Chris Deeble

New responsible lending rules have changed the way brokers and lenders should now calculate credit card costs in all lending applications .

In the first part of this series, we explained what the new responsible lending rules for credit cards are. These new rules also affect how you should calculate credit card costs in all other loan applications when determining whether someone will be in substantial hardship.

What should you do?

Your responsible lending assessment of an applicant should be based on whether they can repay their existing credit card limits within 3 years. This means you can’t just apply a nominal percentage to the total of all existing credit card balances any more.

When should you start doing this?

You don’t have time to sit back and think about this for too long – ASIC expects you to change the way you calculate credit card repayments by 1 July 2019.

What interest rate should you use?

When calculating how much an applicant will need to repay their credit cards, you should use the highest rate that applies under their contract. If you don’t know what the highest rate is on their existing cards, you should use the highest rate that’s reasonably likely to apply. ASIC suggests that this is 22%.

Should you include fees?

It’s not necessary to include all account-related fees in your assessment. But if you’re aware of fees that would significantly affect how long it would take someone to repay their credit card limit then you should include those in your calculation.

What should you do now?

You need to review your Responsible Lending Policy to make sure it meets these new rules. In particular, look carefully at how you assess credit card repayments. For further guidance you can also see ASIC’s Report 590.

By Chris Deeble

The post How lenders and brokers should assess credit card costs now appeared first on AdviserVoice.

Chris Deeble

Registered tax (financial) advisers have a higher obligation than other financial planners when disclosing information about their clients to third parties. This is because the Tax Practitioners Board’s (TPB) Code of Professional Conduct has more stringent requirements than the Privacy Act.

How the TPB and the Privacy Act differ

There are three key differences between the TPB’s requirements and privacy law:

• All client information is affected – The Privacy Act only applies to personal information. This means information that can be used to identify your client like their name or contact details. But the TPB Code applies to all information relating to your clients’ affairs. It doesn’t matter where you got the information from or whether it belongs to your client or not.
• Consent is always required – The privacy law only requires you to obtain your client’s consent if you’re disclosing sensitive information or using or disclosing personal information for a secondary purpose. In some cases, this consent can even be implied.

But the TPB Code requires you to obtain your client’s consent when disclosing any of their information to a third party.

• Consent must be positive – Under the Privacy Act, you can simply notify your clients about how their personal information will be used. In some cases, consent can even be implied. But this will not comply with the TPB Code. Instead, your clients must take a positive step to authorise you to disclose their information.

The ideal time to do this is early on in your relationship. Include information about how you will use and disclose your client’s information in your client engagement letter, fact find or other onboarding documents. You should discuss it with your client and ask them to give their consent by signing the relevant documents.

Information can be disclosed in a myriad of ways

It’s easy to overlook some of the ways you may disclose client information to third parties. Consider these examples – all of which require disclosure:

• You store client data in a data centre or in the cloud.
• You use marketing apps (like Mailchimp) to measure client engagement.
• Your clients use apps that are hosted on or via your website or server. This could include a savings app like myprosperity or e-sign solutions such as DocuSign.
• You provide client information to related businesses like subsidiaries or overseas branches that operate as separate legal entities.

To ensure you comply with both the Privacy Act and the TPB Code, you need to identify all the third parties you disclose client information to and make sure they’re described in your consent documents.

Ideally, you would tell your client each and every third party you’re disclosing their information to, but this can be complex and lengthy. So it is sufficient to provide a generic description of the types of businesses you may provide their information to.

Why are disclosure obligations higher for tax (financial) advisers

Registered tax (financial) advisers hold highly confidential financial information for their clients. The rigorous disclosure obligations in the TPB Code recognise that clients have a strong interest in ensuring that their information remains confidential.

Indeed, the TPB Code standard is helpful for any professionals who hold personal, legal or financial information for their clients.

If you’re a registered tax (financial) adviser or hold confidential client information, it’s a good idea to review your disclosure and consent processes and documents to make sure you meet your obligations.

By Chris Deeble

The post TPB ups the ante on privacy consent appeared first on AdviserVoice.

Chris Deeble

You may think you’re not affected by the European Union’s new General Data Protection Regulation because you don’t advise clients in the EU? Think again – especially if you use apps like Mailchimp or DocuSign.

Even if you merely monitor your clients’ behaviour when they are travelling in the EU, you’ll need to comply with the GDPR.

The GDPR expands the privacy requirements

The GDPR is a much expanded privacy law. Since 25 May 2018, it gives consumers new rights to require their data to be erased or transferred to another entity. These rights don’t currently exist under Australian privacy laws (although it is likely that they will be implemented as part of the open banking regime).

The GDPR’s extensive extra-territorial provisions mean that many businesses outside the EU are caught by it even if they don’t actually trade in the EU.

This is because it also applies to companies, no matter where they are located, who use any means to monitor their customers’ behaviour when they are in the EU. More particularly, it applies where companies:

• Track natural persons on the internet; and
• May subsequently use personal data processing techniques to profile a natural person using that data (even if they don’t actually do so)

In order to:

• Take decisions concerning the person; or
• Analyse or predict the person’s personal preferences, behaviours and attitudes.

Monitoring happens in many ways

Many technologies have inbuilt monitoring devices, of which users may not be aware, let alone deploy. Consider these scenarios, all of which will bring you within the ambit of the GDPR if your customers travel to the EU:

• Does your website track the pages that users look at and can you identify the user from additional information provided by your ISP?
• Does your website, app or other software give users targeted advertising based on the content they access?
• Do you use technology to profile individual customers and monitor their usage e.g. Mailchimp, or myprosperity?
• Do you provide any app to customers that records their usage and behaviour e.g. ewise or Yodlee, or DocuSign which record the time they sign, and their IP address?

The GDPR requirements are similar but more extensive

If you provide services to clients or monitor them via the internet while they are in the EU, at a minimum, you will need to do the following to comply with the GDPR obligations:

• Amend your privacy documentation – your privacy collection statement and privacy policy and procedures will need to tell customers about their additional rights and contain policies and procedures relating to those rights.
• Obtain consent – to the purposes for which you will manage customers’ personal information where there are no other lawful grounds to manage it.
• Obtain cookie consent from website users – explain the purpose of the cookies e.g. analytics, advertising, or customer preferences, even if the cookies are from third parties on your website e.g. Google Analytics.

If you regularly monitor people on a large scale or manage large amounts of sensitive information, you will also need to appoint a representative in an EU member state and appoint a data protection officer with expert knowledge of data protection law.

Data breaches which are likely to result in a risk to individuals’ rights and freedom must be notified to the EU Member State your representative is in within 72 hours after you become aware of the breach. There is no need to notify breaches that do not pose that risk.

What this means for you

For most businesses, it will be sufficient to amend your privacy documents and enhance your consent regimes. The Fold Legal can assist with this – we are updating our privacy materials to assist you to comply.

But businesses who regularly monitor people in the EU on a large scale or manage large amounts of sensitive information collected in the EU will need also representation in the EU.

By Chris Deeble

The post Impact of the GDPR on Australian businesses appeared first on AdviserVoice.

Chris Deeble

By now, all credit and financial services licensees, and superannuation trustees must have joined AFCA. But don’t overlook the additional work required to effectively transition from your existing external dispute body to AFCA by 1 November 2018.

The two key things you need to do are:

1. Update documents and your website to refer to AFCA

Any documents or information on your website that refers to CIO, FOS or the SCT need to be updated.

Different timeframes apply to various types of documents:

• Disclosure documents such as FSGs, PDSs and Credit Guides can refer to FOS/CIO from 21 September 2018 to 31 October 2018. By 1 July 2019 they must refer to AFCA.
• National Credit Code forms i.e. the ‘things you should know about’ forms for credit contracts, guarantees and leases i.e. Form 5, 9 and 17 must be updated by 1 July 2019 (provided you update your broader communications about how to complain with AFCA’s details by 1 November 2018).
• Other National Credit Code forms and notices e.g. default notices, must be updated with AFCA’s details by 1 November 2018.
• Complaints information on your website, complaints policy or in brochures can give details of FOS/CIO/SCT from 21 September to 31 October 2018, but must be updated with AFCA’s details by 1 November.
• IDR delay and final response letters must refer to both FOS/CIO/SCT and AFCA from 21 September 2018 to 31 October 2018. By 1 February 2019, these letters must only refer to AFCA.

2. Notify your AFCA membership details to ASIC

You should have been a member of AFCA by 21 September 2018. You will be able to notify ASIC about your membership between 1 and 30 November 2018. Diarise this, so you don’t forget it.

Yes, it’s complicated, but there’s a helpful table on AFCA’s website – it sets out the timeframes and provides AFCA’s preferred disclosures wordings.

By Chris Deeble

The post FOS / AFCA transition involves much work for AFL licensees appeared first on AdviserVoice.

Chris Deeble

AUSTRAC is serious about anti-money laundering and counter terrorism (AML-CTF). Just take a look at their recent actions against the Commonwealth Bank of Australia.

Any business that has an AML-CTF Program must have it reviewed regularly. This now includes digital currency exchanges.

Who can do this review depends on whether your business has a Part A or Part B AML-CTF Program.

What is a Part A AML-CTF Program?

A Part A AML-CTF Program identifies, manages and mitigates the money laundering or terrorism financing (ML-TF) risks your business has. It must include:

• An AML-CTF risk awareness training program for employees;
• An employee due diligence program; and
• Be approved by your governing board and senior managers.

Your business must have a Part A AML-CTF Program unless:

• It holds an Australian Financial Services Licence and provides services in the capacity of that licence; and
• It arranges for a person to receive another designated service from another reporting entity.

This means financial planners do not have to have a Part A AML-CTF Program.

If you have a Part A AML-CTF Program, an independent person must do the review.

What is a Part B AML-CTF Program?

A Part B AML-CTF Program sets out your customer identification and verification procedures. It includes the procedures for knowing your customers.

All reporting entities (including financial planners) must have a Part B AML-CTF Program. If you only have a Part B AML-CTF Program you don’t need to have it independently reviewed but it’s a good idea to.

What is an independent review?

An independent internal or external person must do the review. An independent internal person could be an employee who is not involved in your AML-CTF program. For example, they may be from your legal department. An independent external party may be an external auditor, a compliance specialist or an external lawyer.

AUSTRAC recently changed its rules to make sure the reviewer is truly independent and does not have a vested interest in the outcome of the review. Your reviewer must not have:

• Designed, implemented, or maintained the program; or
• Developed the program’s risk assessment or internal controls.

You must also be able to show that the reviewer is independent.

How often must you review your AML-CTF Program?

It’s up to you how often your program is reviewed. Some things you should take into account when making your decision include:

• The nature of your business;
• Your size;
• How complex your business is; and
• The type and level of ML-TF risks you have.

What must be reviewed?

The review must assess and test:

• The effectiveness of your AML-CTF program for your ML-TF risk;
• If your AML-CTF Program meets the AML/CTF rules;
• How effectively your AML-CTF Program has been implemented; and
• If you have actually followed your AML-CTF program.

You must give the outcome of this review to your governing board and senior management.

We can independently review your AML-CTF Program – Part A, Part B or both. If you need some help setting up or refining your AML-CTF Program, you can also purchase our AML/CTF Compliance Kit. We’d be happy to help.

By Chris Deeble

The post It’s AML-CTF review time appeared first on AdviserVoice.

How can you manage clients’ information to your benefit?

Organisations often want to use customer information for marketing and to pass it on to third parties with whom they have arrangements such as strategic alliances and referrals. Although it’s not strictly necessary to obtain the customer’s consent to do so, you do need to have notified the customer of how you’ll use or disclose their personal information at or before the time you collect it (or as soon as possible afterwards if it isn’t reasonably practicable to comply).

This notification establishes how you can use the information. This is because you may only use or disclose personal information for:

• The primary purpose for which you collect it; and
• Any secondary purpose for which the individual would reasonably expect you to use or disclose it (provided that secondary purpose is related to the primary purpose).
• The primary purpose will generally be ascertainable from the privacy collection statement that you give when you collect the information. Secondary purposes (e.g. marketing mentioned in that statement) can be treated as purposes for which the customer would ‘reasonably expect’ you to use or disclose their information.

So, if your privacy collection statement says you’ll pass the customer’s contact details on to another professional where you identify the customer needs additional advice outside your expertise, you should be able to pass on those details to make a referral.

Where new referral arrangements or alliances are created after personal information has already been collected, then ensure the information in the privacy collection statement was broad enough to include the new arrangement, otherwise you’ll need consent to pass on customer details.

Direct marketing

Be aware that stricter rules apply to direct marketing. You can’t use or disclose personal information for direct marketing purposes unless:

• You collected the information from the customer;
• The customer would reasonably expect you to use or disclose the information for that purpose;
• You provide a simple way for the customer to easily request not to receive direct marketing communications; and
• The customer has not made such a request to you.

Practical steps

If you intend to disclose a customer’s personal information, ensure that you notify them of this in your privacy collection statement. In all other cases, seek consent.

By Chris Deeble

The post How to use customer information for marketing and referrals appeared first on AdviserVoice.