October 13, 2008

New Zealand deposit guarantee scheme

New Zealand Finance Minister Michael Cullen has announced that the New Zealand government is to introduce an opt-in retail deposit guarantee scheme for 2 years.

The scheme will cover all retail deposits of participating New Zealand-registered banks and retail deposits by locals in non-bank deposit-taking entities. This would include building societies, credit unions and deposit-taking finance companies.

The deposit guarantee scheme does not include related party liabilities.

For New Zealand incorporated registered banks, deposits from both residents and non-residents will be covered.

For non-bank deposit takers and for the unincorporated branches of overseas entities, only deposits of New Zealand citizens and New Zealand tax residents will be covered.

Deposit liabilities will be covered regardless of the currency in which they are denominated.

Deposits and other liabilities owed to financial institutions, whether in NZ or offshore, are explicitly excluded from this guarantee.

The new scheme is an opt-in scheme and would take the form of a bilateral contractual agreement between the Crown and the individual institutions which take up the guarantee.

The scheme will be free for institutions with total retail deposits under $5 billion. A fee of ten basis points per annum will be charged on total deposits above $5 billion.

Posted 13th October 2008 by David Jacobson in Risk management

October 12, 2008

Australian government guarantees Australian bank, building society and credit union deposits

The Prime Minister has announced the Australian Government will guarantee all deposits of Australian banks, building societies and credit unions and Australian subsidiaries of foreign-owned banks.

The guarantee applies to all types of deposits, regardless of the type of account through which the deposit is made. For example, it includes savings accounts, passbook accounts, cheque accounts, pensioner deeming accounts, term deposits, mortgage offset accounts, farm management accounts, first home savers accounts and retirement savings accounts. Both retail and wholesale deposits are covered by the guarantee.

The guarantee applies to deposits held by all types of legal entities in Australia, including individuals (including joint accounts), partnerships, businesses, trusts and government entities.

The guarantee applies to deposits denominated in any currency.

The guarantee does not apply to deposits held in branches of foreign banks in Australia. These deposits are not subject to the depositor protection provisions of the Banking Act 1959.

The guarantee will operate for a period of three years from 12 October 2008 without a cap on the guarantee.

The Government will review the guarantee cap in 3 years.

Posted 12th October 2008 by David Jacobson in Risk management

October 8, 2008

Data breach notifications

If your mobile loans officer’s laptop computer is stolen from the back of his car, do you know what information is stored on it?

How do you decide whether to tell members whose information was stored on the computer? What are your procedures for notifying your members that their personal information is at risk and that they might be subject to identity fraud? Who else should you notify (eg police, Privacy Commissioner, your insurer)?

The same questions could be asked in respect of a lost flash drive (memory stick) with your staff’s personal details, a stolen box of out-of-date credit reports or a CD left in an airport computer.

Whilst there is no mandatory data breach notification law in Australia yet, the Privacy Commissioner has issued a Voluntary Data Breach Notification Guide.

If you don’t yet have a policy on these issues, the Guide contains an excellent framework for decision making and good sample scenarios.

Posted 8th October 2008 by David Jacobson in Risk management

September 23, 2008

Next Langes compliance meeting

The next Langes compliance meeting on 7 October in Sydney will discuss the following:

1. APS 330: Final check before 25 November 2008.

2. First Home Saver Update: Tier 2 Training and PDS sign-offs.

3. Personal Property Securities Reform: Single register, how does it affect Credit Unions?

4. APS 310 Checklist: Getting ready for October.

5. APS 520 – Fit and Proper: A note for new candidates.

6. Privacy Report: Data breach notification guide.

7. Changes to External Dispute Resolution Schemes.

8. AML/CTF Act reporting implementation policy

If you aren’t yet part of our program you can attend in person, by teleconference or web streaming.

Call me on 07 3878 5098 if you want to know more.

Posted 23rd September 2008 by David Jacobson in Risk management

September 21, 2008

Global financial crisis and Australian regulation

The failure last week of Lehman Brothers and AIG raised the issue of whether we are going to see greater financial services regulation: What next? (The Economist)

Kevin Rudd has put his faith in Australia’s regulators: ABC interview.

What is certain is that your organisation’s compliance officers will need to be adequately resourced and trained to ensure you manage your compliance risks and keep up with any changes.

Posted 21st September 2008 by David Jacobson in Risk management

August 28, 2008

Can you rely on third parties to protect your customers’ privacy?

The story from the UK about the sale on eBay of a computer that contained information on several million bank customers (BBC News) raises issues about the security procedures of external service providers.

Apparently the computer was used by a data processing and archiving company which did credit card work for financial institutions.

The information is said to include account details and in some cases customers’ signatures, mobile phone numbers and mothers’ maiden names for 3 organisations.

Posted 28th August 2008 by David Jacobson in Risk management

August 26, 2008

Going back to basics with mortgages: why did the sub-prime crisis occur?

In Putting the ‘mort’ back in mortgage – a pocket guide to the global credit crisis (pdf) ASIC deputy chair Jeremy Cooper looks at what went wrong with US mortgages and the collapses of the British bank Northern Rock and the American investment bank Bear Stearns.

Posted 26th August 2008 by David Jacobson in Risk management

Privacy and data breach notification

The recent ALRC Privacy Law report noted that given the increasing fear of identity theft and fraud, most customers and users of government services believe they have a right to be informed when the security and privacy of their personal information have been compromised.

Consequently, the ALRC recommends the introduction of a mandatory data breach notification scheme.

The ALRC has recommended that an agency or organisation only be obliged to notify affected individuals and the Privacy Commissioner when a data breach has occurred that may give rise to serious harm to any affected individual.

The government has indicated it will deal with this issue in the second stage of its response in the next 12 to 18 months.

In the meantime, the Australian Privacy Commissioner, Karen Curtis, has released a "Guide to Handling Personal Information Security Breaches" (pdf). It is a voluntary guide for use by businesses, agencies and non-government organisations in preventing and, if necessary, responding to a data breach.

The Guide includes four key steps to consider when responding to a breach:

Step 1: Contain the breach and do a preliminary assessment

Step 2: Evaluate the risks associated with the breach (risk analysis is on a case-by-case basis: not all breaches necessarily warrant notification).

Step 3: Consider notification

Step 4: Prevent future breaches.

With regard to Step 3, the Guide suggests that individuals affected by a breach should only be notified where a breach creates a real risk of serious harm to the individuals.

The Guide incorporates illustrative examples which will assist in deciding, in particular circumstances, questions such as whether notification is an appropriate response.

Posted 26th August 2008 by David Jacobson in Risk management

August 24, 2008

Risk management lessons from ANZ securities lending review

The ANZ Bank’s report of a Review Committee (pdf) which examined the Bank’s involvement in Securities Lending and its relationship with Broker clients including the Opes Prime group has some important risk management lessons:

  • Your staff need to fully understand the products they deal in.
  • You need to understand and manage all the risks in your business. In particular you need to identify unacceptable reputational and financial risks.
  • Lack of a proper control environment: the Equity Finance business lacked an appropriate control framework, in particular with respect to credit limits and conditions relating to the quality and quantity of securities accepted by the Equity Finance business and the loan-to-value ratios applied to those securities.
  • Poor accountability and ‘management by committee’: there was a lack of individual accountability within the line and risk management responsible for the Equity Finance business, with responsibility for many decisions resting with committees. This was compounded by deficiencies in the structure and management of the relevant committees.
  • Failure to identify and act on warning signs: various concerns relating to the processes, personnel and systems utilised in the Equity Finance and Securities Lending businesses and the risks associated with these businesses were identified by various staff and in the course of internal audit reviews. However, they were not addressed in a timely or effective manner. There was a history of procrastinating on decisions to either invest in systems to remedy issues or to exit the business.
  • Failure to report relevant issues to the Chief Executive Officer and Board: the gravity of the issues relating to the Equity Finance business should have been, but were not, properly brought to the attention of the Chief Executive Officer and Board.
  • Breaches of ANZ employee conduct policies.

The weaknesses in the management and oversight of the Equity Finance business within ANZ’s Securities Lending unit meant that ANZ did not adequately identify and manage the range of risks which arose from the operation of a business of this nature.

ANZ recognises that the legacy of its involvement in Equity Finance may well be with the Bank for many years through legal cases that it will continue to defend and also the impact of these issues on its reputation.

Posted 24th August 2008 by David Jacobson in Risk management

August 22, 2008

What risk management procedures do your third party providers have?

Imagine the response if your customers received someone else’s account details in a letter addressed to them.

That is what happened to customers of Goldfish, a credit card subsidiary of Barclays (Telegraph UK).

According to ComputerWeekly, a processing error at the printer the company uses to process statements meant the statements were printed incorrectly. The front page was correct, but subsequent pages contained the account information of other people.

What procedures do your contractors have to avoid these types of errors? How do you monitor them? (Some of my clients have "dummy members" so they see every mail out). How often do you audit their procedures?

And if something goes wrong do you have a rapid response plan?

Posted 22nd August 2008 by David Jacobson in Risk management