June 19, 2013

Electronic offers of securities

ASIC has released Consultation Paper 211, Facilitating electronic offers of securities: Update to RG 107 (CP 211), which includes a proposed update to Regulatory Guide 107 Electronic Prospectuses (RG 107) to ensure that ASIC's guidance reflects current market practices and technological advancements.

ASIC's proposed guidance will cover:
(a) how to make electronic disclosure documents easy for investors to access, read, retrieve and save; and
(b) how to minimise exposure to the risks associated with electronic distribution, such as unauthorised tampering and security risks.

ASIC thinks it is good practice for offerors and distributors to continue to make free paper copies of disclosure documents and application forms available to investors on request.

ASIC also proposes that:
(a) to comply with the requirements of Chapter 6D, electronic disclosure documents must contain the same information in the same sequence and with the same prominence as the paper disclosure document lodged with ASIC; and
(b) it is good practice for electronic disclosure documents to only contain hypertext links within the disclosure document itself or to documents lodged with ASIC and incorporated by reference under section 712.


Posted 19th June 2013 by David Jacobson in Corporations Act, Web/Tech

Regulation reviews to help tech start-ups

The Government has announced two reviews designed to assist tech start-ups.

The Government will undertake consultation on Australian crowd-sourced equity funding (CSEF), which will consider whether Australia’s corporations law properly regulates and facilitates CSEF.

This follows ASIC's guidance published last year to promoters of crowd fundraising.

Treasury has separately announced a review into employee share schemes to help address the barriers faced by start-up companies in attracting and retaining staff.


Posted 19th June 2013 by David Jacobson in Corporations Act, Funds, Web/Tech, Workplace

June 11, 2013

Privacy Data Breach Bill update

The Privacy Amendment (Privacy Alerts) Bill 2013 has been passed by the House of Representatives and will now be considered by the Senate.

To comply with your obligations under the Privacy Act to keep customers' personal information secure, and to avoid having to notify your customers that your system has been hacked, you should consider the Commonwealth Department of Defence's Strategies to Mitigate Targeted Cyber Intrusions.

It lists the top 35 mitigation strategies, ranked in order of effectiveness and categorised by user resistance and cost. Its Top 4 strategies are the place to start.

The Top 4 mitigations are: application whitelisting; patching applications; patching operating systems (and using the latest versions); and minimising administrative privileges.

"While no single strategy can prevent malicious activity, the effectiveness of implementing the Top 4 strategies remains very high. At least 85% of the intrusions that DSD responded to in 2011 involved adversaries using unsophisticated techniques that would have been mitigated by implementing the Top 4 mitigation strategies as a package. ...

The combination of all four strategies, correctly implemented, will help protect an organisation from low to moderately sophisticated intrusion attempts. Put simply, they will make it significantly more difficult for an adversary to get malicious code to run on your ICT system, or continue to run undetected. This is because the Top 4 strategies enable multiple lines of defence against cyber intrusions."
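Application whitelisting, the first of the Top 4, means that only pre-approved programs are permitted to run and everything else is denied by default. The following Python snippet is an added illustration of that idea (it is not code from the DSD document or from this post): it records the SHA-256 digest of each approved executable, denies anything not on the list, and also denies an approved path whose contents no longer match the approved digest, which is how a whitelist catches a replaced or tampered binary. The file paths and byte contents are constructed stand-ins for real executables.

```python
"""Minimal hash-based application allowlist (deny by default).

Added example: an illustration of application whitelisting, not code from
the DSD strategies document. All paths and file contents are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict


def sha256_hex(data: bytes) -> str:
    """Digest used to identify an executable independent of its file name."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample executables: path -> bytes (stand-ins for files on disk).
SAMPLE_FILES: Dict[str, bytes] = {
    "/opt/approved/editor": b"MZ\x90\x00editor-build-1.0",
    "/opt/approved/browser": b"MZ\x90\x00browser-build-7.2",
    "/tmp/downloaded/installer": b"MZ\x90\x00unknown-vendor",
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class HashAllowlist:
    """Permit execution only of binaries whose digest was explicitly approved."""

    def __init__(self) -> None:
        self._approved: Dict[str, str] = {}  # path -> approved SHA-256 digest

    def approve(self, path: str, content: bytes) -> None:
        """Record the digest of a known-good build for this path."""
        self._approved[path] = sha256_hex(content)

    def check(self, path: str, content: bytes) -> Decision:
        """Deny by default; allow only if path is listed and digest matches."""
        expected = self._approved.get(path)
        if expected is None:
            return Decision(False, "not on allowlist")
        actual = sha256_hex(content)
        # Constant-time comparison is the idiomatic way to compare digests.
        if not hmac.compare_digest(actual, expected):
            return Decision(False, "hash mismatch (binary modified or replaced)")
        return Decision(True, "approved hash")


def build_sample_allowlist() -> HashAllowlist:
    """Approve the two sample programs the organisation has vetted."""
    allowlist = HashAllowlist()
    allowlist.approve("/opt/approved/editor", SAMPLE_FILES["/opt/approved/editor"])
    allowlist.approve("/opt/approved/browser", SAMPLE_FILES["/opt/approved/browser"])
    return allowlist


def evaluate_samples() -> Dict[str, Decision]:
    """Run every sample through the allowlist, plus one simulated tampering case."""
    allowlist = build_sample_allowlist()
    results = {path: allowlist.check(path, content) for path, content in SAMPLE_FILES.items()}
    # Same approved path, but the on-disk contents were altered by one byte.
    tampered = SAMPLE_FILES["/opt/approved/editor"] + b"\x90"
    results["/opt/approved/editor (tampered)"] = allowlist.check("/opt/approved/editor", tampered)
    return results


if __name__ == "__main__":
    for path, decision in evaluate_samples().items():
        verdict = "ALLOW" if decision.allowed else "DENY "
        print(f"{verdict} {path}: {decision.reason}")
```

Running the script allows the two approved binaries, denies the downloaded installer because it was never approved, and denies the tampered editor because its digest no longer matches. Real whitelisting products enforce this in the operating system rather than in a script, but the decision logic is the same.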


Posted 11th June 2013 by David Jacobson in Compliance, Privacy, Web/Tech

May 30, 2013

Mandatory data breach notification provisions introduced

The Government has introduced the Privacy Amendment (Privacy Alerts) Bill 2013 into the House of Representatives.

If passed the Bill will introduce mandatory data breach notification provisions for agencies and organisations that are regulated by the Privacy Act.

The Bill will commence immediately after the amendments to the Privacy Act contained in the Privacy Amendment (Enhancing Privacy Protection) Act 2012 commence on 12 March 2014.

Notification would be provided to affected individuals when a data breach relating to their personal information causes ‘a real risk of serious harm’. Notification would be compulsory unless it would impact upon a law enforcement investigation or was determined by the regulator to be contrary to the public interest.

There are specific provisions relating to serious data breaches by credit providers and credit reporting bodies of credit eligibility information and credit reporting information. There is also a requirement relating to tax file number information.

A data breach arises where there has been unauthorised access to, or disclosure of, personal information, or where personal information is lost in circumstances that could give rise to unauthorised loss or disclosure.

Data breaches can be the result of hacking, poor security and sometimes carelessness.

Serious harm, in this context, includes physical and psychological harm, as well as injury to feelings, humiliation, harm to reputation and financial or economic harm. The risk of harm must be real, that is, not remote, for it to give rise to a serious data breach.

It is not intended that every data breach be subject to a notification requirement. It would not be appropriate for minor breaches to be notified because of the administrative burden that may place on entities, the risk of notification fatigue on the part of individuals, and the lack of utility where notification does not facilitate mitigation.

In the event of a serious data breach, the regulated entity is required to provide notification to the Commissioner and affected individuals as soon as practicable after the entity believes on reasonable grounds that there has been a serious data breach.

The notice must include:

  • the identity and contact details of the entity
  • a description of the serious data breach
  • the kinds of information concerned
  • recommendations about the steps that individuals should take in response to the serious data breach, and
  • any other information specified in the regulations.

The Privacy Commissioner will be able to seek civil penalties if there is serious or repeated non-compliance with the notification requirements.


Posted 30th May 2013 by David Jacobson in Compliance, Financial Services, Privacy, Web/Tech

May 13, 2013

Data risk and privacy

The OAIC's comments on APRA's draft Prudential Practice Guide (PPG 235) Managing Data Risk are a useful guide to analysing an organisation's data security procedures from a privacy perspective:

  • does the procedure concern the collection, disclosure, use and storage of "personal information" (as defined in the Privacy Act)?
  • does "confidentiality" include "privacy"?
  • are the obligations regarding the handling of personal information set out in the Privacy Act (including the Privacy Principles) considered?

NPP 1 (which will be replaced by APP 2 which deals with the collection of solicited personal information) requires that:

  • personal information may only be collected where necessary for a function or activity of the organisation
  • collection must not be by unfair or unlawful means, and
  • reasonable steps must be taken to provide the individual to which the information relates with notice of specified matters, including the identity of the organisation collecting the information, the purpose of the collection, and the contact details of the organisation.

NPP 2 (which will be replaced by APP 6) provides that personal information may only be used or disclosed for the purpose for which it was collected (the ‘primary purpose’), unless a specified exception applies. This requires an organisation to have a clearly defined purpose for the initial collection of personal information, which is also consistent with the requirements of NPP 1.

NPP 4 (which will be replaced by APP 11) relates to data security and requires organisations to take ‘reasonable steps’ to protect the personal information that they hold from misuse or loss and from unauthorised access, use, modification or disclosure.

The OAIC is currently developing guidance on the reasonable steps with respect to information security that organisations are required to take under the Privacy Act.

The OAIC has also published a voluntary Data Breach Notification Guide which outlines steps that organisations should consider in preparing for and responding to information security breaches, including notifying affected individuals. The Government is considering mandatory data breach notification provisions.

NPP 9, which relates to trans-border data flows, currently provides that organisations cannot avoid their Privacy Act obligations by sending personal information offshore.

NPP 9 generally prohibits an organisation from disclosing personal information to someone in a foreign country who is not subject to a comparable information privacy scheme, unless the individual has consented.

NPP 9 will be replaced by APP 8, which deals with cross-border disclosures of personal information: this principle will not prohibit cross-border disclosures of personal information, but organisations will be accountable for any disclosure of personal information outside Australia unless one of a number of exceptions applies. Before any actual cross-border disclosure of personal information occurs, an organisation must have put in place appropriate arrangements in relation to the information.

The Tax File Number Guidelines 2011 (TFN Guidelines) issued under the Privacy Act regulate the collection, storage, use, disclosure, security and disposal of individuals’ TFN information.

Guideline 6 of the TFN Guidelines states that TFN recipients must take ‘reasonable steps’ to safeguard TFN information. This includes protecting TFN information from misuse and loss, and from unauthorised access, use, modification or disclosure, and ensuring that access to records containing TFN information is restricted to individuals who need to handle that information for legal purposes.

Part IIIA of the Privacy Act governs the handling of credit information files, credit reports and other creditworthiness information about individuals by credit reporting agencies (CRAs) and credit providers. CRAs and credit providers must also ensure that credit information files and credit reports are subject to such security safeguards as are ‘reasonable in the circumstances’.

The OAIC suggests that the Draft APRA Practice Guide also refer to de-identification as a tool for managing data risks.


Posted 13th May 2013 by David Jacobson in Financial Services, Privacy, Risk Management, Web/Tech

April 16, 2013

Bank IT operational risk and regulatory compliance

Information technology research and advisory company Gartner has published a report "Banks That Are 'Too Big to Fail' Are Also Too Big to Succeed."

Gartner cites higher levels of regulatory compliance, increased investment in risk management and technology advancements as stress points.

The report concludes that, as banks shift their focus from agility in response to external conditions to risk control, their increased size and operational complexity create performance drags by accelerating demand and complexity.

It says there is a "law of diminishing IT returns" under which any technological progress that increases the efficiency with which a resource is used tends to increase (rather than decrease) the rate of consumption of that resource. The paradox is that increased efficiency leads to increased demand.

As demand continues to rise, Gartner says the critical factor is not the number of devices, but rather the number of digital services offered via the Internet. These, in turn, will continue to mean that efficiency gains in supply are overwhelmed by consumption.

For all financial service providers, new technologies, customer expectations and market conditions require closer attention to IT governance to maintain continuity of customer services.


Posted 16th April 2013 by David Jacobson in Financial Services, Risk Management, Web/Tech

April 8, 2013

Privacy issues for mobile app developers

The Office of the Australian Information Commissioner (OAIC) is seeking comment on a consultation draft of Mobile privacy: A better practice guide for mobile app developers.

The OAIC has developed this guide to help mobile device application (app) developers embed better privacy practices in their products and services.

The Commissioner comments that:

It is clear that the mobile environment, along with the new app economy it has generated, presents risks as well as potential. If you are a mobile app developer, whether you work on your own, or for a business or government agency, you should adopt a ‘privacy by design’ approach, where privacy-enhancing practices are applied throughout the life cycle of the personal information – that is, its collection, use (including data matching and analytics), disclosure, storage and destruction.

Given the growing popularity of apps, app developers can expect increased scrutiny of the privacy practices in the app industry in the years ahead – by both regulators and the market itself, driven by increasingly informed, discerning and influential consumers.

The draft guide contains a privacy checklist for app developers.


Posted 8th April 2013 by David Jacobson in Privacy, Web/Tech

January 31, 2013

Developing a social media policy for your business

While social media (any form of interactive online communication) is a relatively new marketing channel for you to generate new business and interact with customers, the laws that apply to other means of communication apply equally to social media.

The risks include potential consumer protection law breaches and other legal, reputation, and operational risks.

Increased risk can arise from poor oversight or control.

The ACCC has published an Information Sheet setting out its view that businesses using social media channels like Facebook, Twitter and YouTube have a responsibility to ensure content on their pages is accurate, irrespective of who put it there.

A business that has chosen not to use social media should still be prepared to address the potential for liability for defamation or negative comments or complaints that may arise in social media.

Activities that result in dissatisfied consumers and/or negative publicity could harm your reputation even if you have not breached any law.

Employees’ communications via social media, even through employees’ own personal social media accounts, may be viewed by the public as reflecting their employer’s official policies or may otherwise reflect poorly on the employer. Therefore, you should establish appropriate policies to address employee participation in social media that implicates your business.

If you haven't reviewed your policy recently (or don't have one) here are some issues to consider:

  • Have you planned for compliance with laws relating to data security, privacy, debt collection, misleading or deceptive marketing, the Spam Act, workplace issues, consumer protection, fraud, consumer complaints, payment system issues and AML/CTF?
  • Do you intend to limit comment to authorised employees or allow all staff to make comments about your business whether or not they are at work?
  • If you allow your employees to use social media on behalf of the company, can they take their social media account with them when they leave?
  • Do you require all employees using social media to talk about the business to disclose their association with the business?
  • Do you prohibit the disclosure of confidential business information?
  • Do you prohibit the disclosure of customer information?
  • Do you require staff to inform you about negative comments about your business they become aware of?
  • Do you prohibit unlawful or offensive comments?
  • Will a breach of your policies result in dismissal?
  • What arrangements do you have for keeping a record of your social media activity?

What do you need to do?
1. Develop policies and procedures (either stand-alone or incorporated into other policies and procedures) regarding the use and monitoring of social media and compliance with all applicable laws. The policies and procedures should address risks from online postings, edits, replies, and retention.

2. Implement an employee training program that incorporates your policies and procedures for official, work-related use of social media.

3. Monitor information posted to social media sites administered by you.


Posted 31st January 2013 by David Jacobson in Compliance, Marketing, Privacy, Web/Tech, Workplace

January 29, 2013

ePayments Code transition ends on 20 March

The ePayments Code, which replaces the existing Electronic Funds Transfer Code of Conduct (EFT Code), will commence for all financial services providers who subscribe to it from 20 March 2013.

The Code regulates consumer electronic payments including ATM, EFTPOS, debit and credit card transactions (including contactless transactions), online payments, internet banking and BPAY.

The ePayments Code:

  • requires subscribers to give consumers terms and conditions, information about changes to terms and conditions (such as fee increases), receipts and statements,
  • sets out the rules for determining who pays for fraudulent and unauthorised transactions, and
  • establishes a regime for recovering mistaken internet payments.

Subscribers must update their consumer information and procedures.

ASIC is responsible for the administration of the ePayments Code, including monitoring compliance and reviewing it regularly.

Posted 29th January 2013 by David Jacobson in Financial Services, Web/Tech

November 29, 2012

IT glitches and operational risk

The Payments System Board has released a report setting out the Board's conclusions from an informal consultation on operational incidents in retail payments systems over the last few years which caused considerable disruption to customers of the authorised deposit-taking institutions (ADIs) in question, as well as to other ADIs and their customers.

The Reserve Bank previously announced it would be formalising a requirement for RITS members to report significant retail operational incidents.

The report identifies the operational risk that arises from the continued use of legacy systems; until recently many participants have tended to underinvest in payments infrastructure.

The Board has concluded that at present there is no need for a regulatory response to operational incidents in this sector. It is proposed that at least for the time being the Bank's role be limited to monitoring retail operational incidents and collecting data on them.


Posted 29th November 2012 by David Jacobson in Financial Services, Risk Management, Web/Tech