Friday, February 05, 2021 - Posted by Michael McCulloch
APRA COMPLIANCE INFORMATION SECURITY
Prudential Standard CPS 234
The Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234 (CPS 234) requires APRA-regulated entities and third-party providers to develop and maintain robust and secure information security infrastructure, policies and procedures. Due to the sensitive and personally identifiable data that LCollect Pty Ltd and BH Lawyer Pty Ltd (incorporating Collection Law Partners), herein “the Group”, utilise in their daily business operations, it is recognised that this is the minimum requirement to ensure that any potential data exposure is minimised.
Under CPS 234 an entity is expected to understand 3 key factors: the threat landscape, the risk associated with the business based on the sensitivity of its data and its propensity as a target, and the cybersecurity maturity of the business. The Group have undertaken a full risk assessment with the understanding that our data was high-risk and our cyber security maturity was also high. Based on the risk vs maturity model as outlined by the Federal Government, in order to fully comply with APRA requirements, our security posture needed more structure and coordination.
Roles & Responsibilities
The board of an APRA-regulated entity is ultimately responsible for information security. The board must ensure the entity maintains information security in a manner reflective of its size and extent of threats to its information assets and enables the continued sound operation of the entity.
The Group have tasked their executive to oversee the end-to-end security of our data. The executive will act as the board for the purpose of monitoring and assessing APRA standards and requirements. As an SME, the Executive are hands-on and are best positioned to control the ISMS and ensure data integrity and compliance.
Information Security Capability
An APRA-regulated entity must have information security capability which corresponds with the size and threats to its information assets and enables the continued sound operation of the entity.
As an SME group, the Group have assessed their information usage, data protection requirements and security infrastructure and believe we have a superior security posture to most businesses of a like size. We have a mix of hardware and application-based security services that are ISO27001 compliant and give us this level of confidence.
Creating an Information Security Policy Framework
An information security policy framework must be maintained and provide direction on responsible parties who have an obligation to maintain information security.
The Group have developed a comprehensive security policy framework that covers all areas of APRA CPS 234 and PCI DSS requirements. The policy covers all necessary aspects from authority and delegation, job function data requirements, physical and logical security, data storage, security and backup requirements. It also outlines recruitment and required background checks, the compliances required, and testing and reporting.
Information Asset Identification & Classification
Information assets must be classified based on criticality and sensitivity. These classifications must reflect the potential impact of an information security incident on the entity and the interests of depositors, policyholders, beneficiaries and customers.
All assets used in the company are categorised based on data access and storage requirements, environment and risk. Where possible we utilise ISO27001 compliant cloud environments that comply with CPS 231 and data protection regulations. Our cloud instances are secured using a secure VPN for access and cloud intrusion monitoring services.
Implementation of Controls
Controls must be in place to protect information assets including those managed by a related or third party.
The Group are in the process of auditing all suppliers to ensure compliance with the Essential Eight security practices. This is the minimum requirement for data and IT security as outlined by the ACSC (the Australian Cyber Security Centre, part of the Australian Signals Directorate). Any contractors that must utilise sensitive or personally identifiable data are vetted to ensure compliance with data protection requirements and legislation. Contracts are being modified to incorporate cyber security as a necessity.
Testing of Control Effectiveness
A systematic testing program must be implemented to test the effectiveness of information security controls. This testing must be conducted by skilled, independent specialists at least annually.
The Group have completed the initial internal and external penetration testing and have implemented the improvements and recommendations associated with the findings. This was completed in the first week of 2021. The testing found that our security infrastructure (firewall, malware detection and interception, and email and web security services) worked well together to secure our environment.
The areas for improvement were the password policy, which has now been hardened as per the recommendations, and some applications that needed the latest patches. This work is all completed.
Robust mechanisms must be in place to detect and respond to information security incidents. These mechanisms must manage all relevant stages of an incident, from detection to post-incident review as well as escalation and reporting of incidents to the boards, governing bodies and individuals responsible for the management of security incidents.
As part of the risk assessment, policies are in place to ensure incident management is structured and coordinated. Procedures have been documented and disseminated, authorities have been established and escalations have been outlined. The board will oversee any action plan resulting from an incident and all required reporting.
Audit of the information security controls must include a review of the design and operating effectiveness of information security controls, including those maintained by related parties and third parties.
As an SME our auditing is incorporated in our risk analysis exercises. We are developing a full ISMS that will be APRA compliant with a view to expanding this to ISO27001 compliance. This will be audited as per the ISO27001 standards requirement utilising specialist external independent companies / contractors.
APRA-regulated entities must notify APRA as soon as possible (and no later than 72 hours) after becoming aware of an information security incident that has materially affected, or has the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers. Notification must also occur if an incident has been notified to other regulators, either in Australia or in other jurisdictions.
If an information security control weakness is identified, the entity must notify APRA as soon as possible and no later than ten business days after it becomes aware of the weakness.
The Information Security Policy sets out the process to ensure incident and vulnerability reporting is an integral part of the security process. As this policy is overseen by the board, the reporting requirements are native to the policy and adherence is assured.
Friday, June 28, 2019 - Posted by Michael McCulloch
The Australian Financial Complaints Authority (AFCA) has recently released a snapshot of statistics following their first 5 months of operation.
The release of these statistics follows an article, 'Appalling Treatment': Bank Customers Making 5,900 Complaints a Month in the Sydney Morning Herald where the Chair of AFCA, Helen Coonan said in a speech allegedly seen by The Sydney Morning Herald and The Age, "Poor culture in financial institutions has been identified as the main culprit that permitted a slew of bad practices, appalling treatment of consumers and small businesses, and in many cases arrogant indifference to regulatory and compliance risk. Now almost seven months old, AFCA is playing an important part in restoring shattered community trust and confidence in the financial services sector."
The statistics show that between 01/11/2018 and 31/03/2019 AFCA -
- Received 29,873 complaints (closing 55% as of 31/03)
- Awarded $67 million in compensation
- Identified 81 system issues that are still currently under investigation
- Attended and / or held 138 events and meetings across the ACT, NSW, QLD, SA, VIC and WA
- Received more than 61,237 phone calls; and
- Had 568,933 visits to their website
Both credit reporting and responsible lending topped the most complained about issues for credit providers (1,935 and 1,198 complaints), with 45% of complaints relating to credit related products. 1,142 complaints were received about debt collectors or buyers, however the nature of these complaints was not disclosed.
Thursday, May 30, 2019 - Posted by Michael McCulloch
It is now being widely reported across several media sites, including Money Management, that the Australian Securities and Investments Commission (ASIC) has issued a discussion document to Financial Service Providers (FSPs) regarding complaints made via social media platforms such as Twitter and Facebook.
It is a move that appears to recognise that there are other channels for complaints to be made, meaning that even a single tweet on Twitter could require the IDR process to be applied and legally acted on. ASIC Deputy Chair Karen Chester said in a statement to itnews.com.au, "It is widely acknowledged there is room for much improvement when it comes to handling consumer complaints in our financial system. Consumers expect and need a fair, timely and effective way to have their complaints dealt with, and to be provided redress where appropriate. The absence of such effective redress, and the failure of firms to identify and look into systemic complaints, were key findings of the FSRC and the Prudential Inquiry into the CBA."
The discussion paper, which can be downloaded here, asks contributors several questions, including what constitutes a complaint, whether complaints made via social media channels are dealt with under IDR processes, and whether the treatment of a complaint differs if the complaint is made via an external platform rather than the FSP's own social media platform.
ASIC has indicated that it plans to release the revised regulatory guide by December 2019.
Thursday, May 30, 2019 - Posted by Michael McCulloch
Following on from last month where we looked at the AFCA Approach to Mortgagee Sales this month we look at the Australian Financial Complaints Authority (AFCA) approach to Financial Difficulty - Early Release of Superannuation.
The purpose of this article is to summarise the approach AFCA have regarding the early release of superannuation and what lenders obligations are when considering a request from a consumer to support the early release of superannuation.
Grounds for Release
There are 2 primary circumstances where a consumer may apply for the early release of superannuation: severe financial hardship or compassionate grounds (mortgage arrears). A consumer that has been in receipt of a Government support payment, such as Newstart Allowance, continuously for 26 weeks may be entitled to the early release of superannuation on the grounds of financial hardship. A consumer may access between $1,000 and $10,000 once a year and the application must be made directly to their superannuation fund. The payment can be utilised for any purpose and does not require the support of the FSP.
Where the application is being made on compassionate grounds (mortgage arrears) the process is administered by the Australian Taxation Office (ATO). A consumer's application to the ATO for payment of mortgage arrears will need a letter from their FSP stating that the amount is overdue and that, if the overdue amount is not paid by the due date, the mortgagee will foreclose or force the sale of the consumer's principal place of residence. More information is available from Access on Compassionate Grounds on the ATO website.
There is an expectation from AFCA that FSPs will consider alternatives rather than simply supporting a request for the release of superannuation, as the release of superannuation is a last resort. AFCA expects FSPs to take appropriate steps to understand the consumer's financial position, decide what assistance it can provide the consumer and communicate its decision to the consumer.
Factors to Consider
When considering if support should be given for the early release of superannuation, the FSP should explore all alternative options -
Where it is apparent that the consumer can afford to continue with the contractual repayments but is unable to clear the arrears, the FSP may consider it more appropriate to capitalise the arrears.
Where the FSP is unable to determine if the consumer can meet their ongoing contractual obligations it may be more appropriate for the FSP to provide a reasonable moratorium period to allow the consumer time for their situation to improve.
Where it is clear that the consumer will be unable to meet their ongoing contractual obligations supporting a release for superannuation may not be appropriate as any release will only delay the inevitable. In certain situations it may be beneficial for the FSP to allow the consumer time to sell the security property which will preserve their superannuation and may offer some financial relief.
Failing to Meet Obligations
Where AFCA believe that the FSP has failed to meet their obligations AFCA may rule that the FSP has failed to meet financial difficulty obligations under the AFCA Rules. Where the consumer has suffered a financial loss AFCA may award compensation.
Where the FSP has supported an early release of superannuation that AFCA believes was inappropriate, AFCA will generally not require the FSP to refund the superannuation monies or reimburse any tax paid as a result of the withdrawal of the funds, as in most cases the consumer will have obtained the benefit of the funds and will potentially have saved on interest, fees and charges.
To learn more or to read this article in its entirety visit AFCA Approaches - Early Release of Super.
Disclaimer: This article is general information only and does not constitute legal advice and is not intended to be relied on in any way.
Monday, April 29, 2019 - Posted by Michael McCulloch
Recently the Australian Financial Complaints Authority (AFCA) released a series of guides outlining their approach to common complaints. This month we take a look at the AFCA approach to Mortgagee Sales.
Where a consumer (Borrower) is unable to repay a loan a Financial Service Provider (FSP) may elect to take possession of the property to sell it to reduce or pay out the loan. AFCA have set out their guidelines as to what an FSP must do when it takes possession and what they will take into account if there is a complaint raised by the Borrower about the sale process -
The FSP must take reasonable care when it takes possession to ensure that the property is sold at its market value. The FSP does this by making important decisions at key milestones and oversees the entire sale process.
Consulting the Borrower
The FSP does not need to consult the Borrower about key decisions or the sales process nor is there an obligation to keep the Borrower informed as to the progress of the sale. There is however an obligation on the FSP to communicate to the Borrower when the sale is completed and how the sale proceeds have been used.
The FSP generally does not have to spend money to improve the property nor does it need to find new tenants or let existing tenants stay to make money prior to the sale. The FSP however may need to pay for common maintenance issues such as repairing broken windows or replacing locks to secure the property, cleaning, gardening or lawn mowing, repairing pool equipment or fencing a pool if it is required by law before the property can be sold.
Insuring the Property
The FSP should insure the property prior to taking possession.
The FSP should obtain at least 1 sworn valuation from an independent registered valuer.
According to the International Valuation Standards Council the definition of "market value" is -
"The estimated amount for which an asset or liability should exchange on the valuation date between a willing buyer and a willing seller in an arm’s length transaction, after proper marketing and where the parties had each acted knowledgeably, prudently and without compulsion."
Marketing the Property
The FSP should obtain at least 1 marketing proposal from a reputable property agent. This proposal should include recommendations on the market value, the best way to sell the property (auction, private sale, tender), marketing and advertising strategy and any work needed to prepare the property for sale such as repairs and maintenance.
Advertising campaigns may include print media, online ads through reputable sites such as domain.com.au and realestate.com.au, billboards at the property, flyers or handbills, contact with potential purchasers through an agent's internal marketing list, public inspections or inspections by appointment.
It is at the discretion of the FSP whether they advertise the sale of the property as a mortgagee in possession sale. This may attract more purchasers, with the onus on the auctioneer to ensure that the auction generates competition between bidders to achieve a sale at market value.
The Sale Method
In the vast majority of cases the property will be sold at auction, with AFCA recommending a minimum 4 week advertising campaign with weekly inspections and an inspection on the day of the auction.
If there is advice from the FSP's experts recommending a private sale, the FSP must take reasonable care with marketing and advertising. It must show that it brought the property to the attention of all potential purchasers, thus creating competition and achieving market value.
Where the property is being sold at auction all available information should be considered such as valuations, marketing reports and previous offers.
Proceeds of the Sale
All proceeds following the sale must be accounted for and must be explained to the Borrower after the sale has been completed.
Funds from the sale may be used to reduce or pay out the debt the Borrower owes to the FSP or to any other creditor with a mortgage over the property, and to pay reasonable costs incurred in taking possession of, maintaining and selling the property.
Any surplus from the sale should be paid to the Borrower. Where the Borrower has loans from the FSP for more than one property any surplus may be used to reduce the balance of the other loan.
The FSP should only do what is necessary to obtain possession of the property. For example, if the Borrower is prepared to offer up possession and agrees to the sale, legal action would be unnecessary.
Once in possession the FSP can reimburse itself for costs relating to the security, insurance and maintenance of the property as well as the relevant advertising and sale costs including agent commissions.
The FSP, under the Loan Contract or Mortgage, will also usually be allowed to recover reasonable and proper legal costs. The FSP, of course, must not recover more costs than it paid to its legal representative and must apply any discount or rebate to the Borrower's loan.
In the event of a complaint the FSP must provide invoices for all costs it has taken from the sale proceeds.
To learn more or to read this article in its entirety visit AFCA Approaches - Mortgagee Sales.
Disclaimer: This article is general information only and does not constitute legal advice and is not intended to be relied on in any way.
Friday, March 29, 2019 - Posted by Michael McCulloch
In a recent matter before the Supreme Court in Victoria a Creditor's Statutory Demand has been set aside by the Court on the basis that the demand was incorrectly addressed.
By way of background the Plaintiff, Mills Oakley, commenced proceedings against the Defendant, Asset HQ Australia, in the District Court in NSW and obtained a Judgment in October 2018. A Statutory Demand was issued in respect of the debt for $158,905.67 which remained unpaid. Pursuant to s459C(2)(a) of the Corporations Act a company is presumed to be insolvent if it has failed to satisfy a Statutory Demand within 21 days of service being effected.
In the proceedings Mills Oakley v Asset HQ Australia Pty Ltd VSC 98, the Plaintiff relied on non-payment as a presumption of insolvency and commenced wind-up proceedings in the Supreme Court, however Solicitors for Asset HQ Australia argued that there was insufficient evidence of the Statutory Demand having been served. The basis of this argument focused on:
- the company's registered address being noted as "Pacific Way" rather than "Pacific Highway" on the Demand;
- the company claiming to have never received the Demand; and
- whether the Plaintiff was able to prove that service was effected by Australia Post.
In the decision handed down, the Court determined that there was insufficient evidence of service having been effected. The Court was not satisfied that the Demand was served at the Registered Office of Asset HQ Australia and noted in the Judgment:
- the Demand was not addressed exactly as it appeared in an ASIC search;
- the claims by the Plaintiff that there was no "material difference" or "practical difference" between "Way" and "Highway" were not to the point. "Way" was not the Registered Office of the Defendant; and
- The fact that the envelope was not "returned to sender" is insufficient evidence of the Demand having been served.
Judicial Registrar Matthews who heard the matter has indicated he will hear from the parties as to future progress of the matter and Costs.
Wednesday, February 27, 2019 - Posted by Michael McCulloch
It is being reported by the Sydney Morning Herald that electoral roll data of more than 16 million Australians is allegedly being used by buy now, pay later providers, betting agencies, marketing firms and debt collectors to identify individual consumers.
Data allegedly obtained from a data marketing company, Illion, allows companies such as Afterpay to match identities to addresses as it processes customers. The data is allegedly being accessed under recent changes to the Anti-Money Laundering and Counter-Terrorism Financing Act.
Historically, prior to changes to the way the electoral roll was accessed, the roll was being used by debt collectors (among others) for the purpose of making enquiries to locate a debtor or to verify that a debtor may be residing at an address prior to commencing further action. Changes to the laws prohibited searching the electoral roll for this very purpose, specifically stating that information contained in the roll is protected information and that such protected information shall not be used for a commercial purpose.
The Australian Electoral Commission would not comment on whether use of the data by the companies involved was appropriate with enquiries being directed to Home Affairs.
In accordance with the Act, LCollect do not access electoral roll data for any commercial purpose and only monitor accounts on legally available search facilities complying with the requirements of the Privacy Act 1988 (Cth).
Wednesday, January 30, 2019 - Posted by Michael McCulloch
You may recall in our August 2018 edition of Debt Collection News that we reported that the Federal Court found against a debt collection company acting for Telstra after proceedings were commenced by the Australian Competition and Consumer Commission (ACCC) and the Australian Securities & Investments Commission (ASIC).
It has now been revealed by Yahoo! Finance that the Federal Court has ordered the debt collection agency involved to pay $750,000 in penalties for intimidation and harassment of the 2 customers who collectively owed $8,920.
The debt collection agency involved in the proceedings was ruled last year to have violated Australian Consumer Law after the ACCC commenced legal action in June 2016. It was alleged that the agency had contacted a stroke victim on more than 40 occasions demanding payment, including 20 demands made by letter, despite the customer indicating to the agency that he had difficulty in speaking and could only utter single words like "stroke", "no" and "speech" in an attempt to indicate that he was disabled and unable to communicate.
ACCC Commissioner, Sarah Court, said in a statement, ".... continued harassment and intimidation of a care facility resident who had difficulty speaking after suffering multiple strokes is one of the worst cases of unconscionable conduct we have seen in the debt collection sector .... conduct towards another consumer who was in difficult financial circumstances, which included giving false information and making empty threats of court action, was also particularly egregious."
Commissioner Court went on to say, "Unconscionable conduct such as harassment, intimidation and coercion of consumers is unacceptable to not only the ACCC and the court, but the wider community."
A spokesperson for Telstra distanced the company from the proceedings stating, “collection activity is being conducted on behalf of the new owner, not on Telstra’s behalf” and that the telco sells debt to a third party only as a last resort.
Thursday, November 29, 2018 - Posted by Michael McCulloch
It's a question that we come across on a regular basis from our commercial clients and one that is more common than you may think.
Interest is the price (charge) paid for the use of someone else's money. For commercial clients, it is a charge that your clients pay when they don't pay your invoice by the due date. When they don't pay you on the due date, they are effectively borrowing money from your organisation.
While those in the finance industry often have very well worded Contracts and Terms and Conditions that allow the calculation of an annual percentage rate (APR), many small business owners struggle to understand the requirements. While they understand the practical value of charging interest, they worry about the practicalities of applying additional interest, fees or charges to an outstanding account.
Can you charge interest to a debt?
The short answer to this question is yes provided your terms and conditions permit it. There are however strict requirements you must meet in order for your claim for interest to be legally collectable, and we would recommend you seek legal advice to ensure your interest charges are recoverable.
What are the requirements?
There should be a provision in your Contract, Agreement and / or Terms and Conditions for the calculation of interest that the customer has agreed to prior to monies being advanced for the goods or services you have provided. This provision should be easy to understand, outline to the customer exactly when interest charges may apply, how they are calculated, the date that interest may start to accrue on the debt and should be a fair and reasonable rate.
What is a fair and reasonable rate?
A fair and reasonable rate can be difficult to determine, however most businesses charge between 5% and 10% per annum. The interest charge should be at a rate that is a genuine estimate of the cost of the late payment to your business (e.g. your bank's overdraft rate). Anything higher than this may not be enforceable.
The Local Court of NSW currently prescribes a pre-Judgment interest rate of 5.50%. This rate is 4.00% above the cash rate last published by the Reserve Bank of Australia and is reviewed every 6 months. The current rates can be found at Interest Rates Applicable After 1 July 2010.
Should you charge interest?
Charging interest to a debt can have pros and cons, and is ultimately a commercial decision. Where a customer knows that interest may be charged on an overdue account or invoice it is often incentive enough for them to pay on time. On the other hand you may alienate a particular customer who may take their business elsewhere. While you may offer a better product or service than your competitor, applying interest to a debt could be the very reason you lose business.
In a situation like this it is often better to communicate to your customer that their payment is late and to grant an extension for payment before charging interest, and to be flexible enough to agree to waive these charges if the customer can be retained.
Is there a minimum amount I can charge interest on?
In NSW the Uniform Civil Procedure Rules 2005 states the following:
36.7 Payment of Interest
(2) The Local Court may not order the payment of interest up to judgment in any proceedings in which the amount claimed is less than $1,000.
While interest may be charged on a debt less than $1,000, assuming that this is clearly set out in your Contract, Agreement and / or Terms and Conditions, it will, if legal proceedings prove necessary, be at the discretion of the Court as to whether or not interest will be awarded.
Have a question about interest, fees or charges? We recommend that you speak with Collection Law Partners or a qualified legal practitioner.
This article is general information only and does not constitute legal advice and is not intended to be relied on in any way.
Tuesday, October 30, 2018 - Posted by Michael McCulloch
The Australian Securities & Investments Commission (ASIC) has provided transition relief for members of the Credit and Investments Ombudsman (CIO) who are currently awaiting membership certificates to be issued by the new Australian Financial Complaints Authority (AFCA).
In a statement to the media ASIC said, "ASIC understands that some licensees and credit representatives who are members of the CIO scheme have not yet obtained their membership to the AFCA scheme. ASIC understands that this includes licensees and credit representatives who: have lodged an application with AFCA Ltd, but membership has not yet been approved; and have not yet lodged an application with AFCA Ltd."
The initial deadline for licence holders was Friday, 21 September 2018, however ASIC said it would be giving transitional relief to prevent authorisations from becoming invalid due to the changeover delays. ASIC stressed to the representatives affected by these delays that they would only be granted relief as long as they ensure that their membership with CIO is maintained. A representative of ASIC went on to say that, "If you are not a member on 1 November, your authorisation will become invalid, and you will need to cease providing credit activities."
ASIC has recently sent a reminder to all financial services and credit licensees to join AFCA which combines the Financial Ombudsman Service, the Superannuation Complaints Tribunal and the Credit and Investments Ombudsman.
Source: TheAdviser - September 2018