Firstmac fined $8 million for breaching DDO – is this the baseline penalty?

Insights30 Jan 2025

On three occasions in the last 12 months, the Federal Court has imposed a penalty of $8 million for breaches of the design and distribution obligations (DDO).[1] In the latest case, Firstmac was fined $8 million for breaches of its ‘reasonable steps’ obligation (Firstmac case).[2] Here, the HW Funds team explains the background and what the Court considered in reaching the penalty then we set out what steps fund managers should take towards cultivating a culture of compliance and how we can help. 

Key takeaways

  1. Deterrence appears to be a critical feature of penalty decisions relating to the DDO. While courts will take into account the size of an organisation and the actions of an entity after contraventions are identified, it seems deterrence and the public interest in ensuring entities comply with the DDO take precedence. 
  2. The consequences of breaching the DDO should not be regarded as an acceptable ‘cost of doing business’. Even though the conduct might not result in a consumer making an investment or suffering any loss, the courts are unlikely to give this much (if any) weight when determining the penalty.
  3. It is essential fund managers and advisors cultivate a culture of compliance by creating and implementing effective DDO policies and procedures, providing DDO training to staff (including boards, senior management and operational teams), and meticulously reviewing and identifying the reasonable steps they should take to comply with the DDO when distributing financial products.

The penalty decision in ASIC v Firstmac

The penalty in Firstmac related to Firstmac’s distribution of a product disclosure statement for a mortgage-backed securities product (High Livez) to existing term deposit holders. The Court ruled Firstmac breached the DDO by failing to take reasonable steps that would have resulted in, or would have been likely to have resulted in, the distribution being consistent with the target market of High Livez. We detailed these proceedings in a recent article

The penalty was imposed despite Firstmac’s conduct resulting in only one term deposit holder investing in High Livez and suffering a loss of $184.71 (on a $50,000 investment). Firstmac received a mere $150 in management fees for the investment.

The contraventions

Firstmac sent 115 emails (from October 2021 to about April 2022) and 716 letters (on or about 29 August 2022) to retail clients who held Firstmac’s term deposit product, totalling 831 contraventions of section 994E(3) of the Corporations Act 2001 (Cth) (Act).  Firstmac argued there were only two contraventions, which the Court rejected, but the Court did acknowledge the contraventions arose from two courses of conduct. 

The actual loss caused by these communications was a mere $184.71, which was suffered by a single investor who had made a $50,000 investment. Similarly, Firstmac’s resulting benefit was in the form of a $150 management fee from this investment, which the Court noted is a negligible amount. 

The penalty

The theoretical maximum penalty, as a result of the 831 contraventions, was $9.22 billion. 

However, the Court readily acknowledged that this theoretical penalty was disproportionate to the harm. ASIC instead sought a lower penalty of $25 million. While, Firstmac also accepted that a penalty was warranted, it argued that ASIC’s requested penalty was excessive and instead suggested a penalty of $4 million to $4.5 million would be appropriate.

In deciding the penalty ($8 million), the Court considered its powers under section 1317G(6) of the Act and focused on the principles from a previous High Court decision, including that there is no requirement for the penalty to be proportionate to the seriousness of the conduct and the purpose of a civil penalty is to promote the public interest in ensuring compliance. 

Emphasis on deterrence

Ultimately, deterrence was the primary driver of the significant value of this penalty decision. Although the actual harm was minimal, the Court took the view that the ‘risk’ of financial harm was notable.

Primarily, the Court considered that Firstmac failed to have in place adequate DDO systems, policies, and procedures. This included a failure to prepare and distribute adequate written DDO policies, lack of DDO training to staff, and a failure to adequately review cross-selling strategies or identify reasonable steps. The Court was clear that the related penalty must demonstrate that contraventions resulting from inadequate systems will have serious consequences. 

The Court also considered Firstmac to be ‘objectively reckless’, in that it ‘courted the risk’ as to whether its conduct would contravene the DDO. The Court stated that objective recklessness includes instances where a person proceeds to cause harm despite an obvious risk of harm which is not appreciated.  Among other things, the Court referred to the fact that Firstmac had received (and was responding to) section 33 notices issued by ASIC which sought information (inter alia) about its DDO practices.  In particular, the Court referred to an email from Firstmac’s in-house counsel[3] regarding the continued marketing of High Livez while waiting for the outcome of ASIC’s investigation might be ‘a risk worth taking in order to create leads’.

Based on these factors, the Court found a significant penalty was necessary to ensure Firstmac would not simply perceive the penalty as an ‘acceptable cost of doing business’. 

Finally, in determining the value of the fine, the Court highlighted numerous mitigating factors (see below) and noted similarities between this case and Australian Securities and Investments Commission v American Express Australia Limited [2024] FCA 784 in which a penalty of $8 million was also imposed.

Mitigating factors

Despite these findings, the Court concluded the penalty sought by ASIC was excessive and would be greater than was necessary to achieve deterrence. Some mitigating factors in favour of Firstmac included the negligible actual loss to consumers and Firstmac’s subsequent steps to:

  • amend its operations, policies, and procedures to ensure compliance with the DDO; 
  • create an executive role of Head of Risk and Compliance; 
  • engage an external consultant to provide training to employees, board, and department managers;
  • engage external consultants to assist Firstmac to update its DDO Policy; and
  • require all staff and board members to complete online training on the updates to the DDO Policy and complete an assessment module.

All in all, the decision is not a great outcome for Firstmac, but without these mitigating factors could have been worse. It is a good reminder for fund managers to ensure they have good systems and staff who are properly trained.

How we can help

We offer the full spectrum of DDO services tailored to your business needs, from advice on documents you prepare to a comprehensive implementation of the DDO into the operations of your business. Reach out to the HW Funds team to learn more about our services, including:

  1. Preparing target market determinations (TMDs).
  2. Preparing written policies and procedures.
  3. Training, including board DDO sessions and responsible manager and distribution staff training series.
  4. Comprehensive review of DDO infrastructure.

This article was prepared with the assistance of Law Graduate, Roger Miyumo.


[1] The other cases are Australian Securities and Investments Commission v Bit Trade Pty Ltd (No 2) [2024] FCA 1422 (Nicholas J) and Australian Securities and Investments Commission v American Express Australia Limited [2024] FCA 784 (Jackman J)
[2] Australian Securities and Investments Commission v Firstmac Limited (Penalty Hearing) [2025] FCA 12
[3] Australian Securities and Investments Commission v Firstmac Limited (Penalty Hearing) [2025] FCA 12 @ 67

Contact

Hall & Wilcox acknowledges the Traditional Custodians of the land, sea and waters on which we work, live and engage. We pay our respects to Elders past, present and emerging.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of service apply.