Company director liability: Australia more ‘burdensome’ than comparable jurisdictions

Wilcock says, “In 2019, we concluded that Australia’s director liability environment was uniquely burdensome, compared with those of Canada, Hong Kong, New Zealand, the UK and the USA. In 2025, we concluded that that remained the case. The fundamental features of the director liability environments of the countries we looked at did not change from 2019 to 2025. However, each country had to grapple with emerging governance issues, including cyber security and sustainability reporting. Taken as a package, Australian directors assumed the most rigorous set of new obligations in relation to emerging governance issues over the 2019 to 2025 period.”

Australia’s legal landscape for Company Directors is comparatively burdensome when we look further afield to the jurisdictions of Canada, the UK, the US, New Zealand and Hong Kong. The statutory duties to act in good faith, in the best interests of the company, to show diligence and care are standard. So too are the obligations to ensure compliance with employee entitlements, tax and superannuation, and safety laws. Delivered on 8 September 2025, a comprehensive report by Allens, commissioned by the Australian Institute of Company Directors, revealed the similarities and key differences between Australia’s laws and international laws regarding company director liability. Allens had issued a memo in 2019, stating that Australia’s regime for the liability of company directors was “unique and generally more burdensome”, and reiterated that in last year’s report.

Personal liability of company directors

Wilcock says, “Several aspects of Australia’s director liability regime make it comparatively burdensome. Australia regulates a broad range of subject matter through the imposition of director liability. It is relatively quick to impose director liability in respect of emerging governance issues. It imposes criminal liability on directors relatively liberally. And Australian directors are exposed to relatively harsh penalties. It is also noteworthy that, among the countries surveyed, Australia is the only one that predominantly relies on enforcement of directors’ duties by a public regulator, rather than through private shareholder litigation.”

Amongst the report’s observations, it found that the use of criminal liability comes “despite longstanding principles endorsed by the Council of Australian Governments (COAG) to the effect that [it] should be confined to limited circumstances.”

The report states: “Australia utilises a unique corporate criminal liability model, which can compel analysis of corporate culture, and which exposes Australian directors to entanglement in corporate criminal proceedings, even when their own conduct is not impugned.”

Under the Corporations Act 2001 (Cth), there are a number of key concerns relating to personal director liability. The breach of any of these responsibilities may result in civil penalties, disqualification by ASIC, or criminal charges where conduct is dishonest or reckless. According to the Australian Institute of Company Directors, the obligations of company directors include:

• Insolvent Trading: Under s588G of the Corporations Act, directors must prevent the company from incurring debts if it is insolvent or becomes insolvent as a result.
• Statutory Duties: Directors must act in good faith, in the best interests of the company, with care and diligence, and for a proper purpose.
• Tax and Superannuation (Director Penalty Regime): The ATO can hold directors personally liable for unpaid Pay As You Go (PAYG) withholding and Superannuation Guarantee Charge (SGC).
• Employee Entitlements: Directors can be held liable for underpayment of wages.
• Work Health and Safety (WHS): Personal liability arises from failure to exercise due diligence to ensure company compliance with safety laws.
• Misleading or Deceptive Conduct: Liability may apply under the Australian Consumer Law if directors are closely involved in such conduct.

New liabilities since 2019

Since 2019, Allens has identified material new exposures for Australian company directors across corporations law (new illegal phoenixing laws), cyber security, financial accountability (a new Financial Accountability Regime), foreign bribery (a new failure to prevent foreign bribery by associates corporate offence), health and safety (new industrial manslaughter offences in all Australian states and territories), and sustainability reporting (new sign-off obligations).

Civil and criminal liability

Australia, like the comparative jurisdictions, upholds three general grounds for imposing liability on directors. According to the report, these are:

• direct liability, pursuant to which liability is imposed directly on a director as a principal for their conduct;
• accessorial liability, pursuant to which liability is imposed on a director as an accessory to principal liability imposed on a company (or any other natural person); and
• deemed liability, pursuant to which a director is deemed liable for a contravention by a company.

Each of the jurisdictions surveyed imposes direct civil liability on directors for breaches of their duty to act in good faith and in the best interests of the company (or similar), however Australia and New Zealand differ in imposing direct criminal liability on directors for dishonest (and also, in the case of Australia, reckless) breaches of this duty. Further, Australia, Canada and New Zealand impose direct liability on directors for certain workplace health and safety violations (all Australian states and territories impose direct liability on directors for industrial manslaughter, as does Canada). Australia and the UK impose direct criminal liability in relation to financial accountability obligations, and the UK and Hong Kong impose direct civil liability.

Australia stands out from the pack on stepping-stone liability

Allens’ report states that: “[S]tepping stone liability remains an entrenched feature of the Australian director liability environment. As at the time of the 2019 Memo, judgment had been delivered in 18 stepping stone liability cases brought by ASIC. Since then, ASIC has brought at least five further cases that can be classified as being based on stepping stone principles. A recent empirical study identifies that ASIC was successful in 72 per cent of its stepping stone liability claims between July 2001 and March 2020.”

To date, the Australian Securities and Investments Commission (ASIC) has commenced a number of civil penalty applications alleging ‘stepping stone liability’. This holds directors and officers as potentially having personal liability for the failure to prevent contraventions of law by their corporation.

Nonetheless, since an unsuccessful case in 2016, ASIC has not successfully brought a stepping stone liability case founded exclusively in a non-Corporations Act breach (usually relating to misleading the market, workplace or environmental laws).

In Australian Securities and Investments Commission (ASIC) v Wilson [2023] (ASIC v Wilson), ASIC alleged that managing director of Quintis, Frank Wilson, had committed three breaches of his duty of care under sections 1041H, 180(1) and 674 of the Corporations Act. ASIC was ultimately unsuccessful. However, in Australian Securities and Investments Commission (ASIC) v Holista Colltech Ltd [2024], the former director (Dr. Rajen Manicka) was held personally liable for contraventions by a company of sections 674(2) and 1041H of the Corporations Act, relating to the allowance of misleading statements to the ASX. This resulted in his exclusion from being a director for 4 years. He was also fined $150,000.

Following the ASIC v Vocation Ltd (in liq) [2023] ruling, the Governance Institute of Australia published an opinion piece by Anil Hargovan, UNSW. In Vocation, Justice Nicholas of the Federal Court found that Vocation Ltd breached its continuous disclosure obligations under s 674(2) of the Corporations Act and that the chief executive officer and the non-executive chair were liable under s 180(1) by causing or permitting Vocation’s breach of its disclosure obligations.

Hargovan concluded: “For any breach of continuous disclosure obligations committed after March 2019, the maximum penalty per contravention for individuals is $1.05 million and $10.5 million for companies. Thus, in future, company officers can expect the stepping stone approach to liability to have a much greater bite.”

An ASIC spokesperson told LSJ Online that: “Civil penalty proceedings are one of the range of regulatory and enforcement tools available to ASIC. Decisions about enforcement action depend on the specific facts and circumstances, including the seriousness of the alleged conduct, harm or risk of harm, evidence available and the public interest.”

Further, “Directors and other officeholders are expected to understand and comply with their obligations under the Corporations Act, including their duty to act with care and diligence.”

Cyber security

In a comparative survey of jurisdictions, Allens found that Australia, along with the UK and US, imposed burdensome cyber and data security obligations on directors. The report points to the express requirement for directors to make attestations under the Security of Critical Infrastructure Act 2018 (Cth) regarding the accuracy of their organisation’s annual report lodged with the Critical Infrastructure Security Centre, direct criminal liability, accessorial civil liability, and the readiness of Australian regulators to enforce action against directors where breaches of privacy, data management or cyber resilience are apparent.

Canada, Hong Kong, and New Zealand are assessed as being less burdensome. In the UK, US, Canada and Hong Kong, there is no direct criminal liability. In Canada, Hong Kong and New Zealand, there is “no explicit commentary from regulators regarding application of regime to cyber security”.

Increasingly, directors are being held responsible for governance and planning around the responsible use of AI, data governance, and the effect of AI on their workforce. For example, on 20 January 2026, the Australian Council of Superannuation Investors (ACSI) released the two-yearly update of its Governance Guidelines, which expressly convey guidelines for cyber security, diversity, director elections and re-elections, along with the role and structure of boards.

Consumer protection law

In the event of misleading or deceptive conduct, or in making false or misleading representations, the report assessed Australia as a “high-water mark”, with Canada and the UK deemed “comparably burdensome”.

The rationale was Australia’s broad liability regime for such conduct, which was also present for Canada. Hong Kong, comparably less burdensome, was considered to have a robust liability regime, and a lesser scope of prohibitions than Australia. Likewise, New Zealand imposes lesser penalties than Australia. All of the surveyed jurisdictions, except for the US, impose direct criminal liability; all except for Hong Kong impose direct civil liability, and none imposed deemed civil liability; only Australia, Canada, New Zealand and the UK impose accessorial civil liability; and only Canada imposes deemed criminal liability on officers and directors for certain offences; all jurisdictions except for the US allow for fault-based defences (knowledge, reliance), and only New Zealand and the US do not impose prison as a possible penalty.

All jurisdictions impose damages, all but Hong Kong and New Zealand impose civil penalty orders, and all but Hong Kong and the US provide for disqualification.