About ohunter

The Australian Registrars' National Electronic Conveyancing Council (ARNECC) is the body established to facilitate the implementation and ongoing management of the regulatory framework for electronic conveyancing of real property in Australia.   Operating Requirement 14.7 of the ARNECC’s Model Operating Requirements (MOR) requires PEXA to establish, implement, review and keep current a Subscriber Review Process (SRP) to ensure Subscribers are complying with the Participation Rules.   Accordingly, Primary Subscriber Managers from all eligible Subscribers will be selected to participate in the SRP periodically. When your organisation is selected, you will have 30 days to complete the review. Completion of the SRP is a requirement of your organisation’s Participation Agreement with PEXA. The process for selecting recipients of the SRP is random and based upon criteria previously agreed with ARNECC. Recipients include, but are not limited to Financial Institutions, Legal Practitioners and Conveyancers.   Primary Subscriber Managers will be notified via email if their organisation has been selected to complete the SRP questionnaire. The email will not include a link to the Subscriber review portal as PEXA will never send a link to a login page in an email to its Subscribers. Instructions for accessing the portal are included in the notification email and outlined on the page 4 of these Guidance Notes.   If you have any questions please contact Member Support on 1300 085 515 or please send an email to subscriberreviewprocess@pexa.com.au   Subscriber Review Process Structure The SRP focuses on the following three categories of the Participation Rules: Eligibility Criteria; General Obligations; and System Security and Integrity These Guidance Notes are designed to assist PEXA Subscribers with answering the SRP questions. For each SRP question, you will see the following guidance structure: Question The question as it appears in the SRP questionnaire. Requirement Your obligation under the Participation Rules. Compliance demonstration How you can demonstrate your compliance in response to the question. Whilst completing the SRP questionnaire, it is recommended that you have these Guidance Notes readily available in addition to the following documentation: Participation Rules Version 5; and PEXA Subscriber Security Policy Further questions regarding the questionnaire or the Subscriber Review Process can be directed to: SubscriberReviewProcess@pexa.com.au Accessing the Questionnaire To access the Subscriber review portal, Primary Subscriber Managers will need to log into the PEXA Exchange and click on the ‘Subscriber Review’ button located on the right-hand side of their Dashboard as per the following screenshot: Alternatively, Primary Subscriber Managers can access the portal by navigating to www.pexa.com.au/srp , scrolling down to the Subscriber review portal section and clicking on the link included on the page. Upon clicking the ‘Subscriber Review’ button or the link from PEXA’s website, Primary Subscriber Managers will be directed to the Subscriber review portal where the questionnaire link will appear as highlighted by the light purple oval object as per Diagram 2. Primary Subscriber Managers will need to click on the “SRP ” link to access the SRP questionnaire. Note: If additional information is required after the review is initially submitted, this can be provided by clicking on ‘Tasks’ (located next to ‘Assessment’ in the portal)   Question 1 Question Are your organisation’s principals, directors, partners, officers and Subscriber Administrators deemed to comply with the good character and reputation matters listed in Participation Rule 4.3.1(b)?   Requirement Many Individuals are deemed to comply with this rule, including Australian Legal Practitioners, Licensed Conveyancers and officers or employees of Authorised Deposit-Taking Institutions. For a full list of those deemed to comply, please refer to Participation Rule 4.3.3. Your organisation has an obligation to ensure its principals, directors, partners, officers and Subscriber Administrators are of good character and reputation, where they are not deemed to comply. (Participation Rules: Section 4.3.1(b))   Compliance demonstration If all relevant Individuals within your organisation are deemed to comply with this rule, select Yes, and move on to Question 2. Where one or more of the relevant Individuals within your organisation are not deemed to comply, select No. If you select No, you will be prompted with a supplementary question: Supplementary question only applicable if you selected No What steps has your organisation taken to ensure principals, directors, partners, officers and Subscriber Administrators are not and have not been subject to any of the good character and reputation matters as listed in Participation Rule 4.3.1(b)? Compliance demonstration To demonstrate your organisation’s compliance with this requirement, you must specify the steps taken to provide this assurance. The following options will then be available for you to select from: (select all that apply) Background checks are conducted prior to onboarding Ongoing background checks are conducted on a regular basis Police checks are conducted prior to onboarding Ongoing police checks are conducted on a regular basis Bankruptcy checks (e.g. via Dunn and Bradstreet or similar) are conducted prior to onboarding Ongoing bankruptcy checks (e.g. via Dunn and Bradstreet or similar) are conducted on a regular basis ASIC banned and disqualified register check is conducted prior to onboarding Ongoing ASIC banned and disqualified register checks are conducted on a regular basis Other steps are taken to provide this assurance No steps are taken to provide this assurance Where the steps taken by your organisation are not included in the options listed, select Other steps are taken to provide this assurance. A text box will appear for you to specify these steps. Where your organisation does not take any relevant steps, select No steps are taken to provide this assurance. A text box will appear for you to outline the steps you will take to provide the necessary assurance, as required under the Participation Rules. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Participation Rules.) Question 2 Question How do you ensure all persons who use the PEXA Exchange in your organisation are aware of the terms of the Participation Rules as appropriate to their use of the PEXA Exchange?   Requirement Your organisation has an obligation to ensure that each User is aware of the terms of the Participation Rules as appropriate to their use of the PEXA Exchange. (Participation Rules: Section 6.1.1) Compliance demonstration To demonstrate your organisation’s compliance with this requirement, you must specify the steps taken to ensure User awareness of the Participation Rules as appropriate to their use of the PEXA Exchange. The following options are available for you to select from: (select all that apply) An induction process for new starters that covers the Participation Rules Regular review of the Participation Rules and any updates on the ARNECC website Regular training sessions for staff on changes to the Participation Rules Nominated internal ‘expert’ provides others guidance on Participation Rules as required Other steps are taken to ensure User awareness of the Participation Rules as appropriate to their use of the PEXA Exchange No steps are taken to ensure User awareness of the Participation Rules as appropriate to their use of the PEXA Exchange Where the steps taken by your organisation are not included in the options listed, select Other steps are taken to ensure User awareness of the Participation Rules as appropriate to their use of the PEXA Exchange. A text box will appear for you to specify these steps. Where your organisation does not take any relevant steps, select No steps are taken to ensure User awareness of the Participation Rules as appropriate to their use of the PEXA Exchange. A text box will appear for you to outline the steps you will take to ensure the necessary awareness, as required under the Participation Rules. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Participation Rules.) Question 3 Question How do you ensure yourself and any other Users in your organisation receive appropriate training in the use of the PEXA Exchange?   Requirement Your organisation has an obligation to ensure that each User has received training appropriate to their use of the PEXA Exchange. (Participation Rules: Section 7.2.1(b))   Compliance demonstration To demonstrate your organisation’s compliance with this requirement, you must specify the steps taken to ensure appropriate training is received. The following options are available for you to select from: (select all that apply) All Users (whether one User or many Users) regularly use the PEXA Exchange and are made aware of any changes relevant to their use of the PEXA Exchange Regular training received from an external provider (e.g. from a registered training organisation or industry body) Regular contact with PEXA representatives and Member Support personnel Nominated internal ‘expert’ provides others guidance on use of the PEXA Exchange as required Regular review or participation in PEXA Community Utilise PEXA training resources such as the Help menu Users read PEXA release notes Training manuals cover the use of the PEXA Exchange Induction / buddy programs cover the use of the PEXA Exchange Completion of the PEXA Certified program and associated training Other steps are taken to ensure appropriate training is received No steps are taken to ensure appropriate training is received Where the steps taken by your organisation are not included in the options listed, select Other steps are taken to ensure appropriate training is received. A text box will appear for you to specify these steps. Where your organisation does not take any relevant steps, select No steps are taken to ensure appropriate training is received. A text box will appear for you to outline the steps you will take to ensure the appropriate training is received, as required under the Participation Rules. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Participation Rules.) Question 4 Question How does your organisation protect physical and electronic information provided by other Subscribers, the Registrar or by the PEXA Exchange from unauthorised use, reproduction or disclosure?   Requirement Your organisation has an obligation to ensure all information provided by another Subscriber, any Client, the Registrar or PEXA is protected from unauthorised use, reproduction or disclosure. (Participation Rules: Section 6.10)   Compliance demonstration To demonstrate your organisation’s compliance with this requirement, you must specify the steps taken to ensure information is protected from unauthorised use, reproduction or disclosure. The following options are available for you to select from: (select all that apply) Documents are shredded when no longer needed Documents are archived when appropriate An induction process for new starters that covers privacy and information security obligations Periodic refresher training process that covers privacy and information security obligations Work files and personal documents are locked away in a secure place Computer screens are locked Computers are securely stored (e.g. locked away in a drawer) A formal policy is in place to ensure desks are regularly cleared of sensitive information (e.g. a Clean Desk Policy) Secure printing practices are in place Other steps are taken to ensure information is protected from unauthorised use, reproduction or disclosure No steps are taken to ensure information is protected from unauthorised use, reproduction or disclosure Where the steps taken by your organisation are not included in the options listed, select Other steps are taken to ensure information is protected from unauthorised use, reproduction or disclosure. A text box will appear for you to specify these steps. Where your organisation does not take any relevant steps, select No steps are taken to ensure information is protected from unauthorised use, reproduction or disclosure. A text box will appear for you to outline the steps you will take to ensure information is appropriately protected, as required under the Participation Rules. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Participation Rules.) Further guidance Additional information on what may constitute reasonable steps to protect information is available through the Office of the Australian Information Commissioner (OAIC) website: https://www.oaic.gov.au/agencies-and-organisations/guides/guide-to-securing-personal-information Question 5 Question Did your organisation enter into a contract (Participation Agreement) directly with PEXA to use the PEXA Exchange (and it was not otherwise assigned, Novated, transferred or dealt to you from another entity)?   Requirement Your organisation has an obligation to maintain its own subscription to the PEXA Exchange, and a subscription cannot be assigned, Novated, transferred or otherwise dealt with. (Participation Rules: Section 6.12)   Compliance demonstration If your organisation has entered into a contract (Participation Agreement) directly with PEXA to use the PEXA Exchange (and it was not otherwise assigned, Novated, transferred or dealt to you from another entity), select Yes. If your organisation has not entered into a contract (Participation Agreement) directly with PEXA to use the PEXA Exchange (or it was otherwise assigned, Novated, transferred or dealt to you from another entity), select No. If you select No, a text box will appear for you to outline the steps you are taking to appropriately register your organisation to operate on the PEXA Exchange, as required under the Participation Rules. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Participation Rules.) Question 6 Question Does your organisation comply with state- and territory-based practitioner regulatory requirements regarding who is entitled to electronically sign Registry Instruments, for all Signers?   Requirement This is only applicable to practitioners, such as Australian Legal Practitioners or Law Practices and Licensed Conveyancers including Conveyancing Practices. For all other Subscribers, this requirement is not applicable. There is an obligation for applicable organisations to ensure that each Signer complies with the laws of the Jurisdiction regarding who can Digitally Sign Registry Instruments within the relevant states and territories. (Participation Rules: Section 6.15(b))   Compliance demonstration Please refer to the below link for current guidance on who is eligible to sign: https://www.arnecc.gov.au/resources/guidance-practitioner-regulators If this requirement is not applicable to your organisation, select N/A – This requirement is not applicable to my organisation. If your organisation does comply with these state- and territory-based practitioner regulatory requirements, select Yes. If your organisation does not comply with these state-and territory-based practitioner regulatory requirements, select No. If you select No, a text box will appear for you to outline the steps you are taking to ensure compliance with these requirements, as required under the Participation Rules. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Participation Rules.) Question 7 Question How do you ensure yourself and any other Users of the PEXA Exchange in your organisation are aware of and understand the terms of PEXA’s Subscriber Security Policy?   Requirement Your organisation has an obligation to provide a copy of the PEXA Subscriber Security Policy to Users, as well as to take reasonable steps to ensure they understand this Policy prior to allowing them access to the PEXA Exchange. (Subscriber Security Policy: Sections 4.4.1 & 4.4.4)   Compliance demonstration To demonstrate your organisation’s compliance with this requirement, you must specify the steps taken to ensure awareness and understanding of the Subscriber Security Policy. The following options are available for you to select from: (select all that apply) All Users (whether one User or many Users) are provided a copy of the Subscriber Security Policy and required to read the document prior to accessing the PEXA Exchange All Users (whether one User or many Users) are required to acknowledge they understand and will comply with the Subscriber Security Policy prior to accessing the PEXA Exchange Updates to Subscriber Security Policy are regularly reviewed Nominated internal ‘expert’ provides others guidance on Subscriber Security Policy as required Other steps are taken to ensure awareness and understanding of the Subscriber Security Policy No steps are taken to ensure awareness and understanding of the Subscriber Security Policy Where the steps taken by your organisation are not included in the options listed, select Other steps are taken to ensure awareness and understanding of the Subscriber Security Policy. A text box will appear for you to specify these steps. Where your organisation does not take any relevant steps, select No steps are taken to ensure awareness and understanding of the Subscriber Security Policy. A text box will appear for you to outline the steps you will take to ensure the necessary awareness, as required in the Subscriber Security Policy. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Subscriber Security Policy.) Question 8 Question Does each Signer in your organisation have their own Digital Certificate and only sign documents using their allocated Digital Certificate?   Requirement Your organisation has an obligation to ensure each Signer has their own Digital Certificate and only sign documents using their allocated Digital Certificate. (Subscriber Security Policy: Section 4.2.1)   Compliance demonstration If your organisation does comply with this requirement, select Yes. If your organisation does not comply with this requirement for each Signer to have their own Digital Certificate and only sign documents using their allocated Digital Certificate, select No. If you select No, a text box will appear for you to outline the steps you are taking to ensure compliance with the requirements regarding Digital Certificate use, as required in the Subscriber Security Policy. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Subscriber Security Policy.) Question 9 Question What measures does your organisation take to ensure PEXA Access Credentials, User profiles and Digital Certificates for the PEXA Exchange are not 1) used by more than one Individual or 2) subject to unauthorised access and use?   Requirement Your organisation has an obligation to have measures in place to protect Access Credentials, User profiles and Digital Certificates from 1) use by more than one Individual or 2) unauthorised access and use.  (Subscriber Security Policy: Sections 4.3.1, 4.3.2, 4.5.1 & 4.7)   Compliance demonstration To demonstrate your organisation’s compliance with this requirement, you must specify the steps taken to ensure PEXA Access Credentials, User profiles and Digital Certificates for the PEXA Exchange are not used by more than one Individual or subject to unauthorised access and use. The following options are available for you to select from: (select all that apply) Use of the same PEXA Access Credentials, User profiles and Digital Certificates by more than one Individual is explicitly prohibited in your organisation (i.e. as outlined by a policy or guidance). Users are prohibited from disclosing PEXA Access Credentials to anyone, including colleagues, supervisors, family members or friends (i.e. as outlined by a policy or guidance). Any device used to receive verification codes that enable a User to login to the PEXA Exchange is not accessible by more than one Individual PEXA Access Credentials are immediately changed if they are suspected of being Compromised PEXA Access Credentials include a strong password that could not be easily guessed by others (i.e. passwords do not include a User’s date of birth, name, phone number or similar) Digital Certificates are stored in a safe location and removed from a User’s computer when no longer accessing the PEXA Exchange PEXA is immediately notified of any instance of theft, unauthorised disclosure or improper use of PEXA Access Credentials, User profiles or Digital Certificates Other steps are taken to ensure PEXA Access Credentials, User profiles and Digital Certificates for the PEXA Exchange are not used by more than one Individual or subject to unauthorised access and use No steps are taken to ensure PEXA Access Credentials, User profiles and Digital Certificates for the PEXA Exchange are not used by more than one Individual or subject to unauthorised access and use Where the steps taken by your organisation are not included in the options listed, select Other steps are taken to ensure PEXA Access Credentials, User profiles and Digital Certificates for the PEXA Exchange are not used by more than one Individual or subject to unauthorised access and use. A text box will appear for you to specify these steps. Where your organisation does not take any relevant steps, select No steps are taken to ensure PEXA Access Credentials, User profiles and Digital Certificates for the PEXA Exchange are not used by more than one Individual or subject to unauthorised access and use. A text box will appear for you to outline the steps you will take to remedy the situation, as required in the Subscriber Security Policy. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Subscriber Security Policy.) Question 10 Question Has your organisation created a User account within PEXA that can be accessed by more than one Individual, such as a shared account for the office?   Requirement Your organisation has an obligation to take reasonable steps to ensure that only Users (natural persons) access the PEXA Exchange. In the Participation Rules, a User means “an Individual authorised by a Subscriber to access and use the ELN on behalf of the Subscriber.” An Individual means “a natural person” according to the Electronic Conveyancing National Law (ECNL). (Participation Rules: Section 7.2.1(a))   Compliance demonstration If your organisation has not created a User account within PEXA that can be accessed by more than one Individual, select No. If your organisation hascreated a User account within PEXA that can be accessed by more than one Individual, select Yes. If you select Yes, a text box will appear for you to outline the steps you are taking to remove this User account, as required under the Participation Rules. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Participation Rules.) Question 11 Question Does your organisation have Anti-Virus Software installed on all computers that meets the following requirements? The ability to identify and remove viruses The ability to identify and remove other types of harmful computer software, generally referred to as Malware (or malicious software) The ability to automatically receive anti-virus updates from the relevant Anti-Virus Software vendors The ability to automatically scan for viruses and Malware in documents, on servers and workstations   Requirement Viruses and Malware are forms of malicious software introduced into an electronic device such as your computer or mobile device with the intent of causing harm to compromise the confidentiality, integrity or availability of your systems and computer networks or data held on these systems. Your organisation has an obligation to provide anti-virus protection against any unauthorised or uncontrolled access to IT systems and access points that are used by you to access the PEXA Exchange. This anti-virus protection must meet the criteria outlined in the review question and the Subscriber Security Policy. (Subscriber Security Policy: Section 4.2.3)   Compliance demonstration If your organisation outsources the management of your IT environment, you may need to engage your service provider to confirm that Anti-Virus Software in place is compliant with these obligations. If your organisation does have Anti-Virus Software installed on all computers that meets the requirements outlined, select Yes. If your organisation does not have Anti-Virus Software installed on all computers that meets the requirements outlined, select No. If you select No, a text box will appear for you to outline the steps you will take to implement compliant Anti-Virus Software, as required in the Subscriber Security Policy. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Subscriber Security Policy.) Question 12 Question What steps does your organisation take to ensure security vulnerabilities in IT operating systems and applications are Patched and updated as necessary?   Requirement Your organisation has an obligation to keep your IT operating systems and applications up to date by taking reasonable steps to install Patches and updates (including security specific updates). The purpose of Patching and operating system updates is to address vulnerabilities discovered after the release of software. Patches apply to many different parts of an information system including operating systems, servers, routers, desktops, email clients, office suites, mobile devices, firewalls, and other components which exist within a computer network. Your organisation is required to have a software Patching schedule or procedure which is run frequently. This must include IT infrastructure such as operating systems, web browsers, endpoint devices that support your ability to access the PEXA Exchange. To ensure Patches and updates are correctly installed, please ensure you restart all computers on a regular basis. (Subscriber Security Policy: Sections 4.2.3, 4.2.4 & 4.2.5)   Compliance demonstration To demonstrate your organisation’s compliance with this requirement, you must specify the steps taken to ensure security vulnerabilities in IT operating systems and applications are Patched and updated as necessary. If your organisation outsources the management of your IT environment, you may need to engage your service provider to confirm the frequency of Patch and update installation. The following options are available for you to select from: (select all that apply) Patches and updates are installed automatically, and all computers are restarted following the installation Patches and updates are installed on at least a quarterly basis, and all computers are restarted following the installation Other steps are taken to ensure security vulnerabilities in IT operating systems and applications are Patched and updated as necessary Patches and updates are installed less frequently than once a quarter Patches and updates are not regularly installed Where the steps taken by your organisation are not included in the options listed, select Other steps are taken to ensure security vulnerabilities in IT operating systems and applications are Patched and updated as necessary. A text box will appear for you to specify these steps. Where your organisation installs Patches and updates less frequently than once a quarter, select Patches and updates are installed less frequently than once a quarter. A text box will appear for you to outline the steps you will take to ensure Patches and updates are installed more frequently. Where your organisation does not take any relevant steps, select Patches and updates are not regularly installed. A text box will appear for you to outline the steps you will take to remedy the situation, as required in the Subscriber Security Policy. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Subscriber Security Policy.)   Further guidance It is considered good practice to align your organisation’s Patching processes to those recommended by the Australian Signals Directorate’s ‘Essential Eight’. This guidance recommends ‘extreme risk’ vulnerabilities be Patched within 48 hours. Further information on the ‘Essential Eight’ can be found at https://www.cyber.gov.au/publications/essential-eight-explained. To determine the severity of a vulnerability in need of Patching, the Common Vulnerability Scoring System (CVSS) is an accepted industry standard. Further information on CVSS can be found at https://www.first.org/cvss/. Question 13 Question How does your organisation detect and prevent any unusual or suspicious activities within the PEXA Exchange?   Requirement Your organisation has an obligation to take reasonable steps to monitor the usage of systems and activities of Users who are accessing the PEXA Exchange to identify unusual or suspicious activities. (Subscriber Security Policy: Section 4.4.3)   Compliance demonstration To demonstrate your organisation’s compliance with this requirement, you must specify the steps taken to detect and prevent any unusual or suspicious activities within the PEXA Exchange. The following options are available for you to select from: (select all that apply) Confirm open and completed Workspaces are valid on a regular basis Undertake an additional check of financial line items prior to Workspace signing Review of information entered into Workspace prior to settlement Monitor the signing of documents and financial line items outside of normal hours Regular review of “Manage Users” in PEXA Exchange to confirm legitimacy of User access privileges Other detection / prevention measures are currently in place No detection / prevention measures are currently in place Where the steps taken by your organisation are not included in the options listed, select Other detection / prevention measures are currently in place. A text box will appear for you to specify these measures. Where your organisation does not take any relevant steps, select No detection / prevention measures are currently in place. A text box will appear for you to outline the steps you will take to implement appropriate detection / prevention measures, as required in the Subscriber Security Policy. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Subscriber Security Policy.) Question 14 Question How does your organisation take reasonable steps to verify the accuracy of account details provided by or to clients?   Requirement The use of email to exchange financial information can be insecure, with the potential for interception by a third party without the knowledge of the sender or receiver. This can result in fraudulent payments and the loss of funds. It is recommended that organisations involved in exchanging bank account details with clients take reasonable steps to verify the accuracy of account details provided by or to clients. (Subscriber Security Policy: Section 4.2.6) This requirement is only applicable to organisations that exchange account details with clients.   Compliance demonstration You must specify the steps taken to verify the accuracy of account details provided by or to clients. The following options are available for you to select from: (select all that apply) Bank account details are sent and received via PEXA Key Bank account details are verified in person or over the phone if sent or received via any other means My organisation does not exchange account details with clients Other steps are taken to verify the accuracy of account details No steps are taken to verify the accuracy of account details Where the steps taken by your organisation are not included in the options listed, select Other steps are taken to verify the accuracy of account details. A text box will appear for you to specify these steps. Where your organisation does not take any relevant steps, select No steps are taken to verify the accuracy of account details. A text box will appear for you to outline the steps you will take in future to verify the accuracy of account details to reduce the risk of a fraudulent payment or the loss of funds. If your organisation does not exchange bank account details with clients, select My organisation does not exchange account details with clients. Question 15 Question How does your organisation manage PEXA Exchange User access?   Requirement Your organisation has an obligation to perform User access reviews on at least an annual basis. Your organisation also has an obligation to promptly modify User access privileges when you no longer want a User to access the PEXA Exchange at all, or in a particular capacity (such as removal of privileges to act as a Signer or Subscriber Administrator). Reviewing the list of Users and Signers within the PEXA Exchange includes performing actions such as: Confirming only authorised Users continue to retain access to the PEXA Exchange Confirming only authorised Signers continue to hold a valid Digital Certificate Confirming PEXA Exchange permissions are still appropriate for each User For large organisations, it is good practice to embed changes to PEXA Exchange access privileges in your human resource offboarding processes. If a User’s Digital Certificate is no longer required, you are required to advise PEXA. To do this, please email registration@pexa.com.au advising the Digital Certificate that is to be cancelled. (Subscriber Security Policy: Sections 4.5.2 & 4.6.1)   Compliance demonstration To demonstrate your organisation’s compliance with this requirement, you must specify the steps taken to monitor and manage PEXA Exchange User access. The following options are available for you to select from: (select all that apply) Regular review of the list of Users and Signers within the PEXA Exchange (at least annually) Modify User access privileges promptly when circumstances change (i.e. a staff member leaves the organisation, a staff member no longer requires access to PEXA or a staff member is away on extended leave) Disabling of Digital Certificates when no longer required Other steps are taken to monitor and manage PEXA Exchange User access No steps are taken to monitor and manage PEXA Exchange User access Where the steps taken by your organisation are not included in the options listed, select Other steps are taken to monitor and manage PEXA Exchange User access. A text box will appear for you to specify these steps. Where your organisation does not take any relevant steps, select No steps are taken to monitor and manage PEXA Exchange User access. A text box will appear for you to outline the steps you will take in future to monitor and manage PEXA Exchange User access, as required in the Subscriber Security Policy. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Subscriber Security Policy.) Question 16 Question Does your organisation immediately notify PEXA if yourself or any other User becomes aware of a suspected or actual breach of the PEXA Subscriber Security Policy?   Requirement Your organisation has an obligation to immediately, upon becoming aware, notify PEXA of any breach of the PEXA Subscriber Security Policy that may affect the PEXA Exchange or the integrity or security of the Electronic Lodgement Network (ELN). (Subscriber Security Policy: Section 6)   Compliance demonstration If your organisation immediately notifies PEXA when yourself or any other User becomes aware of a suspected or actual breach of the PEXA Subscriber Security Policy, select Yes. If your organisation is aware of the obligation to immediately notify PEXA but has not had to provide such a notification, select Organisation is aware of the obligation but has not had to provide such notification. If your organisation does not immediately notify PEXA if yourself or any other User becomes aware of a suspected or actual breach of the PEXA Subscriber Security Policy, select No. If you select No, a text box will appear for you to outline the steps you will take in future to notify PEXA of suspected or actual breaches, as required in the Subscriber Security Policy. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Subscriber Security Policy.) Question 17 Question Are your organisation’s PEXA Signers deemed to comply with the good character and reputation matters listed in Participation Rule 7.4.1(b)?   Requirement Your organisation has an obligation to ensure its Signers are of good character and reputation, where they are not deemed to comply. Many Signers are deemed to comply with this rule, including Australian Legal Practitioners, Licensed Conveyancers and Public Servants acting on behalf of the Crown in right of the Commonwealth, a State or a Territory. For a full list of those deemed to comply, please refer to Participation Rule 7.4.2. (Participation Rules: Section 7.4.1)   Compliance demonstration If all Signers within your organisation are deemed to comply with this rule, select Yes, and move on to Question 18. Where one or more of the Signers within your organisation are not deemed to comply, select No. If you select No, you will be prompted with a supplementary question:   Supplementary question only applicable if you selected No What steps has your organisation taken to ensure Signers are not and have not been subject to any of the good character and reputation matters as listed in Participation Rule 7.4.1(b)?   Compliance demonstration To demonstrate your organisation’s compliance with this requirement, you must specify the steps taken to provide this assurance. The following options will then be available for you to select from: (select all that apply) Background checks are conducted prior to onboarding Ongoing background checks are conducted on a regular basis Police checks are conducted prior to onboarding Ongoing police checks are conducted on a regular basis Bankruptcy checks (e.g. via Dunn and Bradstreet or similar) are conducted prior to onboarding Ongoing bankruptcy checks (e.g. via Dunn and Bradstreet or similar) are conducted on a regular basis ASIC banned and disqualified register check is conducted prior to onboarding Ongoing ASIC banned and disqualified register checks are conducted on a regular basis Other steps are taken to provide this assurance No steps are taken to provide this assurance Where the steps taken by your organisation are not included in the options listed, select Other steps are taken to provide this assurance. A text box will appear for you to specify these steps. Where your organisation does not take any relevant steps, select No steps are taken to provide this assurance. A text box will appear for you to outline the steps you will take to provide the necessary assurance, as required under the Participation Rules. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Participation Rules.) Question 18 Question Have there been any instances where a Conveyancing Transaction involving your organisation has been Jeopardised?   Requirement Where a Conveyancing Transaction has been Jeopardised to your knowledge, information or belief, you must: Unsign any electronic Registry Instruments and other Documents relating to the Conveyancing Transaction immediately, where possible. Immediately notify PEXA and the Registrar of the situation. Immediately notify the other Participating Subscribers of any information about the Conveyancing Transaction that it believes to be incorrect, omitted, false or misleading or that the Conveyancing Transaction has been Jeopardised. In the Participation Rules, Jeopardised means "put at risk the integrity of the Titles Register by fraud or other means" (e.g. any activity that has resulted in a fraudulent change to Documents electronically lodged to the Titles Register). (Participation Rules: Section 7.7.1)   Compliance demonstration If there have been no instances where a Conveyancing Transaction involving your organisation has been Jeopardised, select No, there have been no such instances involving my organisation, and move on to Question 19. If there have been any instances where a Conveyancing Transaction involving your organisation has been Jeopardised, select Yes. If you select Yes, you will be prompted with a supplementary question:   Supplementary question only applicable if you selected Yes Did you undertake the required actions upon discovery of the situation?   Compliance demonstration To demonstrate your organisation’s compliance with this requirement, you must confirm if you undertook the required actions upon discovery of the situation. If your organisation did undertake the required actions, select Yes, these actions were taken. If your organisation did not undertake the required actions, select No, these actions were not taken. If you select No these actions were not taken, a text box will appear for you to outline the steps taken in response to the Jeopardised transaction(s) and how your organisation will ensure appropriate steps are always taken in future, as required under the Participation Rules. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Participation Rules.) Question 19 Question Have there been any instances where your organisation’s Security Items have been or likely to have been Compromised?   Requirement Where a User's Security Items have been or are likely to be Compromised, you must: Immediately revoke the User’s authority to access and use PEXA and prevent the User from accessing and using PEXA. For a Digital Certificate: Immediately check all Workspaces where the Digital Certificate has been used. Where possible, unsign any Registry Instruments and other Documents you are aware or suspect have been signed without appropriate authorisation. Where it is not possible to unsign the Registry Instruments and other Documents, you must immediately notify PEXA of the situation. Promptly notify the Certification Authority (provider of the Digital Certificate) and revoke or cancel the Digital Certificate (including doing everything reasonably necessary to cause the Certification Authority to revoke or cancel it). Promptly notify PEXA. In the Participation Rules, Compromised means "lost or stolen, or reproduced, modified, disclosed or used without proper authority", such as historic credential sharing Subscriber Security Policy breaches. Security Item means "User Access Credentials, passphrases, Private Keys, Digital Certificates, Electronic Workspace identifiers and other items as specified from time to time." (Participation Rules: Section 7.9.1)   Compliance demonstration If there have been no instances where your organisation’s Security Items have been or likely to have been Compromised, select No, there have been no such instances involving my organisation, and move on to the Declaration. If there have been any instances where your organisation’s Security Items have been or likely to have been Compromised, select Yes. If you select Yes, you will be prompted with a supplementary question:   Supplementary question only applicable if you selected Yes Did you undertake the required actions upon discovery of the situation?   Compliance demonstration To demonstrate your organisation’s compliance with this requirement, you must confirm if you undertook the required actions upon discovery of the situation. If your organisation did undertake the required actions, select Yes, these actions were taken. If your organisation did not undertake the required actions, select No, these actions were not taken. If you select No these actions were not taken, a text box will appear for you to outline the steps taken to address the Compromised Security Items and how your organisation will ensure appropriate steps are always taken in future, as required under the Participation Rules. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Participation Rules.) Declaration and Submission Following completion of responses to the questionnaire, you will be presented with the following statement: Failure to accurately complete PEXA’s Subscriber Review Process is a breach of my obligations under Schedule 7 of the Model Participation Rules. Knowingly providing false or inaccurate responses may result in the suspension of my Subscriber account. To submit your responses, you are required to confirm that I acknowledge the above statement and confirm all responses provided are accurate. If you wish to change any of your responses prior to submission, click on the Previous button to return to the questionnaire. Once you are ready to submit your responses, navigate back to the declaration.   Cases where a breach is identified Throughout the questionnaire, you are provided an opportunity to outline what steps you will take to address any breaches of the Participation Rules or Subscriber Security Policy that are immediately apparent from your responses. PEXA’s Subscriber Review Team will review the responses provided in these cases and work with you to ensure you are in a position to action these steps and demonstrate your compliance.    Glossary Capitalised terms used in these guidance notes have the meanings referenced or set out here or the meanings given to them in the Participation Rules, ECNL or by the industry regulator ARNECC.   Term Definition Anti-Virus Software Software utility that detects, prevents, and removes viruses, and other Malware from a computer. Most anti-virus programs include an auto-update feature that permits the program to download profiles if new viruses, enabling the system to check for new threats. Malware Also known as malicious software, is any program or file that is harmful to a computer user. Types of Malware can include computer viruses, worms, Trojan horses and spyware. Novated Substitution of an original party to a contract with a new party, or substitution of an original contract with a new contract Participation Agreement The Participation Agreement (PA) is the overarching agreement between PEXA and each Subscriber. The PA includes: Obligations of both parties including privacy, confidentiality, liability, suspension, termination, insurance, disputes and change management. The PEXA Service Charter, PEXA Pricing Policy and PEXA Security Policy. The terms and conditions governing Financial Settlement in PEXA. A commitment by each Subscriber to comply with the Model Participation Rules, as outlined by ARNECC. Patch A set of changes to a computer program or its supporting data designed to update, fix, or improve it. This includes fixing security vulnerabilities and other bugs, and improving the usability or performance. Primary Subscriber Manager The nominated PEXA contact of the Subscriber. The Primary Subscriber Manager holds the highest level of access to the PEXA Exchange. They have the ability to: Create and edit Subscriber details Setup and verify Financial Account information Create and edit Users Create and edit Workgroups Subscriber Administrator Does not have access to Subscriber details or financial account information. They do have the ability to: Create and edit Users Create and edit Workgroups Subscriber Security Policy Sets out the security requirements that Subscribers must ensure that they and their Users adhere to when using the PEXA Exchange in order to maintain the overall security of the PEXA Exchange. Workspace A shared area in PEXA where Subscribers prepare property instruments and settlement documents for a property exchange transaction to effect lodgement and or settlement.     ... View more

The new Settlement Summary FSS is in a limited pilot from November 11. We have listed the three main changes to the settlement summary below. If you are participating in this pilot and require further clarification or have any questions please reach out to your account manager or PEXA representative.    The three key features for this pilot are: Simpler path to agree on the Adjustments Status Flags/indicators included FSS Auto calculation Vendor Surplus via selection of a button Shortfall via selection of a button ... View more