The Australian Registrars' National Electronic Conveyancing Council (ARNECC) is the body established to facilitate the implementation and ongoing management of the regulatory framework for electronic conveyancing of real property in Australia.
Operating Requirement 14.7 of the ARNECC’s Model Operating Requirements (MOR) requires PEXA to establish, implement, review and keep current a Subscriber Review Process (SRP) to ensure Subscribers are complying with the Participation Rules.
Accordingly, Primary Subscriber Managers from all eligible Subscribers will be selected to participate in the SRP periodically. When your organisation is selected, you will have 30 days to complete the review. Completion of the SRP is a requirement of your organisation’s Participation Agreement with PEXA.
The process for selecting recipients of the SRP is random and based upon criteria previously agreed with ARNECC. Recipients include, but are not limited to, Financial Institutions, Legal Practitioners and Conveyancers.
Primary Subscriber Managers will be notified via email if their organisation has been selected to complete the SRP questionnaire. The email will not include a link to the Subscriber review portal, as PEXA will never send a link to a login page in an email to its Subscribers. Instructions for accessing the portal are included in the notification email and outlined on page 4 of these Guidance Notes.
If you have any questions, please contact Member Support on 1300 084 515 or send an email to subscriberreviewprocess@pexa.com.au
Subscriber Review Process Structure
The SRP focuses on the following categories of the Participation Rules/Participation Agreement:
Eligibility Criteria;
General Obligations;
System Security and Integrity; and
Privacy.
These Guidance Notes are designed to assist PEXA Subscribers with answering the SRP questions.
For each SRP question, you will see the following guidance structure:
Question
The question as it appears in the SRP questionnaire.
Requirement
Your obligation under the Participation Rules/Participation Agreement.
Compliance demonstration
How you can demonstrate your compliance in response to the question.
Whilst completing the SRP questionnaire, it is recommended that you have these Guidance Notes readily available in addition to the following documentation:
Participation Rules;
PEXA Subscriber Security Policy; and
Your organisation’s PEXA Participation Agreement.
Further questions regarding the questionnaire or the Subscriber Review Process can be directed to: SubscriberReviewProcess@pexa.com.au
Accessing the Questionnaire
To access the Subscriber review portal, Primary Subscriber Managers will need to log into the PEXA Exchange and click on the ‘Subscriber Review’ button located on the right-hand side of their Dashboard.
Alternatively, Primary Subscriber Managers can access the portal by navigating to www.pexa.com.au/srp, scrolling down to the Subscriber review portal section and clicking on the link included on the page. Upon clicking the ‘Subscriber Review’ button or the link from PEXA’s website, Primary Subscriber Managers will be directed to the Subscriber review portal, where the questionnaire link will appear as highlighted by the light purple oval in Diagram 2. Primary Subscriber Managers will need to click on the ‘SRP’ link to access the SRP questionnaire.
Note: If additional information is required after the review is initially submitted, this can be provided by clicking on ‘Tasks’ (located next to ‘Assessment’ in the portal).
Question 1
Question
Are all your organisation’s principals, directors, partners, officers and Subscriber Administrators deemed to comply with the good character and reputation matters listed in Participation Rule 4.3.1(b)?
Requirement
Many Individuals are deemed to comply with this rule, including Australian Legal Practitioners, Licensed Conveyancers and officers or employees of Authorised Deposit-Taking Institutions. For a full list of those deemed to comply, please refer to Participation Rule 4.3.3.
Your organisation has an obligation to ensure its principals, directors, partners, officers and Subscriber Administrators are of good character and reputation, where they are not deemed to comply.
(Participation Rules: Section 4.3.1(b))
Compliance demonstration
If all relevant Individuals within your organisation are deemed to comply with this rule, select Yes, and move on to Question 2.
Where one or more of the relevant Individuals within your organisation are not deemed to comply, select No. If you select No, you will be prompted with a supplementary question:
Supplementary question only applicable if you selected No
What steps has your organisation taken to ensure all principals, directors, partners, officers and Subscriber Administrators are not and have not been subject to any of the good character and reputation matters as listed in Participation Rule 4.3.1(b)?
Compliance demonstration
To demonstrate your organisation’s compliance with this requirement, you must specify the steps taken to provide this assurance.
The following options will then be available for you to select from (select if applicable):
Background checks are conducted prior to onboarding and on a regular basis covering the matters as listed in Participation Rules 4.3.1(b)
Other steps are taken to provide this assurance
No steps are taken to provide this assurance
Where the steps taken by your organisation are not included in the options listed, select Other steps are taken to provide this assurance. A text box will appear for you to specify these steps.
Where your organisation does not take any relevant steps, select No steps are taken to provide this assurance. A text box will appear for you to outline the steps you will take to provide the necessary assurance, as required under the Participation Rules. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Participation Rules.)
Question 2
Question
How do you ensure all persons who use the PEXA Exchange in your organisation are aware of the terms of the Participation Rules as appropriate to their use of the PEXA Exchange?
Requirement
Your organisation has an obligation to ensure that each User is aware of the terms of the Participation Rules as appropriate to their use of the PEXA Exchange.
(Participation Rules: Section 6.1.1)
Compliance demonstration
To demonstrate your organisation’s compliance with this requirement, you must specify the steps taken to ensure User awareness of the Participation Rules as appropriate to their use of the PEXA Exchange.
The following options are available for you to select from: (select all that apply)
An induction process for new starters that covers the Participation Rules
Regular review of the Participation Rules and any updates on the ARNECC website
Nominated internal ‘expert’ provides others guidance on Participation Rules as required
Other steps are taken to ensure User awareness of the Participation Rules as appropriate to their use of the PEXA Exchange
No steps are taken to ensure User awareness of the Participation Rules as appropriate to their use of the PEXA Exchange
Where the steps taken by your organisation are not included in the options listed, select Other steps are taken to ensure User awareness of the Participation Rules as appropriate to their use of the PEXA Exchange. A text box will appear for you to specify these steps.
Where your organisation does not take any relevant steps, select No steps are taken to ensure User awareness of the Participation Rules as appropriate to their use of the PEXA Exchange. A text box will appear for you to outline the steps you will take to ensure the necessary awareness, as required under the Participation Rules. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Participation Rules.)
Question 3
Question
How do you ensure yourself and any other Users in your organisation receive appropriate training in the use of the PEXA Exchange?
Requirement
Your organisation has an obligation to ensure that each User has received training appropriate to their use of the PEXA Exchange.
(Participation Rules: Section 7.2.1(b))
Compliance demonstration
To demonstrate your organisation’s compliance with this requirement, you must specify the steps taken to ensure appropriate training is received.
The following options are available for you to select from: (select all that apply)
Regular training received from an external provider (e.g. from a registered training organisation or industry body)
Regular contact with PEXA representatives and Member Support personnel
Nominated internal ‘expert’ provides others guidance on use of the PEXA Exchange as required
Utilise PEXA training resources such as the Help menu
Users have been trained by PEXA personnel
Training manuals cover the use of PEXA Exchange
Induction / buddy programs cover the use of the PEXA Exchange
Completion of the PEXA Certified program
Other steps are taken to ensure appropriate training is received
No steps are taken to ensure appropriate training is received
Where the steps taken by your organisation are not included in the options listed, select Other steps are taken to ensure appropriate training is received. A text box will appear for you to specify these steps.
Where your organisation does not take any relevant steps, select No steps are taken to ensure appropriate training is received. A text box will appear for you to outline the steps you will take to ensure the appropriate training is received, as required under the Participation Rules. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Participation Rules.)
Question 4
Question
How does your organisation protect physical and electronic information provided by other Subscribers, the Registrar or by the PEXA Exchange from unauthorised use, reproduction or disclosure?
Requirement
Your organisation has an obligation to ensure all information provided by another Subscriber, any Client, the Registrar or PEXA is protected from unauthorised use, reproduction or disclosure.
(Participation Rules: Section 6.10)
Compliance demonstration
To demonstrate your organisation’s compliance with this requirement, you must specify the steps taken to ensure information is protected from unauthorised use, reproduction or disclosure.
The following options are available for you to select from: (select all that apply)
Documents are shredded when no longer needed
Documents are archived when appropriate
An induction process for new starters that covers privacy obligations relating to information provided by other Subscribers, the Registrar or by the PEXA Exchange
Periodic refresher training process that covers privacy obligations relating to information provided by other Subscribers, the Registrar or by the PEXA Exchange
Work files and personal documents are locked away in a secure place
Computer screens are locked
Computers are securely stored (e.g. locked away in a drawer)
A formal policy is in place to ensure desks are regularly cleared of sensitive information (e.g. a Clean Desk Policy)
Secure printing practices are in place
Other steps are taken to ensure information is protected from unauthorised use, reproduction or disclosure
No steps are taken to ensure information is protected from unauthorised use, reproduction or disclosure
Where the steps taken by your organisation are not included in the options listed, select Other steps are taken to ensure information is protected from unauthorised use, reproduction or disclosure. A text box will appear for you to specify these steps.
Where your organisation does not take any relevant steps, select No steps are taken to ensure information is protected from unauthorised use, reproduction or disclosure. A text box will appear for you to outline the steps you will take to ensure information is appropriately protected, as required under the Participation Rules. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Participation Rules.)
Further guidance
Additional information on what may constitute reasonable steps to protect information is available through the Office of the Australian Information Commissioner (OAIC) website: https://www.oaic.gov.au/agencies-and-organisations/guides/guide-to-securing-personal-information
Question 5
Question
Did your organisation enter into a Participation Agreement directly with PEXA (and it was not otherwise assigned, Novated, transferred or dealt to you from another entity)?
Requirement
Your organisation has an obligation to maintain its own subscription to the PEXA Exchange, and a subscription cannot be assigned, Novated, transferred or otherwise dealt with.
(Participation Rules: Section 6.12)
Compliance demonstration
If your organisation has entered into a Participation Agreement directly with PEXA (and it was not otherwise assigned, Novated, transferred or dealt to you from another entity), select Yes.
If your organisation has not entered into a Participation Agreement directly with PEXA (or it was otherwise assigned, Novated, transferred or dealt to you from another entity), select No.
If you select No, a text box will appear for you to outline the steps you are taking to appropriately register your organisation to operate on the PEXA Exchange, as required under the Participation Rules. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Participation Rules.)
Question 6
Question
Does your organisation comply with state- and territory-based practitioner regulatory requirements regarding who is entitled to electronically sign Registry Instruments, for all Signers?
Requirement
This is only applicable to practitioners, such as Australian Legal Practitioners or Law Practices, and Licensed Conveyancers including Conveyancing Practices.
For all other Subscribers, this requirement is not applicable.
There is an obligation for applicable organisations to ensure that each Signer complies with the laws of the Jurisdiction regarding who can Digitally Sign Registry Instruments within the relevant states and territories.
(Participation Rules: Section 6.15(b))
Compliance demonstration
Please refer to the below link for current guidance on who is eligible to sign: https://www.arnecc.gov.au/resources/guidance-practitioner-regulators
If this requirement is not applicable to your organisation, select N/A – This requirement is not applicable to my organisation.
If your organisation does comply with these state- and territory-based practitioner regulatory requirements, select Yes.
If your organisation does not comply with these state- and territory-based practitioner regulatory requirements, select No.
If you select No, a text box will appear for you to outline the steps you are taking to ensure compliance with these requirements, as required under the Participation Rules. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Participation Rules.)
Question 7
Question
How do you ensure yourself and any other Users of the PEXA Exchange in your organisation are aware of and understand the terms of PEXA’s Subscriber Security Policy?
Requirement
Your organisation has an obligation to provide a copy of the PEXA Subscriber Security Policy to Users, as well as to take reasonable steps to ensure they understand this Policy prior to allowing them access to the PEXA Exchange.
(Subscriber Security Policy: Sections 4.4.1 & 4.4.4)
Compliance demonstration
To demonstrate your organisation’s compliance with this requirement, you must specify the steps taken to ensure awareness and understanding of the Subscriber Security Policy.
The following options are available for you to select from: (select all that apply)
All Users (whether one User or many Users) are provided a copy of the Subscriber Security Policy and are required to read the document and acknowledge they understand and will comply with the Subscriber Security Policy prior to accessing the PEXA Exchange
Updates to Subscriber Security Policy are regularly reviewed
Nominated internal ‘expert’ provides others guidance on Subscriber Security Policy as required
Other steps are taken to ensure awareness and understanding of the Subscriber Security Policy
No steps are taken to ensure awareness and understanding of the Subscriber Security Policy
Where the steps taken by your organisation are not included in the options listed, select Other steps are taken to ensure awareness and understanding of the Subscriber Security Policy. A text box will appear for you to specify these steps.
Where your organisation does not take any relevant steps, select No steps are taken to ensure awareness and understanding of the Subscriber Security Policy. A text box will appear for you to outline the steps you will take to ensure the necessary awareness, as required in the Subscriber Security Policy. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Subscriber Security Policy.)
Question 8
Question
Does each Signer in your organisation have their own Digital Certificate and only sign documents using their allocated Digital Certificate?
Requirement
Your organisation has an obligation to ensure each Signer has their own Digital Certificate and only signs documents using their allocated Digital Certificate.
(Subscriber Security Policy: Section 4.2.1)
Compliance demonstration
If your organisation does comply with this requirement, select Yes.
If your organisation does not comply with this requirement for each Signer to have their own Digital Certificate and only sign documents using their allocated Digital Certificate, select No.
If you select No, a text box will appear for you to outline the steps you are taking to ensure compliance with the requirements regarding Digital Certificate use, as required in the Subscriber Security Policy. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Subscriber Security Policy.)
Question 9
Question
What measures does your organisation take to ensure PEXA Access Credentials, User profiles and Digital Certificates for the PEXA Exchange are not 1) used by more than one Individual or 2) subject to unauthorised access and use?
Requirement
Your organisation has an obligation to have measures in place to protect Access Credentials, User profiles and Digital Certificates from 1) use by more than one Individual or 2) unauthorised access and use.
(Subscriber Security Policy: Sections 4.3.1, 4.3.2, 4.5.1 & 4.7)
Compliance demonstration
To demonstrate your organisation’s compliance with this requirement, you must specify the steps taken to ensure PEXA Access Credentials, User profiles and Digital Certificates for the PEXA Exchange are not used by more than one Individual or subject to unauthorised access and use.
The following options are available for you to select from: (select all that apply)
Use and disclosure of the same PEXA Access Credentials, User profiles and Digital Certificates by more than one Individual, including colleagues, family or friends, is explicitly prohibited in your organisation (e.g. as outlined in a policy or guidance)
Any device used to receive verification codes that enable a User to log in to the PEXA Exchange is not accessible by more than one Individual
PEXA Access Credentials are immediately changed if they are suspected of being Compromised
PEXA Access Credentials include a strong password that could not be easily guessed by others (e.g. passwords do not include a User’s date of birth, name, phone number or similar)
Digital Certificates are stored in a safe location and removed from a User’s computer when no longer accessing the PEXA Exchange
PEXA is immediately notified of any instance of theft, unauthorised disclosure or improper use of PEXA Access Credentials, User profiles or Digital Certificates
Other steps are taken to ensure PEXA Access Credentials, User profiles and Digital Certificates for the PEXA Exchange are not used by more than one Individual or subject to unauthorised access and use
No steps are taken to ensure PEXA Access Credentials, User profiles and Digital Certificates for the PEXA Exchange are not used by more than one Individual or subject to unauthorised access and use
Where the steps taken by your organisation are not included in the options listed, select Other steps are taken to ensure PEXA Access Credentials, User profiles and Digital Certificates for the PEXA Exchange are not used by more than one Individual or subject to unauthorised access and use. A text box will appear for you to specify these steps.
Where your organisation does not take any relevant steps, select No steps are taken to ensure PEXA Access Credentials, User profiles and Digital Certificates for the PEXA Exchange are not used by more than one Individual or subject to unauthorised access and use. A text box will appear for you to outline the steps you will take to remedy the situation, as required in the Subscriber Security Policy. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Subscriber Security Policy.)
Question 10
Question
Has your organisation created a User account within PEXA that can be accessed by more than one Individual, such as a shared account for the office?
Requirement
Your organisation has an obligation to take reasonable steps to ensure that only Users (natural persons) access the PEXA Exchange.
In the Participation Rules, a User means “an Individual authorised by a Subscriber to access and use the ELN on behalf of the Subscriber.”
An Individual means “a natural person” according to the Electronic Conveyancing National Law (ECNL).
(Participation Rules: Section 7.2.1(a))
Compliance demonstration
If your organisation has not created a User account within PEXA that can be accessed by more than one Individual, select No.
If your organisation has created a User account within PEXA that can be accessed by more than one Individual, select Yes.
If you select Yes, a text box will appear for you to outline the steps you are taking to remove this User account, as required under the Participation Rules. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Participation Rules.)
Question 11
Question
Does your organisation have Anti-Virus Software installed on all computers that meets the following requirements?
The ability to identify and remove viruses
The ability to identify and remove other types of harmful computer software, generally referred to as Malware (or malicious software)
The ability to automatically receive anti-virus updates from the relevant Anti-Virus Software vendors
The ability to automatically scan for viruses and Malware in documents, on servers and workstations
Requirement
Viruses and Malware are forms of malicious software introduced into an electronic device, such as your computer or mobile device, with the intent of causing harm by compromising the confidentiality, integrity or availability of your systems and computer networks, or of the data held on these systems.
Your organisation has an obligation to provide anti-virus protection against any unauthorised or uncontrolled access to IT systems and access points that are used by you to access the PEXA Exchange. This anti-virus protection must meet the criteria outlined in the review question and the Subscriber Security Policy.
(Subscriber Security Policy: Section 4.2.3)
Compliance demonstration
If your organisation outsources the management of your IT environment, you may need to engage your service provider to confirm that the Anti-Virus Software in place is compliant with these obligations.
If your organisation does have Anti-Virus Software installed on all computers that meets the requirements outlined, select Yes.
If your organisation does not have Anti-Virus Software installed on all computers that meets the requirements outlined, select No.
If you select No, a text box will appear for you to outline the steps you will take to implement compliant Anti-Virus Software, as required in the Subscriber Security Policy. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Subscriber Security Policy.)
Question 12
Question
What steps does your organisation take to ensure security vulnerabilities in IT operating systems and applications are Patched and updated as necessary?
Requirement
Your organisation has an obligation to keep your IT operating systems and applications up to date by taking reasonable steps to install Patches and updates (including security specific updates).
The purpose of Patching and operating system updates is to address vulnerabilities discovered after the release of software. Patches apply to many different parts of an information system including operating systems, servers, routers, desktops, email clients, office suites, mobile devices, firewalls, and other components which exist within a computer network.
Your organisation is required to have a software Patching schedule or procedure which is run frequently. This must include IT infrastructure such as operating systems, web browsers and endpoint devices that support your ability to access the PEXA Exchange.
To ensure Patches and updates are correctly installed, please ensure you restart all computers on a regular basis.
(Subscriber Security Policy: Sections 4.2.3, 4.2.4 & 4.2.5)
Compliance demonstration
To demonstrate your organisation’s compliance with this requirement, you must specify the steps taken to ensure security vulnerabilities in IT operating systems and applications are Patched and updated as necessary. If your organisation outsources the management of your IT environment, you may need to engage your service provider to confirm the frequency of Patch and update installation.
The following options are available for you to select from: (select all that apply)
Patches and updates are installed automatically, and all computers are restarted following the installation
Patches and updates are installed on at least a quarterly basis, and all computers are restarted following the installation
Patches and updates are installed less frequently than once a quarter
Other steps are taken to ensure security vulnerabilities in IT operating systems and applications are Patched and updated as necessary
Patches and updates are not regularly installed
Where the steps taken by your organisation are not included in the options listed, select Other steps are taken to ensure security vulnerabilities in IT operating systems and applications are Patched and updated as necessary. A text box will appear for you to specify these steps.
Where your organisation installs Patches and updates less frequently than once a quarter, select Patches and updates are installed less frequently than once a quarter. A text box will appear for you to outline the steps you will take to ensure Patches and updates are installed more frequently.
Where your organisation does not take any relevant steps, select Patches and updates are not regularly installed. A text box will appear for you to outline the steps you will take to remedy the situation, as required in the Subscriber Security Policy. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Subscriber Security Policy.)
Further guidance
It is considered good practice to align your organisation’s Patching processes to those recommended by the Australian Signals Directorate’s ‘Essential Eight’. This guidance recommends ‘extreme risk’ vulnerabilities be Patched within 48 hours. Further information on the ‘Essential Eight’ can be found at https://www.cyber.gov.au/publications/essential-eight-explained.
To determine the severity of a vulnerability in need of Patching, the Common Vulnerability Scoring System (CVSS) is an accepted industry standard. Further information on CVSS can be found at https://www.first.org/cvss/.
Question 13
Question
How does your organisation detect and prevent any unusual or suspicious activities within the PEXA Exchange?
Requirement
Your organisation has an obligation to take reasonable steps to monitor the usage of systems and activities of Users who are accessing the PEXA Exchange to identify unusual or suspicious activities.
(Subscriber Security Policy: Section 4.4.3)
Compliance demonstration
To demonstrate your organisation’s compliance with this requirement, you must specify the steps taken to detect and prevent any unusual or suspicious activities within the PEXA Exchange.
The following options are available for you to select from: (select all that apply)
Confirm open and completed Workspaces are valid on a regular basis
Undertake an additional check of financial line items prior to Workspace signing
Review of information entered into Workspace prior to settlement
Monitor the signing of documents and financial line items outside of normal hours
Regular review of “Manage Users” in PEXA Exchange to confirm legitimacy of User access privileges
Other detection / prevention measures are currently in place
No detection / prevention measures are currently in place
Where the steps taken by your organisation are not included in the options listed, select Other detection / prevention measures are currently in place. A text box will appear for you to specify these measures.
Where your organisation does not take any relevant steps, select No detection / prevention measures are currently in place. A text box will appear for you to outline the steps you will take to implement appropriate detection / prevention measures, as required in the Subscriber Security Policy. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Subscriber Security Policy.)
Question 14
Question
How does your organisation take reasonable steps to verify the accuracy of account details provided by or to clients?
Requirement
The use of email to exchange financial information can be insecure, with the potential for interception by a third party without the knowledge of the sender or receiver. This can result in fraudulent payments and the loss of funds.
It is recommended that organisations involved in exchanging bank account details with clients take reasonable steps to verify the accuracy of account details provided by or to clients.
(Subscriber Security Policy: Section 4.2.6)
This requirement is only applicable to organisations that exchange account details with clients.
Compliance demonstration
You must specify the steps taken to verify the accuracy of account details provided by or to clients.
The following options are available for you to select from: (select all that apply)
Bank account details are sent and received via PEXA Key
Bank account details are verified in person or over the phone if sent or received via any other means
My organisation does not exchange account details with clients
Other steps are taken to verify the accuracy of account details
No steps are taken to verify the accuracy of account details
Where the steps taken by your organisation are not included in the options listed, select Other steps are taken to verify the accuracy of account details. A text box will appear for you to specify these steps.
Where your organisation does not take any relevant steps, select No steps are taken to verify the accuracy of account details. A text box will appear for you to outline the steps you will take in future to verify the accuracy of account details to reduce the risk of a fraudulent payment or the loss of funds.
If your organisation does not exchange bank account details with clients, select My organisation does not exchange account details with clients.
Question 15
Question
How does your organisation manage PEXA Exchange User access?
Requirement
Your organisation has an obligation to perform User access reviews on at least an annual basis.
Your organisation also has an obligation to promptly modify User access privileges when you no longer want a User to access the PEXA Exchange at all, or in a particular capacity (such as removal of privileges to act as a Signer or Subscriber Administrator).
Reviewing the list of Users and Signers within the PEXA Exchange includes performing actions such as:
Confirming only authorised Users continue to retain access to the PEXA Exchange
Confirming only authorised Signers continue to hold a valid Digital Certificate
Confirming PEXA Exchange permissions are still appropriate for each User
For large organisations, it is good practice to embed changes to PEXA Exchange access privileges in your human resource offboarding processes.
If a User’s Digital Certificate is no longer required, you are required to advise PEXA. To do this, please email registration@pexa.com.au stating which Digital Certificate is to be cancelled.
(Subscriber Security Policy: Sections 4.5.2 & 4.6.1)
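The review steps listed above (confirming only authorised Users retain access, only authorised Signers hold a Digital Certificate, permissions remain appropriate, and offboarding feeds into access changes) are easier to perform consistently, and to evidence at review time, when the User list is reconciled against the HR roster rather than read by eye. The script below is an added illustration and is not PEXA's own tooling: the user-export layout, the HR roster fields, the `needs_signing` flag and the 90-day stale-login threshold are all assumptions made for the example, and the sample records are constructed.

```python
"""Access-review reconciliation for an exchange user list (added example).

Assumptions (not PEXA's actual export or API): a User export with roles,
a Digital Certificate flag and last-login date, plus an HR roster with an
employment status and whether the person still needs to sign documents.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass
class ExchangeUser:
    username: str
    roles: List[str]            # e.g. "User", "Signer", "Subscriber Administrator"
    digital_certificate: bool   # assumed field: holds a Digital Certificate
    last_login: date


@dataclass
class StaffRecord:
    username: str
    status: str                 # "active", "left" or "extended_leave"
    needs_signing: bool         # business still requires this person to sign


@dataclass
class Finding:
    username: str
    issue: str
    action: str


def review_access(users: List[ExchangeUser], roster: List[StaffRecord],
                  today: date, stale_days: int = 90) -> List[Finding]:
    """Reconcile exchange Users against the HR roster and return review findings."""
    by_user: Dict[str, StaffRecord] = {s.username: s for s in roster}
    findings: List[Finding] = []
    for u in users:
        staff = by_user.get(u.username)
        # Leavers and unknown accounts: access must be removed promptly.
        if staff is None or staff.status == "left":
            findings.append(Finding(u.username, "account has no active staff record",
                                    "remove access; cancel Digital Certificate if held"))
            continue
        if staff.status == "extended_leave":
            findings.append(Finding(u.username, "staff member on extended leave retains access",
                                    "suspend access until return"))
        # Signer privilege should track a current business need.
        if "Signer" in u.roles and not staff.needs_signing:
            findings.append(Finding(u.username, "Signer privilege no longer required",
                                    "remove Signer role; advise PEXA to cancel Digital Certificate"))
        # A certificate with no Signer role is an orphaned credential.
        if u.digital_certificate and "Signer" not in u.roles:
            findings.append(Finding(u.username, "Digital Certificate held without Signer role",
                                    "advise PEXA to cancel Digital Certificate"))
        if (today - u.last_login).days > stale_days:
            findings.append(Finding(u.username, f"no login in over {stale_days} days",
                                    "confirm access is still required"))
    return findings


def review_is_overdue(last_review: date, today: date) -> bool:
    """Access reviews are required at least annually."""
    return (today - last_review).days > 365


# Constructed sample data for the illustration.
TODAY = date(2024, 6, 30)
LAST_REVIEW = date(2023, 5, 1)
SAMPLE_USERS = [
    ExchangeUser("alice", ["User", "Signer"], True, date(2024, 6, 28)),
    ExchangeUser("bob", ["User", "Subscriber Administrator"], False, date(2024, 1, 10)),
    ExchangeUser("carol", ["User", "Signer"], True, date(2024, 3, 1)),
    ExchangeUser("dave", ["User"], True, date(2024, 6, 20)),
    ExchangeUser("erin", ["User", "Signer"], True, date(2024, 6, 1)),
    ExchangeUser("frank", ["User"], False, date(2024, 6, 29)),
    ExchangeUser("grace", ["User", "Signer"], True, date(2024, 6, 25)),
]
SAMPLE_ROSTER = [
    StaffRecord("alice", "active", True),
    StaffRecord("bob", "active", False),
    StaffRecord("carol", "left", False),
    StaffRecord("dave", "active", False),
    StaffRecord("erin", "extended_leave", True),
    StaffRecord("grace", "active", False),
]


def run_sample() -> List[Finding]:
    return review_access(SAMPLE_USERS, SAMPLE_ROSTER, TODAY)


if __name__ == "__main__":
    if review_is_overdue(LAST_REVIEW, TODAY):
        print("WARNING: last access review older than 12 months")
    for f in run_sample():
        print(f"{f.username:8} {f.issue:50} -> {f.action}")
```

The output is the review record itself: each finding names the User, the reason it was raised, and the action to take, which maps directly onto the "regular review", "modify access promptly" and "disable Digital Certificates" options in the questionnaire.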
Compliance demonstration
To demonstrate your organisation’s compliance with this requirement, you must specify the steps taken to monitor and manage PEXA Exchange User access.
The following options are available for you to select from: (select all that apply)
Regular review of the list of Users (whether one User or many Users) and Signers within the PEXA Exchange (at least annually)
Modify User access privileges promptly when circumstances change (i.e. a staff member leaves the organisation, a staff member no longer requires access to PEXA or a staff member is away on extended leave)
Disabling of Digital Certificates when no longer required
Other steps are taken to monitor and manage PEXA Exchange User access
No steps are taken to monitor and manage PEXA Exchange User access
Where the steps taken by your organisation are not included in the options listed, select Other steps are taken to monitor and manage PEXA Exchange User access. A text box will appear for you to specify these steps.
Where your organisation does not take any relevant steps, select No steps are taken to monitor and manage PEXA Exchange User access. A text box will appear for you to outline the steps you will take in future to monitor and manage PEXA Exchange User access, as required in the Subscriber Security Policy. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Subscriber Security Policy.)
Question 16
Question
Does your organisation immediately notify PEXA if yourself or any other User becomes aware of a suspected or actual breach of the PEXA Subscriber Security Policy?
Requirement
Your organisation has an obligation to immediately, upon becoming aware, notify PEXA of any breach of the PEXA Subscriber Security Policy that may affect the PEXA Exchange or the integrity or security of the Electronic Lodgement Network (ELN).
(Subscriber Security Policy: Section 6)
Compliance demonstration
If your organisation immediately notifies PEXA when yourself or any other User becomes aware of a suspected or actual breach of the PEXA Subscriber Security Policy, select Yes.
If your organisation is aware of the obligation to immediately notify PEXA but has not had to provide such a notification, select Organisation is aware of the obligation but has not had to provide such notification.
If your organisation does not immediately notify PEXA if yourself or any other User becomes aware of a suspected or actual breach of the PEXA Subscriber Security Policy, select No.
If you select No, a text box will appear for you to outline the steps you will take in future to notify PEXA of suspected or actual breaches, as required in the Subscriber Security Policy. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Subscriber Security Policy.)
Question 17
Question
Are your organisation’s PEXA Signers deemed to comply with the good character and reputation matters listed in Participation Rule 7.4.1(b)?
Requirement
Your organisation has an obligation to ensure its Signers are of good character and reputation, where they are not deemed to comply.
Many Signers are deemed to comply with this rule, including Australian Legal Practitioners, Licensed Conveyancers and Public Servants acting on behalf of the Crown in right of the Commonwealth, a State or a Territory.
For a full list of those deemed to comply, please refer to Participation Rule 7.4.2.
(Participation Rules: Section 7.4.1)
Compliance demonstration
If all Signers within your organisation are deemed to comply with this rule, select Yes, and move on to Question 18.
Where one or more of the Signers within your organisation are not deemed to comply, select No. If you select No, you will be prompted with a supplementary question:
Supplementary question only applicable if you selected No
What steps has your organisation taken to ensure Signers are not and have not been subject to any of the good character and reputation matters as listed in Participation Rule 7.4.1(b)?
Compliance demonstration
To demonstrate your organisation’s compliance with this requirement, you must specify the steps taken to provide this assurance.
The following options will then be available for you to select from: (select all that apply)
Background checks are conducted prior to onboarding and on an ongoing basis, covering matters as listed in Participation Rule 7.4.1(b)
Other steps are taken to provide this assurance
No steps are taken to provide this assurance
Where the steps taken by your organisation are not included in the options listed, select Other steps are taken to provide this assurance. A text box will appear for you to specify these steps.
Where your organisation does not take any relevant steps, select No steps are taken to provide this assurance. A text box will appear for you to outline the steps you will take to provide the necessary assurance, as required under the Participation Rules. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Participation Rules.)
Question 18
Question
Have there been any instances where a Conveyancing Transaction involving your organisation has been Jeopardised?
Requirement
Where a Conveyancing Transaction has been Jeopardised to your knowledge, information or belief, you must:
Unsign any electronic Registry Instruments and other Documents relating to the Conveyancing Transaction immediately, where possible.
Immediately notify PEXA and the Registrar of the situation.
Immediately notify the other Participating Subscribers of any information about the Conveyancing Transaction that you believe to be incorrect, omitted, false or misleading, or that the Conveyancing Transaction has been Jeopardised.
In the Participation Rules, Jeopardised means "put at risk the integrity of the Titles Register by fraud or other means" (e.g. any activity that has resulted in a fraudulent change to Documents electronically lodged to the Titles Register).
(Participation Rules: Section 7.7.1)
Compliance demonstration
If there have been no instances where a Conveyancing Transaction involving your organisation has been Jeopardised, select No, there have been no such instances involving my organisation, and move on to Question 19.
If there have been any instances where a Conveyancing Transaction involving your organisation has been Jeopardised, select Yes. If you select Yes, you will be prompted with a supplementary question:
Supplementary question only applicable if you selected Yes
Did you undertake the required actions upon discovery of the situation?
Compliance demonstration
To demonstrate your organisation’s compliance with this requirement, you must confirm if you undertook the required actions upon discovery of the situation.
If your organisation did undertake the required actions, select Yes, these actions were taken.
If your organisation did not undertake the required actions, select No, these actions were not taken.
If you select No these actions were not taken, a text box will appear for you to outline the steps taken in response to the Jeopardised transaction(s) and how your organisation will ensure appropriate steps are always taken in future, as required under the Participation Rules. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Participation Rules.)
Question 19
Question
Have there been any instances where your organisation’s Security Items have been or likely to have been Compromised?
Requirement
Where a User's Security Items have been or are likely to be Compromised, you must:
Immediately revoke the User’s authority to access and use PEXA and prevent the User from accessing and using PEXA.
For a Digital Certificate:
Immediately check all Workspaces where the Digital Certificate has been used. Where possible, unsign any Registry Instruments and other Documents you are aware or suspect have been signed without appropriate authorisation. Where it is not possible to unsign the Registry Instruments and other Documents, you must immediately notify PEXA of the situation.
Promptly notify the Certification Authority (provider of the Digital Certificate) and revoke or cancel the Digital Certificate (including doing everything reasonably necessary to cause the Certification Authority to revoke or cancel it).
Promptly notify PEXA.
In the Participation Rules, Compromised means "lost or stolen, or reproduced, modified, disclosed or used without proper authority" (for example, a historic breach of the Subscriber Security Policy through credential sharing).
Security Item means "User Access Credentials, passphrases, Private Keys, Digital Certificates, Electronic Workspace identifiers and other items as specified from time to time."
(Participation Rules: Section 7.9.1)
Compliance demonstration
If there have been no instances where your organisation’s Security Items have been or likely to have been Compromised, select No, there have been no such instances involving my organisation, and move on to Question 20.
If there have been any instances where your organisation’s Security Items have been or likely to have been Compromised, select Yes. If you select Yes, you will be prompted with a supplementary question:
Supplementary question only applicable if you selected Yes
Did you undertake the required actions upon discovery of the situation?
Compliance demonstration
To demonstrate your organisation’s compliance with this requirement, you must confirm if you undertook the required actions upon discovery of the situation.
If your organisation did undertake the required actions, select Yes, these actions were taken.
If your organisation did not undertake the required actions, select No, these actions were not taken.
If you select No these actions were not taken, a text box will appear for you to outline the steps taken to address the Compromised Security Items and how your organisation will ensure appropriate steps are always taken in future, as required under the Participation Rules. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Participation Rules.)
Question 20
Question
Does your organisation seek consent from the relevant individual(s) to the matters listed in clause 11.2 of the Participation Agreement before providing any Personal Information to PEXA or within an Electronic Workspace?
Requirement
Where a relevant individual’s Personal Information is provided to PEXA or within an Electronic Workspace, you must have first obtained the consent of the relevant individual to whom the Personal Information relates, as per the below matters:
The disclosure of that Personal Information to PEXA and for use in connection with an Electronic Workspace.
The disclosure of that Personal Information to other participants in the ELN (including through mobile applications provided by PEXA), an Electronic Workspace or in a Conveyancing Transaction the subject of an Electronic Workspace.
The use and disclosure of that Personal Information by PEXA and the other participants in an Electronic Workspace or in a Conveyancing Transaction the subject of an Electronic Workspace.
The collection, use, handling and disclosure of their Personal Information, at least to the extent necessary to enable PEXA to provide the Services in accordance with the requirements of this Participation Agreement.
The disclosure of their Personal Information to a Registrar or Duty Authority.
This requirement does not apply to Financial Institutions and/or Australian Credit License holders. Please refer to your organisation's Participation Agreement with PEXA for additional information and to confirm if this requirement applies in your circumstances.
(Participation Agreement: Section 11.2)
Compliance demonstration
To demonstrate your organisation’s compliance with this requirement, you must confirm that consent is received from the relevant individual before providing any Personal Information to PEXA or within an Electronic Workspace.
If your organisation does comply with this requirement, select Yes.
If your organisation does not comply with this requirement for consent to be received from the relevant individual before providing any Personal Information to PEXA or within an Electronic Workspace, select No.
If you select No, a text box will appear for you to outline the steps you will take to ensure compliance regarding the requirement to seek consent from relevant individuals. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Participation Agreement.)
If your organisation is a Financial Institution and/or Australian Credit License holder, select N/A – This requirement is not applicable to my organisation and move to the Declaration.
Question 21
Question
Does your organisation refer the relevant individual(s) to PEXA’s privacy policy before providing any Personal Information to PEXA or within an Electronic Workspace?
Requirement
Where a relevant individual’s Personal Information is provided to PEXA or within an Electronic Workspace, you must refer the individual to PEXA’s privacy policy (currently available at http://www.pexa.com.au/privacy) before providing any Personal Information to PEXA or within an Electronic Workspace.
This requirement does not apply to Financial Institutions and/or Australian Credit License holders. Please refer to your organisation's Participation Agreement with PEXA for additional information and to confirm if this requirement applies in your circumstances.
(Participation Agreement: Section 11.2)
Compliance demonstration
To demonstrate your organisation’s compliance with this requirement, you must confirm that relevant individuals are referred to the PEXA privacy policy before providing any Personal Information to PEXA or within an Electronic Workspace.
If your organisation does comply with this requirement, select Yes and move to the Declaration.
If your organisation does not comply with this requirement for the PEXA privacy policy to be referred to the relevant individual(s) before providing any Personal Information to PEXA or within an Electronic Workspace, select No.
If you select No, a text box will appear for you to outline the steps you will take to ensure compliance regarding the requirement to refer relevant individuals to PEXA’s privacy policy. (Refer to the Declaration and Submission section for further information on cases where your organisation is in breach of the Participation Agreement.)
Declaration and Submission
Following completion of responses to the questionnaire, you will be presented with the following statement:
Failure to accurately complete PEXA’s Subscriber Review Process is a breach of my obligations under Schedule 7 of the Model Participation Rules. Knowingly providing false or inaccurate responses may result in the suspension of my Subscriber account.
To submit your responses, you are required to confirm that I acknowledge the above statement and confirm all responses provided are accurate.
If you wish to change any of your responses prior to submission, click on the Previous button to return to the questionnaire. Once you are ready to submit your responses, navigate back to the declaration.
Cases where a breach is identified
Throughout the questionnaire, you are provided an opportunity to outline what steps you will take to address any breaches of the Participation Rules, Subscriber Security Policy or Participation Agreement that are immediately apparent from your responses. PEXA’s Subscriber Review Team will review the responses provided in these cases and work with you to ensure you are in a position to action these steps and demonstrate your compliance.
Glossary
Capitalised terms used in these guidance notes have the meanings referenced or set out here or the meanings given to them in the Participation Rules, ECNL or by the industry regulator ARNECC.
Term
Definition
Anti-Virus Software
Software utility that detects, prevents, and removes viruses and other Malware from a computer. Most anti-virus programs include an auto-update feature that permits the program to download profiles of new viruses, enabling the system to check for new threats.
Malware
Short for malicious software: any program or file that is harmful to a computer user. Types of Malware include computer viruses, worms, Trojan horses and spyware.
Novated
Substitution of an original party to a contract with a new party, or substitution of an original contract with a new contract.
Participation Agreement
The Participation Agreement (PA) is the overarching agreement between PEXA and each Subscriber. The PA includes:
Obligations of both parties including privacy, confidentiality, liability, suspension, termination, insurance, disputes and change management.
The PEXA Service Charter, PEXA Pricing Policy and PEXA Security Policy.
The terms and conditions governing Financial Settlement in PEXA.
A commitment by each Subscriber to comply with the Model Participation Rules, as outlined by ARNECC.
Patch
A set of changes to a computer program or its supporting data designed to update, fix, or improve it. This includes fixing security vulnerabilities and other bugs, and improving the usability or performance.
Primary Subscriber Manager
The nominated PEXA contact of the Subscriber. The Primary Subscriber Manager holds the highest level of access to the PEXA Exchange. They have the ability to:
Create and edit Subscriber details
Set up and verify Financial Account information
Create and edit Users
Create and edit Workgroups
Subscriber Administrator
A Subscriber Administrator does not have access to Subscriber details or financial account information. They do have the ability to:
Create and edit Users
Create and edit Workgroups
Subscriber Security Policy
Sets out the security requirements that Subscribers must ensure that they and their Users adhere to when using the PEXA Exchange in order to maintain the overall security of the PEXA Exchange.
Workspace
A shared area in PEXA where Subscribers prepare property instruments and settlement documents for a property exchange transaction to effect lodgement and/or settlement.