Explainer: what exactly must companies disclose to investors?

Mark Humphery-Jenner, UNSW

The Commonwealth Bank of Australia is now facing the possibility of a class action lawsuit over allegations it failed to adequately disclose to investors that it may have breached Australian anti-money laundering rules, as far back as 2015.

This class action provides an opportunity for the courts to clarify companies’ precise disclosure obligations. Often, companies settle these cases before they get to court so there isn’t much precedent to go by.

But companies’ disclosure requirements are clearly set out in the ASX listing rules, the Corporations Act and the ASIC Act – public companies must immediately disclose any information that could affect the price or value of their shares.

Should the CBA case make it to court, it would be a significant step towards clarifying what and when exactly companies need to disclose to investors. But this is not the only current case relating to company disclosures. Newcrest Mining, Slater & Gordon, Bellamy’s, and Murray Goulburn are all currently facing class action litigation over their disclosure practices.

What are the disclosure obligations?

The listing rules of the Australian Stock Exchange state that companies must immediately inform the ASX if they become “aware of any information concerning it that a reasonable person would expect to have a material effect on the price or value of the entity’s securities”.

This covers any number of developments, from the impact of product market concerns, and major changes affecting the valuation of assets. US law indicates that it could also include exposure to possible liabilities. Companies must also lodge financial reports with the Australian Securities and Investments Commission.

Potential litigation or regulatory intervention, for example, should be disclosed. Research shows both litigation and regulatory actions generally affect share prices and raise the risk of financial penalties. Even if the company wins the case, it must still spend significant sums on lawyers. This makes the firm’s future cash flows more risky and can affect how much investors are willing to pay for the firm’s shares. Under similar laws in the US, failing to disclose such litigation risk has precipitated class actions.

These disclosure obligations are enshrined in law and are part of a company’s contract with the ASX. As long as the company remains listed on the ASX, it effectively makes a statement that it is complying with that contract.

On top of all this, disclosures have to be accurate. Australian law specifically prohibits companies from “mak[ing] a statement, or disseminat[ing] information” that is false or misleading, is likely to affect the price of a financial product, and that should reasonably have been known to be false.

What if companies fail to disclose?

Shareholders can recover loss or damage if they can show that the misleading statement affected stock prices. In basic terms, this involves showing that the price declined when traders became aware that the information was false.

For example, US technology company Fitbit was sued because of alleged misstatements that led to a share price decline. The litigants explicitly noted the fall in share price in arguing that the alleged false statements caused loss or damage and that the company traded at an inflated price.

Shareholders can recover damages from the company, or any other “person involved in the contravention” of the Corporations Act. This can include company directors, in some cases. In practice, litigation insurers often pay the damages.

But class actions also have wider implications. On top of damaging a firm’s reputation, class actions can hurt executive’s career prospects and make it harder for companies to access credit.

Failing to meet disclosure obligations can also mean directors aren’t fulfilling their duties of care. These require directors to act “with the degree of care and diligence that a reasonable person would exercise”, and violations of this duty can lead to lawsuits and regulatory intervention by ASIC.

What about omissions?

Companies can make a relevantly false statement in two ways. They can disclose incorrect or misleading information. Alternatively, they can fail to disclose material information.

Remaining silent is impractical as companies must release some information – such as financial reports – to satisfy their obligations. Omitting negative information from these disclosures renders the disclosure “misleading” and likely to at least stabilise the firm’s share price.

In the related field of consumer protection, on which these provisions are loosely based, omitting information that would have changed the person’s mind is also prohibited.

In the end, the law does not specify what makes a statement “materially misleading”. However, in this context, it would likely mean a statement that could affect the firm’s share price. This contrasts with small errors in disclosure that would not affect share prices or would not affect the decision to buy the shares.

At the moment there is little guidance from the courts on the scope of companies’ disclosure requirements and the damages shareholders can recover if companies violate them. This CBA case might clarify this and motivate companies to comply with their obligations. It could also better enable shareholders to pursue remedies when companies violate them.

Mark Humphery-Jenner, Associate Professor of Finance, UNSW

This article was originally published on The Conversation. Read the original article.

National coffee chain suspended from government’s PaTH intern scheme after allegedly underpaying workers

Dominic Powell / Friday, September 1, 2017

A national coffee chain has been booted off the government’s controversial PaTH employment scheme following allegations it was underpaying young workers and offering Visa gift cards as reimbursement.

Buzzfeed News uncovered the alleged underpayments earlier this week after a worker on the PaTH scheme at the Espresso Lane coffee chain told the publication they were being underpaid. Espresso Lane operates 10 stores around Australia.

The government’s PaTH scheme — which stands for ‘Prepare, Trial, Hire’ — was unveiled in the 2016 budget and has been rolled out since, including with a range of retail partnerships announced in April this year

Businesses that sign up for the program can employ young people who are receiving Centrelink benefits as interns within their companies for three months. The overall goal is for PaTH interns to receive on-the-job training and potentially permanent work at the end of the program.

Businesses also receive an $1000 upfront payment from the government for taking on these workers, and may also be eligible for up to $10,000 via the Youth Bonus Wage subsidy if the workers are hired at the end of the program.

However, the scheme has came under scrutiny from the union movement and the opposition over concerns about how workers are paid under the program, with participants earning $200 a fortnight on top of their income support payments for taking part, reports SBS.

Concerns were also raised about the potential for exploitation by some businesses, leading to experts warning businesses should know “where the boundaries are”.

Interns under the PaTH program are allowed to work a maximum of 50 hours per week, however, PaTH workers at Espresso Lane told Buzzfeed News they worked in excess of that amount, with one worker now reportedly chasing over $2000 in unpaid wages.

Another worker under the PaTH scheme at the same chain was allegedly rostered on at the business for two eight-hour shifts prior to signing her employment contract. The worker was then allegedly offered Visa gift cards as remuneration.

The other worker was also allegedly offered Visa gift cards as compensation for his unpaid wages.

In response, the Department of Employment has suspended Espresso Lane from the PaTH program, with a spokesperson telling Buzzfeed News “it was a clear violation”.

“The department urges all young people to notify their employment service provider or the department directly and immediately if they are unsure about their internship agreement,” the spokesperson said.

SmartCompany contacted Espresso Lane but the business was unable to provide a comment. However, a manager at one store told BuzzFeed News they were “planning” to compensate the first worker, and the Visa cards were just a “token of appreciation”.

The Department of Employment confirmed to SmartCompany the chain has been suspended from the program, and warned employers would be taken off the program if interns were found to be exploited.

PaTH could blur line between intern and employee

Speaking to SmartCompany, employment and workplace lawyer at TressCox Lawyers Chris Molnar says while it’s hard to know what occurred in this case without a proper investigation, the alleged actions raise “a number of issues” for businesses and employees involved in the PaTH program.

“If you look at what’s happening here, it’s a potentially common issue for these sorts of programs which are designed to get in young people who lack work experience. They’re not designed to get these people to do actual work a business could pay someone else for,” Molnar says.

“Internships are about getting experience and understanding how a business works and maybe getting some training. It’s about the person doing the internship, it’s not about the business.

“Principally, there needs to be an obvious benefit for the internee.”

Molnar believes the dividing line between PaTH applicants being internees or employees could potentially be blurred for some employers, and while the program specifies applicants must be provided with a “reasonable prospect” of getting a job, Molnar thinks there is a potential for some businesses to exploit the system.

“The idea is the government gives the business and the PaTH applicant some money, and after the program, if the business likes them and the applicant likes the business, then golly gosh, you might get a job,” he says.

“The risk here is that some business might think this could be abused. They might get someone in to do what would otherwise be paid work, and then at the end, not offer them a job.”

The inclusion of both a payment for businesses and applicants from the government has the potential to blur the lines even further says Molnar.

He says despite payments to businesses being reasonable, due to the training businesses are supposed to provide under the scheme, the money in the system “can lead to the intern-employee relationship being blurred”.

More education needed for businesses

Molnar says there’s a lack of education for companies interested in the PaTH scheme, saying businesses just have to fill in a few forms and sign a contract with the internee.

On the government’s resources page for businesses interested in the PaTH scheme, two documents are provided: a sample contract for employees and interns and a short information document for businesses.

“At the front end, much more education needs to be given to employers signing up to these programs around what work is suitable to be given to the applicants and how it is not a way to avoid hiring someone,” Molnar says.

“At the back end, interns need to be made aware that if they have complaints, they are entitled to complain to the Fair Work Ombudsman or the Department of Employment.”

Original article found at SmartCompany HERE. 

Banks can’t fight online credit card fraud alone, and neither can you

Cassandra Cross, Queensland University of Technology

Online credit card fraud is on the rise in Australia, but pointing the finger at any one group won’t help. It’s an ecosystem problem: from the popularity of online shopping, to the insecure sites that process our transactions, and the banks themselves.

A recent report from the Australian Payments Network found that:

• the overall amount of fraud on Australian cards increased from A$461 million in 2015 to A$534 million in 2016
• “card not present” fraud increased to A$417.6 million in 2016, up from A$363 million in 2015
• 78% of all fraud on Australian cards in 2016 was “card not present” fraud.

“Card not present” fraud happens when valid credit card details are stolen and used to make purchases or other payments without the physical card, mainly online or by phone.

Read more: Inside the fight against malware attacks

While these numbers may seem alarming, it’s important to put them in context. Australians are increasingly carrying out transactions online; the report notes that we made 8.1 billion card transactions totalling A$715.5 billion in 2016.

The shift towards online credit card fraud also comes at the cost of other types of fraud. Cheque fraud, for example, was down to A$6.4 million in 2016, from A$8.4 million in 2015.

Still, it’s fair to ask: are the banks doing enough to keep our details secure?

The banks and security

The banks currently have a range of measures in place to protect customers from card fraud:

• Chip and pin: Australia mandates the use of “chip and pin” technology. This replaced the need to swipe the magnetic strip on credit cards and is recognised as being more secure.
• Two-factor authentication: Many Australian banks use text messages or tokens that generate a unique, time-limited code to help verify the legitimacy of transactions.
• Monitoring of customer habits: Australian banks typically have a complex set of algorithms that monitor the spending habits and transactions of their customers. They frequently have the ability to identify a suspicious (often fraudulent) transaction and block it.

Overall, Australian financial institutions are investing time and technology into the prevention of fraud. However, recent allegations that the Commonwealth Bank of Australia breached anti-money laundering laws suggest that the big banks are not immune from the problem.

Data breaches and malware

Credit card fraud is going where the action is.

According to the research company Neilsen, “nearly all online Australians have used the internet to do some form of purchasing activity”. This means that Australians are increasingly sharing their credit card details with companies around the world.

Large-scale data breaches are a common occurrence. Many organisations have been compromised in some way, including Australian companies like Kmart and David Jones. A variety of personal information can be exposed, and this often includes customers’ credit card details.

Batches of stolen credit card details can be sold on the dark web to other motivated offenders. In one UK example, such details were being sold for as little as £1 per card.

Offenders are also using different types of malware, or computer viruses, to obtain the personal information of unsuspecting victims. In many cases, this includes bank account and credit card details through successful phishing attempts (or spam emails).

Read more: Everyone falls for fake emails: lessons from cybersecurity summer school

The liability fight

Banks will generally refund customers for any fraudulent losses incurred on their credit cards. However, customer must take “due care with their confidential data”.

There is also an onus on the customer to check their credit card statements and notify their bank of any suspicious activity.

But this may not always be the case. In 2016, the former Metropolitan Police Commissioner in the UK made headlines for suggesting that customers should not be refunded by banks if they failed to protect themselves from fraud.

Instead, he argued that customers were being “rewarded for bad behaviour” rather than being encouraged to adopt cyber-safety practices, such as antivirus software and strong passwords.

These statements were met with anger by many advocacy groups who equated them with victim blaming. It was further exacerbated by a leaked proposal by the City of London Police to shift the responsibility of fraud losses from banks to the individual.

While this recommendation was never adopted, the tension may continue to grow when it comes to fraud liability.

Looking for answers

Pointing the finger of blame at any one party is not a constructive solution. Banks alone cannot combat online credit card fraud. Neither can their customers.

There are simple steps to reduce the likelihood of online fraud: having up-to-date antivirus software and strong passwords is an important step. There are sites such as haveibeenpwned that demonstrate how vulnerable and exposed our passwords can be.

Still, it’s difficult to protect against social engineering techniques used by offenders to manipulate victims into handing over their personal details. Not to mention, the risks posed by third-party data breaches, which are beyond the control of individuals.

The introduction of mandatory data breach reporting legislation in Australia in 2017 may have a positive impact. By requiring organisations to let their customers know when their personal information has been compromised, individuals can be proactive about cancelling cards, changing passwords and taking out credit reports to check for fraudulent activity.

Businesses also need to recognise the importance of protecting their customer information. It is critical to overcome the mentality that cybersecurity is simply a technology problem or an IT issue. It should be firmly on the corporate management agenda.

Fraud is inevitable, regardless of the technology being used. Collaborative efforts between banks, businesses, government and individual consumers must improve.

No one group alone can effectively end online credit card fraud. Nor should they be expected to.

Cassandra Cross, Senior Lecturer in Criminology, Queensland University of Technology

This article was originally published on The Conversation. Read the original article.

Artificial intelligence cyber attacks are coming – but what does that mean?

Jeremy Straub, North Dakota State University

The next major cyberattack could involve artificial intelligence systems. It could even happen soon: At a recent cybersecurity conference, 62 industry professionals, out of the 100 questioned, said they thought the first AI-enhanced cyberattack could come in the next 12 months.

This doesn’t mean robots will be marching down Main Street. Rather, artificial intelligence will make existing cyberattack efforts – things like identity theft, denial-of-service attacks and password cracking – more powerful and more efficient. This is dangerous enough – this type of hacking can steal money, cause emotional harm and even injure or kill people. Larger attacks can cut power to hundreds of thousands of people, shut down hospitals and even affect national security.

As a scholar who has studied AI decision-making, I can tell you that interpreting human actions is still difficult for AI’s and that humans don’t really trust AI systems to make major decisions. So, unlike in the movies, the capabilities AI could bring to cyberattacks – and cyberdefense – are not likely to immediately involve computers choosing targets and attacking them on their own. People will still have to create attack AI systems, and launch them at particular targets. But nevertheless, adding AI to today’s cybercrime and cybersecurity world will escalate what is already a rapidly changing arms race between attackers and defenders.

Faster attacks

Beyond computers’ lack of need for food and sleep – needs that limit human hackers’ efforts, even when they work in teams – automation can make complex attacks much faster and more effective.

To date, the effects of automation have been limited. Very rudimentary AI-like capabilities have for decades given virus programs the ability to self-replicate, spreading from computer to computer without specific human instructions. In addition, programmers have used their skills to automate different elements of hacking efforts. Distributed attacks, for example, involve triggering a remote program on several computers or devices to overwhelm servers. The attack that shut down large sections of the internet in October 2016 used this type of approach. In some cases, common attacks are made available as a script that allows an unsophisticated user to choose a target and launch an attack against it.

AI, however, could help human cybercriminals customize attacks. Spearphishing attacks, for instance, require attackers to have personal information about prospective targets, details like where they bank or what medical insurance company they use. AI systems can help gather, organize and process large databases to connect identifying information, making this type of attack easier and faster to carry out. That reduced workload may drive thieves to launch lots of smaller attacks that go unnoticed for a long period of time – if detected at all – due to their more limited impact.

AI systems could even be used to pull information together from multiple sources to identify people who would be particularly vulnerable to attack. Someone who is hospitalized or in a nursing home, for example, might not notice money missing out of their account until long after the thief has gotten away.

Improved adaptation

AI-enabled attackers will also be much faster to react when they encounter resistance, or when cybersecurity experts fix weaknesses that had previously allowed entry by unauthorized users. The AI may be able to exploit another vulnerability, or start scanning for new ways into the system – without waiting for human instructions.

This could mean that human responders and defenders find themselves unable to keep up with the speed of incoming attacks. It may result in a programming and technological arms race, with defenders developing AI assistants to identify and protect against attacks – or perhaps even AI’s with retaliatory attack capabilities.

Avoiding the dangers

Operating autonomously could lead AI systems to attack a system it shouldn’t, or cause unexpected damage. For example, software started by an attacker intending only to steal money might decide to target a hospital computer in a way that causes human injury or death. The potential for unmanned aerial vehicles to operate autonomously has raised similar questions of the need for humans to make the decisions about targets.

The consequences and implications are significant, but most people won’t notice a big change when the first AI attack is unleashed. For most of those affected, the outcome will be the same as human-triggered attacks. But as we continue to fill our homes, factories, offices and roads with internet-connected robotic systems, the potential effects of an attack by artificial intelligence only grows.

Jeremy Straub, Assistant Professor of Computer Science, North Dakota State University

This article was originally published on The Conversation. Read the original article.

From the crime scene to the courtroom: the journey of a DNA sample

Caitlin Curtis, The University of Queensland and James Hereward, The University of Queensland

The O.J. Simpson murder trial in 1995 introduced DNA forensics to the public. The case collapsed, partly because the defence lawyers cast doubt on the validity of the evidence thanks to the inappropriate way the samples were handled.

Things have changed since then. There are now safeguards in place to ensure the integrity of the chain of evidence. Laboratory protocols and procedures have also advanced.

By following a piece of evidence from the crime scene to the courtroom, we’ll explain just how DNA is studied in the lab and used in the modern legal system.

Read more: Explainer: Forensic science

From the crime scene

The DNA sample’s journey begins at the crime scene.

There are several principles that guide DNA evidence collection by the crime scene examiner. In particular, the avoidance of contamination or DNA degradation, and ensuring the chain of custody.

The risk of contamination (from the collector or other evidence samples) is reduced by using sterile, disposable supplies. Degradation is minimised by drying samples before bagging.

Storing dried samples in paper bags rather than plastic, and maintaining samples at the proper temperature helps preserve the DNA and prevent microbial contamination.

It is also important to plan what to collect and how – sufficient material may be required for independent testing by the defence.

To the lab

When any sample arrives in a lab, the first step is to extract the DNA.

The blood samples analysed in the O.J. Simpson trial were typical of the time when large amounts of DNA were required to conduct testing. Today, small amounts of DNA, known as trace DNA, can be analysed from items such as cigarette butts, hair follicles, saliva, semen, and even faeces.

This is possible because of the invention of a method in the 1980s called the polymerase chain reaction or “PCR”, which allows an individual strand of DNA to be replicated many times. This creates thousands of copies until there is enough DNA to conduct tests.

Analysis begins

The mainstay of modern DNA identification is short tandem repeat (STR) markers, which are small sections of DNA that vary by length (the number of repeats).

Multiple STR markers are used to create a DNA profile. They are tested using commercial kits that often incorporate a sex determination test (the amelogenin gene).

Mitochondrial DNA

Another method uses mitochondrial DNA.

Mitochondrial DNA tends to last longer than other types of DNA and is often relied on in cold cases. The sequence of mitochondrial DNA “letters” is passed down from mother to child (with the exception of rare mutations), so mothers and grandmothers share the same DNA sequence as their children (but fathers do not).

This makes mitochondrial DNA useful in identifying missing persons – the bones of Daniel Morcombe were identified this way.

Read more Ned Kelly remains are positively identified … but how was it done?

The Y chromosome

The Y chromosome is present only in males and is passed from father to son. This makes Y chromosome STR markers a useful tool in situations such as sexual assault cases where male and female DNA samples might be mixed and the male suspect’s identity needs to be established.

In the same way as mitochondrial markers, Y-markers can be used for identification through family matching. The process of familial matching in criminal investigations raises privacy concerns but is increasingly commonplace.

In one recent incident, it was suggested that the surname of a suspect was identified from records of male family members in public genetic ancestry databases.

DNA databases and sample matching

Australian law enforcement uses the National Criminal Investigation DNA Database (NCIDD), which is managed by the Australian Criminal Intelligence Commission.

The more records added to the database, the greater the odds of making an accidental match. This is because the number of potential matches increases.

To reduce the risk of false “hits”, genetic profiles can be made more complex.  Increasing the number of STRs in each profile reduces the risk of a spurious match because the probability of a match (at 20 markers, for example) is estimated by multiplying the probabilities of each STR marker.

The Australian system originally used nine STR’s and a sex-determination gene. In 2013 this was increased to 18 core markers.

Internationally, there are moves towards a standard set of 24 markers (such as GlobalFiler). With this many markers, the odds of two people having the same profile (twins excepted) are incredibly small. This makes an STR profile a powerful way to exclude suspects as well as making matches.

In the courtroom

Modern DNA forensic methods are powerful and sensitive, but great care must be taken to prevent miscarriages of justice.

It is difficult for people to comprehend probabilities like one in a quadrillion, and the presentation of such numbers in court can become prejudicial.

In the case of Aytugrul v the Queen, DNA evidence was presented as an exclusion percentage of 99.9, and the defence argued that this would indicate certainty of guilt to the jury.

Although the High Court of Australia ultimately allowed the DNA evidence presentation in Aytugrul v the Queen, survey data suggest that the statistical presentation of genetic evidence may affect how it is understood and used by a jury.

Such issues have lead to guidelines by the US Department of Justice, among other justice groups, for the language used in forensic testimony and reports.

There’s also a risk that contamination might implicate an innocent person. For that reason, DNA evidence is best used in support of other types of evidence.

In the case of R v Jama, DNA evidence was the sole basis of the rape case. Only after 16 months’ imprisonment was it revealed that the sample taken by the doctor was probably contaminated.

Forensics in the future

DNA forensics will continue to evolve.

Take a genetic test that can predict eye and hair colour: this test examines (or “genotypes”) 24 single letter DNA variants. These are analysed with a statistical model that provides probabilities for hair and eye colour based on a large database that links DNA variants to appearance.

Understanding how DNA is linked to facial features has even led to the creation of DNA-based mugshots.

“Massively parallel” sequencing machines are also a significant advance. These can turn the approximately 3.2 billion DNA “letters” of the human genome into digital information in a matter of hours.

This opens up all of the information contained in our genetic code to law enforcement. For example, some researchers claim it’s possible to predict the age of a suspect from a blood sample within a mean error margin of 3.8 years, based on methylation markers in the DNA, and this may be improved with the assistance of machine learning.

The more we understand the link between appearance and DNA, the better its predictive power will be. It’s tempting to speculate how the O.J. Simpson trial may have turned out with modern forensic DNA protocols and technology.

Caitlin Curtis, Honorary Research Fellow, The University of Queensland and James Hereward, PostDoc Ecological and Evolutionary Genetics, The University of Queensland

This article was originally published on The Conversation. Read the original article.