Tag: ASIC

Keeping track of company directors

insolvency-phoenix-companies
Image: Locked gates, Jody Davis www.pixabay.com

It’s been nine years since someone suggested a way to stop company directors from avoiding creditors by creating a ‘Phoenix’ company.

‘Phoenixing’ describes the process when a new business arises from the ashes of a liquidated company. It’s a loophole that allows unscrupulous people to leave their debts behind with the liquidated company and start afresh (leaving creditors out in the cold).

The total cost of Phoenixing to the Australian economy is estimated to be between $2.9 billion and $5.1 billion annually, according to the Australian Taxation Office (ATO). It is typically done by transferring assets to the new entity (leaving liabilities with the old company). ‘Dummy’ directors are used to set up the new company. Dummy directors play no actual role in the company. Liquidators and investigators have uncovered instances of people who had no idea they were a director of their spouse’s company. They have also found homeless people, distant relatives, fictitious names and variations on real names. (Donald Duck is apparently a director of several companies. Ed.)

The Phoenix Project, an academic investigation, has long been investigating this tactic and how people get away with it.

The project was initially set up by Professor Helen Anderson, then of the University of Melbourne, in collaboration with Monash University. She first suggested using a 12-point identity check in 2013 and it was one of the key recommendations in the 2017 Phoenix Project report.

The first problem for corporate enforcers is that setting up a new company while the other is in liquidation is technically legal. There have been many instances when a new company legitimately arises from the wreckage of an insolvent one (company restructures, buyouts, rescues etc).

These arrangements are usually supervised and strive to ensure creditors and employees are paid what they are owed.

The illegal Phoenix company, however, ignores creditors and allows the principals to continue in business unchallenged.

I’m sure we’ve all read about the more egregious examples. They usually happen in the construction industry. Subcontractors and tradies turn up to the building site as usual, only to find the gates locked and the ‘boss’ nowhere to be found. While liquidators take over the business, these unsecured creditors take their place at the end of the queue. Meanwhile, the principals have a new banner at a site elsewhere in town. This gives the media plenty to rant about, but it solves nothing.

Writing in The Conversation in 2016, Prof Anderson said the aim of illegal phoenix activity was to defraud taxation authorities, trade creditors and employees. She said the practice is widespread in Australia, with a Productivity Commission report in 2015 finding there were between 2,000 to 6,000 phoenix companies operating here. A Senate Economics References Committee inquiring into the Australian construction industry found illegal phoenix activity was a problem “throughout the economy”. The committee suggested it was “a significant culture of disregard for the law”.

The long-running exercise to stop this happening is being driven by the Australian Taxation Office, which is at the top of the creditor queue. In a new regime, the ATO is bringing 30 different business registries under the one entity, Australian Business Registry Services.

ABRS deputy registrar Karen Foat said this would allow regulators and advisors to obtain a more complete picture of a director’s corporate history. Ms Foat said it would also help authorities crack down on illegal phoenix firms.

“These are companies that time and time again wind up their firms leaving employees without salary, entitlements and superannuation, as well as leaving contractors, other businesses and government in the lurch,” she wrote in an Australian Financial Review feature.

Ah…so you didn’t know? The deadline is November 30 and if you don’t apply in time you are liable to a fine of up to $13,000.

There are 2.5 million company directors in Australia, with more than 1 million of them yet to apply for their unique, 15-digit Director ID number (DIN). An ABC item updated this week reported that more than 1.5 million directors had applied for (and had been issued with) a DIN since it was introduced in April last year. This leaves about one million directors who have just five days to apply.

A DIN is a unique identifier given to a director who has verified their identity with the ATO. It is much like the 12-point identity check we all endure to open a bank account.

Until this process began in 2021, company directors could be signed up without much in the way of verification.

She Who is Also a Director signed up for a DIN, as did I. It was a bit of a palaver as you had to use the Federal Government’s myGovID mobile phone app. I already had an account but had to go through several stringent steps to prove my identity. #wehatetechnology

Those who need to apply include company directors, corporate trustees (of an SMSF) and directors of charities and not-for-profit organisations. In short, anything registered under the Corporations Act, including directors of foreign companies registered with ASIC and carrying on business in Australia (no matter where they live).

The ATO acknowledges that the vast majority of company directors behave with ‘extreme probity’, which is consistent with the trust the Australian community places in them.

Yes indeed, we acted with said extreme probity when applying for our director ID last month. The one major problem with a 15-digit number is, how the hell do you remember it? Oh right. Log on to your ABRS account and voila. No hackers here.

We mentioned this topic briefly a few weeks back when investigating the flurry of data breaches and hacking going on within large organisations. Ironically, ASIC warned company directors last month that email and text scammers were posing as the ABRS. As always, do not click on links or divulge your personal details in these instances. It’s not called ‘phishing’ for nothing.

Prof Anderson, who has since retired from the University of Melbourne’s School of Law, said the issuing of a DIN would enable tracking of directors who have been involved in multiple failed companies. It would also reveal fictitious directors, the bane of credit rating agencies and the ATO.

“Requiring would-be directors to quote their DIN on applications to incorporate companies would let ASIC build a valuable database of directors’ corporate histories, helping it to identify repeat offenders and candidates for disqualification from managing corporations.”

I’ll admit this week’s FOMM is a little arcane, reporting on a topic you only ever read about in law and accountancy journals.

But we all ought to be concerned about rorts that potentially cheat the country of up to $5.1 billion a year. Almost everyone would know of a subbie or tradie who got burnt in circumstances just as outlined here.

I’m sure you will agree that everything would work better if we all acted with ‘extreme probity’.

I initially misread this as ‘extreme Proby’ which says a bit about my youthful musical obsessions. Probity means ‘complete and confirmed integrity, uprightness and honesty.  Proby (with a PJ) means a deep voiced pop singer whose best-known hits were songs from West Side Story.

Leaving you with an offering from DJ Probity.

 

 

Cybersecurity, scams and data breaches

cybersecurity-scams-databreaches
Image of programming code by Lorenzo Cafara www.pixabay.com

Call it coincidence, but I was in the midst of a domestic internet security overhaul when news of the Optus hack broke. As we know, what the press is calling the biggest hack in Australian history left the private information of up to 10 million Optus customers open to potential abuse. Optus customers are clamouring to have their drivers’ licences and passports re-issued and there is talk of class actions.

Like most of us whose lives are largely lived online, we are, or should be, aware of the threat posed by scammers. Any day of the week you will hear of pensioners who lost their life savings, falling for some elaborate call centre scam. The sophisticated level of social engineering being employed by scammers is such that even savvy older people are falling victim to seemingly plausible communications via mobile phone, social media apps and email.

Just as we all lock doors and windows and turn on security systems before going on holidays, we should all be thinking about security for our electronic communications. My IT adviser swears by password managers – that is, subscribing to a company that will encrypt all of your online logins and passwords. You manage things at your end with a master password. But wait, I ask, isn’t this putting all of your eggs in one basket? If someone nabs your master password you’re screwed, right?

The best protection against electronic fraud is to use a two-step authentication system. This may be as simple as: login, password (now enter the four-digit code we just sent to your mobile phone).

Last time I went to do some internet banking, I was informed that my security token would soon expire. This is a small gadget (most people call them dongles) which display six constantly changing numbers). The process is: logon, password (dongle code).

In theory it is unhackable, as the security codes are constantly changing. I decided to order another ‘dongle’, only to be told that the bank preferred me to use their secure phone app. Send me a dongle, I replied, via secure email. After jumping through a few security hoops, I ordered a new physical dongle. The bank employee I dealt with (online) said the bank would waive the $20 fee as I had been a valued customer for many years (Melbourne Cup, here I come).

As a result of increasing data breaches and scams, we can expect government organisations and others to tighten security. After thoroughly checking it out first, I found that the Australian Securities and Investment Commission (ASIC) now requires all company directors to apply for a ‘digital security ID number’.

The recommended method for applying for a director identification number is by using the MyGovID phone app. The app requires you to scan identification documents into a mobile phone app. They also want your date of birth, physical address, email address and mobile phone number. Then you have to scan any unique identifying marks (moles, birthmarks, tattoos) – no wait, I made that bit up.

It’s quite an exercise.

But what if some enterprising Black Hat (master hacker) breaks into MyGovId? In theory this will create a lot of work for people whose professions involves producing ID documents. Just as we are seeing now with the Optus hack, everyone who uses MyGovID would need to replace their ID documents,

This new requirement by ASIC (which only applies to company directors), will, as they say, “help prevent the use of false or fraudulent director identities”. Directors who were appointed prior to November 2021 have until November 30, 2022 to apply. ASIC adds, “it is a criminal offence if you do not apply on time”.

If you think about it, multiple government and non-government organisations hold all manner of confidential information on us. At the very least, many of them already have our date of birth, passport and driver’s licence numbers, credit card details, direct debit for bank accounts and so on. When was the last time you booked online for a concert? Credit card?

In August, I was required to fill in an online hospital admission form when signing up for elective surgery. They wanted to know everything about me – even my BMI. I had to ask Sister Dee to explain that one. It’s a number arrived at by squaring your weight with your height. Anaesthetists need to know.

They’ve got my height and weight,” I said to the admitting nurse. “He can work it out.” (Ed: It’s 23.6)

Then they wanted a copy of my power of attorney. I didn’t have a copy so had to ask our lawyer to send me one, post haste. Now that’s online too.

But methinks I doth protest too much – I did after all wake up.

It’s a good thing I decided to sign up for the now-obligatory company director security number. In the process, I discovered my passport will expire next year. Since we have plans to go to New Zealand, Canada and maybe Japan, I’d best get on my bike and order a new one. I suppose how long it takes depends on the Optus backlog, eh?

In the meantime, everyone who reads this column on a regular basis should know about the Scamwatch website. The Australian Competition and Consumer Commission (ACCC) keeps a running tally of internet scams, pesky robot phone calls and phishing scams (someone pretending to be your internet service provider, bank, tax office – whatever). Currently Scamwatch is alerting Australians that fraudsters will seek to exploit the Optus data breach. Last month the ACCC warned people who use WhatsApp to watch out for the ‘Hello Mum’ scam. Briefly, someone who apparently knows you have a son or daughter overseas will start a text conversation.

“Hi Mum, it’s me. I lost my phone and got locked out of my bank. Can you help?”

The correct answer should be something like – “If you are my daughter, what was the name of our cat when you were 12 and what was her favourite food?”

It’s no laughing matter. On August 3 Scamwatch reported that consumers lost $20 million to imposter bond investment scams. These scams impersonate real financial companies or banks and claim to offer government/Treasury bonds or fixed term deposits. People often fall victim after searching online for investment opportunities. Watch out for fake third-party comparison sites and too-good-to-be-true returns.

I have had a few interactions with our internet service provider over the years about phishing emails. They would often arrive in my inbox on iiNet letterhead (the sender’s email address is always dodgy). The gist is usually, “There is a problem with your invoice (which I just paid). Please click on this link and update your credit card details.” My arse!

The last time I complained, I forwarded the fake email to iiNet as requested. iiNet (second largest ISP in Australia), must have had some success since, as these rogue messages appear to have stopped. Their customers are not the only target. There are myriad instances of bogus emails purporting to be from banks, finance companies, telcos, e-commerce companies etc. The best response is block/blacklist/delete and keep doing it until they move on. And always report it to the company being impersonated. Oh, and always log out of Facebook and Messenger. But you knew that.