Policies

  1. Risk Management Policy
  2. Access Control Policy
  3. Dispute Resolution / Complaints Management
  4. Information Security Policy Scope
  5. Change Management, Incident Response & Exception Management
  6. Business Continuity Plan & IT Disaster Recovery Plan
  7. Privacy Policy
  8. Fraud Management Policy

1. Risk Management Policy

Risk management is about understanding and managing the risk environment and taking measures, where necessary, to ensure that risks are contained to acceptable levels consistent with the risk appetite for the products and services that TMEX Pty Ltd offers to its clients. This document sets out, at a high level, a policy for managing this process.

Scope

This policy applies to all of TMEX Pty Ltd (The Company). It forms part of the company governance framework and applies to all employees, contractors, and volunteers.

Objectives

The objective of the Risk Management Policy is to ensure the implementation of an effective risk management framework consistent with the company achieving its policy and operating objectives. In doing so, it follows accepted standards and guidelines for managing risk.

The principle underpinning the company’s approach is that risk management is an integral part of the management function in the organisation and, as such, is the clear responsibility of management. As TMEX Pty Ltd is a currency exchange provider, it must identify different kinds of risks it may face, document them in the AML/CTF program, and take necessary steps to manage them at acceptable levels.

General Responsibilities

Compliance Officer: Provides policy oversight, review of risk management, transaction monitoring, fraud management, AML program oversight, and staff training.

Technology Leads: Continuously improve risk management policy, strategy, and supporting IT framework.

Staff: Comply with risk management policies and procedures.

Policy

The company's framework endeavors to cover the full spectrum of risks faced by the company through evaluating risk from a business perspective. This framework is consistent with the accepted Australian standard (ISO 31000-2018 Risk Management) and comprises several important steps, which are documented in the AML/CTF program of TMEX Pty Ltd:

  • Identifying and analyzing the main risks facing the company.
  • Evaluating those risks and making judgments about whether they are acceptable or not.
  • Implementing appropriately designed control systems to manage these risks in a way that is consistent with the Company's Risk Management Policy.
  • Treating unacceptable risks by formulating responses following the identification of unacceptable risks, including actions to reduce the probability or consequences of an event and formulating contingency plans.
  • Documenting these processes, with summary tables (risk registers) as the main forms of documentation, supplemented by risk manuals or related documents as appropriate.
  • Ongoing monitoring, communication, and review.
  • While the framework is applied consistently across the company, individual areas must identify and analyze the risks in their areas, assess the controls in place to deal with those risks, and make decisions about whether to mitigate a particular risk—fully or partially—given its effects and the costs of mitigation. If a residual risk is judged to be unacceptable, the ‘owner’ area is responsible for developing and implementing/overseeing a remedial plan.
  • Where risks are considered ‘cross-sectional’ or ‘common’—that is, owned by one area and managed by another (e.g., IT-related risks)—a process is established for ensuring that the risks are both communicated and action is agreed upon between the concerned areas.
  • Processes are also in place to facilitate appropriate liaison and consultation with external entities whose activities could inform the company’s risk environment.

2. Access Control Policy

This policy outlines the rules relating to authorizing, monitoring, and controlling access to the applications and information systems developed or operated by TMEX Pty Ltd.

Scope

This policy applies to any person or system that is granted or grants access to accounts, information, or information systems owned, developed, or operated by TMEX Pty Ltd (The Company).

Objectives

Compliance with this policy enables consistent controls to be applied to all applications and information systems, minimizing exposure to security breaches while allowing developers, customers, systems, and security administration and technical support staff to conduct their activities within the framework of the law.

This policy aims to ensure that, by having the appropriate access controls in place, the right information is accessible by the right people at the right time and that access to information, in all forms, is appropriately managed and periodically audited.

General Responsibilities

All personnel (e.g., employees, contractors, vendors, and third parties) working with the company must abide by relevant information security and access control policies and procedures.

  • Only use their account and access in accordance with the company’s Code of Practice.
  • Secure their credentials in line with the password guidance.
  • Be responsible for the systems, services, and data within their control.

Access Control Implementation - Developer Guideline for Identity Management Implementation

  • All applications must be password protected where necessary, and only authenticated users can access the applications.
  • Implement two-factor authentication (SMS and Google Authenticator) for all administrator-level application access.
  • All logins must be developed role-based so that users can only perform actions limited to their access and role level.
  • Formal user registration and de-registration processes must be implemented to enable the assignment of identities and accounts on an individual basis.
  • Provide access to information, accounts, systems, and resources based on the principle of least privilege.
  • Implement a One-Time Password (OTP) system where possible; dynamic PINs work as extra layers of protection.
  • Implement mandatory password changes, enforcing regular password updates for customers and application users, to significantly reduce security risks.
  • An easy-to-track monitoring system should be in place to detect and analyze suspicious activity. Additionally, a solution to prevent data breaches by blocking an account after several suspicious transactions should always be implemented.
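As an added illustration of the guideline above (example code, not TMEX's own), the following Python module enforces role-based least-privilege authorization, requires a time-based OTP as the second factor for administrator-level access, blocks an account once a threshold of suspicious transactions is reached, and checks the password rules stated in the Password Security Policy of section 4. The role table, the threshold of three, and the sample secrets are constructed assumptions.

```python
"""Access-control checks modelled on the developer guideline above.

Added example, not TMEX code. The role table, the block threshold and the
sample secrets are constructed assumptions; TOTP follows RFC 6238 (SHA-1,
30-second step, 6 digits), the scheme Google Authenticator implements.
"""
import hashlib
import hmac
import re
import struct
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Least privilege: each role gets only the actions it needs (constructed table).
ROLE_PERMISSIONS = {
    "customer": {"view_balance", "create_order"},
    "support": {"view_balance", "view_order"},
    "admin": {"view_balance", "view_order", "approve_refund", "manage_users"},
}
ADMIN_ROLES = {"admin"}
# The guideline says "several" suspicious transactions; three is an assumption.
SUSPICIOUS_BLOCK_THRESHOLD = 3


@dataclass
class Account:
    username: str
    role: str
    totp_secret: Optional[bytes] = None  # enrolled second factor (admins)
    suspicious_count: int = 0
    blocked: bool = False


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password for the given Unix time."""
    counter = int(for_time // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def authenticate(account: Account, password_ok: bool, otp: Optional[str] = None,
                 now: Optional[float] = None) -> Tuple[bool, str]:
    """Password for everyone; administrator-level access also needs a valid OTP."""
    if account.blocked:
        return False, "account blocked"
    if not password_ok:
        return False, "bad password"
    if account.role in ADMIN_ROLES:
        if account.totp_secret is None:
            return False, "2FA not enrolled"
        expected = totp(account.totp_secret, time.time() if now is None else now)
        # Constant-time comparison so the check does not leak matching digits.
        if otp is None or not hmac.compare_digest(otp, expected):
            return False, "bad OTP"
    return True, "ok"


def authorize(account: Account, action: str) -> bool:
    """Role-based check: only actions listed for the account's role are allowed."""
    return not account.blocked and action in ROLE_PERMISSIONS.get(account.role, set())


def record_suspicious_transaction(account: Account) -> bool:
    """Count a flagged transaction; block the account once the threshold is reached."""
    account.suspicious_count += 1
    if account.suspicious_count >= SUSPICIOUS_BLOCK_THRESHOLD:
        account.blocked = True
    return account.blocked


def password_meets_policy(password: str) -> bool:
    """Section 4 rules: at least 8 characters, one digit and one special character."""
    return (len(password) >= 8
            and re.search(r"\d", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)
```

Blocking is checked in both `authenticate` and `authorize`, so a session that was already open when the account was blocked loses its permissions on the next action rather than at the next login.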

Database Access Control Guidelines

  • Database access must be blocked from the internet; only applications running in the same Virtual Private Cloud (VPC) should be allowed to connect, each with its own username and password and restricted permissions.
  • Only database administrators should have access to databases via a secure tunnel or a virtual private network.

3. Dispute Resolution / Complaints Management

The Company has developed internal complaints handling procedures which comply with relevant dispute handling legislation in Australia, considering:

  • The size and type of our business
  • The nature of our client base
  • The likely number and complexity of complaints

Objectives

This procedure aims to:

  • Ensure clients have easy access to an inexpensive complaints handling process
  • Enhance client confidence in the Company’s services
  • Provide important feedback to the Company about the level of client satisfaction

This procedure is intended to be used when a client makes a complaint about:

  • The services and products received or recommended by the Company
  • The operation of the Company in general

Policy & Procedures

1. Receiving Complaints

All complaints are to be dealt with promptly and professionally. Upon receiving a complaint, the staff member will:

  • Thank the client and reassure them of the company’s commitment to resolving the issue
  • Inform the client that the Company will respond within 48 hours
  • Complete a Complaints Form and submit it to the Compliance Officer

The Compliance Officer will then:

  • Log the complaint in the Company’s complaints register
  • Determine necessary actions and assign responsibilities
  • Monitor and ensure resolution within 30 days
  • Keep the client informed

2. Complaint Procedure Rules

All complaints must be addressed within the specified timeframes to ensure compliance with legal obligations.

  • Within 14 days: Send acknowledgment of complaint receipt
  • Within 45 days: Make a decision on the complaint
  • Within 14 days of resolution: Notify the complainant of the decision and any actions taken

3. Resolved Complaint

The Compliance Officer will confirm resolution with the client and ensure proper procedures were followed.

4. Unresolved Disputes and External Dispute Handling

If the complaint remains unresolved, the Compliance Officer will:

  • Inform the client of the Company’s decision
  • Advise the client of their rights to escalate the complaint
  • Document any further interactions

5. Referring Complaints to External Dispute Resolution Bodies

The Company’s external complaints resolution process includes:

  • Providing disclosure documents outlining the internal complaint handling process
  • Notifying the client about external dispute resolution bodies if internal resolution is unsuccessful

6. TMEX Pty Ltd Dispute Handling

TMEX Pty Ltd follows AzuPay policies and requirements in handling disputes.

7. Disputed Transaction Logs

All disputed transactions will be logged for review.

8. Fraudulent Transactions

Any fraudulent transaction will be handled as per Australian law.

9. Refund Policy

If a refund is required due to a dispute, TMEX Pty Ltd will process the refund.

10. Complaint Logging

All complaints must be logged into the ticket management system.


4. Information Security Policy Scope

All processes, activities, and assets are within the scope of this information security policy, especially:

  • Implementation and maintenance of information systems
  • Secure development
  • Intellectual property and sales / contractual information protection
  • Human resources security
  • Data and information exchange procedures and interfaces with regulatory authorities, contractual workers, clients, and other relevant parties.

Objectives

  • Confidentiality – only individuals with authorization should access data and information assets.
  • Integrity – data should be intact, accurate, and complete, and IT systems must be kept operational.
  • Availability – users should be able to access information or systems when needed.
  • Create an overall approach to information security.
  • Detect and preempt information security breaches such as misuse of networks, data, applications, and computer systems.
  • Maintain the organization's reputation and uphold ethical and legal responsibilities.
  • Respect customer rights, including how to react to inquiries and complaints about non-compliance.

Policies, Procedures, and Guidelines

All the Information Security policies and their needs have been addressed below:

1. Information Risk Management Procedure

Detailed risk assessments for information risks shall be undertaken to identify threats, vulnerabilities, and potential impacts. This assessment shall determine acceptable, transferable, and avoidable risks and risk treatments.

2. Access Control Policy

Data must have sufficient granularity to allow authorized access while maintaining security.

3. E-mail Security Policy

TMEX Pty Ltd shall implement systems and procedures to ensure efficient business communication and prevent misuse of the email facility.

4. Internet & Intranet Security Policy

TMEX Pty Ltd should utilize the Internet for business efficiently while ensuring security against unauthorized access.

5. Password Security Policy

All passwords must:

  • Be at least eight characters long
  • Contain at least one number and one special character
  • Expire every six months

6. Application Security Policy

Ensuring proper procedures, access controls, and security requirements for software development and maintenance.

7. Operating System Security Policy

Protecting operating system resources at a level appropriate for the data being processed.

8. Backup & Recovery Policy

Systems and procedures for the backup of business data must be standardized and monitored regularly.

9. Log and Audit Trail Policy

Establishing a framework for logging and auditing system events.

10. Version Control Policy

Managing and controlling version changes in application systems, add-ons, network software, and operating systems.

11. Data Archival Policy

Addressing proper archival of project-related data as per client requirements.

12. Encryption Policy

Using cryptography to meet Information Security Management System (ISMS) requirements.

13. Data Migration Policy

Ensuring proper handling of data migration between systems/databases.

14. Data Security

Implementing physical, technical, and organizational security measures to protect personal data.

15. Database Security Procedure

Ensuring confidentiality, integrity, availability, and accountability of databases.

16. Key Management Procedure

Establishing techniques and procedures for cryptographic key relationships.

17. Cloud Computing

Assessing cloud computing requirements for data security, privacy, legal compliance, and business continuity.

18. Digital Security of Systems Containing Our Data

  • Encrypting data at rest using AES-256
  • Blocking database access on the Internet
  • Using TLS protocol for encryption in motion
  • Allowing API requests only over HTTPS
  • Implementing geography-based firewalls

19. Physical Security of Systems Hosting Application & Data

All data is hosted on Amazon Web Services (AWS). More details can be found at AWS Data Center Physical Security.


5. Change Management, Incident Response & Exception Management

This policy outlines the rules relating to the management of change, Incident Response, and Exception management for any TMEX Pty Ltd projects.

Scope

This policy applies to any person or systems that are developed or operated by TMEX Pty Ltd (The Company).

Objectives

  • Manage changes to the Application & its infrastructure
  • Enable developers and clients to plan accordingly
  • Promote communication and collaboration regarding change items
  • Share knowledge with End Users regarding any modifications
  • Enable a smooth transition for new changes
  • Minimise the likelihood of outages
  • Maintain compliance with applicable regulations
  • Reduce the impact of changes on other tasks/projects

Policy

The following outlines the process for submitting, reviewing, approving, deferring, and closing change items.

Submittal of a Change Request

  • Change requests are to be submitted via the Company’s Change Management system by the owner of the change.
  • The change should not be completed until reviewed and approved according to procedures defined within this policy.
  • All sections of the change request should be completed thoroughly.
  • The documentation must identify the scope of the change, areas affected, back-out process, testing completed, communication plan, and planned date of deployment.
  • Once a change request is submitted, it will be known as a change item and is assigned a change number.

Review of New Change Items

  • New change items are reviewed during daily meetings.
  • The agenda of the change meeting should be to review each pending change item with the group to ensure all attending understand the change and its dependencies.
  • Items that are understood and agreed to by all are motioned for approval.
  • Any incomplete requests will be held or deferred as decided on during the meeting.

Approval & Deferral of Change Items

  • Authorization of a change item occurs after the change is reviewed and depends on the priority.

Change Item Types and Authorization

  Type         Authorization       Notes
  Standard     Approval Required   Routine change, can be upgraded to major or emergency if required.
  Emergency    Approval Required   Response to failure or urgent fix.
  Major        Approval Required   Requires multiple dependencies and other associated change requests.
  Minor        Approval Required   Small changes with minimal effect.
  Significant  Approval Required   Large impact, may require multiple sub-changes.

Items that are not approved should not be implemented until the review and approval process is followed.

Closing a Change Request

  • Approved change items that have been deployed are reviewed for closure during change meetings.
  • The owner of the change should be available to discuss the implementation.
  • If the change has performed as desired, it may be closed.
  • If the change causes issues, attendees will determine if it should be reverted.
  • Appropriate actions should be noted and successfully acted upon before marking the item closed.

Exceptions Management

Exceptions to this policy will be handled by the Security Policy.

Incident Response

In emergency cases, actions may be taken by the Development Team following the ITS Incident Response Policy, which may include rendering systems inaccessible.


6. Business Continuity Plan & IT Disaster Recovery Plan

Scope

This policy applies to any person or systems that are developed or operated by TMEX Pty Ltd (The Company).

Objectives

The purpose of this policy is to define what would happen to our product(s) if any of the following services running in AWS region XYZ experienced an outage (S3, RDS, Dynamo, SNS, SES, Lambda, etc.).

  • How long before we fully recover?
  • How much data loss would we incur?
  • What process would we follow to recover?
  • How would we communicate the status and next steps internally?
  • How would we communicate the status and next steps to customers?

These questions quickly reminded us that DR planning requires direction from the business.

Recovery Objectives

  • Recovery Time Objective (RTO): The length of time it would take us to swap to a second, hot production service in a separate AWS region.
  • Recovery Point Objective (RPO): The acceptable amount of data loss, measured as the window of time between the last recoverable state and the outage.

Policy & Procedure

This checklist provides possible initial actions that you might take following a disaster.

Plan Initiation

  1. Notify senior management.
  2. Contact and set up a disaster recovery team.
  3. Determine the degree of disaster.
  4. Implement a proper application recovery plan dependent on the extent of the disaster.
  5. Monitor progress.
  6. Notify users of the disruption of service.

Application & API (Web Services)

All web services we develop are serverless and auto-scalable. In case of disaster we can redeploy our web services from our CI/CD pipeline to a different region within 15 minutes and redirect all traffic. The UI component is hosted as static web content and JavaScript.

Database

The likelihood of database failure is low, as we run two instances of the database in two different availability zones. If one data center is affected, the second instance will remain available for service.

Disaster Recovery for Database

  • Option 1: Restore data using the point-in-time feature.
  • Option 2: Restore the database from the latest snapshot.
  • Option 3: Restore data from the daily backup (cloud storage).
  • Option 4: Restore data from an off-site daily backup.

7. Privacy Policy

Summary

We look after your personal information as if it were our own. Our Privacy Policy presents our commitment to:

  • Limit the types of personal information that we need to collect to provide you with the customized edQuire experience.
  • Collect personal information from students, teachers, and the school to ensure that the information is accurate.
  • Limit the purpose of collecting personal information because, without it, we can’t provide you with the edQuire experience.
  • Provide you with access to your personal information that we hold and allow updates.
  • Limit the circumstances under which your personal information is sent overseas and the measures we take to protect it as an Australian company operating internationally.

Kinds of Personal Information That We Collect and Hold

Personal information includes information or an opinion about a reasonably identifiable individual. For example, this may include your name, age, gender, postcode, and contact details.

We may collect the following types of personal information:

  • Name
  • Business name, including ABN/ACN numbers
  • Email addresses
  • Telephone number and other contact details
  • Statistics on page views, traffic to and from the site, ad data, IP addresses, and standard web log information
  • Any additional information relating to you that you provide to us directly through our website or indirectly through your use of our website or online presence
  • Other personal information that may be required to facilitate your dealings with us

How We Collect and Hold Personal Information

We may collect personal information either directly from you or through third parties. We may collect this information when you:

  • Register on our website or in person
  • Communicate with us through correspondence, email, or other electronic messages
  • Use other social applications, services, or websites
  • Interact with our websites, services, content, and apps
  • Use web analytic software, cookies, or clickstream data
  • Engage with us on social media platforms
  • Provide us with information about other individuals (e.g., staff, directors, or authorized persons) with their awareness

We protect your personal information from unauthorized access, alteration, disclosure, or destruction. Data transmitted over public networks is either anonymized or sent encrypted. Our security measures include:

  • Strict access controls for authorized employees and contractors
  • Encryption of sensitive data
  • Physical security measures to protect data storage

Purposes for Collecting, Holding, Using, and Disclosing Personal Information

We may collect, hold, use, and disclose your personal information for the following purposes:

  • To offer you tailored content, including relevant features and services
  • To enable you to access and use our website and services
  • To operate, protect, improve, and optimize our website, business, and member experience
  • To send you service, support, and administrative messages, updates, and security alerts
  • To comply with legal obligations, resolve disputes, and enforce agreements

We may also disclose your personal information to:

  • Our business partners who offer relevant services such as insurance and training
  • Trusted third parties who may use anonymized consumer insights to personalize and enhance services

Accessing and Updating Your Personal Data

Whenever you use our services, we aim to provide you with access to your personal information. If that information is incorrect, we strive to give you ways to update or delete it unless we are required to retain it for legal purposes. We may ask you to verify your identity before processing your request.

Security

We may hold your personal information in electronic or hard copy form. We take reasonable steps to protect your personal information from misuse, interference, and loss, as well as unauthorized access, modification, or disclosure. However, we cannot guarantee complete security.

Complaint Resolution Mechanism

If you have a question, concern, or complaint regarding how we handle your personal information, please contact our Compliance Officer:

TMEX Pty Ltd

Email: contact@tmexchange.com.au

We will respond within a reasonable period and inform you who will handle your request and when you can expect a further response.


8. Fraud Management Policy

Scope

This Fraud Management Policy applies to all employees, contractors, and stakeholders involved in the operations of TMEX Pty Ltd, including but not limited to currency exchange services. It encompasses all aspects of fraud prevention, detection, reporting, and response within the organization.

Objectives

  1. Fraud Prevention:
    • Establish robust customer due diligence procedures to prevent fraudulent activities.
    • Implement advanced transaction monitoring systems to detect and prevent suspicious patterns of activity.
  2. Employee Training:
    • Provide regular training programs for employees to enhance awareness of fraud risks.
    • Educate employees on recognizing and reporting suspicious activities promptly.
  3. Reporting and Investigation:
    • Create a responsive reporting mechanism for employees to report suspected fraudulent activities.
    • Establish an efficient investigation team for thorough and prompt examination of reported incidents.
  4. Customer Communication:
    • Communicate transparently with affected customers in the event of a suspected or confirmed fraud incident.
    • Equip customer support channels to effectively handle fraud-related inquiries and complaints.
  5. Collaboration with Law Enforcement:
    • Work with law enforcement agencies in reporting and investigating fraud incidents.
    • Provide relevant information and evidence as required by applicable laws and regulations.
  6. Technology Security:
    • Implement and regularly update information security measures, including encryption and firewalls, to protect customer data and transactions from unauthorized access.
  7. Regular Audits and Reviews:
    • Conduct periodic audits to assess the effectiveness of fraud prevention measures.
    • Review the Fraud Management Policy annually and update it as needed to address emerging threats and changes in the business environment.
  8. Collaboration with Industry Partners:
    • Work with industry partners, financial institutions, and regulatory bodies to share information and best practices for fraud prevention.
  9. Legal Compliance:
    • Comply with all applicable laws and regulations related to fraud prevention and reporting.

Policy

TMEX Pty Ltd is dedicated to upholding the highest standards of integrity and security in its travel money exchange operations. Our Fraud Management Policy encompasses a comprehensive approach to prevent, detect, and respond to fraudulent activities within our organization. We commit to implementing robust measures, including advanced transaction monitoring systems, to prevent and detect suspicious transactions.

Employee training programs will ensure a heightened awareness of fraud risks, empowering our workforce to recognize and promptly report any irregularities. In the event of suspected or confirmed fraud incidents, transparent communication with affected customers will be prioritized, and our customer support channels will be equipped to handle related inquiries effectively. Collaboration with law enforcement agencies and industry partners will be sustained to share information and best practices for fraud prevention.

TMEX Pty Ltd will rigorously comply with all applicable laws and regulations, conducting regular audits and reviews of our fraud prevention measures. This policy is effective from [Effective Date], with ongoing training and periodic reviews to adapt to emerging threats and changes in the business environment, ensuring the continued efficacy of our fraud prevention efforts. This policy has been approved by management to underscore our commitment to maintaining the trust and security of our customers and stakeholders.