C08/2008 Client security checks before releasing or accepting information

DATE OF ISSUE:  09 April 2008

Client security checks before releasing or accepting information

Purpose

The purpose of this Departmental Instruction is:

  • to restate the requirement that security checks be undertaken when releasing or accepting information from clients and their representatives; and
  • to document the agreed procedures for conducting security checks.

This follows a recent Internal Audit report, Review of Proof of Identity Process 06-07 undertaken by KPMG, which assessed whether the DVA procedures to identify clients and their representatives were effective in accurately identifying the person and their authority to deal with DVA.

KPMG Audit

The KPMG audit focused on the consistency and completeness of POI procedures, the adequacy of documentation, the timeliness of POI processing and the methods for handling claimants who cannot meet the POI requirements.  In respect of notification arrangements, the audit found that:

The processes used within DVA to identify individuals (clients, representatives and agents) prior to releasing information and/or accepting instructions eg. by phone, letter or in person, were largely informal and undocumented.

The audit made the following recommendation (Recommendation #1) to address this issue:

The Department should document guidelines that cover how POI checks should be conducted and recorded before releasing information and/or accepting instructions by phone, POA, written/e-mail and in person.

The KPMG audit did not identify specific case studies where client identity had not been satisfactorily addressed, and concluded that the existing DVA processes provide a reasonable assurance that individuals have been accurately identified, with the necessary authority to deal with DVA.  However, the audit results indicated that inconsistent POI procedures were being performed across business lines and locations.

Agreed Management Response

To address this audit finding, the following Management Response was agreed:

Service Delivery as a whole to adapt and apply procedures as outlined in the CLIK Procedure Library in respect of Manner of Payment (MOP) change for Releasing Information and/or accepting instructions eg. by phone, letter or in person.

New POI procedures to be based on Manner Of Payment changes

The Manner of Payment (MOP) procedures can be found in the CLIK Procedure Library at Part 11/Chapter 5/Section 2, Notification of Payment Destination Changes.

The MOP procedures require that, where a payment destination change request is received from a third party (such as an agent, trustee or relative), a more rigorous POI process is to be applied.  In view of the heightened possibility of fraudulent advice being received regarding a change of payment destination, the MOP procedures provide that changes should not be made until a valid third party authority is in place.  A valid third party authority generally requires that documentation establishing the authority of a person or agency to act for a pensioner has already been received, recorded and placed on the pensioner's file.

In determining the acceptability of a third party authority, such as a written letter provided by a veteran, POA authorisation or similar documentation, delegates must apply the test of “reasonable satisfaction” as set out in the VEA at subsection 120(4).  This test requires that the delegate must consider a fact is more likely than not to be true.

Departmental Instruction B42/92 remains in force

The MOP procedures need to be read in conjunction with Departmental Instruction B42/92, Guidelines for Processing Notification of Change of Circumstances Received by Telephone, which still remains in force.

This DI provides guidelines for processing notification of change of circumstances received by telephone.  It followed the Repatriation Commission's decision, under paragraph 54(4)(c) of the VEA, to approve the manner in which changes in circumstances may be notified to the Department.  In accepting notification of changed circumstances by telephone, the Commission agreed at the time that later written confirmation of the change is not always required.

However, this DI also identified that a greater degree of risk arises in cases of changes to the manner of payment.  Assessors were asked to exercise a higher degree of caution in these cases, with callers being required to know the old account number, date of birth, and DVA file number.  It was considered reasonable to accept telephone advice of a payment change, without later written confirmation, only where the new account remains in the payee's name, or where there is a change in the partner's name (with the new account being in the partner's name, or in joint names).  In all other cases, written notification was required.

Extent of identity check must consider the associated risk

Taken together, both DI B42/92 and the MOP procedures provide that greater scrutiny of a person's identity is necessary, where there is a higher risk of fraud.

This approach is in keeping with the Department's Risk Management Strategy, which provides that the extent of risk is to be explicitly considered when undertaking business planning and in significant decision making processes.

This risk assessment should also continue to recognise the unchanged policy position, based on the Commission's decision in 1992, to facilitate notification of changed circumstances by telephone wherever possible.  This Commission decision followed the recommendations of an internal efficiency review, together with the general preference of most pensioners and their representatives to be able to notify changes by telephone.

Prior written authorisation is preferred

The risk of receiving invalid or fraudulent advice by telephone from a person claiming to represent a client is minimised where prior written authorisation of the person's authority to act for the client has already been received by the Department.  For this reason, family members, carers or other people who contact the Department on behalf of a client for the first time, or who have not previously been authorised, should be asked to obtain written authorisation from the client, and to forward this to the Department.

A client may authorise another person to act on their behalf by way of a general written authorisation, through a formal power of attorney arrangement, or otherwise (in relation to the receipt of pension payments) as an appointed agent.  Details of the required procedures for more formal authorisation (and the limits on a person's authority to act) are contained in Fact Sheet LEG01, Arrangements for other people to act on your behalf, which should be forwarded to people contacting the Department on behalf of a client, where they are likely to continue to represent that client.

Client's written authorisation should provide instructions

Where a client provides written authorisation for another person to act on their behalf, the written authority should contain details of the pensioner's instructions – for example, whether the third party is also to receive mail on behalf of the veteran, or to notify changed circumstances only.  Where the authority extends to the receipt and management of pension payments, the formal appointment of the person as an agent under section 58D of the VEA is required.  Form D2693 Application for Appointment of an Agent should also be forwarded in these cases.

The authority for a person to act under a PoA arrangement may be limited, according to the type of PoA that is entrusted to a person and the relevant State/Territory law under which it is made, and does not extend to the person receiving pension payments on the client's behalf.

Release/acceptance of information on behalf of a partner

Where a person sharing a joint pension assessment with their partner contacts the Department with information about their partner (or requests that information about their partner be released to them), it is not essential that they have written authorisation from the partner that they are acting on their behalf.

The notification obligations within the VEA require that pensioners notify the Department of any event or change in circumstances that might affect their pension payment.  Joint pension assessments involve the pooling and sharing of the assets and income of both partners, and can also be affected by other shared events including residential changes.  As the pension assessments are interdependent, it is acceptable for one member of the couple to fulfil the couple's combined and shared notification obligations by advising the Department of an event affecting their partner.  Similarly, it is appropriate for information (such as a pension summary) regarding one partner to be provided on request to the other partner, where that information is likely to have an impact on both pensions.

Joint pension assessments frequently arise out of an initial joint claim, or where one partner subsequently becomes eligible, or comes into payment, based on the circumstances of the first claimant.  The claims are based on mutual agreement and as a result of their shared pensioner status, it is acceptable for the notification/release of information to also be treated as applying equally.  Care should however be exercised with this arrangement where it is known that the couple may be separating or are estranged.  In these circumstances, it is appropriate to advise the non-notifying member of the couple that information/requests have been received on their behalf.

Client's notification obligations are not affected

It should be noted that a written authorisation for a person to act on behalf of a client, or a formal PoA arrangement, does not affect the status of the notification obligations under the VEA, which remain with the pensioner.  The written authorisation is a means by which a person may assist the pensioner in complying with these requirements.

Where a written authorisation has already been received, a security check is then conducted to verify the person's identity when contacting the Department.

What is a security check?

A security check is where a client or a representative is asked to provide information to prove their identity. If the contacting person is a representative of the client, the security check needs to establish both the identity of the person, and also that they have the client's consent to provide and receive information, by written authorisation or by completed agent or trustee form, on the client's behalf.

When to conduct security checks

A security check must be conducted when someone contacts the department to provide information about a client or enquire about a client's personal information.

If someone contacts the department to make a non-client specific enquiry then a security check is not necessary.

How to conduct security checks

In all cases where contact is by a third party, an initial check should be made as to whether there is written authorisation, a POA arrangement or a completed agent or trustee form on the client record which identifies the caller as a person who can act on the pensioner's behalf.

Where written authorisation of the third party does not already exist, the notified event may in some circumstances still be recorded and actioned, subject to authorisation subsequently being obtained from the client.  The procedures for subsequent authorisation are set out in the Security Checking Procedures form at Attachment A.

The client (or third party) must then be able to provide at least two client-specific pieces of information, as proof of their identity, such as:

  • DVA file number;
  • current pension payment account details (including BSB and account number);
  • partner's full name;
  • details of investments; or
  • accepted disabilities.

Recording of security checks

Recording that a security check has been done should be part of the normal process for recording the contact. For example:

  • when using the D2629 Change of Circumstances for counter and telephone use then complete the security check part of the form
  • if the contact is recorded as a file minute then record in the minute that a security check was conducted
  • if the client is recorded in the Client Contact Facility (CCF) then complete the identity verification field.

New Security Checking Procedures pro forma

The new Security Checking Procedures pro forma is at Attachment A.  It is adapted from both the MOP procedures and the still current DI.  The procedures are aimed at addressing the concerns arising out of the KPMG audit, while also maintaining, where appropriate, the advantages arising out of telephone notification of changes.

Action

All business groups should ensure that their staff are aware of the requirement to identify clients and their representatives before information is provided or taken from them, and the need to record that a security check has been conducted.

The guidelines included in this document will be stored in TRIM and links made available on the intranet at

http://sharepoint/programsandprojects/clik/procedures/Pages/CLIK%20Procedure%20Library%20-%20Links.aspx

Contact officer

Any queries regarding this instruction should be directed to NAT Policy Advisings Income Support.

Ric Moore

A/g National Manager

Income Support and Aged Care Policy Group

9 April 2008

John Sadeik

National Manager

Income Support

9 April 2008


ATTACHMENT A: Security Checking Procedures

Security check for a person receiving AP, SP, ISS, DP & WWP, or their representative, when contacting DVA in writing, by phone, or face to face interview

Follow the next seven steps to conduct a security check and verify the identity of a person receiving AP, SP, ISS, DP & WWP, or their representative, when they contact DVA by phone, face to face interview, or in writing.

Note: Follow these procedures and verify a person's identity BEFORE releasing information.

Step

Action

1

To check the identity of a pensioner when they are contacting the department directly, go to step 3; for the pensioner's representative, go to step 2.

Note 1: A representative may be a guardian, power of attorney, trustee, or agent etc.

Note 2: For an age pensioner the representative must be nominated by the client as either a Correspondence Nominee, a Payment Nominee or a Person Permitted to Enquire.

2

Check in VIEW Comments, or the aDVAnce record of the DVA client that the person contacting has the relevant authority/consent to enquire.

If the consent is recorded, then go to step 3.

If the consent is not recorded, but the person states that DVA has already been provided the written authority, then before continuing check the pensioner file and any unprocessed correspondence and if authority is:

  • found, go to step 3, or
  • not found, process as for 'not recorded'.

If the consent is for an AP recipient and the person is not either a Correspondence Nominee, Payment Nominee or Person Permitted to Enquire, or the consent is not recorded, then advise the person that:

  • as an interim measure we will phone the pensioner to confirm permission to obtain and/or release personal information is temporarily authorized,
  • we will write to the pensioner to confirm that permission to obtain and/or release personal information is in fact authorized, and
  • when written confirmation is returned, then the details provided will be processed and go to step 6.

3

Check that the written correspondence includes, or ask the person to provide, at least two client-specific facts such as:

  • DVA file number;
  • current pension payment account details (including BSB and account number);
  • partner's full name;
  • details of investments; or
  • accepted disabilities.

If the correspondence includes a change to the manner of payment destination, go to step 4.  For all other notifications, go to step 5.

Note: If in doubt about the identity of the person, or the person acting as the pensioner's representative, compare the signatures on the documentation with signatures on the pensioner's file, or ask for additional information which may confirm their identity, e.g. maiden name, date of last contact with DVA.

4

If the notification is for a change to the manner of payment, the information can be taken by phone.  However, delegates must exercise a higher degree of caution as this type of change involves a higher risk of fraud. Completion of the Phone Notification Amended Account Details worksheet is required, which includes directions for identifying the caller. http://sharepoint/Documents/programsandprojects/0642349E.tr5

Note: For an age pensioner the representative must be nominated by the client as a Payment Nominee, otherwise payment destination change details cannot be accepted.

5

Following the security check:

If the person passed the check and is authorised, then:

  • record details in file minute, CCF, VIEW, D2629 as required, &
  • release/obtain information and end process here.

If the person passed the check but no authorisation is recorded, then:

  • record details in file minute, CCF, VIEW, D2629 as required,
  • action request on receipt of telephone or written authorisation from client,
  • Date of Effect – the date of the original telephone notification of a change of circumstances may be used for date of effect purposes, provided confirmation is subsequently obtained from the client that the contacting person is authorised to act on their behalf, and
  • go to step 6.

If the person notified by email and passed the check, then:

  • client information may be obtained by email, but is not to be released by email, see Note below
  • reply and include the following paragraph: "The Department is currently improving its Internet services and expects to be able to safely forward information to you over the Internet at a future time. In the meantime, could you please advise an alternative means of communication."
  • end process here.

If the person failed the check, then:

  • do not update client details, or release client information,
  • contact & advise the pensioner or authorised third party that someone has attempted to obtain or change their details, ask if they know who this person might be,
  • record file minute of attempted contact, note caller ID phone number, if available,
  • record warning message on VIEW comments,
  • consider if matter warrants referral to National Fraud Control Unit,
  • attach documentation to file and end process here.

Note: Refer to section 6.3 Client E-Mail of Use of DVA Electronic Facilities Online Policy (http://sharepoint/supportingbusiness/communication...) for more information.

6

Send the client the standard letter as follows, if receiving:

  • SP, ISS, DP, and WWP, letter Authorisation for Client Representative, folder Trustees - Agents – POA for completion, and then go to step 7, or
  • AP, letter AP - Nominee cover letter.dot, folder Trustees - Agents – POA for completion, and

Note: For SP, ISS, DP & WWP purposes only, the written authority does not have to be on a specific form. However the Standard Letter Authorisation for Client Representative has the minimum information needed to enable a representative to be authorised to obtain and provide personal information and for a participant to be created in aDVAnce.

7

On receipt of the written authority from the client, record details of the representative through the Participant Registration Service (PRS) in aDVAnce.  Procedures on how to create a contact can be found in the PRS General User Guide (http://sharepoint/Documents/servingourcustomers/06100568E_prs.tr5).

Record details in aDVAnce, under the contacts screen. Complete the Comments field with the details as follows:

  • type of authority or documentation provided, such as letter or legal document, and
  • date sighted.

If the representative is a Power of Attorney, also record:

  • whether sole, joint or several attorneys have been appointed, and
  • the type of information that may be released such as personal or financial or both.

Once the details about release of information and contact have been saved electronically, attach the paper documentation to file.

Note: The comments added via PRS will be transferred automatically to the Notes section of aDVAnce and to the Comments screen in VIEW.