Searching court records in Australia

A subject’s legal history says a lot about their integrity and suitability

Performing any sort of counterparty due diligence requires an understanding of the “whole person” (this applies to both individuals and legal entities). In financial sector or service delivery organisations, this is referred to as a “single view of customer” and is used to manage fraud risk, credit risk and regulatory compliance.

A subject’s legal history is an important element of the ‘whole person’; without it, managers may make decisions based on incomplete or inaccurate information only to regret it later. Performing legal checks requires an understanding of Australia’s courts to develop an informed search strategy.

grey concrete court-like building
Photo by Brett Sayles on

Australia’s court structure

In Australia, legal matters can be brought under State / Territory or Commonwealth law, as well as other mechanisms (such as professional standards schemes which are expected to regulate their members). Some dispute mechanisms are industry based.

State or Territory courts:

  • Local Court, County Court, Magistrates Court – hears most criminal and summary prosecutions and minor civil matters (e.g. <100,000). 95% of criminal cases commence at this level.
  • District Court (excluding TAS, NT and the ACT) – hears appeals from Local Court, serious criminal cases (excluding murder, treason), civil matters typically <$750,000.
  • Supreme Court – hears serious civil cases >$750,000 and serious criminal cases (including murder, treason and piracy).

Commonwealth (federal) courts:

  • Federal Court – has jurisdiction over 120 plus federal Acts of Parliament.
  • Family Court – jurisdiction over all divorces and maintainence over children and spouses.
  • High Court – primary role is to interpret and enforce the Constitution, amongst functions.

The State Library of NSW provides a useful overview of Australia’s courts and tribunals.

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

Where to search court records

Most Australian jurisdictions have consolidated their legal records, making the task of searching for a record relatively easy once you know what you are looking for:

JurisdictionCivil or CriminalSourceComments
NSWBothCaseLawGenerally within 24 hours
QLDBothCaseLawGenerally within 24 hours
VICBothMultiple WebsitesVaries
TASBothDecisionsPublished on AustLII*
NTBothMultiple Websites
Federal Court
Family Court
Federal Circuit
BothFederal Law Search
Federal CourtBothJudgementsReleased within 24 hours
@ForewarnedBlog (2022). Research.

* The Australian Legal Information Institute (AustLII) is jointly operated by the UTS and UNSW law faculties and aims to pubish public legal information, including primary and secondary legal materials. AustLII is not a primary source.

NSW Caselaw advanced search interface
NSW CaseLaw – advanced search interface

Criminal Records are considered ‘sensitive information’ under the Privacy Act

Note that searching court records is different to a National Police Check (‘criminal history check’). Under the Privacy Act 1988 (Cth), an individual’s criminal record is considered a category of sensitive information.

A National Police Check is the appropriate mechanism to understand whether an individual has a criminal record (such as for workforce screening purposes or before contracting with the management team of a prospective business partner). The National Police Check process considers important factors such as Spent Convictions.

Importantly, performing a National Police Check in Australia requires the individual’s informed consent.

How do you search court records?

Public Record checks are typically performed at the early stages of any due diligence or vetting process, once you have a clear understanding of the scope and parties involved. A typical process for searching court records is as follows:

1. Identify the full legal name of all entities and individuals, including close associates and related parties.

2. Determine which databases to query and over what timeframe. The scope and your professional judgement will set the timeframe, whilst jurisdiction is dependent on what you know (or need to know) about the subject. In some cases, a negative search result (i.e. no results returned for a party name) may be all need to know. If you have no idea where they have lived or operated, search every database (you may also need to search overseas).

3. Perform the search(es) and review the results. On the first pass, I use a spreadsheet to manage my searches and put all results in one of three categories: no match, possible match, match. Matches mean there is a record involving your subject (i.e. not another party with the same name). Possible match means you need to spend more time working out whether it’s your subject or not.

4. Assess the implications of your results

Vetting or due diligence is not simply about database checks – anyone can do this. Done properly, background investigations involve identifying potential risks based on what is and is not present (but should be), before determining the implications and what to do about them.

This is where diligence becomes an art. There is nothing in a database to tell you what is missing – this comes down to professional experience, judgement and skill.

Paul Curwell (2022). REfer Chapter 8 in ‘Terrorist Diversion’

5. Identify any other leads which need to be followed up.

6. Update your working papers or case notes, including what you did, when, where and the outcome. Databases and the internet change all the time, so a record that was there five minutes ago may be different when the same search is re-performed.

person working on black laptop
Photo by EVG Kowalievska on

Primary versus Secondary Sources

Wherever possible, primary (original) sources should be used. Secondary source vendors are often more expensive, yet serve two main purposes:

  • For companies that are willing to accept the risk of a record being inaccurate, incomplete, missing or out of date, secondary sources may offer an efficient alternative which enables multiple types of searches to be performed from a single location (e.g. court records, credit ratings, company ownership, land titles) as well as the ability to automating record search and retrieval to your case management system via API.
  • For investigators, secondary sources provide a handy way of quickly identifying potential relationships, transactions or other records which can the be verified via the primary source. Some vendors offer the ability to search all fields in a record, unlike the limited search functionality often offered by primary vendors.

When it comes to secondary, sources, Caveat Emptor: (1) they are not a primary source (hence they could be incomplete or out of date), and (2) they are often a ‘black box’ in terms of search parameters, so you may not actually know what is or is not being searched (some vendors have a nasty habit of changing search functionality without informing their customers, so what worked when you undertook your diligence one week may be completely different the next).

Court Lists

Court lists are published online in most Australian jurisdictions to inform parties to a case when and where they need to be. Often, court lists are published temporarily and subsequently removed. They are not an authoritative source.

Further reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

What is Show and Shadow Manufacturing?

What is contract manufacturing?

The economics of manufacturing in the 21st century meant many factories relocated to developing countries where labour is plentiful and costs lower. To further reduce costs and focus on ‘core business’, many manufacturers (principals) outsourced production to Contract Manufacturing Organisations (CMOs). This involves standard outsourcing activities as well as winding down a principal’s factories in favour of focusing on higher value add activities such as R&D, product management, sales and marketing. Examples of industries using CMOs include pharmaceutical and electronics companies.

Contract manufacturing allows outsourcing of noncore functions
Photo by Los Muertos Crew on

Whilst use of CMOs might make commercial sense, it also introduces unique risks such as ‘shadow manufacturing’ which must be managed to maintain brand, product and supply chain integrity.

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

‘Show factories’ versus ‘shadow factories’ – what’s the difference?

Most CMOs are completely above-board and legitimate, offering excellent service and conforming to a host of certification standards and regulatory obligations. However, ‘show factories’ and ‘shadow factories’ are an exception. Show and shadow factories can be defined as follows (adapted from APEC, 2017):

  • Show factories – typically ‘impressive’ facilities which claim to manufacture a given product or component; however, this is intended to mislead (defraud) the principal seeking to contract with the show factory CMO
  • Shadow factories – manufacturing facilities which operate in the shadows, either owned by a show factory or a ‘sub-contractor’ to a show factory

Theoretically, there is nothing to say a CMO cannot become a show factory at some point during the supplier lifecycle. Examples of triggers for this transition might include management or ownership changes, local crime or corruption in the area where the factory is based, or financial distress. This highlights the importance of performing regular, ongoing supplier integrity and supplier assurance throughout the supplier lifecycle.

Shadow factories can involve forced labour
Photo by u041cu0430u0440u0438u044f u041au0430u0448u0438u043du0430 on

Shadow factories introduce a host of risks for principals

The nature of shadow factories mean they expose the principal to a wide variety of risks, some of which can materialise or persist many years after the shadow factory has been shut down or eliminated from the supply chain, such as regulatory action or litigation arising from involvement with modern slavery. Examples of these risks include:

  • Product Diversion – conforming product can be diverted, such as through overproduction using molds or trade marked materials supplied by the Principal to the show factory
  • Product Integrity – shadow factories can introduce problems with product conformance and product safety, which mean the product obtained by an end user does not meet expectations and can give rise to financial, brand, ESG and safety ramifications
  • IP and Trade Secrets theft – shadow factories might be provided with commercially valuable IP, such as trade secrets, manufacturing molds, recipes and authentic packaging. When uncontrolled, these could be used for counterfeiting, product diversion, and establishing competing businesses
  • Brand Integrity & reputation risk – companies which find shadow factories in their supply chain can be left with adverse brand and reputation damage, as well as be required to pay damages to workers who may be victims of wage theft, modern slavery, or workplace accidents
  • Modern Slavery – workers in shadow factories are often also vulnerable members of society. There is a high chance workers could be victims of modern slavery, such as bonded labour, debt bondage, or child labour
  • Occupational Health & Safety (OHS) – shadow factories often have poor safety conditions, which can give rise to deaths or dreadful workplace accidents. Shadow factory owners may bribe public officials, such as workplace inspectors, to look the other way, further impacting the welfare of factory workers
  • Environmental protection – as with OHS, a track record of environmental damage is common with shadow factories, particularly those which use hazardous chemicals or substances. The need for environmental remediation to remove legacy toxins or pollution is common when shadow factories are closed
  • Business Continuity – shadow factories run as lean as possible, and are unlikely to be able to effectively mitigate unplanned interruptions. Further, show factories might not be able to scale up quickly enough in the event something happens to the shadow factory, leaving the principal with a false sense of security and no protection against business interruptions

By their nature, shadow factories are much cheaper as they typically lack the quality management, regulatory compliance, occupational health and safety, and environmental protections found in legitimate factories. Additionally, workers in shadow factories may be victims of modern slavery, which introduces legal, ethical and integrity issues for the contracting principal, not to mention ESG risk for the principal’s lenders or investors.

Indicators of show and shadow factories

When thinking about how we can detect show and shadow factory activity it is important to remember that manufacturing is a process comprising inputs (raw materials, components) which feed production, resulting in a standardised output. Conforming products are manufactured to a consistent standard, with inputs defined by the Bill of Materials (or BOM lists the precise inputs and quantities required to produce a conforming product).

It is possible to forensically identify potential shadow factory activity
Photo by Anton Mislawsky on

The nature of manufacturing means it is possible to identify discrepancies between expected and actual inputs, production metrics, and outputs which could indicate a CMO is actually operating a ‘show’ factory and that work is being performed by elsewhere by a ‘shadow’ factory. According to APEC, indicators used to determine whether a CMO is operating a show or shadow factory include:

  • Capacity versus output calculations in relation to a given factory’s estimated production capacity
  • Recieving records which may indicate discrepancies in volumes, values, dates / times or other data points
  • Materials reconciliation – reconciling usage versus output may identify unexplained anomalies or inconsistencies
  • ‘Unavailability of packaging materials’ onsite for a given client – such as where the expected packaging materials are not physically located in the show factory (i.e.because they have been shipped to the shadow factory)
  • Maintenance records – including records showing longer than expected gaps between servicing due to inactivity
  • Production records – including staff rosters and payroll records
  • Distribution records – including vehicle logs and delivery records
  • Security access control records and vehicle access logs such as truck deliveries via a security gate)
  • Equipment usage logs – including records showing below expected machinery usage counts
  • Cleaning logs – potentially showing cleaning performed infrequently or less than planned in the show factory
  • Accountability and traceability of rejected materials or defects arising during manufacture
  • Utility usage versus manufacturing output – comparisison of electricity, gas, water usage and bills against plan

Identification of these red flags requires organisation. Prior to performing a site visit or desktop audit, auditors or investigators should have already built a spreadsheet model or similar assessment tool which outlines the expected case value for each of these indicators specific to the product, location of the factory, and other relevant contextual information. This allows auditors to focus on collecting the information necessary to provide an evidence-based assessment, as well as minimising distractions on what they need to collect or questions to ask during a site visit and enabling a laser focus on what they are seeing and hearing during the inspection.

Manufacturer Fraud Audit

To this day I can recall one of the earliest fraud audits performed in my career involving a manufacturing facility recieving government grants. I was green in those days and assigned to perform the audit alone. After spending a few hours examining the manufacturer’s books and records, something wasn’t adding up. I went into the CFO’s office asking him to explain some discrepancies, only to be asked which set of records I would like to see – the records he provided me, a set they maintained for tax purposes, or the real records!

Shocked, I left his office and called my boss, who informed the government. Suffice to say the CFO no longer worked there when I went back to continue my work the next day. However, the moral of the story for these types of audits is that you only have a limited time onsite in which to make sense of the data you are being given and take action. You need to be efficient, organised and prepared, otherwise you will miss your window of opportunity – by the time you get a chance to come back, all evidence of fraud or non-compliance will likely be destroyed.

As highlighted in this article, the involvement of shadow factories in your supply chain can introduce a host of risks, not to mention legal, ethical, safety, and brand concerns. The positive, however, is that it is possible to identify potential show and shadow factory involvement in your supply chain using data analytics. Analytics, supplemented with intelligence, can be used to target your audits or investigations towards high risk third parties, ensuring they know the right questions to ask and what to look out for during site inspections.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Theft of fuel from HMS Bulwark – a diversion case study

What happened?

This story broke in the media on 7 April 2022, with multiple articles claiming the theft of fuel from a high security Royal Navy base in the United Kingdom. According to Sky News, “the diesel was siphoned from a tanker in a heist that reportedly “ran for weeks” with most of it having been “flogged on the black market”. Some articles claim the fuel was being used to run diesel generators on HMS Bulkwark whilst it is alongside and undergoing refit.

HMS Bulkwark, Albion-class assault ship, Royal Navy, United Kindgom

Further details on the case are limited, other than the fact that the case is under invetistigation by the UK Ministry of Defence and that the alarm was drawn when a guard at the base became suspicious. Unfortunately the theft of fuel is a common occurance – as a perisable commodity which retains its value in the market, fuel is in high demand and can be readily converted to cash when diverted even in small quantities, or alternately consumed for personal use.

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

A case of diversion or shrinkage? Motive is key

The fact that fuel was stolen means this is an offence of theft, or potentially fraud depending on whether deception was used to perpetrate the crime. Given events took place on a secure military base where it is reasonable to assume you cannot simply walk in or out, it is reasonable to assume an element of deception (i.e. fraud).

Either way, whilst details are limited in the public domain it is possible to develop further insights into the crime for the purposes of building this case study. For example, we know this scam went on for weeks. According to Wikipedia, the capacity of a fuel tanker truck ranges from 20,800 to 43,900 litres. Google reveals that the average capacity of an SUV on the road is up to 70 litres.

To provide an order of magnitude, 2% of 43,900 litres is 878 litres, which equates to around 12.5 full SUV tanks. If this scam was perpetrated once a day for 7 days, we are talking about over 6,000 litres of diesel being stolen each week. With current Australian diesel costs averaging $1.95 per litre as at 14 April 2022, this equates to illicit earnings of just under AUD$12,000 per week (AUD$624,00 per annum). To be clear, there is no indication of quantum or order of magnitude in the media, so this is hypothetical and indicative only.

AA van with Jeep SUV broken down in Kensington Gardens by David Hawgood is licensed under CC-BY-SA 2.0

So does this activity equate to shrinkage or diversion?

  • Shrinkage is an accounting term used to describe when a store has fewer items in stock than in its recorded book inventory (Shopify). Shrinkage can be the result of process or quality issues, as well as theft and fraud.
  • Product Diversion refers to goods that are redirected from the manufacturer’s intended area of sale or destination to a different geography or distribution channel (Curwell)

In practice, I tend to view shrinkage as being less organised and not ‘commercial’ in scale, whereas diversion is typically more organised and more commercial in nature. Given this has been going on for weeks as well as the volume and illicit revenue estimates outlined above, I would suggest this is clearly a case of product diversion. Further, in my taxonomy of product diversion risks, this is defined as “Product stolen from distribution or supply chain“.

How can these types of product diversion events be detected generally?

Product diversion shares similarities with other frauds. According to the Association of Certified Fraud Examiners (ACFE) Occupational Fraud 2022: Report to the Nations study:

  • 42% of business frauds globally are detected via tip offs,
  • 16% through internal audit, and,
  • 12% through management review.

Interestingly, 5% of cases were detected by accident – exactly how the Royal Navy guard discovered this diversion incident.

When you know what you are looking for, the application of fraud analytics techniques means product diversion can be detected provided you have the right data and you assemble and analyse this data in a manner that will allow you to identify potential indicators of diversionary activity.

Photo by Lou00efc Manegarium on

From my understanding of the situation, there are at least four primary records that, when ‘joined‘ together, could be used to identify similar product diversion cases pertaining to oil and fuel:

  • Order records – invoices and purchase orders should state the quantity of fuel ordered and the delivery dates. Given this is a military base, there are likely to be some sort of movement records to register in advance the potential delivery.
  • Tanker truck records – records of how many tanker trucks entered the base and their capacity (this might be captured at the front security gate for emergency management reasons in case of fire).
  • Fuel transfer records – these should record how much fuel was actually delivered from the tanker to HMS Bulwark, and would likely be maintained by the driver or the fuel tanker company’s order delivery system (most likely a smart phone app). Requirements to supply these to the customer could be mandated in the contract of sale.
  • Fuel receipt records – these would be maintained by the crew of HMS Bulwark, recording all details of the delivery including fuel quality records through onsite Quality Assurance testing performed by the ship’s engineers as well as the quantity of fuel recieved.

These four datasets could be collected by customers and monitored on a proactive, ongoing basis to identify discrepancies indicative of potential product diversion using data visualisation tools such as Tableau or even Microsoft Excel. Alternately product diversion schemes such as this may also be identified during distributor audits or compliance investigations.

What other preventative and detective controls might be relevant in this scenario?

In addition to the data points outlined above, a range of other preventative and detective controls could be used to identify potential diversion. These measures may be more expensive than the ‘books and records’ approach outlined above, hence their application should be risk-based. Relevant examples include:

  • Accurate calibration of measures to calculate the volume of fuel delivered – just like petrol stations, fuel delivery measures need regular re-calibration, and in some instances may be tampered with to under- or over- deliver. There may be two such devices in this example – (1) the tanker truck and (2) HMS Bulwark.
  • Quality checks should be performed by the customer to ensure the diesel is appropriate quality and that product substitution has not occured (e.g. fuel diluted with another substance, fuel sitting on top of a heavier substance to give the appearance of conformance).
  • GPS monitoring on the tanker truck allows both the vendor and customer to monitor for unscheduled stops, which could be indicative of an accident or unscheduled delay, cargo theft (e.g. hijacking), or collusion with organised crime elements. These systems typically generate an alarm or alert in an operations centre.
  • IOT sensors may also be attached to fuel lines or guages, to confirm quality and volume of product in real-time as it is decanted from the tanker to the fuel storage tank.
  • High-value or sensitive facilities should be subject to a range of physical security measures.
  • Third parties loitering in a secure area, either pre- or post-fuel delivery, are also indicative of suspicious activity that would warrant further investigation (as allegedly occured in this case)

As you can see, the Internet of Things (IOT) and the proliferation of sensors in daily life provide excellent opportunities for detecting product diversion in near real-time.

Lessons learned – what to do about it?

Performing a thorough anti-diversion risk assessment, and then implementing appropriate detective measures to identify potential diversion incidents early, before any substantial loss is the foundation of a proactive approach to managing diverison risk. The data required for detecting this type of diversion is likely to be readily collected in most organisations, and simple tools such as a spreadsheet can help identify anomalies. Detecting diversion in your data can be easy and cost-effective when you know what to look for.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Ukraine and looming Russian sanctions – implications for supply chains

Historically, awareness of sanctions has been mixed in Australia and typically strongest in financial services and commodities. This article examines what sanctions are, who issues them, the core components of a Sanctions Compliance Program, and what the introduction of sanctions on Russia as a result of any future invation of Ukraine might mean for Australian supply chains.

Moscow, one part of Russia which will feel the pinch of international sanctions.
Photo by u0414u043cu0438u0442u0440u0438u0439 u0422u0440u0435u043fu043eu043bu on

What are sanctions?

According to HM Treasury, “sanctions are restrictions put in place to achieve a specific foreign policy or national security objective. They can (a) limit the provision of certain financial services, or (b) restrict access to financial markets, funds and economic resources”.

Each jurisdiction uses its own terminology for sanctions, but the United Kingdom categorises sanctions into three simple categories:

  • Targeted asset freezes – for individuals and entities
  • Restrictions on financial markets and services – for individuals, entities, specified groups or entire sectors including:
    • Investment bans
    • Restrictions on access to capital markets
    • Directions to cease banking relationships and activities
    • Requirements to notify or seek authorisation prior to certain payments being made or received
    • Restrictions on the provision of financial, insurance, brokering or advisory services or other financial activities
  • Directions to cease all business – specifying the type of business and applicable to a specific person, group, sector or country

As you can see, sanctions and their impact can by quite broad and far reaching. One particular challenge with sanctions lies in identifying parties who are indirectly sanctioned. This requires more sophisticated due diligence and compliance oversight to manage properly.

Photo by RANJITH AR on

Who promulgates sanctions?

The UN Security Council (UNSC) has the power to levy economic and trade sanctions however this requires consensus from the five permanent members of the UNSC, which is rare.

In addition to the UNSC, individual countries have also recognised the strategic power of sanctions, resulting in country specific legislation that impacts companies and individuals resident of, or operating in their jurisdiction that has been enacted since the use of blockades during World War One (Mulder, 2022).

Some national sanctions regimes are politically motivated, such as where foreign dissidents, human rights defenders, or the political opposition are targeted, but this sort of behaviour is typically restricted to non-democratic countries. Globally, major sanctions bodies align with the worlds main financial centres, including:

Of these, OFAC is undoubtedly the strongest in terms or reach, influence and enforcement. This is because of the United States’ position as the global financial centre, with most companies having a presence or nexus to that market (including through their bank transactions). OFAC is also an active regulator, levying substantial fines and penalties on companies worldwide. This means that OFAC can be used as the benchmark for any sanctions compliance program – if you satisfy OFAC, you will probably satisfy all other regulators as well.

As it’s global power and influence grows, the People’s Republic of China is increasingly becoming a player in relation to sanctions as highlighted in the Atlantic Council’s Global Sanctions Dashboard. China’s rise and influence in relation to sanctions will be increasingly important.

Photo by Sabel Blanco on

What should a sanctions compliance program comprise?

In 2019, the U.S. Treasury published its 12-page guidance on designing and implanting a Sanctions Compliance Program in a document entitled “A Framework for OFAC Compliance Commitments”. OFAC expects regulated entities to undertake at least five core elements in their compliance program:

  • Management Commitment
  • Risk Assessment
  • Internal Controls
  • Testing and Auditing
  • Training

On face value, these elements are much like any other risk or compliance program we would expect to see. However, with sanctions the devil lies in the detail and particularly the complexity of the various regimes. This post is not intended to be a detailed overview of sanctions compliance, rather to provide context for the following discussion on what this means for supply chains.

If your sanctions program is not up to scratch, or if you don’t have one at all, seek specialist advice as the fines and penalties for non-compliance can be substantial and extend beyond the enforcement action to potentially mean your suppliers and customers will no longer do business with you due to the risk you present.

Photo by ThisIsEngineering on

What does the situation in Ukraine mean for supply chain hazards, as an example?

Under Australia’s new Security of Critical Infrastructure (SOCI) Act, one of the key elements of the associated Rules, Supply Chain Hazards, requires regulated entities to ‘establish and maintain in the entity’s program a process or system that the entity uses to minimise or eliminate the material risk of, or mitigate, the relevant impact of” amongst other things “(d) disruptions and sanctions of the asset due to a disruption in the supply chain”.

With the prospect of more sanctions on Russia, companies need to start working now to review their suppliers, update their risk assessments, and identify any potential connections to Russian individuals, entities and sectors. Some of the steps you may need to take include:

  • Examining the geographic presence of your suppliers – are any based and / or headquartered in Russia or its allies?
  • Ultimate Beneficial ownership or control – who (individuals) or what (other legal entities) one some or all of your suppliers and are any of them Russian, or do they have a nexus to Russia?
  • Once you have identified your suppliers and their beneficial owners, be prepared to conduct name screening against the relevant sanctions lists, or alternately use a reliable vendor solution such as Refinitive’s WorldCheck, Dow Jones Watchlist, LexisNexus World Compliance.
  • Identify any other potential foreign influence from Russia or its proxies that could impact your supply chain or operations.

If you are new to sanctions, your reaction is probably that this would take a lot of effort and involve some cost. In my experience, this is exactly the case. Once sanctions are promulgated, you need to compare the sanctions list(s) to your supplier data to ensure there are no matches. Your bank will do the same, so if you don’t do this you risk a supplier payment being confiscated by a regulator which can be hard to recover. In addition, intentionally or unintentionally breaking a sanction has serious criminal and civil penalties.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Upcoming changes to private investigator and security licencing in New South Wales

Australia’s path to security industry regulation

Australia has had legislation to regulate the security industry since the 1980’s, and was introduced to establish minimum qualification and character requirements (including criminal history checks) and to try to prevent infiltration of the sector by organised crime (see Prenzler and Sarre 2012).

This is State or Territory-based legislation: there is no regulation of the private security industry by the Commonwealth, and arrangements involving Australian Government security clearances and the Defence Industrial Security Program are completely separate. State police predominately manage security licencing in Australia, however there are exceptions where this role is performed by a state’s Office of Fair Trading. Legislation in each state or territory contains provisions for mutual recognition of licences held in other Australian jurisdictions, as well as limited provisions for temporarily working in other states.

Photo by Rijan Hamidovic on

Current legislation in NSW

In New South Wales (NSW), Australia’s most populous state, the NSW Police currently manages licencing for Private Investigators and Security Consultant’s under two pieces of legislation as at the time of writing:

  • Security Industry Act 1997 (NSW)
  • Commercial Agents & Private Inquiry Agents Act 2004 (NSW)

The legislation establishes licencing requirements for individuals (known as ‘operator licences’) and employers (known as ‘master licences’). In 2016, the Security Industry Amendment (Private Investigators) Act 2016 No 40 (not commenced) was passed to establish the legal basis for these changes, however there was no date when this was to take effect until October 2021, creating an element of confusion for licencees.

Effective 1 July 2022, licencing of private investigators will be incorporated into the Security Industry Act. In practice, this means professionals who offer both private investigator and security consulting services go from requiring two master and operator licences to one of each category. The addition of Class 2E to an operator’s security licence authorises the licensee to act as a private investigator or act in a similar capacity. These improvements to regulations, warmly welcomed by me as a holder of both licences, will streamline compliance.

Photo by Noelle Otto on

Individual (operator) licencing in Australia

In Australia, it is common to find individuals working in roles that provide services which involve private investigation and security consulting within the same engagement. An example might be where an investigation is performed into theft, which also results in advice on how an organisation can improve its internal controls to prevent theft in the future.

Cybersecurity professionals are not explictly included or excluded from the need for operator licencing in Australia, which means some people are licenced and others are not. In my view, licencing of cybersecurity professionals is overdue, this gap creates confusion and inconsistency. It is reasonably safe to assume that some unlicenced activity is being undertaken in Australian industry.

The scope of licenced security consulting and private investigation services in NSW are as follows:

Private Investigatorprivate investigator means a person who is employed or engaged for the purposes of either or both of the following:(a)  the investigation of persons, being any activity carried out by a person on behalf of a second person (not being his or her employer) that involves finding a third person or investigating a third person’s business or personal affairs,
(b)  the surveillance of persons, being any activity carried out by a person on behalf of a second person (not being his or her employer) that involves the surveillance of a third person.
Security ConsultantSecurity Consultant (licence class 2A) —authorises the licensee:
(i)  to sell security methods or principles, and
(ii)  to act as a consultant by identifying and analysing security risks and providing solutions and management strategies to minimise those security risks,
Definitions of activity licenceable under NSW law

To be eligible for the above licence, individuals must hold the relevant qualifications, as well as satisfy relevant employment experience and character requirements (including undergoing fingerprinting by police).

Performing the above services without a licence is a criminal offence in all Australian states and territories. The maximum penalty for “carrying on a security activity” unlicenced in NSW is a fine of 500 penalty units ($110 fine per penalty unit, so $55,000) or imprisonment for 2 years, or both (refer legislation).

Employer (master) licencing in Australia

Holding a master licence means organisations can provide licensed security operatives to carry out security activities in NSW (i.e. including security consulting services and, as of 1 July 2022, private investigation services). Master licence holders must ensure that only appropriately licenced employees provide security services. There are three categories of master licence holder under NSW law:

  1. Individual – individuals registered as a sole trader (or partnership) who wish to either carry out security activities in a self-employed capacity with a Class 1 or Class 2 security operative licence, or provide security operatives under an ABN
  2. Corporation – ASIC-registered corporations, excluding trusts and partnerships, that wish to provide security operatives to carry out security activities
  3. Government Agency – government agencies that wish to provide security operatives to carry out security activities.

A master licence holder is subject to a number of prerequisites as well as character checks of directors and ‘close associates’. As with individual licences, there are penalties for providing unlicenced security services. These are currently 1,000 penalty units in the case of a corporation ($110,000) or in the case of an individual, 500 penalty units ($55,000) or imprisonment for 2 years, or both.

Photo by Lukas on

How to check an individual or business is licenced in Australia?

The regulator for security industry and private investigator licencing in each state or territory manages their own register of licencees. In NSW, this register can be queried by members of the public here: Service NSW.

As with any industry, there are a range of practitioners from those offering highly professional, highly skilled services through to those with substantially less experience. Prospective buyers of these services should perform appropriate due diligence.

Further reading:

  • New South Wales Police (2021). Fair Trading seeks feedback on proposed Commercial Agents rules, SLED News, 28 October 2021,
  • New South Wales Police Security Licencing and Enforcement Directorate
  • Prenzler, T. and Sarre, R. (2012). The Evolution of Security Industry Regulation in Australia: A Critique. International Journal for Crime, Justice and Social Democracy, 1, 1, 38-51.

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

How should I perform due diligence to comply with Australia’s Modern Slavery Act 2018 (part 2)?

Author: Paul Curwell


This article is the second in a series on Australia’s Modern Slavery Act, this time with a focus on due diligence practices. Readers of my previous post may recall that one of the requirements of the MSA is to ‘Describe the actions taken by the reporting entity and any entities it owns or controls to assess and address these risks, including due diligence and remediation processes‘ (p29). The Guidance goes on to say that due diligence is a key term within the UN Guiding Principles (pp46-47), and directs readers to the OECD Due Diligence Guidance for Responsible Business Conduct as a source of ‘key international standards and guidance’ (p90).

In this second article, I aim to help readers understand the Australian Government’s expectations of a Reporting Entity’s human rights due diligence program so as to comply with the MSA in a clear and practical manner.

Australia's Parliament House
Australia’s Parliament House

The UN Guiding Principles establish the concept of ‘human rights due diligence’

The United Nations Guiding Principles on Business and Human Rights (UNGPs) were endorsed by the United Nations Human Rights Council in June 2011. The UNGPs are intended to apply to both nation states and businesses regardless of factors such as size or jurisdiction, and set out the intended duties and responsibilities of both parties. Under the UNGPs, what constitutes ‘human rights’ are defined as those rights outlined in the International Bill of Human Rights and the International Labour Organisation Declaration on the Fundamental Principles and Rights at Work (UNGP 12).

Of the 31 Guiding Principles, three in particular establish responsibilities for business in relation to human rights due diligence, as follows:

  • GP 13 – requires businesses to avoid causing human rights impacts through their operations or activities, and to seek to prevent or mitigate any adverse human rights impacts linked to them
  • GP 15 – states that in order to meet their human rights responsibilities, businesses should have: (a) a human rights policy, (b) a human rights due diligence process, and (c) a process to enable remediation
  • GP 17 – states that human rights due diligence is required by business to ‘identify, prevent, mitigate and account’ for adverse human rights impacts. This activity “should include assessing actual and potential human rights impacts, integrating and acting upon the findings, tracking responses, and communicating how impacts are assessed”

The Australian Government’s Modern Slavery Act Guidance for Reporting Entities is aligned to the UNGPs, hence an understanding of them is useful when designing a due diligence program in order to comply with the Modern Slavery Act.

The OECD’s Multinational Enterprise Guidelines compliments and expands upon the UNGPs

In May 2010, the governments of the 42 OECD and non-OECD countries which adhere to the OECD Declaration on International Investment and Multinational Enterprises and related Decision, of which Australia is a member, commenced work to update the original OECD Multinational Enterprise (MNE) Guidelines originally developed in 2000. In addition to providing concepts and principles, the Guidelines provide specific guidance in eight domains:

  • Human Rights
  • Employment and Industrial Relations
  • Environment
  • Combating Bribery, Bribe Solicitation and Extortion
  • Consumer Interests
  • Science and Technology
  • Competition, and,
  • Taxation

The revised version of the MNE Guidelines included a new chapter on Human Rights which is consistent with the UNGPs. The MNE Guidelines are intended to provide “non binding principles and standards for Responsible Business Conduct”, and are “the only multilaterally agreed and comprehensive code of responsible business conduct that governments have committed to promoting” (p3).

The MNE Guidelines contain a number of requirements pertaining to Human Rights Due Diligence (i.e. Modern Slavery Act due diligence practices), however this guidance aligns with that of the UNGPs and does not warrant repeating.

Why should the OECD’s MNE Guidelines matter to Australian businesses?

Australia is a signatory to the OECD Declaration on International Investment and Multinational Enterprises and Decisions. To effect this, the Australian Treasury manages Australia’s OECD MNE ‘National Contact Point’ to promote and implement the MNE Guidelines. The Government expects Australian businesses to comply with the MNE Guidelines and the OECD Due Diligence Guidance for Responsible Business Conduct and associated sector due diligence guidelines (see below) as they “represent standards of behaviour that supplement Australian law and therefore do not create conflicting requirements“. Non-judicial complaints can be brought against Australian businesses, and are investigated by an Independent Examiner (currently WA Barrister Mr John Southalan).

To assist business in interpreting and implementing the MNE Guidelines, the OECD has produced its Due Diligence Guidance for Responsible Business Conduct, supported by additional sector specific due diligence guidance for:

The OECD also introduces new sector-specific guidelines periodically.

The OECD has developed guidance for business on how to undertake ‘human rights due diligence’

Photo by Roman Pohorecki on

As an Australian, I struggle with the way the ‘human rights due diligence’ concepts are presented in the UNGPs and OECD guidelines. We so frequently design our governance, risk and compliance frameworks along the lines of ISO31000 – Risk Management and ISO19600 – Compliance Management Systems that it is easy to forget these elements are not so ingrained overseas.

I raise this because the OECD Due Diligence Guidelines for Responsible Business Conduct (DDGs) introduce a six-step due diligence process which contains some functions we might ordinarily consider constituting part of a risk and compliance framework, as follows (Figure 1, p21):

  1. Embed Responsible Business Conduct into policies and management systems
  2. Identify and assess adverse impacts in operations, supply chains and business relationships
  3. Cease, prevent or mitigate adverse impacts
  4. Track implementation and results
  5. Communicate how impacts are addressed
  6. Provide for, or cooperate in, remediation where appropriate

Although the OECD states that businesses may not see these elements as being exclusive to a due diligence program per se, the DDG also states the focus of human rights due diligence processes should be external to the business itself (as opposed to risk management’s traditionally internal focus) and focused on its extended operations, products or services, and its ‘business relationships’ (what Australians might consider as Third Party Risk Management).

Human Rights Due Diligence can build off (although it is broader than) traditional transactional or ‘Know Your Counterparty’ (KYC) due diligence processes

The DDGs are not intended to replace those practices commonly referred to as ‘Know Your Customer‘ (KYC), ‘Know Your Supplier‘ (KYS), ‘Know Your Partner‘ (KYP) or ‘Enhanced Due Diligence‘ (under AML/CTF laws, legislated in Australia as ‘Enhanced Customer Due Diligence’) (p16). These due diligence activities are different to human rights due diligence, albeit there will likely be some overlap, and commonly focus on around some variation of the following nine key areas:

  • Identification and Identity Verification
  • Legal entity formation and directors
  • Determination of Beneficial Ownership
  • Financial viability, credit ratings and performance
  • Litigation, bankruptcy & lien searches
  • Name screening (adverse media, Politically Exposed Persons, Sanctions)
  • Assessment of management’s style, integrity, competence and track record
  • Reputation in business, industry, the company or community
  • Disclosed and undisclosed Conflicts of Interest, Related Party relationships and other red flags

Simplifying the OECD’s six-step due diligence process

When I look at the OECD’s six-step due diligence process outlined earlier, Step 2 constitutes what I would consider to be the crux of the actual due diligence (Figure 1, p21). The purpose of Step 2 is to “identify and assess actual and potential adverse impacts associated with the enterprise’s operations, products or services”, which the guidance decomposes into four elements:

  • 2.1 – Develop an enterprise-level risk assessment to identify the areas of highest risk based on a range of internal and external factors, including information gaps. Complete the due diligence from areas of highest to lowest risk
  • 2.2 – Undertake iterative and increasingly in-depth assessments of operations, suppliers and other business relationships to identify and assess adverse Responsible Business Conduct impacts, starting with the highest risk areas first from 2.1 (above)
  • 2.3 – Assess whether the enterprise caused (would cause), contribute to, or whether the adverse impact is (would be) directly linked to its operations in order to determine an appropriate response (i.e. is it actually involved, or potentially involved)
  • 2.4 – Prioritise the most significant risks and impacts for action based on severity and likelihood

Step 2.1 will resonate well with anyone familiar with the principles of risk management in that resources should always be concentrated towards those areas of the highest risk exposure.

Step 2.2 is an interesting one. In Terrorist Diversion (Routlege, 2021), I wrote the chapter on due diligence practices for non-profit organisations. In this, I outlined a risk-based process where the level (extent) of due diligence initially undertaken is predicated on the perceived inherent risk prior to commencing due diligence. Where indications are encountered that an entity is actually higher risk whilst performing the diligence, the extent of diligence can be easily increased. Step 2.2 aligns with these principles.

Steps 2.3 and 2.4 start to get into matters of liability and social responsibility for any identified (or potential adverse) findings, and subsequently a treatment plan. Depending on your organisation, this may or may not be the responsibility of the team actually performing the due diligence itself.

To make it easier for readers to follow all of this, I have developed this simple cheat sheet which I hope will be a useful resource (please remember to cite me appropriately).

– (C) Copyright Paul Curwell (2000, Australia).

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Modern Slavery, Human Trafficking & People Smuggling? (Part I)

Author: Paul Curwell


According to Antislavery.Org, “someone is in slavery if they are forced to work through coercion, mental or physical threats; trapped and controlled by an employer; dehumanised, treated as a commodity, or sold as property; and subject to physical movement constraints”. Antislavery.Org identifies six primary forms of slavery:

  • Forced labour
  • Debt bondage (bonded labour)
  • Human trafficking
  • Descent-based slavery (people born into slavery)
  • Child slavery (as opposed to child labour)
  • Forced and early marriage

The 2016 figures from the International Labour Organisation (ILO) are startling:

  • 40.3 million people are in modern slavery, including 24.9 million in forced labour
  • This is a ratio of 5.4 victims (slaves) per 1,000 people, with 25% of those being children
  • 64% of the victims of forced labour are exploited in private sector industries such as domestic work, construction or agriculture, and almost 17% are in forced labour imposed by government authorities
  • Females are disproportionately affected, accounting for 58% of forced labour victims across all sectors except the commercial sex industry, where they represent 99% of victims

Globally, the international legal framework to address modern slavery includes the Universal Declaration on Human Rights, and various other international conventions and into different forms of slavery, forced labour and human trafficking.

It is common to see the terms ‘modern slavery’, ‘human trafficking’ and ‘people smuggling’ used interchangeably, but they are actually different concepts with different actors, motives and outcomes (see Australian Criminal Offences below).

Key Definitions

Whilst the concepts of Modern Slavery and Human Trafficking are related, People Smuggling is a different concept, as outlined below:

  • Modern Slavery in Australia is defined as conduct that consitutes:
    • An offence under Division 270 or 271 of the Criminal Code 1995 (Cth),
    • A form of Child Labour (as defined by the ILO), or
    • Trafficking in persons, as defined in Article 3 of the Protocol to Prevent, Suppress and Punish Trafficking in Persons, Especially Women and Children, supplementing the United Nations Convention against Transnational Organized Crime (2000)
  • Human Trafficking – the physical movement of people (recruiting, transporting or harboring) across and within borders through deceptive means, force or coercion.  The people who commit human trafficking offences are motivated by the continuing exploitation of their victims once they reach their destination country (AFP)
  • People Smuggling – the organised, illegal movement of people across borders, usually on a payment for service basis (AFP). Unlike Human Trafficking, although ‘illegals’, smuggled people are free upon arrival in their destination country

Australia’s regulatory landscape

Broadly speaking, there are now seven main pieces of legislation relating to modern slavery and human trafficking in Australia:

  • Criminal Code Act 1995 (Cth) criminalises trafficking, slavery and slavery-like practices
  • Crimes Act 1914 (Cth) protects trafficked persons when giving evidence and allows a court to make reparation to victims
  • Migration Act 1958 (Cth) creates offences for allowing an unlawful non-citizen to work or breach work-related visa conditions
  • Fair Work Act 2009 (Cth) empowers the Fair Work Ombudsman to enforce compliance with the Fair Work Act
  • Marriage Act 1961 (Cth) provides offences for solemnising underage marriages
  • Proceeds of Crime Act 2002 – provides for tracing, restraining and confiscating the proceeds of crime, including trafficking and slavery
  • Modern Slavery Act 2018 (Cth) is the newest piece of slavery-related legislation in Australia

What does the Modern Slavery Act 2018 (Cth) require of Australian Companies?

At the macro level, the purpose of the Act is to raise awareness and increase transparency of the problem of Modern Slavery in Australian supply chains, and to require companies to take steps to understand the risks and change existing practices which are conductive to slavery and slave-like conditions. The Act requires companies that meet the criteria (termed a ‘reporting entity’) to submit a modern slavery statement annually to the relevant Minister, which is also made available to the public. Mandatory content of these statements includes describing:

  • (b) the structure, operations and supply chains of the reporting entity
  • (c) the risks of modern slavery practices in the operations and supply chains of the reporting entity, and any entities that the reporting entity owns or controls
  • (d) actions taken by the reporting entity to assess and address those risks, including due diligence and remediation processes
  • (e) how the reporting entity assesses the effectiveness of such actions
  • (f) the process of consultation with (i) any entities that the reporting entity owns or controls; and (ii) in the case of a reporting entity covered by a statement under section 14—the entity giving the statement; and
  • (g) any other information considered relevant

By requiring larger companies to produce these statements, government’s objective is that over time modern slavery risks in the supply chain will be reduced and that these requirements will propagate throughout global supply chains, including down to smaller suppliers – after all, a rising tide floats all boats.

Definitions of slavery in the Modern Slavery Act are mapped to the various Australian criminal offences, meaning that in order to identify inherent risks or exposures of a prospective third party or business partner, potential joint venture partner or acquisition target, you need to be able to determine their exposure to the various offences.

Australian Criminal Offences

Criminal Offences in Australia are either national, at the Commonwealth level and enshrined in either the Crimes Act 1901 (Cth) or the Criminal Code Act 1995 (Cth), or State or Territory-based jurisdiction (e.g. Crimes Act 1900 (NSW)). Offences pertaining to Slavery, Trafficking and People Smuggling can be found in the Criminal Code Act 1995. To make it easier to identify slavery and trafficking related risks during initial or ongoing due diligence, I have developed the following taxonomy based on the legislation which can be used as a reference:

High risk industries exposed to modern slavery

Some industries are more typically exposed to modern slavery risks than others. These include the following, which have been grouped below by typology:

TypologyHigh Risk Industries
Forced Labour (Global Slavery Index 2018 – see below for citation)Cotton
Garments – Apparel and Clothing Accessories
Sugar Cane
Electronics – laptops, mobile phones, computers
Human Trafficking (Anti-Slavery International – see below for citation)Trafficking is the act of moving the person internationally. Upon arrival they are usually driven into other typologies, such as:
Sexual Servitude (prostitution)
Forced labour
Forced begging
Forced organised crime
Domestic servitude
Forced marriage
Forced organ harvesting
Servitude (Anti-Slavery International – see below for citation)Domestic servitude (e.g. housekeeping, cleaning, maid duties, childcare, cooking)
Sexual servitude (forced prostitution)
Deceptive Recruiting (International Labour Organisation)Labour hire organisations and their extended networks of recruiters use deception to make an adult or parent believe that they (or their child) will be going to work in a reputable job, only for the victim to find they are later channeled into Forced Labour or Servitude. Sometimes, victims even pay for their traffickers.
Debt Bondage (Anti-Slavery International – see below for citation)Agriculture
Brick kilns
Breakdown of exposure to modern slavery by Industry

As illustrated above, ‘deceptive recruiting’ and ‘human trafficking’ can be pathways for victims to Forced Labour and Servitude. Companies would rarely be exposed to every typology of modern slavery identified above: typical activities of Australian companies mean that modern slavery in the supply chain is most likely to manifest itself as Forced Labour or Debt Bondage, although Servitude may arise in the case of expatriates working offshore who employ domestic workers via an ‘agent’ for tasks such as household duties.

Jurisdictions and Human Trafficking Patterns

A number of useful publications exist to understand the prevalence and risk profile of human trafficking in the supply chain, including the annual ‘Trafficking in Persons‘ report published by the US State Department and the ‘Global Reports on Trafficking in Persons‘ issued by the United Nations Office on Drugs and Crime (UNODC).

Every country is different, and is typically classified as an Origin (source), Transit, or Destination country for Human Trafficking. As shown in this figure from the UNODC (2006), Australia is a Destination country for Human Trafficking, whilst many countries in Asia are both Origin and Destination countries. The prevalence of Destination countries in Asia means there is an increased likelihood that various forms of modern slavery would be prevalent in global supply chains given that Asia is the world’s manufacturing hub.

Photo Credit: United Nations Office on Drugs and Crime (2006). Trafficking in Persons:
Global Patterns, April 2006, Vienna,

As a primarily Destination country, Australia also has an interesting Human Trafficking profile, with key highlights from the 2019 US State Department Trafficking in Persons report including:

  • Both domestic and foreign victims are exploited in Australia
  • Women from Asia, Eastern Europe and Africa are frequently exploited in the commercial sex industry, whilst men are typically engaged in forced labour
  • Some women may also be exploited via forced marriages or domestic servitude situations
  • Employers and labour hire agencies are increasingly being linked to forced labour, bonded labour and exploitation (wage underpayment, falsification of records, excessive work hours) in agriculture, cleaning, construction and hospitality
  • There have also been instances of people on student visas becoming victims of modern slavery scams, whilst also having to pay substantial academic and related tuition fees
  • Also, many overseas students do not understand Australia’s complex employment award (salary) schemes, and some students do not feel they can approach the police for assistance due to a lack of trust in their home country
  • There have also been allegations of foreign diplomats abusing foreign household staff in Australia, as these household staff may not fall under standard Australian protections due to their employer’s diplomatic status

As we can see, no country is immune from the scourge of Modern Slavery, however a greater understanding of the way it can manifest both in the supply chain and locally in Australia means more effective risk identification and targeted due diligence practices, which in time will help combat this global problem.

Next Steps – Due Diligence, Risk Assessments and Customer Risk

As the first in a three-part series, this is Part I of a three part series on modern slavery and human trafficking. Part II will be published shortly, and will discuss the guidance provided to ‘Reporting Entities’ under the Modern Slavery Act 2018 in terms of their obligations, with a target audience of supply chain professionals and investment managers. Part III will address risks relating to slavery and human trafficking offences, which are designated categories of offences for money laundering (often referred to as ‘predicate offences’) by The Financial Action Task Force (FATF / GAFI).

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

The trouble with company registers – not a uniquely Australian problem

Author: Paul Curwell


On Friday 28th February 2020, Dan Oaks and Jeremy Story Carter of the Australian Broadcasting Corporation (ABC News) reported again on the issue of director registration in Australia. Whilst this recent article was presumably triggered largely by most recent sitting of the Parliamentary Joint Committee on Corporations and Financial Services on the same date, the official hansard for the previous sitting date of 19 November 2019 is now available. In the hansard, Senator Whish-Wilson asks a number of questions about ASIC’s director registration process of Commissioner John Price. Commissioner Price’s responds to the Senator’s questions as follows:

“I think it is really important for members of the committee to understand that the company registration process is just that—a registration process. We do not test identity data about directors of companies.That is not provided for in the legislation we have at the moment. The government is looking at a program of work called registry modernisation. It may well be as part of that, and the introduction of what is known as director identification numbers will be an authentication process for director identity when that is introduced.” (p26).

According to an excellent report prepared by the World Bank Stolen Assets Recovery Initiative (STAR) called “The Puppet Masters“, company registers have a four-fold function (van der Does de Willebois et al, 2011, p69):

  • To record the establishment of a new legal entity (typically an incorporated entity and not a trust, foundation, partnership or other unincorporated vehicle),
  • To capture any information required by law,
  • To keep the registry up to date (with limitations, as highlighted by Oaks and Story Carter, such as how a director’s appointment might be backdated), and,
  • To make certain information available to the public.
adolescent adult black and white casual

“Elvis Presley, Homer Simpson and Bob Marley could be installed as Australian company directors, ASIC admits”

Dan Oaks and Jeremy Story Carter, ABC News, Friday 28 February 2020.

While it might be tempting to think this is a uniquely Australian problem, the identification of directors in company registers is part of a global issue, as reported by the Tax Justice Network in relation to the 2019 Financial Action Task Force (FATF) report on Beneficial Ownership.

How has this problem arisen? Why do we find ourselves here?

In order to understand why we find ourselves at this juncture, we must first understand how company registers are used today. As part of global trade and commerce and increasing risk and regulation, as a society we are increasingly required to rely on the content of company registers for processes including Anti-Money Laundering / Counter Terrorist Financing (AML/CTF), credit risk, supplier vetting or end user verification, identifying employee conflicts of interest, anti-corruption and economic & trade sanctions enforcement, which contrasts with the original intended purpose of company registers as outlined in the Puppet Masters report. Interestingly, in some countries company registers have even been privatised. At the most basic level, there is a fundamental issue with the way most company registers operate:

“Registries generally take information on good faith, with most documents and filings being accepted “as is” unless an omission of information is blatant. On-site visits and data verification fall well outside the typical duties of registries. The information is usually in the form of self-declarations by applicants and subscribers.” (van der Does de Willebois et al, 2011, p71).

As a professional, I use the information held in company registers almost every day, however I recognise this is only a starting point for any inquiry and that it has not been verified. I frequently come across other professionals who do not understand the concept of identity or the origins of company registers generally. Many individuals seek to place reliance upon company registers for processes that need to be legally defensible, such as with regulatory compliance. However, this perspective does nothing for risk scenarios such as fraud or credit risk, where the consumer of that information may suffer a loss or become a victim as a result of placing reliance upon that information without performing further due diligence. In these scenarios, caveat emptor again applies when consuming company register information:

“The value of company registries has its limitations. For example, most registries are government depositories and inherently archival in nature. Indeed, all the registry representatives with whom we spoke were involved in almost exclusively receiving and logging information, rather than undertaking any quality controls or verifying the information received from incorporators.” (van der Does de Willebois et al, 2011, p17).

So what can be done about this problem?

So, now we understand how company registries have evolved from limited historical use to becoming a foundational element of many commercial processes today. And we understand the functions of a company register, the fact that some are even privatised, that company registers are actually quite limited in terms of their coverage of the universe of legal entity types in a given jurisdiction (i.e. typically incorporated only), and that verification of information provided by the company is the exception rather than the rule (although to be fair, if you are caught and it can be proven you provided false information, you may often be prosecuted).

ASIC talks about implementing some sort of unique numbering system for company directors in Hansard but a simple starting point might be adapting existing standard Australian identification and verification processes and simply bolt these on to existing ASIC processes, along with a reconciliation of current director data against government information holdings to identify current offenders.

The nuts and bolts of a standard Identification and Verification Process in Australia

About 14 years ago, my first assignment on joining the consulting firm Booz Allen Hamilton was as an adviser on Identity Crime and Identity Security to the Howard Government’s now withdrawn ‘Access Card‘ program run by the Department of Human Services. I had joined Booz Allen from another consulting firm, where I worked on a project with the Chief Internal Auditor of Centrelink to review their Identity Fraud programs. Since then, the concept of identity has evolved substantially but the concepts remain the same.

Any identification process, whether of legal entities or individuals, involves a two-stage process:

  • Identity Validation – this step seeks to answer the question ‘does the identity exist’, and is achieved by taking the biographical (and potentially biometric) attributes for a claimed identity and comparing them to the relevant official government register to ensure the identity is not fictitious or invented.
  • Identity Verification – is the second step in any identification process, which seeks to answer ‘is the person claiming the identity actually the true owner of that identity’

The process of Identity Verification aims to conclusively tie the person or legal entity claiming that identity to (1) something they know, such as a password or date of birth, (2) something they have, such as a passport, official document or RSA SecureID token, or (3) something they are, which is a biometric identifier including a fingerprint or iris scan.

To simplify the application of identification concepts in an Australian context, where there is no single identity credential (such as a national identity card), the National Identity Proofing Guidelines have evolved to encompass five distinct steps (Commonwealth of Australia, 2016):

  • Objective 1: Confirm uniqueness of the identity in the intended context to ensure that individuals can be distinguished from one another and that the right service is delivered to the right individual.
  • Objective 2: Confirm the claimed identity is legitimate to ensure the identity has not been fraudulently created (i.e. the identity is that of a real person) through evidence of commencement of identity in Australia.
  • Objective 3: Confirm the operation of the identity in the community over time to provide additional confidence that an identity is legitimate in that it is being used in the community (including online where appropriate).
  • Objective 4: Confirm the linkage between the identity and the person claiming the identity to provide confidence that the identity confirmed through objectives 2 and 3 is not only legitimate, but that the person claiming the identity is its legitimate holder.
  • Objective 5: Confirm the identity is not known to be used fraudulently to provide additional confidence that a fraudulent (either fictitious or stolen) identity is not being used.

Tools for Automated Identification & Verification (IDV) in Australia

In Australia, we have the Document Verification Service (DVS) which was setup in 2009 and is now managed by the Australian Government’s Department of Home Affairs, to help streamline the Identification and Verification (IDV) process. By typing the details of an official document, such as the Biographical Data Page of an Australian Passport into the DVS portal, users receive an automated ‘yes’ (match) or ‘no’ (no match) result based on the comparison of document identifiers against the Issuer’s (Issuing Government Department) records. Note that this service does not actually verify the person holding the identity document is who they actually claim to be (i.e. it does not verify biometrics, such as comparing a photo of the holder with the person presenting the passport for a service). However, there is a second element to DVS, the Face Verification Service, which recently started coming online for selected government agencies.

The challenge of identifying foreign nationals

As a global citizen, Australia allows foreign nationals (i.e. those individuals without Australian Citizenship, Permanent Residency or a long term visa) to operate a business in Australia. Whilst some countries have a residency requirement for company directors (e.g. Singapore), this does not apply in Australia. This means that it is quite conceivable that the director of a company will be from overseas. Conducting IDV for foreign nationals can be a challenge. Contrary to popular belief, there is no ‘global database’ of all people in the world, and most countries do not share wholesale databases of their citizens with other countries (even friendly ones). This means that when you try to check that a foreign passport is legitimate, you cannot use DVS (the record is not held there).

Aside from sighting the identification documents of the foreign national to see if they appear real (e.g. do an initial check of the passport), there are only two options for validating and verifying a foreign identity:

  • Verify the visa details, which involves entering the holder’s name and passport details into the Immigration Department’s VEVO platform to obtain a ‘match’ or ‘no match’ for the records (which can also be verified via the DVS platform), or,
  • Verify the individuals identity information against a database or service similar to DVS but operated by the foreign national’s government (e.g. Singapore, for a Singaporean Citizen).

This second option is much more complicated and may be subject to restrictions on privacy, IP address geoblocking, and other challenges. The challenge with the VEVO option is that the person’s details may not be in the system if they don’t hold the right visa, or if they haven’t notified Immigration of things like a new passport number. Unfortunately, an exceptions process is still required at this time for cases where IDV cannot be easily automated through platforms such as DVS.

The promise of a trusted digital identity – an ideal solution for verifying Company Directors in Australia?

Aside from political resolve to increase transparency, addressing the problem of company director aliases could be relatively simple through the use of emerging Digital Identity technology, which could be easily integrated into any online ASIC application for Australian citizens and permanent residents. Whilst some IDV workarounds would initially be required for foreign nationals who are Australian company directors, as other countries bring their Digital Identification solutions online they could also be linked to ASIC’ processes, thereby avoiding the issue I flagged with DVS above in that it only works with people who already have a strong nexus to Australia.

Digital Identification is one technological innovation with real promise, especially since the need to identify someone is only increasing in society today. I was privileged enough to consult a few years ago on product fraud and security risk to a company which develops Digital Identity products, giving me real insight into the benefits and utility of the solution for a whole range of applications, from obtaining credit to confirming the identity of a tradesperson before engaging them.

Digital Identity products work like a virtual identity credential in the online environment, however unlike traditional identity credentials such as a physical driver’s licence they can be verified with the Issuer of the identification credential and updated in real time. These products can even be designed in ways that increase the privacy of the user whilst also increasing the utility of the identity token; take, for example, where a digital identity might tell a user the holder is over 18 without disclosing their date of birth. Those who are interested can read more about how Australia’s Digital Identity ecosystem is being designed at the Digital Transformation Agency.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Building a media monitoring capability 101

Author: Paul Curwell

Media Monitoring as part of a wider externally-focused risk intelligence capability

Businesses cannot operate effectively without an external listening capability that helps identify current and emerging issues in the operating environment. Competitors, regulatory change, technological innovation, and important developments involving suppliers and key customers have historically been ‘followed’ by businesses everywhere. However, with the rising importance of reputation risk and regulatory compliance, topics such as economic & trade sanctions, corruption, fraud, privacy & security incidents, business interruptions, modern slavery and environmental issues are also being increasingly watched, especially where suppliers or contractors pose a risk ‘by association’ to the buyer.

Our 24/7 news cycle and the global pace of change means it is no longer viable to read the newspaper once a day or occasionally Google a competitor every few months in your spare time to identify changes in your operating environment – media monitoring today needs to be a core part of your risk intelligence capability, employed on a systematic, continuous basis and integrated into other business processes to add value.

Conceptually, media monitoring seems relatively straightforward, but it follows the iceberg principle with most of the challenges laying beneath the surface. Many organisations struggle with media monitoring when they need to operate across large volumes of search criteria, countries, languages and mediums. Practically speaking, there are also differences between monitoring traditional print, TV and radio channels and social media: This post focuses on traditional channels, whilst social media will be addressed in a future article. The article outlines the key considerations when designing a media monitoring capability, the challenges, what to focus on, and what to do with what you’ve found.

Selecting sources and monitoring tools

The majority of media monitoring programs are run in an ad-hoc manner, without any real understanding of the sources or content of interest. The sophistication of these programs range from performing ad-hoc searches in the internet browser, to using tools such as Google Alerts and data aggregators. Typically, businesses focus on print media to the exclusion of TV and Radio, despite both having interesting and relevant content (take for example, an executive from a competitor being interviewed on the business channel).

The first step in selecting sources involves thinking about what, and who, you want to monitor, and where the content would be published. This ‘where’ is a function of both geography but also industry, as some of the richest coverage might be featured on niche industry platforms. Media monitoring typically focuses either on people or entities, both of which involve name-based searches (e.g. ‘Apple’ or ‘Tim Cook’). Where large numbers of search results are returned, it is normal to use boolean operators to write queries which search for the individual or entity’s name in conjunction with other search criteria, such as ‘strategy’ or ‘fraud’. This process can get quite complex, involving potentially dozens of words of interest (or derivatives of them, such as ‘Crim*’ to search for ‘criminal’, ‘crime’, etc in the same search) in addition to the entity name (i.e. “[name]” and “crim*”).

Media Monitoring Challenges

Licensing and Copyright – news information is subject to copyright, and many IP Rights Owners require their content to be licensed. These costs, and any licensing constraints (e.g. forwarding of a complete article is prohibited without an enterprise license) will require some thought around how any capability is designed, as well as impacting budget.

Syndication – increasingly common globally, syndication has the effect of increasing the volume of search results. Platforms such as Factiva have in-built tools to remove duplicates, however manual processes (e.g. Google Alerts) may take additional time to process

Reliability of free tools – free media monitoring tools use a variety of technologies to identify and index content, which can impact reliability. Unlike platform providers, they typically require closer scrutiny to ensure they are performing as intended.

Press Freedom and ‘Right to Forget’ laws – the reliability and coverage of the mainstream media is increasingly being influenced by attacks, government constraints on journalists, and corruption. In other jurisdictions, ‘Right to Forget’ laws mean the subjects of adverse coverage can have articles such as coverage of convictions or imprisonment deleted, impacting historical search results.

Where large volumes of search queries are required and where budgets allow, news aggregators such as Factiva and ProQuest, as well as other specialised industry journals, represent an excellent option provided they have coverage of the content you are seeking. Once you have identified your sources, you should check to see where their content is published as some publications are not covered by aggregators or news syndication services.

As with print media, television and radio content is also searchable via specialised aggregators. Typically these providers will index the content (i.e. note keywords and other search terms), to enable a word-based search to be performed via their portals. Once results are returned, they can then be screened for relevant content. Two examples of television indexes include BBC Monitoring and InformIT TV News.

Case Management: Reviewing, storing and evaluating matches

Media articles or other search results are typically recorded in some sort of ‘case management system’, which can be anything from a register kept in Microsoft Excel to a database or workflow system such as ServiceNow. There are a few steps in this stage of the process, including:

  • Reviewing each returned search result to determine whether it meets your criteria for retention (i.e. is it relevant, timely and actionable in relation to the question you are seeking to answer and is this new information, or is it a duplicate?)
  • Documenting selected fields / information from the article in your case management system – such as names or addresses of parties mentioned
  • Copying details of names, addresses, relationships, events or other reporting which could affect your relationships with key customers, suppliers or employees into a separate database (this is particularly important for fraud prevention and legal disputes)

This raises the question of who is performing the media monitoring, and how well they understand the intended recipients (i.e. their readers or internal ‘customers’). All too often media monitoring is performed by a central team, with consumers in the business being forwarded copies of news articles they have already read or receiving lots of emails that go unopened. Whether the function is performed centrally or by business line, the most important thing is that information is converted to intelligence so it is actually useful.

Whilst media monitoring can be started with the best of intentions, it quickly becomes a waste of time and effort if the generated content is not relevant and actionable to the recipient (i.e. can they actually do something useful with it) and timely (telling them an event has occurred 3 months after they’ve known about it is useless), if the content is not properly curated and searchable as volumes increase, and if the team performing the role becomes seen as a sender of spam.

Actioning what you’ve found

Once you have identified what’s important, the next step is to do something with it. By this stage of your process, you should be left with a number of articles that contain content of interest. In my experience, this is the stage where many media monitoring processes begin to fall apart.

Case Study:

A large bank had implemented a robust media monitoring process to track strategic developments involving competitors and the market. They were actively monitoring multiple channels, saving articles of interest to PDF from print media sources, and uploading them to a Document Library on their intranet (SharePoint). Over time they had thousands of articles containing rich information but it was never extracted and developed into intelligence. To make use of their collection, they had to individually review each search result rather than being able to see what all search results meant in the wider context. In time, it became quicker for users to simply use Google and the whole effort became a complete waste of time.

Media monitoring is only the first capability building block in an external listening process, and if your process relies upon emails or file libraries in a shared folder or on SharePoint once you hit a certain number of files you will start to encounter data challenges that affect our ability to extract any real value from your media monitoring. To avoid this situation, I recommend you add two steps to the end of your media monitoring process:

Dealing with information about people, events, places and things

Articles with content such as names, incidents, relationships, events and places need to have this information extracted into a structured format (ideally a database but CSV format will also suffice), with the original article attached. Whilst you can use document tags instead of structured content, it is not as effective (1) because you will still need to extract the data into a structured format to properly analyse it, and (2) over time libraries of tags will become unmanageable and you may encounter system limitations. To keep pace with volumes, I find this information most efficiently captured as the article is reviewed, rather than letting everything pile up.

These sort of articles typically relate to issues such as a key customer or supplier’s financial solvency, highlight relationships between employees and a supplier or customer (i.e. conflicts of interest or fraud risks), and legal disputes which might disrupt the supply chain. Consequently, the typical audience for this information will be finance / procurement, legal, audit, risk and compliance.

Articles of a strategic nature

In contrast to information about people, places and things, information of a strategic nature (e.g. articles on regulatory change, interviews given by a competitor on their new product) should be compiled into a separate document or ‘wiki’. Environmental Scanning is a common technique used in the strategic analysis and intelligence communities and is ideal for compiling and analysing this type of content, and will be covered in a future post.

The key difference between strategic information and that of people, places and things is the way it is used – it is mainly employed by strategy teams, product managers, or in other planning activities rather than more operational tasks, hence it needs to be reviewed less frequently. Strategic information is typically reviewed in the context of other strategic information or when making specific decisions.

Optimising your capability

The last step in developing any capability is to periodically evaluate its performance. For a media monitoring capability, this means running separate searches to ensure you haven’t missed anything with current search criteria (have you had consumers in the business ask about something you didn’t pick up?), ensuring that sources are reliable and credible and that search parameters are current, and that your downstream processes in terms of storing, evaluating and reporting remain valid.

Further reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.