The value of IPPC
- kangyuphang
- Jun 16

📚 IPPC, what purpose exactly do you serve?
To be honest, many CSPs (and even other regulated sectors) see the IPPC as just a document that helps "tick" one of the many boxes of their compliance obligations. Many CSPs simply use templated IPPCs that restate regulatory obligations without taking their operational complexities into consideration. This has also been a repeated observation in compliance reviews and was shared by ACRA at CSP Conferences over the years.
If you have been an RFA since 2015, you will probably still remember the template provided in the early versions of the RFA guidelines, where you simply filled in your company name and the name of your compliance officer. Unfortunately, while that template was intended as a guide to help CSPs get started, its use often ended after CSPs filled in their company name.
Hence you will have ludicrous situations where:
🤦♂️ One-man-operation CSPs whose IPPC mentions "maker-checkers" when performing KYCs on their clients.
🤦♂️ 🤦♀️ Unknown compliance officers who are not from the CSPs, or CSPs that are named "Insert Company Name".
🤦♂️ 🤦 🤦♀️ The entire RFA guidelines simply renamed as "IPPC of XXX".
As a former regulator, when I come across such observations during inspections, I can easily draw conclusions about the culture and values of the CSPs, and predict the likely outcome of the inspection.
With the new CSP Act, this mindset has to change. A better way to think about this is that your IPPC is the blueprint that should reflect how your firm's compliance program is built in practice.
🏠 This is almost exactly the approach you take when you renovate your home. You need to think about your context, your needs, and what threats you might face. Some considerations you might have include:
👶 If I have young toddlers, should I install window grills?
🦹 If my area has many house break-ins, should I install a more secure lock?
💻 If I largely work from home, do I need a designated working area?
With the release of the new CSP Act/Regs, the templated approach will no longer work. The guidelines have become more prescriptive and granular, and now require you to describe your CSP processes within the IPPC.
My suggestion is to start taking a hard look at Annex D of the CSP Guidelines, if you haven't already. Answer these questions by understanding the requirements, thinking through your entire compliance process and identifying where it meets or does not meet the requirements. If you have employees, do it together with them so that everyone can get familiarized with the new requirements (and it can even help you tick another box of your training requirements). Good luck.