strengthening risk guidelines for any organisation regulatory · regulatory news briefs x page 8...



Financial crimes: Updates from leading media outlets

Risk guidelines for any organisation: All industries should be concerned about their risk frameworks

From anarchy to a federated GRC: Using planning to bring all the data together

Facing the changing AML/CTF environment: Following the money trail outside of national borders

Financial services reform in NZ — are we there yet? New Zealand’s journey towards implementation of a new regulatory regime for securities offerings

NOVEMBER 2015 | The Official Magazine of the GRC Institute

Strengthening regulatory frameworks


Cover story (page 11): Strengthening regulatory frameworks. Even though the Financial System Inquiry felt that the Australian financial system is already well regulated, all financial systems have potential vulnerabilities.

Contact us

GRC Professional is the official monthly publication of GRCI in Australia, New Zealand, Hong Kong & South-East Asia.

GRC Institute

President: Carolyn Hanson. Vice President: Lois McCowan. Directors: Craig Greenwood, Susan Cretan, Stephen Luk, Christine Mead, Alexi Paxinos, Sasha Culjkovic, Martin Tolar.

Managing Director: Naomi [email protected]

Business Development Manager: Elizabeth [email protected]

Ph: +61 2 9290 1788. Fax: +61 2 9262 3311. www.thegrcinstitute.org. GPO Box 4117, Sydney NSW 2001, Australia.

GRC Professional

Editor: Kwame Slusher [email protected]

Advertising: Naomi Burley +61 2 9290 [email protected]

disclaimer: While GRCI uses its best endeavours in preparing and ensuring the accuracy of the content of this publication, it makes no representation or warranty with respect to the accuracy, applicability, fitness, legal correctness or completeness of any of the contents of this publication. Information contained in this publication is strictly for educational purposes only and should not be considered legal advice. Readers must obtain their own independent legal advice in relation to the application of any of the material published in this journal to their individual circumstances. The Institute disclaims any liability to any party for loss or any damages howsoever arising from the use of, or reliance upon, any of the material contained in this publication.

Contents

President’s message: page 3

Book review: page 5

Regulatory news briefs: page 8

GRC2015 news

Risk guidelines for any organisation: Media organisations live and breathe risk management, just like any other organisation. Page 10

From anarchy to a federated GRC: There is a need for a federated GRC, where the different GRC functions in an organisation formulate a synergistic relationship and do not operate in silos. Page 13

Facing the changing AML/CTF environment: Nation-state borders are not barriers for those who wish to exploit financial systems. During his presentation at the GRC2015, John Visser, Australian Transaction Reports and Analysis Centre National Manager, asserted that the only way to contend with the exploitation of financial systems is innovation and integration. Page 15

Financial crimes: Current affairs you may have missed. Page 17

NZ news

Financial services reform in New Zealand — are we there yet? New Zealand’s journey towards implementation of a new regulatory regime for securities offerings and capital markets has been a long one, but we are beginning to see light at the end of the tunnel. Page 19

Wynyard report

Insider threats: the weakest link. With the media focussing on external cyber threats, such as the recent hacking of the Obama administration’s network by Iran’s Revolutionary Guard, the spotlight has been taken off the danger of insider activity. Page 22

GRC2015 conference: GRCI Award winners. Page 23

GRCI news: Meet the new GRCI Board. Page 26


President’s message

Investing in the future

As your newly elected President, I would like to take this opportunity to share some of my thoughts on what I, as a member of GRCI, am looking for from the Institute.

Risk and compliance, as a profession, is relatively new. As such, we are still developing our professional standards and credentials.

In the current environment, not-for-profit, professional organisations, including the GRCI, are under pressure to do more for their members than has traditionally been their remit. Providing qualifications with connected accreditations and ongoing professional events, such as an annual conference, is – to my mind – no longer sufficient. As a member, I know I am looking for more.

The world is changing. Seven years ago, no one had an iPad or an iPhone; word of mouth has been replaced by “word of mouse” and, for the first time, just like the organisations from which its members come, GRCI has members spanning five generations. In this changing environment, leadership is becoming more and more about asking the right questions, rather than thinking you know all the answers. Leaders can’t know all the answers—not in a time where information, tools, and practices change so very fast.

The core focus of the GRCI continues to be qualifications and CPD but, as a group, I believe we need to mobilise more effectively. A new direction in any sphere requires the self-belief of those impacted – this means that GRCI members must believe in themselves as professionals, take control and invest in the future of the GRCI.

I know that any change is painful and proactivity takes effort. It is easy to wait for others to produce things for you and to complain that what’s offered is not what you consider to be sufficient. It’s difficult to take time out of your busy schedule to think ahead and contribute to the future.

Of course, not everyone wants to join the board, or write an article, but there are many ways to support other members, whether via mentoring, involvement in discussion groups or contributions to advocacy efforts. The GRCI needs its members to be proactive and to get involved.

In last month’s edition, our new Managing Director, Naomi, commented that our members are smart people, and I agree. I would also add that I think we are all leaders in some form or other – whether that be in our roles at work, at home or in our professional development.

I believe GRCI should continue to focus on what matters to members and strive to be member-centric in everything it does. To achieve this, the GRCI needs to know what members want.

So what does 2020 look like for the GRCI? GRCI needs to understand the changing dynamics in the risk and compliance space and to support you, our members, to do the same. We need to know what you want and need in your professional lives. This, we understand, is often dependent upon what your organisations are demanding from you. As such, the GRCI needs your continuing support.

I firmly believe that the GRCI has a place among the influencers in Australia and the APAC region. It has the capacity to become more than just another provider of qualifications. I am really interested to hear members’ thoughts for GRCI 2020, and I am always happy to receive feedback and suggestions via email at [email protected]

Looking forward to hearing from you,

Carolyn Hanson, President, GRCI.



4 GRC Professional • November 2015


Book review

Enterprise Risk Management: A Common Framework for the Entire Organization. Editor: Phillip E.J. Green

During his presentation at the GRC2015, Mark Wilson, Head of Risk and Audit at Seven West Media, listed what he called the “seven house rules”. The first of these rules was to educate yourself – that is, to read thought leadership papers, attend workshops and focus on professional development.

The text, Enterprise Risk Management: A Common Framework for the Entire Organization, should be read by any risk professional or aspiring risk professional who wishes to stay ahead of the curve. The text seeks to “…equip the reader to manage an organisation’s risk.” More importantly, Green writes that the text will attempt to provide a common vocabulary for managing those risks. This is important because the text is a collection of writings from 22 different authors, all operating in different risk areas, and all holding their experience to the light to give the reader a sense of how certain issues can be considered.

“The idea,” Green writes, “is to help readers focus on the substantive aspects of several risk specialities, rather than on the semantic and the procedural.”

The text tackles one of the major challenges faced by business managers when it comes to risk management in their respective organisations, and that is, “…that the many fields of risk management are dominated by specialists and jargon.” Green writes that there also seems to be an, “…infinite variety of risk management processes,” as well.

The text itself makes no claims of being comprehensive; however, because of the subject matter’s inherent fluidity, it does focus on the connecting thread between various fields of risk, such as environmental risk, health and safety risks, project risk management, operational risk, cybersecurity, financial risk and global and strategic risks, to name a few. What the text does well is to highlight the cohesiveness of different risk fields, by underlining the commonly used terms.

The role of boards

With the announcement of the new board of directors for the GRC Institute and the GRC2015, the section of the book titled ‘The Role of the Board of Directors in Risk Management’, by Peter Whyntie, an independent GRC consultant, seems most pertinent.

Whyntie writes that, “Though broad consensus holds that directors should govern and managers manage, there is less consensus on what that actually means.” Whyntie references a “prominent New Zealand Director”, Rob Campbell, who said that the aforementioned assumption about the roles of directors and the roles of managers is too simplistic.

He illustrates that there is a far more symbiotic relationship between directors and managers and their roles. Whyntie writes that, “The board has a critically important role in setting the culture necessary to support and maintain effective risk management”.


However, understanding the parameters of that critical role can be challenging in a case where the language of the regulation raises questions like the one that Sarah Goodman, Executive General Manager of the Australian Prudential Regulation Authority, addressed at the GRC2015. In 2014, APRA gave organisations instruction to review CPS 220, and many organisations responded that there did not seem to be any clear delineation between the role of the board and the role of management. The fact is that the roles are different but are also interrelated, in the sense that they are dependent upon each other. Whyntie writes that, for a board to properly perform its governance responsibilities, it needs to receive, “accurate, relevant, and timely information and data.”

Whyntie writes, “If directors continually investigate whether reporting is informing the board and its decision making, then management would better appreciate what is required.”

Like the other authors in the text, Whyntie uses a variety of examples and refers to the regulations to contextualise his piece – not so much in a prescriptive sense, but rather in a provocative one that allows readers to consider the chapter and to see how the discussion topics correlate with their organisational structures.

Enterprise Risk Management: A Common Framework for the Entire Organization. Ed. Phillip E.J. Green. pp 242, Butterworth Heinemann.

Regulatory news briefs

From the Australian Competition and Consumer Commission (ACCC)

The ACCC issued three infringement notices to Epharmacy because the company may have made misleading representations to consumers that they would save money off the recommended retail price (RRP) for certain Healthy Care branded products purchased through the Chemist Warehouse, My Chemist or Epharmacy websites. The Healthy Care range of natural health products is a private label brand supplied exclusively to pharmacies that trade under the aforementioned names, which are part of the My Chemist Group.

“If the product has never been previously sold at the RRP, or the RRP does not reflect a current market price, then this type of comparison misrepresents the savings that may be achieved,” ACCC Commissioner Sarah Court said. •••

Following a joint investigation by the ACCC and NSW Fair Trading into the conduct of private colleges, the ACCC and the Commonwealth (for the Department of Education and Training) have instituted proceedings in the Federal Court against Phoenix Institute of Australia Pty Ltd (Phoenix) and Community Training Initiatives Pty Ltd (CTI).

The proceedings allege that Phoenix made false or misleading representations and engaged in unconscionable conduct, in breach of the Australian Consumer Law (ACL), when marketing and selling VET FEE-HELP-funded courses between January 2015 and October 2015 in New South Wales, Victoria, Queensland, the Northern Territory and Western Australia.

Phoenix represented to prospective students that they would receive a free laptop and that the course(s) were free, or would be free, if the consumer did not earn more than approximately $50,000 per annum. In fact, the laptop they received was on loan, and students enrolled in the courses incurred a VET FEE-HELP debt payable to the Commonwealth Government. Repayment of this debt would commence if they earned more than a specified amount in a financial year ($54,126 in the 2014-2015 income year).

It is also alleged that CTI aided and abetted this conduct by providing administrative support. •••

The Federal Court in Brisbane has sentenced Robert Paul Davies to 200 hours of community service for aiding, abetting, counselling or procuring the failure by Natural Food Vending Pty Ltd (Natural Food Vending) to comply with a compulsory notice issued by the ACCC, following his earlier conviction for this offence. •••

Arnott’s Biscuits Ltd (Arnott’s) has paid penalties totalling $51,000, following the issue of five infringement notices by the ACCC relating to representations made by Arnott’s about its Shapes Light & Crispy product.

Between October 2014 and July 2015, Arnott’s represented on the packs of four varieties of Shapes Light & Crispy, and a multipack, that Shapes Light & Crispy contained “75% less saturated fat” than Arnott’s original Shapes biscuits, when in fact the product contained approximately 60 per cent less saturated fat than original Shapes.

In making the “75% less saturated fat” representation, Arnott’s was actually comparing its Shapes Light & Crispy product to potato chips cooked in 100% palm oil, and not to its original Shapes. This was included in a fine print disclaimer at the bottom of the packs. However, even if potato chips had been an appropriate comparison for the saturated fat content of Shapes Light & Crispy, the ACCC notes that, since only around 20 per cent of potato chips sold in Australia are cooked in palm oil, the representation may still have been misleading. •••

ACCC Chairman Rod Sims said that the review of the Australian Consumer Law will be an opportunity to improve the existing legislation.

According to the ACCC, Sims “flagged some possible areas for review, including the adequacy of the ACL penalty regime in delivering deterrence, the application of the ACL to the sharing economy, challenges around adopting trusted international product safety standards, and in relation to Phoenix companies.”

Sims explained that there was a need to examine “whether the ACL can adequately address any consumer protection issues that may arise within these transactions.”

The ACCC media release concluded that, in 2016, Consumer Affairs Australia and New Zealand will conduct the review, with a final report expected in March 2017. •••

From the Australian Transaction Reports and Analysis Centre

Delegates at the first counter-terrorism financing summit in the Asia Pacific region have agreed on the urgent need to maximise the use of technology in the fight against terrorism.

The summit brought together officials and international experts from multilateral organisations and 19 countries, including from outside the region.


For the first time in official regional discussions on terrorism financing, representatives from the private sector, academia and independent think tanks also attended. •••

From the Australian Securities and Investments Commission (ASIC)

The Australian Securities and Investments Commission has accepted an enforceable undertaking from Simply Energy Solutions Pty Ltd (SES).

Earlier this year, SES marketed and sold solar panel systems that customers could either pay for up-front or via a five-year instalment plan. The price should have been the same whether the consumer paid up front or by instalments. However, in setting the price, SES built in a figure over and above the cash price for the goods.

The National Credit Act provides that, where a person offers goods by instalment and the amount payable by instalments exceeds the cash price of the goods, the person may be engaging in “credit activities”.

In 2015, SES reviewed its position and determined that it was engaging in credit activities and required an ACL (Australian credit licence). •••

ASIC has disqualified James Dermody of New South Wales from being an approved self-managed superannuation fund (SMSF) auditor.

The regulatory body determined that he was not a fit person to act as an approved SMSF auditor because he signed independent auditor’s reports and auditor independence declarations for two companies for the years ending 30 June 2013 and 2014, when he was not a registered company auditor under the Corporations Act 2001.

The Superannuation Industry Supervision Act required all SMSF auditors to be registered in 2013, to ensure that all SMSF auditors meet the base standards of competency and expertise. •••

GRC2015 news

Risk guidelines for any organisation

“We were able to broadcast from a temporary newsroom and studio that were built from scratch in just under two hours, after we had to evacuate our main national news facility”

Media organisations live and breathe risk management, just like any other organisation.

Last month, Mark Wilson, Head of Risk and Audit at Seven West Media, presented at the GRC2015 Conference. He spoke about the challenges of risk management through the aperture of the Lindt Café Siege.

He explained that Seven West Media tests its disaster recovery plan across the country almost every day.

“As a result of that, we are not only testing our systems and maintaining their competence and ability, but also our people know instinctively what to do during a disruption such as this. However, no matter how many plans or scenarios we test, you can never anticipate everything that is going to happen and that is where it pays to be adaptable,” Wilson stated.

He begins his story: “So, Monday 15 December 2014, we were broadcasting The Morning Show. At 9:45 am, staff were alerted to events unfolding at the Lindt Café, just opposite our studios. We started covering what was initially believed to be a holdup that obviously turned into something more. At around 10:00 am, police started evacuating the buildings around Martin Place and our staff also became aware they would have to evacuate the building.”

It was their preparedness that allowed the media organisation to set up temporary broadcasting arrangements. “When most news organisations were ramping up for what was obviously a very significant story in our history, we were relocating our newsroom, which is obviously the nerve centre during these sort of situations,” he explained.

Wilson said that the organisation was able to broadcast from a temporary newsroom that was built from scratch in less than two hours.

Every organisation should be prepared

Wilson stated that the qualities needed in this situation are the same qualities that organisations need to respond to massive organisational change. Just like other organisations, in times of change, risk management is hindered by a number of factors. There is the challenge of management distraction, a pool of competing priorities that can paralyse decision-making in an organisation, and risk functions can get caught in the detail.

“However, it would be nice if it was just one change at a time. What there is, really, is a cumulative impact. These different effects compound and that has a significant effect on the impacts of risk management,” Wilson stated.

Wilson listed the seven house rules that will help an organisation have the agility and adaptability it needs to face a crisis:

1. Educate yourself: read thought leadership papers, attend workshops and focus on professional development.

2. Have a strategic band-aid: highlight the key strategic risks in your organisation and stay abreast of all the new and emerging risks.

3. Get involved in strategic planning: make sure all risks are incorporated in the process and talk about the results, if action is not taken on a particular key strategic risk. You need to have a doomsday scenario that can provide compelling rationale.

4. Develop your work plan: it is important to consider the risk function as more of a strategic business partner and as an enabler.

5. Create a centre for excellence: set up a program to examine change within your organisation and your decision-making processes. With this information, you can more effectively prioritise investment and prioritise resources.

6. Be a champion for change: change needs influencers, so you have to make sure that it has the support of great leadership. The focus should go beyond changing the undesirable behaviours within the organisation – it should also leverage the good behaviours.

7. Live it yourself: adopt these principles and change your own function. Make sure you are aligned to everything your organisation is trying to achieve, not just for the present, but also for the future. •••

Head of Risk and Audit at Seven West Media, Mark Wilson.


Feature story

Strengthening regulatory frameworks

Finding ways to strengthen an established regulatory frame

Even though the Financial System Inquiry (FSI) felt that the Australian financial system is already well regulated, all financial systems have potential vulnerabilities.

Sarah Goodman, Executive General Manager of the Australian Prudential Regulation Authority (APRA), said that the Australian Government wants the regulatory framework for the financial sector to be stronger and more comfortable than those of economies overseas. In addition, banks are to take greater responsibility for their own resilience, thus reducing the need for taxpayer bailouts.

Due to a deficit of investors within Australia, a key feature of Australian banks is offshore funding.

Goodman said that, by the end of 2016, APRA will be taking steps to ensure banks have “unquestionably strong” capital ratios; what “unquestionably strong” means, however, has been left up to APRA to determine.

She added that the FSI has suggested that capital ratios in the top quartile, relative to internationally active banks, would be one measure of capital strength, but APRA released an international capital comparisons study paper this year showing where adjustments have been made to cater for the differences between the way capital is measured in Australia and the way it is measured overseas.

Goodman said that Australian banks are not yet in that top quartile, even after adjusting for APRA’s conservative approach to measuring capital. However, while this kind of international comparison is a useful check, it is still important to define what the term “unquestionably strong” means in an Australian context.

However, it is not enough to look at capital ratios, because capital is only one measure of strength. Other things are relevant to financial strength—quality of assets, liquidity and the type of funding, earnings and the quality of management. If a bank is weak in any of these areas, then its capital strength will not last long.

Goodman said that another recommendation of the FSI is to raise the average internal ratings based mortgage risk rates to narrow the difference between the average mortgage risk rates for Authorised Deposit-Taking Institutions.

Australian Authorised Deposit-taking Institutions (ADIs) provide about:

• 90% of domestic credit
• 60% are home mortgages
• 70% major banks’ domestic lending

The five Internal Ratings Based (IRB) banks risk-rate their mortgage portfolios at around 16% on average. The rest of the banks in Australia use the Standardised Approach to credit risk, and they have risk rates that are somewhat higher. The FSI recommended narrowing the gap between those two groups of risk rates by moving the IRB banks to an average risk rate of 25%. This is to be in place formally by July 2016.

TLAC and TBTF

A significant FSI recommendation was for Australia to implement a framework for minimum loss absorbing and recapitalisation capacity that is both in line with emerging international practice and sufficient to facilitate the orderly resolution of Australian ADIs and to minimise taxpayer support. This framework is known as Total Loss Absorbing Capacity (TLAC).

Goodman continued that, by the end of this year, the Financial Stability Board will announce the term sheet for TLAC internationally. “When you’ve got institutions that are considered too big to fail, those institutions end up with an implicit insurance or form of guarantee from the government, even if there is no such arrangement in place. The idea that any company or bank is implicitly insured by the government is contrary to all market-based economic principles.”

She explained that, while Australia does not have any globally systemically important banks, lessons learned internationally attest that banks must be allowed to fail without dragging the entire financial system down with them, and that is part of the central concept of loss absorbing capacity.

Sarah Goodman, Executive General Manager of Australian Prudential Regulation Authority

Page 12: strengthening risk guidelines for any organisation regulatory · regulatory news Briefs X page 8 grci2015 news risk guidelines for any organisation Media organisations live and breathe

12

feature story

products being offered by ADIs, those who deposit with the latter enjoy those depository protections.

why is international regulation so important to aPra?

Goodman said that it is important that Australia complies with international standards, adding, “Formally, we are not legally obliged to comply internationally because there is no treaty in place that requires that, but strong commitments were made by the G20 during the GFC, which means that, in practice, if we are materially out of step with the international standards, then the promise that Australia made as part of the G20 will be called into question.”

Most international regulation is written on the understanding that local financial regulators will eventually adapt it to best suit their local conditions. This is common practice for Australia.

“Compliance with international standards is a vital enabler for our banks and, to a lesser extent, to Australian insurers as well, especially when they are competing and operating overseas. Without substantial international compliance, Australian banks and insurers will not be able to compete overseas on similar terms. And particularly in the case of banking, major banks rely heavily on foreign investors to fund a substantial portion of their activity. International compliance directly supports the activity that Australian banks are doing here.” •••

why is loss absorbing capacity important, if the regulator is looking to deal with a failed bank? “The idea of loss absorbing capacity is that we avoid all that disruption with the bank holding certain types of debt that if they do become insolvent the debt can boost equity so the debt is taken off their liabilities and they return to a solvent position and they can continue to trade. That’s the idea of loss absorbing capacity,” Goodman explained.

APRA will implement a domestic TLAC for important domestic banks in Australia.

“One reason is because those banks conduct a lot of business offshore and it’s important that the capital looks and feels the same as its competitors. If it does not look and feel like the international ones, then they will be less likely to attract international investors. Secondly, the whole idea of a loss absorbing capacity is a very sound one, and we think that it’s worth implementing in Australia, though it is not a formal requirement from the international realm,” Goodman stated.

APRA must also develop a reporting template that would permit Australian ADIs to report their capital ratios in a way that is transparent in the Basel Minimum Framework. That will help Australian banks in accessing funding in international markets because it will enable overseas investors to make more direct comparisons.

When it comes to differentiating between products being offered by finance companies and

“The idea that any company or bank is implicitly insured by the government is contrary to all market-based economic principles.”


GRC2015 news

13 GRC Professional • November 2015

From anarchy to a federated GRC

Using planning to bring all the data together

then, at some point, things will have to break. Sometimes the law doesn’t have to change – just the enforcement of the law. The context around it and the enforcement actions change. So it is important to monitor trends in change in both regulation and enforcement,” he explained.

To avoid a Winchester Mystery House scenario, organisations need infrastructure that collects and collates regulatory feeds so that, when they come in, they are categorised appropriately and distributed to the right subject matter experts.

This structured distribution will give subject matter experts a better vantage point from which to see the distributed and disconnected GRC data points. Rasmussen said that he knew of a financial institution that said 80% of its compliance resources are dedicated to data reconciliation.

For this federated or synergistic relationship to work, there needs to be a blueprint or context that would affect organisational policy.

This vantage point would allow the subject matter experts to see the relationships between changes in different areas to avoid policy redundancies.

There is a need for a federated GRC, where the different GRC functions in an organisation formulate a synergistic relationship and do not operate in silos. In his presentation at the GRC2015, Michael Rasmussen said that this federation is the only way to contend with GRC frameworks in an environment of constant change.

Rasmussen said that many existing GRC frameworks in organisations he has seen are like the Winchester Mystery House, which took 38 years to build and cost $5.5million. It had 147 different builders and no blueprint. “There are doors that open into walls and staircases that lead nowhere,” he said.

He added that, “The current situation is that there are a myriad of subject matter experts of compliance scattered all over the place, yet often, organisations find they have an insufficient head count of subject matter experts.”

Rasmussen said that he calls this the Hydra of Inefficiency or the Inevitability of Failure.

“If our approach to both regulatory and other changes is firing off lots of documents and emails,

Michael Rasmussen

“If our approach to both regulatory and other changes is firing off lots of documents and emails, then, at some point, things will have to break.”


• Are there regulations across industries and industry-specific regulation?

• What is the range of regulatory processes that affect my organisation, and which of these do we need to be concerned about?

• How do we build that taxonomy? How do we plug regulatory content into that taxonomy?

These questions can only be answered properly in a federated GRC framework that ensures an organisation is agile enough to contend with regulatory change, or with a change in the enforcement of existing regulations. •••

“Global financial services firms are dealing with 180 regulatory changeovers every business day. In 2008, there were 8704 changes to laws, rules, and regulation enforcement actions, just to name a few. In 2014, there were 40,603 changes,” he said.

Of course, there are also the internal changes to contend with. Mergers and acquisitions for organisations often involve conflicting or redundant GRC policy frameworks.

According to Rasmussen, these are the questions businesses should be asking:

• What are our regulatory classifications?

• What are the areas of regulation about which we should be concerned?

GRC2015 news

“In 2008, there were 8704 changes to laws, rules, and regulations enforcement actions, just to name a few. In 2014, there were 40,603 changes.”


Financial crime

the nature, size and complexity of their businesses in proportion to the level of money laundering or terrorist financing risk, and they are best-placed to manage and assess the risk posed by their own customers.”

He continued that the remittance sector has long been recognised as vulnerable to exploitation by criminal and terrorist groups for money laundering and terrorism financing purposes. This sector accounts for 1% of the total value of funds going overseas.

“Despite the reports, analysis shows that de-risking has not led to a reduction in the volume of value or international transfers through remitters, with little change in the five-year trend. The number of remitters registered with AUSTRAC has remained relatively stable, even though some banks around the world have been exiting remittance accounts. At the end of July, 5,418 remittance providers were registered with AUSTRAC.”

However, according to Swati Pandey, a writer for Reuters, the Australian Remittance and Currency Providers Association said that AUSTRAC’s findings were “biased to the benefit to the big remitters.”

The ARCPA further challenged that the AUSTRAC report does not address the fact that de-risking and de-banking will lead to transactions moving to unregistered and unregulated entities, creating a bigger share for the black market. This could potentially increase the overall AML/CTF risk. “The remittance firms argue that, without access to the global banking system, the costs of transferring money become substantially higher.”

In the United States, there are cases of widespread de-risking as financial institutions attempt to avoid perceived regulatory risk.

According to Banking Daily, “The Treasury Department is investigating the problem of banks severing relationships with a class of customers to avoid regulatory scrutiny.”

Facing the changing AML/CTF environment

Following the money trail outside of national borders

“Risk and compliance professionals are not always consulted or their advice is not always listened to at management or board-level discussions on strategy.”

Nation-state borders are not barriers for those who wish to exploit financial systems. During his presentation at the GRC2015, John Visser, Australian Transaction Reports and Analysis Centre National Manager, asserted that the only way to contend with the exploitation of financial systems is innovation and integration.

He stated that there should not be any barriers between law enforcement agencies, regulatory bodies, and industries.

He said that the Annual World Payment Report for this year revealed that Australia has the fourth highest rate of non-cash transactions per person in the world.

He added that, “Another recent study, this time with ACI Worldwide, and in conjunction with IDC Financial Insight, shows that two thirds of Australians that have responded use online payments to purchase goods and services online.”

The study confirmed that there is rapid movement towards real-time and immediate payments, driven by customer demand for faster and more efficient payments.

“Non-financial services are driving these changes and they’re setting the pace as we move forward. They’re extending payments from online and mobile ecosystems into peer to peer payments, within social apps fostered through social media platforms.

“We encourage the use of new technology, but these need to be regulated to avoid criminal abuse. In this instance, we have already seen examples where digital currencies are misused for criminal purposes – for example Silk Road and Liberty Reserve,” he added.

Managing risks

Visser made a note of the recent coverage that highlighted a number of large banks terminating or refusing to conduct business with bitcoin operators. Under the AML/CTF Act, banks “are required to develop risk-based systems and controls tailored to

John Visser, Australian Transaction Reports and Analysis Centre National Manager.


Financial crime

financing, but now AUSTRAC has over 530 SMRs that are worth $53m. “It is understood that about 170 people in Australia are known to be providing financial support to individuals and groups involved in the Syria and Iraq conflicts.”

Review

The end result of the Statutory Review of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 may be a range of changes so that there is a clear understanding for regulators, law enforcement and relevant industry bodies of the risk space in the Australian economy across all sectors.

“The review provides an opportunity for us to explore and reframe how our information has been used to maximise disruption to money laundering and terrorist financing and to enable greater collaboration with the private sector,” Visser said.

He added that the Minister of Justice said that the AML/CTF Review will be tabled by the end of the year. •••

Acting Undersecretary for Terrorism and Financial Crimes, Adam Szubin, said that most risks should be managed, and that, in the face of high instances of de-risking, some questions need to be investigated:

• “Are some institutions indiscriminately denying access to broad classes of clients due to fears of regulatory enforcement?

• Is there a market effect that’s playing out, where correspondent banking may be consolidating into the hands of a smaller set of banks?

• Or are we transitioning to a new equilibrium in which US and foreign financial institutions have all strengthened their controls and cross-border relationships are both stable and deep?”

Integrative approaches to end terrorism funding

In his presentation, Visser said following the money trail is an essential element of tackling organised crime. He added that SMRs from financial institutions are important. He said that there were over 80,000 SMRs last year, which is a 6% increase on the previous year.

“Industry representatives, regulators and law enforcement can work together to produce financial intelligence that is accurate and is as near to real-time as possible. We are very well placed in the AML/CTF space to influence change. The international nature of money laundering and terrorist financing requires a coordinated collaborative response,” he said.

According to The Guardian Australia, Michael Keenan, Minister of Justice, said at the Counter-Terrorism Summit 2015 that “Suspected terrorism-related matters accounted for less than 0.01% of the reports to AUSTRAC” in the last financial year, but that this was a 300% increase on the previous period.

For the 2012-2013 period there were 66 SMRs that were suspected to be related to terrorist

“He added that SMRs from financial institutions are important. He said that there were over 80,000 SMRs last year, which is a 6% increase on the previous year.”


Financial crime

From Voice of America

Over the past year there have been more than 530 SMRs that could be linked to radical organisations.

“The problem for us of course is that a terrorist act as we know can start from someone purchasing a knife, to someone purchasing air tickets, to obviously more complex terrorist acts,” said Paul Jevtovic, the head of AUSTRAC. This can make it challenging to link the indicators.

At the moment, authorities say that they are monitoring 100 people who are suspected to be financing crime and terrorism. •••

From news.com.au

The Australian Competition and Consumer Commission has accused Jetstar and Virgin Australia of “drip pricing” and now both airlines will face a hefty fine. According to News.com.au, Jetstar charged their customers an $8.50 credit card fee and Virgin Atlantic charged their customers $7.70 for credit and debit card payments.

“The Federal Court found Jetstar had not informed passengers of the fee upfront on its website in 2013 and on its mobile site in 2014, and was accused of misleading and deceptive conduct.

“Virgin Australia was found to have done the same on its mobile site in 2014 but was sufficiently transparent in other instances.”

Rod Sims, the Chairman of the ACCC, said that the concern of the ACCC is to ensure that customers are not being misled by businesses.

“Breaches of Australian Consumer Law by corporations are punishable with fines of up to $1.1 million.

“In December 2012, AirAsia was ordered by the Federal Court to pay $200,000 for failing to display on its website the full price of airfares”. •••

From 7 News

Transparency International says that the system for identifying billions of dollars of criminal proceeds flowing through Britain is “too fragmented and unaccountable to be effective.”

According to 7 News, “The government’s 2015 money laundering and terrorist financing national risk assessment said there was ‘evidence of terrorist financing activity in the UK’ which uses the same methods as criminal money laundering.”

TI-UK also said that the penalties imposed on those who are not compliant are too small.

The proposed solution by the TI-UK is to create an independent but accountable body to catch criminal proceeds. •••

From Bloomberg Business

Anthony Murgio is accused of operating a bitcoin exchange, Coin.mx, allegedly owned by the hacker who breached JP Morgan Chase & Co. and other financial and publishing organisations.

According to Bloomberg Business “Murgio was charged separately from three alleged hackers who are accused of stealing information on more than 100 million customers of banks and publishing firms and generating hundreds of millions of dollars in illicit proceeds from pump-and-dump schemes and online gambling.”

The bitcoin exchange was used to launder the proceeds of crime. •••

From Coconuts Hong Kong

Two people from Hong Kong, a 37-year-old woman and her 43-year-old male employee, were arrested as part of a police crackdown on a money laundering gang, which is suspected to be connected to a regional phone scam ring.

They had allegedly laundered HKD1.8 billion through the bureau de change and seven local bank accounts opened in the name of a shell company within two months.

Of the HKD1.8 billion laundered, police believe about HKD6.5 million came from five different cross-strait phone scam cases. •••

From ABC News

The Independent Broad Based Anti-Corruption Commission in Victoria, Auditor-General and Ombudsman are all set to receive more powers. Under new laws IBAC will not have to gather as much evidence before an investigation can begin.

At the moment, the watchdog organisation is only able to investigate “serious public sector corruption or police misconduct.”

Reforms to Victoria’s freedom of information laws next year will make the process easier. The office of the Public Access Counsellor will replace the Freedom of Information office.

IBAC assessed 4,443 allegations of public sector corruption or police misconduct in the 2013-2014 financial year. •••


Financial crime

From ABC News

Queensland’s Crime and Corruption Commission has charged two more people with money laundering and fraud offences over alleged “boiler room” scams on the Gold Coast.

The CCC said it was alleged Douglas Owen Traynor and his Thai partner Natchamon Srisunanrat were involved in fraudulent activity with a company called Pegasus Trader Pty Ltd.

It is one of three companies being investigated as part of Operation Lima Violin II, which sprang out of a Queensland Police probe into white-collar crime linked to the Bandido and Black Uhlans motorcycle clubs.

Pegasus Trader was a company based on the Gold Coast involved in the cold-calling and selling of investment products purporting to offer high returns from sports trading. •••

From Business Insider Australia

Australian police forces could soon be granted powers to search suspects without a court warrant amid a crackdown on terrorism, provided the suspects are subject to an existing firearms prohibition order.

According to Business Insider Australia, earlier this year, 15-year-old Farhad Khalil Mohammad Jabar shot and killed NSW police financial officer Curtis Cheng outside the Parramatta police headquarters, raising concerns about how he had been able to obtain the .38 Smith & Wesson handgun used in the shooting. It is alleged that he had obtained it illegally through 22-year-old Talal Alameddine.

An inquest into last year’s Sydney Siege also revealed that the gun used by Man Haron Monis was part of Australia’s “grey” weapons market which includes 250,000 guns that have never been registered. •••


NZ news

Financial services reform in New Zealand — are we there yet?

New Zealand’s journey towards implementation of a new regulatory regime for securities offerings and capital markets has been a long one, but we are beginning to see light at the end of the tunnel.

“The Act governs how financial products are created, promoted and sold, as well as determining the ongoing responsibilities of those who offer, deal and trade such products within New Zealand.”

financial service providers do not mislead or deceive investors. From an investor’s perspective, the existing

disclosure documents, being the investment statement and prospectus, are replaced by a single product disclosure statement, or PDS as it will be known. The PDS is required to be worded in a clear, concise and effective manner, with its length and content heavily prescribed in regulations. In addition, issuers of financial products are required to disclose documents related to the offer and any other material information on a publicly searchable register run by the Companies Office. This register, called “Disclose”, is currently up and running and can be viewed at http://www.business.govt.nz/disclose. Over time, it is proposed that Disclose will become a central repository of offer information with the capacity to obtain comparative material for investors.

The Act introduces a new concept to New Zealand – the managed investment scheme (MIS), which encompasses existing managed funds, such as unit trusts, superannuation and KiwiSaver schemes and collective investment entities. Most registered MISs will have to have a licensed manager and an independent licensed supervisor, with scheme property held by the supervisor or another independent custodian appointed by the supervisor. The Act establishes statutory duties for both managers and supervisors. This includes a duty to act honestly and with reasonable diligence, to act in

The Financial Markets Conduct Act 2013 is heralded as the biggest reform of New Zealand’s financial markets in 30 years, its objectives being to restore investor confidence in financial markets and create robust capital markets – all essential elements to drive New Zealand’s business growth, exports and jobs.

With the Act introduced as part of a two-stage process, the first on 1 April 2014 and the second on 1 December 2014, continuous issuers of financial products now find themselves in a transitional period, with full compliance required by 1 December 2016. But what does all this change mean?

The Act governs how financial products are created, promoted and sold, as well as determining the ongoing responsibilities of those who offer, deal and trade such products within New Zealand. The core features of the reform include and require:

• clear, concise and effective information for investors, to enable them to make sound investment choices;

• information on licensed financial market service providers who, through the process of obtaining a licence from the Financial Markets Authority (FMA), must demonstrate they meet a range of capability standards;

• accountability of managed investment scheme and debt issuers to their supervisors for core obligations under the Act;

• licensed front-line supervisors; and

• a fair-dealing regime that seeks to ensure

Tracey Cross, Partner at global law firm DLA Piper.


NZ news

“Governing documents such as trust deeds need to be reviewed and amended to bring them into line with the new accountability requirements in the Act, which will be common to all managed investment schemes and issues of debt securities.”

Governing documents such as trust deeds need to be reviewed and amended to bring them into line with the new accountability requirements in the Act, which will be common to all managed investment schemes and issues of debt securities. Consistency of trust deed provisions, clear powers and improved accountability of issuers and supervisors are intended to lessen the risk to investors. All managed investment schemes will require a statement of investment policies and objectives, which will be publicly available, and which will be subject to on-going reporting to the supervisor and FMA.

The Act has consolidated the extensive range of exemptions that existed under the Securities Act 1978 into one schedule, clarifying the terminology around commonly used exemptions for offers to wholesale investors. New exemptions have been created to provide easier access to capital through the use of crowd funding and peer-to-peer lending platforms, which are licensed by FMA but which are exempt from the requirement to provide the level of disclosure commonly seen when companies wish to seek funding from the public. Examples are

the best interests of investors and to comply with professional standards of care.

The Act recognises the different types of schemes that may be offered to investors and provides specific and relevant rules, with additional requirements for these schemes. While KiwiSaver scheme requirements largely carry over from existing legislation, going forward superannuation schemes will need to be structured for the sole purpose of retirement. This will require that superannuation schemes have clear rules that ‘lock-in’ members’ savings until retirement, allowing withdrawals only in limited circumstances. This is a significant change for many existing superannuation schemes that contain very flexible withdrawal rules under the current “principal purpose for retirement” regime, and will bring them more in line with KiwiSaver schemes. In addition, self-managed superannuation schemes and certain discretionary investment management services (DIMS) are regulated under the Act. A new concept of a licensed independent trustee has been developed for superannuation schemes whose membership is restricted, for example, to one employer.


advisers, your supervisor, FMA and your third party service providers;

• Don’t underestimate the time required to get yourself set up on the Disclose register; and

• Ensure your licence application contains all of the required information, clearly showing how you satisfy the minimum standards.

If you are impacted by and have any questions about your obligations under the Financial Markets Conduct Act regime, or require assistance in respect of progressing your application, please contact Tracey Cross of DLA Piper New Zealand, [email protected] •••

NZ news

“While a welcome new addition to New Zealand’s capital markets, it remains to be seen whether investors reap the rewards of the inevitably higher risks they take in investing through this mechanism.”

PledgeMe and Snowball Effect, through which start-up ventures can issue shares to the public, and Harmoney, which matches borrowers and lenders. While a welcome new addition to New Zealand’s capital markets, it remains to be seen whether investors reap the rewards of the inevitably higher risks they take in investing through this mechanism.

So how far has the New Zealand financial services industry got in its compliance with this new regime?

Currently, 93 licences have been granted by the FMA, covering managed investment scheme managers (11), DIMS providers (41), derivative issuers (12), crowd funding platforms (8), peer to peer lending platforms (4), licensed independent trustees (13) and licensed market operators, who operate exchanges (4). Given that the original expectation was for the number of MIS manager licences to reach several hundred, there are a significant number of applications yet to be filed. With only 12 months to go to a 1 December 2016 immovable deadline, and given the limited regulatory and professional resources to go around, managers who do not act quickly to obtain a licence and be ready to comply with all of the obligations of the Act by that date will be off-market. Importantly, the FMA has advised it has no “plan B” to deal with any bottleneck of managers who leave it too late to apply for a licence in 2016.

Some tips for those who do need to apply for a licence under the Act:

• Act now! Your preparatory work should be well underway, with you having determined your FMCA processes and procedures;

• Engage proactively with your professional

Biography

Tracey Cross is a partner at global law firm DLA Piper. She heads the national Financial Services team and has more than 20 years’ experience in funds management, superannuation law, corporate governance and financial services regulation.

Tracey has been at the forefront of changes introduced by the Financial Markets Conduct Act. In particular, participating in various industry working groups, liaising with the Financial Markets Authority and Ministry of Business, Innovation, and Employment on industry issues, and proactively advising and guiding clients in respect of compliance with the new regime.

Tracey is the NZ Chair of DLA Piper’s Leadership Alliance for Women initiative, aimed at empowering women in law and business. She is also on the management committee of Women in Super (NZ).

Wynyard report

segregation of duties and processes to ensure users do not accumulate excessive privileges on critical information systems, all are important approaches when it comes to tackling these insider threats. However, these are no longer enough.

In order to mitigate the insider threat, security professionals must be able to detect suspicious activities within their networks and prevent valuable digital assets from leaving the organisation. Analytics software that continually analyses logs, events, users and asset data to identify unusual patterns and indicators of malicious activity is key. This approach identifies “oddities” in the behaviour within the network, either as a result of malicious code or disenfranchised employees, and alerts organisations to any unusual activities before significant damage is done.

These powerful tools constantly monitor inside perimeter defences, searching for anomalies in network behaviour, data flows, file access and traffic logs. Unusual and outside-the-norm behaviours – such as people accessing data outside normal working hours, from unusual IP addresses, or from another geographical location – are alerted for further investigation. The evidence for these could be hidden across multiple data sources, including DNS, proxy, firewall, Active Directory, VPN, NetFlow and DHCP logs. Identifying these threats means a company can pinpoint issues and isolate the threat in a timely manner.
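As an added example (not Wynyard’s software or code from the article), here is a small behavioural-anomaly detector of the kind described above: it builds a per-user baseline of source networks, countries and daily file-read volume from constructed VPN/auth log lines, then flags new events that fall outside business hours, come from an unfamiliar network or geography, or exceed the user’s usual read volume. The log format, business hours and thresholds are assumptions made for the example.

```python
"""Added example: per-user behavioural baseline and anomaly scoring over
constructed log lines (sample data only, not from the article).

Each line: "<ISO timestamp> <user> <source IP> <country> <action>"."""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Assumed local business hours; activity outside them is "outside-the-norm".
WORK_START, WORK_END = 7, 19
# Alert when a user's daily file reads exceed this multiple of their baseline peak.
VOLUME_FACTOR = 3

# Constructed baseline of normal activity for two users (sample data).
BASELINE_LOG = """\
2015-10-05T09:12:00 alice 10.1.20.14 AU login
2015-10-05T09:30:00 alice 10.1.20.14 AU file_read
2015-10-05T10:05:00 alice 10.1.20.14 AU file_read
2015-10-06T08:50:00 alice 10.1.20.22 AU login
2015-10-06T11:00:00 alice 10.1.20.22 AU file_read
2015-10-05T08:40:00 bob 10.1.30.7 AU login
2015-10-05T14:00:00 bob 10.1.30.7 AU file_read
""".splitlines()

# Constructed new events to score against that baseline (sample data).
NEW_LOG = """\
2015-11-02T10:00:00 alice 10.1.20.31 AU login
2015-11-02T23:15:00 alice 203.0.113.9 RU login
2015-11-02T23:20:00 alice 203.0.113.9 RU file_read
2015-11-02T23:22:00 alice 203.0.113.9 RU file_read
2015-11-02T23:24:00 alice 203.0.113.9 RU file_read
2015-11-02T23:26:00 alice 203.0.113.9 RU file_read
2015-11-02T23:28:00 alice 203.0.113.9 RU file_read
2015-11-02T23:30:00 alice 203.0.113.9 RU file_read
2015-11-02T23:32:00 alice 203.0.113.9 RU file_read
2015-11-03T09:00:00 bob 10.1.30.7 AU login
2015-11-03T09:05:00 carol 10.1.40.3 AU login
""".splitlines()


def parse(line):
    """Split one log line into a dict; the timestamp becomes a datetime."""
    ts, user, ip, country, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "ip": ipaddress.ip_address(ip), "country": country, "action": action}


def build_baseline(lines):
    """Per user: source /24 networks, countries seen, and peak daily file reads."""
    base = defaultdict(lambda: {"nets": set(), "countries": set(),
                                "reads": defaultdict(int)})
    for ev in map(parse, lines):
        b = base[ev["user"]]
        b["nets"].add(ipaddress.ip_network(f"{ev['ip']}/24", strict=False))
        b["countries"].add(ev["country"])
        if ev["action"] == "file_read":
            b["reads"][ev["ts"].date()] += 1
    return {u: {"nets": b["nets"], "countries": b["countries"],
                "peak_reads": max(b["reads"].values(), default=0)}
            for u, b in base.items()}


def score_event(ev, baseline):
    """Return the reasons an event looks anomalous (empty list = normal)."""
    reasons = []
    hour = ev["ts"].hour
    if hour < WORK_START or hour >= WORK_END:
        reasons.append("outside business hours")
    prof = baseline.get(ev["user"])
    if prof is None:
        reasons.append("no baseline for user")
        return reasons
    if not any(ev["ip"] in net for net in prof["nets"]):
        reasons.append("unusual source network")
    if ev["country"] not in prof["countries"]:
        reasons.append("new geography")
    return reasons


def detect(lines, baseline):
    """Score each event, then append per-user daily file-read volume alerts."""
    alerts, reads = [], defaultdict(int)
    for ev in map(parse, lines):
        reasons = score_event(ev, baseline)
        if reasons:
            alerts.append({"user": ev["user"], "ts": ev["ts"].isoformat(),
                           "ip": str(ev["ip"]), "reasons": reasons})
        if ev["action"] == "file_read":
            reads[(ev["user"], ev["ts"].date())] += 1
    for (user, day), count in sorted(reads.items()):
        peak = baseline.get(user, {}).get("peak_reads", 0)
        if count > VOLUME_FACTOR * max(peak, 1):
            alerts.append({"user": user, "ts": day.isoformat(), "ip": None,
                           "reasons": [f"{count} file reads vs baseline peak {peak}"]})
    return alerts


if __name__ == "__main__":
    for a in detect(NEW_LOG, build_baseline(BASELINE_LOG)):
        print(a["user"], a["ts"], a["ip"], "; ".join(a["reasons"]))
```

In the sample, alice’s daytime login from her usual network passes silently, while her late-night session from an unfamiliar network and country, and the burst of file reads that follows, each produce an alert an analyst can triage.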

By taking action quickly and responding rapidly to insider threats, an organisation can reduce the damage to its reputation, its customers and its operations. •••

Wynyard Group is a market leader in high-consequence crime fighting and security software, used by law enforcement and national security agencies, critical infrastructure operations and major corporations.

insider threats: the weakest link

“the weakest link within an organisation, however, is often the human element; as a result, insider threats remain a major source of security breaches and the perpetrators can be difficult to locate.”

With the media focusing on external cyber threats, such as the recent hacking of the Obama administration’s network by Iran’s Revolutionary Guard, the spotlight has been taken off the danger of insider activity.

The weakest link within an organisation, however, is often the human element; as a result, insider threats remain a major source of security breaches and the perpetrators can be difficult to locate.

Cyber defence, therefore, is not just about preventing external access to your network. It must also focus on detecting malicious activities – such as data theft – from within. Certainly, businesses should continue to improve perimeter security, but the smartest approach to cybersecurity should start with the assumption that the threats are already inside your perimeter defences.

To make things more difficult, the insider threat can come in many forms. It may be a result of an employee’s accidental, rather than deliberate actions, such as clicking on an infected email or visiting an infected site that downloads malicious code to your network. This malicious threat can go undetected as the complexity of today’s computing environments creates the perfect hiding place for malware. On average, it can take 200 days from an initial compromise taking place to its detection. By this time, the damage has usually been done.

Threats can also come from a disenfranchised employee committing fraud or IP theft for personal gain – or of course, to sell to the highest bidder. Criminal gangs are always looking for valuable information, such as account and credit card information, corporate trade secrets, financial reports and employee and customer information. They understand that it is often easier to encourage an existing employee to reveal information or place one of their own on the inside, rather than mount an uncertain attack on the institution’s cyber defences.

Conventional security layers, such as firewalls and anti-virus tools, are important for blocking out the vast majority of known external threats, but they are ineffective against insider threats: an insider already holds the credentials and access that those controls are designed to admit. Good information assurance and security practices, and


GRCI Awards winners from GRC2015

2015 Compliance Professional and/or Team of the Year (Australia): Risk & Compliance Team, Hydro Tasmania Insurance
Compliance Professional of the Year (New Zealand regional winner): Kane Patena
Compliance Team of the Year (overall winner): Risk & Compliance Team, Hydro Tasmania Insurance

2015 Risk Management Professional and/or Team of the Year (Australia): Enterprise Risk and Clinical Governance, Medibank Private Limited
Risk Management Team/Professional of the Year (New Zealand): Sarah Butler and Hock Choo, Westpac New Zealand Limited
Risk Management Team/Professional of the Year (overall winner): Enterprise Risk and Clinical Governance, Medibank Private Limited

Life Membership: Alf Esteban
David Squire Memorial Associate Graduate of the Year: Hal Waddington
CCP Graduate of the Year (sponsored by Neill Buck & Associates): Paul Neunhoffer


24 GRC Professional • November 2015

GRC2015 Highlights


GRC Board Profiles

The new Board of Directors

Martin Tolar
Martin Tolar is the current CEO of the Waste Management Association of Australia and has had 14 years' experience working within the association sector. Prior to this, he spent nine years with the GRC Institute as Managing Director. Martin has been invited to speak at numerous local and international conferences, particularly in relation to compliance, risk management and anti-corruption. Martin has also been a university lecturer in economics, finance and management, and possesses a strong understanding of government and its practices, thanks to time spent in local and federal government working parties. He holds a Masters in Commerce (Hons), a Graduate Certificate in Compliance Management and is a graduate of the Australian Institute of Company Directors, as well as being a Certified Compliance Professional.

Alex Paxinos
Alexi Paxinos is a psychologist and risk management practitioner with nine years' experience working in the fields of organisational psychology and operational risk. He worked within Westpac's Australian Financial Services Division using organisational psychology principles to enhance management and understanding of risk.

Lois McCowan
Lois is a governance, risk and compliance specialist with 20 years' experience working in financial services. This has included roles in financial planning (boutiques and trustee companies), superannuation, the mortgage industry and banking, the energy industry and State Government, including not-for-profit organisations, construction projects and at board level.

Some of the companies for which Lois has worked include ESI Super (now Energy Super), Trust Company of Australia, ING Financial Services, Whittaker McNaught Pty Ltd, Bank of Queensland, Ergon Energy, and the Department of Housing & Communities. Lois also served for six years as a Member Director of ESI Super.

Lois is currently GRCI Vice-President, and a member of the Finance, Mergers & Acquisitions, and Ethics Committees.

Previously, Lois was Chair of the GRCI RTO Committee, Chair of the Professional Development Committee, and Member of the Audit and Risk, Ethics, and Finance Committees.


Stephen Luk
Stephen Luk is a risk professional with areas of expertise in governance, compliance, risk management, business management, accounting, operations and audit in asset/wealth management, banking, insurance and financial markets. He is a CPA and holds a Master's degree in Accounting Studies from the University of New England, Australia.

Stephen has held various regional management positions in NatWest Markets, JP Morgan Chase and a number of global banks in Asia and Australia. For over 11 years, he was the Regional Chief Compliance Officer of ING Asia Pacific, overseeing the compliance function of insurance and asset management businesses in Asia Pacific, including the joint ventures in Australia, China and India. Stephen has also been with AIA Group, looking after the overall compliance management support of the investment activities across the Group.

Susan Cretan
Susan is a governance, risk and compliance professional with over 20 years' experience in the financial services sector. She has also practised as a lawyer at a commercial law firm and at ASIC. Currently, she holds the position of Director, Integrity, Governance and Risk at Flinders University.

Sasha Culjkovic
Sasha Culjkovic is a dynamic and enthusiastic GRC professional, who combines theoretical business knowledge with over a decade of GRC management experience to assist organisations in overcoming compliance challenges.

Sasha started compliance work at Qantas in 2003, and was responsible for ensuring the airline's engineering business was compliant with relevant regulations. During the next decade, he added risk, governance and safety to his portfolio, working in Qantas' Office of the CEO to effect a change in safety culture. At Lend Lease, Sasha completed a holistic analysis of the company's global compliance learning landscape, and devised a strategy to overcome identified group-wide challenges through L&D, culture, reporting and communication stream initiatives. Currently, Sasha is the Head of Corporate Compliance at Staples, the world's largest office products supplier.

Sasha holds a degree in Engineering, an MBA, a Cert IV in Workplace Training & Assessment, an executive coaching qualification, and mentoring experience.


Craig Greenwood
Craig is a risk and compliance professional with 15 years in the field, all gained within banking and financial services. Currently, he is Chief Compliance Officer (and AML Officer) for Toyota Finance, where he also sits on the Global Compliance Group. Previous management roles in compliance and AML have included positions at HSBC, RBC Capital Markets, Westpac and IAG.

Craig holds postgraduate qualifications in Compliance Management, AML (two) and Applied Finance, together with a Masters in Professional Ethics from UNSW. He is a Certified Professional in Risk (CRP) and Compliance (CCP) with the GRC Institute, and in Insurance (CIP) through ANZIIF. He also holds accreditation with various overseas bodies, including ICCP and the ICA.

Areas of specific interest and expertise for Craig include compliance frameworks, culture and metrics, bribery and corruption, conflicts and other conduct risks, and governance and ethics.

Craig has been an active member of the GRC Institute since 2003, and is proud to serve as a Director on behalf of all members and GRC practitioners. He is particularly keen to see GRC continue on its journey as a valued, standalone profession, and looks forward to working with his fellow directors and Institute members in achieving this goal.

Carolyn Hanson
Carolyn Hanson has been in the compliance field for more than 20 years and is currently the Head of Financial Crime Compliance for the Wealth Management Division of the Commonwealth Banking Group. Having worked previously in the international compliance environment, Australia is Carolyn's eighth country of residence. CBA is the second of the Australian "big four" banks for which Carolyn has worked, having also worked at Westpac in the Australian Financial Services risk team in the Anti Money Laundering area.

Most of Carolyn's experience has been gained in the UK, Isle of Man, Bahamas, Trinidad, Barbados and Dubai. As Course Director (International) for the International Compliance Association (ICA), Carolyn facilitated workshops in Bahamas, Barbados, Bermuda, Cayman and Hong Kong, and contributed to the main texts used by the ICA in their various international courses.

Working in the Caribbean region, Carolyn established compliance regimes for four key areas of a major banking group, and acted as the Regional Compliance Manager and Regional Money Laundering Reporting Officer for two major financial institutions. Her responsibilities have included prudential/regulatory and financial crime compliance, involving the day-to-day management of a team of 50 compliance managers, based in 10 jurisdictions across the Caribbean.

Having extensive customer-facing experience in the insurance and investment industries, Carolyn is a Fellow of the ICA and is CAMS accredited. As well as being an accredited trainer, Carolyn has also acted as a Training and Competence Officer in the UK. Other qualifications that Carolyn holds are an Associate of the Chartered Insurance Institute, the Financial Planning Certificate and a degree in Business Management. Carolyn was a founding member of the Barbados Association of Compliance Professionals and was President of the Caribbean Regional Compliance Association conference committee for six years.

Carolyn continued her professional development in Australia by taking the Governance Risk and Compliance (GRCI) Certified Compliance Professional Grad Cert that confers an International Federation of Compliance Association accreditation.


Comply or Die

GRCI members: 2,500. The majority of members (70%) are based in Australia, whilst 13% are in Asia. The remaining are spread across New Zealand, Europe, US & Canada.

Member benefits:

News & Updates: Free monthly e-magazine & regulatory updates. Thought leadership opportunities to contribute to published submissions, research papers and magazine.

Networking & Discussion Sessions: Network with like-minded professionals. Hear from others' experiences, share knowledge, challenges & ideas on solutions.

Mentoring: Give something back to the community or learn from the best.

Professional Development: Enrol in nationally recognised courses.

Accredited Certification: Earning & maintaining accreditation keeps an institution aware of, & engaged in, current best practices.

Awards: Be recognised within the industry through yearly awards presented at the Annual GRC Conference.

Build Your Personal Brand: Learn how to market yourself better at career progression events.

Membership Discounts: Save an average of 25% off GRCI events & educational training courses.

For more information visit WWW.THEGRCINSTITUTE.ORG

Sign up today to invest in your future as a Governance, Risk & Compliance professional.

Supporting Governance, Risk & Compliance professionals since 1996.


Securely delivering digital papers across many devices

Spending days creating your board packs? BoardPad lets you produce & dispatch instantly.

Your problem... Our solution!

Contact us today for a demonstration: ICSA Boardroom Apps, Level 33, 264 George Street, Sydney. +61 2 8096 8300, [email protected], boardpad.com

© 2015 ICSA Boardroom Apps Limited. BoardPad is a registered trademark of ICSA Boardroom Apps Limited.