
The "principles" of NCCP


September 20, 2012 10:08am | NCCP requirements

In 'principles-based' regulation, Licensees are left to their own devices to piece together their obligations under the law: the regulator states the outcome it expects, not the controls that achieve it.

As a result, the uninitiated can often fail to put one and one together to get two. The information technology obligations of Australian Credit Licensees are a prime example.

For those who have not read it (the majority of Licensees), ASIC's guidance specifically requires that an annual review be documented covering, amongst other things:

  • security of information
  • the currency, quality and relevance of IT systems
  • disaster recovery and business continuity arrangements

However, what is only implicit throughout the regulatory guidance is the expectation that Licensees will account for generally accepted good practice in these areas. A review that merely records "we have a backup" does not meet that expectation; the question is whether the arrangement would satisfy a recognised benchmark.

In the area of business continuity arrangements, for example, there is now an Australian Standard. The "one plus one" here is that AS/NZS 5050:2010, the standard for managing disruption-related risk, would be the benchmark when determining whether or not a Licensee's arrangements are adequate.

AS/NZS 5050 is largely based on ISO 31000, the International Standard for risk management that has also been adopted as an Australian Standard (ASIC please take note), and here is another piece of the puzzle. One of the general conduct obligations of a Licensee is to have a risk management programme in place. That risk management standard is all-pervasive: it does not merely concern itself with the obligations of the NCCP Act. In managing the risks to "security of information", many facets must be taken into account, such as:

  • is business information adequately protected, with passwords (or stronger authentication) required on every account and device that can reach it?
  • is access to the office network from outside (remote access, VPN) adequately controlled and limited to those who need it?
  • is wireless access using the most up-to-date security protocols (WPA2 rather than the older WEP or WPA, which are known to be breakable), with the equipment's default passwords changed?

And all of this has to be adequately tested as part of a robust compliance programme; a control that has never been tested is an assumption, not a control. Information management is of such importance today that QED Risk Services' programme, QED CompliFast, includes it as a compliance topic in every quarter's testing. Using QED CompliFast itself as a case in point: system access is delivered through industry-standard security layers; client information is held on servers housed in Australia (to avoid the Privacy Act implications of storing personal information offshore); client financial details are held in a separate system that is inaccessible to QED staff; and an alternative backup system is in place should the main application be rendered unavailable for any reason. Good to know that the compliance guys also follow the rules, hey?

To quote the regulator, "if you need more information, it's all contained in RG 205". If that thought gives you chills, you'll be pleasantly surprised at how cost-effective a good compliance programme can be.
