Debt Collection Specialists | Sydney | LCollect

Debt Collection News

Released every month our debt collection blog contains news, stories and tips to keep you informed.

APRA Compliance Information Security

Friday, February 05, 2021 - Posted by Michael McCulloch

Prudential Standard CPS 234

first edition

The Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234 (CPS 234) requires APRA-regulated entities and their third-party providers to develop and maintain robust and secure information security infrastructure, policies and procedures. Because of the sensitive and personally identifiable data that LCollect Pty Ltd and BH Lawyer Pty Ltd (incorporating Collection Law Partners), herein “the Group”, utilise in their daily business operations, this is recognised as the minimum requirement for ensuring that any potential data exposure is minimised.
Under CPS 234 an entity is expected to understand three key factors: the threat landscape, the risk associated with the business based on the sensitivity of its data and its propensity as a target, and its cybersecurity maturity as a business. The Group have undertaken a full risk assessment on the understanding that our data was high-risk and that our cyber security maturity was also high. Based on the risk versus maturity model outlined by the Federal Government, our security posture needed more structure and coordination in order to fully comply with APRA requirements.

Roles & Responsibilities
The board of an APRA-regulated entity is ultimately responsible for information security. The board must ensure the entity maintains information security in a manner reflective of its size and the extent of threats to its information assets, and that enables the continued sound operation of the entity.
The Group have tasked their executive with overseeing the end-to-end security of our data. The executive will act as the board for the purpose of monitoring and assessing APRA standards and requirements. As an SME, the Executive are hands-on and are best positioned to control the ISMS and ensure data integrity and compliance.

Information Security Capability
An APRA-regulated entity must have information security capability which corresponds with the size and threats to its information assets and enables the continued sound operation of the entity.
As an SME group, the Group have assessed their information usage, data protection requirements and security infrastructure and believe we have a superior security posture to most businesses of a like size. We have a mix of hardware and application-based security services that are ISO27001 compliant and give us this level of confidence.

Creating an Information Security Policy Framework
An information security policy framework must be maintained and provide direction on responsible parties who have an obligation to maintain information security.
The Group have developed a comprehensive security policy framework that covers all areas of APRA CPS 234 and PCI DSS requirements. The policy covers all necessary aspects, from authority and delegation and job-function data requirements to physical and logical security, data storage, security and backup requirements. It also outlines recruitment and the required background checks, the compliances required, and testing and reporting.

Information Asset Identification & Classification
Information assets must be classified based on criticality and sensitivity. These classifications must reflect the potential impact of an information security incident on the entity and the interests of depositors, policyholders, beneficiaries and customers.
All assets used in the company are categorised based on data access and storage requirements, environment and risk. Where possible we utilise ISO27001 compliant cloud environments that comply with CPS 231 and Data Protection Regulations. Our Cloud instances are secured using secure VPN for access and Cloud intrusion monitoring services.

Implementation of Controls
Controls must be in place to protect information assets including those managed by a related or third party.
The Group are in the process of auditing all suppliers to ensure compliance with Essential 8 Security practices. This is the minimum requirement for data and IT security as outlined by the ACSC (The Signals Directorate). Any contractors that must utilise sensitive or personally identifiable data are vetted to ensure compliance with data protection requirements and legislation. Contracts are being modified to incorporate cyber security as a necessity.

Testing of Control Effectiveness
A systematic testing program must be implemented to test the effectiveness of information security controls. This testing must be conducted by skilled, independent specialists at least annually.
The Group have completed the initial internal and external penetration testing and have implemented the improvements and recommendations associated with the findings. This was completed in the first week of 2021. The testing found that our security infrastructure (firewall, malware detection and interception, and email and web security services) linked well to secure our environment.
The areas for improvement were the password policy, which has now been hardened as recommended, and some applications that needed the latest patches. This is all complete.

Incident Management
Robust mechanisms must be in place to detect and respond to information security incidents. These mechanisms must manage all relevant stages of an incident, from detection to post-incident review, as well as escalation and reporting of incidents to the boards, governing bodies and individuals responsible for the management of security incidents.
As part of the risk assessment, policies are in place to ensure incident management is structured and coordinated. Procedures have been documented and disseminated, authorities have been established and escalations have been outlined. The board will oversee any action plan resulting from an incident and all required reporting.

Internal Audit
Audit of the information security controls must include a review of the design and operating effectiveness of information security controls, including those maintained by related parties and third parties.
As an SME, our auditing is incorporated in our risk analysis exercises. We are developing a full ISMS that will be APRA compliant, with a view to expanding this to ISO27001 compliance. This will be audited as per the ISO27001 standard's requirements, utilising specialist external independent companies or contractors.

Notifying APRA
APRA-regulated entities must notify APRA as soon as possible (and no later than 72 hours) after becoming aware of an information security incident that has materially affected, or has the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers. Notification must also occur if an incident has been notified to other regulators, either in Australia or in other jurisdictions.
If an information security control weakness is identified, the entity must notify APRA as soon as possible or no later than ten business days after it becomes aware of the weakness.
The Information Security Policy sets out the process to ensure incident and vulnerability reporting is an integral part of the security process. As this policy is overseen by the board, the reporting requirements are native to the policy and adherence is assured.

Who is Becoming Bankrupt

Wednesday, September 01, 2010 - Posted by Philip Harvey

Statistics for this were obtained from the ITSA website. 

What are your experiences on your ledger concerning age and occupation of bankruptcy?

Your comments in the new forum below will be greatly appreciated. 

1/ Bankruptcy by Age

[Table: Debt Agreement versus Bankruptcy by age group. Columns: Age Group, Debt agreement (Part 9), Bankruptcy. Rows: Under 25, 25 to 34, 35 to 44, 45 to 54, over 55. Figures not reproduced.]

2/ Causes of Bankruptcy

[Table: causes listed are Overuse of credit, Domestic Discord, Ill Health, Adverse Litigation, Gambling or speculation. Figures not reproduced.]

3/ Occupation of people filing for Part 9 agreements.

[Table: occupations listed include Assoc Professionals and Other (unemployed, spouses). Figures not reproduced.]

A couple of brief observations:
1/ The difference in the type of bankruptcy used by age.
2/ Unemployment is not the biggest cause of bankruptcy.

Early Release of Superannuation

Sunday, November 01, 2009 - Posted by Philip Harvey

The early release of superannuation can be an effective way for a debtor to clear their arrears and get back on track with their mortgage. Both ASIC and APRA have some basic requirements that need to be met before superannuation is released.

When reviewing these requirements, you will note that a Credit Card / Personal Loan is not included. Also of note is that an investment property / second property is not included.

ASIC Requirements:

Requires the debtor to contact the superannuation fund. The debtor may also be paid a 'non-commutable' income stream during a period of temporary incapacity (debtors won't be able to get a lump sum in the case of a temporary incapacity). 

Severe financial hardship 

Requires the debtor to contact the superannuation fund. If the rules allow early release of benefits, you must satisfy the trustee that you have been receiving a Commonwealth income support payment for a continuous period of 26 weeks and you cannot meet your reasonable and immediate family living expenses. 

Compassionate grounds 

Requires the debtor to contact the superannuation fund. If the rules allow early release of benefits, the 'compassionate grounds' are set out in the law. 
Compassionate grounds involve medical treatment for serious conditions that is not readily available through the public health system, transport for medical treatment, changes to a home or vehicle because of a severe disability, palliative care, funeral and burial expenses, or to prevent the forced sale of your home by your mortgagee. 

APRA Requirements:

Medical treatment 

To help pay for medical costs, for you or your dependant, required to: 
- treat a life-threatening illness or injury; and/or 
- alleviate acute or chronic physical pain; and/or 
- alleviate an acute or chronic mental condition 
provided that the treatment is not readily available through the public health system and is not covered by any applicable private health insurance and/or Workers’ Compensation. 

Medical transport 

To assist with the cost of transportation to and from medical treatment, for you or your dependant, when that treatment is required to: 
- treat a life-threatening illness or injury; and/or 
- alleviate acute or chronic physical pain; and/or 
- alleviate an acute or chronic mental condition 
provided that the transport is not readily available through the public health system and is not covered by any applicable private health insurance and/or Workers’ Compensation. 

Mortgage assistance 

To prevent your home from being sold by the lender with whom you have the home’s mortgage. 

This ground does not include rent, or making payment on a mortgage: 
- for which you expect to have difficulty paying in the future (but are not yet in arrears); 
- for which you are in arrears, but not to the extent that the lender has decided to sell; 
- for which one of your dependants, other family member or friend is liable; or 
- that is for a second or investment property. 

The substantiation required from the mortgagee (lender) to satisfy APRA's requirements may be set out in a single letter or document or in separate letters or documents. Providing mortgage account details and BSB numbers will also enable funds to be directly deposited to the mortgage account once they are released by the superannuation fund. Documentation from mortgagees (lenders) must be clear about the mortgagee's (lender's) intention to continue or commence enforcement action. Using phrases such as “may proceed”, “may be entitled to commence”, or “reserve the right to proceed” is not considered sufficient to meet the requirements of the legislation. The legislation requires that the mortgagee (lender) must state that if the borrower fails to pay the overdue amount, the mortgagee (lender).

LCollect can issue a Mortgage Default Notice on your behalf which satisfies the requirements for superannuation to be released under this category.

Modifications to your home and/or motor vehicle 

To pay for modifications required to accommodate special needs if you or one of your dependants has a severe disability 

Funeral assistance 

To assist with funeral, burial, cremation and other expenses related to the death of a dependant. 

The deceased person must have been reliant on you financially, domestically or personally: it is not enough that the person was a family member.

Care for terminal medical condition 

To provide care for yourself or your dependant if you or your dependant is dying from a terminal medical condition. This kind of care is often referred to as “palliative care”.

APRA Statistics for the Early Release of Superannuation

Sunday, November 01, 2009 - Posted by Philip Harvey

You will note a downward trend for 2008/09, which is directly attributable to the sharp decline in interest rates during the period.

[Table: Financial year; Number of applications received; in part or full for release; Average amount per application. Figures not reproduced.]

*Revised figures.

Debt Collection & APRA Provisioning Guidelines

Thursday, October 01, 2009 - Posted by Philip Harvey

The effectiveness of your organisation's debt collection has a direct impact on the provisions for bad debts your organisation must make. Provisions for bad debts are expenses to your organisation that can add up very quickly and, on a poorly performing ledger, can threaten the profitability of your organisation.

As a collector, have you ever fully understood why you are sometimes put under intense pressure to reduce the arrears, order new valuations and, consequently, reduce the required provisioning? By summarising the APRA Provisioning Guidelines (Guidance Note AGN 220.3) below, we hope to improve your understanding. Please note that your own organisation's provisioning guidelines may differ from the APRA Guidelines (i.e. be more conservative).

The provisioning guidelines are divided into four categories based upon the associated risk of each loan type:

  1. Category 1 - Well-secured facilities, including:
    • a residential, fully mortgage-insured, registered 1st mortgage;
    • a residential registered 1st mortgage where the loan balance is less than or equal to 80% of the property value (without mortgage insurance). Note: where the exposure is 90 days or more of payments past due, the valuation must be no older than 12 months;
    • a residential registered 2nd mortgage where:
      • the value of the 1st mortgage plus the value of the 2nd mortgage is less than or equal to 80% of the property value, and the first mortgage cannot be extended without being subordinated to the second mortgage; OR
      • the value of the 1st mortgage plus the value of the 2nd mortgage is between 80% and 100% of the property value, the first mortgage cannot be extended without being subordinated to the second mortgage, AND the outstanding balance is 100% mortgage insured.
  2. Category 2 - Registered 1st mortgages on residential properties where the total loan balance (less any component that is mortgage insured) is between 80% and 100% of the property value (where the loan is 90 days or more of payments past due, the valuation must be no older than 12 months).
  3. Category 3 - Personal and commercial loans (secured and unsecured), and mortgage loans where the total loan balance less any mortgage insurance is greater than 100% of the property value. Please note that APRA do also allow some exemptions in this category, which can be applied for.
  4. Category 4 - Overdrawn savings accounts and overdrawn limits on credit cards, overdrafts and line-of-credit facilities.

The % of the total loan balance that must be provisioned per the APRA Guidelines is determined by the number of days the borrower is in arrears in meeting contractual obligations. The categories and percentages are outlined below:

% Provision Required by Category

Days in Arrears    Cat 1   Cat 2   Cat 3   Cat 4
0-13 days            0%      0%      0%      0%
14-89 days           0%      0%      0%     40%
90-181 days          0%      5%     40%     75%
182-272 days         0%     10%     60%    100%
273-364 days         0%     15%     80%    100%
365+ days            0%     20%    100%    100%

As a collector, you can see from the above matrix the effect the performance of your arrears ledger has on your provisioning.

For Category 1 and 2 loans, the guidance requiring a valuation no older than 12 months becomes important. For example, if you had a Category 1 loan without mortgage insurance that was more than 90 days in arrears and without a valuation performed in the last 12 months, it would default to a Category 3 loan. Let's attach a loan value of $100,000 to this example: instead of a provision of zero, a provision of $40,000 would be required, going straight to your organisation's bottom line.
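As an added illustration (not from the post, APRA or LCollect), here is a Python helper that applies the provisioning matrix above together with the 12-month valuation rule; the Loan field names and the treatment of a fully mortgage-insured Category 1 loan (left in Category 1) are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

# Provision matrix as summarised in the post: (first day, last day or None
# for open-ended, % of balance for categories 1 to 4).
PROVISION_MATRIX = [
    (0, 13, (0, 0, 0, 0)),
    (14, 89, (0, 0, 0, 40)),
    (90, 181, (0, 5, 40, 75)),
    (182, 272, (0, 10, 60, 100)),
    (273, 364, (0, 15, 80, 100)),
    (365, None, (0, 20, 100, 100)),
]

@dataclass
class Loan:  # assumed field names; not an APRA or LCollect data model
    balance: float
    days_in_arrears: int
    category: int  # category as originally classified, 1 to 4
    mortgage_insured: bool = False
    valuation_age_months: Optional[int] = None  # None = no valuation held

def effective_category(loan: Loan) -> int:
    """Apply the 12-month valuation rule: a Category 1 or 2 mortgage 90+ days
    past due without a valuation no older than 12 months defaults to
    Category 3. Exempting a fully mortgage-insured Category 1 loan from the
    rule is an assumption of this example."""
    if loan.category in (1, 2) and loan.days_in_arrears >= 90:
        if loan.category == 1 and loan.mortgage_insured:
            return 1
        if loan.valuation_age_months is None or loan.valuation_age_months > 12:
            return 3
    return loan.category

def provision_pct(days_in_arrears: int, category: int) -> int:
    """Look up the % provision for a days-in-arrears band and a category."""
    for first, last, pcts in PROVISION_MATRIX:
        if days_in_arrears >= first and (last is None or days_in_arrears <= last):
            return pcts[category - 1]
    raise ValueError("days in arrears must be 0 or more")

def required_provision(loan: Loan) -> tuple:
    """Return (effective category, dollar provision) for a loan."""
    category = effective_category(loan)
    pct = provision_pct(loan.days_in_arrears, category)
    return category, round(loan.balance * pct / 100, 2)

if __name__ == "__main__":
    # The post's example: $100,000 Category 1 loan, no mortgage insurance,
    # over 90 days in arrears, no valuation in the last 12 months.
    print(required_provision(Loan(100000, 120, 1)))  # (3, 40000.0)
```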

Another important consideration for your Category 1 (and, to some extent, Category 2) loans is the potential consequence of doing nothing when an account is in arrears. We have seen examples in case law where the lender's inaction or slow action led to excessive interest and fees accruing against the loan, and the Courts reversed these excessive amounts in favour of the borrower. The key point to remember is that although your provisioning is not impacted, if your lack of action is to the financial detriment of the borrower, the Court may award the borrower the amount of the financial loss suffered from that lack of action.

The full APRA Guidance Note (AGN 320.3) can be located on the APRA Website.

Copyright © LCollect 2021 | All Rights Reserved | Licensed Mercantile Agent License #409661517 | ABN 44 089 892 688 |
Australian Credit Licence #430659