 (Cth) (Corporations Act) extends well beyond isolated instances of misconduct. Instead, the obligation requires Australian financial services (AFS) licensees to implement and maintain systems, controls and governance frameworks that proactively identify, manage and respond to operational and compliance risks.

Although the HSBC Decision and the Mercer Decision arose in different factual contexts, both decisions emphasise that section 912A is principally concerned with whether a licensee’s systems are reasonably designed to ensure financial services are provided efficiently, honestly and fairly. Deficiencies in governance, compliance frameworks or operational controls may themselves constitute a contravention, even where there is no allegation of dishonesty.

The proceedings resulted in civil penalties of $35 million against HSBC and $10.3 million against Mercer, highlighting ASIC’s continued enforcement focus on systemic governance failures.

HSBC: failures in operational systems and customer protection

The proceedings against HSBC arose from admitted contraventions over almost five years involving deficiencies in operational systems affecting customers, including:

  • Inadequate fraud prevention and detection controls, with HSBC failing to implement appropriate fraud detection and interception capabilities on its internal payment rail despite recognising heightened fraud risks.
  • Deficient systems for compliance with the ePayments Code, with HSBC failing to maintain adequate systems to investigate unauthorised transaction reports, correctly apply liability provisions, communicate investigation outcomes and monitor compliance. Approximately 97% of reports involved at least one compliance failure.
  • Failure to maintain adequate customer remediation processes, with HSBC lacking an adequate process for restoring customer access to restricted accounts after reports of unauthorised transactions.

Mercer: failures in compliance systems and breach reporting

Unlike the HSBC case, the Mercer case concerned deficiencies in internal compliance systems supporting statutory breach reporting obligations.

Between October 2021 and September 2024, Mercer failed to maintain an adequate system for identifying, tracking and reporting reportable investigations. The deficiencies meant Mercer failed to identify when investigations commenced, failed to monitor investigation timeframes and failed to report numerous reportable investigations to ASIC within the statutory timeframes, or at all.

The Court found that Mercer’s systems failed to identify investigation commencement dates, track investigation duration, identify reportable investigations, provide adequate policies and procedures, and ensure accurate reporting to ASIC.

These deficiencies resulted in a contravention of section 912A(1)(a). The Court also imposed penalties for failures under the reportable situations regime and for materially false or misleading reports provided to ASIC.

The Court’s approach to section 912A

Together, the HSBC Decision and the Mercer Decision reinforce that section 912A is directed primarily towards the adequacy of a licensee’s systems, controls and governance arrangements.

In the HSBC Decision, the Court emphasised that licensees must continually assess emerging operational risks and adapt their systems before customer harm occurs. In the Mercer Decision, the Court confirmed that section 912A is a forward looking obligation extending to internal compliance systems supporting regulatory obligations. Adequate compliance systems enable ASIC to perform its supervisory role and encourage prompt identification and management of significant compliance issues.

Both decisions emphasised that while section 912A does not require perfection, licensees must maintain systems and controls that are reasonably appropriate having regard to the size, complexity and nature of their financial services business.

Practical implications for AFS licensees

The HSBC Decision and the Mercer Decision demonstrate that ASIC is increasingly focusing its enforcement activity on the adequacy of a licensee’s governance framework, rather than simply the occurrence of individual compliance failures. AFS licensees should therefore view section 912A as requiring ongoing investment in governance, systems and operational resilience, rather than a reactive obligation that is only engaged once issues arise.

In particular, licensees should consider whether their existing systems:

  • are capable of identifying and responding to emerging operational and compliance risks before they result in customer harm or regulatory breaches;
  • appropriately monitor and escalate known system deficiencies so they are remediated within a reasonable timeframe;
  • accurately identify and track regulatory obligations, including breach reporting and other statutory notification requirements;
  • produce reliable management information that enables boards and senior management to exercise effective oversight; and
  • support accurate, timely and complete reporting to ASIC.

These decisions also reinforce that where a licensee becomes aware of deficiencies in its systems or controls, failing to promptly remediate those deficiencies may itself become a significant aggravating factor in subsequent regulatory proceedings.

Key takeaway

The HSBC and Mercer decisions demonstrate that section 912A is fundamentally a systems and governance obligation. Whether the issue concerns fraud controls, customer remediation, breach reporting or regulatory compliance, licensees are expected to maintain robust governance frameworks capable of preventing foreseeable failures before they result in consumer harm or regulatory breaches.

For further information, please contact Chris Mee at cmee@cnmlegal.com.au or Jessica Bauers at jbauers@cnmlegal.com.au, or call 07 3211 4010.

This article is produced as general information in summary for clients and should not be relied upon as a substitute for detailed legal advice or as a basis for formulating business or other decisions. CNM Legal asserts copyright over the contents of this article.