Work health and safety is everyone’s business: National Safe Work Month 2017



Sharing safety knowledge and experience benefits everyone

Everyone has a right to come home from work each day safe and healthy.

Workplaces around Australia are taking part in National Safe Work Month this October, committing to lowering the number of work-related injuries, illnesses and deaths.

The theme for 2017 is “Sharing safety knowledge and experience benefits everyone”. It’s a reminder that everyone is responsible for ensuring the safety and health of the people we work with.


Reducing workplace fatalities

Safe Work Australia, the national work health and safety policy body, was established in 2008. Since then the rate of workplace fatalities has declined, but there is still a long way to go.

The Minister for Employment, Senator Michaelia Cash, acknowledged the need for progress when she launched Safe Work Month. Senator Cash noted, “One death or injury is one too many.”

So far in 2017, 129 Australians have been killed at work.

Historically, around half of all workplace fatalities occur in two industries: agriculture, forestry and fishing, and transport, postal and warehousing. Across all industries, vehicle collisions remain the most common cause of death at work.

But the need to monitor health and safety applies wherever people do work, whether it’s offsite or in offices.

Work health and safety (WHS) resources

Employers looking for ideas on how to identify and address work health and safety (WHS) issues should have a look at the resources provided by Safe Work Australia.

Safe Work Australia has described “Five steps to a safe and healthy workplace”.

You can also share your own ideas and experiences on Twitter and elsewhere using the hashtag #safeworkmonth.

GRC Solutions offers a wide range of Work Health and Safety training options, including off-the-shelf and customised online training content.

Our courses cover the full range of obligations, from ground-level staff, to managers and officers, to WHS representatives and committees.


We support marriage equality

GRC Solutions wouldn’t be where it is today if it weren’t for its diverse team.

We represent the many backgrounds and beliefs that are so typical of Australian society, and every day we work together to develop learning products that reflect this.

For us, work is as much about the people as the products we create. Equality is at the core of who we are.

We cannot wait to see this right extended to all Australians – not just in the workplace, but in all facets of life.

Therefore, GRC Solutions supports the Yes vote in the upcoming postal survey.

Bullying and harassment faced by one third of emergency doctors

One third of emergency doctors in Australian hospitals face workplace bullying and harassment, according to a new national survey.

In the survey of over 2,100 members of the Australasian College for Emergency Medicine (ACEM), physicians cited their experiences of bullying and harassment at work.

Key points

  • Verbal abuse and personal attacks reported
  • More than 20 percent reported discrimination or harassment, and more than 6 percent sexual harassment
  • Bullying tends to target female doctors, trainees and overseas-trained doctors


Physicians reported being humiliated while presenting their patients’ cases to other doctors and being verbally abused by their peers. Trainees faced personal attacks when seeking feedback about their job performance.

ACEM President Tony Lawler said he felt “sickened” when he read the results. “It is a tragedy that any individual would feel so disempowered and threatened in their workplace that is supposed to be a safe and supported place for them,” he said.

The national survey comes after a 2013 Beyond Blue survey of 14,000 medical students and doctors found that an alarming 1 in 5 medical students had had thoughts of suicide, compared to 1 in 45 in the general population.


Doctors describe public humiliation and discrimination

The survey report described doctors in Australian emergency departments as experiencing “ongoing, severe, daily bullying”. Such treatment raises concerns about how it impairs doctors’ performance, and with it patient safety.

One doctor said, “I was yelled at in front of patients and colleagues, and then taken to an empty corridor and yelled at some more”. Another reported a “consultant [doctor] yelling and shaming me in public”.

Female trainees more likely to be discriminated against and sexually harassed

Female trainees were singled out for discrimination. A respondent says she was told “not to apply for a resident job if they planned on getting pregnant”. Another says she had to endure “unwanted touching, sexual remarks and requests for sex whilst on a conference with a consultant I work with”.

Over 20 percent of those surveyed experienced harassment, with more than 6 percent experiencing sexual harassment.

In 2006, a senior surgeon at Monash Medical Centre was accused of sexually harassing one of his trainees, Caroline Tan. Ms Tan won the case and was awarded AUD$100,000 in damages by the Victorian Civil and Administrative Tribunal.


GRC Solutions offers a wide-ranging library of Salt Compliance e-learning courses, including Diversity & Equality. Contact us today for more information.


Source: …-harassment-rife-among-emergency-doctors:-survey/8809940

Long-awaited Competition Law reform begins: a new misuse of market power

The Australian Parliament has passed laws to repeal and replace the prohibitions against misuse of market power in section 46 of the Competition and Consumer Act 2010.

The Act passed on 15 August 2017 is the first piece of legislation to implement one of the 56 recommendations made in the 2015 Harper Review.


Why the controversy over section 46?

Section 46 prohibits a corporation with a substantial degree of market power from using that power to damage or eliminate a competitor. The provision has been debated for almost four decades, long before the Harper Review. Critics have argued, in particular, that misuse of market power is difficult to prove under it.

The biggest criticism has been that the existing ‘purpose test’ is subjective: it asks what the corporation intended rather than objectively assessing the harm done.

Some also argue that the test is out of step with the international approach, because it focuses on harm to an individual competitor rather than on the competitive process.

Others, such as Wesfarmers chief Richard Goyder, argued unsuccessfully that there was no compelling evidence for reforming section 46.


What is the effect of the new section 46?

Under the new rules, the ‘purpose test’ is joined by an alternative ‘effects test’. Corporations with substantial market power will be liable if their conduct has the ‘purpose, effect or likely effect of substantially lessening competition’. The new provision also shifts the focus to competition itself, in line with international jurisprudence.

Other amendments allow the regulator to authorise conduct that would otherwise be prohibited, where the public benefit outweighs the harm.


GRC Solutions offers a wide-ranging library of Salt Compliance e-learning courses, including Competition and Consumer Protection. Contact us today for more information.

Source: Australian Parliament, Harper Review

Mandatory data breach reporting and the Red Cross case

Australian Red Cross (ARC) Data breach

In September 2016, an individual stumbled upon personal information belonging to over 500,000 prospective ARC blood donors.

The information, including the donors’ names, dates of birth, and sexual and medical histories, had been saved on a publicly accessible ARC web server.

The Office of the Australian Information Commissioner (OAIC) found that the breach was caused by human error on the part of a third-party contractor.


Mandatory data breach reporting

From February 2018, organisations covered by the Privacy Act will be required to notify affected individuals and the OAIC of eligible data breaches, such as the ARC breach.

Under the new laws, a breach must be notified if a reasonable person would conclude that it is likely to result in serious harm to any of the individuals whose personal or sensitive information was involved.



Organisations may baulk at being forced to report data breaches. As in the ARC case, many breaches are accidental rather than malicious, and mandatory reporting all but ensures that a business that makes a simple mistake will suffer reputational damage. How many individuals affected by the ARC breach have had second thoughts about giving their personal details when making a blood donation appointment on

But notifying individuals lets them take steps to mitigate the harm from having their information exposed. In the ARC case, prospective donors could take precautions against identity theft.

Meanwhile, a failure to report significant data breaches could result in an OAIC investigation and further action.


GRC Solutions offers a wide-ranging library of Salt Compliance e-learning courses, including Data Protection, Fraud Awareness and Privacy. Contact us today for more information.


Source: GRC Solutions, Federal Legislation, OAIC

Cartel case leads to first criminal cartel prosecution

Shipping cartel conduct attracts one of the biggest fines ever

The Federal Court has imposed an AUD$25 million fine in relation to a shipping cartel. It is one of the largest fines ever recorded under the existing competition regime, and it marks the first successful prosecution under Australia’s criminal cartel laws.

According to the Australian Competition and Consumer Commission (ACCC), it’s the first time in 100 years that “a cartelist was convicted, sentenced and fined for a breach of the criminal law”.

The company fined is Nippon Yusen Kabushiki Kaisha (NYK), one of the world’s largest shipping conglomerates.

NYK admitted to agreements with other carriers not to alter their market shares or try to win business from each other. The agreements covered the shipping of Nissan, Suzuki, Honda, Toyota and Mazda vehicles to Australia.


Cartel penalty is big. But it could have been bigger.

NYK’s fine is the second largest in ACCC history. Remarkably, it could have been bigger.

The Court discounted the penalty by 50 percent in recognition of NYK’s early guilty plea and its “past and future assistance and cooperation” with ACCC investigations.

Significantly, NYK’s cartel conduct began back in 1997. Yet the prosecution covered only conduct between 2009 and 2012, because Australia’s criminal cartel provisions (in the Competition and Consumer Act, or CCA) did not exist until 2009.


ACCC lessons from the shipping cartel case

Over the past three years, the ACCC has devoted an expanding range of resources to investigating cartels.

ACCC Chairman Rod Sims said the penalty “sends a strong warning to the industry and the business community at large. The [Commonwealth Director of Public Prosecution] and ACCC can and will criminally prosecute cartel conduct.”

He also noted that the case highlighted how the authorities could exercise leniency in the face of early engagement and cooperation.

NYK has also faced cartel enforcement action in several other jurisdictions.

Sources: ACCC, Australian Competition Law Blog, AFR


GRC Solutions offers a wide-ranging library of Salt Compliance online training, including a Competition and Consumer Protection suite of courses. Contact us today for more information.

Commonwealth Bank anti-money laundering breach allegations


The Commonwealth Bank of Australia (CBA) is dealing with allegations that it committed over 50,000 anti-money laundering breaches.

On 3 August 2017, Australia’s financial intelligence agency, AUSTRAC, started civil proceedings against CBA.

AUSTRAC alleges that CBA contravened the Anti-Money Laundering and Counter-Terrorism Financing Act on 53,700 occasions.

The allegations concern the Intelligent Deposit Machines (IDMs) that CBA rolled out in May 2012, which customers use to deposit cash and cheques.

AUSTRAC says CBA failed to identify certain deposits made via the machines as suspicious, and did not submit threshold transaction reports to AUSTRAC within the required time. Each contravention carries a maximum civil penalty of AUD$18 million.


Commonwealth Bank’s role in assessing money laundering risks

The CBA case highlights the role banks play in assessing money laundering and terrorism financing (ML/TF) risk. Financial institutions must uphold high standards to combat ML/TF.

The law imposes various obligations on ‘reporting entities’ such as CBA. A key one is to adopt and maintain an AML/CTF program that identifies, mitigates and manages ML/TF risk.

According to AUSTRAC, CBA did not adequately assess the IDMs’ ML/TF risk between May 2012 and September 2015. In particular, AUSTRAC says CBA failed to:

  • comply with its AML/CTF program
  • carry out ongoing customer due diligence
  • report 53,506 threshold transactions totalling AUD$624.7 million
  • report suspicious matters involving transactions totalling over AUD$77 million


Fintech and regtech implications of Commonwealth Bank case

For its part, the Bank says the breaches resulted from a coding error that prevented its machines from flagging ‘threshold transactions’, which are cash transactions of AUD$10,000 or more.

For this reason, commentators, in analysing CBA’s use of deposit machines, will almost inevitably focus their scrutiny on the rise of technology in financial services, or ‘fintech’.

But fintech is only part of the story. The other part concerns ‘regtech’.

Regtech – the use of technology to facilitate regulation and promote cultures of compliance – is a burgeoning field. And it’s rapidly transforming the way organisations are preventing and identifying breaches.

So this case poses an interesting question about how regtech can assist reporting entities like CBA. Does a better way exist to embed ‘compliance by design’ into deposit machine technology?

Or to put things differently: what’s the most effective, most secure way to identify red flags, before either reporting entities or the regulators have to identify suspicious transactions manually?
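One answer is to make the threshold rule itself part of the deposit-processing code rather than a downstream report. The following is an added example written for this article, not code from CBA, AUSTRAC or any vendor. It assumes a simplified deposit record (the Deposit class and the sample deposits are constructed for illustration), applies the statutory AUD$10,000 cash threshold with an inclusive comparison, computes the ten-business-day lodgement deadline, and adds a simple structuring heuristic (an assumption, not a statutory test) that catches several sub-threshold cash deposits to one account in one day:

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# AUD 10,000, held in cents so the inclusive comparison is exact.
THRESHOLD_CENTS = 10_000 * 100
# A threshold transaction report (TTR) must be lodged within 10 business days.
TTR_DEADLINE_BUSINESS_DAYS = 10


@dataclass(frozen=True)
class Deposit:
    txn_id: str
    account: str
    day: date
    amount_cents: int
    instrument: str  # "cash" or "cheque"


def is_threshold_transaction(d: Deposit) -> bool:
    """Only physical currency counts, and the threshold is inclusive: a deposit
    of exactly AUD 10,000 is reportable. Writing '>' here instead of '>=' would
    silently drop every deposit of exactly $10,000, the kind of boundary error
    that goes unnoticed until a regulator asks for the missing reports."""
    return d.instrument == "cash" and d.amount_cents >= THRESHOLD_CENTS


def ttr_deadline(txn_day: date) -> date:
    """Last day to lodge the report: ten business days (Mon-Fri) after the
    transaction day. Public holidays are ignored (simplifying assumption)."""
    d, remaining = txn_day, TTR_DEADLINE_BUSINESS_DAYS
    while remaining:
        d += timedelta(days=1)
        if d.weekday() < 5:
            remaining -= 1
    return d


def threshold_reports(deposits):
    """(txn_id, lodgement deadline) for every deposit that needs a TTR."""
    return [(d.txn_id, ttr_deadline(d.day)) for d in deposits
            if is_threshold_transaction(d)]


def possible_structuring(deposits):
    """Heuristic, not a statutory test (assumption): several sub-threshold cash
    deposits to one account on one day that together reach the threshold. Each
    deposit alone escapes threshold reporting, which is exactly why the pattern
    is a candidate for suspicious matter review."""
    groups = defaultdict(list)
    for d in deposits:
        if d.instrument == "cash" and d.amount_cents < THRESHOLD_CENTS:
            groups[(d.account, d.day)].append(d)
    hits = []
    for (account, day), group in groups.items():
        if len(group) > 1 and sum(d.amount_cents for d in group) >= THRESHOLD_CENTS:
            hits.append((account, day, sorted(d.txn_id for d in group)))
    return sorted(hits)


# Constructed sample deposits (not real transaction data).
SAMPLE = [
    Deposit("T1", "ACC-A", date(2017, 6, 2), 1_000_000, "cash"),    # exactly $10,000
    Deposit("T2", "ACC-B", date(2017, 6, 2), 999_999, "cash"),      # $9,999.99
    Deposit("T3", "ACC-C", date(2017, 6, 2), 2_500_000, "cheque"),  # cheque, not currency
    Deposit("T4", "ACC-B", date(2017, 6, 2), 450_000, "cash"),      # same account, same day
    Deposit("T5", "ACC-D", date(2017, 6, 3), 1_200_000, "cash"),
]

if __name__ == "__main__":
    for txn_id, deadline in threshold_reports(SAMPLE):
        print(f"TTR required for {txn_id}, lodge by {deadline.isoformat()}")
    for account, day, ids in possible_structuring(SAMPLE):
        print(f"review {account} on {day.isoformat()}: {', '.join(ids)}")
```

Run against the constructed sample, T1 and T5 are reportable (the cheque is not, however large), and the two deposits to ACC-B are surfaced for review even though neither crosses the line on its own. Keeping the rule next to the transaction data, with a test for the exact-threshold case, is what ‘compliance by design’ looks like in practice.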



GRC Solutions offers a wide-ranging library of Salt Compliance e-learning courses, including Anti-Money Laundering. Contact us today for more information.

GRC Solutions partners with RHT Compliance Solutions, the leading and largest standalone compliance consultancy in Southeast Asia

Through our partnership, RHT Compliance Solutions will be able to offer their clients access to GRC Solutions’ award-winning Salt Web Compliance Learning Management System.

The partnership will grant companies across Southeast Asia access to legal and compliance training content built by an expert team in line with international standards and benchmarks.

GRC Solutions is a recognised leader in the online compliance training market. Our e-Learning promotes speed to competence: we want your staff to get the most out of their online compliance training in the shortest possible time. We’ve helped hundreds of private, government and not-for-profit organisations around the world build resilient cultures in the face of complex and evolving regulatory obligations.

Our training covers regulatory compliance, risk and ethics. We develop content for many industries, including financial services, professional services, insurance, pharmaceutical, engineering and construction.

As a specialist compliance eLearning publisher, we know what works in compliance training and can help you reduce mandatory training hours, minimise pushback from employees and improve training outcomes.

For further information, please contact Sam Gibbins or Darlina Djumadi.

Egg-producer handed ‘record’ AUD$1m fine over false free-range labelling

One of Australia’s largest egg producers has been fined AUD$750,000 by the Federal Court and ordered to pay a further $300,000 in costs for falsely labelling some of its eggs as free range, the largest penalty in Australian history for a breach of its kind.

The Australian Competition and Consumer Commission (ACCC) brought the action against WA company Snowdale Holdings, which sells eggs under six labels and is one of the state’s biggest supermarket suppliers, over its farms at Carabooda and in the Swan Valley.

In May 2016, the Federal Court found that the company had misled consumers. ACCC investigations revealed that between 2012 and 2013 the company sold 71 percent of its eggs as ‘free range’, claiming they were laid by hens that were able to go outdoors and roam freely.

The Court heard that half the chickens probably never got outside because the sheds were overstocked: one barn held 17,000 chickens, and some barns had up to 14 chickens per square metre. Under current national standards, hens must have “meaningful and regular” outdoor access at a density of no more than one hen per square metre for eggs to be labelled free range.

The court also heard that Snowdale’s “Free Range Eggs by Ellah” were advertised as being sourced from the Swan Valley farm, but they were consolidated from both properties and put indiscriminately into cartons.

The Humane Society International (HSI) called the fine a “major victory for Australian consumers” against a company that had been “charging a premium for eggs produced in anything but free-range conditions for 14 years”, in the words of HSI director Verna Simpson.

ACCC Commissioner Mick Keogh said consumers paying for premium products should expect not to be “duped” by producers making false claims. “This is the highest penalty that a court has ordered in relation to misleading ‘free range’ egg claims,” he said. “It reflects the seriousness of Snowdale’s conduct and the importance of egg producers being truthful about marketing claims they make.”

GRC Solutions offers a wide-ranging library of Salt Compliance e-learning courses, including Competition and Consumer Protection. Contact us today for more information.

Source: Sydney Morning Herald


Officer charged under new WHS legislation for lacking due diligence

A South Australian amusement ride operator has been convicted in the wake of a fatal incident involving its “Airmaxx” ride at the Royal Adelaide Show.

In September 2014, an eight-year-old girl suffered fatal injuries when she was thrown from the Airmaxx.

C, J Sons Amusements Pty Ltd owned and operated the Airmaxx. One of its officers, a director, was convicted by the South Australian Employment Tribunal of failing to exercise health and safety due diligence under the South Australian Work Health and Safety Act 2012.

The Tribunal fined the operator AUD$94,500 for failing to provide and maintain the plant in a safe condition and have safe systems of work in place in relation to the risk of death or serious injury.

The Tribunal also imposed a $63,000 penalty against the director for her failure to exercise due diligence to ensure that the operator complied with its duties under the WHS Act (Section 27).

The director failed to take due diligence steps to ensure:

  • repairs, maintenance and inspection of the equipment was performed by appropriately qualified persons
  • safe systems of work were maintained, and policies and procedures for the operation of the equipment were in place
  • the operator had appropriate systems and processes in place to record maintenance and repair work undertaken on the equipment, as well as recording hazards, risks or injuries relating to the operation of the equipment
  • the equipment was appropriately registered and that it was not used until its design registration was authorised

While the Tribunal noted that both the operator and the director had been let down by the experts they relied upon, the director had had “ample opportunities” to be more careful in discharging the due diligence obligations of an officer.

Moreover, the Tribunal found that while the operator and director did not behave with reckless intent, the lack of due diligence and the way in which they “did not necessarily cover everything they ought to have” could not be excused.

The Tribunal’s emphasis on deterrence where there is “significant risk” reinforces the need for employers to have safety governance structures in place at the highest levels, and for directors and officers to take due diligence steps and be able to show they have taken them.

GRC Solutions offers a wide-ranging library of Salt Compliance e-learning courses, including Work Health and Safety. Contact us today for more information.

Source: Ashurst

GRC Solutions acquires renowned compliance division of COBA

GRC Solutions Pty Ltd has recently acquired the compliance division business of COBA (Customer Owned Banking Association). The compliance division is responsible for developing a range of resources, including compliance manuals, guides, training content and associated services.

“This is a fantastic development that will showcase the complementary strengths of both businesses,” GRC Solutions Managing Director Julian Fenwick says.

“GRC Solutions has a longstanding commitment to developing and delivering premium quality compliance training to a wide range of industries, including an ever-expanding base of financial services clients.”

“COBA and its compliance division are highly regarded in the financial services sector for their thought leadership in advocacy, advice and training.”

“Our priority is to ensure that the compliance business maintains the same high standards for which it’s renowned, with its team of exceptional lawyers and compliance advisers.”

“We look forward to seeing how each business can enhance the other and elevate the profile of our combined people, training products and services.”


What the incoming European data protection laws mean to your business

The European Union (EU) General Data Protection Regulation (GDPR) takes effect on 25 May 2018. The GDPR aims to preserve individuals’ right to have their personal data protected in today’s global and digital era.

The GDPR will apply to Australian businesses that have an establishment in the EU, offer goods or services to individuals in the EU, or monitor the behaviour of individuals in the EU. Businesses that must comply but have no establishment in the EU will generally have to appoint a representative in the EU as a point of contact for supervisory authorities and data subjects.

The GDPR and Australian privacy law are similar in some respects. For instance, both apply to information about an identified or identifiable individual. But Australian businesses should note that the GDPR treats a wide range of data as personal data, including location data, online identifiers and physical characteristics. The GDPR imposes extensive requirements, including appointing a data protection officer in certain situations, using only data processors that provide sufficient guarantees, and carrying out a data protection impact assessment for high-risk processing.

Failure to comply with the GDPR can result in fines of up to €20 million or 4 percent of the business’s worldwide annual turnover, whichever is higher. Given the severity of the penalties, businesses should take a proactive approach to understanding the GDPR and implement a compliant personal data handling regime. That means an organisation’s officers are not the only ones who need a solid understanding of the requirements: employees who collect, use and manage personal information need it as well.

GRC Solutions offers a wide-ranging library of Salt Compliance e-learning courses, including Privacy and Cyber Security/Data Protection. Contact us today for more information.

Source: OAIC, EDPR, Australasian Lawyer


Millions of dollars of celebrity’s jewellery linked to 1MDB case

Australian model Miranda Kerr is the latest celebrity to be caught up in Malaysia’s 1Malaysia Development Berhad (1MDB) corruption and money laundering scandal.

Malaysian financier Low Taek Jho gave Kerr USD$8 million worth of jewellery allegedly paid for with funds misappropriated from 1MDB. Kerr has since handed the jewellery over to US authorities and has not been accused of any wrongdoing.

Investigators have also alleged that the 2013 Hollywood film The Wolf of Wall Street was partly financed with diverted 1MDB funds. Actor Leonardo DiCaprio has returned USD$12 million worth of artwork and a Marlon Brando Oscar statuette given to him by 1MDB financiers.

The US Justice Department has sought to recover USD$1.7 billion worth of assets bought with misappropriated 1MDB funds. So far these include a luxury yacht, a Bombardier jet, real estate in New York, Los Angeles and London, as well as Kerr’s jewellery and DiCaprio’s Picasso painting.

The 1MDB scandal first made headlines in 2015, with allegations that Malaysian Prime Minister Najib Razak had siphoned almost USD$700 million from the state development fund for his own benefit. Malaysia’s first lady was also accused of receiving $30 million in jewellery paid for with the stolen funds.

Law enforcement agencies in countries including the US, Singapore, Hong Kong, the UAE and Switzerland have been conducting their own investigations into the issue, and taking action to freeze accounts and recover assets. The cases are ongoing.

Want to learn more about anti-bribery and corruption or anti-money laundering? GRC Solutions offers off-the-shelf e-learning, bespoke content and face-to-face workshops. Contact us today for more information.

Why diversity and equality matters: the cautionary tale of Uber

Legendary management consultant Peter Drucker once said, “Culture eats strategy for breakfast”. Perhaps Uber – and particularly its recently-departed CEO Travis Kalanick – had never heard of the quote or decided that revenue and expansion were more important than treating employees with basic decency.

Former Uber employee Susan Fowler blew the whistle on the company in a now-famous blog post in February. Her article detailed how a select few individuals within Uber were treated as untouchable: not only were they immune from complaints of sexual harassment, Kalanick went so far as to publicly hold them up as embodying the company’s 14 core values.

When people talk about Uber, they’re often referencing its status as one of the prized darlings of Silicon Valley and its fabled rise from tiny start-up to a titanic taxi-industry disrupter. Today, the company is valued at $70 billion and operates in 83 different countries.

But as Fowler’s article demonstrates, even a giant “success story” like Uber is not immune to the reputational damage caused by poor workplace culture. Nor can it escape other costs, including paying compensation to victims of harassment and the costs of replacing staff who can no longer work in hostile environments.

Uber is not the first company whose serious corporate culture issues have made international news. Sadly, too many organisations normalise sexism and too many victims and other employees are discouraged from speaking out against it. It’s startling to think that Uber’s harassment problems could have remained buried, and its business model unquestioned, if it hadn’t been for one brave female engineer taking a stand. Diversity and equality training has been around long enough now that staff expect their employers to take harassment claims seriously, and that they will not be victimised for blowing the whistle on toxic behaviour.

GRC Solutions offers Diversity and Equality training for staff at all levels within an organisation, both online courses that everyone can take and tailored workshops for small groups or management. Contact us today to find out how we can help.

Google fined record AUD$3.57 billion by European Union for anti-competitive behaviour

European Union regulators have imposed a record €2.42 billion (AUD$3.57 billion) fine on US tech giant Google for breaching antitrust rules with its online shopping service.

Following a seven-year investigation of Google’s search practices in the EU, the European Commission, the EU’s competition watchdog, found that Google denied “consumers a genuine choice” by unfairly promoting its own shopping service (Google Shopping) in search results to the detriment of rivals. The fine is the highest ever imposed in Europe for anti-competitive behaviour.

The Commission found that Google had “abused its market dominance as a search engine by giving an illegal advantage to another Google product”: it gave priority placement to its own shopping service while relegating rivals’ results to positions where potential buyers were much less likely to click.

The action followed scores of complaints from rivals including US consumer review site Yelp, TripAdvisor, UK price comparison site Foundem, News Corp and the lobby group FairSearch.

EU Competition Commissioner Margrethe Vestager said the conduct was “illegal under EU antitrust rules” and had “denied other companies the chance to compete on the merits and to innovate”.

The Commission gave Google 90 days to end the conduct or face penalty payments of up to 5 percent of the average daily worldwide turnover of its parent company, Alphabet. Alphabet holds more than $120 billion in cash, about $73 billion of it in accounts outside Europe.

Google has maintained that it was trying to package its search results in a way that made it easier for consumers to find what they wanted. Google has said it will review the Commission’s decision in detail as it considers an appeal.

The EU has also accused the Silicon Valley giant of abusing its market position by imposing restrictions on Android device manufacturers and mobile network operators.

Talk to GRC Solutions today about our Salt Compliance online training library, including our Competition and Consumer Protection courses.

The human factor

On 19 June, BBC News ran the following story: “Sensitive personal details relating to almost 200 million US citizens have been accidentally exposed by a marketing firm contracted by the Republican National Committee. The 1.1 terabytes of data include birthdates, home addresses, telephone numbers and political views of nearly 62% of the entire US population. The data was available on a publicly accessible Amazon cloud server. Anyone could access the data as long as they had a link to it…”

The database was hosted online without any protection from public access. There is no evidence of malicious intent on the marketing firm’s part, but the fact that the exposure went unnoticed until the security firm UpGuard found it points to the biggest challenge in protecting organisations from cyberattacks and keeping data secure: the human factor.
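The two mistakes that produce this kind of exposure on Amazon S3 are both visible in configuration: an access control list that grants a permission to the AllUsers or AuthenticatedUsers group, or a bucket policy whose Allow statement names everyone (Principal "*") as its principal. The check below is an added example written for this article, not UpGuard’s tooling or anything from the firms involved. It takes the ACL and policy in the shapes the S3 API returns (the sample ACLs, policy documents, account ID and bucket name are constructed for illustration); on a live account you would pass it the response of boto3’s get_bucket_acl() and the "Policy" string from get_bucket_policy(), and the same ACL check applies to get_object_acl() responses, which is where an “anyone with the link can read it” object shows up:

```python
import json

# Grantee URIs that make an S3 ACL public. AllUsers means anyone on the
# internet, no credentials required; AuthenticatedUsers means any AWS account.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}


def acl_findings(acl):
    """acl: dict shaped like an S3 GetBucketAcl / GetObjectAcl response."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        who = PUBLIC_GRANTEES.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and who:
            findings.append(f"ACL grants {grant.get('Permission')} to {who}")
    return findings


def _principal_is_everyone(principal):
    # "*" and {"AWS": "*"} (or a list containing "*") both mean anyone.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_findings(policy_json):
    """policy_json: the bucket policy document as a JSON string."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A conditional public grant (e.g. limited to a source VPC or IP)
            # needs human review; it is not reported as unconditionally open.
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append(f"policy statement {stmt.get('Sid', '<no Sid>')} allows "
                        f"{', '.join(actions)} to everyone")
    return findings


def exposure_report(acl, policy_json):
    """All public-access findings for one bucket, ACL first, then policy."""
    return acl_findings(acl) + policy_findings(policy_json)


# Constructed sample inputs in the shape the S3 API returns (not real buckets).
OWNER = {"Type": "CanonicalUser", "ID": "0000example0000owner0000"}
LOCKED_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
OPEN_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
LOCKED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AnalystRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/analyst"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})

if __name__ == "__main__":
    for name, acl, pol in (("locked", LOCKED_ACL, LOCKED_POLICY),
                           ("open", OPEN_ACL, OPEN_POLICY)):
        print(name, exposure_report(acl, pol) or ["no public access found"])
```

The point of running a check like this on a schedule, rather than relying on whoever uploaded the data to have set the right option, is precisely the human factor: a misclick at upload time should be caught by a control that does not depend on the uploader noticing.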

Cybercrime the number-one threat

Australia’s financial services sector is leading the way when it comes to tackling cyber threats. ASX research into the risks of cyberattacks on Australian businesses shows the majority of boards are alive to the potential impact from the loss of key information and data assets.

But organisations’ increased awareness of cyber threats has been matched by a significant increase in attacks. The WannaCry outbreak in May was described as the biggest ransomware attack in history, infecting more than 230,000 computers in 150 countries. News articles now warn daily of the likelihood of even bigger attacks.

Dan Tehan, Minister Assisting the Prime Minister on cybersecurity says, “Cybercrime is the number one threat that the business community is facing. The cost is conservatively put at $1 billion a year to our economy.” Research undertaken by the Australian Computer Society indicates the average cost of a cyberattack to an Australian business is about $276,000.

Digital literacy

Despite these stark warnings, human error – the risk posed by employees clicking on malicious emails or not changing passwords – is still not adequately addressed. It is estimated that nearly two-thirds of Australian companies see cyber breaches as an “IT issue” rather than a major business risk. While most organisations offer employees some security awareness training, the vast majority of employees have inadequate levels of digital literacy.

The SANS Institute estimates that 95 percent of cyberattacks start with spear phishing emails that target a specific individual. It is really a no-brainer that everyone within an organisation should know the range of issues they need to look out for. A telling example comes from the 2016 US presidential election. Hillary Clinton’s campaign chairman John Podesta’s Gmail account was compromised after a fake email, purporting to come from the URL “”, prompted him to change his password. To this day, many speculate that ongoing hacks and cyber interference damaged Clinton’s campaign beyond repair and cost her the presidency.

Countering carelessness

Cybersecurity is as much about people as it is about technical defence. Everyone – not just IT staff – needs a basic understanding of cyberthreats and how to recognise them. This way, employees are aware of the threats they face and the part they are expected to play in guarding against them. The better informed everyone within an organisation is, the less likely it is that the organisation will fall victim to an attack.

Keep it relevant

As with any training program, relevance is key. Why? The more learning is tailored towards a specific type of firm or job role, the more it will “stick”. Research shows time and again that effective learning is learning that is relevant. In other words, if you don’t find the learning engaging, it is probably not going to sink in.

Talking about which…

Any reputable Cybersecurity training program should, as a minimum, include the following topics:

  • Social engineering (tricking people into giving up sensitive or confidential information)
  • Information handling
  • Phishing (an email that tricks the recipient into opening a malicious link or attachment, or entering credentials on a fake site, giving an attacker a route in)
  • Password management
  • Bring your own device (BYOD)
  • Removable media (e.g. USB keys)
  • Remote working
  • Social media


SAFAA accredited e-learning

GRC Solutions has developed a Cybersecurity CPD course that is accredited by the Stockbrokers and Financial Advisers Association. The e-learning delves into the topics mentioned above and gives a well-rounded overview, including recent cases and financial-services examples. It has been developed with Australian retail and institutional stockbroking firms and investment banks in mind.

The learning platform easily connects to most learning management systems meaning all the benefits of personalised e-learning are there – including reporting capabilities. Individual subscriptions are available as well as a subscription package to a range of RG146 topics.

Salt CPD is not a tick-and-flick exercise: it is a carefully developed program designed to help advisers and brokers grow their skills and maintain high levels of competency.



ACCC: nearly 6,000 businesses affected by scams in 2016

The Australian Competition and Consumer Commission (ACCC)’s Targeting Scams report reveals that Australian businesses lost a total of around $3.8 million due to scams in 2016.

The Report ranks the most common types of scams, including ransomware (where an attacker locks or encrypts a victim’s files and demands payment to restore them), business email compromise schemes, false billing and investment scams. The Report also found that there had been a four-fold increase in hacking scams between 2015 and 2016.

Organisations need to implement measures that protect the data they hold, not only to prevent losses to scammers but also to avoid penalties for possible breaches of relevant laws. For instance, scammers could also gain access to personal information of the customers of the business, which could amount to contraventions of the Privacy Act 1988. Under the Privacy Act, personal information of another must be protected from misuse, interference and loss.

With this in mind, what are some key strategies you can implement to prevent financial loss and potential compliance breaches? Installing data protection software and staying vigilant against suspicious emails is always a good start. But most of all, organisations need to ensure employees are aware of the risks facing the business, their obligations under various laws, and the consequences if the business falls victim to a scam.

GRC Solutions offers a wide-ranging library of Salt Compliance e-learning courses, including Data Protection, Fraud Awareness and Privacy. Contact us today for more information.

Source: ACCC, Targeting Scams report, The Guardian


Wrap-up: RegTech Australia 2017

The recent inaugural RegTech Australia conference, hosted by InnovationAus, saw the leaders of financial institutions get together with regulators and innovators.

As part of this event, Julian Fenwick, Chairman of the RegTech Association and Managing Director of GRC Solutions, moderated a panel discussion about what the industry can expect in the year ahead. The high-profile panel included Jost Stollmann of Tyro Fintech Hub, Westpac Group’s Rebecca Lim, Mark Adams of ASIC and IBM’s Murray Bruce.

The discussion touched on issues that ranged from artificial intelligence and augmented intelligence to data management and staff engagement. Each panel member shared their personal views as to what they envision the future of RegTech holds in Australia and around the globe.

Another highly rated session discussed Australia’s competitive advantage over our Asian neighbours and how to maintain this position. Speakers expressed a need for Australian companies to take a more collaborative approach in order to be seen as truly innovative and cutting edge within the Asia-Pacific region, and to invest more in RegTech start-ups. Australian companies can be too risk averse, which could stifle creativity and growth within the RegTech sector.

RegTech is forging ahead at an incredible pace and we foresee some huge changes in the way the industry operates. GRC Solutions is looking forward to playing a key role in facilitating and enabling the change.

Optus gives undertaking for misleading and deceptive conduct

Optus has given an enforceable undertaking to the Australian Competition and Consumer Commission (ACCC) to compensate its customers who received less data and fewer calls and texts inclusions (“inclusions”) than the advertised offer.

In 2013, Optus had advertised that its prepaid customers would receive certain inclusions for a specified period, upon activating or recharging their SIM cards. Two years later, Optus reduced the inclusions and period of usage. These changes also affected customers who had purchased one of the Optus Prepaid Products before the changes were implemented.

Under Australian Consumer Law (ACL), businesses must not engage in conduct that is likely to mislead or deceive. Optus failed to advise its customers to activate or recharge their SIM cards before a certain date so that they could use the inclusions they were promised at purchase.

Optus has accepted that implementing the reduction in inclusions amounted to misleading and deceptive conduct and false representation under the ACL. It does not matter whether Optus intended to mislead or deceive its customers.

Optus has promised to compensate customers who were affected by its conduct and to not reduce inclusions without meeting certain conditions. Optus has also undertaken to ensure its compliance program accurately reflects its ACL obligations.

Businesses should always ensure their advertisements are based on current and correct information. Customers must always be notified of any changes to products/services so that they can make informed consumer decisions.

GRC Solutions offers a wide-ranging library of Salt Compliance e-learning courses, including Competition and Consumer Protection. Contact us today for more information.

Salt CPD well received at Stockbrokers Conference

Last week’s annual conference organised by the Stockbrokers and Financial Advisers Association (SAFAA) was captivating and thought-provoking. Over two days, industry figureheads and prominent speakers (including former prime minister John Howard) shared their thoughts on the current issues and challenges facing the industry, and on the outlook for Australia.

The event was accompanied by a media frenzy. Over two days, many of the Financial Review’s “most read” articles were derived from insights shared by Magellan Financial Group’s Hamish Douglass and ASIC chairman Greg Medcraft, and from JBWere chief executive Justin Greiner’s views on gender diversity.

The SAFAA Conference also saw the official launch of Salt CPD. As the Association’s official e-learning partner, GRC Solutions displayed a new library of SAFAA-approved professional development courses that tap into the heart of the problems the industry is facing – such as the increased volume of cyber-attacks on financial services and what to make of the current insider trading cases plaguing the profession.

Many practitioners are a few points short of their yearly CPD target and flocked to the GRC Solutions exhibition booth to enrol, or to find out more about the subscription model on offer.

The SAFAA conference was a resounding success and GRC Solutions is proud to have been part of such a well-organised, professional industry event.


GRC Solutions wins LearnX award for tenth straight year by partnering with ANZ

GRC Solutions is very pleased to announce that, in conjunction with ANZ Bank, we have won:

Platinum Award for Best Compliance Training Project at the 2017 LearnX Impact Awards.

The LearnX Impact Awards recognise the exceptional impact of organisational learning, technology and performance in the compliance space.

ANZ has launched a major initiative to invest in training and development across the bank. As part of the program ANZ sought to redevelop its ANZ Compliance Essentials course.

This e-learning course is a core component of the mandatory learning program and is assigned annually to all 60,000 staff members located throughout the bank’s network, in both Australia and other countries.

ANZ selected GRC Solutions to work with them on this project. Given ANZ’s size, global reach and diverse workplace, the requirements for the project were extremely high. ANZ needed a program that maintained the integrity of the compliance content while showcasing its focus on learning and commitment to innovation.
The GRC Solutions team developed interactive, multi-tiered global heat maps that enabled individual learners to self-select relevant content based on their location and job role. The team then created multiple training paths with diverging instances of content to account for differences in compliance responsibilities based on the various locations and role-specific materials, before returning learners to the main learning path.

GRC Solutions is extremely proud to be working with ANZ and for that work to be recognised at the LearnX awards. This is the tenth straight year GRC Solutions’ Salt Compliance training courses have won the “Best Learning Project in Compliance” category.

The LearnX Awards will be presented on September 18 at the Sofitel Sydney Wentworth, following the annual LearnX Conference.


What Privacy Awareness Week means for you

Privacy Awareness Week (PAW) ran between 15 and 19 May and is intended to promote awareness of privacy issues and the importance of protecting personal information. This year’s theme for PAW is “Trust and Transparency”, promoting the importance of organisations handling personal information with care.

PAW is an initiative of the Asia Pacific Privacy Authorities, of which the Office of the Australian Information Commissioner (OAIC) is a member.

In Australia, the Privacy Act 1988 regulates how personal information is handled. The Act contains the Australian Privacy Principles, which outline how APP entities, including businesses and government agencies, must handle, use and manage personal information.

Privacy is a hot topic in Australia, thanks to several recent high-profile cases. This includes journalist Ben Grubb’s case in which he unsuccessfully argued that metadata constituted personal information.

Moreover, there is heightened interest in privacy following the announcement that a new privacy reform will come into effect next year. The mandatory data breach notification obligation will require APP entities to report eligible breaches involving people’s personal information to both the OAIC and the individuals affected.

This mandatory reporting obligation aims to empower individuals whose personal information has been disclosed due to data breach to take appropriate measures to prevent or reduce financial loss or identity theft.

Privacy concerns have also reared their head because of recent international cyber incidents, such as the WannaCry ransomware attack. The attack affected a wide range of operations, including the UK’s National Health Service, where medical operations were cancelled after patients’ records became unavailable.

The OAIC has released a survey about privacy called “Australian Community Attitudes to Privacy Survey (Privacy Survey) Report”. The OAIC has found that 69% of the community feels that the biggest risk for privacy revolves around online services.

GRC Solutions offers a wide-ranging library of Salt Compliance e-learning courses, including Privacy. Contact us today for more information.

Source: Privacy Awareness Week, OAIC, The Guardian, Federal Register of Legislation

Australia’s largest private hospital operator in court for alleged anti-competitive conduct

The Australian Competition and Consumer Commission has commenced a Federal Court action against Ramsay Health Care (Ramsay Health) for allegedly breaching the anti-competitive provisions of the Competition and Consumer Act (CCA).

Ramsay Health is Australia’s largest private hospital operator, with substantial market power in the private health industry. It runs the only private hospital and day surgery facilities in the Coffs Harbour region.

Ramsay Health executives are alleged to have threatened to restrict or withdraw surgeons’ access to its operating theatres in Coffs Harbour if they established a competing surgical facility there.

Under the CCA, businesses with substantial market power like Ramsay Health are prohibited from taking advantage of that power for illegal purposes when dealing with customers, suppliers and competitors.

The ACCC alleges that Ramsay Health, by seeking to deter surgeons from starting a competing surgical facility, has misused its market power and engaged in anti-competitive conduct in breach of the CCA.

The competition regulator expressed concern that Ramsay Health’s conduct puts consumers at a disadvantage, because there will be no competitive pricing for surgeries if businesses are deterred from entering the market.

Businesses with substantial market power must not engage in conduct that causes damage to other businesses, or deters either entry to the market or competition.

GRC Solutions offers a wide-ranging library of Salt Compliance e-learning courses, including Competition and Consumer Law. Contact us today for more information.

Source: ACCC

28 April is World Day for Safety and Health at Work

The World Day for Safety and Health at Work takes place on 28 April, highlighting both the right and the role we all have in making our work environments safe and healthy.

The day, which was first declared by the International Labour Organisation (ILO) in 2003, is an opportunity to focus on what we can all do to prevent work-related injuries, illnesses and deaths.

While work-related fatality rates in Australia are declining, Safe Work Australia still reported that there were 178 fatalities in 2016.

The ILO is using the event to promote the importance of collecting reliable data on health and safety, citing the “critical need for countries to improve their capacity to collect and utilise reliable occupational safety and health (OSH) data.”

Work health and safety has long been a focus for GRC Solutions, which offers compliance training on the topic for Australia and New Zealand.

New Salt Compliance course on Work Health and Safety (Australia)

On 1 June 2017, GRC Solutions will be launching a new Australian Work Health and Safety (WHS) course, which makes the key concepts of work health and safety more succinct and engaging than ever. This course follows the updated New Zealand WHS course that we released late last year to comply with the new legislation in New Zealand.

The course, which is based on the harmonised Model Laws, places the law in practical context, helping learners understand their workplace health and safety duties and obligations.

Learners will discover how to identify and respond to everyday WHS risks and what to do when a notifiable incident occurs.

All-new scenarios will help you gauge your understanding of each learning outcome. New case studies and formal assessment quiz questions keep you engaged while you learn about the technical details, from PCBUs and health and safety inspectors to enforceable undertakings.

A visually rich new design gives the training a fresh look and feel.

Where possible, we have designated modules to specific responsibilities, so that learners only train in content that is relevant to them.

Sources: Safe Work Australia, International Labour Organisation


Proposed changes to Australian foreign bribery laws

The Australian Government has proposed major new foreign bribery laws to overcome challenges in enforcing Australian foreign bribery law.

The proposed amendments include the following:

  • A new offence where the accused recklessly bribes a foreign official
  • A new corporate offence for failing to prevent foreign bribery.

This offence would follow a similar provision of the UK Bribery Act, making companies automatically liable where their employees, contractors or agents bribe foreign public officials. Companies may be able to raise a defence if they have adequate procedures in place, such as internal controls and a compliance program, to prevent bribery from occurring.

  • Introduction of the concept of “improperly influencing” a foreign official to obtain an advantage

The Government intends for this new concept to overcome the difficulty of proving that the benefit was “not legitimately due” given that most bribes are disguised as legitimate payments. There are various factors included in the proposal that can be taken into consideration, such as the nature and value of the benefit, in determining whether the accused has “improperly influenced” the relevant officials.

  • The advantage is not required to be gained by the accused and may include a non-business advantage. A person who pays a bribe will still be liable even if the benefit does not flow to them directly, and the advantage sought need not be a business advantage.

If these changes go ahead, they will not only bolster the Government’s aim of creating tougher anti-bribery laws; they will give organisations added incentive to develop adequate compliance programs.

Source: Attorney-General’s Department

Apple sued for alleged breach of the Australian Consumer Law

The Australian Competition and Consumer Commission (ACCC) has commenced proceedings against Apple, alleging that Apple has made false, misleading or deceptive representations regarding consumer rights.

Apple customers had complained about an error (error 53) which disabled their devices after updating software. The ACCC’s investigation found that Apple had told customers their devices could not be repaired if they had previously been worked on by non-Apple technicians. Apple has since provided customers with remedies for error 53 but the ACCC is concerned with Apple’s misrepresentations about consumer guarantees.
The Australian Consumer Law (ACL) includes consumer guarantees that the quality and other characteristics of goods and services are of an acceptable standard. This is in addition to the manufacturers’ warranties, such as Apple’s one-year limited warranty and Apple Care protection.

Unlike manufacturers’ warranties, the ACL’s consumer guarantees are not limited to a fixed warranty period and cannot be excluded by agreement. In this case, the fact that some Apple customers had their devices repaired by a third party does not negate their right to have their devices later repaired by Apple.

Apple has previously given a court-enforceable undertaking that it would comply with the ACL by educating its employees and consumers about the statutory consumer guarantees. The regulator’s action highlights the importance for businesses of ensuring they have policies that comply with the law. But businesses should also ensure that their policies are effective, by educating their employees about the underlying laws.

Talk to GRC Solutions today about our Salt Compliance online training library, including our Competition and Consumer Protection courses.

Source: ACCC, Sydney Morning Herald


Data breach reporting passed into law

Australian entities that hold personal information about individuals will soon be required to notify those individuals if that information is compromised.

The Privacy Amendment (Notifiable Data Breaches) Bill 2016 (“the Bill”) has recently passed both houses of Parliament and received Royal Assent, and the new scheme commences on 22 February 2018. It is hoped that the new reporting requirements are a step forward in the fight to protect personal information.

The Bill shows the growing importance of data protection in the face of cyber threats, and follows the 2015 release of ASIC’s Cyber Resilience: Health Check Report. The report highlighted the importance of preparedness against cyber attacks.

What is the purpose of the Data Breach Bill?

Cyber security and the protection of personal information has been a growing concern globally for a number of years. Cyber attacks to obtain, use and disclose the private information of individuals are continuing to increase, in both number and severity. Unauthorised access to personal information is particularly damaging where the individual is unaware that a breach has occurred and therefore cannot take steps to minimise its impact.

The purpose of the Bill is to impose mandatory reporting provisions on entities that are currently regulated by the Privacy Act 1988. The reporting provisions create a legal requirement for entities to notify both the individual(s) affected and the Office of the Australian Information Commissioner (OAIC) where they have reasonable grounds to believe there has been an eligible breach of personal information.

It is intended that the data breach reporting requirement will allow individuals whose personal information has been compromised the opportunity to take proactive steps to protect their interests. It is also hoped that the requirement, and the potential implications for an entity’s reputation or standing, will encourage the relevant entities to treat the protection of their client’s personal information as a priority.

What is an eligible data breach and when does a reporting obligation arise?

A data breach is an eligible data breach in the context of reporting obligations where:

  • There has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure; and
  • A reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure.

Whether the effect of the breach constitutes serious harm will require an assessment of the particular circumstances. Parliament has identified severe physical, psychological, emotional, economic and financial harm, along with serious harm to reputation, as examples of where serious harm may occur. However, some entities have already raised concerns about the ambiguity of this assessment threshold. It is likely that this will need to be tested in the courts to a degree before the reporting mandate is clear.

In a circumstance where an entity suspects but does not have reasonable grounds to believe that an eligible data breach has occurred the entity must, within 30 days, carry out “a reasonable and expeditious assessment of whether the relevant circumstances constitute an eligible data breach of the entity”.

Notification requirements

Once an entity has reasonable grounds to believe an eligible data breach has occurred, it must prepare a statement describing the breach and the steps individuals should take in response, give a copy to the OAIC and, where practicable, notify the contents of the statement to

  • Each individual to whom the personal information relates; and
  • Each individual considered to be at risk from the eligible data breach;

using the method it would usually employ to communicate with the individual.

If it is not practicable to notify the individuals using the above method, the entity must attempt to do so by publishing the statement on the entity’s website and take any other reasonable steps necessary to publicise the details of the breach to ensure those affected are notified.

Remedial Action

There are a number of exceptions to the reporting requirement under the Bill. One exception is where the entity has taken remedial steps to mitigate the breach, before any serious harm has occurred. The entity will not be required to notify the individual(s) concerned or the OAIC where, as a result of that remedial action a reasonable person would conclude that the unauthorised access or unauthorised disclosure is unlikely to result in serious harm to them.

Consequences for failure to comply

Where an entity has reasonable grounds to believe that an eligible data breach has occurred and fails to meet its reporting obligations, this will be considered an interference with the privacy of an individual for the purposes of the Privacy Act. In such a situation the OAIC will be able to invoke its existing powers to investigate, make determinations and provide remedies in relation to suspected non-compliance.

The Implications for AFSL holders

ASIC has in recent times highlighted the importance of an AFSL holder being vigilant about the protection of its clients’ data. It is a critical part of an AFSL holder’s obligations to have considered the risks to its business and clients from cyber threats and to have identified any weaknesses or areas of particular concern in its current business structure. This may include an audit of IT and data protections by a specialist firm.

Once clear about the cyber risks it faces, the AFSL holder needs to take steps to be resilient to cyber attacks. This will include developing a response plan and, in some circumstances, implementing stronger protection software and IT systems. The AFSL holder’s response plan for a data breach should set out, to the extent possible, the information and mitigation advice to be given to clients if a data breach occurs, as well as how that information will be disseminated. The more quickly the client receives this information, the more likely it is that the client’s mitigation steps will be effective against the breach.

ASIC is clear that an AFSL holder’s ability to respond to, mitigate and recover from a cyber attack will hinge on plans put in place by the AFSL holder before such an attack occurs.

Where to from here?

While the reporting requirement is a step in the right direction, some industry groups do not believe it goes far enough to protect client privacy. Issues that have been raised in respect of the data breach laws include: that the obligation only applies to limited types of entities, the high threshold for determining ‘serious harm’ and the exceptions that apply to the obligation. Time will tell whether the data breach laws are effective in their current form.

This article only summarises the Bill and its requirements.

Please contact Sophie Grace for a more detailed discussion about whether the reporting requirements apply to you, and what your obligations may be.

About the author

Victoria Dryden – Lawyer

Victoria works primarily with the legal services team at Sophie Grace Legal Pty Ltd and assists in the drafting and review of legal documentation for participants in the financial services industry. Victoria also supports the Compliance Consultants in the provision of AFSL, ACL and ongoing compliance services to clients. Victoria provides advice and legal services to clients and assists with the preparation of legal documentation, negotiation and advocacy on behalf of clients. Victoria also assists in implementing ongoing compliance support and the preparation of AFSL and ACL applications and variations. Victoria is admitted as a Barrister and Solicitor in New Zealand and a Solicitor in New South Wales.

Bringing down the house: analysis of four key real estate markets shows Australia most vulnerable to money laundering

Anti-money laundering is an issue all companies must take seriously. A new Transparency International report found that Australia’s real estate sector has major anti-money laundering deficiencies. The report identified 10 main legal loopholes and regulatory shortcomings that allow criminals to launder their proceeds by purchasing luxury properties in Australia, Canada, the UK and the US. Australia was the only country assessed to be rated as deficient in all 10 areas.

Currently, in Australia, real estate agents are outside the scope of anti-money laundering law and have no due diligence or reporting obligations. Although property purchasers’ nationalities are relevant for stamp duty purposes, there are no rules or requirements for checking for PEPs (or their associates), or for the beneficial owners of foreign entity purchasers. Other parties who are commonly involved in the buying and selling of real estate, such as developers, lawyers and accountants, are also not covered by anti-money laundering rules, leaving the onus for customer due diligence and suspicious transaction reporting on financial institutions.

The real estate market has always been popular with criminals as an avenue through which to launder or invest stolen money or other illegally obtained funds, especially in cities with high, stable property values such as New York, London and Paris. In March 2017, The Australian reported that almost 80 percent of foreign demand for housing in NSW was from Chinese buyers, and in 2016 chief executive Charles Pittar said that 70 percent of the Chinese property buyers his company deals with pay with cash.

Transparency International has recommended several reforms to rectify the deficiencies, including widening the scope of anti-money laundering provisions to include entities involved in real estate transactions and enforcing identification procedures on foreign buyers of property.

Are you up to date on your AML/CTF obligations? Contact GRC Solutions today for information about our off-the-shelf and custom online compliance training on customer due diligence, monitoring and reporting obligations and other AML risks.


Sources: Transparency International, BoingBoing, SBS News, The Australian

New Australian RegTech Association launches in style

The new RegTech Association launched in spectacular style on Thursday 31 March with “a clear vision to make Australia a global leader in building higher performing, ethical and compliant businesses through RegTech innovation and investment”.

The event, held at Allens Linklaters in Deutsche Bank Place Sydney, was a coming together of “early true believers” in the productive unification of regulation with technology, as Association Chairman (and Managing Director of GRC Solutions) Julian Fenwick put it.

In his introductory address, Mark Adams (SEL – Strategic Intelligence, ASIC) praised the inaugural event and Association founding, highlighting ASIC’s openness to fostering collaborative pathways.

Matt Symons (Director, Red Marker) followed up in his keynote address by thanking Adams, declaring, “I think it’s terrific that you as the regulator are here”. He encouraged everyone to “take out an entrepreneur” from the event for lunch over the next twelve months, ask questions and learn how RegTech can support their organisations.

For the main part of the event, Danny Gilligan (MD, Reinventure Group) moderated a panel session consisting of Anthony Quinn (CEO, Arctic Intelligence), Lisa Schutz (CEO, Verifier), Karen Malzard (Head of Risk, ANZ Wealth) and Annick Donat (CEO, Madison Financial Group).

Discussion was lively, as panellists noted how quickly RegTech had surfaced as a topic of interest worldwide. Anthony Quinn attributed this in part to the “number of scandals” such as the Panama Papers that had rocked the financial services sector globally, which has led to the need for greater compliance frameworks and a “significant increase in the number of local and international regulations”.

Malzard observed a common complaint about the proliferation of regulations, commenting that “to run a super fund in Australia you have to deal with six different regulators”. She suggested that the solution to this problem should not involve “throwing more people at it”, but coming up with effective tools, which lay at the heart of the modern RegTech debate.

Annick Donat believes that there is “reg fatigue”, which technology can help to ease.

Gilligan picked up this theme, noting how technology has caused an “increasing liquidity and mobility of data” which makes “automated reporting” easier to achieve.

Malzard also took up the idea that RegTech is facilitating standard protocols for data protection and reporting: “Our data is the crown jewel, and we will protect it…working with the regulator to maintain that protection”.

Trust was another theme, as panellists noted the need to challenge the perception that everyone in the financial services sector is criminal and untrustworthy.

Donat enthused that RegTech could help “create a social movement” that will “change behaviour”. “RegTech done well”, she said, will “amplify positive behaviour”.

She added that RegTech can also help regulators extract big data on behavioural trends. “Regulators spend an inordinate amount of time investigating”. RegTech is a “great opportunity for regulators to analyse behaviours”.

Lisa Schutz argued that RegTech was capable of not only “exporting trust” but also “exporting identity”, showcasing organisations and entrepreneurs that are trustworthy and compliant.

Answering a question from the floor about how RegTech can produce innovation (not just automation of processes), Julian Fenwick declared that “the way we encourage innovation is through the collaboration piece” enabled by the Association, which he said can be “the central point to take your problems”.

The formal part of the evening concluded with a ‘speed dating-style’ session in which members of the Association took turns to stand up and introduce their innovative businesses to the engaged and enthralled audience.


TABCORP slammed with AUD$45 million penalty for anti-money laundering violations

Gambling corporation TABCORP has agreed to pay AUSTRAC (the Australian Transaction Reports and Analysis Centre) an AUD$45 million penalty after failing to comply with anti-money laundering regulations. It is the largest civil penalty ever imposed in corporate Australia.

Federal Court judge Nye Perram yesterday ruled that TABCORP had contravened the Anti-Money Laundering and Counter-Terrorism Financing Act 108 times over more than five years.

While TABCORP did not deliberately seek to mislead AUSTRAC, it has admitted it failed to report suspicious gambling activities.

Examples include failing to identify a customer who won $100,000 and failing to lodge the required information with the agency within the time required by law.

Another example was a series of “credit betting incidents”, in which a TABCORP agent approved a line of credit to a customer, which is illegal.

“The penalty of $45 million sends an unequivocal message to the financial and gambling sectors in this country, if you don’t take your AML (anti-money laundering) and CTF (counter-terrorism financing) obligations seriously, we will take action,” AUSTRAC Chief Executive Paul Jevtovic said on Thursday.

It’s not the first time AUSTRAC has taken action against TABCORP, having previously done so in 2015.

The size of this penalty will be a wakeup call for other companies to take their money laundering and terrorism financing obligations seriously.

Sources: The Australian, Sky News

GRC Solutions’ Certified Compliance Professional courses in Nairobi and Dubai a big success

The GRC Solutions Singapore team has conducted another two highly successful runs of the Certified Compliance Professional course, in Nairobi, Kenya and Dubai, UAE.

Training a total of 18 compliance practitioners across these jurisdictions, GRC Solutions continues to prove a valuable partner to the compliance profession, working alongside industry and regulators to upskill individuals and advance thought leadership across the industry.

The five-day Certified Compliance Professional course is accredited by the International Academy of Business and Financial Management. The content aligns with the guidelines and principles of the ISO 19600 Compliance Management Standard.

The course covers both organisational and individual development, with the aim of providing participants with the skills and knowledge to advance to a mature, sustainable state of compliance effectiveness. Participants gain an understanding of strategic compliance, moving away from tactical responses towards significant organisational change.

The course also places the challenges of managing business risk and compliance requirements within the context of the broader regulatory environment, considering the dangers posed by poor conduct risk and compliance culture, financial crime and terrorist financing.

The workshops received acclaim for the way they combined theory with case studies and real-life examples to tie the concepts to practical actions.

A participant from Nairobi said, “The program was relevant and exciting”, with another exclaiming, “The training is very good with lots of information and examples”.

In Dubai, one participant said:

“The real insights of market knowledge and case studies were useful. The trainer knowledge was up to date and the real-life examples were related well to the key concepts in the Compliance Risk, AML and Governance area.”

Another declared:

“Sam Gibbins is an excellent trainer, he is clear, accurate, eloquent and made the long and hard course quite fun and digestible. His information was updated, engaging and relevant to the participants. Sam did a great job in making the…sessions fun as well.”

Further runs of the Certified Compliance Professional course are due to take place in Harare, Zimbabwe (March), Kuwait (May), Ghana (May), and Johannesburg, RSA (July).

Contact us for further information on any of these programs or our other offerings, including our extensive library of online courseware and tailored content.

We look forward to seeing you on one of our courses soon!

Jetstar and Virgin ordered to pay fine for misleading “drip pricing” practices

The Federal Court has fined Jetstar Airways AUD$545,000 and Virgin Australia AUD$200,000 for breaching the Australian Consumer Law. Both companies were penalised for drip pricing, whereby customers are drawn in by the promise of cheap products only to be saddled with additional fees and charges.

Drip pricing is the practice of advertising an attractive price for goods or services and then charging the consumer additional fees on top of the originally advertised price. These fees are often unavoidable, and they are added incrementally to the cost of the goods or services the further the consumer proceeds through the purchase process.

The ACCC investigated the airlines after becoming concerned that the companies had failed to adequately disclose the extra fees. This left consumers to pay higher prices than those advertised, or more than they intended.

Both Jetstar and Virgin have been implicated in separate instances of misleading advertising over the past three years.

In 2014 the ACCC was unsuccessful in establishing that misrepresentations were made by Jetstar on its website and in its promotional emails.

In a statement, ACCC Chairman Rod Sims warned that consumer guarantees in the airline industry are firmly on the corporate watchdog’s radar.

GRC Solutions’ Competition and Consumer Protection online compliance training modules can bring your staff up to speed on how to avoid false advertising and misleading and deceptive conduct.

Contact us today for more information about our off-the-shelf and customised offerings.


Sources: ACCC; Gizmodo

OzHarvest CEO CookOff 2017

From GRC Solutions CEO Julian Fenwick: Thank you to all those who supported me again in this year’s OzHarvest.

The combined culinary skills and fundraising efforts of Australia’s top chefs and CEOs came to fruition as close to $1.7 million was raised at OzHarvest’s CEO CookOff held at The Cutaway, Barangaroo. The fundraising total will allow OzHarvest to deliver 3.4 million meals to help feed vulnerable people across Australia. Over one thousand special guests from charitable agencies supported by OzHarvest enjoyed a variety of gourmet meals prepared and served by teams of CEOs under the guidance of celebrity chefs, Neil Perry, Matt Moran, Peter Gilmore and Paul Carmichael to name a few. I was lucky enough to get to cook with Paul Carmichael who taught us how to make a delicious chicken pozole.

OzHarvest Founder and CEO, Ronni Kahn said the flagship fundraiser allows OzHarvest to rescue and redistribute more fresh food, helping to feed people in need at over 900 charities across Australia. Two million people seek food relief each year and many agencies say they could take double to meet demand.

We were also treated to a surprise performance from Aussie music legend, Jimmy Barnes. Donations can still be made to OzHarvest at

Hong Kong’s former leader, Donald Tsang, jailed for 20 months for misconduct

Hong Kong’s former Chief Executive, Donald Tsang Yam-kuen, has become the city’s highest ranked official to be put behind bars.

Mr Tsang, 72, was found guilty of misconduct in public office for failing to disclose a conflict of interest involving a property developer, Bill Wong Cho-bao, and the granting of broadcast licences.

The high-profile six-week trial centred on Mr Tsang’s purchase of a luxury three-storey apartment from Mr Wong, which he failed to disclose when he approved three applications for radio broadcast licences for Wave Media, a company in which Mr Wong had a 20 per cent stake.

The jury concluded Mr Tsang had deliberately concealed his connection to the developer. But they acquitted him of a related misconduct charge involving an interior designer that he nominated for an official honour without declaring that the same designer had renovated his apartment.

The jury could not reach a majority verdict for a bribery charge, again involving the same apartment and property developer. The charge is set to be retried in September.

In handing down the sentence, the judge, Justice Chan, credited Mr Tsang’s dedicated and extensive public service but added that the seriousness of the case was due to Mr Tsang’s official position and the trust placed in him by the people of Hong Kong and China.

The case comes at a time when the public is increasingly interested in the links between public officials and business people, raising suspicions over bribery, corruption and abuse of power.

In 2014, Mr Tsang’s deputy, Rafael Hui, was convicted of misconduct in public office over his own dealings with a billionaire property developer. Hong Kong’s current leader, Leung Chun-ying, is also facing corruption allegations relating to bribery involving Australian engineering firm UGL.

GRC Solutions offers an extensive library of online compliance training courses, including Anti-Bribery and Corruption training. Contact us today for more information about our off-the-shelf and customised course offerings.


Privacy laws are tightening

A new amendment to privacy laws will require organisations to notify customers of data breaches.

The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed by Parliament on 13 February 2017. The amendment requires organisations to notify individuals and the Australian Information Commissioner where data breaches are likely to result in serious harm.

Failure to comply with the new provisions will incur the same penalties as those for breaching existing privacy law, which includes compensation payments and civil penalties of up to AUD$1.8 million.

The amendment comes at a time of heightened focus on privacy law in Australia and New Zealand. In January, the Federal Court of Australia further clarified the meaning of “personal information” in the Privacy Act, while just last week, the New Zealand Privacy Commissioner recommended stronger penalties for serious data breaches in that country.

Privacy laws also drew media interest recently over so-called ‘metadata’ held by telecommunications companies for access by government agencies. Metadata includes information such as location data stored by mobile phones.

Journalist Ben Grubb took Telstra to court after the telco’s privacy department refused to grant him access to the same metadata it retains for access by government agencies on request.

Grubb argued that he had a right to this metadata because it related to his own personal information, which is the fundamental concept of privacy laws.

The court upheld Telstra’s claim that metadata connected to Grubb’s mobile phone was not specifically about Grubb and so did not amount to personal information.

It should be noted that the Grubb/Telstra case was decided under the earlier version of the Privacy Act.

The date on which the mandatory data breach notification amendment will commence is not yet known, but it will be within twelve months of Royal Assent.

Sources: Parliament of Australia, Gizmodo

Samsung chief Lee Jae-yong arrested on bribery and corruption charges

The de facto head of the Samsung empire, Lee Jae-yong, has been arrested and is facing corruption charges relating to bribery, embezzlement, illegal transfer of overseas assets and perjury.

The charges against Mr Lee, known as Jay Y. Lee in many business circles, connect to the national bribery and corruption scandal that led to the impeachment of South Korean President Park Geun-hye in December 2016.

In January 2017, a South Korean court denied an arrest warrant for Mr Lee, citing a lack of evidence. However, investigators have since collected additional evidence and presented it to Judge Han Jeong-seok, who found there were now sufficient grounds to issue the warrant.

Investigators have accused Mr Lee and Samsung of paying bribes totalling AUD$47 million (43 billion Korean won) to President Park’s associate, Choi Soon-sil, to secure government support for the merger of two Samsung affiliates in 2015.

The complex case is exceptionally significant for South Korea’s increasing attempts to target pervasive business and government collusion. If Ms Park’s impeachment is upheld by the Constitutional Court in coming weeks, she will become the country’s first democratically elected leader forced from office.

Samsung is the largest and most profitable family-owned conglomerate, or chaebol, in South Korea, accounting for around 20 percent of the country’s GDP. Mr Lee inherited the reins of the company in 2014 from his father, Lee Kun-hee, who was twice convicted of financial crimes but received suspended sentences and was presidentially pardoned.

While many Koreans fear the high-profile case will hurt the national economy, others welcome the move as a sign that powerful chaebol bosses will increasingly be held accountable for their actions.

GRC Solutions offers an extensive library of online compliance training courses, including Anti-Bribery and Corruption training. Contact us today for more information about our off-the-shelf and customised course offerings.


Sources: The SMH

GRC Solutions appointed eLearning partner for Stockbrokers and Financial Advisers Association

Wednesday 22nd February, Sydney, Australia. In a joint first, GRC Solutions, a global leader in innovative compliance training, has been appointed e-learning partner for the Stockbrokers and Financial Advisers Association (SAFAA).

The partnership coincides with last week’s announcement by Kelly O’Dwyer, Minister for Revenue and Financial Services, that new requirements to raise the competency and ethical conduct standards of financial advisers will commence on 1 January 2019. This includes compulsory education requirements for new and existing financial advisers, supervision conditions for new advisers, an industry-wide benchmark exam and a code of ethics as part of the mandate.

GRC will be offering an array of new online courses tailored specifically for SAFAA’s members, including practitioners who provide tax advice.

“The team at GRC Solutions is thrilled to be partnering with such a highly-regarded industry body,” says GRC Solutions’ Managing Director Julian Fenwick. “The partnership aligns with our focus on servicing the financial services market with high quality, professional compliance and regulatory training.”

Andrew Green, Chief Executive of SAFAA, says, “We already provide education and training that sets the benchmark in the financial services industry. This new e-learning partnership with GRC will provide members with access to courses that lift the bar even higher.”

Internationally, GRC also recently announced the appointment of Hong Kong’s HJ Innoxcell as its e-learning affiliate. The partnership improves access to quality compliance e-learning in the Asian market and further consolidates GRC’s strong presence in the region, supported by the Singapore office.

Deutsche Bank fined A$833 million for inadequate anti-money laundering controls

Deutsche Bank has been fined by both UK and US authorities for failing to implement proper anti-money laundering control frameworks, which resulted in clients illegally moving A$13 billion out of Russia.

Britain’s Financial Conduct Authority (FCA) fined Deutsche Bank A$271 million and the New York Department of Financial Services fined them A$562 million. The authorities cited significant deficits in Deutsche Bank’s global anti-money laundering framework, including inadequate customer due diligence processes and deficient anti-money laundering policies and procedures.

Without sufficient customer information, risk assessment processes and transaction monitoring are ineffective.

As a consequence of these failings, unidentified customers were able to transfer around A$13 billion from Russia to offshore bank accounts using ‘mirror trades’. In these trades, clients purchased shares in roubles in Moscow and the same stocks were then sold through Deutsche Bank’s London branch for US dollars.

Whilst ‘mirror trades’ can be legal, the FCA said that the “covert transfer of those funds out of Russia” and lack of economic purpose was highly suggestive of financial crime. The trades also highlighted the lack of anti-money laundering controls in place at Deutsche Bank.

In imposing its largest ever penalty for anti-money laundering control failings, the FCA said that Deutsche Bank’s failures had exposed the UK and global financial systems to serious risk. The size of the fines reflects the seriousness of those failings.

Criminal investigations by the US Department of Justice and other regulators and law enforcement authorities are ongoing.

This case highlights the complexity of anti-money laundering regulations. GRC Solutions offers an extensive library of online compliance training courses, including Anti-Money Laundering training. Contact us today for more information about our off-the-shelf and customised course offerings.

Sources: The Guardian; BBC

Korean court denies arrest warrant for Samsung head Lee Jae-yong following bribery and corruption probe

A South Korean court has cited a lack of evidence in denying an arrest warrant for Lee Jae-yong, also known as Jay Y. Lee, the heir-apparent to the Samsung Group empire. Mr Lee was accused of involvement in a national bribery and corruption scandal that led to the impeachment of South Korean President Park Geun-hye in December 2016.

Mr Lee faced charges of bribery, embezzlement and perjury, as Samsung is accused of having paid bribes of nearly US$36.6 million (43 billion Korean won) in exchange for governmental backing of a merger of two Samsung affiliates in 2015. Prosecutors allege that these bribes would ultimately help transfer control of Samsung to Mr Lee.

The case is part of an ongoing investigation into the actions of Ms Park and close associate, Choi Soon-sil. Ms Park is accused of working with Ms Choi to exchange favours with companies such as Samsung for bribes paid to non-profit foundations backing presidential initiatives. Samsung has admitted to providing funds to such foundations but has consistently denied receiving any business favours.

The denial of the warrant is expected to hamper authorities’ efforts to further investigate Ms Park’s involvement in the bribery scandal.

Mr Lee is part of the third generation of the Lee family to control the Samsung conglomerate. He was widely viewed as spearheading a new style of transparent business, following his father’s own troubled history. Mr Lee’s father, Lee Kun-hee, was convicted of embezzlement and tax evasion but was pardoned twice.

While some business groups are concerned about the impact of the bribery probe on the nation’s economy, many civil organisations are appalled at the growing evidence of ongoing collusion between business and the government.

GRC Solutions offers an extensive library of online compliance training courses, including Anti-Bribery and Corruption training. Contact us today for more information about our off-the-shelf and customised course offerings.

Rolls-Royce fined AUD$1.1 billion in bribery and corruption crackdown


Rolls-Royce has paid $1.1 billion to settle bribery and corruption investigations with authorities in Britain, the United States and Brazil.

The investigation into Rolls-Royce by the US Department of Justice and the UK Serious Fraud Office came following a joint exposé from Fairfax Media and The Huffington Post into Unaoil, a Monaco-based oil industry fixer.

The wide-ranging bribery and corruption investigations revealed that billions of dollars in government contracts were awarded to a number of companies, including Rolls-Royce and an offshore arm of Australian company Leighton Holdings (now CIMIC), as a direct result of bribes.

The US and UK fines were the result of a Deferred Prosecution Agreement (DPA), under which a company can admit wrongdoing and avoid prosecution provided it meets agreed conditions. For Britain’s Serious Fraud Office (SFO), it was the biggest settlement to date.

Australian authorities are involved in an ongoing global joint investigation with the FBI, US Department of Justice and the SFO into pervasive bribery in the oil industry, particularly involving Unaoil.

The Australian Federal Government is now considering introducing a DPA scheme following the settlement successes in the Rolls-Royce case.

This is not the first bribery and corruption scandal that Rolls-Royce has faced. Increasingly serious regulations and ongoing global cooperation in bribery and corruption investigations highlight the importance of all organisations tackling bribery and corruption throughout their operations.

GRC Solutions offers an extensive library of online compliance training courses, including Anti-Bribery and Corruption training. Contact us today for more information about our off-the-shelf and customised course offerings.




Singapore jails Swiss bank’s ex-manager in multinational money laundering crackdown

A former manager at a Swiss private bank has been sentenced to 28 weeks in jail and fined AUD$120,000 for breaching Singapore’s anti-money laundering regulations.

Early this year, a Singapore court found Jens Sturzenegger, a former branch manager at Falcon Private Bank, guilty of six charges including failing to report suspicious transactions totalling more than $1.7 billion.

Sturzenegger, a Swiss national, is the first foreigner to be charged in Singapore in the ongoing money laundering investigation into Malaysian state investment fund 1Malaysia Development Berhad (1MDB).

1MDB, founded by Malaysian Prime Minister Najib Razak, is at the centre of money laundering investigations in at least six countries, including Singapore and the United States. Over $4.76 billion is alleged to have been misappropriated from the fund by people close to Razak.

Sturzenegger pleaded guilty to six counts, including lying to police and the Monetary Authority of Singapore (MAS) about his connections to financier Low Taek Jho, a key figure at the centre of the international money laundering investigations into 1MDB.

In October 2016, MAS shut down and withdrew Falcon Private Bank’s Singapore banking licence and imposed a fine of $4.05 million for breaching money laundering and terrorism financing regulations. Fines were also imposed on DBS Bank and UBS for similar regulatory breaches.

GRC Solutions offers an extensive library of online compliance training courses, including Anti-Money Laundering training with specific regional courses for Singapore and Malaysia. Contact us today for more information about our off-the-shelf and customised course offerings.

Sources: ABC News; The Straits Times; The Straits Times


More pain for Nurofen with fine increased to AUD$6 million

Pharmaceutical company Reckitt Benckiser is set to pay the highest penalty ever awarded for misleading consumers in Australia over its Nurofen products.

Earlier this year, the Australian Competition and Consumer Commission (ACCC) sued Reckitt Benckiser for misleading consumers about its “specific pain” product range. The “specific pain” products were marketed as “targeting” specific types of pain and set at a higher price than regular Nurofen.

In fact, all the “specific pain” products contained the same dose of the same active ingredient, ibuprofen lysine 342 mg.

The Federal Court condemned the marketing strategy, which the company had persisted with for five years, as being “designed around the creation and promotion of a fiction of difference and choice where none existed”. It also noted that the way the products were marketed created a risk of double-dosing: for example, people suffering different types of pain might take both tablets believing them to each target a specific type of pain, when there was no additional benefit.

The Court ordered Reckitt Benckiser to remove all Nurofen specific pain products from sale within three months and post corrective notices. In December 2016, it increased the company’s fine to $6 million, up from $1.7 million.

Reckitt Benckiser insists it did not intend to mislead consumers, “however, we recognise that we could have done more to assist our consumers in navigating the Nurofen Pain Specific Range.”

The Productivity Commission recently recommended that fines for consumer law breaches should be increased to match the $10 million fine for competition law breaches.

According to ACCC chairman Rod Sims, the ACCC has recently started legal proceedings for a number of similar cases.

GRC Solutions’ Competition and Consumer Protection online compliance training modules can bring your staff up to speed on how to avoid false advertising and misleading and deceptive conduct. Contact us today for more information about our off-the-shelf and customised offerings.

Sources: ABC News; the AFR.


GRC Solutions Wins Silver in the 2016 Brandon Hall Group Excellence in Technology Awards Program

Best Advance in Learning Management Technology for Compliance Training

GRC Solutions, an international leader in innovative compliance training and RegTech, has won a coveted Brandon Hall Group award for excellence in the category of Best Advance in Learning Management Technology for Compliance Training.

GRC Solutions’ Silver Award win was announced on December 15th in Florida, USA. All winners are listed at

The award went to GRC Solutions for using its Salt Adaptive platform to deliver anti-money laundering e-learning to American Express.

Mandatory compliance training has become a huge annual burden for companies. Using the new Salt Adaptive technology, companies can save tens of thousands of hours of employees’ time by leveraging adaptive learning technology to dynamically generate compliance training for each individual.

By only training people on what they don’t already know, Salt Adaptive can increase individual engagement with the training as well as reduce staff pushback. Further time and money can be saved by enabling staff to complete training anywhere, in multiple languages, from any device.

At GRC Solutions we know compliance! GRC Solutions provides online legal compliance training under the Salt Compliance brand to hundreds of clients worldwide from financial services, professional services, insurance, pharmaceutical, engineering & construction and many other industries. Our offices are located internationally, from New York and Singapore to New Zealand and throughout Australia.

The award consolidates our reputation as being a top RegTech company that uses innovative training and technology to help clients manage complex regulatory obligations.

GRC Solutions’ content team has years of experience in writing and developing e-learning for compliance. We work with broad-ranging clients to develop specific content areas or custom-built training based on existing materials. We manage ongoing legislative updates and keep the training content refreshed.

“This is a significant win for the team at GRC Solutions. Brandon Hall’s reputation in this area is unsurpassed. We strongly believe in the ROI of adaptive compliance training, and in providing staff with engaging and educative programs. The technology has proven to be extremely effective and easy for our clients to use. We will continue to develop and improve our platform while expanding our library of premium courses.”

Julian Fenwick, CEO, GRC Solutions.

GRC Solutions – Year in Review

2016 is drawing to a close and it has been another fascinating year. Here at GRC Solutions there has been a lot of exciting stuff going on.

In January we opened our New York office, headed up by Matt Wadley, a Brisbane boy who has called the US home for the last 20 years.

We launched our Salt Adaptive platform, with which we aim to reduce the number of mandatory training hours using technology that recognises prior learning and improves training effectiveness. The response has encouraged a group of compliance companies to start the International Regulatory Technology (RegTech) Association. The group now has 150 members and is already engaged with regulators here and in Asia.

GRC Solutions has also expanded our presence in Asia with a partnership with Right Shift Solutions in Malaysia and Darlina Djumadi joining our Singapore team. The team also exhibited at the Singapore Fintech Festival, a huge event attended by over 12,000 people.

Over the year we have worked with some amazing clients, including American Express, which is using the Salt Adaptive platform to train over 100,000 people in anti-money laundering in eight languages. This project won us the LearnX Award for Best Compliance Training Program for the ninth year in a row.

In a year that has brought us many tumultuous and unexpected changes to the political landscape, there have also been major corporate compliance issues and scandals. In the spirit of the 12 days of Christmas I give you my top 12:

12. Anti-money laundering

In Singapore there was huge drama when the licences of BSI Bank and Falcon Bank were revoked, forcing the closure of their operations in the city state. In addition, major banks including SCB, DBS, UBS and the private bank Coutts have been fined. The director of a company that engaged in money laundering involving some $1.2 million was jailed for more than two years, with more cases pending.

11. Corruption & Unaoil

I think Melbourne’s Age newspaper described this best: “In the list of the world’s great companies, Unaoil is nowhere to be seen. But for the best part of the past two decades, the family business from Monaco has systematically corrupted the global oil industry, distributing many millions of dollars’ worth of bribes on behalf of corporate behemoths including Samsung, Rolls-Royce, Halliburton and Australia’s own Leighton Holdings”.

10. Foreign Corrupt Practices Act – JP Morgan pays $264m fine

The Securities and Exchange Commission announced that JPMorgan Chase & Co. has agreed to pay over $130 million to settle SEC charges that it won business from clients and corruptly influenced government officials in the Asia-Pacific region by giving jobs and internships to their relatives and friends in violation of the Foreign Corrupt Practices Act (FCPA).

JPMorgan also is expected to pay $72 million to the Justice Department and $61.9 million to the Federal Reserve Board of Governors for a total of over $264 million in sanctions resulting from the firm’s referral hiring practices.

9. South Korean President impeached

The South Korean parliament has voted to impeach the country’s leader, Park Geun-hye, its first female president. Her downfall has resulted from her relationship with an advisor who had no official position within the government.

The adviser, Choi Soon-sil, is the daughter of the founder of an obscure sect called the Church of Eternal Life and a long-time friend of Park. Choi has been indicted on charges of having manipulated the president for personal financial gain, including using her relationship with the President to coerce large companies into donating huge amounts of money to the not-for-profit foundations Choi runs. Choi allegedly siphoned some of that money for personal use.

Hundreds of thousands of people came out to demonstrate and call for the President to resign.

8. Unconscionable Conduct – price hikes for EpiPen

Mylan Pharmaceutical has upped the price of the lifesaving allergy treatment once again. The list price on a two-pack of EpiPens in the US is now $609, up 400% from seven years ago.

We should also mention Turing Pharma’s 5000% price hike on Daraprim, a drug used to treat toxoplasmosis in AIDS patients. Turing CEO Martin Shkreli, one of America’s most hated CEOs, was arrested after being indicted on federal charges of securities fraud. He has since resigned as CEO.

7. ‘Striking tigers and flies’ goes international

Since Xi Jinping took leadership of the Chinese Communist Party over 400,000 officials have been disciplined and a further 200,000 have been prosecuted as a result of the crackdown on corruption – “striking”, as Xi put it in 2014, “tigers and flies at the same time”.

Much of the program is targeted at getting control of the 90 million members of the CCP, who for many years have worked to the Chinese proverb shan gao, huangdi yuan, meaning “The mountains are high and the emperor far away.” The crackdown aims to limit regional power and remind members who is in charge.

In 2016 the program’s international reach was expanded targeting increasing capital outflows which have been impacting real estate prices from London to Auckland.

6. US$17m Whistle-blower payout – June 9, 2016

The US Securities and Exchange Commission announced a whistle-blower award of over $17 million to a former company employee whose detailed tip substantially advanced the agency’s investigation and ultimate enforcement action. The SEC’s whistleblower program has now awarded over $85 million to 32 whistleblowers since the program began in 2011.

5. Banks cartel behaviour

A five-year investigation by competition authorities in Brussels into rigging of interest rates drew to a close on December 7th 2016 when HSBC, JP Morgan and Credit Agricole were fined €485m (£412m) for colluding to manipulate a crucial benchmark rate. In Australia, the Federal Court has imposed penalties on Australia and New Zealand Banking Group Limited (ANZ) of AUD$9m and Macquarie Bank Ltd AUD$6m for attempted cartel conduct concerning the attempted rigging of the benchmark rate for the Malaysian ringgit.

4. Corruption & FIFA

Technically this is a 2015 case, in which fourteen people were indicted in connection with an investigation by the FBI and the US Internal Revenue Service for wire fraud, racketeering and money laundering.

But this case will keep on giving for years to come. In November 2016, Aaron Davidson, a former sports marketing executive who was arrested in 2015 in the US corruption probe involving FIFA, pleaded guilty. So far 17 people and two companies have pleaded guilty.

3. Corruption – 1 MDB

2016 saw the continuation of the 1Malaysia Development Berhad (1MDB) political scandal. Malaysia’s Prime Minister, Najib Tun Razak, has been accused of channelling over RM2.67 billion (nearly USD 700 million) from 1MDB, a government-run strategic development company, to personal bank accounts held in his own name at a prominent Malaysian bank.

In a celebrity twist, Leonardo DiCaprio has offered to help US authorities in their corruption probe. The actor’s charity foundation and movie The Wolf of Wall Street allegedly received money that was siphoned off the Malaysian fund.

2. Corporate governance & culture – Wells Fargo

In September 2016, Wells Fargo fired 5,300 people for signing up customers for accounts and credit cards without their knowledge. Two million fake accounts were opened, with forged signatures, phony email addresses and fake PINs, by employees who were pressured by supervisors to meet daily quotas. Wells Fargo has been ordered to pay $185 million in fines.

1. Cyber security – Panama Papers

In what has to be the year’s biggest cyber security breach, the files of Panamanian law firm Mossack Fonseca were leaked to German journalist Bastian Obermayer.

Wikipedia describes the Panama Papers as “11.5 million leaked documents that detail financial and attorney–client information for more than 214,488 offshore entities; some date back to the 1970s.

The leaked documents contain personal financial information about wealthy individuals and public officials which had previously been kept private. While offshore business entities are legal, reporters found that some of the Mossack Fonseca shell corporations were used for illegal purposes, including fraud, kleptocracy, tax evasion, and evading international sanctions.”

According to the International Consortium of Investigative Journalists, “The Panama Papers investigation has produced an almost daily drumbeat of regulatory moves, follow-up stories and calls for more action to combat offshore financial secrecy – including at least 150 investigations in 79 countries and $110 million recouped by governments so far.

Politicians, business executives and thousands of their supporters have responded with vitriol, threats, cyberattacks and lawsuits against reporters who continue to unveil the hidden economic holdings of a global elite.”

In August this year, the president of the Law Council of Australia, Stuart Clark, said that cyber security is a ‘major problem’ for law firms. This seems a slight understatement in the case of Mossack Fonseca.

It is the sheer size and reach of this breach that makes the Panama Papers my number one pick for 2016.

So there are my top 12 for the year. No doubt you can think of a few more that I have missed, so feel free to send them through.

From all of us here at GRC Solutions, we hope that you have had a wonderful, safe and merry Christmas and a prosperous New Year!

Highlights of the 2016 Innoxcell Annual Symposium in New York City

Matt Wadley, our business development manager in the USA, recently attended the Innoxcell Annual Symposium on December 6, 2016 in NYC. Here he discusses some of the highlights of the event.

I looked forward to this event for a number of reasons, including the profile of the attendees, the speakers, and the subject matter up for discussion. But most interestingly, a lot of the conversation was about what the regulatory environment would look like under a Trump administration – more about that later.

Attendees of the Innoxcell Annual Symposium in New York City talk in a roundtable discussion.

The Innoxcell Annual Symposium consists of a series of global events in Hong Kong, Beijing, Shanghai, Singapore, Australia and the United States and covers a wide variety of legal and compliance topics. The global span gives the event a more international flavor than that provided by other organizations and many of the topics touched on cross-border issues. While it was a small event, the speakers were of a high quality and the format allowed for a lot of Q&A and discussion generally. Attendees mainly consisted of compliance professionals from law firms and smaller companies in the finance industry.

Cyber Security

With all the hacking in the news, the high-profile data breaches being reported, and the increasing emphasis on the role of Big Data in business, cyber security was a well-represented topic of discussion throughout the day. Scott Warren, the head of the Cybersecurity and Data Privacy practice for Squire Patton Boggs in Asia, presented an excellent history of the evolution of the cyber security landscape. There were several topics that stood out from Scott’s presentation and discussions through the day:

  1. Cyber security presents cross-border challenges

Cross-border issues arising from global commerce are increasingly complicating the picture with respect to cyber security and compliance. In particular, the contrast between EU compliance requirements and those of the rest of the world creates numerous scenarios in which companies are subject to obligations they may be unaware of. Simply collecting information from EU customers may subject a company to EU data protection obligations even where it has no subsidiary or physical presence in the EU.

  2. Companies don’t know they have been hacked

Some companies are completely unaware they have been hacked and their data compromised. While the period is shortening overall, the times between intrusion, discovery and remediation are still much longer than most imagine.

  3. Hackers are targeting law firms

Law firms are increasingly being targeted by hackers. This should come as no surprise. Law firms are recipients and custodians of some of the most valuable data imaginable. However, they have been relatively slow to ensure their technical and physical defenses are sufficient and their processes and procedures are adequate. A lot of this can be attributed to the legal profession’s reluctance to see itself as just another vendor (subject to all the usual security audits) rather than solely as a trusted advisor or partner.


Specific regulations created a lot of interest and discussion:

  • ISO 37001

This international anti-bribery management standard has been adopted by more than 37 countries and specifies a series of measures to help organizations prevent, detect and address bribery. These include adopting an anti-bribery policy, appointing a person to oversee anti-bribery compliance, training, risk assessments and due diligence on projects and business associates, implementing financial and commercial controls, and instituting reporting and investigation procedures.

  • Department of Financial Services (DFS) Cybersecurity regulation

The regulation requires banks, insurance companies and other financial services institutions regulated by the New York State Department of Financial Services to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry. It is expected to come into effect in January 2017 and is significant because it is binding regulation rather than, as previously, a recommendation.

  • Department of Labor (DOL) Fiduciary Rule

This sweeping rule will automatically elevate all financial professionals who work with retirement plans or provide retirement planning advice to the status of a fiduciary, bound legally and ethically to meet the standards of that status. While the new rules are likely to have at least some impact on all financial advisors, it is expected that those who work on commission, such as brokers and insurance agents, will be affected the most. They will not be able to offer or sell financial products that are not in the best interests of their clients.


The other aspect of regulation that generated a lot of discussion was the potential impact of a Trump administration on the regulatory environment. There has been a lot of speculation about which regulations (if any) may be rolled back and to what extent. Particular attention has been paid to elements of the Dodd-Frank Act such as the Consumer Financial Protection Bureau and the Volcker Rule. There has also been discussion about rolling back the DOL Fiduciary Rule described above.

The speakers at the conference included former members of the SEC and other regulatory bodies. While they stressed that each regulation and framework should be considered separately with respect to possible repeal or amendment, their overwhelming consensus was that companies should assume nothing will be repealed. Regulations, once in place, are hard to reverse for many reasons, and companies should assume that their compliance obligations will remain largely unchanged.

Overall it was a very interesting conference, with high-quality speakers and very relevant discussion topics.



Police expose $29 million Hong Kong-Australia drug money laundering plot

Australian police have uncovered an elaborate money laundering scheme in which a Chinese crime syndicate laundered AUD$29 million in drug money within 10 months.

A joint investigation conducted by Western Australian detectives and the Australian Federal Police found that the syndicate dispersed the money in deposits of up to $40,000 at several Commonwealth Bank and Westpac branches throughout Perth between March and December 2015.

Twelve Australian-registered companies were set up as fronts for the scheme, with the directors all being Hong Kong nationals on working visas.

“The money was then electronically transferred from the accounts to Sydney-based money remitters within one or two days of the deposit,” the Supreme Court of Western Australia has heard.

One Perth-based recruit is said to have made 11 deposits amounting to $419,970 in just one day.

Another recruit not only made deposits but also helped to import almost 2 kg of methamphetamine into Australia from a drug dealer based in Hong Kong. Justice Jeremy Allanson sentenced the recruit to seven years’ imprisonment for money laundering.
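The pattern the court described (a burst of branch cash deposits into a front company’s account, then the balance wired interstate within a day or two) is the kind of thing a transaction-monitoring rule can catch by aggregating rather than looking at deposits one at a time. The example below is added here for illustration and is not code from the case, the banks or GRC Solutions; the ledger rows, account names, branches and thresholds (5 deposits, AUD 100,000, 48 hours, 80% pass-through) are constructed assumptions, not figures from the investigation, except that the front company’s eleven deposits are sized to total the $419,970 quoted above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger (illustrative only, not real bank data).
# Fields: account, timestamp, kind, amount in AUD, branch or counterparty.
SAMPLE_LEDGER = [
    # Hypothetical front company: eleven cash deposits across four Perth
    # branches in one day, then the money leaves for a remitter next morning.
    *[("FRONTCO-07", f"2015-05-04 {9 + i:02d}:15", "cash_in", 38000,
       ["Perth CBD", "Fremantle", "Joondalup", "Cannington"][i % 4])
      for i in range(10)],
    ("FRONTCO-07", "2015-05-04 19:40", "cash_in", 39970, "Perth CBD"),
    ("FRONTCO-07", "2015-05-05 08:05", "transfer_out", 415000, "Sydney remitter"),
    # Hypothetical ordinary small business: weekly takings, rent going out.
    ("BAKERY-01", "2015-05-04 17:00", "cash_in", 3100, "Fremantle"),
    ("BAKERY-01", "2015-05-11 17:05", "cash_in", 2950, "Fremantle"),
    ("BAKERY-01", "2015-05-18 17:02", "cash_in", 3300, "Fremantle"),
    ("BAKERY-01", "2015-05-20 09:00", "transfer_out", 2800, "Landlord"),
]


def _parse(ledger):
    """Turn the string timestamps into datetime objects."""
    return [(acct, datetime.strptime(ts, "%Y-%m-%d %H:%M"), kind, amt, where)
            for acct, ts, kind, amt, where in ledger]


def same_day_bursts(ledger, min_deposits=5, min_total=100_000, min_branches=2):
    """Placement signal: many cash deposits at several branches on one day.

    Returns {account: [(day, deposit_count, total)]} for accounts that trip it.
    """
    by_day = defaultdict(list)
    for acct, when, kind, amt, where in _parse(ledger):
        if kind == "cash_in":
            by_day[(acct, when.date())].append((amt, where))
    hits = defaultdict(list)
    for (acct, day), deps in by_day.items():
        total = sum(a for a, _ in deps)
        branches = {w for _, w in deps}
        if (len(deps) >= min_deposits and total >= min_total
                and len(branches) >= min_branches):
            hits[acct].append((day.isoformat(), len(deps), total))
    return dict(hits)


def pass_through(ledger, window_hours=48, min_ratio=0.8, min_total=50_000):
    """Layering signal: cash deposited on a day is wired out within the window.

    Returns {account: [(deposit_day, cash_in, moved_out)]}.  min_total keeps a
    shop paying rent out of its takings from tripping the rule.
    """
    deposits_by_day = defaultdict(list)
    outs_by_acct = defaultdict(list)
    for acct, when, kind, amt, _ in _parse(ledger):
        if kind == "cash_in":
            deposits_by_day[(acct, when.date())].append((when, amt))
        elif kind == "transfer_out":
            outs_by_acct[acct].append((when, amt))
    hits = defaultdict(list)
    for (acct, day), deps in deposits_by_day.items():
        cash_in = sum(a for _, a in deps)
        if cash_in < min_total:
            continue
        first_in = min(w for w, _ in deps)
        deadline = max(w for w, _ in deps) + timedelta(hours=window_hours)
        moved = sum(a for w, a in outs_by_acct[acct] if first_in <= w <= deadline)
        if moved >= min_ratio * cash_in:
            hits[acct].append((day.isoformat(), cash_in, moved))
    return dict(hits)


def review_queue(ledger):
    """Accounts that trip both signals, i.e. the deposit-then-remit pattern."""
    return sorted(set(same_day_bursts(ledger)) & set(pass_through(ledger)))


if __name__ == "__main__":
    print(review_queue(SAMPLE_LEDGER))
```

Note that each of the hypothetical $38,000 deposits is already well above the AUD 10,000 cash threshold that triggers a threshold transaction report in Australia, so per-transaction reporting alone would generate eleven separate reports without ever connecting them; it is the aggregation by account and day, and the link to the outbound transfer, that surfaces the scheme. In a real program the thresholds would be tuned to the customer’s expected activity rather than fixed as here.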

GRC Solutions provides anti-money laundering online training and program reviews.

Source: The Western Australian

Don’t get caught in the CRS-fire

In September, Singapore and Australia signed a Competent Authority Agreement under the Common Reporting Standard (CRS) to exchange information about residents of each state holding financial accounts with the other state’s financial institutions.

The CRS is a global protocol developed by the Organisation for Economic Cooperation and Development (OECD) for the automatic exchange of information. Over 96 countries, including the UK, New Zealand, Hong Kong, Japan and Malaysia, have agreed to share information on foreign tax residents’ assets and incomes with relevant tax authorities in other signatory states.

The signing of this agreement – the first of what looks to be many bilateral CRS agreements for Singapore – is a timely reminder that the commencement date for the CRS is fast approaching. Australian financial institutions need to be prepared for the additional due diligence and on-boarding processes by 1 July 2017, when their CRS obligations take effect.

You’ll often hear the CRS mentioned in the same breath as the Foreign Account Tax Compliance Act (FATCA). But you will still need to get ready for the CRS even if you’ve already dealt with your FATCA requirements. Though the CRS and FATCA are similar, there are many differences in application, and the CRS is significantly broader in scope.

FATCA is a US law designed to make offshore banking more transparent and to combat tax evasion by US taxpayers. It requires foreign financial institutions to report on the assets and income of US account holders. Financial institutions that don’t comply with FATCA face a 30% withholding on all US-sourced payments and payments from FATCA participants.

GRC Solutions has delivered custom e-learning on FATCA and the CRS and is currently developing a series of facilitated workshops on the automatic exchange of information regimes. Contact us today for more information about our online training content and international workshops.

Insights from Singapore Fintech Festival 2016

Julian Fenwick, Managing Director GRC Solutions, recently attended the inaugural Singapore Fintech Festival. Here he captures insights from the event.

“A network of companies focused on developing common technological solutions to regulatory processes (Regtech) promises to make the financial system both more accessible and more secure.” – Christophe Chazot, Group Head of Innovation, HSBC

I have recently returned from a fantastic week at the inaugural Singapore Fintech Festival, one of the largest industry events globally, which drew almost 11,000 people from around the world for a diverse range of events – including a thought-provoking one-day Regtech Forum attended by well over 1,200 delegates.

Singapore’s innovation ecosystem is a major hub and community that nurtures new Fintech and Regtech innovations. It was great to learn about how The Monetary Authority of Singapore (MAS) is paving the way with this festival and by inviting Fintech and Regtech companies to demonstrate their systems to the regulator, signifying how government, industry, and the innovation community are collaboratively engaging for market impact.

Here are my 4 key learnings from the week of discussions with key leaders and disruptors in the fintech space:

1. Banks need to invest more in Regtech. Most banks only use 30% of their own data because the rest is stored in legacy systems which are too difficult or time-consuming to access. In Australia, Singapore and beyond, banks and other highly regulated industries need to invest in Regtech solutions to help improve outdated legacy systems, bring their costs down and carve out a more competitive profile.

2. Fintech is starting to threaten the banks’ business model. At the same time, compliance costs are going up. With a lack of highly experienced compliance staff available globally, financial institutions will need to rely even more heavily on Regtech solutions to improve compliance outcomes and meet regulator expectations. Fintechs themselves will soon have to think about how they manage compliance.

3. Outcomes not hours. Regulators globally are looking at ways in which they can monitor, measure and improve culture and behaviour particularly in financial institutions. Improvements in the quality of training and learning outcomes for staff are needed – not just training hours for the sake of earning points. Continuing Professional Development (CPD) programs which monitor hours of training are becoming outdated as more sophisticated approaches are evolving.

4. Banks and regulators are under pressure to offer APIs (application programming interfaces). Many Fintech and Regtech solution providers are calling for banks and regulators to offer APIs to allow better access to data, with the aim of creating better efficiency between banks and regulators. The general consensus is that data sharing or ‘data democracy’ is a good idea, but there are issues of commercial secrecy and of individual customers’ privacy to be considered.

Rio Tinto senior managers fired for “consultancy” payments

Rio Tinto has taken action against two of its executives, firing them as a result of payments made for “advisory” services in the African nation of Guinea. The firing demonstrates a tough stance against potential evidence of bribery and corruption.

The mining corporation released Energy and Minerals chief executive Alan Davies and the head of Legal and Regulatory Affairs, Debra Valentine, after it found that payments of AUD$14.3 million had been made to an individual for “advisory services” in 2011.

Mr Davies was suspended from all of his duties while Rio Tinto was conducting an internal probe. Mr Davies was accountable for the Simandou iron ore project in Guinea.

When the payments occurred in 2011, Rio Tinto had praised the Guinea government for its constructive engagement with the company.

“The board’s decision does not pre-judge the course of any external inquiries into this matter,” the company declared in a statement. Rio Tinto has referred the matter to the relevant authorities in the United Kingdom, the United States of America and Australia.

The company has refused to comment further while the investigations are ongoing.

Mr Davies has claimed that accusations levelled against him are unsubstantiated.

Last month Rio Tinto sold its stake in the Simandou iron ore project in Guinea to the Chinese mining giant Chinalco. The deal is expected to earn the company up to US$1.3 billion.

Source: ABC News


GRC Solutions launches new Australian Privacy course

At GRC Solutions, we know compliance.

We’re proud to announce the launch of our new online Privacy training course in November.

The course boasts a fresh new look and feel that is designed to attract learners’ active engagement without overwhelming them with unnecessary details.

The content puts complicated privacy requirements into practical context using more scenarios and case studies than ever before.

Privacy breaches attract wide media interest, making headlines regularly. But while everyone thinks they know what privacy is, they may struggle to understand how the laws work. The requirements under Australian law can be very particular.

Our new Privacy course breaks down those requirements into language our learners can understand. As with all our Salt Compliance e-learning courses, it reaffirms our commitment to developing courses with speed to competence in mind – that is, to helping learners become competent quickly in training topics.

This is balanced against the need to cover the training content in adequate detail, so that our clients can be confident the training meets their requirements and needs under the law.

The introductory module summarises the key concepts. For learners who are tasked with undertaking privacy training every year, this module can also be used as a short piece of refresher training.

Subsequent modules explore the Australian Privacy Principles in more detail. The final module focuses on credit reporting obligations.

As with all Salt Compliance courses, the new Privacy course can be customised to reflect nuances specific to your industry or your company policies, and branded with your company logo and colours.