Veda - The Assurance Report
September 2014
Page 2
Contents
Contents ... 2
Executive Overview ... 3
2. Executive summary and forward plan ... 4
2.1 Introduction ... 4
Veda’s Regulatory Compliance Approach ... 4
Role of Employees ... 4
Role of our Customers ... 4
Compliance Team ... 4
Corporate ... 4
Summary ... 5
3. 2014 Assurance Report (Prepared in accordance with clause 9 of the Credit Reporting Privacy Code 2004 (“the Code”)) for the Office of the Privacy Commissioner (OPC) ... 6
3.1 An Evolving Report ... 6
3.2 Feedback ... 6
3.3 Explanation ... 6
4. Notes ... 16
4.1 What does our reasonable assurance process look like? ... 16
4.2 The Review Committee ... 17
Independent Person ... 17
4.3 Our systematic review process ... 18
Our Review Methodology ... 18
Evidence Selected ... 19
4.4 Standards Used ... 19
5. Appendices - Assurance detail ... 20
5.1 Confidential and Commercially Sensitive ... 20
CCR content for annual Assurance Report ... 20
5.2 Addressing specific areas of interest ... 21
Executive Overview
Credit reporting is integral to the development and wellbeing of modern economies. The World Bank has ranked transparent credit reporting as one of the key drivers for the development of both consumer and commercial prosperity. Credit reporting comes with great responsibility in terms of integrity of data and privacy obligations, to ensure that information is used in the correct manner and that all the various stakeholders’ ultimate outcomes are fully understood and complied with.
It gives us great pleasure to present our third annual assurance report from our Credit Reporting Privacy Code obligations. Assurance reporting is a journey rather than a destination for Veda. Each year we have reviewed the previous year’s assessment and the ensuing roadmap of improvement, and we have continued to raise our own internal standards. This year, to continue to progress our transparency during this process, we have appointed an independent assessor.
Veda has appointed Richard Kirkland, a partner in the professional services practice Risk & Regulation, who
was previously a Partner at Deloitte in New Zealand, and is a subject matter expert on governance, risk and
compliance management.
This assurance process has become formally embedded in how we operate. To that end we have again formed
a Compliance Committee consisting of senior Veda management and our nominated independent advisor
(Richard Kirkland). This committee has met on a regular basis to review key findings found in the assurance
review, monitor progress on any system/process changes and equally identify any other areas for
improvement.
We trust that this report addresses all the key areas that the Office of The Privacy Commissioner expressed
interest in, at our meeting regarding the assurance report and its independent viewpoint.
We look forward to receiving feedback on our report in due course.
Kind regards,
John Roberts
Managing Director New Zealand & International
2. Executive summary and forward plan
2.1 Introduction
Veda’s Regulatory Compliance Approach
Veda, as the leading credit reporter in Australasia, is committed to having a strategic regulatory compliance framework. This includes providing guidance and training for employees by way of updates on developments in the laws that regulate our business and ensuring that we have the systems and processes in place to ensure that we are meeting the prescribed compliance standard to the very best of our corporate and individual abilities.
Role of Employees
Regulatory compliance is the responsibility of every Veda employee and an integral part of their day to day roles. Employees are expected to comply with all applicable laws and regulations, as well as Veda’s internal policies. Employees are expected to take an active stance on regulatory compliance and are encouraged to do this on an ongoing and regular basis.
Role of our Customers
Regulatory compliance is also the responsibility of our customers. However, the Credit Reporting Privacy Code 2004 (the Code), in using a subscriber agreement model, treats Veda itself as a quasi-regulator with responsibility to require our customers (who are the ultimate end users of our products and services) to comply with the Code and with their obligations under the subscriber agreement.
Compliance Team
Regulatory compliance is supported by Veda’s Compliance Team. The role of the Compliance Team is to
provide advice about Veda’s regulatory obligations and to encourage and support business units to comply
with Veda’s legal and regulatory obligations. The compliance team is also responsible for monitoring and
reporting on Veda’s compliance with regulatory obligations.
Corporate
Within the organisational framework, processes exist to ensure that the organisation is complying with its
obligations. This assurance report indicates how compliance is being achieved and/or where there may be
areas for future improvement and that proper governance is in place to ensure that outcomes can be
achieved.
Summary
In the past 12 months in New Zealand Veda processed in excess of 4 million consumer credit enquiries through its bureau. This has resulted in statistically very low levels of complaints but high levels of resolution of consumer complaints. The statistics are detailed in the end notes. We believe this in itself is a measure of our compliance once the volume of throughput (consumer enquiries) is placed in context against the resulting level of consumer complaints.
We trust that the following report will provide a strong measure of assurance to the Office of the Privacy Commissioner (OPC) and we would also welcome any commentary in this regard.
3. 2014 Assurance Report
(Prepared in accordance with clause 9 of the Credit Reporting Privacy
Code 2004 (“the Code”)) for the Office of the Privacy Commissioner (OPC)
3.1 An Evolving Report
Assurance reporting is still a new obligation and was imposed to balance the greater access to data involved in Comprehensive Credit Reporting (CCR). It can be expected to change to reflect the progress of CCR over time.
The OPC has indicated it is taking a heightened interest in the assurance report, including addressing what independence means in relation to an independent person appointed to a credit reporter’s Committee to prepare the assurance report.
Veda has also re-evaluated what ‘independence’ should mean. We decided to appoint a new person to act as our independent person on our Committee. Richard Kirkland is our new independent person and his details are available in the table below.
Veda sets out below, in a table, the response required by the Code, with the following additional features: an additional commentary column within the table, notes and appendices.
We will also supply a redacted version of our report as some elements are commercially sensitive, and might enable fraud or hacking or require redaction to protect intellectual property.
3.2 Feedback
The feedback from the OPC in advance of this year’s review has been well received by Veda and we appreciate the distinctive insights that the OPC can bring to improved privacy outcomes, given its broad market purview.
We have endeavoured to meet expectations as shared during those discussions.
Veda looks forward to receiving feedback regarding our report from the Office of the Privacy Commissioner (OPC).
We understand that a new person has been appointed in the OPC regarding the Codes. We look forward to interacting with this person in the future.
The report will always be aimed at addressing specific Code requirements primarily but we expect it to continuously evolve as we work to continuously improve our own business.
3.3 Explanation
In the table below we include our formal response on our Code obligations in column 2. In column 3 we
include general commentary on that formal response to give a deeper understanding of the response in
column 2. We also note any changes from the 2013 Assurance Report responses.
Reference Response Commentary on Response & any changes from last year’s report noted.
1. Process of Review and Reporting

Response:
The systematic review process and the methodology followed, as in previous years, was to prepare the assurance report as a project, thereby engaging all relevant stakeholders required to produce the report. (See further details on the review process and methodology in the Notes.) Veda elected to prepare the report by a review committee under clause 9(2)(b). The members of Veda's review committee are:
John Roberts, Managing Director, New Zealand and International;
Tracy Pennell, General Manager – Product;
Michelle Chignell, NZ Legal Counsel;
Chris Woodhead, Head of Data and Architecture;
Emily Upton, Manager – Product Strategy and Growth Initiatives;
Hana Fuimaono, Customer Services Operations Manager;
Lisa Davies, Project Manager;
Richard Kirkland, Independent Person.

Independent Person
The Independent Person on the Committee, Richard Kirkland, is a partner in the professional services practice Risk & Regulation. He was previously a partner with Deloitte New Zealand, where he led that firm’s risk advisory service line delivering risk advisory and assurance services to a wide range of public and private sector clients. Richard has over 30 years of risk management and compliance experience through senior positions held at Westpac Banking Corporation, the Development Bank of Southern Africa and Swiss SA Reinsurance, with responsibilities covering governance, risk management, compliance, credit risk, capital and solvency management, operational risk and change. Richard is fully conversant with the Code and the outcomes it seeks to achieve. He has also been involved in helping a number of banking institutions prepare for Comprehensive Credit Reporting during its early stages. Richard Kirkland is not an employee, director, or owner of Veda, nor has he provided any other services or consulting advice to Veda other than as an independent person on this Committee. Whilst Richard is independent he was remunerated for his participation. As part of the review process Richard was given full access to all necessary Veda resources to fulfil his terms of reference as an independent reviewer. Some elements of his review went beyond the current requirements for the assurance report, but this has led to other outcomes such as the formation of an ongoing Committee, which will add value to the process of compiling the assurance report in the future. As part of his independent evidence gathering Richard led an independent staff compliance culture survey in order to validate assertions. This is likely to be a regular occurrence in future with a wider sampling. In the Notes we reference the process he and the Committee engaged in. The review committee both participated in and reviewed the participation of other relevant participants to arrive at the assurance report.

Commentary:
Changes to Committee: Richard Kirkland, Tracy Pennell.
Role of Committee
Whether input from a new independent person with an audit and risk background would add value in the next year (2014 reporting year) was discussed by the Committee.
Veda has not undertaken a systematic independent overall review in 2013 of the effectiveness of its policies, procedures and controls. In effect the Code does not require such a review except annually in the Assurance report.
The Committee discussed this and how that could be achieved in the next reporting year (2015).
Veda committed to forming an ongoing review Committee and driving this and other reviews with an independent element.
Another aspect which will be addressed by this is that Veda monitors its systems usage and information quality, and checks compliance with agreements, policies, procedures and controls and the requirements of the Code as they relate to storage, security and accuracy of credit information.
Veda has constraints in that the subscriber model requires Veda to act as a quasi-regulator of its subscribers but has no regulatory enforcement power outside of contract. Veda uses cooperation to supplement contractual powers, but that has practical limitations.
2. Assurances Relating to the Policies, Procedures, Controls and Subscriber Agreements

Response:
Veda provides reasonable assurance in terms of Schedule 6 clause 2 that in relation to the period from 1 July 2013 to 30 June 2014 Veda had formal and informal policies in place to give effect to the requirements of the Code. In particular:
(a) Veda had policies in place that give effect to the requirements of the Code. Veda has a series of formal and informal processes which it believes cover the requirements of the Code pre-Comprehensive Consumer Reporting (CCR) and post-CCR data collection and disclosure. These include its Policies for Use, which subscribers are contractually obliged to comply with. Once CCR data collection and disclosure is fully implemented with full data sharing, those policies may be further updated.
(b) Veda had internal procedures and controls in place to give effect to the policies and requirements of the Code. Veda has internal policies, procedures and controls to give effect to the Code, including automated access detection. Veda has reviewed its processes, procedures and controls and intends to further review these over time.
(c) Veda provided information and training to its staff to ensure compliance with the policies, procedures and controls. Veda provides training to all staff on compliance matters. Training includes the access to data which may be made by staff, and is provided on the basis of function.
(d) Veda ensured that subscriber agreements that complied with Schedule 3 were in place before disclosing credit information. Veda's processes are designed to ensure that no disclosure of credit information is made except to a subscriber with a subscriber agreement in place (or as otherwise permitted by law). In addition, the new terms for CCR data must be agreed to before there is any CCR data participation.

Commentary:
2(a) No change.
Veda continues to give effect to the requirements of the Code through a suite of complementary policies and supporting procedures and tools.
2(b)
Veda has detailed procedures in place to guide staff and ensure consistency in the application of consumer credit reporting policies in day to day operations.
2(c)
Compliance with procedures is independently checked by functional heads, by periodic independent checks and, in the case of IT systems, by automated access detection.
At recruitment, part of the induction process covers training on Code requirements and how Veda gives effect to Code compliance through its performance management process and risk and compliance framework. Training is referenced back to the Employee Handbook, which clearly details employee obligations, including in relation to privacy and security.
Ongoing team and ‘one-on-one’ training is held by functional leads. This focuses on detailed aspects of the Code and how employees help Veda discharge its obligations.
All employees are required to complete annual privacy compliance training through an on-line compliance testing application (Safetrac). The training covers:
o Equal Opportunity Workplace for Employees – Aus/NZ
o OHS/OSH Workplace for Employees – Aus/NZ
o Trade Practices – NZ
o Credit Reporting Privacy Code 2004
o Privacy – NZ
o Insider Trading
o Veda Data Security
o Equal Opportunity Workplace for Managers and Supervisors – Aus/NZ
o OHS/OSH Workplace for Managers and Supervisors – Aus/NZ
2(d)
Veda has subscriber agreements that have been drafted recognising all Code requirements (including changes to the Code over time).
No services can be provided unless a duly executed subscriber agreement is in place. The NZ Subscriptions Process provides ‘step-by-step’ details. In order to achieve this, authorised signatories are required with responsibility to ensure that all requisite subscriber on-boarding steps (including any changes for existing subscribers) have been appropriately completed.
In the case of CCR, the terms and conditions similarly must be agreed to before there is any CCR data participation.
3. Monitoring of Policies, Procedures, Controls and Subscriber Agreements
In accordance with clause 3 of Schedule 6, this Report provides a reasonable assurance that:

Response:
(a) The credit reporter believes it followed its own policies, procedures and controls. Veda has been reviewing its internal compliance and continues to do so in order to improve where possible. Given the low level of complaints to either Veda or to the OPC, the internal and external reviews undertaken to date, and the automatic and system controls around access to data held for credit reporting, Veda holds this belief reasonably.
(b) The information held by Veda was protected by reasonable security safeguards. Veda has robust security policies, including system access controls, which are applied group wide. We also have firewalls; secure housing of the database with disaster recovery back-up provisions; restricted access; and controlled and monitored log-ins. Internal and external access safeguards are in place. Therefore Veda understands it holds this belief reasonably.

Commentary:
3(a)
Veda’s Regulatory Compliance Policy states: “… Regulatory compliance is an essential part of Veda’s value proposition as a trusted custodian of data, a trusted business partner and an employer …”
Veda fosters a strong compliance culture.
An independently administered culture survey, run as part of this assurance review, yielded largely positive results, with particular strength in values and ethics, skills, knowledge and personal accountability.
3(b)
The reference standard applied for comparative purposes is ISO 27001 – Information Security.
Veda has undertaken a high-level comparison of Rule 5 requirements to the ISO standard, having regard for what is reasonable and applicable to local conditions.
Architecture
The technology architecture is well proven in terms of security and control.
There are appropriate disaster recovery arrangements in place.
User access internally and externally is by a variety of means, mainly secure web or native terminal. The documented standards (e.g. HTTPS, SFTP) are fit for use.
Periodic security testing takes place, and the platform has a managed release cycle that includes testing.
User access is managed through two key programs related to the Code:
o Personnel access management offers menu (application) level control over who can see what.
o Privacy access logging tags records at the database level, and then logs any interaction alongside a purpose code.
o Access logs are reported for permission verification on a monthly basis.
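The two controls listed under 3(b), menu-level access control and purpose-coded access logging with a monthly permission check, can be illustrated with a small Python program. This is an added example, not Veda's code, and the page does not describe how Veda's system is built: the role names, purpose codes, menu names, pipe-delimited log format and the five log lines are all constructed for illustration.

```python
"""Purpose-coded access logging with a monthly permission check.

Added example, not Veda's code. Roles, purpose codes, menus, the log
format and the sample log lines are constructed assumptions.
"""
from collections import namedtuple
from datetime import datetime

# Purpose codes that may be cited when a tagged record is touched
# (constructed; a real bureau would derive these from its policies for use).
PURPOSE_CODES = {"CREDIT_APP", "ACCOUNT_MGMT", "PRIVACY_REQ", "DEBT_COLLECT"}

# Menu (application) level permissions per role, plus which purposes a role
# may cite. Infrastructure roles get no tagged-record access at all.
ROLE_PERMISSIONS = {
    "cs_officer": {"menus": {"consumer_file"}, "purposes": {"PRIVACY_REQ"}},
    "subscriber_user": {"menus": {"enquiry"}, "purposes": {"CREDIT_APP", "ACCOUNT_MGMT"}},
    "dba": {"menus": set(), "purposes": set()},
}

AccessEvent = namedtuple("AccessEvent", "ts user role menu record purpose")


def parse_log_line(line):
    """Parse one pipe-delimited access log line (constructed format)."""
    ts, user, role, menu, record, purpose = [f.strip() for f in line.split("|")]
    return AccessEvent(datetime.fromisoformat(ts), user, role, menu, record, purpose)


def verify_event(ev):
    """Return the list of exception reasons; an empty list means the access was permitted."""
    perms = ROLE_PERMISSIONS.get(ev.role)
    if perms is None:
        return ["unknown role"]
    reasons = []
    if ev.menu not in perms["menus"]:
        reasons.append("menu not permitted for role")
    if ev.purpose not in PURPOSE_CODES:
        reasons.append("purpose code not recognised")
    elif ev.purpose not in perms["purposes"]:
        reasons.append("purpose not permitted for role")
    return reasons


def monthly_report(lines, year, month):
    """Count one month's tagged-record accesses and list those that fail verification."""
    events = [parse_log_line(line) for line in lines if line.strip()]
    in_scope = [e for e in events if (e.ts.year, e.ts.month) == (year, month)]
    exceptions = []
    for ev in in_scope:
        reasons = verify_event(ev)
        if reasons:
            exceptions.append((ev.ts.isoformat(), ev.user, ev.record, "; ".join(reasons)))
    return {"accesses": len(in_scope), "exceptions": exceptions}


# Constructed sample log: timestamp|user|role|menu|record tag|purpose code
SAMPLE_LOG = """
2014-05-03T09:12:00|jsmith|cs_officer|consumer_file|CF-000123|PRIVACY_REQ
2014-05-03T09:15:00|bank01|subscriber_user|enquiry|CF-000124|CREDIT_APP
2014-05-10T14:02:00|bank01|subscriber_user|enquiry|CF-000125|MARKETING
2014-05-11T08:40:00|dbadmin|dba|consumer_file|CF-000126|ACCOUNT_MGMT
2014-06-01T10:00:00|jsmith|cs_officer|consumer_file|CF-000127|PRIVACY_REQ
""".strip().splitlines()

if __name__ == "__main__":
    report = monthly_report(SAMPLE_LOG, 2014, 5)
    print(f"{report['accesses']} tagged-record accesses in May 2014")
    for exc in report["exceptions"]:
        print("EXCEPTION", *exc)
```

Run as written, the May 2014 report counts four accesses and raises two exceptions: the subscriber citing an unrecognised purpose code, and the database administrator reading a tagged record through a menu the role is not entitled to. Keeping the purpose code on every log line is what makes the monthly check a mechanical comparison against the role's permissions rather than a manual judgement.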
Response (continued):
(c) The credit reporter processed information privacy requests in accordance with Rules 6 and 7 of the Code. Veda monitors requests for credit information and holds the belief that such requests are processed in a way that meets the requirements of Rules 6 and 7 of the Code. Veda notes that the outcome of C/24879 was that there was no interference with privacy in relation to the complainant. (This led to an own-motion investigation which subsequently led to Amendment 9. Compliance with the Amendment took effect outside of the period reported on.)
(d) Veda took such measures as were reasonably practicable to avoid the incorrect matching of information. Veda has complex automated routines to underpin how its data matching is undertaken. As the OPC is aware, these are automatic system processes, not manual. As these processes are automatic they are difficult to audit outside the IT environment. However, from the low level of complaints around data matching, Veda believes that it complies with this obligation. The IT processes are clearly documented. Complex algorithms underpin the processes. The key data fields to match on are name, address and date of birth. Driver licence data is not available on every file to match; however, Veda believes over time use of driver licence data will further improve matching accuracy as this information builds on the database.
(e) The information held by Veda was subject to reasonable checks to ensure it was accurate, up to date, complete, relevant and not misleading. Veda reasonably believes that the information is up to date, and that it is complete, relevant (more a function of system design) and not misleading. This is based upon the level of complaints from individuals around data, assessments made in investigations of such complaints, and the assurances Veda seeks from its subscribers both through their contractual obligations and through the monitoring it does undertake (see below) to ensure data accuracy.
(f) Veda's reporting and retention of credit information was in accordance with Rule 9 and Schedule 1 of the Code. Veda has automated processes regarding reporting of information and how long data is retained for; accordingly it reasonably believes that it meets these requirements. The relevant data fields listed in Schedule 1 of the Code are assigned an automated removal date and the system is designed for those fields to be removed in accordance with that date.

Commentary (continued):
Process Control
Major processes are covered by the following key documents: Subscriber agreement; Employee handbook; Data security policy; Subscription process.
These set out the system rules (incorporating areas such as data transfer) adequately to meet the Code.
Through interview the user community indicates a good level of understanding (of the importance of security) and compliance. There is a good culture of privacy and good practice.
3(c)
Veda has a comprehensive suite of product and service information for subscribers, to help public consumers make fully informed decisions in relation to accessing and correcting their credit information, including:
o Your credit file explained
o Your rights explained
o Comprehensive reporting – what it means for you
o Understanding your VedaScore
These are supported by a systematic investigation process with a range of template letters covering a wide range of client requests.
The investigation process is systematic, with defined pathways and timelines to handle all requests.
A database is used to keep track of all requests from the time of initiation until formally ‘closed out’.
3(d)
Veda has complex automated routines to underpin how its data matching is undertaken.
The key data fields to match on are name, address and date of birth.
Veda takes a deliberately conservative stance on matching and will not match and merge any records unless its confidence levels are very high that there is a genuine ‘match’. Veda achieves this in the first instance through a set of ‘policy rules’, based on past experience and statistical modelling, and clearly documented.
The above processes are also underpinned by data quality remediation routines driven by the processing of privacy requests (under 3(c) above).
3(e)
Veda’s approach and strategy to ensuring that information is accurate, up to date, complete, relevant (more a function of system design) and not misleading relies on both preventative and detective controls.
Preventative controls comprise:
Subscriber contractual obligations
Conservative (stringent) data matching policies
Prompt remediation of any known data quality issues, including sanctioning of non-compliant subscribers
Internal data quality policies and procedures, e.g. mandatory fields, missing data etc.
Employee training
Detective controls comprise:
Level of complaints received
Results of subscriber monitoring
3(f)
Veda has automated processes regarding reporting of information and how long data is retained for; accordingly it reasonably believes that it meets these requirements.
The relevant data fields listed in Schedule 1 of the Code are assigned an automated removal date and the system is designed for those fields to be removed in accordance with that date.
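The retention control described under 3(f), a removal date assigned to each retention-limited field when it is loaded, with the system removing the field once that date passes, can be shown in a short Python example. This is an added example, not Veda's code. The field categories and the retention periods in RETENTION_DAYS are placeholders: the real limits are set by Schedule 1 of the Code, which this page does not reproduce, and the sample records are constructed.

```python
"""Automated removal dates for retention-limited fields.

Added example, not Veda's code. Field categories and the retention periods
below are placeholders standing in for the Schedule 1 limits; the records
are constructed.
"""
from datetime import date, timedelta

# Placeholder retention periods in days, keyed by field category.
# Replace with the Schedule 1 limits for a real system.
RETENTION_DAYS = {
    "enquiry": 365 * 4,
    "default": 365 * 5,
    "credit_account": 365 * 2,
}

# End of the period this report covers (30 June 2014), used as the review date.
REVIEW_DATE = date(2014, 6, 30)


def assign_removal_date(record):
    """Stamp a record with its removal date at load time.

    Doing this once, up front, turns later purging into a plain date
    comparison instead of a per-record retention judgement.
    """
    days = RETENTION_DAYS.get(record["field"])
    if days is None:
        # A field with no retention rule is a configuration gap: refuse to load it.
        raise ValueError(f"no retention rule for field {record['field']!r}")
    return {**record, "removal_date": record["event_date"] + timedelta(days=days)}


def purge_due(records, today):
    """Split records into (keep, removed) by comparing removal_date with today.

    Records that were never stamped are kept and flagged rather than guessed
    at, so the gap shows up in the review rather than silently persisting.
    """
    keep, removed = [], []
    for rec in records:
        if "removal_date" not in rec:
            keep.append({**rec, "flag": "missing removal_date"})
        elif rec["removal_date"] <= today:
            removed.append(rec)
        else:
            keep.append(rec)
    return keep, removed


# Constructed sample records; the last one deliberately lacks a removal date.
SAMPLE = [
    assign_removal_date({"id": 1, "field": "enquiry", "event_date": date(2010, 3, 1)}),
    assign_removal_date({"id": 2, "field": "default", "event_date": date(2012, 1, 15)}),
    assign_removal_date({"id": 3, "field": "credit_account", "event_date": date(2013, 7, 1)}),
    {"id": 4, "field": "enquiry", "event_date": date(2009, 1, 1)},
]

if __name__ == "__main__":
    keep, removed = purge_due(SAMPLE, REVIEW_DATE)
    print("removed:", [r["id"] for r in removed])
    print("kept:", [(r["id"], r.get("flag")) for r in keep])
```

With the placeholder periods, the 2010 enquiry has reached its removal date by 30 June 2014 and is removed, the default and credit account records are kept, and the unstamped record is kept but flagged. Flagging rather than silently retaining is the point: a record with no removal date is exactly the kind of gap a monthly review should surface.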
Response (continued):
(g) Veda processed direct marketing lists in accordance with Rule 10(1)(C). Special contractual terms apply to the processing of direct marketing lists which aim to ensure that the subscriber meets their obligations in this regard. Veda has policies that state access cannot take place without the subscriber agreeing to these terms. The current policies require sign-off from senior staff members who are trained in privacy compliance before any such access is made available. Veda notes that such services are available to a very limited range of subscribers.
(h) Veda processed suppression, release, or cancellation requests in accordance with Schedule 7. Veda notes that there have continued to be very low levels of such requests during the period covered by this report. Veda is satisfied as to its level of compliance.
(i) Veda processed complaints in accordance with Clause 8 of the Code. Veda is satisfied that complaints are dealt with in accordance with Clause 8. The personnel involved in dealing with complaints have processes to follow which comply with the Code. Those processes include diary follow-ups to ensure that key dates are met. Internal reporting on a monthly basis is designed to ensure that appropriate personnel in the organisation can check on such complaints, and offers a reactive check on such processes. Monthly complaints outcomes are monitored and Veda looks for anomalies or trends which can then be addressed. Veda believes this is an appropriate level of compliance for the size and nature of most complaints.
(j) Veda's website disclosed accurate information that gave effect to Rules 6(4)(b), 7(4)(b), 8(3)(A) and 8.1 of Schedule 7. Veda believes it complies with this obligation.
(k) Subscribers complied with agreements and controls. To the best of Veda's knowledge this is the case. Veda notes that (as it has made the OPC aware) there are inherent difficulties and conflicts in requiring an organisation to police its major customers. All subscribers are required to have a subscriber agreement which contractually obliges those customers to comply with the relevant obligations of the Code. If it is identified, either by monitoring or by complaint investigation, that a subscriber is not complying, Veda takes appropriate remedial action to deal with that subscriber. Veda believes this is appropriate.

Commentary (continued):
3(g) No changes.
Special contractual terms apply to the processing of direct marketing lists which aim to ensure that the subscriber both understands and meets their obligations in this regard.
Veda has policies that state access cannot take place without the subscriber agreeing to these terms.
The current policies require sign-off from senior staff members who are trained in privacy compliance before any such access is made available.
These services are only available to a very limited range of subscribers.
3(h)
Change: Veda has implemented controls around identifying CCR data and pre-existing credit accounts.
3(i)
Veda has a systematic complaints procedure that accords with the Code (refer also 3(c) above).
The personnel involved in dealing with complaints are well trained in the Code requirements and in dealing with the public. Their familiarity with the process, as well as with recurring complaints, allows them to discern potential issues not necessarily evident through other means (e.g. the low level of complaints does not lend itself to the use of advanced analytics).
Complaints statistics are closely monitored, including any potential correlation with other factors, e.g. results of subscriber monitoring.
3(j)
A periodic website review against the Code requirements is undertaken.
The website is not to be changed without a compliance and legal review of the proposed changes.
(The latest review was in the context of Amendment 9. Another review was undertaken after the reporting period in the implementation project for Amendment 9 changes.)
3(k)
Preventative controls comprise:
Subscriber contractual obligations
Review of subscribers’ privacy terms and conditions on signing up subscribers and at other opportunities (e.g. when complaints are received)
Detective controls comprise:
Results of subscriber monitoring
Changes since 2013:
Veda intends to adopt a more risk-based approach to monitoring its subscribers while ensuring adequate representation of its subscriber base.
The majority of Veda’s customers are compliant. There are instances, however, where as a result of our subscriber monitoring we have had occasion to remove subscribers for ‘non-compliant’ practices.
Veda continues to use a range of preventative and detective controls to ensure subscriber compliance.
4. Assurances Relating to Action Taken on Deficiencies Identified
(a) During Veda's systematic reviews, monitoring activities or as a result of a complaint, where Veda identified a breach of an agreement, policy, procedure, control or requirement of the Code, Veda investigated that breach and where appropriate took prompt remedial action.
4(a)
During Veda's systematic reviews, monitoring activities or as a result of a complaint, where Veda identified a breach of an agreement, policy, procedure, control or requirement of the Code, Veda investigated that breach and where appropriate took prompt remedial action.
Veda notes from the above that it takes remedial action where appropriate. Veda reviews investigations and complaints regularly and systematically looks for and addresses any systemic issues.
(b) No deficiencies were identified in the previous year's report.
Veda reviews investigations and complaints regularly and systematically looks for and addresses any systemic issues.
4(b) No change
5. Schedule & Transitional Provisions
Clause 6 of Schedule 8: Veda provides a reasonable assurance that:
Clause 4.1 - Veda has incorporated the requirement in its CCR terms. The data standards agreed upon at RCANZ¹ mean that the date when notice was given by a subscriber to their customers can be reported to Veda.
Veda captures the date of the clause 4.2(b) notice. Requiring a date to be supplied is a measure to address clauses 4.1 and 4.2 in a way which will be transparent and compulsory.
Changes since 2013:
Veda intends, as part of its ongoing subscriber monitoring (refer 3(k) above), to also formally check this aspect as part of the monitoring process.
Veda also intends to institute an automated checking process to confirm that its subscribers have complied and notified their customers of the uploading of comprehensive credit information.
¹ The Retail Credit Association of New Zealand Inc. (RCANZ) is a specialist industry association set up to create a forum for: providers of credit to individuals (major bank, non-bank and utility service organisations); the major credit reporters; and organisations able to access positive credit data under the Credit Reporting Privacy Code 2004. A sub-group of RCANZ has formulated the data standards which members of RCANZ agreed would enable CCR data sharing. The data standards work like a data dictionary, enabling consistent CCR data collection and sharing.
4. Notes
4.1 What does our reasonable assurance process look like?
The figure below helps put our 2014 Assurance Review process in context and illustrates how ‘users’ could
be expected to acquire confidence in this Assurance Report.
Each component of this Model was considered and debated by the Committee and used to inform the
review process and methodology.
A number of the more important components of the Model are explained in the immediately succeeding
sections below.
4.2 The Review Committee
Veda has elected to have this Assurance Report prepared by a Review Committee in accordance with
Clause 9(2)(b) of the Code.
The members of the Review Committee are shown below, with their respective areas of specialisation and focus as Committee members.
The Committee has been carefully selected to ensure the rigour of the assurance process:
• The Committee possesses, both as individual committee members and collectively, appropriate experience, competencies and personal qualities, including professionalism and personal integrity.
• The Committee collectively has adequate knowledge and experience relevant to each of Veda’s core business activities in order to enable effective governance and oversight.
• The Committee also collectively has a good understanding of local and international trends in privacy and of the related legal and regulatory environment.
• The role and responsibility of the Independent Person to challenge the Chair and other members of the Committee on substantive issues (as distinct from a conventional ‘box-ticking’ focus on process) has been formally written into that position description.
Independent Person
As stated in the table, the Independent Person on the Committee, Richard Kirkland, is a partner in the professional services practice Risk & Regulation. As part of the review process Richard was given full access to all necessary Veda resources to fulfil his terms of reference as an independent reviewer. As part of his independent evidence gathering, Richard led an independent staff compliance culture survey as part of the assurance evidence gathering process – see below.
4.3 Our systematic review process
The review has been undertaken using a combination of documentation review, an (independently administered) staff survey and interviews with senior management and other key personnel responsible for delivery of consumer credit reporting services across Veda.
The results and findings were initially discussed and challenged in a series of sessions of the Review Committee before being finalised and fed into this final 2014 Assurance Report.
The following schematic overviews the review process followed:
Our Review Methodology
The methodology followed for the review involved the following progressive phases:
1. Understanding and documenting the core functions and processes of Veda’s business model as it
relates to consumer credit reporting (Business Model)
2. Mapping the Code requirements onto the Business Model (‘in-scope’ Assurance Requirements)
3. Developing a review schema and programme using good practice assurance standards (Assurance
Review Programme) and
4. Using robust, evidence-based criteria to source and assess the evidence and results (Compliance
Evidence).
Figure 1: Review Process (schematic; stages shown: Veda initial (Self) Assessment; Documentation Review; Survey; Interviews (incl. high-level walk-through); Evaluate and Discuss (In Committee); Conclude & Report; within the Compliance Management Cycle)
Evidence Selected
Five (5) types of evidence were sourced and used for the Review:
1. Statements of intent, philosophy
2. Documentary evidence of policies, procedures and controls
3. Relevant activity and performance metrics
4. Structured interviews
5. Compliance culture survey
4.4 Standards Used
The standards that Veda considers relevant and has applied in undertaking the 2014 Review are the
following:
• New Zealand Standard (NZS/AS 3806:2006) Compliance Programmes
• New Zealand Standard (AS/NZS ISO 31000:2009) Risk management – Principles and Guidelines
• New Zealand Auditing Standards and the International Standard on Assurance Engagements (New Zealand) 3000: ISAE (NZ) 3000 - Assurance Engagements other than Audits or Reviews of Historical Financial Information
• ISO 27001:2013 Information security management
In addition, a number of interpretations for key terms used in the Code have, to the extent they are not explicitly defined in the Code, been drawn from similarly oriented disciplines. The terms concerned are:
• Systematic reviews
• Monitoring activities
• Reasonably practicable
5. Appendices - Assurance detail
5.1 Confidential and Commercially Sensitive
CCR content for annual Assurance Report
Overview
Following amendments 4 and 5 to the Credit Reporting Privacy Code 2004, which permitted Comprehensive Credit Reporting (CCR) in New Zealand, it has taken the industry time to ready itself and formally commence the transition to positive reporting. While the majority of Credit Providers who intended to participate in CCR issued the required notice to consumers in 2012, it is fair to say the industry took time to reach agreement on the underlying principles of CCR. Agreement on formal data standards and reciprocity (data sharing) principles continued post 1st April 2012 via the Retail Credit Association of New Zealand (RCANZ), with the latter only being ratified in late 2012.
We are pleased to announce that CCR is now live on the NZ Veda bureau and several major banks and
finance companies are now formally sharing CCR data with each other. We also anticipate additional
Credit Providers joining this live data sharing group in the coming months.
Veda was the first credit bureau to achieve critical data mass in New Zealand and worked proactively with the industry over several years to achieve this outcome. Anecdotally, early adopter Credit Providers have reported that the provision of a more complete picture of a consumer’s creditworthiness, i.e. credit limits and repayment history, has resulted in different, more prudent lending decisions starting to be made in a positive reporting environment.
In terms of the transformation of our own business, Veda established a dedicated program of work over multiple years to ensure our business was CCR ready from the first date at which CCR was permissible (1st April 2012) from a customer, business, product, process and legal/compliance perspective. Of particular note is the effort applied to ensuring our consumer investigation and query support processes were appropriately expanded under CCR – this has been an area we have reviewed and refined consistently as theory became practice on the CCR front. We have invested significantly in CCR over the past 5 years (inclusive of consumer awareness) and will continue to do so over the coming years.
CCR going live in New Zealand represents a significant milestone for our industry and certainly we
anticipate close attention from Australia as they commence their own transition to CCR.
CCR provides a more balanced and complete reporting system which will firmly underpin responsible lending practices and more prudent lending disciplines. It also provides consumers with a mechanism to demonstrate credit rehabilitation following an adverse event and potentially access quality credit at a more reasonable price.
5.2 Addressing specific areas of interest
1. Consumer notice and access
The majority of Credit Providers who intended to participate in CCR issued the required notice to consumers in 2012. As part of Veda’s enrolment process and terms for CCR, Credit Providers must demonstrate they have given the appropriate notice to consumers and provide a copy of this notice. Veda has captured and formally logged each individual notice from Credit Providers so that we have this on file and can reference it, in general terms, if required to support a consumer query.
In terms of consumer access to CCR data, from the point at which Credit Providers provided live CCR data
to Veda (irrespective of whether this data was yet being shared with other Credit Providers or not)
consumers have been able to see all CCR data reported on them via our MyCreditFile consumer credit
reports (free and paid).
2. Consumer CCR investigations and complaints
Veda actively monitors CCR investigations and complaints and indeed separates these from other investigations to ensure we can proactively monitor the volume of consumer queries in this area. We have introduced specific CCR-relevant dispute, amendment and investigation coding so that we will be able, over time, to compare and discern relevant statistical information relating to CCR.
As at the 24th September 201, only 16 disputes from consumers resulted in an amendment to the information supplied to Veda by Credit Providers supplying CCR data. When placed in relevant context, in terms of the large volume of CCR data loaded by Veda to date, it is clear that the quality of the information supplied by Credit Providers is very high, with that volume of data having resulted in only an extremely small number (16) of amendments to consumer credit files.