Information, oversight and modern duty of care: governance lessons from ASIC v Star directors and officers

Federal Court Justice Michael Lee’s 500-page judgment in the ASIC v Star directors and officers litigation will be remembered for its literary flair, sharp observations about boardroom culture and its pointed criticism of senior executives. But its real significance lies elsewhere. Beneath the colourful language lies a clear message: corporate governance law is increasingly concerned not simply with the decisions boards make, but with the systems through which information and risk reach them.

Seen in this light, the decision is about information architecture. It reinforces a practical lesson for boards: modern governance enforcement increasingly turns on whether directors can demonstrate that they were engaged with the systems through which risk was identified, escalated and considered.

On 5 March, the Federal Court handed down its decision in ASIC’s enforcement proceedings against the directors and officers of The Star Entertainment Group Limited (Star), finding that its CEO and General Counsel had breached their duties and the remaining board members had not. The Court’s decision has broad significance for corporate governance. 

The Court emphasised that boards must “control the information they receive” and take reasonable steps to position themselves to guide and monitor management. Directors are not passive recipients of board papers. They are responsible for ensuring the organisation’s reporting and escalation systems can surface material risk and for demonstrating that they engaged with the information placed before them.

The decision reinforces a practical lesson for directors: the modern duty of care is increasingly concerned with the systems through which directors supervise management and monitor risk. Modern enforcement action requires directors to demonstrate that they were engaged: asking questions, probing management and ensuring that the organisation’s reporting systems surfaced the right risks at the right time.

The case also underscores the limits of the business judgment rule. It protects conscious commercial decisions but it offers no shelter where directors fail to engage with systems of oversight. As his Honour observed, a director who neglects proper safeguards without considering what safeguards there should be “has not made a business judgment”. In modern governance litigation, the question is increasingly not “what decision did the board make?” but “what information systems allowed the board to understand the risk?”

Background 

The case arose against the backdrop of heightened regulatory scrutiny of casino governance in Australia, following the various domestic public inquiries and royal commissions into the largest casino operators. In 2022, ASIC brought civil penalty proceedings against 11 current or former Star directors and officers for alleged breaches of their statutory duty of care and diligence under section 180 of the Corporations Act 2001 (Cth). ASIC alleged that these defendants failed to pay sufficient attention to the risk of money laundering and criminal associations at the casino.

The case sits within an evolving line of authority on directors’ oversight responsibilities that includes AWA and Centro, and subsequent cases examining the board’s role in supervising management and risk. Those cases progressively clarified that the statutory duty of care requires directors not to merely consider matters placed before them, but to position themselves to supervise management and monitor the company’s affairs. 

The issues did not raise novel legal principles. The content of the duty is settled, but its application is contextual and requires an evaluative judgment by reference to the company’s circumstances, the responsibilities of the office held and the information then known. 

As Lee J put it, modern law expects significantly more from company officers than the “languid, listless indifference of gentleman directors” tolerated in earlier eras.

Outcome 

The Federal Court found that:

• the non-executive directors did not breach their duties; and 
   
• Star’s former CEO and the General Counsel and Company Secretary breached their duties under section 180(1) in connection with Star’s dealings with junkets known to pose money laundering risks and its interactions with its bank in relation to UnionPay credit cards. In particular, they failed to apprise the board of information they held and escalate matters appropriately. 

Two other executive members, Star’s former Chief Casino Officer and former CFO, settled the case against them in February 2025, admitting to breaches of their duties of care.

The Court made a number of observations for directors and general counsel to keep front of mind.

Controlling the information that reaches the board

The Court emphasised the board’s responsibility for the information environment in which it operates. Justice Lee observed that boards must “control the information they receive” and take reasonable steps to place themselves in a position to guide and monitor management. The proposition is not entirely new; ever since the High Court’s decision in Centro, boards have been warned about the need to manage the flow of information coming to them to ensure they can properly fulfil their obligations. What the ASIC v Star directors and officers judgment does is place that principle at the centre of the modern duty of care.

Directors are not passive recipients of board papers. The duty of care and diligence requires directors and officers to ensure the organisation’s information architecture can surface material risk. Put differently, the law is increasingly concerned with the systems through which information is escalated, filtered and presented to the board.

Two related points in the judgment are worth emphasising. First, the Court stressed directors are remunerated to do the job, and the job “requires real engagement with information provided to them”. Directors are expected to take a “diligent and intelligent interest” in available information, to understand it, and to apply an “enquiring mind”. For non-executive directorships in high-risk enterprises such as casinos, “the job requires intelligent people prepared to engage actively” and “can require a willingness to interrogate, to probe, and, where necessary, to challenge”. 

Secondly, the board’s oversight role is not a substitute for management acting with integrity and competence. His honour repeatedly emphasised the importance of distinguishing between failures of management and failures of oversight. The reasons caution against allowing management failure to obscure careful analysis of the board’s conduct.

This focus reflects a broader evolution in corporate governance. Large organisations now operate through complex reporting structures, layered management hierarchies and specialised compliance functions. Information does not flow to the board in raw form. It is curated, interpreted and distilled by management before it reaches directors.

The legal question therefore increasingly becomes whether the board has positioned itself to receive the information it needs to perform its supervisory role.

In this respect, modern director liability cases are often less about individual decisions and more about institutional evidence of process. Courts examine reporting structures, escalation mechanisms, board minutes and committee records. These artefacts demonstrate that the board exercised judgment rather than simply receiving information. 

Information overload, board packs and ‘triage’ including AI

The judgment also contains an excellent discussion of board pack overload, which aligns with recent AICD commentary. Justice Lee noted that, after several hours with the materials, “no rational person can evaluate all this material meaningfully in the time available”, and that what follows is a form of directorial ‘triage’: reading what appears central, scanning what appears arguably material, and trusting that anything alarming would have been signalled plainly. 

He went further, identifying why the volume in the board pack grows. Without imposing discipline to synthesise and summarise, those preparing packs may ‘chuck in everything’ and the pack can become as much an insurance policy for preparers as an information tool for the board. 

This is also where his Honour made an important observation about AI. His Honour recognised the “profound impact” of AI on information exchange and analysis, including that directors may already be using AI informally to prepare for meetings and that AI may be used in the creation of packs by management and company secretaries. However, his Honour cautioned that “the use of technology may assist comprehension, but it cannot displace human judgment”.

The punchline is pure governance: “directors must be furnished, by whatever means are adopted, with information in a form that is both comprehensive and capable of proper digestion”. The passage reflects a broader governance problem: in large organisations the challenge is often not the absence of information but the absence of synthesis.

Delegation, reliance and red flags

The decision is also notable for what it says about the limits of the business judgment rule.

Section 180(2) was introduced into the Corporations Act with considerable fanfare.  It was portrayed as a significant protection for directors who make commercial decisions in good faith. The safe harbour was intended to reassure directors that courts would not second guess business judgments made honestly and on an informed basis.

In practice, however, the protection has proved narrower than many anticipated. The simple fact is that the business judgment rule has rarely provided a decisive defence in Australian governance litigation.  In this case the Court reiterated the rule applies only where a director has consciously exercised judgment. The statutory definition requires a “decision to take or not take action”. A failure to turn one’s mind to the issue is not protected. As the Court observed, a director who simply neglects to address safeguards “has not made a business judgment”.

Equally important, the rule operates in relation to decisions. It does not extend to the supervisory functions through which boards oversee corporate risk.

This distinction has important consequences for modern director liability cases, which often arise not from affirmative commercial decisions but from failures in systems, controls or escalation processes. In those circumstances the business judgment rule offers little assistance.

A related, and very practical, point is the statutory framework for reliance. Section 189 creates a rebuttable presumption that reliance on information or advice is reasonable if the statutory conditions are met. Lee J summarised the provision as creating “a rebuttable statutory presumption” of reasonableness where conditions are satisfied, although it was unnecessary to deal with the presumption because it was not advanced in submissions. 

The significance for practice is not the fate of section 189 on these pleadings but the interaction between reliance and red flags. When ‘warning signals’ are flashing, reliance without probing, challenge or verification becomes harder to defend. Where warning signals appear, the obligation shifts from reliance to inquiry.

The reliance principle also helps explain why the claims against the non-executive directors failed. In large organisations, boards necessarily rely on management and internal reporting systems to surface risks. The statutory framework recognises this practical reality. What the law requires is not that directors independently verify every item of information placed before them, but that they take reasonable steps to ensure the reporting system is capable of identifying and escalating material issues. Where that system appears to function normally, reliance on management information will generally be reasonable. Where red flags emerge, however, the position changes. At that point reliance gives way to inquiry, challenge and verification.

Decision discipline and the evidentiary role of minutes

The judgment also contains a significant reminder about the important evidentiary role of board processes.

In rejecting reliance on the business judgment rule in relation to the continuation of the relationship with Suncity, a Macau-based junket operator associated with Star’s VIP gambling, Lee J noted if the directors had consciously decided to maintain the relationship it would reasonably be expected that the conclusion and the basis for it would have been recorded in the board minutes.

The absence of such a record made it difficult to characterise the board’s discussions as a business judgment.

As Lee J observed, “what occurred, and what can be proven to have occurred, are not always the same thing.” 

The point reinforces an important practical reality of governance litigation. Contemporaneous board minutes are how “engagement” becomes visible to the courts who look for evidence that directors asked questions, sought further information, challenged assumptions and required follow-up where risks appeared. They often constitute the primary evidence that directors actually exercised judgment.

Where minutes do not record a decision or the reasoning supporting it, directors will find it more difficult to demonstrate they informed themselves appropriately or that they exercised a rational judgment, particularly when the litigation often concerns events a number of years ago.

In circumstances where other evidence was absent, his Honour observed the minutes and contemporaneous documents were the “only other guides” as to the actions of directors and that the minutes disclosed little by way of sustained scrutiny or insistence upon explanation where risks were obvious, save for a notable exception. 

As discussed elsewhere, the lesson is not that minutes should be transformed into lengthy transcripts. Rather, it is that the discipline of decision making and the documentation of that process remain central features of effective governance.

Culture and values must be more than platitudes

One of the more pointed passages in the judgment concerned organisational culture. The Court observed it is easy to be cynical about corporate governance statements identifying the board’s role as “overseeing the Company’s organisational culture and values”, but for boards who adopt them “one presumes they are supposed to be more than platitudes”. This is directly in line with comments by then Chief Justice Tom Bathurst that directors and officers could be liable for conduct falling short of a strict breach of the law, which is nevertheless inappropriate or unethical, where such conduct results in significant reputational damage with consequent financial implications.

This passage ties culture directly to oversight. For a casino operator, Lee J observed, “this was no ordinary enterprise, and the role demanded vigilance.” Elsewhere in the judgment he described the culture that prevailed at Star in stark terms, commenting that serious misconduct by junket operators was tolerated for too long and that senior management acted tardily in addressing obvious problems.

The implication is that culture cannot be treated as a generic board-pack heading or aspirational statement. It is an aspect of risk governance that demands attention, particularly where the business model is inherently high-risk.

Star: not the stepping stone case many expected

Some commentators expected the ASIC v Star directors and officers litigation to become another major stepping stone case.

Stepping stone liability typically arises where a company is alleged to have contravened the Corporations Act and directors are alleged to have breached their duty of care by permitting or failing to prevent the alleged contravention. Cases such as Cassimatis, Mariner and Vocation illustrate the regulatory thesis. 

Given the allegations concerning money laundering risk and regulatory exposure, the ASIC v Star directors and officers proceedings appeared at first glance to be a natural candidate for that approach. However, the judgment reinforces the orthodox position that liability under section 180 turns on governance processes and the evaluative assessment of what directors and officers actually knew and did. The judgment does not expand stepping stone liability. The business judgment rule protects commercial decisions, but it offers no protection where directors have failed to engage with the systems through which risk is reported to the board.

In that sense, the judgment sits comfortably within the existing line of authority on oversight and monitoring, rather than representing an extension of the stepping stone doctrine.

The ASIC v Star directors and officers litigation confirms that even where the underlying corporate conduct appears deeply problematic, liability under s 180 still requires the regulator to prove failures in the governance processes through which risks were identified, escalated and considered.

Justice Lee also makes the broader point that directors are not guarantors of corporate compliance, and that company contraventions are a relevant factor rather than an automatic pathway to liability for breach of the duty to exercise their powers and discharge their duties with “care and diligence.”

Why were the non-executive directors not liable?

One question that will inevitably be asked is how the non-executive directors were not held liable in circumstances where the governance failures appear so stark. The answer appears to lie in the Court’s careful distinction between failures in management systems and the evaluative standard applied to non-executive oversight.

Directors are required to take reasonable steps to place themselves in a position to guide and monitor the management of the company. But the statutory duty of care is applied through evaluative judgment informed by context and experience, not by mechanical application of rules.

The Court expressly recognised hindsight bias and the need to judge conduct by the “snapshot of knowledge and perspective available at the time”. 

In large organisations, boards necessarily rely on management and internal reporting systems. The law does not require non-executive directors to assume that those systems have failed absent some reason to doubt them.

ASIC faced a difficult evidentiary challenge. The case required the Court to assess allegations that executives failed to ensure critical risk information reached the board while also alleging that non-executive directors should have recognised the inadequacy of the information they received. Reconciling the tension between those propositions proved difficult on the evidence before the Court. 

If management fails to escalate information, the evidentiary burden of establishing that directors should nevertheless have detected the deficiency becomes substantial. As a result, while the culture that prevailed at The Star was described in stark terms, the legal analysis required a careful separation between organisational failure and personal liability of the directors.

Two further observations in the judgment are relevant. First, Lee J observed that neither the Chair nor any other non-executive director gave evidence. They bore no onus and were required only to meet ASIC’s pleaded case. The forensic choice not to enter the witness box was ‘vindicated’.

Secondly, Lee J is explicit that the duty to exercise their powers and discharge their duties of care and diligence “does not demand omniscience or impose a standard of perfection”. ASIC bears a heavy persuasive onus and must be confined to its pleaded case. 

That distinction, and the evidentiary burden it creates for regulators, are likely to attract close attention. Whether ASIC chooses to appeal will also be closely watched.  

The role of corporate gatekeepers and general counsel

A further theme in the judgment concerns the role of internal corporate gatekeepers– the group of officers responsible for ensuring that risk information is properly escalated and understood. General counsel, chief risk officers, compliance heads and internal audit functions all play a role in this information ecosystem.

These functions are often the internal gatekeepers through whom legal and regulatory risk is filtered before reaching the board. The ASIC v Star directors and officers litigation demonstrates that where escalation mechanisms fail, boards may find themselves making decisions in informational environments that are incomplete or distorted.

The design of these reporting frameworks is typically a matter for management, but boards retain responsibility for ensuring that the structure is capable of surfacing material risks to directors.

The judgment is also notable for what it says about the role of in-house General Counsel, particularly where the General Counsel also holds the office of Company Secretary. Justice Lee makes clear that an officer with legal training may be expected to apply that expertise in identifying and escalating legal risk within the organisation. In that sense, the duty attaches to the individual rather than the particular ‘hat’ they happen to be wearing at a given moment. An in-house lawyer who is also a company officer cannot compartmentalise their responsibilities by reference to formal titles.

The reasoning is consistent with the High Court’s approach in Shafron, where the Court rejected the suggestion that a general counsel who also held the office of company secretary could divide those functions for the purpose of assessing statutory duties. The statutory duty attaches to the person and to the responsibilities they undertake within the corporation, including the application of their professional expertise.

In practice, many large organisations combine the roles of General Counsel and Company Secretary, and sometimes allocate additional governance or risk responsibilities to the same officer. The judgment does not suggest such arrangements are inappropriate. What it does emphasise is where a senior officer occupies multiple governance roles, the information available to them (and the expectations attached to their expertise) may expand accordingly.

The practical implication is organisations should give careful thought to reporting lines and escalation frameworks so legal and regulatory risks identified within management structures are capable of reaching the board in a clear and timely way.

Where material legal or regulatory risks arise, the law may expect those with relevant expertise to recognise their significance and ensure that the board is appropriately informed. In practical terms, the judgment reinforces that the governance system through which legal risk reaches the board is not merely a management process; it is a central feature of the company’s compliance architecture.

The effectiveness of board oversight therefore depends not only on the diligence of directors but also on the integrity of these internal reporting structures.

A broader lesson from Star

Corporate law is increasingly concerned with the governance systems through which boards supervise management and monitor risk. For officers and executive directors, the duty of care requires vigilance in identifying and escalating material risks within the organisation. For non-executive directors it requires positioning the board to receive and interrogate the information necessary to supervise the company’s affairs.

The most important lesson for directors arising out of the ASIC v Star directors and officers litigation is not whether the board made the right decision. It is whether the organisation’s governance system was capable of ensuring that the right risks reached it in time and whether the directors and officers engaged meaningfully with that information once it did. 

The case also demonstrates that where senior officers fail to ensure that critical risks are identified and escalated, personal liability may follow. It shows modern governance liability operates on both sides of the boardroom table: failures of escalation expose senior officers, while failures of oversight may expose non-executive directors.