NSW Floods March 2021

Monday, March 22, 2021 - Posted by Michael McCulloch

IF IT'S FLOODED: FORGET IT

Restricted Access to the LCollect Online Portal

Friday, March 12, 2021 - Posted by Michael McCulloch

RESTRICTED ACCESS TO THE LCOLLECT ONLINE PORTAL

first notification

Introduction
As you may be aware, over the last several months we have been undertaking a review of our internal IT processes which is in accordance with the Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234 (CPS 234) to develop and maintain robust and secure information security infrastructure, policies and procedures. As a result of our review, in consultation with leading Australian IT security experts, we have elected to increase the security of our online portal by restricting access to a range of IP addresses.

What's an IP address?
An IP address is a unique number which identifies your computer on the internet or a local network. Your IP address is one of 4.3 billion unique numbers!

Why the change?
The security of our online client portal is something that we take seriously. By restricting access to our portal by IP address we are ensuring that only authorised addresses have access to sign into the online client portal.
IP addresses that are not on a permitted "white list" will not be able to access our online client portal. This new measure is in addition to the existing https security in place, together with unique username, passwords and expiry dates in place.

What we need from you
Before 03/05/2021 we need from you a range of IP addresses for your organisation so access to our online service can continue. Your IT department may be best to speak with about supplying this information.
After 03/05/2021, if we do not receive an IP address from you, you will not be able to access our online client portal.

Questions?
If you have any questions about this change we urge you to speak with us on (02) 8923-1600.

APRA Compliance Information Security

Friday, February 05, 2021 - Posted by Michael McCulloch

APRA COMPLIANCE INFORMATION SECURITY
Prudential Standard CPS 234

first edition

Introduction
The Australian prudential Regulation Authority (APRA) Prudential Standard CPS 234 (CPS 234) requires APRA-regulated entities and third-party providers to develop and maintain robust and secure information Security Infrastructure, Policies and Procedures. Due to the sensitive and personally identifiable data that LCollect Pty Ltd and BH Lawyer Pty Ltd (incorporating Collection Law Partners), herein “the Group”, utilise in their daily business operations; it is recognised that this is the minimum requirement to ensure that any potential data exposure is minimised.
Under CPS 234 it is expected that an entity understands 3 key factors, the threat landscape, risk associated with the business based on the sensitivity of data and propensity as a target, and cybersecurity maturity as a business. The Group have undertaken a full risk assessment with the understanding that our data was high-risk and our cyber security maturity was also high. Based on the risk vs maturity as outlined by the federal Government, in order to fully comply with APRA requirements, our security posture needed more structure and coordination.

Roles & Responsibilities
The board of an APRA-regulated entity is ultimately responsible for information security.  The board must ensure the entity maintains information security in a manner reflective of its size and extent of threats to its information assets and enables the continued sound operation of the entity.
The Group have tasked their executive to oversee the end-to-end security of our data. The executive will act as the board for the purpose of monitoring and assessing APRA standards and requirements. As an SME the Executive are hands on and are best positioned to control the ISMS and ensure data integrity and compliance.

Information Security Capability
An APRA-regulated entity must have information security capability which corresponds with the size and threats to its information assets and enables the continued sound operation of the entity.
As an SME group, the Group have assessed their information usage, Data protection requirements and security infrastructure and believe we have a superior security posture to most businesses of a like size. We have a mix of hardware and application-based security services that are ISO27001 compliant and give us this level confidence.

Creating an Information Security Policy Framework
An information security policy framework must be maintained and provide direction on responsible parties who have an obligation to maintain information security.
The Group have developed a comprehensive security policy framework that covers all areas of APRA CPS234 and PCI DSS requirements. The policy covers all necessary aspects from Authority and Delegation, job function data requirements, Physical and logical security, data storage, security and back up requirements. It also outlined recruitment and required background checks, compliances required and testing and reporting.

Information Asset Identification & Classification
Information assets must be classified based on criticality and sensitivity.  These classifications must reflect the potential impact of an information security incident on the entity and the interests of depositors, policyholders, beneficiaries and customers.
All assets used in the company are categorised based on data access and storage requirements, environment and risk. Where possible we utilise ISO27001 compliant cloud environments that comply with CPS 231 and Data Protection Regulations. Our Cloud instances are secured using secure VPN for access and Cloud intrusion monitoring services.

Implementation of Controls
Controls must be in place to protect information assets including those managed by a related or third party.
The Group are in the process of auditing all suppliers to ensure compliance with Essential 8 Security practices. This is the minimum requirement for data and IT security as outlined by the ACSC (The Signals Directorate). Any contractors that must utilise sensitive or personally identifiable data are vetted to ensure compliance with data protection requirements and legislation. Contracts are being modified to incorporate cyber security as a necessity.
 
Testing of Control Effectiveness
A systematic testing program must be implemented to test the effectiveness of information security controls. These controls must be tested and conducted by skilled, independent specialists at least annually.
The Group have completed the initial Internal and External Penetration Testing and have implemented improvements and recommendations associated with the findings. This was completed first week of 2021. The testing found that our security infrastructure (Firewall, Malware detection and Interception and email and web security services) linked well to secure our environment.
Areas of improvement were based on password policy that has now been hardened as per recommendations and some applications needed the latest patching. This is all completed.

Incident Management
Robust mechanisms must be in place to detect and respond to information security incidents.  These mechanisms must manage all relevant stages of an incident, from detection to post-incident review as well as escalation and reporting of incidents to the boards, governing bodies and individuals responsible for the management of security incidents.
As part of the risk assessment, policies are in place to ensure incident management is structured and coordinated. Procedures have been documented and disseminated, authorities have been established and escalations have been outlined. The board will oversee any action plan resulting from an incident and all required reporting.

Auditing
Audit of the information security controls must include a review of the design and operating effectiveness of information security controls, including those maintained by related parties and third parties.
As an SME our auditing is incorporated in our risk analysis exercises. We are developing a full ISMS that will be APRA compliant with a view to expanding this to ISO27001 compliance. This will be audited as per the ISO27001 standards requirement utilising specialist external independent companies / contractors. 

Notifying APRA
APRA regulated entities must notify APRA as soon as possible (and no later than 72 hours) after becoming aware of an information security incident that has materially affected or has the potential to affect materially, financially or non-financially, the entity or the interest of depositors, policyholders, beneficiaries or other customers.  Notification must also occur if an incident has been notified to other regulators, either in Australia or other jurisdictions.
If an information security control weakness is identified, the entity must notify APRA as soon as possible or no later than ten business days after it becomes aware of the weakness.
The Information Security Policy sets out the process to ensure incident and vulnerability reporting is an integral part of the security process. As this policy is overseen by the board, the reporting requirements are native to the policy and adherence is assured.

Coronavirus (COVID-19) Announcement {Update}

Monday, March 23, 2020 - Posted by Michael McCulloch

As we adapt to this fast-changing situation surrounding COVID-19, we have made the following amendments to our service. Will continue to review this situation and take pro-active steps where necessary in these unprecedented times.

LCOLLECT (COMMISSION / CONTINGENT ACCOUNTS)
LCollect is continuing to supply our collection service, with the below changes.

Hardship or Financial Difficulty
Where it is expressed or implied in our contact that someone is experiencing financial difficulty, a 6-month moratorium with a review at 3 months will be granted without the need to supply a statement of financial position or supporting documentation. Please contact us if you do not want this applied to your accounts.

Services Suspended Temporarily
Unless you otherwise instruct us, we will also temporarily cease issuing the following services on accounts fully outsourced to LCollect on a commission basis:

• the commencement of legal proceedings (the initiating action)
• field calls;
• repossessions; and
• process serving

Serious consideration has been given to this decision however we have elected to postpone face-to-face contact for the safety of the wider community as well as our agents. We have been informed by a number of clients of differing policies and approaches that we will action accordingly. On other files, we may be in contact with you prior to taking further action where we deem necessary to collect an account. Files where face-to-face contact is already occurring will be monitored closely.

COLLECTION LAW PARTNERS (FEE ACCOUNTS)

The Law Firm will continue to provide all services, and will follow our client’s policies and instructions. Be informed that we are aware that some process servers may no longer be providing face to face services at this time. This decision is understood and respected. There may be restrictions on other services available through the various Courts.

We will keep you informed on a matter by matter basis.

Services to Continue As Usual - Coronavirus (COVID-19) Announcement

Monday, March 16, 2020 - Posted by Michael McCulloch

We are monitoring the COVID-19 situation closely and are following the advice being provided by NSW Health and the Australian Government and continue to work out of our Sydney office.

In the event that external issues begin to impact upon our operations, such as mandatory self-isolation, we will activate our business continuity plan which will involve our staff working out of secure remote locations to ensure we meet our service commitments to our clients.

When working remotely our staff have the very same resources that are available in an office environment including the ability to make and receive calls, call recording, email, mail facilities.

If you have any questions or concerns regarding our response to this unprecedented event please speak with us on (02) 8923-1600.

2019-2020 Bushfire Emergency (Victoria and NSW)

Sunday, January 05, 2020 - Posted by Michael McCulloch

The Consequences of Bankruptcy

Tuesday, July 30, 2019 - Posted by Michael McCulloch

If you have worked in the debt collection industry for any period of time you would have spoken with people who believe that bankruptcy is the only way out of a financial mess.

While this may be the case for some people, at times they may not be fully educated about the consequences of taking this path with an emotional decision being made rather than a rational decision. We are not implying that it is your role to talk someone out of bankruptcy, however, always ask the person whether or not they understand the consequences of their decision. So what are these consequences?

Bankruptcy Can Impact Income and Employment
A person earning over the indexed amounts may be required to make compulsory payments to the Trustee. The base income threshold amount for a person with no dependents is currently $57,866.90 with the index rising to $78,698.98 for person supporting over 4 dependents. Compulsory payments are calculated by the Trustee and can be paid to creditors to reduce their liability.
While bankruptcy does not stop someone from being employed there are professions that impose restrictions and licence conditions on bankrupts. Some professions do not allow the management of Trust Accounts such as those held by accountants or Solicitors by a bankrupt nor can a bankrupt be a Director of a company, manage a company or hold certain public positions.

Not All Debts Are Released
Most unsecured debt are covered once a person files for bankruptcy however not all. Some exceptions include Child Support, HECS and HELP debts, penalties imposed by Courts and fines. Debts owing to Centrelink, the ATO, Victims of Crime and some toll fines may not be covered and enquiries should be made by the bankrupt to see if the bankruptcy covers them.

A Life on the National Personal Insolvency Index (NPII)
As a bankruptcy a record is maintained on the NPII for life. This is a searchable public register that records insolvency proceedings in Australia.

Obtaining Future Credit
Some creditors ask if a person has ever been bankrupt. This must be disclosed at the time of the application. Credit Reporting Bodies also keep a record of personal insolency for 5 years from the date of bankruptcy or 2 years from when the bankruptcy is discharged by law (whichever is later).
The indexed amounts pertaining to credit limits allow a bankrupt to apply for credit, such as goods or services on credit, hire purchase, leases, etc up to $5,778. Amounts over and above this the bankrupt must disclose they are bankrupt to the organisation providing them with credit.

Restricted Overseas Travel
Planning an overseas holiday? As a bankrupt permission must be sought from the Trustee to travel overseas. It is an offence to travel overseas without obtaining written consent from the Trustee.

Assets Can Be Sold
The Trustee in Bankruptcy may elect to sell assets, including real property, in which to satisfy creditors. Any assets must be declared to the Trustee and these assets must not be disposed of by the bankrupt.

Discharge of Bankruptcy
Bankruptcy usually last for 3 years and 1 day from the date the person files for bankruptcy or, where a creditor commences the bankruptcy proceedings, 3 years and 1 day from the date the Statement of Affairs is filed. In some cases a Trustee may apply to the Court to extend the automatic date of discharge for up to a period of 8 years.

This is not an exhaustive list of the restrictions that a Trustee may impose on a bankrupt. This list has been provided in good faith so that you may better educate people you come across in your day-to-day role about the possible consequences of their decision.

If you have any questions we urge you to speak with a qualified legal practitioner, Trustee or Collection Law Partners.

Disclaimer: This article is general information only and does not constitute legal advice and is not intended to be relied on in any way.

Debt Collection News Goes Quarterly

Tuesday, July 30, 2019 - Posted by Michael McCulloch

As most of our subscribers are aware we have released our newsletter every month for the last 10 years and have released over 550 free articles covering debt collection news around the world as well as debt collection tips and advice.

We have decided that our blog and newsletter will now be released quarterly following this issue. 

We hope that this change will result in more feature packed articles and news. If there are industry specific changes that we believe will have an impact on our industry we will release this information via our social networking channels on Facebook and LinkedIn.

We thank you for your continued support and loyalty and look forward to continuing to provide this free service.

Local Council Waives $760K in Debt

Tuesday, July 30, 2019 - Posted by Michael McCulloch

A local council in Perth has recently waived in excess of $760,000 in debt because staff overlooked referring the debts to their debt collection agency.

The Town of Victoria Park found that 11,148 unpaid fines, mainly from parking infringements, had failed to be outsourced for collection after a clerical error was discovered. Of those discovered as being unpaid 8,000 were uncollectable due to the limitation period expiring. With the oversight identified council wrote to the 1,000 of the larger unpaid debts demanding payment however only 49 were paid returning the council $6,617.

With council estimating that approximately $3,000 had been spent in attempting to recover the debts, which did not account for staff time, Councillors made the decision not to pursue the debt and agreed to write-off $767,199.13 at the June council meeting. Cr Karen Vernon stated that the unrecoverable debt was "disappointing on so many levels" as the money could have been utilised to make a difference to significant community projects or to pay down further debt owed by the council. Town of Victoria Park would not confirm to the Southern Gazette if any council staff were dismissed over the error.

In a statement to the media, Victoria Park Chief Executive Anthony Vulete said that their debt collection policy and practices were being reviewed and accepted that the situation was an administrative failure.

UK Debtors Granted 60 Day Payment Extensions

Friday, June 28, 2019 - Posted by Michael McCulloch

Debtors in the UK are to benefit from a new scheme where they will be provided 60 days grace from debt collectors and Bailiffs.

In an article that appeared in The Sun, people who are struggling with significant debt to local government bodies, such as tax arrears, personal tax debts and benefit overpayments, will have their debts frozen with all enforcement action also stopped. The scheme, which is due to be launched in 2021, is designed to provide the financially disadvantaged with time to find long-term solutions to their financial problems. During the "breathing space" period, which is what the scheme is being called, those debtors must work with professional financial counsellors to reach solutions to get back on track with their repayments.

The "breathing space" program also includes a "statutory debt repayment plan" which allows those in debt to repay debt over a more manageable period and could see monthly repayments adjust according to their disposable income.

Debt charity, StepChange, revealed in April of this year that 657,000 people had sought their assistance in 2018 and applauded the moves by HM Treasury.