British regulators are warning companies to do more to protect the security of customer data. The Financial Services Authority says financial firms must change their attitude toward data security, as too many customers are falling victim to identity fraud and other types of financial crime. And Information Commissioner Richard Thomas, who polices data protection laws, has said companies need to take the issue more seriously.

The FSA warning followed a review of systems and controls for data security at 39 financial firms. The results: Many firms still underestimate the risk of data loss and fraud to their businesses, and especially to their customers. The FSA also found that when a firm did lose significant data, it usually was more worried about adverse media coverage than being open and transparent with its customers.

Its report flagged three main concerns: Many firms do not check whether third-party suppliers vet their employees or have adequate security arrangements in place to stop unnecessary access to customer data; many devoted adequate resources to data security risk, but placed too much emphasis on IT controls and not enough on staff awareness or regular risk assessments; and many small firms were wholly reliant on compliance consultants, who did not understand the importance of data security within the firm.

“Despite increased public awareness of the impact that identity theft can have on customers, many firms are still not taking this risk seriously,” Philip Robinson, director of the FSA’s Financial Crime and Intelligence Division, said in a recent statement. “Firms getting data security right is a key priority for the FSA, and we expect the industry to raise its standards.” Last year, the FSA fined two companies, Nationwide and Norwich Union, a respective $1.9 million and $2.5 million for information security lapses.

Information Commissioner Thomas also pointed the finger at banks, but said government and other organizations were weak in this area. Thomas said he was encouraged that more chief executives seem to be aware of the problem “but the evidence shows that more must be done to eradicate inexcusable security breaches.”

A recent survey from PricewaterhouseCoopers said 81 percent of U.K. boards gave a high priority to information security, but companies were still missing simple control measures. Four-fifths of those that had computers stolen had not encrypted their hard drives, for example.

EU Moves to Cut Company Law Burden

The European Commission has published its first batch of measures under a project to ease the burden of complying with its Company Law. The proposals approved in April will make life easier for small and medium-sized companies, EU officials say, saving an estimated $935 million annually.

Parent companies with no material subsidiaries will be able to stop producing consolidated accounts, and medium-sized companies will be exempt from providing detailed data in their annual accounts, such as a breakdown of turnover by category of business. The measures are part of a program to cut the administrative burden on companies by 25 percent over the next four years. More changes will soon follow.

The moves were welcomed by the Fédération des Experts Comptables Européens, the umbrella group of European professional bodies for accountants and auditors. Jacques Potdevin, FEE president, describes the changes as “helpful and well targeted” and says they will remove “excessive, costly, and outdated administrative requirements.”

But, Potdevin adds, it would be wrong to portray accounting and auditing rules as burdens or costs “without consideration of the benefits they bring to the market and the public interest”—a complaint FEE has voiced in the past. The EU is right to remove wasteful business costs, he says, but should do so only in a way that preserves and enhances transparency, stakeholders’ information, investor protection, and the overall stability of markets.

Japanese GAAP and IFRS Harmonization on Track

Efforts to converge Japanese accounting standards with International Financial Reporting Standards are progressing well, according to standard setters. All the major differences between Japanese standards and IFRS will be eliminated by the end of this year, they say.

The Accounting Standards Board of Japan and the International Accounting Standards Board agreed on a convergence timetable at a meeting in Tokyo last August. At a follow-up meeting in April, the two boards said that the “Tokyo Agreement” was being delivered on schedule.

The two boards have been working on their convergence project since 2005, when the Committee of European Securities Regulators, a European Union advisory group, published a report identifying the differences between Japanese standards and IFRS.

The aim is to remove the major differences between IFRS and Japanese GAAP by 2008 and to pick off any smaller ones by 2011. That target does not apply to any standards that IASB develops in the meantime, but the boards say they are working closely to ensure that international accounting approaches are accepted in Japan.

Understanding Australia’s Audit Liability Caps

Australia recently became one of the first countries to introduce statutory limits on auditor liability. Law firm Baker & McKenzie has produced a briefing paper explaining how the country’s approach works and noting the main implications for companies doing business there.

The state of New South Wales—which includes Sydney, Australia’s largest city—has had a liability-capping scheme in place for several years. Now the country’s other five states and two territories have similar arrangements, covering all the members of Australia’s three main accountancy bodies.

For audit work, the schemes cap liability to an amount equal to 10 times the reasonable fees for the service up to a maximum of A$75 million, or U.S. $70.6 million. For all other services the maximum is A$20 million (U.S. $18.8 million). Accountants cannot opt out of the schemes and have no discretion to increase the cap on audit and related work.

The caps do not limit all liabilities. For example, there is no cap on claims for fraud or dishonest conduct, and civil liability to third parties under parts of the Australian Company Law that relate to raising capital is also outside the cap. Corporate finance work is also excluded, but this is being reviewed by the Australian Securities and Investments Commission, says Craig Andrade, a partner at Baker & McKenzie.

Meanwhile, businesses are advised to enter into separate engagement letters for work to be performed by an auditor and any work to be performed by a corporate finance affiliate. Baker & McKenzie also suggests that any engagement letter with an auditor should identify which liability scheme applies and confirm how each service—such as writing the audit report or providing a “sign off” letter—is categorized by the scheme, so that it is clear what liability limit applies.

Canada Seeks Comment on Control Requirements

Canadian securities regulators are seeking comment on proposed revisions to internal control reporting requirements that are expected to take effect later this year.

The Canadian Securities Administrators has proposed amendments to National Instrument 52-109, Certification of Disclosure in Issuers’ Annual and Interim Filings, and related materials. The proposed changes were based on response to comments on an earlier set of proposals published last year.

Among the proposed amendments: The CEO and CFO of a venture issuer wouldn’t be required to certify that they have designed and evaluated the effectiveness of disclosure controls and procedures and internal control over financial reporting; non-venture issuers will now be required to use a control framework for the design of internal control over financial reporting; the threshold for reporting a weakness in ICFR is a “material weakness” rather than the previous concept of “reportable deficiency,” and guidance for certifying officers will be expanded.

Comments are due June 17, 2008.

The instrument is expected to come into effect Dec. 15, 2008, and will apply to issuers’ financial years ending on or after that date.

The proposed rule, related companion policy and forms, and CSA notice and request for comments are available on CSA members’ Websites. (Canada regulates securities on a province-by-province basis, rather than through a single national regulator.)