Market Integrity Update - Issue 109 - October 2019
Report released on oversight of non-financial risk
We urge all companies to apply a greater focus and sense of urgency to the oversight and management of non-financial risk following the release of the Director and officer oversight of non-financial risk report.
Based on our review of seven large financial institutions, the report focused primarily on the oversight and management of compliance risk. The findings indicate that boards’ management of non-financial risks is less mature than required. For example:
- management were operating outside of board-approved risk appetites for non-financial risks, particularly compliance risk. Boards need to actively hold management accountable for operating within stated risk appetites
- reporting of risk against appetite did not effectively communicate the company’s risk position. Boards need to take ownership of the form and content of information they are receiving so that they can adequately oversee the management of material risks
- material information about non-financial risk was buried in dense, voluminous board packs – making it difficult to identify non-financial risk. Boards should require reporting from management to be clear and prioritised in order of importance
- the effectiveness of board risk committees could be improved by meeting more regularly, devoting enough time and actively engaging in the oversight of material risks.
While there is no ‘one size fits all’ solution, boards need to proactively identify and assess their own characteristics and processes.
To help them do this, we have provided a series of questions that all large ASX-listed companies should ask themselves. We urge boards to use the report as a roadmap to review their governance practices and accountability structures. While there are no ‘easy fixes’ to some of these issues, effective oversight and management of non-financial risk is possible.
Boards cannot afford to ignore the oversight of non-financial risks – all risk can have financial consequences. If not well managed, non-financial risks carry very real financial implications for companies, their investors and customers.
Online fraud syndicate member charged with siphoning millions from shares and superannuation
A 21-year-old Melbourne woman has been charged following the alleged theft of millions of dollars from the superannuation and share trading accounts of innocent victims.
The arrest follows an investigation by ASIC and the Australian Federal Police (AFP) into a major fraud and identity theft syndicate.
ASIC and the AFP allege that:
- the woman was part of a syndicate which used stolen identity information purchased from dark net marketplaces to undertake an ‘identity takeover’
- these identities were, among other means, used to open at least 70 bank accounts at various Australian banking institutions
- using fraudulently obtained identification documents and falsely established bank accounts, the syndicate then committed cybercrime offences to illegally steal money from the superannuation accounts of these victims, and from their share-trading accounts in ASX-listed companies
- the syndicate transferred the stolen funds to an overseas contact for the purpose of purchasing untraceable assets such as jewellery. It is suspected the money was then transferred back to Australia as cryptocurrencies.
Investigations are continuing to identify the number of affected victims and the scale of the alleged fraud, though it is expected to be worth millions of dollars.
This operation is now being conducted as part of the Government’s joint-agency Serious Financial Crime Taskforce. Investigations into the syndicate are continuing, and further arrests and charges have not been ruled out.
Digitalisation of the criminal economy is a major concern for ASIC and we’ll continue to pursue not only cyber-related market and superannuation offending but also the need for institutions to maintain their obligations to ensure they have adequate cyber resilience.
How to protect your business against share sale fraud
You’re reminded to remain vigilant to the possibility of share sale fraud after a member of an online fraud syndicate was charged with siphoning millions from share trading accounts.
If you’re a market participant, you must have robust procedures for:
- verifying clients, particularly where there’s no pre-existing relationship
- identifying and escalating any risks.
When conducting customer due diligence for one-off share sale clients, you should consider introducing a separate onboarding process that requires visual identification of the prospective client (in person or via videoconference) to ensure they match the supplied identity documents.
To avoid unintentionally facilitating fraudulent share sales, we encourage you to review your existing arrangements, including processes around one-off sales and the limits imposed on the size of transactions.
To help mitigate the risks to your clients and business, we urge you to read our guidance on:
- one-off share sales
- customer due diligence
- ongoing customer due diligence
- intermediary clients
- anti-money laundering and counter-terrorism financing training.
How to protect your share register against unauthorised access
If you're an issuer, you're responsible for maintaining a register of your shareholders, even if this is outsourced to a share registry. Although share registries in Australia are not regulated as financial service providers, we still urge issuers and share registries to review information and cyber security policies and processes.
Minimise the risk of unauthorised access to shareholders’ personal information by ensuring:
- correspondence mailed to shareholders does not contain sufficient information to facilitate identity theft or share sale fraud
- member registers are maintained in accordance with your information security standards – including any outsourced administration of your register to a share registry – and that these standards are robust, effective and consistent with industry standards
- your cyber resilience practices are prepared for digitally perpetrated fraud.
Director charged with conspiring to manipulate market
Ananda Kathiravelu, of Perth, has been charged with conspiracy to commit market manipulation.
The charge follows an investigation into Mr Kathiravelu’s conduct in relation to trading in the shares of Radar Iron Limited (RAD) on the ASX on 17 May 2016, one day before the suspension of RAD shares from the official quotation of the ASX.
Mr Kathiravelu is the director of a number of companies, including corporate finance firm Armada Capital Pty Ltd.
ASIC alleges that between 12 May 2016 and 17 May 2016, Mr Kathiravelu conspired with another to take part in, or carry out, either directly or indirectly, transactions that had, or would likely have, the effect of creating or maintaining an artificial price for trading in RAD shares.
The charge carries a maximum penalty of 10 years’ imprisonment and/or a fine of up to $810,000.
The next court date has been set for 21 October 2019 in the Supreme Court of Western Australia.
The Commonwealth Director of Public Prosecutions (CDPP) is prosecuting the matter.
AOP annual notification reminder
If you operate an automated order processing (AOP) system, you’re reminded of your obligation to notify ASIC of certain information within 10 business days of the annual review date.
The AOP annual review date is 1 November each calendar year. This means that your notification must be submitted by Friday 15 November 2019. For more information see Rule 5.6.8B of the Market Integrity Rules (Securities Markets) 2017 and Regulatory Guide 241 Electronic trading.
We encourage you to provide this notification using Form M62 which is available on the MECS portal. The form includes instructions on how to complete and lodge the notification using MECS. Submitting the form through MECS will allow you to manage and retain a record of your interactions with ASIC.
If you have decommissioned an AOP and will not be providing an annual notification for this system, please advise the following:
- name of system
- version
- trading platform(s)
- date of initial certification
- date of decommission.
If you have any questions, please contact your Intermediary Supervisor.
Relief granted for OTC derivative transaction reporting of entity information
We’ve recently extended relief to reporting entities from the requirement to report entity information – either a Legal Entity Identifier (LEI) or interim entity identifier, Designated Business Identifier (AVID) or Business Identifier Code (BIC) – in certain circumstances: see ASIC Corporations (Amendment) Instrument 2019/0958.
The relief follows expiry of previous conditional relief from having to report one of the specified identifiers if the non-reporting counterparty was an Australian entity or a foreign entity that entered into the OTC derivative through its Australian branch.
The relief has been granted to accommodate the following situations:
- the reporting entity is unable to report the entity information because of circumstances outside their control, or
- the global market convention is to use a different identifier.
The relief applies to:
- historical transactions that are open as at 30 September 2019
- new transactions entered into after 30 September 2019, while an identifier is obtained
- the use of CDS Reference Entity Database Codes to identify the reference entity in a credit default swap or total return swap
- the ability to report an internal identifier for transactions involving multiple counterparties acting as joint or joint and several counterparties.
Reporting suspicious activity
We’ve been taking a close look at recent alleged misconduct reported directly through Suspicious Activity Reports (SARs) and indirectly through AUSTRAC Suspicious Matter Reports (SMRs).
Recent reports have indicated that suspicious activity is occurring in the fixed income, currencies and commodities space – in addition to listed securities and futures markets.
SARs are a valuable source of information. However, the number of SARs made to ASIC is significantly lower than the number reported to regulators in other jurisdictions. This disparity is concerning.
You’re reminded of your obligation to notify ASIC as soon as you see or suspect market misconduct, not after you have investigated it. Failure to do so may result in ASIC action, and a maximum penalty of 15,000 penalty units (currently $3.15 million) for bodies corporate.