<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>LawSpace.net</title>
	<atom:link href="http://www.lawspace.net/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.lawspace.net</link>
	<description>Queensland Legal Blog Law Articles</description>
	<lastBuildDate>Wed, 25 Jan 2012 11:13:34 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Building a Legal Compliance Framework</title>
		<link>http://www.lawspace.net/building-a-legal-compliance-framework/</link>
		<comments>http://www.lawspace.net/building-a-legal-compliance-framework/#comments</comments>
		<pubDate>Wed, 25 Jan 2012 11:06:39 +0000</pubDate>
		<dc:creator>lawspace.net</dc:creator>
				<category><![CDATA[compliance]]></category>
		<category><![CDATA[assurance]]></category>
		<category><![CDATA[compliance framework]]></category>
		<category><![CDATA[legal compliance]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">http://www.lawspace.net/?p=134</guid>
		<description><![CDATA[Synopsis This article provides an overview of the necessary steps and methodology required to implement a compliance framework (Framework) within a large organisation. While this paper is focussed on large entities, the same process and methodology may be adapted and then applied to build Frameworks for smaller organisations. Gaining Support The first step is to [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Synopsis</strong><br />
This article provides an overview of the necessary steps and methodology required to implement a compliance framework (Framework) within a large organisation. While this paper is focussed on large entities, the same process and methodology may be adapted and then applied to build Frameworks for smaller organisations.</p>
<p><strong>Gaining Support</strong><br />
The first step is to gain support from your CEO, Company Secretary or Board. This is an essential step for your Framework project to be successful. It will be much easier to get the necessary support from middle management if upper management support your Framework initiative.<span id="more-134"></span>If upper-level management are not willing to give your Framework support, it is likely that they don’t fully understand the risks that your organisation is exposed to. It is your job as a compliance professional to communicate these risks to them. To do this you must have a short, sharp and easy-to-understand message. Delivering the message to the leaders in person is always the best communication channel.</p>
<p>It is more prudent to get the support of one or two senior managers before you arrange that important meeting with your company secretary or CEO to inform them of the risks to the organisation and ask for their support to implement a Framework.</p>
<p><strong>Team Building &amp; Planning</strong><br />
Team-building and communication are essential in order to build a successful Framework. Specialist knowledge and assistance is required from various stakeholders before beginning to design the Framework. Engaging the right stakeholders from the start will minimise project delivery time. Don’t expect to do everything yourself; compliance is very much a team effort. Alliances are necessary with various departments within your organisation such as Risk, IT, HR, Finance, Communications, Learning and Development and Document Management.</p>
<p>You should start by making a compliance committee consisting of the SME’s that you select from each area. Regular compliance meetings with the compliance committee are a great way to gain support, communicate and stay on top of compliance issues. The SME’s respective areas or departments may already have some type of compliance controls in place. You will save a lot of time if you learn to leverage from their current systems and interdependencies rather than taking a ‘start from scratch’ approach. Even if you believe their systems are less than adequate, learning what doesn’t work is often as beneficial as understanding what will work.</p>
<p><strong>Complying with Your Obligations</strong><br />
It is important to understand that compliance involves more than meeting your legal obligations. There are other obligations that will vary depending on the values of your organisation, which may include company policy, board direction, corporate social responsibility and, in the case of a GOC, ministerial direction.</p>
<p>Knowledge of your organisation’s business activities (‘Activities’) is necessary in order to fully understand relevant compliance obligations (‘Obligations’). The fastest and most accurate method to uncover your organisation’s Activities is to engage managers or subject matter experts (SME’s) that have a comprehensive understanding of the day to day operation within their department.</p>
<p>The best practice is to engage those SME’s that have enough seniority to make decisions or those who are in a position to highly influence the decision-making process but are not too busy for you to get regular access to.</p>
<p>You may then create a list of Activities that you believe are relevant to that area. Once you have finished, facilitate a brainstorming session with the SME’s so that they can build and refine the list of Activities. Once you have a firm understanding of the Activities, you may then take the next step in development of the Framework, which is to map the Obligations to the Activities.</p>
<p><strong>Calculating Risk</strong><br />
It is necessary to know what your organisation’s acceptable levels of risk are. Engaging your organisation’s risk department to inform you of the acceptable level of risk tolerances within your organisation is an important step. There are three key areas of risk that you need to be particularly mindful of when developing the Framework:<br />
•	reputational damage;<br />
•	imprisonment; and<br />
•	high pecuniary penalties</p>
<p>Obligations can best be determined when they are measured against your organisation’s risk tolerances. Some Obligations may not be relevant unless they meet the risk tolerance levels of your organisation. For example, infringement of a particular offence may potentially result in imprisonment of an officer; however, there may be an extremely limited chance of such a breach, and therefore the overall risk may not be significant enough to address in your Framework. On the other hand, your organisation may be exposed to a moderate financial penalty that has a high chance of occurrence; that exposure would therefore be assessed as high risk and should be contemplated when developing your Framework.</p>
<p>In large organisations it is impossible to manage every single risk in the Framework. There should be two layers of compliance. The top level is your Framework and the other smaller risks should be managed by SME’s as part of their business as usual management process within each department.</p>
<p><strong>Communication and Culture.</strong><br />
This is where you will need to be creative. Compliance is something that people should want to do, rather than feel obligated. This may require a culture change within your organisation. Many organisations engage the marketing and communications department to advise in this process. The message that you send out to your organisation must be clear, precise, fun and easy to understand.</p>
<p>Get excited and get everyone involved. Compliance can certainly be exciting if you believe it can be exciting. This is your chance to really make a difference. Make a fun corporate video or caps, conduct learning activities, keep up regular communication &#8211; even create a mascot or celebrity to deliver the compliance message. To bring about a corporate change you will need to get attention, and it all starts with you as a compliance professional.</p>
<p>Remember, your organisation is built from individuals with different education levels, genders, backgrounds, cultures and religions. Your message, however you choose to communicate it, needs to be clear and concise so it can be clearly understood by all individuals within your organisation. By all means make your communications fun, but be sure that they do not offend.</p>
<p>The message should also point out exactly how compliance can benefit each individual within your organisation directly. By doing this your message is more likely to have a greater impact.</p>
<p><strong>The Framework itself</strong><br />
A successful Framework will consist of training, systems and business processes backed by the legal department and management who will provide support to employees that request it.</p>
<p>Before implementing the Framework it is important to not bite off more than you can chew. Starting with a pilot program (‘Pilot’) is a very smart way to begin the Framework development and implementation process before rolling out the entire Framework throughout your entire organisation. The Pilot should focus on implementing the Framework into one or two key areas of your organisation. The best area to implement the Pilot will be dependent on your organisation’s Activities.</p>
<p>Consider the following questions when contemplating which area the Pilot should be implemented into:<br />
•	which area poses the highest risk to your organisation?<br />
•	which area has compliance work already done?</p>
<p>The answer to both of these questions will likely be the same and will therefore be the ideal place to start implementing the Pilot.<br />
The Framework should live and breathe within your organisation, which will require face to face interaction to review your organisation’s business as usual processes that you can discuss with managers and SME’s.</p>
<p>The IT system (‘IT System’) should ideally have a number of functions such as facilitating online training, legislative summaries, obligation library, resources, points of contact and a method of breach and incident reporting. Building a system such as this from the ground up will be very expensive, not to mention the time it will take to develop.</p>
<p>To reduce cost and development time, your organisation may opt for an off-the-shelf product. If you do, ensure that it integrates with other systems such as SAP that are used by HR which will enable all employees to be imported into the system and be provided different levels of access (and information) based on their role.</p>
<p><strong>Maintaining the Framework</strong><br />
The Framework will need to be maintained throughout its existence. This means that you should subscribe to a service that provides legislative and regulatory updates so that you can keep the online training, legislative summaries, obligation library and other resources up to date. You should also keep up to date on policies and procedures within your organisation as they will vary from time to time. Having a mechanism in the document management area that reports to you when such documents are updated is invaluable.</p>
<p>Legal compliance professionals require high level communication skills not only to develop a Framework, but to maintain it as well. Building and maintaining relationships throughout your organisation is an important skill that will make your compliance journey a more comfortable and rewarding one. Cooperation often demands finding solutions that are mutually beneficial to your organisation’s departments and compliance requirements.</p>
<p>Also see the compliance article on <a title="PCI Compliance with Credit Card Transactions" href="http://www.lawspace.net/credit-cards-security-with-online-transaction-and-credit-card-processing/">PCI Compliance</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lawspace.net/building-a-legal-compliance-framework/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Credit Cards Security with Online Transaction and Credit Card Processing</title>
		<link>http://www.lawspace.net/credit-cards-security-with-online-transaction-and-credit-card-processing/</link>
		<comments>http://www.lawspace.net/credit-cards-security-with-online-transaction-and-credit-card-processing/#comments</comments>
		<pubDate>Thu, 22 Sep 2011 04:58:45 +0000</pubDate>
		<dc:creator>lawspace.net</dc:creator>
				<category><![CDATA[Tech Law]]></category>
		<category><![CDATA[credit card law]]></category>
		<category><![CDATA[credit card security]]></category>

		<guid isPermaLink="false">http://www.lawspace.net/?p=128</guid>
		<description><![CDATA[There is a lot of misinformation on the Internet relating to law, credit card details, storage of those credit card details and standards. This article gets to the point of responsibilities of credit card transactions.]]></description>
			<content:encoded><![CDATA[<p>Merchants need to understand the importance of Credit Card Security with regard to online transactions. PCI-DSS is a standard that many international banks and Australian Banks conform to. This is a term of the contract with the merchant. Many people believe that this is a law. It is not. It is a contractual obligation with the bank that is providing the facilities to the merchant.</p>
<p><strong>What credit card information can be stored?</strong></p>
<p>Standard credit card information such as credit card number, cardholder name and expiry date can be stored as long as the information is encrypted when stored on a system that has a satisfactory firewall system and an up to date commercial antivirus.</p>
<p><strong>What part of the card cannot be stored?</strong></p>
<p>It is contrary to PCI-DSS standards to store sensitive information such as:</p>
<ul>
<li>CVV numbers or</li>
<li>Digital Stripe Data</li>
</ul>
<p><span style="text-decoration: underline;">CCV Number</span></p>
<p>The CVV or CCV number is (usually) the 3-digit number that is on the back of the card.</p>
<p><span style="text-decoration: underline;">Digital Stripe Data</span></p>
<p>The digital stripe data is contained within the black magnetic strip of your card.</p>
<p><strong>So what are the standards?<br />
</strong>The standards are referred to as the digital dozen. They are listed below.</p>
<p><span style="text-decoration: underline;">Build and Maintain a Secure Network<br />
</span>Requirement 1: Install and maintain a firewall configuration to protect cardholder data.<br />
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.</p>
<p><span style="text-decoration: underline;">Protect Cardholder Data<br />
</span>Requirement 3: Protect stored cardholder data.<br />
Requirement 4: Encrypt transmission of cardholder data across open, public networks.</p>
<p><span style="text-decoration: underline;">Maintain a Vulnerability Management Program<br />
</span>Requirement 5: Use and regularly update anti-virus software.<br />
Requirement 6: Develop and maintain secure systems and applications.</p>
<p><span style="text-decoration: underline;">Implement Strong Access Control Measures<br />
</span>Requirement 7: Restrict access to cardholder data by business need-to-know.<br />
Requirement 8: Assign a unique ID to each person with computer access.<br />
Requirement 9: Restrict physical access to cardholder data.</p>
<p><span style="text-decoration: underline;">Regularly Monitor and Test Networks<br />
</span>Requirement 10: Track and monitor all access to network resources and cardholder data.<br />
Requirement 11: Regularly test security systems and processes.</p>
<p><span style="text-decoration: underline;">Maintain an Information Security Policy<br />
</span>Requirement 12: Maintain a policy that addresses information security.</p>
<p><span style="text-decoration: underline;">The dangers of not complying:<br />
</span>In the event of not complying with PCI Standards, the merchant may be in breach of the agreement with the bank.<br />
This gives the Bank the right to terminate their contract with you.</p>
<p>The other danger is if the credit card numbers that you are storing are stolen, then the bank has the (contractual) right<br />
to force you to pay fees related to the stolen cards.</p>
<p>For further and more detailed information, please visit the <a title="Credit Card Security" href="https://www.pcisecuritystandards.org/index.php">PCI Standards Web site</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lawspace.net/credit-cards-security-with-online-transaction-and-credit-card-processing/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>General Rights as a Retail Consumer</title>
		<link>http://www.lawspace.net/retail-rights/</link>
		<comments>http://www.lawspace.net/retail-rights/#comments</comments>
		<pubDate>Fri, 03 Jun 2011 11:37:41 +0000</pubDate>
		<dc:creator>Ben Waldeck</dc:creator>
				<category><![CDATA[Consumer Law]]></category>
		<category><![CDATA[consumers]]></category>
		<category><![CDATA[retail consumers]]></category>

		<guid isPermaLink="false">http://www.lawspace.net/?p=120</guid>
		<description><![CDATA[It is always fun going shopping. The aim of this article is to give you a general overview of your general rights as a consumer with a particular focus on purchasing from retail stores.]]></description>
			<content:encoded><![CDATA[<p>When was the last time that you went shopping? Do you really understand your rights? Do you know what your rights are as a retail consumer?</p>
<p>There are certain rights that you need to be aware of. These are largely outlined in consumer law in Australia.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lawspace.net/retail-rights/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Legal Issues with Smart Phones</title>
		<link>http://www.lawspace.net/legal-issues-with-smart-phones/</link>
		<comments>http://www.lawspace.net/legal-issues-with-smart-phones/#comments</comments>
		<pubDate>Fri, 03 Jun 2011 11:25:47 +0000</pubDate>
		<dc:creator>Ben Waldeck</dc:creator>
				<category><![CDATA[Tech Law]]></category>

		<guid isPermaLink="false">http://www.lawspace.net/?p=116</guid>
		<description><![CDATA[One of the latest emerging technologies that has had the most impact on our day to day lives is, without a doubt, the smart phone.]]></description>
			<content:encoded><![CDATA[<p>One of the latest emerging technologies that has had the most impact on our day to day lives is, without a doubt, the smart phone.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lawspace.net/legal-issues-with-smart-phones/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What is a Statutory Demand?</title>
		<link>http://www.lawspace.net/what-is-a-statutory-demand/</link>
		<comments>http://www.lawspace.net/what-is-a-statutory-demand/#comments</comments>
		<pubDate>Mon, 30 May 2011 09:35:42 +0000</pubDate>
		<dc:creator>Ben Waldeck</dc:creator>
				<category><![CDATA[Company Law]]></category>
		<category><![CDATA[queensland]]></category>
		<category><![CDATA[statutory demand]]></category>

		<guid isPermaLink="false">http://lawspace.net/?p=4</guid>
		<description><![CDATA[A statutory demand is a letter sent to a company demanding payment of a debt. It is important to note that statutory demands should not be used as a method of debt collection. Rather, statutory demands ]]></description>
			<content:encoded><![CDATA[<p><strong>Statutory Demand Basics.<br />
</strong><strong><div class="green_box"  style="width:610px;">
<div class="green_box_content">
 This is not legal advice. The information contained in this article cannot be relied on for its accuracy. You should not rely on this information because legal advice can vary substantially depending on your individual circumstances. Nothing replaces proper legal advice. If you would like to contact a lawyer, please contact the Queensland Law Society. 
</div>
</div><br />
</strong>A statutory demand is a letter that is sent from a person demanding payment of a debt from a company. A statutory demand cannot be sent to an individual &#8211; it must be sent to a company. The value of the debt must be at least $2,000. The Corporations Act, which is a Commonwealth statute, governs statutory demands.</p>
<p>The Corporations Act says that you have 21 days to respond to a statutory demand. If you don&#8217;t, there can be big problems for you to overcome. For example, the Court may presume that the Company that has been issued a statutory demand is insolvent. This really means that if you receive a statutory demand you can:</p>
<h2>1. Pay the demand</h2>
<p>This is an obvious remedy. Of course if you owe the money it is a good idea to pay it. You may wish to read the other options if you want to oppose the demand.</p>
<h2>2. Apply to the Court to set the statutory demand aside</h2>
<p>This must be done within 21 days. Generally speaking, you will need to convince the court of the following points to set a statutory demand aside.</p>
<p><strong>&gt; Genuine dispute as to the debt</strong></p>
<p>The whole reason behind a statutory demand is that there is a pre-agreed amount due as a result of a previous agreement. It is important to remember that there is no need to prove the entire case when applying to set the demand aside. Generally, there is a fairly low bar in order to prove that there is a dispute. However, remember that there has to be some obvious reason that there is a dispute.</p>
<p><strong>&gt; Genuine offsetting claim</strong></p>
<p>If there is a claim of offset then there is a reason for the court to set aside the demand. Obviously, the offsetting claim must be bona fide and a genuine one.</p>
<p><strong> &gt; Defect in the demand</strong></p>
<p>There is no doubt that the form of the demand should follow the rules of the Corporations Act.</p>
<p><strong>&gt; Defect in the accompanying affidavit</strong></p>
<p>You can apply to set aside the statutory demand.</p>
<h2>3. Do nothing</h2>
<p>As you can imagine, this is not a wise choice. The worst case scenario is that the person issuing the statutory demand can apply for orders from the Court to wind up the Company, which means that the company may be forced to be deregistered.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lawspace.net/what-is-a-statutory-demand/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

