Macquarie’s $35m short-selling failure: What it reveals about controls and hidden risk.

A $35 million penalty rarely comes down to a single mistake.

In the case of Macquarie Securities (Australia) Limited (MSAL), millions of misreported short sales over a 15-year period were not caused by fraud or intent, but by something more concerning for risk professionals: systemic weaknesses in controls, risk assessment, and change management. [1]

At first glance, this looks like a technical reporting failure. It is not. It is a case study in how risks can sit undetected for years, even in highly regulated environments with established frameworks, policies, and oversight processes. This blog moves beyond ASIC’s media release to unpack what actually went wrong and, more importantly, what risk and compliance professionals should take from it.

From ineffective RCSAs to gaps in control design and failures in change management, the lessons are both practical and uncomfortable.

Before we dive in, if you’re reviewing your own controls environment, our Mastering controls for risk management eBook provides a practical framework for designing, testing, and strengthening controls across your organisation.  

A summary of the breaches

I do not short shares in my spare time, nor do I moonlight as an analyst in a trading bank. But we can dispense with the more technical elements (details are in the judgment if that is your bag [2]) and focus on the big picture before we get into the nitty-gritty.

Since December 2009, MSAL has been required under the Corporations Act to report short sales data to market operators (in this case the ASX). The key points of the case:

  • Short sales data produced by MSAL’s Short Sale Reporting Process was misreported to the ASX from December 2009, when the requirement came into effect
  • 10 different issues resulted in inaccurate data within those reports between 2009 and 2024 (the contravening period begins in 2019 due to limitation issues)
  • While there was no intention to deceive, the misreporting constituted misleading conduct as well as breaches of the reporting requirements owed to the market operator
  • Further, these also resulted in a breach of Corporations Act 912(1)(h), the requirement to have adequate risk management systems
  • Contributing to that overall failure of risk management were a number of control failures and oversights

Risk management failures

In essence, all the other breaches are related to failures of risk management.

The judgment mentions the phrase RCSA (risk and control self-assessment) 12 times, and control is mentioned 101 times. Several policies and guiding documents are named. Each of those sections in the judgment has statements such as ‘X Policy relevantly included requirements for…’ – obvious foreshadowing that the policies were not followed.

Let’s start with RCSAs.

The Short Sales Reporting Controls were included in at least 34 RCSAs conducted over the entire period, typically twice a year. Perhaps the most critical observation is that none of the reviews sufficiently considered the design of the Short Sale Reporting Process, particularly whether the logic used to generate the reports contained errors.

The RCSA did assess that potential breaches of reporting requirements were material. The judgment calls out that some of the risk ratings, including “medium” or “very low” for inherent risk over the time period, had no basis.

It tickles my funny bone to imagine regulators making arguments over these qualitative labels, but I will give benefit of the doubt that the related policy (which is referenced) had sufficient objective criteria to make this claim.

More to the point though, when those risk ratings were of a high enough level, the Regulatory Reporting Policy Guidance required that an end-to-end mapping of Critical Design Elements (CDE) should be conducted.

You guessed it: that never happened.

I have questions:

  • Why didn’t the RCSAs identify that there were control gaps?
  • Why didn’t they consider the report’s design and review the overall outcomes?
  • Were the RCSAs treated as tick-the-box exercises rather than as a genuine value add?

The judgment is clear that there was no intent to mislead, never any intent not to comply, and that noncompliance was reported immediately once identified. But I still have to wonder: in over a decade, did no one identify any of the errors or their underlying causes? Or did someone notice, but either didn’t know how to raise it through formal channels or was disincentivised from doing so?

Controls

Controls are central to the case.

Until 2018, there was a single control over the Short Sale Reporting Process: the Trade Volume Check control.

The judgment describes it as ‘rudimentary’, which you can interpret as you will.

While additional controls were added after August 2018, those new controls did not identify the issues that were the subject of the proceeding.

There was also a distinct lack of detective controls. While the saying goes that prevention is better than cure, I’m an advocate for a mix of control types. Good detective controls can promptly identify when preventive controls aren’t working as intended, and can raise red flags about whether the report itself is designed effectively.

Change management failures

Failures of change management were also a critical cause of the issues that arose. Multiple policies required that risks related to change be assessed, that change control processes be in place, and that pre-implementation testing be performed. Responsibility for this was shared across the reporting and technology teams, but in most cases it was not completed.

Insufficient change management practices affected the logic used to generate the reports, and either created new issues or allowed existing ones to persist undetected. I can’t help but wonder: if some of those practices had been followed, could the earlier issues have been identified sooner? You can’t prevent all risks, but it might have reduced the magnitude of the breaches and their impact.

Questions for risk managers, risk committees or boards

While this specific instance is technical, risk managers and those in oversight roles should apply the findings of this incident more broadly, and ask some critical questions:

  • Could we have a similar data integrity timebomb sitting under our noses (whether in regulatory reporting or in data that informs decisions and resource allocation)?
  • What gives us confidence that we don’t?
  • Are our RCSAs and risk assessment processes adding value? Are they supported by the right culture?
  • Have we mapped our processes adequately to effectively inform those risk assessments?
  • Do we have the right mix of controls?
  • Are we adequately considering design, not just operation?

For those closer to the RCSA process, make sure you are considering not just whether each individual control is meeting its objective, but whether that control, or the collection of controls, adequately addresses the risk.

Conclusions and next steps for your organisation

Cases like this are a reminder that control failures rarely happen overnight. They build quietly through gaps in design, weak assurance, and processes that appear sound but are not tested deeply enough.

The question is not whether your organisation has controls in place. It is whether they are working as intended, and whether you would know if they weren’t.

If you are reviewing your own controls environment:

  • Download the Mastering controls for risk management eBook to build a stronger, more structured approach to control design, testing, and integration
  • Watch our controls management product tour to see how a modern, centralised controls framework operates in practice
  • Request a demo of Protecht to explore how you can automate test scheduling, connect controls to risks and obligations, and gain real-time visibility across your organisation

Citations

[1] Supreme Court orders Macquarie Securities to pay $35 million penalty in short sale misreporting case (ASIC)

[2] In the matter of Macquarie Securities (Australia) Limited [2026] NSWSC 202 (NSW Caselaw)

About the author

Michael is Protecht's Head of Risk Research and Knowledge. He is passionate about the field of risk management and related disciplines, with a focus on helping organisations succeed using a ‘decisions eyes wide open’ approach. His experience includes managing risk functions, assurance programs, policy management, corporate insurance, and compliance. He is a Certified Practicing Risk Manager whose curiosity drives his approach to challenge the status quo and look for innovative solutions.