Three questions every board must answer — and why most cannot
The ASIC v Commonwealth Bank case established a deceptively simple standard for director accountability. If a board cannot answer three questions about any material decision, directors face personal liability. Most boards fail on question two. Almost all fail on question three.
In 2017, AUSTRAC commenced civil penalty proceedings against the Commonwealth Bank of Australia for systemic breaches of anti-money laundering and counter-terrorism financing law. The case revealed that CBA's Intelligent Deposit Machines had failed to report over 53,000 suspicious transactions. The total penalty: $700 million — the largest civil penalty in Australian corporate history.
But the penalty was not the lasting consequence. What followed was more significant: ASIC pursued the directors personally. The regulator's argument was not that directors had acted dishonestly or in bad faith. It was that they had failed to exercise reasonable care and diligence under section 180 of the Corporations Act — because they could not demonstrate that adequate governance processes were in place to surface the compliance failures before they became systemic.
53,506 contraventions
CBA's Intelligent Deposit Machines failed to report transactions above the $10,000 threshold to AUSTRAC, resulting in over 53,000 individual breaches of anti-money laundering law.
$700 million fine
The largest civil penalty in Australian corporate history at the time. CBA settled with AUSTRAC in 2018, paying $700M for systemic compliance failures.
Board was unaware
The Prudential Inquiry (Hayne Royal Commission follow-up) found the board did not have adequate visibility into operational risk. Management reports did not surface the compliance failures.
ASIC pursued directors
ASIC took action against CBA directors including CEO Matt Comyn and former CEO Ian Narev, arguing directors failed to exercise reasonable care and diligence under s180 of the Corporations Act.
The precedent: ASIC v Bekier did not establish that directors must prevent every compliance failure. It established that directors must be able to demonstrate — after the fact — that they had governance systems capable of surfacing material risks. The standard is not perfection. It is traceability.
The case distilled director accountability into three questions that regulators can ask about any material decision. If a board cannot answer all three, directors may face personal liability for breach of duty of care.
Percentage of boards that can satisfactorily answer each of ASIC's three questions for material decisions made in the prior 12 months.
Source: Synthesised from APRA Prudential Inquiry findings, AICD governance surveys, and ASIC regulatory guidance
The three-question standard is not difficult because the questions are complex. It is difficult because the infrastructure to answer them does not exist in most organisations. Board governance is built on documents and meetings, not on systems that capture decisions as structured, traceable data.
Directors depend on management for information. Management controls what the board sees. The board cannot ask questions about things it does not know exist. The CBA board did not ask about AML compliance because management's reports did not flag it as a concern.
Critical decisions happen in discussions that are never recorded. Board minutes capture resolutions, not deliberations. The reasoning — the 'on what basis' — lives only in the memories of people who were in the room. Memory is unreliable, and people leave.
There is no system that connects a decision to its context, its basis, and its outcome over time. Decisions are point-in-time events that disappear into the past. When a regulator asks about a decision made 18 months ago, directors are reconstructing from fragments.
Governance quality degrades over time. A decision made today is well-understood. The same decision in 90 days is a vague recollection. In 12 months, it is a line in the minutes that no one remembers the context for. Regulators operate on the 12-month timeline.
The structural problem: Board governance is episodic — it happens in meetings that occur monthly or quarterly. Institutional decisions happen continuously. The gap between episodic oversight and continuous decision-making is where accountability breaks down. ASIC v Bekier made this gap legally visible.
Ask any director to explain the reasoning behind a decision made last week, and they will give you a detailed, accurate account. Ask about a decision made three months ago, and the account becomes vague. Ask about a decision made a year ago, and the answer is effectively: “I would need to check the minutes.”
The minutes will tell you what was decided. They will not tell you why. The “why” lived in the discussion, which was not recorded. The papers that informed the discussion have been superseded by newer versions. The context that made the decision make sense at the time has been replaced by new context. The decision is an orphan — it exists, but its parentage is lost.
Director recall accuracy vs document quality over time. The gap between what directors remember and what documents capture widens rapidly.
Recoverable
Directors can recall key decisions. Papers are current. Context is fresh. Reconstruction is possible, if time-consuming.
Degrading
Recall becomes selective. Directors remember conclusions but not reasoning. Papers have been updated. Context is shifting. Reconstruction requires significant effort.
Lost
Recall is unreliable. The basis for decisions has effectively evaporated. Minutes show what was decided but not why. Regulators operate on this timeline.
The 90-day gap is not a people problem — it is an infrastructure problem. Boards are not failing because directors are careless. They are failing because the tools of board governance (minutes, papers, resolutions) were designed for a world where decisions happened infrequently and could be recorded manually. That world no longer exists.
Governance telemetry replaces episodic recording with continuous tracing. Every consequential decision generates a decision trace at the moment it occurs — not hours or days later when someone drafts the minutes. The trace captures what was decided, by whom, under what authority, against which constraints, and with what expected outcome.
Every decision is recorded as a structured trace at the moment of action. The trace includes the decision itself, the alternatives considered, and the authority under which it was made. This is not a summary — it is the primary record.
The decision trace includes the constraints that were active at the time, the precedents that were consulted, the information that was available, and any governance checks that were triggered. The basis is not reconstructed from memory — it is part of the record.
Decision traces link forward to outcomes. When a decision produces measurable results, those results are connected back to the original trace. Over time, this creates an institutional feedback loop: the organisation can see which types of decisions reliably produce which types of outcomes.
The analogy: Aviation does not rely on pilots writing post-flight summaries of what happened during a flight. It records telemetry — altitude, speed, heading, control inputs — continuously and automatically. When something goes wrong, investigators do not ask pilots what they remember. They read the black box. Governance telemetry gives institutions a black box for decisions.
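As an added illustration (not the article's own code or any vendor's product), the shape of a decision trace as described above, in Python: each trace captures what was decided, by whom, under what authority, the alternatives and basis, and evaluates constraint checks at the moment of action; outcomes are linked forward as separate entries; and the three questions (what, on what basis, what resulted) are answered from the ledger alone. It goes beyond the text by hash-chaining entries so that later alteration of a trace is detectable; the constraint names, delegation limit and sample facts are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constraints are predicates evaluated when the decision is recorded, never reconstructed later.
# Names and the delegation limit are constructed; the $10,000 reporting threshold is the one the article cites.
CONSTRAINTS = {
    "within_delegated_limit": lambda d: d["amount"] <= d["delegation_limit"],
    "threshold_txn_reported": lambda d: d["amount"] < 10_000 or d["reported_to_regulator"],
}

def _digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def append(ledger, entry):
    """Append-only: each entry carries the previous entry's hash, so edits or deletions break the chain."""
    entry["prev_hash"] = ledger[-1]["hash"] if ledger else "0" * 64
    entry["recorded_at"] = datetime.now(timezone.utc).isoformat()
    entry["hash"] = _digest({k: v for k, v in entry.items() if k != "hash"})
    ledger.append(entry)
    return entry

def record_decision(ledger, decision_id, actor, authority, decided, alternatives, basis, facts):
    """Capture who/what/authority/alternatives/basis plus the constraint checks active at the moment of action."""
    checks = {name: bool(pred(facts)) for name, pred in CONSTRAINTS.items()}
    return append(ledger, {"kind": "decision", "decision_id": decision_id, "actor": actor,
                           "authority": authority, "decided": decided, "alternatives": alternatives,
                           "basis": basis, "facts": facts, "checks": checks})

def link_outcome(ledger, decision_id, outcome):
    """Outcomes are new entries pointing back at the decision, so the original trace is never rewritten."""
    return append(ledger, {"kind": "outcome", "decision_id": decision_id, "outcome": outcome})

def three_questions(ledger, decision_id):
    """What was decided, on what basis, and what resulted, answered from the ledger alone (None if unknown)."""
    decisions = [e for e in ledger if e["kind"] == "decision" and e["decision_id"] == decision_id]
    if not decisions:
        return None
    d = decisions[0]
    results = [e["outcome"] for e in ledger if e["kind"] == "outcome" and e["decision_id"] == decision_id]
    failed = [name for name, ok in d["checks"].items() if not ok]
    return {"what": d["decided"], "who": d["actor"], "authority": d["authority"],
            "basis": d["basis"], "failed_checks": failed, "result": results}

def verify_chain(ledger):
    """True only if no entry has been altered or removed since it was recorded."""
    prev = "0" * 64
    for e in ledger:
        if e["prev_hash"] != prev or _digest({k: v for k, v in e.items() if k != "hash"}) != e["hash"]:
            return False
        prev = e["hash"]
    return True
```

A failed check is itself part of the record: the trace shows that the decision went ahead despite the constraint, which is exactly the evidence a board needs to surface at the time rather than 12 months later.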
The three-question standard was established when all material decisions were made by humans. AI changes the equation fundamentally. When AI systems make decisions on behalf of an organisation — approving transactions, prioritising risk assessments, filtering communications, recommending actions — those decisions are material. They affect stakeholders. They create liability. And they are completely invisible to most boards.
Without governance telemetry
With governance telemetry
The uncomfortable question
If ASIC v Bekier established that directors must be able to answer three questions about human decisions, what happens when AI makes those decisions? The duty of care does not distinguish between human and algorithmic decisions. If a material decision was made and the board cannot answer the three questions, the source of the decision is irrelevant. The liability attaches to the directors.
| | Traditional Board | Governed Board |
|---|---|---|
| Decision recording | Board minutes — retrospective summary drafted days later | Decision trace — captured at moment of action with full context |
| Basis for decisions | Board papers + verbal discussion (verbal portion is lost) | Constraints, precedents, and deliberation recorded as structured data |
| Outcome tracking | Ad hoc — depends on management reporting what the board asks for | Systematic — every decision linked to measurable outcomes over time |
| 90-day reconstruction | Impossible — minutes are summaries, memories fade, context is lost | Trivial — complete decision trace available indefinitely |
| Regulator inquiry response | Weeks of document gathering, legal review, gap identification | Immediate — query the governance trace, export the audit trail |
| AI decisions | Invisible — AI acts, board has no trace of what AI decided or why | Fully traced — every AI action checked against constraints, recorded |
| Director liability exposure | High — cannot demonstrate due diligence for decisions made months ago | Low — continuous governance trace provides contemporaneous evidence |
| Institutional memory | Degrades with board turnover — new directors inherit nothing | Compounds — every decision, precedent, and contestation persists |
The difference is not incremental improvement. It is a structural change in how governance evidence is produced. Traditional boards create governance evidence retrospectively, from memory, at intervals. Governed boards produce governance evidence continuously, automatically, at the moment of decision. The three-question standard rewards the second approach and penalises the first.
The three-question standard is not theoretical. It is the basis on which ASIC evaluates director conduct. If your board cannot answer these three questions for every material decision made in the past 12 months, you have a governance gap that creates personal liability. The solution is not better minutes. It is governance infrastructure that produces decision traces automatically.
Every AI system making material decisions on your behalf is creating potential three-question liability. If a regulator asks what your AI decided, on what basis, and what resulted — and you cannot answer — the liability falls on the board. AI governance is not optional. It is the extension of the duty of care into algorithmic decision-making.
ASIC v Bekier is an early signal of where corporate governance is heading. As AI makes more decisions, as organisations become more complex, and as regulatory scrutiny increases, the ability to produce governance evidence on demand will become a baseline expectation — not an advanced capability. Organisations that build governance telemetry now will compound institutional memory. Those that do not will face an ever-widening 90-day gap.
Decision Trace
A structured record of who decided, what was decided, on what basis, what alternatives were considered, and what resulted. The atomic unit of governance accountability. Unlike minutes, a decision trace is created at the moment of decision, not retrospectively.
Governance Telemetry
The continuous, automatic recording of institutional decisions and their contexts. Analogous to flight telemetry in aviation — a permanent, contemporaneous record that can be reconstructed at any point in the future. Solves the 90-day gap structurally.
Director Liability
Under s180 of the Corporations Act, directors owe a duty of care and diligence. ASIC v Bekier established that this duty includes the ability to demonstrate that decisions were made on an informed basis — which requires a traceable governance record.
The 90-Day Gap
The observation that boards cannot reconstruct the reasoning behind decisions made more than approximately 90 days ago. Board minutes record outcomes; verbal deliberation is lost; context evaporates. This creates a structural vulnerability to regulatory inquiry.
Duty of Care (s180)
Section 180 of the Australian Corporations Act 2001 requires directors to exercise their powers and discharge their duties with the degree of care and diligence that a reasonable person would exercise. ASIC v Bekier interpreted this as requiring demonstrable governance processes.
Prudential Inquiry
APRA's independent investigation into CBA following the AUSTRAC proceedings. The inquiry found systemic failures in governance, accountability, and risk culture. Its findings informed the three-question standard that ASIC subsequently applied to director conduct.