Simplicity + Certainty = Confidence
Secure

Your information is securely held and communications are encrypted. Our fully encrypted backups occur often and regularly. Flexible and secure user password controls.

Fast

Fast interfaces, user experience and reporting through the latest database design and web technology. User management tools aid efficient processes.

Simple

Uncluttered user interfaces, multiple browser tab access, effortless data links. Our user-friendly and easy-to-learn user interface means no steep learning curve. Logical data entry flow with what you expect where you expect it.

Customisable

You select the modules you use and customise them to your needs. You control your reports' content, and you tailor your installation to suit your business's needs.

Standardised

We support the global standards on Risk Management (ISO 31000) and Compliance (ISO 19600) and APRA SSP 220.

Centralised

One stop for all of your risk and compliance office needs. View completed and incomplete controls. Retain all your controls and records in the one accessible database.

How it Works

Feature diagram

CRS Certus becomes your record of your risks, risk profile, risk mitigators, obligations, responsible managers and staff, policies and procedures. It holds your proof of control execution. It facilitates recording and managing issues, incidents and complaints. CRS Certus can be interrogated to deliver reports on all data it holds in a format your audience needs.

Risks

Full risk management system. Customisable risk register. Multiple entity ratings support. Links to mitigating controls and issues register. Risk appetites tied to strategic objectives. Risk tolerance triggers and questionnaire system.

Obligations

Record obligations. Link them to legislative or regulatory sources. Reconcile obligations with business controls.

Controls

Document business controls. Link them to risks and obligations. Assign responsibilities to managers. Automatically generate controls self-assessment questionnaires. Managers are alerted when questionnaires are ready and complete them within CRS Certus.

Assessments

Controls response assessment navigation. Record testing results. Full audit records of resolution and further action. Directly load adverse responses into Issues Register.

Incidents

Capture incidents originating from within CRS Certus and reported by your business. Customise incident categories. Workflow management. Assign activities. Capture reportability assessment, related documents and developments.

Complaints

Customise complaint categories. Seamlessly flag complaints as incidents, breaches or risk mitigation control failures.

Registers

Breach register with regulator reporting assessments. Personal dealing approvals and register, gifts & benefits, training, conflicts of interest, related party, legal documents, administrative documents, publications and office holder registers, amongst others.

Alerts

Email alerts issued out of the system directed to your defined positions. Customisable email content and triggers. Email service log validates that communications are sent.

Policies & Procedures

Policies and procedures library. Alert users to new content to review within CRS Certus. Capture user confirmations of access to, and understanding of, policies and procedures. The library becomes your single point of truth.

Reporting

Flexible reporting to PDF and XLS(X). Customisable report content, period and presentation, tailored and relevant for the audience. Reports are returned immediately. Aids regulatory enquiry and annual audit, and demonstrates the control you have over your business.

Consultancy and Outsourced Management

In addition to providing CRS-Certus as a software service, we provide consulting and outsourced management services. These services are available separately from CRS-Certus.

We can help to:

  • Operationalise your risk and compliance management system.
  • Workshop your risks.
  • Build controls.
  • Document your regulatory obligations.
  • Implement incident/complaints reporting.
  • Document your policies & procedures.

Compliance & Risk Services Pty Ltd has been providing risk and compliance management solutions for businesses for over 10 years.

Our speciality: financial services expertise

We have particular experience with Australian financial institutions such as Australian Financial Services Licensees, APRA-regulated entities, Australian Credit Licensees and AUSTRAC reporting entities.

  • Australian Financial Services ('AFS') Licence applications and licence variations
  • RSE licence applications
  • AFS Licence compliance reviews
  • Managed investment scheme registrations
  • Draft compliance plans
  • Draft Product Disclosure Statements ('PDS')
  • PDS due diligence
  • MDA contracts
  • Provide outsourced compliance management
  • Anti-money laundering & counter terrorism financing ('AML/CTF') programs
  • Independent reviews of AML/CTF programs
  • External Compliance Committee members
  • Temporary compliance staff placements
  • Risk management frameworks
  • Local agent for foreign licensees
  • Technical and product advisory services
  • Responsible manager training

Our values and ideals

Experience

We are risk and compliance management practitioners with experience in developing and operating risk and compliance management systems.
CRS-Certus has been developed out of that practitioner experience.

In-house programming team

Our programming team is retained in-house. We believe that the partnership of practitioner and programmer provides a strength that few competitors may match.

Secure IT architecture and backups

Our system uses contemporary database design, programming languages, and hardware. We have implemented a constant backup regime using offsite encrypted storage.

Trust

We have provided services to over 200 clients across the globe. We have acted as topic experts under ASIC enforceable undertakings, and have been engaged as experts in litigation and ASX disciplinary reviews.

Articles

ASIC commences action against the RI Advice Group Pty Ltd
By Terry Dalziel at 24/08/2020
Deferral of mortgage broker reforms and design & distribution obligations
By Murray Jones at 12/05/2020
ASIC amends requirements where COVID-19 related advice is provided
By Terry Dalziel at 16/04/2020
AUSTRAC Industry engagement
By Adam Bold at 02/03/2020
Financial Sector Reform (Hayne Royal Commission Response - Stronger Regulators (2019 Measures) Act 2020
By Gerald O'Byrne at 24/02/2020
Code of Ethics Guide
By Terry Dalziel at 21/10/2019
ASIC's Corporate Plan to 2023
By Adam Bold at 13/09/2019
Update on information to be entered into the Financial Advisers Register (FAR)
By Terry Dalziel at 26/08/2019
Whistleblower policies - draft ASIC Regulatory Guide
By Murray Jones at 23/08/2019
Relief for amending registered schemes’ constitutions in particular circumstances
By Murray Jones at 23/08/2019
Update: Recognition of Prior Learning undertaken through a Professional Body / Financial Adviser Examination
By Terry Dalziel at 08/08/2019
Design and Distribution Obligations and Product Intervention Powers
By Malina Zhuang at 31/07/2019
Proposed changes to ASIC's Internal Dispute Resolution requirements
By Gerald O'Byrne at 28/05/2019
Whistleblower Reforms
By Malina Zhuang at 26/02/2019
Financial Planners and Advisers Code of Ethics 2019 Determination issued by FASEA
By Terry Dalziel at 25/02/2019
FASEA FPS001 Education Pathways Policy
By Terry Dalziel at 25/02/2019
Financial Adviser Standards & Ethics Authority – work and training professional year standard
By Terry Dalziel at 19/02/2019
FASEA Examination Policy (FPS 006)
By Terry Dalziel at 13/02/2019
FASEA Continuing Professional Development Policy (FPS 004)
By Terry Dalziel at 13/02/2019
ASIC Industry Levy Invoices Issued
By Gerald O'Byrne at 31/01/2019
ASIC commences action against the RI Advice Group Pty Ltd

On 21 August 2020, ASIC issued a media release announcing action against the RI Advice Group Pty Ltd (RI) for alleged failure to meet several of its licensing conditions because of inadequate cyber security systems. At the time RI was 100% owned by the ANZ Banking Group Ltd.

It is interesting that the cyber breaches occurred in several of its authorised representatives. I have provided considerable background as it provides a context for the outcomes ASIC is seeking.

Licensee Obligations

s912A(1) of the Corporations Act details the general obligations all Licensees are required to meet. Sub-section (h) requires a licensee to have in place adequate risk management systems.

Detailed Allegations

In summary, the detailed allegations are that RI:

  1. Failed to do all things necessary to ensure the financial services covered by the Licence were performed efficiently, honestly and fairly.
  2. Failed to comply with the condition of its AFSL that it establish and maintain compliance measures to ensure, as far as reasonably practicable, that the licensee complies with financial services laws.
  3. Failed to comply with the financial services laws.
  4. Failed to have available adequate resources (including financial, technical and human resources) to provide the financial services covered by the Licence and to carry out supervisory arrangements.
  5. Failed to have adequate risk management systems in place.

Penalties being sought

In addition to a finding of contraventions of the Corporations Act, ASIC is seeking a pecuniary penalty order being the greater of:

  1. 50,000 penalty units, being $10,600,000 or 
  2. 10% of the annual turnover of the IOOF Group for the 12 months ended 1 May 2020. 

Background to proceedings

In the statement of claim ASIC identified the following cyber breaches as having occurred in RI's authorised representatives.

On or about 3 January or 3 March 2017, RI became aware, through an adviser, of a cyber security breach that had taken place in late December 2016.

On 30 May 2017, RI became aware of another cyber security incident that occurred on that day, as a result of being informed by an authorised representative.

Another cyber security incident occurred between December 2017 and April 2018. The authorised representative was the subject of a “brute force” attack, and as a result a malicious user successfully gained remote access to the authorised representative’s server for 155 hours. On 15 May 2018, the authorised representative informed RI of the breach, having been aware of it since 16 April 2018.

On 29 May 2018, RI became aware of a cyber security incident that had occurred on 23 May 2018 as a result of Trojan software installed on the laptop of an authorised representative.

ASIC is alleging that RI should have, but failed to:

  1. properly review the effectiveness of cybersecurity controls relevant to these incidents across its AR network, including account lockout policies for failed log-ins, password complexity, multi-factor authentication, port security, log monitoring of cybersecurity events, cyber training and awareness, email filtering, application whitelisting, privilege management and incident response controls; and
  2. ensure that those controls were remediated across its AR network where necessary in a timely manner, in order to adequately manage risk with respect to cybersecurity and cyber resilience.
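Two of the controls ASIC lists above, account lockout for failed log-ins and log monitoring of cybersecurity events, are the ones that would have cut short the 155-hour brute-force intrusion described earlier. The script below is an added illustration written for this page; it is not part of ASIC's statement of claim, RI's environment or the CRS Certus product. It replays constructed sshd-style auth log lines (the addresses, user names and timestamps are invented), applies an assumed lockout policy of five failures within fifteen minutes, and reports both the accounts a lockout policy would have locked and any successful log-in that followed while the account should have been locked, which is exactly the event a monitoring rule should alert on.

```python
"""Retrospective lockout / log-monitoring check over auth log lines.

Added example for this page (not from ASIC, RI or CRS Certus). The policy
thresholds and the sample log are assumptions constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log (sshd-style). Not taken from any real incident.
SAMPLE_LOG = """\
2018-01-14T02:10:01 sshd[412]: Failed password for admin from 203.0.113.9 port 51234 ssh2
2018-01-14T02:10:03 sshd[412]: Failed password for admin from 203.0.113.9 port 51235 ssh2
2018-01-14T02:10:04 sshd[412]: Failed password for admin from 203.0.113.9 port 51236 ssh2
2018-01-14T02:10:06 sshd[412]: Failed password for admin from 203.0.113.9 port 51237 ssh2
2018-01-14T02:10:08 sshd[412]: Failed password for admin from 203.0.113.9 port 51238 ssh2
2018-01-14T02:10:09 sshd[412]: Accepted password for admin from 203.0.113.9 port 51239 ssh2
2018-01-14T09:30:00 sshd[977]: Failed password for alice from 198.51.100.4 port 40001 ssh2
2018-01-14T09:45:00 sshd[978]: Accepted password for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Assumed lockout policy: five failures inside a fifteen-minute window.
MAX_FAILURES = 5
WINDOW = timedelta(minutes=15)


def parse_line(line):
    """Parse one auth log line into a dict, or return None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }


def analyse(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Return (locked, success_after_lock).

    locked: {user: timestamp of the failure that would have triggered lockout}
    success_after_lock: [(user, ip, ts)] for successful log-ins that happened
    while the account should already have been locked, i.e. the event a
    monitoring rule must alert on because the lockout control was missing.
    """
    recent = defaultdict(deque)  # user -> timestamps of failures in the window
    locked = {}
    success_after_lock = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["user"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            # Drop failures that have aged out of the sliding window.
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= max_failures and ev["user"] not in locked:
                locked[ev["user"]] = ev["ts"]
        else:
            if ev["user"] in locked:
                success_after_lock.append((ev["user"], ev["ip"], ev["ts"]))
            q.clear()  # a successful log-in resets the failure counter
    return locked, success_after_lock


def report(log_text):
    """Human-readable summary of the analysis, one line per finding."""
    locked, hits = analyse(log_text)
    lines = [f"LOCKOUT {user} at {ts.isoformat()}" for user, ts in locked.items()]
    lines += [f"ALERT success for {u} from {ip} at {ts.isoformat()} after lockout"
              for u, ip, ts in hits]
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run as-is it reports that the constructed `admin` account would have been locked at the fifth failure and that the following accepted log-in from the same address should have raised an alert; `alice`, with a single failure before a success, is not flagged. The same sliding-window logic can be pointed at a real auth log or fed into a SIEM rule, with the threshold and window set to the licensee's own lockout policy.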

ASIC assessment of the cyber security documentation in place

Many cybersecurity documents were ANZ-developed documents specific to the ANZ organisation and its IT environment and were not tailored to RI and its ARs’ requirements. RI and its ARs had not implemented and operationalised these ANZ-developed documents as part of RI’s governance and management of cybersecurity resilience and risk management. RI did not adopt and implement adequate and tailored cybersecurity documentation and controls in each of the following cybersecurity domains: governance and business environment, risk assessment and risk management, asset management, supply chain risk management, access management, personnel security training and awareness, data security, secure system development life cycle and change management, baseline operational security, security continuous monitoring, vulnerability management, incident response and communication, and continuity and recovery planning.

How did RI respond to the cyber security matters?

It commissioned experts to provide it with reports.

It received its first report on 7 August 2018. The deficiencies identified in that report included 90% of desktops not having up-to-date antivirus software, no filtering or quarantining of emails, no offsite backups having been performed, and passwords and other security details found in text files on the server desktop.

During September 2018 RI commissioned another expert to perform a cyber assurance risk review on five authorised representatives. Between September and October 2018 this expert provided a cyber assurance review report on each representative. Three of the authorised representatives were rated “poor”, the remaining two “fair”. In a final report provided to RI during October 2018 there was a recommendation that a cyber assurance risk review be undertaken on all authorised representative organisations.

On 24 October 2018, RI received an expert report assessing the authorised representative cyber breach noted in point 3 above.

What ASIC expected RI to have done

RI should have, in consultation with internal or external cybersecurity experts, promptly adopted a cybersecurity framework to guide all of its cyber-related activities, undertaken a risk assessment across its entire network of ARs, and then sought technical security assurance across a number of its ARs as a technical measure of the cybersecurity risks that exist in their organisations. Armed with this information, it should then have analysed the results to determine the current cybersecurity risks applicable to its network of ARs, and then developed and implemented a cybersecurity remediation plan and supporting initiatives that were tailored to its AR network.

After the takeover of RI by IOOF on 1 October 2018

Following the change of ownership of RI from ANZ to IOOF, RI replaced ANZ-developed documentation relating to cybersecurity with IOOF-developed documentation which often pre-dated IOOF’s acquisition of RI. Like the ANZ documents, the IOOF documents were not tailored to RI and its ARs’ requirements, and RI and its ARs did not implement and operationalise them as part of RI’s own governance and management of cybersecurity resilience and risk management. RI’s risk management systems and resources with respect to cybersecurity and cyber resilience remained inadequate, including as of 12 March 2019.

On 23 August 2019, an authorised representative informed RI of a cybersecurity incident. RI was informed of a further cybersecurity incident by another authorised representative on 15 April 2020.

ASIC's view post IOOF takeover

ASIC's view of what should have been done after that time is as noted above. Additionally, the steps taken by RI in relation to cybersecurity in the period from 1 November 2019 to 1 May 2020 were neither initiated nor completed in a sufficiently timely manner and were not sufficiently broad. RI’s risk management systems and resources with respect to cybersecurity and cyber resilience remained inadequate, including as at 1 May 2020.

Our comment

Consider ASIC’s view on the cybersecurity requirements of a Licensee.

The court application does not indicate if ASIC became aware of the cybersecurity breaches through self-reporting by RI.

Contact Us

Feel free to drop us a message if you have any questions or requests.

Or give us a call at

P: 03 9663 4456

and post us at

P.O. Box 18009
Collins Street East
Melbourne, VIC 8003

We're located at

Level 25, 360 Collins St
Melbourne, VIC, 3000