mychoicehomeloans.com.aumychoicehomeloans.com.au/.../uploads/2014/11/Compliance-Plan … · Web viewAppointed Credit Representative – see Credit Representative. Authorised Credit

Page 1 of 121

COMPLIANCE PLAN Table of Contents Page No

Section 1 – GENERAL COMPLIANCE REQUIREMENTS....................................................4Plan Version Number 3.8.....................................................................................................4Maintaining the plan.............................................................................................................4

Introduction...........................................................................................................................4Definitions.............................................................................................................................5

Business Overview...............................................................................................................6Counterparties......................................................................................................................6

Adelaide Bank Limited......................................................................................................6Advantedge Financial Services Pty Limited......................................................................7

Firstmac............................................................................................................................7FAST.................................................................................................................................7

Introducers........................................................................................................................7Referrers...........................................................................................................................7

Mortgage Brokers.............................................................................................................7Appointed Credit Representatives....................................................................................8

Auditing of Trust Accounts....................................................................................................8Monitoring and Reporting.....................................................................................................8

Procedure for conducting hindsight compliance reviews.....................................................8Breach Register....................................................................................................................9

Storing of our Compliance Documents...............................................................................10Financial resources............................................................................................................10

Financial records................................................................................................................10Key Performance Indicators...............................................................................................10

Professional indemnity insurance.......................................................................................10Conflict of Interest...............................................................................................................11

Requests for assistance because of hardship by borrowers..............................................11Compliance with other laws................................................................................................11

Security of Clients Information............................................................................................12Clean Desk Policy..............................................................................................................12

Section 2 – HUMAN RESOURCES......................................................................................13Recruitment........................................................................................................................13

Training...............................................................................................................................13

Page 2 of 121

Responsible Managers.......................................................................................................13Credit Representatives.......................................................................................................13

On-going Training...............................................................................................................14Mentoring Program.............................................................................................................14

Exiting of Employees..........................................................................................................14Human Resources - Risk Management..............................................................................14

Section 3 – INFORMATION & TELECOMMUNICATIONS SYSTEMS................................18Loan Works........................................................................................................................18

Email System......................................................................................................................18Stored Electronic Files........................................................................................................18

Storage of usernames and passwords...............................................................................18Telephone System..............................................................................................................18

Facsimile Machines............................................................................................................19Emergency Evacuation of the Premises.............................................................................19

Disaster Recovery Plan......................................................................................................19Key Contacts...................................................................................................................19

Safekeeping and Access to the DRP..............................................................................20Server Backup Strategy..................................................................................................20

Information Technology (I.T) Risk Assessment..............................................................20I.T Risk Matrix Assessment............................................................................................21

What Triggers the Disaster Recovery Plan (DRP)?........................................................22Notification of an Incident...................................................................................................22

IDRP Team Objectives.......................................................................................................22Emergency Alert, Escalation and DRP Activation..............................................................23

Contact with Employees.....................................................................................................23Updates..............................................................................................................................23

Work Continuation..............................................................................................................23Personnel and Family Notification......................................................................................23

Media Contact....................................................................................................................23Insurance............................................................................................................................23

Insurance Summary...........................................................................................................24Financial and Legal Considerations...................................................................................24

Financial Assessment.....................................................................................................24Financial Requirements..................................................................................................24

Legal Actions..................................................................................................................24DRP Reviews.....................................................................................................................24

Appendix A- Disaster Checklists........................................................................................24Section 4 – CUSTOMER DISPUTE RESOLUTION.............................................................31

Page 3 of 121

Internal Dispute Resolution (IDR).......................................................................................31External Dispute Resolution (EDR) membership...............................................................32

Section 5 – RESPONSIBLE LENDING DISCLOSURE OBLIGATIONS.............................33Introduction.........................................................................................................................33

Overview ............................................................................................................................33Process...............................................................................................................................33

Disclosure Documents and brief summary of their use......................................................34Definitions – What is Customer facing and providing Credit Assistance?..........................34

When are documents provided?.........................................................................................35Type 1 - Mortgageport Acts as Mortgage Manager and is Customer facing..................35

Type 2 - Mortgageport Acts as a Mortgage Manager but is NOT Customer Facing......35Type 3 - Mortgageport acts as a Mortgage Broker (FAST) and is Customer Facing.....36

Legal advice received regarding Responsible Lending disclosure.....................................37Work Flow for Issuance of Proposal Disclosure Document and Credit Guide...................39

Credit Guide 1 (Template)..................................................................................................40Credit Guide 2A Template..................................................................................................41

Credit Guide 2B (Template)................................................................................................42Proposal Disclosure Document (Template)........................................................................45

Section 6 – CHECK LISTS AND ADDENDUMS..................................................................46Item 1 - Credit licence.........................................................................................................46

Item 2 – Copy of our EDR Membership..............................................................................47Item 3 - Compliance Summary Checklist...........................................................................48

Item 4 - NCCP Compliance Checklist.................................................................................49Item 5 – Hindsight Compliance Review Check List............................................................51

Item 6- Compliance with other Credit Laws........................................................................52Item 7 - Authorised Credit Representative Checklist..........................................................53

Item 8 – Mortgage Broker Acreditation Checklist...............................................................55Item 9 – Referrer Checklist.................................................................................................57

Item 10 - Appendix A – Loanworks Introducer Module.....................................................58Item 11 - Appointment of Company Credit Representative...............................................61

Item 12 – Appointment of Credit Representative under NCCP..........................................65Item 13 – Annual Compliance Check for an Accredited Mortgage Broker.........................68

Item 14 – Annual Compliance Check for an Authorised Credit Representative ................69Item 15 – Internal Control Procedures for Loan Approval .................................................70

Item 16 – Adelaide Bank Mortgage and Origination Agreement........................................71Item 17 – Advantedge Mortgage and Origination Agreement............................................81

Item 18 – Advantedge Deed of Variation............................................................................97Item 19 – FAST Sub-Originators Agreement....................................................................102

Item 20 – Firstmac Origination Agreement.......................................................................105

Page 4 of 121

Section 1 – GENERAL COMPLIANCE REQUIREMENTS

Plan Version Number 3.9

Mortgageport Management is required to have and maintain a compliance plan as part of our obligations under the NCCP Act to ensure we comply with our obligations as a credit licensee. This compliance plan was established on 30 September 2010 and was last updated on 30th January 2013 as part of the annual Compliance Review undertaken by the Responsible Managers.

Maintaining the plan

This plan will be reviewed at least annually in late January every year by the Responsible Managers and a copy of the revised plan is to be provided to the board of Directors with the end of February financial results.

A calendar event has been created to remind Responsible Managers of their obligation to update this plan each year on the 27th January and this item has been added to our Compliance Summary Checklist (see Section 6 Item 3). This checklist is provided to each Company Director with our end of month financial statements.

Each time the compliance plan has been updated (which includes our Disaster Recovery Plan) it will be given a revised version number and the older version will be archived for a period of 7 years by saving it in the folder created on our computer server in the O Drive Compliance Folder.

Introduction

This compliance plan addresses the key fundamentals required by Australian legislation to engage in credit activities. The plan has been designed to suit the business activity of Mortgageport Management Pty Limited and our associated companies. The plan takes into account our business size and complexity; in particular it addresses the following key points:

1. Risk management systems2. Access to adequate resources3. Adequate documented systems to monitor compliance with regulations4. Have suitable compensation arrangements in place5. Membership of an approved external dispute resolution process (EDR)6. Have an internal dispute resolution process in place (IDR)7. Ensure our Credit Representatives are adequately trained8. Maintain our competence to engage in credit activities9. Take reasonable steps to ensure our Credit Representatives comply with legislation10. Comply with the legislative framework covering regulated credit11. Comply with the conditions of our Australian Credit Licence12. Have arrangements in place to ensure that our clients are not disadvantaged by any

conflicts of interest13. Do all things necessary to efficiently, honestly and fairly engage in credit activities

Page 5 of 121

Definitions

Appointed Credit Representative – see Credit Representative

Authorised Credit Representative – see Credit Representative

Compliance Summary Checklist – a checklist which is a summary of key actions, events and checks that we do to ensure that we operate efficiently and comply with our obligations

Counterparty - the other party to a financial transaction in our case our funders, lenders, referrers or appointed representatives

Compliance Plan Review – a process that is conducted annually by the Responsible Managers to ensure that the plan is current and relevant

Credit Assistance – is a term referred to by the NCCP for a person who in the course of their business or incidental to their business suggests or assists a consumer to apply for a new loan or an increase or remain in a particular credit contract with a particular credit provider

Credit Representative – a credit representative may be appointed to engage in specified credit activities on behalf of a licensee. The appointment may be in respect of some or all of a licensee’s credit activities

Fit and Proper people – Mortgageport’s directors and the company secretary plus any other senior managers appointed who perform duties in relation to credit.

Mortgage Broker – a person who holds their own credit licence or is an authorised credit representative of another credit licensee, provides credit advice and refers mortgage loans to Mortgageport for processing and approval.

NCCP - National Consumer Credit Protection Act 2009 is legislation that is designed to protect consumers & ensure ethical & professional standards in the finance industry, through the National Credit Code (NCC). The Act is regulated & enforced by ASIC. The Act provides that all lenders & mortgage brokers are required to hold a credit license or be registered as an authorised credit representative.

Referrer – is a person or entity that refers potential borrowers to us for credit advice (but does not include Appointed Credit Representatives or persons that hold their own credit licence)

Responsible Managers – is a term defined in the NCCP legislation as the people appointed by Mortgageport who provide their skills and expertise and have the primary responsibility for managing our credit activities

Responsible Lending – is a term defined in the NCCP legislation requiring a person who provides credit assistance to make reasonable enquiries about a consumers financial situation, their requirements and objectives and to take reasonable steps to verify the consumers situation and to then make a preliminary assessment about whether the credit is not unsuitable

Representative - the term representatives includes Mortgageport’s own directors and employees as well as contracting credit representatives who are engaged in credit activities.

Page 6 of 121

Business Overview

The business is conducted by Mortgageport Management Pty Ltd (Mortgageport). Mortgageport is currently holds an Australian Credit Licence. Licence Number 386360. Mortgageport also has the subsidiary company’s Mortgageport Origination Pty Limited and MP Mortgages Pty Limited both these companies are appointed credit representatives of Mortgageport.

This business description relates only to activities relating to credit regulated by the National Credit Code (NCCP) and our activities regulated by the National Consumer Credit Protection Act.

The company primarily acts as a Mortgage Manager and should not be referred to as a Non-Bank Lender.

Registered OfficeLevel 768 Alfred StreetMILSONS POINT NSW 2061

Credit Licence No:

386360 – see Index item 1

Principal location of businessLevel 768 Alfred StreetMILSONS POINT NSW 2061

Branch OfficesUnit 2, 128 Bowen StreetSPRING HILL BRISBANE 4000

Trading NamesLoanstar Home LoansLoanstar Mortgage Management

List of Directors / Fit and Proper PeopleCedric Ross BerglundGlen Clarence SprattMichael James McKelvie

List of Representatives who are directors or Employees:Glen Clarence Spratt (Director)Michael McKelvie (Director)Lindsay Horlor (Employee)Sam Micieli (Employee)Beth Stolyar (Employee)Col Sherry (Employee)Shayne Parry (Employee)Sharon Murphy (Employee)

List of Appointed Credit Reps: (Auth Rep No)MP Mortgages Pty Ltd ( 393 904)Dream Run Syndication Pty Ltd 9 (402144)Mortgageport Origination Pty Ltd (393 899)Ziggybid Pty Ltd (402 145)Frank McDonagh & Associates Pty Ltd (403 045)Frank McDonagh (365 129)Great South Land Finance (439 547)Cathy Bell (364 477)Bassem Fares (425 627)

List of Responsible ManagersGlen SprattMichael McKelvie

Company ACNMortgageport Management Pty Ltd - 082 753 679Dream Run Syndication Pty Ltd – 112 558 620Ziggybid Pty Ltd – 127 765 628Mortgageport Origination Pty Ltd – 093 668 092

Counterparties

We have a number of counterparties with the major ones listed below:

Adelaide Bank Limited (Subsidiary of Bendigo and Adelaide Bank Limited). We have a loan origination and management relationship which allows us to market, process approve and manage residential mortgage loans with them. We are bound by a formal contract, which sets out our obligations and rights. A copy of this agreement is included in Section 6 Item 16 – Adelaide Bank Mortgage and Origination Agreement.

Page 7 of 121

Advantedge Financial Services Pty Limited (owned by NAB) We have a loan origination and management relationship which allows us to market, process approve and manage residential mortgage loans with them. We are bound by a formal contract, which sets out our obligations and rights. A copy of this agreement is included in Section 6 Item 17 – Advantedge Loan Origination Agreement

Firstmac (non-bank lender) We have a loan origination and management relationship which allows us to market, process approve and manage residential mortgage loans with them. We are bound by a formal contract, which sets out our obligations and rights. A copy of this agreement is included this in Section 6 Item 20 – Firstmac Origination Agreement.

FAST (owned by Advantedge)Our subsidiary company Mortgageport Origination Pty Limited (Appointed Credit Representative) has a mortgage aggregation agreement which allows us to act as a mortgage broker and provide us access to sell mortgage loans on behalf of a panel of lenders. A copy of this agreement is included in Section 6 Item 19 – FAST Sub-Originators Agreement.

IntroducersMortgageport works with 3 different types of Introducer, each of which have specific regulatory requirements; Referrers, Mortgage Brokers and Authorised Credit Representatives.

ReferrersMortgageport works with a number of referral partners. A referrer is someone who refers people to us for credit advice and provided they comply with NCCP guidelines they are not required to hold a credit licence. Some examples of types of referrers Mortgageport would use include accountants, insurance brokers and lawyers. Referrers are paid commissions based on Tiers 1 to 4. See the Referral Commissions document located on Mortgageport website.

We have a procedure before we appoint a Referrer and this is set out in Section 6 Item 9 – Referrer Checklist.

Mortgage BrokersMortgageport works with a small number of Mortgage Brokers. A Mortgage Broker is differentiated from a referrer due to the fact that they provide the credit advice and then provide the application for us to process and approve.

It is critical to ensure that we only deal with reputable and trustworthy Mortgage Brokers who are compliant with all legislation and follow our lender’s procedures. It is an area that creates additional risk for the Company and our funders. Eg: documentation fraud, ID fraud, reputation risk, financial risk (claw backs and early discharge of loans).

We need to confirm at least once per annum that they maintain the credit licence, EDR membership, professional indemnity insurance and membership of the MFAA. The compliance officer will check all these items on the date the professional indemnity Insurance is due. See Section 6 Item 13 - Annual Compliance Check for an Accredited Broker.

We have strict requirements before we appoint a Mortgage Broker and these are set out in Section 6 Item 8 – Mortgage Broker Accreditation Checklist.

Page 8 of 121

Appointed Credit RepresentativesMortgageport may appoint a Credit Representative to provide credit advice and sell mortgages on our behalf. Unlike a Mortgage Broker who has their own ACL, a credit representative operates under Mortgageport ACL and therefore this creates higher obligations for us to monitor the Credit Representative and their compliance to NCCP Act.

We have very strict requirements before we would consider appointing a Credit Representative and these are set out in Section 6 Item 7 – Appointment of an Authorised Credit Representative Checklist.

They are required to hold their own P.I cover, be a member of an EDR scheme and have their own compliance program. The compliance officer will conduct an annual compliance review on or around the Credit Representative anniversary of appointment. See Section 6 – Item 14 – Annual Complaince Check for an Authorised Credit Representative.

We are also committed to ensuring Credit Representatives receive appropriate training. To ensure this they are included in our staff training programs and training hours tracked in the Training Register (saved on O Drive/Human Resources/Training/Master Training Register 2012)

Auditing of Trust Accounts

We do not take money on trust and do not maintain a trust account or have a need to have an audit. Our mortgage management deed requires us to on forward any monies that we may receive from borrowers for loan repayments directly to the lender.

Monitoring and Reporting

We have an on-going and continuous obligation to monitor the activities of our Representatives and Appointed Representatives to ensure that they comply with credit legislation and our procedures. We also have an obligation to take reasonable steps that any Mortgage Broker that is accredited with us is licenced to engage in credit activities.

Our Compliance Manager will once per quarter, supervise a review of a minimum of 10 files or 5% of total loan submissions in a hindsight review to check compliance with our systems and procedures.

These hindsight compliance reviews are conducted at the end of January, April, July and October. This task is included on our Annual Compliance Checklist. Refer Section 6 Item 5 – Hindsight Compliance Review Checklist.

Procedure for conducting hindsight compliance reviews

Each file is checked with reference to items on our Hindsight Review Checklist – see Section 6 Item 5

Generate a settlement report from Loan Works covering all loans that have settled over the period being reviewed and export to a spread sheet

Sort the loans by introducer and then select a minimum of 10 files or 5% of all files, ensuring that the selection includes at least one file for each Representative (employees who provide credit advice) and a selection from various other sources in the files to be reviewed.

Page 9 of 121

Using Loan Works conduct a review of every file in accordance with the Hindsight Compliance Review Checklist and Record the findings

If any breaches are found these are to be recorded in the breach register (see below) and reported to the person who caused the breach in writing and to all Responsible Managers, who will if necessary ask for a response or take further action

Provide a copy of the summary of the findings to all Responsible Managers and save the records of the hindsight reviews electronically in the folder on the server.

On-going monitoring of compliance is also required to be done by the Credit Manager who will provide on-going training and supervision to others.

We have deliberately separated the sales and credit processes to ensure we have a formal division between these two potentially conflicting areas and train the Credit Department to monitor compliance for each loan transaction. Refer Item

Remuneration incentives for sales staff and other selected staff are directly tied to meeting minimum compliance requirements. If they do not meet the compliance requirements no commissions are received.

In addition to this, we review monthly reports on Credit submissions from ABL and Advantedge.

Breach Register

We maintain a breach register in which we record any material breaches of compliance procedures. The Responsible Manager will review the breach register formally each year as part of the compliance plan review and include this in our annual ASIC return. Repeated offenders will be provided with warnings and if the behaviour does not improve may be removed as Representatives.

The format of our breach register appears below.

The breach register is a spread sheet and is stored on the server – O:/compliance/compliance plan/breach register

Page 10 of 121

Storing of our Compliance Documents

Not only are we required to comply with credit legislation we are required to document evidence of this compliance. Loan Works is used to store copies of loan applications, additional information, fact find sheets, credit guides, product disclosure documents, preliminary loan assessments, quotes and credit proposal documents. These are stored as attachments’ to each loan file and a quarterly hindsight sample review is done to monitor compliance.

Financial resources

Mortgageport is required to have adequate resources to engage in our desired credit activities. We prepare and review our financial position on a monthly basis at a board level to ensure the business has or has access to sufficient financial resources.

Mortgageport has built up sufficient trailing income that is recurring and provides reasonable certain cash flow to operate the business and has access to working capital in the event of new lower business volumes.

Mortgageport has a positive current asset position and is backed by shareholders who are tightly tied to the business who could (but not obliged to) provide financial support if required

Financial records

Our financial records are maintained on MYOB which is located on local computer server. We employ a full time qualified accountant who is responsible for the daily management of our accounting records, doing daily bank reconciliations and the preparation of monthly financial statements.

Our tax returns and annual accounts are prepared by an external accounting firm bdj partners at North Sydney.

Key Performance Indicators

Mortgageport prepares monthly reports that provide key decision makers with information about the key business drivers of the company, these KPI’s include monthly settlements, discharges, lending margins and revenue.

Professional indemnity insurance

We maintain Professional Indemnity insurance with Nova Underwriting Pty Limited for $2,000,000. This cover expires on the 16th October 2013. Our PI insurance does not extend to our external credit representatives - they are required to have their own cover.

PI cover for our brokers and credit representatives is checked periodically through the Loanworks database. A check is done every 3 months by the compliance officer to ensure all PI insurance is current and follow up any referrers where PI insurance is about to expire.

Page 11 of 121

Conflict of Interest

Generally we do not encounter conflicts of interest in our business. We include in our standard employment contracts a clause that precludes our employees from being persuaded because of a conflict of interest. We require our employees to sign an annual declaration confirming adherence to this policy.

We have no particular financial interests or other arrangements that are likely to give rise to a conflict of interest.

However there exists a potential conflict of interest as our Representatives have been given delegated authority to determine interest rates which in turn affects their bonus arrangements. This is an issue that is monitored by the Responsible Managers to ensure that clients are not disadvantaged.

Requests for assistance because of hardship by borrowers

Mortgageport acts in most cases as a mortgage manager or a mortgage broker, but where a borrower approaches us for assistance on the grounds of hardship the request should be referred to the lender and their procedures and decisions should be adopted.

In cases where a loan was advanced by Mortgageport this should be referred to the Managing director who will after reviewing their financial position make a judgement about the most effective way to resolve the issue with due regard to leaving the borrower in the best possible financial position while also having regard to protecting the interests of the company.

Compliance with other laws

We engage the services of Gadens Lawyers to provide on-going legal advice. There are a number of other laws that we need to be aware of such as:

The Privacy Act (see security of clients information below) Competitor and Consumer Act (all states now adopt same rules, formerly the state

based Trade Practices Act)

Through the MFAA and our continuing professional development, we are educated of basic legal requirements and the Responsible Managers and the company are members of the MFAA who provide industry updates and training programs.

From 1 July 2012 we will ensure that our licence number is stated in all documents legally required under NCCP Act Section 52. Documents which are required to display the Australian Credit Licence include:

Printed advertisements which relate to the provision of regulated credit Documents which are required to be given, created, published or produced under the

Code. This includes Credit Guides, PDD, Mortgages and guarantees. Business cards, emails and letters to customers (not advertising) are NOT required

to display the licence number. It is unclear whether websites are included but to ensure compliance Mortgageport has displayed it on the website.

Page 12 of 121

Security of Clients Information

Mortgageport is in possession of confidential financial information of our clients and keeping this information safe is a very high priority. We do this by having the following:

A firewall to prevent unauthorised access to our server Each computer terminal has a unique password and is timed to automatically lock

within 10 minutes of inactivity We have installed 4 security cameras We employ a clean desk policy Access to our work area where clients files are located requires a security clearance

and PIN Our computer server room is locked each evening along with the office doors We have offsite security monitoring and alarm system Each employee is required to sign a privacy act declaration and a code of conduct as

part of our standard employment contract We use a security bin to dispose of confidential client documents and train our staff

to destroy confidential documents by shredding or tearing We consider security measures before appointing outside suppliers and where

considered important take steps to confirm that our client’s confidential information is protected. (need assurance form LW)

Off site file policy – when staff members take client files off site for meetings any files left in the car must be locked in the boot out of sight. Only files needed for customer meetings that day are permitted to be taken out of the office.

Clean Desk Policy

A clean desk policy is where all files and associated paperwork is removed from each desk, every night and secured and that all work areas should remain free of unnecessary clutter and paperwork. It is required for privacy, security, management and brand reasons.

Leaving files on our desks unnecessarily and generally having a messy work environment could lead to the risk of misplacing client’s personal and or confidential information and / or this information being viewed, used or abused by unauthorised or authorised people who may enter our premises. As clearly outlined above, in addition to the Clean Desk Policy we employ other security measures such as PINs to enter premises and security cameras, alarms, security bins and locks.

Page 13 of 121

Section 2 – HUMAN RESOURCES

Recruitment

Mortgageport has a human resources manual which assists us in the proper management of our employees. More details can be found by referring to this policy which is stored on our server.

When we employ or appoint representatives or credit representatives, we ensure that they are fit and proper for the position. In particular we confirm that they have not committed any serious offence, been bankrupted or refused or disqualified by a professional or regulatory body. We do this by following a set procedure which is highlighted in our checklist

Recent criminal history check (AFP) Recent credit/bankruptcy check Character reference Employment contract/Origination contract Check that they are not ASIC banned or disqualified persons (see checklist) Conflict of interest declaration (which is included in our employment contract) Verification of qualifications

In particular, we ensure that all Representatives hold the required minimum education qualifications, which at present require a Cert IV in (Finance/Mortgage broking) and will confirm that from the 1st January 2013 all Representatives will have the minimum education qualification of Diploma in Financial Services.

We will insist that any Appointed Credit Representatives (sometimes referred to as an Authorised Credit Representative) is a member of an ASIC approved external dispute resolution scheme, has appropriate P.I cover and meets our other requirements and will check this each year as part of our annual compliance review.

We will set up an annual request on Loan Works to email the Authorised Representative at the anniversary of their accreditation to require them to provide updated evidence of their PI Cover, membership of an approved EDR and a copy of their credit licence renewal.

Training

Responsible ManagersAll Responsible Managers have completed a Diploma in Financial Services (Finance/Mortgage Broking) or have received an exemption (due to other education and experience) and have at least two years relevant problem free experience. As well, all responsible managers are required to complete 20 hours of continuing professional development (CPD) per year. This is done and tracked via the training register.

Credit RepresentativesAll Credit Representatives (internally and appointed) must have completed a Diploma in Financial Services (Finance/Mortgage Broking) or have received an exemption (due to other education and experience) and have at least two years relevant problem free experience.

Page 14 of 121

On-going TrainingEach Credit Representative and employee will undertake not less than 20 Hours of CPD (Continuing Professional Development) each year. For the purpose of what qualifies as CPD we have adopted the MFAA’s guidelines.

A record is maintained of the CPD in the following form for each Responsible Manager and Credit Representative.

Name of course

topics covered Date(s) Time

Total hours

training delivered

by CPD pointsPart of MFAA training? (Y/N)

learning method (online/classroom,

etc)

A training register is maintained and updated at least once every 6 months in January and July. The register is for all staff and details of education levels achieved and on-going achievements are recorded. The register is located on our server. Path o:/compliance/training register/master training register 2012

Mentoring Program

We may appoint Credit Representatives (internal and external) under our Mentor program, these are people who hold the minimum qualifications but lack the minimum 2 years’ experience to operate independently.

Individuals being mentored are required to work closely with a senior nominated Representative who will supervise their work and assist them with loan structuring, attending borrower interviews and reviewing files and ensuring compliance with our procedures and credit legislation. We will follow the mentor program as set out by the MFAA.

In all cases a mentor is to independently contact (as a minimum) the first 5 borrowers for loans lodged by a person being mentored to confirm that our compliance procedures have been conducted correctly. These findings are to be recorded using our hindsight review checklist. Refer Section 6 Item 5 – Hindsight Compliance review Checklist

Exiting of Employees

Employees who leave Mortgageport pose a risk to the business and the procedures set out in our Human resources manual are to be followed which include an exit check list to ensure all actions are taken.

Page 15 of 121

Human Resources - Risk Management

Description of Risk Potential Consequences

Risk Management Procedures

Severity of the Risk Insurarable Probability of the Risk

Occurring

Non-compliance with credit legislation

Loss of licence

Annual staff tests, internal hindsight

reviews and lender reviews

Extreme (5)

Unable to trade, business would

cease

High

IT RiskSee separate DRP in

section 5See separate DRP

in section 5See separate

DRP in section 5See separate DRP in

section 5

Negligence in identifying Fraudulent loan documentation

Lending loss, reputation risk with lender and financial

loss

Separation of credit and sales,

separation of verification clerk from approving

officer. Staff training and lender hindsight

audits and quality checks

High (4)

Loss of accreditation, large financial

loss which could lead to

insolvency of company

Yes Very High

Failure to properly identify borrowers in accordance with

lenders rules and AML

Loss of entire loan amount, loss of

accreditation with lender and ongoing legal dispute, loss of

credit licence

Hindsight Review, Lenders Audits and Quality Checks and

Staff Training

Extreme (5) Yes High

Non-compliance with lenders procedures and credit policy

Loss of part of the loan amount, loss of

accreditation with lender and ongoing legal dispute, loss of

credit licence





High (4)




High

Breach of privacy actLegal action by person affected and reputation

risk

Privacy policy, privacy consents, staff training and hindsight reviews.

Monitoring of phone calls

Medium (4)

Loss of customers,

fines, impaired reputation with

lenders and referrers –

adverse social media

High

Providing Advice we are not qualified for

Legal action by person affected and reputation

riskStaff Training, Medium (4) Medium

Victim of Financial Fraud on our own account

Loss of substantial funds

Bank signing requires 2 signatures,

electronic keys used, daily bank reconciliations

Medium (4)Moderate (2)

Page 16 of 121

Withdrawal of fundingUnable to write new

loans

Two funders and mortgage broking

model in placeHigh (4) No Low

Unable to gain professional indemnity insurance cover

Loss of licenceCompliance plan and monitoring

Extreme (5) No Low

Economic Risk

Adverse Media

Data integrity Loss of business, see IT risk

Training/ monitoring

Injury or Death of key employer/employee

Loss of morale, loss of corporate history, loss

of income

OHS, Workers Comp, Key man

insuranceMedium(3) Yes Low

Employee Fraud

Lending loss, reputation risk with lender and financial

loss





Compliance plan

Employee recruitment policy

Medium/High (4)




Yes Very high

Hostile Employee

Client information

Loss of business/ reputation

Exit interview, performance

reviewsMeduim

Referrers Risk (wrong advice) Loss of reputation, financial loss

Checklists for bringing on referrers

Ongoing review of qualifications etc

Medium/high

Page 17 of 121

Business Line: Risk Number:

Category:

Risk: Risk Rating

CONTRIBUTING FACTORS(What causes the risk to happen?)

MITIGATING CONTROLS(How you avoid, transfer, reduce or manage the risk?)

MEASURE:(How you monitor to alert you to any problems?)

ACTUAL EXPERIENCES CONSEQUENCES(What are the impacts of this risk?)

Control Rating (How effective are the existing management practices?)

Consequence Rating (What is the expected impact of the risk event?)

Likelihood Rating (What is likelihood of the risk occurring?)

Residual Risk Rating

RISK TREATMENT PLAN

Agreed Risk Treatment Plans Responsible GM Responsible Officer Timing Resource

Requirements

Page 18 of 121

Section 3 – INFORMATION & TELECOMMUNICATIONS SYSTEMSLoan Works

We use a loan processing and Customer Relationship Management system called Loan Works. This system has been specifically designed to cater for the mortgage management industry and holds vital company information including:

• Settled loans, including copies of scanned documents relating to each loan• List of all of our introducers• Produces Commissions Paid Reports

We use this system to manage our business which includes tasks such as, workflows for loans being processed, managing introducers, business KPI reporting, payment and receipt of commissions, loan tracking and exception reporting.

It maintains and keeps track of our referrers, mortgage brokers and authorised credit representatives. In Loan Works, they are referred to as Introducers. The system provides us with the ability to manage our introducer by diarising activities such as renewals of the MFAA, ACL, P.I insurance, etc. (Please see Appendix A for further details).

Our IT system is simple and we obtain external support from suppliers if and when required. We have available to us the following:

Remote monitoring Scheduled maintenance On-site support if needed After hours support Consulting and project services

This system is accessed using a high speed Internet connection with the data being stored on the Loan Works server at North Sydney and we have sought a copy of their disaster recovery procedures, which appear acceptable. (See attached addendum)

Email SystemOur emails are hosted on our local server MPM-SBS located in our communications room. Using Microsoft exchange, these emails can be accessed remotely using webmail and in the case of mortgage consultants these emails can be accessed on the company provided iphones.

Stored Electronic FilesOur company documents are stored on our local server in what we call our O:/drive; this separated into a number of different categories

Storage of usernames and passwordsWe have installed software called Password Safe on each person’s local pc to store passwords that are used to access our business partner’s websites. Each user has their own password database which is stored on the U drive and only they are able to access.This process allows users to only have to remember one password. We have had this software recommended to us by the IT security department of the Adelaide Bank.

Telephone SystemWe have an Avaya PABX system which requires software to run; this software is located on our server MPM-SBS.

Page 19 of 121

Facsimile MachinesWe have 2 facsimile machines which have been configured to send incoming faxes as emails, this means our capacity to receive faxes is highly dependent on our computer network system running.

Emergency Evacuation of the PremisesWhere the premises need to be evacuated, we have fire wardens nominated and all employees are required to follow that person’s direction. The evacuation plan identifies one primary evacuation assembly point, which is Bradfield Park

Disaster Recovery PlanThis section sets out our policies and procedures for technology disaster recovery, as well as our process-level plans for recovering critical technology platforms and the telecommunications infrastructure.

The objective is to ensure information system uptime, data integrity and availability, and business continuity. We will ensure that key staff members are made aware of the disaster recovery plan and their own respective roles and that the disaster recovery plan is to be kept up to date and reviewed each year as part of our annual compliance plan review.

Key ContactsInternal DRP Contacts

Glen Spratt, Managing DirectorWork 02 9466 8230Alternate 02 9466 8220Mobile 0411 858 886Home 02 9427 1010Email [email protected]

Michael McKelvie, DirectorWork 02 9466 8213Alternate 02 9466 8220Mobile 0413 156 717Home 02 9386 0567Email [email protected]

Colin Sherry, Portfolio ManagerWork 02 9466 8225Alternate 02 9466 8220Mobile 0414 187 985Home 02 9743 6084Email [email protected]

External Contacts

Strata Property ManagerCompany: Strata ChoiceContact: Derek BrienMobile: 0416 832 045

Power CompanyCompany: AGLContact: n/aAccount No: 9355 0317Work Phone: 133 835

Mobile Phone CarrierCompany: VodafoneAccount No: 712838670Password: 1234Telephone: 135 888

Telephone SystemsCompany: Voice & Coms Solutions Pty LimitedContact: Nick CrinitiAccount No: n/aTelephone: 02 8413 3500Mobile No: 0418 413 333Email [email protected]

IT Support and SupplierCompany: DancraiContact: Brad Van Der ReestAccount No: n/aTelephone: 02 8905 1400Mobile No: 0409 309 996Emergency No: 1300 30 82 30Email [email protected]

CRM/Loan ManagementCompany: Loan WorksContact Andrew Duerden Wayne McCartneyWork: 02 9436 1311Mobile Andrew: 0403 048 757Mobile Wayne: 0438 929 635Email [email protected] [email protected]

Office Supplies Office ChoiceAccount No: MOR007Telephone: 02 9906 1383User ID: [email protected]: MOR007Email [email protected]

Insurance BrokerCompany: InterRISK AustraliaContact: Mark WinwoodWork 02 9346 8086MobileEmail:[email protected]

Site SecurityCompany: Kings SecurityContact: Sally LiljeqvistAccount NumberWork 02 9310 1888Email:[email protected]

Off-Site Storage Access RecordsAccount No: 70058Work 02 9666 7744Fax 02 9666 7944

Internet and Office Phone SupplierPrimus TelecomAccount Number 9031688 5Log in: www.iprimus.com.auUser: mortgageport_int@datacenterPassword: LtWqH5XM3Work 1300 85 66 88

AggregatorFASTAccount Number Work 02 9233 8222Mobile 0437 399 096Email [email protected]

mailto:[email protected]

http://www.iprimus.com.au/







Page 20 of 121

Adelaide BankContact: Fons CaminitiAccount Number Work 08 8220 7409MobileEmail [email protected]

AdvantedgeContact: Dom Del DucaAccount Number Work 02 9560 2794Mobile 0422 391 230Email [email protected]

Banking ANZContact: Lee PedlerTelephone: 02 9329 7200Account No/s:012 366 352274953 (MPM)012 366 110694154 (MPO)012 040 185234136 (MPM CMA)

Website Hosting CompanySimplyTelephone (02) 9929 3300Contact: Dominic ProctorMobile Telephone 0410 617 418

Safekeeping and Access to the DRPThis plan is to be uploaded to the secure section of our website where it can be accessed by any staff member using their login. This server is hosted in another location. In addition to this a hard copy of the plan will be held by the Responsible Manager at their home.

Server Backup StrategyWe backup our main Server 1, which holds all of our emails and client files.

Tapes are to be removed each night at approximately 5.00pm and taken offsite each evening and stored in separate premises. This same tape is to be returned the following morning where it is stored in a locked filing cabinet. The latest monthly backup tape is stored in a fire proof safe.

We use a rotating tape system which comprises 30 tapes in total and we save tapes as follows:

Daily Tape – daily backups using tapes that are marked Mon 1, Tues 1 etc through to Fri-4.

Monthly Tape – we use this tape for the last working business day of the month and this tape is not overwritten until the end of the following year. For example in June 2012 we use the tape marked June which would be inserted into the server on the 29th June 2012. (The 30th June was a Saturday)

We record each time a tape backup is done in a register located near the computer server so that Responsible Managers can confirm the action is taking place at regular intervals.

Using this rotation system ensures that we have daily backup but also provides a safety net so we can retrieve data at the end of any of the previous 12 months or at any point of time over the past 30 days.

Backup logs are kept and reviewed by our outsourced IT providers on a regular basis. All backup failures and restorations from a backup are noted in the log.

Information Technology (I.T) Risk AssessmentWe have considered a range of potential I.T threats and the results are included in this section. This only includes I.T related risks as other business risks are dealt with in another section of the compliance plan.

The focus is on the level of business disruption and the severity that this disruption would have on the business. We have used two main categories external and internal risks.


Page 21 of 121

External Risks Example Internal Risks ExampleNatural Disaster Flood, earthquake Data NetworkHuman Caused Terrorism, sabotage Phone systemCivil Risks Transport strikes ServerSupplier Risks Receivership of IT Computer VirusFacility Risks Power or Internet down,

building unable to be accessedData backup

Unauthorised Access

I.T Risk Matrix Assessment

Description of Risk Consequences Probability Action taken Time to

RecoverRisk

Mitigation Impact

Flood

Unable to access building, potential for destruction of all files and computers. Could

be caused by fire sprinklers.

Low (1) due to being on Level 7

and office location

Enact Category A DRP plan

Over 1 month and

up to 3 months

Insurance Severe (5)

Fire

Unable to access building, potential for total destruction of all files, data and business

records fire investigations could be prolonged. Safety of

staff immediate priority.

Low (1) due to construction of building, fire

alarms, smoke detectors non-smoking policy

and proximately to Fire Station

Evacuate Building using pre-existing

plan and Enact

Category A DRP Plan

Over 3 months and

up to 24 months

Fire alarms, smoke

detectors non-smoking policy

Severe (5)

Act of Terrorism

Unable to access building, or local area, potential for total destruction of all files, data

and business records. Safety of staff immediate priority.

Low (1)

Co-operate with

authorities Evacuate

Building using pre-existing

plan and Enact

Category A DRP Plan

Over 12 months

Very Low Severe(5)

Act of sabotage a

person deliberately damages

systems or property.

Loss of data or misappropriate use of data. This could cause reputation

risk and the inability to service clients and protracted investigations by regulators and long periods of repairs.

Unlikely (2)

Enact Category A DRP plan or DRP Plan depending

upon severity

Less than 1 month but

longer term non critical disruptions

Security cameras, PIN

number access, after

hours security, building

secured after hours.

Thorough screening

conducted on all employees

Moderate (3)

Total Loss of Power

Air Conditioning would stop, telephone system would fail,

computers would fail with potential loss of data and lifts

would not work. Unable to continue to work.

Likely (4)

Divert office phone and fax to alternative number, work

form alternative

location until restored.

Less than 1 day provided

power is only lost for minor period

of time

Pay power bills and used

a power interruption device on

server

Minor (1)

Loss Of Office Phones -

Interruption to business, unable to effectively

communicate with customers and suppliers

Likely (4)

Contact to be made using

company mobile

phones, message to be placed on our

line by Telephone

carrier

Less than 1 day provided phones are only lost for minor period

of time

Pay power bills on time and engage

reliable phone service

technician

Minor (1)

Loss of Data Systems /

Virus

Interruption to business, unable to effectively

communicate with customers and suppliers, downtime for

Likely (4) Contact Dancrai, Revert to using our

Less than 7 days

Moderate, we have access

to local servers and off

Minor (1)

Page 22 of 121

staff and unable to meet service standards

paper based files, consider

using alternative

locations and consider DRP

Plan B

site servers and employ

virus software and computer

backups.

Computer / Data Supplier fails to provide

service

Unable to assist in the data recovery Unlikely (2)

Seek alternative supplier

Less than 7 days

Keep records of systems

and maintain and monitor

relationships.

Minor (1)

What Triggers the Disaster Recovery Plan (DRP)?The disaster recovery plan describes what action we will take given a certain set of circumstances and who is responsible for managing the DRP.

We have categorised events into two major sections the first is Category A and is for major disasters that would take a long time to recover from and have a major effect on the business, while category B would be for events that have a lower impact on the business and may only affect a small part of our operations or last less than one day.

Key trigger issues at office premises that would lead to activation of the DRP are listed above:

Category A - Critical Total loss of power Flooding of the premises Loss of the building Fire Act of terrorism

Category B - Moderate Total loss of all communications Evacuation of the building Bomb Scare Break and Enter

Notification of an IncidentWhen an incident occurs the person who has identified the issue should immediately refer the incident to any one of the Internal DRP Contacts (IDRP) and any one of these people are authorised to decide to what extent any DRP must be invoked.

Responsibilities of the IDRP Respond immediately to the incident and if required call emergency services (000)

and ensure staff safety Assess the extent of the disaster and its impact on the business, data centre, etc; Decide which elements of the DRP should be activated; Establish and manage employees to maintain vital services and return to normal

operation; Ensure employees are notified and allocated responsibilities and activities as

required.

IDRP Team ObjectivesThe team will be contacted and their responsibilities include:

Page 23 of 121

Establish facilities for an emergency level of service within 2.0 business hours; Restore key services within 4.0 business hours of the incident; Recover to business as usual within 8.0 to 24 hours after the incident; Communicate with staff, affected clients, referrers and other business partners Coordinate activities with disaster recovery team, first responders, etc.

Emergency Alert, Escalation and DRP ActivationThe IDRP will rely principally on key members of management and staff who will provide the technical and management skills necessary to achieve a smooth technology and business recovery.

Contact with EmployeesManagers will serve as the focal points for their departments, while designated employees will call other employees to discuss the crisis/disaster and the company’s immediate plans. Employees who cannot reach staff on their call list are advised to call the staff member’s emergency contact to relay information on the disaster.

Contact with our borrowers and referrersThe IDRP will take action to notify customers that are affected by the incident, if the incident is likely to affect them for a period of more than 24 hours. This will include:

Asking our website hosting company to make an announcement on our website Sending an email to all customers and referrers who have subscribed to our email

database Asking employees to call customers who have lodged an application that has not

settled but is in process ( this data may need be be recovered from their calendars or server backup, or iphones)

Ask our telephone provider to divert calls to another number or to a call centre

UpdatesFor the latest information on the disaster and the company’s response, staff members can call their reporting line manager for information on the nature of the disaster, assembly sites, and updates on work resumption.

Work ContinuationIf necessary, employees will work from home and continue business as usual until the office premises is re-established. Our daily business processes are conducted via web based applications which all employees can access by using their secure usernames and passwords.

Personnel and Family NotificationIf the incident has resulted in a situation which would cause concern to an employee’s immediate family such as hospitalisation of injured persons, it will be necessary to notify their immediate family members quickly.

Media ContactOnly a Responsible Manager is to coordinate with the media in the event of a disaster.

Insurance

Page 24 of 121

As part of the company’s disaster recovery and business continuity strategies a number of insurance policies have been put in place. These include workers compensation, professional indemnity, contents insurance and business interruption.

If insurance-related assistance is required following an emergency out of normal business hours, please contact: Mark Winwood on 02 9346 8086.

Insurance Summary

Policy Type Insurer Sum Insured Renewable Date Policy Number Contact

PersonContact Number

Professional Indemnity Nova $ 16/10/2013 190527 Mark

Winwood (02) 8251 0000

Fire and Peril (Contents) Business

InterruptionPublic Liability

CGU $ 30/09/2013 SYBP00026371 Mark Winwood (02) 9346 8086

Workers Compensation

Employers Mutual $ NSW 09/10/2013

QLD 13/02/201420W0109897122WAD130212514

Financial and Legal Considerations

Financial AssessmentThe emergency response team shall prepare an initial assessment of the impact of the incident on the financial affairs of the company. The assessment should include:

• Loss of financial documents• Loss of revenue• Theft of cheque books, credit cards, etc.• Loss of cash• Loss of clients files and personal information

Financial RequirementsThe immediate financial needs of the company must be addressed. These can include:

• Cash flow position• Temporary borrowing capability• Upcoming payments for taxes, payroll, commissions, taxes, etc.• Availability of credit cards to pay for supplies and services required post disaster• Insurance policy claims

Legal ActionsThe company management will review the aftermath of the incident and take advice on whether there may be legal actions resulting from the event; in particular, the possibility of claims by or against the company for regulatory violations, etc.

DRP ReviewsWe simulate a DRP exercise whenever it is thought appropriate by the Responsible Managers; this is expected to be when there have been significant staff changes or when a refresher exercise is thought appropriate due to the lapse of time.

Plan exercising ensures that emergency teams are familiar with their assignments and, more importantly, are confident in their capabilities.

Page 25 of 121

Appendix A – Disaster Checklists

Disaster action checklist

1. Plan Initiationa. Notify senior managementb. Contact and set up disaster recovery teamc. Determine degree of disasterd. Implement proper application recovery plan dependent on extent of disastere. Monitor progressf. Contact all necessary personnel both user and data processing and establish

schedulesg. Contact vendors--both hardware and softwareh. Notify users of the disruption of service

2. Follow-Up Checklista. Review the entire DRP b. List teams and tasks of eachc. Create temporary office if requiredd. List all personnel and their telephone numberse. Establish user participation planf. Set up the delivery and the receipt of mailg. Rent or purchase equipment, as neededh. Determine applications to be run and in what sequencei. Identify number of workstations neededj. Check out any off-line equipment needs for each applicationk. Check on forms needed for each applicationl. Set up primary vendors for assistance with problems incurred during emergencym. Check for additional magnetic tapes, if requiredn. Take copies of system and operational documentation and procedural manualso. Ensure that all personnel involved know their tasksp. Notify insurance companies

Page 26 of 121

1. Disaster Recovery Plan for Server (provide copy to Dancrai)

System Details

System Name: mpm-sbs.mortgageport.loc

OVERVIEW: Physical system for SBS 2008 – FSMO, Exchange 2007, Backup, File, DNS, DHCP

PRODUCTION SERVER Location: Communications Room

Server Model: Dell PowerEdge R710Operating System: Windows SBS 2008CPUs: Intel (R) Quad Core E5530 Xeon(R) CPU, 2.40 GHz, 8M CacheMemory: 12GB Memory (3x4GB) 133MHz Dual Ranked RDIMMsTotal Disk: 2 x 146 (15k SAS); 4 x 450(15k) SASService Tag: 2z9p62sSystem Serial #: 6486171652Gateway: 10.1.1.254IP Address: 10.1.1.5Other: DRAC 10.1.1.6Purchase Date: 13/09/2010Warranty Date: 13/09/2013Warranty Type: 4HR (24x7), 4 hours response on-site 24x7

Key ContactDancrai

Offsite Storage Becky Wang

System Recovery ProcedureThe recovery procedure would be managed by our outsourced supplier Dancrai who hold copies of all system requirements.

Scenario 1- Total Loss of DataRestore data from previous working day from the backup tape

Scenario 2 - Total Loss of HardwareContact Dancrai to order new server, estimated delivery time is 1 week. Partially restore mission-critical data from previous working day from the backup tape to mpm-svr2 in the interim.

Page 27 of 121

2. Disaster Recovery Plan for Desktop Environment

SYSTEM: OtherOVERVIEW & EQUIPMENT: 19 Staff including 6 laptop/mobile users

APPLICATIONS IN USE:

• MS Office, Excel, Word, and Outlook• RFS – Online Banking – Adelaide Bank (private WAN linked to Adelaide Bank – requires that VPN to be established with their hardware)• Utilise the O drive for company files• Avaya phone manager – used by Client services/receptionist to manage internal phone extensionsIphones in use with Active Sync for emailDesktop Anti-Virus is ESET NOD32MYOB19.5, 3 users, data files on serverANZ Online – 1 user, internet banking

AD Domain: mortgageport.locDHCP Settings: GW 10.1.1.254DNS: 10.1.1.1, 10.1.1.4

BACKUP STRATEGYAnytime Spare desktop for immediate use if one desktop fails, otherwise we will need to contact IT provider to order several new desktops

DISASTER RECOVERY PROCEDURE

Scenario 1Total Loss of DataAny business data is saved on O drive, no business information is stored on hardware so no recovery option needed.

Scenario 2Total Loss of HWUse spare workstation but if not available order new workstation and rebuild.

Page 28 of 121

3. Disaster Recovery Plan for Firewall

SYSTEM: Cyberoam CR25iaOVERVIEW:EQUIPMENT Location: Communications Room

Model No: CR25iaSystem Serial #: C047500604-8JJOF3IP Address (internal): 10.1.1.254/24

IP Address (external): 211.26.160.155/29

Gateway: 211.26.160.153Purchase date: 18/11/2010Warranty date: 18/11/2013Web Management (internal): http://10.1.1.254:8080 (HTTP) https://10.1.1.254:10443 (HTTPS)

Web Management (external): https://211.26.160.155:10443

Key Contact is: Dancrai

Backup StrategyDaily when a change is implemented, the new configuration is backed up Monthly When a change is implemented, the new configuration is backed up

Quarterly when a change is implemented, the new configuration is backed up

DISASTER RECOVERY PROCEDURE

Scenario 1Total Loss of NetworkNone

Scenario 2Total Loss of HWIn case of hardware failure, another device could be ordered with the same configuration and loaded with the backed up configuration of the failed firewall.

Page 29 of 121

4. Disaster Recovery Plan for Voice Communications

SYSTEM: Avaya IP OfficeOVERVIEW:EQUIPMENT Location:

Communications Room

Device Type: PABXModel No.: IPO 500Network Interfaces: ISDNIP Address: 10.1.1.11KEY CONTACTS Nick Criniti – Mobile: 0418 413 333Hardware Vendor: AVAYASystem Owners: MortgageportDatabase Owner: MortgageportApplication Owners: MortgageportSoftware Vendors: AvayaOffsite Storage: FonecomNetwork Services: Primus

Backup StrategyDaily Database on mpm-svr2Monthly Database on mpm-svr2Quarterly Database on mpm-svr2

Disaster Recovery Procedure

Scenario 1Total Loss of Switch Carrier Provider to divert all calls to either Call Centre or selected mobile phones

Scenario 2Total Loss of NetworkNone

Page 30 of 121

5. IT infrastructure

Photographs of our Hardware Infrastructure

MPM-SBS server Modems for Connections Server Room (modem)

Phone Switch Board Gigaswitch Board General User Desktop

Client Services Desktop General User Desktop General User Desktop

6. Software Infrastructure

All software configurations and licences are held by Dancrai – please refer to Dancrai for further information on this list.

Page 31 of 121

Section 4 – CUSTOMER DISPUTE RESOLUTION

Internal Dispute Resolution (IDR)

As part of our licensing and compliance practices we are required to have in place an Internal Dispute Resolution Process (IDR.) We review this procedure annually to ensure it remains appropriate for our business. Our customers are informed of our dispute resolution procedure and information about the process appears on our web site.

Our appointed credit representatives are also required to have their own IDR procedure and to provide evidence of this each year upon their review.

Our complaints register is established and held on our computer server saved in O drive: /Compliance/Registers/Internal Complaints Register and is maintained by the Client Services Manager and checked annually by the compliance manager. We also have created a separate account in MYOB to keep track of any moneys refunded as a result of disputes.

It is preferable to Mortgageport that we attempt to resolve a complainants issue through our IDR process. There is a cost to us if the complaint is lodged to the Office of the Ombudsman. It is Mortgageport’s general approach to resolve issues in a friendly way that maintains positive relations with our borrowers wherever possible without compromising on our core values.

Our Internal Dispute Resolution Process

Making Customers Aware of the IDRWe make customers aware of our IDR by providing them the information in the Credit Guide which is provided to each borrower at settlement as well as publishing the information on our web site.

Methods by which a borrower can lodge a complaint

Borrowers may lodge a complaint by any of the following methods: Telephone Email to [email protected] Letter to our PO Box Speaking with any staff member who may then refer the matter to our Complaints

Officer – Gloria Lawrence

What to do when a complaint is received

Step 1 – Record the complaintAny internal complaint that we receive, by any of the above methods, is to be recorded in our IDR complains register. The register records the following information:

Date of Complaint Name of Complainant Type of Complaint Acknowledged Receipt Date Result of the Investigation


Page 32 of 121

Complainant Advised Date ( of outcome )

Step 2 – Review the complaintOnce the complaint has been registered it will be reviewed by our complaints officer who will investigate the merits of the complaint and then document the findings, provided the complaint is not against the complaints officer.

Step 3 – Decide on ActionThese written findings will be then passed onto one of Mortgageport’s Responsible Managers for a decision on what action (if any) Mortgageport should take to address the borrowers concerns.

Step 4 –Notify the Person who lodged the complaintOnce a decision has been made the borrower will be advised in writing that we have investigated their complaint and tell them what action we are taking. We will also advise them of their right to refer the complaint to our External Dispute Resolution Process if they are still unsatisfied with our decision.

If the dispute is not resolved under our internal dispute resolution process (IDR), then the complaint may be lodged to the Office of the Ombudsman as an external dispute. Before a complaint can be lodged with the Ombudsman it must first have gone through our internal dispute process.

Notifying ASIC of Complaints Register ActivityEach year we are required to formally notify ASIC and provide them with a record of complaints received as part of our annual renewal

External Dispute Resolution (EDR) membership

We are members of the Credit Ombudsmen Service Limited (COSL). Our credit representatives are also required to be members of COSL.

Mortgageport Management Pty Ltd membership number is 400245. This is renewed annually in July (see Item 2)

Page 33 of 121

Section 5 – RESPONSIBLE LENDING DISCLOSURE OBLIGATIONSIntroduction

The National Consumer Credit Protection (NCCP) was introduced in October 2011 to provide a National set of rules and regulations for the consumer credit industry.

The NCCP Act implements new compliance obligations for businesses and people who engage in credit activities and includes:

Registration with ASIC Holding an Australian Credit Licence An obligation to engage in responsible lending Membership of EDR; and Complying with the National Credit Guide

Visit the ASIC website at www.asic.gov.au for further information on these requirements.

In order to fulfil the requirement to engage in responsible lending, certain disclosure documents must to be provided to borrowers at different stages throughout the credit process. This section of the compliance plan sets out the way in which Mortgageport deals with these disclosure requirements. We have sought advice from Gadens lawyers regarding these procedures.

Overview

The general intent of this legislation is to protect consumers and to make Mortgage Mangers, lenders or other industry participants responsible for ensuring that a lending product is NOT unsuitable.

This involves a number of steps, which now places a responsibility on Credit Advisors to NOT turn a blind eye to the facts and:

Make inquiries about the borrowers financial position and objectives Make an assessment about whether a lending product is Not Unsuitable Take steps to verify the borrowers financial position Make disclosures to the borrower

Process

http://www.asic.gov.au/

Page 34 of 121

Disclosure Documents and brief summary of their use

Credit Guide 1 This is required when Mortgageport is not customer facing regardless of the loan source. Although we are not required to provide this document where we are client facing (Credit Guide 2A complies with this obligation) we are required to provide it when we act as a Mortgage Manager and are NOT Customer facing. In order to simplify our procedures we have decided to provide this with our settlement letter in every instance.

Credit Guide 2AThis is required when Mortgageport is customer facing and acting as a Mortgage Manager through our lenders Adelaide Bank, Advantedge or Firstmac.

Credit Guide 2BRequired to be used by our Appointed Credit Representative when customer facing regardless of whether providing a managed loan or a loan through another lender (FAST)

Mortgageport QuoteRequired to be used where Mortgageport charges a fee for service (eg: brokerage or arrangement fee) which would be rare. Note: The charging of an application fee or the charging of a loan establishment fee is which is noted on the credit contract is NOT regarded as charging a fee for arranging credit and therefore a quote is not required to be provided if these are the only types of fees applicable.

Proposal Disclosure DocumentRequired to set out the terms of any loan agreement. This document explains what commissions we are receiving or paying to introducers (if applicable). This document is required to be sent out to the borrower at the time we lodge an application.

From the 1st October 2013, all Product Disclosure Documents along with the relevant credit guide are to be emailed to the borrower from Loan Works by the Credit Team so that there is an audit trail available. (Note: prior to this the PDD and Credit Guide were sent via email and cc’d to Compliance mail box as proof the borrower had received them).

Definitions

What is providing Credit Assistance?A person is considered to be providing credit assistance if, in the course of or incidentally to a business, the person:

Suggests or assists a consumer to apply for a particular credit contract or a lease with a particular credit provider

Suggests or assists a consumer to apply for an increase to the credit limit of a particular credit contract or a particular credit provider

FACT FIND Includes the

Application form and other relevant

information

PRELIMINARY ASSESSMENT

Involves considering both the

Current situation and Excepted future events to make sure they are unlikely to encounter financial

hardship

VERIFICATIONIncludes verifying

borrower information and keeping records of each step in the

process

DISCLOSURE DOCUMENTATION

provide Documentation to

the borrower throughout the

process

Page 35 of 121

Suggests that the consumer remain in a particular credit contract or lease with a particular credit provider

What is Customer Facing?The term customer facing is where we are providing credit assistance – this is where a member of the Mortgageport team is dealing directly with the borrower either face to face, by telephone or email.

We are not customer facing when the customer deals with an external mortgage broker and that broker completes the application and submits it to us as the mortgage manager.

NB: If a mortgage broker refers the customer to us and we complete the application with the borrower, i.e. the broker acts as a referrer and not as a broker, Mortgageport becomes customer facing.

When are documents provided?

There are a number of circumstances where the documentation required to be provided by Mortgageport varies, these are explained below.

Types of Client Interactions

Type 1 - Mortgageport Acts as Mortgage Manager and is Customer facing

Where Mortgageport is acting as a mortgage manager (not a mortgage broker using Mortgageport Origination Pty Limited) and is customer facing. Under these circumstances we are required to provide:

Credit Guide 2A Proposal Disclosure Document (PDD) Quote (if required) Credit Guide 1 (as noted above this is not strictly required but we provide it on all loans

to simplify our processes)

Steps (Time Line) for a typical customer facing managed loan

1. Talk to borrower about a potential loan and complete a fact find to comply with responsible lending requirements.

2. Give to each borrower Proposal Disclosure Document at the time application is lodged. As noted above from 1st October 2013 this is emailed to the borrower from the Loanworks system.

3. Provide credit recommendation.

4. When ready to apply for a loan provide Credit Guide 2A to the borrower – this would typically be before but at the same time we complete the application form. This is sent with the PDD via Loanworks by the Credit Team.

5. Provide Quote (if we are charging fees) which would be rare. This must be handed over before submitting the loan application, must be signed by each borrower and dated. Each borrower must be given their own copy to keep.

Page 36 of 121

6. Provide a copy of Credit Guide 1 with the ‘welcome letter’ after loan settlement

Type 2 - Mortgageport Acts as a Mortgage Manager but is NOT Customer Facing

(E.g. Appointed Credit Representative or broker introduced business)

Where Mortgageport is acting as a Mortgage Manager and has been provided with the application from a Mortgage Broker we are only required to provide the borrower with a copy of Credit Guide 1 at the time of settlement, because we assume that the Mortgage Broker would have provided the customer with required documentation as they are deemed to be customer facing. (As mentioned in the section above we comply with this our part of our obligations by sending out Credit Guide 1 in all instances at settlement).

For an appointed credit representative the disclosure documents must be provided from the credit representative. It is Mortgageport’s responsibility to ensure that any representative complies with the credit legislation. In order to do this our credit representatives use the Meteor System to provide disclosure documents to the customer and we monitor and track this through Loanworks in the same way we do when Mortgageport is customer facing. (see Monitoring and Reporting Section - hindsight compliance review for details)

Type 3 - Mortgageport acts as a Mortgage Broker (FAST) and is Customer Facing

When we act as a mortgage broker we use our subsidiary company Mortgageport Origination Pty Limited. This company is an Appointed Credit Representative of Mortgageport Management Pty Limited.

Under these circumstances we are required to provide:

Credit Guide 2B (as a broker) Proposal Disclosure Document (PDD). Quote (if required) Credit Guide 1 (as noted above this is not strictly required but we provide it on all loans

to simplify our processes)

Steps (Time Line) for a typical customer facing brokered loan

1. Talk to borrower about a potential loan and complete a fact find to comply with responsible lending requirements

2. When ready to apply for a loan provide Credit Guide 2B to the borrower – this would typically be before but at the same time we complete the application form. This is sent with the PDD via Loanworks.

3. Provide Quote (if we are charging fees) which would be rare. This must be handed over before submitting the loan application, must be signed by each borrower and dated. Each borrower must be given their own copy to keep.

4. Give to each borrower Proposal Disclosure Document at the time application is lodged. As noted above from 1st October 2013 this is emailed to the borrower from the Loanworks system.

Page 37 of 121

Legal Advice Received Regarding Responsible Lending

Disclosure of Commissions by a Mortgage Manager

According to legal advice obtained from Gadens lawyers on the 3rd August 2012 (by email) we are exempted from disclosing commissions we are entitled to receive in this document provided we meet all of the following:

commission is worked out on the difference between the interest rate charged to the mortgage manager by the credit provider or lessor and the interest rate payable by the consumer

the mortgage manager has day to day management of a loan

the mortgage manager gives credit assistance in relation to a managed contract (ie the mortgage manager is customer facing and is not marketing through brokers)

the mortgage manager told the consumer:

o about the written management agreement; and

o that the mortgage manager is not acting for the consumer in relation to the managed contract;

the maximum cost and the maximum interest rate are published on the credit provider’s or lessor’s website [Treasury has indicated that this will be changed to the manager’s website], and

the mortgage manager cannot increase the interest rate above the interest rate published on the web site.

Proposal Disclosure Document Issuance

The following legal advice was received from Gadens on 12th November 2013 from Amy Ciolek (via email).

Timing of issuing a PDDA credit assistance provider (broker or customer facing MM) must give a Proposal Disclosure Document at the same time as providing credit assistance (NCCP s121). This would be either when the application form is being completed, or when you suggest to the borrower a particular loan with a particular lender.

It would be acceptable to give the PDD before you process the application fee.

When a PDD needs to be reissuedThe objective of a PDD is to disclose commissions and third party fees. So, there is no need to reissue the PDD when the loan terms change, although the borrower should be informed of change. As the PDD has to be given when credit assistance is given, you can’t issue another after credit assistance is given. It will no longer be a complying PDD. So a PDD should only be reissued if there is a new different credit assistance activity occurring. For example, assistance is provided in relation to a different product with the same or a different

Page 38 of 121

lender. Changes to information specified in the PDD should be advised by email or similar, but not in a replacement PDD.

We do not know when in your process LW system sends the PDD, but in general, in respect to your examples, we would think that a PDD is only issued when you first assist the borrower lodge their application form. If any of the following information changes, you should probably inform the borrower with an email or letter.

Interest rate goes down Loan value goes down Mortgageport commissions change (these are not disclosed on PDD) Interest rate increases Loan value goes up Fees change (eg. Mortgage insurance now payable) Referrer commission rate changes

You may make a commercial decision not to inform the customer if the change is in their best interest, for example, the interest rate goes down.

Additional follow up advice received 15th November 2013

Thanks for calling on Wednesday. Just to summarise the call and respond to your email, credit assistance can be defined as when you submit the loan application to the lender. Prior to this time, the borrower has not committed to going ahead with any loan, they may change their mind, or change product. Collecting the information prior to providing credit assistance can be administrative, and the information can probably be used to apply for any credit product. You said The Sales team are arguing that the credit assistance has already been given at this stage (particularly with the transfer of information to the credit team) and therefore we are not meeting our obligations. We are not sure of Mortgageport’s precise process, but if all the sales team are doing is collecting information so that the credit team can conduct a suitability assessment, the sales team are not providing credit assistance. The credit assistance cannot occur until a suitability assessment has been conducted. If the sales team are conducting the preliminary suitability assessment, and do determine that the credit is not unsuitable, then anything after that will be credit assistance. If the consultant accidently fails to disclose commission in the proposal disclosure document, the PDD breaches the NCCP. The breach should promptly be remedied by issuing a correct PDD.

Page 39 of 121

Work Flow for Issuing PDD and Credit Guide

Changes advised to customer by email or approval letter NO new PDD

Credit Team advises Sales Consultant to

amend PDD

PDD IncorrectPDD Correct

Credit team emails the PDD and credit Guide to the customer via LW

Meteor sends an email to Processing inbox with PDF file

attached

Processing upload PDF file containing PDD and Credit guide

into LW

Sales consultant hits CREATE button in Meteor

Sales consultant completes PDD and Credit Guide in Meteor

Credit team reviews PDD to ensure details are correct

Loan product changes with the same or different borrower

Information changes in respect of the loan (refer legal advice for examples)

Page 40 of 121

Mortgageport Management Pty Limited ACN 082 733 679Level 7, 68 Alfred Street, Milsons Point NSW 2061

Credit Guide 1 (Template)

Welcome to Mortgageport. We are one of Australia’s leading and longest operating mortgage managers. We provide specially designed finance for our customers. We are a member of the MFAA (Mortgage and Finance Association of Australia), Australia’s peak industry body for the mortgage and finance industry.

We are licensed to arrange loans and leases under the National Consumer Credit Protection Act 2009 (NCCP Act). The NCCP Act regulates the activity of lending, leasing, and finance broking. Our Australian Credit Licence number is 386360.

We will be managing the loan you have taken out. You should contact us about your loan, including issues relating to repayments.

Our internal dispute resolution schemeWe hope you are satisfied with our services. If you have any complaints regarding our conduct you should notify us by contacting our Complaints Officer by:

telephoning (02) 9466 8200 e-mailing [email protected] writing to PO Box 51, Milsons Point NSW 1565 speaking to any representative of our business who will refer you to the Complaints

Officer, details of whom are shown above.

You should explain the details of your complaint as clearly as you can. You may do this verbally or in writing.

When we receive a complaint, we will attempt to resolve it promptly. We hope that in this way we will stop any unnecessary and inappropriate escalation of minor complaints.

Our external dispute resolution schemeIf we do not reach agreement on your complaint, you may refer the complaint to an ASIC Approved External Dispute Resolution (EDR) Scheme. Our external dispute resolution provider is COSL (Credit Ombudsman Services Limited) phone 1800 138 422, www.cosl.com.au. External dispute resolution is a free service established to provide you with an independent mechanism to resolve specific complaints. You can request further details about our dispute resolution procedures and obtain details of our privacy policy.

Questions?If you have any questions about this credit guide or anything else about our services, just ask at any time. We’re here to help you.

http://www.cosl.com.au/

Page 41 of 121

Credit Guide 2A Template

Saved as a pdf: O:\APPLICATION FORMS\Credit Guides

Page 42 of 121

Credit Guide 2B (Template)

[INSERT CREDIT REPRESENTATIVE’S NAME AND ACN][INSERT ADDRESS]Phone: 02 9466 8200 E-mail: [email protected] Representative Number XXX

CREDIT GUIDE

Thank you for contacting [INSERT CREDIT REP NAME]

[INSERT CREDIT REP NAME] is a credit representative of Mortgageport Management Pty Limited ACN 082 733 679 Australian Credit Licence number is 386360. Mortgageport Management structures, markets and manages the Mortgageport range of loans and also arranges loans from third party funders.

As a credit representative, we are authorised to arrange loans and leases under the National Consumer Credit Protection Act 2009. The NCCP Act regulates the activity of lending, leasing, and finance broking.

We will need information from you

Under the NCCP Act, we are obliged to ensure that any loan or principal increase to a loan we help you to obtain is not unsuitable for you. To decide this, we may need to ask you some questions in order to assess whether the loan is not unsuitable. The law requires us to:

make reasonable inquiries about your requirements and objectives;

make reasonable inquiries about your financial situation;

take reasonable steps to verify that financial situation.

Credit will be unsuitable if at the time of the assessment, it is likely that at the time the credit is provided:

you could not pay or could only pay with substantial hardship;

the credit will not meet your requirements and objectives.

For example, if you can only repay by selling your principal place of residence, it is presumed that the loan will cause substantial hardship unless the contrary is proved. For this reason we must ask you to provide a significant amount of information. It is therefore very important that the information you provide us is accurate.

We must provide you with a copy of our preliminary credit assessment of your application if you ask within 7 years of when we assist you. We are only required to give you a copy of the credit assessment if we give you credit assistance.

Page 43 of 121

If we arrange a loan for you to purchase or refinance real estate, remember you must make your own enquiries about the value of the real estate and its potential for future growth. Although we may obtain a valuation, that is for our own use and you should not rely on it.

Fees payable by youWe usually do not charge you for our services because we are paid commission by the financier. However, you may need to pay the financier’s application fee, valuation fees, and other fees.

Commissions received by usWe may receive commissions or management fees from the lenders who provide finance for you as our customers. These fees may be shared between Mortgageport and the credit representative. These are not fees payable by you. You may obtain from us information about a reasonable estimate of those commissions and how the commission is worked out.We have a volume bonus arrangement in place with under which those financiers may pay us additional commission depending on the total volume of business we arrange with them.

Commissions payable by us We source referrals from a broad range of sources. For example, we may pay fees to call centre companies, real estate agents, accountants, or lawyers for referring you to us. These referral fees are generally small amounts and accord with usual business practice. These are not fees payable by you. You may, on request, obtain a reasonable estimate of those commissions and how the commission is worked out.

Our internal dispute resolution schemeWe hope you are delighted with our services, but if you have any complaints you should notify us by contacting our Complaints Officer by:telephoning (02) 9466 8200e-mailing [email protected] to PO Box 51, Milsons Point NSW 1565or by speaking to any representative of our business who will refer you to the Complaints Officer.

You should explain the details of your complaint as clearly as you can. You may do this verbally or in writing.

When we receive a complaint, we will attempt to resolve it promptly. We hope that in this way we will stop any unnecessary and inappropriate escalation of minor complaints. Our external dispute resolution scheme

If we do not reach agreement on your complaint, you may refer the complaint to an ASIC Approved External Dispute Resolution (EDR) Scheme. Our external dispute resolution provider is COSL (Credit Ombudsman Services Limited) phone 1800 138 422, www.cosl.com.au. External dispute resolution is a free service established to provide you with an independent mechanism to resolve specific complaints. You can obtain further details about our dispute resolution procedures and obtain details of our privacy policy on request.

Things you should knowWe don’t make any promises about the value of any property you finance with us or its future prospects. You should always rely on your own enquiries.

http://www.cosl.com.au/

Page 44 of 121

We don’t provide legal or financial advice. It is important you understand your legal obligations under the loan, and the financial consequences. If you have any doubts, you should obtain independent legal and financial advice before you enter any loan contract.

Questions?If you have any questions about this credit guide or anything else about our services, just ask at any time. We’re here to help you.

Page 45 of 121

Proposal Disclosure Document

Page 46 of 121

Page 47 of 121

Section 6 - CHECK LISTS AND ADDENDUMS

Item 1 - Credit licence

This is a copy of our credit licence and the conditions; this is stored as an image on our server with the original document displayed in our reception area.

Page 48 of 121

Item 2 – Copy of our EDR Membership

Page 49 of 121

Item 3 - Compliance Summary Checklist

This is an overview document and a reminder to the Directors to check that Responsible Managers are discharging their responsibilities correctly. It is provided each month to the Company Directors with the financial statements and KPI’s. It is saved on our server path o:/compliance/checklist

Compliance Summary ChecklistCO

MPLIANCE SUM

MARY REG

ISTER

Review PeriodNext Due Date

Date Last Completed

Next Due DateDate Last Com

pletedNext Due Date

Date Last Completed

COM

PANY LODG

EMENTS

Annual Tax ReturnAnnually

31-Mar-14

14-Dec-12

31-Mar-14

14-Dec-12

31-Mar-14

14-Dec-12

ASIC Annual Company Return

Annually26-M

ay-131-Jun-12

7-Jul-1323-Jul-12

30-Jun-1317-Jul-12

Australian Credit LicenceAnnually

6-Dec-13

16-Jan-13

BAS Q

uarterly returnQ

uarterly28-Feb-13

25-Oct-12

28-Feb-1325-O

ct-1228-Feb-13

25-Oct-12

Change of Address of Companies

As Required

28 Days

28 Days

28 Days

Change of company nam

eAs R

equired14 D

ays14 D

ays14 D

aysChange of Details of O

fficersAs R

equired28 D

ays28 D

ays28 D

aysChange to Share Structure

As Required

28 Days

28 Days

28 Days

Days of Notice to Annual General M

eetingsAnnually

1-Aug-13-

--

-FBT Annual Return

Annually21-M

ay-1321-M

ay-12

Final Dividend Declared

AnnuallyIs this needed

Payroll Tax Annual Reconciliation

Annually21-Jul-13

23-Jul-12Statutory Accounts

Annually1-O

ct-1314-D

ec-121-O

ct-1314-D

ec-121-O

ct-1314-D

ec-12

MANAG

EMEN

T REVIEW

S

Car Park LevyAnnually

before 1/9/20131-Sep-12

Company Budgets

Annually31-M

ay-1329-Nov-11

Human Resources M

anual ReviewAnnually

31-Jan-1301-Nov-12

IDR Register ReviewAnnually

6-Dec-13

14-Dec-12

Monthly Accounts

Monthly

15th of each month

15-Nov-1215th of each m

onth15-Nov-12

15th of each month

15-Nov-12M

onthly Financials and KPI's

Monthly

3rd Thurs of every month




3rd Thurs of every month3rd Thurs of every m

onthO

ccupational Health and Safety (Internal Review)Annually

Sept of each year18-O

ct-11Sept of each year

18-Oct-11

Sept of each year18-O

ct-11Staff Perform

ance ReviewsSem

i- Annually31-M

ar-1301-Sep-12

Training RegisterQ

uarterly31-M

ar-1331-D

ec-12

INSURANCE REVIEWS

Business General Insurance

Annually30-Sep-13

1-Oct-12

30-Sep-131-O

ct-1230-Sep-13

1-Oct-12

Key Man Insurance (G

len Spratt)Annually

15-Feb-1315-Feb-12

Managem

ent Liability InsuranceAnnually

08-Oct-13

9-Oct-12

8-Oct-13

9-Oct-12

8-Oct-13

9-Oct-12

Pofessional Indemnity Insurance

Annually16-O

ct-1316-O

ct-1216-O

ct-1316-O

ct-1216-O

ct-1316-O

ct-12W

orkers Compensation - NSW

Annually01-Jul-13

9-Oct-12

Workers Com

pensation - QLD

Annually01-Jul-13

13-Feb-13

COM

PLIANCE REVIEWS

Appointed Credit Representative ReviewSem

i- Annually30-Jun-13

16-Jan-13Breach Register Review

Annually30-Jun-13

16-Jan-13Brokers Review

Semi- Annually

30-Jun-1316-Jan-13

30-Jun-13Com

pliance Plan ReviewAnnually

31-Jan-1430-Jan-13

COSL Renewal

Annually30-Jun-13

30-Jun-1222-Jul-13

22-Jul-1220-Jun-13

20-Jun-12Disaster Recovery Plan review

Annually31-Jan-14

16-Jan-13Hindsight File Com

pliance ReviewQ

uarterly31-Jul-12

27-Jul-12M

FAA RenewalAnnually

30/08/201331-Aug-12

NCCP Compliance Review

Semi- Annually

31-Jul-13In progress

Privacy Policy ReviewAnnually

31-Jan-14R

eviewing w

ith Gadens

MP M

ortgages Pty LtdM

ortgageport Managem

ent Pty LtdM

ortgageport Origination Pty Ltd

Task

Page 50 of 121

Item 4 – NCCP Compliance Checklist

This checklist is used every 6 months for the Responsible Managers to confirm we are complying with our credit licence requirements. Once completed the form is saved on our server.

Path: o:compliance/compliance plan/NCCP Compliance Checklist

Item Comments Date Completed

1) Is our licence appropriate to our Business activities?a) Has there been any change to our business

activities since the last review date?2) Is the Compliance Plan up-to-date and saved on the

Mortgageport website?a) Does the plan correctly list the fit and proper

people in the business?3) Have appropriate checks been carried out before

hiring key people (responsible manager or mortgage consultant) and do we review these checks from time to time?

Checks includei) Educational qualificationsii) Previous employers referencesiii) Police Check (not more than 12 months old)iv) Credit history report (not more than 3

months old)v) No conflict of interest declared (signed

annually)vi) No disqualification/problems in the last 10

years or an adequate explanation obtained4) Have credit representatives complied with credit

legislation including:a) COSL renewedb) PI Insurancec) MFAA membership or equivalentd) Adequate training completed and monitored

5) Has the training register been maintained for all representatives (employees and reps)?

6) Have Hindsight compliance reviews been carried out and breach register maintained and reviewed by a responsible manager?

7) Has the IDR scheme been reviewed and register of disputes maintained?a) Has a responsible manager reviewed the

register and how disputes have been resolved?8) EDR Membership renewed?9) Professional indemnity insurance maintained and

renewed?10) Do we have a process for ensuring we deal only

with licensees or credit representatives in relation to credit activities?

Page 51 of 121

11) ASIC reporting – have we ensured that all changes have been reported to ASIC as required?a) Appointment of or changes to credit

representatives (28 days)b) Lodgement of Annual compliance certificate

(ACL) within 45 days of anniversary of the grant of licence

12) Have our Credit representatives been properly appointed?a) Relevant checklist used for all appointments

13) Have our Mortgage Brokers been properly appointed?a) Relevant checklist used for all appointmentsb) Signed origination agreement on file

14) Does the business have adequate resources?a) Monthly financial resourcesb) ITc) Human resources

15) Are processes in place to retain records (other than financial) for 7 years?

16) Are procedures in place to ensure compliance with responsible lending requirements (ie. Not make unsuitable loans)?

17) Are procedures in place to ensure we comply with disclosure requirements when writing loans?a) Credit Guideb) Proposal disclosure documentc) Quote

18) Have we included our ACL number on all necessary correspondence?a) Responsible lending disclosure documentsb) Print adverts that relate to the provision of

regulated creditc) Documents required to be created by a

provision of the NCCPd) Documents lodged with ASIC that relate to the

provision of credit

Reviewed by …………………………………………

Signed ………………………………………………. Date………………..

Page 52 of 121

Item 5 – Hindsight Compliance Review ChecklistHindsight Compliance Review Check List

Date of Compliance Review

File No. (Dealing No.)

File Surname

Mortgage Consultant (Sales Consultant)

Credit Assessor (Owner)

Referrer Name

Referrer Category

Documents Reviewed Yes/No Follow Up / Comments

Section One - NCCP ComplianceFact Find(Filename: FF Surname XX & XX MMYY)Preliminary Assessment Form(Filename: PAF Surname XX & XX MMYY)Proposal Disclosure Document(Filename: PDS Surname XX & XX MMYY)Correct Credit Guide Issued(Filename: CG Surname XX & XX MMYY)Application Form & Privacy Act Signed(Filename: AF Surname XX & XX MMYY)Conflict of Interest Declared (if applicable)(Filename: COI Surname XX & XX MMYY)

Section Two – Credit File100 point ID properly executed(Filename: 100PT Surname XX & XX MMYY)

Loan Contract(Filename: LC Surname XX & XX MMYY)Valuation(Filename: VAL Surname XX & XX MMYY)

Section Three – OtherCorrect Calculation of Commission ReceivedCorrect Calculation of Commission PaidReferral /Broker/Credit Rep agreement in placeCommission Payable Disclosed in PDSOn Boarding Procedures Followed

I confirm that I conducted a hindsight audit of this file and the above observations were made and that my audit was not influenced by any other employee, referrer, Company Director of related party.

Signed…………………………

Page 53 of 121

Item 6- Compliance with other Credit Laws

This checklist is used each year in late January to confirm that a Responsible Manager has reviewed the below

ITEM STATUS

Privacy Act Rules for retaining information Rules for release of information Privacy consent for our own use

Is privacy policy up to date?

Ensure comparison rate disclosure in advertisements?

Ensure no unfair contract terms in our documents?

Compliance with MFAA Code of Practice?

Do we comply with ‘door to door sales’ legislation?

Do we undertake any activities for which an AFSL is required?

Are our AML/CTF(Anti-Money Laundering and Counter Terrorism Financing Rules) procedures appropriate?

I......................................................................confirm that I have completed this checklist honestly and completely with the information I had available to me.

................................................................................ / /Signature

Countersigned by Director................................................................................ / /

Page 54 of 121

Item 7 - Appointment of an Authorised Credit Representative ChecklistThis document is saved in O/Compliance/

Page 55 of 121

Page 56 of 121

Item 8 - Mortgage Broker Accreditation ChecklistThis document is saved in O/Compliance/

Page 57 of 121

Page 58 of 121

Item 9 – Referrer Checklist

Page 59 of 121

1Item 10 - Appendix A – Loanworks Introducer Module

When an Introducer (regardless of whether they are a referrer, broker or authorised representative) has agreed to introduce loans to Mortgageport, we need to enter their details via the Introducer module on Loanworks. Only certain authorised Mortgageport employees have access to the introducer module (i.e., finance/accounting and the administrator) to maintain the integrity of the data.The following information must be added:

Introducer Details – the entities full name that we have a contract withContact Details – the primary contact person for the IntroducerPersonal Details* (*indicates not mandatory)General Details Introducer Group (these are grouped by the state they are in)Introducer Status (active or inactive, a pre-determined date can be set for when they will be active or inactive)Business AddressPostal AddressIndustry Membership Details +ASIC Registration Details +AML Accreditation Details +Certificate IV Details +Insurance DetailsGeneral Accreditation DetailsExternal Dispute Resolution Scheme +Banking DetailsAccount Code DetailsWeb Broker Details +Commission Details

On the left hand side of the screen we have a sub-menu consisting of ‘Details’, ‘Notes’ and ‘Attachments’.

+ indicates not required for referrers of business ( a referrer is someone who does not give credit advice – eg: an accountant who refers their client to Mortgageport)

1

Page 60 of 121

Once we have entered in all the relevant details for the new introducer, we can click on the ‘Notes’ button which will bring us to this screen.

To make sure that we are aware of the anniversary dates of renewals we can ‘Add new introducer note’ where we can set email reminders to a nominated person in finance/accounting. This person will follow up on the renewal and make sure that we obtain an up-to-date certificate or renewal information and update the record accordingly on LoanWorks.

Page 61 of 121

We can also upload copies of their certificates for our records and for ease of access onto LoanWorks. We do this by clicking on ‘Attachments’ on the left hand side sub menu.

Page 62 of 121

Item 11 - Appointment of Company Credit Representative Agreement

APPOINTMENT OF CREDIT REPRESENTATIVES - COMPANIES

Under this document we appoint your company as our credit representative.

You should check all the information in this document is correct, have it fully signed, retain a copy, and return it to us. We will notify ASIC of the appointments.

Information Schedule

Our details (us/we): [NAME] [ADDRESS] [ACN] [REGO/LICENCE NUMBER]

Your details (you): [NAME] [ADDRESS] [ACN] [CREDIT REP NUMBER]

EDR Scheme: Membership number:

PI Insurer: [if covered by licensee’s insurance insert “N/A – covered by licensee’s policy”] Policy No:

Amount of cover: Expiry date:

Loan writers who areDirectors: [NAME] [ADDRESS]

Employees: [NAME] [ADDRESS]

1. Appointment of you as our credit representativeWe hereby appoint you to engage in the credit activities specified in Schedule 1 on our behalf. You accept this appointment and agree to the terms of this document by signing and returning this document. Your appointment commences on a date we notify you after we have received this document which has been signed by you, any other credit representatives, and any guarantors. We may terminate or amend your appointment at any time.

2. Information about you

You and each Delegate represent and warrant to us that you:

are not subject to a banning order or disqualification order in relation to any credit activities

are a member of the ASIC approved EDR scheme specified in the Information Schedule

are not banned from engaging in a credit activity under a law of the state or territory

if a company, none of your directors, secretaries, employees or senior managers who perform duties in relation to the credit activities are subject to any order under the Crimes (Criminal Organisations Control) Act 2009 (NSW) or the Serious and Organised Crime (Control) Act 2008 (SA)

Page 63 of 121

are not registered, licensed, or appointed (other than pursuant to this document) as a credit representative under the National Consumer Credit Protection Act 2009 Cth).

3. Conduct as a credit representative

You:

must conduct business as our credit representative in accordance with procedures specified by us from time to time

upon our request, must provide any information or documents requested by us regarding activities as our credit representative

are liable for any breach of any law including the National Consumer Credit Protection Act 2009 (Cth) arising from your or your conduct or inaction

must not accept appointment as a credit representative of any other licensee or obtain an Australian Credit Licence without our prior written consent

acknowledge that the appointment as our credit representative does not make you our employee or general agent

acknowledge that as our credit representative you will provide services to our panel lenders and other members of the public as authorised by us from time to time

authorise us to lodge any returns at ASIC regarding your apppointment, termination, change to particulars, or otherwise connected with any appointment as our credit representative.

4. Claims and breaches

You must promptly inform us of:

any claim that is made or threatened against you; and

any breach of any law, including in particular the National Consumer Credit Protection Act 2009 (Cth)

in respect of the conduct of your business as our credit representative.

5. PI insurance

If the Information Schedule indicates that you are to take out professional indemnity insurance:

you warrant that the insurance details specified in the Information Schedule are correct

you must maintain the professional indemnity insurance for six years after you cease to be our credit representative

Page 64 of 121

you must not change the terms of the professional indemnity insurance without our prior written consent.

6. EDR membership

You must maintain membership of the ASIC external dispute resolution scheme specified in the Information Schedule (if any) throughout the term of appointment as our credit representative and for at least one year after termination of appointment.

7. Notification of change

You must inform us promptly and in any event within two business days of any change to your name or business address.

8. Indemnity

You hereby indemnify us on a continuing basis against all or any actions, suits, claims, demands, losses, damages, liabilities, costs and extensions of any nature (including without limitation civil and criminal penalties) suffered or incurred by us at any time actually or contingently arising directly or indirectly out of your conduct as our credit representative. This indemnity continues despite the termination of your appointment as our credit representative.

9. Additional obligations

The obligations set out in this appointment are in addition to any obligations arising under any other documents or arrangements between us. For example, if there is an origination agreement between us, the obligations in this document are in addition to those set out in the origination agreement.

Signed on behalf of LICENSEE:

Date Authorised officer

Print name

Signed on behalf of BROKER COMPANY:

Secretary/Director Director

Print name Print name

Page 65 of 121

Schedule 1 – Authorised credit activitiesYou are authorised to provide credit services as defined in s 7 of the National Consumer Credit Protection Act 2009 (Cth).

Page 66 of 121

Item 12 - Appointment of Credit Representatives under the NCCP Act

Updated 30 August 2011

A business which is registered or licensed under the NCCP Act can start appointing credit representatives straight away. .Representatives of licenseesDirectors and employees (but not secretaries) of licensees are automatically representatives authorised to undertake credit activities on behalf of the licensee. There is no need for any further formal appointment or notification to ASIC.For the technically minded, this derives from s29(3) NCCP Act, which provides that employees or directors of a licensee or a related corporation of the licensee don’t need a licence to act on behalf of the licensee.Appointment of credit representativesHowever, when a company is appointed as a credit representative, the directors, and employees of the credit representative company are not authorised to conduct credit activities. Licensees will need to appoint both the company and its loan writers. This differs from the AFSL regime where normally only the natural person advisers are appointed. This is because the NCCP Act requires ‘intermediaries’ to be licensed or be appointed as credit reps as well as the person undertaking the work.Directors, employees, and any subcontractors of a credit representative company need to be sub-authorised by the corporate credit representative. The corporate credit representative requires consent from the licensee to do this. Only natural persons can be sub-authorised. The sub-authorised credit representatives become credit representatives of the licensee and not of the credit representative.If a subcontractor loan writer of the credit representative operates through a company, the licensee will need to appoint the corporate subcontractor directly, as credit representatives can’t sub-authorise companies.Instead of the credit representative sub-authorising its directors, employees, and any subcontractors, a licensee could appoint those people directly. Licensees may prefer to keep control over the appointment of credit representatives by not consenting to any sub-authorisations and appointing all credit representatives directly.The licensee is responsible for notifying ASIC about appointments and variations to credit representatives directly appointed. However, the credit representative company is responsible for notifying ASIC of appointments and changes to sub-authorised credit representative. If a licensee wants to notify ASIC of sub-authorisations by its corporate credit representatives, the licensee will need the ASIC key of the credit representative in order to file notifications for the corporate credit representative. It’s obviously easier for licensees to use their own key and appoint credit representatives directly, but this will result in the individual credit representatives having to take out their own EDR membership because they cannot come under the membership of their company.Sub-authorised directors and employees of a credit representative company can rely on the company’s EDR membership. However, contractors who are sub-authorised will need their own EDR membership. This derives from section 65(6) of the NCCP Act, which provides that a sub-authorisation is void unless the natural person is a member of an EDR scheme. However, regulation 16 of the NCCP Regulations adds the proviso that the natural person doesn’t need to be a member of an EDR scheme if the natural person is an employee or director of the credit representative.Credit representatives (including sub-authorised credit representatives) can be covered by the licensee’s PI insurance, or effect their own insurance so long as the credit repo has given an indemnity to the licensee for the conduct of the credit rep. – see RG210.27.All this is explained diagrammatically in the diagram at the end of this article.

Page 67 of 121

What about appointment of credit representatives before a licence is granted?Once a business is registered, it can proceed with appointing credit representatives (i.e. both before and after 30 June 2010). The appointment only takes effect from 1 July 2010 when the NCCP Act commences.When the registration converts to a licence, the credit representatives appointed while registered automatically become credit representatives of the licensed business.For the technically minded, the authority for the appointment of credit representatives at any time after registration is effected appears in section 32A and s33(1) of the NCCP (Transitional and Consequential Provisions) Act.Notices of appointment can only be lodged with ASIC on 1 July 2010, and so businesses will have 15 business days from 1 July 2010 to notify ASIC of pre-1July 2010 appointments. This means that the register of credit representatives will not be ‘complete’ for some time after 1 July 2010.Notifying sub-authorisation of credit representativesMany aggregators will appoint many credit reps. ASIC have said that this can be done in batches of 200. However, in most cases brokers operate through companies. Aggregators will want to notify both the broker company and the sub-authorisation of the individual broker. Section 71 of the NCCP Act provides that the credit rep company must notify sub-authorisations. Aggregators can arrange to notify those sub-authorisations on behalf of their members.There seems no difference in the legal or commercial risk of making a direct appointment instead of a sub-authorisation but if the licensee directly appoints a credit representative company’s employees or directors, those directors and employees cannot rely on their company's EDR. .

Using the MFAA credit representative appointment documentsThere are three key situations.1. Licensee appoints Broker Company as credit representative. Company sub-

authorises loan writers who can be:

employees of Broker Company (covered by Broker Company 's EDR)

directors of Broker Company (covered by Broker Company 's EDR)

natural person contracting with Broker Company (must have own EDR).Alternatively, the licensee could appoint the employees, directors, and contractors directly instead of a sub-authorisation, but in this case all would need their own EDR membership.

2. Licensee appoints a company which is a sub-contractor of Broker Company as its credit representative. This is a direct appointment because Broker Company cannot sub-authorise companies. Sub-contractor Company can sub-authorise loan writers in the same way as para 1, namely:

employees of Sub-contractor Company (covered by Sub-contractor Company 's EDR)

directors of Sub-contractor Company (covered by Sub-contractor Company 's EDR)

natural person contractors (must have own EDR) 3. Licensee appoints a natural person as a credit representative. Individuals cannot

sub-authorise. It's better to avoid appointing individuals because of the risk of them being classified as employees.

Page 68 of 121

Note that if in case 1 the licensee directly appointed Broker Company's employees or directors, those directors and employees cannot rely on Broker Company's EDR.A separate report is available dealing with sub-authorisations by credit representatives, EDR membership, and credit representatives who are partnerships.

NATURAL PERSON (C)

Sub-origination

Direct appointment

Must be a natural person.Operates as a CR of the licensee A.

If the person is a director or employee of B, and the person has been sub-authorised by B rather than being appointed directly, the person will be covered by B’s EDR membership.

Sub-authorisation needs

Directors and employees are NOT automatically authorised. Need to be either sub-authorised by B with A’s consent, or directly appointed by the licensee A

Appointment ascredit representative

Directors and employees automatically authorised

COMPANY (D)

LICENSEE (A)

COMPANY CREDIT REPRESENTATIVE

(B)

D needs its own EDR membership. D’s directors and employees will need to be sub-authorised by D with the consent of A, or appointed as credit representatives direct by D

Page 69 of 121

Item 13 – Annual Compliance Check for an Accredited Mortgage Broker

All Accredited Brokers are listed in LoanWorks as part of our obligations under the NCCP to keep a mortgage broker register.

The checklist below is to be followed annually for a Broker on or around the date the Mortgage Broker professional indemnity Insurance is due.

All updated documents must be scanned into LW and the details in LW updated to reflect changes.

Expiry dates can be checked by running a query in LW specifying an expiry date for the PI Insurance. It is advisable to conduct this review periodically (quarterly) to identify Brokers whose review date is coming up. Item Comments Date

Done

Verify that the Mortgage Broker ACL is current ASIC search to check ACL is active Note a new review date (for 12 months time usually in line

with PI Insurance) under ASIC Registration details in LW. Put in the expiry date box even though not actually an expiry date.

Check that the PI insurance is current or has been renewed Copy of certificate of currency on file in LW

Check that MFAA membership is being maintained Copy of Membership certificate on file in LW

Check that EDR membership is current Copy of membership certificate on file in LW(Note ACL is not valid if there is no EDR membership)

Ensure a signed Origination agreement is in place Agreement must be in current format. The standard

Origination Agreement is located on the server atO:\Introducers\Brokers\Origination Agreements\Origination (Broker) Agreement Template.docx

Page 70 of 121

Item 14 – Annual Compliance Check for an Authorised Credit Representative

All Accredited Authorised Credit Representatives are listed in LoanWorks as part of our obligations under the NCCP to keep a Credit Representative register.

The checklist below is to be followed annually for a Credit Representative on or around the date the Credit Representative professional indemnity Insurance is due.

All updated documents must be scanned into LW and the details in LW updated to reflect changes.presentatives whose review date is coming up. Item Comments Date

Done

Verify that the Credit Representative appointment is still current: ASIC search to check Credit Representative number is still

active. Also check whether they have been appointed as credit representative of any other ACL holder and that we have been notified of any such change.

Note a new review date (for 12 months time usually in line with PI Insurance) under ASIC Registration details in LW. Put in the expiry date box even though not actually an expiry date.

Check that the PI insurance is current or has been renewed Copy of certificate of currency on file in LW

Check that MFAA membership is being maintained Copy of Membership certificate on file in LW

Check that EDR membership is current Copy of membership certificate on file in LW(Note Credit Representative appointment is not valid if there is no EDR membership)

Ensure a signed Origination agreement and Authorised Credit Representative document is in place

Agreements must be in current format. The standard Origination Agreement is located on the server:

O:\Introducers\Brokers\Origination Agreements\Origination (Broker) Agreement Template.docx

The standard Authorised Credit Representative Appointment document is located on the server:O:\Introducers\Credit representatives \Credit Rep Appoint-company.docx

Ensure the Credit Representative is included on our training register and is recording adequate training hours:

Mentoring hours by a responsible manager should be included here

Page 71 of 121

Item 15 – Internal Control Procedures for Loan Approval

Internal Control Procedure for Loan Approval

CREDIT VERIFICATION

SALES SUPPORT

RM Funder Valuations

Valuations

Glen SprattMichael McKelvie

Mortgage Consultants

Credit RepsMortgage Brokers

Loan Increases

Val LMI Credit

Funder

(never approve own loans)

DIRECTOR SALES

INTERNAL SALES

EXTERNAL SALES

CLIENT SERVICES

Approve

Page 72 of 121

Item 16 – Adelaide Bank Mortgage and Origination Agreement

Page 73 of 121

Page 74 of 121

Page 75 of 121

Page 76 of 121

Page 77 of 121

Page 78 of 121

Page 79 of 121

Page 80 of 121

Page 81 of 121

Page 82 of 121

Item 17 – Advantedge - Loan Origination Agreement

Page 83 of 121

Page 84 of 121

Page 85 of 121

Page 86 of 121

Page 87 of 121

Page 88 of 121

Page 89 of 121

Page 90 of 121

Page 91 of 121

Page 92 of 121

Page 93 of 121

Page 94 of 121

Page 95 of 121

Page 96 of 121

Page 97 of 121

Page 98 of 121

Page 99 of 121

Item 18 – Advantedge Deed of Variation and Consent

Page 100 of 121

Page 101 of 121

Page 102 of 121

Page 103 of 121

Page 104 of 121

Item 19 – FAST Sub-Originators Agreement

Page 105 of 121

Page 106 of 121

Page 107 of 121

Page 108 of 121

Page 109 of 121

Item 20 – Firstmac Origination Agreement

Page 110 of 121

Page 111 of 121

Page 112 of 121

Page 113 of 121

Page 114 of 121

Page 115 of 121

Page 116 of 121

Page 117 of 121

Page 118 of 121

Page 119 of 121

Page 120 of 121

Page 121 of 121