Chapter 9

Chapter 9

Commonwealth Financial Planning Limited: ASIC's investigations of misconduct at CFPL

9.1        As noted in the previous chapter, the committee received evidence from a number of CFPL clients and their representatives who contend that ASIC's handling of the CFPL matter was inadequate. In varying degrees, these witnesses argued that ASIC:

9.2        Also, the CICP implemented in April 2008 proved to be an inadequate response to the misconduct at CFPL, and one that placed too much store in the ability and willingness of CFPL/the CBA to address the problems that had been detected effectively. These complaints and the conduct of ASIC's investigations into misconduct at CFPL are explored further in this chapter.

9.3        The related complaint that ASIC put in place an inadequate and inappropriate enforceable undertaking with CFPL in 2011, and that this has enabled CFPL/the CBA to manipulate the process of compensating affected CFPL clients, is considered in the next two chapters.

The 2007–08 surveillance project

9.4        ASIC suggested in its first written submission that it had long been alert to potential problems with the quality of advice being provided by the financial planning industry in Australia. ASIC's concerns in this regard, it wrote, had prompted it to initiate surveillance projects on three of the largest industry participants in Australia: CFPL, AMP and Professional Investment Services. ASIC's surveillance project in relation to CFPL commenced in February 2007 and was completed in February 2008. The project involved interviews with various CFPL staff and the review of 496 pieces of advice provided by 51 advisers.[1]

9.5        According to ASIC, its surveillance of CFPL was not intended to identify problem advisers, but rather to 'examine the quality of advice and processes overall within CFPL'. Its surveillance found:

...significant concerns in relation to supervision, file review procedures, advice templates, breach reporting, record keeping and compliance, and significant and widespread problems with the quality of advice.[2]

9.6        It is worth noting that the import of this surveillance project is contested: ASIC, on the one hand, suggested that the project (and others undertaken in relation to AMP and Professional Investment Services) 'ultimately led to enforceable undertakings with all three firms'. Mr Morris, by contrast, suggested that CFPL believed ASIC had given it the 'all clear' at the end of the surveillance project (as discussed further below). The enforceable undertaking referred to in ASIC's submission was put in place on 26 October 2011.

9.7         Putting aside the degree to which the surveillance project 'ultimately led' to the enforceable undertaking in October 2011, the immediate outcome of the surveillance project was that in February 2008 ASIC wrote to the CBA advising it of the problems detected by the surveillance project and the concerns ASIC had about the CFPL business.[3]

9.8        Following a request from the committee at a public hearing on 10 April 2014, ASIC provided the committee with a copy of the letter it sent to CFPL on 29 February 2008. The content of the letter is consistent with the summary ASIC provided in its submission of the surveillance project findings but for one important fact: ASIC had not previously mentioned that, in addition to CFPL, the surveillance project also focused on the operations of another CBA subsidiary, Financial Wisdom Limited (FWL). The advice provided by FWL, and in particular by Mr Rollo Sherriff (an adviser at the Cairns-based financial advisory firm, Meridien Wealth, which was a subsidiary of FWL), was addressed as part of a recent joint Four Corners and Fairfax Media investigation.[4] Following this public disclosure, ASIC provided the committee with a supplementary submission explaining that it had conducted an investigation of Mr Sherriff's conduct, but had decided against taking any enforcement action against him. This supplementary submission, however, makes no mention of ASIC's surveillance of FWL in 2007–08.[5] The May 2014 revelations about CFPL and FWL are discussed further in Chapter 12.

9.9        ASIC's February 2008 letter to the CFPL referred to a number of compliance failures and other shortcomings in the CBA's financial advice business (specifically, CFPL and FWL), including:

9.10      In its letter to the CFPL, ASIC also noted that only seven of 38 CBA representatives who had been rated as 'critical' by the CBA's Risk Matrix were reported to ASIC under s912D of the [Corporations Act], one of which was after the surveillance had commenced. ASIC wrote:

Given the seriousness of the conduct, we have concerns about CBA's ability to discharge their obligation to report significant breaches under s912D of the Act.[7]

9.11      ASIC expressed particular concern that many of the problems it identified in its surveillance project had previously been 'put to CBA in 2006, after a smaller surveillance was undertaken of CFPL's Bankstown branch and FWL's Cairns branches'. These recurring concerns included the non-completion or poor quality of Financial Needs Analysis and Statement of Advice documents, and the failure to report significant compliance breaches to ASIC as required by section 912D of the Corporations Act. ASIC stated:

Despite assurances from CBA in May 2006 that CBA had overhauled its compliance arrangements and the suggestion that many of ASIC's concerns were historical, we have reason to believe, on the basis of our findings in this Surveillance, that our concerns are ongoing.[8]

9.12      Finally, ASIC concluded its letter to the CFPL by indicating that it was considering what action to take in relation to its findings. It further stated that the purpose of the letter was 'to give CBA an opportunity to put to ASIC a proposal that will satisfactorily address these issues.'[9]

The Continuous Improvement Compliance Program

9.13      In April 2008, CFPL implemented the CICP in response to ASIC's concerns. According to ASIC, the CICP was 'also intended to address problems identified by CFPL in a number of reviews it had undertaken itself, including reviews using an external firm'. The CICP consisted of eight work streams overseen by a CICP project steering committee within CFPL: strategy and risk framework; breach/incident reporting; advice documentation; systems and management reporting; operating structure; people and culture; retrospective analysis; and adviser competence and supervision. The CICP project steering committee met with ASIC on a monthly basis to discuss the project.[10]

9.14       The findings of ASIC's 2007–08 surveillance project and the subsequent implementation of the CICP were not made public at the time. This was, ASIC explained in its submission, consistent with ASIC's then practice of not making public comment on regulatory matters. Appearing before the committee, ASIC further explained that the view at ASIC in 2008 was that if a matter was not made public 'there was more chance of negotiating a good outcome from the entity involved' without a protracted legal battle. When the CICP was implemented, ASIC also reasoned that given the quality of financial advice was poor across the industry (affecting as much as 20 per cent of the market, according to ASIC's intelligence and analysis) it might have been unfair to publicly single out CFPL.[11]

9.15      In her submission, Ms Swan was highly critical of ASIC's decision not to release the findings of its surveillance project and 'warn investors of this grave situation' at CFPL.[12]

9.16      ASIC conceded that the decision not to publicly announce the surveillance project findings and the subsequent CICP was a mistake. While the decision was consistent with ASIC's approach to such matters at the time, ASIC emphasised that, were the surveillance and subsequent enforcement action to take place today, ASIC would make this public:

That was one of the other learnings. At the time, there was not sufficient public transparency around the continuous improvement compliance program, and the concerns that ASIC had at that time around CFP's advice were not announced publicly. As a matter of course, that would now be a public announcement with all the implications of that in terms of putting on additional pressure and public expectations, allowing committees like this to ask how things are going. So that is one aspect of an action today that would help to ensure that it progressed more effectively.[13]

Failure of the CICP to prompt the necessary change at CFPL

9.17      Evidence received by the committee, particularly from Mr Morris, indicated the CICP was regarded by staff at CFPL (including compliance staff) with an attitude that could be described as anything between indifference and contempt. 

9.18      Mr Morris was damning in his appraisal of both ASIC's surveillance project, which he suggested took too long to gather too little information, and the resulting CICP, which, in his view, had no substantive effect on how CFPL conducted its business:

[T]hey took a year to look at it, which is an awful long time to just be there gathering intelligence. They looked at 500 pieces of advice from 50 planners. Well, that should not take 12 months. Then they took another couple of months in April 2008. That is when they decided to have the much vaunted CICP program. I was in that business for years and I could not perceive any impact from that program. Leaving that [aside], if they commenced that program in April 2008, as they say, and yet 3½ years later, in October 2011, ASIC find it is necessary to go to an enforceable undertaking, what were they doing for those 3½ years of that CICP process?[14]

9.19      The experience of Mr Morris, as relayed in both his written submissions and oral evidence, is instructive in terms of the apparent indifference at CFPL to the CICP. Mr Morris's induction as an employee of CFPL in March/April 2008 roughly coincided with the conclusion of the surveillance project and the implementation of the CICP. According to Mr Morris, he was told by a manager during his induction that ASIC had just undertaken a full review of CFPL and given it a 'clean bill of health'. While the manager in question did not refer to the surveillance project and the CICP specifically, Mr Morris has since concluded that this is what the manager was referring to. The view that ASIC had effectively given CFPL the 'all clear' and that the CICP largely reflected this was, in Mr Morris' opinion, widespread at CFPL:

I suspect that perusal of the actual ASIC 'findings' of February 2008 and notes of the monthly meetings of the 'steering committee' of their 'CICP' process will show a fairly detached, theoretical and leisurely approach to any problems found.[15]

9.20      Mr Morris also argued that, from what he was able to observe personally, the CICP led to no meaningful change in how the CFPL conducted its business. According to Mr Morris, even compliance managers at CFPL were indifferent to meeting the objectives of the CICP. Mr Morris referred to the experience of one of his fellow whistleblowers to demonstrate the point:

One of the other whistleblowers was one of the planners who was reviewed. I think I put in my submission that he was asked to change a few things in a couple of financial plans and a couple of months later he went to give it to the compliance manager who said, 'Don't worry about it. ASIC's lost interest and gone away.' Nobody took it seriously, I suspect.[16]

9.21      Highlighting the apparent indifference at CFPL to the CICP, evidence received by the committee during the inquiry indicated that the CBA Board likely had minimal or no awareness of the CICP. In its written submission, ASIC suggested that the CICP 'had a very senior project steering committee that reported both to the Board of CFPL and the Board of the Commonwealth Bank of Australia'.[17] However, in response to questions from the committee, the CBA confirmed that the CBA Board had little if any visibility of the CICP. The CICP was, the CBA told the committee, initiated by the CFPL management team and neither required CBA Board approval nor operated under CBA Board oversight. The CBA further informed the committee that a review of the minutes of the CBA Board and its sub-committees suggested the CICP was first mentioned to the Board on 9 July 2009 (15 months after it was implemented) as part of a broader presentation on the CBA's financial advice business. The only other reference to the CICP in Board papers that the CBA could find was in a paper considered by the Board on 9 August 2011, which updated the Board on an internal audit report and regulator concerns regarding parts of the Colonial First State advice business. The reference to the CICP in that paper seems to have been a passing one in a paragraph outlining the history of regulatory issues at CFPL.[18] 

9.22      Regardless of the level of CBA oversight of the CICP, ASIC acknowledged that it should have moved toward an enforceable undertaking from CFPL sooner, rather than relying on CFPL's ability to 'identify and rectify all the problems that started to emerge'.[19] ASIC told the committee that ultimately the latter approach, as pursued through the CICP:

...did not prove effective. It was not proving effective over time, and whilst it possibly was reasonable to try that initially, we should have cut that short earlier. We should have monitored it more closely and put tougher time limits on it and tougher testing of the monitoring all along the way and made a decision earlier to give up on that process and move to the tougher enforceable undertaking process.[20]

9.23      The CBA itself conceded that the CICP failed to address the problems at CFPL, and suggested that ASIC was likely justified in eventually determining that the CICP was failing to achieve its objectives. Mr Cohen told the committee:

My impression is that, as [the CICP] progressed, ASIC increasingly felt uncomfortable around the business's ability to actually achieve the desired outcomes. That was my impression, that it was a gradual sense that came upon ASIC. I think, in fairness to ASIC and with the benefit of hindsight, that they had grounds for that concern. I do think that the CICP did not achieve what it was designed to achieve as quickly as it was designed to be achieved. That, I think, dawned upon ASIC as the matter progressed.[21]

ASIC's handling of reports of misconduct at CFPL

9.24      ASIC's acknowledgement that it should have 'monitored [the CICP] more closely and put tougher time limits on it' is particularly telling in light of the 17 months that elapsed between the whistleblowers contacting ASIC and ASIC moving toward formal enforcement action against CFPL. Indeed, one of the most important issues raised in this inquiry was why it took ASIC until March 2010 to form the view, as it puts it, that 'the CFPL matter needed to move from a cooperation resolution of concerns to a formal enforcement action with set timeframes and documents produced under notice'.[22]   

9.25      On 30 October 2008, seven months after the CICP was agreed, the CFPL whistleblowers made their first report to ASIC. In an anonymous fax, signed 'the three ferrets', Mr Morris and two of his colleagues detailed information regarding Mr Nguyen's misconduct and what they considered was a CFPL management cover up of that misconduct.[23] The CFPL whistleblowers concluded their fax to ASIC with a warning that the client files that could shed light on Mr Nguyen's misconduct were in the process of being sanitised by Mr Nguyen and his assistants:

The client files will basically tell the story—as they did for the internal compliance people. There is some urgency in securing them as they are being 'cleaned up'.[24]

9.26      According to Mr Morris, the whistleblowers had expected ASIC to 'turn up with a warrant to seize the files'. When that did not happen, the whistleblowers followed up their fax with a series of anonymous emails urging action:

However as the days passed with no sign of a fire breathing regulator on the doorstep, we decided to follow up ASIC by email. Weeks turned into months. Email followed email. ASIC said they were investigating. But if that were so, why hadn't they seized the files?[25]

9.27      In early December 2008, ASIC raised concerns about Mr Nguyen with CFPL, and requested that CFPL provide information on Mr Nguyen at a CICP meeting scheduled for 18 December 2008. Mr Nguyen's conduct was discussed at that meeting, and, according to ASIC, the CFPL advised in a follow-up communication that:

...four complaints had been received about Mr Nguyen, three of these had been resolved and CFPL was dealing with the remaining client, who had legal representation. CFPL also advised that Mr Nguyen was being closely supervised and his advice vetted prior to being provided.[26]

9.28      Mr Nguyen's conduct was discussed at subsequent CICP meetings. ASIC acknowledged in its submission that while it informed the whistleblowers that their complaints were under consideration, it did not inform them of how the matter was being handled or the broader work being undertaken in relation to CFPL.[27] In this respect, ASIC's account is consistent with evidence from Mr Morris, who noted that in March 2009, in response to a query as to the progress of their complaint, the whistleblowers were simply told the 'issues are still currently being considered'.[28]

9.29      In his submission, Mr Morris noted that after Mr Nguyen's resignation in July 2009, the CFPL whistleblowers were basically left exposed at CFPL, with ASIC apparently unwilling to take meaningful action against the organisation:

The Ferrets survived for the time being. The hostility from CFP managers towards us was pretty clear. It was an incredibly stressful situation. Aside from trying to survive in a hostile environment to continue gathering information, ASIC's indolence had forced us to basically expose ourselves [both CFP & Nguyen would easily work out who was behind the Investor Daily articles] and we had been concerned from the start about Nguyen's mental state. I always took special care when walking to my car in the underground carpark.[29]

9.30      Mr Morris further reported that at the end of 2009, one of the whistleblowers left CFPL, 'suffering acutely from the stress of the situation'. Mr Morris's fellow‑whistleblower had, according to Mr Morris, found the 'interrogation by [CBA] Group Security' particularly stressful.[30]

9.31      By March 2010, exasperated by ASIC's apparent inaction in relation to the information they had provided, and frustrated by what they regarded as the CBA's ongoing efforts to cheat CFPL clients out of proper compensation, the whistleblowers visited ASIC's office. Mr Morris wrote:

ASIC tries to imply that they instigated this meeting. Whilst it is literally true that they invited us to 'come in from the cold' and meet with them, this invitation was only in response to persistent follow ups from us. We knew we could have gone in at any time. We did not do so earlier because of our concerns about Nguyen and ASIC's ability to keep a secret. We would have preferred all along to remain anonymous. We went in when we did because we despaired of ever getting ASIC moving otherwise, because our cover was blown anyway and because not even our actions in mid 2009 had succeeded in getting through to them.[31]

9.32      According to Mr Morris, the whistleblowers were told by ASIC during their first meeting that from that day forward, they had whistleblower protection (under the Corporations Act), but that it 'wouldn't be worth much'. The meaning of this comment specifically, and the inadequacies of the current whistleblower protections generally, are explored further in Chapter 14.   

9.33      In their meeting with ASIC on 24 February 2010, the whistleblowers again urged ASIC to seize CFPL client files, 'which were still being worked on'. Mr Morris noted that they also offered their inside knowledge to help ASIC understand how client files had been manipulated; this offer, he pointed out, was never taken up.[32]

9.34      Independent of the actions by the CFPL whistleblowers, in March 2010 Maurice Blackburn launched the first of a number of court actions in the NSW Supreme Court against CFPL. The institution of proceedings was reported in the press, and Maurice Blackburn was advised that within 24 hours ASIC 'raided' CFPL's premises and confiscated documents and computer records.[33]

9.35      On 24 March 2010, ASIC notified CFPL that it required the 'immediate production of documents relating to Mr Nguyen'.[34] In an answer to a question on notice from Senate estimates in June 2013, provided on 17 October 2013, ASIC clarified that immediate production was required for client list and audit trail data (a section 19 notice), while CFPL was given until 9 April 2010 to hand over client files (a section 33 notice).[35]

9.36      Mr Morris was critical of the decision to give CFPL two weeks to hand over client files, suggesting this provided CFPL with time to undertake a final 'clean up' of the files. He also noted that only 79 client files were handed over to ASIC on 9 April 2010, with 423 files identified as missing. The fact that 139 of those 423 files were subsequently located and provided to ASIC on 17 June 2010 was, according to Mr Morris, more cause for suspicion. It should have been obvious to ASIC, he argued, that CFPL had used the extra time to 'work on these files'—that is, to further sanitise them.[36]

9.37      Upon review of Mr Nguyen's files, on 19 July 2010 ASIC referred a brief on Mr Nguyen to a delegate for consideration of banning action. Several days later, ASIC meet with CFPL, and CFPL gave a commitment to remediate former clients of Mr Nguyen. As discussed in the next chapter, from August to October 2010, negotiations took place between CFPL and ASIC regarding the compensation process that would be put in place to this end.[37]

9.38      ASIC's submission does not relate the exact sequence of events that led it to serve notices on CFPL requiring the production of documents. Nor does it shed any light on what role, if any, the whistleblower information or the action by Maurice Blackburn played in ASIC's decision-making. Rather, ASIC's submission simply reported: 'Following the work carried out in 2008 and 2009, ASIC made a decision in March 2010 that the matter should be dealt with by its Enforcement team'.[38]

9.39      In addition to criticism from Mr Morris and former CFPL clients, ASIC's apparent lack of responsiveness to the misconduct at CFPL was heavily criticised by the Rule of Law Institute. ASIC's mishandling of the whistleblower disclosures, argued the Institute, allowed the misconduct at CFPL to continue, and by extension meant that CFPL clients lost more money than they otherwise would have:

The history of the Commonwealth Bank's whistleblowers, who alerted ASIC to allegations of corruption within the CBA in October 2008, as described in a number of newspaper articles by investigative journalists Adele Ferguson and Chris Vedelago, is sobering. The extensive delays in responding to the concerns appropriately with enforcement action and providing the public information as self-described by ASIC in its submission enabled corrupt practices to continue and vulnerable consumers to lose more.[39]

9.40      ASIC conceded that it should have been more active in following up with the CFPL whistleblowers:

When we got that contact from the whistleblowers, we should have been back in contact with them, seeking more information straight away.


We acknowledge in our submission that that should have been done and did not happen. We have taken steps subsequently to make sure that in future a different approach will be taken.[40]

9.41      Asked whether ASIC would handle the problem of CFPL differently today, ASIC told the committee:

Under current ASIC operations we would not be in the very awkward position of having a non-public broad program [that is, the CICP] in place that we could not discuss with whistleblowers when they contacted us because we had not made it public. So we would not have been carrying that baggage to begin with. We would now go back to those whistleblowers very quickly, get more information from them and focus in on that issue.[41]

9.42      As discussed in Chapter 14, ASIC also informed the committee that one of the key lessons it had taken from the CFPL matter was that it needs to improve how it communicates with whistleblowers and handles the information they provide. As a result, ASIC has put in place new processes relating to whistleblowers (again, these changes are discussed further in Chapter 14).

9.43      ASIC told the committee that the information it received from the whistleblowers about Mr Nguyen in October 2008 was in part integrated into its broader program of monitoring the CFPL—a process that ASIC conceded 'did not end up working adequately'. However, ASIC also followed up with CFPL about Mr Nguyen specifically. Discussing this process, ASIC told the committee that it now recognised that it placed too much faith in the capacity of the CFPL to address these concerns. With regard to the whistleblower information on Mr Nguyen provided on 30 October 2008, ASIC advised that:

...within a month [it] confronted Commonwealth Financial Planning about Nguyen and asked for documents and various materials on Nguyen. We were given information on Nguyen and told that Nguyen was being addressed and that there was a program to look at the complaints that had been made and compensate people if necessary. Again, within the broader program that is the sort of thing that we were expecting them to do. Again, we put too much faith in them to do that well, and they did not do that as well as they should have. I think on their own evidence [the CBA] would acknowledge that.[42]

9.44      The 'faith' that ASIC placed in CFPL/the CBA was discussed by critics of ASIC's handling of the CFPL matter. In his written submission, Mr Morris posited that ASIC's 'incredible reluctance' to act on evidence of malfeasance at CFPL was likely a function of ASIC's genuine belief that 'everything was fine with the big players' in the financial advice industry.[43] Similarly, Ms Swan suggested that ASIC was too close to large financial institutions such as the CBA and was, therefore, poorly placed to police potential misconduct:

There seems to be an incredibly cosy relationship between the CBA, ASIC and the financial institutions. ASIC has just depended on the large financial institutions saying, 'Everything is okay; you do not have to worry.'[44]

Committee view

9.45      The committee notes that ASIC has acknowledged the shortcomings of the Continuous Improvement Compliance Program, and that all parties now accept that the CICP failed to rectify the serious problems with the quality of advice and standards of practice at CFPL. Nonetheless, the committee is concerned that at the time of providing its first written submission in August 2013, ASIC appeared to believe that the CICP had been subject to oversight from the CBA Board. Evidence from the CBA would suggest that whatever formal reporting lines existed between the CICP steering committee and the CBA Board, in practice the Board effectively had no oversight or ongoing awareness of the CICP.

9.46      The committee also believes that ASIC's suggestion that the surveillance project undertaken between February 2007 and February 2008 'ultimately led' to the enforceable undertaking accepted by ASIC in October 2011 needs to be heavily qualified. In particular, the committee notes that in the first instance the surveillance project led to an inadequate outcome: the CICP. Moreover, evidence received by the committee would suggest that information from a number of other sources, not least the CFPL whistleblowers, may have been more decisive than ASIC's surveillance in 2007–08 in leading to the enforceable undertaking. While the committee acknowledges that the intelligence gathered from the 2007–08 surveillance project may well have informed the subsequent decision by ASIC to seek an enforceable undertaking, it believes that the suggestion the project 'ultimately led' to the enforceable undertaking overstates the degree to which ASIC recognised the seriousness of the problems at CFPL prior to the CFPL whistleblowers forcing the issue.

9.47      Evidence received during this inquiry has underlined ASIC's poor handling of the CFPL whistleblowers and the information they provided. The committee regards the fact that it took ASIC nearly 17 months to take meaningful action in response to the information provided by the CFPL whistleblowers as a significant failure on the part of the corporate regulator. Having said that, the committee notes that ASIC has itself acknowledged its failures in this regard, both in terms of taking too long to move toward an enforceable undertaking (the terms and outcome of which are considered in the next two chapters) and in terms of its handling of the CFPL whistleblowers and the information they provided. The committee also notes advice from ASIC (discussed, along with the broader issue of Australia's corporate whistleblowing framework, in Chapter 14) that it has since reviewed its whistleblower processes.

9.48      So far in its examination of the CFPL episode, the committee has found that the conduct of some financial advisers was unethical, dishonest, well below professional standards and a grievous breach of their duty of care to their clients. The way in which they targeted vulnerable trusting people and placed conservative investors in high‑risk products showed a callous disregard for their clients' interests. ASIC's slow response and the CFPL's apparent preoccupation with its own difficulties added to the damage that resulted. That a major and reputable financial institution could have tolerated for so long conduct that involved bad advice, poor record keeping, missing or incomplete client files as well as allegations of forged documents is not easy to accept. ASIC's lack of attention and action is also hard to explain.

Navigation: Previous Page | Contents | Next Page